A set of vulnerabilities known as IngressNightmare (CVE-2025-1097, CVE-2025-1098, CVE-2025-24513, CVE-2025-24514 and CVE-2025-1974) has been identified in ingress-nginx, a widely used Kubernetes ingress controller. Chained together, they allow NGINX configuration injection through the controller's Validating Admission Controller. Because the admission webhook accepts requests without authentication, any attacker who can reach it (typically any workload on the Pod network, or anyone on the internet if the webhook has been exposed further) can exploit the chain to gain code execution in the controller pod, read sensitive data including Kubernetes Secrets, and potentially take over the whole cluster.
The Kubernetes Ingress NGINX Controller routes external traffic to Services inside the cluster. It ships with an admission controller, a validating webhook that the API server calls for every new or changed Ingress object; the webhook renders the NGINX configuration the object would produce and checks it before the object is accepted. The webhook runs inside the controller pod and is reachable over the network without authentication, and the pod's service account can read Secrets across the cluster (it needs the TLS keys of the Ingresses it serves), so anything that gains code execution there inherits those cluster-wide privileges.
Every release of ingress-nginx before the fixes is affected. The issue is fixed in versions 1.12.1 (1.12 branch) and 1.11.5 (1.11 branch).
CVE-2025-1974 is the heart of the chain: the Validating Admission Controller accepts AdmissionReview requests from anyone who can reach it, builds a temporary NGINX configuration from the submitted Ingress, and validates it by invoking nginx. The other CVEs are the injection points that feed it: CVE-2025-24514 (auth-url annotation), CVE-2025-1097 (auth-tls-match-cn annotation) and CVE-2025-1098 (mirror-target and mirror-host annotations) let attacker-controlled annotation values land in that configuration unescaped, and CVE-2025-24513 is a path-traversal issue in how auth secret files are handled. Combined, they give an attacker on the Pod network code execution in the controller pod and, through its service account, access to Secrets cluster-wide, which is enough to take over the entire cluster.
Detectify Surface Monitoring customers can test whether they have an exposed ingress-nginx admission controller, the entry point that enables the exploit chain.
The vulnerability assessment released by Detectify identifies exposed ingress-nginx admission controllers by inspecting the TLS certificate the endpoint presents. The check is reliable because the admission webhook does not use a publicly issued certificate: in the default manifests and the Helm chart it is generated at install time by the kube-webhook-certgen job, which mints a CA with issuer "O=nil1" and a leaf certificate with subject "O=nil2" whose SAN contains "ingress-nginx-controller-admission". A host on the internet presenting such a certificate is an admission webhook that should only ever have been reachable by the Kubernetes API server. Two caveats: installations that supply their own certificate (for example through cert-manager) will not match, so a negative result is not proof that the webhook is unreachable, and a match tells you the endpoint is exposed but not which controller version is running, so treat it as a prompt to verify the version and patch.
The vulnerability is fixed in ingress-nginx versions 1.12.1 and 1.11.5, and users are strongly advised to upgrade. If you cannot upgrade immediately, the mitigation from the upstream Kubernetes advisory is to disable the admission webhook: for Helm installs, reinstall with controller.admissionWebhooks.enabled=false; for manifest installs, delete the ValidatingWebhookConfiguration named ingress-nginx-admission and remove the --validating-webhook argument from the controller Deployment or DaemonSet. Re-enable the webhook after upgrading, since without it malformed Ingress objects are no longer rejected up front. In either case, make sure the webhook is reachable only from the API server, not from the internet.
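The certificate fingerprint described above is easy to turn into a check you can run yourself. The Go program below is an added example, not Detectify's scanner and not ingress-nginx project code: it performs a TLS handshake with a host:port, takes the leaf certificate the server presents, and applies the three conditions (issuer O=nil1, subject O=nil2, a SAN containing ingress-nginx-controller-admission). The NewSampleCert helper fabricates a certgen-style certificate so the matcher can be exercised offline; the SAN list used there, the hypothetical address 10.0.0.5:443 in the usage comment and the 5 second timeout are assumptions, and the webhook Service in the default manifests listens on port 443 (8443 inside the pod).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"os"
	"strings"
	"time"
)

// Fingerprint from the post: kube-webhook-certgen's CA carries O=nil1, the
// webhook leaf it signs carries O=nil2, and the leaf's SANs name the service.
const (
	issuerOrg  = "nil1"
	subjectOrg = "nil2"
	sanMarker  = "ingress-nginx-controller-admission"
)

func hasOrg(name pkix.Name, org string) bool {
	for _, o := range name.Organization {
		if o == org {
			return true
		}
	}
	return false
}

// LooksLikeIngressNginxAdmission requires all three conditions; any single one
// (an O=nil2 subject, say) would be too weak a signal on its own.
func LooksLikeIngressNginxAdmission(cert *x509.Certificate) bool {
	if !hasOrg(cert.Issuer, issuerOrg) || !hasOrg(cert.Subject, subjectOrg) {
		return false
	}
	for _, dns := range cert.DNSNames {
		if strings.Contains(dns, sanMarker) {
			return true
		}
	}
	return false
}

// FetchLeafCert handshakes with addr (host:port) and returns the leaf the server
// presented. Verification is deliberately off: the certificate is self-signed and
// we only want to look at it. No application data is sent.
func FetchLeafCert(addr string, timeout time.Duration) (*x509.Certificate, error) {
	d := &net.Dialer{Timeout: timeout}
	conn, err := tls.DialWithDialer(d, "tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	if peers := conn.ConnectionState().PeerCertificates; len(peers) > 0 {
		return peers[0], nil
	}
	return nil, fmt.Errorf("%s: server presented no certificate", addr)
}

// NewSampleCert builds a leaf (O=leafOrg, given SANs) issued by a CA (O=caOrg):
// a constructed stand-in for the certgen job's output, used to exercise the
// matcher offline. One key serves both roles; the fingerprint ignores key material.
func NewSampleCert(caOrg, leafOrg string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// Parent template only: CreateCertificate copies its Subject into the leaf's Issuer.
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{Organization: []string{caOrg}}}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{Organization: []string{leafOrg}},
		DNSNames: sans, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, leaf, ca, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() { // live check against a hypothetical host: go run fingerprint.go 10.0.0.5:443
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: fingerprint host:port")
		os.Exit(2)
	}
	cert, err := FetchLeafCert(os.Args[1], 5*time.Second)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Printf("%s presents an ingress-nginx admission certificate: %v\n", os.Args[1], LooksLikeIngressNginxAdmission(cert))
}
```

Run it against the admission Service address from inside the cluster to confirm the fingerprint matches your installation, then from outside to confirm it does not connect at all; the webhook should never be reachable from the internet regardless of the controller version. A positive result is a reason to check the running version immediately, and a negative one only says the certificate did not match, not that the endpoint is safe.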
Customers can always find updates in the “What’s New at Detectify” product log. Any questions can be directed to Customer Success representatives or Support. If you’re not already a customer, sign up for a demo or a free trial and immediately start scanning. Go hack yourself!
Original Research: Remote Code Execution Vulnerabilities in Ingress NGINX | Wiz Blog
Admission Control in Kubernetes