Microsoft Defender for Cloud Blog

Securing your organization from 'IngressNightmare' using Microsoft Security capabilities

shaharbahat (Microsoft)
Mar 27, 2025

 

Description

On March 24, 2025, four vulnerabilities were disclosed in ingress-nginx, a widely used Kubernetes Ingress controller: CVE-2025-1097 (CVSS 8.8), CVE-2025-1098 (8.8), CVE-2025-24514 (8.8) and CVE-2025-1974 (9.8). An Ingress controller accepts external HTTP/S traffic and routes it to services inside a Kubernetes cluster. The flaws sit in the controller's validating admission webhook, which checks incoming Ingress objects by rendering them into an nginx configuration; crafted input to that webhook can be turned into code execution. The most severe of the four, CVE-2025-1974, carries a CVSS score of 9.8. Exploitation of these vulnerabilities allows an attacker to execute arbitrary code within the ingress-nginx controller container.

Impact

Successful exploitation gives an attacker arbitrary code execution inside the ingress-nginx controller container. From there the attacker inherits the controller's service account, which can read Kubernetes Secrets cluster-wide, so TLS private keys, credentials and any other Secret stored in the cluster are potentially disclosed. Exploitation requires network access to the controller's admission webhook service, which by default is reachable only from inside the cluster network; an attacker therefore needs a foothold on the pod network (or a misconfiguration that exposes the webhook externally) to reach it.

Affected versions are all releases before v1.11.5, plus v1.12.0. To remediate, upgrade ingress-nginx to v1.11.5, v1.12.1 or any later release.

 

You can use the following command to check whether ingress-nginx is deployed in your cluster and which version each controller pod is running. It prints one line per pod with the namespace, pod name, the app.kubernetes.io/version label set by the official manifests and Helm chart, and the controller image; where the label is missing on a custom deployment, fall back to the image tag:

kubectl get pods -A -l app.kubernetes.io/name=ingress-nginx -o jsonpath='{range .items[*]}{.metadata.namespace}{"/"}{.metadata.name}{" version="}{.metadata.labels.app\.kubernetes\.io/version}{" image="}{.spec.containers[0].image}{"\n"}{end}'
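Reading the version strings by eye is error-prone when several controllers are deployed, because the affected set is not a simple "older than X": everything before v1.11.5 is vulnerable, v1.11.5 through v1.11.x is fixed, v1.12.0 is vulnerable again, and v1.12.1 onward is fixed. The following POSIX shell script is an added example, not part of the original post or of the ingress-nginx project: it classifies each controller pod against those boundaries. The function names (version_lt, ingress_nginx_verdict, triage_pods, triage_cluster) and the sample pod lines are constructed for illustration; the sample stands in for the "POD VERSION" pairs a kubectl jsonpath query would emit.

```sh
#!/bin/sh
# Added example: triage ingress-nginx controller versions for IngressNightmare
# (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974).
# Affected: every release before v1.11.5, plus v1.12.0. Fixed: v1.11.5+ and v1.12.1+.

# Normalise "v1.12.0-beta.0" style strings to three numeric fields: "1 12 0".
# A leading "v" and any pre-release/build suffix are dropped.
split_version() {
  printf '%s\n' "$1" \
    | sed -e 's/^v//' -e 's/[-+].*$//' \
    | awk -F. '{ printf "%d %d %d\n", $1, $2, $3 }'
}

# Exit 0 when version $1 is strictly lower than version $2 (numeric semver compare).
version_lt() {
  set -- $(split_version "$1") $(split_version "$2")
  # $1 $2 $3 = left major/minor/patch, $4 $5 $6 = right major/minor/patch
  [ "$1" -lt "$4" ] && return 0
  [ "$1" -gt "$4" ] && return 1
  [ "$2" -lt "$5" ] && return 0
  [ "$2" -gt "$5" ] && return 1
  [ "$3" -lt "$6" ]
}

# Print "vulnerable", "fixed" or "unknown" for one controller version string.
ingress_nginx_verdict() {
  if [ -z "$1" ]; then
    echo unknown              # no version label on the pod: check the image tag by hand
    return 0
  fi
  if version_lt "$1" 1.11.5; then
    echo vulnerable           # every release before the v1.11.5 fix
  elif version_lt "$1" 1.12.0; then
    echo fixed                # v1.11.5 up to the last v1.11.x
  elif version_lt "$1" 1.12.1; then
    echo vulnerable           # v1.12.0 itself (including its pre-releases)
  else
    echo fixed                # v1.12.1 and later
  fi
}

# Read "POD VERSION" lines from stdin and append a verdict to each.
triage_pods() {
  while read -r pod ver; do
    [ -n "$pod" ] || continue
    printf '%s %s %s\n' "$pod" "${ver:-<none>}" "$(ingress_nginx_verdict "$ver")"
  done
}

# Live use (not executed here; needs kubectl and cluster access): one line per pod,
# pod name followed by the app.kubernetes.io/version label, piped into the triage.
triage_cluster() {
  kubectl get pods -A -l app.kubernetes.io/name=ingress-nginx \
    -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.metadata.labels.app\.kubernetes\.io/version}{"\n"}{end}' \
    | triage_pods
}

# Constructed sample input standing in for real kubectl output: two vulnerable
# controllers, one patched one, and one pod with no version label at all.
SAMPLE_PODS='ingress-nginx-controller-7c6f8b9d4-x2k9q 1.11.4
ingress-nginx-controller-5d7b8c6f9-h3m2t 1.12.0
internal-ingress-controller-6b9d7f8c5-q1w2e v1.12.1
legacy-ingress-controller-8f9d6c7b5-z9x8c'

printf '%s\n' "$SAMPLE_PODS" | triage_pods
```

Pods that come back as "unknown" are not safe by default: the version label is absent on some custom deployments, so inspect the controller image tag (or the controller's own version banner) before deciding they are out of scope.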

 

Mapping the "IngressNightmare" in Your Organization

The first step in managing an incident is to map the affected software across your organization's assets.

Defender for Cloud, through its vulnerability management solution, provides vulnerability assessment across your workloads, including the container images running in your clusters.

 

Using Advanced Hunting

To map the presence of IngressNightmare in your environment, you can use the following KQL query in Advanced Hunting. It walks the exposure graph for "affecting" edges whose source is one of the four CVEs and returns the distinct target nodes (the affected container images), with their node ID, name and label so the result can be joined to workload and cluster data in further queries:

let cveIds = dynamic(["CVE-2025-1097", "CVE-2025-1098", "CVE-2025-24514", "CVE-2025-1974"]);
ExposureGraphEdges
| where EdgeLabel == "affecting"
| where SourceNodeName in (cveIds)
| distinct ImageNodeId = TargetNodeId, ImageName = TargetNodeName, ImageNodeLabel = TargetNodeLabel

 

Using Defender for Cloud Security Explorer

You can use the Cloud Security Explorer feature within Defender for Cloud to query your posture across Azure, AWS, GCP and code repositories. This allows you to investigate the specific CVEs, identify the affected assets and understand the associated risks.

We have created specific queries for these CVEs that give you an initial assessment of the threat they pose to your organization, with options for customization:

 

 

Recommendations for Mitigation and Best Practices

Mitigating the risk from these vulnerabilities requires a combination of proactive measures and real-time defenses. The definitive fix is to upgrade ingress-nginx to v1.11.5, v1.12.1 or later. If you cannot upgrade immediately, the upstream advisory's interim mitigation is to disable the controller's validating admission webhook, which removes the exposed code path: for Helm installations, set controller.admissionWebhooks.enabled=false; for manual installations, delete the ValidatingWebhookConfiguration named ingress-nginx-admission and remove the --validating-webhook argument from the controller Deployment or DaemonSet. Re-enable the webhook once you have upgraded, since without it invalid Ingress objects are no longer rejected at admission time. Beyond this incident, regularly update and patch all software to address known vulnerabilities, and use Defender for Cloud vulnerability management to monitor and enforce patch compliance.

Conclusion

By following these guidelines and using the integrated Microsoft Security products end to end, organizations can better prepare for, prevent and respond to attacks, and maintain a more secure and resilient environment. The process above gives a solid baseline for protecting your organization, but continual monitoring, updating and adapting to new threats remain essential for maintaining robust security.

 

Updated Apr 02, 2025
Version 3.0