{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/utcp-cli/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["utcp-cli"],"_cs_severities":["critical"],"_cs_tags":["command-injection","rce","utcp-cli"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003eutcp-cli\u003c/code\u003e package before version 1.1.2 contains a command injection vulnerability within the \u003ccode\u003e_substitute_utcp_args\u003c/code\u003e method of \u003ccode\u003ecli_communication_protocol.py\u003c/code\u003e. This flaw stems from the direct insertion of user-controlled \u003ccode\u003etool_args\u003c/code\u003e values into shell command strings without proper sanitization or escaping. Subsequently, these crafted commands are executed using \u003ccode\u003e/bin/bash -c\u003c/code\u003e on Unix-like systems or \u003ccode\u003epowershell.exe -Command\u003c/code\u003e on Windows, enabling a malicious actor to inject arbitrary shell commands. This vulnerability poses a significant risk, as it allows for complete Remote Code Execution (RCE) on the affected host. The issue has been addressed in \u003ccode\u003eutcp-cli\u003c/code\u003e version 1.1.2 by implementing shell-quoting of all substituted values using \u003ccode\u003eshlex.quote\u003c/code\u003e on Unix and PowerShell single-quoted literals on Windows systems, which mitigates the risk of metacharacter injection. 
The vulnerability was reported by @ZeroXJacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a payload containing shell metacharacters (for example \u003ccode\u003e;\u003c/code\u003e, \u003ccode\u003e|\u003c/code\u003e or \u003ccode\u003e$(...)\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker supplies this payload as a value in the \u003ccode\u003etool_args\u003c/code\u003e dictionary.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003e_substitute_utcp_args\u003c/code\u003e method substitutes the attacker-controlled value into the command string verbatim, so the metacharacters survive unescaped.\u003c/li\u003e\n\u003cli\u003eThe resulting command string is embedded in a shell script and executed with \u003ccode\u003e/bin/bash -c\u003c/code\u003e or \u003ccode\u003epowershell.exe -Command\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe shell interprets the injected metacharacters and runs the attacker's commands, giving Remote Code Execution on the host.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to execute arbitrary commands on the host with the privileges of the \u003ccode\u003eutcp-cli\u003c/code\u003e process. This can lead to complete system compromise, including data exfiltration, malware installation, and denial of service. 
Given the severity and ease of exploitation, any system running a vulnerable version of \u003ccode\u003eutcp-cli\u003c/code\u003e is at critical risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003eutcp-cli\u003c/code\u003e to version 1.1.2 or later to remediate CVE-2026-45369.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect utcp-cli Command Injection Attempt via Argument Substitution\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, validate every \u003ccode\u003etool_args\u003c/code\u003e value against a strict allowlist before it reaches the command string and reject anything containing shell metacharacters or quotes; rejecting is safer than attempting ad-hoc escaping.\u003c/li\u003e\n\u003cli\u003eNote that the 1.1.2 fix quotes values so the shell treats each one as a single literal argument; the invoked tool still receives the attacker-chosen string, so values that must be paths, hostnames or option-free arguments should still be validated by the caller.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T20:56:40Z","date_published":"2026-05-14T20:56:40Z","id":"https://feed.craftedsignal.io/briefs/2026-05-utcp-cli-command-injection/","summary":"The `utcp-cli` package is vulnerable to command injection. The `_substitute_utcp_args` method in `cli_communication_protocol.py` inserts user-controlled values directly into shell command strings without sanitization, allowing an attacker to inject arbitrary shell commands, resulting in full Remote Code Execution. The vulnerability is fixed in version 1.1.2.","title":"utcp-cli Command Injection Vulnerability via Unsanitized Argument Substitution (CVE-2026-45369)","url":"https://feed.craftedsignal.io/briefs/2026-05-utcp-cli-command-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Utcp-Cli","version":"https://jsonfeed.org/version/1.1"}
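The following Python is an added illustration written for this feed entry; it is not utcp-cli's own source and does not reproduce `_substitute_utcp_args`. It models the vulnerable pattern the brief describes (verbatim substitution of `tool_args` values into a command string run with `bash -c`) beside the two remedies the brief names: `shlex.quote` on Unix and PowerShell single-quoted literals on Windows, plus an allowlist check of the kind the interim mitigation calls for. The `${name}` placeholder syntax, the `validate_tool_args` helper and the attacker value are assumptions made for the example, and the bash run is skipped if no bash binary is present.

```python
"""Vulnerable vs. hardened argument substitution into a shell command.

Example code written for this brief; it is NOT the utcp-cli implementation.
"""
import re
import shlex
import shutil
import subprocess
from typing import Dict, Optional, Tuple

# Assumed placeholder syntax for the example: ${name} is replaced by tool_args["name"].
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed attacker-controlled value: the ';' ends the intended command
# and the rest is an injected second command.
PAYLOAD = "hello; echo INJECTED"


def substitute_vulnerable(template: str, tool_args: Dict[str, str]) -> str:
    """The flawed pattern: values are spliced in verbatim, so shell
    metacharacters in a value become part of the command's syntax."""
    return PLACEHOLDER.sub(lambda m: str(tool_args[m.group(1)]), template)


def ps_quote(value: str) -> str:
    """PowerShell single-quoted literal: inside '...' nothing is expanded and
    the only special character is the quote itself, which is written as ''."""
    return "'" + value.replace("'", "''") + "'"


def substitute_quoted(template: str, tool_args: Dict[str, str], windows: bool = False) -> str:
    """Hardened pattern: every substituted value is quoted for the target
    shell, so the shell sees it as one literal argument."""
    quote = ps_quote if windows else shlex.quote
    return PLACEHOLDER.sub(lambda m: quote(str(tool_args[m.group(1)])), template)


# Assumed interim-mitigation allowlist: letters, digits, and a few path characters.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9._/@:-]+$")


def validate_tool_args(tool_args: Dict[str, str]) -> bool:
    """Reject any value that is not plainly safe; rejecting beats ad-hoc escaping."""
    return all(SAFE_VALUE.fullmatch(str(v)) is not None for v in tool_args.values())


def run_bash(command: str) -> Optional[str]:
    """Run the command string the way the vulnerable code does (bash -c).
    Returns stdout, or None when no bash binary is available."""
    bash = shutil.which("bash")
    if bash is None:
        return None
    return subprocess.run([bash, "-c", command], capture_output=True, text=True).stdout


def demo() -> Tuple[str, str, Optional[str], Optional[str]]:
    """Build the same command both ways and execute each under bash."""
    template = "echo ${message}"
    args = {"message": PAYLOAD}
    vuln_cmd = substitute_vulnerable(template, args)  # echo hello; echo INJECTED
    safe_cmd = substitute_quoted(template, args)      # echo 'hello; echo INJECTED'
    return vuln_cmd, safe_cmd, run_bash(vuln_cmd), run_bash(safe_cmd)


if __name__ == "__main__":
    vuln_cmd, safe_cmd, vuln_out, safe_out = demo()
    print("vulnerable command:", vuln_cmd, "->", repr(vuln_out))
    print("quoted command:    ", safe_cmd, "->", repr(safe_out))
    print("windows variant:   ", substitute_quoted("Write-Output ${message}", {"message": PAYLOAD}, windows=True))
    print("allowlist accepts payload:", validate_tool_args({"message": PAYLOAD}))
```

Run it and compare the two bash results: the unquoted command prints `hello` and then `INJECTED` on a second line, while the quoted command prints the whole attacker string as one literal. The allowlist check refuses the payload outright, which is the right interim behaviour when a value has no business containing `;` or whitespace.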