GitHub’s Repositories Targeted by TeamPCP
securing Git repositories is no longer optional, it’s essential.
Continue ReadingIntrucept
Security Vulnerabilities in NGINX Causing DoS in RCE
NGINX rewrite module, is used to redirect or modify web requests.
The NGINX vulnerability known as CVE-2026-42945, is a programming mistake in the software where it writes or reads more data in memory than it should, causing a heap buffer overflow and is 18 year old, where in certain rewrite rules are configured in a vulnerable way.
This enables attackers to send specially crafted network requests that cause the NGINX server process to crash. Further attackers don’t need any authentication to send malformed requests to servers. The vulnerability was discovered with the help of AI models in recent months, missed by scanners and humans over the years.
The attack can be leveraged & Potential Impact
Nginx is one of the most popular web servers, powering almost one third of all websites on the internet, and is integrated into many commercial products as well.
- Crash or restart the NGINX server remotely
- Cause websites or applications to become unavailable
- Launch Denial-of-Service (DoS) attacks
In worst case if a Windows/Linux security protection called ASLR (Address Space Layout Randomization) is disabled:
- Attackers may be able to run malicious code on the server
- This could potentially lead to full server compromise
- Attackers require no authentication and can be performed remotely, while 5.7 million internet-facing NGINX servers may be exposed
- Exploitation is already happening in real-world attacks
- The vulnerable code has reportedly existed for nearly 18 years
| Vulnerability | Details |
|---|---|
| CVE ID | CVE-2026-42945 |
| Severity | High / Critical |
| Affected Product | NGINX OSS & NGINX Plus |
| Impact | DoS / Possible Remote Code Execution |
| Attack Requirement | Specially crafted web requests |
| Authentication Needed | No |
Researchers also found additional medium-severity vulnerabilities affecting:
- HTTP/3 QUIC module
- HTTP/2 proxy mode
- SSL module
- SCGI and uWSGI modules
- Charset handling module
These may cause:
- Memory exhaustion
- Data leakage
- Spoofing attacks
- Service instability
This causes a buffer overflow in the NGINX worker process, meaning the server tries to handle more data than expected in memory. As a result, the NGINX service crashes and restarts, causing a Denial-of-Service (DoS) condition.
Immediate Patching Recommendation
Upgrade to the latest patched NGINX versions immediately.
- Review and modify vulnerable rewrite rules.
- Restrict unnecessary internet exposure of NGINX servers.
- Monitor for unexpected NGINX crashes or restarts.
- Ensure ASLR and other OS-level security protections remain enabled.
The recently disclosed NGINX vulnerability (CVE-2026-42945) affecting the ngx_http_rewrite_module can allow unauthenticated attackers to remotely crash vulnerable servers and, in certain conditions, potentially execute malicious code.
How GaarudNode Helps Secure Against This Vulnerability
GaarudNode helps organizations proactively identify, prioritize, and remediate such vulnerabilities across the complete application and infrastructure lifecycle through its unified Shift-Left and Shift-Right security capabilities.
| Security Capability | How It Helps |
|---|---|
| Continuous OS & Infrastructure Vulnerability Scanning | Detects vulnerable NGINX OSS and NGINX Plus versions across servers, containers, and cloud workloads |
| Missing Patch Detection | Identifies systems missing critical NGINX security updates and tracks remediation status |
| Misconfiguration Assessment | Detects insecure rewrite rules and vulnerable NGINX configurations that may trigger the flaw |
| CSPM (Cloud Security Posture Management) | Identifies internet-exposed NGINX instances and insecure cloud deployments |
| Network Security Visibility | Detects externally exposed web services and risky attack surfaces |
| Runtime Monitoring (Shift Right) | Monitors abnormal NGINX crashes, unexpected restarts, and suspicious traffic patterns linked to exploitation attempts |
| Risk Prioritization | Correlates internet exposure, vulnerable configurations, and exploitability to prioritize remediation |
| Unified Risk Dashboard | Provides centralized visibility across applications, infrastructure, cloud, OS, and network risks |
Sources: NGINX: DoS vulnerability is being attacked | heise online
ZeroDay Vulnerability ‘MiniPlasma’ Grant’s Attackers SYSTEM privileges
A newly disclosed Windows zero-day vulnerability named ‘MiniPlasma’ allows attackers to gain SYSTEM-level privileges on fully patched Windows 11 systems.
- The vulnerability affects the Windows Cloud Files Mini Filter Driver (cldflt.sys), a core component used by cloud synchronization services such as Microsoft OneDrive.
- Researchers released a public proof-of-concept (PoC) exploit, increasing the risk of real-world exploitation by threat actors and ransomware groups.
- The flaw enables a normal user account to escalate privileges without requiring administrator access, making it highly dangerous in enterprise environments.
- The exploit reportedly abuses:
- Weak access validation
- Registry interactions
- Undocumented Windows APIs
- Logic flaws in the cloud synchronization subsystem
How enterprise will address the risk
Researchers claim the same underlying weakness still exists and remains exploitable.The vulnerability is still present in fully patched systems running the latest May 2026 updates. The original proof-of-concept code published by Forshaw worked without modification.
The flaw allows attackers with physical access to bypass BitLocker protections and gain unrestricted shell access to encrypted volumes through the Windows Recovery Environment (WinRE).
