NGINX flaw exploited in the wild could allow RCE

A heap buffer overflow in ngx_http_rewrite_module (CVE-2026-42945) for NGINX Plus and Open 0.6.27–1.30.0 is being exploited, causing worker crashes and potential remote code execution.

Security firms VulnCheck and depthfirst reported active exploitation of a heap buffer overflow in NGINX’s ngx_http_rewrite_module, tracked as CVE-2026-42945, days after the vulnerability was publicly disclosed. Affected NGINX Plus and Open releases range from 0.6.27 through 1.30.0. Exploitation has resulted in worker process crashes and can, in certain conditions, enable remote code execution.

The flaw carries a CVSS score of 9.2. Depthfirst’s analysis found the defect was introduced in 2008. An unauthenticated attacker can trigger the issue by sending crafted HTTP requests that reach the vulnerable rewrite logic. Depthfirst reported that successful code execution requires Address Space Layout Randomization (ASLR) to be disabled and a server configuration that exposes the vulnerable rewrite path.

Security researcher Kevin Beaumont noted the exploit depends on a specific NGINX configuration being reachable and on ASLR being turned off to achieve reliable remote code execution. AlmaLinux maintainers wrote that on systems with ASLR enabled (the default on supported AlmaLinux releases) they do not expect a generic, reliable exploit to be simple to produce, but they warned that the worker-crash denial-of-service is exploitable enough to require urgent attention.

VulnCheck’s telemetry showed exploitation attempts against its honeypot networks and flagged active weaponization of the flaw. The company recommended applying official fixes from F5, which maintains NGINX Plus and supports community releases. The purpose of the observed attacks has not been disclosed.

In a separate cluster of activity, VulnCheck researchers reported exploitation efforts targeting openDCIM, an open-source data center infrastructure management tool. Researchers identified two additional critical flaws, CVE-2026-28515, a missing-authorization issue, and CVE-2026-28517, an operating-system command injection in report_network_map.php. These two flaws, together with CVE-2026-28516, an SQL injection disclosed earlier, can be chained to achieve remote code execution in as few as five HTTP requests and spawn a reverse shell, researcher Valentin Lobstein found.

VulnCheck reported the openDCIM activity appears to originate from a single Chinese IP and uses an apparent customized implementation of an AI-driven vulnerability discovery tool called Vulnhuntr to locate vulnerable installations before deploying a PHP web shell. Caitlin Condon, vice president of security research at VulnCheck, described the pattern as automated scanning followed by web-shell deployment from that single source.

Vendors and researchers have published advisories and updates. Administrators are reported to be auditing server configurations for exposed rewrite logic, ensuring ASLR is enabled on hosts where possible, applying vendor patches, checking for unexpected web shells or configuration changes, and restricting access to management interfaces. NGINX’s rewrite module is commonly enabled for URL handling and redirects, and the long history of the flaw means older, unpatched systems may remain vulnerable.
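The checks listed above (version in the affected range, rewrite directives present in the configuration, ASLR state on the host) can be scripted as a quick triage pass. The following POSIX shell script is an added example written for this page; it is not code from the article, from F5, or from the NGINX project. It assumes the affected range exactly as the article states it (0.6.27 through 1.30.0 inclusive; the page does not name the fixed release, so that upper bound is an assumption) and runs against a constructed sample configuration rather than a live server.

```shell
#!/bin/sh
# Added triage helper (not from the article or from F5/NGINX).
# Assumed affected range: 0.6.27 through 1.30.0 inclusive, as stated in the article.

# Turn "a.b.c" into one comparable integer, e.g. 1.30.0 -> 1030000.
version_key() {
  printf '%s\n' "$1" | awk -F. '{ printf "%d\n", $1*1000000 + $2*1000 + $3 }'
}

# Exit 0 when the given NGINX version falls inside the affected range.
nginx_version_affected() {
  v=$(version_key "$1")
  lo=$(version_key 0.6.27)
  hi=$(version_key 1.30.0)
  [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]
}

# Count active rewrite directives in config text read from stdin.
# Commented-out lines are ignored; a directive must start the line.
count_rewrite_directives() {
  grep -v '^[[:space:]]*#' | grep -c '^[[:space:]]*rewrite[[:space:]]' || true
}

# Map the value of /proc/sys/kernel/randomize_va_space to a label:
# 2 = full ASLR (stack, mmap, brk), 1 = partial (no brk), 0 = disabled.
aslr_status() {
  case "$1" in
    2) echo "full" ;;
    1) echo "partial" ;;
    0) echo "disabled" ;;
    *) echo "unknown" ;;
  esac
}

# Constructed sample configuration (not a real deployment); one commented-out
# rewrite that must not be counted and two live ones that must.
SAMPLE_CONF='server {
    listen 80;
    # rewrite ^/old$ /new permanent;
    location /legacy/ {
        rewrite ^/legacy/(.*)$ /app/$1 last;
    }
    location /docs/ {
        rewrite ^/docs/(.*)$ /help/$1 redirect;
    }
}'

# Combine the three checks into one line of output for a host.
triage_report() {
  ver="$1"; conf="$2"; aslr="$3"
  if nginx_version_affected "$ver"; then vstate="in-affected-range"; else vstate="outside-range"; fi
  n=$(printf '%s\n' "$conf" | count_rewrite_directives)
  printf 'nginx %s: %s; active rewrite directives: %s; ASLR: %s\n' \
    "$ver" "$vstate" "$n" "$(aslr_status "$aslr")"
}

# Stand-alone run against the constructed sample (version and ASLR value also constructed).
triage_report 1.24.0 "$SAMPLE_CONF" 0
```

On a real host, feed `count_rewrite_directives` the output of `nginx -T` (which dumps the fully resolved configuration, includes and all), take the version from `nginx -v` (printed to stderr), and read the ASLR value from `/proc/sys/kernel/randomize_va_space`. A result of "in-affected-range" with a non-zero rewrite count is the combination the article describes as exposed; "disabled" ASLR on such a host is the condition the researchers tie to reliable code execution rather than only a worker crash, and is worth fixing independently of the patch.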
