IngressNightmare: Four Critical Bugs Found in 40% of Cloud Systems


Kubernetes customers using the popular Ingress NGINX Controller have been urged to patch four newly discovered remote code execution (RCE) flaws assigned a CVSS score of 9.8.

Dubbed “IngressNightmare” by Wiz Security, the four vulnerabilities impact the admission controller component of the popular open source software, which is designed to route external traffic to the relevant Kubernetes services and pods.

Wiz Research claimed the flaws impact 43% of all cloud environments, including many Fortune 500 companies. Because the software’s admission controllers are typically exposed to the public internet, they are at “critical risk” of attack, it warned.

The four vulnerabilities are: CVE-2025-1097, CVE-2025-1098, CVE-2025-24514 and CVE-2025-1974. The first three could enable an attacker to inject arbitrary NGINX configuration directives. When chained with the fourth, the threat actor would be able to achieve remote code execution.


“When the Ingress-NGINX admission controller processes an incoming ingress object, it constructs an NGINX configuration from it and then validates it using the NGINX binary. Our team found a vulnerability in this phase that allows injecting an arbitrary NGINX configuration remotely, by sending a malicious ingress object directly to the admission controller through the network,” Wiz Security explained.

“During the configuration validation phase, the injected NGINX configuration causes the NGINX validator to execute code, allowing remote code execution (RCE) on the Ingress NGINX Controller’s pod.”

Because the admission controller has escalated privileges and unrestricted access to the network, exploitation of the chained flaws could allow an attacker to execute arbitrary code, access all cluster secrets and completely take over a targeted cluster, it added.

To keep their systems secure, Kubernetes admins are urged to upgrade to Ingress NGINX Controller version 1.12.1 or 1.11.5 (the first fixed release on each line) and to ensure the admission webhook endpoint is not exposed externally.
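The two checks above (controller version and admission webhook exposure) can be scripted against `kubectl ... -o json` output. The audit below is an added example, not Wiz's or the ingress-nginx project's code; it assumes the webhook Service name contains "admission" as in the upstream manifests, and the pod and Service data are constructed inline.

```python
import re

# First fixed release on each line, as named in the article.
FIXED = {(1, 11): (1, 11, 5), (1, 12): (1, 12, 1)}

def parse_version(image):
    """Extract (major, minor, patch) from a controller image reference such as
    registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:... (None if absent)."""
    m = re.search(r":v?(\d+)\.(\d+)\.(\d+)", image)
    return tuple(int(x) for x in m.groups()) if m else None

def is_patched(version):
    """True when the version is at or past the first fixed release of its minor
    line. Lines older than 1.11 got no fix; lines newer than 1.12 include it."""
    if version is None:
        return False
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return version >= (1, 12, 1)
    return version >= fixed

def audit(pods, services):
    """Return findings: unpatched controller pods and admission webhook Services
    of a type (LoadBalancer/NodePort) that makes them reachable from outside."""
    findings = []
    for pod in pods:
        for c in pod["spec"]["containers"]:
            if "ingress-nginx/controller" in c["image"] and not is_patched(parse_version(c["image"])):
                findings.append(f"pod {pod['metadata']['name']}: {c['image']} predates the fix")
    for svc in services:
        # Assumption: the webhook Service name contains "admission" (upstream: ingress-nginx-controller-admission).
        if "admission" in svc["metadata"]["name"] and svc["spec"].get("type") in ("LoadBalancer", "NodePort"):
            findings.append(f"service {svc['metadata']['name']}: admission webhook exposed via {svc['spec']['type']}")
    return findings
# Constructed sample resources, shaped like `kubectl get pods,svc -o json` items.
SAMPLE_PODS = [
    {"metadata": {"name": "ingress-nginx-controller-a"},
     "spec": {"containers": [{"image": "registry.k8s.io/ingress-nginx/controller:v1.11.2"}]}},
    {"metadata": {"name": "ingress-nginx-controller-b"},
     "spec": {"containers": [{"image": "registry.k8s.io/ingress-nginx/controller:v1.12.1"}]}},
]
SAMPLE_SERVICES = [
    {"metadata": {"name": "ingress-nginx-controller-admission"}, "spec": {"type": "LoadBalancer"}},
    {"metadata": {"name": "ingress-nginx-controller-admission"}, "spec": {"type": "ClusterIP"}},
]

if __name__ == "__main__":
    for line in audit(SAMPLE_PODS, SAMPLE_SERVICES):
        print(line)
```

A ClusterIP Service is still reachable from pods inside the cluster, which Wiz also flags; this script only catches the externally routable cases.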

The security vendor has also published some mitigations for those that can’t immediately upgrade to patched versions.

The First of Many?

Unfortunately, this could be the first of many such discoveries in Kubernetes admission controllers.

“Initially, we were surprised to see that such a large code base is used behind the scenes. In our view, this attack surface should be restricted in a much better way: removing access from pods within the cluster, and never exposing this publicly,” Wiz Security concluded.

“We were also surprised by the lack of least-privilege design, as the exploit ended up with privileges to take control of the cluster. During this research, we found other vulnerabilities in Ingress NGINX Controller, and we expect to find more in other admission controllers.”
