IngressNightmare: Kubernetes Ingress-NGINX Controller vulnerability #
Today, Wiz released an advisory detailing an attack chain they’ve dubbed IngressNightmare, which, if left exposed and unpatched, can be exploited to achieve remote code execution by unauthenticated attackers. The advisory, covering five separate vulnerabilities, was published after a brief embargo period, once the Kubernetes folks got their patches together.
What's the impact? #
At its core, IngressNightmare is a collection of four injection vulnerabilities (CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, and CVE-2025-1098), tied together by a fifth issue, CVE-2025-1974, which brings the whole attack chain together. Notably, the attack does appear to depend on a clear shot to the admission controller of the Ingress-NGINX controller; the controller itself is an optional component that allows Kubernetes-homed services to be reached from the wider network.
Finally, it’s important to note that the very similarly-named NGINX Ingress controller is not affected by these Ingress-NGINX controller vulnerabilities.
Are updates or workarounds available? #
Kubernetes has released an update to address these vulnerabilities. Users are advised to update to version 1.11.5, 1.12.1, or any later version as quickly as possible.
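Because the fix is tied to specific releases per minor line (1.11.5 and 1.12.1, or anything later), a quick way to triage a cluster is to pull the controller image tags out of the ingress-nginx pods and compare them against those thresholds. The script below is an added example and is not runZero's or the Kubernetes project's code; it assumes the controller image path contains `ingress-nginx/controller` and a `vMAJOR.MINOR.PATCH` tag, and the pod records it inspects are constructed here, not taken from a real cluster.

```python
"""Triage ingress-nginx controller image tags against the patched releases
named in the advisory (1.11.5, 1.12.1, or any later version).

Added example: the pod records below are constructed sample data shaped like
the relevant fields of `kubectl get pods -A -o json`, not output from a cluster.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Minimum patched release for each minor line that received a fix (from the advisory).
FIXED_MIN: Dict[Tuple[int, int], Version] = {
    (1, 11): (1, 11, 5),
    (1, 12): (1, 12, 1),
}
# First minor line newer than the patched ones; assumed to ship with the fix included.
FIRST_UNAFFECTED_LINE: Version = (1, 13, 0)

# Assumed image naming: <registry>/ingress-nginx/controller:vX.Y.Z[-suffix]
TAG_RE = re.compile(
    r"^(?P<repo>.+?):v?(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:[-+][^@]*)?(?:@sha256:[0-9a-f]+)?$"
)


def parse_controller_tag(image: str) -> Optional[Version]:
    """Return (major, minor, patch) for an ingress-nginx controller image, else None."""
    m = TAG_RE.match(image)
    if not m or "ingress-nginx/controller" not in m["repo"]:
        return None
    return (int(m["major"]), int(m["minor"]), int(m["patch"]))


def is_patched(version: Version) -> bool:
    """True if the controller release is at or above the fixed release for its line."""
    line = (version[0], version[1])
    if line in FIXED_MIN:
        return version >= FIXED_MIN[line]
    # Lines older than 1.11 never received a fix; lines from 1.13 onward post-date it.
    return version >= FIRST_UNAFFECTED_LINE


def triage_pods(pods: List[dict]) -> Dict[str, str]:
    """Map 'namespace/pod' to 'patched', 'vulnerable', or 'unknown' for controller pods."""
    results: Dict[str, str] = {}
    for pod in pods:
        meta = pod.get("metadata", {})
        key = f"{meta.get('namespace', '')}/{meta.get('name', '')}"
        for container in pod.get("spec", {}).get("containers", []):
            version = parse_controller_tag(container.get("image", ""))
            if version is None:
                continue  # not an ingress-nginx controller container
            results[key] = "patched" if is_patched(version) else "vulnerable"
        if key not in results and any(
            "ingress-nginx" in c.get("image", "") for c in pod.get("spec", {}).get("containers", [])
        ):
            results[key] = "unknown"  # controller image with an unparseable tag
    return results


# Constructed sample pod records (not real cluster output).
SAMPLE_PODS = [
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-a"},
     "spec": {"containers": [{"image": "registry.k8s.io/ingress-nginx/controller:v1.11.4"}]}},
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-b"},
     "spec": {"containers": [{"image": "registry.k8s.io/ingress-nginx/controller:v1.12.1"}]}},
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-c"},
     "spec": {"containers": [{"image": "registry.k8s.io/ingress-nginx/controller:latest"}]}},
    {"metadata": {"namespace": "kube-system", "name": "coredns-x"},
     "spec": {"containers": [{"image": "registry.k8s.io/coredns/coredns:v1.11.1"}]}},
]

if __name__ == "__main__":
    for pod_key, status in triage_pods(SAMPLE_PODS).items():
        print(f"{status:10s} {pod_key}")
```

Pods whose controller tag is a floating label such as `latest` are reported as `unknown` rather than silently skipped, since those are exactly the ones that need a manual look at the running image digest.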
How to find potentially vulnerable Ingress-NGINX services with runZero #
From the Services Inventory, use the following query to locate potentially vulnerable systems:
(_asset.protocols:tls AND protocol:tls AND tls.issuer:="O=nil1" AND tls.subject:="O=nil2" AND tls.names:"%nginx%")