Kubernetes IngressNightmare: Wake Up and Fight Back with Microsegmentation

In the ever-evolving world of Kubernetes, vulnerabilities are bound to occur. Recently, a new set of critical vulnerabilities that affect the Kubernetes Ingress-NGINX controller has surfaced, which impacts a massive portion of cloud native environments and exposes them to unauthenticated remote code execution (RCE).

These vulnerabilities — CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, and CVE-2025-1974 — allow attackers to compromise Kubernetes workloads and potentially gain cluster-wide access. And with more than 40% of environments exposed, this is no niche issue.

But here’s the uncomfortable truth: Though the maintainers of Kubernetes have already released patches for these vulnerabilities, patching is not always immediate.

Kubernetes clusters can be running legacy applications, sensitive workloads, or they could be bound by change control processes that delay mitigation. In the interim, attackers can thrive in those windows of opportunity.

At Akamai, we believe security should not end at the perimeter. Modern attackers don’t stop at the first pod or node they compromise — they move laterally, escalate privileges, and go after the control plane, secrets, and high-value data.

That’s where microsegmentation comes in.

Ideally, even if an attacker makes it past the ingress controller, they should be met with a wall of segmentation that limits their movement and blocks escalation paths. Akamai helps our customers make that happen with real-time visibility, granular policy enforcement, and Zero Trust enforcement.

Attackers rely on stealth to access and expand within your IT ecosystem, but we can take that ability away from them.

• Akamai Guardicore Segmentation provides real-time traffic visualization, showing pod-to-pod, namespace-to-namespace, and service-to-service communication
  

• You’ll immediately see if unauthorized changes have been made to Ingress resources or if a compromised pod starts scanning the network

Think of it as your cluster's security radar, showing you what’s coming before it hits.

Most security tools just look at ingress and egress, but Akamai Guardicore Segmentation goes deeper by allowing you to control east-west traffic inside the cluster. With that level of granularity, security policies can then be created quickly to:

• Enforce namespace-level or workload-level segmentation
  

• Restrict which services can talk to one another — even within the same namespace
  

• Protect the Kubernetes control plane, API server, and etcd from internal threats

By using Akamai Guardicore Segmentation to create and enforce these policies, even if a pod becomes compromised via IngressNightmare, the threat cannot reach other sensitive workloads or APIs.

At Akamai, we believe a Zero Trust approach is the best way to secure Kubernetes deployments. And we believe that microsegmentation is the best way to implement those Zero Trust principles, such as:

• No pod should be able to talk to another pod by default just because it’s on the same network
  

• No namespace should reach external APIs unless explicitly allowed
  

• Strict verification of every connection should be enforced, based on identity, labels, and policy — not based on IP alone

By ensuring that only explicitly authorized connections are allowed, based on identity and intent — not network proximity — you can prevent a small vulnerability from turning into a full-blown security event.

We can’t stop vulnerabilities like IngressNightmare from being exploited. But we can help make sure that when the next one hits, your blast radius is near zero.

If you're running Kubernetes in production, this is your wake-up call. Now is the time to:

• Audit your east-west traffic
  

• Enforce microsegmentation around critical components
  

• Visualize ingress exposure points
  

• Stop lateral movement before it starts
  

Akamai is here to help you secure your clusters every step of the way.