Wiz Security finds four critical RCE vulnerabilities in the Ingress NGINX Controller for Kubernetes
Analysis Summary
# Vulnerability: IngressNightmare - Critical RCE Flaws in NGINX Ingress Controller
## CVE Details
- CVE ID: CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974 (four distinct vulnerabilities that lead to RCE when chained)
- CVSS Score: 9.8 (Critical)
- CWE: CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) - *Inferred based on RCE via configuration injection.*
## Affected Systems
- Products: Kubernetes Ingress NGINX Controller (specifically the admission controller component).
- Versions: Not explicitly listed; by implication, every version in which the identified flaw in admission controller processing exists is affected. The report states that roughly 40% of cloud environments are affected.
- Configurations: Systems utilizing the Ingress NGINX Controller where the admission controllers are exposed to the public internet.
## Vulnerability Description
The IngressNightmare findings detail four critical vulnerabilities in the admission controller component of the Ingress NGINX Controller. The controller routes external traffic to Kubernetes services and pods; its admission controller validates each incoming `ingress` object by constructing an NGINX configuration from that object and then checking the result with the NGINX binary. Three of the vulnerabilities (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514) allow an attacker to inject arbitrary NGINX configuration directives through this path. When chained with the fourth vulnerability (CVE-2025-1974), the injection leads directly to Remote Code Execution (RCE) on the affected system.
## Exploitation
- Status: PoC available (implied by the depth of the analysis and reporting by Wiz Security).
- Complexity: Not explicitly detailed. The initial configuration injection may be straightforward, but reliably chaining it into RCE across the four vulnerabilities is typically of **Medium** to **High** complexity.
- Attack Vector: Network (admission controllers are typically public-facing).
## Impact
- Confidentiality: High (RCE allows full system compromise)
- Integrity: High (RCE allows configuration modification and data tampering)
- Availability: High (RCE can lead to service disruption or denial of service)
## Remediation
### Patches
- Specific patch versions are not listed in the provided text, but immediate patching of the Ingress NGINX Controller is urged to mitigate these RCE flaws. Users must consult the project's (or relevant vendor's) security advisories for the exact fixed versions.
### Workarounds
- Restricting public internet exposure of the Ingress NGINX Controller's admission controller, where possible, until patches can be applied.
- Hardening input validation on the `ingress` objects processed by the admission controller.
## Detection
- Indicators of Compromise (IOCs): Unauthorized or unexpected modifications to NGINX configuration files, abnormal execution of processes within the admission controller pods, or unexpected network traffic originating from the component.
- Detection Methods and Tools: Security monitoring tools capable of auditing configuration changes within Kubernetes workloads and network traffic analysis focused on ingress object submissions to the controller.
## References
- Vendor Advisories: Wiz Security Research (Wiz Research report on "IngressNightmare").
- Relevant Links:
- Infosecurity Magazine article: hxxps://www.infosecurity-magazine.com/news/ingressnightmare-critical-bugs-40/