On March 24th, researchers at Wiz Research discovered a series of unauthenticated Remote Code Execution vulnerabilities in the Ingress NGINX Controller for Kubernetes. The CVEs have been cataloged by NIST as:
- CVE-2025-1097
- CVE-2025-1098
- CVE-2025-24514
- CVE-2025-1974
Prior to public disclosure, the issue was fixed in Ingress NGINX Controller versions 1.12.1 and 1.11.5.
The vulnerability could allow attackers to gain unauthorized access to all secrets stored across all namespaces in the Kubernetes cluster, which could result in a cluster takeover.
Is this affecting Optimizely?
All Optimizely products and services have been reviewed by Product and Security Engineering. Exposed instances have subsequently been patched and updates pushed to production.
Should you have any questions or need further information, please do not hesitate to contact our support team at support@optimizely.com.