18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE
Overview
Researchers have identified multiple vulnerabilities in NGINX Plus and NGINX Open, including a severe flaw that has existed for 18 years. The most critical issue, a heap buffer overflow in the ngx_http_rewrite_module (CVE-2026-42945), could allow attackers to execute arbitrary code remotely without authentication. This vulnerability has a high severity score of 9.2 on the CVSS v4 scale. Organizations using these web servers are at risk, as the flaw could lead to significant security breaches. It is crucial for affected users to address this vulnerability promptly to safeguard their systems.
Key Takeaways
- Affected Systems: NGINX Plus, NGINX Open
- Action Required: Update to the latest version of NGINX Plus or NGINX Open that addresses this vulnerability.
- Timeline: Disclosed on [date]
Original Article Summary
Cybersecurity researchers have disclosed multiple security vulnerabilities impacting NGINX Plus and NGINX Open, including a critical flaw that remained undetected for 18 years. The vulnerability, discovered by depthfirst, is a heap buffer overflow issue impacting ngx_http_rewrite_module (CVE-2026-42945, CVSS v4 score: 9.2) that could allow an attacker to achieve remote code execution or cause a
Impact
NGINX Plus, NGINX Open
Exploitation Status
The exploitation status is currently unknown. Monitor vendor advisories and security bulletins for updates.
Timeline
Disclosed on [date]
Remediation
Update to the latest version of NGINX Plus or NGINX Open that addresses this vulnerability. Users should apply patches as soon as they are released and review their configurations to mitigate potential exploitation.
Additional Information
This threat intelligence is aggregated from trusted cybersecurity sources. For the most up-to-date information, technical details, and official vendor guidance, please refer to the original article linked below.
Related Topics: This incident relates to CVE, Vulnerability, RCE, and 2 more.