{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/serena-agent--1.5.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.3,"id":"CVE-2026-49471"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["serena-agent (\u003c 1.5.2)"],"_cs_severities":["high"],"_cs_tags":["remote-code-execution","dns-rebinding","persistence","command-and-control","python","flask","agent"],"_cs_type":"advisory","_cs_vendors":["Serena"],"content_html":"\u003cp\u003eCVE-2026-49471 details a critical vulnerability in the Serena agent, affecting versions prior to 1.5.2. This vulnerability stems from an unauthenticated Flask web dashboard that is automatically enabled by default on a fixed and predictable TCP port 24282. The dashboard lacks authentication, CSRF protection, and Host header validation, making it susceptible to DNS rebinding attacks. An attacker can trick a victim, running the vulnerable Serena agent, into visiting a malicious webpage. This webpage leverages DNS rebinding to proxy requests to the local Serena dashboard, poisoning its persistent memory store with attacker-controlled content. When the agent subsequently processes this memory, it executes the injected commands via \u003ccode\u003esubprocess.Popen\u003c/code\u003e with \u003ccode\u003eshell=True\u003c/code\u003e, leading to full OS-level remote code execution. This allows attackers to achieve persistence, exfiltrate data, access agent logs, and perform denial-of-service.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker registers a domain (e.g., \u003ccode\u003eattacker.com\u003c/code\u003e) with a short DNS Time-To-Live (TTL) and hosts a malicious webpage.\u003c/li\u003e\n\u003cli\u003eA victim, running a vulnerable Serena agent (version \u0026lt; 1.5.2) with the default \u003ccode\u003eweb_dashboard: true\u003c/code\u003e setting, visits the attacker-controlled webpage.\u003c/li\u003e\n\u003cli\u003eThe attacker's webpage immediately rebinds its DNS resolution from the attacker's server to \u003ccode\u003e127.0.0.1\u003c/code\u003e after the initial page load.\u003c/li\u003e\n\u003cli\u003eMalicious JavaScript on the webpage sends a POST request to \u003ccode\u003eattacker.com:24282/save_memory\u003c/code\u003e, which the victim's browser now resolves to the local Serena agent's dashboard due to the DNS rebinding.\u003c/li\u003e\n\u003cli\u003eSerena's unauthenticated Flask dashboard on TCP 24282 accepts the \u003ccode\u003e/save_memory\u003c/code\u003e request, writing attacker-controlled content (e.g., an \u003ccode\u003eexecute_shell_command\u003c/code\u003e) to the agent's persistent memory store.\u003c/li\u003e\n\u003cli\u003eIn a subsequent agent session or when processing new tasks, the Serena agent reads the poisoned memory from disk.\u003c/li\u003e\n\u003cli\u003eThe Serena agent then attempts to execute the attacker-controlled command using \u003ccode\u003esubprocess.Popen(command, shell=True)\u003c/code\u003e, where \u003ccode\u003eshell=True\u003c/code\u003e enables direct shell command execution.\u003c/li\u003e\n\u003cli\u003eThis results in full OS-level remote code execution on the victim's machine, allowing the attacker to exfiltrate data, maintain persistence, or further compromise the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCVE-2026-49471 poses a severe risk to any user operating the Serena agent with its default configuration. Successful exploitation allows an attacker, without any credentials or prior access, to gain OS-level remote code execution on the victim's system. Beyond RCE, attackers can inject persistent prompt-injection payloads into the agent's memory, read sensitive agent activity logs (including conversation history and project details), overwrite the Serena configuration file, and trigger a denial-of-service by shutting down the agent. While no specific victim counts are provided, all users of affected Serena agent versions are at risk if targeted by a malicious webpage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-49471\u003c/strong\u003e by upgrading Serena agent to version 1.5.2 or later immediately.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy the Sigma rule\u003c/strong\u003e provided in this brief to detect suspicious process execution originating from the Serena agent.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnable Sysmon process-creation logging\u003c/strong\u003e (Event ID 1) on endpoints running the Serena agent to activate detection of suspicious shell activity.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBlock known attacker infrastructure\u003c/strong\u003e such as \u003ccode\u003eattacker.com\u003c/code\u003e at the DNS resolver or web proxy to prevent initial access via DNS rebinding and potential C2 communication.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview Serena agent configuration\u003c/strong\u003e and consider disabling \u003ccode\u003eweb_dashboard: true\u003c/code\u003e if its functionality is not explicitly required in your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T21:13:57Z","date_published":"2026-07-08T21:13:57Z","id":"https://feed.craftedsignal.io/briefs/2026-07-serena-rce-dns-rebinding/","summary":"An unspecified attacker can achieve remote code execution in Serena agent versions prior to 1.5.2 by leveraging an unauthenticated Flask dashboard, DNS rebinding, and memory poisoning, enabling persistent attacker-controlled command execution.","title":"Serena Agent Unauthenticated RCE via DNS Rebinding (CVE-2026-49471)","url":"https://feed.craftedsignal.io/briefs/2026-07-serena-rce-dns-rebinding/"}],"language":"en","title":"CraftedSignal Threat Feed - Serena-Agent (\u003c 1.5.2)","version":"https://jsonfeed.org/version/1.1"}