{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/sustainable-irrigation-platform-sip--5.2.16/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-60114"}],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Sustainable Irrigation Platform (SIP) \u003c= 5.2.16"],"_cs_severities":["high"],"_cs_tags":["path-traversal","arbitrary-file-write","web-application","remote-code-execution","persistence","privilege-escalation"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-60114 is a critical path traversal vulnerability affecting the Sustainable Irrigation Platform (SIP) up to and including version 5.2.16. This flaw allows an authenticated attacker, or one who bypasses authentication via a default passphrase, to write arbitrary files to any location on the server. The vulnerability stems from insufficient validation of keys within JSON backup files during the restore process, which are then used to construct file paths. Compounding this issue is the use of a default passphrase \u0026quot;opendoor\u0026quot; or a completely missing passphrase requirement in the default configuration, making it easier for attackers to exploit. Successful exploitation can lead to remote code execution, establishment of persistence, and privilege escalation by overwriting critical system files or placing malicious executables. While the vulnerability is known, specific details about active exploitation in the wild are not currently available.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eGain Access to Restore Functionality:\u003c/strong\u003e An attacker obtains or bypasses authentication to access the Sustainable Irrigation Platform's restore feature. This could involve using the default passphrase \u0026quot;opendoor\u0026quot; or exploiting a configuration where no passphrase is required.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCraft Malicious JSON Backup File:\u003c/strong\u003e The attacker creates a specially malformed JSON backup file designed to exploit the path traversal vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEmbed Path Traversal Keys:\u003c/strong\u003e Within the crafted JSON, the attacker includes unvalidated keys that contain directory traversal sequences (e.g., \u003ccode\u003e../../\u003c/code\u003e) to manipulate the intended file write path.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitiate Restore Operation:\u003c/strong\u003e The attacker uploads the malicious JSON backup file through the SIP's restore functionality.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSystem Processes Crafted JSON:\u003c/strong\u003e The SIP application processes the uploaded JSON file without properly sanitizing or validating the embedded path traversal characters in the keys.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary File Write:\u003c/strong\u003e As a result, the SIP application writes files contained within the backup to arbitrary, attacker-specified locations on the underlying operating system, outside the intended data directory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAchieve Impact:\u003c/strong\u003e By writing malicious files (e.g., web shells, configuration files, or executables) to critical directories, the attacker achieves remote code execution, establishes persistence mechanisms, or elevates privileges on the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-60114 grants an attacker the ability to write arbitrary files to any location on the server running the Sustainable Irrigation Platform. This can directly lead to remote code execution, allowing the attacker to completely compromise the server. Further impacts include achieving persistent access to the system by deploying backdoors or malicious services, and elevating privileges to gain full control. While no specific victim counts or targeted sectors are currently disclosed, any organization using affected versions of SIP is at risk of severe data breaches, system unavailability, and unauthorized access if this vulnerability is exploited.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-60114 immediately by upgrading Sustainable Irrigation Platform (SIP) to a version beyond 5.2.16.\u003c/li\u003e\n\u003cli\u003eChange the default passphrase 'opendoor' or enforce a strong, unique passphrase if using the restore functionality on affected versions.