Summary: A set of five critical vulnerabilities, collectively named IngressNightmare, has been identified in the Ingress NGINX Controller for Kubernetes, exposing over 6,500 clusters to potential unauthenticated remote code execution. These vulnerabilities could lead to unauthorized access to all secrets across various namespaces, potentially resulting in complete cluster takeover. Users are urged to update to the latest versions of the Ingress NGINX Controller to mitigate the risks.
Affected: Ingress NGINX Controller for Kubernetes
Key points:
- Five critical vulnerabilities (CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, CVE-2025-1974) have been disclosed, with a CVSS score of 9.8.
- The flaws enable unauthorized access to Kubernetes secrets and can lead to cluster takeover via code execution through an exploited admission controller.
- Immediate action is advised, including updating to the latest versions (1.12.1, 1.11.5, and 1.10.7) and restricting access to the admission controller.
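An added defender-side check (not from the article or the ingress-nginx project): it scans `kubectl get deploy -A -o json` output for ingress-nginx controller images and flags any below the fixed releases named above (1.12.1, 1.11.5, 1.10.7). The sample JSON is constructed; the image naming pattern and the assumption that minor lines newer than 1.12 are fixed are mine.

```python
"""Flag ingress-nginx controller images that predate the IngressNightmare fixes."""
import json
import re

# Fixed releases per minor line, as stated in the advisory.
FIXED = {(1, 12): (1, 12, 1), (1, 11): (1, 11, 5), (1, 10): (1, 10, 7)}
# Assumed image naming: registry.k8s.io/ingress-nginx/controller[-chroot]:vX.Y.Z[@sha256:...]
IMAGE_RE = re.compile(r"ingress-nginx/controller(?:-chroot)?:v?(\d+)\.(\d+)\.(\d+)")

def parse_version(image):
    """Return (major, minor, patch) for an ingress-nginx controller image, else None."""
    m = IMAGE_RE.search(image)
    return tuple(int(x) for x in m.groups()) if m else None

def is_patched(version):
    """True if the version is at or above the fixed release for its minor line.
    Lines older than 1.10 received no fix; lines newer than 1.12 are assumed fixed."""
    major, minor, _ = version
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return (major, minor) > (1, 12)
    return version >= fixed

def find_unpatched(kubectl_json):
    """Scan `kubectl get deploy -A -o json` output; return (namespace, name, image) for unpatched controllers."""
    findings = []
    for item in json.loads(kubectl_json)["items"]:
        ns, name = item["metadata"]["namespace"], item["metadata"]["name"]
        for c in item["spec"]["template"]["spec"]["containers"]:
            v = parse_version(c["image"])
            if v and not is_patched(v):
                findings.append((ns, name, c["image"]))
    return findings

# Constructed sample output (not from a real cluster).
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller"},
     "spec": {"template": {"spec": {"containers": [
         {"image": "registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:abc"}]}}}},
    {"metadata": {"namespace": "edge", "name": "ingress-nginx-controller"},
     "spec": {"template": {"spec": {"containers": [
         {"image": "registry.k8s.io/ingress-nginx/controller:v1.12.1"}]}}}},
    {"metadata": {"namespace": "web", "name": "app"},
     "spec": {"template": {"spec": {"containers": [{"image": "nginx:1.27"}]}}}},
]})

if __name__ == "__main__":
    for ns, name, image in find_unpatched(SAMPLE):
        print(f"UNPATCHED {ns}/{name}: {image}")
```

Version checks alone do not cover the second mitigation; the admission webhook's network exposure still has to be reviewed separately.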
Source: https://thehackernews.com/2025/03/critical-ingress-nginx-controller.html