‘IngressNightmare’ Vulnerabilities Are A Kubernetes Emergency: Wiz CTO
A series of ‘critical’ zero-day vulnerabilities can enable ‘full takeover’ of a Kubernetes cluster — and are ‘probably the most severe’ security issue to affect Kubernetes environments in recent years, Wiz CTO Ami Luttwak tells CRN.
A series of newly discovered critical vulnerabilities can easily enable “full takeover” of certain Kubernetes clusters and may represent the most serious security issue to affect Kubernetes environments in recent years — suggesting that patching should be given high priority, Wiz Co-Founder and CTO Ami Luttwak told CRN.
The zero-day vulnerabilities impact the Ingress NGINX Controller for Kubernetes, a widely used open-source tool for managing external access to services for Kubernetes applications. The critical flaws were discovered by researchers at cloud and AI security vendor Wiz — who have dubbed the issue “IngressNightmare” — and the vulnerabilities were disclosed Monday as part of a coordinated public disclosure.
“IngressNightmare” can enable remote execution of code without authentication, putting the flaws into the same category as the widely exploited Log4Shell flaw, a vulnerability that affected Apache Log4j logging software and was disclosed in late 2021.
Due to a variety of factors that raise the likelihood of exploitation, the “IngressNightmare” vulnerabilities are “probably the most severe in recent years” to impact Kubernetes environments, Luttwak said. “IngressNightmare” has been assigned a severity rating of 9.8 out of 10.0, according to Wiz.
Exploitation of the vulnerabilities can allow an attacker to gain the full privileges held by a Kubernetes administrator, which is a “coveted goal for an attacker,” Luttwak said.
“If you take over the entire cluster, you can infect all of the workloads within the cluster. And that also means maybe [you can] infect all of the users of the cluster,” he said. “You can also get access to all of the secrets, which means that usually you can get access to all of the code of the customer.”
Additionally, an attacker in this position would be able to “get access to very sensitive secrets that allow access to other systems” and also potentially “touch any piece of sensitive data in the organization,” Luttwak said, leading to a strong potential for sensitive data exposure and theft.
The bottom line, he said, is that “taking over a [Kubernetes] cluster usually means you can take over the entire environment.”
“IngressNightmare” consists of four CVEs (Common Vulnerabilities and Exposures) — three injection vulnerabilities (tracked as CVE-2025-1097, CVE-2025-1098 and CVE-2025-24514) and a privilege-escalation flaw (tracked as CVE-2025-1974).
However, an attacker only needs to utilize one of the injection vulnerabilities along with the privilege-escalation flaw in order to exploit the “IngressNightmare” issue, according to Nir Ohfeld, head of vulnerability research at Wiz.
And once an attacker gains a foothold in the Kubernetes cluster, further exploitation is not difficult, Ohfeld said.
In fact, the vulnerabilities appear to be “unprecedented” in terms of how easily an attacker can exploit them to become a Kubernetes administrator within the system, he said.
Patches are now available, but remediation may also be time-consuming, according to Ohfeld.
IT teams “have to manually go to each Kubernetes cluster that they have in their environment — and there could be hundreds or thousands of Kubernetes clusters — and one-by-one, update the Ingress NGINX component to the latest version,” he said. “And for large environments, it can take a lot of time. So a lot of work needs to be done after this vulnerability becomes public.”
The organizations that are at the highest risk are those that have vulnerable admission controllers in the Ingress NGINX Controller for Kubernetes that are exposed to the internet, Luttwak noted. Wiz research found that this applies to more than 6,500 Kubernetes clusters — representing about 43 percent of all cloud environments — which are thus vulnerable to “IngressNightmare.”
However, “even if you don't have public exposure, it is crucial to fix the vulnerability,” Luttwak said. “Anything that uses Kubernetes clusters should immediately find if they use Ingress NGINX and update — because this breaks all of the isolation mechanisms in Kubernetes.”
Wiz, which last week announced an agreement to be acquired by Google for $32 billion, has a track record for discovering significant cloud vulnerabilities going back through much of its five-year history as a company.
Notable discoveries by Wiz researchers have included the “OMIGOD” vulnerabilities of 2021, which impacted Microsoft’s Open Management Infrastructure (OMI) and saw widespread exploitation, as well as 2021’s “ChaosDB” flaw, which affected Microsoft’s Cosmos DB service and was fixed before a potentially massive cloud compromise could occur.
