<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Remote-Takeover - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/remote-takeover/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/remote-takeover/feed.xml" rel="self" type="application/rss+xml"/><item><title>Unauthenticated Remote Takeover of Nginx-UI via MCP Endpoint</title><link>https://feed.craftedsignal.io/briefs/2024-01-nginx-ui-takeover/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-nginx-ui-takeover/</guid><description>Nginx-UI is vulnerable to unauthenticated remote takeover due to a missing authentication check on the `/mcp_message` endpoint, allowing attackers to invoke MCP tools without authentication, leading to arbitrary nginx configuration modification, traffic interception, service disruption, configuration exfiltration, and credential harvesting; the default empty IP whitelist allows access from any network attacker.</description><content:encoded><![CDATA[<p>The nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: <code>/mcp</code> and <code>/mcp_message</code>. While <code>/mcp</code> requires authentication, the <code>/mcp_message</code> endpoint only applies IP whitelisting - and the default IP whitelist is empty, which the middleware treats as &quot;allow all&quot;. This vulnerability, affecting nginx-ui versions 1.99 and earlier, allows any network attacker to invoke all MCP tools without authentication via the <code>/mcp_message</code> endpoint. This includes restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads. Successful exploitation leads to complete nginx service takeover. This is critical for defenders as it provides an unauthenticated pathway to control a critical piece of infrastructure typically fronting web applications.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker sends an HTTP POST request to <code>http://target:9000/mcp_message</code> with a JSON payload.</li>
<li>The request bypasses authentication checks due to the missing <code>AuthRequired()</code> middleware on the <code>/mcp_message</code> endpoint.</li>
<li>The <code>IPWhiteList()</code> middleware allows all requests because the default IP whitelist is empty.</li>
<li>The request is routed to the <code>mcp.ServeHTTP()</code> handler.</li>
<li>The attacker invokes the <code>nginx_config_add</code> MCP tool to create a malicious nginx configuration file, for example in <code>/etc/nginx/conf.d/</code>.</li>
<li>The <code>nginx_config_add</code> tool writes the malicious configuration file to disk.</li>
<li>After the config is written, <code>nginx_config_add</code> attempts to reload nginx configuration via <code>nginx.Control(nginx.Reload)</code>.</li>
<li>The attacker now controls the Nginx webserver and can intercept traffic, redirect users, and exfiltrate data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability grants an unauthenticated attacker complete control over the nginx service. This allows the attacker to intercept traffic, rewrite server blocks, capture credentials and session tokens, and disrupt service by writing invalid configurations. All existing nginx configurations are readable via <code>nginx_config_get</code>, potentially revealing backend topology and authentication headers. This poses a significant risk to organizations relying on nginx-ui to manage their web servers.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch suggested in the advisory by adding <code>middleware.AuthRequired()</code> to the <code>/mcp_message</code> route to prevent unauthenticated access (reference: GitHub advisory).</li>
<li>Deploy the Sigma rule &quot;Detect Nginx-UI MCP Message Endpoint Usage&quot; to identify potential exploit attempts in your environment (reference: Sigma rule below).</li>
<li>Monitor network connections to port 9000 (default nginx-ui port) for suspicious POST requests to <code>/mcp_message</code> (reference: IOC).</li>
<li>Consider changing the default IP whitelist behavior to deny-all when unconfigured (reference: GitHub advisory).</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>nginx-ui</category><category>nginx</category><category>unauthenticated</category><category>remote-takeover</category><category>CVE-2026-33032</category></item></channel></rss>