A set of five critical security vulnerabilities has been disclosed in the Ingress NGINX Controller for Kubernetes, putting more than 6,500 clusters that expose the component to the public internet at immediate risk.
The vulnerabilities (CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974), the most severe of which (CVE-2025-1974) carries a CVSS score of 9.8, have been collectively codenamed IngressNightmare by cloud security firm Wiz. It is worth noting that the flaws do not affect the NGINX Ingress Controller, which is a separate ingress controller implementation for NGINX and NGINX Plus.
"Exploitation of these vulnerabilities leads to unauthorized access to all secrets stored across all namespaces in the Kubernetes cluster by attackers, which can result in cluster takeover," the company said in a report shared with The Hacker News.
IngressNightmare, at its core, affects the admission controller component of the Ingress NGINX Controller for Kubernetes. About 43% of cloud environments are vulnerable to these flaws.
Ingress NGINX Controller acts as a reverse proxy and load balancer, making it possible to expose HTTP and HTTPS routes from outside a cluster to services within it.
The vulnerability takes advantage of the fact that admission controllers, deployed within a Kubernetes pod, are accessible over the network without authentication.
Specifically, it involves injecting an arbitrary NGINX configuration remotely by sending a malicious ingress object (an AdmissionReview request) directly to the admission controller, resulting in code execution on the Ingress NGINX Controller pod.
"The elevated privileges of the ingress controller and its unrestricted network accessibility create a significant escalation path," Wiz explained. "Exploiting this flaw allows an attacker to execute arbitrary code and access all cluster secrets across namespaces, which could lead to complete cluster takeover."
The vulnerabilities are listed below:
- CVE-2025-24514 – auth-url Annotation Injection
- CVE-2025-1097 – auth-tls-match-cn Annotation Injection
- CVE-2025-1098 – mirror UID Injection
- CVE-2025-1974 – NGINX Configuration Code Execution
In an experimental attack scenario, a threat actor can upload a malicious payload in the form of a shared library to the pod by using the client-body buffer feature of NGINX, and then send an AdmissionReview request to the ingress controller.
The request, in turn, contains one of the aforementioned configuration directive injections, which causes the shared library to be loaded, effectively leading to remote code execution.
Wiz security researcher Hillai Ben-Sasson told The Hacker News that the attack chain essentially involves injecting a malicious configuration and using it to read sensitive files and run arbitrary code. This could subsequently allow an attacker to abuse a strong service account to read Kubernetes secrets and ultimately facilitate cluster takeover.
Following responsible disclosure, the vulnerabilities have been addressed in Ingress NGINX Controller versions 1.12.1, 1.11.5, and 1.10.7.
Users are recommended to update to the latest version as soon as possible and ensure that the admission webhook endpoint is not exposed externally.
As mitigations, it is advisable to restrict access to the admission controller so that only the Kubernetes API server can reach it, and to temporarily disable the admission controller component if it is not needed.
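The two checks above (are you on a fixed release, and is the admission webhook reachable from outside the cluster) are easy to run across a fleet. The script below is an added example, not code from Wiz or the ingress-nginx project: it parses the JSON that `kubectl get deployments -A -o json` and `kubectl get services -A -o json` return, flags controllers below the fixed release of their branch and Services that front the webhook port with a NodePort or LoadBalancer type, and emits the shape of NetworkPolicy the mitigation describes. The fixed-version table comes from the advisory; the image path, the `-admission` Service suffix, the `app.kubernetes.io/component: controller` pod label, webhook port 8443 and the API server CIDR are assumptions that match ingress-nginx's stock manifests and must be adjusted to your deployment. The sample objects at the bottom are constructed for this example.

```python
"""IngressNightmare exposure check (added example, not from Wiz or ingress-nginx).
Input is kubectl-style JSON; the SAMPLE_* objects below are constructed."""
import json
import re

# Fixed releases named in the advisory, keyed by release branch. Branches older
# than 1.10 never received a fix; branches newer than 1.12 shipped after it.
FIXED = {(1, 12): (1, 12, 1), (1, 11): (1, 11, 5), (1, 10): (1, 10, 7)}

# Assumptions matching ingress-nginx's stock manifests; adjust to your deployment.
CONTROLLER_IMAGE = "ingress-nginx/controller"
ADMISSION_SUFFIX = "-admission"
CONTROLLER_LABELS = {"app.kubernetes.io/component": "controller"}
WEBHOOK_PORT = 8443


def parse_version(tag):
    """'v1.11.3' -> (1, 11, 3); None for non-release tags such as 'latest'."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(int(x) for x in m.groups()) if m else None


def is_patched(tag):
    """True only if the tag is at or above the fixed release of its own branch."""
    v = parse_version(tag)
    if v is None:
        return False  # unknown tag: treat as unpatched rather than guess
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return v[:2] > (1, 12)
    return v >= fixed


def image_tag(image):
    """'reg/ingress-nginx/controller:v1.11.3@sha256:...' -> 'v1.11.3'."""
    return image.split("@")[0].rsplit(":", 1)[-1]


def exposes_webhook(svc):
    """A NodePort/LoadBalancer Service that fronts the admission webhook port."""
    spec = svc["spec"]
    if spec.get("type") not in ("LoadBalancer", "NodePort"):
        return False
    by_name = svc["metadata"]["name"].endswith(ADMISSION_SUFFIX)
    by_port = any(p.get("port") == WEBHOOK_PORT or p.get("targetPort") in ("webhook", WEBHOOK_PORT)
                  for p in spec.get("ports", []))
    return by_name or by_port


def audit(deployments, services):
    """Return findings: unpatched controllers and externally reachable webhooks."""
    findings = []
    for d in deployments["items"]:
        ref = f'{d["metadata"]["namespace"]}/{d["metadata"]["name"]}'
        for c in d["spec"]["template"]["spec"]["containers"]:
            if CONTROLLER_IMAGE in c["image"] and not is_patched(image_tag(c["image"])):
                findings.append(f"{ref}: controller {image_tag(c['image'])} is unpatched")
    for s in services["items"]:
        if exposes_webhook(s):
            ref = f'{s["metadata"]["namespace"]}/{s["metadata"]["name"]}'
            findings.append(f'{ref}: admission webhook reachable via {s["spec"]["type"]} Service')
    return findings


def admission_network_policy(namespace, api_server_cidr):
    """NetworkPolicy that lets only api_server_cidr (assumed: the range the API
    server dials webhooks from) reach the webhook port; proxy ports stay open."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "restrict-admission-webhook", "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": CONTROLLER_LABELS},
            "policyTypes": ["Ingress"],
            "ingress": [
                {"from": [{"ipBlock": {"cidr": api_server_cidr}}],
                 "ports": [{"protocol": "TCP", "port": WEBHOOK_PORT}]},
                {"ports": [{"protocol": "TCP", "port": 80}, {"protocol": "TCP", "port": 443}]},
            ],
        },
    }


# Constructed sample: a stale controller whose admission Service was switched to
# LoadBalancer, and a patched controller with the default ClusterIP Service.
SAMPLE_DEPLOYMENTS = {"items": [
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "controller", "image": "registry.k8s.io/ingress-nginx/controller:v1.11.3@sha256:0000"}]}}}},
    {"metadata": {"namespace": "edge", "name": "ingress-nginx-controller"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "controller", "image": "registry.k8s.io/ingress-nginx/controller:v1.12.1"}]}}}},
]}
SAMPLE_SERVICES = {"items": [
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-admission"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 443, "targetPort": "webhook"}]}},
    {"metadata": {"namespace": "edge", "name": "ingress-nginx-controller-admission"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 443, "targetPort": "webhook"}]}},
]}

if __name__ == "__main__":
    for finding in audit(SAMPLE_DEPLOYMENTS, SAMPLE_SERVICES):
        print("FINDING:", finding)
    print(json.dumps(admission_network_policy("ingress-nginx", "10.0.0.0/24"), indent=2))
```

Two caveats before applying the generated policy: on managed clusters the API server reaches webhooks from a provider-specific address range rather than from inside the pod network, so confirm the CIDR with your provider first, because an `ipBlock` that does not cover it breaks ingress validation instead of hardening it; and a NetworkPolicy is only enforced if the cluster's CNI supports it. Neither check replaces the upgrade: an unexposed webhook still trusts any AdmissionReview it receives, so the version finding is the one to close first.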