Detecting and Mitigating IngressNightmare – CVE-2025-1974
Blog post from Sysdig
On March 24, 2025, several critical vulnerabilities were disclosed in the Kubernetes ingress-nginx controller (the community Ingress NGINX Controller, not F5's similarly named NGINX Ingress Controller). The most severe, CVE-2025-1974, allows unauthenticated remote code execution: the controller's validating admission webhook accepts requests without authentication, and a crafted Ingress object can inject NGINX configuration that the controller executes while validating it. Code execution inside the controller pod is especially dangerous because the pod's service account can read Secrets across all namespaces by default, so one successful exploit can expose credentials for the entire cluster. Sysdig has published detection for exploitation attempts as Sysdig Secure policies and Falco rules; at the time of writing no public proof of concept existed. The article's recommendation is to upgrade to the patched releases, v1.11.5 or v1.12.1, and to ensure the admission webhook is not exposed outside the cluster. Since the webhook is reachable from any workload on the pod network by default, limiting its exposure is a stopgap and the upgrade is the actual fix.
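To put the two mitigations into a repeatable check, here is an added triage script (not code from the Sysdig post or the ingress-nginx project) that runs over the JSON output of `kubectl get pods -A -o json` and `kubectl get svc -A -o json`. It flags ingress-nginx controller containers whose image tag predates the fixed releases named above, and admission-webhook Services of a type that hands out an externally reachable address. The Service name suffix `-controller-admission` is an assumption taken from the upstream ingress-nginx manifests; the sample documents embedded below are constructed for offline use, and the image digest in them is a placeholder.

```python
"""Triage helper for IngressNightmare (CVE-2025-1974).

Added example, not from the Sysdig post. Run with the JSON from
`kubectl get pods -A -o json` and `kubectl get svc -A -o json`, or with no
arguments to exercise the constructed sample documents below.
"""
import json
import re
import sys

# Fixed releases named in the advisory: 1.11.5 and 1.12.1. Older minor lines
# (1.10 and below) received no fix, so they are treated as vulnerable.
FIXED = {(1, 11): (1, 11, 5), (1, 12): (1, 12, 1)}

TAG_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_tag(image):
    """Return (major, minor, patch) parsed from an image reference's tag,
    or None when the reference carries no parsable tag."""
    ref = image.split("@", 1)[0]                 # drop any @sha256:... digest
    if ":" not in ref.rsplit("/", 1)[-1]:        # registry:port is not a tag
        return None
    m = TAG_RE.match(ref.rsplit(":", 1)[1])
    return tuple(int(x) for x in m.groups()) if m else None


def is_patched(version):
    """True when the version is at or above the fixed release for its minor
    line, or on a newer minor line than any the advisory covers."""
    if version is None:
        return False                             # unknown tag: assume unpatched
    line = version[:2]
    if line in FIXED:
        return version >= FIXED[line]
    return line > max(FIXED)                     # >1.12 is fine, <1.11 is not


def is_controller_image(image):
    return "ingress-nginx/controller" in image


def vulnerable_pods(pods_doc):
    """(namespace, pod, image) for every controller container on an
    unpatched image tag."""
    findings = []
    for pod in pods_doc.get("items", []):
        meta = pod["metadata"]
        for c in pod["spec"].get("containers", []):
            img = c["image"]
            if is_controller_image(img) and not is_patched(parse_tag(img)):
                findings.append((meta["namespace"], meta["name"], img))
    return findings


def exposed_admission_services(svc_doc):
    """(namespace, name, type) for admission-webhook Services whose type
    gives them an address reachable from outside the cluster. The name
    suffix is an assumption based on the upstream manifests."""
    findings = []
    for svc in svc_doc.get("items", []):
        meta, spec = svc["metadata"], svc["spec"]
        if (meta["name"].endswith("-controller-admission")
                and spec.get("type") in ("NodePort", "LoadBalancer")):
            findings.append((meta["namespace"], meta["name"], spec["type"]))
    return findings


# Constructed sample documents (not real cluster output). The digest is a
# placeholder that only exercises the parser.
SAMPLE_PODS = json.loads("""{"items": [
 {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-7d9f"},
  "spec": {"containers": [{"name": "controller",
   "image": "registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:0000"}]}},
 {"metadata": {"namespace": "edge", "name": "ingress-nginx-controller-b1c2"},
  "spec": {"containers": [{"name": "controller",
   "image": "registry.k8s.io/ingress-nginx/controller:v1.12.1"}]}},
 {"metadata": {"namespace": "default", "name": "web-5f6"},
  "spec": {"containers": [{"name": "web", "image": "nginx:1.27"}]}}
]}""")

SAMPLE_SERVICES = json.loads("""{"items": [
 {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-admission"},
  "spec": {"type": "ClusterIP"}},
 {"metadata": {"namespace": "edge", "name": "ingress-nginx-controller-admission"},
  "spec": {"type": "LoadBalancer"}}
]}""")


def main(argv):
    if len(argv) == 3:
        with open(argv[1]) as f:
            pods = json.load(f)
        with open(argv[2]) as f:
            svcs = json.load(f)
    else:
        pods, svcs = SAMPLE_PODS, SAMPLE_SERVICES
    for ns, name, img in vulnerable_pods(pods):
        print(f"UNPATCHED  {ns}/{name}  {img}")
    for ns, name, kind in exposed_admission_services(svcs):
        print(f"EXPOSED    {ns}/{name}  Service type {kind}")


if __name__ == "__main__":
    main(sys.argv)
```

Against the sample data the script reports the v1.11.4 controller as unpatched and the LoadBalancer-typed admission Service in the `edge` namespace as exposed; a ClusterIP admission Service is not reported, but it is still reachable from any pod in the cluster, which is why the version check is the one that matters.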