Unauthenticated Remote Code Execution Vulnerabilities in Ingress NGINX and its impact on VIP Authentication Hub



Article ID: 392360


Updated On: 03-28-2025

Products

VIP Authentication Hub

Issue/Introduction

CVE-2025-1097, CVE-2025-1098, CVE-2025-24514 and CVE-2025-1974, a series of vulnerabilities in the Ingress NGINX Controller for Kubernetes dubbed #IngressNightmare, have been disclosed. CVE-2025-1974 allows unauthenticated remote code execution through the controller's admission webhook; the other three are configuration-injection issues in Ingress annotations that can be chained with it. Because the controller's service account can read Secrets in every namespace, successful exploitation gives the attacker access to all secrets stored across the cluster, which can result in cluster takeover.

VIP Authentication Hub requires an NGINX ingress, so customers should check the version they are running and either upgrade or adjust their configuration to mitigate these vulnerabilities.

Environment

VIP Authentication Hub 

Version: 3.3.x

Cause

Resolution

These vulnerabilities are fixed in Ingress NGINX Controller versions 1.12.1 and 1.11.5. It is strongly recommended that cluster admins:

  • Update to Ingress NGINX Controller 1.11.5, which is tested with VIP Authentication Hub. 1.12.1 is not yet certified with VIP Authentication Hub and is not recommended at this time.

  • Ensure the admission webhook endpoint is not reachable from outside the cluster, and keep in mind that CVE-2025-1974 needs no authentication, so anything that can reach the webhook over the pod network can use it. If you cannot upgrade immediately, disable the webhook as a stop-gap; Ingress objects are then no longer validated at admission time, so re-enable it once the controller is upgraded.

    • Command to check whether the webhook is enabled (look at the enabled: key directly under admissionWebhooks): helm get values <nginxReleaseName> -n <nginxNameSpace> -o yaml --all | grep -A25 admissionWebhooks

  • If it is not set to false, run the commands below. The --version value (4.11.2 here) should match the chart version already installed (helm list -n <nginxNameSpace> shows it) so that the upgrade changes only the webhook setting. Chart 4.11.2 ships controller 1.11.2, which is still vulnerable, so this mitigates but does not fix the issue until you move to 1.11.5 (chart 4.11.5).
    • helm get values <nginxReleaseName> -n <nginxNameSpace> -o yaml > ingress-override.yaml
    • helm upgrade <nginxReleaseName> -n <nginxNameSpace> ingress-nginx/ingress-nginx --version=4.11.2 -f ingress-override.yaml --set controller.admissionWebhooks.enabled=false
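The two checks above (is the controller on a fixed version, and is the admission webhook still enabled) can be scripted so they run the same way on every cluster. The script below is an added example, not part of this article or of the ingress-nginx project. It assumes the fixed versions are 1.11.5 on the 1.11 branch and 1.12.1 on the 1.12 branch, that the controller Deployment carries the chart's standard labels (app.kubernetes.io/name=ingress-nginx, app.kubernetes.io/component=controller), and it parses the YAML that helm get values --all prints with awk rather than requiring yq. The sample values block is constructed for the offline run; the --live branch is the same logic wired to kubectl and helm.

```shell
#!/bin/sh
# Added example, not from the Broadcom article or the ingress-nginx project:
# offline helpers for the two checks in the Resolution section (is the
# controller on a fixed version, and is the admission webhook enabled).
# Assumptions: the fixed versions are 1.11.5 on the 1.11 branch and 1.12.1
# on the 1.12 branch; older releases of either branch, and every 1.10 or
# earlier release, are treated as vulnerable.

# Extract the tag from a controller image reference, e.g.
# registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:... -> v1.11.2
version_from_image() {
  img=${1%%@*}            # drop a trailing digest, if present
  printf '%s\n' "${img##*:}"
}

# Return 0 when the controller version carries the IngressNightmare fix.
ingress_version_is_fixed() {
  v=$(printf '%s' "$1" | sed 's/^v//' | cut -d- -f1)
  major=$(printf '%s' "$v" | cut -d. -f1)
  minor=$(printf '%s' "$v" | cut -d. -f2)
  patch=$(printf '%s' "$v" | cut -d. -f3)
  case "$major.$minor" in
    1.11) [ "${patch:-0}" -ge 5 ] ;;
    1.12) [ "${patch:-0}" -ge 1 ] ;;
    *)    [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -gt 12 ]; } ;;
  esac
}

# Read `helm get values <release> -n <ns> -o yaml --all` on stdin and print
# the value of controller.admissionWebhooks.enabled. Only the key at indent 4
# counts, so certManager.enabled or patch.enabled (indent 6) do not match.
# The chart default is true, so that is printed when the key is absent.
webhook_enabled() {
  awk '
    function indent(s) { match(s, /^ */); return RLENGTH }
    /^[^ #]/ { in_ctrl = ($0 == "controller:"); in_adm = 0 }
    in_ctrl && indent($0) == 2 && $1 == "admissionWebhooks:" { in_adm = 1; next }
    in_ctrl && indent($0) == 2 { in_adm = 0 }
    in_adm && indent($0) == 4 && $1 == "enabled:" { print $2; found = 1; exit }
    END { if (!found) print "true" }
  '
}

# Combine both answers into a verdict; any webhook state other than "false"
# counts as enabled.
assess() {
  if ingress_version_is_fixed "$1"; then
    echo "fixed: controller $1 carries the fix"
  elif [ "$2" = "false" ]; then
    echo "mitigated: controller $1 is vulnerable but the admission webhook is disabled; still upgrade to 1.11.5"
  else
    echo "VULNERABLE: controller $1 with the admission webhook enabled"
  fi
}

# Constructed sample of what `helm get values --all` prints for a chart 4.11.2
# install with the webhook still on (the default).
SAMPLE_VALUES='controller:
  admissionWebhooks:
    certManager:
      enabled: false
    enabled: true
    patch:
      enabled: true
  image:
    tag: v1.11.2
'

# Live mode (not run by default): ./check.sh --live <nginxReleaseName> <nginxNameSpace>
if [ "${1:-}" = "--live" ]; then
  img=$(kubectl -n "$3" get deploy \
        -l app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/component=controller \
        -o jsonpath='{.items[0].spec.template.spec.containers[0].image}')
  hook=$(helm get values "$2" -n "$3" -o yaml --all | webhook_enabled)
  assess "$(version_from_image "$img")" "$hook"
else
  assess v1.11.2 "$(printf '%s' "$SAMPLE_VALUES" | webhook_enabled)"
fi
```

Run without arguments it evaluates the constructed sample and reports VULNERABLE (controller 1.11.2 with the webhook enabled); after the helm upgrade with controller.admissionWebhooks.enabled=false it reports "mitigated", and only a controller at 1.11.5 or later (or 1.12.1 or later) reports "fixed". The version check reads the running image tag rather than the Helm chart version, so it also catches a chart upgrade that pinned controller.image.tag to an old release.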

Additional Information

The VIP Authentication Hub documentation has been updated to reference the latest Ingress-Nginx version, which is not vulnerable:

Deploying Ingress Controller in VIP Auth Hub