Critical Ingress NGINX Controller Vulnerability Exposes Kubernetes to Unauthenticated RCE

 



Critical Ingress NGINX Controller Vulnerabilities Expose Kubernetes Clusters to Remote Code Execution

A set of five critical security vulnerabilities have been disclosed in the Ingress NGINX Controller for Kubernetes, potentially allowing unauthenticated remote code execution (RCE). This flaw puts over 6,500 clusters at immediate risk, particularly those with the component exposed to the public internet.


IngressNightmare: A Severe Security Threat

The vulnerabilities, collectively named IngressNightmare by cloud security firm Wiz, have been assigned the following CVEs with a CVSS score of up to 9.8:

  • CVE-2025-24513 (CVSS: 4.8) – Improper input validation allows directory traversal, leading to denial-of-service (DoS) or limited secret object disclosure.

  • CVE-2025-24514 (CVSS: 8.8) – The auth-url Ingress annotation enables NGINX configuration injection, resulting in arbitrary code execution and secret disclosure.

  • CVE-2025-1097 (CVSS: 8.8) – The auth-tls-match-cn Ingress annotation allows NGINX configuration injection, leading to arbitrary code execution and secret exposure.

  • CVE-2025-1098 (CVSS: 8.8) – The mirror-target and mirror-host annotations permit arbitrary configuration injection, causing remote code execution and secret disclosure.

  • CVE-2025-1974 (CVSS: 9.8) – An unauthenticated attacker with pod network access can execute arbitrary code in the ingress-nginx controller, potentially leading to a full cluster takeover.

How the Exploit Works

Ingress NGINX Controller leverages NGINX as a reverse proxy and load balancer, allowing external HTTP and HTTPS traffic into Kubernetes services. The attack abuses admission controllers, which are accessible over the network without authentication.

Attack Chain:

  1. An attacker uploads a malicious payload as a shared library using the NGINX client-body buffer feature.

  2. The attacker sends an AdmissionReview request with a configuration injection to the admission controller.

  3. The injected directive causes the shared library to load, leading to remote code execution within the ingress-nginx controller.

  4. With high-privileged service accounts, the attacker gains access to Kubernetes secrets across namespaces, potentially compromising the entire cluster.

Who Is Affected?

According to Wiz, approximately 43% of cloud environments using the Ingress NGINX Controller are vulnerable. However, it is important to note that the NGINX Ingress Controller (a separate implementation for NGINX and NGINX Plus) is not affected.

Mitigation and Recommended Actions

The Kubernetes Security Response Committee has released patches in the following Ingress NGINX Controller versions:

  • 1.12.1

  • 1.11.5

  • 1.10.7

Immediate Steps:

  • Update Immediately: Upgrade to the latest patched version of Ingress NGINX Controller.

  • Restrict Admission Controller Access: Ensure that only the Kubernetes API Server can communicate with the admission controller.

  • Disable Admission Controller (if unnecessary): If your setup does not require the admission controller, consider disabling it temporarily.

  • Prevent External Exposure: Avoid exposing the admission webhook endpoint to external networks.


By at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Russian Hackers Leverage CVE-2025-26633 and MSC EvilTwin to Deploy SilentPrism and DarkWisp Malware

  Russian Hackers Exploit CVE-2025-26633 via MSC EvilTwin to Deploy SilentPrism and DarkWisp A suspected Russian hacking group known as Wate...