National Cyber Warfare Foundation (NCWF)

Security Update: Publicly Exposed Ingress NGINX Admission
2025-03-26 16:04:04
milo
Blue Team (CND)


The post Security Update: Publicly Exposed Ingress NGINX Admission appeared first on Blog Detectify.



A series of vulnerabilities, known as IngressNightmare (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974), have been identified in ingress-nginx, a widely used Kubernetes ingress controller. When exploited together, these vulnerabilities allow for configuration injection through the Validating Admission Controller. Unauthenticated remote attackers on the Pod network could exploit this vulnerability to gain unauthorized access to sensitive data, including Kubernetes Secrets, and even perform a complete takeover of the cluster.


Affected Products


The Kubernetes Ingress NGINX Controller is a widely used component that routes external traffic to cluster services. It includes an admission controller that validates incoming ingress objects by reviewing configurations and ensuring they are correct before approval. This controller operates with significant privileges, as it requires access to resources across the cluster.


All versions of ingress-nginx are potentially vulnerable. The issue is fixed in versions 1.12.1 and 1.11.5.


Vulnerability Details


CVE-2025-1974 arises from configuration injection vulnerabilities within ingress-nginx’s Validating Admission Controller. Combined with other vulnerabilities (CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098), attackers on the Pod network can gain unauthorized access to Kubernetes Secrets and potentially take over the entire cluster.


Detection


Detectify Surface Monitoring customers can test whether they have exposed ingress NGINX admission, which enables the exploit chain. 


The vulnerability assessment released by Detectify identifies exposed Ingress NGINX admission controllers by analyzing TLS certificates.


Mitigation



  • Upgrade to ingress-nginx versions 1.12.1 or 1.11.5.

  • If immediate patching is not feasible, disable the Validating Admission Controller:

    • For Helm installations: Set controller.admissionWebhooks.enabled=false.

    • For manual installations: Delete the ValidatingWebhookConfiguration named ingress-nginx-admission and remove --validating-webhook from the ingress-nginx-controller Deployment or DaemonSet arguments.

    • Remember to re-enable the Validating Admission Controller after upgrading.
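
The following shell script is an added example, not Detectify's or the ingress-nginx project's code. It classifies a controller image tag against the fixed releases named above (1.11.5 and 1.12.1), lists the images running in the ingress-nginx namespace, and wraps the two mitigation paths from the list (Helm value and manual webhook removal) plus the re-enable step. Assumptions not taken from the advisory: image tags look like `[registry/image:]v1.11.4[@sha256:...]`, minor lines newer than 1.12 are treated as carrying the fix, the Helm chart is reachable as `ingress-nginx/ingress-nginx`, the release and namespace are both named `ingress-nginx`, and `jq` is available for the manual path.

```shell
#!/bin/sh
# Added example (not Detectify's or ingress-nginx's code): version check
# and mitigation wrappers for the advisory above.
# Assumptions (not from the advisory): tag layout, ">1.12 is fixed",
# Helm chart/release names, and jq being installed.

# ingress_nginx_is_fixed IMAGE_OR_TAG
# exit 0 = at or above a fixed release, 1 = vulnerable, 2 = unparseable
ingress_nginx_is_fixed() {
    tag="${1%%@*}"        # drop any "@sha256:..." digest suffix
    tag="${tag##*:}"      # drop "registry/image:" prefix, keep the tag
    tag="${tag#v}"        # drop the leading "v"
    case "$tag" in
        *[!0-9.]*|'') return 2 ;;   # anything but digits and dots
        *.*.*) ;;                   # need major.minor.patch
        *) return 2 ;;
    esac
    major="${tag%%.*}"
    rest="${tag#*.}"
    minor="${rest%%.*}"
    patch="${rest#*.}"
    patch="${patch%%.*}"
    [ "$major" -eq 1 ] || return 2
    case "$minor" in
        11) [ "$patch" -ge 5 ] ;;   # 1.11.5 is the fixed 1.11 release
        12) [ "$patch" -ge 1 ] ;;   # 1.12.1 is the fixed 1.12 release
        *)  [ "$minor" -gt 12 ] ;;  # assumption: later lines include the fix
    esac
}

# audit_ingress_nginx [NAMESPACE]: print OK/CHECK per container image of
# every Deployment and DaemonSet in the namespace (needs kubectl access)
audit_ingress_nginx() {
    ns="${1:-ingress-nginx}"
    kubectl get deploy,ds -n "$ns" -o jsonpath='{range .items[*]}{.metadata.name} {.spec.template.spec.containers[*].image}{"\n"}{end}' |
    while read -r name images; do
        for image in $images; do
            if ingress_nginx_is_fixed "$image"; then
                echo "OK    $name $image"
            else
                echo "CHECK $name $image"   # vulnerable or unparseable: inspect by hand
            fi
        done
    done
}

# Helm installations: flip the chart value from the advisory.
# disable_webhook_helm [RELEASE] [NAMESPACE]
disable_webhook_helm() {
    helm upgrade "${1:-ingress-nginx}" ingress-nginx/ingress-nginx \
        -n "${2:-ingress-nginx}" --reuse-values \
        --set controller.admissionWebhooks.enabled=false
}

# Re-enable the webhook once the controller runs 1.11.5 / 1.12.1 or later.
reenable_webhook_helm() {
    helm upgrade "${1:-ingress-nginx}" ingress-nginx/ingress-nginx \
        -n "${2:-ingress-nginx}" --reuse-values \
        --set controller.admissionWebhooks.enabled=true
}

# Manual installations: delete the webhook configuration and strip every
# --validating-webhook* argument from the controller Deployment.
# disable_webhook_manual [NAMESPACE] [DEPLOYMENT]
disable_webhook_manual() {
    ns="${1:-ingress-nginx}"
    deploy="${2:-ingress-nginx-controller}"
    kubectl delete validatingwebhookconfiguration ingress-nginx-admission
    kubectl get deploy "$deploy" -n "$ns" -o json |
        jq '.spec.template.spec.containers[0].args |= map(select(startswith("--validating-webhook") | not))' |
        kubectl replace -f -
}
```

Run `audit_ingress_nginx` first; only lines marked CHECK need action, and the Helm path is preferable where it applies because the chart tracks the value across upgrades. For a DaemonSet-based install, substitute `ds` for `deploy` in `disable_webhook_manual`.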




Patch availability


The vulnerability is fixed in ingress-nginx versions 1.12.1 and 1.11.5. Users are strongly advised to update to these versions or apply the provided mitigation.


Customers can always find updates in the “What’s New at Detectify” product log. Any questions can be directed to Customer Success representatives or Support. If you’re not already a customer, click here to sign up for a demo or a free trial and immediately start scanning. Go hack yourself!


References:


Original Research: Remote Code Execution Vulnerabilities in Ingress NGINX | Wiz Blog

Admission Control in Kubernetes




Source: detectify
Source Link: https://blog.detectify.com/product-updates/security-update-publicly-exposed-ingress-nginx-admission/


Copyright 2012 through 2025 - National Cyber Warfare Foundation - All rights reserved worldwide.