Researchers identified several critical vulnerabilities in the Ingress NGINX Controller for Kubernetes, including CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974. These flaws enables threat actors to execute unauthenticated remote code. Review the details of this Cybersecurity Threat Advisory to keep your environment secure.
What is the threat?
The Ingress NGINX Controller is a component of Kubernetes environments. It acts as a reverse proxy and load balancer, managing external access to services within a cluster. The identified vulnerabilities, collectively referred to as “IngressNightmare,” affect the admission controller component of the Ingress NGINX Controller. Exploiting these vulnerabilities can lead to unauthorized access to all data stored across all namespaces in the Kubernetes cluster. This can result in a complete cluster takeover, compromising the entire environment.
Below is a brief description of each vulnerability:
- CVE-2025-24513: When an input validation is not confirmed, the vulnerability can lead to in directory traversal within the container. When exploited with the other vulnerabilities, it can lead to denial-of-service (DoS) or limited disclosure of secret objects from the cluster.
- CVE-2025-24514: This vulnerability allows the “auth-url” Ingress annotation be used to inject configuration into NGINX, resulting in arbitrary code execution in the context of the ingress-nginx controller and disclosure of secrets accessible to the controller.
- CVE-2025-1097: This vulnerability enables the “auth-tls-match-cn” Ingress annotation be used to inject configuration into NGINX, leading to arbitrary code execution and potential disclosure of secrets.
- CVE-2025-1098: Attackers can exploit this flaw using the “mirror-target” and “mirror-host” Ingress annotations to inject arbitrary configuration into NGINX and perform code execution.
- CVE-2025-1974: Under certain conditions, this flaw enables an unauthenticated attacker with access to the pod network to execute arbitrary code in the context of the ingress-nginx controller.
Why is it noteworthy?
Exploiting these vulnerabilities enable unauthorized access to all data stored across all namespaces in the Kubernetes cluster. This gives attackers the ability to manipulate or steal sensitive information. As a result, it could lead to a complete cluster takeover, compromising the entire environment.
What is the exposure or risk?
Organizations using vulnerable versions of the Ingress NGINX Controller are at risk. Exploitation of these vulnerabilities can lead to unauthorized code execution and execute arbitrary code within the controller itself, leading to control of the Kubernetes cluster. It also leads to data exfiltration where attackers can access or release namespaces, compromising the integrity of an organization’s data.
What are the recommendations?
Barracuda recommends the following actions to keep your environment secure:
- Apply updates to upgrade the Ingress NGINX Controller to the latest version that addresses these vulnerabilities. We recommend updating to at least v1.12.0 or above.
- Examine the use of Ingress annotations (auth-url, auth-tls-match-cn, mirror-target, mirror-host) and restrict or validate their usage to prevent configuration injection.
- Implement proactive monitoring to detect unauthorized access or unusual activity within the cluster.
- Regularly audit configurations, including access controls, to ensure the environment remains secure.
References
For more in-depth information about the recommendations, please visit the following links:
- https://thehackernews.com/2025/03/critical-ingress-nginx-controller.html?m=1
- https://research.kudelskisecurity.com/2025/03/25/critical-unauthenticated-remote-code-execution-vulnerabilities-iningress-nginx/
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
