'IngressNightmare' Vulnerabilities Threaten Kubernetes Clusters, Urgent Updates Advised

March 25, 2025
  • Wiz researchers have uncovered critical vulnerabilities in the Ingress NGINX Controller for Kubernetes, collectively termed 'IngressNightmare,' which could enable attackers to seize control of Kubernetes clusters.

  • These vulnerabilities include several CVEs, such as CVE-2025-1097 and CVE-2025-1098, which facilitate various forms of configuration injection.

  • To mitigate risks, it is recommended to restrict access to the admission controller solely to the Kubernetes API Server and disable the component if it is not needed.

  • Wiz communicated its findings to Kubernetes developers in late 2024 and early 2025, leading to the release of patches in Ingress NGINX Controller versions 1.12.1 and 1.11.5.

  • Administrators are urged to promptly install security updates for NGINX Controller versions 1.11.5 or 1.12.1 to safeguard their systems, with temporary mitigation strategies suggested, such as disabling the Admission Controller component.

  • The vulnerabilities were responsibly disclosed, with a timeline of reporting and fixes spanning from late December 2024 to March 2025, culminating in public disclosure on March 24, 2025.

  • The vulnerabilities lie in the admission controller component, which is reachable over the network without authentication, allowing an attacker to inject arbitrary NGINX configuration.

  • Wiz emphasizes the necessity for improved security practices regarding admission controllers in Kubernetes environments, particularly the importance of sanitizing inputs processed by configuration validators.

  • Mitigation strategies include updating to the fixed versions of the Ingress NGINX Controller, restricting external access to admission webhook endpoints, and enforcing strict network policies.

  • Wiz reported that approximately 43% of cloud environments are affected, with over 6,500 publicly accessible Kubernetes clusters, including those of Fortune 500 companies, vulnerable to these issues.

  • Wiz disclosed these vulnerabilities to Kubernetes developers, with fixes for five CVEs released on March 10, 2025, under the name IngressNightmare.

  • Hillai Ben-Sasson, a researcher at Wiz, noted that the attack chain involves reading sensitive files and executing arbitrary code to facilitate a cluster takeover.
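The bullets above name the fixed controller releases (1.11.5 and 1.12.1) but not how to check a cluster against them. The following is an added example, not code from the article or from the ingress-nginx project: a POSIX shell check that parses controller image references (with or without a registry prefix and digest) and classifies each one as patched or unpatched. Assumptions it makes: release branches newer than 1.12 are treated as patched, older branches (1.10 and earlier) and unparseable tags (such as `latest` or release candidates) are treated as unpatched because the article names no fix for them, and the `app.kubernetes.io/name=ingress-nginx` label selector in the comment comes from the common chart labels, not from the article. The sample image list is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article or the ingress-nginx project: classify an
# ingress-nginx controller image reference against the fixed releases named in
# the article (1.11.5 on the 1.11 branch, 1.12.1 on the 1.12 branch).
# Assumption: branches newer than 1.12 count as patched; 1.10 and older, and
# tags that are not plain MAJOR.MINOR.PATCH, count as unpatched.
# Exit status: 0 = patched, 1 = unpatched or unrecognised.
ingress_nginx_patched() {
  ref="$1"
  ver=${ref%%@*}        # drop any "@sha256:..." digest suffix
  ver=${ver##*:}        # keep the text after the last ":" (the tag)
  ver=${ver#v}          # drop the leading "v"

  # Accept only plain MAJOR.MINOR.PATCH; rc tags, "latest" etc. are unrecognised.
  case "$ver" in
    *[!0-9.]*|*.*.*.*|.*|*.) return 1 ;;
    [0-9]*.[0-9]*.[0-9]*) ;;
    *) return 1 ;;
  esac

  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  patch=${rest#*.}

  if [ "$major" -gt 1 ]; then return 0; fi
  if [ "$major" -lt 1 ]; then return 1; fi
  if [ "$minor" -gt 12 ]; then return 0; fi
  if [ "$minor" -eq 12 ] && [ "$patch" -ge 1 ]; then return 0; fi
  if [ "$minor" -eq 11 ] && [ "$patch" -ge 5 ]; then return 0; fi
  return 1
}

# Read image references from stdin, one per line, and report each one.
# In a real cluster the input would come from something like (label selector
# assumed from the common chart labels; verify against your own deployment):
#   kubectl get pods -A -l app.kubernetes.io/name=ingress-nginx \
#     -o jsonpath='{range .items[*]}{.spec.containers[*].image}{"\n"}{end}'
# Exit status is the number of unpatched images (0 = everything on a fixed release).
audit_ingress_images() {
  unpatched=0
  while IFS= read -r image; do
    [ -n "$image" ] || continue
    if ingress_nginx_patched "$image"; then
      printf 'OK        %s\n' "$image"
    else
      printf 'UNPATCHED %s\n' "$image"
      unpatched=$((unpatched + 1))
    fi
  done
  return "$unpatched"
}

# Constructed sample inventory (not from a real cluster) standing in for the
# kubectl output described above.
SAMPLE_IMAGES='registry.k8s.io/ingress-nginx/controller:v1.11.4
registry.k8s.io/ingress-nginx/controller:v1.11.5@sha256:0000000000000000000000000000000000000000000000000000000000000000
registry.k8s.io/ingress-nginx/controller:v1.12.1
registry.k8s.io/ingress-nginx/controller:v1.10.6
registry.k8s.io/ingress-nginx/controller:latest'

if printf '%s\n' "$SAMPLE_IMAGES" | audit_ingress_images; then
  echo "all ingress-nginx images are on a fixed release"
else
  echo "unpatched ingress-nginx images: $?"
fi
```

Run against the sample inventory, the script flags `v1.11.4`, `v1.10.6` and `latest` as unpatched and accepts `v1.11.5` and `v1.12.1`. Treating an unparseable tag as unpatched is deliberate: a mutable tag like `latest` gives no evidence that the running binary carries the fix, so it should be resolved to a pinned release before being trusted.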

Summary based on 6 sources

