NGINX

NGINX Vendor Cyber Rating & Cyber Score

f5.com

We have moved! Follow us at @F5 for all relevant updates.


NGINX A.I CyberSecurity Scoring

Company Information
Website: https://www.f5.com
Employees number: 173
Number of followers: 90,437
NAICS: 5415
Industry Type: IT Services and IT Consulting
Homepage: f5.com
NGINX Risk Score (AI oriented)
Between 700 and 749
Updated: 18/06/2026
720/1000, Moderate, Ba
Powered by our proprietary A.I cyber incident model
Insurance prefers TPRM score to calculate premium

NGINX
Current Score: 720 Ba (MODERATE)
9 incidents
-4.5 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
725 Before Incident
Vulnerability
17 Jun 2026, NGINX
F5 and NGINX: F5 Patches NGINX Vulnerability Enabling Code Execution and DoS Attacks

F5 Patches Critical NGINX Vulnerabilities Enabling RCE and DoS Attacks

720 After Incident
CRITICAL -5
NGIF51781792829
On June 17, 2026, F5 issued an out-of-band security advisory (K000161614) addressing multiple high-severity vulnerabilities in NGINX components, including Open Source, NGINX Plus, NGINX Instance Manager, and related modules. The flaws, which could lead to remote code execution (RCE) and denial-of-service (DoS) attacks, prompted urgent patching recommendations from F5 and national CERTs.

The most severe issue, CVE-2026-42530 (CVSS 8.1/9.2), affects the NGINX `ngx_http_v3_module` when HTTP/3 QUIC is enabled. A remote attacker could exploit a use-after-free flaw in the QPACK encoder stream to crash NGINX worker processes, causing DoS or potential RCE on systems with disabled or bypassable ASLR. Affected versions include NGINX Open Source (1.31.0–1.31.1), NGINX Gateway Fabric (2.0.0–2.6.3), and NGINX Ingress Controller (5.0.0–5.5.0), with fixes available in NGINX Open Source 1.31.2 and Gateway Fabric 2.6.4.

A second high-severity flaw, CVE-2026-42055 (CVSS 8.1/9.2), impacts NGINX Plus and Open Source when using the `ngx_http_proxy_v2_module` or gRPC with HTTP/2 backends. Malicious HTTP/2 or gRPC traffic could trigger memory-handling errors, leading to crashes or RCE. Patched versions include NGINX Plus 37.0.2.1 and NGINX Open Source 1.31.2/1.30.3, though some products like NGINX Instance Manager and App Protect modules remain unpatched.

Additional vulnerabilities in NGINX Gateway Fabric (CVE-2026-11311, CVE-2026-50107) could disrupt routing and service integrity, with fixes available in version 2.6.4. F5 recommends immediate upgrades for affected deployments and interim mitigations, such as disabling HTTP/3/QUIC, restricting HTTP/2/gRPC exposure, and enforcing access controls. Administrators are advised to monitor F5’s security notifications for further updates.
INCIDENT DETAILS
TYPE
Remote Code Execution (RCE); Denial-of-Service (DoS)
IMPACT
NGINX Open Source (1.31.0–1.31.1); NGINX Plus; NGINX Instance Manager; NGINX Gateway Fabric (2.0.0–2.6.3); NGINX Ingress Controller (5.0.0–5.5.0); Service disruption; Potential system crashes
MAY 2026
729 Before Incident
Vulnerability
23 May 2026, NGINX
NGINX Plus, F5 and NGINX Open Source: Nginx-poolslip Vulnerability Enables DoS and Code Execution Attacks — Patch Now!

Critical NGINX Vulnerability 'nginx-poolslip' Exposes Millions of Servers to Remote Attacks

724 After Incident
CRITICAL -5
F5NGI1779539045
A newly disclosed high-severity vulnerability in NGINX, tracked as CVE-2026-9256 (dubbed nginx-poolslip), is forcing administrators into an emergency patch cycle. The flaw affects both NGINX Open Source (versions 0.1.17–1.30.1 and 1.31.0) and NGINX Plus (R32–R36 and 37.0.0), enabling remote, unauthenticated attackers to exploit it over plain HTTP.

