NGINX rewrite module, is used to redirect or modify web requests.
The NGINX vulnerability known as CVE-2026-42945, is a programming mistake in the software where it writes or reads more data in memory than it should, causing a heap buffer overflow and is 18 year old, where in certain rewrite rules are configured in a vulnerable way.
This enables attackers to send specially crafted network requests that cause the NGINX server process to crash. Further attackers don’t need any authentication to send malformed requests to servers. The vulnerability was discovered with the help of AI models in recent months, missed by scanners and humans over the years.
The attack can be leveraged & Potential Impact
Nginx is one of the most popular web servers, powering almost one third of all websites on the internet, and is integrated into many commercial products as well.
Crash or restart the NGINX server remotely
Cause websites or applications to become unavailable
Launch Denial-of-Service (DoS) attacks
In worst case if a Windows/Linux security protection called ASLR (Address Space Layout Randomization) is disabled:
Attackers may be able to run malicious code on the server
This could potentially lead to full server compromise
Attackers require no authentication and can be performed remotely, while 5.7 million internet-facing NGINX servers may be exposed
Exploitation is already happening in real-world attacks
The vulnerable code has reportedly existed for nearly 18 years
Vulnerability
Details
CVE ID
CVE-2026-42945
Severity
High / Critical
Affected Product
NGINX OSS & NGINX Plus
Impact
DoS / Possible Remote Code Execution
Attack Requirement
Specially crafted web requests
Authentication Needed
No
Researchers also found additional medium-severity vulnerabilities affecting:
HTTP/3 QUIC module
HTTP/2 proxy mode
SSL module
SCGI and uWSGI modules
Charset handling module
These may cause:
Memory exhaustion
Data leakage
Spoofing attacks
Service instability
This causes a buffer overflow in the NGINX worker process, meaning the server tries to handle more data than expected in memory. As a result, the NGINX service crashes and restarts, causing a Denial-of-Service (DoS) condition.
Immediate Patching Recommendation
Upgrade to the latest patched NGINX versions immediately.
Review and modify vulnerable rewrite rules.
Restrict unnecessary internet exposure of NGINX servers.
Monitor for unexpected NGINX crashes or restarts.
Ensure ASLR and other OS-level security protections remain enabled.
The recently disclosed NGINX vulnerability (CVE-2026-42945) affecting the ngx_http_rewrite_module can allow unauthenticated attackers to remotely crash vulnerable servers and, in certain conditions, potentially execute malicious code.
How GaarudNode Helps Secure Against This Vulnerability
GaarudNode helps organizations proactively identify, prioritize, and remediate such vulnerabilities across the complete application and infrastructure lifecycle through its unified Shift-Left and Shift-Right security capabilities.
Security Capability
How It Helps
Continuous OS & Infrastructure Vulnerability Scanning
Detects vulnerable NGINX OSS and NGINX Plus versions across servers, containers, and cloud workloads
Missing Patch Detection
Identifies systems missing critical NGINX security updates and tracks remediation status
Misconfiguration Assessment
Detects insecure rewrite rules and vulnerable NGINX configurations that may trigger the flaw
CSPM (Cloud Security Posture Management)
Identifies internet-exposed NGINX instances and insecure cloud deployments
Network Security Visibility
Detects externally exposed web services and risky attack surfaces
Runtime Monitoring (Shift Right)
Monitors abnormal NGINX crashes, unexpected restarts, and suspicious traffic patterns linked to exploitation attempts
Risk Prioritization
Correlates internet exposure, vulnerable configurations, and exploitability to prioritize remediation
Unified Risk Dashboard
Provides centralized visibility across applications, infrastructure, cloud, OS, and network risks
A newly disclosed Windows zero-day vulnerability named ‘MiniPlasma’ allows attackers to gain SYSTEM-level privileges on fully patched Windows 11 systems.
The vulnerability affects the Windows Cloud Files Mini Filter Driver (cldflt.sys), a core component used by cloud synchronization services such as Microsoft OneDrive.
Researchers released a public proof-of-concept (PoC) exploit, increasing the risk of real-world exploitation by threat actors and ransomware groups.
The flaw enables a normal user account to escalate privileges without requiring administrator access, making it highly dangerous in enterprise environments.
The exploit reportedly abuses:
Weak access validation
Registry interactions
Undocumented Windows APIs
Logic flaws in the cloud synchronization subsystem
How enterprise will address the risk
Researchers claim the same underlying weakness still exists and remains exploitable.The vulnerability is still present in fully patched systems running the latest May 2026 updates. The original proof-of-concept code published by Forshaw worked without modification.
The flaw allows attackers with physical access to bypass BitLocker protections and gain unrestricted shell access to encrypted volumes through the Windows Recovery Environment (WinRE).
The attack is triggered by placing specially crafted files inside a specific directory on a USB drive or directly in the EFI partition.
