CVE-2023-27224

9.8 CRITICAL

📋 TL;DR

CVE-2023-27224 is a command injection vulnerability in Nginx Proxy Manager v2.9.19. NPM runs on OpenResty, which embeds a Lua interpreter in Nginx, so Lua code placed in the Nginx configuration that NPM manages is executed by the proxy itself; an attacker who can get malicious Lua into that configuration can run arbitrary commands on the system hosting the proxy. Every deployment of the affected version is exposed. The result is remote code execution and, depending on how the proxy is deployed, full compromise of the container or host.

💻 Affected Systems

Products:
  • Nginx Proxy Manager
Versions: v2.9.19
Operating Systems: Any host running the official Docker image (Linux, Windows, macOS)
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments of version 2.9.19 are vulnerable regardless of configuration. The vulnerability lies in how Lua scripts in the managed Nginx configuration are handled and executed.

📦 What is this software?

Nginx Proxy Manager (NPM) is an open-source web UI for running Nginx as a reverse proxy: it lets administrators create proxy hosts, redirections and streams, and obtains TLS certificates from Let's Encrypt, without hand-editing Nginx configuration. It ships as a Docker image (jc21/nginx-proxy-manager) with a Node.js backend that generates the Nginx configuration, an OpenResty-based Nginx, and an admin interface on TCP port 81 by default.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system takeover with attacker gaining root privileges, installing persistent backdoors, stealing sensitive data, and pivoting to other systems.

🟠

Likely Case

Attacker executes arbitrary commands to install cryptocurrency miners, create reverse shells, or deploy ransomware on the affected system.

🟢

If Mitigated

Attack limited to containerized environment with minimal privileges and no access to host system or sensitive data.

🌐 Internet-Facing: HIGH - Nginx Proxy Manager is typically deployed as an internet-facing reverse proxy, making it directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal deployments are still vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept demonstrates command injection via Lua script injection. Exploitation requires network access to the Nginx Proxy Manager interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.9.20 and later

Vendor Advisory: https://github.com/NginxProxyManager/nginx-proxy-manager

Restart Required: Yes

Instructions:

1. Back up the current configuration (the /data volume and, if used, the /etc/letsencrypt volume).
2. Update Nginx Proxy Manager to version 2.9.20 or later (for Docker deployments: pull the new image and recreate the container).
3. Restart the Nginx Proxy Manager service.
4. Confirm the running version reports 2.9.20 or later (see "How to Verify" below).

🔧 Temporary Workarounds

Disable Lua Script Support

Platform: all

Remove or disable Lua script execution in the Nginx configuration that NPM manages.

Remove any Lua-related directives (for example access_by_lua_block, content_by_lua_block, *_by_lua_file) from nginx.conf and from proxy host configurations, including any custom locations or advanced configuration blocks. This removes the execution vector only for as long as nobody can re-add such directives, so it is a stopgap until the patch is applied, not a replacement for it.

Network Segmentation

Platform: linux

Restrict access to the Nginx Proxy Manager admin interface (TCP port 81 by default) to trusted addresses.

# Rules are evaluated in order: allow the trusted source first, then drop everything else.
# Replace 203.0.113.10 (a documentation address used here as a placeholder) with your admin host or subnet.
iptables -A INPUT -p tcp --dport 81 -s 203.0.113.10 -j ACCEPT
iptables -A INPUT -p tcp --dport 81 -j DROP

Caveat: these INPUT rules only take effect when NPM uses host networking. When the container publishes port 81 through Docker (-p 81:81), inbound packets are DNAT'd and pass through the FORWARD path and Docker's DOCKER-USER chain, never INPUT. In that case either bind the admin port to an internal address when publishing it (for example 127.0.0.1:81:81 or a management-VLAN address in the compose file), or add the restriction to DOCKER-USER, e.g. iptables -I DOCKER-USER -i <external-interface> -p tcp -m conntrack --ctorigdstport 81 ! -s 203.0.113.10 -j DROP.

🧯 If You Can't Patch

  • Isolate the vulnerable system in a separate network segment with strict firewall rules
  • Implement application-level WAF with command injection detection rules

🔍 How to Verify

Check if Vulnerable:

Check the Nginx Proxy Manager version via the admin web interface at http://your-server:81, or list the running container with: docker ps | grep nginx-proxy-manager (the image tag shown there is often "latest" and does not prove which release is running; use the package.json check below).

Check Version:

docker exec nginx-proxy-manager cat /app/package.json | grep version

(Substitute the container name shown by docker ps if yours differs.)

Verify Fix Applied:

Confirm the reported version is 2.9.20 or later. If you additionally want to test that injected Lua directives are rejected, do so on a non-production instance.
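The following script automates the version check described above. It is an added example, not part of this page or of the Nginx Proxy Manager project: it parses the version either from the package.json line printed by the docker exec command or from the JSON that the NPM backend returns for GET /api (the assumed response shape, {"status":"OK","version":{"major":..,"minor":..,"revision":..}}, is not stated on this page), then classifies it against the affected and fixed versions listed here. The sample inputs are constructed, so the script runs offline.

```python
import json
import re
import urllib.request

# Versions as stated on this page: 2.9.19 is the affected release, 2.9.20 the first fixed one.
AFFECTED_VERSION = (2, 9, 19)
FIXED_VERSION = (2, 9, 20)


def parse_version(text: str) -> tuple[int, int, int]:
    """Pull a dotted x.y.z version out of free-form text, e.g. the
    '"version": "2.9.19",' line from `docker exec ... cat /app/package.json`."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def version_from_api_body(body: str) -> tuple[int, int, int]:
    """Parse the JSON body of GET /api on the NPM backend.
    Assumption (not stated on the page): the body looks like
    {"status": "OK", "version": {"major": 2, "minor": 9, "revision": 19}}."""
    v = json.loads(body)["version"]
    return (int(v["major"]), int(v["minor"]), int(v["revision"]))


def fetch_api_version(base_url: str, timeout: float = 5.0) -> tuple[int, int, int]:
    """Query a live instance, e.g. fetch_api_version("http://your-server:81")."""
    with urllib.request.urlopen(f"{base_url.rstrip('/')}/api", timeout=timeout) as resp:
        return version_from_api_body(resp.read().decode("utf-8"))


def classify(version: tuple[int, int, int]) -> str:
    """'vulnerable' for the release this page lists as affected, 'fixed' for
    2.9.20 and later, and 'unknown' for anything older than 2.9.19, which the
    page does not cover and which should therefore be reviewed rather than assumed safe."""
    if version >= FIXED_VERSION:
        return "fixed"
    if version == AFFECTED_VERSION:
        return "vulnerable"
    return "unknown"


def check(text: str) -> str:
    """Accept either a package.json fragment or the /api JSON body and classify it."""
    try:
        version = version_from_api_body(text)
    except (ValueError, KeyError, TypeError):
        version = parse_version(text)
    return classify(version)


# Constructed sample inputs (not captured from a real instance).
SAMPLE_PACKAGE_JSON_LINE = '  "version": "2.9.19",'
SAMPLE_API_BODY = '{"status":"OK","version":{"major":2,"minor":9,"revision":20}}'

if __name__ == "__main__":
    print("package.json sample:", check(SAMPLE_PACKAGE_JSON_LINE))
    print("/api sample:", check(SAMPLE_API_BODY))
```

For a fleet, call fetch_api_version against each instance's admin URL from a host that is allowed through the port-81 restriction and feed the result to classify; a non-"fixed" result is the signal to schedule the upgrade.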

📡 Detection & Monitoring

Log Indicators:

  • Lua directives appearing in the Nginx configuration NPM generates, or runtime Lua errors in the Nginx error log, on hosts where no Lua is expected
  • Suspicious process launches by the Nginx worker (shells, curl/wget, interpreters) in system or container logs
  • Failed logins to the admin interface followed by proxy host or advanced configuration changes (NPM records configuration changes in its audit log)

Network Indicators:

  • Unexpected outbound connections from Nginx Proxy Manager
  • Command and control traffic patterns
  • Unusual payloads in HTTP requests to management interface

SIEM Query (Splunk-style; broad terms such as "script" will match benign lines, so tune to your log volume):

source="nginx-proxy-manager" AND (lua OR script OR exec OR system OR os.execute)
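The workaround above asks you to remove Lua directives from the managed configuration, and the log indicators above include Lua turning up where none is expected. The scanner below turns both into a repeatable check: it walks the Nginx configuration NPM generates and reports OpenResty Lua hook directives and Lua calls that reach the operating system. This is an added example, not code from this page or from the Nginx Proxy Manager project; the /data/nginx path is an assumption based on the usual data volume, and the two configuration snippets are constructed samples, not real NPM output.

```python
import re
from pathlib import Path

# Assumed location of the generated Nginx config inside the container (the usual
# /data volume); adjust if your deployment mounts it elsewhere.
DEFAULT_CONFIG_ROOT = Path("/data/nginx")

# OpenResty Lua hooks (access_by_lua_block, content_by_lua_file, ...) and lua_* settings.
LUA_DIRECTIVE_RE = re.compile(r"\b(\w+_by_lua(?:_block|_file)?|lua_\w+)\b")

# Lua calls that run commands, touch the filesystem, or load code at runtime.
DANGEROUS_CALL_RE = re.compile(
    r"\b(os\.execute|io\.popen|io\.open|os\.remove|os\.rename"
    r"|dofile|loadfile|loadstring|package\.loadlib|ngx\.pipe)"
)


def scan_config_text(text: str, source: str = "<inline>") -> list[dict]:
    """Return one finding per Lua directive or dangerous Lua call, with line numbers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # whole-line nginx comment
            continue
        for m in LUA_DIRECTIVE_RE.finditer(line):
            findings.append({"file": source, "line": lineno, "kind": "lua_directive", "match": m.group(1)})
        for m in DANGEROUS_CALL_RE.finditer(line):
            findings.append({"file": source, "line": lineno, "kind": "dangerous_call", "match": m.group(1)})
    return findings


def scan_config_dir(root: Path = DEFAULT_CONFIG_ROOT) -> list[dict]:
    """Walk every *.conf under root (proxy_host/, custom/, ...) and scan it."""
    findings = []
    for path in sorted(root.rglob("*.conf")):
        findings.extend(scan_config_text(path.read_text(errors="replace"), str(path)))
    return findings


def verdict(findings: list[dict]) -> str:
    kinds = {f["kind"] for f in findings}
    if "dangerous_call" in kinds:
        return "suspicious: Lua that runs commands, touches files or loads code"
    if "lua_directive" in kinds:
        return "review: Lua directives present"
    return "clean: no Lua found"


# Constructed samples (not real NPM output): a plain proxy host, and the same host
# with a Lua block injected into a location.
BENIGN_PROXY_HOST = """\
server {
  set $forward_scheme http;
  set $server "192.168.1.20";
  set $port 8080;
  listen 80;
  server_name app.example.internal;
  location / {
    proxy_pass $forward_scheme://$server:$port;
  }
}
"""

INJECTED_PROXY_HOST = """\
server {
  listen 80;
  server_name app.example.internal;
  location /health {
    content_by_lua_block {
      local h = io.popen("id")
      ngx.say(h:read("*a"))
      os.execute("touch /tmp/pwned")
    }
  }
}
"""

if __name__ == "__main__":
    root = DEFAULT_CONFIG_ROOT
    results = scan_config_dir(root) if root.is_dir() else scan_config_text(INJECTED_PROXY_HOST, "sample")
    for f in results:
        print(f"{f['file']}:{f['line']}: {f['kind']} {f['match']}")
    print(verdict(results))
```

Run it inside the container (docker exec <container> python3 scan.py) or against a copy of the data volume, and baseline it once on a freshly installed, known-good instance so that any Lua the image ships with is recognised and not reported as new; after that, any additional finding, and any finding in a proxy host file, is what to investigate.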

🔗 References

  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2023-27224
  • Project repository: https://github.com/NginxProxyManager/nginx-proxy-manager