The vulnerability resides in the ngx_http_rewrite_module, the same component targeted in the earlier "NGINX Rift" flaw (CVE-2026-42945). It occurs when a rewrite directive uses regex patterns with overlapping PCRE capture groups (e.g., `^/((.))$`) paired with replacement strings referencing multiple captures (e.g., `$1$2`). This triggers a heap buffer overflow (CWE-122) in the NGINX worker process, potentially leading to control-flow hijacking via manipulated memory pool cleanup handlers. Unlike the Rift bug, which exploited a buffer-size miscalculation, nginx-poolslip abuses a pointer "slip" across adjacent linked structures in the same memory pool, bypassing the previous patch.

Exploitation can result in denial-of-service (DoS) crashes or, in environments with disabled ASLR or bypassable protections, remote code execution (RCE). The flaw is rated High (8.1 CVSS v3.1) and Critical (9.2 CVSS v4.0).

### Affected Systems & Mitigations

The vulnerability impacts a vast footprint, including reverse proxies, API gateways, and Kubernetes ingress controllers. Fixed versions include:
- NGINX Open Source: Upgrade to 1.30.2 or 1.31.1.
- NGINX Plus: Update to R36 P5, R32 P7, or R37.0.1.1.

Downstream products such as NGINX Instance Manager, F5 WAF for NGINX, NGINX App Protect (WAF/DoS), NGINX Gateway Fabric, and NGINX Ingress Controller inherit the vulnerability but lack immediate fixes. The 0.x branch of NGINX Open Source will not receive patches.

As a temporary workaround, F5 recommends replacing unnamed regex captures with named captures (e.g., `rewrite (?<user_id>.*)` instead of `$1`). The flaw was discovered by Mufeed VH (Winfunc Research), Nebula Security, and Vexera AI, with proof-of-concept exploits already circulating. No control-plane exposure exists; the issue is confined to the data plane.
INCIDENT DETAILS
TYPE
Vulnerability Exploitation
IMPACT
Systems Affected: Reverse proxies, API gateways, Kubernetes ingress controllers
Operational Impact: Denial-of-service (DoS) crashes, potential remote code execution (RCE)
MAY 2026
733 Before Incident
Vulnerability
20 May 2026, NGINX
NGINX: Cyber Security News ®’s Post

Critical NGINX JavaScript Vulnerability (CVE-2026-8711) Enables Remote Code Execution

729 After Incident
CRITICAL -4
NGI1779279820
A newly disclosed vulnerability in NGINX JavaScript (njs), tracked as CVE-2026-8711, exposes systems to severe security risks, including denial-of-service (DoS) attacks and remote code execution (RCE). The flaw stems from a heap-based buffer overflow in the `ngx_http_js_module`, specifically in how the `js_fetch_proxy` directive processes client-controlled variables (e.g., `$http_host`, `$uri`, or `$args`) when combined with the `()` operation in NGINX JavaScript.

Unauthenticated attackers can exploit this vulnerability by sending crafted requests, potentially gaining control over the NGINX worker process. The issue affects configurations where `js_fetch_proxy` is enabled with user-supplied input, making it a critical concern for organizations relying on NGINX for web traffic management. No patch has been publicly disclosed at this time, leaving affected deployments vulnerable until mitigations are implemented.