The attack is triggered by placing specially crafted files inside a specific directory on a USB drive or directly in the EFI partition.
The flaw is disturbing as the vulnerable component exists exclusively within the WinRE image, not in standard Windows installations, and an identical component appears in normal installations but without the triggering functionality.
Microsoft has not publicly addressed the claim and neither dedicated emergency patch or confirmed whether MiniPlasma represents a new vulnerability class .
Sources: Windows MiniPlasma Zero-Day Exposes SYSTEM Access Risk
Open Claw Vulnerabilities Reflect AI Agents Operate with High privilege
Open Claw Vulnerabilities Reflect How AI Agents Operate with High privilege
Continue Reading
‘Bleeding Llama’ Vulnerability in Ollama Expose Entire Process Memory
Ollama Deployments under attack
Continue Reading
Qualcomm Chipset Vulnerability Allows RCE
Multi-Component Qualcomm Vulnerabilities
Continue Reading
PAN-OS Firewall of PaloAlto Vulnerability Exploited for RCE
CVE 2026-0300 is a critical vulnerability with CVSS score of 9.3
PaloAlto Networks has issued strict advisory for its customers after an actively exploited zero-day vulnerability, affected its firewall operating system, PAN-OS. CVE 2026-0300 allows attackers to gain full control of affected systems without authentication.
The zero-day bug stems from a buffer overflow weakness, allowing unauthenticated attackers to execute arbitrary code with root privileges on Internet-exposed PA-Series and VM-Series firewalls via specially crafted packets.
Active Exploitation Observed in the Wild
Palo Alto Networks confirmed that exploitation attempts have already been observed in its advisory and urged its customers and organizations to mitigate exposure immediately.
What did the vulnerability affect:
- PAN-OS 10.2 below 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, 10.2.18-h6
- PAN-OS 11.1 below 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, 11.1.15
- PAN-OS 11.2 below 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, 11.2.12
- PAN-OS 12.1 below 12.1.4-h5, 12.1.7
Excluded from vulnerability are Prisma Access, Cloud Next-Generation Firewall (Cloud NGFW), and Panorama appliances are not impacted by this vulnerability.
PoC of CVE 2026-0300
PaloAlto published a PoC on May 6, showing how an unauthenticated request to the User-ID Authentication Portal can reliably trigger the buffer overflow and achieve root-level RCE on affected PAN-OS versions.
While the repository is framed as research code and includes legal disclaimers, it materially lowers the barrier to exploitation by validating exploit mechanics.
Palo Alto Networks has not shared details about who is behind the attacks and has not released indicators of compromise at the time of writing.
Patching & Remediation
Since security patches takes time, PaloAlto recommends reducing exposure is the most effective way to contain risk. Palo Alto Networks proactively alerted customers to the zero-day, a step that allowed defenders to take action on potentially exposed instances.
If the User-ID Authentication Portal is not required for business operations, Palo Alto Networks recommends disabling it entirely. Firewalls that do not have the Authentication Portal enabled are not affected by this vulnerability.
The company has stated that security fixes will be released in stages between May 13-28, depending on the PAN‑OS version in use.
In advance of these patches, Palo Alto released a Threat Prevention signature on May 5 for PAN-OS 11.1 and newer to help detect or block exploitation attempts. Applying this signature, where supported, provides interim protection but does not replace the need to reduce exposure and deploy patches once available.
For security teams, immediate focus should be on identifying PA-Series and VM-Series firewalls with the User-ID Authentication Portal enabled, confirming whether those services are reachable from untrusted networks, and scheduling timely deployment of Palo Alto’s fixes as they are released.
Monitoring unexpected firewall behavior or unplanned configuration changes provides additional awareness during the period of active exploitation.
A similar authentication bypass vulnerability (CVE-2025-0108) was discovered in Palo Alto Networks PAN-OS allows unauthenticated attackers with network access to bypass authentication on the management web interface on 20 feb 2025. https://intruceptlabs.com/2025/02/palo-alto-firewall-vulnerabilities-under-active-exploitation/
Firewall infrastructure attack increased in recent years so are the Stakes for Enterprise and Critical Infrastructure
Firewalls are the prime targets because if firewall can be controlled the entire network is in hands of hackers. In recent years, the frequency and success of exploits targeting firewall vulnerabilities have been alarmingly high. Threat actors take on management interfaces, login pages and authentication portals as most common targets for both opportunistic and targeted campaigns.
A successful compromise in the firewall can allow attackers to:
- Intercept entire network traffic
- Disable security protections
- Move laterally inside corporate networks
- Establish persistent backdoors
For stronger defense allow Intrucept to proactively test your defenses by identifying vulnerabilities fast. You can start the process to enhance your security posture and protect your digital assets from evolving threats.
Call us for a demo–https://intruceptlabs.com/contact/
Sources: https://fieldeffect.com/blog/palo-alto-firewall-zero-day-unauthenticated-root-access#:~:text=On%20May%205%2C%202026%2C%20Palo,systems%20accessible%20from%20untrusted%20networks.
Copy Fail Bug, A Critical Local Privilege Escalation in Linux Kernel Exploited in the wild
Copy Fail vulnerability in Kernel Linux
Continue Reading
Trellix Source Code Breach, Raise Incident Response Protocol Concern
Trellix Source Code Breach exposes vulnerabilites
Continue Reading
Recent Comments