Intrucept

Cybersecurity News Security Advisory

Security Vulnerabilities in NGINX Causing DoS in RCE

NGINX rewrite module, is used to redirect or modify web requests.

The NGINX vulnerability known as CVE-2026-42945, is a programming mistake in the software where it writes or reads more data in memory than it should, causing a heap buffer overflow and is 18 year old, where in certain rewrite rules are configured in a vulnerable way.

This enables attackers to send specially crafted network requests that cause the NGINX server process to crash. Further attackers don’t need any authentication to send malformed requests to servers. The vulnerability was discovered with the help of AI models in recent months, missed by scanners and humans over the years.

The attack can be leveraged & Potential Impact

Nginx is one of the most popular web servers, powering almost one third of all websites on the internet, and is integrated into many commercial products as well. 

  • Crash or restart the NGINX server remotely
  • Cause websites or applications to become unavailable
  • Launch Denial-of-Service (DoS) attacks

In worst case if a Windows/Linux security protection called ASLR (Address Space Layout Randomization) is disabled:

  • Attackers may be able to run malicious code on the server
  • This could potentially lead to full server compromise
  • Attackers require no authentication and can be performed remotely, while 5.7 million internet-facing NGINX servers may be exposed
  • Exploitation is already happening in real-world attacks
  • The vulnerable code has reportedly existed for nearly 18 years
VulnerabilityDetails
CVE IDCVE-2026-42945
SeverityHigh / Critical
Affected ProductNGINX OSS & NGINX Plus
ImpactDoS / Possible Remote Code Execution
Attack RequirementSpecially crafted web requests
Authentication NeededNo

Researchers also found additional medium-severity vulnerabilities affecting:

  • HTTP/3 QUIC module
  • HTTP/2 proxy mode
  • SSL module
  • SCGI and uWSGI modules
  • Charset handling module

These may cause:

  • Memory exhaustion
  • Data leakage
  • Spoofing attacks
  • Service instability

This causes a buffer overflow in the NGINX worker process, meaning the server tries to handle more data than expected in memory. As a result, the NGINX service crashes and restarts, causing a Denial-of-Service (DoS) condition.

Immediate Patching Recommendation

Upgrade to the latest patched NGINX versions immediately.

  • Review and modify vulnerable rewrite rules.
  • Restrict unnecessary internet exposure of NGINX servers.
  • Monitor for unexpected NGINX crashes or restarts.
  • Ensure ASLR and other OS-level security protections remain enabled.

The recently disclosed NGINX vulnerability (CVE-2026-42945) affecting the ngx_http_rewrite_module can allow unauthenticated attackers to remotely crash vulnerable servers and, in certain conditions, potentially execute malicious code.

How GaarudNode Helps Secure Against This Vulnerability

GaarudNode helps organizations proactively identify, prioritize, and remediate such vulnerabilities across the complete application and infrastructure lifecycle through its unified Shift-Left and Shift-Right security capabilities.

Security CapabilityHow It Helps
Continuous OS & Infrastructure Vulnerability ScanningDetects vulnerable NGINX OSS and NGINX Plus versions across servers, containers, and cloud workloads
Missing Patch DetectionIdentifies systems missing critical NGINX security updates and tracks remediation status
Misconfiguration AssessmentDetects insecure rewrite rules and vulnerable NGINX configurations that may trigger the flaw
CSPM (Cloud Security Posture Management)Identifies internet-exposed NGINX instances and insecure cloud deployments
Network Security VisibilityDetects externally exposed web services and risky attack surfaces
Runtime Monitoring (Shift Right)Monitors abnormal NGINX crashes, unexpected restarts, and suspicious traffic patterns linked to exploitation attempts
Risk PrioritizationCorrelates internet exposure, vulnerable configurations, and exploitability to prioritize remediation
Unified Risk DashboardProvides centralized visibility across applications, infrastructure, cloud, OS, and network risks

Sources: NGINX: DoS vulnerability is being attacked | heise online

Cybersecurity News

ZeroDay Vulnerability ‘MiniPlasma’ Grant’s Attackers SYSTEM privileges

A newly disclosed Windows zero-day vulnerability named ‘MiniPlasma’ allows attackers to gain SYSTEM-level privileges on fully patched Windows 11 systems.

  • The vulnerability affects the Windows Cloud Files Mini Filter Driver (cldflt.sys), a core component used by cloud synchronization services such as Microsoft OneDrive.
  • Researchers released a public proof-of-concept (PoC) exploit, increasing the risk of real-world exploitation by threat actors and ransomware groups.
  • The flaw enables a normal user account to escalate privileges without requiring administrator access, making it highly dangerous in enterprise environments.

  • The exploit reportedly abuses:
    • Weak access validation
    • Registry interactions
    • Undocumented Windows APIs
    • Logic flaws in the cloud synchronization subsystem

How enterprise will address the risk

Researchers claim the same underlying weakness still exists and remains exploitable.The vulnerability is still present in fully patched systems running the latest May 2026 updates. The original proof-of-concept code published by Forshaw worked without modification.

The flaw allows attackers with physical access to bypass BitLocker protections and gain unrestricted shell access to encrypted volumes through the Windows Recovery Environment (WinRE).

The attack is triggered by placing specially crafted files inside a specific directory on a USB drive or directly in the EFI partition.

The flaw is disturbing as the vulnerable component exists exclusively within the WinRE image, not in standard Windows installations, and an identical component appears in normal installations but without the triggering functionality.

