Security vendor Pluto Security has published details of a critical vulnerability in the open-source nginx UI web server configuration tool that has been under active exploitation by cybercriminals since March.
News of the flaw, identified as CVE-2026-33032, first appeared on the National Vulnerability Database (NVD) on March 30, the same day that threat intelligence companies VulnCheck and Recorded Future’s Insikt Group noted it was under active exploitation.
What users didn’t have at that point were any details on the flaw from Pluto Security, the company that discovered it earlier that month. This week, the company rectified this, publishing a full breakdown of the vulnerability.
Nginx UI is a convenient real-time dashboard and control panel interface for managing nginx single-node and cluster nodes without having to resort to the command line interface (CLI).
The vulnerability, with a CVSS score of 9.8, relates to the software’s support for Model Context Protocol (MCP) servers, which was added in late 2025 and enables communication between nginx web servers and AI models through two HTTP-accessible MCP URL endpoints.
Unfortunately, in the case of nginx UI, one of these endpoints, /mcp_message, was implemented without authentication, a weakness Pluto Security dubbed ‘MCPwn’.
“This exposes 12 MCP tools, including config writes with automatic nginx reload, to any host on the network. One unauthenticated API call is all it takes to inject a config and take over nginx,” said Pluto Security.
Leveraging MCPwn, an attacker would be able to intercept all traffic, harvest admin credentials, maintain persistent access, conduct infrastructure reconnaissance via nginx configuration files, and kill the service, the company said.
MCP attack surface
Nginx UI’s user base of hundreds of thousands is relatively small compared to the vast global popularity of the nginx web server. Many of its installations will also be internal and therefore not directly exposed to remote attack. However, using Shodan, Pluto Security was still able to find 2,689 vulnerable nginx UI instances reachable from the internet, it said.
“This is a clear example of how AI integrations can unintentionally expand the attack surface,” commented Pluto Security’s CEO, Shahar Bahat. “MCP servers aren’t just developer tools, they’re privileged access points into production systems.”
MCP has been implemented at breakneck speed to enable AI agents, leading to the adoption of tools without the risks they create being understood, Bahat pointed out.
“This vulnerability shows how a single exposed endpoint can enable full compromise. AI integration layers must be treated as part of the attack surface, not an afterthought,” she said.
To security teams, this will be reminiscent of the problems experienced when APIs started to boom a decade ago. By enabling an integration layer such as MCP, and the tools used to manage it, developers risk inadvertently creating a new layer of vulnerability.
As Bahat put it: “AI integration endpoints expose the same capabilities as the core application, but often skip its security controls.” When planning MCP integrations, Pluto Security recommends giving MCP endpoints the same security attention as APIs, auditing Server-Sent Events (SSE) endpoints and fully testing authentication parameters.
A priority fix
The fact that the nginx vulnerability has been under exploitation for at least a month should make applying the recommended fix, version 2.3.4, released March 15, a priority for anyone using this software, since nginx servers represent a big prize for threat actors. In February, attackers were discovered exploiting the ‘React2Shell’ vulnerability (CVE-2025-55182) in React Server Components (RSC) to target nginx servers.
For those who can’t patch immediately, the stopgap workaround is to disable MCP, or lock the IP whitelist to trusted hosts, as well as reviewing access logs for unusual configuration changes.
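As an illustration of the log review suggested above (an added example, not code from Pluto Security or the nginx UI project), the following Python sketch flags requests to /mcp_message that came from outside a trusted allowlist. It assumes the access log is in nginx's "combined" format; the allowlist networks and the sample log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumption: requests reach nginx UI through a proxy logging in nginx "combined" format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
MCP_PATH = "/mcp_message"  # the unauthenticated endpoint named in the article
# Constructed allowlist; replace with the hosts that legitimately use MCP.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "127.0.0.1/32")]

# Constructed sample log lines (documentation-range addresses, made-up query string).
SAMPLE_LOG = [
    '10.20.0.5 - - [02/Apr/2026:09:14:01 +0000] "POST /mcp_message HTTP/1.1" 200 64 "-" "mcp-client"',
    '203.0.113.77 - - [02/Apr/2026:09:15:12 +0000] "POST /mcp_message?id=constructed HTTP/1.1" 200 64 "-" "-"',
    '203.0.113.77 - - [02/Apr/2026:09:15:13 +0000] "POST /mcp_message/ HTTP/1.1" 200 64 "-" "-"',
    '198.51.100.9 - - [02/Apr/2026:09:20:40 +0000] "POST /mcp_message HTTP/1.1" 403 0 "-" "-"',
    '203.0.113.77 - - [02/Apr/2026:09:21:00 +0000] "GET / HTTP/1.1" 200 512 "-" "-"',
]

def is_trusted(ip, networks=TRUSTED):
    """True if ip parses and falls inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparseable client field is treated as untrusted
    return any(addr in net for net in networks)

def find_untrusted_mcp_calls(lines, networks=TRUSTED):
    """Return (hits, per-IP counts) for MCP_PATH requests from outside the allowlist."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path = m["path"].split("?", 1)[0].rstrip("/")  # ignore query string and trailing slash
        if path != MCP_PATH or is_trusted(m["ip"], networks):
            continue
        hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                     "accepted": m["status"].startswith("2")})  # 2xx: the call was served
    return hits, Counter(h["ip"] for h in hits)

if __name__ == "__main__":
    hits, per_ip = find_untrusted_mcp_calls(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(per_ip.most_common())
```

Hits marked as accepted are the ones to correlate first with nginx configuration file changes and reloads around the same timestamps.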