Unauthenticated Remote Code Execution Vulnerability in Ingress NGINX Controller Puts Thousands of Clusters at Risk
Learn about the critical security vulnerabilities in the Ingress NGINX Controller for Kubernetes that allow unauthenticated remote code execution, affecting over 6,500 clusters. Stay informed on how to protect your systems.
TL;DR
Five vulnerabilities in the Ingress NGINX Controller for Kubernetes (CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098 and CVE-2025-1974) can be chained into unauthenticated remote code execution inside the controller pod. The entry point is the controller's validating admission webhook, which accepts requests over the network without authentication; more than 6,500 clusters expose that webhook to the public internet and are at immediate risk. Fixed releases are v1.12.1 and v1.11.5.
Critical Vulnerabilities in Ingress NGINX Controller
Recently, a set of five security vulnerabilities, collectively dubbed IngressNightmare, were disclosed in the Ingress NGINX Controller for Kubernetes (the Kubernetes community project ingress-nginx, not the NGINX Inc. controller). Chained together they lead to unauthenticated remote code execution (RCE) in the controller pod, and more than 6,500 clusters are at immediate risk because they expose the affected component, the controller's admission webhook, to the public internet. The vulnerabilities are:
- CVE-2025-24513: path traversal in the handling of the auth secret file path, usable for denial of service or limited disclosure of Secret data
- CVE-2025-24514: nginx configuration injection through the auth-url Ingress annotation
- CVE-2025-1097: nginx configuration injection through the auth-tls-match-cn Ingress annotation
- CVE-2025-1098: nginx configuration injection through the mirror-target and mirror-host Ingress annotations
- CVE-2025-1974: the admission controller processes unauthenticated requests, so injected configuration is executed without the attacker needing any Kubernetes credentials
The most severe of these, CVE-2025-1974, is rated CVSS 9.8 (critical); the three annotation-injection flaws are rated 8.8 and the path-traversal issue 4.8. The injection flaws matter because CVE-2025-1974 turns them into code execution: the admission controller renders the submitted Ingress object into an nginx configuration and test-loads it, so an injected directive runs inside the controller pod.
Impact and Mitigation
Anyone who can reach the controller's validating admission webhook (by default it accepts AdmissionReview requests over the pod network without authentication, and in the affected clusters it is reachable from the internet) can submit a crafted Ingress object and obtain code execution in the controller pod. Because the controller's service account can read Secrets across the cluster, compromising that pod commonly means compromising the whole cluster. Organizations using the Ingress NGINX Controller should upgrade to v1.12.1 or v1.11.5, which contain the fixes. Where an immediate upgrade is not possible, the project's guidance is to disable the admission webhook (Helm value controller.admissionWebhooks.enabled=false, or delete the ingress-nginx-admission ValidatingWebhookConfiguration and remove the --validating-webhook argument from the controller Deployment) and, in every case, to make sure the admission endpoint is reachable only from the Kubernetes API server and never from outside the cluster.
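A first-response check, written for this page as an added example and not taken from the original article or from the ingress-nginx project: a pure-shell function that classifies a controller image tag against the fixed releases v1.11.5 and v1.12.1 (runs offline), plus an optional kubectl audit that lists the running controller images, whether the admission webhook is still registered, and the Service types in the controller namespace. The audit assumes the Helm chart's defaults (namespace ingress-nginx, pods labelled app.kubernetes.io/name=ingress-nginx, webhook named ingress-nginx-admission); override the namespace with NS=... if yours differs. Tags that cannot be parsed as a plain major.minor.patch version, including pre-release suffixes, are reported as vulnerable on purpose.

```shell
#!/bin/sh
# Added example (not code from the original article or the ingress-nginx project).
# Assumptions: Helm-chart defaults for namespace, pod label and webhook name.
set -eu

# ingress_nginx_status TAG  ->  prints "fixed" or "vulnerable"
# Fixed: 1.12.1 and later, 1.11.5 and later within the 1.11 line, and any
# newer minor/major. Anything unparseable (e.g. "latest", "v1.12.1-rc1") is
# treated as vulnerable so the check errs on the side of caution.
ingress_nginx_status() {
    _ver=${1#v}                                   # drop a leading "v"
    _major=${_ver%%.*}
    case $_ver in *.*) _rest=${_ver#*.};; *) _rest=0;; esac
    _minor=${_rest%%.*}
    case $_rest in *.*) _patch=${_rest#*.};; *) _patch=0;; esac
    for _n in "$_major" "$_minor" "$_patch"; do   # every field must be digits only
        case $_n in ''|*[!0-9]*) echo vulnerable; return 0;; esac
    done
    if [ "$_major" -gt 1 ]; then
        echo fixed
    elif [ "$_major" -eq 1 ] && [ "$_minor" -ge 13 ]; then
        echo fixed
    elif [ "$_major" -eq 1 ] && [ "$_minor" -eq 12 ] && [ "$_patch" -ge 1 ]; then
        echo fixed
    elif [ "$_major" -eq 1 ] && [ "$_minor" -eq 11 ] && [ "$_patch" -ge 5 ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# audit_cluster: what a responder checks first on a live cluster.
#  1. status of every container image in the controller pods
#  2. whether the validating webhook is still registered (absent = disabled)
#  3. Service types in the namespace; anything other than ClusterIP in front
#     of the admission port means the webhook is reachable from outside
audit_cluster() {
    ns=${NS:-ingress-nginx}
    kubectl -n "$ns" get pods -l app.kubernetes.io/name=ingress-nginx \
        -o jsonpath='{range .items[*]}{range .spec.containers[*]}{.image}{"\n"}{end}{end}' |
    while read -r image; do
        [ -n "$image" ] || continue
        image=${image%@*}              # strip an "@sha256:..." digest
        tag=${image##*:}               # text after the last colon is the tag
        printf '%s -> %s\n' "$image" "$(ingress_nginx_status "$tag")"
    done
    kubectl get validatingwebhookconfiguration ingress-nginx-admission -o name 2>/dev/null ||
        echo "ingress-nginx-admission webhook not registered (admission webhook disabled)"
    kubectl -n "$ns" get svc \
        -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.type}{"\n"}{end}'
}

# Only talk to a cluster when explicitly asked: ./check.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_cluster
fi
```

Run it with --audit against a cluster, or source it and call ingress_nginx_status on tags pulled from your own inventory. A "fixed" image with the webhook still exposed beyond the API server is still a misconfiguration worth closing: the webhook was never meant to be reachable from outside the cluster.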
Conclusion
The discovery of these vulnerabilities underscores the importance of timely updates and of auditing which cluster components are reachable from outside: the admission webhook is an internal interface for the Kubernetes API server, and the 6,500 exposed clusters were at risk as much from that exposure as from the bugs themselves. Organizations must remain vigilant and proactive in securing their Kubernetes environments to protect against such threats.