Critical bug in F5 NGINX actively exploited
By Steve Zurier
May 18, 2026

A critical CVSS v4.0 9.2 bug affecting F5’s NGINX Plus and NGINX Open Source was exploited in the wild. The flaw — CVE-2026-42945 — was described as a heap buffer overflow in the ngx_http_rewrite_module component that has lurked in NGINX code since 2008. VulnCheck security researcher Patrick Garrity first reported news of the active exploitation on LinkedIn on May 16.

Security pros were concerned about this flaw because NGINX runs in front of one-third of all websites worldwide and has been a trusted product for decades. NGINX was first released as an open source product in October 2004, and F5 officially completed its acquisition of NGINX in May 2019.

F5 released a patch for the flaw last week and pointed out that on systems with address space layout randomization (ASLR) disabled, remote code execution (RCE) is possible.

Sam Decker, threat intelligence engineer at Blackpoint Cyber, explained that organizations that may not fully understand the role of NGINX in modern infrastructure should think of it as the front door to nearly every modern web application. Decker said it's the software that receives incoming traffic and decides where to send it, acting as a web server, reverse proxy, load balancer, and API gateway all at once. That means when a user hits a website or calls an API, there's a good chance NGINX touches the request before it ever reaches the actual application behind it. Decker added that because it sits in that position, a vulnerability in it carries a lot more weight than a flaw in something buried deeper in the stack.

“From a defender's perspective, what stands out to us about this one is that NGINX tends to be infrastructure people trust and don't think about much,” said Decker. “It's been stable for a long time, so it often doesn't get the same scrutiny as other attack surfaces. When something like this hits, a lot of teams are starting from a place of limited visibility into what's actually happening at that layer, which makes an already tight patching timeline even harder to work with.”

Uzair Gadit, chief executive officer at Secure.com, said NGINX sits in front of every type of site, from Fortune 500s to small developer projects. Gadit said any server running an unpatched NGINX version with a rewrite directive in its configuration is potentially exposed to unauthenticated remote code execution from anywhere on the internet — a massive blast radius.

Gadit said organizations should upgrade to NGINX 1.31.0 (mainline) or 1.30.1 (stable) as soon as possible, and not wait for a scheduled maintenance window. If a full upgrade isn’t possible immediately, Gadit said teams should audit configuration files for the vulnerable pattern, specifically any combination of rewrite followed by set directives with the $args variable. Gadit said removing or restructuring that pattern blocks the trigger. Once patched, teams should scan access logs for likely indicators of exploit attempts, such as unusual rewrite traffic and repeated worker crashes. Public PoC code already exists, so opportunistic scanning will follow quickly.

“This augurs a coming wave of similarly critical discoveries: NGINX has a sound security track record and a reputation for a clean codebase,” said Gadit. “If a critical bug can hide there for 18 years, it’s safe to assume that any C-based infrastructure deserves a second look, regardless of whether it’s previously been audited. AI-assisted vuln discovery will keep surfacing these kinds of findings, and the next critical CVE within trusted infrastructure is likely just around the corner.”

James Wickett, chief executive officer of DryRun Security, said the NGINX flaw is a good example of how dangerous infrastructure logic bugs become once they’re operationalized in the wild. Wickett said this isn’t just about a vulnerable service sitting on the edge of the network; it’s about how modern environments increasingly rely on complex rewrite rules, proxy behavior, and request handling logic that most teams don’t fully model or validate from a security perspective.

“What makes issues like this especially concerning is that the vulnerable behavior often exists inside configurations that were generated, copied, or modified over time through automation, infrastructure-as-code, or AI-assisted workflows,” said Wickett. “Teams are moving faster than ever, but very few organizations have strong visibility into how these layered configurations behave under unexpected conditions.”

Robert Coles, senior manager of threat intelligence security at Black Duck, said that from a defensive standpoint, this reinforces the need to maintain strong baseline configurations — particularly ensuring that foundational controls like ASLR remain enabled — alongside disciplined and timely patch management as fixes are released. Coles said it also highlights the importance of continuous exposure management to maintain visibility into where vulnerable versions or risky configurations exist across the environment.

“Even when exploitation is not straightforward, the combination of broad footprint and active exploitation in the wild means organizations need to stay focused on hygiene, visibility, and prioritization to effectively reduce overall risk,” said Coles.
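The configuration audit Gadit recommends above can be scripted. The following Python scanner is an added example, not code from the article, from F5 or from NGINX; it assumes the pattern to flag is a rewrite directive followed, within the same block, by a set directive that references $args, and it runs against a constructed sample config rather than a real server's files.

```python
import re
from typing import List, Tuple

# Constructed sample nginx.conf: the /old location matches the pattern the
# article describes (rewrite, then set using $args); /api is clean.
SAMPLE_CONFIG = """
server {
    listen 80;
    location /old {
        rewrite ^/old/(.*)$ /new/$1 last;
        set $q $args;
    }
    location /api {
        proxy_pass http://backend;
    }
}
"""

DIRECTIVE_RE = re.compile(r'^(\S+)\s*(.*?);$')   # "name args;" on one line
ARGS_VAR_RE = re.compile(r'\$\{?args\b')          # $args or ${args}


def find_rewrite_then_set_args(config: str) -> List[Tuple[int, str]]:
    """Return (line_number, block_path) for every `set` directive that
    references $args and appears after a `rewrite` in the same block.
    Hypothetical heuristic: it tracks blocks by brace nesting only and
    does not parse include files or multi-line directives."""
    findings: List[Tuple[int, str]] = []
    stack: List[str] = []          # enclosing block names, outermost first
    seen_rewrite: List[bool] = []  # parallel to stack: rewrite seen in block?
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.endswith('{'):                # block opens: push a new scope
            stack.append(line[:-1].strip())
            seen_rewrite.append(False)
            continue
        if line == '}':                       # block closes: pop the scope
            if stack:
                stack.pop()
                seen_rewrite.pop()
            continue
        m = DIRECTIVE_RE.match(line)
        if not m or not stack:
            continue
        name, args = m.group(1), m.group(2)
        if name == 'rewrite':
            seen_rewrite[-1] = True
        elif name == 'set' and seen_rewrite[-1] and ARGS_VAR_RE.search(args):
            findings.append((lineno, ' > '.join(stack)))
    return findings
```

Run it over each file that nginx -T prints to get the same view of the merged configuration that the running server uses.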