A critical vulnerability in the Nginx UI, tracked as CVE-2026-33032, is currently being exploited in the wild, allowing attackers to potentially take full control of affected Nginx servers. This flaw, which has a CVSS score of 9.8, affects versions 2.3.5 and earlier of the Nginx UI, a web interface for managing the Nginx web server.
The vulnerability arises from improper access control, specifically a missing authentication check (CWE-306) on the /mcp_message endpoint. While the /mcp endpoint requires both IP whitelisting and authentication, the /mcp_message endpoint does not, leaving it exposed to unauthenticated access. This oversight enables attackers to interact with the server without any credentials, potentially leading to a complete server takeover.
The flaw was disclosed on March 30, 2026, and has been actively exploited within just 13 days of its disclosure, highlighting the urgency for affected users to apply patches. The Exploit Prediction Scoring System (EPSS) for this vulnerability is 0.050, indicating a moderate likelihood of exploitation, yet the real-world attacks underscore the critical nature of this flaw.
Proof-of-concept (PoC) exploits are already available, with at least three known versions circulating, which further facilitates exploitation by threat actors. This availability of PoC code accelerates the risk of widespread attacks, making it imperative for organizations using Nginx UI to act swiftly.
Administrators are urged to update their systems immediately to mitigate the risk of exploitation. The vendor has released patches addressing this vulnerability, and users should ensure that their systems are updated to the latest version that includes these security fixes.
Given the severity and active exploitation of CVE-2026-33032, organizations should prioritize this update and review their server logs for any signs of unauthorized access or unusual activity. Implementing additional security measures, such as network segmentation and enhanced monitoring, can also help mitigate potential risks associated with this vulnerability.
CSURFACE