IngressNightmare: 9.8 Critical Unauthenticated Remote Code Execution Vulnerabilities in Ingress NGINX www.wiz.io/blog/ingr…

Wiz Research discovered CVE-2025-1097, CVE-2025-1098, CVE-2025-24514 and CVE-2025-1974, a series of unauthenticated Remote Code Execution vulnerabilities in the Ingress NGINX Controller for Kubernetes, dubbed #IngressNightmare. Exploiting them gives an attacker unauthorized access to all secrets stored across every namespace in the Kubernetes cluster, which can result in full cluster takeover.

This attack vector has been assigned a CVSS v3.1 base score of 9.8.

In the linked blog post, Wiz shares key learnings from the discovery of IngressNightmare, which affects the admission controller component of the Ingress NGINX Controller for Kubernetes. Based on their analysis, about 43% of cloud environments are affected by these vulnerabilities, and the research uncovered over 6,500 clusters, including those of Fortune 500 companies, whose vulnerable ingress controller admission controllers are exposed to the public internet, putting them at immediate critical risk.
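The two questions an operator wants answered after reading the above are whether the deployed controller predates the fixed releases and whether the admission webhook is reachable from outside the cluster. The script below is an added example, not code from the Wiz post or the ingress-nginx project: it evaluates the JSON that `kubectl get deploy,svc -n ingress-nginx -o json` would return (a constructed sample is embedded so it runs offline). The fixed versions v1.11.5 and v1.12.1 are taken from the upstream ingress-nginx release notes, not from this page, and the Service-matching rule assumes the upstream manifest's naming (Service name ending in `-admission`, port named `https-webhook`).

```python
import json
import re

# Upstream fix releases for the four CVEs (v1.11.5, v1.12.1). Taken from the
# ingress-nginx release notes, not from the page above; adjust if your
# distribution backports fixes to other branches.
FIXED_PATCH = {11: 5, 12: 1}

# Matches the version tag in an image reference such as
# registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:...
VERSION_RE = re.compile(r":v?(\d+)\.(\d+)\.(\d+)(?=[-@]|$)")


def parse_controller_version(image):
    """Return (major, minor, patch) from an image reference, or None."""
    m = VERSION_RE.search(image)
    return tuple(int(g) for g in m.groups()) if m else None


def version_is_fixed(version):
    """True if the controller release carries the IngressNightmare fixes."""
    major, minor, patch = version
    if major > 1 or minor > 12:
        return True            # every release after v1.12.1 includes the fix
    if minor in FIXED_PATCH:
        return patch >= FIXED_PATCH[minor]
    return False               # v1.10 and older never received a patch


def admission_services(items):
    """Pick out Services fronting the controller's admission webhook.
    Assumption: upstream manifest naming (name ends in '-admission' or a port
    is named 'https-webhook'); adapt for custom Helm values."""
    out = []
    for obj in items:
        if obj.get("kind") != "Service":
            continue
        name = obj["metadata"]["name"]
        ports = obj["spec"].get("ports", [])
        if name.endswith("-admission") or any(p.get("name") == "https-webhook" for p in ports):
            out.append(obj)
    return out


def triage(kubectl_json):
    """Evaluate `kubectl get deploy,svc -n ingress-nginx -o json` output."""
    items = json.loads(kubectl_json)["items"]
    findings = {"controller_versions": [], "unpatched": False,
                "webhook_services": [], "webhook_externally_exposed": False}
    for obj in items:
        if obj.get("kind") != "Deployment":
            continue
        for c in obj["spec"]["template"]["spec"]["containers"]:
            if "ingress-nginx/controller" not in c["image"]:
                continue
            ver = parse_controller_version(c["image"])
            if ver:
                findings["controller_versions"].append(ver)
                if not version_is_fixed(ver):
                    findings["unpatched"] = True
    for svc in admission_services(items):
        spec = svc["spec"]
        svc_type = spec.get("type", "ClusterIP")
        # NodePort/LoadBalancer or externalIPs publish the webhook beyond the cluster.
        exposed = svc_type in ("NodePort", "LoadBalancer") or bool(spec.get("externalIPs"))
        findings["webhook_services"].append((svc["metadata"]["name"], svc_type, exposed))
        findings["webhook_externally_exposed"] |= exposed
    return findings


# Constructed sample: an unpatched controller whose admission Service was
# (mis)configured as NodePort. Not real cluster data.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "Deployment", "metadata": {"name": "ingress-nginx-controller"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "controller",
          "image": "registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:"
                   + "0" * 64}]}}}},
    {"kind": "Service", "metadata": {"name": "ingress-nginx-controller"},
     "spec": {"type": "LoadBalancer",
              "ports": [{"name": "http", "port": 80}, {"name": "https", "port": 443}]}},
    {"kind": "Service", "metadata": {"name": "ingress-nginx-controller-admission"},
     "spec": {"type": "NodePort",
              "ports": [{"name": "https-webhook", "port": 443, "targetPort": "webhook"}]}},
]})

if __name__ == "__main__":
    f = triage(SAMPLE)
    for ver in f["controller_versions"]:
        print("controller v%d.%d.%d:" % ver,
              "patched" if version_is_fixed(ver) else "UNPATCHED")
    for name, typ, exposed in f["webhook_services"]:
        print(f"{name}: type={typ}",
              "EXTERNALLY EXPOSED" if exposed else "cluster-internal only")
```

A ClusterIP result only removes the internet exposure the post counts; the webhook still answers unauthenticated requests from any pod in the cluster, so the version check is the one that matters, and the Service check is about blast radius.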
