{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/cockpit-359/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Cockpit 359"],"_cs_severities":["high"],"_cs_tags":["rce","webapps","exploit"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eA remote code execution (RCE) vulnerability affects Cockpit version 359. A public exploit (EDB-52572) demonstrating the vulnerability has been published on Exploit-DB. Cockpit is a web-based system administration interface. The existence of a public exploit significantly raises the risk to systems running unpatched instances of Cockpit 359. Attackers can leverage this exploit to execute arbitrary code on the target system, potentially leading to complete system compromise. Defenders should prioritize patching or mitigating this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Cockpit 359 instance accessible over the network.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request containing the RCE exploit.\u003c/li\u003e\n\u003cli\u003eThe malicious request is sent to the vulnerable Cockpit instance.\u003c/li\u003e\n\u003cli\u003eThe Cockpit application processes the request, triggering the RCE vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code on the server, such as injecting a web shell.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the web shell for further reconnaissance within the compromised network.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain administrative access.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys malware or exfiltrates sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of the RCE vulnerability in Cockpit 359 allows attackers to execute arbitrary code on the affected system. This can lead to complete system compromise, data breaches, and further lateral movement within the network. The availability of a public exploit makes this vulnerability easily exploitable by both sophisticated and unsophisticated threat actors. Organizations using Cockpit 359 are at high risk until they apply the necessary patches or implement mitigation measures.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Cockpit 359 RCE Attempt\u003c/code\u003e to your SIEM to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eApply available patches for Cockpit 359 to remediate the RCE vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity targeting Cockpit instances to detect unusual requests.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T13:31:32Z","date_published":"2026-05-21T13:31:32Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cockpit-rce/","summary":"Cockpit version 359 is vulnerable to remote code execution, and a public exploit is available on Exploit-DB, increasing the risk for unpatched systems.","title":"Cockpit 359 Remote Code Execution Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-cockpit-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Cockpit 359","version":"https://jsonfeed.org/version/1.1"}