Security Advisory: CVE-2025-1974 (IngressNightmare): Critical Unauthenticated ingress-nginx Admission Controller RCE

Article ID: 392179

Updated On: 03-27-2025

Products

DX Operational Observability

Issue/Introduction

In Kubernetes, the Ingress Controller's job is to accept the incoming traffic and route it to the relevant Kubernetes services. The Ingress NGINX Controller is one of the most popular Ingress Controllers available for Kubernetes and is based on the NGINX reverse proxy.  

According to the researchers at Wiz who discovered the flaws, these ingress-nginx vulnerabilities allow a remote, unauthenticated attacker to execute arbitrary commands in the affected environments and to take over the Kubernetes clusters. 

Three of the vulnerabilities — CVE-2025-24514 (CVSS score: 8.8), CVE-2025-1097 (CVSS score: 8.8), and CVE-2025-1098 (CVSS score: 8.8) — allow attackers to inject arbitrary NGINX configuration directives, including custom routing rules and security settings on affected systems. However, achieving RCE requires combining one of these flaws with CVE-2025-1974. This attack chain, dubbed IngressNightmare, carries a CVSS severity score of 9.8. 

Figure: Ingress nginx Kubernetes vulnerabilities

Resolution

DX O2 SaaS Environments (US and EU) 

Actions Taken: 

As part of the short-term approach, all the DX O2 SaaS environments are upgraded/patched with the following mitigation: 

  • Disabled the admission controller component of the Ingress-NGINX Controller by setting controller.admissionWebhooks.enabled=false. 

The admission webhook endpoint is not exposed externally in the DX O2 SaaS environments, so this change has no functional impact.

Actions Planned: 

  • Upgrade the DX O2 SaaS Ingress Controller to a version that is not impacted by these vulnerabilities.

DX O2 On-prem Environments:  

DX O2 is deployed on a Kubernetes cluster managed by the customer.  

There are no updates planned for the DX O2 On-premise environments, since none of the shipped components are impacted. The vulnerability does not affect the nginx (doi-nginx) microservice shipped with DX O2; it affects only ingress-nginx, which is part of the Kubernetes installation.

  • For customers on OpenShift/OKD, no action is required if HAProxy is used as the Ingress Controller (the default). However, if the Ingress Controller has been changed to Nginx Ingress, we recommend an update to the latest version, which addresses the vulnerability. Please reach out to Red Hat for additional guidance.
  • For customers on Kubernetes with Nginx Ingress Controller versions < v1.11.0, v1.11.0 - v1.11.4, or v1.12.0, we recommend an update to the latest version (v1.11.5 or v1.12.1), which addresses the vulnerability. For distributions other than open source Kubernetes, please reach out to the respective vendor for additional guidance.
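The version check in the bullet above and the short-term mitigation applied to the SaaS environments (disabling the admission webhook), as an added shell example that is not part of this Broadcom advisory. The affected ranges and fixed releases are taken from the advisory itself; the Helm release name, namespace, the chart alias ingress-nginx/ingress-nginx, the app.kubernetes.io/name=ingress-nginx pod label and the <release>-admission webhook name are assumptions about a standard Helm-based ingress-nginx install.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an ingress-nginx controller
# version against the affected ranges listed in the advisory
# (< v1.11.0, v1.11.0 - v1.11.4, v1.12.0; fixed in v1.11.5 / v1.12.1) and
# print the matching remediation. Cluster commands assume a Helm install.

# is_affected VERSION
#   exit 0 -> VERSION falls in an affected range
#   exit 1 -> VERSION is v1.11.5, v1.12.1 or later (not in the listed ranges)
#   exit 2 -> VERSION is not a parseable vX.Y.Z tag
is_affected() {
    v=${1#v}                                  # accept "v1.11.4" or "1.11.4"
    printf '%s\n' "$v" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' || return 2
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$major" -lt 1 ]; then return 0; fi   # 0.x releases predate v1.11.0
    if [ "$major" -gt 1 ]; then return 1; fi
    if [ "$minor" -lt 11 ]; then return 0; fi  # anything before v1.11.0
    if [ "$minor" -eq 11 ]; then
        [ "$patch" -le 4 ] && return 0 || return 1   # v1.11.0 - v1.11.4 affected
    fi
    if [ "$minor" -eq 12 ]; then
        [ "$patch" -eq 0 ] && return 0 || return 1   # only v1.12.0 affected
    fi
    return 1
}

# fixed_version VERSION -> the release the advisory names as the fix for that
# line; anything outside the 1.11 line is pointed at the later release.
fixed_version() {
    case "${1#v}" in
        1.11.*) echo v1.11.5 ;;
        *)      echo v1.12.1 ;;
    esac
}

# remediation VERSION -> one-line verdict for a single controller instance
remediation() {
    rc=0
    is_affected "$1" || rc=$?
    case $rc in
        0) echo "$1: affected, upgrade to $(fixed_version "$1")" ;;
        1) echo "$1: not in the advisory's affected ranges" ;;
        *) echo "$1: unrecognised version tag" ;;
    esac
}

# list_controller_versions -> image tags of every ingress-nginx controller pod.
# Assumes the upstream controller image and the Helm chart's pod label; needs
# cluster access, so it is not invoked in the demo below.
list_controller_versions() {
    kubectl get pods -A -l app.kubernetes.io/name=ingress-nginx \
        -o jsonpath='{range .items[*]}{.spec.containers[*].image}{"\n"}{end}' \
        | sed -n 's/.*controller:\(v[0-9][0-9.]*\).*/\1/p' | sort -u
}

# disable_admission_webhook RELEASE NAMESPACE -> the advisory's short-term
# mitigation applied through Helm (chart alias and webhook name assumed),
# followed by a check that the ValidatingWebhookConfiguration is gone.
disable_admission_webhook() {
    helm upgrade "$1" ingress-nginx/ingress-nginx -n "$2" --reuse-values \
        --set controller.admissionWebhooks.enabled=false
    if kubectl get validatingwebhookconfigurations "$1-admission" >/dev/null 2>&1; then
        echo "admission webhook $1-admission still present"
    else
        echo "admission webhook $1-admission removed"
    fi
}

# Demo on constructed tags (no cluster needed):
for tag in v1.10.1 v1.11.4 v1.11.5 v1.12.0 v1.12.1 latest; do
    remediation "$tag"
done
```

To run it against a real cluster, feed `list_controller_versions` into `remediation` (for example `list_controller_versions | while read -r t; do remediation "$t"; done`) and, for affected releases that cannot be upgraded immediately, call `disable_admission_webhook <release> <namespace>`; the webhook check at the end confirms the configuration object the admission controller registers is no longer present.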

Should you have any further questions or concerns, please open a case with Broadcom Support.

Additional Information

Related CVEs:  

CVE-2025-1097, CVE-2025-1098, CVE-2025-24514 

Products Affected: 

DX Operational Observability (DX O2) - SaaS 

DX Operational Observability (DX O2) - (On-Prem) 24.1, 24.2