Security researchers are warning that a newly disclosed vulnerability affecting NGINX Plus and NGINX Open Source has already entered active exploitation.
The flaw, tracked as:
- CVE-2026-42945
- CVSS Score: 9.2
is a heap buffer overflow vulnerability within:
ngx_http_rewrite_module
affecting NGINX versions:
0.6.27through1.30.0
According to researchers, the vulnerability has existed in the codebase since 2008.
Technical Details
The vulnerability allows attackers to send specially crafted HTTP requests capable of:
- Crashing NGINX worker processes
- Triggering denial-of-service (DoS)
- Potentially achieving remote code execution (RCE)
However, successful RCE exploitation depends on several environmental conditions.
ASLR Dependency
Researchers note that reliable remote code execution generally requires:
- Address Space Layout Randomization (ASLR) disabled
ASLR is enabled by default on most modern Linux distributions, making exploitation significantly more difficult in hardened environments.
Security researcher Kevin Beaumont stated:
“It relies on a specific NGINX config to be vulnerable, and for an attacker to know or discover the config to exploit it.”
Exploitation Already Observed
Threat intelligence company VulnCheck confirmed that attackers have already begun weaponizing the flaw.
The company observed exploitation attempts against its honeypot infrastructure shortly after public disclosure.
At this time:
- The attackers’ objectives remain unclear
- No public malware family has been linked
- Exploit activity appears opportunistic
Administrators are strongly advised to apply patches released by:
- F5
- NGINX maintainers
as soon as possible.
openDCIM Vulnerabilities Also Under Attack
Researchers also disclosed active exploitation attempts targeting several critical vulnerabilities in:
- openDCIM
an open-source data center infrastructure management platform.
The exploited flaws include:
CVE-2026-28515 — Missing Authorization
CVSS: 9.3
This vulnerability allows unauthorized access to LDAP configuration functionality due to insufficient authorization checks.
In Docker deployments using:
REMOTE_USER
without proper authentication enforcement, attackers may gain access without credentials.
Potential impacts include:
- Unauthorized configuration modification
- Privilege abuse
- Expanded attack surface exposure
CVE-2026-28517 — Command Injection
CVSS: 9.3
A command injection flaw exists in:
report_network_map.php
The vulnerable component processes a parameter named:
dot
without sanitization before passing it directly into shell commands.
This enables attackers to execute arbitrary operating system commands remotely.
CVE-2026-28516 — SQL Injection
CVSS: 9.3
Researchers also identified an SQL injection vulnerability that can be chained with the other flaws.
According to VulnCheck researcher Valentin Lobstein:
- The vulnerabilities can be chained in only five HTTP requests
- Attackers can achieve full remote code execution
- Reverse shells can be deployed rapidly
AI-Assisted Exploitation Activity
VulnCheck researchers reported that observed attacks originated from:
- A Chinese IP address cluster
The activity reportedly leveraged a modified version of:
- Vulnhuntr
an AI-assisted vulnerability discovery and exploitation tool.
The tooling was allegedly used to:
- Identify vulnerable installations automatically
- Validate exploitability
- Deploy PHP web shells on compromised systems
Security Recommendations
Organizations running affected software should take immediate action.
NGINX Mitigation
- Apply the latest NGINX and F5 security updates
- Verify ASLR remains enabled
- Audit exposed rewrite configurations
- Monitor worker crashes and unusual HTTP payloads
openDCIM Mitigation
- Patch all vulnerable openDCIM installations immediately
- Restrict access to administrative endpoints
- Disable exposed Docker authentication bypasses
- Review web server logs for suspicious requests
- Hunt for unauthorized PHP files and reverse shells
Conclusion
The rapid weaponization of CVE-2026-42945 demonstrates how quickly threat actors operationalize newly disclosed vulnerabilities, particularly when public technical details become available.
At the same time, active exploitation of chained openDCIM vulnerabilities highlights the increasing use of automated and AI-assisted offensive tooling in real-world attacks.
Organizations relying on internet-facing infrastructure management systems or exposed NGINX deployments should prioritize remediation immediately.