The flaw is disturbing as the vulnerable component exists exclusively within the WinRE image, not in standard Windows installations, and an identical component appears in normal installations but without the triggering functionality.
Microsoft has not publicly addressed the claim and neither dedicated emergency patch or confirmed whether MiniPlasma represents a new vulnerability class .
Google Threat Intelligence Group (GTIG) has tracked and found how attackers have models pose as security researchers or firmware experts to perform analyses on embedded systems and protocols. The zeroday exploit set to target popular open-source web administration tool, generated using AI. Observations revealed hackers are deploying agentic tools to partially automate research and exploit validation.
This shifts AI from a passive assistant to a system that independently executes parts of offensive workflows.
Theis report provide insights derived from Mandiant incident response engagements, Gemini and GTIG’s proactive research. The highlights aim at the threat environment where AI serves dual purpose. On one hand to disrupt advance cyber threats from hackers and other AI tools acting as high value agents for cyber attacks.
Here are key highlights of the threat research:
Vulnerability Discovery and Exploit Generation: For the first time, GTIG has identified a threat actor using a zero-day exploit that we believe was developed with AI. The criminal threat actor planned to use it in a mass exploitation event but our proactive counter discovery may have prevented its use.
AI-Augmented Development for Defense Evasion: AI-driven coding has accelerated the development of infrastructure suites and polymorphic malware by adversaries. These AI-enabled development cycles facilitate defense evasion by enabling the creation of obfuscation networks and the integration of AI-generated decoy logic in malware that google have linked to suspected Russia-nexus threat actors.
Autonomous Malware Operations: AI-enabled malware, such as PROMPTSPY, signal a shift toward autonomous attack orchestration, where models interpret system states to dynamically generate commands and manipulate victim environments. Analysis of this malware revealed previously unreported capabilities and use cases for its integration with AI.
AI-Augmented Research and IO: Adversaries continue to leverage AI as a high speed research assistant for attack lifecycle support, while shifting toward agentic workflows to operationalize autonomous attack frameworks.
Obfuscated LLM Access: Threat actors now pursue anonymized, premium tier access to models through professionalized middleware and automated registration pipelines to illicitly bypass usage limits. This infrastructure enables large scale misuse of services while subsidizing operations through trial abuse and programmatic account cycling.
Supply Chain Attacks: Adversaries like “TeamPCP” (aka UNC6780) have begun targeting AI environments and software dependencies as an initial access vector. These supply chain attacks result in multiple types of machine learning (ML)-focused risks outlined in the Secure AI Framework (SAIF) taxonomy, namely Insecure Integrated Component (IIC) and Rogue Actions (RA).
Hackers leveraging AI for vulnerability development and Zeroday exploitation
Cybercriminal groups are increasingly leveraging AI to support vulnerability discovery and exploit development.
Google Researchers observed threat actors planning large-scale exploitation campaigns using AI-assisted techniques.
A zero-day vulnerability was identified in a Python script capable of bypassing Two-Factor Authentication (2FA) in a popular open-source web administration tool. The exploit required valid user credentials but bypassed 2FA due to a hardcoded trust assumption within the application logic. Analysis suggests the vulnerability discovery and exploit development were likely assisted by an AI model due to:
Structured and highly “textbook” Python coding style
Excessive educational docstrings
Hallucinated CVSS scoring
LLM-like formatting patterns and helper classes
Unlike traditional vulnerabilities such as memory corruption or input validation flaws, this issue was a high-level semantic logic flaw difficult for conventional scanners to detect. Frontier AI models are becoming increasingly capable of:
Understanding developer intent
Identifying hardcoded security assumptions
Detecting hidden logic inconsistencies
Surfacing vulnerabilities missed by static analysis and fuzzing tools
The incident highlights the growing risk of AI-assisted zero-day discovery and exploitation by threat actors and as AI use datasets containing historical vulnerabilities to help models better reason about security flaws.
“For the first time, GTIG has identified a threat actor using a zero-day exploit that we believe was developed with AI,” GTIG researchers say.
What can be the consequences specifically at a time when new AI models unlike Anthropic’s Mythos, which were announced last month and appear to be good at finding such holes that Anthropic shared.
Rob Joyce, the former cybersecurity director of the National Security Agency, said that it can be difficult to know whether a human or machine wrote computer code, adding that, “A.I.-authored code does not announce itself.”
The Zeroday Defect
The report’s main findings involves a zero-day exploit that GTIG assessed was likely developed with AI assistance.
The vulnerability affected a popular open-source, web-based system administration tool and allowed two-factor authentication to be bypassed, although valid user credentials were still required.
The zero-day flaw was detected by the Google Threat Intelligence Group within the past few months and was exploited by “prominent cybercrime threat actors” in a script of the Python programming language.
