
NGINX Flaw CVE-2026-42945 Actively Exploited, Threatens Worker Crashes and RCE


"It relies on a specific NGINX config to be vulnerable, and for an attacker to know or discover the config to exploit it," security researcher Kevin Beaumont said.

CVE-2026-42945: heap buffer overflow in ngx_http_rewrite_module

A newly disclosed vulnerability, tracked as CVE-2026-42945 and assigned a CVSS score of 9.2, is a heap buffer overflow in the ngx_http_rewrite_module that affects NGINX Plus and NGINX Open. The flaw impacts NGINX versions 0.6.27 through 1.30.0. According to AI-native security company depthfirst, the vulnerability was introduced in 2008.

Successful exploitation can allow an unauthenticated attacker to crash worker processes or execute remote code with crafted HTTP requests. The possibility of remote code execution (RCE) is constrained by runtime protections: code execution is possible only on devices where Address Space Layout Randomization (ASLR) is turned off.

Exploit conditions: configuration knowledge and ASLR

Multiple observers emphasize that exploitation is not unconditional. Kevin Beaumont noted the exploit "relies on a specific NGINX config" and on an attacker discovering that configuration. The security advisory and reporting underline that RCE requires ASLR to be disabled — ASLR is explicitly described as "a safeguard against memory-based attacks."

AlmaLinux maintainers assessed that "turning the heap overflow into reliable code execution is not trivial in the default configuration, and on systems with ASLR enabled (which is the default on every supported AlmaLinux release), we do not expect a generic, reliable exploit to be easy to produce." They added a cautionary note: "That said, 'not easy' is not 'impossible,' and the worker-crash DoS is exploitable enough on its own that we recommend treating this as urgent."

VulnCheck: weaponization and honeypot detections

VulnCheck reported that threat actors have begun to weaponize CVE-2026-42945, with exploitation attempts detected against its honeypot networks. The nature of the attack activity and the end goals are presently unknown. VulnCheck's findings prompted the advisory point that "users are advised to apply the latest fixes from F5 to secure their networks against active threats."

openDCIM: two active exploits and a three-flaw chain to RCE

Concurrently, VulnCheck revealed exploitation efforts targeting two critical openDCIM vulnerabilities, both rated 9.3 on the CVSS scale:

  • CVE-2026-28515 — a missing authorization vulnerability that could allow an authenticated user to access LDAP configuration functionality regardless of their assigned privileges. In Docker deployments where REMOTE_USER is set without authentication enforcement, the endpoint may be reachable without credentials, allowing unauthorized modification of application configuration.
  • CVE-2026-28517 — an operating system command injection vulnerability in the "report_network_map.php" component that processes a parameter called "dot" without sanitization and passes it directly to a shell command, resulting in arbitrary code execution.
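The command-injection item above describes the bug class rather than the openDCIM code, so here is an added illustration (written for this page, not taken from the article or from the openDCIM project) of the general shape: a request parameter concatenated into a shell string, beside two hardened forms. The parameter name `dot` comes from the reporting; the `echo`-based command, the allow-list pattern and the function names are assumptions for illustration only.

```python
"""Added example: an untrusted HTTP parameter reaching a shell, and how to
prevent it. The command run here is a stand-in (echo) so the block executes
offline; the real openDCIM code is not reproduced."""
import re
import shlex
import subprocess


def build_command_unsafe(dot: str) -> str:
    """Vulnerable pattern: the raw request value is pasted into a shell string.

    Anything the shell treats specially inside `dot` becomes part of the
    command line. Returned as a string, never executed here."""
    return f"echo rendering {dot}"


def build_command_quoted(dot: str) -> str:
    """Mitigation 1 (when a shell string is unavoidable): shlex.quote wraps the
    value so the shell sees it as one literal word."""
    return f"echo rendering {shlex.quote(dot)}"


# Mitigation 2: validate against an allow-list that fits the data's real
# shape (assumed here: a short identifier), then pass an argv list.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def build_command_safe(dot: str) -> list[str]:
    if not SAFE_VALUE.fullmatch(dot):
        raise ValueError("rejected value for parameter 'dot'")
    return ["echo", "rendering", dot]


def render_map(dot: str) -> str:
    """Run the hardened command with shell=False: no shell parses the value,
    so metacharacters have no meaning even if validation were loosened."""
    proc = subprocess.run(build_command_safe(dot), capture_output=True,
                          text=True, check=True)
    return proc.stdout.strip()


if __name__ == "__main__":
    hostile = "rack1; id"  # constructed sample: a value carrying a shell separator
    print("unsafe :", build_command_unsafe(hostile))
    print("quoted :", build_command_quoted(hostile))
    print("safe   :", render_map("rack1"))
    try:
        render_map(hostile)
    except ValueError as exc:
        print("safe   : rejected ->", exc)
```

The allow-list is the part to get right in practice: it should describe what the parameter legitimately carries, and the argv form should be used even when validation exists, so the two controls do not depend on each other.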

These were discovered alongside CVE-2026-28516 (CVSS 9.3), an SQL injection vulnerability, by VulnCheck security researcher Valentin Lobstein in February 2026. According to Lobstein, the three flaws can be chained to achieve remote code execution over five HTTP requests and spawn a reverse shell.

Caitlin Condon, vice president of security research at VulnCheck, described the observed attacker behavior: "The cluster of attacker activity we're observing so far originates from a single Chinese IP and uses what appears to be a customized implementation of AI vuln discovery tool Vulnhuntr to automatically check for vulnerable installations before dropping a PHP web shell."

What this means for NGINX operators, AlmaLinux maintainers, and defenders monitoring VulnCheck activity

  • NGINX operators: the exploit can cause worker crashes and, under specific conditions, RCE. The report's explicit action is to "apply the latest fixes from F5" to secure networks against active threats; operators should prioritize those fixes and review configurations that enable the vulnerable ngx_http_rewrite_module.
  • AlmaLinux maintainers and system administrators on distributions with ASLR enabled: AlmaLinux maintainers expect that a generic, reliable exploit for RCE is unlikely on systems where ASLR is enabled (their default), but they stress the worker-crash denial-of-service is sufficiently exploitable to warrant urgent treatment.
  • Defenders and incident responders watching VulnCheck signals: VulnCheck has seen automated scanning and exploitation attempts against honeypots, and VulnCheck researchers report activity originating from a single IP that uses an AI-assisted discovery tool and ultimately drops a PHP web shell. Monitoring for automated probes, unexpected worker crashes, and indicators of PHP web-shell deployment is consistent with the threat activity described.
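The three bullets above name concrete signals (unexpected worker crashes, automated probes of the openDCIM endpoint, and whether ASLR is on) without showing how to check for them. The following is an added example, written for this page and not part of the article or any vendor tooling, that runs such checks over constructed log lines. It assumes NGINX's standard error-log alert for a reaped worker (`worker process N exited on signal S`), the default `combined` access-log format, and the Linux `kernel.randomize_va_space` sysctl; the sample lines and IP addresses are constructed.

```python
"""Added example: defender-side checks for the signals the reporting describes,
run over constructed NGINX log lines (not real captures)."""
import re
from collections import Counter
from pathlib import Path

# NGINX master logs this alert when it reaps a crashed worker. SIGSEGV (11) and
# SIGABRT (6) are what a heap overflow typically produces; a clean reload logs
# "exited with code 0" instead and does not match.
WORKER_EXIT_RE = re.compile(
    r"\[alert\] \d+#\d+: worker process (?P<pid>\d+) exited on signal (?P<sig>\d+)"
)
CRASH_SIGNALS = {6, 11}

# Default "combined" access-log format.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# CVE-2026-28517: report_network_map.php passes its "dot" parameter to a shell,
# so any request to that endpoint carrying "dot" deserves review; shell
# metacharacters (raw or URL-encoded) in the value make it suspicious.
OPENDCIM_RE = re.compile(r"report_network_map\.php\?.*\bdot=", re.I)
SHELL_META_RE = re.compile(r"[;|`$]|%3B|%7C|%26|%60|%24", re.I)


def worker_crashes(error_log_lines):
    """Return (pid, signal) for every worker that died on a crash signal."""
    hits = []
    for line in error_log_lines:
        m = WORKER_EXIT_RE.search(line)
        if m and int(m.group("sig")) in CRASH_SIGNALS:
            hits.append((int(m.group("pid")), int(m.group("sig"))))
    return hits


def crash_burst(error_log_lines, threshold=3):
    """A run of worker deaths with no deploy is the worker-crash DoS the
    AlmaLinux note describes; the threshold is an assumed tuning value."""
    return len(worker_crashes(error_log_lines)) >= threshold


def opendcim_probes(access_log_lines):
    """Requests that hit report_network_map.php with a dot parameter."""
    out = []
    for line in access_log_lines:
        m = ACCESS_RE.match(line)
        if not m or not OPENDCIM_RE.search(m.group("path")):
            continue
        value = m.group("path").split("dot=", 1)[1].split("&", 1)[0]
        out.append({"ip": m.group("ip"), "ua": m.group("ua"), "value": value,
                    "suspicious": bool(SHELL_META_RE.search(value))})
    return out


def top_sources(probes):
    """Count probing IPs: the reporting describes activity from a single IP."""
    return Counter(p["ip"] for p in probes).most_common()


def aslr_level(randomize_va_space: str) -> str:
    """Interpret kernel.randomize_va_space: 0 = off, 1 = stack/mmap only
    (heap not randomized), 2 = full (the usual Linux default)."""
    return {"0": "disabled", "1": "partial", "2": "full"}[randomize_va_space.strip()]


def read_aslr(path="/proc/sys/kernel/randomize_va_space"):
    p = Path(path)
    return aslr_level(p.read_text()) if p.exists() else "unknown (not Linux)"


# Constructed sample data, not real captures.
SAMPLE_ERROR_LOG = [
    "2026/05/20 10:01:02 [notice] 1000#0: signal 17 (SIGCHLD) received from 1001",
    "2026/05/20 10:01:02 [alert] 1000#0: worker process 1001 exited on signal 11 (core dumped)",
    "2026/05/20 10:01:02 [notice] 1000#0: start worker process 1010",
    "2026/05/20 10:01:05 [alert] 1000#0: worker process 1010 exited on signal 11 (core dumped)",
    "2026/05/20 10:01:09 [alert] 1000#0: worker process 1011 exited on signal 11 (core dumped)",
    "2026/05/20 10:02:00 [notice] 1000#0: worker process 1012 exited with code 0",
]
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [20/May/2026:10:00:01 +0000] "GET /report_network_map.php?dot=rack1%7Cid HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.4 - - [20/May/2026:10:00:10 +0000] "GET /report_network_map.php?dot=rack1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [20/May/2026:10:00:12 +0000] "GET /index.php HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("worker crashes:", worker_crashes(SAMPLE_ERROR_LOG), "burst:", crash_burst(SAMPLE_ERROR_LOG))
    for p in opendcim_probes(SAMPLE_ACCESS_LOG):
        print("probe:", p)
    print("sources:", top_sources(opendcim_probes(SAMPLE_ACCESS_LOG)))
    print("ASLR on this host:", read_aslr())
```

The ASLR reading matters because the page ties RCE to ASLR being off: a value of 0 on an exposed host turns the crash-only risk into the code-execution one, and a value of 1 still leaves the heap unrandomized, so only 2 reflects the "enabled by default" posture AlmaLinux describes.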

The factual record from VulnCheck, depthfirst, and AlmaLinux presents a dual operational picture: a high-severity NGINX flaw now under active probing, and a separate, actively abused cluster of openDCIM flaws that can be chained to full remote code execution. The immediate, concrete steps called for in the reporting are straightforward — apply the fixes published by the vendor and watch for automated scanning and web-shell indicators — but the alerts also leave open an urgent question: will attackers combine these parallel campaigns or focus them against specific targets? For now, the known next steps are the vendor fixes and heightened monitoring; the end goals of the actors remain unknown.

https://thehackernews.com/2026/05/nginx-cve-2026-42945-exploited-in-wild.html