<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>ShiroiAdmin &lt; 1.4 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/shiroiadmin--1.4/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sun, 12 Jul 2026 09:18:26 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/shiroiadmin--1.4/feed.xml" rel="self" type="application/rss+xml"/><item><title>Unrestricted File Upload Vulnerability in hcr707305003 shiroiAdmin</title><link>https://feed.craftedsignal.io/briefs/2026-07-shiroiadmin-unrestricted-upload/</link><pubDate>Sun, 12 Jul 2026 09:18:26 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-shiroiadmin-unrestricted-upload/</guid><description>A remote unrestricted file upload vulnerability (CVE-2026-15488) exists in hcr707305003 shiroiAdmin versions 1.1 and 1.3, allowing attackers to upload arbitrary files by manipulating the 'File' argument in FileController::upload, potentially leading to remote code execution.</description><content:encoded><![CDATA[<p>A high-severity vulnerability, identified as CVE-2026-15488, has been discovered in hcr707305003 shiroiAdmin versions 1.1 and 1.3. This flaw, residing in the <code>FileController::upload</code> function located within <code>app/common/controller/FileController.php</code>, allows for unrestricted file uploads. Attackers can remotely exploit this vulnerability by manipulating the 'File' argument during an upload request, enabling them to bypass security checks and place arbitrary files, including web shells, onto the server. This can lead to remote code execution and full compromise of the affected system. A public exploit for this vulnerability exists, increasing the urgency for immediate patching. The vendor, hcr707305003, was contacted but did not respond to the disclosure.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies an internet-facing hcr707305003 shiroiAdmin 1.1 or 1.3 instance.</li>
<li>Attacker crafts an HTTP POST request targeting the <code>FileController::upload</code> function in <code>app/common/controller/FileController.php</code>.</li>
<li>The attacker manipulates the 'File' argument within the request to include a malicious file, such as a web shell (e.g., <code>shell.php</code>, <code>cmd.jsp</code>, <code>malware.asp</code>).</li>
<li>The vulnerable <code>FileController::upload</code> function processes the request without proper validation of the uploaded file's type or content.</li>
<li>The malicious file (web shell) is successfully uploaded and stored on the web server in an accessible location.</li>
<li>The attacker sends a subsequent HTTP GET or POST request to access and execute the uploaded web shell.</li>
<li>The web shell provides the attacker with arbitrary code execution capabilities on the underlying server.</li>
<li>Attacker leverages code execution for further compromise, such as data exfiltration, privilege escalation, or deploying additional malware.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-15488 leads to arbitrary code execution on the server hosting hcr707305003 shiroiAdmin. This allows attackers to gain full control over the compromised system, potentially enabling them to steal sensitive data, deface websites, install additional malware, establish persistence, or pivot to other systems within the network. Since a public exploit is available, any organization utilizing affected versions of shiroiAdmin is at critical risk of immediate and severe compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-15488 immediately by upgrading hcr707305003 shiroiAdmin to version 1.4 or higher.</li>
<li>Deploy the Sigma rule &quot;Detects CVE-2026-15488 Exploitation - Unrestricted File Upload&quot; to your SIEM and monitor web server logs for suspicious POST requests to the <code>FileController::upload</code> endpoint with malicious file extensions.</li>
<li>Ensure web server logging is comprehensive, capturing HTTP method, URI stem, URI query, and response status codes.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>web</category><category>file-upload</category><category>remote-code-execution</category></item></channel></rss>