A recently discovered set of vulnerabilities, dubbed \u201cIngressNightmare,\u201d found in Ingress NGINX Controller, exposing clusters to unauthenticated remote code execution (RCE). Kubernetes dominates container orchestration, but its prominence has made it a target for exploitation. <\/p>\n
In Kubernetes, Ingress serves as a sophisticated traffic management system, enabling external access to internal services. It comprises two core components:<\/p>\n
- \n
- \nIngress Resources:<\/strong> These define routing rules based on hostnames, paths, or other criteria, typically specified in YAML configuration files.<\/li>\n
- \nIngress Controllers:<\/strong> These implement the routing rules, often using a reverse proxy or load balancer. <\/li>\n<\/ul>\n
The Ingress NGINX Controller, built on the popular NGINX web server, is one of the most widely deployed options, boasting over 18,000 stars on GitHub.<\/p>\n
These flaws could allow attackers to compromise entire Kubernetes environments. Ingress in Kubernetes manages external traffic to internal services through Ingress resources YAML files defining routing rules by hostname or path and an Ingress Controller, such as the NGINX variant, which enforces these rules via a reverse proxy. <\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgfqgLoA0Rtsu0aKvs23m0F4ARqseTmuIY0iKvhHoq03Rx_PzenuzFKyzCfQljSbUKlf6QB1vsSfuLl_QPxkqQfMyjjL4szVNjaRUSaK_RTA3JIaPYkdovNI4v3rHbAe0pE-TCCN9DjWGsx_5XdDksf-laIOY4QpkG00VmwuID94Sifymy0IOMX9FM_pNLN\/s16000\/external_traffic_ingress.webp?ssl=1\")
Flow of external traffic to internal services via ingress controller within the cluster<\/figcaption><\/figure>\n For example, a YAML might direct example.com\/ to a frontend service and example.com\/api to a backend service. While versatile, this system is vulnerable when exploited.<\/p>\n
IngressNightmare: Four Critical Vulnerabilities<\/strong><\/h2>\n
IngressNightmare encompasses four vulnerabilities in the Ingress NGINX Controller\u2019s admission webhook, which validates Ingress objects. These flaws affect versions prior to v1.11.0, v1.11.0\u2013v1.11.4, and v1.12.0, with patches available in v1.11.5 and v1.12.1. They are:<\/p>\n
- \n
- \nCVE-2025-1097<\/a> (Auth-tls-match-cn Annotation Injection)<\/strong>: This vulnerability allows attackers to inject malicious configurations via the auth-tls-match-cn annotation, bypassing authentication checks. It can manipulate TLS verification, potentially exposing sensitive data or enabling further exploitation (CVSS 8.8).<\/li>\n
- \nCVE-2025-1098<\/a> (Mirror UID Injection)<\/strong>: By exploiting mirror-related annotations (mirror-target or mirror-host) or UID manipulation, attackers can inject arbitrary configurations. This could redirect traffic or execute unauthorized actions, compromising cluster integrity (CVSS 8.8).<\/li>\n
- \nCVE-2025-24514<\/a> (Auth-url Annotation Injection)<\/strong>: This flaw targets the auth-url annotation, permitting attackers to inject malicious URLs that the controller processes. It can lead to unauthorized access or serve as an entry point for broader attacks (CVSS 8.8).<\/li>\n
- \nCVE-2025-1974<\/a> (NGINX Configuration Code Execution)<\/strong>: The most severe, this vulnerability enables unauthenticated RCE by exploiting NGINX configuration validation. Attackers inject code executed during the nginx -t test, granting access to cluster secrets and full control (CVSS 9.8).<\/li>\n<\/ul>\n
Successful exploitation could expose all secrets, enable lateral movement, or result in cluster takeover.<\/p>\n
How the Attack Works?<\/strong><\/h2>\n
The IngressNightmare attack exploits these weaknesses in a multi-stage process. It starts with discovery, where attackers scan for exposed controllers using tools like Shodan. <\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEilkpjwGp9Tl0-5pKUvwpX9JeQzkUPL5tRZOdG1j67Ijo1O_-3CLmRqilQOJ_KC5yZgxjK2AuMVGQhZ8XrvoC53q2z00UTqNCL4BJBaTm0uikZ9gHQaGPmIv5so5j8g0lBk7IwqWjsc5lDnTzpR3l2q-UIUsVMkMX_OgmlNGMmjLhPw1N0GXjG9fgfB8IMf\/s16000\/ingress_nightmare_attack.webp?ssl=1\")
IngressNightmare Attack<\/figcaption><\/figure>\n They then craft a malicious Ingress object, embedding harmful NGINX directives into annotations like auth-url or auth-tls-match-cn. <\/p>\n
This object is sent as an unauthenticated AdmissionReview request to the webhook, exploiting its lack of authentication. <\/p>\n
According to the report<\/a>, The controller generates an NGINX configuration incorporating the injected code, and during validation with nginx -t, the malicious directives such as loading a rogue library execute, achieving RCE. With the controller\u2019s privileges, attackers access secrets, move laterally, and potentially dominate the cluster.<\/p>\n
Mitigation Strategies<\/strong><\/h2>\n
Check for vulnerable pods with:<\/strong><\/p>\n
bash<\/strong><\/p>\n
kubectl get pods --all-namespaces --selector app.kubernetes.io\/name=ingress-nginx<\/code><\/pre>\nVerify versions via kubectl describe pod. If at risk, upgrade to v1.11.5 or v1.12.1 using:<\/p>\n
bash<\/strong><\/p>\n
helm upgrade ingress-nginx ingress-nginx\/ingress-nginx --version <patched-version><\/code><\/pre>\nIf patching isn\u2019t immediate, restrict webhook access with network policies or disable it by setting controller.admissionWebhooks.enabled=false (Helm) or removing the ValidatingWebhookConfiguration.<\/p>\n
Ingress also poses operational issues: SSL errors need secret and DNS validation; routing problems require log and endpoint checks; and performance bottlenecks benefit from scaling replicas and adjusting proxy settings like proxy-buffer-size: \u201c8k\u201d.<\/p>\n
IngressNightmare reveals Kubernetes\u2019 exposure to sophisticated attacks. With patches and mitigation steps available, organizations must prioritize securing their clusters. Operational diligence ensures resilience. Act now to counter this critical threat.<\/p>\n
Find this News Interesting! Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>, and\u00a0X<\/a>\u00a0to Get Instant Updates<\/strong><\/p>\n
The post \u201cIngressNightmare\u201d Critical RCE Vulnerabilities in Kubernetes NGINX Clusters Let Attackers Gain Full Control<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n
- \nCVE-2025-1098<\/a> (Mirror UID Injection)<\/strong>: By exploiting mirror-related annotations (mirror-target or mirror-host) or UID manipulation, attackers can inject arbitrary configurations. This could redirect traffic or execute unauthorized actions, compromising cluster integrity (CVSS 8.8).<\/li>\n
- \nIngress Controllers:<\/strong> These implement the routing rules, often using a reverse proxy or load balancer. <\/li>\n<\/ul>\n