Critical Vulnerabilities in Ingress NGINX Controller for Kubernetes

Date of Notice: 03/26/2025
Action Level - Critical
Description
Kubernetes has released updates to the Ingress NGINX Controller component to address multiple critical vulnerabilities. If exploited, these vulnerabilities could allow unauthenticated remote code execution and a takeover of the Kubernetes cluster. Ingress NGINX Controller is a common Kubernetes component installed on ~40% of externally visible clusters, all of which are potentially vulnerable if left unpatched. We recommend anyone using Kubernetes check their clusters for Ingress NGINX Controller and prioritize patching on all impacted clusters.
Fixed Versions
- Ingress NGINX Controller 1.12.1 or later
- Ingress NGINX Controller 1.11.5 or later
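As an added check (not from the advisory or the Kubernetes project), the following POSIX shell script lists ingress-nginx controller pods and compares their image tags with the fixed versions above. The label selector is the one ingress-nginx's default manifests apply (`app.kubernetes.io/name=ingress-nginx`, an assumption to confirm against your install); `image_tag`, `is_fixed_version`, `classify_images`, `check_cluster` and `demo` are names chosen here. Anything at or after 1.12.1, or 1.11.5 and later on the 1.11 line, counts as fixed; every other tag, including `latest` or a digest-only reference that cannot be compared, is reported as VULNERABLE so that it gets looked at.

```shell
#!/bin/sh
# Added example, not from the advisory or the ingress-nginx project.
# Lists ingress-nginx controller pods and flags image tags below the fixed
# versions named in the advisory (1.12.1 or later, 1.11.5 or later).

# image_tag IMAGE -> prints the tag of a container image reference.
# Handles a trailing @sha256:... digest and registries with a port.
image_tag() {
    img="${1%%@*}"                 # drop any digest
    last="${img##*/}"              # last path element, e.g. controller:v1.11.4
    case "$last" in
        *:*) printf '%s\n' "${last##*:}" ;;
        *)   printf 'latest\n' ;;  # no tag means the implicit "latest"
    esac
}

# is_fixed_version TAG -> exit 0 if TAG is at/after a fixed version, else 1.
is_fixed_version() {
    v="${1#v}"                     # v1.12.1 -> 1.12.1
    v="${v%%-*}"                   # ignore suffixes such as -rc1 (assumed format)
    old_ifs="$IFS"; IFS=.; set -- $v; IFS="$old_ifs"
    major="${1:-}"; minor="${2:-}"; patch="${3:-0}"
    [ -n "$major" ] && [ -n "$minor" ] || return 1
    case "$major$minor$patch" in
        *[!0-9]*) return 1 ;;      # not a numeric x.y.z tag (e.g. "latest")
    esac
    [ "$major" -gt 1 ] && return 0
    [ "$major" -lt 1 ] && return 1
    [ "$minor" -gt 12 ] && return 0
    [ "$minor" -eq 12 ] && [ "$patch" -ge 1 ] && return 0
    [ "$minor" -eq 11 ] && [ "$patch" -ge 5 ] && return 0
    return 1
}

# classify_images: reads "namespace/pod image" lines on stdin and appends
# FIXED or VULNERABLE to each line.
classify_images() {
    while read -r pod image; do
        if is_fixed_version "$(image_tag "$image")"; then
            status=FIXED
        else
            status=VULNERABLE
        fi
        printf '%s %s %s\n' "$pod" "$image" "$status"
    done
}

# check_cluster: live query; needs kubectl pointed at the cluster to inspect.
# The selector matches ingress-nginx's default manifests (assumption) and
# containers[0] is taken to be the controller container.
check_cluster() {
    kubectl get pods --all-namespaces \
        --selector app.kubernetes.io/name=ingress-nginx \
        -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name} {.spec.containers[0].image}{"\n"}{end}' \
    | classify_images
}

# demo: offline run over constructed sample lines (not real cluster output).
demo() {
    printf '%s\n' \
        'ingress-nginx/ingress-nginx-controller-a registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:0000' \
        'ingress-nginx/ingress-nginx-controller-b registry.k8s.io/ingress-nginx/controller:v1.12.1' \
    | classify_images
}

# "sh check-ingress-nginx.sh --cluster" queries the cluster; otherwise the demo runs.
if [ "${1:-}" = "--cluster" ]; then check_cluster; else demo; fi
```

The demo prints the first sample pod as VULNERABLE and the second as FIXED. Run with `--cluster` against each cluster you operate, and treat a `latest` result as a prompt to pin the image to a fixed version rather than as a pass.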
Attack Vector
Any unauthenticated attacker with network access to a pod running the Ingress NGINX Controller, in particular its admission controller component.
Attack Feasibility
Though these vulnerabilities are not known to be exploited at the moment, the security researchers who discovered them have demonstrated a working attack, so a public exploit could become available very shortly. As such, patching should be prioritized.
Mitigation
If immediate patching is not an option, the vendor recommends the following steps:
- Disable the admission controller component of Ingress-NGINX until you are able to patch
- Configure network policies to only allow access to the admission controller from the Kubernetes API Server
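The two interim steps above as added example shell functions (not the vendor's code). Resource names follow ingress-nginx's default manifests and Helm chart (`ingress-nginx` namespace and release, `ingress-nginx-admission` webhook configuration, the `controller.admissionWebhooks.enabled` chart value, controller labels `app.kubernetes.io/name=ingress-nginx` and `app.kubernetes.io/component=controller`, webhook port 8443); all of these are assumptions to check against your own deployment. The NetworkPolicy keeps pod ports 80 and 443 open, because a selector-only policy would otherwise cut off all ingress traffic, and admits the webhook port only from the API server's addresses. Where the API server reaches webhooks from varies by platform (node IPs, a managed control-plane range), so confirm the CIDRs before applying, and remember that a NetworkPolicy only does anything if your CNI enforces it.

```shell
#!/bin/sh
# Added example (not the vendor's code): the advisory's interim mitigations as
# shell functions. Names follow ingress-nginx's default manifests and Helm
# chart (assumption; verify against your deployment before use).

# Option 1a: Helm-managed installs. Turns the admission webhook off by chart
# value (assumes release "ingress-nginx" from the upstream chart repo alias).
disable_admission_webhook_helm() {
    ns="${1:-ingress-nginx}"
    helm upgrade ingress-nginx ingress-nginx/ingress-nginx -n "$ns" \
        --reuse-values --set controller.admissionWebhooks.enabled=false
}

# Option 1b: manifest installs. Stops the API server calling the webhook.
# The controller container still listens on the webhook port until the
# --validating-webhook argument is removed from its Deployment/DaemonSet args
# (edit with kubectl edit; the args layout is deployment specific), so pair
# this with the network policy below.
disable_admission_webhook_manifest() {
    kubectl delete validatingwebhookconfiguration ingress-nginx-admission
}

# apiserver_ips: addresses behind the "kubernetes" Service in the default
# namespace. Assumption: webhook calls originate from these addresses; on
# managed platforms they may come from elsewhere, so confirm for your cluster.
apiserver_ips() {
    kubectl get endpoints kubernetes -n default \
        -o jsonpath='{.subsets[*].addresses[*].ip}'
}

# admission_network_policy NAMESPACE CIDR... : prints a NetworkPolicy that
# leaves HTTP/HTTPS (pod ports 80/443) open and admits the webhook port 8443
# only from the given CIDRs. Add any other ports your deployment exposes
# (for example a metrics port) to the first rule.
admission_network_policy() {
    ns="$1"; shift
    [ $# -gt 0 ] || { echo 'usage: admission_network_policy NAMESPACE CIDR...' >&2; return 1; }
    cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-nginx-admission-apiserver-only
  namespace: $ns
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/component: controller
  policyTypes:
  - Ingress
  ingress:
  - ports:
    - protocol: TCP
      port: 80
    - protocol: TCP
      port: 443
  - from:
EOF
    for cidr in "$@"; do
        printf '    - ipBlock:\n        cidr: %s\n' "$cidr"
    done
    cat <<EOF
    ports:
    - protocol: TCP
      port: 8443
EOF
}

# apply_admission_network_policy [NAMESPACE]: builds /32 entries from the
# API server endpoints and applies the policy.
apply_admission_network_policy() {
    ns="${1:-ingress-nginx}"
    cidrs=""
    for ip in $(apiserver_ips); do cidrs="$cidrs $ip/32"; done
    [ -n "$cidrs" ] || { echo 'no API server endpoints found' >&2; return 1; }
    admission_network_policy "$ns" $cidrs | kubectl apply -f -
}

# Usage: sh mitigate.sh print [NAMESPACE] CIDR  |  apply [NAMESPACE]  |  disable-helm [NAMESPACE]
case "${1:-}" in
    print)        admission_network_policy "${2:-ingress-nginx}" "${3:-}" ;;
    apply)        apply_admission_network_policy "${2:-ingress-nginx}" ;;
    disable-helm) disable_admission_webhook_helm "${2:-ingress-nginx}" ;;
esac
```

Use `print` with a known CIDR first and inspect the manifest (for example, check that the first rule lists every port the controller pod serves) before `apply`, and after applying confirm that ordinary ingress traffic still flows and that creating a test Ingress object still succeeds, which shows the API server can still reach the webhook.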
Remediation
Update to a fixed version as identified in the security advisories.
Other Resources
Kubernetes – Vendor post, includes details on determining whether your clusters are impacted
Wiz – third-party security vendor, includes deep dive into potential exploit techniques