
IngressNightmare: How Jed’s Active Validation Detects Critical Kubernetes Vulnerabilities in Real-Time


In modern cybersecurity, it is not enough to simply identify vulnerabilities; security teams must validate attack paths and assess real-world exploitability instead of dealing with endless alerts.

The recent discovery of the “IngressNightmare” vulnerabilities (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, and CVE-2025-1974) by Wiz researchers has sent shockwaves through the Kubernetes community. With a critical CVSS score of 9.8, these unauthenticated remote code execution vulnerabilities in Ingress NGINX present an immediate risk to thousands of production Kubernetes environments worldwide.

Jed Security’s Active Validation AI engine takes vulnerability detection a step further: it integrates directly with client environments to map potential attack paths, replicates the vulnerabilities and builds exploits in an emulated environment, and so provides an accurate picture of actual exposure.

In this blog, we will explore how Wiz discovered these critical vulnerabilities, the technical details behind IngressNightmare, and how Jed Security’s Active Validation Engine helps customers detect and validate these threats before they can be exploited.

Understanding IngressNightmare: What Wiz Discovered

In February 2025, Wiz security researchers identified a series of critical vulnerabilities in Ingress NGINX, the most widely used Kubernetes ingress controller. These vulnerabilities, collectively named “IngressNightmare,” allow attackers to execute arbitrary code on the Ingress NGINX pod without authentication.

The key findings from Wiz include:

  • Unauthenticated Access: The vulnerabilities allow attackers to send specially crafted HTTP requests that bypass authentication mechanisms.
  • Remote Code Execution: Successful exploitation leads to execution of arbitrary code within the Ingress NGINX pod.
  • Container Escape Potential: In some configurations, the vulnerabilities could be chained to enable container escape and lateral movement within the cluster.

The most concerning aspect is that these vulnerabilities affect the default configurations of Ingress NGINX, potentially impacting thousands of production Kubernetes environments that handle external traffic.

Technical Deep Dive: The Vulnerability Mechanics

Each of the four CVEs plays a role in enabling attackers to inject malicious NGINX directives and trigger remote code execution:

  • CVE-2025-1097: Auth-TLS-Match-CN injection flaw. This flaw allows attackers to inject arbitrary directives into NGINX configuration by exploiting improper input sanitization in the authentication mechanism.
  • CVE-2025-1098: Mirror UID injection through unquoted values. This vulnerability enables attackers to manipulate the mirror configuration to execute arbitrary code within the ingress controller.
  • CVE-2025-24514: Auth-URL annotation injection vulnerability. This flaw allows attackers to inject arbitrary NGINX directives through a weakness in the Ingress controller’s URL processing.
  • CVE-2025-1974: Critical RCE via abuse of NGINX’s ssl_engine directive during config validation. This vulnerability allows attackers to load malicious shared libraries, enabling remote code execution on the ingress controller.

Chained together, these vulnerabilities allow attackers to craft malicious Ingress resources that bypass validation, inject directives, and load attacker-controlled shared objects into the NGINX process, achieving unauthenticated RCE.
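The three annotation-injection CVEs above share one symptom a defender can look for: an annotation value that contains characters a legitimate URL or CN pattern never needs (a directive terminator, block delimiters, a comment marker or a line break). The scanner below is an added example written for this post, not Jed Security’s or ingress-nginx’s code; the annotation key names follow the ingress-nginx annotation reference, and tying mirror-target/mirror-host to the mirror UID flaw is this example’s assumption. It runs over a `kubectl get ingress -A -o json` style document, here a constructed sample.

```python
import json
import re

# Annotation keys the post names as directive-injection vectors. Key names follow
# the ingress-nginx annotation reference; mapping the mirror annotations to the
# mirror UID flaw is this example's assumption.
PREFIX = "nginx.ingress.kubernetes.io/"
WATCHED = {
    PREFIX + "auth-url": "CVE-2025-24514",
    PREFIX + "auth-tls-match-cn": "CVE-2025-1097",
    PREFIX + "mirror-target": "CVE-2025-1098",
    PREFIX + "mirror-host": "CVE-2025-1098",
}
# A benign value never needs a directive terminator, block delimiter, comment
# marker or line break; any of them suggests a break-out of the rendered directive.
SUSPICIOUS = re.compile(r"[;{}#\r\n]")


def scan_ingress(obj):
    """Return findings for one Ingress object (a dict parsed from JSON/YAML)."""
    meta = obj.get("metadata") or {}
    annotations = meta.get("annotations") or {}
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    findings = []
    for key, value in annotations.items():
        if key in WATCHED and SUSPICIOUS.search(str(value)):
            findings.append({"ingress": name, "annotation": key,
                             "cve": WATCHED[key], "value": value})
    return findings


def scan_ingress_list(doc):
    """Scan a List document, e.g. the output of `kubectl get ingress -A -o json`."""
    return [f for item in doc.get("items", []) for f in scan_ingress(item)]


# Constructed sample: one clean Ingress and one whose auth-url value carries a
# directive terminator and a line break (any payload body deliberately omitted).
SAMPLE = json.loads(r"""{
  "items": [
    {"metadata": {"namespace": "shop", "name": "web", "annotations": {
      "nginx.ingress.kubernetes.io/auth-url": "https://auth.internal/verify"}}},
    {"metadata": {"namespace": "shop", "name": "api", "annotations": {
      "nginx.ingress.kubernetes.io/auth-url": "https://auth.internal/verify;\n# ...",
      "nginx.ingress.kubernetes.io/proxy-body-size": "8m"}}}
  ]
}""")

if __name__ == "__main__":
    for finding in scan_ingress_list(SAMPLE):
        print(f"{finding['ingress']}: {finding['annotation']} ({finding['cve']})")
```

A hit means the object should be reviewed and the ingress-nginx controller's version checked; the scan does not replace patching, since CVE-2025-1974 is reached through the admission path rather than a stored Ingress object.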

Active Validation and Exploit Simulation

Detecting security vulnerabilities is only half the battle—understanding whether they are truly exploitable is where security teams gain real value. Many security tools flood teams with alerts about vulnerabilities like IngressNightmare, but without validation, these findings often lack the context needed to prioritize and respond effectively.

At Jed Security, our Active Validation Engine takes vulnerability detection a step further by simulating real-world exploitation scenarios in a safe and controlled manner. Rather than relying on theoretical risk scores and CVSS ratings, our system actively interacts with the vulnerable application to determine whether identified IngressNightmare vulnerabilities can actually be weaponized in your specific environment.

How It Works

  • Detection: The system first identifies potential IngressNightmare vulnerabilities across your Kubernetes infrastructure and attack surface.
  • Validation: Instead of assuming risk, the engine attempts to exploit the vulnerability in a non-destructive, read-only manner to confirm if it leads to a security breach in your specific environment.
  • Prioritization: By confirming exploitability, security teams can prioritize threats that pose real risks rather than chasing false positives.

With Jed Security’s Active Validation Engine, security teams can confidently separate low-risk theoretical threats from high-priority exploitable vulnerabilities, ensuring that remediation efforts focus on the risks that matter most.

Real World Example

Our active validation research confirms that in many real-world Kubernetes deployments, IngressNightmare vulnerabilities are exploitable without authentication. Once exploited, attackers gain access to the ingress controller pod, which often has permissions to read secrets from all namespaces — paving the way to a full cluster takeover.

Attack Path Simulation

The following diagram illustrates the attack path identified by Jed’s Active Validation process for IngressNightmare vulnerabilities:

[Diagram: Kubernetes Ingress Nightmare PoC attack path]

Proof-of-Concept (PoC) Exploit Code

Jed’s Active Validation Engine generated the following PoC to safely demonstrate IngressNightmare exploitation in a test environment:

Why Jed Security Stands Out

Jed Security combines vulnerability detection, validation, and exploit simulation. Our customers benefit from:

  • High-fidelity alerts with real exploit paths.
  • Elimination of false positives.
  • Validation of remediation effectiveness.
  • Proactive, attack-path driven defense.

Conclusion

IngressNightmare is a sobering example of how a single vulnerable component can threaten an entire Kubernetes cluster. Jed Security’s Active Validation ensures that your alerts are actionable, validated, and prioritized — empowering your teams to act swiftly on real threats.

Jed Security is a cloud-native CTEM platform that helps organizations efficiently identify, prioritize, and mitigate external threats, while streamlining operations and eliminating wasted time on irrelevant issues.

Reduce noise to threats. Reduce threats to action.