<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Anyquery ( &lt; 0.4.5) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/anyquery---0.4.5/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 14 Jul 2026 19:16:28 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/anyquery---0.4.5/feed.xml" rel="self" type="application/rss+xml"/><item><title>Anyquery Arbitrary File Write (AFW) Leads to Remote Code Execution (RCE)</title><link>https://feed.craftedsignal.io/briefs/2026-07-anyquery-afw-rce/</link><pubDate>Tue, 14 Jul 2026 19:16:28 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-anyquery-afw-rce/</guid><description>Anyquery in server mode is vulnerable to arbitrary file write (AFW) due to its failure to restrict native SQLite disk manipulation commands like `ATTACH DATABASE`. Unauthenticated attackers can connect to the MySQL-compatible server port and write arbitrary files (e.g., PHP webshells, malicious cronjobs) to any path writable by the Anyquery process, which can lead to remote code execution (RCE) with the privileges of the Anyquery process, significantly impacting system integrity and availability.</description><content:encoded><![CDATA[<p>A critical vulnerability (CVE-2026-50006) has been identified in Anyquery versions prior to 0.4.5, specifically when the application is operating in <code>server</code> mode. Unauthenticated attackers can leverage this flaw by connecting to the exposed MySQL-compatible server port. The vulnerability stems from Anyquery's failure to restrict SQLite's <code>ATTACH DATABASE</code> command, allowing adversaries to write arbitrary files to the underlying filesystem. This Arbitrary File Write (AFW) can be exploited to achieve Remote Code Execution (RCE) by dropping malicious files such as PHP web shells into web server directories or injecting cronjob entries into system directories like <code>/etc/cron.d</code>. This means an attacker can gain control over the affected system with the privileges of the running Anyquery process, posing a severe threat to data integrity and system availability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker connects to the exposed Anyquery MySQL-compatible server port (e.g., 8070).</li>
<li>The attacker executes an <code>ATTACH DATABASE</code> SQL command to specify a new SQLite database file and a sensitive target path on the victim's filesystem (e.g., <code>/etc/cron.d/pwn</code> or <code>/var/www/html/shell.php</code>).</li>
<li>The attacker creates a table within the newly attached database using <code>CREATE TABLE</code>.</li>
<li>The attacker injects a malicious payload (e.g., a reverse shell command for a cronjob, or PHP <code>system()</code> function for a web shell) into the table using an <code>INSERT INTO</code> SQL command.</li>
<li>Anyquery writes the SQLite database file containing the malicious payload to the specified sensitive path.</li>
<li>A system service (e.g., cron daemon, web server) attempts to process the newly created file, ignoring the SQLite binary header and parsing the valid injected malicious code.</li>
<li>The malicious code (e.g., reverse shell, web shell commands) is executed with the privileges of the Anyquery process, leading to Remote Code Execution.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability carries a CVSS score of 9.1 (Critical), indicating high severity. If exploited, the integrity of the affected system is severely compromised as arbitrary files can be written or overwritten, potentially corrupting critical system data. Availability is also highly impacted, as overwriting essential system files or configurations can lead to a complete Denial of Service (DoS). When Anyquery runs with elevated privileges (e.g., as root) or can write to critical directories like web roots or cronjob folders, the AFW escalates directly to Remote Code Execution (RCE) with a CVSS score of 9.8 (Critical), allowing full system compromise, persistence, and potential privilege escalation.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-50006 by upgrading Anyquery to version 0.4.5 or later immediately.</li>
<li>Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious file creations by the <code>anyquery</code> process.</li>
<li>Enable <code>file_event</code> logging for Linux endpoints to capture file creations in sensitive directories like <code>/etc/cron.d/</code> and <code>/var/www/html/</code>.</li>
<li>Enable <code>process_creation</code> logging to monitor for suspicious <code>anyquery</code> process command-line arguments, especially <code>--host 0.0.0.0</code>.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>arbitrary-file-write</category><category>rce</category><category>anyquery</category><category>sqlite</category><category>server-mode</category><category>vulnerability</category></item></channel></rss>