
NGINX CVE-2026-42945 Exploited in the Wild, Causes Worker Crashes and Possible RCE

Ravie Lakshmanan, May 17, 2026. Server Security / Vulnerability

A newly disclosed security flaw affecting NGINX Plus and NGINX Open Source has come under active exploitation in the wild just days after its public disclosure, according to VulnCheck.

The vulnerability, tracked as CVE-2026-42945 (CVSS score: 9.2), is a buffer overflow in the ngx_http_rewrite_module affecting NGINX versions 0.6.27 to 1.30.0. According to AI-native security company deepfirst, the vulnerability was introduced in 2008.

Successful exploitation of the flaw could allow an unauthenticated attacker to crash worker processes or achieve remote code execution via crafted HTTP requests. However, it should be noted that code execution is only possible on systems where Address Space Layout Randomization (ASLR), a defense against memory-corruption attacks, is disabled.

“It relies on a specific configuration of NGINX to be vulnerable, and for the attacker to know or obtain a configuration to exploit it,” said security researcher Kevin Beaumont. “Access to RCE [remote code execution] and ASLR needs to be disabled in the box.”

Echoing that assessment, the AlmaLinux maintainers said: “Converting the stack to reliable code execution is not trivial in the default configuration, and on systems with ASLR enabled (which is the default in all supported AlmaLinux releases), we do not expect a common, reliable exploit to be easy to reproduce.”

“That said, it’s ‘not easy,’ not ‘impossible,’ and the DoS of the worker crash is exploitable enough on its own that we recommend this be treated as an emergency,” the maintainers added.

Recent findings from VulnCheck indicate that threat actors have begun exploiting this flaw, with exploit attempts detected against its honeypot networks. The nature of the activity and its end goals are unknown at this time. Users are advised to apply the latest fixes from F5 to protect their networks from active threats.

openDCIM Flaws Also Under Exploitation

The development comes as VulnCheck also revealed exploit attempts targeting two critical flaws in openDCIM, an open-source application used for data center infrastructure management. The vulnerabilities, both rated 9.3 on the CVSS scoring system, are listed below:

  • CVE-2026-28515 – A missing authorization vulnerability that could allow an authenticated user to access the LDAP configuration functionality regardless of assigned privileges. In Docker deployments where REMOTE_USER is set but no authentication is actually enforced, the endpoint may be reached without any credentials, allowing unauthorized modification of the application’s configuration.
  • CVE-2026-28517 – An operating system command injection vulnerability in the “report_network_map.php” component, which takes a request parameter called “dot” without sanitization and passes it directly to a shell command, resulting in unintended command execution.
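The two openDCIM issues above share a root cause that is easy to illustrate: a request value that reaches a shell string unchecked, and an authorization decision that trusts an externally settable REMOTE_USER. The following PHP is an added sketch of that pattern and its hardened counterpart; it is not openDCIM’s code, and the function names, the program being invoked and the assumed shape of the “dot” value (a short identifier) are all assumptions made for illustration.

```php
<?php
// Added illustration of the command-injection pattern and its fix. This is a
// hypothetical sketch, not openDCIM's code; the function names, the program
// being invoked and the shape of the "dot" value are assumptions.

// VULNERABLE: the request parameter is concatenated into a shell string, so a
// value such as "rack; id" terminates the intended command and runs a second
// one. Shown only as the shape of the bug; never run this with untrusted input.
function buildCommandVulnerable(string $dot): string
{
    return "/usr/bin/dot -Tsvg -o /tmp/map.svg " . $dot;
}

// HARDENED, step 1: refuse anything outside a strict allowlist. The expected
// values are assumed to be short identifiers; no shell metacharacter can pass.
function validateDotParam(string $dot): ?string
{
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $dot) === 1 ? $dot : null;
}

// HARDENED, step 2: even after validation, do not route the value through a
// shell at all. Passing an array to proc_open() (PHP >= 7.4) executes the
// program directly, so each element is exactly one argv entry and nothing is
// ever interpreted as shell syntax.
function runMapTool(string $dot): ?string
{
    $safe = validateDotParam($dot);
    if ($safe === null) {
        http_response_code(400);
        return null;
    }
    $cmd  = ['/usr/bin/dot', '-Tsvg', $safe];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// HARDENED, step 3: the authorization decision must come from the
// application's own authenticated session, not from a REMOTE_USER variable
// that a misconfigured proxy or container image can set without any login.
function requireAuthenticatedUser(array $session): bool
{
    return isset($session['user_id']) && $session['user_id'] !== '';
}

// Demo on constructed inputs (no external program is executed here).
var_dump(validateDotParam('rack-12'));          // string(7) "rack-12"
var_dump(validateDotParam('rack; id'));         // NULL
echo buildCommandVulnerable('rack; id'), "\n";  // the ";" lands inside the command
var_dump(requireAuthenticatedUser([]));         // bool(false)
```

The allowlist is the primary control; the array form of proc_open() is defense in depth so that a future loosening of the regex still cannot turn the value into shell syntax. Where an older PHP forces a string command, wrap the validated value in escapeshellarg() rather than concatenating it raw.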

The two vulnerabilities were discovered alongside CVE-2026-28516 (CVSS score: 9.3), a SQL injection vulnerability in openDCIM, by VulnCheck security researcher Valentin Lobstein in February 2026. According to Lobstein, the three vulnerabilities can be chained to achieve code execution in five HTTP requests.

“The cluster of attacker activity we’ve seen so far originates from a single IP in China and uses what appears to be a customized implementation of the AI vulnerability detection tool Vulnhuntr to automatically scan for vulnerable installations before dropping a PHP web shell,” said Caitlin Condon, vice president of security research at VulnCheck.
