#ingressnightmare


After my last post analyzing the NGINX #IngressNightmare vulnerability, I’m excited to share a new addition to my Kubernetes Security: Advanced Exploitation series!

Inspired by the excellent research from the Wiz team on CVE-2025-1974, I’ve created a hands-on lab that walks you through exploiting this issue step by step. You can try it out here:
🔗 github.com/Alevsk/dvka/tree/ma

This lab offers a safe environment to:

1. Reproduce the vulnerability
2. Understand how the exploit works
👉 github.com/Alevsk/dvka/blob/ma
3. Generate your own indicators of compromise (IOCs)

It’s a great way to deepen your Kubernetes security knowledge and gain hands-on experience with real-world exploitation techniques. Have fun learning, and feel free to share any thoughts or questions!

'... series of unauthenticated ... [RCE] vulnerabilities in Ingress NGINX Controller for Kubernetes dubbed #IngressNightmare ...

'... about 43% of cloud environments are vulnerable to these vulnerabilities, with our research uncovering over 6,500 clusters, including Fortune 500 companies, that publicly expose vulnerable Kubernetes ingress controllers’ admission controllers to the public internet ...

'Using Ingress-NGINX is one of the most common methods for exposing Kubernetes applications externally.

'Our research shows that over 41% of internet-facing clusters are running Ingress-NGINX'.
wiz.io/blog/ingress-nginx-kube

wiz.io · Remote Code Execution Vulnerabilities in Ingress NGINX | Wiz Blog: Wiz Research uncovered RCE vulnerabilities (CVE-2025-1097, 1098, 24514, 1974) in Ingress NGINX for Kubernetes allowing cluster-wide secret access.

Attention all k8s people: There's an #IngressNightmare in progress.
> "Based on our analysis, about 43% of cloud environments are vulnerable to these vulnerabilities, with our research uncovering over 6,500 clusters, including Fortune 500 companies, that publicly expose vulnerable Kubernetes ingress controllers’ admission controllers to the public internet—putting them at immediate critical risk."
wiz.io/blog/ingress-nginx-kube


#IngressNightmare: Wiz Research uncovers a critical vulnerability in Ingress-NGINX 🚨

Wiz Research found a novel attack vector in one of Kubernetes's most fundamental projects, Ingress-NGINX, which is rated CVSS 9.8.

Why does this matter?
Ingress-NGINX is found in over 40% of cloud environments. If you're using this project, your infrastructure could be at risk.

🔑 What's at risk?
This vulnerability allows attackers to gain access to all secrets across all namespaces in a Kubernetes cluster — essentially enabling a cluster takeover.

🔒 What should you do?
A patch is available.
Upgrade to version v1.12.1 or v1.11.5 to protect your environment.

Wiz Research has worked closely with the Kubernetes maintainers over the last couple of months to mitigate this attack surface fully.

📝 For full technical details and a remediation guide, check out our blog:
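The post above names the fixed releases, v1.12.1 and v1.11.5. The script below is an added example and not code from Wiz or from the ingress-nginx project: it audits the controller image tags found in pod specs against those two releases. The pod data is constructed inline to mirror the `items` list of `kubectl get pods -A -o json`; the handling of release lines outside 1.11 and 1.12 (newer lines treated as fixed, older lines as unfixed) is an assumption of this example.

```python
"""Added example, not code from any post on this page: audit the
ingress-nginx controller image tags found in pod specs against the
patched releases named in the post above (v1.12.1 and v1.11.5)."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Patched releases per the post above, keyed by release line.
PATCHED = {(1, 12): (1, 12, 1), (1, 11): (1, 11, 5)}

# Assumption of this example: release lines newer than 1.12 shipped after
# the fix; lines older than 1.11 received no fix and are treated as unpatched.
NEWEST_PATCHED: Version = (1, 12, 1)

# Matches the ":v1.12.0" tag of an image reference, tolerating a trailing
# "-suffix" or "@sha256:..." digest after the tag.
_TAG_RE = re.compile(r":v?(\d+)\.(\d+)\.(\d+)(?:[-@].*)?$")


def parse_version(image: str) -> Optional[Version]:
    """Return (major, minor, patch) from a reference such as
    registry.k8s.io/ingress-nginx/controller:v1.12.0, or None when the
    reference is digest-only and the version cannot be read from it."""
    m = _TAG_RE.search(image)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(image: str) -> Optional[bool]:
    """True if the tag is at or above the fixed release for its line,
    False if below it, None if the version cannot be determined."""
    v = parse_version(image)
    if v is None:
        return None
    line = (v[0], v[1])
    if line in PATCHED:
        return v >= PATCHED[line]
    return v > NEWEST_PATCHED


def audit_pods(pods: List[dict]) -> List[str]:
    """Report every ingress-nginx controller container that is not
    confirmed patched. Returns one finding string per image."""
    findings = []
    for pod in pods:
        ns = pod["metadata"]["namespace"]
        name = pod["metadata"]["name"]
        for c in pod["spec"]["containers"]:
            image = c["image"]
            if "ingress-nginx/controller" not in image:
                continue  # only the controller image runs the admission webhook
            status = is_patched(image)
            if status is True:
                continue
            why = "unpatched" if status is False else "version unknown (digest-only reference)"
            findings.append(f"{ns}/{name}: {image}: {why}")
    return findings


# Constructed sample shaped like the items list of `kubectl get pods -A -o json`;
# the digests are placeholders.
SAMPLE_PODS = [
    {"metadata": {"namespace": "ingress-nginx", "name": "controller-a"},
     "spec": {"containers": [{"image": "registry.k8s.io/ingress-nginx/controller:v1.12.0"}]}},
    {"metadata": {"namespace": "ingress-nginx", "name": "controller-b"},
     "spec": {"containers": [{"image": "registry.k8s.io/ingress-nginx/controller:v1.11.5@sha256:0123"}]}},
    {"metadata": {"namespace": "ingress-nginx", "name": "controller-c"},
     "spec": {"containers": [{"image": "registry.k8s.io/ingress-nginx/controller@sha256:abcd"}]}},
    {"metadata": {"namespace": "default", "name": "web"},
     "spec": {"containers": [{"image": "nginx:1.25"}]}},
]

if __name__ == "__main__":
    for line in audit_pods(SAMPLE_PODS):
        print(line)
```

Digest-only references are reported separately rather than treated as safe: the version must then be confirmed from the registry or the running binary, because an unparseable tag is exactly the case a silent check would miss.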

Multiple CVEs tied to the admission controller component of Ingress NGINX Controller. In a nutshell, the problem is:

"[...] a vulnerability in this phase that allows injecting an arbitrary NGINX configuration remotely, by sending a malicious ingress object directly to the admission controller through the network."

"[...] Exploitation of these vulnerabilities leads to unauthorized access to all secrets stored across all namespaces in the Kubernetes cluster by attackers, which can result in cluster takeover. [...]"

writeup: wiz.io/blog/ingress-nginx-kube

Mitigation:

Patch or ... "Ensure the admission webhook endpoint is not exposed externally"

Nuclei Template for detection of admission controller: gist.github.com/nirohfeld/7a7c


I spent some time diving into the details of the recent NGINX (ingress-nginx) exploit publication — #IngressNightmare — and here’s a simplified breakdown I put together:

TL;DR:
This attack targets NGINX by tricking it into executing a malicious configuration that leverages dangerous directives (like ssl_engine) to take over the Kubernetes Pod and escalate privileges.

First things first, the attacker needs to be inside the Kubernetes perimeter and able to communicate with the ingress-nginx-controller Pod. This is more common than you’d think — many clusters are deployed without any network segmentation policies in place.

From there, the attack unfolds in two phases:
1. Upload a malicious module to the file system of the ingress-nginx-controller Pod.
2. Send a configuration to ingress-nginx that uses the ssl_engine directive to load that malicious module.

The brilliance of this attack lies in the details. Let me walk you through how it works:

In the first step, the attacker exploits a feature called Client Body Buffers. When an HTTP request exceeds 8KB, NGINX starts writing the body to disk instead of keeping it in memory. To ensure the malicious module is properly staged for the next step, the attacker sets a Content-Length header that leaves the server “waiting” for more data.

Then comes phase two: the attacker floods the ingress-nginx-controller with requests containing an AdmissionReview that includes a config using ssl_engine, pointing to the malicious module injected earlier (e.g., /proc/$PID/fd/$FD). Since the attacker doesn’t know the exact process ID or file descriptor, they brute-force it. But because containerized environments typically have very few processes, this brute-force step is trivial.

Once the attacker guesses the correct combination, NGINX loads the malicious module — and just like that, command execution is achieved.

From that point on, the attacker can use the container’s service account token to read secrets, access config files, move laterally, and ultimately take control of the entire cluster.

wiz.io/blog/ingress-nginx-kube

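The post above describes the loading step as an AdmissionReview carrying an ingress configuration that uses the ssl_engine directive. The script below is an added example, not code from any post in this thread or from the ingress-nginx project: it scans Ingress objects, either bare or wrapped in an admission.k8s.io/v1 AdmissionReview envelope, for annotation values containing that directive, so that stored admission requests or exported Ingress manifests can be checked for this indicator. The thread does not say which annotation keys the real exploit abused, so every annotation value is checked; the sample objects, annotation key and placeholder directive argument are constructed.

```python
"""Added example, not code from any post on this page: flag Ingress
objects whose annotation values carry the ssl_engine directive named in
the post above. Accepts bare Ingress objects or AdmissionReview envelopes."""
import json
import re
from typing import List

# Directive named in the thread. Extend the list with other NGINX
# directives you consider unsafe in tenant-supplied configuration.
SUSPICIOUS_DIRECTIVES = ["ssl_engine"]
_DIRECTIVE_RE = re.compile(
    r"\b(" + "|".join(map(re.escape, SUSPICIOUS_DIRECTIVES)) + r")\b")


def unwrap(obj: dict) -> dict:
    """Return the Ingress object whether given directly or as the
    request.object of an AdmissionReview (admission.k8s.io/v1 shape)."""
    if obj.get("kind") == "AdmissionReview":
        return obj["request"]["object"]
    return obj


def find_suspicious_annotations(obj: dict) -> List[dict]:
    """One hit per directive occurrence in any metadata.annotations value."""
    ingress = unwrap(obj)
    meta = ingress.get("metadata", {})
    hits = []
    for key, value in meta.get("annotations", {}).items():
        if not isinstance(value, str):
            continue
        for m in _DIRECTIVE_RE.finditer(value):
            hits.append({
                "namespace": meta.get("namespace", ""),
                "ingress": meta.get("name", ""),
                "annotation": key,
                "directive": m.group(1),
            })
    return hits


def scan_json_lines(lines: List[str]) -> List[dict]:
    """Scan a stored stream of one JSON object per line (for example an
    admission request log); lines that are not valid JSON are skipped."""
    hits = []
    for line in lines:
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        hits.extend(find_suspicious_annotations(obj))
    return hits


# Constructed samples. rewrite-target is a real ingress-nginx annotation;
# the "example-annotation" key and the directive argument are placeholders.
BENIGN = {
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"namespace": "shop", "name": "web",
                 "annotations": {"nginx.ingress.kubernetes.io/rewrite-target": "/"}},
}
REVIEW = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"uid": "constructed-0001", "object": {
        "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
        "metadata": {"namespace": "tenant-b", "name": "odd",
                     "annotations": {"nginx.ingress.kubernetes.io/example-annotation":
                                     "ssl_engine example-module"}}}},
}
SAMPLE_LINES = [json.dumps(BENIGN), "not json at all", json.dumps(REVIEW)]

if __name__ == "__main__":
    for hit in scan_json_lines(SAMPLE_LINES):
        print(hit)
```

The match is a word-boundary search rather than a full NGINX config parse, so it is a cheap indicator check: a hit says an Ingress object asked for a directive that has no place in a tenant annotation and deserves a look, not that exploitation succeeded.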