
Massive Kubernetes Vulnerability Exposes Clusters to Hackers


A newly discovered set of critical vulnerabilities has left thousands of Kubernetes clusters dangerously exposed to remote hacking threats. Cloud security experts at Wiz uncovered these alarming flaws—dubbed IngressNightmare—impacting Ingress NGINX, a widely used component in Kubernetes environments.

Kubernetes, the go-to open-source platform for managing containerized applications, relies on clusters—groups of nodes—to efficiently run and scale apps. Ingress NGINX acts as a powerful load balancer and reverse proxy, serving as the main gateway for exposing Kubernetes applications to the internet.

However, Wiz researchers revealed that the Ingress NGINX Controller contains multiple severe vulnerabilities tracked as CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, and CVE-2025-1974. These flaws specifically affect the admission controller, a critical security component responsible for validating incoming ingress objects before deployment.

What makes these vulnerabilities so dangerous is the admission controller’s network exposure—accessible without any authentication. This creates a golden opportunity for cyber attackers to strike remotely.

According to Wiz, the scope of exposure is massive. Their scans found that 41% of internet-facing Kubernetes clusters run Ingress NGINX. Alarmingly, 43% of cloud environments examined by the team contained at least one vulnerable instance. Even worse, around 6,500 clusters, including those belonging to Fortune 500 companies, publicly expose their admission controllers.

In a technical breakdown, Wiz explained that the vulnerability allows attackers to inject a malicious NGINX configuration by submitting a crafted ingress object directly to the admission controller. As the controller validates this configuration using the NGINX binary, it unknowingly executes the attacker’s code.

This remote code execution (RCE) flaw gives hackers a terrifying level of control. If exploited, attackers could potentially access sensitive secrets stored in all namespaces and even seize full control of the Kubernetes cluster.

“The impact here is staggering,” said Nir Ohfeld, Head of Research at Wiz. “Ingress NGINX is deeply integrated across major enterprises, including AI firms and Fortune 500 giants. A successful attack could lead to complete data access and manipulation within cloud environments.”

Wiz further warned that because Kubernetes forms the backbone of cloud infrastructure, this vulnerability could open the door to widespread, devastating breaches if left unpatched.

The good news? There’s a fix available. Wiz disclosed their findings to the Kubernetes project in late December 2024 and January 2025. The Ingress NGINX team responded swiftly by releasing patches in versions 1.12.1 and 1.11.5, rolled out earlier this week.

Security experts strongly urge Kubernetes administrators to update to the latest Ingress NGINX versions immediately. As a temporary safeguard, teams can also disable the admission controller if it’s not essential or limit its exposure to the Kubernetes API server only.
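The two actionable checks in that advice, a controller below the fixed versions and an admission webhook still installed, can be scripted. The following is an added example, not code from Wiz or the Ingress NGINX project; the inputs are constructed stand-ins for `kubectl get deploy -A -o json` and `kubectl get validatingwebhookconfigurations -o json`, the webhook name `ingress-nginx-admission` is assumed to be the default, and the treatment of branches other than 1.11 and 1.12 is an assumption not stated in the article.

```python
import json
import re

# Fixed releases named in the article: 1.12.1 and 1.11.5, keyed by branch.
FIXED = {(1, 12): 1, (1, 11): 5}
TAG_RE = re.compile(r":v?(\d+)\.(\d+)\.(\d+)")

# Constructed stand-ins for `kubectl get deploy -A -o json` and
# `kubectl get validatingwebhookconfigurations -o json`.
DEPLOYMENTS_JSON = json.dumps({"items": [{
    "metadata": {"name": "ingress-nginx-controller", "namespace": "ingress-nginx"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "controller",
         "image": "registry.k8s.io/ingress-nginx/controller:v1.11.4"}]}}}}]})
WEBHOOKS_JSON = json.dumps({"items": [
    {"metadata": {"name": "ingress-nginx-admission"}}]})

def parse_version(image):
    """Return (major, minor, patch) from an image tag, or None if untagged."""
    m = TAG_RE.search(image)
    return tuple(int(x) for x in m.groups()) if m else None

def is_vulnerable(version):
    """True if the controller predates the fix on its release branch.
    Assumption: branches before 1.11 got no fix, branches after 1.12 include it."""
    major, minor, patch = version
    if (major, minor) in FIXED:
        return patch < FIXED[(major, minor)]
    return (major, minor) < (1, 11)

def controller_images(deployments_json):
    """Collect ingress-nginx controller image references from a deployment list."""
    return [c["image"]
            for item in json.loads(deployments_json)["items"]
            for c in item["spec"]["template"]["spec"]["containers"]
            if "ingress-nginx/controller" in c["image"]]

def admission_webhook_installed(webhooks_json):
    """True if the webhook config (assumed default name) is still present."""
    names = {w["metadata"]["name"] for w in json.loads(webhooks_json)["items"]}
    return "ingress-nginx-admission" in names

def assess(deployments_json, webhooks_json):
    """Exposure summary: unpatched images plus whether the webhook is live."""
    bad = [i for i in controller_images(deployments_json)
           if (v := parse_version(i)) and is_vulnerable(v)]
    hook = admission_webhook_installed(webhooks_json)
    return {"vulnerable_images": bad, "admission_webhook_installed": hook,
            "action_needed": bool(bad) and hook}
```

Calling `assess(DEPLOYMENTS_JSON, WEBHOOKS_JSON)` on the constructed input flags the 1.11.4 image and reports `action_needed` as true; a cluster that has removed the webhook but not upgraded still shows the unpatched image so the upgrade is not forgotten.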

Major cloud providers, including Google Cloud and Microsoft, have issued advisories on this critical flaw. Kubernetes maintainers also released detailed mitigation guidance to help users protect their environments.

With Kubernetes playing such a vital role in cloud operations worldwide, staying ahead of these emerging threats is no longer optional—it’s mission-critical.
