
NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE

Cyber RT, May 17, 2026

A security flaw in NGINX Plus and NGINX Open, CVE-2026-42945, is being actively exploited. The heap buffer overflow affects versions 0.6.27 to 1.30.0 and lets an unauthenticated attacker crash worker processes or, on systems with ASLR disabled, execute remote code. Exploitation requires a specific NGINX configuration. Concurrently, VulnCheck reports exploitation of three openDCIM vulnerabilities, CVE-2026-28515, CVE-2026-28517 and CVE-2026-28516, which enable unauthorized access and code execution.

A recently disclosed security vulnerability affecting NGINX Plus and NGINX Open has been actively exploited shortly after its public announcement, as reported by VulnCheck. The flaw, identified as CVE-2026-42945 with a CVSS score of 9.2, is a heap buffer overflow in the ngx_http_rewrite_module. It affects NGINX versions 0.6.27 to 1.30.0 and, according to the AI-native security company depthfirst, was introduced back in 2008.

The flaw allows an unauthenticated attacker to crash worker processes or execute remote code through specially crafted HTTP requests. Remote code execution, however, is only feasible on systems where Address Space Layout Randomization (ASLR), a mitigation designed to protect against memory-corruption attacks, is disabled. Security researcher Kevin Beaumont highlighted that the vulnerability is only exploitable under a specific NGINX configuration, which attackers first need to identify on a target.

AlmaLinux maintainers have also assessed the situation, noting that converting the heap overflow into reliable code execution is challenging in default configurations, especially on systems with ASLR enabled. They emphasized that while creating a reliable exploit is difficult, it is not impossible, and that the potential for a worker-crash denial-of-service (DoS) attack alone makes this vulnerability urgent to address.

VulnCheck's latest findings indicate that threat actors have started to exploit this flaw, with attempts detected against its honeypot networks. Although the specific nature and objectives of these attacks remain unclear, users are strongly advised to apply the latest security patches from F5 to protect their networks from these active threats.

In addition to the NGINX vulnerability, VulnCheck has uncovered exploitation efforts targeting two critical vulnerabilities in openDCIM, an open-source application for data center infrastructure management. Both are rated 9.3 on the CVSS scale: CVE-2026-28515, a missing authorization flaw, and CVE-2026-28517, an operating system command injection vulnerability. CVE-2026-28515 allows an authenticated user to access LDAP configuration functionality without the proper privileges, potentially enabling unauthorized modifications; in Docker deployments where REMOTE_USER is set without authentication enforcement, this endpoint can be reached without any credentials. CVE-2026-28517 affects the "report_network_map.php" component, which processes unsanitized input and so leads to arbitrary code execution.

These vulnerabilities, along with CVE-2026-28516, an SQL injection flaw, were discovered by VulnCheck security researcher Valentin Lobstein. The three flaws can be chained to achieve remote code execution in five HTTP requests, enabling attackers to spawn a reverse shell. VulnCheck has observed attacker activity originating from a single Chinese IP address, using a customized AI vulnerability discovery tool to identify vulnerable installations before deploying a PHP web shell.