Unauthenticated Remote Code Execution Vulnerability in Ingress NGINX Controller Puts Thousands of Clusters at Risk

TL;DR

A set of critical vulnerabilities in the Ingress NGINX Controller for Kubernetes allows unauthenticated remote code execution, putting over 6,500 clusters at risk. The vulnerabilities, identified as CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974, expose the component to the public internet.

Critical Vulnerabilities in Ingress NGINX Controller

Recently, a set of five critical security vulnerabilities were disclosed in the Ingress NGINX Controller for Kubernetes. These flaws could lead to unauthenticated remote code execution (RCE), putting over 6,500 clusters at immediate risk by exposing the component to the public internet. The vulnerabilities are identified as:

• CVE-2025-24513
• CVE-2025-24514
• CVE-2025-1097
• CVE-2025-1098
• CVE-2025-1974

These vulnerabilities have been assigned a CVSS score of 9.8, indicating a high level of severity.

Impact and Mitigation

The identified vulnerabilities allow attackers to execute arbitrary code without authentication, posing a significant threat to affected clusters. Organizations using the Ingress NGINX Controller are urged to apply the necessary patches and updates to mitigate these risks.

For more details, visit the full article: source

Conclusion

The discovery of these critical vulnerabilities underscores the importance of regular security audits and timely updates. Organizations must remain vigilant and proactive in securing their Kubernetes environments to protect against such threats.

Additional Resources

For further insights, check:

• Kubernetes Security Best Practices
• NGINX Ingress Controller Documentation