Attack Chain

1. A fresh nginx-ui instance is deployed and exposed to the network.
2. An unauthenticated attacker sends a GET request to /api/install to verify the instance is unlocked ("lock": false, "timeout": false).
3. The attacker sends a POST request to /api/crypto/public_key to obtain the server’s RSA public key.
4. The attacker encrypts a JSON payload containing the attacker’s desired admin email, username, and password using the obtained public key. The payload is formatted as {"email":"attacker@example.com","username":"attacker","password":"Password12345"}.
5. The attacker base64-encodes the resulting ciphertext.
6. The attacker sends a POST request to /api/install with the base64-encoded ciphertext in the encrypted_params field (e.g., {"encrypted_params":"base64_encoded_ciphertext"}).
7. The server overwrites the initial admin user (ID 1) in the database with the attacker-provided credentials.
8. The attacker logs in to the nginx-ui interface with the attacker-controlled username and password, gaining complete control of the application.

Impact

Successful exploitation allows an attacker to gain complete control over the nginx-ui application. Since nginx-ui manages Nginx configurations, certificates, and other host-level settings, this can lead to unauthorized configuration changes, certificate management abuse, backup manipulation, service disruption, and broader operational takeover of the managed environment. This vulnerability affects fresh, uninitialized instances that are reachable over the network during the installation window.

Recommendation

• Deploy the Sigma rule “Detect Nginx-UI Unauthenticated Initial Admin Claim Attempt” to your SIEM to identify exploitation attempts based on requests to the /api/install endpoint.
• Apply network access controls to restrict access to the nginx-ui instance during the installation window.
• Monitor web server logs for POST requests to /api/install and /api/crypto/public_key from unusual source IP addresses.