TL;DR

Reverse proxies (NGINX, HAProxy, Caddy, Traefik, Envoy) are the front door to your business applications. Several recent CVEs expose Australian SMBs to denial of service, privilege escalation and data leakage if left unpatched. If you run any of these at your network edge and have not patched in the last six months, you are probably exposed. This post breaks down the key vulnerabilities, their plain-English impact, and a five-minute audit checklist.


Why Your Reverse Proxy Is Your Biggest Attack Surface

Your reverse proxy is the first thing every attacker sees. It terminates TLS, routes traffic, enforces rate limits, and shields your backend applications. When it has a vulnerability, attackers don't need to touch your app — they exploit the proxy itself.

For Australian SMBs running cloud or on-premises workloads behind NGINX, HAProxy, Caddy, or Traefik, the risk is amplified because edge devices are internet-facing by design. A single unpatched CVE at this layer can mean downtime, a data breach, or a notifiable incident under the Australian Privacy Act.

Key CVEs You Need to Know About

1. CVE-2023-44487 — HTTP/2 Rapid Reset (CVSS 7.5)

Affected: NGINX before 1.25.3, Envoy before 1.27.1, and Caddy and Traefik binaries built with Go before 1.21.3 (the fix landed in Go's HTTP/2 library, so those two are fixed by a vendor release or rebuild, not a config change). HAProxy published that its HTTP/2 implementation was not affected. Cloudflare mitigated the attack on its own edge.

Impact: HTTP/2 lets a client open a stream and immediately cancel it with RST_STREAM. A cancelled stream no longer counts against the server's concurrent-stream limit, but the server has already spent CPU parsing the headers and starting the request, so one client can keep hundreds of requests in flight per connection at almost no cost to itself. Push enough of these and the proxy's workers are saturated in seconds. It is a protocol-level denial of service that needs no credentials and works against stock HTTP/2 implementations.

Exploitation: Confirmed in the wild at scale. Cloudflare reported a peak of 201 million requests per second from this technique, roughly three times the largest HTTP DDoS it had recorded before.

Patch by: Update NGINX to 1.25.3 or later (or your distribution's backported release), Envoy to 1.27.1 or later, and upgrade or rebuild Go-based proxies. On NGINX, keep the defaults that blunt the attack rather than raising them: keepalive_requests (default 1000) and http2_max_concurrent_streams (default 128), and add a per-client limit_conn. Cloudflare customers are protected at the Cloudflare edge, but the origin still needs patching, because anyone who reaches it directly can run the same attack.

2. CVE-2024-7646 — Kubernetes Ingress-NGINX Annotation Bypass (CVSS 8.8)

Affected: Kubernetes ingress-nginx controller before v1.11.2

Impact: ingress-nginx turns Ingress annotations into NGINX configuration. This bug let a crafted annotation slip past the validation that is supposed to reject dangerous values, so anyone who can create or modify an Ingress object can inject arbitrary NGINX configuration and, through it, run commands inside the controller pod. That yields the controller's service account token, and the controller's service account can read Secrets across the whole cluster, which in practice means every TLS key and credential your workloads hold.

Exploitation: The only precondition is permission to write Ingress objects, which many clusters grant to every application team and to CI pipelines. Treat it as critical if you run multi-tenant Kubernetes or let anything you do not fully trust create Ingress resources.

Patch by: Upgrade ingress-nginx to v1.11.2 or later. Later releases (v1.12.1 and v1.11.5) fixed a separate set of admission-controller flaws (CVE-2025-1974 and related), so go to the current release rather than stopping at v1.11.2. Use RBAC to restrict who can create Ingress resources, and keep the admission webhook enabled but reachable only from the API server: it is what enforces annotation validation, and it was itself the entry point for the 2025 flaws.

3. CVE-2024-7347 — NGINX MP4 Module Buffer Over-Read (CVSS 4.7)

Affected: NGINX Open Source 1.5.13 through 1.27.0 and NGINX Plus, when built with ngx_http_mp4_module and the mp4 directive is used in the configuration. Fixed in 1.27.1 and 1.26.2.

Impact: The bug is in how the module parses the MP4 file, not the request. If an attacker can get a specially crafted MP4 served through a location that uses the mp4 directive (a user-upload area you stream from, for example), processing it over-reads worker memory and crashes the worker. The master process restarts workers, so the practical effect is denial of service for every connection on that worker, repeatable at will.

Exploitation: The attacker has to plant a crafted file and have it served via the mp4 directive, not just send a request, so hosts that stream user-supplied video are the ones at real risk.

Patch by: Update to 1.27.1 / 1.26.2 or later. Check whether the module is even compiled in with nginx -V 2>&1 | grep -o with-http_mp4_module (it is off by default in source builds, but many distribution packages ship it as a dynamic module). If you do not serve MP4, leave the module out or do not load it; if you do, never point the mp4 directive at content users can upload.

4. CVE-2024-45806 — Traefik Trusts Spoofable Request Metadata (CVSS 7.5)

Affected: Traefik 2.x before 2.11.9 and 3.x before 3.1.3

Impact: Middleware such as ipAllowList (ipWhiteList in v2) and ForwardAuth-based schemes only work if the proxy's view of who is calling is accurate. Traefik let a client spoof the request metadata its IP allow-list check relies on, so an attacker could satisfy an allow-list it should have failed. The same release batch fixed CVE-2024-45410, where a client could remove or overwrite the X-Forwarded-Host, X-Forwarded-Port and related headers Traefik sets for the backend, so any backend logic that trusted those headers could be fooled too.

Exploitation: Depends on your configuration. You are exposed if anything, Traefik middleware or the backend behind it, makes an authorisation decision from the client's apparent IP or from X-Forwarded-* headers. Audit every ipAllowList and ForwardAuth middleware and every backend that reads X-Forwarded-* headers.

Patch by: Upgrade to 2.11.9 / 3.1.3 or later. On each entry point set forwardedHeaders.trustedIPs to the addresses of upstream proxies you actually operate, and never set forwardedHeaders.insecure to true in production, so Traefik discards X-Forwarded-* values from anyone else before they reach your middleware or backends.

5. Cloudflare Tunnel and WAF Misconfiguration (No Single CVE — Ongoing Risk)

Affected: Anyone fronting an origin with Cloudflare (proxied DNS, WAF, or Cloudflare Tunnel) whose origin still accepts connections from the open internet

Impact: Cloudflare only protects traffic that goes through Cloudflare. If the origin's public IP accepts 80/443 from anywhere, an attacker who learns that IP (from DNS history, certificate transparency logs, a mail header, or an old A record) connects straight to it and sidesteps every WAF rule, bot control and rate limit. Rapid Reset and the other proxy CVEs above then apply to your origin in full.

Patch by: Restrict the origin firewall (iptables/nftables, security groups, or your cloud provider's rules) so 80 and 443 accept traffic only from Cloudflare's published ranges (https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6), and refresh that list on a schedule because it changes. Stronger still: turn on Authenticated Origin Pulls so the origin demands Cloudflare's client certificate on every connection, or move to Cloudflare Tunnel, in which case the origin needs no inbound ports open at all.
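As an added example (written for this post, not code from the original article or from Cloudflare), the shell below builds an iptables allow-list for ports 80 and 443 from a list of CIDR ranges and checks an existing iptables -S listing for the bypass described above, including the case that most people miss: allow rules are present but the INPUT chain policy is still ACCEPT, so the allow rules change nothing. The two ranges and the three rule listings embedded in it are constructed samples, not the full Cloudflare list; fetch the real list from the URLs in the comments and re-run it on a schedule.

```shell
#!/bin/sh
# Added example; not code from the original post or from Cloudflare.
# CF_SAMPLE_RANGES holds two entries as a CONSTRUCTED stand-in for the real list,
# which is published at https://www.cloudflare.com/ips-v4 and
# https://www.cloudflare.com/ips-v6 and changes over time: fetch it on a
# schedule, never hard-code it.

# Read one CIDR per line on stdin and print iptables commands that accept 80/443
# only from those ranges, then drop everything else on those two ports.
build_origin_rules() {
    while IFS= read -r cidr; do
        case $cidr in ''|'#'*) continue ;; esac
        for port in 80 443; do
            echo "iptables -A INPUT -p tcp --dport $port -s $cidr -j ACCEPT"
        done
    done
    echo "iptables -A INPUT -p tcp --dport 80 -j DROP"
    echo "iptables -A INPUT -p tcp --dport 443 -j DROP"
}

# Read `iptables -S` output on stdin; succeed when 443 is reachable from the world:
# an ACCEPT rule for 443 with no -s (or -s 0.0.0.0/0), or an ACCEPT chain policy
# with no rule that drops or rejects 443.
origin_open_to_world() {
    awk '
        /^-P INPUT ACCEPT/ { policy_accept = 1 }
        /^-A INPUT / && /--dport 443( |$)/ {
            if (/-j ACCEPT/ && ($0 !~ /-s [0-9]/ || /-s 0\.0\.0\.0\/0/)) open = 1
            if (/-j (DROP|REJECT)/) closed = 1
        }
        END { if (open || (policy_accept && !closed)) exit 0; exit 1 }'
}

# ---- constructed samples ----
CF_SAMPLE_RANGES='173.245.48.0/20
103.21.244.0/22'

# Origin exposed: 443 accepted from anywhere.
OPEN_RULES='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'

# Origin locked: 443 only from the sample ranges, explicit drop afterwards.
LOCKED_RULES='-P INPUT DROP
-A INPUT -s 173.245.48.0/20 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 103.21.244.0/22 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j DROP'

# Looks locked but is not: allow rules exist, yet the chain policy is ACCEPT.
POLICY_OPEN_RULES='-P INPUT ACCEPT
-A INPUT -s 173.245.48.0/20 -p tcp -m tcp --dport 443 -j ACCEPT'

echo "# rules generated from the sample ranges:"
printf '%s\n' "$CF_SAMPLE_RANGES" | build_origin_rules
for name in OPEN_RULES LOCKED_RULES POLICY_OPEN_RULES; do
    eval "rules=\$$name"
    if printf '%s\n' "$rules" | origin_open_to_world; then
        echo "$name: BYPASSABLE, origin reachable without going through Cloudflare"
    else
        echo "$name: locked to the listed ranges"
    fi
done
```

On a real host, pipe iptables -S INPUT into origin_open_to_world (nftables users can export with iptables-nft or translate the awk to nft list ruleset output). The generated rules are deliberately plain: apply them inside your own rule ordering, keep the SSH rule above them, and remember that an allow-list only narrows who can reach the origin; Authenticated Origin Pulls or Cloudflare Tunnel is what removes the direct path entirely.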


Five-Minute Audit Checklist

Run through this right now:

  1. What version am I running? — Run nginx -v (it prints to stderr), haproxy -v, caddy version, or traefik version, and compare against the latest stable release from each vendor. For Kubernetes, read the controller image tag from the ingress-nginx deployment.
  2. Am I exposing HTTP/2? — Check your listen directives (or http2 on; in NGINX 1.25.1 and later). If yes, confirm you are on a version patched for CVE-2023-44487 and have not raised the concurrent-stream or keepalive limits above their defaults.
  3. Do I run Kubernetes ingress-nginx? — Check the controller version. Below v1.11.2 you are exposed to CVE-2024-7646; below v1.12.1 (or v1.11.5) you are exposed to the 2025 admission-controller flaws as well. Upgrade before you do anything else.
  4. Is my origin locked to Cloudflare IPs? — Run iptables -S (or nft list ruleset) or check your cloud security group. If 443 accepts traffic from 0.0.0.0/0, or the INPUT policy is ACCEPT with no explicit drop, you are bypassable.
  5. When did I last update? — If your answer is "more than three months ago," schedule patching today. Internet-facing edge components belong on at least a monthly update cadence.
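The functions below implement items 1 to 3 of this checklist, plus the Rapid Reset hardening check from section 1, as POSIX shell. This is an added example written for this post, not vendor tooling, and it runs offline against a constructed NGINX version banner, a constructed nginx.conf and a constructed ingress-nginx image reference; the comments say which real command output to substitute for each. The version thresholds it uses (1.25.3 for CVE-2023-44487, 1.11.2 for CVE-2024-7646) are the ones stated above.

```shell
#!/bin/sh
# Added example for the five-minute checklist; not code from the original post or any vendor.
# Runs offline on CONSTRUCTED inputs. On a real host replace them with:
#   NGINX_BANNER=$(nginx -v 2>&1)                       # nginx prints its version to stderr
#   SAMPLE_CONF=$(mktemp) && nginx -T >"$SAMPLE_CONF"    # full config with includes expanded
#   INGRESS_IMAGE=$(kubectl -n ingress-nginx get deploy ingress-nginx-controller \
#       -o jsonpath='{.spec.template.spec.containers[0].image}')

# version_ge A B: succeed when dotted version A is greater than or equal to B.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# Pull "1.24.0" out of "nginx version: nginx/1.24.0 (Ubuntu)".
nginx_version() {
    printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/\([0-9][0-9.]*\).*#\1#p'
}

# Pull "1.10.1" out of an ingress-nginx controller image reference such as
# registry.k8s.io/ingress-nginx/controller:v1.10.1@sha256:...
ingress_nginx_version() {
    printf '%s\n' "$1" | sed -n 's#^.*/controller:v\([0-9][0-9.]*\).*#\1#p'
}

# Succeed when an uncommented "listen ... http2;" or "http2 on;" enables HTTP/2.
http2_enabled() {
    grep -Ev '^[[:space:]]*#' "$1" |
        grep -Eq '^[[:space:]]*(listen[^;]*[[:space:]]http2|http2[[:space:]]+on)[[:space:]]*;'
}

# Print each Rapid Reset hardening directive that is absent (or only commented out).
h2_hardening_missing() {
    for d in http2_max_concurrent_streams keepalive_requests limit_conn_zone; do
        grep -Ev '^[[:space:]]*#' "$1" | grep -Eq "^[[:space:]]*$d[[:space:]]" || echo "$d"
    done
}

# ---- constructed sample inputs (not taken from any real host) ----
NGINX_BANNER='nginx version: nginx/1.24.0 (Ubuntu)'
INGRESS_IMAGE='registry.k8s.io/ingress-nginx/controller:v1.10.1@sha256:0000000000000000000000000000000000000000000000000000000000000000'
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
http {
    keepalive_requests 1000;
    server {
        listen 443 ssl http2;
        # http2_max_concurrent_streams 128;   commented out, so not in effect
        server_name edge.example.internal;
    }
}
EOF

audit() {
    v=$(nginx_version "$NGINX_BANNER")
    if version_ge "$v" 1.25.3; then
        echo "nginx $v: at or above 1.25.3 (CVE-2023-44487 fix)"
    else
        echo "nginx $v: below 1.25.3, patch and keep HTTP/2 limits at their defaults"
    fi
    if http2_enabled "$SAMPLE_CONF"; then
        echo "HTTP/2 is enabled; hardening directives not set:"
        h2_hardening_missing "$SAMPLE_CONF" | sed 's/^/  - /'
    fi
    iv=$(ingress_nginx_version "$INGRESS_IMAGE")
    if version_ge "$iv" 1.11.2; then
        echo "ingress-nginx $iv: fixed for CVE-2024-7646"
    else
        echo "ingress-nginx $iv: vulnerable to CVE-2024-7646, upgrade now"
    fi
}

audit
```

version_ge compares dotted versions component by component rather than as strings, so 1.25.10 correctly ranks above 1.25.3; that matters because distribution packages and container tags both produce two-digit patch levels. Use nginx -T rather than reading nginx.conf directly, otherwise a listen directive in an included site file is missed.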

FAQ

I use Cloudflare, am I safe? Cloudflare patches their infrastructure quickly for protocol-level attacks like HTTP/2 Rapid Reset. But your origin server still needs patching, and misconfigured tunnels or WAF rules leave you exposed. Cloudflare is a layer of defence, not the entire defence.

I'm a small business, am I really a target? Yes. Automated scanners don't discriminate by company size: they find every internet-facing NGINX or HAProxy instance and probe it for known CVEs. What turns a scan into an incident is how long the gap between a patch being released and a patch being applied stays open, and that gap tends to be widest in small businesses without a dedicated IT function.

Which reverse proxy is safest? Caddy and Traefik are written in Go, which rules out the memory-corruption bug class behind the NGINX mp4 issue, but they inherit vulnerabilities in Go's HTTP stack, which is exactly how Rapid Reset reached them. HAProxy has a strong security track record for raw proxying and was not affected by Rapid Reset at all. No software is immune; the safest choice is whichever one you keep patched and properly configured.

How often should I check for CVEs? Subscribe to your vendor's security advisory mailing list. At minimum, review quarterly. For internet-facing edge components, monthly is the baseline. The ACSC's alert service (cyber.gov.au) also publishes relevant advisories for Australian organisations.


Conclusion

Your reverse proxy is not set-and-forget infrastructure. Rapid Reset and an exposed origin need nothing but a network path from the internet; the ingress-nginx and Traefik issues need only the low-privilege access (a permission to write Ingress objects, a spoofable header) that many environments hand out without a second thought. The difference between a breached SMB and a secure one is rarely which proxy they chose. It's whether they patched it.

Start with the five-minute checklist above. Then subscribe to your vendor's security advisories.

Need help auditing your edge infrastructure? Visit consult.lil.business for a free cybersecurity assessment tailored to Australian small businesses.


References

  1. CVE-2023-44487 — HTTP/2 Rapid Reset, NIST National Vulnerability Database
  2. CVE-2024-7646 — Ingress-NGINX Annotation Bypass, Kubernetes Security Advisory
  3. Australian Cyber Security Centre — Vulnerability Disclosures and Alerts
  4. Cloudflare HTTP/2 Rapid Reset Attack Analysis
  5. NGINX Security Advisories

TL;DR

  • A company that makes hospital equipment had 200,000 computers wiped clean in one attack
  • The bad guys used "wiper malware"—like pouring bleach on your homework instead of locking it in a box
  • Unlike regular ransomware, this data can't be recovered even if you pay
  • The company will take weeks or months to recover

What Is Wiper Malware? (Think About Your Homework)

Imagine two ways someone could mess with your homework:

Ransomware is like a bully locking your homework in a box and saying, "Give me your lunch money and I'll give you the key." You can't read your homework, but it's still there—you just need to get it back.

Wiper malware is like someone pouring bleach on your homework. It's gone forever. No key, no money, no nothing. You have to redo the whole thing from scratch.

The attack on Stryker Corporation was the bleach kind [1]. A company that makes hospital equipment—like surgical tools and hospital beds—had every single computer, phone, and tablet wiped clean [2]. We're talking 200,000 devices [3]. Imagine if your family's phones, tablets, and computers all went blank at the same time. Now imagine that happening to a whole company with 56,000 employees [4].

Why Didn't They Just Pay to Get Their Data Back?

Here's the scary part: wiper malware attacks don't ask for money. The bad guys aren't trying to get rich—they're trying to break things [5].

In this case, a group called Handala claimed they did it because they were mad about a political conflict happening on the other side of the world [6]. Stryker—a company that helps hospitals—just happened to be a big, important target that would get attention [7].

This is different from most cyberattacks you hear about, where criminals want money. These attackers wanted to cause damage and make headlines [8].

How Long Does It Take to Recover from This?

Think about the last time your computer crashed and you had to restart it. Now imagine every computer at your school had to be completely rebuilt from scratch—that means reinstalling every program, copying every file from backups, and setting everything up again [9].

For Stryker, this will take weeks or months [10]. Thousands of employees can't do their jobs. Factories are stopped. Research is paused. It's like every office in every country closed at once [11].

What Your Parents' Business Can Do to Stay Safe

You can't stop every bad guy, but you can make it much harder for them to cause this much damage. Here's what every business needs:

1. Have Good Backups (Like a Spare Copy of Your Homework)

If your homework gets bleach poured on it, you better have a spare copy. Businesses need backups that are kept separate from their main computers—like keeping a spare house key at a friend's house, not under your doormat [12].

2. Don't Connect Everything to One Network

An attack can only wipe 200,000 devices at once if the malware can reach all of them through the same network and management systems. It's like having all your Christmas lights plugged into one outlet: if one goes bad, they all go out [13]. Smart businesses keep important systems separate so problems can't spread everywhere.

3. Have a Plan for When Things Go Wrong

Your family probably has a plan for what to do if the power goes out. Businesses need the same thing for cyberattacks. What will you do if your computers stop working for a week? Can you still answer phones? Can you take orders on paper? [14]

FAQ

Could this happen to my parents' business? Yes. Any business or person with a computer could be targeted. That's why it's so important to have good backups and security habits, like not clicking on strange links or downloading files from people you don't know [15].

Why would anyone attack a company that helps hospitals? Sometimes attackers target big companies to get attention or make a political point. It's not fair to the people who work there or the hospitals that need the equipment, but that's the world we live in now [16].

Is wiper malware worse than ransomware? In some ways, yes. With ransomware, you might be able to pay to get your files back. With wiper malware, your files are just gone forever. You have to start over completely [17].

What can I do to help? If you use a computer for school or at home, follow good security habits: use strong passwords, don't click on weird links, and tell your parents or teacher if something looks wrong. Businesses are just like families: they need everyone to help stay safe [18].

References

[1] International Business Times AU, "What is Stryker Cyberattack? Stryker Corporation Hit by Suspected Iran-Linked Cyberattack," International Business Times Australia, March 11, 2026. [Online]. Available: https://www.ibtimes.com.au/what-stryker-cyberattack-stryker-corporation-hit-suspected-iran-linked-cyberattack-1863111

[2] Ibid.

[3] Ibid.

[4] Ibid.

[5] CISA, "Understanding Ransomware," Cybersecurity and Infrastructure Security Agency, 2025. [Online]. Available: https://www.cisa.gov/stopransomware/understanding-ransomware

[6] International Business Times AU, "What is Stryker Cyberattack?" 2026.

[7] Industrial Cyber, "Cyber retaliation surges after US–Israel strikes on Iran as hacktivists hit governments, defense, critical sectors," Industrial Cyber, March 10, 2026. [Online]. Available: https://industrialcyber.co/reports/cyber-retaliation-surges-after-us-israel-strikes-on-iran-as-hacktivists-hit-governments-defense-critical-sectors/

[8] Flashpoint, "Navigating 2026's Converged Threats: Insights from Flashpoint's Global Threat Intelligence Report," Flashpoint, March 11, 2026. [Online]. Available: https://flashpoint.io/blog/global-threat-intelligence-report-2026/

[9] International Business Times AU, "What is Stryker Cyberattack?" 2026.

[10] Ibid.

[11] Ibid.

[12] Veeam, "2025 Data Protection Report," Veeam, 2025. [Online]. Available: https://www.veeam.com/data-protection-report

[13] CISA, "Network Segmentation," Cybersecurity and Infrastructure Security Agency, 2025. [Online]. Available: https://www.cisa.gov/news-events/news/understanding-and-addressing-network-segmentation

[14] NIST, "Computer Security Incident Handling Guide (SP 800-61 Rev. 2)," National Institute of Standards and Technology, 2025. [Online]. Available: https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final

[15] Flashpoint, "Navigating 2026's Converged Threats," 2026.

[16] International Business Times AU, "What is Stryker Cyberattack?" 2026.

[17] CISA, "Understanding Ransomware," 2025.

[18] Flashpoint, "Navigating 2026's Converged Threats," 2026.


Want to make sure your business is ready for anything? Book a free cybersecurity consultation at consult.lil.business—we'll help you protect what you've built.
