Threat Signal Report

Kubernetes Ingress-nginx Controller RCE

What is the Vulnerability?	On March 24, researchers disclosed a set of five vulnerabilities, collectively known as "IngressNightmare,” affecting Ingress-nginx, one of the popular ingress controllers available for Kubernetes. Using Ingress-NGINX is one of the most common methods for exposing Kubernetes applications externally. CVE-2025-1974 is considered the most serious of the five and has been assigned a CVSS score of 9.8 (critical). When chained with one of the lower severity vulnerabilities, it allows for unauthenticated remote code execution. This exploitation could result in the exposure of sensitive information that the controller can access. Consequently, unauthenticated attackers have the potential to compromise the system by executing unauthorized code.
What is the recommended Mitigation?	Kubernetes has responded publicly to the disclosure of CVE-2025-1974, encouraging users to install patches released by the Ingress-nginx team that remediates CVE-2025-1974 including all five vulnerabilities listed: https://github.com/kubernetes/ingress-nginx/releases Upgrade ingress-nginx to v1.11.5, v1.12.1, or any later version. FortiGuard Labs recommends users to follow instructions and mitigation steps as mentioned on the vendor’s advisory: Ingress-nginx CVE-2025-1974: What You Need to Know \| Kubernetes First, determine if your clusters are using ingress-nginx. Affected Versions: < v1.11.0, v1.11.0 - 1.11.4 and v1.12.0 Enforce strict network policies so only the Kubernetes API Server can access the admission controller. Temporarily disable the admission controller component of Ingress-NGINX if you cannot upgrade right away.
What FortiGuard Coverage is available?	FortiGuard Labs has available IPS protection to detect and block any attack attempts targeting the CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, and CVE-2025-1974. Intrusion Prevention \| FortiGuard Labs Lacework FortiCNAPP has available Continuous Security and Posture Analysis: IngressNightmare: Understanding CVE‑2025‑1974 in Kubernetes Ingress-NGINX \| FortiGuard Labs -Behavior Anomaly Detection flags, such as unexplained container processes and suspicious user activities, aligning with CVE-2025-1974. -Posture analysis that detects high-risk Kubernetes settings, such as enabled snippet annotations, and identifies additional misconfigurations (e.g. privileged containers or open service ports). The FortiGuard Incident Response team can be engaged to help with any suspected compromise. FortiGuard Labs will provide updates as more information becomes available.