The impact extends to environments where NGINX is used as a reverse proxy, load balancer, or web server, particularly in high-traffic or security-sensitive applications. Further details on exploitation conditions and affected versions are expected to emerge as security researchers analyze the flaw.
INCIDENT DETAILS
TYPE
Vulnerability
IMPACT
Systems Affected: NGINX deployments with js_fetch_proxy enabled using client-controlled variables
Operational Impact: Potential denial-of-service (DoS) or remote code execution (RCE)
MAY 2026
739 Before Incident
Vulnerability
14 May 2026, NGINX
NGINX: Cyber Security News ®’s Post

Critical 18-Year-Old NGINX Vulnerability Exposes Systems to Remote Code Execution

733 After Incident
CRITICAL -6
NGI1778747274
A severe heap buffer overflow vulnerability, tracked as CVE-2026-42945 (CVSS 9.2), has been disclosed in NGINX, one of the world’s most widely deployed web servers. The flaw, present in the ngx_http_rewrite_module since 2008, enables unauthenticated remote code execution (RCE) under specific configuration conditions.

The vulnerability arises when an unnamed PCRE capture (e.g., `$1`, `$2`) is used in a replacement string containing a `?`, followed immediately by another `rewrite`, `if`, or `set` directive. While the flaw is critical, exploitation requires an exact configuration match, limiting its immediate impact to affected deployments. Patches have been released in NGINX versions 1.30.1 and 1.31.0, with mitigation also possible by rewriting configurations to use named captures instead.

A proof-of-concept (PoC) exploit has been made public, increasing the urgency for organizations to assess and remediate their NGINX instances. The disclosure underscores the risks of long-standing vulnerabilities in foundational software, particularly as attackers refine exploitation techniques. Enterprises relying on NGINX are advised to verify their configurations and apply updates promptly.
INCIDENT DETAILS
TYPE
Vulnerability Exploitation
IMPACT
Systems Affected: NGINX web servers with specific configurations
Operational Impact: Potential remote code execution leading to system compromise
APRIL 2026
743 Before Incident
Vulnerability
16 Apr 2026, NGINX
Nginx UI and Organizations using Nginx UI: Nginx-ui Vulnerability Actively Exploited in Attack – Enables Full Server Takeover

Critical Nginx UI Vulnerability (CVE-2026-33032) Actively Exploited in the Wild

738 After Incident
CRITICAL -5
NGI1776335195
A severe authentication bypass flaw in Nginx UI, tracked as CVE-2026-33032 (CVSS 9.8), is under active exploitation, allowing unauthenticated attackers to seize control of affected Nginx web servers. Discovered by Pluto Security, the vulnerability stems from a missing authentication check in the application’s Model Context Protocol (MCP) integration.

The flaw affects the /mcp_message endpoint, which lacks authentication middleware entirely, while the /mcp endpoint enforces proper security controls. Compounding the issue, the IP whitelist mechanism defaults to a fail-open state: an empty whitelist permits all traffic, enabling attackers to send unauthenticated HTTP POST requests and execute administrative tools. With 2,689 publicly exposed Nginx UI instances identified via Shodan, the risk is widespread.

Exploitation grants attackers full control, including:
- Service takeover via configuration file modifications (e.g., nginx_config_add), triggering immediate server reloads.
- Traffic interception by redirecting requests to attacker-controlled endpoints to harvest credentials and session tokens.
- Credential harvesting through injected logging directives capturing admin authorization headers.
- Configuration exfiltration, exposing backend topologies and TLS certificate paths.
- Service disruption by forcing invalid configurations to crash Nginx.

A public proof-of-concept exploit is circulating, and active attacks have been confirmed by Pluto Security, VulnCheck (which added the flaw to its Known Exploited Vulnerabilities list), and Recorded Future’s Insikt Group. The release of exploit code on GitHub has lowered the barrier for low-skilled attackers.

