Share
## https://sploitus.com/exploit?id=AA8B1B33-B80B-55C8-B0E4-259D40E1996E
Nginx UI Discovery Scanner - CVE-2026-27944 Version Detector

https://img.shields.io/badge/python-3.6+-blue.svg

https://img.shields.io/badge/license-MIT-green

https://img.shields.io/badge/threading-multi--threaded-brightgreen

Author: NULL200OK

A high‑performance, multi‑threaded scanner to discover Nginx UI web interfaces, detect their version, and identify instances vulnerable to CVE‑2026‑27944 (versions ≤ 2.3.2).

The tool uses passive fingerprinting (titles, headers, body patterns) and probes common API endpoints to accurately identify Nginx UI installations across large networks.

🔍 **Features**

Flexible target input – scan a single host, a CIDR range (e.g., 192.168.1.0/24), or a list from a file.

Multi‑port scanning – checks common Nginx UI ports (80, 443, 8080, 8443, 9000, 9001, 9080, 9443) or custom lists.

Fingerprinting – identifies Nginx UI via:

Page title (Nginx UI)

HTTP headers (Server, X-Powered-By)

Body regex patterns (version strings, UI identifiers)

Version extraction – from /api/version JSON, embedded HTML/JS, or response headers.

Direct vulnerability check – detects the presence of the /api/backup endpoint with the X-Backup-Security header (a clear sign of CVE‑2026‑27944).

Confidence scoring – reduces false positives by combining multiple detection signals.

Vulnerable‑only mode – show only instances that are confirmed vulnerable.

Output to JSON/CSV – save results for further analysis.

Fast multi‑threading – scan hundreds of hosts in seconds.

🚨 **Why This Matters**

CVE‑2026‑27944 is a critical vulnerability in Nginx UI ≤ 2.3.2 that allows any unauthenticated attacker to download and decrypt the server’s full backup, exposing:

User credentials and session tokens

SSL private keys

Application secrets

Full Nginx configuration

This scanner helps you quickly locate vulnerable instances in your environment before attackers do.

⚙️ Installation

bash

git clone https://github.com/NULL200OK/nginx-ui-scanner.git

cd nginx-ui-scanner

pip install requests

No additional dependencies are required (the scanner does not need pycryptodome).

🔧 Usage

text

usage: nginxui_discover.py [-h] (--target TARGET | --cidr CIDR | --file FILE) [--port PORT] [--ports PORTS] [--ssl] [--threads THREADS] [--timeout TIMEOUT] [--output OUTPUT] [--vulnerable-only] [--no-banner]

Examples

bash

# Scan a single host (default ports)

python3 nginxui_discover.py --target 192.168.1.100

# Scan a CIDR range with 50 threads, save JSON results

python3 nginxui_discover.py --cidr 192.168.1.0/24 --threads 50 --output results.json

# Scan from a file, show only vulnerable instances

python3 nginxui_discover.py --file targets.txt --vulnerable-only

# Scan a specific port with HTTPS forced

python3 nginxui_discover.py --target example.com --port 8443 --ssl

**Output**

text

Nginx UI Discovery Scanner - CVE-2026-27944 Version Detection

Threads: 20 | Timeout: 5s | Date: 2026-03-10 14:23:45


[*] Starting scan of 256 targets × 8 ports = 2048 checks

[42/2048] 🔴 VULNERABLE | http://192.168.1.105:9000 | v2.3.2 | confidence: 85%

[87/2048] 🟢 PATCHED | https://192.168.1.110:8443 | v2.4.0 | confidence: 72%

...

**SCAN SUMMARY**

Nginx UI instances found: 12

  - Vulnerable (≤2.3.2): 3
  - 
  - Patched/Unknown: 9
  - 
📚 How It Works

Build scan jobs – expands targets and ports into a list of (host, port) pairs.

Multi‑threaded probing – for each combination, sends HTTP requests to common paths:

/ – root page

/api/version – version API

/api/backup – vulnerable endpoint

/login, /dashboard, /static/js/main.js – additional fingerprints

Fingerprint analysis – examines responses for Nginx UI indicators and assigns a confidence score.

Version extraction – uses JSON parsing, header inspection, and regex on the page body.

Vulnerability check – marks as vulnerable if version ≤ 2.3.2 or the /api/backup endpoint returns the X-Backup-Security header.

Real‑time reporting – displays results as they come in; saves to file if requested.

⚠️ Disclaimer

This tool is intended for authorized security assessments and educational purposes only.

Unauthorized scanning of networks you do not own or have explicit permission to test is illegal. The author (NULL200OK) assumes no liability for misuse.

📄 License

MIT License – see LICENSE for details.

📬 References

CVE‑2026‑27944 (placeholder)

Nginx UI Official Site