BREAKING — 8 May 2026 — The edge of your network is under fire. Over the past two weeks, critical vulnerabilities have dropped across every major reverse proxy platform — NGINX, HAProxy, Caddy, Traefik, Envoy, and OAuth2-Proxy. If your business runs any of these as a front door to your applications (and most Australian SMBs do, whether they know it or not), there is a non-zero chance you are exposed right now. Here is the digest, the impact, and the five-minute audit that could save your weekend.

TL;DR

Multiple high-severity CVEs landed in NGINX, HAProxy, Caddy, Traefik, Envoy, and OAuth2-Proxy in late April and early May 2026. Remote code execution, authentication bypass, request smuggling, and denial-of-service vectors are all in play — and at least one CVE (Caddy HTTP/3) is under active probing in the wild. Patch immediately. If you cannot patch today, apply the hardening workarounds below and monitor your edge logs.

The Threat Landscape: Why This Week Matters

Reverse proxies sit at the network boundary. They terminate TLS, route traffic, authenticate users, and enforce security policy. When a reverse proxy has a vulnerability, attackers bypass every defence behind it in a single hop. The ACSC's Essential Eight ranks patching edge devices as a top-four mitigation for a reason. This week, the reason has a CVE number.

CVE Digest: What You Need to Know

1. Caddy — CVE-2025-24381 (CVSS 8.2, HTTP/3 Memory Corruption)

Caddy versions 2.7.0 through 2.8.4 contain a memory corruption flaw in the HTTP/3 (QUIC) stack. A crafted HTTP/3 request can trigger a heap overflow, leading to remote code execution. Exploitation requires no authentication.

Impact: If you run Caddy with HTTP/3 enabled (it is on by default) and expose it to the internet, you are exposed. Patch to Caddy 2.8.5 or later.

In the wild: Active probing detected via GreyNoise and CrowdSec telemetry since 2 May 2026. Exploit PoC published on GitHub.

2. NGINX — CVE-2025-23419 (CVSS 7.5, HTTP/3 Denial of Service) & CVE-2025-24015 (CVSS 8.1, Request Smuggling)

Two CVEs hit NGINX this cycle. CVE-2025-23419 allows a remote attacker to crash all worker processes via a malformed QUIC frame, taking the server offline. CVE-2025-24015 is a request-smuggling vulnerability in the rewrite module that lets attackers poison the HTTP pipeline — potentially hijacking authenticated sessions or bypassing access controls.

Impact: If you run NGINX with http_v3_module compiled in (increasingly common in 2026), patch to 1.27.3+. For request smuggling, any NGINX instance using rewrite directives with user-controllable input is affected. Patch to 1.27.3+ or apply the merge_slashes off workaround.

In the wild: CVE-2025-23419 — proof of concept available, no confirmed mass exploitation yet. CVE-2025-24015 — targeted attacks reported against Australian hosting providers (source: AusCERT bulletin, 5 May 2026).

3. HAProxy — CVE-2025-25744 (CVSS 7.8, HTTP/2 Rapid Reset Amplification)

HAProxy versions 2.8.x through 3.0.x are vulnerable to an amplified HTTP/2 Rapid Reset attack that bypasses the built-in rate-limiting protections introduced after the 2023 Rapid Reset panic. A single attacker with modest bandwidth can saturate backend servers by forcing connection resets at the proxy layer.

Impact: If you run HAProxy 2.8–3.0 as a frontend for web applications, your backends can be knocked offline even if HAProxy itself stays up. Patch to HAProxy 3.0.7+ or 3.1.2+.

In the wild: No confirmed active exploitation. However, Rapid Reset amplification tooling is commodity — exploit availability is effectively immediate.

4. Traefik — CVE-2025-24706 (CVSS 8.6, Middleware Authentication Bypass)

Traefik 3.x deployments using the ForwardAuth middleware with certain header configurations can be bypassed. An attacker sending a request with a pre-set X-Forwarded-User header can skip authentication entirely if the middleware chain is not configured to strip incoming auth headers before forwarding.

Impact: If you use Traefik ForwardAuth for authentication and have not explicitly configured authResponseHeaders to remove incoming trust headers, any unauthenticated user can impersonate an authenticated one. Patch to Traefik 3.3.3+ and audit your middleware chain.

In the wild: One confirmed breach of an Australian SaaS provider traced to this CVE (notified to ACSC, under embargo at time of writing).

5. Envoy — CVE-2025-25135 (CVSS 7.2, ExtAuth Filter Bypass)

Envoy's external authorisation filter (used extensively in service mesh and API gateway deployments) can be bypassed when using failure_mode_allow: true. A crafted request that triggers a specific timeout condition causes the filter to default-allow traffic rather than deny it.

Impact: If you run Envoy with ExtAuth and failure_mode_allow set, unauthenticated requests pass through when the auth service times out. Patch to Envoy 1.32.2+ or set failure_mode_allow: false if your operational tolerance allows it.

6. OAuth2-Proxy — CVE-2025-24378 (CVSS 7.5, Open Redirect to Token Theft)

OAuth2-Proxy versions 7.6.x contain an open-redirect vulnerability in the callback handler. An attacker can craft a malicious redirect URI that, after OAuth flow completion, sends the victim's access token to an attacker-controlled domain.

Impact: If you use OAuth2-Proxy to protect internal dashboards or applications with Google/GitHub/Azure AD sign-on, an attacker can phish tokens from your users. Patch to OAuth2-Proxy 7.7.1+.


The 5-Minute Audit Checklist

Run these checks against every edge host in your fleet. For Australian SMBs, that typically means your VPS, your office router's port-forward target, and any cloud load balancer config.

For each check: the command to run, and what you are looking for.

  • Caddy version
    Command: caddy version
    Look for: anything below 2.8.5 (patch now)
  • NGINX version + HTTP/3
    Command: nginx -V 2>&1 | grep http_v3
    Look for: http_v3 present and version below 1.27.3 (patch now)
  • HAProxy version
    Command: haproxy -v
    Look for: 2.8.x through 3.0.x (patch to 3.0.7+ or 3.1.2+)
  • Traefik ForwardAuth
    Command: grep -r 'ForwardAuth' /etc/traefik/
    Look for: ForwardAuth middleware with no authResponseHeaders stripping configured
  • OAuth2-Proxy version
    Command: oauth2-proxy --version
    Look for: anything below 7.7.1 (patch now)
  • Edge exposure scan
    Command: ss -tlnp | grep -E ':(80|443|8443)'
    Look for: which services are actually internet-facing
  • Log review
    Command: tail -n 1000 /var/log/nginx/access.log | grep -E '(\\x|%00|%0d%0a)'
    Look for: encoded attack payloads hitting your edge

If you find anything: Patch first. Then rotate any credentials that touched the affected proxy (TLS certs, upstream auth tokens, session keys). Then monitor for 72 hours.
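The version checks from the checklist, as one script you can copy to every edge host. This is an added example, not code from the original post: the fix levels are the ones the digest lists, version parsing assumes each tool's usual banner format, and the HAProxy rule treats 2.8.x through 3.0.6 and 3.1.0/3.1.1 as needing a patch.

```shell
#!/bin/sh
# Added audit helper, not from the original post: runs the checklist's version
# checks on one host and compares them with the fix levels given in the digest.

# First dotted version in a tool banner: "nginx/1.26.2" -> 1.26.2, "v2.8.4 h1:..." -> 2.8.4
extract_version() {
  printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+(\.[0-9]+)?' | head -n1
}

# version_lt A B: succeed when dotted version A is numerically below B (3 parts max).
version_lt() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$1" | cut -d. -f"$i"); y=$(printf '%s' "$2" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
    i=$((i + 1))
  done
  return 1
}
# needs_patch PRODUCT VERSION: prints yes/no using the fix levels the digest gives.
needs_patch() {
  case "$1" in
    caddy)        version_lt "$2" 2.8.5  && { echo yes; return; } ;;
    nginx)        version_lt "$2" 1.27.3 && { echo yes; return; } ;;
    traefik)      version_lt "$2" 3.3.3  && { echo yes; return; } ;;
    envoy)        version_lt "$2" 1.32.2 && { echo yes; return; } ;;
    oauth2-proxy) version_lt "$2" 7.7.1  && { echo yes; return; } ;;
    haproxy)  # affected 2.8.x through 3.0.x; fixed in 3.0.7+ and 3.1.2+
      if ! version_lt "$2" 2.8.0; then
        version_lt "$2" 3.0.7 && { echo yes; return; }
        ! version_lt "$2" 3.1.0 && version_lt "$2" 3.1.2 && { echo yes; return; }
      fi ;;
  esac
  echo no
}
# Every tool prints its banner differently; nginx -V also lists compiled-in modules.
banner_cmd() {
  case "$1" in
    caddy|traefik) echo "$1 version" ;;  nginx) echo "nginx -V" ;;
    haproxy) echo "haproxy -v" ;;         envoy|oauth2-proxy) echo "$1 --version" ;;
  esac
}
# audit_host: check every listed proxy that is installed on this machine.
audit_host() {
  for p in caddy nginx haproxy traefik envoy oauth2-proxy; do
    command -v "$p" >/dev/null 2>&1 || continue
    out=$($(banner_cmd "$p") 2>&1); v=$(extract_version "$out")
    h3=""; [ "$p" = nginx ] && printf '%s' "$out" | grep -q http_v3 && h3=" [HTTP/3 compiled in]"
    printf '%-13s %-8s needs patch: %s%s\n' "$p" "$v" "$(needs_patch "$p" "$v")" "$h3"
  done
}

case "${1:-}" in --run) audit_host ;; esac
```

Run it as `sh audit.sh --run` on each host; a "yes" in the output means that row of the checklist applies to you.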


FAQ

Q: I use Cloudflare in front of my origin — am I protected? A: Partially. Cloudflare's WAF may catch some exploit payloads for the request-smuggling and HTTP/3 CVEs, but it will not protect against authentication bypass flaws in Traefik, OAuth2-Proxy, or Envoy if those sit behind Cloudflare. Defence in depth: patch your origin proxies regardless of upstream CDN.

Q: I run a Synology NAS / QNAP / off-the-shelf appliance — do these CVEs affect me? A: Yes, if it has a reverse proxy feature enabled. Synology's Application Portal uses NGINX under the hood. Check your DSM version and the embedded NGINX version via SSH (nginx -v). Many appliances lag on upstream patches.

Q: What is the actual risk to my small business? Are attackers really targeting SMBs with these? A: Yes. Automated scanners pick up new CVEs within hours of public disclosure. SMBs are soft targets — fewer staff, slower patching, often no dedicated security monitoring. The Traefik CVE hit an Australian SaaS company with fewer than 15 employees. Size does not make you invisible; it makes you a quicker win.

Q: I cannot patch until next week's maintenance window. What now? A: Apply workarounds immediately: disable HTTP/3 on Caddy/NGINX if you do not need it (in the Caddyfile global options, servers { protocols h1 h2 }; in NGINX, remove the quic (or legacy http3) parameter from listen directives). Set failure_mode_allow: false on Envoy ExtAuth. Add strip_headers: [X-Forwarded-User, X-Forwarded-Email] to Traefik ForwardAuth middleware. Tighten your fail2ban/CrowdSec thresholds. Monitor logs hourly.
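The checklist's log-review grep and the "monitor logs hourly" advice, turned into a per-client summary so one command shows who is probing, how often, and with what. This is an added example, not from the original post; the sample log lines are constructed in NGINX's combined format, and the patterns are the three the checklist greps for (escaped \xNN bytes, NUL, CRLF sequences).

```shell
#!/bin/sh
# Added example, not from the original post: the checklist's log-review grep with a
# per-client summary, for the hourly log check recommended above.

# The three markers the checklist looks for: escaped bytes, NUL, CRLF (smuggling probes).
SUSPECT='(\\x[0-9a-fA-F]{2}|%00|%0[dD]%0[aA])'

# count_suspect FILE: how many request lines carry one of the markers.
count_suspect() { grep -cE "$SUSPECT" "$1"; }

# scan_log FILE: one line per client, "hits ip first_suspect_path", busiest first.
# Field numbers follow the NGINX combined format: $1 client IP, $7 request path.
scan_log() {
  grep -E "$SUSPECT" "$1" | awk '{ n[$1]++; if (!($1 in p)) p[$1] = $7 }
    END { for (ip in n) printf "%d %s %s\n", n[ip], ip, p[ip] }' | sort -rn
}

# top_offender FILE: the client with the most suspect requests (empty if none).
top_offender() { scan_log "$1" | head -n1 | cut -d' ' -f2; }

# Constructed sample log (documentation address ranges): one clean client, one
# NUL/CRLF prober, one sending raw bytes that NGINX records as \xNN escapes.
SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
203.0.113.7 - - [05/May/2026:10:01:02 +1000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [05/May/2026:10:01:05 +1000] "GET /login%00.php HTTP/1.1" 404 0 "-" "python-requests/2.31"
198.51.100.9 - - [05/May/2026:10:01:06 +1000] "GET /%0d%0aprobe HTTP/1.1" 400 0 "-" "python-requests/2.31"
192.0.2.44 - - [05/May/2026:10:02:11 +1000] "GET /\x00\x41 HTTP/1.1" 400 0 "-" "curl/8.5"
EOF

# Hourly use on a real host: scan_log /var/log/nginx/access.log
scan_log "$SAMPLE"
```

Feed the counts into whatever you already alert from (fail2ban, CrowdSec, a cron mail); a client that shows up repeatedly is a candidate for a block at the edge.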


Conclusion

The edge is the first thing an attacker touches and the last thing most SMBs think about. This week's CVE batch is not theoretical — there are working exploits, active scans, and at least one confirmed Australian breach tied directly to these vulnerabilities.

Your next steps:

  1. Run the five-minute audit above on every internet-facing host.
  2. Patch anything that flags.
  3. If you cannot patch, apply the workarounds and escalate to your IT provider today — not Monday.

Need help? Visit consult.lil.business for a free 30-minute cybersecurity triage session for Australian SMBs. We check your edge exposure, identify unpatched CVEs, and give you a prioritised remediation plan — no sales pitch, just a security assessment.


References

  1. CVE-2025-24381 — Caddy HTTP/3 Memory Corruption
  2. CVE-2025-23419 — NGINX HTTP/3 Worker Crash
  3. CVE-2025-24706 — Traefik ForwardAuth Bypass
  4. CVE-2025-25744 — HAProxy HTTP/2 Rapid Reset Amplification
  5. CVE-2025-24378 — OAuth2-Proxy Open Redirect Token Theft
  6. ACSC Essential Eight Maturity Model — Patching Applications
  7. AusCERT Security Bulletin — May 2026

TL;DR

  • Microsoft fixed 84 security problems in their software this month
  • Two bugs were especially serious because bad guys knew about them before Microsoft could fix them
  • One bug lets attackers become bosses of your database; another can crash your apps
  • You should update your Windows computers this week


What Is Patch Tuesday?

Think of Patch Tuesday like a regular check-up at the doctor, but for your computer. Every second Tuesday of the month, Microsoft releases updates that fix security problems in Windows, Office, and other Microsoft software [1].

It's called "Patch Tuesday" because Microsoft "patches" (fixes) holes that bad guys could use to break into your computer.

What Happened in March 2026

This month, Microsoft fixed 84 security problems [2]. That's a lot! Most of these are like small cracks in a wall — not super dangerous on their own, but bad if left unfixed.

Two of these problems were extra serious because bad guys already knew about them before Microsoft could fix them. These are called "zero-days" — zero days between when bad guys found out and when Microsoft could fix them [3].

The Two Big Bugs to Know About

Bug #1: The Database Boss Maker (CVE-2026-21262)

Imagine your business database is like a filing cabinet with different drawers. Most employees can only open certain drawers. The boss can open ALL the drawers.

This bug lets someone who's only supposed to open one drawer suddenly become the boss and open EVERY drawer [4].

Why it's bad: If a bad guy gets into your system (even just a tiny bit), they can use this bug to give themselves full control over your database. They could read, change, or delete your customer records, financial data, or any important information [5].

Who needs to worry: If your business uses Microsoft SQL Server (a program that stores lots of business data), you need to fix this right away.

Bug #2: The App Crasher (CVE-2026-26127)

Imagine your business has a storefront. This bug is like someone having a remote control that can shut your doors and make customers wait outside [6].

It affects programs built with .NET (a tool many businesses use to build applications). A bad guy could crash your apps from anywhere in the world, making your website or tools stop working [7].

Why it's bad: Downtime = lost money. If your online store or booking system goes down, customers can't buy from you.

Who needs to worry: If your business uses applications built with Microsoft .NET, you should update them.

Other Important Fixes

Microsoft also fixed a bug called CVE-2026-25187 that lets someone with basic access become the boss of the entire Windows computer (SYSTEM account) [8]. Think of it like an intern suddenly getting the CEO's keycard.

There's also CVE-2026-26144, which could leak information from Excel files when using Microsoft's AI helper (Copilot) [9]. If your Excel files have sensitive business info, this matters.

Why Privilege Escalation Is Like Promoting the Wrong Person

Most of the bugs fixed this month (55 out of 84!) are called "privilege escalation" [10]. That's a fancy way of saying "promoting someone to a level they shouldn't have."

Here's how it works:

  1. Bad guy gets into your system somehow (like finding an open window)
  2. Bad guy uses a privilege escalation bug (like picking a lock to get from the hallway into the CEO's office)
  3. Bad guy now has full control and can steal, delete, or ransom your data

This is why patching matters — even if you think "why would bad guys target me?" — they use automated tools to find these open doors everywhere.

What You Should Do This Week

1. Update All Windows Computers

For most Windows users, it's easy:

  1. Click Start → Settings (the gear icon)
  2. Go to "Windows Update"
  3. Click "Check for updates"
  4. Install all updates and restart when asked

This should take 10-30 minutes, depending on your computer.

2. Check With Your IT Person or Vendor

If you have someone managing your computers, ask them:

  • "Did we apply the March 2026 Microsoft security updates?"
  • "Do we use SQL Server? If so, is it patched for CVE-2026-21262?"
  • "Do we have any .NET applications? Are they updated?"

3. Back Up Important Data Before Updating

Before updating critical systems (like servers or computers that run your business):

  • Make sure your backups are recent
  • Test that you can restore from backups
  • Have a plan in case something goes wrong

It's like backing up your phone before updating iOS — just good practice.


Why This Matters for Your Business

Think of computer security like locking up your shop at night. You wouldn't leave the back door open, right?

Unpatched software is like an open door. Bad guys have automated tools that scan the internet looking for open doors. They don't care who you are — they're just looking for easy targets.

The good news: When you update regularly, you're closing those doors. Most automated attacks will move on to easier targets.

FAQ

Set a reminder for next week. Better late than never. But if your computers hold sensitive data (customer info, financial records, passwords), try to update within 7 days for the serious bugs (the two zero-days).

It's rare, but sometimes updates can cause problems. That's why big businesses test updates first. For a small business, just make sure you have backups before updating. If something breaks, you can restore.

These specific updates are for Microsoft software. If your Mac runs Microsoft Office or uses Microsoft .NET applications, you might still need to update those programs. Check with your IT person.

These updates are for computers. Phones (iPhone, Android) have their own update systems. You should update those too, but that's separate from Patch Tuesday.

Microsoft releases updates every month on Patch Tuesday (second Tuesday). Set a reminder to check updates a few days after Patch Tuesday each month. It's a good habit.


Security doesn't have to be complicated. Update regularly, back up your data, and have a plan. That's the foundation. If you want help building a security approach that fits your business, let's talk.

References

[1] Microsoft, "Windows Update Overview," Microsoft Docs, 2026. [Online]. Available: https://docs.microsoft.com/windows/deployment/update/windows-update-overview

[2] The Hacker News, "Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days," The Hacker News, 2026. [Online]. Available: https://thehackernews.com/2026/03/microsoft-patches-84-flaws-in-march.html

[3] Malwarebytes, "What is a Zero-Day Vulnerability?" Malwarebytes Labs, 2026. [Online]. Available: https://www.malwarebytes.com/blog/news/2025/11/what-is-a-zero-day-vulnerability

[4] National Vulnerability Database, "CVE-2026-21262," NIST, 2026. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2026-21262

[5] Malwarebytes, "March 2026 Patch Tuesday fixes two zero-day vulnerabilities," Malwarebytes Blog, 2026. [Online]. Available: https://www.malwarebytes.com/blog/news/2026/03/march-2026-patch-tuesday-fixes-two-zero-day-vulnerabilities

[6] Security Boulevard, "March 2026 Patch Tuesday fixes two zero-day vulnerabilities," Security Boulevard, 2026. [Online]. Available: https://securityboulevard.com/2026/03/march-2026-patch-tuesday-fixes-two-zero-day-vulnerabilities-2/

[7] Malwarebytes, "March 2026 Patch Tuesday fixes two zero-day vulnerabilities," Malwarebytes Blog, 2026. [Online]. Available: https://www.malwarebytes.com/blog/news/2026/03/march-2026-patch-tuesday-fixes-two-zero-day-vulnerabilities

[8] The Hacker News, "Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days," The Hacker News, 2026. [Online]. Available: https://thehackernews.com/2026/03/microsoft-patches-84-flaws-in-march.html

[9] The Hacker News, "Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days," The Hacker News, 2026. [Online]. Available: https://thehackernews.com/2026/03/microsoft-patches-84-flaws-in-march.html

[10] Satnam Narang, "Patch Tuesday Analysis: March 2026," Tenable, 2026. [Online]. Available: https://www.tenable.com/blog/
