A set of ‘critical’ zero-day vulnerabilities, collectively named IngressNightmare, has been discovered in the widely used Ingress-NGINX Controller for Kubernetes that can result in a ‘full takeover’ of a Kubernetes cluster! These flaws put over 6,500 publicly exposed clusters at risk of unauthenticated remote code execution (RCE) and privilege escalation, placing sensitive data and infrastructure integrity in significant jeopardy. DevOps teams and SREs managing Kubernetes clusters need to take immediate action to patch and mitigate this threat.

What is “IngressNightmare”?

IngressNightmare refers to five CVEs disclosed in March 2025, affecting the Ingress-NGINX Controller, a popular open-source project used to manage external access to services in Kubernetes. These vulnerabilities specifically target the admission controller, a component responsible for inspecting and validating resources before they are admitted into the Kubernetes cluster.

These vulnerabilities have been rated CVSS 9.8/10, indicating critical severity.

The affected CVEs are:

  • CVE-2025-24513: Ingress-NGINX admission controller remote code execution
  • CVE-2025-24514: auth-url Annotation Injection
  • CVE-2025-1097: auth-tls-match-cn Annotation Injection
  • CVE-2025-1098: mirror UID Injection
  • CVE-2025-1974: NGINX Configuration Code Execution

Why It’s a Serious Problem

The most alarming aspect of IngressNightmare is that the vulnerabilities can be exploited without authentication, and in many cases, from the public internet. This gives attackers a direct path to:

  • Execute arbitrary code within the Kubernetes environment.
  • Access all secrets across all namespaces, compromising sensitive configurations and credentials.
  • Escalate privileges and move laterally within the cluster, potentially gaining full control.

According to security firm Wiz, roughly 43% of internet-facing Kubernetes environments are running a vulnerable configuration. That translates to thousands of production systems that could be silently compromised if left unpatched.

The vulnerabilities stem from the fact that the Ingress-NGINX admission webhook was often misconfigured or exposed to external traffic, allowing attackers to manipulate it remotely. Once inside, the attacker can use crafted admission requests to trigger unintended code execution paths.

[Figure] Kubernetes Unauthenticated RCE via Ingress NGINX Controller – Source: Wiz Research

Mitigation Steps

If you’re managing Kubernetes clusters with the Ingress-NGINX Controller, here’s what you need to do immediately:

  1. Upgrade to a Patched Version
    Today, the Kubernetes project released the following Ingress-NGINX Controller updates to address the issue. Be sure to update to one of these patched releases:
    • v1.12.1
    • v1.11.5
    • v1.10.7
  2. Restrict Access to the Admission Controller
    Ensure that the webhook is not publicly accessible. It should only be reachable by the Kubernetes API server. Use network policies, firewall rules, or security groups to enforce this.
  3. Review Cluster Exposure
    Use tooling or cloud provider dashboards to audit your cluster’s public exposure. Verify whether your Ingress controller’s admission webhook is externally accessible.
  4. Consider Disabling the Admission Controller
    If you are not explicitly using the admission controller functionality, consider disabling it altogether to eliminate the attack surface.
  5. Monitor for Signs of Compromise
    Check logs for suspicious admission requests or unusual network activity. If you suspect compromise, isolate affected nodes and rotate secrets.
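One way to script the checks behind steps 1 to 4, as an added example that is not from the original article: it inspects the controller Deployment and the admission webhook Service (constructed samples below stand in for `kubectl ... -o json` output; the object names and the `--validating-webhook` argument follow the standard ingress-nginx manifests) and flags a controller tag below the patched releases listed above, a webhook that is switched on, and a webhook Service published beyond the cluster network.

```python
import json
import re

# Patched releases named in the article, keyed by minor line (major, minor).
PATCHED = {(1, 12): (1, 12, 1), (1, 11): (1, 11, 5), (1, 10): (1, 10, 7)}

def parse_tag(image):
    """Extract (major, minor, patch) from an image ref such as
    registry.k8s.io/ingress-nginx/controller:v1.11.2 (digest suffix tolerated)."""
    m = re.search(r":v?(\d+)\.(\d+)\.(\d+)", image)
    return tuple(int(x) for x in m.groups()) if m else None

def is_vulnerable_version(image):
    """True when the tag is below the patched release for its minor line.
    Lines older than 1.10 received no fix; an unparsable tag is flagged too."""
    v = parse_tag(image)
    if v is None:
        return True
    fixed = PATCHED.get(v[:2])
    if fixed is None:
        return v[:2] < (1, 10)
    return v < fixed

def webhook_enabled(deployment):
    """ingress-nginx turns the admission webhook on with --validating-webhook=<addr>."""
    args = deployment["spec"]["template"]["spec"]["containers"][0].get("args", [])
    return any(a.split("=", 1)[0] == "--validating-webhook" for a in args)

def webhook_exposed(service):
    """The webhook should be reachable only by the API server; a NodePort or
    LoadBalancer Service publishes it beyond the cluster network."""
    return service["spec"].get("type", "ClusterIP") in ("NodePort", "LoadBalancer")

def audit(deployment, service):
    """Combine the three checks into one finding map (True means a finding)."""
    image = deployment["spec"]["template"]["spec"]["containers"][0]["image"]
    return {
        "vulnerable_version": is_vulnerable_version(image),
        "webhook_enabled": webhook_enabled(deployment),
        "webhook_exposed": webhook_exposed(service),
    }

# Constructed sample objects (trimmed to the fields used), standing in for
# `kubectl -n ingress-nginx get deploy/ingress-nginx-controller -o json` and
# `kubectl -n ingress-nginx get svc/ingress-nginx-controller-admission -o json`.
SAMPLE_DEPLOYMENT = json.loads("""{"spec": {"template": {"spec": {"containers": [
  {"image": "registry.k8s.io/ingress-nginx/controller:v1.11.2",
   "args": ["/nginx-ingress-controller", "--validating-webhook=:8443"]}]}}}}""")
SAMPLE_SERVICE = json.loads('{"spec": {"type": "LoadBalancer", "ports": [{"port": 443}]}}')

if __name__ == "__main__":
    for check, hit in audit(SAMPLE_DEPLOYMENT, SAMPLE_SERVICE).items():
        print(f"{check}: {'FINDING' if hit else 'ok'}")
```

A ClusterIP webhook Service is still worth fencing with a NetworkPolicy that admits only API-server traffic, since the Service type alone says nothing about in-cluster reachability.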

Conclusion

The IngressNightmare vulnerabilities are a reminder that even widely trusted open-source components can become high-risk attack vectors if not properly secured and updated. For DevOps teams and SREs, it’s crucial to remain proactive in auditing configurations, limiting public exposure, and applying security patches as soon as they become available.

If your clusters are exposed and running a vulnerable version of Ingress-NGINX, treat this as a security emergency. Patch, restrict access, and review exposure today.

Chris Pietschmann is a Microsoft MVP, HashiCorp Ambassador, and Microsoft Certified Trainer (MCT) with 20+ years of experience designing and building Cloud & Enterprise systems. He has worked with companies of all sizes from startups to large enterprises. He has a passion for technology and sharing what he learns with others to help enable them to learn faster and be more productive.