\u003c/li\u003e\n\u003cli\u003eMonitor system logs for unusual file write activities outside expected application directories, especially related to the SIP application processes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-14T15:22:15Z","date_published":"2026-07-14T15:22:15Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-60114-sip-path-traversal/","summary":"A path traversal vulnerability (CVE-2026-60114) in Sustainable Irrigation Platform (SIP) through version 5.2.16 allows attackers with access to the restore functionality to write files to arbitrary locations by uploading crafted JSON backup files containing unvalidated keys, leading to potential remote code execution, persistence, and privilege escalation.","title":"CVE-2026-60114 Sustainable Irrigation Platform Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-60114-sip-path-traversal/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-58479"},{"cvss":8.1,"id":"CVE-2026-58476"},{"cvss":8.2,"id":"CVE-2026-58477"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Sustainable Irrigation Platform (SIP) through version 5.2.16","Sustainable Irrigation Platform (SIP) \u003c= 5.2.16"],"_cs_severities":["critical"],"_cs_tags":["command-injection","web-vulnerability","rce","ot","ics","cve-2026-58479"],"_cs_type":"advisory","_cs_vendors":["Sustainable Irrigation Platform"],"content_html":"\u003cp\u003eSustainable Irrigation Platform (SIP) through version 5.2.16 contains a critical command injection vulnerability, CVE-2026-58479, specifically within its optional \u003ccode\u003ecli_control\u003c/code\u003e plugin. This flaw enables unauthenticated attackers, or those utilizing Cross-Site Request Forgery (CSRF), to achieve arbitrary operating-system command execution. Attackers can store a malicious payload through the plugin's HTTP endpoint, then trigger its execution by activating an associated irrigation station. The vulnerability is exacerbated by the absence of passphrase protection or the use of a default 'opendoor' passphrase, which facilitates unauthorized access and command execution on the underlying host. This vulnerability has a CVSS v3.1 Base Score of 9.8, indicating its critical severity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Sustainable Irrigation Platform (SIP) instance running the \u003ccode\u003ecli_control\u003c/code\u003e plugin, exposed to the internet or an accessible internal network.\u003c/li\u003e\n\u003cli\u003eThe attacker determines the plugin's HTTP endpoint responsible for storing payloads, potentially leveraging unauthenticated access or a Cross-Site Request Forgery (CSRF) attack.\u003c/li\u003e\n\u003cli\u003eA malicious operating system command payload is crafted, designed to achieve the attacker's objective (e.g., establishing a reverse shell or exfiltrating data).\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP request to the \u003ccode\u003ecli_control\u003c/code\u003e plugin's endpoint to inject and store the crafted malicious payload.\u003c/li\u003e\n\u003cli\u003eExploiting the lack of strong passphrase protection or the default 'opendoor' passphrase, the attacker activates the associated irrigation station, triggering the execution of the stored command.\u003c/li\u003e\n\u003cli\u003eThe injected operating system commands are executed on the underlying host system, granting the attacker arbitrary code execution capabilities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful exploitation of CVE-2026-58479 grants attackers arbitrary command execution on the underlying host system, potentially leading to full system compromise. This can result in unauthorized control over the irrigation infrastructure, data exfiltration, service disruption, or further lateral movement within the network. Given that Sustainable Irrigation Platforms are often deployed in critical infrastructure or agricultural sectors, the impact could range from significant financial losses due to system manipulation to widespread operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-58479 on all Sustainable Irrigation Platform (SIP) instances to version 5.2.17 or later immediately.\u003c/li\u003e\n\u003cli\u003eEnsure strong, unique passphrases are used for all SIP configurations, and immediately change any default 'opendoor' passphrases mentioned in the CVE-2026-58479 details.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to restrict access to SIP instances and their \u003ccode\u003ecli_control\u003c/code\u003e plugin HTTP endpoints from untrusted networks.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for unusual HTTP requests targeting the \u003ccode\u003ecli_control\u003c/code\u003e plugin, particularly those containing command injection characters in URI paths or query parameters.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-14T15:21:31Z","date_published":"2026-07-14T15:18:33Z","id":"https://feed.craftedsignal.io/briefs/2026-07-sustainable-irrigation-platform-rce/","summary":"A critical command injection vulnerability (CVE-2026-58479) exists in the optional cli_control plugin of Sustainable Irrigation Platform (SIP) versions up to 5.2.16, allowing unauthenticated or CSRF attackers to execute arbitrary operating-system commands by storing a malicious payload via the plugin's HTTP endpoint and triggering execution by activating an associated irrigation station.","title":"Command Injection in Sustainable Irrigation Platform cli_control Plugin","url":"https://feed.craftedsignal.io/briefs/2026-07-sustainable-irrigation-platform-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Sustainable Irrigation Platform (SIP) \u003c= 5.2.16","version":"https://jsonfeed.org/version/1.1"}