A set of five critical vulnerabilities has been disclosed in the Ingress NGINX Controller for Kubernetes that could lead to unauthenticated remote code execution, putting more than 6,500 clusters at immediate risk by exposing the component to the public internet.
The vulnerabilities (CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098 and CVE-2025-1974), assigned a CVSS score of 9.8, have been collectively named IngressNightmare by cloud security firm Wiz. It should be noted that the flaws do not affect the NGINX Ingress Controller, which is another implementation of the Ingress controller for NGINX and NGINX Plus.
“Exploitation of these vulnerabilities leads to unauthorized access to all secrets stored across all namespaces in the Kubernetes cluster, which can result in cluster takeover,” the company said in a report shared with The Hacker News.
IngressNightmare, at its core, affects the admission controller component of the Ingress NGINX Controller for Kubernetes. About 43% of cloud environments are vulnerable to these vulnerabilities.
The Ingress NGINX Controller uses NGINX as a reverse proxy and load balancer, making it possible to expose HTTP and HTTPS routes from outside a cluster to services within it.
The vulnerability takes advantage of the fact that admission controllers deployed within a Kubernetes pod are accessible over the network without authentication.
Specifically, it involves injecting an arbitrary NGINX configuration remotely by sending a malicious ingress object (aka AdmissionReview requests) directly to the admission controller, resulting in code execution on the Ingress NGINX Controller pod.
“The admission controller’s elevated privileges and unrestricted network accessibility create a critical escalation path,” Wiz explained. “Exploiting this flaw allows an attacker to execute arbitrary code and access all cluster secrets across namespaces, which could lead to complete cluster takeover.”
The flaws are listed below –
- CVE-2025-24514 – auth-url annotation injection
- CVE-2025-1097 – auth-tls-match-cn annotation injection
- CVE-2025-1098 – mirror annotation injection
- CVE-2025-1974 – NGINX configuration code execution
In an experimental attack scenario, a threat actor could upload a malicious payload in the form of a shared library to the pod by using the client-body buffer feature of NGINX, followed by sending an AdmissionReview request to the admission controller.
The request, in turn, contains one of the aforementioned configuration directive injections that causes the shared library to be loaded, leading to remote code execution.
Hillai Ben-Sasson, cloud security researcher at Wiz, told The Hacker News that the attack chain essentially involves injecting a malicious configuration and using it to read sensitive files and run arbitrary code. This could subsequently allow an attacker to abuse a powerful service account to read Kubernetes secrets and ultimately take over the cluster.
Following responsible disclosure, the vulnerabilities have been addressed in Ingress NGINX Controller versions 1.12.1, 1.11.5 and 1.10.7.
Users are advised to update to the latest version as soon as possible and to ensure that the admission webhook endpoint is not exposed externally.
As mitigations, it is recommended to restrict access to the admission controller to only the Kubernetes API server and to temporarily disable the admission controller if it is not needed.
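A quick audit helper for the update advice above, written here as an added example (it is not code from the article, from Wiz, or from the ingress-nginx project): it classifies a controller image tag against the patched releases named in the article (1.12.1, 1.11.5, 1.10.7) and flags every controller pod still running an older tag. The pod names and image tags in the sample input are constructed, and the kubectl query in the comment is an assumption about how you would feed it real data.

```shell
#!/bin/sh
# Added example: check Ingress NGINX Controller image tags against the patched
# releases (1.12.1, 1.11.5, 1.10.7). Branches older than 1.10 are treated as
# unpatched; branches newer than 1.12 are assumed to carry the fix.

# Returns 0 when the tag is a patched release, 1 when it is vulnerable.
ingress_nginx_patched() {
  tag=${1#v}                          # accept "v1.11.4" and "1.11.4"
  tag=${tag%%@*}                      # drop an "@sha256:..." digest suffix
  major=${tag%%.*}; rest=${tag#*.}
  minor=${rest%%.*}; patch=${rest#*.}
  patch=${patch%%[!0-9]*}             # keep only the leading digits of the patch level
  [ "$major" = 1 ] || return 1        # only the 1.x line is covered here
  case "$minor" in
    12) [ "${patch:-0}" -ge 1 ] ;;
    11) [ "${patch:-0}" -ge 5 ] ;;
    10) [ "${patch:-0}" -ge 7 ] ;;
    *)  [ "$minor" -gt 12 ] ;;
  esac
}

# Reads "pod-name image" lines on stdin, reports each ingress-nginx controller
# pod, and returns the number of pods running an unpatched tag.
audit_controllers() {
  vulnerable=0
  while read -r name image; do
    case "$image" in *ingress-nginx/controller*) ;; *) continue ;; esac
    image=${image%%@*}                # strip digest before isolating the tag
    tag=${image##*:}
    if ingress_nginx_patched "$tag"; then
      echo "OK         $name $tag"
    else
      echo "VULNERABLE $name $tag"
      vulnerable=$((vulnerable + 1))
    fi
  done
  return $vulnerable
}

# Constructed sample input. On a live cluster (assumption) the same shape comes from:
#   kubectl get pods -A --no-headers \
#     -o custom-columns='NAME:.metadata.name,IMAGE:.spec.containers[*].image'
audit_controllers <<'EOF' || echo "$? controller pod(s) need the update"
ingress-nginx-controller-7f9c registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:0000constructed
ingress-nginx-controller-2a1b registry.k8s.io/ingress-nginx/controller:v1.12.1
coredns-5d78c registry.k8s.io/coredns/coredns:v1.11.1
EOF
```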