Wiz Research discovered critical RCE vulnerabilities (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974) dubbed #IngressNightmare affecting the Ingress NGINX Controller for Kubernetes. These unauthenticated vulnerabilities can lead to cluster takeover by exploiting the admission controller component.

Technical Impact: IngressNightmare vulnerabilities allow attackers to inject arbitrary NGINX configuration via the admission controller, facilitating RCE through the `ssl_engine` directive, which can load malicious shared libraries.

Attack Vector: By sending specifically crafted Ingress objects to the unauthenticated admission controller endpoint, attackers can inject configuration directives that execute during the `nginx -t` validation process.

Exploitation Chain:
1. Upload a malicious shared library using NGINX's client body buffer functionality.
2. Exploit annotation parsing vulnerabilities to inject an `ssl_engine` directive referencing the uploaded library.
3. Gain pod access with elevated permissions to access secrets across all namespaces.

Detection Opportunities: Monitor for unexpected HTTP requests to the admission webhook endpoint, suspicious library loads, and abnormal admission review requests.

Affected Versions: All Ingress NGINX Controller versions prior to 1.11.5 and 1.12.1 are vulnerable.
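The "Affected Versions" statement is the one part of the advisory a defender can check mechanically across a fleet. The script below is an added example (not Wiz's or the ingress-nginx project's code): it walks a document shaped like `kubectl get deploy -A -o json`, picks out containers running the upstream `ingress-nginx/controller` image, and classifies each tag against the two fixed releases named above. It assumes the advisory's wording means the 1.11 line is fixed from 1.11.5 and the 1.12 line (and anything later) from 1.12.1; the `SAMPLE_DEPLOYMENTS` document is constructed for the demonstration, and digest-only image references are reported as `unknown` rather than guessed.

```python
"""Audit Ingress NGINX Controller image tags against the IngressNightmare fix versions.

Added example (not from the advisory). Assumption taken from the text above:
versions prior to 1.11.5 and 1.12.1 are vulnerable, so the 1.11 line is fixed
from 1.11.5 and the 1.12 line (and later lines) from 1.12.1.
Input is a constructed document in the shape of `kubectl get deploy -A -o json`.
"""
import re
from typing import Optional

# Upstream controller image path; extend this if you mirror the image under another name.
CONTROLLER_IMAGE_RE = re.compile(r"(^|/)ingress-nginx/controller(:|@|$)")
TAG_VERSION_RE = re.compile(r":v?(\d+)\.(\d+)\.(\d+)")


def parse_version(image: str) -> Optional[tuple]:
    """Return (major, minor, patch) from an image tag, or None for digest-only references."""
    m = TAG_VERSION_RE.search(image)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version: tuple) -> bool:
    """True if the version predates the fix for its release line (per the advisory text)."""
    if version < (1, 11, 5):                 # every release before 1.11.5
        return True
    if (1, 12, 0) <= version < (1, 12, 1):   # 1.12.0 only; 1.12.1 is fixed
        return True
    return False


def audit_deployments(doc: dict) -> list:
    """Return one finding per controller container: status is vulnerable, fixed or unknown."""
    findings = []
    for item in doc.get("items", []):
        meta = item["metadata"]
        for c in item["spec"]["template"]["spec"]["containers"]:
            image = c["image"]
            if not CONTROLLER_IMAGE_RE.search(image):
                continue  # not the ingress-nginx controller
            version = parse_version(image)
            if version is None:
                status = "unknown"  # digest-only reference: resolve the digest by hand
            elif is_vulnerable(version):
                status = "vulnerable"
            else:
                status = "fixed"
            findings.append({
                "namespace": meta["namespace"],
                "name": meta["name"],
                "image": image,
                "version": version,
                "status": status,
            })
    return findings


# Constructed sample: three controller deployments plus one unrelated workload.
SAMPLE_DEPLOYMENTS = {
    "items": [
        {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller"},
         "spec": {"template": {"spec": {"containers": [
             {"name": "controller",
              "image": "registry.k8s.io/ingress-nginx/controller:v1.11.4"}]}}}},
        {"metadata": {"namespace": "edge", "name": "ingress-nginx-controller"},
         "spec": {"template": {"spec": {"containers": [
             {"name": "controller",
              "image": "registry.k8s.io/ingress-nginx/controller:v1.12.1"}]}}}},
        {"metadata": {"namespace": "legacy", "name": "ingress-nginx-controller"},
         "spec": {"template": {"spec": {"containers": [
             {"name": "controller",
              "image": "registry.k8s.io/ingress-nginx/controller@sha256:" + "0" * 64}]}}}},
        {"metadata": {"namespace": "default", "name": "web"},
         "spec": {"template": {"spec": {"containers": [
             {"name": "web", "image": "nginx:1.27"}]}}}},
    ]
}

if __name__ == "__main__":
    for f in audit_deployments(SAMPLE_DEPLOYMENTS):
        print(f"{f['status']:10} {f['namespace']}/{f['name']}  {f['image']}")
```

Run it against real output by replacing `SAMPLE_DEPLOYMENTS` with `json.load()` of a `kubectl get deploy -A -o json` capture (DaemonSet-based installs need the same walk over `kubectl get ds`). Treat `unknown` as a work item, not a pass: a digest pin hides the version, so resolve it against the registry before closing the finding.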
Identifying Critical Kubernetes Vulnerabilities
Summary
Kubernetes vulnerabilities, like "IngressNightmare" and "Sys:All," pose serious risks by allowing attackers to exploit misconfigurations or loopholes, potentially compromising entire clusters. Identifying these issues is crucial to safeguarding sensitive data and ensuring secure operations.
- Update vulnerable components: Regularly update Kubernetes components, such as the Ingress NGINX Controller, to patch known vulnerabilities and minimize attack vectors.
- Review and restrict permissions: Limit access by implementing the principle of least privilege in role-based access control (RBAC) to prevent unauthorized activities and overprivileged accounts.
- Monitor suspicious activity: Set up robust monitoring to detect unusual requests, unauthorized library loads, and unexpected configuration changes in your Kubernetes clusters.
Principle of least privilege example.... 🔒 Critical Security Announcement: A loophole in Google Kubernetes Engine (GKE) dubbed Sys:All has been uncovered, posing a significant threat to Kubernetes clusters. This vulnerability allows threat actors with Google accounts to seize control, potentially leading to data breaches and malicious activities. With an estimated 250,000 active GKE clusters at risk, it's crucial for users to heed Google's response and security recommendations.

Just a few things to consider:

Misconception in system:authenticated Group: The vulnerability stems from a misconception that the system:authenticated group in GKE includes only verified and deterministic identities. In reality, it includes any Google authenticated account, even outside the organization.

Data Exposure and Trojanizing Container Images: The Sys:All vulnerability has led to the exposure of sensitive data, including JWT tokens, GCP API keys, AWS keys, Google OAuth credentials, private keys, and credentials to container registries. This information could be used to trojanize container images.

Security Recommendations: Google recommends users not to bind the system:authenticated group to any RBAC roles, assess whether clusters have unsafe bindings, and review and remove any unsafe bindings. Users are advised to ensure that the system:authenticated group is not overprivileged.

#devsecops #cybersecurity #productsecurity #supplychainsecurity
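The recommendation in the post above, "assess whether clusters have unsafe bindings", is a mechanical RBAC review. The script below is an added example (not the poster's code or Google's tooling): it scans a document shaped like `kubectl get clusterrolebindings,rolebindings -A -o json` and reports every binding whose subjects include `system:authenticated`. As a generalisation beyond the post it also flags `system:unauthenticated` and `system:anonymous`, which carry the same "everyone" semantics. `DEFAULT_BINDINGS` lists the bindings Kubernetes itself creates for these groups so they are not reported as findings; treat that list as an assumption to confirm against your own distribution. The `SAMPLE_BINDINGS` document is constructed for the demonstration.

```python
"""Find RBAC bindings that grant roles to broad built-in groups such as system:authenticated.

Added example, not part of the post or Google's own tooling. It implements the
recommendation above (do not bind system:authenticated to RBAC roles) and, as a
generalisation, also flags system:unauthenticated and system:anonymous.
DEFAULT_BINDINGS is an assumption about the bindings Kubernetes creates itself;
confirm it against your distribution. Input is a constructed document shaped like
`kubectl get clusterrolebindings,rolebindings -A -o json`.
"""
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated", "system:anonymous"}

# (binding kind, binding name) pairs Kubernetes creates by default for these groups.
DEFAULT_BINDINGS = {
    ("ClusterRoleBinding", "system:basic-user"),
    ("ClusterRoleBinding", "system:discovery"),
    ("ClusterRoleBinding", "system:public-info-viewer"),
}


def broad_subjects(binding: dict) -> list:
    """Return the names of broad built-in groups that a binding grants to."""
    return [s["name"] for s in binding.get("subjects") or []
            if s.get("kind") == "Group" and s.get("name") in BROAD_GROUPS]


def audit_bindings(doc: dict, ignore_defaults: bool = True) -> list:
    """Return one finding per binding that grants a role to a broad group."""
    findings = []
    for b in doc.get("items", []):
        kind = b["kind"]
        meta = b["metadata"]
        if ignore_defaults and (kind, meta["name"]) in DEFAULT_BINDINGS:
            continue  # expected default binding, not a misconfiguration
        groups = broad_subjects(b)
        if not groups:
            continue
        role = b["roleRef"]
        findings.append({
            "kind": kind,
            "namespace": meta.get("namespace"),  # None for a ClusterRoleBinding
            "name": meta["name"],
            "role": f"{role['kind']}/{role['name']}",
            "groups": groups,
            # A ClusterRoleBinding to a ClusterRole applies to every namespace.
            "cluster_wide": kind == "ClusterRoleBinding" and role["kind"] == "ClusterRole",
        })
    return findings


def _binding(kind, name, role_kind, role_name, subjects, namespace=None):
    """Build a minimal RBAC binding object for the constructed sample."""
    meta = {"name": name}
    if namespace:
        meta["namespace"] = namespace
    return {"kind": kind, "metadata": meta,
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": role_kind, "name": role_name},
            "subjects": subjects}


AUTHENTICATED = {"apiGroup": "rbac.authorization.k8s.io", "kind": "Group",
                 "name": "system:authenticated"}

# Constructed sample: two default bindings, two unsafe ones, one benign one.
SAMPLE_BINDINGS = {"items": [
    _binding("ClusterRoleBinding", "system:basic-user", "ClusterRole", "system:basic-user",
             [AUTHENTICATED]),
    _binding("ClusterRoleBinding", "system:discovery", "ClusterRole", "system:discovery",
             [AUTHENTICATED]),
    _binding("ClusterRoleBinding", "everyone-admin", "ClusterRole", "cluster-admin",
             [AUTHENTICATED]),
    _binding("RoleBinding", "secret-readers", "Role", "secret-reader",
             [AUTHENTICATED, {"kind": "User", "name": "alice@example.com"}], namespace="prod"),
    _binding("RoleBinding", "deployers", "Role", "deployer",
             [{"kind": "ServiceAccount", "name": "ci", "namespace": "ci"}], namespace="prod"),
]}

if __name__ == "__main__":
    for f in audit_bindings(SAMPLE_BINDINGS):
        scope = "CLUSTER-WIDE" if f["cluster_wide"] else f"namespace={f['namespace']}"
        print(f"{f['kind']} {f['name']}: {f['role']} -> {', '.join(f['groups'])} ({scope})")
```

Every finding is a binding to review and, per the post, remove or narrow to a specific group or service account. Pass `ignore_defaults=False` if you also want the built-in bindings listed, for example to confirm nobody has widened the roles they point at.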
A Necessary Wake-Up Call: Reflecting on #IngressNightmare and Security By Design

Today, I'm sharing our latest analysis on the critical ingress-nginx vulnerabilities (CVE-2025-1974) that have sent shockwaves through the Kubernetes community. With a CVSS score of 9.8, these vulnerabilities potentially expose thousands of production clusters to complete compromise. 🫨🫨🫨

While I commend the ingress-nginx team for their swift response with patches, this incident highlights something our CTO Emile Vauge has advocated for years: security cannot be bolted on as an afterthought—it must be architected from day one. The fundamental design decisions made when building cloud-native infrastructure have profound security implications that may not become apparent for years.

At Traefik Labs, we've seen how architectural choices made a decade ago—statically linked binaries, strongly typed parsing, and minimal network surface area—have proven critical in preventing similar vulnerabilities. This isn't about pointing fingers, but about learning collectively. As our industry matures, we must prioritize secure-by-design principles in everything we build.

Read our full analysis: https://lnkd.in/gVjH2dTH

What architectural choices are you making today that will determine your security posture tomorrow? And, do you have the right technology partners alongside to guide you on this journey?

#CloudNative #Kubernetes #CyberSecurity #IngressNightmare #SecurityByDesign