CVE-2023-23596 in NGINX Proxy Manager

Summary

by MITRE • 01/20/2023

jc21 NGINX Proxy Manager through 2.9.19 allows OS command injection. When creating an access list, the backend builds an htpasswd file with crafted username and/or password input that is concatenated without any validation, and is directly passed to the exec command, potentially allowing an authenticated attacker to execute arbitrary commands on the system. NOTE: this is not part of any NGINX software shipped by F5.


Analysis

by VulDB Data Team • 10/14/2025

jc21 NGINX Proxy Manager through version 2.9.19 contains an operating system command injection vulnerability in its access list creation functionality. When an access list is created, the backend builds an htpasswd file from the username and password supplied in the request. Those values are concatenated into a command string and handed to exec without any validation or escaping, so the credential fields are treated as part of a shell command rather than as data.

Because the command string is executed through a shell, metacharacters in the username or password field (command separators, command substitution, redirections) are interpreted instead of being stored as a literal credential. An authenticated user who is allowed to create access lists can therefore run arbitrary commands on the host or container running the proxy manager, with the privileges of the backend process. Depending on how the service is deployed, that foothold may be enough to escalate further or to take over the system entirely.

Operationally, the precondition is low: exploitation needs only an account that can create access lists, and the commands run with the privileges of the backend service. From there the usual consequences follow: compromise of the host or container running the proxy manager, access to the configuration and data it holds, and a position from which to move laterally. Because the proxy manager sits in front of other web services, a compromise of it exposes everything it fronts, which is what makes this more than a single-application issue.

The weakness is CWE-78, improper neutralization of special elements used in an OS command: user input is placed into a command string without escaping or validation, giving attacker-controlled data a direct execution path. In ATT&CK terms the behaviour maps to Command and Scripting Interpreter (T1059) under the Execution tactic, and a successful attacker would typically follow it with persistence, privilege escalation, or discovery on the compromised host. Note that NGINX Proxy Manager is an independent open-source project that bundles NGINX; it is not an NGINX module and is not shipped or supported by F5, so F5's own advisories will not cover it and the jc21 project releases are the source to track.

The remediation is to update jc21 NGINX Proxy Manager to version 2.9.20 or later, where the access list input is no longer passed to a shell unvalidated. Until that is done, limit who can create access lists, since every such account is an RCE-capable account, and run the service with the least privilege the deployment allows. Because the injection spawns a shell from the backend process, a useful detection is a child shell of the Node backend whose arguments are anything other than the expected htpasswd invocation; unusual logins or access list changes from unexpected accounts are the corresponding signal in the application logs. More generally, treat the proxy manager like any other third-party component on the edge: inventory it, track its releases, and apply its updates on the same cadence as the services it fronts.

Reservation

01/15/2023

Disclosure

01/20/2023

Moderation

accepted

CPE

ready

EPSS

0.15198

KEV

no

Activities

very low

Sources
