IngressNightmare – Multiple Vulnerabilities in NGINX Controller for Kubernetes Allow Unauthorized Access to Secrets


Clusters running the NGINX Ingress Controller for Kubernetes (ingress-nginx) at versions up to 1.12.1/1.11.5 are affected by critical vulnerabilities (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974) that enable unauthorized access to Kubernetes cluster secrets. Amazon EKS users are not affected, as EKS does not provide or install the ingress-nginx controller.

Affected Users Must:

  • Urgently upgrade to the latest patched version.
  • Review Kubernetes RBAC policies to restrict unnecessary permissions.
  • Monitor for suspicious activity in cluster logs.


You Should Know:

1. Verify Your NGINX Ingress Controller Version

kubectl get pods -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx -o jsonpath='{.items[*].spec.containers[*].image}'

Upgrade Command (Helm):

helm upgrade ingress-nginx ingress-nginx/ingress-nginx --version 4.7.1 -n ingress-nginx 
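The version check above prints raw image references and leaves the comparison to the reader. The script below, an added example that is not code from the original post or from the ingress-nginx project, classifies each controller image as patched or vulnerable. It assumes, as the upstream fix announcement stated, that v1.11.5 and v1.12.1 are the first releases of their lines carrying the IngressNightmare fixes; the sample image list is constructed, and the `kubectl` pipeline in the trailing comment is how it would be fed from a live cluster.

```shell
#!/bin/sh
# Added example (not code from the original post or the ingress-nginx project).
# Classifies ingress-nginx controller image references by version.
# Assumption: v1.11.5 and v1.12.1 are the first releases of their lines with
# the IngressNightmare fixes; 1.11.x below 1.11.5, 1.12.0 and every older
# line are treated as vulnerable.

# Constructed sample image references, one per line, as kubectl would print them.
SAMPLE_IMAGES='registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:0123456789abcdef
registry.k8s.io/ingress-nginx/controller:v1.12.1
registry.k8s.io/ingress-nginx/controller:v1.10.2
registry.k8s.io/ingress-nginx/controller:v1.13.0
nginx:latest'

# Extract "X.Y.Z" from an image reference (tag may be v1.12.0 or 1.12.0, with
# or without a trailing @sha256 digest). Prints nothing if no version is found.
image_version() {
  printf '%s\n' "$1" | sed -n 's/.*:v\{0,1\}\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Exit 0 when "X.Y.Z" is at or above the fixed release of its line, else 1.
is_patched() {
  major=${1%%.*}; rest=${1#*.}
  minor=${rest%%.*}; patch=${rest#*.}
  if [ "$major" -gt 1 ]; then return 0; fi
  if [ "$major" -lt 1 ]; then return 1; fi
  case $minor in
    11) [ "$patch" -ge 5 ] ;;
    12) [ "$patch" -ge 1 ] ;;
    *)  [ "$minor" -gt 12 ] ;;
  esac
}

# Print PATCHED, VULNERABLE or UNKNOWN for one image reference.
classify_image() {
  ver=$(image_version "$1")
  if [ -z "$ver" ]; then echo UNKNOWN
  elif is_patched "$ver"; then echo PATCHED
  else echo VULNERABLE
  fi
}

# Read image references from stdin; print "<image> <verdict>" per line and
# a final count of vulnerable images.
classify_images() {
  vuln=0
  while IFS= read -r img; do
    [ -n "$img" ] || continue
    verdict=$(classify_image "$img")
    printf '%s %s\n' "$img" "$verdict"
    if [ "$verdict" = VULNERABLE ]; then vuln=$((vuln + 1)); fi
  done
  echo "vulnerable: $vuln"
}

# Stand-alone run over the constructed sample. Against a live cluster, feed
# the controller images in instead:
#   kubectl get pods -A -l app.kubernetes.io/name=ingress-nginx \
#     -o jsonpath='{range .items[*]}{range .spec.containers[*]}{.image}{"\n"}{end}{end}' \
#     | classify_images
printf '%s\n' "$SAMPLE_IMAGES" | classify_images
```

An UNKNOWN verdict (no parseable version in the tag, as with a floating tag like `latest`) is worth treating as a finding in itself: the controller's version should be pinned so that checks like this one, and the upgrade itself, are reproducible.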

2. Check for Exposed Secrets

kubectl get secrets --all-namespaces
# Secret reads are recorded in the API-server audit log, written to the path given by
# the API server's --audit-log-path flag (the path below is an example, not a default)
grep '"resource":"secrets"' /var/log/kubernetes/audit/audit.log

3. Mitigation Steps

  • Restrict Ingress Permissions:

    # clusterrole.yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: restricted-ingress-role
    rules:
    - apiGroups: [""]
      resources: ["secrets"]
      verbs: ["get", "list"]

  • Enable Network Policies:

    kubectl apply -f - <<EOF
    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: deny-ingress-to-secrets
      namespace: default
    spec:
      podSelector:
        matchLabels:
          role: ingress-nginx
      policyTypes:
      - Egress
      egress:
      - to:
        - namespaceSelector: {}
        ports:
        - protocol: TCP
          port: 443
    EOF
      

4. Post-Exploitation Detection

# Check for anomalous API calls
kubectl logs -n kube-system kube-apiserver-<node> | grep "forbidden"
    

What Undercode Say:

The IngressNightmare vulnerabilities underscore the importance of proactive Kubernetes hardening. Key takeaways:

1. Patch Immediately: Delayed updates risk cluster compromise.
2. Least Privilege: RBAC must limit ingress controllers to essential resources.
3. Log Aggregation: Centralized logging (e.g., Fluentd + ELK) detects breaches early.
4. Network Segmentation: Use Calico or Cilium to isolate ingress pods.

Linux/Win Commands for Further Checks:

• Linux: `journalctl -u kubelet --since "1 hour ago" | grep "error"`
• Windows (if using WSL2): `Get-WinEvent -LogName "Microsoft-Windows-Kubernetes/Operational" | Where-Object {$_.Level -eq 2}`

Expected Output:

NAME                                      READY   STATUS    RESTARTS   AGE
ingress-nginx-controller-5f669784-abc12   1/1     Running   0          10m
    

Reported By: Roman Siewko – Hackers Feeds