Cyber Alert: NGINX Critical Vulnerability
FINRA firms should be aware of a security vulnerability that poses potentially severe risks to organizations using NGINX products. FINRA recommends sharing this Cyber Alert with appropriate information technology and information security personnel—as well as any third-party vendors that may use NGINX—to identify whether your firm is impacted and take immediate steps to protect your environments.
Background
On June 27, 2026, the National Vulnerability Database (NVD) updated the severity scores for the NGINX "Rift Chain" Remote Code Execution Vulnerability (CVE-2026-42945). The vulnerability has been actively exploited since its May 2026 disclosure, and FINRA has identified a growing number of potentially affected member firms. This critical heap-based buffer overflow allows unauthenticated attackers to crash NGINX processes (denial of service); on systems where Address Space Layout Randomization (ASLR) is disabled, it may also allow them to execute arbitrary code. Because NGINX commonly fronts important backend systems and publicly available exploit code exists, this vulnerability poses significant risk to firm infrastructure.
Note: On June 18, 2026, F5 released patches for two additional critical NGINX vulnerabilities (CVE-2026-42530 and CVE-2026-42055). Although no in-the-wild exploitation of these has been reported, firms should apply all available NGINX security updates, not only the fix for CVE-2026-42945.
Affected Products
The vulnerability exists in ngx_http_rewrite_module, which is compiled into every standard NGINX build unless the binary was configured with --without-http_rewrite_module (the configure arguments of an installed binary are shown by nginx -V).
- NGINX Open Source 0.6.27 through 1.30.0 (patch: upgrade to 1.31.0 or 1.30.1)
- NGINX Plus R32 through R36 (patch: R36 P4 or R32 P6)
- NGINX Plus 37.0.0 through 37.0.1 (patch: 37.0.2.1)
- NGINX Instance Manager 2.16.0 through 2.22.0 (patch: 2.22.1)
- F5 WAF for NGINX 5.9.0 through 5.12.1 (patch: 5.13.0)
- NGINX App Protect WAF 4.9.0 through 4.16.0 and 5.1.0 through 5.8.0
- F5 DoS for NGINX 4.8.0 (patch: 4.9.0)
- NGINX App Protect DoS 4.3.0 through 4.7.0
- NGINX Gateway Fabric 1.3.0 through 1.6.2 and 2.0.0 through 2.6.0
- NGINX Ingress Controller 3.5.0 through 3.7.2, 4.0.0 through 4.0.1, and 5.0.0 through 5.4.2
Products not affected: BIG-IP, BIG-IQ, F5 AI Gateway, F5 Distributed Cloud, F5OS, F5 Silverline, NGINX One Console, Traffix SDC.
Additional details and recommended remediation steps are in F5 Security Advisory K000161019.
Recommended Actions
Member firms and firm vendors using affected NGINX products are strongly encouraged to take the following steps:
- Apply patches immediately – Upgrade to the patched versions listed in the F5 Security Advisory. Patch public-facing web servers, API gateways, and third-party appliances running NGINX first. Restart the NGINX service after patching: a configuration reload (nginx -s reload) re-reads the configuration and starts new workers but leaves the master process executing the old binary, so the fix is not in effect until the service is restarted (or upgraded with NGINX's binary-upgrade procedure).
- Implement temporary protections – Use Web Application Firewall (WAF) rules and access controls to limit exposure to vulnerable systems until patches can be applied. Note: These are temporary measures only; patching is still required.
- Monitor for signs of exploitation – Watch for unexpected crashes, service restarts, or performance degradation, which may indicate exploitation attempts. In the NGINX error log, repeated entries of the form "worker process N exited on signal 11" (SIGSEGV) or "signal 6" (SIGABRT) indicate worker crashes and should be correlated with the requests logged immediately before them.
- Review NGINX configurations – Examine rewrite directives whose replacement string references numbered captures (such as $1, $2) and also contains a literal "?" (that is, appends a query string). Where possible, have IT staff or vendors implement safer configuration alternatives, such as named capture groups.
- Verify security features are enabled – Confirm that ASLR and other system-level protections are active on servers running NGINX. On Linux, /proc/sys/kernel/randomize_va_space should read 2 (full randomization, including the heap); a value of 0 means ASLR is off.
- Check vendor and third-party systems – Verify whether vendors, appliances, or managed services embed vulnerable NGINX versions that may not be obvious from product banners.
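The following audit script is an added example written for this page; it is not FINRA's or F5's tooling and is not part of the advisory. It covers four of the steps above in one run: it reports the installed binary's version and whether the rewrite module is compiled in, finds NGINX processes still executing a binary that was replaced on disk (a reload alone does not fix that), reports the kernel ASLR setting, and lists rewrite directives whose replacement uses a numbered capture together with a "?". The function names, the constructed SAMPLE_CONF, and the "numbered capture plus ?" heuristic are this example's own assumptions; the host facts it relies on are that nginx -V prints the configure arguments, nginx -T dumps the full loaded configuration, and /proc/sys/kernel/randomize_va_space holds the Linux ASLR setting.

```shell
#!/bin/sh
# Added audit helper (example code for this page, not from FINRA or F5).
# Assumptions of this example: the function names, the constructed
# SAMPLE_CONF below, and the heuristic that a rewrite needs review when its
# replacement references a numbered capture ($1, $2, ...) and contains "?".

# Constructed sample configuration (not from any real deployment). The first
# rewrite is the pattern the alert asks firms to review; the second expresses
# the same mapping with a named capture; the third is not the reviewed pattern.
SAMPLE_CONF='
server {
    listen 80;
    # numbered capture plus "?" in the replacement
    rewrite ^/old/(.*)$ /new?item=$1 last;
    # same mapping with a named capture and no numbered reference
    rewrite "^/old/(?<item>.*)$" /new?item=$item last;
    # numbered capture but no query string
    rewrite ^/legacy/(.*)$ /current/$1 permanent;
}
'

# Print "<line>: <directive>" for each rewrite whose replacement (3rd token)
# references a numbered capture and contains "?". Reads configuration on stdin.
find_risky_rewrites() {
    awk '$1 == "rewrite" && $3 ~ /[$][0-9]/ && index($3, "?") > 0 { print NR ": " $0 }'
}

# Version line of the nginx binary in PATH and whether the rewrite module was
# compiled in (it is present unless --without-http_rewrite_module was used).
nginx_build_info() {
    if ! command -v nginx >/dev/null 2>&1; then
        echo "nginx binary not found in PATH"
        return 0
    fi
    nginx -V 2>&1 | head -n 1
    if nginx -V 2>&1 | grep -q -- '--without-http_rewrite_module'; then
        echo "rewrite module: compiled out"
    else
        echo "rewrite module: present"
    fi
}

# A process still executing a binary that the package manager replaced has a
# /proc/<pid>/exe link ending in "(deleted)": reload is not enough, restart it.
stale_nginx_processes() {
    found=0
    for pid in $(pgrep -x nginx 2>/dev/null); do
        case "$(readlink "/proc/$pid/exe" 2>/dev/null)" in
            *"(deleted)") echo "pid $pid runs a replaced nginx binary; restart required"; found=1 ;;
        esac
    done
    return $found
}

# Kernel ASLR setting: 2 = full, 1 = partial (brk heap not randomized), 0 = off.
aslr_mode() {
    if [ -r /proc/sys/kernel/randomize_va_space ]; then
        cat /proc/sys/kernel/randomize_va_space
    else
        echo unknown
    fi
}

# Map the raw sysctl value to a verdict so the check can be scripted.
aslr_verdict() {
    case "$1" in
        2) echo "ok: full ASLR" ;;
        1) echo "warn: partial ASLR (mmap/stack randomized, brk heap not)" ;;
        0) echo "FAIL: ASLR disabled" ;;
        *) echo "unknown: randomize_va_space not readable (non-Linux host?)" ;;
    esac
}

main() {
    echo "== nginx build =="
    nginx_build_info
    echo "== processes on a replaced binary =="
    stale_nginx_processes || true
    echo "== ASLR =="
    aslr_verdict "$(aslr_mode)"
    echo "== rewrites to review (sample config) =="
    printf '%s\n' "$SAMPLE_CONF" | find_risky_rewrites
}

main
```

On a real host, replace the sample with the loaded configuration, including every included file, via `nginx -T 2>/dev/null | find_risky_rewrites`; a match is a line to review, not proof of exposure, and the patched version listed in the F5 advisory remains the actual fix.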
This incident demonstrates how threat actors exploit vulnerabilities in widely used open source software. Such exploitation can expose sensitive business and customer data or render firm systems inoperable. Firms using NGINX—particularly for public-facing services—should heighten security vigilance and review configuration practices.
Reporting
FINRA encourages member firms that identify data breaches or attempted data breaches to contact their Risk Monitoring Analyst and report them to:
- FINRA using the Regulatory Tip Form found on FINRA.org;
- the SEC using the Tips, Complaints, and Referrals form or by calling (202) 551-4790; and
- the FBI using its Internet Crime Complaint Center or by calling 1-800-CALLFBI (1-800-225-5324).
Additionally, both the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) urge organizations to promptly report cyber incidents to a local FBI Field Office or the FBI Internet Crime Complaint Center (IC3) at IC3.gov, and to CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870).
Questions related to this Alert or other cybersecurity-related topics can be emailed to the FINRA Cyber and Analytics Unit (CAU).
Want more intel? Access the Financial Intelligence Fusion Center.
FINRA's new Financial Intelligence Fusion Center (FIFC) is a secure portal where member firms can access and share timely, actionable cybersecurity and fraud threat intelligence. FIFC portal access can be entitled to staff at your member firm and its affiliates, so intelligence is shared with the appropriate people. Visit fifc.finra.org to learn more and to sign up.
Note: This Alert does not create new legal or regulatory requirements or new interpretations of existing requirements, nor does it relieve firms of any existing obligations under federal securities laws, regulations, and FINRA rules. Member firms may consider the information in this Alert in developing new, or modifying existing, policies and procedures that are reasonably designed to achieve compliance with relevant regulatory obligations based on the member firm’s size and business model. Moreover, some information may not be relevant due to certain firms’ business models, sizes, or practices.