
HARDENED
Cybersecurity Intelligence
Daily Briefing  ·  Friday, May 15, 2026  ·  hardened.news
The signal. Not the noise. For teams that defend.
Lead Story
CVSS 9.2 Critical — Public PoC Available · No Confirmed ITW Exploitation
Enterprise · Cloud+DevOps · IT Ops
NGINX Rift: An Autonomous AI Found an 18-Year-Old Heap Overflow in NGINX’s Rewrite Module — CVE-2026-42945 Now Has a Public PoC
A crafted HTTP request hitting a rewrite directive that combines unnamed PCRE captures with a question mark in the replacement — followed by a second rewrite, if, or set directive — corrupts the worker-process heap; reliable DoS on hardened systems, RCE where ASLR is disabled. F5 patched May 13.

CVE-2026-42945, dubbed NGINX Rift, is a heap buffer overflow in NGINX’s rewrite module present in every version since 0.6.27 — an 18-year exposure with a CVSS v4 score of 9.2 Critical (F5 and most press; nginx.org’s own advisory rates it “medium”) patched on May 13. The flaw was discovered by depthfirst, an autonomous AI-driven vulnerability analysis system; the public PoC and CVE credit go to Zhenpeng (Leo) Lin of depthfirst. No in-the-wild exploitation has been confirmed at time of writing, but the PoC was on GitHub by the day of disclosure, lowering the bar significantly. The trigger is a rewrite directive combining unnamed PCRE captures ($1, $2) with a question mark in the replacement string, followed by a second rewrite, if, or set directive — a pattern common in production NGINX configurations. NVD → The Hacker News →

Affected: NGINX Open Source 0.6.27–1.30.0; NGINX Plus R32–R36. Fix: NGINX Open Source 1.30.1 or 1.31.0; NGINX Plus R32 P6 or R36 P4, or upgrade to R37 (a new major release under F5’s LTS/CR model, not a patch level). If patching must wait, swap unnamed PCRE captures for named captures in rewrite directives to close the vulnerable code path. Scope extends past public servers — any internal reverse proxy or load balancer is reachable from a compromised host on the same network segment.

→ Key Takeaway
Apply F5’s May 13 NGINX security update to all NGINX and NGINX Plus deployments immediately — a working public PoC is circulating. If patching is delayed, replace unnamed PCRE captures ($1, $2) with named captures in rewrite directives as an interim mitigation; this closes the vulnerable code path without disabling rewrite functionality. Ask your team for a current inventory of NGINX versions across your environment — internal reverse proxies and load balancers included — and confirm patching is complete before the weekend.

HARDENED does not endorse or recommend specific vendors. Tools are listed for awareness only.
Quick Hits
01
Google Disrupts First AI-Assisted Zero-Day in the Wild — Attackers Likely Used AI to Develop a 2FA Bypass, Planned for Mass Exploitation

Google’s Threat Intelligence Group confirmed on May 11 that it disrupted a planned mass exploitation campaign in which an unnamed threat actor likely used an AI model to develop a functional zero-day bypassing two-factor authentication in a popular open-source web administration tool (GTIG attribution based on machine-generated code hallmarks: over-pedagogical docstrings, hallucinated CVSS score, characteristic Python structure). The flaw requires valid credentials to chain with — it bypasses the 2FA step after credential compromise rather than functioning as a standalone unauthenticated bypass. Google states this is the first zero-day GTIG identifies as developed with AI assistance, intended for a mass exploitation campaign that was disrupted before deployment. The targeted tool and attacker group remain undisclosed; ask your security team whether web-based administration interfaces in your environment are internet-exposed and whether those systems’ 2FA implementations have been audited recently. Google Cloud Blog →

Intel — AI-Assisted Exploit · First Confirmed
Enterprise · Cloud+DevOps
02
Nitrogen Ransomware Confirms Foxconn North American Breach — Intel, Apple, Google, Dell, Nvidia Named in 8TB Claim; Apple Files Absent from Published Sample

Nitrogen ransomware operators confirmed a breach of Foxconn manufacturing facilities in Wisconsin and Texas this week, claiming 8TB and 11 million files including confidential project documentation; Foxconn confirmed the attack, which forced some employees to fall back to pen and paper and sent others home until network access was restored. Nitrogen names Intel, Apple, Google, Dell, and Nvidia in its claimed haul — but Apple-related materials do not appear in Nitrogen’s published sample files, and the affected Mount Pleasant facility primarily produces televisions and data servers, making Apple device data unlikely per 9to5Mac and AppleInsider. For organizations with Foxconn in their supplier base, request confirmation that the affected North American facilities are not part of your component supply chain and verify that any shared portal or network access has not been affected. The Register →

High — Ransomware · Supply Chain
Enterprise
CVE Watch
CVE-2026-20182 (Cisco Catalyst SD-WAN): CVSS 10.0 Auth Bypass Gives Unauthenticated Attackers Admin Access to the Controller, Then NETCONF Access to the WAN Fabric — CISA KEV May 14

CVE-2026-20182 is a CVSS 10.0 authentication bypass in the Cisco Catalyst SD-WAN Controller’s vdaemon service, reachable over DTLS on UDP port 12346 — an unauthenticated remote attacker can bypass authentication and gain administrative access to the controller as a high-privileged internal account, then leverage NETCONF (SSH on TCP/830) to manipulate configuration across the SD-WAN fabric. Cisco Talos clusters active exploitation with high confidence under UAT-8616, the same threat actor behind active CVE-2026-20127 exploitation since at least 2023; CVE-2026-20182 was found in the same vdaemon code during Rapid7’s CVE-2026-20127 investigation. Cisco PSIRT confirmed limited in-the-wild exploitation in the official advisory.

CISA added CVE-2026-20182 to the Known Exploited Vulnerabilities catalog on May 14, reflecting confirmed in-the-wild exploitation, and issued Emergency Directive 26-03 the same day mandating remediation across Federal Civilian Executive Branch agencies by May 17 — a 72-hour window that signals the urgency CISA assigns to this flaw and a useful benchmark for organizations outside the FCEB.

There are no workarounds — upgrading to a fixed software release is the only remediation path. Restrict access to UDP port 12346 to trusted SD-WAN fabric peers only — this port must remain reachable to controllers and edge devices in the overlay, so a blanket management-network restriction would break legitimate traffic. Cisco Advisory → The Hacker News →

Vendor: Cisco  ·  CVE: CVE-2026-20182  ·  CVSS: 10.0 Critical  ·  Affected: Cisco Catalyst SD-WAN Controller (vSmart) & SD-WAN Manager (vManage)  ·  Fix: Upgrade to fixed release (see Cisco advisory)  ·  Exploitation: Confirmed — UAT-8616 (Cisco Talos), CISA KEV May 14 · CISA ED 26-03 (May 17 deadline)
Compliance Tip of the Day
NIST CSF 2.0 — DE.CM-01 — Detect: Continuous Monitoring
Web Server Access Logs Are Your Earliest Warning for NGINX Rift — Only If They Leave the Host First

NGINX Rift exploitation arrives as a single crafted HTTP request — indistinguishable from routine traffic without log analysis, and invisible if access logs remain on a host that an attacker has compromised. NIST DE.CM-01 requires that networks and network services are monitored to find potentially adverse events; for web servers, reverse proxies, and load balancers, that obligation is met only when access logs are streaming to a SIEM in real time.

Concrete action (DE.CM-01): Confirm that all NGINX, Apache, and web-facing proxy instances are forwarding access logs to your SIEM with a retention window appropriate to your detection and investigation timelines (we recommend at least 90 days) — the CVE-2026-42945 exploitation pattern leaves a characteristic HTTP request signature in access logs that is only available for detection if those logs leave the host before they can be erased. NIST CSF 2.0 reference: nist.gov/cyberframework.
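As an added, defender-side example (not code from this newsletter, from F5, or from nginx.org), the Python script below turns the lead story's interim mitigation and this compliance tip into an audit: it flags rewrite directives with the shape the newsletter describes (an unnamed PCRE capture and a question mark in the replacement, followed by a rewrite, if, or set directive in the same block), lists access_log targets that stay on the host instead of going to syslog, and classifies an `nginx -v` version string against the affected range the newsletter gives for NGINX Open Source. The config parser is a line-based heuristic rather than a full nginx parser, the sample configuration is constructed for the demonstration, and the names SAMPLE_CONF, find_rift_patterns, local_only_access_logs, parse_version and is_affected are chosen here.

```python
"""Audit helpers for NGINX Rift (CVE-2026-42945) exposure.

Added example, not code from the newsletter, F5, or nginx.org. Assumptions:
- the flagged rewrite shape follows the newsletter's description: an unnamed
  PCRE capture ($1, $2, ...) plus a '?' in the replacement, with a rewrite,
  if, or set directive as the next directive in the same block;
- the affected range (0.6.27-1.30.0) and fixed releases (1.30.1, 1.31.0) are
  the ones the newsletter lists for NGINX Open Source; NGINX Plus is not covered;
- the parser is a heuristic: one directive per line, no quoted arguments
  containing spaces, '#' always starts a comment.
"""
import re

# Constructed sample config (not a real deployment): one location uses the
# reported trigger shape, one uses the named-capture mitigation, one has a
# lone rewrite with nothing after it; access logs go to a local file in
# http{} and to syslog in server{}.
SAMPLE_CONF = """
http {
    access_log /var/log/nginx/access.log combined;
    server {
        listen 80;
        location /old/ {
            rewrite ^/old/(.*)$ /new/$1? permanent;   # unnamed capture + '?'
            set $flag 1;                              # followed by set
        }
        location /legacy/ {
            rewrite ^/legacy/(?<rest>.*)$ /current/$rest? permanent;  # named
            set $flag 1;
        }
        location /single/ {
            rewrite ^/single/(.*)$ /one/$1? last;     # nothing follows it
        }
        access_log syslog:server=10.0.0.5:514,tag=nginx combined;
    }
}
"""

UNNAMED_CAPTURE = re.compile(r"\$\d")
FOLLOWERS = {"rewrite", "if", "set"}


def _directives(conf):
    """Yield (depth, name, args) per directive line; depth is the {} nesting level."""
    depth = 0
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            depth -= 1
            continue
        opens = line.endswith("{")
        body = line.rstrip("{;").strip()
        if body:
            parts = body.split(None, 1)
            yield depth, parts[0], (parts[1] if len(parts) > 1 else "")
        if opens:
            depth += 1


def find_rift_patterns(conf):
    """Return 'rewrite <regex> <replacement>' for rewrites matching the reported shape."""
    items = list(_directives(conf))
    hits = []
    for i, (depth, name, args) in enumerate(items):
        if name != "rewrite":
            continue
        parts = args.split()
        if len(parts) < 2:
            continue
        regex, replacement = parts[0], parts[1]
        if "?" not in replacement or not UNNAMED_CAPTURE.search(replacement):
            continue
        # The described pattern needs a second rewrite/if/set right after it.
        if i + 1 < len(items):
            next_depth, next_name, _ = items[i + 1]
            if next_depth == depth and next_name in FOLLOWERS:
                hits.append(f"rewrite {regex} {replacement}")
    return hits


def local_only_access_logs(conf):
    """Return access_log targets that are plain files on the host (not syslog:, not off)."""
    targets = [args.split()[0] for _, name, args in _directives(conf)
               if name == "access_log" and args]
    return [t for t in targets if t != "off" and not t.startswith("syslog:")]


AFFECTED_MIN, AFFECTED_MAX = (0, 6, 27), (1, 30, 0)   # Open Source range per newsletter


def parse_version(output):
    """Parse 'nginx version: nginx/1.28.0' (what `nginx -v` prints) into a tuple."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError(f"no nginx version in: {output!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when an Open Source version lies in 0.6.27..1.30.0 (1.30.1 and 1.31.0 are fixed)."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


if __name__ == "__main__":
    for hit in find_rift_patterns(SAMPLE_CONF):
        print("rewrite with unnamed capture + '?' followed by rewrite/if/set:", hit)
    for target in local_only_access_logs(SAMPLE_CONF):
        print("access_log stays on host (DE.CM-01 gap):", target)
    ver = parse_version("nginx version: nginx/1.28.0")   # constructed `nginx -v` output
    print("version", ".".join(map(str, ver)), "affected:", is_affected(ver))
```

Against a real host, feed the output of `nginx -T` (which dumps the full effective configuration) to the two config functions and the output of `nginx -v` to parse_version. A hit from find_rift_patterns is a candidate for the named-capture rewrite the newsletter recommends, not proof of exploitability, and a file target from local_only_access_logs means the log that would carry the request signature lives on the same host an attacker could erase it from.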


This newsletter does not constitute professional security advice. Security configurations and threat landscapes vary by organization. Consult a qualified security professional for implementation guidance specific to your environment.

How we work: HARDENED uses AI agents for research, drafting, and automation. Every issue is reviewed by humans before publication. If you spot an error, reply directly — we correct the record promptly.
