A newly identified security vulnerability in NGINX Plus and NGINX Open Source is being actively exploited shortly after its disclosure, according to VulnCheck. The flaw, tracked as CVE-2026-42945 with a CVSS score of 9.2, is a heap buffer overflow in the ngx_http_rewrite_module. It affects NGINX versions 0.6.27 through 1.30.0 and was reportedly introduced in 2008, according to the AI-native security firm depthfirst.
Details of the Exploitation
Exploiting the vulnerability allows an unauthenticated attacker to crash worker processes or execute code remotely using specially crafted HTTP requests. Importantly, remote code execution is only achievable when Address Space Layout Randomization (ASLR), a defense against memory-corruption attacks, is disabled on the target system.
Security expert Kevin Beaumont pointed out that a server is only susceptible under a particular NGINX configuration, which an attacker must either know or discover in order to exploit it, and that ASLR must additionally be disabled for remote code execution to succeed.
Community Response and Recommendations
AlmaLinux maintainers have emphasized that converting the heap overflow into reliable code execution is challenging under default configurations. They note that systems with ASLR enabled, which is standard in all supported AlmaLinux releases, likely won’t see a straightforward, reliable exploit. Despite this difficulty, they warn that the potential for worker crashes alone makes addressing this issue urgent.
VulnCheck’s latest analyses indicate that threat actors are actively attempting to exploit this vulnerability, with observed attacks on their honeypot networks. The precise objectives of these attacks remain uncertain, but users are urged to implement the latest security updates from F5 to safeguard their networks from these active threats.
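A defender triaging hosts against the details above needs two facts per server: whether the installed version falls in the affected range (0.6.27 to 1.30.0) and whether ASLR is on, since the write-up says the worker crash is reachable regardless but the code-execution path depends on ASLR being disabled. The following is an added example, not code from the article, VulnCheck or F5; it assumes a Linux host where `nginx -v` prints its banner to stderr and ASLR mode is exposed in /proc/sys/kernel/randomize_va_space. It does not check the specific rewrite configuration the article says is required, because the article does not describe it.

```python
import re
import subprocess
from pathlib import Path

# Affected range as reported; treating both bounds as inclusive is an assumption.
AFFECTED_MIN = (0, 6, 27)
AFFECTED_MAX = (1, 30, 0)


def parse_nginx_version(banner: str) -> tuple:
    """Extract (major, minor, patch) from an 'nginx -v' banner such as
    'nginx version: nginx/1.26.2' or 'nginx version: nginx/1.27.4 (nginx-plus-r33)'."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"unrecognised nginx version banner: {banner!r}")
    return tuple(int(x) for x in m.groups())


def version_affected(version: tuple) -> bool:
    return AFFECTED_MIN <= tuple(version) <= AFFECTED_MAX


def aslr_enabled(randomize_va_space: str) -> bool:
    """Linux randomize_va_space: 0 = off, 1 = partial, 2 = full randomisation."""
    return randomize_va_space.strip() in {"1", "2"}


def assess(banner: str, randomize_va_space: str) -> dict:
    """Classify one host from its version banner and ASLR setting."""
    version = parse_nginx_version(banner)
    affected = version_affected(version)
    aslr = aslr_enabled(randomize_va_space)
    if not affected:
        risk = "not in affected range"
    elif aslr:
        risk = "patch: unauthenticated worker crash (DoS) possible; RCE mitigated by ASLR"
    else:
        risk = "patch urgently: ASLR disabled, reported RCE path is open"
    return {"version": ".".join(map(str, version)), "affected": affected,
            "aslr": aslr, "risk": risk}


def assess_local_host() -> dict:
    """Run on the host itself: 'nginx -v' writes its banner to stderr."""
    banner = subprocess.run(["nginx", "-v"], capture_output=True, text=True).stderr
    rva = Path("/proc/sys/kernel/randomize_va_space").read_text()
    return assess(banner, rva)


if __name__ == "__main__":
    print(assess_local_host())
```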
Additional Vulnerabilities in openDCIM
This situation coincides with reported exploitation efforts targeting critical vulnerabilities in openDCIM, an open-source tool for managing data center infrastructure. Two major vulnerabilities, both with a CVSS score of 9.3, have been identified:
- CVE-2026-28515: A missing authorization flaw that could allow authenticated users to access LDAP configuration features without appropriate privileges, especially in Docker setups lacking enforced authentication.
- CVE-2026-28517: A command injection vulnerability in the “report_network_map.php” component that processes unsanitized input, leading to arbitrary code execution.
Discovered by VulnCheck researcher Valentin Lobstein in February 2026, these vulnerabilities, alongside CVE-2026-28516 (an SQL injection issue), can be chained to achieve remote code execution via five HTTP requests, potentially deploying a reverse shell.
According to Caitlin Condon, VulnCheck’s vice president of security research, the observed attacker activity originates from a single Chinese IP and employs a customized AI vulnerability discovery tool to automate vulnerability checks before deploying a PHP web shell.
The active exploitation of these vulnerabilities underscores the critical need for timely patching and heightened vigilance in managing server and application security.
