Critical Vulnerability Patched in NGINX Plus and Open Source
A critical-severity security defect, present since 2008, has been patched in NGINX Plus and NGINX open source, with proof-of-concept code now publicly available.
A critical-severity security defect, which has been present in NGINX since 2008, has been patched this week in both NGINX Plus and NGINX open source. The vulnerability's long-standing nature underscores the importance of regular security audits and updates for foundational infrastructure software [SecurityWeek].
Following the disclosure and patching of the vulnerability, proof-of-concept (PoC) code has been published, increasing the risk of exploitation for organizations that have not yet updated their NGINX instances. The availability of PoC code typically accelerates the development of functional exploits by malicious actors.
Administrators of NGINX environments are strongly advised to update to the latest patched versions immediately to mitigate the risk of exploitation. Organizations should also review their patch management processes to ensure that critical infrastructure components are prioritized for updates.