NGINX Controller for Kubernetes: Kubernetes cluster can be compromised

Attackers can exploit several vulnerabilities in NGINX Controller for Kubernetes and execute malicious code. Updates are available.

Stylized image: computer under clouds with protective shields and viruses (Image: created with AI in Bing Designer by heise online / dmk)


Cloud environments that use Ingress NGINX Controller for Kubernetes are vulnerable. Security researchers from Wiz warn that thousands of instances belonging to large companies are publicly reachable over the internet. Attacks may be imminent; so far, however, there have been no reports of ongoing attacks.

In an article, the security researchers list four vulnerabilities (CVE-2025-1097 "high", CVE-2025-1098 "high", CVE-2025-24514 "high", CVE-2025-1974 "critical") that attackers can use to execute malicious code without authentication.

If attacks are successful, attackers can access all secrets stored in the namespace of a Kubernetes cluster and use this information to compromise entire clusters. The security researchers have dubbed the vulnerabilities "IngressNightmare". They claim to have discovered 6500 publicly accessible clusters over the Internet belonging to various Fortune 500 companies.

To initiate an attack, an attacker must have access to the Admission Controller of a vulnerable Kubernetes cluster. However, this is often not a major hurdle: such components are frequently not sufficiently secured within networks and can by default be reached without authentication, the researchers explain. The Admission Controller checks incoming ingress objects before they are made available.

With that access, attackers can make instances load a module prepared with malicious code by having them process a manipulated configuration. The security researchers provide further details on the vulnerabilities in their article. They also explain how admins can find out whether their systems are at risk or have already been attacked.


If admins cannot install the NGINX Controller 1.11.5 or 1.12.1 security updates immediately, the researchers list temporary measures for securing instances in their article. Temporary protection is provided, for example, by deactivating the Admission Controller component.
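The two checks an admin would want after reading this are whether a cluster still runs a controller older than the fixed releases named above, and whether the admission webhook component is still registered. The following shell script is an added example and is not code from the article, from Wiz or from the ingress-nginx project. It assumes that controller pods carry the label `app.kubernetes.io/name=ingress-nginx` (the label the project's Helm chart applies), that the controller image is the first container of the pod, and that image tags follow the `vMAJOR.MINOR.PATCH` pattern; the version logic treats 1.11.5 and 1.12.1, and anything newer, as patched, and everything older (including all 1.10.x and earlier) as vulnerable.

```shell
#!/bin/sh
# Added example (not from the article or the ingress-nginx project): report
# ingress-nginx controller pods whose image tag predates the fixed releases
# named in the article (1.11.5 and 1.12.1) and show whether the admission
# webhook, the component the article says can be deactivated temporarily,
# is still registered in the cluster.

# Return 0 when the given controller version contains the fix, 1 otherwise.
# Accepts "1.11.5", "v1.11.5" or "v1.11.5-rc1"; a missing patch level counts as 0.
is_patched() {
    v=${1#v}
    IFS=. read -r major minor patch <<EOF
$v
EOF
    patch=${patch%%[!0-9]*}      # strip suffixes such as "-rc1"
    patch=${patch:-0}
    case "$major.$minor" in
        1.11) [ "$patch" -ge 5 ] ;;                 # fixed in 1.11.5
        1.12) [ "$patch" -ge 1 ] ;;                 # fixed in 1.12.1
        *)    [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -gt 12 ]; } ;;
    esac
}

# Print "patched", "vulnerable" or "unknown" for a container image reference.
classify_image() {
    img=${1%%@*}                  # drop an @sha256:... digest if present
    tag=${img##*:}                # the tag follows the last colon
    case "$tag" in
        v[0-9]*.[0-9]*|[0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    if is_patched "$tag"; then echo patched; else echo vulnerable; fi
}

# Walk the live cluster with kubectl (assumed to be configured for the cluster).
scan_cluster() {
    # Assumption: controller pods are labelled app.kubernetes.io/name=ingress-nginx
    # and the controller is the first container of the pod.
    kubectl get pods -A -l app.kubernetes.io/name=ingress-nginx \
        -o jsonpath='{range .items[*]}{.metadata.namespace}{" "}{.metadata.name}{" "}{.spec.containers[0].image}{"\n"}{end}' |
    while read -r ns pod img; do
        [ -n "$img" ] || continue
        printf '%s/%s %s -> %s\n' "$ns" "$pod" "$img" "$(classify_image "$img")"
    done

    # The admission controller is wired in through a ValidatingWebhookConfiguration;
    # if none mentioning ingress-nginx exists, that component is not active.
    if ! kubectl get validatingwebhookconfigurations -o name | grep -i ingress-nginx; then
        echo "no ingress-nginx admission webhook registered"
    fi
}

# Run the cluster scan only when explicitly asked, so the functions can be
# sourced and tested offline.
[ "${1:-}" = "scan" ] && scan_cluster
```

Run it as `sh check-ingress-nginx.sh scan` against a cluster; any line ending in `vulnerable` is an instance that needs the 1.11.5 or 1.12.1 update, and a listed webhook configuration means the admission component is still active. Which webhook name appears depends on how the controller was installed, so the output is grepped rather than matched against a fixed name.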

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.