NGINX Rewrite Module Flaw (CVE-2026-42945) Enables Unauthenticated RCE

The Hacker News reports a critical vulnerability, CVE-2026-42945, impacting NGINX Plus and NGINX Open, which remained undetected for 18 years. Discovered by depthfirst, this heap buffer overflow in the ngx_http_rewrite_module carries a CVSS v4 score of 9.2, indicating severe potential impact.

This flaw allows unauthenticated attackers to achieve remote code execution (RCE) or trigger a denial-of-service condition. Given NGINX’s pervasive use as a web server and reverse proxy, the implications are substantial. An RCE vulnerability of this nature in a widely deployed component like NGINX is a direct pathway into an organization’s network perimeter.

Attackers will undoubtedly prioritize exploiting this. The unauthenticated nature of the vulnerability means there is no barrier to entry beyond network reachability. Defenders should assume active exploitation is imminent, if not already underway, especially against internet-facing NGINX instances.

What This Means For You

  • If your organization uses NGINX Plus or NGINX Open, you need to identify all instances running the `ngx_http_rewrite_module`. Prioritize patching immediately. This isn't a theoretical threat; it's a critical RCE that bypasses authentication. Your internet-facing NGINX servers are prime targets. Verify your patching cadence and ensure this update is pushed out with urgency.
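One way to carry out the inventory step above, as an added example (not code from the article or from NGINX): it reads saved `nginx -V` and `nginx -T` output per host, checks whether the rewrite module was compiled out, and counts use of the module's directives. Host names, the version string and the sample configuration are constructed; directive use is an inventory signal only, since the article does not say which configurations are affected.

```python
import re
from collections import Counter

# Directives implemented by ngx_http_rewrite_module (nginx module reference).
REWRITE_DIRECTIVES = ("uninitialized_variable_warn", "rewrite_log", "rewrite",
                      "return", "break", "set", "if")
_DIRECTIVE = re.compile(
    r"(?:\A|(?<=[;{}]))\s*(" + "|".join(REWRITE_DIRECTIVES) + r")(?=[\s;(])")

def module_compiled_in(nginx_v):
    # Built by default; absent only if configured --without-http_rewrite_module.
    return "--without-http_rewrite_module" not in nginx_v

def reported_version(nginx_v):
    m = re.search(r"nginx version:\s*\S+?/(\S+)", nginx_v)
    return m.group(1) if m else None

def directives_used(conf_dump):
    # Simplification: '#' always starts a comment (a quoted '#' is not handled).
    text = re.sub(r"#[^\n]*", "", conf_dump)
    return dict(Counter(_DIRECTIVE.findall(text)))

def inventory(hosts):
    """hosts: {name: (nginx -V text, nginx -T text)}; module users sort first."""
    rows = []
    for name, (v_out, conf) in hosts.items():
        built = module_compiled_in(v_out)
        rows.append({"host": name, "version": reported_version(v_out),
                     "rewrite_module": built,
                     "directives": directives_used(conf) if built else {}})
    return sorted(rows, key=lambda r: (not r["rewrite_module"],
                                       -sum(r["directives"].values())))

# Constructed sample data: hypothetical hosts, placeholder version string.
_V = "nginx version: nginx/0.0.0-example\nconfigure arguments: "
SAMPLE_FLEET = {
    "static-01": (_V + "--without-http_rewrite_module\n",
                  "http { server { root /srv/www; } }\n"),
    "edge-01": (_V + "--with-http_ssl_module\n", """
http { server {
    set_real_ip_from 10.0.0.0/8;      # realip module, not counted
    proxy_set_header Host $host;      # proxy module, not counted
    if ($host = example.test) { return 301 https://example.test$request_uri; }
    location /old { rewrite ^/old/(.*)$ /new/$1 last; }
    # rewrite ^/disabled$ / last;
} }
"""),
}

if __name__ == "__main__":
    print(*inventory(SAMPLE_FLEET), sep="\n")
```

On a real host, `nginx -V` writes to stderr, so capture it with `nginx -V 2>&1`, and `nginx -T` needs permission to read the full configuration.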

Indicators of Compromise

| ID | Type | Indicator |
| --- | --- | --- |
| CVE-2026-42945 | RCE | NGINX Plus and NGINX Open affected by heap buffer overflow |
| CVE-2026-42945 | Buffer Overflow | ngx_http_rewrite_module vulnerable to heap buffer overflow |
| CVE-2026-42945 | RCE | Unauthenticated Remote Code Execution via ngx_http_rewrite_module |