
A newly disclosed critical vulnerability (CVE-2025-1097) in Kubernetes’ Ingress-Nginx controller enables attackers to execute arbitrary code and access sensitive cluster secrets. With a CVSS score of 8.8, this flaw affects default installations where the controller has cluster-wide secret access, potentially impacting thousands of internet-facing deployments. Security teams should prioritize patching, as researchers have identified over 6,500 vulnerable clusters exposed to this attack vector.
Security Leadership Briefing
The vulnerability represents a systemic risk to Kubernetes environments, particularly those with internet-exposed admission controllers. Attackers can leverage malicious NGINX configuration injections to gain code execution on controller pods, which by default have access to all cluster secrets. Recent scans indicate 43% of cloud environments may contain vulnerable configurations, requiring immediate remediation.
Key action items include upgrading to patched versions (1.12.1 or 1.11.5), restricting network access to the admission controller, and auditing clusters for suspicious auth-tls-match-cn annotations. The Kubernetes Security Response Committee has released coordinated patches addressing this and related vulnerabilities, collectively termed “IngressNightmare.”
Technical Breakdown
The vulnerability stems from improper input sanitization in the auth-tls-match-cn annotation parser. During ingress object processing, the admission controller fails to validate user-supplied input before incorporating it into the generated NGINX configuration. This allows attackers to inject arbitrary directives through specially crafted AdmissionReview requests.
When the controller validates the malicious configuration with nginx -t, the payload executes in the controller’s context. Successful exploitation grants attackers the controller pod’s privileges, which typically include access to all cluster secrets and potential paths to full cluster compromise through privileged service accounts.
Detection and Response
Organizations can locate Ingress-Nginx controller pods, whose image versions should then be checked against the patched releases, using the command:
kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx
Security researchers have published detection templates, including a Nuclei template for identifying exposed admission controllers. For immediate mitigation, administrators should implement network policies restricting admission controller access exclusively to the API server.
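The two audit steps above (checking controller versions and finding Ingress objects that use the auth-tls-match-cn annotation) can be scripted against kubectl's JSON output. The following is an added example, not code from the article or the Ingress-Nginx project; it assumes the default annotation prefix nginx.ingress.kubernetes.io and the standard controller image name, and runs on constructed sample data in place of live kubectl output.

```python
import json
import re

# Patched releases per the advisory: 1.12.1 and 1.11.5 (older minor lines never received the fix).
PATCHED = {(1, 12): 1, (1, 11): 5}
ANNOTATION = "nginx.ingress.kubernetes.io/auth-tls-match-cn"  # assumes the default annotation prefix
IMAGE_RE = re.compile(r"ingress-nginx/controller:v?(\d+)\.(\d+)\.(\d+)")

def controller_is_vulnerable(image):
    """True if the image is an ingress-nginx controller older than a patched release."""
    m = IMAGE_RE.search(image)
    if not m:
        return False  # not a controller image, or a digest-only reference we cannot judge
    major, minor, patch = map(int, m.groups())
    fixed_patch = PATCHED.get((major, minor))
    if fixed_patch is None:
        return (major, minor) < (1, 11)  # lines before 1.11 are unpatched; newer lines are fine
    return patch < fixed_patch

def audit(pods_json, ingresses_json):
    """Flag vulnerable controller pods and Ingress objects carrying auth-tls-match-cn for review."""
    findings = []
    for pod in json.loads(pods_json)["items"]:
        ns, name = pod["metadata"]["namespace"], pod["metadata"]["name"]
        for c in pod["spec"]["containers"]:
            if controller_is_vulnerable(c["image"]):
                findings.append(("vulnerable-controller", f"{ns}/{name}", c["image"]))
    for ing in json.loads(ingresses_json)["items"]:
        ann = ing["metadata"].get("annotations") or {}
        if ANNOTATION in ann:
            ns, name = ing["metadata"]["namespace"], ing["metadata"]["name"]
            findings.append(("suspicious-annotation", f"{ns}/{name}", ann[ANNOTATION]))
    return findings

# Constructed samples shaped like `kubectl get pods -A -o json` and `kubectl get ingress -A -o json`.
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"namespace": "ingress-nginx", "name": "ctrl-old"},
     "spec": {"containers": [{"image": "registry.k8s.io/ingress-nginx/controller:v1.11.4"}]}},
    {"metadata": {"namespace": "ingress-nginx", "name": "ctrl-new"},
     "spec": {"containers": [{"image": "registry.k8s.io/ingress-nginx/controller:v1.12.1"}]}},
]})
SAMPLE_INGRESSES = json.dumps({"items": [
    {"metadata": {"namespace": "prod", "name": "api", "annotations": {
        "nginx.ingress.kubernetes.io/auth-tls-match-cn": "CN=legit-client"}}},
    {"metadata": {"namespace": "prod", "name": "web", "annotations": {}}},
]})

if __name__ == "__main__":
    for kind, obj, detail in audit(SAMPLE_PODS, SAMPLE_INGRESSES):
        print(f"{kind:22} {obj:28} {detail}")
```

Every flagged annotation is reported for human review rather than judged automatically, since legitimate client-certificate CN matching uses the same annotation.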
Broader Impact and Context
CVE-2025-1097 forms part of a five-vulnerability cluster affecting Ingress-Nginx controllers, with the most severe (CVE-2025-1974) scoring 9.8 on the CVSS scale. These flaws collectively enable unauthenticated remote code execution when chained with other weaknesses in the admission control workflow.
The vulnerabilities highlight systemic risks in Kubernetes’ ingress architecture, particularly the dangers of excessive default permissions. Security teams should review all ingress controller configurations and consider implementing principle-of-least-privilege access controls for cluster components.