PoC Code Published for Critical NGINX and Ingress-NGINX Vulnerabilities (CVE-2026-42945 & CVE-2025-1974): Remote Code Execution Risk for Web Servers and Kubernetes Clusters

Executive Summary

Recent public disclosures have identified two critical vulnerabilities affecting NGINX and Ingress-NGINX: CVE-2026-42945 and CVE-2025-1974. Both vulnerabilities are now accompanied by publicly available proof-of-concept (PoC) exploit code, significantly increasing the risk of exploitation. These flaws enable unauthenticated remote code execution (RCE) and unsafe configuration injection, threatening millions of web servers and Kubernetes clusters globally. Active exploitation has been observed in the wild, and organizations are urged to take immediate remediation steps to protect their infrastructure.

Technical Information

The first vulnerability, CVE-2026-42945, impacts the core of NGINX. It is a buffer overflow in the ngx_http_rewrite_module, which can be triggered by a malicious configuration. Specifically, the vulnerability arises when a rewrite directive is followed by another rewrite, if, or set directive, and an unnamed PCRE capture (such as $1 or $2) is used in a replacement string containing a question mark (?). This flaw affects NGINX versions 0.6.27 through 1.30.0. While the vendor rates the severity as medium, practical exploitation can lead to remote code execution, especially on systems where Address Space Layout Randomization (ASLR) is disabled. The vulnerability is addressed in versions 1.31.0 and 1.30.1. The official advisory and technical details are available at the NGINX Security Advisories, and a working PoC is published at DepthFirstDisclosures/Nginx-Rift.
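A defensive configuration audit for the CVE-2026-42945 trigger pattern described above, added here as an example (it is not code from the advisory or from the Nginx-Rift repository). It uses a heuristic tokenizer rather than a full nginx parser and a constructed sample config; hits identify rewrite blocks to review and patch, not confirmed exploitability.

```python
import re

# Constructed sample (not from the advisory): /old matches the trigger pattern,
# /safe does not (first replacement has no '?', second rewrite ends the block).
SAMPLE_CONFIG = """
server {
    location /old {
        rewrite ^/old/(.*)$ /new?item=$1 last;
        set $done 1;
    }
    location /safe {
        rewrite ^/a/(.*)$ /b/$1 last;
        rewrite ^/c/(.*)$ /d?q=$1;
    }
}
"""

# Heuristic tokenizer, not a full nginx parser: ';' ends a directive, '{' '}' delimit
# blocks, '#' starts a comment, quoted strings stay whole.
_TOKEN_RE = re.compile(r'#[^\n]*|[{};]|"[^"]*"|\'[^\']*\'|[^\s{};"\']+')

def _statements(config):
    """Yield (directive, args) in source order; '{' and '}' appear as markers."""
    current = []
    for tok in _TOKEN_RE.findall(config):
        if tok.startswith('#'):
            continue
        if tok in ('{', '}', ';'):
            if current:
                yield current[0], current[1:]
                current = []
            if tok != ';':
                yield tok, []
        else:
            current.append(tok)
    if current:
        yield current[0], current[1:]

def find_risky_rewrites(config):
    """Return replacements of rewrite directives that fit the advisory's trigger:
    unnamed capture ($1, $2, ...) plus '?' in the replacement, and rewrite/if/set
    as the next directive in the same block. Hits are review candidates."""
    stmts = list(_statements(config))
    hits = []
    for i, (directive, args) in enumerate(stmts):
        if directive != 'rewrite' or len(args) < 2:
            continue
        replacement = args[1].strip('"\'')
        if re.search(r'\$\d', replacement) and '?' in replacement:
            if i + 1 < len(stmts) and stmts[i + 1][0] in ('rewrite', 'if', 'set'):
                hits.append(replacement)
    return hits
```

Run it over the output of `nginx -T` to cover included files as well as the main config.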

The second vulnerability, CVE-2025-1974, affects the Ingress-NGINX controller for Kubernetes. This is a critical unsafe configuration injection vulnerability (CVSS 9.8) that allows unauthenticated remote code execution via the Validating Admission Controller. Any workload on the pod network can exploit this flaw without credentials by injecting arbitrary NGINX directives through annotations such as configuration-snippet. This can result in arbitrary code execution within the ingress controller pod and, in certain configurations, escalate to a full cluster compromise. The vulnerability affects all Ingress-NGINX controller versions prior to v1.12.1 and v1.11.5, and is fixed in those versions. The PoC exploit is available at IngressNightmare-RCE-POC.

Both vulnerabilities are highly impactful due to the ubiquity of NGINX as a web server and reverse proxy, and the widespread use of Ingress-NGINX in Kubernetes environments. The attack surface is broad, encompassing internet-facing web servers and internal Kubernetes workloads. The technical exploitation of these vulnerabilities leverages configuration injection and buffer overflow techniques, which are well-understood and easily automated by attackers.

Exploitation in the Wild

There is clear evidence of exploitation attempts in the wild for both vulnerabilities. SecurityWeek and GBHackers have reported that PoC code for both CVE-2026-42945 and CVE-2025-1974 is publicly available and being actively used by threat actors. Community discussions on Reddit confirm that scanning and exploitation attempts against unpatched NGINX servers are ongoing. Attackers are leveraging automated tools to identify vulnerable instances and deploy malicious configurations or payloads.

For CVE-2025-1974, the attack surface is particularly concerning in Kubernetes environments, as any pod with network access to the Validating Admission Controller can exploit the flaw without authentication. This enables lateral movement and privilege escalation within clusters. For CVE-2026-42945, internet-facing NGINX servers with vulnerable rewrite configurations are being targeted, with attackers attempting to trigger the buffer overflow and achieve code execution or denial of service.

APT Groups using this vulnerability

As of this advisory, there is no public attribution of these vulnerabilities to specific Advanced Persistent Threat (APT) groups. However, the combination of public PoC code, ease of exploitation, and the critical nature of the affected infrastructure makes these vulnerabilities highly attractive to both opportunistic cybercriminals and sophisticated threat actors. The technical characteristics of these flaws align with tactics observed in APT campaigns, such as exploiting public-facing applications (MITRE ATT&CK T1190), leveraging command and scripting interpreters for RCE (T1059), and exploiting remote services for lateral movement (T1210). Organizations should anticipate that APT groups may incorporate these exploits into their toolkits in the near future.

Affected Product Versions

The affected products and versions are as follows. For CVE-2026-42945, all versions of NGINX from 0.6.27 through 1.30.0 are vulnerable, including all corresponding versions of NGINX Plus based on these releases. Versions 1.31.0 and 1.30.1 are not vulnerable. For CVE-2025-1974, all versions of the Ingress-NGINX controller prior to v1.12.1 and v1.11.5 are affected. Versions v1.12.1 and v1.11.5 and above are not vulnerable. Organizations should review their deployments to determine exposure and prioritize upgrades accordingly.

Workaround and Mitigation

Immediate mitigation steps are critical to reduce risk. Organizations should upgrade NGINX to version 1.31.0 or 1.30.1 to address CVE-2026-42945. For Kubernetes environments, upgrade the Ingress-NGINX controller to v1.12.1 or v1.11.5 to remediate CVE-2025-1974. In addition to patching, disable risky annotations such as configuration-snippet and server-snippet in Ingress-NGINX configurations. Restrict network access to the Validating Admission Webhook to trusted workloads only, and apply strict Role-Based Access Control (RBAC) policies to prevent unauthorized ingress creation or modification. Monitor for unusual configuration changes, unexpected processes running as the NGINX user, and suspicious annotations or Lua code in ingress controller pods. Proactive monitoring and incident response readiness are essential given the active exploitation landscape.
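Two checks a cluster operator can run against the mitigation list above, written here as an added example rather than code from the advisory or the Ingress-NGINX project. The version test encodes only the fixed releases this advisory names (treating later minor versions as fixed is an assumption), and the annotation scan flags Ingress objects carrying configuration-snippet or server-snippet in a constructed `kubectl get ingress -A -o json` excerpt.

```python
import json
import re

# Fixed releases named in the advisory: v1.11.5 and v1.12.1. Anything below those on
# its branch, or any older minor, is treated as affected; 1.13+ is assumed fixed.
FIXED_PATCH = {(1, 11): 5, (1, 12): 1}
SNIPPET_KEYS = ('configuration-snippet', 'server-snippet')

# Constructed `kubectl get ingress -A -o json` excerpt (not real cluster data).
SAMPLE_INGRESSES = json.loads("""{"items": [
  {"metadata": {"namespace": "shop", "name": "web", "annotations": {
     "nginx.ingress.kubernetes.io/configuration-snippet": "add_header X-Demo on;"}}},
  {"metadata": {"namespace": "shop", "name": "api", "annotations": {
     "nginx.ingress.kubernetes.io/rewrite-target": "/"}}},
  {"metadata": {"namespace": "infra", "name": "plain"}}
]}""")

def parse_version(tag):
    """'v1.11.4' -> (1, 11, 4); missing components default to 0."""
    parts = [int(p) for p in re.findall(r'\d+', tag)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def controller_affected(tag):
    """True if an Ingress-NGINX controller image tag predates the fixed releases."""
    major, minor, patch = parse_version(tag)
    if (major, minor) < (1, 11):
        return True
    fixed = FIXED_PATCH.get((major, minor))
    return fixed is not None and patch < fixed

def snippet_annotations(ingress_list):
    """Return (namespace, name, key) for every Ingress carrying a snippet
    annotation, which the advisory recommends disabling."""
    hits = []
    for item in ingress_list.get('items', []):
        meta = item.get('metadata', {})
        for key in (meta.get('annotations') or {}):
            if key.endswith(SNIPPET_KEYS):
                hits.append((meta.get('namespace'), meta.get('name'), key))
    return hits

if __name__ == '__main__':
    print('controller v1.11.4 affected:', controller_affected('v1.11.4'))
    for ns, name, key in snippet_annotations(SAMPLE_INGRESSES):
        print(f'{ns}/{name} uses {key}; remove or migrate it before disabling snippets')
```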

References

NGINX Security Advisories: https://nginx.org/en/security_advisories.html

DepthFirstDisclosures/Nginx-Rift PoC: https://github.com/DepthFirstDisclosures/Nginx-Rift

IngressNightmare-RCE-POC: https://github.com/dttuss/IngressNightmare-RCE-POC

SecurityWeek: https://www.securityweek.com/poc-code-published-for-critical-nginx-vulnerability/

GBHackers: https://gbhackers.com/poc-released-for-18-year-old-nginx-flaw/

Reddit: https://www.reddit.com/r/tech_x/comments/1tcup05/ai_just_found_an_18yearold_nginx_critical_remote/

MITRE ATT&CK TTPs: T1190, T1059, T1210

Rescana is here for you

Rescana empowers organizations to manage third-party risk and supply chain security with our advanced TPRM platform. Our solution provides continuous monitoring, automated risk assessments, and actionable intelligence to help you stay ahead of emerging threats. While this advisory focuses on the latest NGINX vulnerabilities, our platform is designed to help you identify, assess, and mitigate risks across your entire digital ecosystem. For any questions or to discuss your organization’s exposure, we are happy to assist at ops@rescana.com.