{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/remote-takeover/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Nginx-UI"],"_cs_severities":["critical"],"_cs_tags":["nginx-ui","nginx","unauthenticated","remote-takeover","CVE-2026-33032"],"_cs_type":"advisory","_cs_vendors":["Nginx-UI"],"content_html":"\u003cp\u003eThe nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: \u003ccode\u003e/mcp\u003c/code\u003e and \u003ccode\u003e/mcp_message\u003c/code\u003e. While \u003ccode\u003e/mcp\u003c/code\u003e requires authentication, the \u003ccode\u003e/mcp_message\u003c/code\u003e endpoint only applies IP whitelisting - and the default IP whitelist is empty, which the middleware treats as \u0026quot;allow all\u0026quot;. This vulnerability, affecting nginx-ui versions 1.99 and earlier, allows any network attacker to invoke all MCP tools without authentication via the \u003ccode\u003e/mcp_message\u003c/code\u003e endpoint. This includes restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads. Successful exploitation leads to complete nginx service takeover. This is critical for defenders as it provides an unauthenticated pathway to control a critical piece of infrastructure typically fronting web applications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker sends an HTTP POST request to \u003ccode\u003ehttp://target:9000/mcp_message\u003c/code\u003e with a JSON payload.\u003c/li\u003e\n\u003cli\u003eThe request bypasses authentication checks due to the missing \u003ccode\u003eAuthRequired()\u003c/code\u003e middleware on the \u003ccode\u003e/mcp_message\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eIPWhiteList()\u003c/code\u003e middleware allows all requests because the default IP whitelist is empty.\u003c/li\u003e\n\u003cli\u003eThe request is routed to the \u003ccode\u003emcp.ServeHTTP()\u003c/code\u003e handler.\u003c/li\u003e\n\u003cli\u003eThe attacker invokes the \u003ccode\u003enginx_config_add\u003c/code\u003e MCP tool to create a malicious nginx configuration file, for example in \u003ccode\u003e/etc/nginx/conf.d/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enginx_config_add\u003c/code\u003e tool writes the malicious configuration file to disk.\u003c/li\u003e\n\u003cli\u003eAfter the config is written, \u003ccode\u003enginx_config_add\u003c/code\u003e attempts to reload nginx configuration via \u003ccode\u003enginx.Control(nginx.Reload)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker now controls the Nginx webserver and can intercept traffic, redirect users, and exfiltrate data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants an unauthenticated attacker complete control over the nginx service. This allows the attacker to intercept traffic, rewrite server blocks, capture credentials and session tokens, and disrupt service by writing invalid configurations. All existing nginx configurations are readable via \u003ccode\u003enginx_config_get\u003c/code\u003e, potentially revealing backend topology and authentication headers. This poses a significant risk to organizations relying on nginx-ui to manage their web servers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch suggested in the advisory by adding \u003ccode\u003emiddleware.AuthRequired()\u003c/code\u003e to the \u003ccode\u003e/mcp_message\u003c/code\u003e route to prevent unauthenticated access (reference: GitHub advisory).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Nginx-UI MCP Message Endpoint Usage\u0026quot; to identify potential exploit attempts in your environment (reference: Sigma rule below).\u003c/li\u003e\n\u003cli\u003eMonitor network connections to port 9000 (default nginx-ui port) for suspicious POST requests to \u003ccode\u003e/mcp_message\u003c/code\u003e (reference: IOC).\u003c/li\u003e\n\u003cli\u003eConsider changing the default IP whitelist behavior to deny-all when unconfigured (reference: GitHub advisory).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-nginx-ui-takeover/","summary":"Nginx-UI is vulnerable to unauthenticated remote takeover due to a missing authentication check on the `/mcp_message` endpoint, allowing attackers to invoke MCP tools without authentication, leading to arbitrary nginx configuration modification, traffic interception, service disruption, configuration exfiltration, and credential harvesting; the default empty IP whitelist allows access from any network attacker.","title":"Unauthenticated Remote Takeover of Nginx-UI via MCP Endpoint","url":"https://feed.craftedsignal.io/briefs/2024-01-nginx-ui-takeover/"}],"language":"en","title":"CraftedSignal Threat Feed - Remote-Takeover","version":"https://jsonfeed.org/version/1.1"}