
Nginx
Open-source web server and reverse proxy; its worker process was exploited in PAN-OS attack.
Last refreshed: 8 May 2026 · Appears in 1 active topic
Timeline for nginx
Mentioned in: Arista refuses to patch KEV flaw
Cybersecurity: Threats and DefencesCL-STA-1132 exploited PAN-OS since 16 April, log destruction confirmed
Cybersecurity: Threats and DefencesWhat is nginx used for?
How was nginx used in the PAN-OS firewall attack?
Can nginx be embedded in other products?
Background
nginx (pronounced "engine-x") is a high-performance, open-source web server, reverse proxy, load balancer, and HTTP cache, originally developed by Igor Sysoev and released in 2004. It is one of the two most widely deployed web server software packages globally (alongside Apache), used both as a standalone web server and as a reverse proxy in front of application servers. nginx's event-driven, non-blocking architecture enables it to handle large numbers of concurrent connections with minimal memory overhead, making it the dominant choice for high-traffic web infrastructure.
In many modern application deployments, nginx's worker processes sit at the network edge, handling inbound HTTP/HTTPS connections and forwarding requests to upstream services. Because these workers run with broad network access and handle all inbound traffic, they are high-value targets: code execution within an nginx worker process gives an attacker a foothold on the host with the network reach of the proxy itself.
PAN-OS, Palo Alto Networks' firewall operating system, uses nginx internally to serve web-facing components including the User-ID Authentication Portal. In U#3, the Chinese-nexus threat actor CL-STA-1132 exploited CVE-2026-0300 in the PAN-OS Authentication Portal to inject shellcode directly into the nginx worker process . The injected shellcode ran with nginx worker privileges, providing an initial execution environment from which the attacker deployed EarthWorm and ReverseSocks5 tunnel software for covert C2 communications.