NGINX CVE-2026-42945: An 18-Year-Old Heap Overflow Is Now Under Active Exploitation — Here Is What You Need to Know

A critical vulnerability that has lurked inside the NGINX codebase for nearly two decades has finally drawn the attention of attackers. Tracked as CVE-2026-42945, the flaw is a heap buffer overflow in the `ngx_http_rewrite_module` that affects every version of NGINX Open Source and NGINX Plus from 0.6.27 through 1.30.0. Assigned a CVSS score of 9.2, it now stands as one of the most severe NGINX vulnerabilities disclosed in years — and according to threat intelligence firm VulnCheck, exploitation attempts are already underway.

## The Vulnerability: What Exactly Is Broken

The bug resides in NGINX’s HTTP rewrite module, the component responsible for processing URL rewriting directives such as `rewrite`, `return`, and `if`. Researchers at depthfirst, an AI-native security company, traced the vulnerability’s origin back to 2008 — meaning it predates the public debut of many of the technologies that now sit behind NGINX reverse proxies.

At a technical level, the flaw is a classic heap buffer overflow. When a specially crafted HTTP request hits an NGINX server with a vulnerable rewrite configuration, the attacker can corrupt memory on the heap. In the simplest case, this causes NGINX worker processes to crash — a denial-of-service (DoS) scenario that takes the web server offline. In a more dangerous scenario, the memory corruption can be weaponized for remote code execution (RCE), allowing an unauthenticated attacker to run arbitrary commands on the target system.

There is, however, an important caveat. Reliable code execution depends on Address Space Layout Randomization (ASLR) being disabled on the target machine. ASLR, which randomizes memory addresses to thwart exploit development, is enabled by default on every modern Linux distribution — including AlmaLinux, Ubuntu, Debian, and RHEL derivatives. Security researcher Kevin Beaumont summarized the situation succinctly: the exploit “relies on a specific NGINX config to be vulnerable, and for an attacker to know or discover the config to exploit it. To reach RCE, also ASLR needs to have been disabled on the box.”

The AlmaLinux maintainers offered a similarly measured assessment, noting that “turning the heap overflow into reliable code execution is not trivial in the default configuration, and on systems with ASLR enabled, we do not expect a generic, reliable exploit to be easy to produce.” They also added a crucial qualifier: “‘Not easy’ is not ‘impossible,’ and the worker-crash DoS is exploitable enough on its own that we recommend treating this as urgent.”

That last point matters. Even if RCE requires a rare set of conditions, the DoS vector is trivial to trigger. A single malicious HTTP request can bring down worker processes, opening the door to sustained availability attacks against any vulnerable NGINX deployment.

## Active Exploitation in the Wild

On the surface, the ASLR requirement might make this vulnerability seem like a theoretical concern. VulnCheck’s telemetry says otherwise. The company’s honeypot network has detected live exploitation attempts in the wild, just days after public disclosure. The source of the attacks and their ultimate objectives remain unclear — the campaign is still active and under investigation — but the fact that threat actors have already operationalized the exploit changes the urgency calculation significantly.

The pattern fits a familiar playbook. When a high-impact vulnerability in a widely deployed piece of internet infrastructure is disclosed, attackers race to scan for and exploit vulnerable instances before patches are applied. NGINX powers roughly one-third of all websites globally, including some of the largest platforms on the internet. The sheer size of the attack surface makes this an attractive target for both opportunistic criminals and more sophisticated threat groups.

## A Broader Campaign: openDCIM Flaws Also Under Fire

The NGINX vulnerability is not the only target drawing attention. VulnCheck simultaneously reported active exploitation of two critical flaws in openDCIM, an open-source data center infrastructure management application. Both carry a CVSS score of 9.3:

– **CVE-2026-28515** — A missing authorization check that allows an authenticated user (or an unauthenticated user in certain Docker deployments where `REMOTE_USER` is set without enforcement) to access LDAP configuration functionality and modify application settings.

– **CVE-2026-28517** — An operating system command injection in the `report_network_map.php` component. The vulnerability processes a parameter called `dot` without sanitization and passes it directly to a shell command, enabling arbitrary code execution.

These two flaws, together with a companion SQL injection (CVE-2026-28516, also CVSS 9.3), can be chained to achieve remote code execution over just five HTTP requests and spawn a reverse shell. According to Caitlin Condon, vice president of security research at VulnCheck, the observed attack cluster originates from a single Chinese IP address using what appears to be a customized implementation of the AI vulnerability discovery tool Vulnhuntr to automatically identify vulnerable installations before dropping a PHP web shell.

The openDCIM campaign, while narrower in scope than the NGINX vulnerability, is notable for demonstrating how attackers are increasingly chaining multiple flaws together and automating discovery with AI-assisted tooling — compressing the window between vulnerability disclosure and mass exploitation.

## What Administrators Should Do Now

The remediation path is straightforward: **patch immediately**. F5, the company behind NGINX, has released fixes covering all affected versions. The specific patched versions depend on the distribution channel:

– **NGINX Open Source**: Upgrade to the latest stable release (1.30.1 or newer).
– **NGINX Plus**: Apply the update through the F5 customer portal.
– **Distribution-provided packages**: AlmaLinux, Debian, Ubuntu, RHEL, and other distributions have begun shipping backported fixes. Check your package manager for available updates.

For environments where immediate patching is not possible, several mitigations can reduce risk. First, **restrict access to NGINX servers** at the network level — the exploit requires an HTTP request to reach the vulnerable rewrite module, so limiting which IP addresses can connect to port 80/443 narrows the attack surface. Second, **audit NGINX configurations** for rewrite rules that process user-supplied input (e.g., `rewrite` directives that reference request variables). If a rewrite configuration is not strictly necessary, consider disabling it temporarily. Third, **enable and verify ASLR** on all systems; while this does not prevent the DoS vector, it makes reliable RCE exploitation dramatically harder.
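As an added example (not from the article, F5 or the NGINX project), a POSIX shell triage script that runs the checks this section describes on a Linux host: it compares the installed version with the affected range, flags rewrite-module directives that reference request variables in a constructed sample config, and reads ASLR state from the kernel sysctl. The 1.30.1 fixed version and the 0.6.27 lower bound are the article's; the request-variable list and the sample config are assumptions made here.

```shell
# Added triage script, not F5/NGINX code. Checks what the section above asks
# for: installed version against the affected range (0.6.27 through 1.30.0,
# fixed in 1.30.1), rewrite-module rules that consume request data, and ASLR.
set -e
# vkey VERSION: map a dotted version to one integer for comparison.
vkey() {
    IFS=. read -r maj min pat <<EOF
$1
EOF
    echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}
# version_lt A B: succeed when A is an older version than B.
version_lt() { [ "$(vkey "$1")" -lt "$(vkey "$2")" ]; }
# nginx_affected V: succeed when 0.6.27 <= V < 1.30.1.
nginx_affected() { ! version_lt "$1" 0.6.27 && version_lt "$1" 1.30.1; }
# aslr_status [FILE]: enabled/disabled/unknown from randomize_va_space (0 = off).
aslr_status() {
    v=$(cat "${1:-/proc/sys/kernel/randomize_va_space}" 2>/dev/null || echo unknown)
    case "$v" in 0) echo disabled ;; 1|2) echo enabled ;; *) echo unknown ;; esac
}
# risky_rewrites CONF: rewrite/return/if lines referencing a request-derived
# variable (assumed list), i.e. the rules the article says to audit first.
risky_rewrites() {
    grep -nE '^[[:space:]]*(rewrite|return|if)[[:space:]]' "$1" \
      | grep -E '\$(uri|request_uri|args|query_string|arg_|http_|cookie_)' || true
}
count_risky_rewrites() { risky_rewrites "$1" | wc -l | tr -d ' '; }

# Constructed sample config (not a real deployment): the static redirect is
# clean, the other three rules feed request data into the rewrite module.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
server {
    rewrite ^/old$ /new permanent;
    rewrite ^/api/(.*)$ /v2/$1?$args break;
    if ($http_x_forwarded_proto = "http") {
        return 301 https://$host$request_uri;
    }
}
EOF

# Host checks: installed binary version (if any), ASLR state, config audit.
ver=$(nginx -v 2>&1 | sed -n 's|^nginx version: nginx/\([0-9.]*\).*|\1|p')
if [ -z "$ver" ]; then echo "nginx not found; skipping version check"
elif nginx_affected "$ver"; then echo "nginx $ver is in the affected range: patch"
else echo "nginx $ver is outside the affected range"; fi
echo "ASLR: $(aslr_status)"
echo "rewrite-module lines using request variables: $(count_risky_rewrites "$SAMPLE_CONF")"
risky_rewrites "$SAMPLE_CONF"
```

Point `risky_rewrites` at the real `nginx -T` output (or the files under `/etc/nginx`) instead of the sample to audit a live host; every flagged line is one to review or remove until the package is updated.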

For openDCIM users, the advice is even clearer: if the application is internet-facing, take it offline until patches are applied. The exploit chain is reliable and provides attackers with a reverse shell — essentially full remote access to the underlying operating system.

## The Bigger Picture

CVE-2026-42945 is a reminder that age does not equal safety in software security. An 18-year-old bug, introduced in 2008 and only now discovered, lives inside one of the most trusted pieces of internet infrastructure ever built. It also highlights the accelerating tempo of exploit development: the gap between public disclosure and active in-the-wild exploitation is now measured in days, not weeks or months.

For defenders, the lesson is clear. Patch latency is a liability. The organizations that survive the next high-severity infrastructure vulnerability will be the ones that treat every critical CVE as an active threat — because increasingly, attackers already do.
