thehackernews.com via Reddit

NGINX CVE-2026-42945 exploited in wild days after patch

Tags: cybersecurity, vulnerabilities

Key insights

  • CVE-2026-42945 is a CVSS 9.2 unauthenticated heap buffer overflow in NGINX's rewrite module, present in the codebase since 2008.
  • VulnCheck confirmed active in-the-wild exploitation within days of the May 13 patch, compressing the safe response window to near zero.
  • Operators should upgrade to NGINX 1.30.1 (stable) or 1.31.0 (mainline) immediately. Only configurations using certain rewrite directive patterns are affected, and full RCE requires ASLR to be disabled, but F5 has not published the triggering patterns, so the millions of production sites running NGINX cannot narrow their exposure without patching.

Why this matters

NGINX underpins the reverse proxy and load-balancing layer for a large share of global web infrastructure, including AI inference APIs and model-serving endpoints, so an unauthenticated flaw of this severity is a systemic risk rather than a point vulnerability. The 2008 origin means every deployment, however diligently patched, carried the bug until the May 13 fix existed; what patch cadence decides now is how long the exposure continues after disclosure, and the speed of exploitation confirms that disclosed CVEs at this severity are weaponized in days, not weeks. Two details bound the impact: only configurations using specific rewrite directive patterns are affected, and the overflow yields a worker process crash (a denial of service) unless ASLR is disabled, in which case it can be turned into remote code execution. For AI founders and technical leaders running customer-facing model APIs or data pipelines behind NGINX, code execution in the worker process gives an unauthenticated attacker a foothold on the edge host, with the proxied traffic, including customer queries, and the network path to the backends holding model weights and training data within reach before a patch window opens.

Summary

CVE-2026-42945, a heap buffer overflow in NGINX's rewrite module present since 2008, is now being actively exploited in the wild. VulnCheck confirmed in-the-wild attacks just days after F5 issued the May 13 patch. The flaw scores CVSS 9.2 and requires no authentication. Servers with specific rewrite directive patterns are vulnerable to worker process crashes, and to full remote code execution where ASLR is disabled. Given NGINX's role as the foundation for millions of production deployments, the window between disclosure and mass exploitation proved vanishingly short. The core actors are F5/NGINX, which shipped the fix, and VulnCheck, which provided the in-the-wild confirmation, while operators race to absorb a patch released less than a week ago.

  • Unauthenticated RCE is achievable on systems where ASLR is disabled and matching rewrite directive patterns are configured; on other affected systems the outcome is a worker process crash.
  • The vulnerability has existed in the codebase since 2008, so latent risk was present for nearly 18 years.
  • Update to NGINX 1.30.1 (stable) or 1.31.0 (mainline) immediately.

The collapse of the interval between patch release and confirmed active exploitation to a matter of days resets what a credible patch SLA looks like for any organization running NGINX in production.

Potential risks and opportunities

Risks

  • Enterprises running NGINX-fronted AI inference APIs (self-hosted Hugging Face models, Replicate-style hosted endpoints, or proprietary model endpoints) face unauthenticated RCE exposure until patched where the edge host has ASLR disabled, and crash-induced outages everywhere else, with model weights and customer query logs directly at risk.
  • Cloud and hosting providers whose marketplace images or managed stacks ship NGINX (AWS, DigitalOcean, Linode) face SLA and liability exposure if customer workloads are compromised during the current active exploitation window, before patched images propagate.
  • Organizations on monthly or quarterly vulnerability scan cycles will not even learn which hosts run an affected version before a cycle that already postdates the exploitation onset, leaving internet-facing NGINX deployments exposed and unmonitored for compromise in the meantime.

Opportunities

  • WAF and edge security vendors (Cloudflare, Fastly, Imperva) can deploy virtual patching signatures immediately, converting enterprise patch-lag into a direct expansion opportunity for managed protection contracts.
  • Continuous compliance and container security platforms (Wiz, Orca Security, Anchore) gain urgent budget conversations with DevSecOps teams burned by the speed of exploitation and seeking automated patch-status visibility.
  • Alternative and complementary web server vendors (Caddy, Envoy Proxy, HAProxy) gain competitive leverage in infrastructure evaluations as platform teams reassess concentration risk in single-vendor web-server stacks.

What we don't know yet

  • Which specific rewrite directive patterns trigger the bug: F5's advisory does not enumerate them, so operators cannot fully assess exposure without patching outright.
  • Whether threat intelligence vendors have attributed the active in-the-wild campaign to a specific group or financially motivated actor as of May 17, 2026.
  • How many of the millions of NGINX-served production sites run on hosts with ASLR disabled, the precondition for full RCE rather than a crash-only outcome (ASLR is an operating-system setting, not an NGINX configuration option).
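Added here as a worked example (this is not code from the article, from F5 or from the NGINX project): a shell triage script covering the three facts the Summary and the list above turn on, namely the fixed versions, the ASLR precondition for RCE, and the presence of rewrite directives in the live configuration. The only facts it takes from the article are the fixed releases 1.30.1 and 1.31.0, the ASLR dependence and the rewrite-module scope. The sample `nginx -v` output and sample configuration are constructed, and the rule that every version below 1.30.1 counts as unpatched is the script's own assumption (the article names no backports to other branches), not an F5 statement.

```shell
#!/bin/sh
# Added triage helper for CVE-2026-42945 (example code, not from the article,
# F5 or the NGINX project). Facts taken from the article: fixed releases are
# 1.30.1 (stable) and 1.31.0 (mainline); full RCE needs ASLR disabled; only
# configurations using rewrite directives are exposed, and the triggering
# patterns are not public. Everything else here is a generic operational check.

FIXED_VERSION="1.30.1"   # 1.31.0 compares higher, so one threshold covers both

# Pull "X.Y.Z" out of the text `nginx -v` prints, e.g. "nginx version: nginx/1.26.3".
parse_nginx_version() {
    printf '%s\n' "$1" | sed -n 's|.*/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' | head -n 1
}

# Numeric, component-wise comparison; succeeds when $1 >= $2.
# (Plain string comparison would call 1.9.0 newer than 1.30.1.)
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Echoes "fixed", "vulnerable" or "unknown" for one line of `nginx -v` output.
# Assumption: the article names only 1.30.1/1.31.0, so any lower version,
# including other vendor branches, is treated as unpatched until confirmed.
classify_nginx_version() {
    v=$(parse_nginx_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"
    elif version_ge "$v" "$FIXED_VERSION"; then
        echo "fixed"
    else
        echo "vulnerable"
    fi
}

# Linux ASLR knob: 0 = disabled (the article's RCE precondition), 1 = stack and
# mmap randomized, 2 = brk randomized as well. Echoes "unknown" off Linux.
aslr_state() {
    f=/proc/sys/kernel/randomize_va_space
    if [ -r "$f" ]; then cat "$f"; else echo "unknown"; fi
}

# Count uncommented `rewrite` directives in a config dump (`nginx -T` output).
# The rewrite module also implements if/set/return/break, and F5 has not said
# which patterns trigger the bug, so zero hits is a weak signal, not clearance.
count_rewrite_directives() {
    printf '%s\n' "$1" | grep -Ec '^[[:space:]]*rewrite[[:space:]]' || true
}

# Constructed sample inputs so the script runs on a host without nginx.
SAMPLE_VERSION_OUTPUT="nginx version: nginx/1.26.3"
SAMPLE_CONFIG='# constructed sample standing in for `nginx -T` output
http {
    server {
        listen 80;
        # rewrite_log on;  (commented out: must not be counted)
        rewrite ^/old/(.*)$ /new/$1 permanent;
        location /api/ {
            rewrite ^/api/v1/(.*)$ /v2/$1 last;
            proxy_pass http://model-backend;
        }
    }
}'

# One line per finding: version verdict, ASLR state, rewrite directive count.
triage_report() {
    version_output="$1"; config_text="$2"
    echo "version:  $(parse_nginx_version "$version_output") -> $(classify_nginx_version "$version_output")"
    echo "aslr:     randomize_va_space=$(aslr_state)  (0 means RCE, not just a crash, is on the table)"
    echo "rewrite:  $(count_rewrite_directives "$config_text") rewrite directive(s) in the supplied config"
}

# Use the real binary when present, otherwise the constructed samples above.
if command -v nginx >/dev/null 2>&1; then
    triage_report "$(nginx -v 2>&1)" "$(nginx -T 2>/dev/null || true)"
else
    triage_report "$SAMPLE_VERSION_OUTPUT" "$SAMPLE_CONFIG"
fi
```

Run it on each edge host (as a user allowed to read the configuration, since `nginx -T` needs it), or feed it `nginx -v 2>&1` and `nginx -T` output collected by configuration management. A `fixed` verdict is the only result that closes the finding: the triggering rewrite patterns are not public, so the directive count only prioritizes hosts, and a `randomize_va_space` of 0 only tells you which affected hosts would yield code execution rather than a crash.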