Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

Iran-Linked MuddyWater Poses as Ransomware Gang to Mask Espionage

June 25, 2026

CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution

June 24, 2026

Researchers Trick AI Browsers Into Leaking Credentials

June 24, 2026
Facebook X (Twitter) Instagram
Thursday, June 25
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE
News

NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE

Team-CWDBy Team-CWDMay 24, 2026No Comments3 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


A newly disclosed security flaw impacting NGINX Plus and NGINX Open has come under active exploitation in the wild, days after its public disclosure, according to VulnCheck.

The vulnerability, tracked as CVE-2026-42945 (CVSS score: 9.2), is a heap buffer overflow in ngx_http_rewrite_module affecting NGINX versions 0.6.27 through 1.30.0. According to AI-native security company depthfirst, the vulnerability was introduced in 2008.

Successful exploitation of the flaw can permit an unauthenticated attacker to crash worker processes or execute remote code with crafted HTTP requests. However, it bears noting that code execution is possible only on devices where Address Space Layout Randomization (ASLR), a safeguard against memory-based attacks, is turned off.

“It relies on a specific NGINX config to be vulnerable, and for an attacker to know or discover the config to exploit it,” security researcher Kevin Beaumont said. “To reach RCE [remote code execution], also ASLR needs to have been disabled on the box.”

In a similar assessment, AlmaLinux maintainers said: “Turning the heap overflow into reliable code execution is not trivial in the default configuration, and on systems with ASLR enabled (which is the default on every supported AlmaLinux release), we do not expect a generic, reliable exploit to be easy to produce.”

“That said, ‘not easy’ is not ‘impossible,’ and the worker-crash DoS is exploitable enough on its own that we recommend treating this as urgent,” the maintainers added.

The latest findings from VulnCheck show that threat actors have begun to weaponize the flaw, with exploitation attempts detected against its honeypot networks. The nature of the attack activity and the end goals are presently unknown. Users are advised to apply the latest fixes from F5 to secure their networks against active threats.

Flaws in openDCIM Also Exploited

The development comes as VulnCheck also revealed exploitation efforts targeting two critical flaws in openDCIM, an open-source application used for data center infrastructure management. The vulnerabilities, both rated 9.3 on the CVSS scoring system, are listed below –

  • CVE-2026-28515 – A missing authorization vulnerability that could allow an authenticated user to access LDAP configuration functionality regardless of their assigned privileges. In Docker deployments where REMOTE_USER is set without authentication enforcement, the endpoint may be reachable without credentials, allowing unauthorized modification of application configuration.
  • CVE-2026-28517 – An operating system command injection vulnerability impacting the “report_network_map.php” component that processes a parameter called “dot” without sanitization and passes it directly to a shell command, resulting in arbitrary code execution.

The two vulnerabilities were discovered alongside CVE-2026-28516 (CVSS score: 9.3), an SQL injection vulnerability in openDCIM, by VulnCheck security researcher Valentin Lobstein in February 2026. According to Lobstein, the three flaws can be chained to achieve remote code execution over five HTTP requests and spawn a reverse shell.

“The cluster of attacker activity we’re observing so far originates from a single Chinese IP and uses what appears to be a customized implementation of AI vuln discovery tool Vulnhuntr to automatically check for vulnerable installations before dropping a PHP web shell,” Caitlin Condon, vice president of security research at VulnCheck, said.



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleGrafana GitHub Token Breach Led to Codebase Download and Extortion Attempt
Next Article Pre-Stuxnet Fast16 Malware Tampered with Nuclear Weapons Simulations
Team-CWD
  • Website

Related Posts

News

CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution

June 24, 2026
News

Researchers Trick AI Browsers Into Leaking Credentials

June 24, 2026
News

Google Vertex AI SDK Flaw Let Attackers Hijack Model Uploads via Bucket Squatting

June 24, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

Beware of threats lurking in booby-trapped PDF files

October 7, 2025

Is it time for internet services to adopt identity verification?

January 14, 2026

How chatbots can help spread scams

October 14, 2025

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.