Allow hackers to bypass two-factor authentication on “a popular open-source, web-based system administration tool,” though the hackers also would have needed access to valid credentials like user names and passwords to be successful, the company said.
Malware Evasion Techniques via AI
Hackers are also leveraging malware evasion techniques and sandbox evasions and other tricks to stay out of sight. As defenders increasingly rely on AI to accelerate and improve threat detection, a subtle but alarming new contest has emerged between attackers and defenders.
GTIG identified several malware families or tools with LLM-enabled obfuscation features, including PROMPTFLUX, HONESTCUE, CANFAIL, and LONGSTREAM.
Here is an example:
In June 2025, a malware sample was anonymously uploaded to VirusTotal from the Netherlands. At first glance, it looked incomplete. Some parts of the code weren’t fully functional, and it printed system information that would usually be exfiltrated to an external server.
The sample contained several sandbox evasion techniques and included an embedded TOR client, but otherwise resembled a test run, a specialized component or an early-stage experiment. What stood out, however, was a string embedded in the code that appeared to be written for an AI, not a human. It was crafted with the intention of influencing automated, AI-driven analysis, not to deceive a human looking at the code.
The malware includes a hardcoded C++ string, visible in the code snippet below:
In-memory prompt injection.
Hackers can leverage these emerging AI Evasion techniques to bypass AI-powered security systems by manipulating how Large Language Models (LLMs) interpret, analyze, and classify malicious content or activity.
How Attackers May Use AI Evasion Techniques
Prompt Injection Attacks Attackers craft malicious inputs that manipulate AI models into ignoring security rules, revealing sensitive information, or executing unintended actions.
Bypassing AI-Based Detection Threat actors can design malware, phishing emails, or malicious scripts in ways that appear legitimate to AI-powered detection systems.
Manipulating Context & Intent AI systems rely heavily on context and language interpretation. Attackers may exploit ambiguous wording, hidden instructions, or layered prompts to confuse AI defenses.
Generating Adaptive Malware AI-generated malware can dynamically modify behavior, code structure, or communication patterns to evade traditional and AI-driven security tools.
Automating Social Engineering AI can help create highly convincing phishing messages, fake identities, and impersonation attempts that are harder for AI-based defenses to detect.
Conclusion: AI is significantly strengthening cybersecurity defenses.
Security teams are leveraging AI for real-time threat detection, behavioral analytics, automated incident response, vulnerability management, and proactive risk assessment. While attackers currently benefit from AI-driven automation and exploitation capabilities, defenders are expected to gain a stronger long-term advantage as AI evolves into a core component of secure software development, proactive cyber defense, and intelligent security operations.
NIST’s NVD program aimed to analyze all CVEs to add details — such as severity scores and product lists that mostly assisted cybersecurity professionals prioritize and mitigate vulnerabilities.
Summary: Microsoft released its April 2026 Patch Tuesday addressing 165 security vulnerabilities across Windows, Office, SharePoint, Microsoft Defender, .NET Framework, Azure, SQL Server and other components.
The April release brings in relevant update and significant accessibility improvements, display and hardware enhancements, and several quality-of-life additions across Settings and File Explorer.
The first of the two zero-days is CVE-2026-32201, a spoofing vulnerability leading to cross-site scripting (XSS) in Microsoft SharePoint Server.The issue stems from an input validation failure that lets an attacker inject malicious scripts through improperly sanisised input fields.
Elevation of privilege (EoP) vulnerabilities accounted for 57.1% of the vulnerabilities patched this month, followed by information disclosure vulnerabilities and remote code execution (RCE) vulnerabilities at 12.3% each.
OEM
Microsoft
Severity
Critical
Date of Announcement
2026-04-14
No. of Vulnerability
165
Actively Exploited
Yes
Exploited in Wild
Yes
Advisory Version
1.0
Overview
This is the second-largest Patch Tuesday release in Microsoft’s history. The update includes two zero-day vulnerabilities one actively exploited in the wild (SharePoint spoofing) and one publicly disclosed (Microsoft Defender privilege escalation linked to the BlueHammer exploit).