The vulnerability was patched in Nginx UI version 2.3.4, which adds authentication to the /mcp_message endpoint. Temporary mitigations include disabling MCP or restricting the IP whitelist to trusted addresses. Organizations are advised to review logs and configurations for signs of compromise.
INCIDENT DETAILS
TYPE
Authentication Bypass
IMPACT
Data Compromised: Credentials, session tokens, backend topologies, TLS certificate paths
Systems Affected: Nginx web servers running Nginx UI with MCP integration
Downtime: Possible via forced invalid configurations
Operational Impact: Service takeover, traffic interception, service disruption
Identity Theft Risk: High (credential harvesting)
DATA BREACH
Credentials; Session tokens; Backend topologies; TLS certificate paths
Sensitivity Of Data: High
Data Exfiltration: Yes (configuration exfiltration)
Personally Identifiable Information: Possible (session tokens, credentials)
MARCH 2026
747 Before Incident
Vulnerability
05 Mar 2026, NGINX
Nginx: Patch now! Exploitation of Nginx UI vulnerability ‘imminent’, warns threat analyst

Critical Nginx UI Vulnerability (CVE-2026-27944) Under Active Exploitation

742 After Incident
CRITICAL -5
NGI1773116620
A newly disclosed critical vulnerability in Nginx’s user interface (CVE-2026-27944) is already being probed by threat actors, just days after its public release on 5 March. The flaw, rated 9.8 on the CVSS scale, affects versions of Nginx UI prior to 2.3.3 and stems from two key issues: missing authentication on the `api/backup` endpoint and encryption keys exposed in HTTP response headers.

Exploitation allows unauthenticated attackers to download and decrypt full server backups, potentially exposing credentials, configuration data, and encryption keys. A proof-of-concept exploit is already available, increasing the risk of widespread attacks.

Security researchers at watchTowr have detected active scanning targeting the vulnerable endpoint over the past four days, with attackers attempting to identify and compromise exposed systems. While the flaw impacts Nginx UI, not the core Nginx web server, its severity has prompted urgent warnings to patch immediately. The vulnerability highlights the risks of exposing management interfaces to the public internet, though affected organizations can mitigate the threat by upgrading to Nginx UI 2.3.3 or later.
INCIDENT DETAILS
TYPE
Vulnerability Exploitation
IMPACT
Data Compromised: Credentials, configuration data, encryption keys
Systems Affected: Nginx UI (versions prior to 2.3.3)
DATA BREACH
Type Of Data Compromised: Credentials, configuration data, encryption keys
Sensitivity Of Data: High
Data Exfiltration: Yes
Data Encryption: Yes (but keys exposed)
MARCH 2026
752 Before Incident
Vulnerability
01 Mar 2026, NGINX
nginx UI and Organizations using nginx UI: Critical nginx UI tool vulnerability opens web servers to full compromise

Critical Nginx UI Vulnerability Exploited for Over a Month, Exposing Web Servers to Full Compromise

747 After Incident
CRITICAL -5
NGI1776291864
A critical vulnerability (CVE-2025-55182, CVSS 9.8) in the open-source nginx UI web server configuration tool has been actively exploited by cybercriminals since March, security vendor Pluto Security revealed this week. The flaw, dubbed ‘MCPwn’, stems from an unauthenticated Model Context Protocol (MCP) endpoint introduced in late 2025 to facilitate AI model integration, allowing attackers to hijack nginx servers with a single API call.

Exploitation enables threat actors to intercept traffic, harvest admin credentials, maintain persistent access, and manipulate nginx configurations, including injecting malicious settings or disabling the service entirely. Pluto Security identified 2,689 vulnerable nginx UI instances exposed to the internet via Shodan, despite the tool’s relatively small user base compared to nginx’s global footprint.

The vulnerability mirrors risks seen during the API boom a decade ago, where rapid integration outpaced security controls. MCP endpoints, designed to bridge nginx and AI models, were implemented without authentication, creating a privileged attack surface. Pluto Security’s CEO warned that AI integration layers must be treated as part of the core attack surface, not an afterthought.

