Researchers at cloud security giant Wiz have identified critical vulnerabilities that can expose Kubernetes clusters to remote hacking.
Kubernetes is a widely used open source system for managing containerized applications across multiple hosts. A cluster is a set of nodes that run such applications.
The vulnerabilities discovered by Wiz have been assigned the CVE identifiers CVE-2025-1097, CVE-2025-1098, CVE-2025-24514 and CVE-2025-1974, and have collectively been named IngressNightmare because they impact Ingress NGINX Controller for Kubernetes, which serves as a load balancer and reverse proxy inside the cluster.
“Using Ingress-NGINX is one of the most common methods for exposing Kubernetes applications externally,” Wiz explained.
Specifically, the IngressNightmare vulnerabilities impact an admission controller, which validates incoming ingress objects before they are deployed. The risk of attacks is increased by the fact that admission controllers are accessible over the network without authentication.
Wiz said 41% of internet-facing clusters are running Ingress NGINX. In addition, 43% of the cloud environments it has seen have at least one vulnerable instance, and 6,500 clusters, including ones belonging to Fortune 500 companies, publicly expose vulnerable admission controllers to the internet.
“When the Ingress-NGINX admission controller processes an incoming ingress object, it constructs an NGINX configuration from it and then validates it using the NGINX binary. Our team found a vulnerability in this phase that allows injecting an arbitrary NGINX configuration remotely, by sending a malicious ingress object directly to the admission controller through the network,” Wiz explained.
“During the configuration validation phase, the injected NGINX configuration causes the NGINX validator to execute code, allowing remote code execution (RCE) on the Ingress NGINX Controller’s pod,” it added.
The IngressNightmare vulnerabilities could ultimately allow an attacker to gain access to all secrets stored across all namespaces and take complete control of the targeted Kubernetes cluster.
“Ingress NGINX is a critical infrastructure component used by the world’s largest enterprises and organizations – from AI companies to Fortune 500 corporations. This makes the hypothetical scenarios as severe as they get,” Nir Ohfeld, head of research at Wiz, told SecurityWeek.
“With Kubernetes serving as the backbone of all cloud environments, if a malicious actor were to take over these clusters, they would have the ability to access and modify all data. The potential implications are essentially limitless,” Ohfeld said.
Wiz reported its findings to Kubernetes in late December 2024 and January 2025. Ingress NGINX Controller versions 1.12.1 and 1.11.5, both released on Monday, should patch the vulnerabilities.
Users should update as soon as possible, and in the meantime they can reduce the risk of exploitation through mitigations involving the admission controller: either temporarily disabling it if not needed, or restricting access to it to the Kubernetes API server.
Advisories for the IngressNightmare vulnerabilities have been published by Kubernetes, Google Cloud, and Microsoft.
Related: Critical Vulnerabilities Found in Ruijie Reyee Cloud Management Platform
Related: Industry Reactions to Google Buying Wiz
Related: Critical Aviatrix Controller Vulnerability Exploited Against Cloud Environments