Microsoft has not publicly addressed the claim and neither dedicated emergency patch or confirmed whether MiniPlasma represents a new vulnerability class .

Sources: Windows MiniPlasma Zero-Day Exposes SYSTEM Access Risk

Blogs

AI-Generated Coding Tools Are Not Free of Errors

AI coding

Continue Reading
Security Advisory

Open Claw Vulnerabilities Reflect AI Agents Operate with High privilege

Open Claw Vulnerabilities Reflect How AI Agents Operate with High privilege

Continue Reading
Security Advisory

‘Bleeding Llama’ Vulnerability in Ollama Expose Entire Process Memory

Ollama Deployments under attack

Continue Reading
Cybersecurity News Security Advisory

Qualcomm Chipset Vulnerability Allows RCE

Multi-Component Qualcomm Vulnerabilities

Continue Reading
Security Advisory

PAN-OS Firewall of PaloAlto Vulnerability Exploited for RCE

CVE 2026-0300 is a critical vulnerability with CVSS score of 9.3

PaloAlto Networks has issued strict advisory for its customers after an actively exploited zero-day vulnerability, affected its firewall operating system, PAN-OS. CVE 2026-0300 allows attackers to gain full control of affected systems without authentication.

The zero-day bug stems from a buffer overflow weakness, allowing unauthenticated attackers to execute arbitrary code with root privileges on Internet-exposed PA-Series and VM-Series firewalls via specially crafted packets.

Active Exploitation Observed in the Wild

Palo Alto Networks confirmed that exploitation attempts have already been observed in its advisory and urged its customers and organizations to mitigate exposure immediately.

What did the vulnerability affect:

  • PAN-OS 10.2 below 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, 10.2.18-h6
  • PAN-OS 11.1 below 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, 11.1.15
  • PAN-OS 11.2 below 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, 11.2.12
  • PAN-OS 12.1 below 12.1.4-h5, 12.1.7

Excluded from vulnerability are Prisma Access, Cloud Next-Generation Firewall (Cloud NGFW), and Panorama appliances are not impacted by this vulnerability.

PoC of CVE 2026-0300

PaloAlto published a PoC on May 6, showing how an unauthenticated request to the User-ID Authentication Portal can reliably trigger the buffer overflow and achieve root-level RCE on affected PAN-OS versions.

While the repository is framed as research code and includes legal disclaimers, it materially lowers the barrier to exploitation by validating exploit mechanics.

Palo Alto Networks has not shared details about who is behind the attacks and has not released indicators of compromise at the time of writing.

Patching & Remediation

Since security patches takes time, PaloAlto recommends reducing exposure is the most effective way to contain risk. Palo Alto Networks proactively alerted customers to the zero-day, a step that allowed defenders to take action on potentially exposed instances. 

If the User-ID Authentication Portal is not required for business operations, Palo Alto Networks recommends disabling it entirely. Firewalls that do not have the Authentication Portal enabled are not affected by this vulnerability.

The company has stated that security fixes will be released in stages between May 13-28, depending on the PAN‑OS version in use.

In advance of these patches, Palo Alto released a Threat Prevention signature on May 5 for PAN-OS 11.1 and newer to help detect or block exploitation attempts. Applying this signature, where supported, provides interim protection but does not replace the need to reduce exposure and deploy patches once available.

For security teams, immediate focus should be on identifying PA-Series and VM-Series firewalls with the User-ID Authentication Portal enabled, confirming whether those services are reachable from untrusted networks, and scheduling timely deployment of Palo Alto’s fixes as they are released.

Monitoring unexpected firewall behavior or unplanned configuration changes provides additional awareness during the period of active exploitation.

A similar authentication bypass vulnerability (CVE-2025-0108) was discovered in Palo Alto Networks PAN-OS allows unauthenticated attackers with network access to bypass authentication on the management web interface on 20 feb 2025. https://intruceptlabs.com/2025/02/palo-alto-firewall-vulnerabilities-under-active-exploitation/

Firewall infrastructure attack increased in recent years so are the Stakes for Enterprise and Critical Infrastructure

Firewalls are the prime targets because if firewall can be controlled the entire network is in hands of hackers. In recent years, the frequency and success of exploits targeting firewall vulnerabilities have been alarmingly high. Threat actors take on management interfaces, login pages and authentication portals as most common targets for both opportunistic and targeted campaigns.

A successful compromise in the firewall can allow attackers to:

  • Intercept entire network traffic
  • Disable security protections
  • Move laterally inside corporate networks
  • Establish persistent backdoors

For stronger defense allow Intrucept to proactively test your defenses by identifying vulnerabilities fast. You can start the process to enhance your security posture and protect your digital assets from evolving threats.

Call us for a demohttps://intruceptlabs.com/contact/

Sources: https://fieldeffect.com/blog/palo-alto-firewall-zero-day-unauthenticated-root-access#:~:text=On%20May%205%2C%202026%2C%20Palo,systems%20accessible%20from%20untrusted%20networks.

Sources: https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-actively-exploited-firewall-zero-day

Cybersecurity News Security Advisory

Copy Fail Bug, A Critical Local Privilege Escalation in Linux Kernel Exploited in the wild

Copy Fail vulnerability in Kernel Linux

Continue Reading
Blogs Cybersecurity News

Trellix Source Code Breach, Raise Incident Response Protocol Concern

Trellix Source Code Breach exposes vulnerabilites

Continue Reading
Cybersecurity News Security Advisory

SAP npm Packages Targeted with Malware ‘Supply Chain Risk’-Patch Now

Supply chain attack

Continue Reading
Scroll to top