The flaw was first disclosed on the National Vulnerability Database (NVD) on March 30, coinciding with reports from VulnCheck and Recorded Future’s Insikt Group confirming active exploitation. While a patch (nginx UI 2.3.4) was released on March 15, organizations unable to update immediately can mitigate risks by disabling MCP or restricting access via IP whitelisting. Security teams are advised to review logs for unusual configuration changes.

Nginx UI, a dashboard for managing nginx servers without CLI access, has seen accelerated adoption of MCP tools to support AI agents, often without full risk assessments. The incident underscores how privileged integration layers can inadvertently expand attack surfaces when security is deprioritized.
INCIDENT DETAILS
TYPE
Vulnerability Exploitation
IMPACT
Data Compromised: Admin credentials, traffic interception
Systems Affected: nginx UI instances (2,689 exposed to the internet)
Operational Impact: Malicious configuration injection, service disruption
DATA BREACH
Type Of Data Compromised: Admin credentials, traffic data
Sensitivity Of Data: High (admin credentials, traffic interception)
FEBRUARY 2026
752 Before Incident
JANUARY 2026
753 Before Incident
Vulnerability
01 Jan 2026, NGINX
NGINX and Boato Panel: Threat actors hijack web traffic after exploiting React2Shell vulnerability: Report

Threat Actors Exploit React2Shell Vulnerability to Hijack NGINX Web Traffic

752 After Incident
CRITICAL -1
BOANGI1770244421
Researchers at Datadog Security Labs have uncovered a multi-stage, automated campaign where threat actors exploit the React2Shell vulnerability to compromise NGINX web servers, redirecting traffic for malicious purposes. The attacks primarily target organizations in Asia, particularly those with domains ending in .in, .id, .pe, .bd, .edu, .gov, and .th, as well as Chinese hosting infrastructure, often running Boato Panel for server management.

Once inside a network, attackers deploy toolkits containing scripts for target discovery, persistence, and malicious configuration file creation. These files manipulate NGINX’s routing rules to hijack web traffic, enabling activities such as:
- Fingerprinting organizational traffic
- Injecting malware into users’ devices
- Redirecting visitors to phishing pages to steal credentials

The shift toward NGINX exploitation reflects a broader trend: as defenses like MFA and password managers strengthen, attackers are reverting to infrastructure-level attacks, such as session cookie theft, to bypass modern security controls. Notably, two IP addresses now account for 56% of observed exploitation attempts, a sharp consolidation from over 1,000 unique sources earlier.

Defensive measures highlighted by researchers include:
- Monitoring NGINX configuration file integrity to detect unauthorized changes
- Applying the latest security patches, particularly for React and NGINX
- Locking down configuration files to prevent tampering

The attacks underscore the risks of unpatched vulnerabilities and poorly secured web infrastructure, with compromised sites facing reputational damage if flagged for hosting malware. The use of AI-driven exploitation tools further lowers the barrier for attackers, making server-side vulnerabilities a fast and cost-effective target.
INCIDENT DETAILS
TYPE
Web Traffic Hijacking
MOTIVATION
Credential theft; Malware distribution; Traffic redirection
IMPACT
Systems Affected: NGINX web servers
Operational Impact: Traffic hijacking, malware injection, phishing redirection
Brand Reputation Impact: Reputational damage if flagged for hosting malware
Identity Theft Risk: High (credential theft via phishing)
DATA BREACH
Type Of Data Compromised: Credentials (via phishing)
Sensitivity Of Data: High (personally identifiable information)
Personally Identifiable Information: Yes
DECEMBER 2025
753 Before Incident
NOVEMBER 2025
753 Before Incident
OCTOBER 2025
753 Before Incident
SEPTEMBER 2025
753 Before Incident
AUGUST 2025
753 Before Incident
JULY 2025
753 Before Incident
JANUARY 2020
753 Before Incident
Vulnerability
01 Jan 2020, NGINX
Microsoft, 7-Eleven, Cisco, NGINX and Broadcom: 7-Eleven - Security Affairs

