Source URL: https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
Source: Hacker News
Title: RCE Vulnerabilities in K8s Ingress Nginx (9.8 CVE for ingress-Nginx)
AI Summary and Description: Yes
### Summary:
The text outlines the discovery of significant vulnerabilities in the Ingress NGINX Controller for Kubernetes, collectively known as IngressNightmare. These vulnerabilities, which allow unauthenticated Remote Code Execution (RCE), pose critical risks to cloud security and potentially affect 43% of cloud environments running Kubernetes, including those of Fortune 500 companies. The findings highlight the urgent need for organizations to patch these vulnerabilities and to apply mitigations until they can.
### Detailed Description:
Wiz Research identified several critical vulnerabilities (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, and CVE-2025-1974) in the Ingress NGINX Controller for Kubernetes that can give an attacker unauthorized access to all cluster secrets and lead to full cluster takeover. The vulnerabilities, dubbed IngressNightmare, carry a CVSS v3.1 score of 9.8 and affect the admission controller component.
**Key Points:**
– **Impact and Scope:**
– Approximately 43% of cloud environments using Kubernetes are at risk.
– Over 6,500 Kubernetes clusters, including those hosted by Fortune 500 companies, are publicly exposed and vulnerable.
– **Technical Exploitation:**
– Attackers can exploit these vulnerabilities to inject arbitrary configuration into the NGINX setup, leading to remote code execution.
– The root cause is that the admission controller accepts requests without authentication, so any pod that can reach it over the network can send it crafted AdmissionReview requests.
– **Specific Vulnerabilities:**
– **CVE-2025-24514:** Improper sanitization of authentication-related annotations lets attackers inject arbitrary NGINX configuration directives.
– **CVE-2025-1097:** Insufficient validation of the Common Name annotation likewise permits directive injection.
– **CVE-2025-1098 & CVE-2025-1974:** Cover UID injection and code execution through NGINX configuration, respectively; chained together, they enable arbitrary code execution.
– **Mitigation Strategies:**
– Immediate upgrade to fixed versions (1.12.1 and 1.11.5) is recommended for affected clusters.
– Enforce strict network policies restricting admission controller access to only the Kubernetes API Server.
– Where an upgrade cannot be performed immediately, temporarily disable the admission controller (for Helm installs, through the chart's configuration) to reduce risk until the upgrade is done.
– **Research Insights:**
– A greater focus on securing admission controllers is necessary, as their high privileges and network exposure present substantial risks.
– The attack surface associated with admission controllers should be minimized, and public accessibility needs to be eliminated.
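As an added illustration of the upgrade check above (example code written for this summary, not from Wiz or the ingress-nginx project), the following Python flags controller images that sit below the fixed releases 1.12.1 and 1.11.5. The cluster listing is constructed, the upstream image-name pattern is my assumption, and release lines newer than 1.12 are assumed to be fixed.

```python
# Added example for this summary, not code from Wiz or the ingress-nginx project:
# flags ingress-nginx controller images below the fixed releases named above
# (1.12.1 on the 1.12 line, 1.11.5 on the 1.11 line).
import re
from typing import List, Optional, Tuple

# Fixed releases per the summary; release lines newer than 1.12 are assumed fixed.
FIXED = {(1, 12): (1, 12, 1), (1, 11): (1, 11, 5)}
# Upstream controller / controller-chroot image names (assumption); a trailing
# @sha256 digest after the tag does not disturb the match.
IMAGE_RE = re.compile(r"ingress-nginx/controller(?:-chroot)?:v?(\d+)\.(\d+)\.(\d+)")

def parse_version(image: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for an ingress-nginx controller image, else None."""
    m = IMAGE_RE.search(image)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None

def needs_upgrade(version: Tuple[int, int, int]) -> bool:
    """True when the version is below the fixed release for its release line."""
    line = version[:2]
    if line in FIXED:
        return version < FIXED[line]
    return line < (1, 11)  # older lines predate both fixes; newer lines assumed fixed

def audit(listing: str) -> List[Tuple[str, str, str, bool]]:
    """Parse 'namespace pod image' rows (e.g. from `kubectl get pods -A -o jsonpath`)
    and return (namespace, pod, version, needs_upgrade) per controller container."""
    findings = []
    for row in listing.strip().splitlines():
        ns, pod, image = row.split()
        v = parse_version(image)
        if v is None:
            continue  # not an ingress-nginx controller container
        findings.append((ns, pod, ".".join(map(str, v)), needs_upgrade(v)))
    return findings

# Constructed sample listing, not real cluster output.
SAMPLE = """\
ingress-nginx ingress-nginx-controller-abc registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:0000
ingress-nginx ingress-nginx-controller-def registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1
kube-system coredns-xyz registry.k8s.io/coredns/coredns:v1.11.1
edge ingress-nginx-controller-ghi registry.k8s.io/ingress-nginx/controller:v1.10.0
"""

if __name__ == "__main__":
    for ns, pod, ver, bad in audit(SAMPLE):
        print(f"{'UPGRADE' if bad else 'ok'}\t{ns}/{pod}\tcontroller {ver}")
```

Feed it the real listing from each cluster to get an inventory of controllers still on pre-fix versions; it does not touch the cluster itself.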
**Recommendations for Security Professionals:**
– Organizations should prioritize patching vulnerable clusters and enforce access controls that minimize potential exposure.
– Continuous monitoring of traffic and deployment configurations with tools like Wiz Dynamic Scanner may help in early detection of such vulnerabilities.
– Engage with community resources to stay informed of patches and updates following the public disclosure of vulnerabilities.
The analysis underlines how critical it is to address cloud security weaknesses in real time, and the importance of proactive measures for compliance and risk management in cloud infrastructures.