Here are the CVE addresses for Microsoft April 2026:
165 Microsoft CVEs
82 Non Microsoft CVEs
Breakdown of April 2026 Vulnerabilities
93 Elevation of Privilege (EoP)
20 Remote Code Execution
21 Information Disclosure
10 Denial of Service (DoS)
9 Spoofing
13 Security Feature Bypass
Vulnerability Name
CVE ID
Product Affected
Severity
CVSS Score
Windows Internet Key Exchange (IKE) Service Extensions RCE
CVE-2026-33824
Windows IKE Service
Critical
9.8
Windows TCP/IP Remote Code Execution (Wormable via IPv6)
CVE-2026-33827
Windows TCP/IP Stack
Critical
9.8
Windows Active DirectoryRemote Code Execution
CVE-2026-33826
Windows Active Directory
Critical
9.1
Remote Desktop Client Remote Code Execution
CVE-2026-32157
Remote Desktop Client
High
8.8
Microsoft Office Remote Code Execution (Preview Pane)
CVE-2026-32190
Microsoft Office
High
8.4
Microsoft Word Remote Code Execution (Preview Pane)
CVE-2026-33114
Microsoft Word
High
8.4
Microsoft Word Remote Code Execution (Preview Pane)
CVE-2026-33115
Microsoft Word
High
8.4
Technical Summary
This month’s Patch Tuesday is largely driven by Elevation of Privilege vulnerabilities, which make up a significant portion of the fixes and can be leveraged by attackers after initial access to escalate privileges and move laterally.
The release also includes several critical remote code execution issues in core Windows components. Notably, vulnerabilities such as those affecting the Windows IKE service and TCP/IP stack demonstrate the risk of unauthenticated or low-interaction exploitation, particularly in network-exposed scenarios. Other issues in Office, Word, and Remote Desktop highlight continued risk from user-driven attack vectors such as malicious documents and crafted connection files.
The update also addresses zero-day vulnerabilities, including one actively exploited and another publicly disclosed prior to patching, increasing the urgency for remediation.
Key vulnerabilities in this cycle show a mix of attack paths from preview pane-based document exploitation to wormable network flaws and Active Directory-based code execution through authenticated access.
This combination of network-level and user-interaction-based risks, along with the volume of privilege escalation issues, makes this a high-priority update cycle. Organizations should prioritize testing and deployment to reduce exposure across both endpoint and infrastructure layers.
CVE ID
System Affected
Vulnerability Details
Impact
CVE-2026-33824
Windows IKE Service Extensions
Unauthenticated attacker can send crafted UDP packets to IKEv2-enabled systems (UDP 500/4500), achieving full remote code execution with no prior access required
Remote Code Execution
CVE-2026-32190
Microsoft Office
Exploitation via preview pane allows execution of malicious payload without explicit user interaction beyond viewing file
Remote Code Execution
CVE-2026-33114 / 33115
Microsoft Word
Malicious document processed via preview triggers RCE; commonly used in phishing delivery chains
Remote Code Execution
CVE-2026-32157
Remote Desktop Client
RCE triggered when user connects using a crafted RDP file; attack surface includes lateral movement scenarios
Remote Code Execution
CVE-2026-33827
Windows TCP/IP Stack
Race condition in IPv6/IPsec stack enables unauthenticated wormable RCE across enterprise networks
Remote Code Execution
CVE-2026-33826
Windows Active Directory
Authenticated attacker executes code via crafted RPC calls within domain; high likelihood of privilege chaining
Remote Code Execution
Key Affected Products and Services
April 2026 updates address vulnerabilities across:
Windows Core Components
Kernel, TCP/IP stack, Active Directory, IKE Service, BitLocker, NTFS, SMB, and Remote Desktop components are impacted, including critical RCE and privilege escalation vulnerabilities.
Microsoft Office Suite
Word, Excel, and PowerPoint are affected by multiple remote code execution vulnerabilities, including cases exploitable through the preview pane.
SharePoint & Collaboration
SharePoint Server (2016, 2019, Subscription Edition) is impacted, including an actively exploited zero-day vulnerability requiring immediate attention.
Microsoft Defender
A publicly disclosed elevation of privilege vulnerability is addressed through updates to the Antimalware Platform.
.NET Framework & Developer Tools
.NET and related developer components, including Visual Studio, are affected by denial of service and privilege escalation vulnerabilities.
Azure & Cloud Services
Azure components such as Logic Apps and monitoring agents include vulnerabilities related to information disclosure and privilege escalation.
SQL Server
Multiple vulnerabilities affecting SQL Server components, including privilege escalation and remote code execution risks, are addressed.
Remediation:
Apply April 2026 security updates on all Windows systems as a priority
Here are some recommendations
Prioritize patching internet-facing and critical services, particularly SharePoint and core Windows components.
Ensure Microsoft Defender and other security components are updated to the latest platform versions.
Review network exposure and apply temporary mitigations where patching may be delayed.
Monitor for suspicious activity, especially related to privilege escalation, remote code execution, and authentication anomalies.
Validate that systems are aligned with ongoing platform security updates, including Secure Boot-related changes.
Conclusion: April 2026 Patch Tuesday addresses a significant number of vulnerabilities across Windows and related Microsoft products, including an actively exploited issue, multiple critical remote code execution flaws, and a high volume of privilege escalation vulnerabilities. Given the breadth of affected components and the potential for attack chaining, organizations should prioritize timely testing and deployment of updates, especially for critical and externally exposed systems.
Recent Comments