Emergency Security Bulletin: IngressNightmare - NGINX Controller for Kubernetes


By: RedLegg's Cyber Threat Intelligence Team

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.

VULNERABILITIES:

IngressNightmare – Remote Code Execution Vulnerabilities in Ingress NGINX Controller for Kubernetes

CVSS Scores:
CVE-2025-1097: 8.8 (High)
CVE-2025-1098: 8.8 (High)
CVE-2025-24514: 8.8 (High)
CVE-2025-1974: 9.8 (Critical)

Identifiers: CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974 

Exploit or Proof of Concept (PoC): A proof of concept for this vulnerability was published yesterday: https://github.com/hakaioffsec/IngressNightmare-PoC

Update: The Kubernetes Security Response Committee has released patches addressing these vulnerabilities (https://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974)

Description: The IngressNightmare vulnerabilities affect the Ingress NGINX Controller for Kubernetes, a widely used ingress controller that facilitates external access to services within a Kubernetes cluster. These vulnerabilities arise from improper handling of specific annotations and configurations, allowing attackers to inject malicious configurations into NGINX. Exploitation can lead to unauthorized access to sensitive data and potential cluster takeover. Notably, CVE-2025-1974 enables unauthenticated remote code execution via the admission controller component, posing a critical risk to affected environments.

Mitigation Recommendation:  Administrators are strongly advised to upgrade to Ingress NGINX Controller versions 1.12.1 or 1.11.5, which contain fixes for these vulnerabilities. If immediate upgrading is not feasible, consider disabling the admission controller component and ensuring it is not exposed externally. Implementing strict network policies to limit access to the admission controller can also mitigate risk. 
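The first step in the recommendation above is knowing which controllers in a cluster are still below the fixed releases. The following POSIX shell script is an added example, not part of the bulletin or the ingress-nginx project: it classifies controller image tags against the fixed versions named above (1.11.5 for the 1.11 line, 1.12.1 for the 1.12 line) and runs over a constructed pod inventory; the pod names, the namespace `edge` and the digest value are placeholders.

```sh
#!/bin/sh
# Added example (not from the bulletin): returns 0 if an ingress-nginx
# controller image tag (e.g. "v1.11.4") is at or above the fixed release
# for its line, 1 otherwise. Tags follow registry.k8s.io/ingress-nginx.
ingress_nginx_is_patched() {
  tag=${1#v}                 # strip the leading "v"
  tag=${tag%%@*}             # drop any "@sha256:..." digest suffix
  major=${tag%%.*}
  rest=${tag#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  patch=${patch%%-*}         # drop a pre-release suffix such as "-rc.1"
  case "$major.$minor" in
    1.11) [ "$patch" -ge 5 ] ;;   # fixed in 1.11.5
    1.12) [ "$patch" -ge 1 ] ;;   # fixed in 1.12.1
    *)
      # Lines newer than 1.12 ship with the fix; anything older than 1.11
      # never received one and must be upgraded.
      [ "$major" -gt 1 ] || [ "$minor" -gt 12 ] ;;
  esac
}

# Constructed sample inventory in the form "namespace/pod image". In a real
# cluster the same shape comes from:
#   kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name} {.spec.containers[*].image}{"\n"}{end}'
SAMPLE_INVENTORY='ingress-nginx/ctl-a registry.k8s.io/ingress-nginx/controller:v1.11.4
ingress-nginx/ctl-b registry.k8s.io/ingress-nginx/controller:v1.12.1@sha256:PLACEHOLDERDIGEST
edge/ctl-c registry.k8s.io/ingress-nginx/controller:v1.10.6
kube-system/coredns registry.k8s.io/coredns/coredns:v1.11.3'

# Reads inventory lines on stdin, prints a verdict per controller pod and
# returns the number of unpatched controllers (0 means nothing to do).
report_unpatched() {
  unpatched=0
  while read -r pod image; do
    case "$image" in *ingress-nginx/controller:*) ;; *) continue ;; esac
    image=${image%%@*}       # digest first, so the tag is the last ":" field
    tag=${image##*:}
    if ingress_nginx_is_patched "$tag"; then
      printf '%-22s %-10s patched\n' "$pod" "$tag"
    else
      printf '%-22s %-10s UNPATCHED - upgrade to 1.12.1 / 1.11.5\n' "$pod" "$tag"
      unpatched=$((unpatched + 1))
    fi
  done
  return "$unpatched"
}

printf '%s\n' "$SAMPLE_INVENTORY" | report_unpatched
```

A non-zero exit status from `report_unpatched` makes the script usable as a gate in a pipeline or cron job until every controller is upgraded.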

Note:  Given the critical nature of these vulnerabilities and the potential for cluster compromise, prompt action is essential to secure Kubernetes environments.