Pwn2Own Berlin 2026 Highlights Major Exploits and Cyber Incidents

749 After Incident
CRITICAL -4
BROMIC7-ENGICIS1779164825
Pwn2Own Berlin 2026 Highlights Major Exploits as Zero-Days and Breaches Surge

The second and third days of Pwn2Own Berlin 2026 saw researchers earn $385,750 in bounties, pushing the event’s total payout to $1.298 million. Among the notable exploits, Microsoft Exchange Server was successfully compromised, contributing to the growing tally. DEVCORE was crowned "Master of Pwn" after demonstrating multiple high-impact vulnerabilities.

In parallel, Chaotic Eclipse disclosed MiniPlasma, a zero-day in Windows, suggesting an incomplete or overlooked security fix from 2020. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Microsoft Exchange Server flaw and a Cisco Catalyst SD-WAN vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, signaling active exploitation risks. A critical 18-year-old flaw (CVE-2026-42945) in NGINX, the world’s most widely deployed web server, was also uncovered, with experts warning of ongoing attacks.

Meanwhile, Grafana confirmed a GitHub token breach after a cybercrime group claimed responsibility, while ShinyHunters breached 7-Eleven, exposing franchisee data and Salesforce records. Additional incidents included:
- A public Amazon S3 bucket leaking sensitive guest data from Japanese hotel platform Tabiq.
- OpenAI suffering a supply chain attack via malicious TanStack packages.
- Broadcom releasing a security update for a VMware Fusion root access bug.
- The Ghostwriter group resuming cyberattacks on Ukrainian government targets.
- Researchers identifying YellowKey and GreenPlasma, two new Windows zero-days.
- A Linux Kernel bug (Fragnesia) enabling local root access attacks.
- Attackers exploiting a Funnel Builder vulnerability to inject e-skimmers into e-commerce stores.

The event underscored persistent threats across enterprise software, cloud services, and critical infrastructure, with zero-days and supply chain attacks remaining dominant vectors.
INCIDENT DETAILS
TYPE
Zero-day Exploit; Data Breach; Supply Chain Attack; Ransomware
MOTIVATION
Financial Gain; Cyber Espionage; Data Theft; Demonstration of Exploits
IMPACT
Financial Loss: $385,750 (bounties paid) + $1.298 million (total payout); GitHub tokens; Franchisee data; Salesforce records; Guest data (Tabiq); Personally Identifiable Information; Microsoft Exchange Server; Windows OS; NGINX; Cisco Catalyst SD-WAN; VMware Fusion; Grafana; 7-Eleven systems; OpenAI (via TanStack packages); E-commerce stores (via e-skimmers); Service Disruption; Unauthorized Access; Data Exfiltration; Grafana; 7-Eleven; OpenAI; Tabiq; High (PII exposed); High (e-skimmers injected)
DATA BREACH
GitHub Tokens; Franchisee Data; Salesforce Records; Guest Data; PII; High; Yes (ShinyHunters, Ghostwriter group); Yes

Frequently Asked Questions

What is the current A.I Rankiteo Cyber Score for NGINX?
What was NGINX's A.I Rankiteo Cyber Score in May 2026?
What was NGINX's A.I Rankiteo Cyber Score in April 2026?
What was NGINX's A.I Rankiteo Cyber Score in March 2026?
What was NGINX's A.I Rankiteo Cyber Score in February 2026?
What was NGINX's A.I Rankiteo Cyber Score in January 2026?
What was NGINX's A.I Rankiteo Cyber Score in December 2025?
What was NGINX's A.I Rankiteo Cyber Score in November 2025?
What was NGINX's A.I Rankiteo Cyber Score in October 2025?
What was NGINX's A.I Rankiteo Cyber Score in September 2025?
What was NGINX's A.I Rankiteo Cyber Score in August 2025?
What was NGINX's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on NGINX's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with NGINX?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view NGINX's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?