String of defects in popular Kubernetes component puts 40% of cloud environments at risk

More than 40% of cloud environments are at risk of an account takeover due to a series of five recently discovered vulnerabilities — one regarded as critical — in the Ingress Nginx Controller for Kubernetes, according to security research published this week.
Upon discovering the string of vulnerabilities in one of the most widely used ingress controllers for Kubernetes, Wiz researchers described the potential risk as an “IngressNightmare” in a blog post Monday. The most serious defect, an unauthenticated remote code execution vulnerability tracked as CVE-2025-1974, has a CVSS score of 9.8.
Security researchers told CyberScoop they aren’t aware of any active exploitation, but the risk for publicly exposed and unpatched Ingress Nginx controllers is extremely high.
“The exploit chain is unauthenticated and a target is vulnerable in a default configuration,” Stephen Fewer, principal security researcher at Rapid7, said in an email. “With exploit code for CVE-2025-1974 starting to be published online, Kubernetes administrators should remediate publicly-exposed instances on an urgent basis.”
Ingress Nginx maintainers released patches for CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2025-24513 and CVE-2025-24514 on Monday. Wiz reported CVE-2025-1974 and CVE-2025-24514 to Kubernetes on Dec. 31, 2024.
Attackers can exploit CVE-2025-1974 and achieve unauthenticated remote code execution by chaining it to one of three high-severity configuration injection vulnerabilities: CVE-2025-1097, CVE-2025-1098 or CVE-2025-24514.
Successful exploitation could allow attackers to access cluster-wide secrets, including passwords or tokens, or completely take over a cluster, Fewer said.
Researchers are especially concerned about the potential risk of exploitation because Ingress Nginx Controller is so widely used across Kubernetes environments.
The open-source tool is deployed in more than 2 in 5 Kubernetes clusters, according to Tabitha Sable, co-chair of SIG Security and member of the Kubernetes Security Response Committee.
“When combined with today’s other vulnerabilities, CVE-2025-1974 means that anything on the pod network has a good chance of taking over your Kubernetes cluster, with no credentials or administrative access required,” Sable said in a blog post Monday.
The pod network is typically accessible to all workloads in a virtual private cloud and anyone connected to the corporate network, Sable added. “This is a very serious situation.”
Wiz researchers said about 43% of cloud environments, spanning more than 6,500 Kubernetes clusters, including some used by Fortune 500 companies, were potentially at risk of exploitation Monday. Censys scans found about 5,000 publicly exposed and potentially vulnerable hosts Tuesday.
Several public proof-of-concept exploit scripts for the vulnerabilities have appeared online, Fewer said.
“Due to the root cause of the vulnerabilities being logic-based issues, these vulnerabilities are both relatively simple to exploit, and exploitation is expected to be reliable,” Fewer said.
“An attacker must first identify an accessible and vulnerable Ingress Nginx controller in a target Kubernetes cluster, along with the admission controller service belonging to that Ingress controller,” he added. “Once a viable target has been identified, the difficulty in exploiting the target will be low.”