GBHackers

Critical NGINX Vulnerability Lets Hackers Launch Remote Code Execution Attacks


A newly disclosed vulnerability in NGINX is already being actively exploited, raising serious concerns across the global cybersecurity community.

Tracked as CVE-2026-42945, the flaw affects both NGINX Open Source and NGINX Plus, potentially allowing attackers to crash servers or execute remote code under specific conditions.

Security researcher Patrick Garrity of VulnCheck revealed that exploitation attempts were observed within days of the vulnerability’s public disclosure.

According to VulnCheck’s Initial Access team, attackers are sending specially crafted HTTP requests to trigger a heap buffer overflow in the NGINX worker process.

This type of memory corruption can destabilise services and, in rare cases, enable remote code execution (RCE).

NGINX RCE Vulnerability

The vulnerability does not require authentication, making it particularly dangerous in exposed environments. “An unauthenticated attacker can crash the NGINX worker process,” VulnCheck noted in its release update.

While full remote code execution is possible only under specific conditions, such as systems running with Address Space Layout Randomization (ASLR) disabled, the risk remains significant given the widespread use of NGINX in modern infrastructure.

However, not all deployments are equally vulnerable. Exploitation depends on a specific rewrite configuration being enabled on the target server. This limits the number of truly exploitable systems, but identifying those systems at scale remains a challenge.

Despite these constraints, the exposure footprint is massive. VulnCheck’s analysis, supported by Censys data, identified approximately 5.7 million internet-facing NGINX servers running potentially affected versions.

Even if only a small percentage meet the exact exploitation criteria, the number of at-risk systems could still be substantial.

Security experts warn that attackers often move quickly to weaponize newly disclosed vulnerabilities, especially those affecting widely deployed infrastructure like NGINX. Early exploitation activity suggests that threat actors are actively scanning for misconfigured or unpatched servers.

NGINX Flaw (Source: LinkedIn)

Organizations using NGINX are strongly advised to review their configurations immediately, particularly any rewrite rules that could trigger the vulnerable code path.

Applying available patches or updates should be treated as a high priority. Additionally, enabling modern security protections such as ASLR and monitoring for unusual HTTP request patterns can help reduce risk.
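The configuration review and ASLR check recommended above can be scripted. The following is an added example, not code from VulnCheck, F5/NGINX or the original article. The article does not say which rewrite pattern reaches the vulnerable code path, so the script lists every active `rewrite` directive for manual review; it assumes a Linux host and input in the format printed by `nginx -T`, and the sample dump is constructed.

```python
import re

# Constructed sample in the format printed by `nginx -T` (not from a real server).
SAMPLE_DUMP = """\
# configuration file /etc/nginx/nginx.conf:
http {
    include conf.d/*.conf;
}
# configuration file /etc/nginx/conf.d/app.conf:
server {
    listen 80;
    # rewrite ^/old/(.*)$ /new/$1 last;
    location /shop/ {
        rewrite ^/shop/(\\d+)$ /item?id=$1 last;
    }
    location /docs/ { rewrite ^/docs/(.*)$ /kb/$1 permanent; }
}
"""

FILE_MARKER = re.compile(r"^# configuration file (.+):$")
# `rewrite` followed by whitespace, so `rewrite_log` is not matched.
REWRITE = re.compile(r"(?:^|[;{}])\s*(rewrite\s+[^;]+;)")

def find_rewrites(dump):
    """Return (file, line_no, directive) for every active rewrite directive."""
    hits, current, line_no = [], "<unknown>", 0
    for raw in dump.splitlines():
        marker = FILE_MARKER.match(raw)
        if marker:  # `nginx -T` prints this marker before each included file
            current, line_no = marker.group(1), 0
            continue
        line_no += 1
        code = raw.split("#", 1)[0]  # drop comments (simplification: ignores '#' in quotes)
        for m in REWRITE.finditer(code):
            hits.append((current, line_no, m.group(1).strip()))
    return hits

def aslr_state(value):
    """Interpret the contents of /proc/sys/kernel/randomize_va_space (Linux)."""
    return {"0": "disabled", "1": "partial", "2": "full"}.get(value.strip(), "unknown")

def read_aslr(path="/proc/sys/kernel/randomize_va_space"):
    try:
        with open(path) as fh:
            return aslr_state(fh.read())
    except OSError:  # non-Linux host or restricted /proc
        return "unknown"

if __name__ == "__main__":
    for path, line_no, directive in find_rewrites(SAMPLE_DUMP):
        print(f"{path}:{line_no}: {directive}")
    print("ASLR:", read_aslr())
```

On a real host, pass the saved output of `nginx -T` to `find_rewrites` in place of `SAMPLE_DUMP`; any ASLR result other than `full` warrants follow-up.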

This incident highlights a recurring issue in cybersecurity: even narrowly exploitable vulnerabilities can pose widespread threats when the software they affect is as ubiquitous as NGINX.

As attackers continue to automate discovery and exploitation, the window between disclosure and active attacks continues to shrink.

With active exploitation already underway, defenders have little time to react. Rapid patching, configuration audits, and continuous monitoring remain critical to preventing potential compromise.
