A critical NGINX vulnerability, identified as CVE-2026-42945, is actively being exploited in the wild just days after its public disclosure. The flaw, a heap buffer overflow in the ngx_http_rewrite_module, impacts NGINX Plus and NGINX Open versions ranging from 0.6.27 to 1.30.0. Security researchers at VulnCheck confirmed the active exploitation, highlighting the urgent need for users to apply patches to mitigate potential risks associated with this severe server security issue.
According to AI-native security company depthfirst, this vulnerability was introduced into the NGINX codebase as early as 2008. While the CVSS score of 9.2 indicates a critical severity rating, successful remote code execution (RCE) is contingent upon specific configurations. Attackers must target devices where Address Space Layout Randomization (ASLR), a standard security measure to prevent memory-based attacks, is disabled. However, even without RCE, the vulnerability can be leveraged to cause worker process crashes, leading to denial-of-service (DoS) conditions.
Active Exploitation of NGINX Vulnerability and openDCIM Flaws
The active exploitation of the NGINX vulnerability was detected by VulnCheck on their honeypot networks, though the specific goals and nature of the ongoing attack activities remain under investigation. Security researcher Kevin Beaumont noted that successful exploitation requires a specific NGINX configuration to be in place and for the attacker to possess knowledge of this configuration. Similarly, AlmaLinux maintainers assessed that achieving reliable code execution is non-trivial in default configurations, especially on systems with ASLR enabled, which is standard on their releases. Nevertheless, they emphasized that a worker-crash DoS is sufficiently exploitable to warrant immediate attention, recommending users treat the situation as urgent.
F5, the vendor responsible for NGINX Plus, has released patches to address this critical security flaw. Users are strongly advised to update their NGINX installations to the latest available versions to protect their systems from active threats. This proactive patching is crucial given the rapid shift from vulnerability discovery to real-world exploitation, a trend observed across various software products.
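The two conditions the article describes, a build inside the affected version range and whether ASLR is enabled on the host, can be checked locally. The script below is an added triage helper, not code from the article or from F5/NGINX. It takes only the version bounds (0.6.27 through 1.30.0) and the ASLR reading from the article; the `nginx -v` command and the Linux `/proc/sys/kernel/randomize_va_space` path are assumptions about the host being checked, and the verdict strings are my own wording.

```python
#!/usr/bin/env python3
"""Added triage helper (not from the article or from F5/NGINX).

Checks whether a local nginx build falls inside the affected range the article
gives for CVE-2026-42945 (0.6.27 through 1.30.0) and whether ASLR is enabled
on Linux. Assumptions: `nginx` is on PATH and the kernel exposes
/proc/sys/kernel/randomize_va_space (0 = off, 1 or 2 = on).
"""
import re
import subprocess
from pathlib import Path

AFFECTED_MIN = (0, 6, 27)   # lower bound reported in the article
AFFECTED_MAX = (1, 30, 0)   # upper bound reported in the article
VERSION_RE = re.compile(r"nginx/(\d+(?:\.\d+)*)")
ASLR_PATH = Path("/proc/sys/kernel/randomize_va_space")  # assumed Linux path


def parse_version(text: str) -> tuple:
    """Extract a numeric version tuple from `nginx -v` output.

    Works for 'nginx version: nginx/1.26.2' and for NGINX Plus builds,
    which append their release tag after the open-source version number.
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no nginx version found in: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def in_affected_range(version: tuple) -> bool:
    """True when AFFECTED_MIN <= version <= AFFECTED_MAX (tuple comparison)."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def aslr_state(randomize_va_space: str) -> str:
    """Map the sysctl value to a label: 0 means ASLR is disabled, 1 or 2 enabled."""
    value = randomize_va_space.strip()
    return {"0": "disabled", "1": "enabled", "2": "enabled"}.get(value, "unknown")


def assess(version: tuple, aslr: str) -> str:
    """Combine both checks into the reading the article gives of the risk."""
    if not in_affected_range(version):
        return "not in affected range"
    if aslr == "disabled":
        return "affected; ASLR disabled: RCE plausible, patch now"
    return "affected; ASLR enabled: worker-crash DoS still possible, patch now"


def main() -> None:
    try:
        # nginx prints its version banner on stderr, so read both streams.
        out = subprocess.run(["nginx", "-v"], capture_output=True, text=True, check=False)
        version = parse_version(out.stdout + out.stderr)
    except (FileNotFoundError, ValueError) as exc:
        print(f"could not determine nginx version: {exc}")
        return
    try:
        aslr = aslr_state(ASLR_PATH.read_text())
    except OSError:
        aslr = "unknown"
    print(f"nginx {'.'.join(map(str, version))}, ASLR {aslr}: {assess(version, aslr)}")


if __name__ == "__main__":
    main()
```

Run it on each host that serves NGINX; a "not in affected range" result only means the version check passed, so hosts already at a patched release still deserve the usual confirmation that the running process was restarted after the upgrade.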
Simultaneous Exploitation of openDCIM Vulnerabilities
In parallel to the NGINX situation, VulnCheck has also reported that threat actors are actively exploiting two critical vulnerabilities within openDCIM, an open-source application widely used for data center infrastructure management. These flaws, both carrying a CVSS score of 9.3, present significant security risks. The first, CVE-2026-28515, is a missing authorization vulnerability that allows authenticated users to access and potentially modify LDAP configurations, regardless of their assigned privileges. In certain Docker deployments, this endpoint might even be reachable without any authentication.
The second exploited vulnerability, CVE-2026-28517, is an operating system command injection flaw within the “report_network_map.php” component. This component processes a parameter named “dot” without adequate sanitization, passing it directly to a shell command, thereby enabling arbitrary code execution. These two vulnerabilities were discovered alongside CVE-2026-28516, an SQL injection flaw, by VulnCheck security researcher Valentin Lobstein in February 2026. Lobstein indicated that these three vulnerabilities can be chained together to achieve remote code execution and establish a reverse shell through a series of five HTTP requests.
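Because the article says the `dot` parameter of `report_network_map.php` reaches a shell command unsanitized, a defender can watch access logs for requests to that script whose `dot` value carries shell metacharacters. The detector below is an added example, not code from the article, openDCIM or VulnCheck. The endpoint and parameter names come from the article; the log lines, client addresses (RFC 5737 documentation ranges) and metacharacter list are constructed here, and the combined-log-format layout is an assumption about the web server.

```python
#!/usr/bin/env python3
"""Added detection example (not from the article, openDCIM or VulnCheck).

Flags access-log requests to report_network_map.php whose `dot` query
parameter, which the article says is passed to a shell command, contains
shell metacharacters after URL decoding. Only GET query strings appear in
a standard access log, so POST bodies need a different data source.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "report_network_map.php"   # script named in the article
PARAM = "dot"                         # parameter named in the article
# Characters that let a value escape its intended shell argument (constructed list).
SHELL_META = set(";|&`$<>(){}\n")
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines in Apache/NGINX combined log format.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2026:10:00:01 +0000] "GET /report_network_map.php?dot=rack42 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Mar/2026:10:00:02 +0000] "GET /report_network_map.php?dot=rack42%3Bid HTTP/1.1" 200 640',
    '198.51.100.7 - - [10/Mar/2026:10:00:03 +0000] "GET /index.php?dot=%3Bid HTTP/1.1" 200 100',
    '198.51.100.7 - - [10/Mar/2026:10:00:04 +0000] "GET /opendcim/report_network_map.php?dot=a%2524%2528id%2529 HTTP/1.1" 200 100',
]


def suspicious_dot_values(line: str) -> list:
    """Return decoded `dot` values from this line that contain shell metacharacters."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    # Match the script wherever the application is mounted (/ or /opendcim/...).
    if url.path != ENDPOINT and not url.path.endswith("/" + ENDPOINT):
        return []
    values = parse_qs(url.query, keep_blank_values=True).get(PARAM, [])
    # parse_qs decodes once; decode again so double-encoded metacharacters
    # (%2524 -> %24 -> $) are still caught.
    decoded = [unquote(v) for v in values]
    return [v for v in decoded if SHELL_META & set(v)]


def scan(lines) -> list:
    """Return (client_ip, decoded_value) pairs for every suspicious request."""
    hits = []
    for line in lines:
        for value in suspicious_dot_values(line):
            hits.append((line.split()[0], value))
    return hits


if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"suspicious {PARAM} value from {ip}: {value!r}")
```

The third sample line is deliberately not flagged: the same metacharacters sent to a different script are not evidence of this flaw, and keeping the endpoint check tight keeps the alert useful. The decoding step matters because a single `parse_qs` pass would leave a double-encoded `$(...)` looking like plain text.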
Caitlin Condon, vice president of security research at VulnCheck, stated that observed attacker activity targeting openDCIM originates from a single Chinese IP address. The attackers appear to be employing a customized version of the AI vulnerability discovery tool Vulnhuntr to automatically scan for vulnerable installations before deploying a PHP web shell. This coordinated exploitation highlights a growing trend of sophisticated, automated attacks targeting widely used infrastructure management software. Organizations relying on openDCIM should prioritize applying the latest security updates to safeguard their data center environments.
The rapid exploitation of both the NGINX vulnerability and the openDCIM flaws underscores the dynamic nature of the cybersecurity landscape. The swift rise of automated attack tools, especially those leveraging AI, means that vulnerabilities are being weaponized more quickly than ever. Users of affected software should remain vigilant and ensure their systems are up-to-date with the latest security patches. Future developments will likely focus on how vendors adapt their patching strategies and how security researchers can develop more effective detection and prevention mechanisms against these evolving threats.