What’s happening
A critical NGINX vulnerability — tracked as CVE-2026-42945 and nicknamed “NGINX Rift” — is now being exploited in the wild. As reported by Help Net Security, exploitation attempts began on 16 May, only three days after the bug and proof-of-concept code were made public. It’s a heap buffer overflow in the ngx_http_rewrite_module, carries a CVSS score of 9.2, and affects NGINX versions 0.6.27 through 1.30.0 — so almost every NGINX install older than the May patch.
Why it matters for Australian businesses
NGINX sits in front of an enormous amount of Australian web traffic — booking sites, member portals, e-commerce shops, internal apps, and most cloud-hosted WordPress fleets. VulnCheck estimates around 5.7 million internet-exposed NGINX servers run a vulnerable version. A successful exploit can crash the server or, where Address Space Layout Randomisation (ASLR) is disabled, run arbitrary code as the web server user. That’s the kind of foothold an attacker uses to drop a web shell and pivot deeper. F5 has released fixes in the official advisory.
What to do today
Patch to NGINX 1.30.1 (open source) or the equivalent NGINX Plus build straight away. If you can’t patch in the next 24 hours, confirm ASLR is enabled on every host running NGINX — that downgrades remote code execution to a denial-of-service worst case. Then check your web server logs for unusual POST requests against rewrite-heavy paths, and watch outbound connections from NGINX hosts for anything suspicious. If you’re on a managed platform (AWS, Azure, WP Engine, Kinsta), check your provider’s status page — most have already rolled the patch, but you should verify.
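The three checks above (version, ASLR, log review) can be scripted for a fleet. The following is an added example written for this post, not code from F5, NGINX or the original author. It assumes a Linux host with POSIX sh and the nginx binary on PATH, that 1.30.1 (the fixed open-source release named above) is the version to compare against, and that kernel.randomize_va_space=2 means full ASLR. The access log lines are constructed, not real traffic, so the log check runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): triage checks for the advice above.
# Assumptions: Linux host, POSIX sh, nginx on PATH, and that 1.30.1 (the fixed
# open-source release named in the post) is the version to compare against.
# Caveat: distro packages may backport the fix under an older version string;
# confirm against your vendor's advisory rather than trusting the number alone.

FIXED_VERSION="1.30.1"

# version_ge A B: succeed (exit 0) if dotted version A is >= B.
# Pure POSIX so it does not depend on GNU `sort -V`; non-digit suffixes
# such as "-r1" are ignored on each component.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# nginx_patched "<nginx -v output>": succeed if the reported version is at or
# above FIXED_VERSION. `nginx -v` prints e.g. "nginx version: nginx/1.30.1" (on stderr).
nginx_patched() {
    ver="${1##*nginx/}"
    version_ge "$ver" "$FIXED_VERSION"
}

# aslr_enabled [file]: succeed only if randomize_va_space is 2 (full ASLR, which
# also randomises the heap/brk area). The optional path lets the check run on a sample.
aslr_enabled() {
    f="${1:-/proc/sys/kernel/randomize_va_space}"
    [ -r "$f" ] || return 1
    [ "$(cat "$f")" = "2" ]
}

# count_post_requests LOG PREFIX: number of POST requests whose path starts with
# PREFIX in a combined-format access log. Compare the figure with your normal baseline.
count_post_requests() {
    grep -cF "\"POST $2" "$1" 2>/dev/null || true
}

# Constructed sample access log (not real traffic) so the log check runs offline.
sample_log() {
    cat <<'EOF'
203.0.113.5 - - [16/May/2026:10:01:02 +1000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [16/May/2026:10:01:03 +1000] "POST /rewrite/old-path HTTP/1.1" 500 0 "-" "curl/8.0"
198.51.100.9 - - [16/May/2026:10:01:09 +1000] "POST /rewrite/legacy HTTP/1.1" 400 0 "-" "python-requests/2.31"
198.51.100.9 - - [16/May/2026:10:02:00 +1000] "POST /api/login HTTP/1.1" 200 77 "-" "Mozilla/5.0"
EOF
}

# Print a one-screen summary for this host. Always returns 0 so it can run from cron.
run_checks() {
    if command -v nginx >/dev/null 2>&1; then
        out=$(nginx -v 2>&1)
        if nginx_patched "$out"; then
            echo "nginx: $out (at or above $FIXED_VERSION)"
        else
            echo "nginx: $out -- PATCH NOW"
        fi
    else
        echo "nginx: binary not on PATH (check containers and packages separately)"
    fi
    if aslr_enabled; then
        echo "ASLR: full (randomize_va_space=2)"
    else
        echo "ASLR: not fully enabled -- RCE is not downgraded to DoS on this host"
    fi
    tmp=$(mktemp)
    sample_log > "$tmp"
    echo "POST requests to /rewrite in sample log: $(count_post_requests "$tmp" /rewrite)"
    rm -f "$tmp"
    return 0
}

run_checks
```

Point count_post_requests at the real access log (for example /var/log/nginx/access.log) and the path prefixes your rewrite rules cover; a count that is well above the site's usual POST volume for those paths is the signal worth investigating, and the source addresses in the matching lines are what to correlate with outbound-connection monitoring.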
Not sure whether NGINX is in your stack, or whether your hosting provider has patched? That’s exactly the kind of thing our cybersecurity team tracks for clients on managed plans. Drop us a line if you’d like us to check.
