Security Advisory

Security Vulnerability in NGINX Causing DoS and Possible RCE

The NGINX rewrite module is used to redirect or modify web requests.

The NGINX vulnerability known as CVE-2026-42945 is a heap buffer overflow: a programming mistake in the software where it writes or reads more data in memory than it should. The vulnerable code is 18 years old, and the flaw is reachable where certain rewrite rules are configured in a vulnerable way.

This enables attackers to send specially crafted network requests that cause the NGINX server process to crash. Furthermore, attackers do not need any authentication to send malformed requests to vulnerable servers. The vulnerability was discovered with the help of AI models in recent months, having been missed by scanners and humans over the years.

How the Attack Can Be Leveraged & Potential Impact

NGINX is one of the most popular web servers, powering almost one third of all websites on the internet, and is integrated into many commercial products as well. Exploiting this flaw allows an attacker to:

  • Crash or restart the NGINX server remotely
  • Cause websites or applications to become unavailable
  • Launch Denial-of-Service (DoS) attacks

In the worst case, if the Windows/Linux security protection called ASLR (Address Space Layout Randomization) is disabled:

  • Attackers may be able to run malicious code on the server
  • This could potentially lead to full server compromise
  • The attack requires no authentication and can be performed remotely; 5.7 million internet-facing NGINX servers may be exposed
  • Exploitation is already happening in real-world attacks
  • The vulnerable code has reportedly existed for nearly 18 years

Vulnerability Details

  CVE ID                  CVE-2026-42945
  Severity                High / Critical
  Affected Product        NGINX OSS & NGINX Plus
  Impact                  DoS / Possible Remote Code Execution
  Attack Requirement      Specially crafted web requests
  Authentication Needed   No

Researchers also found additional medium-severity vulnerabilities affecting:

  • HTTP/3 QUIC module
  • HTTP/2 proxy mode
  • SSL module
  • SCGI and uWSGI modules
  • Charset handling module

These may cause:

  • Memory exhaustion
  • Data leakage
  • Spoofing attacks
  • Service instability

Exploiting the rewrite flaw causes a heap buffer overflow in the NGINX worker process, meaning the process tries to handle more data than the memory it has allocated. As a result, the NGINX worker crashes and restarts, causing a Denial-of-Service (DoS) condition.

Immediate Patching Recommendation

Upgrade to the latest patched NGINX versions immediately.

  • Review and modify vulnerable rewrite rules.
  • Restrict unnecessary internet exposure of NGINX servers.
  • Monitor for unexpected NGINX crashes or restarts.
  • Ensure ASLR and other OS-level security protections remain enabled.
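As an added example (not from the advisory or from NGINX), the monitoring step above in Python: it parses NGINX error.log lines, keeps only worker-crash records ("worker process N exited on signal S"), and flags a burst of crashes inside a short window. The log lines are constructed for this example, and the threshold and window size are assumptions.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# NGINX error.log line layout: "YYYY/MM/DD HH:MM:SS [level] pid#tid: message"
_LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(\w+)\] \d+#\d+: (.*)$")
# Message NGINX's master process logs (at alert level) when a worker dies on a signal.
_CRASH_RE = re.compile(r"worker process (\d+) exited on signal (\d+)")

# Constructed sample log: three SIGSEGV worker exits within 30 s, one isolated later.
SAMPLE_LOG = """\
2026/05/07 10:15:30 [notice] 1200#1200: start worker processes
2026/05/07 10:15:32 [alert] 1200#1200: worker process 1201 exited on signal 11 (core dumped)
2026/05/07 10:15:32 [notice] 1200#1200: start worker process 1210
2026/05/07 10:15:45 [alert] 1200#1200: worker process 1210 exited on signal 11 (core dumped)
2026/05/07 10:15:46 [error] 1200#1200: *7 open() "/var/www/missing.html" failed (2: No such file or directory)
2026/05/07 10:16:01 [alert] 1200#1200: worker process 1222 exited on signal 11 (core dumped)
2026/05/07 10:40:00 [alert] 1200#1200: worker process 1300 exited on signal 11 (core dumped)
""".splitlines()


def parse_crashes(lines):
    """Yield (timestamp, worker_pid, signal) for worker-crash lines; skip everything else."""
    for line in lines:
        m = _LINE_RE.match(line)
        if not m:
            continue
        ts, level, msg = m.groups()
        crash = _CRASH_RE.search(msg)
        if crash and level == "alert":
            yield datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"), int(crash.group(1)), int(crash.group(2))


def crash_bursts(lines, threshold=3, window_seconds=60):
    """Return the timestamps at which `threshold` worker crashes fell inside one sliding window.

    Repeated worker exits on SIGSEGV (11) or SIGABRT (6) in a short window are the
    crash-and-restart pattern to investigate; a single crash is reported separately by the log.
    """
    recent, alerts = deque(), []
    for ts, _pid, _sig in parse_crashes(lines):
        recent.append(ts)
        while recent and ts - recent[0] > timedelta(seconds=window_seconds):
            recent.popleft()                      # drop crashes that fell out of the window
        if len(recent) == threshold:              # fire once per burst, when the bar is reached
            alerts.append(ts)
    return alerts
```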

The recently disclosed NGINX vulnerability (CVE-2026-42945) affecting the ngx_http_rewrite_module can allow unauthenticated attackers to remotely crash vulnerable servers and, in certain conditions, potentially execute malicious code.

How GaarudNode Helps Secure Against This Vulnerability

GaarudNode helps organizations proactively identify, prioritize, and remediate such vulnerabilities across the complete application and infrastructure lifecycle through its unified Shift-Left and Shift-Right security capabilities.

Security capability and how it helps:

  • Continuous OS & Infrastructure Vulnerability Scanning: Detects vulnerable NGINX OSS and NGINX Plus versions across servers, containers, and cloud workloads
  • Missing Patch Detection: Identifies systems missing critical NGINX security updates and tracks remediation status
  • Misconfiguration Assessment: Detects insecure rewrite rules and vulnerable NGINX configurations that may trigger the flaw
  • CSPM (Cloud Security Posture Management): Identifies internet-exposed NGINX instances and insecure cloud deployments
  • Network Security Visibility: Detects externally exposed web services and risky attack surfaces
  • Runtime Monitoring (Shift Right): Monitors abnormal NGINX crashes, unexpected restarts, and suspicious traffic patterns linked to exploitation attempts
  • Risk Prioritization: Correlates internet exposure, vulnerable configurations, and exploitability to prioritize remediation
  • Unified Risk Dashboard: Provides centralized visibility across applications, infrastructure, cloud, OS, and network risks

Sources: NGINX: DoS vulnerability is being attacked | heise online

Critical Vulnerability Affects Exim Mail Transfer Agent

Security updates have been released for the Exim Mail Transfer Agent (MTA), addressing multiple remotely triggerable critical vulnerabilities that allow RCE.

The flaw affects outdated Exim deployments. It is a use-after-free (UAF) flaw triggered during TLS shutdown while handling BDAT chunked SMTP traffic.

Exim is a widely used open-source mail transfer agent deployed across enterprise, ISP, academic, and government infrastructures for internet-connected Unix systems. CVE-2026-45185 was discovered and reported by XBOW researcher Federico Kirschbaum. It impacts Exim versions 4.97 through 4.99.2 on builds compiled with GnuTLS that have STARTTLS and CHUNKING advertised. OpenSSL-based builds are not affected.

The Exim Project has confirmed:

  • All versions prior to 4.99.3 are obsolete.
  • Legacy 3.x versions are more than 20 years outdated and should no longer be used.
  • Version 4.99.3 is the latest security release addressing remotely triggerable issues.

The vulnerability impacts some Exim versions before 4.99.3 that use the default GNU Transport Layer Security (GnuTLS) library for secure communication; OpenSSL-based builds are not affected.

There is a great deal of flexibility in the way mail can be routed, and there are extensive facilities for checking incoming mail. Exim can be installed in place of sendmail, although the configuration of Exim is quite different.

Vulnerability Exploitation

Attackers exploiting the vulnerability could execute commands on the server as well as access Exim data and emails, and potentially pivot further into the environment depending on server permissions and configuration.

Findings from XBOW research:

XBOW Native successfully produced a working exploit for a simplified target Exim server that had no Address Space Layout Randomization (ASLR) and a non-PIE (Position Independent Executable) binary.

In a second attempt, the LLM achieved an exploit on a machine with ASLR, but still a non-PIE binary.

“[…] instead of continuing to attack glibc’s allocator with off-the-shelf mechanisms, XBOW Native had taken on Exim’s own allocator,” XBOW researchers say.

Despite this surprising result, it was the human researcher who won the race, with assistance from the LLM for tasks such as assembling files and testing exploitation avenues.

Threat actors commonly target internet-facing mail transfer agents due to their direct exposure to external networks and critical role in enterprise communication infrastructure.

Threat Context

  Security Area           Details
  Product                 Exim Mail Transfer Agent (MTA)
  Current Secure Version  4.99.3
  Affected Versions       All versions prior to 4.99.3
  Legacy Risk             Exim 3.x releases are obsolete
  Attack Surface          Internet-facing SMTP services
  Potential Impact        Remote exploitation, mail service compromise, unauthorized access

Indicators of Concern (IoCs / Risk Indicators)

  • Network Activity: unusual SMTP connections (suspicious external mail interactions)
  • Service Behaviour: unexpected Exim crashes/restarts (possible exploitation attempts)
  • Log Activity: unauthorized mail relay events (potential abuse of mail routing)
  • Authentication: unknown SMTP authentication attempts (credential abuse indicators)
  • System Activity: unexpected child process execution (possible remote code execution attempts)

Mitigations

  • Upgrade all Exim installations to version 4.99.3 immediately.
  • Identify and decommission obsolete Exim 3.x deployments.
  • Restrict unnecessary external exposure of SMTP services.
  • Audit mail server configurations and relay permissions.

Users of Ubuntu and Debian-based Linux distributions should apply the available Exim updates (v4.99.3) through their package managers.

Sources: Exim Remote Code Execution Vulnerability

Sources: New critical Exim mailer flaw allows remote code execution

Palo Alto PAN-OS Firewall Vulnerability Exploited for RCE

CVE-2026-0300 is a critical vulnerability with a CVSS score of 9.3.

Palo Alto Networks has issued an urgent advisory to its customers after an actively exploited zero-day vulnerability was found in its firewall operating system, PAN-OS. CVE-2026-0300 allows attackers to gain full control of affected systems without authentication.

The zero-day bug stems from a buffer overflow weakness, allowing unauthenticated attackers to execute arbitrary code with root privileges on Internet-exposed PA-Series and VM-Series firewalls via specially crafted packets.

Active Exploitation Observed in the Wild

Palo Alto Networks confirmed that exploitation attempts have already been observed in its advisory and urged its customers and organizations to mitigate exposure immediately.

Affected versions:

  • PAN-OS 10.2 below 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, 10.2.18-h6
  • PAN-OS 11.1 below 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, 11.1.15
  • PAN-OS 11.2 below 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, 11.2.12
  • PAN-OS 12.1 below 12.1.4-h5, 12.1.7
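As an added example (not from the advisory or from Palo Alto Networks), a small Python triage helper that applies the fixed-version list above to an inventory of firewall versions. It assumes the conservative reading that a maintenance release with no fix listed is affected unless it is at or above a listed plain (non-hotfix) release on the same line; the hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Optional, Tuple

# Fixed releases exactly as listed in the advisory; anything "below" them is affected.
FIXED_VERSIONS = {
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15"],
    "11.2": ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    "12.1": ["12.1.4-h5", "12.1.7"],
}

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.maint[-hN]' into (major, minor, maint, hotfix); no hotfix is 0."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)

def is_vulnerable(version: str) -> Optional[bool]:
    """True = affected, False = fixed, None = release line not covered by the advisory.

    Assumption (conservative): a maintenance release with no fix listed is treated as
    affected unless it is at or above a listed plain (non-hotfix) fix on the same line,
    e.g. 11.1.15 is read as fixing 11.1.15 and every later 11.1.x release.
    """
    major, minor, maint, hotfix = parse_version(version)
    line = f"{major}.{minor}"
    if line not in FIXED_VERSIONS:
        return None
    for fixed in FIXED_VERSIONS[line]:
        _, _, f_maint, f_hotfix = parse_version(fixed)
        if f_hotfix == 0 and maint >= f_maint:       # plain release fixes the line onward
            return False
        if maint == f_maint and hotfix >= f_hotfix:  # hotfix on the same maintenance release
            return False
    return True

# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = [("fw-edge-01", "10.2.7-h33"), ("fw-edge-02", "10.2.7-h34"),
                    ("fw-dc-01", "11.1.16-h2"), ("fw-lab-01", "12.1.6"), ("fw-old-01", "10.1.14")]

def triage(inventory):
    """Map each host to 'VULNERABLE', 'fixed' or 'unlisted' so the list can be sorted for patching."""
    labels = {True: "VULNERABLE", False: "fixed", None: "unlisted"}
    return {host: labels[is_vulnerable(ver)] for host, ver in inventory}
```

Hosts reported as "unlisted" run a release line the advisory does not name and should be checked against the vendor advisory directly rather than assumed safe.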

Prisma Access, Cloud Next-Generation Firewall (Cloud NGFW), and Panorama appliances are not impacted by this vulnerability.

PoC of CVE-2026-0300

Palo Alto published a PoC on May 6, showing how an unauthenticated request to the User-ID Authentication Portal can reliably trigger the buffer overflow and achieve root-level RCE on affected PAN-OS versions.

While the repository is framed as research code and includes legal disclaimers, it materially lowers the barrier to exploitation by validating exploit mechanics.

Palo Alto Networks has not shared details about who is behind the attacks and has not released indicators of compromise at the time of writing.

Patching & Remediation

Since security patches take time, Palo Alto recommends reducing exposure as the most effective way to contain risk. Palo Alto Networks proactively alerted customers to the zero-day, a step that allowed defenders to take action on potentially exposed instances.

If the User-ID Authentication Portal is not required for business operations, Palo Alto Networks recommends disabling it entirely. Firewalls that do not have the Authentication Portal enabled are not affected by this vulnerability.

The company has stated that security fixes will be released in stages between May 13-28, depending on the PAN‑OS version in use.

In advance of these patches, Palo Alto released a Threat Prevention signature on May 5 for PAN-OS 11.1 and newer to help detect or block exploitation attempts. Applying this signature, where supported, provides interim protection but does not replace the need to reduce exposure and deploy patches once available.

For security teams, immediate focus should be on identifying PA-Series and VM-Series firewalls with the User-ID Authentication Portal enabled, confirming whether those services are reachable from untrusted networks, and scheduling timely deployment of Palo Alto’s fixes as they are released.

Monitoring unexpected firewall behavior or unplanned configuration changes provides additional awareness during the period of active exploitation.

A similar authentication bypass vulnerability (CVE-2025-0108), disclosed on 20 Feb 2025, was discovered in Palo Alto Networks PAN-OS; it allows unauthenticated attackers with network access to bypass authentication on the management web interface. https://intruceptlabs.com/2025/02/palo-alto-firewall-vulnerabilities-under-active-exploitation/

Firewall Infrastructure Attacks Have Increased in Recent Years, and So Have the Stakes for Enterprise and Critical Infrastructure

Firewalls are prime targets because if a firewall can be controlled, the entire network is in the hands of the attackers. In recent years, the frequency and success of exploits targeting firewall vulnerabilities have been alarmingly high. Threat actors most commonly target management interfaces, login pages and authentication portals, in both opportunistic and targeted campaigns.

A successful compromise in the firewall can allow attackers to:

  • Intercept entire network traffic
  • Disable security protections
  • Move laterally inside corporate networks
  • Establish persistent backdoors

For stronger defense, allow Intrucept to proactively test your defenses by identifying vulnerabilities fast. You can start the process to enhance your security posture and protect your digital assets from evolving threats.

Call us for a demo: https://intruceptlabs.com/contact/

Sources: https://fieldeffect.com/blog/palo-alto-firewall-zero-day-unauthenticated-root-access#:~:text=On%20May%205%2C%202026%2C%20Palo,systems%20accessible%20from%20untrusted%20networks.

Sources: https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-actively-exploited-firewall-zero-day

Critical Vulnerability in cPanel & WHM; Patch Now

Critical vulnerability in cPanel and WHM that allows attackers to bypass authentication and gain root access to servers
