
NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Potential RCE

A newly disclosed security flaw affecting NGINX Plus and NGINX Open Source has come under active exploitation in the wild, days after its public disclosure, according to VulnCheck.

The vulnerability, tracked as CVE-2026-42945 (CVSS score: 9.2), is a heap buffer overflow in ngx_http_rewrite_module affecting NGINX versions 0.6.27 through 1.30.0. According to AI-native security company depthfirst, the vulnerability was introduced in 2008.

Successful exploitation of the flaw can allow an unauthenticated attacker to crash worker processes (a denial of service: the master process respawns a crashed worker, but the connections it was serving are dropped) or execute remote code with crafted HTTP requests. However, it bears noting that code execution is possible only on systems where Address Space Layout Randomization (ASLR), a safeguard against memory-based attacks, is turned off.
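The exposure conditions the article states (version in the affected range, the rewrite module present, and ASLR status deciding whether the worst case is a worker crash or code execution) can be turned into a host triage script. The following is an added example written for this page, not code from F5, VulnCheck or depthfirst, and it assumes a Linux host where `nginx -V` prints the version and configure arguments to stderr and `/proc/sys/kernel/randomize_va_space` reports the ASLR setting (0 = off, 1 = partial, 2 = full). The sample `nginx -V` outputs are constructed, not captured from a real server. Because the article also says exploitation depends on a specific NGINX configuration it does not name, this check establishes necessary conditions only; a result of "affected" means patch, not that a working exploit exists for the host.

```python
import re
import subprocess
from typing import Optional, Tuple

# Affected range as reported for CVE-2026-42945: 0.6.27 through 1.30.0, inclusive.
AFFECTED_MIN = (0, 6, 27)
AFFECTED_MAX = (1, 30, 0)

# Triage verdicts returned by triage().
UNKNOWN = "unknown: could not parse nginx version"
NOT_AFFECTED = "not affected: version outside range or rewrite module not built"
AFFECTED_DOS = "affected: worker-crash DoS exposure (ASLR on); patch"
AFFECTED_RCE = "affected: ASLR off, RCE not mitigated; patch immediately"


def parse_version(nginx_v_output: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from `nginx -v` / `nginx -V` output.

    Both print a first line like 'nginx version: nginx/1.26.2'; NGINX Plus
    appends its release tag, e.g. 'nginx/1.27.4 (nginx-plus-r34)'.
    """
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", nginx_v_output)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_in_affected_range(version: Tuple[int, int, int]) -> bool:
    # Tuple comparison orders (1, 30, 0) after (1, 9, 9); string comparison would not.
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def rewrite_module_built_in(nginx_V_output: str) -> bool:
    """ngx_http_rewrite_module is compiled in by default; it is absent only
    when the build was configured with --without-http_rewrite_module."""
    return "--without-http_rewrite_module" not in nginx_V_output


def aslr_enabled(randomize_va_space: str) -> bool:
    """Interpret /proc/sys/kernel/randomize_va_space: 0 = off, 1 = partial, 2 = full."""
    return randomize_va_space.strip() in ("1", "2")


def triage(nginx_V_output: str, randomize_va_space: str) -> str:
    """Combine the three conditions into one verdict string."""
    version = parse_version(nginx_V_output)
    if version is None:
        return UNKNOWN
    if not (version_in_affected_range(version) and rewrite_module_built_in(nginx_V_output)):
        return NOT_AFFECTED
    return AFFECTED_DOS if aslr_enabled(randomize_va_space) else AFFECTED_RCE


def triage_local_host() -> str:
    """Run the check on the current host. `nginx -V` writes to stderr, so both
    streams are joined before parsing."""
    proc = subprocess.run(["nginx", "-V"], capture_output=True, text=True)
    with open("/proc/sys/kernel/randomize_va_space") as f:
        return triage(proc.stdout + proc.stderr, f.read())


# Constructed sample outputs (not captured from a real host).
SAMPLE_DEFAULT_BUILD = (
    "nginx version: nginx/1.26.2\n"
    "built by gcc 13.2.0 (Debian 13.2.0-25)\n"
    "configure arguments: --prefix=/etc/nginx --with-http_ssl_module\n"
)
SAMPLE_NO_REWRITE = SAMPLE_DEFAULT_BUILD.replace(
    "--with-http_ssl_module", "--with-http_ssl_module --without-http_rewrite_module"
)

if __name__ == "__main__":
    print(triage(SAMPLE_DEFAULT_BUILD, "2"))   # ASLR full: worker-crash exposure
    print(triage(SAMPLE_DEFAULT_BUILD, "0"))   # ASLR off: RCE not mitigated
    print(triage(SAMPLE_NO_REWRITE, "2"))      # rewrite module absent: not affected
```

Run `triage_local_host()` on each NGINX host; a fleet-wide pass is usually faster through the package manager's version query than through `nginx -V`, but the ASLR reading still has to come from each kernel. Distribution packages that backport the fix may keep an affected-looking version string, so confirm against the vendor's changelog before closing a finding.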

“It relies on a specific NGINX config to be vulnerable, and for an attacker to know or discover the config to exploit it,” security researcher Kevin Beaumont said. “To reach RCE [remote code execution], also ASLR needs to have been disabled on the box.”


In a similar assessment, AlmaLinux maintainers said: “Turning the heap overflow into reliable code execution isn’t trivial in the default configuration, and on systems with ASLR enabled (which is the default on every supported AlmaLinux release), we don’t expect a generic, reliable exploit to be easy to produce.”

“That said, ‘not easy’ isn’t ‘impossible,’ and the worker-crash DoS is exploitable enough on its own that we recommend treating this as urgent,” the maintainers added.

The latest findings from VulnCheck show that threat actors have begun to weaponize the flaw, with exploitation attempts detected against its honeypot networks. The nature of the attack activity and the end goals are currently unknown. Users are advised to apply the latest fixes from F5 to secure their networks against active threats.

Flaws in openDCIM Also Exploited

The development comes as VulnCheck also revealed exploitation efforts targeting two critical flaws in openDCIM, an open-source tool used for data center infrastructure management. The vulnerabilities, both rated 9.3 on the CVSS scoring system, are listed below –

  • CVE-2026-28515 – A missing authorization vulnerability that could allow an authenticated user to access LDAP configuration functionality regardless of their assigned privileges. In Docker deployments where REMOTE_USER is set without authentication enforcement, the endpoint may be reachable without credentials, allowing unauthorized modification of application configuration.
  • CVE-2026-28517 – An operating system command injection vulnerability impacting the “report_network_map.php” component, which processes a parameter called “dot” without sanitization and passes it directly to a shell command, resulting in arbitrary code execution.

The two vulnerabilities were discovered alongside CVE-2026-28516 (CVSS score: 9.3), an SQL injection vulnerability in openDCIM, by VulnCheck security researcher Valentin Lobstein in February 2026. According to Lobstein, the three flaws can be chained to achieve remote code execution over five HTTP requests and spawn a reverse shell.
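Since the article identifies the injection point for CVE-2026-28517 (the `dot` parameter of `report_network_map.php` reaching a shell command unsanitized), a defender can retro-hunt web server access logs for that parameter carrying shell metacharacters. The following detection is an added example written for this page, not VulnCheck's or the openDCIM project's code. It assumes Apache/NGINX combined-format access logs, that the parameter arrived in the query string (a `dot` value sent in a POST body does not appear in the access log and would need a WAF or request-body log), and treats the presence of shell metacharacters as a heuristic rather than proof of exploitation. The log lines are constructed for the example, not taken from any real incident.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

TARGET_SCRIPT = "report_network_map.php"
TARGET_PARAM = "dot"
# Characters that change how a POSIX shell parses an argument. A value that
# only needs to name a graph should never contain any of them.
SHELL_META = set(";&|`$<>()\n\r")


def suspicious_dot_values(target: str) -> List[str]:
    """Return the decoded `dot` values in `target` that carry shell metacharacters,
    or [] if the request is not for report_network_map.php."""
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1] != TARGET_SCRIPT:
        return []
    # parse_qs percent-decodes values, so %3B is compared as ';'.
    values = parse_qs(parts.query, keep_blank_values=True).get(TARGET_PARAM, [])
    return [v for v in values if any(ch in SHELL_META for ch in v)]


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Scan access-log lines and return one hit per suspicious `dot` value."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format (or a truncated line); skip rather than guess
        for value in suspicious_dot_values(m["target"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"], "dot": value})
    return hits


# Constructed sample log: one legitimate report request, two probes from a
# single source carrying shell metacharacters, and two unrelated requests.
SAMPLE_LOG = """\
198.51.100.5 - admin [12/Mar/2026:10:01:02 +0000] "GET /report_network_map.php?dot=dc1 HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2026:10:02:17 +0000] "GET /report_network_map.php?dot=dc1%3Bid HTTP/1.1" 200 412
203.0.113.7 - - [12/Mar/2026:10:02:18 +0000] "GET /report_network_map.php?dot=dc1%7Cwhoami HTTP/1.1" 200 398
203.0.113.7 - - [12/Mar/2026:10:02:19 +0000] "GET /index.php HTTP/1.1" 302 0
198.51.100.5 - admin [12/Mar/2026:10:03:00 +0000] "GET /index.php?dot=a%3Bb HTTP/1.1" 200 1024
"""

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} dot={hit['dot']!r}")
```

A hit followed by a new `.php` file appearing under the web root, or by the web server user spawning a shell, is the sequence the article attributes to the observed activity (probe, then web shell drop), so pair this log search with file-integrity and process-ancestry telemetry from the same window rather than acting on the log match alone. Note that the check only covers the `dot` parameter; the SQL injection (CVE-2026-28516) and the missing-authorization issue (CVE-2026-28515) need their own queries.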

“The cluster of attacker activity we’re observing so far originates from a single Chinese IP and uses what appears to be a customized implementation of AI vuln discovery tool Vulnhuntr to automatically check for vulnerable installations before dropping a PHP web shell,” Caitlin Condon, vice president of security research at VulnCheck, said.
