Critical NGINX CVE-2026-42945 Actively Exploited in the Wild, Raising Risk of Crashes and Potential Remote Code Execution

A newly disclosed critical vulnerability in NGINX Plus and NGINX Open Source is being actively exploited in the wild, according to threat intelligence researchers. Tracked as CVE-2026-42945 and rated CVSS 9.2, the flaw sits in a core module that runs on a very large share of web infrastructure.

Heap Buffer Overflow in Core Rewrite Module

The vulnerability is a heap buffer overflow in ngx_http_rewrite_module, the module that implements the rewrite, return, if and set directives and therefore handles URL rewriting early in request processing.

Security analysts report that the bug has been in the codebase for years, introduced as early as 2008. The reported affected range runs from NGINX 0.6.27 through 1.30.0, so both legacy installs and current releases are exposed until patched.

Active Exploitation Detected in the Wild

Security firm VulnCheck confirmed that attackers have already begun exploiting the vulnerability in live environments. Honeypot telemetry shows attempts to trigger the bug using specially crafted HTTP requests.

The attackers' exact objectives are not yet clear; the activity looks like early-stage probing that could evolve into more destructive campaigns.

Impact: Service Disruption and Potential Remote Code Execution

The flaw can be abused in multiple ways depending on system configuration:

  • Denial-of-service (DoS): Attackers can crash NGINX worker processes using malformed requests
  • Possible remote code execution (RCE): Under specific conditions, attackers may achieve code execution on affected systems

However, researchers caution that full exploitation is not straightforward. Achieving RCE typically requires:

  • A vulnerable and specific NGINX configuration
  • Knowledge or discovery of the target setup
  • Systems where Address Space Layout Randomization (ASLR) is disabled

Security expert Kevin Beaumont noted that while remote code execution is theoretically possible, environmental restrictions significantly raise the difficulty of successful exploitation.

Security Experts: Risk Still Requires Urgent Action

Despite the complexity of full exploitation, security professionals warn that the vulnerability should be treated as critical due to its crash potential and active exploitation attempts.

Maintainers of AlmaLinux also emphasized that:

  • Exploitation into reliable RCE is difficult under default secure configurations
  • Systems with ASLR enabled are significantly more resistant
  • However, denial-of-service attacks remain highly practical and likely

This combination of partial exploitability and active attacker interest makes the flaw particularly concerning for production environments.
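The exploitation conditions above and the AlmaLinux points both come down to three things an operator can check before the patch lands: whether the running build falls in the reported affected range, whether ASLR is on, and whether workers are already dying on memory faults. The script below is an added example, not code from the article, VulnCheck, AlmaLinux or the NGINX project. It assumes a Linux host where `nginx -v` is on PATH and prints `nginx version: nginx/X.Y.Z`, that ASLR state is exposed in /proc/sys/kernel/randomize_va_space, and that error_log uses the stock format. The page does not name the fixed release, so the version check only encodes the range the article reports and defers to the vendor advisory.

```python
"""Pre-patch exposure check for CVE-2026-42945 (added example, assumptions in comments)."""
import re
import subprocess
from pathlib import Path

# Affected range as reported in the article; the fixed release is not named there.
AFFECTED_LOW = (0, 6, 27)
AFFECTED_HIGH = (1, 30, 0)

# Stock error_log line for a worker killed by a memory fault, e.g.
# "2026/05/01 10:00:00 [alert] 100#100: worker process 200 exited on signal 11"
# Signals: 11 SIGSEGV, 7 SIGBUS, 6 SIGABRT (assumption: default log format).
CRASH_RE = re.compile(r"\[alert\] .*worker process (\d+) exited on signal (11|7|6)\b")


def parse_version(text):
    """Extract (major, minor, patch) from `nginx -v` output such as 'nginx/1.26.2'."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no nginx version found in: {text!r}")
    return tuple(int(x) for x in m.groups())


def in_affected_range(version):
    """True when the version lies inside the range the article reports as affected."""
    return AFFECTED_LOW <= version <= AFFECTED_HIGH


def aslr_state(path="/proc/sys/kernel/randomize_va_space"):
    """Kernel ASLR level: 0 off, 1 stack/mmap/vdso, 2 also brk; None if unreadable."""
    try:
        return int(Path(path).read_text().strip())
    except (OSError, ValueError):
        return None


def crashed_workers(lines):
    """Return (pid, signal) pairs for worker crashes found in error_log lines."""
    hits = []
    for line in lines:
        m = CRASH_RE.search(line)
        if m:
            hits.append((int(m.group(1)), int(m.group(2))))
    return hits


def assess(version, aslr, crashes):
    """Combine version, ASLR state and crash evidence into one verdict string."""
    if not in_affected_range(version):
        return "not in reported affected range; confirm against the vendor advisory"
    verdict = "affected version: patch now"
    if aslr == 0:
        verdict += "; ASLR disabled, which the reports tie to easier RCE"
    if crashes:
        verdict += f"; {len(crashes)} worker crash(es) in error_log, investigate"
    return verdict


def main():
    # `nginx -v` prints to stderr; merge both streams to be safe.
    out = subprocess.run(["nginx", "-v"], capture_output=True, text=True)
    version = parse_version(out.stderr + out.stdout)
    log = Path("/var/log/nginx/error.log")  # assumption: default log location
    lines = log.read_text(errors="replace").splitlines() if log.exists() else []
    print(assess(version, aslr_state(), crashed_workers(lines)))


if __name__ == "__main__":
    main()
```

A crash entry in error_log is not proof of exploitation, but on an affected version with ASLR off it is the combination the reports describe, and it is worth correlating with the access log around the same timestamp.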

Related Exploitation in openDCIM Widens the Threat Landscape

Alongside the NGINX vulnerability, researchers have also identified active exploitation of multiple critical flaws in openDCIM, an open-source data center management platform.

The vulnerabilities include:

  • CVE-2026-28515: Authorization bypass allowing unauthorized access to LDAP configuration features
  • CVE-2026-28517: Command injection in report_network_map.php enabling arbitrary command execution on the host
  • CVE-2026-28516: SQL injection vulnerability that can be chained with other flaws

Security researchers report that these issues can be combined into a full attack chain, enabling remote code execution through a sequence of HTTP requests.

Attack Activity Suggests Automated Exploitation Tools

Threat intelligence teams observed malicious activity originating from a single Chinese IP address. The attacks appear to use automated tooling, potentially enhanced with AI-assisted vulnerability scanning capabilities, to identify exposed systems and deploy web shells.

According to VulnCheck researchers, the attacker behavior includes automated reconnaissance followed by deployment of PHP-based backdoors on vulnerable servers.
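The behaviour described for the openDCIM chain, a crafted request to report_network_map.php followed by a PHP backdoor, leaves a recognisable trail in the web server access log. The detector below is an added example, not code from the article, VulnCheck or the openDCIM project. It assumes the common "combined" access log format and an install under /opendcim/; because the page does not name the injectable parameter, it inspects every query value of report_network_map.php for shell metacharacters (decoding twice to catch double-encoding), then flags any later request from the same source to a different .php file as a candidate web shell. The sample log lines and the parameter name "foo" are constructed for the demonstration, not captured traffic.

```python
"""Access-log detection for the openDCIM command-injection chain (added example)."""
import re
from urllib.parse import unquote, urlsplit

# Common "combined" log format (assumption): ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Characters that let a query value break out of a shell command line.
# '&' only appears inside a value if it was URL-encoded, so it is safe to flag.
SHELL_META = re.compile(r"[;|&`]|\$\(|\n")
TARGET_SCRIPT = "report_network_map.php"


def parse(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def query_values(query):
    """Decode each query value twice so %2524%2528 (double-encoded '$(') is caught."""
    values = []
    for part in query.split("&"):
        _, _, raw = part.partition("=")
        values.append(unquote(unquote(raw.replace("+", " "))))
    return values


def is_injection_attempt(entry):
    """True for a report_network_map.php request whose decoded query carries shell metacharacters."""
    url = urlsplit(entry["target"])
    if not (url.path == TARGET_SCRIPT or url.path.endswith("/" + TARGET_SCRIPT)):
        return False
    return any(SHELL_META.search(v) for v in query_values(url.query))


def analyse(lines):
    """Map source IP -> list of (kind, target) events.

    'injection'    : metacharacters in a report_network_map.php query
    'followup_php' : later request from a flagged IP to a different .php file
                     (heuristic for the PHP backdoor deployment described above)
    """
    findings = {}
    flagged = set()
    for line in lines:
        e = parse(line)
        if e is None:
            continue
        path = urlsplit(e["target"]).path
        if is_injection_attempt(e):
            flagged.add(e["ip"])
            findings.setdefault(e["ip"], []).append(("injection", e["target"]))
        elif e["ip"] in flagged and path.endswith(".php") and TARGET_SCRIPT not in path:
            findings[e["ip"]].append(("followup_php", e["target"]))
    return findings


# Constructed sample traffic (not real captures); documentation-range addresses.
SAMPLE_LOG = [
    '203.0.113.10 - - [02/May/2026:10:01:22 +0000] "GET /opendcim/report_network_map.php?foo=1%3Bid HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.10 - - [02/May/2026:10:01:25 +0000] "POST /opendcim/images/x.php HTTP/1.1" 200 88 "-" "python-requests/2.31"',
    '198.51.100.7 - - [02/May/2026:10:02:00 +0000] "GET /opendcim/report_network_map.php?foo=rack1 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, events in analyse(SAMPLE_LOG).items():
        for kind, target in events:
            print(f"{ip}  {kind:13}  {target}")
```

Run it against a real log by replacing SAMPLE_LOG with the file's lines; a source that produces both event kinds in quick succession matches the recon-then-backdoor sequence the researchers describe, and the .php target of the follow-up request is where to look for the dropped shell.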

Conclusion

The active exploitation of CVE-2026-42945 highlights the ongoing risk posed by long-standing vulnerabilities in widely deployed web infrastructure. While full system compromise may require specific conditions, the ability to crash servers and potentially escalate to remote code execution makes this flaw a serious concern.

Organizations running NGINX should apply the vendor update immediately. Until it is in place, confirm that ASLR is enabled on affected hosts and review rewrite-related configuration, since the reported conditions for remote code execution depend on both; a crashing worker remains the realistic outcome either way.

Copyright © 2023 Cyber Reports Cyber Security News. All Rights Reserved.