Security Research

IngressNightmare: How Runtime Changes the Game for Ingress-NGINX Kubernetes-Critical Vulnerabilities

Tomer Filiba

CTO

March 25, 2025


A new set of high-severity vulnerabilities, collectively dubbed IngressNightmare, has been discovered by Wiz in the popular Ingress NGINX Controller for Kubernetes. These flaws open the door to unauthenticated remote code execution (RCE), potentially allowing attackers to compromise entire Kubernetes clusters. Sweet is always here to keep you secure, even against zero-day vulnerabilities.

What’s at Risk?

When exploited, the vulnerabilities (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974) allow attackers to inject malicious configurations that the Ingress NGINX Controller inadvertently accepts and applies.

This can lead to:

  • Arbitrary code execution within the ingress controller pods.
  • Unauthorized access to all secrets across all namespaces.
  • A potential full cluster takeover.

Why It Matters

Ingress-NGINX is one of the most commonly used ingress controllers in Kubernetes environments. The researchers discovered that approximately 43% of cloud environments were potentially vulnerable, impacting thousands of clusters managed by Fortune 500 companies. Even more alarming is that many of these exposed servers are accessible from the public internet.

Root Cause

The issue stems from how the Ingress NGINX admission controller handles and validates ingress resource configurations. Attackers can craft ingress objects that inject arbitrary NGINX configuration directives. Since the admission controller runs with elevated privileges, this opens up a serious attack vector with cluster-wide implications.

Are You Affected?

  • Is nginx-ingress running in your environment? Use this to check, and see which versions are deployed:

kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx

  • In Sweet, you can visit the technologies page and see which versions are deployed.
  • Is the admission control component of nginx-ingress enabled in nginx’s configuration? Sweet can tell you if port 8443, which serves the admission control component, has connections, and whether or not it’s exposed to the internet.

How to Protect Your Clusters

If you’re at risk, consider upgrading immediately to either v1.12.1 or v1.11.5, which contain the patches. If that’s not a possibility, disable the admission control component altogether, or at least ensure that it’s not exposed externally.
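The two checks above (which controller versions are deployed, and whether the admission component is enabled) can be scripted. The following is an added example, not Sweet's or the ingress-nginx project's code: it reads the JSON form of the kubectl command shown earlier plus the cluster's ValidatingWebhookConfigurations, flags controller images older than the fixed releases named here (v1.11.5 and v1.12.1; treating anything older on each line as affected is an assumption), and reports which webhook configurations point at the controller's admission Service. The embedded sample output is constructed.

```python
import json
import re
import subprocess
# Fixed releases named in the post: v1.11.5 and v1.12.1. Older builds on each line are assumed affected.
PATCHED = {(1, 11): 5, (1, 12): 1}

def split_image(image):
    # "registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:..." -> (repo, (1, 11, 2))
    path, _, last = image.split("@", 1)[0].rpartition("/")   # drop digest, then split path
    name, _, tag = last.partition(":")
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    return (f"{path}/{name}" if path else name), ((int(m[1]), int(m[2]), int(m[3])) if m else None)

def is_patched(version):
    major, minor, patch = version
    if (major, minor) in PATCHED:
        return patch >= PATCHED[(major, minor)]
    return (major, minor) > (1, 12)   # newer lines ship the fix; older lines do not

def assess(pods_json, webhooks_json):
    # Inputs: `kubectl get pods -A -l app.kubernetes.io/name=ingress-nginx -o json` and
    # `kubectl get validatingwebhookconfigurations -o json`
    report = {"vulnerable": [], "unknown": [], "admission_webhooks": []}
    for pod in json.loads(pods_json)["items"]:
        where = f'{pod["metadata"]["namespace"]}/{pod["metadata"]["name"]}'
        for c in pod["spec"]["containers"]:
            repo, version = split_image(c["image"])
            if repo.split("/")[-1] != "controller":   # skip cert-gen job pods that share the label
                continue
            key = "unknown" if version is None else ("" if is_patched(version) else "vulnerable")
            if key:
                report[key].append(f"{where} ({c['image']})")
    # A webhook whose clientConfig targets the controller's admission Service means the
    # admission component (the listener on port 8443) is enabled in this cluster.
    for cfg in json.loads(webhooks_json)["items"]:
        services = [h.get("clientConfig", {}).get("service", {}).get("name", "") for h in cfg.get("webhooks", [])]
        if any("ingress-nginx" in s for s in services):
            report["admission_webhooks"].append(cfg["metadata"]["name"])
    return report

# Constructed sample API output (not from a real cluster): one lagging controller, one patched.
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-abc"},
     "spec": {"containers": [{"image": "registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:0"}]}},
    {"metadata": {"namespace": "edge", "name": "ingress-nginx-controller-xyz"},
     "spec": {"containers": [{"image": "registry.k8s.io/ingress-nginx/controller:v1.12.1"}]}}]})
SAMPLE_WEBHOOKS = json.dumps({"items": [{"metadata": {"name": "ingress-nginx-admission"},
    "webhooks": [{"clientConfig": {"service": {"name": "ingress-nginx-controller-admission"}}}]}]})

if __name__ == "__main__":   # live run against the current kubeconfig context
    kc = lambda *a: subprocess.check_output(["kubectl", "get", *a, "-o", "json"], text=True)
    print(json.dumps(assess(kc("pods", "-A", "-l", "app.kubernetes.io/name=ingress-nginx"),
                            kc("validatingwebhookconfigurations")), indent=2))
```

A non-empty "vulnerable" list means upgrade; a non-empty "admission_webhooks" list with no upgrade path means the admission component is the piece to disable or isolate from external access.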

Stay Safe with Sweet Security’s Runtime CNAPP

Sweet Security employs the most advanced baselining mechanisms to detect process anomalies in real time. For example, it can identify suspicious behaviors such as Nginx loading a dynamic library, spawning a malicious process, or establishing connections to command-and-control (C2) servers. 

Unlike legacy CNAPP solutions that provide only a vulnerability framework, Sweet combines framework visibility (inventory of technology stacks) with runtime monitoring, checking for inbound connections and other signs of exploitation. This tells analysts whether a risk is actually exploitable.

Taking it a step further, Sweet differentiates between dormant yet exploitable vulnerabilities and actively exploited ones, informing analysts the moment a vulnerability is used in an incident and thereby turning a static risk assessment into a real-time breach response. By detecting anomalies at the package level, Sweet ensures that security teams can respond to these threats before they escalate and cause damage.

Final Thoughts

The IngressNightmare vulnerabilities are a stark reminder of how critical components in Kubernetes can become high-value targets. With the ingress controller acting as the front door to many applications, it's essential to audit your usage, lock down network access, and stay current with patches.

If you’d like to learn more about Sweet’s Runtime CNAPP, please contact us to book a demo.
