
A set of security vulnerabilities has been disclosed in the Ingress-NGINX Controller for Kubernetes, and the most severe of them, CVE-2025-1974 (CVSS 9.8), already has public proof-of-concept (PoC) exploit code, published by security researcher Jacob Sandum of ShakeyLabs.
Wiz Research, which discovered the flaws, has named the set “IngressNightmare.” An unauthenticated attacker who can reach the controller over the pod network can achieve arbitrary code execution in the context of the Ingress-NGINX controller. Code execution in the controller in turn exposes every Secret the controller is allowed to read, and in a default installation that can be every Secret in the cluster.
Sandum’s PoC targets CVE-2025-1974 specifically: it needs no credentials, only network reachability of the controller’s admission webhook from a pod, and it ends with code running inside the controller and access to the Secrets the controller holds.
IngressNightmare is the collective name for five CVEs, which are not all of the same severity:
- CVE-2025-24513: path traversal in the file name built for an auth Secret; denial of service, or limited Secret disclosure when chained with the others (CVSS 4.8)
- CVE-2025-24514: NGINX configuration injection through the auth-url annotation
- CVE-2025-1097: NGINX configuration injection through the auth-tls-match-cn annotation
- CVE-2025-1098: NGINX configuration injection through the mirror-target and mirror-host annotations
- CVE-2025-1974: remote code execution via the admission controller (CVSS 9.8)
The three annotation-injection bugs let an attacker who can create or modify Ingress objects inject directives into the NGINX configuration the controller generates. CVE-2025-1974 removes the need for any Kubernetes credentials, because the admission webhook will accept and validate a crafted Ingress object from any caller that can reach it. Chained together, they give an unauthenticated attacker on the pod network remote code execution in the controller.
The vulnerabilities are fixed in Ingress NGINX Controller versions 1.12.1, 1.11.5, and 1.10.7. Users should upgrade to the latest patched release for their line as soon as possible.
Until the upgrade is done, the admission webhook endpoint must not be reachable from outside the cluster or from untrusted pods. The mitigations recommended alongside the fix are:
- Limit access to the admission controller to only the Kubernetes API Server (for example with a network policy on the controller namespace).
- Temporarily disable the admission controller component if it is not needed. The webhook only validates Ingress objects at admission time; the controller keeps serving traffic without it.
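The triage script below is an added example, not code from the advisory, from Wiz, or from the ingress-nginx project. It compares every controller image tag in the cluster against the fixed versions named above and reports whether the admission webhook is still registered. It assumes `kubectl` is on the PATH with read access to pods and validatingwebhookconfigurations, that the controller image path contains `ingress-nginx/controller`, and that the webhook registration is named `ingress-nginx-admission` (the name used by the project's reference manifests); adjust those if your deployment differs.

```shell
#!/bin/sh
# Added triage example (not from the advisory, Wiz, or the ingress-nginx project).
# Assumptions: kubectl in PATH with read access to pods and
# validatingwebhookconfigurations; controller images contain
# "ingress-nginx/controller"; the webhook registration is named
# "ingress-nginx-admission" as in the project's reference manifests.

# is_patched TAG: succeed (exit 0) when TAG is at or past a fixed release
# (1.12.1, 1.11.5, 1.10.7, or any newer line). Anything that is not a plain
# numeric release tag (pre-release, "latest", a digest, an untagged image)
# is reported as unpatched so that triage fails closed.
is_patched() {
  tag=${1#v}
  case "$tag" in
    *-*) return 1 ;;                              # pre-release builds predate the fix
    *[!0-9.]*|''|.*|*.|*..*) return 1 ;;          # not a well-formed numeric tag
  esac
  major=${tag%%.*}
  rest=${tag#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  [ "$patch" = "$rest" ] && patch=0               # "1.12" style tag: no patch component
  case "$major.$minor" in
    1.12) [ "$patch" -ge 1 ] ;;
    1.11) [ "$patch" -ge 5 ] ;;
    1.10) [ "$patch" -ge 7 ] ;;
    # 1.13+ shipped after the fix; 1.9 and older lines never received it.
    *)    [ "$major" -gt 1 ] || [ "$minor" -gt 12 ] ;;
  esac
}

# audit_cluster: print one line per ingress-nginx controller container with its
# patch status, then say whether the admission webhook is still registered.
audit_cluster() {
  kubectl get pods -A \
    -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name} {.spec.containers[*].image}{"\n"}{end}' \
  | while read -r pod images; do
      for image in $images; do
        case "$image" in *ingress-nginx/controller*) ;; *) continue ;; esac
        ref=${image%%@*}            # drop any @sha256:... digest suffix
        tag=${ref##*:}              # an image with no tag leaves a path here, which is_patched rejects
        if is_patched "$tag"; then
          echo "OK        $pod $image"
        else
          echo "UNPATCHED $pod $image"
        fi
      done
    done

  if kubectl get validatingwebhookconfiguration ingress-nginx-admission >/dev/null 2>&1; then
    echo "admission webhook ingress-nginx-admission is registered"
  else
    echo "no ingress-nginx-admission webhook registered"
  fi
}

# Run the cluster audit only when invoked as: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
  audit_cluster
fi
```

Any `UNPATCHED` line next to a registered webhook is the exposed configuration. To take the webhook out of service until the upgrade, the Helm chart accepts `--set controller.admissionWebhooks.enabled=false`; with raw manifests, delete the `ingress-nginx-admission` ValidatingWebhookConfiguration and remove the `--validating-webhook` argument from the controller container so the controller stops listening for admission requests.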