CrowdStrike is committed to protecting our customers from the latest disclosed vulnerabilities. We are actively monitoring activity surrounding “IngressNightmare,” the name given to recently identified vulnerabilities in the Kubernetes (K8s) ingress-nginx controller.
On March 24, 2025, security researchers disclosed several new vulnerabilities in ingress-nginx, a highly popular Kubernetes ingress controller used in many large Kubernetes deployments. Because an ingress controller exists to accept and handle incoming connections and traffic, it is inherently exposed and a prime target for exploitation.
In this blog, we discuss the significance of these vulnerabilities, how CrowdStrike protects its customers from adversaries attempting exploitation, and how this issue can be discovered within the CrowdStrike Falcon® platform.
Overview of IngressNightmare
IngressNightmare refers to a set of four vulnerabilities that can be exploited in an attack chain. The threat actor must first exploit one of these three vulnerabilities:
- CVE-2025-24514: ingress-nginx controller — configuration injection via unsanitized auth-url annotation (High)
- CVE-2025-1097: ingress-nginx controller — configuration injection via unsanitized auth-tls-match-cn annotation (High)
- CVE-2025-1098: ingress-nginx controller — configuration injection via unsanitized mirror annotations (High)
The initial exploit must then be chained with the fourth vulnerability:
CVE-2025-1974 is the most critical vulnerability (CVSS 9.8) and exists in the Kubernetes ingress-nginx admission controller. It allows arbitrary file upload and execution within the context of the ingress-nginx process, which runs under a service account with privileged access to all cluster secrets and to the cluster network. As a result, an attacker within the pod network could read all cluster secrets and move laterally within the cluster.
Impacted K8s Ingress-Nginx Controller
The following ingress-nginx controller versions are affected by these vulnerabilities:
- All versions prior to v1.11.0
- v1.11.0 – v1.11.4
- v1.12.0
Patching as soon as possible is highly recommended. Alternatively, removing the ValidatingWebhook can be used as a stopgap to break the exploit chain until a patched version can be deployed.
Are You Vulnerable?
Customers may leverage the following CrowdStrike Falcon® Next-Gen SIEM dashboard to gain visibility into their environment as it pertains to the outlined vulnerabilities:
CrowdStrike Falcon Next-Gen SIEM Dashboard
As outlined in Figure 1 below, this dashboard provides visibility into environments potentially vulnerable to the IngressNightmare vulnerability (CVE-2025-1974) affecting ingress-nginx. It monitors Linux hosts, Kubernetes clusters, and public cloud environments running a Falcon sensor to identify vulnerable versions and track remediation progress.
Security teams can use this dashboard to quickly assess exposure across their infrastructure, prioritize remediation, and verify that vulnerable controllers have been patched or replaced. The dashboard supports incident response by providing detailed information about affected systems and enabling targeted remediation actions.
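As an added example (not code from the CrowdStrike post), the affected-version list and the ValidatingWebhook stopgap described on this page turned into a check a defender can run offline against exported cluster state. It assumes JSON in the shape of `kubectl get deploy -A -o json` and `kubectl get validatingwebhookconfigurations -o json`, the upstream image name `ingress-nginx/controller`, and the upstream manifest's webhook name `ingress-nginx-admission`; the sample documents are constructed, not captured from a real cluster.

```python
import json
import re
from typing import Dict, Optional, Tuple

def parse_version(tag: str) -> Optional[Tuple[int, int, int]]:
    """Turn an image tag such as 'v1.11.3' or 'v1.12.0-beta.0' into (major, minor, patch)."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", tag)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None

def is_affected(tag: str) -> bool:
    """Affected ranges from the advisory: before v1.11.0, v1.11.0 through v1.11.4, and v1.12.0."""
    v = parse_version(tag)
    if v is None:
        return True  # untagged or unparseable image: treat as unpatched until verified by hand
    return v < (1, 11, 0) or (1, 11, 0) <= v <= (1, 11, 4) or v == (1, 12, 0)

def image_tag(image: str) -> str:
    """'registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:...' -> 'v1.11.2'."""
    last = image.split("@", 1)[0].rsplit("/", 1)[-1]  # drop digest, keep last path element
    return last.split(":", 1)[1] if ":" in last else ""

def assess_controllers(deploy_list_json: str) -> Dict[str, bool]:
    """Map 'namespace/image' -> affected for every ingress-nginx controller container."""
    findings = {}
    for item in json.loads(deploy_list_json).get("items", []):
        for c in item["spec"]["template"]["spec"]["containers"]:
            if "ingress-nginx/controller" in c["image"]:  # assumed upstream image name
                key = f'{item["metadata"]["namespace"]}/{c["image"]}'
                findings[key] = is_affected(image_tag(c["image"]))
    return findings

def admission_webhook_present(webhook_list_json: str) -> bool:
    """True while the ingress-nginx admission ValidatingWebhookConfiguration is still installed."""
    items = json.loads(webhook_list_json).get("items", [])
    return any("ingress-nginx-admission" in w["metadata"]["name"] for w in items)

# Constructed sample documents standing in for `kubectl get deploy -A -o json` and
# `kubectl get validatingwebhookconfigurations -o json`; not captured from a real cluster.
SAMPLE_DEPLOYMENTS = json.dumps({"items": [
    {"metadata": {"namespace": "ingress-nginx"}, "spec": {"template": {"spec": {"containers": [
        {"name": "controller", "image": "registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:0000"}]}}}},
    {"metadata": {"namespace": "edge"}, "spec": {"template": {"spec": {"containers": [
        {"name": "controller", "image": "registry.k8s.io/ingress-nginx/controller:v1.12.1"}]}}}}]})
SAMPLE_WEBHOOKS = json.dumps({"items": [{"metadata": {"name": "ingress-nginx-admission"}}]})

if __name__ == "__main__":
    for target, affected in assess_controllers(SAMPLE_DEPLOYMENTS).items():
        print(("AFFECTED " if affected else "patched  ") + target)
    print("admission webhook still installed:", admission_webhook_present(SAMPLE_WEBHOOKS))
```

A controller that reports as patched while the webhook is still present is the normal end state; a controller that reports as affected with the webhook present is the combination the stopgap on this page is meant to break.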
We would like to recognize Amit Serper, Travis Lowe, Tony Gore, Adrian Godoy, Mihai Vasilescu, Suraj Sahu, Pablo Ramos, Raj Jammalamadaka, Lacie Griffin, and Josh Grunzweig for their contributions in authoring this publication.