IngressNightmare: CVE-2025-1974, a CVSS 9.8 critical unauthenticated remote code execution vulnerability in Ingress NGINX

Wiz Research discovered several unauthenticated Remote Code Execution vulnerabilities in Ingress NGINX Controller for Kubernetes dubbed #IngressNightmare. These include CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, and CVE-2025-1974.

  • Ingress NGINX Controller is a popular ingress controller for Kubernetes, with over 18,000 stars on GitHub. It uses NGINX as a reverse proxy and load balancer.
  • The vulnerability lies in the admission controller within the pod, which validates incoming ingress objects. By sending a malicious ingress object, attackers can inject arbitrary NGINX configurations and execute remote code, gaining access to all cluster secrets and potentially taking over the cluster.
  • The CVSS v3.1 base score for this attack vector is 9.8. About 43% of cloud environments are vulnerable, with over 6,500 clusters, including Fortune 500 companies, exposed.
  • Mitigation and detection methods include updating to the latest version of Ingress NGINX Controller (1.12.1 and 1.11.5), ensuring the admission webhook endpoint is not exposed externally, enforcing strict network policies, and temporarily disabling the admission controller if upgrading is not possible.
  • Wiz customers can use the pre-built query and advisory in the Wiz Threat Center, and the Wiz Dynamic Scanner validates for exposed admission controllers. The Wiz Runtime Sensor detects zero-day vulnerabilities.
  • The research was motivated by the overlooked attack surface of Kubernetes Admission Controllers. The team discovered multiple injection points in the Ingress NGINX Admission Controller code, including auth-url, auth-tls-match-cn, mirror UID, and ssl_engine.
  • The responsible disclosure timeline shows the reporting and fix process with Kubernetes.
  • Wiz can help customers identify vulnerable Kubernetes clusters through their Threat Intel Center.
The team consists of Nir Ohfeld, Sagi Tzadik, Ronen Shustin, Hillai Ben-Sasson, and Andres Riancho from the Wiz Research Team. They are dedicated to making the cloud safer.
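The first mitigation listed above is upgrading to a fixed release (1.12.1 or 1.11.5). The script below is an added example, not code from Wiz Research or from the Ingress NGINX project: it reads the JSON that `kubectl get pods -A -o json` prints, picks out controller containers, and classifies each one against the fixed versions named in this summary. The image repository pattern (`ingress-nginx/controller`, as published on registry.k8s.io), the rule that minor lines newer than 1.12 already carry the fix, and the embedded sample pod list are assumptions made for the example.

```python
"""Classify Ingress NGINX controller pods against the IngressNightmare fix level.

Added example (not Wiz Research or Kubernetes project code). Input is the JSON
printed by `kubectl get pods -A -o json`; a constructed sample is embedded below
so the script runs offline. Fixed releases (1.12.1 and 1.11.5) come from the
advisory summary; everything else here is an assumption for illustration.
"""
import json
import re
import sys
from typing import Optional

# Fixed releases per the advisory summary, keyed by minor line.
FIXED = {(1, 12): (1, 12, 1), (1, 11): (1, 11, 5)}

# Assumed upstream image repository (matches both the normal and -chroot images).
CONTROLLER_IMAGE_RE = re.compile(r"ingress-nginx/controller(?:-chroot)?[:@]")


def parse_version(image: str) -> Optional[tuple]:
    """Return (major, minor, patch) from an image reference such as
    registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:..., or None
    when the reference carries no parseable tag (digest-only, 'latest', ...)."""
    ref = image.split("@", 1)[0]              # drop any digest
    last = ref.rsplit("/", 1)[-1]             # 'controller:v1.11.2' or 'controller'
    if ":" not in last:
        return None
    tag = last.rsplit(":", 1)[1]
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_fixed(version: tuple) -> bool:
    """True when the version is at or above the fixed release of its minor line.
    Assumption: minor lines newer than 1.12 carry the fix; lines older than
    1.11 received no fix and are treated as vulnerable."""
    line = version[:2]
    if line in FIXED:
        return version >= FIXED[line]
    return line > (1, 12)


def assess_pods(pods_json: str) -> list:
    """Walk a pod list and report one finding per controller container."""
    findings = []
    for pod in json.loads(pods_json)["items"]:
        ns = pod["metadata"]["namespace"]
        name = pod["metadata"]["name"]
        for container in pod["spec"]["containers"]:
            image = container["image"]
            if not CONTROLLER_IMAGE_RE.search(image):
                continue                      # not an ingress-nginx controller
            ver = parse_version(image)
            if ver is None:
                status = "unknown"
            else:
                status = "fixed" if is_fixed(ver) else "VULNERABLE"
            findings.append({"namespace": ns, "pod": name, "image": image,
                             "version": ver, "status": status})
    return findings


# Constructed sample resembling `kubectl get pods -A -o json` (not real cluster data).
SAMPLE_PODS_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-a1"},
     "spec": {"containers": [{"image": "registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:0000"}]}},
    {"metadata": {"namespace": "kube-system", "name": "coredns-b2"},
     "spec": {"containers": [{"image": "registry.k8s.io/coredns/coredns:v1.11.1"}]}},
    {"metadata": {"namespace": "edge", "name": "ingress-nginx-controller-c3"},
     "spec": {"containers": [{"image": "registry.k8s.io/ingress-nginx/controller:v1.12.1"}]}},
    {"metadata": {"namespace": "legacy", "name": "ingress-nginx-controller-d4"},
     "spec": {"containers": [{"image": "registry.k8s.io/ingress-nginx/controller-chroot:v1.10.0"}]}},
]})


if __name__ == "__main__":
    # Pipe real output in (`kubectl get pods -A -o json | python3 this.py`)
    # or run with no stdin to use the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PODS_JSON
    for f in assess_pods(data or SAMPLE_PODS_JSON):
        print(f"{f['status']:10} {f['namespace']}/{f['pod']}  {f['image']}")
```

Pods reported as `unknown` (digest-only or untagged images) need a manual check of the running binary's version; the script deliberately does not guess for them.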