https://feed.craftedsignal.io/products/mirofish/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 12:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-03-mirofish-command-injection/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-mirofish-command-injection/A command injection vulnerability exists in 666ghj MiroFish version 0.1.2 via the SimulationIPCClient.send_command function, allowing remote attackers to execute arbitrary commands.A command injection vulnerability, identified as CVE-2026-7058, affects 666ghj MiroFish up to version 0.1.2. The vulnerability resides in the SimulationIPCClient.send_command function within the backend/app/services/simulation_ipc.py file, specifically within the Inter-Process Communication component. This flaw allows a remote attacker to inject and execute arbitrary commands on the system. Public disclosure of the exploit exists, increasing the risk of exploitation. The vendor was notified, but has not yet responded. This vulnerability poses a significant risk as it allows for complete system compromise.

Attack Chain

1. Attacker identifies a vulnerable MiroFish instance running version 0.1.2 or earlier.
2. Attacker crafts a malicious command injection payload.
3. Attacker sends a request to the SimulationIPCClient.send_command function via the Inter-Process Communication mechanism.
4. The vulnerable function SimulationIPCClient.send_command fails to properly sanitize the attacker-supplied input.
5. The unsanitized input is passed to a system call.
6. The system executes the injected command with the privileges of the MiroFish process.
7. The attacker gains arbitrary code execution on the server.
8. The attacker can then perform actions such as installing malware, exfiltrating data, or pivoting to other systems on the network.

Impact

Successful exploitation of this command injection vulnerability (CVE-2026-7058) allows an attacker to execute arbitrary commands on the affected system. This could lead to complete system compromise, data breaches, denial of service, or further lateral movement within the network. Given the public availability of the exploit, organizations using MiroFish 0.1.2 or earlier are at high risk.

Recommendation

• Apply appropriate input validation and sanitization to the SimulationIPCClient.send_command function to prevent command injection.
• Monitor web server logs for suspicious requests targeting the backend/app/services/simulation_ipc.py endpoint (see rules below).
• Deploy the Sigma rules provided to detect potential exploitation attempts.

]]>highadvisorycommand-injectionvulnerabilityipchttps://feed.craftedsignal.io/briefs/2024-01-mirofish-auth-bypass/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-mirofish-auth-bypass/A missing authentication vulnerability (CVE-2026-7042) exists in 666ghj MiroFish up to version 0.1.2, allowing remote attackers to bypass authentication via manipulation of the REST API Endpoint's create_app function.A critical authentication bypass vulnerability, tracked as CVE-2026-7042, has been identified in 666ghj MiroFish software up to version 0.1.2. The vulnerability lies within the create_app function of the backend/app/__init__.py file, which manages the REST API Endpoint. A remote attacker can exploit this flaw by manipulating specific parameters within API requests, effectively bypassing authentication mechanisms. This allows unauthorized access to sensitive functionalities and data. Public exploits are available, increasing the risk of widespread exploitation. The vendor was notified, but has not yet responded.

Attack Chain

1. The attacker identifies a vulnerable MiroFish instance running version 0.1.2 or earlier.
2. The attacker crafts a malicious HTTP request targeting the REST API Endpoint.
3. The crafted request manipulates parameters intended for the create_app function, specifically designed to bypass authentication checks.
4. The vulnerable create_app function fails to properly validate the request due to the missing authentication check.
5. The application grants unauthorized access to protected resources or functionalities.
6. The attacker performs unauthorized actions, such as data exfiltration, modification, or deletion, depending on the exposed API endpoints.
7. The attacker leverages the initial access to further compromise the system or pivot to other internal resources.

Impact

Successful exploitation of CVE-2026-7042 allows an attacker to bypass authentication controls in MiroFish applications. This can lead to unauthorized access to sensitive data, modification of application settings, or complete system compromise. The lack of authentication on the REST API endpoint can have severe implications for data confidentiality, integrity, and availability. Given the availability of a public exploit, affected organizations are at immediate risk.

Recommendation

• Monitor web server logs for suspicious HTTP requests targeting the REST API Endpoint with unusual parameters, using the provided Sigma rule that detects anomalous HTTP methods in webserver logs.
• Apply any available patches or updates from 666ghj to address CVE-2026-7042 immediately.
• Review the affected backend/app/__init__.py file for authentication logic flaws and implement necessary security measures.

]]>highadvisorycve-2026-7042authentication-bypassrest-api