Patch now! Attackers take control of Nginx servers
Attackers are currently exploiting a critical security vulnerability in Nginx. Instances in Germany are also threatened.
Security researchers are warning of worldwide attacks on Nginx web servers. Attackers gain full control over servers. A security patch has been available since March of this year, but has apparently not yet been installed universally.
According to researchers, vulnerable servers are still publicly accessible via the internet in Germany as well. However, the scale of the attacks is currently unclear.
Background
According to a warning, the “critical” vulnerability (CVE-2026-33032) affects nginx-ui MCP (Model Context Protocol). Because HTTP endpoints accessible via /mcp_message can be addressed without authentication, remote attackers can exploit the vulnerability with crafted HTTP requests. They can then change configurations, among other things, and thus gain full control over instances.
Security researchers from Pluto, among others, are warning of the attacks in a report. In it, they explain in detail how the attacks work and what the security problem consists of. They also state that, using the Shodan search engine, they found almost 2700 vulnerable instances accessible via the internet worldwide. The majority of these are in China and the USA. In Germany, according to the scan, there are 235 instances.
Install Security Update Now!
The patched Nginx version v.2.3.4 has been available for download since mid-March of this year. The current release is v.2.3.6. Server administrators should react immediately. Those who cannot install the security patch right away should deactivate MCP as a temporary protective measure.
In the security researchers' post, administrators can find hints on how to identify systems that have already been successfully attacked.
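As a first triage step, the following added example (not taken from the researchers' report or from the nginx-ui project) flags requests to /mcp_message that arrive from outside an allowlist of management networks. The combined access-log format, the allowlisted networks and the sample log lines are assumptions made for the illustration.

```python
import ipaddress
import re

# Assumption: a reverse proxy in front of nginx-ui writes "combined" format logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Assumption: management networks that may legitimately reach the MCP endpoint.
TRUSTED = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8")]

def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable client field: treat as untrusted
    return any(addr in net for net in TRUSTED)

def find_mcp_hits(lines):
    """Return one dict per request to /mcp_message from an untrusted source."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0].rstrip("/")  # drop query string
        if path != "/mcp_message" or is_trusted(m["ip"]):
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"], "time": m["ts"], "method": m["method"],
            "status": status,
            # A 2xx answer means the endpoint accepted and processed the request.
            "severity": "high" if 200 <= status < 300 else "info",
        })
    return hits

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    '192.168.1.20 - - [14/Apr/2026:09:12:01 +0000] "POST /mcp_message HTTP/1.1" 200 153 "-" "-"',
    '203.0.113.45 - - [14/Apr/2026:09:13:37 +0000] "POST /mcp_message HTTP/1.1" 200 212 "-" "-"',
    '198.51.100.7 - - [14/Apr/2026:09:14:02 +0000] "GET /mcp_message?t=1 HTTP/1.1" 403 0 "-" "-"',
    '203.0.113.45 - - [14/Apr/2026:09:15:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_mcp_hits(SAMPLE):
        print(hit["severity"], hit["time"], hit["ip"], hit["method"], hit["status"])
```

A "high" hit only shows that an outside address received a successful answer from the endpoint; whether configurations were actually changed has to be checked on the instance itself.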
(des)