Major Security Risk Alert: Public Kubernetes Clusters Vulnerable to Complete Takeover!

2025-03-25

Author: Mei

Introduction

A new cybersecurity revelation from Wiz, a cloud-focused security firm, has uncovered alarming vulnerabilities in the admission controller component of the Ingress-Nginx Controller that could lead to the total compromise of Kubernetes clusters. Shockingly, over 6,000 deployments of this software reachable from the internet are believed to be affected.

The Security Risks of Public Access

Kubernetes clusters, commonly referred to as K8s, are often exposed to external HTTP/S traffic so that hosted applications can be reached publicly. While this setup can be beneficial, exposing the admission controller alongside the cluster itself raises significant security concerns. In Kubernetes terminology, allowing external traffic into the cluster is known as 'ingress', and it is managed through ingress objects and ingress controllers.

Role of the Ingress-Nginx Controller

As outlined by Tabitha Sable, a member of the Kubernetes team, the ingress controller interprets these ingress objects, setting up local or cloud resources according to specific user needs. Ingress-Nginx plays a pivotal role in this process by translating ingress object requirements into configurations for Nginx, an open-source web server that routes requests to applications within the Kubernetes environment. Proper configuration management is essential to maintain security and functionality.

Identified Vulnerabilities

However, Wiz's research indicates that the Ingress-Nginx admission controller does not handle configurations as securely as required. The researchers pinpointed a vulnerability wherein an attacker who can reach the admission controller over the network sends it a malicious ingress object. Because the controller turns the object into Nginx configuration, this injection lets the attacker supply arbitrary Nginx configuration directives, resulting in remote code execution (RCE) in the Ingress-Nginx Controller's pod.

Consequences of Exploitation

The ramifications of this flaw are severe, given that admission controllers come with elevated privileges and unrestricted network access. Successfully exploiting this vulnerability enables attackers to run arbitrary code, potentially accessing all cluster secrets across different namespaces, leading to a complete takeover of the cluster.

Scope of the Issue

Wiz estimates that more than 6,500 publicly accessible Kubernetes installations, including some operated by Fortune 500 companies, expose their systems to this significant threat. The organization, which is on the verge of being acquired by Google, raises a critical alert for Kubernetes users to take immediate action.

Response to Vulnerabilities

Fortunately, the situation has a silver lining. Wiz reported these vulnerabilities to the Kubernetes developers in December 2024 and January 2025, prompting action. On March 10, five vulnerabilities, collectively dubbed 'IngressNightmare', were addressed, with fixes available in Ingress-Nginx Controller versions 1.12.1 and 1.11.5.

Ongoing Challenges

However, a critical complication remains: many Kubernetes users neglect to act on security notifications. The most severe vulnerability, identified as CVE-2025-1974, received a critical rating of 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS), indicating the urgency for immediate attention. Other vulnerabilities in this set received ratings of 8.8 and 4.8, emphasizing the need for comprehensive security measures.

Recommendations for Users

In light of these vulnerabilities, Wiz urges all Kubernetes users to upgrade to a fixed release as soon as possible. For those unable to upgrade because of operational constraints, it is recommended to enforce strict network policies so that only the Kubernetes API server can reach the admission controller, or to consider temporarily disabling the admission controller feature of Ingress-Nginx.
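As an added example (not code from the article, from Wiz, or from the ingress-nginx project), the following shell script turns the advice above into a triage check: it classifies a controller image tag against the fix versions 1.12.1 and 1.11.5 named in the article and, when run with `--scan` and `kubectl` available, lists the controller pods in the current cluster with their patch status plus the admission webhook registration whose exposure the network-policy mitigation is meant to limit. The chart labels used for the pod selector and the assumption that any release line newer than 1.12 is post-fix are assumptions made here.

```shell
#!/usr/bin/env sh
# Added example (not from the article or the ingress-nginx project): triage helper
# for the IngressNightmare advisory described above.
#
# Assumption: fixed releases are ingress-nginx 1.12.1 and 1.11.5 (per the article);
# any later minor/major line is treated as post-fix, any older line as unpatched.

# is_fixed_version TAG -> exit status 0 if TAG is a patched release, 1 otherwise.
is_fixed_version() {
  tag="${1#v}"                      # v1.11.3 -> 1.11.3
  tag="${tag%%-*}"                  # drop pre-release/build suffixes
  case "$tag" in
    *[!0-9.]*|'') return 1 ;;       # "latest", "" etc.: cannot prove it is patched
  esac
  major=$(printf '%s\n' "$tag" | cut -s -d. -f1)
  minor=$(printf '%s\n' "$tag" | cut -s -d. -f2)
  patch=$(printf '%s\n' "$tag" | cut -s -d. -f3)
  major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
  case "$major.$minor" in
    1.12) [ "$patch" -ge 1 ] ;;
    1.11) [ "$patch" -ge 5 ] ;;
    *)    [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -gt 12 ]; } ;;
  esac
}

# scan_cluster: report every ingress-nginx controller pod in the current kubectl
# context and whether its image tag is patched. Assumes the standard chart labels
# (app.kubernetes.io/name=ingress-nginx, app.kubernetes.io/component=controller).
scan_cluster() {
  kubectl get pods -A \
    -l app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/component=controller \
    -o jsonpath='{range .items[*]}{.metadata.namespace} {.spec.containers[0].image}{"\n"}{end}' |
  while read -r ns image; do
    ref="${image%%@*}"              # strip a trailing @sha256:... digest
    tag="${ref##*:}"                # keep only the tag after the last ':'
    if is_fixed_version "$tag"; then status="patched"; else status="NEEDS ACTION"; fi
    printf '%-20s %-60s %s\n' "$ns" "$image" "$status"
  done
  # The admission webhook is the component the flaw reaches; show where it is
  # registered so its exposure (and the NetworkPolicy mitigation) can be reviewed.
  kubectl get validatingwebhookconfigurations -o name 2>/dev/null | grep -i ingress-nginx || true
}

# Run the cluster scan only when invoked with --scan and kubectl is available.
if [ "${1:-}" = "--scan" ] && command -v kubectl >/dev/null 2>&1; then
  scan_cluster
fi
```

A pod marked NEEDS ACTION should be upgraded, or its admission webhook fenced off with a NetworkPolicy that admits only the API server until it can be.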

Conclusion

Cybersecurity experts strongly advise all organizations to review their Kubernetes configurations and apply the necessary patches to safeguard against these newly discovered vulnerabilities. Your cluster's integrity may depend on it!