Hackers Actively Exploiting Critical NGIN NGINX Vulnerability

Threat actors are actively exploiting a newly disclosed critical vulnerability in NGINX. Security researchers report observing real-world attacks mere days after the flaw’s public release.

Security researcher Patrick Garrity from VulnCheck revealed that threat actors are actively targeting CVE-2026-42945, a heap buffer overflow flaw affecting both NGINX Open Source and NGINX Plus.

The vulnerability has quickly moved from disclosure to exploitation, highlighting how rapidly attackers weaponize newly published flaws.

According to VulnCheck’s Initial Access team, the vulnerability allows an unauthenticated attacker to crash NGINX worker processes by sending specially crafted HTTP requests.

Hackers Exploit NGINX RCE

While this alone can cause denial-of-service (DoS) conditions, the risk becomes more severe under specific configurations.

In rare cases where Address Space Layout Randomization (ASLR) is disabled, attackers may be able to achieve remote code execution (RCE).

However, researchers note that such scenarios are unlikely in modern deployments, as ASLR is widely enabled by default across most systems.

Another important limitation is that exploitation requires a specific NGINX rewrite configuration.

This means not every exposed NGINX server is vulnerable, reducing the overall attack surface. Still, the scale of potential exposure remains significant.

In a LinkedIn post, VulnCheck researcher Patrick Garrity said Censys data indicates around 5.7 million internet-facing NGINX servers could be running vulnerable versions.

While only a subset of these systems may meet the exact conditions for exploitation, the large number underscores the urgency for patching and mitigation.

The rapid emergence of in-the-wild exploitation suggests that attackers are actively scanning for misconfigured or unpatched servers.

Early exploitation activity is often linked to opportunistic threat actors seeking initial access into target environments before organizations can respond.

This vulnerability is particularly concerning because NGINX is widely used as a web server, reverse proxy, and load balancer across enterprise environments, cloud infrastructure, and critical applications.

A successful compromise could allow attackers to disrupt services or potentially gain deeper access to backend systems.

Security experts strongly advise organizations to review their NGINX configurations and apply patches or updates as soon as they become available.

Additionally, administrators should ensure that security protections like ASLR remain enabled and audit rewrite rules that could expose systems to this flaw.

The incident once again highlights a growing trend in cybersecurity: the shrinking window between vulnerability disclosure and active exploitation.

Organizations that delay patching even for a few days may already be at risk. As threat actors continue to automate scanning and exploitation, proactive vulnerability management remains one of the most effective defenses against emerging cyber threats.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.