Critical vulnerabilities put Kubernetes environments in jeopardy

Dive Brief:

  • Wiz researchers on Monday disclosed the technical details of four critical vulnerabilities — CVE-2025-1097, CVE-2025-1098, CVE-2025-24514 and CVE-2025-1974 — in Ingress NGINX Controller for Kubernetes that enable remote code execution against the popular controller.
  • If exploited, the vulnerabilities could allow a threat actor to access sensitive data about organizations’ Kubernetes environments, potentially leading to a full takeover of the clusters.
  • Wiz researchers, who nicknamed the vulnerabilities “IngressNightmare,” warned that many organizations with controllers exposed to the public internet are in danger and should patch their Ingress NGINX Controller instances immediately.

Dive Insight:

“Based on our analysis, about 43% of cloud environments are vulnerable to these vulnerabilities, with our research uncovering over 6,500 clusters, including Fortune 500 companies, that publicly expose vulnerable Kubernetes ingress controllers’ admission controllers to the public internet — putting them at immediate critical risk,” Wiz researchers wrote in a blog post on Monday.

Ingress NGINX Controller is a widely used open source application for Kubernetes, a popular platform for managing containerized applications across cloud environments. An ingress controller manages traffic to those applications so that organizations can provide external access to their Kubernetes workloads. “Using Ingress-NGINX is one of the most common methods for exposing Kubernetes applications externally,” the researchers wrote.

However, admission controllers are an overlooked attack surface for Kubernetes environments, Wiz said. They are typically accessible over the network by default and frequently lack authentication requirements.

IngressNightmare vulnerabilities

While studying this attack surface, Wiz researchers discovered an issue with how the Ingress-NGINX admission controller validates incoming objects. The team found that a threat actor could compromise the controller by remotely injecting an arbitrary NGINX configuration. From there, the attackers can take full advantage of the controller’s privileges and broad network access to ultimately assume control of all Kubernetes clusters within an organization’s environment.

Ingress-NGINX’s maintainers released patches for the CVEs on Monday. In a security advisory, Tabitha Sable of the Kubernetes Security Response Committee warned that exploitation of the flaws could allow “easy” takeovers of organizations’ clusters and urged users to take immediate action. Google and AWS also published security advisories for the IngressNightmare flaws.

Beyond patching the flaws, Wiz recommended that organizations apply network policies that restrict access to admission controllers. The research team warned that they are only beginning to scratch the surface of security issues with these controllers.
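The network-policy mitigation described above can be expressed as a Kubernetes NetworkPolicy that leaves the controller's ordinary proxy ports open while limiting who can reach the admission webhook port. The manifest below is an added illustration written for this article, not a policy published by Wiz or by the Ingress-NGINX project; it assumes the upstream install defaults (namespace `ingress-nginx`, the `app.kubernetes.io/name` and `app.kubernetes.io/component` pod labels, and the webhook listening on container port 8443), and the control-plane CIDR is a placeholder to be replaced with the address range your API server actually connects from.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-nginx-restrict-admission
  namespace: ingress-nginx            # assumed: namespace the controller was installed into
spec:
  # Assumed: the labels the upstream manifests put on the controller pods
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/component: controller
  policyTypes:
    - Ingress
  ingress:
    # Rule 1: application traffic to the proxy ports stays reachable from anywhere
    - ports:
        - protocol: TCP
          port: 80
        - protocol: TCP
          port: 443
    # Rule 2: the admission webhook port is reachable only from the control plane,
    # which is the only legitimate caller of a validating webhook
    - from:
        - ipBlock:
            cidr: 10.0.0.0/24           # PLACEHOLDER: your API server / control-plane CIDR
      ports:
        - protocol: TCP
          port: 8443                    # assumed: default webhook container port
```

Before applying it, confirm the webhook port with `kubectl -n ingress-nginx get svc ingress-nginx-controller-admission -o yaml` (the service's `targetPort` is the value rule 2 must match), and remember that a NetworkPolicy is only enforced when the cluster's CNI plugin supports it; on a CNI that ignores policies the object is accepted but has no effect. This restricts the attack surface the article describes and complements the patches; it does not replace them.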

“We were also surprised by the lack of least-privilege design, as the exploit ended up with privileges to take control of the cluster,” the team wrote. “During this research, we found other vulnerabilities in Ingress NGINX Controller, and we expect to find more in other admission controllers.”
