Security Update: Publicly Exposed Ingress NGINX Admission
A series of vulnerabilities, known as IngressNightmare (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974), has been identified in ingress-nginx, a widely used Kubernetes ingress controller. When exploited together, these vulnerabilities allow configuration injection through the Validating Admission Controller. Unauthenticated remote attackers on the Pod network could exploit this chain to gain unauthorized access to sensitive data, including Kubernetes Secrets, and even perform a complete takeover of the cluster.
Affected Products
The Kubernetes Ingress NGINX Controller is a widely used component that routes external traffic to cluster services. It includes an admission controller that validates incoming ingress objects by reviewing configurations and ensuring they are correct before approval. This controller operates with significant privileges, as it requires access to resources across the cluster.
All versions of ingress-nginx are potentially vulnerable. The issue is fixed in versions 1.12.1 and 1.11.5.
Vulnerability Details
CVE-2025-1974 arises from configuration injection vulnerabilities within ingress-nginx’s Validating Admission Controller. Combined with other vulnerabilities (CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098), attackers on the Pod network can gain unauthorized access to Kubernetes Secrets and potentially take over the entire cluster.
Detection
Detectify Surface Monitoring customers can test whether they have an exposed ingress-nginx admission controller, which is what enables the exploit chain.
The vulnerability assessment released by Detectify identifies exposed Ingress NGINX admission controllers by analyzing TLS certificates.
Mitigation
- Upgrade to ingress-nginx versions 1.12.1 or 1.11.5.
- If immediate patching is not feasible, disable the Validating Admission Controller:
  - For Helm installations: set controller.admissionWebhooks.enabled=false.
  - For manual installations: delete the ValidatingWebhookConfiguration named ingress-nginx-admission and remove --validating-webhook from the ingress-nginx-controller Deployment or DaemonSet arguments.
- Remember to re-enable the Validating Admission Controller after upgrading.
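As an added audit helper (example code written for this advisory, not Detectify's tooling or the ingress-nginx project's own code), the script below reads the JSON that `kubectl get deploy,ds -A -o json` returns, finds ingress-nginx controller containers, compares the image tag against the fixed releases 1.11.5 and 1.12.1, and reports whether the --validating-webhook argument is still present. The sample input and the image digest are constructed placeholders.

```python
import json
import re

# Lowest fixed release for each affected release line (taken from the advisory).
FIXED = {(1, 11): (1, 11, 5), (1, 12): (1, 12, 1)}
_TAG_RE = re.compile(r":v?(\d+)\.(\d+)\.(\d+)(?=[-@]|$)")


def parse_version(image):
    """(major, minor, patch) from an image ref such as .../controller:v1.11.4@sha256:..; None without a semver tag."""
    m = _TAG_RE.search(image)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version):
    """True when the controller version predates the fix for its release line."""
    line = version[:2]
    if line in FIXED:
        return version < FIXED[line]
    # Lines newer than 1.12 shipped after the fix; older lines never received one.
    return line < (1, 11)


def audit(kubectl_json):
    """Return (namespace, name, version, vulnerable, webhook_on) per ingress-nginx controller container."""
    findings = []
    for item in json.loads(kubectl_json)["items"]:
        meta = item["metadata"]
        for c in item["spec"]["template"]["spec"]["containers"]:
            if "ingress-nginx/controller" not in c["image"]:
                continue
            version = parse_version(c["image"])
            # The admission webhook is active whenever --validating-webhook is passed to the controller.
            webhook_on = any(a == "--validating-webhook" or a.startswith("--validating-webhook=")
                             for a in c.get("args", []))
            findings.append((meta["namespace"], meta["name"], version,
                             is_vulnerable(version) if version else None, webhook_on))
    return findings


# Constructed sample resembling kubectl output; the sha256 digest is a placeholder.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller"},
     "spec": {"template": {"spec": {"containers": [{"name": "controller",
         "image": "registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:PLACEHOLDER",
         "args": ["/nginx-ingress-controller", "--validating-webhook=:8443"]}]}}}},
    {"metadata": {"namespace": "edge", "name": "ingress-nginx-controller"},
     "spec": {"template": {"spec": {"containers": [{"name": "controller",
         "image": "registry.k8s.io/ingress-nginx/controller:v1.12.1",
         "args": ["/nginx-ingress-controller"]}]}}}}]})

if __name__ == "__main__":
    for ns, name, version, vuln, webhook in audit(SAMPLE):
        print(f"{ns}/{name}: version={version} vulnerable={vuln} admission_webhook={webhook}")
```

A controller flagged both vulnerable and webhook_on is the case the mitigation above addresses; a fixed version with the webhook on is the desired end state after upgrading.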
Patch availability
The vulnerability is fixed in ingress-nginx versions 1.12.1 and 1.11.5. Users are strongly advised to update to these versions or apply the provided mitigation.
Customers can always find updates in the “What’s New at Detectify” product log. Any questions can be directed to Customer Success representatives or Support. If you’re not already a customer, click here to sign up for a demo or a free trial and immediately start scanning. Go hack yourself!
References:
Original Research: Remote Code Execution Vulnerabilities in Ingress NGINX | Wiz Blog
Admission Control in Kubernetes