<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Incusd &lt; 7.1.0 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/incusd--7.1.0/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 10:36:22 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/incusd--7.1.0/feed.xml" rel="self" type="application/rss+xml"/><item><title>Incus S3 Multipart Upload Path Traversal Leading to RCE (CVE-2026-48753)</title><link>https://feed.craftedsignal.io/briefs/2026-07-incus-s3-path-traversal-rce/</link><pubDate>Fri, 03 Jul 2026 10:36:22 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-incus-s3-path-traversal-rce/</guid><description>The Incus `incusd` daemon, specifically its S3 protocol multipart upload endpoint in versions prior to 7.1.0, is vulnerable to CVE-2026-48753, a critical path traversal flaw via the `uploadId` parameter, enabling unauthenticated attackers to write arbitrary files to any location on the host system, which can be leveraged for persistent arbitrary command execution.</description><content:encoded><![CDATA[<p>A critical path traversal vulnerability, tracked as CVE-2026-48753, has been identified in the Incus <code>incusd</code> daemon affecting versions prior to 7.1.0. This flaw resides within the S3 protocol's multipart upload endpoint, specifically in the handling of the <code>uploadId</code> parameter. Attackers can leverage this unsanitized parameter to inject path traversal sequences (e.g., <code>../../</code>) and write arbitrary files to sensitive locations on the host system. This arbitrary file write capability can be escalated to achieve persistent arbitrary command execution, for instance, by creating malicious cron jobs in <code>/etc/cron.d</code>. The successful exploitation of this vulnerability would grant an unauthenticated attacker the ability to execute commands with the privileges of the Incus service, posing a significant risk of full system compromise for affected Linux deployments utilizing Incus's S3 functionality.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a vulnerable Incus instance (version &lt; 7.1.0) with an exposed S3 API, typically via <code>incus config set core.storage_buckets_address</code>.</li>
<li>The attacker crafts a multipart S3 <code>PUT</code> request, targeting an S3 bucket configured on the vulnerable Incus instance.</li>
<li>The <code>uploadId</code> query parameter within the <code>PUT</code> request is maliciously manipulated, containing path traversal sequences such as <code>../../../../etc/cron.d</code>.</li>
<li>The request body is populated with the content of a malicious cron job entry, for example, <code>* * * * * root /bin/sh -c 'id &gt; /incus-s3-uploadid-bash-rce; rm -f /etc/cron.d/part-00001'</code>.</li>
<li>Due to the vulnerability in <code>internal/server/storage/s3/local/multipart.go</code>, Incus concatenates the unsanitized <code>uploadId</code> directly into the target file path during the upload process.</li>
<li>This results in an arbitrary file write on the host system, placing the malicious cron job content into a file like <code>/etc/cron.d/part-00001</code>.</li>
<li>The system's cron daemon periodically executes entries found in <code>/etc/cron.d</code>, triggering the newly created malicious job, leading to arbitrary command execution (e.g., <code>id &gt; /incus-s3-uploadid-bash-rce</code>).</li>
<li>The executed cron job also includes a command to delete itself (<code>rm -f /etc/cron.d/part-00001</code>), providing persistent remote code execution while attempting to remove forensic evidence.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The primary impact of CVE-2026-48753 is the ability for an unauthenticated attacker to achieve arbitrary file write on the host system where Incus is running. This directly enables arbitrary command execution, as demonstrated by the ability to install persistent cron jobs. Successful exploitation can lead to a complete compromise of the Incus host, allowing attackers to establish persistence, exfiltrate data, disrupt services, or pivot to other systems within the network. This vulnerability is critical due to its unauthenticated nature and the severe consequences of command execution.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-48753 immediately</strong> by upgrading your Incus installation to version 7.1.0 or later as advised by the advisory.</li>
<li><strong>Deploy the Sigma rule in this brief</strong> to your SIEM/EDR to detect exploitation attempts of CVE-2026-48753 by monitoring for suspicious S3 PUT requests.</li>
<li><strong>Monitor web server access logs</strong> for HTTP PUT requests to S3 endpoints that contain path traversal sequences (<code>../../</code> or <code>..%2F..%2F</code>) in the <code>uploadId</code> query parameter.</li>
<li><strong>Enable comprehensive file integrity monitoring</strong> for critical system directories like <code>/etc/cron.d</code>, <code>/tmp</code>, and other common locations for malicious file drops.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>path-traversal</category><category>rce</category><category>incus</category><category>s3</category><category>linux</category><category>vulnerability</category></item></channel></rss>