CVE-2025-1974: Critical Set of Vulnerabilities in Ingress NGINX Controller for Kubernetes Leading to Unauthenticated RCE




Heads-up for Kubernetes admins! A batch of five critical vulnerabilities called “IngressNightmare” (CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974) affecting Ingress NGINX has recently been patched; left unpatched, they pose a serious risk to clusters. With over 40% of Kubernetes environments relying on Ingress NGINX, swift action is crucial to safeguard your systems and data against RCE attacks. The most serious flaw on the list is CVE-2025-1974, which enables unauthenticated attackers on the pod network to exploit configuration injection vulnerabilities via the Validating Admission Controller feature and reach arbitrary code execution.

With 14% of data breaches starting from vulnerability exploitation, the demand for proactive detection of CVE exploitation has never been more critical. Register for the SOC Prime Platform to outscale cyber threats with real-time CTI and curated detection content backed by a complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection. Explore the world’s largest Detection-as-Code library using the CVE tag to find relevant rules, detect potential intrusions, and mitigate attacks in time.

All the rules are compatible with multiple SIEM, EDR, and Data Lake technologies and mapped to the MITRE ATT&CK framework to streamline threat investigation. Additionally, every rule is enriched with detailed metadata, including CTI references, attack timelines, audit configurations, triage recommendations, and more. 

CVE-2025-1974 Analysis

A series of critical vulnerabilities was recently disclosed in the admission controller component of the Ingress NGINX Controller for Kubernetes, putting more than 6,500 clusters at risk of attack due to public internet exposure. Ingress NGINX Controller, which uses NGINX as a reverse proxy and load balancer, exposes HTTP/HTTPS routes from outside a cluster to internal services. The flaw stems from admission controllers being network-accessible without authentication.

Dubbed “IngressNightmare,” these security issues include CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974. Notably, the flaws do not affect the NGINX Ingress Controller, a separate implementation for NGINX and NGINX Plus. Among the five vulnerabilities identified, the most severe, CVE-2025-1974, with a CVSS score of 9.8, could lead to RCE, potentially impacting the entire Kubernetes cluster due to the elevated role of the Ingress NGINX Controller pod. Although no CVE-2025-1974 PoC exploit code is currently available, defenders expect one is likely to emerge soon.

CVE-2025-1974 exploitation involves leveraging NGINX Client Body Buffering to upload a shared library to the target pod, sending an AdmissionReview request with the ssl_engine load_module directive to trigger execution, and retrieving the executed shared library via the /proc filesystem. With its elevated privileges and open network access, CVE-2025-1974 gives attackers the green light to execute arbitrary code, access cluster-wide secrets, and potentially take full control of the system.

The infection flow involves injecting a malicious configuration to read sensitive files and execute arbitrary code, potentially leading to cluster takeover by exploiting a privileged Service Account.

The Kubernetes Security Response Committee noted that all vulnerabilities except CVE-2025-1974 involve configuration handling improvements. However, CVE-2025-1974 can be combined with the other IngressNightmare flaws to compromise the whole cluster without credentials or admin access.

The vendor has recently released ingress-nginx v1.12.1 and v1.11.5, addressing all five IngressNightmare vulnerabilities. To mitigate CVE-2025-1974 and minimize the risk of IngressNightmare exploitation attempts, users should update immediately and restrict external access to the admission webhook. As a precaution, defenders recommend allowing only the Kubernetes API Server to access the admission controller, or disabling the admission controller if it is not needed.
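One way to check a cluster against the two mitigations above, as an added example (not SOC Prime's or the ingress-nginx project's code): it flags controller images older than the fixed releases and admission Services exposed beyond ClusterIP. The image-name pattern, the "admission" substring in the Service name, and the sample data are assumptions made for this example.

```python
import json
import re

# Fixed releases named in the article: v1.11.5 on the 1.11 line, v1.12.1 otherwise.
FIXED_BY_LINE = {(1, 11): (1, 11, 5)}
FIXED_DEFAULT = (1, 12, 1)
# Assumption: controller images end in ingress-nginx/controller:vX.Y.Z
IMAGE_RE = re.compile(r"ingress-nginx/controller:v(\d+)\.(\d+)\.(\d+)")

def is_patched(version):
    """True if (major, minor, patch) is at or above the fix for its release line."""
    return version >= FIXED_BY_LINE.get(version[:2], FIXED_DEFAULT)

def audit(kubectl_json):
    """Return (finding, namespace/name, detail) tuples for a kubectl JSON list."""
    findings = []
    for item in json.loads(kubectl_json)["items"]:
        meta = item["metadata"]
        name = f'{meta["namespace"]}/{meta["name"]}'
        if item["kind"] == "Pod":
            for container in item["spec"]["containers"]:
                match = IMAGE_RE.search(container["image"])
                if match:
                    version = tuple(int(g) for g in match.groups())
                    if not is_patched(version):
                        findings.append(("unpatched-controller", name, "v%d.%d.%d" % version))
        elif item["kind"] == "Service" and "admission" in meta["name"]:
            # Only the API server needs the webhook, so anything but ClusterIP is a finding.
            svc_type = item["spec"].get("type", "ClusterIP")
            if svc_type != "ClusterIP":
                findings.append(("exposed-admission-webhook", name, svc_type))
    return findings

def _pod(name, tag):
    return {"kind": "Pod", "metadata": {"namespace": "ingress-nginx", "name": name},
            "spec": {"containers": [{"image": "registry.k8s.io/ingress-nginx/controller:" + tag}]}}

def _svc(name, svc_type):
    return {"kind": "Service", "metadata": {"namespace": "ingress-nginx", "name": name},
            "spec": {"type": svc_type}}

# Constructed sample standing in for `kubectl get pods,svc -A -o json`.
SAMPLE = json.dumps({"items": [
    _pod("ctl-a", "v1.11.4"), _pod("ctl-b", "v1.11.5"), _pod("ctl-c", "v1.12.0"),
    _pod("ctl-d", "v1.12.1"), _svc("a-admission", "LoadBalancer"), _svc("b-admission", "ClusterIP"),
]})

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A ClusterIP Service is still reachable from the pod network, so a clean result here does not replace updating or limiting webhook access to the API server.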

With the discovery of Ingress NGINX Controller vulnerabilities that, when combined, could enable RCE and potential cluster compromise, organizations are looking for ways to proactively thwart related attacks. SOC Prime Platform for collective cyber defense helps security teams spot intrusions that rely on critical vulnerabilities in a timely manner and proactively defend against evolving threats, no matter their sophistication.

