nginx UI and Organizations using nginx UI: Critical nginx UI tool vulnerability opens web servers to full compromise

Critical Nginx UI Vulnerability Exploited for Over a Month, Exposing Web Servers to Full Compromise

A critical vulnerability (CVE-2025-55182, CVSS 9.8) in the open-source nginx UI web server configuration tool has been actively exploited by cybercriminals since March, security vendor Pluto Security revealed this week. The flaw, dubbed ‘MCPwn’, stems from an unauthenticated Model Context Protocol (MCP) endpoint, introduced in late 2025 to facilitate AI model integration, that allows attackers to hijack nginx servers with a single API call.

Exploitation enables threat actors to intercept traffic, harvest admin credentials, maintain persistent access, and manipulate nginx configurations, including injecting malicious settings or disabling the service entirely. Pluto Security identified 2,689 vulnerable nginx UI instances exposed to the internet via Shodan, despite the tool’s relatively small user base compared to nginx’s global footprint.

The vulnerability mirrors risks seen during the API boom a decade ago, where rapid integration outpaced security controls. MCP endpoints, designed to bridge nginx and AI models, were implemented without authentication, creating a privileged attack surface. Pluto Security’s CEO warned that AI integration layers must be treated as part of the core attack surface, not an afterthought.

The flaw was first disclosed on the National Vulnerability Database (NVD) on March 30, coinciding with reports from VulnCheck and Recorded Future’s Insikt Group confirming active exploitation. While a patch (nginx UI 2.3.4) was released on March 15, organizations unable to update immediately can mitigate risks by disabling MCP or restricting access via IP whitelisting. Security teams are advised to review logs for unusual configuration changes.

Nginx UI, a dashboard for managing nginx servers without CLI access, has seen accelerated adoption of MCP tools to support AI agents, often without full risk assessments. The incident underscores how privileged integration layers can inadvertently expand the attack surface when security is deprioritized.

Source: https://www.csoonline.com/article/4159248/critical-nginx-ui-tool-vulnerability-opens-web-servers-to-full-compromise.html

NGINX cybersecurity rating report: https://www.rankiteo.com/company/nginx

{
  "id": "NGI1776291864",
  "linkid": "nginx",
  "type": "Vulnerability",
  "date": "3/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "affected_entities": [
    {
      "location": "Global",
      "name": "Organizations using nginx UI",
      "type": "Organizations"
    }
  ],
  "attack_vector": "Unauthenticated API call (MCP endpoint)",
  "data_breach": {
    "sensitivity_of_data": "High (admin credentials, traffic interception)",
    "type_of_data_compromised": "Admin credentials, traffic data"
  },
  "date_detected": "March 2025",
  "date_publicly_disclosed": "March 30, 2025",
  "description": "A critical vulnerability (CVE-2025-55182, CVSS 9.8) in the open-source nginx UI web server configuration tool has been actively exploited by cybercriminals since March. The flaw, dubbed ‘MCPwn’, stems from an unauthenticated Model Context Protocol (MCP) endpoint, allowing attackers to hijack nginx servers with a single API call. Exploitation enables threat actors to intercept traffic, harvest admin credentials, maintain persistent access, and manipulate nginx configurations, including injecting malicious settings or disabling the service entirely.",
  "impact": {
    "data_compromised": "Admin credentials, traffic interception",
    "operational_impact": "Malicious configuration injection, service disruption",
    "systems_affected": "nginx UI instances (2,689 exposed to the internet)"
  },
  "lessons_learned": "AI integration layers must be treated as part of the core attack surface, not an afterthought. Privileged integration layers can inadvertently expand attack surfaces when security is deprioritized.",
  "post_incident_analysis": {
    "corrective_actions": "Patch implementation, disabling MCP, IP whitelisting, log reviews",
    "root_causes": "Unauthenticated MCP endpoint introduced for AI model integration without security controls"
  },
  "recommendations": "Apply patch (nginx UI 2.3.4), disable MCP or restrict access via IP whitelisting, review logs for unusual configuration changes.",
  "references": [
    {"source": "Pluto Security"},
    {"source": "National Vulnerability Database (NVD)"},
    {"source": "VulnCheck"},
    {"source": "Recorded Future’s Insikt Group"},
    {"source": "Shodan"}
  ],
  "response": {
    "containment_measures": "Disable MCP or restrict access via IP whitelisting",
    "enhanced_monitoring": "Review logs for unusual configuration changes",
    "remediation_measures": "Patch to nginx UI 2.3.4"
  },
  "title": "Critical Nginx UI Vulnerability Exploited for Over a Month, Exposing Web Servers to Full Compromise",
  "type": "Vulnerability Exploitation",
  "vulnerability_exploited": "CVE-2025-55182 (CVSS 9.8)"
}