{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/mirofish/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7058"}],"_cs_exploited":false,"_cs_products":["MiroFish"],"_cs_severities":["high"],"_cs_tags":["command-injection","vulnerability","ipc"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA command injection vulnerability, identified as CVE-2026-7058, affects 666ghj MiroFish up to version 0.1.2. The vulnerability resides in the \u003ccode\u003eSimulationIPCClient.send_command\u003c/code\u003e function within the \u003ccode\u003ebackend/app/services/simulation_ipc.py\u003c/code\u003e file, specifically within the Inter-Process Communication component. This flaw allows a remote attacker to inject and execute arbitrary commands on the system. Public disclosure of the exploit exists, increasing the risk of exploitation. The vendor was notified, but has not yet responded. This vulnerability poses a significant risk as it allows for complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable MiroFish instance running version 0.1.2 or earlier.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious command injection payload.\u003c/li\u003e\n\u003cli\u003eAttacker sends a request to the \u003ccode\u003eSimulationIPCClient.send_command\u003c/code\u003e function via the Inter-Process Communication mechanism.\u003c/li\u003e\n\u003cli\u003eThe vulnerable function \u003ccode\u003eSimulationIPCClient.send_command\u003c/code\u003e fails to properly sanitize the attacker-supplied input.\u003c/li\u003e\n\u003cli\u003eThe unsanitized input is passed to a system call.\u003c/li\u003e\n\u003cli\u003eThe system executes the injected command with the privileges of the MiroFish process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform actions such as installing malware, exfiltrating data, or pivoting to other systems on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this command injection vulnerability (CVE-2026-7058) allows an attacker to execute arbitrary commands on the affected system. This could lead to complete system compromise, data breaches, denial of service, or further lateral movement within the network. Given the public availability of the exploit, organizations using MiroFish 0.1.2 or earlier are at high risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply appropriate input validation and sanitization to the \u003ccode\u003eSimulationIPCClient.send_command\u003c/code\u003e function to prevent command injection.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests targeting the \u003ccode\u003ebackend/app/services/simulation_ipc.py\u003c/code\u003e endpoint (see rules below).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided to detect potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-mirofish-command-injection/","summary":"A command injection vulnerability exists in 666ghj MiroFish version 0.1.2 via the SimulationIPCClient.send_command function, allowing remote attackers to execute arbitrary commands.","title":"MiroFish Command Injection Vulnerability (CVE-2026-7058)","url":"https://feed.craftedsignal.io/briefs/2024-01-03-mirofish-command-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7042"}],"_cs_exploited":false,"_cs_products":["MiroFish"],"_cs_severities":["high"],"_cs_tags":["cve-2026-7042","authentication-bypass","rest-api"],"_cs_type":"advisory","_cs_vendors":["666ghj"],"content_html":"\u003cp\u003eA critical authentication bypass vulnerability, tracked as CVE-2026-7042, has been identified in 666ghj MiroFish software up to version 0.1.2. The vulnerability lies within the \u003ccode\u003ecreate_app\u003c/code\u003e function of the \u003ccode\u003ebackend/app/__init__.py\u003c/code\u003e file, which manages the REST API Endpoint. A remote attacker can exploit this flaw by manipulating specific parameters within API requests, effectively bypassing authentication mechanisms. This allows unauthorized access to sensitive functionalities and data. Public exploits are available, increasing the risk of widespread exploitation. The vendor was notified, but has not yet responded.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable MiroFish instance running version 0.1.2 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the REST API Endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request manipulates parameters intended for the \u003ccode\u003ecreate_app\u003c/code\u003e function, specifically designed to bypass authentication checks.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003ecreate_app\u003c/code\u003e function fails to properly validate the request due to the missing authentication check.\u003c/li\u003e\n\u003cli\u003eThe application grants unauthorized access to protected resources or functionalities.\u003c/li\u003e\n\u003cli\u003eThe attacker performs unauthorized actions, such as data exfiltration, modification, or deletion, depending on the exposed API endpoints.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the initial access to further compromise the system or pivot to other internal resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7042 allows an attacker to bypass authentication controls in MiroFish applications. This can lead to unauthorized access to sensitive data, modification of application settings, or complete system compromise. The lack of authentication on the REST API endpoint can have severe implications for data confidentiality, integrity, and availability. Given the availability of a public exploit, affected organizations are at immediate risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious HTTP requests targeting the REST API Endpoint with unusual parameters, using the provided Sigma rule that detects anomalous HTTP methods in webserver logs.\u003c/li\u003e\n\u003cli\u003eApply any available patches or updates from 666ghj to address CVE-2026-7042 immediately.\u003c/li\u003e\n\u003cli\u003eReview the affected \u003ccode\u003ebackend/app/__init__.py\u003c/code\u003e file for authentication logic flaws and implement necessary security measures.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-mirofish-auth-bypass/","summary":"A missing authentication vulnerability (CVE-2026-7042) exists in 666ghj MiroFish up to version 0.1.2, allowing remote attackers to bypass authentication via manipulation of the REST API Endpoint's create_app function.","title":"666ghj MiroFish REST API Authentication Bypass (CVE-2026-7042)","url":"https://feed.craftedsignal.io/briefs/2024-01-mirofish-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — MiroFish","version":"https://jsonfeed.org/version/1.1"}