A critical NGINX vulnerability tracked as CVE-2026-42945 is being exploited in the wild days after public disclosure, according to a threat intelligence disclosure from VulnCheck. The flaw affects NGINX Plus and NGINX Open Source, carries a CVSS score of 9.2, and can let an unauthenticated attacker crash worker processes or, in some configurations, execute code remotely.
KEY FACTS
- Bug type: Heap buffer overflow in ngx_http_rewrite_module
- Affected versions: NGINX 0.6.27 through 1.30.0
- Impact: Worker process crashes and possible remote code execution
- Condition: Remote code execution depends on ASLR being disabled
- Activity: Exploitation attempts were seen against honeypot networks
The flaw was introduced in 2008, according to the report. Security researcher Kevin Beaumont said exploitation depends on a specific NGINX configuration and knowledge of that setup, while AlmaLinux maintainers said reliable code execution is not expected to be easy on systems with ASLR enabled. They still described the issue as urgent because denial of service is practical on its own.
According to the latest findings, threat actors have begun weaponizing the bug, although the nature of the attack activity and the end goal remain unknown. Users were advised to apply the latest fixes from F5.
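For triage ahead of patching, the sketch below checks a host's `nginx -v` string against the affected range from the key facts and reports whether ASLR is off. It is an added example, not code from F5, VulnCheck or the report; the function names and verdict strings are made up for illustration, and it assumes the open-source `nginx/X.Y.Z` version format.

```shell
#!/bin/sh
# Added triage helper (not from F5, VulnCheck or the article's sources).
# Bounds are the affected range given in the key facts above.
LOW="0.6.27"
HIGH="1.30.0"

# ver_le A B: succeed if dotted version A <= B, comparing each part numerically.
ver_le() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 0
}

# nginx_version TEXT: pull X.Y.Z out of `nginx -v` output.
nginx_version() {
    printf '%s\n' "$1" | sed -n 's#.*nginx/\([0-9][0-9.]*\).*#\1#p' | head -n 1
}

# in_reported_range VERSION: succeed if LOW <= VERSION <= HIGH.
in_reported_range() {
    ver_le "$LOW" "$1" && ver_le "$1" "$HIGH"
}

# triage VERSION_TEXT ASLR_VALUE: print a one-line verdict.
# ASLR_VALUE is the content of /proc/sys/kernel/randomize_va_space (0 = off).
triage() {
    v=$(nginx_version "$1")
    if [ -z "$v" ]; then echo "unknown-version"; return 0; fi
    if ! in_reported_range "$v"; then echo "outside-range $v"; return 0; fi
    case $2 in
        0) echo "in-range $v aslr=disabled" ;;
        1|2) echo "in-range $v aslr=enabled" ;;
        *) echo "in-range $v aslr=unknown" ;;
    esac
}

# Live check, only when nginx is installed on this host.
if command -v nginx >/dev/null 2>&1; then
    triage "$(nginx -v 2>&1)" "$(cat /proc/sys/kernel/randomize_va_space 2>/dev/null)"
fi
```

An `in-range` verdict is a prompt to check the vendor's fix status, not proof of exposure: distribution packages can carry backported fixes without changing the upstream version string, and exploitability also depends on the rewrite configuration in use.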
VulnCheck also said it observed active exploitation attempts against two critical openDCIM flaws, CVE-2026-28515 and CVE-2026-28517. The advisory says one bug allows unauthorized access to LDAP configuration in some deployments and the other can lead to command injection in a network map reporting component.
An additional SQL injection flaw, CVE-2026-28516, was also identified in the same application. The report said the three openDCIM flaws can be chained to achieve remote code execution in five HTTP requests and spawn a reverse shell.
The activity described across NGINX and openDCIM shows how quickly newly disclosed flaws can be targeted once working exploit paths are available. For defenders, the practical concern is not only code execution but also service disruption and exposure of infrastructure management systems.
WHY IT MATTERS
Systems exposed to these flaws may face both immediate denial of service and, in some cases, full compromise. The disclosures point to the need for prompt patching and review of vulnerable configurations before attackers can automate further exploitation.

