Unauthenticated Remote Code Execution in Ingress NGINX (CVE-2025-1974)


Overview

CVE-2025-1974 is a critical vulnerability in the Kubernetes Ingress-NGINX Controller that allows unauthenticated remote code execution (RCE): an attacker who can reach the controller's admission webhook can run arbitrary code inside the controller pod without any credentials. Together with four related flaws it was disclosed by the cloud security company Wiz under the name “Ingress Nightmare”.

CVSS Score: 9.8 (Critical)

Ingress Nightmare: The Vulnerability Cluster

The following CVEs are part of the Ingress Nightmare suite:

  • CVE-2025-24513 – Improper input validation allows directory traversal within the controller container, which can lead to denial of service or limited disclosure of secrets (CVSS: 4.8).

  • CVE-2025-24514 – Configuration injection through the auth-url annotation allows arbitrary code execution (CVSS: 8.8).

  • CVE-2025-1097 – Configuration injection through the auth-tls-match-cn annotation allows arbitrary code execution (CVSS: 8.8).

  • CVE-2025-1098 – Configuration injection through the mirror-host and mirror-target annotations can lead to RCE (CVSS: 8.8).

  • CVE-2025-1974 – Unauthenticated RCE through the admission controller (CVSS: 9.8).

Important: the NGINX Ingress Controller maintained by F5/NGINX is a different project from the Kubernetes community's Ingress-NGINX Controller and is not affected.

What is Kubernetes Ingress?

Ingress is a Kubernetes API object that manages external access to services, typically HTTP/HTTPS, using hostnames, paths, SSL/TLS termination, and load balancing. The Ingress object only declares the routing; an Ingress Controller such as Ingress-NGINX implements it by translating Ingress objects into real proxy configuration.

How CVE-2025-1974 Enables Remote Code Execution

The vulnerability lies in the Ingress-NGINX admission controller, a validating webhook that checks incoming Ingress objects before the API server accepts them. By default the webhook accepts requests from anywhere in the pod network without authentication, and it validates an Ingress by rendering it into an NGINX configuration and running nginx -t on the result. An attacker who can reach the webhook can:

  1. Upload a malicious shared object (.so) to the controller pod by sending it as the body of a large HTTP POST. NGINX buffers the body to a temporary file, and that file stays reachable through the worker process's /proc/<pid>/fd/ entries.

  2. Craft an Ingress object whose annotations (for example auth-url) carry NGINX directives instead of the values the controller expects, so that arbitrary directives are injected into the rendered configuration.

  3. Send that object directly to the admission controller over the network as an AdmissionReview request, bypassing the Kubernetes API server and therefore its authentication and RBAC.

  4. Let the controller run nginx -t on the rendered configuration, which loads the attacker's shared library.

NGINX's ssl_engine directive was the key to the last step: it tells NGINX to have OpenSSL load an engine from a shared library, and that load happens while the configuration is being tested, so an injected ssl_engine pointing at the uploaded file executes the attacker's code inside the controller pod.
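To make the injection mechanics concrete, here is an added example in Python (not code from the page, from Wiz, or from the ingress-nginx project). The template it renders is an assumed stand-in for the controller's real one, attacker_directive is a placeholder name, and the validation rule is our own conservative allow-list rather than the project's fix. What it shows is how a value pasted verbatim into a directive yields extra directives, and how rejecting directive-terminating characters before templating closes that path.

```python
import re

# Illustrative stand-in for how an annotation value reaches the generated
# NGINX configuration. This is NOT the ingress-nginx template (assumption:
# one proxy_pass line inside an internal auth location), but it has the
# property that matters: the value is pasted in verbatim, so a ';' or newline
# inside it ends the directive and whatever follows becomes a new directive.
def render_auth_location(auth_url):
    return (
        "location = /_external-auth {\n"
        "    internal;\n"
        f"    proxy_pass {auth_url};\n"
        "}\n"
    )


def directive_names(config):
    """Names of the 'name args;' statements in a snippet (line-based scan,
    enough to count how many directives a value produced)."""
    return re.findall(r"^\s*([a-z_]+)\b[^;{}\n]*;", config, re.MULTILINE)


# Hardened form: validate before templating. Allow only an absolute http(s)
# URL and reject every character that can terminate or open an NGINX
# directive (';', '{', '}', '#', quotes, whitespace). '$' stays allowed
# because values such as https://$host/oauth2/auth are common with this
# annotation. This is our own conservative rule, not the project's fix.
_AUTH_URL_RE = re.compile(r"^https?://[A-Za-z0-9._~%!$&()*+,=:@/?\[\]-]+$")


def validate_auth_url(value):
    return bool(_AUTH_URL_RE.match(value))


def render_auth_location_hardened(auth_url):
    if not validate_auth_url(auth_url):
        raise ValueError(f"rejected auth-url value: {auth_url!r}")
    return render_auth_location(auth_url)


# Constructed sample values: a normal auth-url and one that smuggles a second
# directive behind ';' and a newline (attacker_directive is a placeholder).
BENIGN_AUTH_URL = "https://auth.example.internal/verify"
CRAFTED_AUTH_URL = "https://auth.example.internal/verify;\nattacker_directive on"


def injection_demo():
    """Return (directives from the benign value, directives from the crafted
    value, whether the hardened renderer rejected the crafted value)."""
    benign = directive_names(render_auth_location(BENIGN_AUTH_URL))
    crafted = directive_names(render_auth_location(CRAFTED_AUTH_URL))
    try:
        render_auth_location_hardened(CRAFTED_AUTH_URL)
        rejected = False
    except ValueError:
        rejected = True
    return benign, crafted, rejected


if __name__ == "__main__":
    benign, crafted, rejected = injection_demo()
    print("benign value renders :", benign)
    print("crafted value renders:", crafted)
    print("hardened renderer rejected crafted value:", rejected)
```

The benign value renders exactly the two directives the template contains; the crafted value renders three, the third being whatever the attacker put after the terminator. The real controller then hands that configuration to nginx -t, which is where an injected ssl_engine line would be acted on.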

Exploit Demonstration

Check out a proof-of-concept here: Ingress Nightmare GitHub Repo

Affected Versions

  • Affected: all Ingress-NGINX Controller releases before v1.11.5, plus v1.12.0.

  • Fixed in: v1.11.5 and v1.12.1 (and later releases).

Remediation & Best Practices

Secure your Kubernetes clusters immediately using the following steps:

  1. Upgrade to a fixed version (v1.11.5, or v1.12.1 and later).

  2. If you cannot upgrade immediately, disable the validating admission webhook temporarily:

    • Via Helm: set controller.admissionWebhooks.enabled=false

    • Manually: delete the ValidatingWebhookConfiguration named ingress-nginx-admission and remove the --validating-webhook argument from the controller Deployment's container args

  3. Audit ingress rules and their annotations, paying attention to auth-url, auth-tls-match-cn, mirror-target, and mirror-host:

    kubectl get ingress --all-namespaces -o yaml

  4. Isolate namespaces to avoid lateral movement.

  5. Restrict ingress changes to authorized users only.

  6. Apply network policies to restrict which pods can reach the controller, including its admission webhook port.

  7. Enforce HTTPS, use strong TLS ciphers.

  8. Ship Kubernetes audit logs to a SIEM or ELK stack and run runtime detection with Falco; Prometheus and Grafana cover metrics, not audit logs.

  9. Use a WAF like ModSecurity or AWS WAF.

  10. Scan YAMLs and Helm Charts for misconfigs using OPA or Kyverno.

  11. Run Kubernetes Security Scanners (e.g., Kube-bench, Kube-hunter).

Disable admission controller only temporarily. Reactivate post-upgrade to restore security validations.
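As an added example (not code from the page or the ingress-nginx project), the following Python script turns the affected-version list and the audit step above into a check you can run offline against kubectl output. It assumes the community controller image path contains ingress-nginx/controller and that the risky annotations use the default nginx.ingress.kubernetes.io prefix or a custom prefix with the same suffixes; the sample pods and ingresses are constructed.

```python
"""Inventory check for Ingress Nightmare exposure (added example, not project code).

Usage:
    kubectl get pods -A -o json    > pods.json
    kubectl get ingress -A -o json > ingresses.json
    python3 ingress_nightmare_audit.py pods.json ingresses.json

Without arguments it runs against the constructed sample data below.
"""
import json
import re
import sys

# Annotations the advisories tie to configuration injection, keyed by the
# suffix after the annotation prefix (nginx.ingress.kubernetes.io by default).
RISKY_ANNOTATIONS = {
    "auth-url": "CVE-2025-24514",
    "auth-tls-match-cn": "CVE-2025-1097",
    "mirror-target": "CVE-2025-1098",
    "mirror-host": "CVE-2025-1098",
}

# Assumed marker for the community controller image
# (e.g. registry.k8s.io/ingress-nginx/controller:v1.12.0).
CONTROLLER_IMAGE_MARKER = "ingress-nginx/controller"


def parse_version(tag):
    """'v1.12.0' -> (1, 12, 0); None if the tag is not semver-like."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable_version(tag):
    """True for the affected releases (everything before v1.11.5, plus
    v1.12.0); None when the tag cannot be parsed."""
    v = parse_version(tag)
    if v is None:
        return None
    return v < (1, 11, 5) or v == (1, 12, 0)


def image_tag(image):
    """Tag of an image reference, tolerating a registry port and an @sha256 digest."""
    name = image.split("@", 1)[0]
    last = name.rsplit("/", 1)[-1]
    return last.split(":", 1)[1] if ":" in last else "latest"


def find_controllers(pods):
    """Controller containers in a 'kubectl get pods -o json' document."""
    found = []
    for pod in pods.get("items", []):
        meta = pod.get("metadata", {})
        for container in pod.get("spec", {}).get("containers", []):
            image = container.get("image", "")
            if CONTROLLER_IMAGE_MARKER in image:
                found.append({"namespace": meta.get("namespace"), "pod": meta.get("name"),
                              "image": image,
                              "vulnerable": is_vulnerable_version(image_tag(image))})
    return found


def find_risky_annotations(ingresses):
    """Ingresses in a 'kubectl get ingress -o json' document that use one of the
    annotations tied to the CVEs. Each hit deserves a manual look at the value:
    a legitimate URL or CN never needs ';', '{', '}' or a newline."""
    hits = []
    for ing in ingresses.get("items", []):
        meta = ing.get("metadata", {})
        for key, value in (meta.get("annotations") or {}).items():
            cve = RISKY_ANNOTATIONS.get(key.rsplit("/", 1)[-1])
            if cve:
                hits.append({"namespace": meta.get("namespace"), "ingress": meta.get("name"),
                             "annotation": key, "value": value, "cve": cve})
    return hits


def audit(pods, ingresses):
    return {"controllers": find_controllers(pods),
            "annotations": find_risky_annotations(ingresses)}


# Constructed sample data (not from any real cluster; the digest is a dummy).
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-7d4f"},
     "spec": {"containers": [{"name": "controller",
              "image": "registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:deadbeef"}]}},
    {"metadata": {"namespace": "kube-system", "name": "coredns-5c6b"},
     "spec": {"containers": [{"name": "coredns", "image": "registry.k8s.io/coredns/coredns:v1.11.3"}]}},
]}
SAMPLE_INGRESSES = {"items": [
    {"metadata": {"namespace": "shop", "name": "checkout",
     "annotations": {"nginx.ingress.kubernetes.io/auth-url": "https://auth.shop.svc/verify"}}},
    {"metadata": {"namespace": "dev", "name": "canary",
     "annotations": {"nginx.ingress.kubernetes.io/mirror-target": "https://mirror.dev.svc/$request_uri"}}},
    {"metadata": {"namespace": "docs", "name": "site"}},
]}


def main(argv):
    if len(argv) == 3:
        with open(argv[1]) as f:
            pods = json.load(f)
        with open(argv[2]) as f:
            ingresses = json.load(f)
    else:
        pods, ingresses = SAMPLE_PODS, SAMPLE_INGRESSES
    report = audit(pods, ingresses)
    for c in report["controllers"]:
        state = {True: "VULNERABLE", False: "fixed", None: "unknown tag"}[c["vulnerable"]]
        print(f"{c['namespace']}/{c['pod']}: {c['image']} -> {state}")
    for h in report["annotations"]:
        print(f"{h['namespace']}/{h['ingress']}: {h['annotation']}={h['value']!r} ({h['cve']})")
    return 1 if any(c["vulnerable"] for c in report["controllers"]) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status is non-zero when any controller runs an affected tag, so the script can gate a CI job or a scheduled compliance check; the annotation hits are a review list rather than a verdict, since the same annotations are used legitimately for external auth and traffic mirroring.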


Apphaz Can Help

At Apphaz, we provide comprehensive Kubernetes security assessments, including:

  • Infrastructure and configuration reviews

  • Ingress and admission controller hardening

  • Vulnerability and misconfiguration scanning

  • CI/CD integration for DevSecOps

  • DAST, API, and container security assessments

Don’t wait for a breach.

Book a free demo today to secure your Kubernetes environment.

Stay ahead of zero-days. Stay secure with Apphaz.