Ingress NGINX Remote Code Execution Vulnerability Let Attacker Takeover Cluster
- From site: Vulnerability (cybersecuritynews.com)
Author: Guru Baran
Researchers have uncovered a series of critical security vulnerabilities in the Ingress NGINX Controller for Kubernetes, collectively dubbed “IngressNightmare.”
These flaws could allow unauthenticated attackers to execute remote code and gain complete control over vulnerable Kubernetes clusters.
Ingress NGINX Remote Code Execution Vulnerabilities
The vulnerabilities, assigned CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974, and CVE-2025-24513, affect the admission controller component of the Ingress NGINX Controller.
This attack vector has been given a CVSS v3.1 base score of 9.8.
CVE-2025-1097: This vulnerability allows for configuration injection via the unsanitized auth-tls-match-cn annotation in Ingress NGINX Controller.
For example, using the annotation:
It enables attackers to bypass validation checks and inject arbitrary NGINX configurations, potentially leading to remote code execution.
CVE-2025-1098: This flaw involves configuration injection through unsanitized mirror annotations in Ingress NGINX Controller.
It allows attackers to inject arbitrary NGINX configuration directives by manipulating the UID field, which is not properly sanitized.
CVE-2025-24514: This flaw allows for configuration injection via the unsanitized auth-url annotation in Ingress NGINX Controller.
Consider the following auth-url annotation:
The final configuration will be as follows:
It enables attackers to inject arbitrary NGINX configuration directives, potentially leading to remote code execution.
CVE-2025-1974: This issue allows for remote code execution in the Ingress NGINX Admission Controller. Attackers inject the ssl_engine directive through crafted AdmissionReview requests.
It enables attackers to load arbitrary shared libraries during the NGINX configuration testing phase, leading to code execution with elevated privileges.
CVE-2025-24513: This vulnerability in Ingress NGINX Controller involves a file path traversal issue related to auth secret files. It has a lower severity compared to the other vulnerabilities in this set.
“Exploitation of these vulnerabilities leads to unauthorized access to all secrets stored across all namespaces in the Kubernetes cluster by attackers, which can result in cluster takeover,” Wiz researchers warned in their disclosure.
The Ingress NGINX Controller is one of the most popular ingress controllers for Kubernetes with over 18,000 stars on GitHub.
It’s a core Kubernetes project used to expose applications running in clusters to external traffic.
According to Wiz’s analysis, approximately 43% of cloud environments are vulnerable, with over 6,500 clusters (including those of Fortune 500 companies) publicly exposing vulnerable admission controllers to the internet.
The summary of the vulnerabilities is given below:
Risk Factors / Details:
- Affected Products: Ingress NGINX Controller for Kubernetes
- Impact: Remote Code Execution
- Exploit Prerequisites: Network access to admission controller
- CVSS 3.1 Score: 9.8 (Critical)
Technical Exploitation Path
The exploitation chain works as follows:
- Attackers upload a malicious shared library payload by exploiting NGINX client body buffers.
- They send a specially crafted AdmissionReview request containing directive injections.
- The injected directive (typically ssl_engine) causes NGINX to load the attacker’s file as a shared library.
- This leads to code execution with the pod’s elevated privileges.
The vulnerable controller runs with elevated privileges and unrestricted network accessibility, allowing attackers to access all cluster secrets across namespaces, potentially leading to complete cluster takeover.
Security experts strongly advise Kubernetes administrators to take immediate action:
- Update to Ingress NGINX Controller version 1.12.1 or 1.11.5, which contain patches for these vulnerabilities
- Ensure the admission webhook endpoint is not exposed externally
- Implement strict network policies to limit access to the admission controller
- If an immediate upgrade isn’t possible, temporarily disable the admission controller; for Helm installations, set controller.admissionWebhooks.enabled=false
“If you can’t upgrade immediately, consider enforcing strict network policies so only the Kubernetes API Server can access the admission controller,” Wiz advised.
Organizations can check for vulnerable deployments using the command: kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx.
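That command only lists the pods; an administrator still has to read each controller’s image tag and compare it with the patched releases named above (1.12.1 and 1.11.5). The following check is an added example, not code from the article or from Wiz: it parses the JSON form of that listing (`kubectl get pods --all-namespaces -o json`) and flags any ingress-nginx controller below the fixed version of its release line. The pod data below is constructed for the example, including the placeholder image digest.

```python
import json
import re

# Fixed releases per line, as named in the article. Lines older than 1.11
# have no fixed release here, so any such version is reported for upgrade.
FIXED = {(1, 12): (1, 12, 1), (1, 11): (1, 11, 5)}

# Constructed sample of `kubectl get pods -A -o json` output (not real cluster data).
SAMPLE_PODS_JSON = json.dumps({
    "items": [
        {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-a",
                      "labels": {"app.kubernetes.io/name": "ingress-nginx"}},
         "spec": {"containers": [{"image": "registry.k8s.io/ingress-nginx/controller:v1.11.3"}]}},
        {"metadata": {"namespace": "edge", "name": "ingress-nginx-controller-b",
                      "labels": {"app.kubernetes.io/name": "ingress-nginx"}},
         "spec": {"containers": [{"image": "registry.k8s.io/ingress-nginx/controller:v1.12.1@sha256:PLACEHOLDER"}]}},
        {"metadata": {"namespace": "default", "name": "web", "labels": {"app": "web"}},
         "spec": {"containers": [{"image": "nginx:1.27"}]}},
    ]
})

# Matches the first ":v1.2.3" / ":1.2.3" tag; a trailing @sha256 digest does not interfere.
VERSION_RE = re.compile(r":v?(\d+)\.(\d+)\.(\d+)")

def parse_version(image):
    """Return (major, minor, patch) from an image reference, or None if no semver tag."""
    m = VERSION_RE.search(image)
    return tuple(int(x) for x in m.groups()) if m else None

def is_patched(version):
    """True only if the version is at or above the fixed release of its own line."""
    fixed = FIXED.get(version[:2])
    return fixed is not None and version >= fixed

def find_vulnerable_controllers(pods_json):
    """Return [(namespace, pod, image)] for ingress-nginx pods that need an upgrade."""
    findings = []
    for pod in json.loads(pods_json)["items"]:
        labels = pod["metadata"].get("labels", {})
        if labels.get("app.kubernetes.io/name") != "ingress-nginx":
            continue
        for c in pod["spec"]["containers"]:
            v = parse_version(c["image"])
            # Images without a parseable tag are reported too; verify those by hand.
            if v is None or not is_patched(v):
                findings.append((pod["metadata"]["namespace"], pod["metadata"]["name"], c["image"]))
    return findings

if __name__ == "__main__":
    for ns, name, image in find_vulnerable_controllers(SAMPLE_PODS_JSON):
        print(f"UPGRADE NEEDED: {ns}/{name} runs {image}")
```

Pipe a real listing in place of the constructed sample to run it against a cluster; a reported pod means the controller should be upgraded or its admission webhook isolated as described above.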
The discovery of IngressNightmare highlights the critical importance of securing Kubernetes admission controllers, which are often overlooked attack surfaces in cluster environments.
With the technical details now public, administrators should prioritize patching to prevent the exploitation of these severe vulnerabilities.