NGINX Security Flaw Exploited in the Wild, Raising Concerns for Server Security
A critical security vulnerability in NGINX, a widely used web server software, has been actively exploited by threat actors, highlighting the ongoing challenges in server security. The flaw, tracked as CVE-2026-42945, is a heap buffer overflow in the ngx_http_rewrite_module, affecting NGINX versions from 0.6.27 to 1.30.0. This vulnerability, with a CVSS score of 9.2, was introduced in 2008 and has now been weaponized by attackers.
The severity of this issue lies in its potential to allow unauthenticated attackers to crash worker processes or execute remote code. However, code execution is contingent upon the absence of Address Space Layout Randomization (ASLR), a security measure designed to prevent memory-based attacks. Security researcher Kevin Beaumont emphasizes that the vulnerability is configuration-dependent, requiring attackers to know or discover specific NGINX settings to exploit it.
Despite the complexity of achieving remote code execution, AlmaLinux maintainers note that the worker-crash Denial of Service (DoS) attack is already exploitable. They advise treating this as an urgent matter, especially considering the active exploitation attempts detected by VulnCheck. The security firm has observed threat actors weaponizing the flaw against its honeypot networks; the nature of those attacks remains under investigation.
Additionally, VulnCheck has uncovered exploitation efforts targeting two critical vulnerabilities in openDCIM, an open-source application for data center infrastructure management. These vulnerabilities, CVE-2026-28515 and CVE-2026-28517, pose significant risks to application security and data integrity.
The first vulnerability, CVE-2026-28515, is a missing authorization issue that could enable authenticated users to access LDAP configuration functionality beyond their assigned privileges. In Docker deployments where REMOTE_USER is set without authentication enforcement, the endpoint may be accessible without credentials, leading to unauthorized configuration modifications.
The second vulnerability, CVE-2026-28517, is an operating system command injection flaw in the 'reportnetworkmap.php' component. It processes the 'dot' parameter without sanitization, allowing attackers to inject arbitrary shell commands and potentially execute code.
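As an added illustration of the defender's side of this flaw (not code from the article or from openDCIM), the script below scans constructed combined-format access-log lines for requests to reportnetworkmap.php whose `dot` parameter contains shell metacharacters after URL decoding, and shows the allowlist check a handler should apply before such a value reaches a shell. The endpoint and parameter names come from the article; the log lines, the log format and the allowlist pattern are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in combined format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2026:10:00:01 +0000] "GET /reportnetworkmap.php?dot=rack01 HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2026:10:00:02 +0000] "GET /reportnetworkmap.php?dot=rack01%3Bid HTTP/1.1" 200 88
198.51.100.7 - - [01/Jan/2026:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 2048
203.0.113.9 - - [01/Jan/2026:10:00:04 +0000] "GET /reportnetworkmap.php?dot=%60whoami%60 HTTP/1.1" 500 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters that let a value break out of a single shell argument.
SHELL_META = re.compile(r"[;&|`$()<>{}\n\r'\"\\]")
# Assumed allowlist for legitimate values; openDCIM's real value format is not described here.
SAFE_DOT = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def is_safe_dot(value):
    """Allowlist check a handler should apply before passing 'dot' anywhere near a shell."""
    return SAFE_DOT.fullmatch(value) is not None


def flag_requests(log_text):
    """Return (client_ip, decoded_dot_value) for requests to reportnetworkmap.php whose
    'dot' parameter contains shell metacharacters after URL decoding."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/reportnetworkmap.php"):
            continue
        # parse_qs percent-decodes, so encoded metacharacters are caught as well.
        for value in parse_qs(url.query, keep_blank_values=True).get("dot", []):
            if SHELL_META.search(value):
                hits.append((m.group("ip"), value))
    return hits


if __name__ == "__main__":
    for ip, value in flag_requests(SAMPLE_LOG):
        print(f"suspicious dot parameter from {ip}: {value!r}")
```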
These vulnerabilities, along with a previously discovered SQL injection flaw (CVE-2026-28516), can be chained to achieve remote code execution over five HTTP requests and spawn a reverse shell, according to security researcher Valentin Lobstein. The coordinated attack activity, originating from a single Chinese IP, uses a customized AI-driven vulnerability discovery tool, Vulnhuntr, to automate the identification of vulnerable installations.
In conclusion, the active exploitation of NGINX and openDCIM vulnerabilities underscores the ongoing threat landscape in server security. Organizations must remain vigilant, promptly apply patches, and implement robust security measures to protect their systems from potential attacks.