Security researchers are warning that a newly disclosed vulnerability affecting NGINX Plus and NGINX Open Source has already entered active exploitation.

The flaw, tracked as:

  • CVE-2026-42945
  • CVSS Score: 9.2

is a heap buffer overflow vulnerability within:

  • ngx_http_rewrite_module

affecting NGINX versions:

  • 0.6.27 through 1.30.0

According to researchers, the vulnerability has existed in the codebase since 2008.

Technical Details

The vulnerability allows attackers to send specially crafted HTTP requests capable of:

  • Crashing NGINX worker processes
  • Triggering denial-of-service (DoS)
  • Potentially achieving remote code execution (RCE)

However, successful RCE exploitation depends on several environmental conditions.

ASLR Dependency

Researchers note that reliable remote code execution generally requires:

  • Address Space Layout Randomization (ASLR) disabled

ASLR is enabled by default on most modern Linux distributions, making exploitation significantly more difficult in hardened environments.

Security researcher Kevin Beaumont stated:

“It relies on a specific NGINX config to be vulnerable, and for an attacker to know or discover the config to exploit it.”

Exploitation Already Observed

Threat intelligence company VulnCheck confirmed that attackers have already begun weaponizing the flaw.

The company observed exploitation attempts against its honeypot infrastructure shortly after public disclosure.

At this time:

  • The attackers’ objectives remain unclear
  • No public malware family has been linked
  • Exploit activity appears opportunistic

Administrators are strongly advised to apply patches released by:

  • F5
  • NGINX maintainers

as soon as possible.

openDCIM Vulnerabilities Also Under Attack

Researchers also disclosed active exploitation attempts targeting several critical vulnerabilities in:

  • openDCIM

an open-source data center infrastructure management platform.

The exploited flaws include:

CVE-2026-28515 — Missing Authorization

CVSS: 9.3

This vulnerability allows unauthorized access to LDAP configuration functionality due to insufficient authorization checks.

In Docker deployments using:

REMOTE_USER

without proper authentication enforcement, attackers may gain access without credentials.

Potential impacts include:

  • Unauthorized configuration modification
  • Privilege abuse
  • Expanded attack surface exposure

CVE-2026-28517 — Command Injection

CVSS: 9.3

A command injection flaw exists in:

report_network_map.php

The vulnerable component processes a parameter named:

dot

without sanitization before passing it directly into shell commands.

This enables attackers to execute arbitrary operating system commands remotely.

CVE-2026-28516 — SQL Injection

CVSS: 9.3

Researchers also identified an SQL injection vulnerability that can be chained with the other flaws.

According to VulnCheck researcher Valentin Lobstein:

  • The vulnerabilities can be chained in only five HTTP requests
  • Attackers can achieve full remote code execution
  • Reverse shells can be deployed rapidly

AI-Assisted Exploitation Activity

VulnCheck researchers reported that observed attacks originated from:

  • A Chinese IP address cluster

The activity reportedly leveraged a modified version of:

  • Vulnhuntr

an AI-assisted vulnerability discovery and exploitation tool.

The tooling was allegedly used to:

  • Identify vulnerable installations automatically
  • Validate exploitability
  • Deploy PHP web shells on compromised systems

Security Recommendations

Organizations running affected software should take immediate action.

NGINX Mitigation

  • Apply the latest NGINX and F5 security updates
  • Verify ASLR remains enabled
  • Audit exposed rewrite configurations
  • Monitor worker crashes and unusual HTTP payloads

openDCIM Mitigation

  • Patch all vulnerable openDCIM installations immediately
  • Restrict access to administrative endpoints
  • Disable exposed Docker authentication bypasses
  • Review web server logs for suspicious requests
  • Hunt for unauthorized PHP files and reverse shells

Conclusion

The rapid weaponization of CVE-2026-42945 demonstrates how quickly threat actors operationalize newly disclosed vulnerabilities, particularly when public technical details become available.

At the same time, active exploitation of chained openDCIM vulnerabilities highlights the increasing use of automated and AI-assisted offensive tooling in real-world attacks.

Organizations relying on internet-facing infrastructure management systems or exposed NGINX deployments should prioritize remediation immediately.