Ingress NGINX Controller Remote Code Execution (RCE) Scanner

Detects a Remote Code Execution (RCE) vulnerability in Ingress NGINX Controller affecting versions prior to 1.12.1, 1.11.5, and 1.10.7. Exploiting this vulnerability allows unauthorized access to Kubernetes cluster secrets and potential full cluster takeover.

Short Info

Level: Critical

Scan type: Single Scan

Can be used by: Asset Owner

Estimated Time: 10 seconds

Time Interval: 9 days 12 hours

Scan only one: URL

Ingress NGINX Controller is an essential component of Kubernetes environments, serving as a reverse proxy and load balancer to manage external access to services within a cluster. It enables the routing of HTTP and HTTPS traffic, making Kubernetes workloads accessible. Various organizations, including cloud service providers and enterprises, rely on it to efficiently manage ingress traffic and enforce security policies. The controller supports advanced configurations, including authentication, rate limiting, and load balancing. Given its pivotal role, security vulnerabilities in the Ingress NGINX Controller can have severe consequences. Proper configuration and regular updates are crucial for securing Kubernetes clusters using this controller.

The detected vulnerability in the Ingress NGINX Controller allows remote code execution (RCE) by exploiting flaws in its admission controller. Malicious actors can take advantage of misconfigurations and inject arbitrary NGINX configurations through crafted ingress objects. This vulnerability impacts Kubernetes clusters by exposing their admission controllers to unauthorized access. Attackers can use this flaw to execute arbitrary commands within the cluster. If exploited, it grants access to critical cluster secrets across all namespaces. The severity of this vulnerability necessitates immediate remediation to prevent cluster takeover.

The vulnerability primarily affects the admission controller component of the Ingress NGINX Controller. Attackers can remotely inject arbitrary NGINX configuration directives through malicious ingress objects. The flaw allows execution of arbitrary code by leveraging various annotations such as `auth-url`, `auth-tls-match-cn`, `mirror-target`, and `mirror-host`. By sending crafted AdmissionReview requests to the exposed controller, attackers can manipulate configurations, leading to RCE. The elevated privileges of the admission controller increase the impact, as it can access sensitive secrets within the cluster. The lack of authentication mechanisms further exacerbates the risk.
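A defensive triage check for the four annotations named above, added here as an example and not taken from the scanner or the ingress-nginx project: it reads Ingress objects in the JSON shape that `kubectl get ingress -A -o json` returns and flags annotation values containing characters that can end or open an NGINX directive. The character set is an assumed heuristic (a regex quantifier in `auth-tls-match-cn` can trigger it), and the sample objects are constructed.

```python
import re

# Annotations named on this page, under the standard ingress-nginx key prefix.
PREFIX = "nginx.ingress.kubernetes.io/"
WATCHED = ("auth-url", "auth-tls-match-cn", "mirror-target", "mirror-host")

# Assumed heuristic: characters that terminate a directive or open/close a
# block are not expected in a URL, host name or CN matcher.
SUSPICIOUS = re.compile(r"[;{}\r\n]")

# Constructed sample in the shape of `kubectl get ingress -A -o json` output.
SAMPLE = {
    "items": [
        {"metadata": {"namespace": "prod", "name": "api", "annotations": {
            PREFIX + "auth-url": "https://auth.example.internal/verify",
            PREFIX + "mirror-host": "mirror.example.internal"}}},
        {"metadata": {"namespace": "prod", "name": "shop", "annotations": {
            PREFIX + "auth-url":
                "https://auth.example.internal/verify\n<constructed extra line>;"}}},
        {"metadata": {"namespace": "dev", "name": "no-annotations"}},
    ]
}


def audit_ingresses(ingress_list):
    """Return (namespace, name, annotation, reason) for each flagged value."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}
        for short in WATCHED:
            value = annotations.get(PREFIX + short)
            if value is None:
                continue
            match = SUSPICIOUS.search(value)
            if match:
                findings.append((meta.get("namespace", "default"),
                                 meta.get("name", "?"), short,
                                 f"contains {match.group()!r}"))
    return findings


if __name__ == "__main__":
    for ns, name, annotation, reason in audit_ingresses(SAMPLE):
        print(f"{ns}/{name}: {annotation} {reason}")
```

A finding is a prompt to review the object and who created it; it does not replace upgrading the controller to a fixed release.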

Exploitation of this vulnerability can result in a complete cluster takeover. Attackers gaining unauthorized access to the Kubernetes cluster may retrieve and manipulate secrets from all namespaces. The compromise of critical workloads can lead to further lateral movement within an organization's infrastructure. Sensitive data such as API keys, tokens, and certificates can be exposed, leading to further security breaches. Additionally, attackers may deploy malicious pods or modify existing deployments to maintain persistence. The overall impact can be catastrophic, affecting the confidentiality, integrity, and availability of Kubernetes environments.
