TL;DR

Your reverse proxy is the front door to everything. If it's vulnerable, nothing behind it matters. This digest covers recent high-impact CVEs in NGINX, HAProxy, the Kubernetes Ingress NGINX controller and OAuth2-Proxy, plus the HTTP/2 Rapid Reset flaw that hit every HTTP/2 proxy, each with a plain-English impact line, and closes with a 5-minute audit checklist you can run right now.

Why Your Reverse Proxy Is Your Biggest Blind Spot

Most Australian SMBs focus hard on endpoint protection and email security. Fair enough — both matter. But the reverse proxy sitting in front of your website, API, or app is the one component that touches every single inbound request. A vulnerability here means attackers bypass your application logic entirely. They don't need credentials. They don't need a phishing email. They just need you to be unpatched.

If you run NGINX, HAProxy, Caddy, Traefik, Envoy, or Cloudflare in front of anything (and statistically, you do), here are the CVEs that matter right now.

CVE-2024-7646 — Kubernetes Ingress NGINX Annotation Validation Bypass

CVSS: 8.8 (High) Affected: Kubernetes Ingress NGINX controller versions before 1.11.2 In the wild: No confirmed exploitation reported, but the only precondition is the ability to create or update an Ingress object, which many developers and CI service accounts already have.

Plain English: If you run Kubernetes with the NGINX Ingress controller, anyone who can create or update Ingress objects can abuse the auth-url annotation to smuggle arbitrary directives into the NGINX configuration the controller generates. In the default setup the controller's service account can read every Secret in the cluster, so a namespace-level foothold becomes the controller's credentials and, from there, cluster-wide secrets. This is not an unauthenticated bypass of your app's login from the internet; it is a privilege escalation for anyone already inside the cluster, including a compromised build pipeline.

Patch by: Upgrade the Ingress NGINX controller to v1.11.2 or later. Until then, restrict Ingress create/update rights to the people and pipelines that need them and review any existing auth-url and auth-signin annotations.

CVE-2024-45506 — HAProxy HTTP/2 Endless Loop (Denial of Service)

CVSS: 7.5 (High) Affected: HAProxy 2.9.x before 2.9.10 and 3.0.x before 3.0.4 (2.8 and older release lines are not affected) In the wild: No confirmed exploitation reported; the trigger is crafted HTTP/2 traffic, so treat it as low effort for an attacker.

Plain English: If HAProxy terminates HTTP/2 on an affected version, a crafted HTTP/2 request can send a worker thread into an endless loop at 100% CPU. Nothing is leaked and no code runs, but a handful of such requests can pin every thread and the process stops serving traffic until it is restarted. No botnet required.

Patch by: Upgrade HAProxy to 2.9.10+ or 3.0.4+. If you are on 2.8 LTS you are not affected by this one, but take the newest release in your line anyway.

CVE-2024-32760 — NGINX HTTP/3 (QUIC) Module Worker Crash

Severity: Medium per the NGINX security advisory (one of four HTTP/3 issues fixed together in May 2024) Affected: NGINX OSS 1.25.0 through 1.25.5 and 1.26.0, only when built with the HTTP/3 module and configured with a quic listener In the wild: No confirmed exploitation reported; requires an HTTP/3 listener.

Plain English: If your NGINX was built with the HTTP/3 module (nginx -V shows --with-http_v3_module) and a server block has listen 443 quic, a specially crafted QUIC session can corrupt worker memory, crashing the worker process or with other potential impact. HTTP/3 was still marked experimental in these releases and many builds do not include it, so the first question is whether you are serving QUIC at all.

Patch by: Upgrade NGINX to 1.27.0+ or 1.26.1+ (the checklist floors of 1.27.1 / 1.26.2 are newer and also cover this). If you cannot upgrade immediately, remove the quic listener until you can.

CVE-2024-47907 — OAuth2-Proxy Open Redirect

CVSS: 6.1 (Medium) Affected: OAuth2-Proxy versions before 7.6.0 In the wild: Yes. Actively used in phishing campaigns that exploit trust in OAuth login flows.

Plain English: If you use OAuth2-Proxy to protect internal apps (common with Google Workspace SSO setups), an attacker can craft a link to your real sign-in endpoint whose post-login redirect (the rd parameter) points at a site they control. The victim sees your genuine login page, authenticates successfully, then lands on the attacker's page, which can impersonate yours and harvest whatever it asks for next. It is a phishing aid rather than an authentication bypass, but it lends your domain's credibility to the lure, which is exactly what defeats staff who have been told to check the address bar.

Patch by: Upgrade OAuth2-Proxy to 7.6.0 or later.
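To make the bug class concrete, here is an added example (mine, not oauth2-proxy's code; the hostnames are made up) of the redirect check that typically fails and a check that holds. oauth2-proxy's own control for this is the --whitelist-domain flag; the point here is to see which attacker-supplied rd values a "must start with a slash" check lets through, and why.

```python
"""Post-login redirect validation (added example; not oauth2-proxy's code).

Shows the naive check behind most open redirects, the inputs that slip past
it, and an allowlist check that holds. Hostnames are constructed. In
oauth2-proxy the corresponding control is --whitelist-domain; this is the
logic to understand, not a drop-in replacement.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"sso.example.com", "app.example.com"}  # constructed allowlist

# Values an attacker might put in ?rd= (constructed).
BYPASSES = [
    "//evil.example",                          # scheme-relative: browser goes to evil.example
    "/\\evil.example",                         # browsers treat '\' as '/', so this is //evil.example
    "///evil.example",                         # also scheme-relative
    "\\\\evil.example",
    "https://evil.example/",
    "https://sso.example.com@evil.example/",   # userinfo trick: the real host is evil.example
    "https://sso.example.com.evil.example/",   # prefix-match trick
    "https:evil.example",                      # no authority; some parsers still build a URL
    "javascript:alert(1)",
]
LEGITIMATE = ["/", "/dashboard?x=1", "https://app.example.com/home", "https://SSO.example.com:443/x"]


def naive_is_safe(rd):
    """The check most open-redirect bugs hide behind: 'starts with / and is not http'."""
    return rd.startswith("/") and not rd.startswith("http")


def is_safe_redirect(rd, allowed_hosts=ALLOWED_HOSTS):
    """Allow same-origin relative paths or absolute http(s) URLs whose host is allowlisted."""
    if not rd:
        return False
    rd = rd.replace("\\", "/")           # normalise backslashes the way browsers do
    if rd.startswith("/"):
        return not rd.startswith("//")   # a relative path is fine; //host is off-site
    parts = urlsplit(rd)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname                # strips userinfo and port, lowercases
    return host is not None and host in allowed_hosts


def naive_accepts(candidates):
    """Attacker-controlled values that pass the naive check; each one is a working open redirect."""
    return [c for c in candidates if naive_is_safe(c)]


def strict_accepts(candidates, allowed_hosts=ALLOWED_HOSTS):
    """Values the allowlist check lets through."""
    return [c for c in candidates if is_safe_redirect(c, allowed_hosts)]


if __name__ == "__main__":
    print("naive check lets through:", naive_accepts(BYPASSES))
    print("strict check lets through:", strict_accepts(BYPASSES))
    print("strict check keeps:", strict_accepts(LEGITIMATE))
```

The backslash and userinfo cases are the ones worth remembering: a regex that only looks for "http" or for a leading "//" misses both, and both produce a redirect to the attacker's host in every mainstream browser.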

CVE-2023-44487 — HTTP/2 Rapid Reset (Ongoing)

CVSS: 7.5 (High) Affected: NGINX, HAProxy, Envoy, Traefik, Caddy, and almost everything else that speaks HTTP/2 In the wild: Yes. Disclosed in October 2023 after it powered the record-breaking DDoS attacks of that year, and still actively exploited.

Plain English: If any of your reverse proxies serve HTTP/2 to the internet (most do by default now), an attacker can open a request stream and immediately cancel it with RST_STREAM, over and over on a single connection. Each cancel frees the slot under the concurrent-stream limit while the server is still doing the work it started, so a handful of connections can pin every worker with almost no bandwidth. This is a denial-of-service vector: your site goes offline, your API stops responding.

Patch by: Every major project shipped patches or mitigations within days of the October 2023 disclosure (the Go standard library fix covers Caddy and Traefik; NGINX 1.25.3 added explicit detection of clients that abuse stream resets, on top of its default keepalive_requests and http2_max_concurrent_streams limits). The question is whether you applied them. Check your versions and upgrade anything older than its project's fix release.

5-Minute Audit Checklist

Run this right now. Open a terminal on your reverse proxy host:

  1. NGINX: nginx -v (it prints to stderr, so use nginx -v 2>&1 if you pipe it). Are you on 1.27.1+ or 1.26.2+? If not, patch tonight. Then nginx -V 2>&1 | grep -o with-http_v3_module and nginx -T 2>/dev/null | grep -E 'listen .*quic' to see whether you are serving HTTP/3 at all.
  2. HAProxy: haproxy -v. On 2.9.x you need 2.9.10+; on 3.0.x, 3.0.4+; on 2.8 and 2.6, take the newest release in your line. Then grep -E '^\s*bind .*alpn .*h2' /etc/haproxy/haproxy.cfg to confirm whether you terminate HTTP/2.
  3. Caddy: caddy version. Caddy does not update itself; if it came from a package repository your package manager updates it, otherwise the binary is your responsibility. Verify you're on 2.8+.
  4. Kubernetes Ingress NGINX: kubectl get pods -n ingress-nginx -o jsonpath='{.items[*].spec.containers[*].image}'. Must be v1.11.2+ (the CVE-2024-7646 fix); newer lines such as 1.12.x are fine. Then see which Ingress objects rely on auth annotations: kubectl get ingress -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}{"\t"}{.metadata.annotations.nginx\.ingress\.kubernetes\.io/auth-url}{"\n"}{end}'.
  5. OAuth2-Proxy: oauth2-proxy --version (or read the image tag in your deployment). Must be 7.6.0+. Then check the config: redirect-url is the OAuth callback and should point at your own host; whitelist-domain is what limits where the rd parameter may send users after login. If it is unset or broader than your own domains, fix that regardless of version.
  6. Cloudflare: No action needed on your end for edge CVEs, because Cloudflare patches its own edge. But verify your origin isn't directly exposed: firewall rules should allow inbound web traffic only from Cloudflare's published IP ranges.
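The checklist above as a script, added here as an example (not from the original post or any of the projects named): it parses the output of the same commands, compares against the fix releases quoted in this digest, and adds the HTTP/2 and HTTP/3 exposure checks. Python rather than shell so the version comparison is numeric (1.26.10 is newer than 1.26.9) and so it runs offline against constructed sample banners; the SAMPLE_* strings and hostnames are invented and are replaced by live output when the binaries are on PATH. The kubectl outputs have to be pasted in, since the script does not talk to a cluster.

```python
"""Reverse-proxy version audit: the checklist above as code (added example).

Parses the output of the commands the checklist names, compares against the
fix releases quoted in this digest, and flags HTTP/3 listeners, HTTP/2
frontends and Ingress objects that rely on auth annotations. SAMPLE_* values
are constructed, not captured from a real host.
"""
import json
import re
import shutil
import subprocess

# Floor per release line, from the digest above (adjust to the advisories you track).
# A version on a line not listed here is compared against the highest entry.
FIXED = {
    "nginx": ["1.27.1", "1.26.2"],
    "haproxy": ["3.0.4", "2.9.10", "2.8.10", "2.6.16"],
    "caddy": ["2.8.0"],
    "ingress-nginx": ["1.11.2"],
    "oauth2-proxy": ["7.6.0"],
}
VERSION_RE = re.compile(r"\d+\.\d+\.\d+")

# Constructed sample outputs for offline runs.
SAMPLE_NGINX_V = "nginx version: nginx/1.24.0 (Ubuntu)"
SAMPLE_NGINX_BUILD = "configure arguments: --prefix=/etc/nginx --with-http_v2_module --with-http_v3_module"
SAMPLE_NGINX_CONF = "server {\n    listen 443 quic reuseport;\n    listen 443 ssl;\n}\n"
SAMPLE_HAPROXY_V = "HAProxy version 2.9.7-1 2024/04/05 - https://haproxy.org/"
SAMPLE_HAPROXY_CFG = "frontend fe_https\n    bind :443 ssl crt /etc/haproxy/site.pem alpn h2,http/1.1\n"
SAMPLE_CADDY = "v2.7.6 h1:constructed="
SAMPLE_IMAGE = "registry.k8s.io/ingress-nginx/controller:v1.10.1@sha256:0f8c1a0b"
SAMPLE_O2P = "oauth2-proxy v7.5.1 (built with go1.21.6)"
SAMPLE_INGRESS_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "apps", "name": "grafana", "annotations": {
        "nginx.ingress.kubernetes.io/auth-url": "https://sso.example.internal/oauth2/auth"}}},
    {"metadata": {"namespace": "apps", "name": "public-site", "annotations": {}}},
]})


def extract_version(text):
    """First x.y.z in a version banner, e.g. 'nginx version: nginx/1.24.0' -> '1.24.0'."""
    m = VERSION_RE.search(text or "")
    return m.group(0) if m else None


def vtuple(v):
    return tuple(int(x) for x in v.split("."))


def is_patched(product, version):
    """True if version is at or above the floor for its major.minor line, or newer than all lines."""
    have = vtuple(version)
    floors = [vtuple(f) for f in FIXED[product]]
    same_line = [f for f in floors if f[:2] == have[:2]]
    if same_line:
        return have >= same_line[0]
    return have >= max(floors)   # older, unlisted lines are end-of-life: treat as unpatched


def nginx_http3_exposed(build_flags, config_dump):
    """QUIC is reachable only if the module is compiled in AND a quic listener is configured."""
    built = "--with-http_v3_module" in build_flags
    listening = re.search(r"^\s*listen\s[^;]*\bquic\b", config_dump, re.M) is not None
    return built and listening


def haproxy_h2_enabled(config_text):
    """True if any bind line advertises h2 via ALPN, i.e. HAProxy terminates HTTP/2."""
    return re.search(r"^\s*bind\s[^\n]*\balpn\s+\S*\bh2\b", config_text, re.M) is not None


def ingresses_with_auth(kubectl_json):
    """namespace/name of Ingress objects using auth-url or auth-signin (kubectl get ingress -A -o json)."""
    hits = []
    for item in json.loads(kubectl_json).get("items", []):
        meta = item["metadata"]
        if any(k.endswith(("/auth-url", "/auth-signin")) for k in meta.get("annotations", {})):
            hits.append(f"{meta['namespace']}/{meta['name']}")
    return hits


def run(cmd):
    """Live output (stdout+stderr merged, since nginx -v prints to stderr) or None if not installed."""
    if shutil.which(cmd[0]) is None:
        return None
    r = subprocess.run(cmd, capture_output=True, text=True)
    return r.stdout + r.stderr


def audit(product, banner):
    version = extract_version(banner)
    status = "OK" if version and is_patched(product, version) else "PATCH NOW"
    return f"{product:14} {version or '?':10} {status}"


def main():
    checks = [
        ("nginx", run(["nginx", "-v"]) or SAMPLE_NGINX_V),
        ("haproxy", run(["haproxy", "-v"]) or SAMPLE_HAPROXY_V),
        ("caddy", run(["caddy", "version"]) or SAMPLE_CADDY),
        ("ingress-nginx", SAMPLE_IMAGE),   # paste the kubectl jsonpath output here
        ("oauth2-proxy", run(["oauth2-proxy", "--version"]) or SAMPLE_O2P),
    ]
    for product, banner in checks:
        print(audit(product, banner))
    print("nginx HTTP/3 reachable:", nginx_http3_exposed(SAMPLE_NGINX_BUILD, SAMPLE_NGINX_CONF))
    print("haproxy terminates HTTP/2:", haproxy_h2_enabled(SAMPLE_HAPROXY_CFG))
    print("ingresses using auth annotations:", ingresses_with_auth(SAMPLE_INGRESS_JSON))


if __name__ == "__main__":
    main()
```

Run it on the proxy host as the user that can read the configs. With the constructed samples every product comes back PATCH NOW, which is the point: a 2.9.7 HAProxy looks recent but is below its line's floor, and string comparison would have called 1.24.0 "greater than" 1.26.2.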

If any check fails, treat it as a same-day fix — not next week's backlog item.

FAQ

I use Cloudflare. Am I protected against all of these? Cloudflare patches their own edge automatically, but if you run NGINX, HAProxy, or any reverse proxy behind Cloudflare (most SMBs do), you still need to patch your own software. Cloudflare is a layer, not a replacement.

Which reverse proxy is safest for a small Australian business? Caddy has the smallest attack surface and automatic HTTPS with sane defaults. For a single-server setup with fewer than 10 services, Caddy reduces your operational risk significantly. For high-traffic or complex routing, HAProxy with strict config management is the hardened choice.

How often should I check for reverse proxy CVEs? Weekly. Subscribe to the security announce mailing lists for whichever proxy you run. NGINX, HAProxy, and Caddy all publish advisories promptly. Alternatively, use an automated vulnerability scanner that covers your network edge.

Do I need to worry about this if I only serve internal apps? Yes. Lateral movement often starts at the network edge. If your reverse proxy is reachable from any network segment — even a VPN — it's a target.

Conclusion

Your reverse proxy is not set-and-forget infrastructure. Every major proxy has shipped critical patches in the last 12 months, and exploitation is no longer theoretical — it's automated, commoditised, and happening continuously. Run the 5-minute checklist above, patch what's behind, and subscribe to advisories for whatever you run. Five minutes of version checking today prevents a weekend of incident response later.

Need help auditing your network edge? Visit consult.lil.business for a free cybersecurity assessment.

References

  1. NGINX Security Advisories — F5
  2. HAProxy Security Advisories — HAProxy Technologies
  3. CVE-2024-7646 Detail — NIST National Vulnerability Database
  4. CVE-2023-44487 HTTP/2 Rapid Reset — Cloudflare Technical Breakdown

TL;DR

  • A company that makes hospital equipment had 200,000 computers wiped clean in one attack
  • The bad guys used "wiper malware"—like pouring bleach on your homework instead of locking it in a box
  • Unlike regular ransomware, this data can't be recovered even if you pay
  • The company will take weeks or months to recover

What Is Wiper Malware? (Think About Your Homework)

Imagine two ways someone could mess with your homework:

Ransomware is like a bully locking your homework in a box and saying, "Give me your lunch money and I'll give you the key." You can't read your homework, but it's still there—you just need to get it back.

Wiper malware is like someone pouring bleach on your homework. It's gone forever. No key, no money, no nothing. You have to redo the whole thing from scratch.

The attack on Stryker Corporation was the bleach kind [1]. A company that makes hospital equipment—like surgical tools and hospital beds—had every single computer, phone, and tablet wiped clean [2]. We're talking 200,000 devices [3]. Imagine if your family's phones, tablets, and computers all went blank at the same time. Now imagine that happening to a whole company with 56,000 employees [4].

Why Didn't They Just Pay to Get Their Data Back?

Here's the scary part: wiper malware attacks don't ask for money. The bad guys aren't trying to get rich—they're trying to break things [5].

In this case, a group called Handala claimed they did it because they were mad about a political conflict happening on the other side of the world [6]. Stryker—a company that helps hospitals—just happened to be a big, important target that would get attention [7].

This is different from most cyberattacks you hear about, where criminals want money. These attackers wanted to cause damage and make headlines [8].

How Long Does It Take to Recover from This?

Think about the last time your computer crashed and you had to restart it. Now imagine every computer at your school had to be completely rebuilt from scratch—that means reinstalling every program, copying every file from backups, and setting everything up again [9].

For Stryker, this will take weeks or months [10]. Thousands of employees can't do their jobs. Factories are stopped. Research is paused. It's like every office in every country closed at once [11].

What Your Parents' Business Can Do to Stay Safe

You can't stop every bad guy, but you can make it much harder for them to cause this much damage. Here's what every business needs:

1. Have Good Backups (Like a Spare Copy of Your Homework)

If your homework gets bleach poured on it, you better have a spare copy. Businesses need backups that are kept separate from their main computers—like keeping a spare house key at a friend's house, not under your doormat [12].

2. Don't Connect Everything to One Network

Wiper attacks hit this many devices at once when everything is connected and managed through the same systems. It's like having all your Christmas lights plugged into one outlet: if one goes bad, they all go out [13]. Smart businesses keep important systems separate so problems can't spread everywhere.

3. Have a Plan for When Things Go Wrong

Your family probably has a plan for what to do if the power goes out. Businesses need the same thing for cyberattacks. What will you do if your computers stop working for a week? Can you still answer phones? Can you take orders on paper? [14]

FAQ

Could this happen to my parents' business? Yes. Any business or person with a computer could be targeted. That's why it's so important to have good backups and security habits, like not clicking on strange links or downloading files from people you don't know [15].

Why would anyone attack a company that helps hospitals? Sometimes attackers target big companies to get attention or make a political point. It's not fair to the people who work there or the hospitals that need the equipment, but that's the world we live in now [16].

Is wiper malware worse than ransomware? In some ways, yes. With ransomware, you might be able to pay to get your files back. With wiper malware, your files are just gone forever. You have to start over completely [17].

What can I do to help? If you use a computer for school or at home, follow good security habits: use strong passwords, don't click on weird links, and tell your parents or teacher if something looks wrong. Businesses are just like families: they need everyone to help stay safe [18].

References

[1] International Business Times AU, "What is Stryker Cyberattack? Stryker Corporation Hit by Suspected Iran-Linked Cyberattack," International Business Times Australia, March 11, 2026. [Online]. Available: https://www.ibtimes.com.au/what-stryker-cyberattack-stryker-corporation-hit-suspected-iran-linked-cyberattack-1863111

[2] Ibid.

[3] Ibid.

[4] Ibid.

[5] CISA, "Understanding Ransomware," Cybersecurity and Infrastructure Security Agency, 2025. [Online]. Available: https://www.cisa.gov/stopransomware/understanding-ransomware

[6] International Business Times AU, "What is Stryker Cyberattack?" 2026.

[7] Industrial Cyber, "Cyber retaliation surges after US–Israel strikes on Iran as hacktivists hit governments, defense, critical sectors," Industrial Cyber, March 10, 2026. [Online]. Available: https://industrialcyber.co/reports/cyber-retaliation-surges-after-us-israel-strikes-on-iran-as-hacktivists-hit-governments-defense-critical-sectors/

[8] Flashpoint, "Navigating 2026's Converged Threats: Insights from Flashpoint's Global Threat Intelligence Report," Flashpoint, March 11, 2026. [Online]. Available: https://flashpoint.io/blog/global-threat-intelligence-report-2026/

[9] International Business Times AU, "What is Stryker Cyberattack?" 2026.

[10] Ibid.

[11] Ibid.

[12] Veeam, "2025 Data Protection Report," Veeam, 2025. [Online]. Available: https://www.veeam.com/data-protection-report

[13] CISA, "Network Segmentation," Cybersecurity and Infrastructure Security Agency, 2025. [Online]. Available: https://www.cisa.gov/news-events/news/understanding-and-addressing-network-segmentation

[14] NIST, "Computer Security Incident Handling Guide (SP 800-61 Rev. 2)," National Institute of Standards and Technology, 2025. [Online]. Available: https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final

[15] Flashpoint, "Navigating 2026's Converged Threats," 2026.

[16] International Business Times AU, "What is Stryker Cyberattack?" 2026.

[17] CISA, "Understanding Ransomware," 2025.

[18] Flashpoint, "Navigating 2026's Converged Threats," 2026.


Want to make sure your business is ready for anything? Book a free cybersecurity consultation at consult.lil.business—we'll help you protect what you've built.
