
Critical vulnerabilities in Ingress-NGINX Controller for Kubernetes

Release date
26 March 2025
Alert rating
Critical

Description

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) is aware of critical vulnerabilities affecting Ingress-NGINX Controller for Kubernetes. Customers should update to the latest patched version immediately.

Audience

  • Small & medium businesses
  • Organisations & Critical Infrastructure
  • Government

Current update

This alert is relevant to Australians who use Ingress-NGINX Controller for Kubernetes.

These vulnerabilities affect Ingress-NGINX Controller versions prior to:

  • Ingress-NGINX Controller version 1.12.1 and 1.11.5

This alert is intended to be understood by technical users. Customers are encouraged to patch to the latest version.

Background / What has happened?

  • Kubernetes maintainers have published an advisory detailing the following vulnerabilities in Ingress-NGINX Controller that could allow unauthenticated remote code execution and full cluster takeover:
    • CVE-2025-1097
    • CVE-2025-1098
    • CVE-2025-1974
    • CVE-2025-24513
    • CVE-2025-24514
  • Ingress-NGINX Controller enables configurable routing of external traffic to services within a Kubernetes cluster.
  • Exploitation of these vulnerabilities could allow an actor to execute arbitrary code, access all cluster secrets across namespaces, and potentially lead to complete cluster takeover.

Mitigation / How do I stay secure?

The ASD’s ACSC recommends businesses, organisations, and government entities:

  • Review the advice and monitor the guidance at the official Kubernetes maintainers’ Ingress-NGINX GitHub repository (Kubernetes – Ingress-NGINX Releases).
  • Update to the latest version of Ingress-NGINX Controller.
  • Ensure the admission webhook endpoint is not exposed externally.
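The two mitigations above can be checked from `kubectl` output. The script below is an added example written for this advisory; it is not code from the ACSC or the Kubernetes project. It takes the JSON produced by `kubectl get pods -A -o json` and `kubectl get services -A -o json`, flags any controller pod whose image tag is below 1.12.1 (or below 1.11.5 on the 1.11 branch), and lists any admission-webhook service that is reachable from outside the cluster (type NodePort or LoadBalancer, or with externalIPs set). The sample pod and service records embedded in the script are constructed for the example; the image digest is a placeholder. Treating branches newer than 1.12 as patched, and identifying the webhook service by the `-admission` name suffix used by the upstream manifests, are assumptions.

```python
import json
import re
import sys

# Fixed versions named in the advisory: 1.12.1 and 1.11.5. Anything below those
# on the 1.12 and 1.11 branches, and any older branch, is treated as unpatched.
# Assumption: branches newer than 1.12 were released with the fix included.
FIXED = {(1, 12): (1, 12, 1), (1, 11): (1, 11, 5)}

_VER_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from an image reference such as
    'registry.k8s.io/ingress-nginx/controller:v1.12.0', or None."""
    m = _VER_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_patched(version):
    """True if the version is at or above the fixed release for its branch."""
    v = parse_version(version) if isinstance(version, str) else version
    if v is None:
        return False
    branch = v[:2]
    if branch in FIXED:
        return v >= FIXED[branch]
    return branch > (1, 12)  # assumption: later branches carry the fix


def unpatched_controllers(pod_list):
    """Return [(namespace, pod, version)] for ingress-nginx controller pods
    running an unpatched image. pod_list is the dict form of
    `kubectl get pods -A -o json`."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod["metadata"]
        for c in pod["spec"]["containers"]:
            image = c["image"]
            if "ingress-nginx/controller" not in image:
                continue
            v = parse_version(image.split("@")[0])  # drop any digest suffix
            if v is None or not is_patched(v):
                label = ".".join(map(str, v)) if v else "unknown"
                findings.append((meta["namespace"], meta["name"], label))
    return findings


def exposed_admission_services(svc_list):
    """Return 'namespace/name' for admission-webhook services that are
    reachable from outside the cluster. svc_list is the dict form of
    `kubectl get services -A -o json`."""
    exposed = []
    for svc in svc_list.get("items", []):
        name = svc["metadata"]["name"]
        if not name.endswith("-admission"):  # assumption: upstream naming
            continue
        spec = svc["spec"]
        if spec.get("type") in ("NodePort", "LoadBalancer") or spec.get("externalIPs"):
            exposed.append(f'{svc["metadata"]["namespace"]}/{name}')
    return exposed


# Constructed sample records standing in for real kubectl output.
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-7d4c"},
     "spec": {"containers": [{"name": "controller",
              "image": "registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:PLACEHOLDER"}]}},
    {"metadata": {"namespace": "edge", "name": "ingress-nginx-controller-a1b2"},
     "spec": {"containers": [{"name": "controller",
              "image": "registry.k8s.io/ingress-nginx/controller:v1.12.1"}]}},
    {"metadata": {"namespace": "default", "name": "web-5f6"},
     "spec": {"containers": [{"name": "web", "image": "nginx:1.27"}]}},
]}
SAMPLE_SERVICES = {"items": [
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-admission"},
     "spec": {"type": "NodePort", "ports": [{"port": 443}]}},
    {"metadata": {"namespace": "edge", "name": "ingress-nginx-controller-admission"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 443}]}},
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 80}, {"port": 443}]}},
]}


if __name__ == "__main__":
    # Usage: python check.py pods.json services.json   (falls back to the samples)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            pods = json.load(f)
        with open(sys.argv[2]) as f:
            services = json.load(f)
    else:
        pods, services = SAMPLE_PODS, SAMPLE_SERVICES
    for ns, pod, ver in unpatched_controllers(pods):
        print(f"UNPATCHED  {ns}/{pod}  controller {ver}")
    for svc in exposed_admission_services(services):
        print(f"EXPOSED    admission webhook service {svc}")
```

On the sample data the script reports the 1.12.0 controller in `ingress-nginx` as unpatched and its admission service as exposed via NodePort; the `edge` namespace, on 1.12.1 with a ClusterIP webhook service, produces no findings. Exposure of the main controller service itself is expected and is not flagged; the check is specifically about the admission webhook.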

Further information and details can be found at:

Assistance / Where can I go for help?

Organisations or individuals that have been impacted or require assistance can contact us via 1300 CYBER1 (1300 292 371).
