
Nginx

Open-source web server and reverse proxy; its worker process was exploited in the PAN-OS attack.

Last refreshed: 8 May 2026 · Appears in 1 active topic

Common Questions
What is nginx used for?
nginx is an open-source web server and reverse proxy used to serve websites, route HTTP traffic to backend applications, load-balance requests across servers, and cache static content. It is one of the two most widely used web servers globally.
How was nginx used in the PAN-OS firewall attack?
PAN-OS uses nginx to serve its Authentication Portal. CL-STA-1132 exploited CVE-2026-0300 to inject shellcode into the PAN-OS nginx worker process, gaining code execution on the firewall and then deploying tunnelling tools for covert command-and-control.
Can nginx be embedded in other products?
Yes. nginx is widely embedded in commercial appliances and operating systems, including Palo Alto Networks' PAN-OS, where it serves internal web components. Vulnerabilities in the host application can expose nginx's network-facing worker processes to exploitation.

Background

nginx (pronounced "engine-x") is a high-performance, open-source web server, reverse proxy, load balancer, and HTTP cache, originally developed by Igor Sysoev and released in 2004. It is one of the two most widely deployed web server software packages globally (alongside Apache), used both as a standalone web server and as a reverse proxy in front of application servers. nginx's event-driven, non-blocking architecture enables it to handle large numbers of concurrent connections with minimal memory overhead, making it the dominant choice for high-traffic web infrastructure.

In many modern application deployments, nginx's worker processes sit at the network edge, handling inbound HTTP/HTTPS connections and forwarding requests to upstream services. Because these workers run with broad network access and handle all inbound traffic, they are high-value targets: code execution within an nginx worker process gives an attacker a foothold on the host with the network reach of the proxy itself.

PAN-OS, Palo Alto Networks' firewall operating system, uses nginx internally to serve web-facing components including the User-ID Authentication Portal. In U#3, the Chinese-nexus threat actor CL-STA-1132 exploited CVE-2026-0300 in the PAN-OS Authentication Portal to inject shellcode directly into the nginx worker process. The injected shellcode ran with nginx worker privileges, providing an initial execution environment from which the attacker deployed EarthWorm and ReverseSocks5 tunnel software for covert C2 communications.
