A heap overflow that sat quietly in NGINX since 2008 is now being sprayed across the internet by automated scanners, and the attackers driving the campaigns against a separate data-center tool are using an AI vulnerability hunter to do reconnaissance. If you run NGINX anywhere — and statistically, you probably do — the next few days matter more than the next few sprints.
Why CVE-2026-42945 Is Worse Than the CVSS Score Suggests
According to VulnCheck, CVE-2026-42945 is a heap buffer overflow in ngx_http_rewrite_module affecting NGINX versions 0.6.27 through 1.30.0, with a CVSS score of 9.2. AI-native security company depthfirst dated the bug to 2008 — 18 years in production. Active exploitation against VulnCheck’s honeypot networks began within days of public disclosure, though the end goals of the campaigns are still unknown.
Why it matters: NGINX powers a massive chunk of the public web, and the rewrite module is one of the most-used components in production configs. Even though security researcher Kevin Beaumont notes that reaching remote code execution requires ASLR to be disabled and the attacker to know the specific NGINX config, the worker-crash denial-of-service path is trivially exploitable on its own. AlmaLinux maintainers explicitly called out that “not easy is not impossible” and recommended treating the bug as urgent.
Practical example: if you operate a multi-tenant SaaS behind NGINX and an attacker can knock worker processes offline with a crafted HTTP request, your uptime SLA evaporates with one curl loop. Even if RCE never materializes for your environment, the DoS vector alone is enough to ruin a weekend.
The take: patching this is non-negotiable this week, not next quarter — the gap between disclosure and weaponization keeps shrinking, and an 18-year-old bug in default-installed software is the kind of thing nation-state and ransomware crews bookmark for re-use.
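The worker-crash path described above leaves a very visible trace: the NGINX master process logs every worker it has to respawn. The detector below is an added example, not code from the article or from NGINX, and it assumes the standard NGINX error-log format (`2026/05/03 12:00:05 [alert] 1234#0: worker process 5678 exited on signal 11`). The sample log lines are constructed; the timestamps, PIDs and the 60-second window and three-crash threshold are assumptions you would tune to your own traffic.

```python
"""Flag bursts of NGINX worker crashes in error.log (added example, not from the article).

A single worker exit can be a bug or an OOM kill; several within a short window
while the master keeps respawning them is what the crafted-request DoS path
looks like from the log side, so that is what this script alerts on.
"""
import re
from collections import deque
from datetime import datetime

# Real NGINX master-process alert format for a worker that died on a signal.
# Signal 11 (SIGSEGV) and 6 (SIGABRT) are the ones a heap overflow typically produces.
CRASH_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"(?P<pid>\d+)#\d+: worker process (?P<wpid>\d+) exited on signal (?P<sig>\d+)"
)

# Constructed sample: three crashes inside ten seconds, then one isolated crash later.
SAMPLE_LOG = """\
2026/05/03 12:00:01 [notice] 1234#0: using the "epoll" event method
2026/05/03 12:00:05 [alert] 1234#0: worker process 5678 exited on signal 11
2026/05/03 12:00:06 [notice] 1234#0: start worker process 5690
2026/05/03 12:00:09 [alert] 1234#0: worker process 5690 exited on signal 11
2026/05/03 12:00:14 [alert] 1234#0: worker process 5701 exited on signal 11
2026/05/03 12:03:30 [alert] 1234#0: worker process 5712 exited on signal 11
"""


def parse_crash(line):
    """Return a dict for a worker-exit line, or None for any other log line."""
    m = CRASH_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
        "worker_pid": int(m.group("wpid")),
        "signal": int(m.group("sig")),
    }


def find_crash_bursts(lines, window_seconds=60, threshold=3):
    """Sliding-window count of worker crashes.

    Returns a list of (timestamp, crash_count) for each moment at which at least
    `threshold` crashes fell inside the last `window_seconds`. The window is
    cleared after an alert so one burst produces one alert rather than one per line.
    """
    recent = deque()
    alerts = []
    for line in lines:
        ev = parse_crash(line)
        if ev is None:
            continue
        recent.append(ev["ts"])
        # Drop crashes that are now older than the window.
        while recent and (ev["ts"] - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((ev["ts"], len(recent)))
            recent.clear()
    return alerts


if __name__ == "__main__":
    for ts, count in find_crash_bursts(SAMPLE_LOG.splitlines()):
        print(f"{ts:%Y-%m-%d %H:%M:%S} worker-crash burst: {count} exits within the window")
```

On a live host, pipe `tail -F /var/log/nginx/error.log` into `find_crash_bursts` a line at a time, or point the same parser at the journal on systemd hosts; the point is that this signal is cheap, needs no request inspection, and fires whether or not the attacker ever reaches the RCE path.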
The openDCIM Chain Is a Preview of AI-Assisted Mass Exploitation
The same VulnCheck disclosure flagged active exploitation of two critical openDCIM flaws — CVE-2026-28515 (a missing authorization bug exposing LDAP configuration) and CVE-2026-28517 (an OS command injection in report_network_map.php via an unsanitized dot parameter) — both rated 9.3. They sit alongside CVE-2026-28516, a 9.3 SQL injection, all discovered by VulnCheck researcher Valentin Lobstein in February 2026. Lobstein’s writeup shows the three can be chained into remote code execution and a reverse shell over five HTTP requests.
Why it matters: Caitlin Condon, VP of security research at VulnCheck, reported that the attacker activity originates from a single Chinese IP and uses what appears to be a customized implementation of Vulnhuntr — an AI vulnerability discovery tool — to automatically locate vulnerable installations before dropping a PHP web shell. Attackers are no longer manually fingerprinting hosts; they’re letting an LLM-based scanner do the dirty work at machine speed.
Practical example: if you’re a colocation provider or an enterprise data-center team running openDCIM to manage rack inventory, an AI scanner doesn’t care that you’re obscure. It will find your endpoint, chain the three CVEs, and drop a shell before your on-call rotation finishes their coffee. Teams running data-center and supply chain software should treat infrastructure-management tools as Tier-1 attack surface, not back-office plumbing.
The take: the openDCIM campaign is a dress rehearsal. Expect the same pattern — Vulnhuntr-style AI recon plus a chained-CVE payload — to hit healthcare imaging gateways, ICS bridges, and SCADA web UIs within the next two quarters.
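The openDCIM command-injection bug has one concrete, log-visible property the article gives us: it lives in report_network_map.php and is reached through the dot parameter. The scanner below is an added example, not code from the article, VulnCheck or the openDCIM project. It reads combined-format web access logs, isolates requests to that script, and flags any dot value that falls outside a conservative allowlist of characters you would expect in a node or rack name (the allowlist, the /opendcim/ path prefix and the log lines themselves are constructed assumptions). It also tallies hits per source IP, since the reported campaign came from a single address.

```python
"""Flag suspicious `dot` values sent to openDCIM's report_network_map.php
(added example, not from the article or the openDCIM project)."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [ts] "METHOD target PROTO" status bytes "ref" "ua"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3}) \S+"
)

# Assumed benign charset for a graph node name; anything else is worth a look.
DOT_ALLOWED = re.compile(r"^[A-Za-z0-9_.-]*$")
TARGET_SCRIPT = "/report_network_map.php"

# Constructed sample: one legitimate request, one with a shell metacharacter
# smuggled into `dot`, one unrelated request from the same client.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [03/May/2026:10:00:01 +0000] "GET /opendcim/report_network_map.php?dot=rack12 HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.9 - - [03/May/2026:10:00:08 +0000] "GET /opendcim/report_network_map.php?dot=rack12%3Bid HTTP/1.1" 200 77 "-" "python-requests/2.31"
198.51.100.9 - - [03/May/2026:10:00:09 +0000] "GET /opendcim/index.php HTTP/1.1" 200 77 "-" "python-requests/2.31"
"""


def inspect_request(line):
    """Return a finding dict if the line is a report_network_map.php request whose
    `dot` value contains characters outside the allowlist; otherwise None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith(TARGET_SCRIPT):
        return None
    # parse_qs percent-decodes, so %3B becomes ';' before the allowlist check.
    query = parse_qs(parts.query, keep_blank_values=True)
    for value in query.get("dot", []):
        if not DOT_ALLOWED.match(value):
            return {"ip": m.group("ip"), "dot": value,
                    "status": m.group("status"), "ts": m.group("ts")}
    return None


def scan_access_log(lines):
    """Return (findings, per_source_ip_counter) for a sequence of access-log lines."""
    findings = [f for f in (inspect_request(line) for line in lines) if f]
    per_ip = Counter(f["ip"] for f in findings)
    return findings, per_ip


if __name__ == "__main__":
    findings, per_ip = scan_access_log(SAMPLE_ACCESS_LOG.splitlines())
    for f in findings:
        print(f"{f['ts']} {f['ip']} dot={f['dot']!r} status={f['status']}")
    print("per source:", dict(per_ip))
```

Note that this catches GET requests only; if your deployment accepts the same parameter in a POST body, the body is not in the access log and you need request-level logging or a WAF rule in front of the script instead. The allowlist is deliberately strict: a false positive on an unusual but legitimate node name is a cheap ticket, a missed metacharacter is a web shell.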
What Defaults Are Hiding in Your NGINX Config Right Now
The most uncomfortable detail in Beaumont’s analysis is that exploitation depends on a specific NGINX configuration being present, and on the attacker discovering it. That sounds like a mitigating factor until you remember how copy-pasted production NGINX configs are. Stack Overflow snippets and vendor tutorials get cloned across thousands of repos; the rewrite rules that make you vulnerable are also the rules most teams never audit.
Why it matters: Default AlmaLinux installs have ASLR enabled, but containerized deployments, custom kernels, and embedded appliances frequently ship with weaker memory protections. If your infrastructure includes hardware load balancers, IoT gateways, or vendor appliances that bundle NGINX, the ASLR assumption may not hold — and you may not even have a patching mechanism. For regulated environments such as healthcare platforms handling patient data, an unpatched NGINX worker is also an unpatched HIPAA control.
Practical example: imagine you operate a hospital intake portal where a vendor-supplied NGINX appliance sits in front of an EHR. The appliance hasn’t received a firmware update in eight months. CVE-2026-42945 hits, F5 ships a fix for upstream NGINX, but your vendor’s release cadence is quarterly. You’re exposed until they ship — and exposed again every time they don’t.
The take: this CVE will quietly shift how procurement teams evaluate appliance vendors. Patch cadence is about to become a contract clause, not a footnote.
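Three facts from the sections above are checkable on every host right now: the installed NGINX version against the 0.6.27 through 1.30.0 range, which rewrite-module directives the config actually contains, and whether ASLR is on. The audit below is an added example, not code from the article, F5 or NGINX; it inventories the ngx_http_rewrite_module directives (`break`, `if`, `return`, `rewrite`, `rewrite_log`, `set`) across a config tree, without claiming which particular rule triggers the bug, since the article does not say. The config files are constructed; include globs are not expanded (feed it the output of `nginx -T`, which prints the fully resolved config, to avoid that limitation); the ASLR value comes from `/proc/sys/kernel/randomize_va_space`, whose 0/1/2 meanings are standard Linux semantics.

```python
"""Audit a host for the three conditions discussed above: affected NGINX version,
presence of rewrite-module directives, and ASLR state.
Added example, not from the article, F5 or the NGINX project."""
import re
import subprocess

AFFECTED_MIN = (0, 6, 27)   # range as reported in the article
AFFECTED_MAX = (1, 30, 0)

# All directives provided by ngx_http_rewrite_module.
REWRITE_RE = re.compile(r"^\s*(break|if|return|rewrite|rewrite_log|set)\b")
INCLUDE_RE = re.compile(r"^include\s+([^;]+);")

# Constructed sample config tree; real use reads files or `nginx -T` output.
SAMPLE_FILES = {
    "/etc/nginx/nginx.conf": """\
user nginx;
http {
    include /etc/nginx/conf.d/app.conf;
}
""",
    "/etc/nginx/conf.d/app.conf": """\
server {
    listen 80;
    # legacy rule copied from a tutorial
    rewrite ^/old/(.*)$ /new/$1 permanent;
    location /api/ {
        if ($request_method = OPTIONS) { return 204; }
        set $backend "app";
    }
}
""",
}


def parse_version(text):
    """Extract x.y.z from strings such as 'nginx version: nginx/1.26.2' (nginx -v output)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def in_affected_range(version_text):
    return AFFECTED_MIN <= parse_version(version_text) <= AFFECTED_MAX


def find_rewrite_directives(files, entry):
    """Walk a mapping of path -> config text starting at `entry`, following
    `include` directives whose target is an exact key. Returns a list of
    (path, line_number, directive, stripped_line)."""
    found, seen = [], set()

    def walk(path):
        if path in seen or path not in files:
            return
        seen.add(path)
        for lineno, raw in enumerate(files[path].splitlines(), 1):
            line = raw.split("#", 1)[0].strip()   # drop trailing comments
            m = REWRITE_RE.match(line)
            if m:
                found.append((path, lineno, m.group(1), line))
            inc = INCLUDE_RE.match(line)
            if inc:
                walk(inc.group(1).strip().strip("\"'"))

    walk(entry)
    return found


def aslr_status(randomize_va_space):
    """Interpret /proc/sys/kernel/randomize_va_space (Linux): 0 off, 1 stack/mmap/vdso, 2 also brk."""
    return {0: "disabled", 1: "partial", 2: "full"}.get(int(randomize_va_space), "unknown")


def audit_host(version_text, files, entry, randomize_va_space):
    hits = find_rewrite_directives(files, entry)
    return {
        "version": ".".join(map(str, parse_version(version_text))),
        "version_affected": in_affected_range(version_text),
        "rewrite_directive_count": len(hits),
        "rewrite_directives": hits,
        "aslr": aslr_status(randomize_va_space),
    }


def audit_live_host(entry="/etc/nginx/nginx.conf"):
    """Same audit against the running system (Linux only)."""
    version_text = subprocess.run(["nginx", "-v"], capture_output=True, text=True).stderr
    with open("/proc/sys/kernel/randomize_va_space") as fh:
        aslr = fh.read().strip()
    with open(entry) as fh:
        files = {entry: fh.read()}
    return audit_host(version_text, files, entry, aslr)


if __name__ == "__main__":
    report = audit_host("nginx version: nginx/1.26.2", SAMPLE_FILES, "/etc/nginx/nginx.conf", 2)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A host that reports `version_affected: True` with any rewrite directives present is in the patch-now bucket regardless of what `aslr` says; `aslr: disabled` or `partial` on such a host is the combination Beaumont's analysis singles out and belongs at the top of the list. Run the same audit inside each container image and against each appliance's exported config, because those are exactly the places where the desktop-distro ASLR assumption stops holding.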
FAQ
Q: What is CVE-2026-42945 and who is affected?
A: CVE-2026-42945 is a heap buffer overflow in NGINX’s ngx_http_rewrite_module, rated CVSS 9.2, affecting NGINX Plus and NGINX Open versions 0.6.27 through 1.30.0. According to depthfirst, the vulnerability has existed since 2008. Any organization running an unpatched NGINX instance with a vulnerable rewrite configuration should apply the F5 fix immediately.
Q: Can attackers really get remote code execution from this NGINX bug?
A: Yes, but with caveats. Per Kevin Beaumont and AlmaLinux maintainers, reliable RCE requires ASLR to be disabled and the attacker to know the specific NGINX configuration in use. On default AlmaLinux installs, ASLR is enabled. However, the denial-of-service path — crashing worker processes with crafted HTTP requests — is exploitable without those conditions and is already being attempted in the wild.
Q: How are attackers finding vulnerable openDCIM installations so quickly?
A: VulnCheck’s Caitlin Condon reported that the observed campaign uses a customized version of Vulnhuntr, an AI-based vulnerability discovery tool, to automatically scan for vulnerable openDCIM instances and drop a PHP web shell. It’s one of the first publicly documented cases of AI recon in a live exploitation campaign.
Key Takeaways
- Patch NGINX to a version above 1.30.0 this week — the exploitation window is already open and the worker-crash DoS path bypasses the ASLR mitigation that protects against full RCE.
- Audit every appliance, container image, and vendor product in your stack that bundles NGINX; upstream patches mean nothing if your vendor’s release cycle is measured in quarters.
- Treat infrastructure-management tools like openDCIM as Tier-1 attack surface — the same AI scanning techniques will be turned on similar niche admin software within months.
- Bake patch-cadence SLAs into vendor contracts for any product running in your perimeter; the gap between CVE disclosure and weaponization no longer leaves room for goodwill.
- Expect AI-assisted vulnerability discovery tools like Vulnhuntr to become standard offensive tooling — defensive teams should adopt equivalent AI scanners internally before attackers fingerprint their environments first.