Critical Flaws in Ingress NGINX Controller Enable Remote Code Execution
A newly disclosed set of five severe vulnerabilities, dubbed IngressNightmare by cloud security firm Wiz, has put more than 6,500 Kubernetes clusters at risk. These critical flaws impact the Ingress NGINX Controller and could allow unauthenticated remote code execution (RCE), enabling full cluster compromise. The vulnerabilities, with CVSS scores as high as 9.8, do not affect the alternative NGINX Ingress Controller implementation for NGINX and NGINX Plus.
The affected component, the admission controller, is responsible for processing admission requests to the Kubernetes API. Due to its unrestricted network accessibility and elevated privileges, it becomes a key target for exploitation.
Wiz researchers discovered that malicious actors could craft ingress objects to send AdmissionReview requests directly to the admission controller. This allows them to inject arbitrary NGINX configuration, which leads to remote code execution within the controller pod and potential access to all secrets across namespaces.
Details of the IngressNightmare Vulnerabilities
The five vulnerabilities are:
- CVE-2025-24513 (CVSS 4.8) — Improper input validation could lead to directory traversal, denial-of-service, or limited secret leakage when chained with other flaws.
- CVE-2025-24514 (CVSS 8.8) — Abuse of the auth-url annotation can inject configuration and enable arbitrary code execution.
- CVE-2025-1097 (CVSS 8.8) — Exploiting the auth-tls-match-cn annotation results in configuration injection and secret disclosure.
- CVE-2025-1098 (CVSS 8.8) — Manipulating the mirror-target and mirror-host annotations can lead to unauthorized code execution.
- CVE-2025-1974 (CVSS 9.8) — Allows unauthenticated attackers with pod network access to execute arbitrary code under specific conditions.
Exploitation Scenario and Mitigation
In a theoretical attack chain demonstrated by Wiz, an adversary can upload a malicious shared library using the NGINX client-body buffer feature. This is followed by an AdmissionReview request that loads the library via injected configuration directives, ultimately leading to remote code execution.
Security researcher Hillai Ben-Sasson noted that the attacker could escalate privileges by exploiting a powerful Service Account, gaining full access to Kubernetes secrets and orchestrating a cluster-wide takeover.
CVE-2025-1974 and the rest of the vulnerabilities have been patched in Ingress NGINX Controller versions 1.12.1, 1.11.5, and 1.10.7. Users are urged to update immediately and restrict external access to the admission webhook endpoint. Additional mitigations include limiting access to the Kubernetes API Server and disabling the admission controller if not in use.
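As an added example (not code from the article or the ingress-nginx project), the POSIX shell check below classifies a controller image tag against the fixed releases named above and, given kubectl access, runs that check over every controller pod in a cluster. The pod label selector, the image-tag format and the "unknown means not patched" rule are assumptions.

```shell
#!/bin/sh
# Added example: classify Ingress NGINX Controller versions against the fixed
# releases named in the article (1.12.1, 1.11.5, 1.10.7). Assumption: tags look
# like "v1.11.4" or "1.11.4"; pre-release suffixes ("-rc1") and unparseable tags
# are treated as NOT patched so that they get a manual look.

# Exit status 0 = patched, 1 = vulnerable or unknown.
ingress_nginx_patched() {
    v=${1#v}
    case "$v" in *.*) ;; *) return 1 ;; esac          # need at least MAJOR.MINOR
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case "$rest" in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    for part in "$major" "$minor" "$patch"; do         # every part must be digits only
        case "$part" in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$major" -eq 1 ] || { [ "$major" -gt 1 ] && return 0; return 1; }
    [ "$minor" -ge 13 ] && return 0                    # newer minor lines than 1.12
    [ "$minor" -eq 12 ] && [ "$patch" -ge 1 ] && return 0
    [ "$minor" -eq 11 ] && [ "$patch" -ge 5 ] && return 0
    [ "$minor" -eq 10 ] && [ "$patch" -ge 7 ] && return 0
    return 1                                           # 1.9 and older, or below the fix
}

# Extract the tag from an image reference; digest suffix "@sha256:..." is dropped,
# and a reference with no tag yields "none".
image_tag() {
    ref=${1%%@*}
    tag=${ref##*:}
    case "$ref" in *:*) ;; *) tag=none ;; esac
    case "$tag" in */*) tag=none ;; esac               # colon was a registry port, not a tag
    printf '%s\n' "$tag"
}

# Live scan (needs kubectl); assumes the standard app.kubernetes.io/name=ingress-nginx label.
scan_cluster() {
    kubectl get pods -A -l app.kubernetes.io/name=ingress-nginx \
        -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name} {.spec.containers[*].image}{"\n"}{end}' |
    while read -r pod image; do
        tag=$(image_tag "$image")
        if ingress_nginx_patched "$tag"; then status=patched; else status="VULNERABLE-or-unknown"; fi
        printf '%-50s %-12s %s\n' "$pod" "$tag" "$status"
    done
}
```

Run `scan_cluster` with a kubeconfig for each cluster; any line not marked patched should be upgraded or have its admission webhook access restricted as described above.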
Other Recently Addressed NGINX Vulnerabilities
In addition to the IngressNightmare flaws, several other NGINX-related vulnerabilities have been identified and resolved:
- CVE-2024-24989: NULL pointer dereference in the HTTP/3 module (fixed in version 1.27.0).
- CVE-2024-24990: Use-after-free vulnerability in the HTTP/3 QUIC module (versions 1.25.0–1.25.3).
- CVE-2024-31079, CVE-2024-32760, CVE-2024-34161, and CVE-2024-35200: A series of memory corruption, disclosure, and buffer overflow issues addressed in versions 1.27.0 and later.
- CVE-2022-41741 and CVE-2022-41742: Memory corruption and disclosure vulnerabilities in the ngx_http_mp4_module (fixed in versions 1.23.2 and 1.22.1).
These cases highlight the importance of staying current with security patches and monitoring official advisories to maintain secure deployments of NGINX-based solutions.