
Ingress NGINX: Critical Unauthenticated Remote Code Execution Vulnerabilities

Tech Unplugged by Sublimetechie

Episode notes

Wiz Research disclosed a set of critical unauthenticated remote code execution (RCE) vulnerabilities, collectively named #IngressNightmare, affecting the Ingress NGINX Controller for Kubernetes. Exploiting them could allow an attacker to take complete control of a cluster, because the controller is privileged to read secrets across all namespaces. The vulnerabilities, tracked as CVE-2025-1097, CVE-2025-1098, CVE-2025-24514 and CVE-2025-1974, stem from two conditions: the admission controller is reachable over the network without authentication, and a crafted Ingress object can inject arbitrary NGINX configuration. The research details how these injections, delivered through the annotation parsers (including the mirror UID), are combined with a code execution flaw in the NGINX configuration-testing phase to achieve RCE by loading an arbitrary shared library. Patches are available in Ingres ...
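The summary above explains that the injection vector is annotation values that the controller renders into nginx.conf. One triage check a cluster operator can run while rolling out the patch is to scan existing Ingress objects for annotation values carrying NGINX configuration metacharacters. The script below is an added example written for these notes; it is not code from Wiz or from the ingress-nginx project. The set of metacharacters, the `nginx.ingress.kubernetes.io/` annotation prefix, the special handling of `*-snippet` annotations and the sample manifests are all assumptions made here for illustration, not details taken from the research.

```python
"""Triage scanner: flag ingress-nginx annotation values that look like
NGINX configuration injection attempts.

Added example for these episode notes; not Wiz or ingress-nginx code.
Assumptions (not from the page): the annotation prefix, the metacharacter
set and the sample objects below are all constructed for illustration.
"""
import json
import re
import sys
from typing import Iterable

ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"

# Tokens that carry meaning inside nginx.conf. A URL, hostname or CN pattern
# should never need a newline, a directive terminator (;) or a block
# delimiter ({ }); an annotation value containing one is worth a look.
INJECTION_PATTERN = re.compile(r"[;\r\n{}#]")


def suspicious_annotations(ingress: dict) -> list[tuple[str, str]]:
    """Return (annotation key, reason) pairs for values that merit review."""
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    findings = []
    for key, value in annotations.items():
        if not key.startswith(ANNOTATION_PREFIX) or not isinstance(value, str):
            continue
        # Snippet annotations are whole config fragments by design, so the
        # metacharacter test is meaningless for them; report their presence
        # instead, since their use should be gated at the controller.
        if key.endswith("-snippet"):
            findings.append((key, "snippet annotation present: whole-config "
                                  "injection by design, confirm it is allowed"))
            continue
        hits = INJECTION_PATTERN.findall(value)
        if hits:
            bad = ", ".join(sorted({repr(c) for c in hits}))
            findings.append((key, f"contains nginx metacharacters {bad}"))
    return findings


def scan(objects: Iterable[dict]) -> dict[str, list[tuple[str, str]]]:
    """Scan Ingress objects (e.g. items of `kubectl get ingress -A -o json`)."""
    report: dict[str, list[tuple[str, str]]] = {}
    for obj in objects:
        if obj.get("kind") != "Ingress":
            continue
        meta = obj.get("metadata", {})
        name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        findings = suspicious_annotations(obj)
        if findings:
            report[name] = findings
    return report


def scan_kubectl_json(text: str) -> dict[str, list[tuple[str, str]]]:
    """Accept the JSON list printed by kubectl and scan its items."""
    return scan(json.loads(text).get("items", []))


# Constructed sample objects; not captured from a real cluster.
SAMPLE_ITEMS = [
    {"kind": "Ingress",
     "metadata": {"namespace": "shop", "name": "web", "annotations": {
         ANNOTATION_PREFIX + "auth-url": "https://auth.example.com/verify",
         ANNOTATION_PREFIX + "rewrite-target": "/"}}},
    {"kind": "Ingress",
     "metadata": {"namespace": "staging", "name": "mirror", "annotations": {
         # Hypothetical hostile value: a newline and a terminator after the URL.
         ANNOTATION_PREFIX + "mirror-target":
             "https://m.example.com/;\ninjected_directive on;"}}},
    {"kind": "Ingress",
     "metadata": {"namespace": "ops", "name": "snippet", "annotations": {
         ANNOTATION_PREFIX + "configuration-snippet":
             'more_set_headers "X-Test: 1";'}}},
]

if __name__ == "__main__":
    source = sys.stdin.read() if not sys.stdin.isatty() else None
    report = scan_kubectl_json(source) if source else scan(SAMPLE_ITEMS)
    for obj_name, findings in report.items():
        for key, reason in findings:
            print(f"{obj_name}: {key}: {reason}")
```

Pipe `kubectl get ingress -A -o json` into the script to scan a live cluster; with no input it runs over the constructed samples. This is a triage aid only: it does not replace patching the controller or restricting network access to the admission webhook, and a value with no metacharacters is not proof that the object is benign.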

Keywords
WIZ