Patches Released for Ingress NGINX Controller Vulnerabilities
The Kubernetes project has released patches for five vulnerabilities in the Ingress NGINX Controller, the component that routes external traffic to Services inside a cluster. The most severe of them sits in the controller's validating admission webhook: an attacker who can reach the webhook can inject directives into the NGINX configuration it test-loads, gain code execution inside the controller pod, and from there read Secrets across every namespace, which is enough to take over the entire cluster.
Research by the cloud security firm Wiz found that roughly 43% of cloud environments run a vulnerable version. Wiz also counted more than 6,500 clusters, among them clusters belonging to Fortune 500 companies, whose ingress-nginx admission controllers are reachable from the public internet; those clusters are within reach of any unauthenticated attacker rather than only someone already on the cluster network, which makes the risk immediate and severe.
Four of the five, which the Wiz team groups under the name IngressNightmare, are tracked as CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, and CVE-2025-1974; the last of these is the unauthenticated admission-webhook flaw and carries a critical CVSS 9.8 rating. All are fixed in Ingress NGINX Controller 1.12.1 and 1.11.5, released on Monday, March 24, 2025. Older minor lines receive no fix and need to be upgraded to one of those releases.
Organizations running Kubernetes should inventory every ingress-nginx deployment (the controller is commonly installed per team or per add-on, so one cluster may carry several copies at different versions) and upgrade as soon as possible. Where an upgrade cannot happen immediately, the Kubernetes project's advisory recommends disabling the validating admission webhook as a stop-gap (Helm installs: redeploy with controller.admissionWebhooks.enabled=false; manual installs: delete the ingress-nginx-admission ValidatingWebhookConfiguration and remove the --validating-webhook argument from the controller container) and re-enabling it after patching, since the webhook is what stops malformed Ingress objects from breaking the controller.
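The inventory step above is easy to script. The following is an added example, not code from the article or from the Kubernetes project: it reads the JSON that kubectl get pods -A -o json (and optionally kubectl get svc -A -o json) prints, reports every ingress-nginx controller image older than the fixed 1.11.5 and 1.12.1 releases, and applies a heuristic for the exposure Wiz measured, flagging NodePort or LoadBalancer Services that point at the admission webhook port. The pod and Service records below are constructed sample data, not from any real cluster.

```python
"""Flag ingress-nginx controllers that predate the IngressNightmare fixes.

Added example, not code from the article or the Kubernetes project. Input is
the JSON printed by `kubectl get pods -A -o json` (and, optionally, by
`kubectl get svc -A -o json`), saved to files and passed on the command line;
with no arguments it runs on the constructed SAMPLE_* data below.
"""
import json
import re
import sys

# Upstream controller images: registry.k8s.io/ingress-nginx/controller[-chroot]:vX.Y.Z[@sha256:...]
# (a private mirror that keeps the repository path still matches).
CONTROLLER_IMAGE_RE = re.compile(r"ingress-nginx/controller(?:-chroot)?:v?(\d+)\.(\d+)\.(\d+)")

FIXED_1_11 = (1, 11, 5)  # fixed releases named in the advisory
FIXED_1_12 = (1, 12, 1)


def parse_version(image):
    """(major, minor, patch) of an ingress-nginx controller image, or None for other images.
    A digest suffix is ignored because the pattern stops at the numeric tag."""
    m = CONTROLLER_IMAGE_RE.search(image)
    return tuple(int(x) for x in m.groups()) if m else None


def is_patched(version):
    """True only for 1.11.5+ on the 1.11 line, 1.12.1+, or any later minor line.
    Everything older, including the unsupported 1.10 and earlier lines, is affected."""
    if version >= FIXED_1_12:
        return True
    return FIXED_1_11 <= version < (1, 12, 0)


def find_affected(pod_list):
    """(namespace, pod, image) for every controller container running an unpatched tag."""
    hits = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod.get("spec", {})
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            v = parse_version(c.get("image", ""))
            if v is not None and not is_patched(v):
                hits.append((meta["namespace"], meta["name"], c["image"]))
    return hits


def find_exposed_admission(svc_list):
    """Heuristic for the exposure Wiz measured: the upstream manifests publish the
    admission webhook (container port 8443, port name "webhook") only through a
    ClusterIP Service, so a NodePort or LoadBalancer Service pointing at that
    port is a candidate for being reachable from outside the cluster."""
    hits = []
    for svc in svc_list.get("items", []):
        spec = svc.get("spec", {})
        if spec.get("type", "ClusterIP") == "ClusterIP":
            continue
        if any(p.get("targetPort") in ("webhook", 8443) for p in spec.get("ports", [])):
            hits.append((svc["metadata"]["namespace"], svc["metadata"]["name"], spec["type"]))
    return hits


def _pod(ns, name, image):
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"containers": [{"name": "controller", "image": image}]}}


# Constructed sample data in the shape of the kubectl output; not from any real cluster.
SAMPLE_PODS = {"items": [
    _pod("ingress-nginx", "ingress-nginx-controller-7d9f-abcde",
         "registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:0123456789abcdef"),
    _pod("edge", "ingress-nginx-controller-5c7b-fghij",
         "registry.k8s.io/ingress-nginx/controller:v1.11.5"),
    _pod("legacy", "nginx-ingress-controller-6f4c-klmno",
         "registry.k8s.io/ingress-nginx/controller-chroot:v1.10.1"),
    _pod("default", "web-0", "nginx:1.27"),
]}
SAMPLE_SVCS = {"items": [
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-admission"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 443, "targetPort": "webhook"}]}},
    {"metadata": {"namespace": "edge", "name": "ingress-nginx-controller-admission"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 443, "targetPort": "webhook"}]}},
    {"metadata": {"namespace": "edge", "name": "ingress-nginx-controller"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 80, "targetPort": "http"},
                                                 {"port": 443, "targetPort": "https"}]}},
]}


def main(argv):
    pods = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_PODS
    svcs = json.load(open(argv[2])) if len(argv) > 2 else SAMPLE_SVCS
    for ns, name, image in find_affected(pods):
        print(f"AFFECTED  {ns}/{name}  {image}")
    for ns, name, kind in find_exposed_admission(svcs):
        print(f"EXPOSED?  {ns}/{name}  type={kind}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against your own cluster with python3 check_ingress.py pods.json svc.json after saving the two kubectl outputs. The Service heuristic is deliberately conservative: it misses controllers that run with hostNetwork (where port 8443 is open on the node itself) and images pulled from mirrors that rename the repository path, so treat an empty EXPOSED? list as a starting point, not a clean bill of health.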
Source: www.csoonline.com