Critical — CraftedSignal Threat Feed

Arelle Unauthenticated Remote Code Execution Vulnerability

hello@craftedsignal.io — Mon, 04 May 2026 18:16:32 +0000

Arelle versions prior to 2.39.10 are susceptible to an unauthenticated remote code execution (RCE) vulnerability. The vulnerability resides in the /rest/configure REST endpoint, which improperly handles the plugins query parameter. This parameter is forwarded to the plugin manager without proper authentication or authorization checks. An attacker can exploit this flaw by providing a URL pointing to a malicious Python file via the plugins parameter. Upon receiving this request, the Arelle webserver downloads and executes the attacker-supplied Python code within the context of the Arelle process. This grants the attacker control over the Arelle server with the same privileges as the Arelle process. This vulnerability poses a significant risk, especially in environments where Arelle servers are exposed to the internet or untrusted networks.

Attack Chain

An unauthenticated attacker sends a crafted HTTP GET request to the /rest/configure endpoint of the Arelle web server.
The request includes the plugins query parameter, which contains a URL pointing to a malicious Python file hosted on an attacker-controlled server.
The Arelle web server receives the request and, without proper authentication or authorization, forwards the plugins parameter to the plugin manager.
The plugin manager downloads the Python file from the attacker-supplied URL using standard HTTP(S) protocols.
The Arelle process executes the downloaded Python code using the Python interpreter.
The malicious Python code executes arbitrary commands on the Arelle server, potentially installing malware, creating reverse shells, or exfiltrating sensitive data.
The attacker gains control of the Arelle server and can perform further actions, such as accessing internal network resources.

Impact

Successful exploitation of this vulnerability allows an unauthenticated attacker to achieve remote code execution on the Arelle server. This could lead to complete compromise of the server, including sensitive data theft, malware deployment, and further lateral movement within the network. The potential impact includes data breaches, service disruption, and reputational damage. Given the severity and ease of exploitation, any Arelle instance running a version prior to 2.39.10 is at critical risk.

Recommendation

Immediately upgrade Arelle to version 2.39.10 or later to patch CVE-2026-42796.
Deploy the Sigma rule “Detect Arelle Plugin Download via REST Endpoint” to identify exploitation attempts targeting the vulnerable /rest/configure endpoint.
Monitor web server logs for suspicious requests to the /rest/configure endpoint containing the plugins parameter.
Implement network segmentation to limit the potential impact of a compromised Arelle server.

BusyBox DHCPv6 Client Heap Buffer Overflow Vulnerability (CVE-2026-29004)

hello@craftedsignal.io — Mon, 04 May 2026 18:16:26 +0000

CVE-2026-29004 is a critical heap buffer overflow vulnerability affecting BusyBox before commit 42202bf. The vulnerability resides in the DHCPv6 client (udhcpc6), specifically within the DNS_SERVERS option handler located in networking/udhcp/d6_dhcpc.c. A network-adjacent attacker can exploit this flaw by sending a malicious DHCPv6 response containing a malformed D6_OPT_DNS_SERVERS option. This manipulation leads to incorrect heap buffer allocation calculations in the option_to_env() function, causing memory corruption. Successful exploitation can result in a denial of service or, more severely, arbitrary code execution on vulnerable embedded systems lacking heap hardening. The scope of impact is potentially broad, given BusyBox’s widespread use in embedded devices.

Attack Chain

Attacker identifies a target embedded system running a vulnerable version of BusyBox with the DHCPv6 client enabled.
The attacker crafts a malicious DHCPv6 response packet.
The crafted packet includes a D6_OPT_DNS_SERVERS option with a size that exceeds the expected buffer allocation.
The attacker transmits the crafted DHCPv6 response packet to the target system on the local network.
The target system’s udhcpc6 client receives the malicious DHCPv6 response.
The udhcpc6 client processes the D6_OPT_DNS_SERVERS option, triggering the vulnerable option_to_env() function.
The option_to_env() function calculates an insufficient buffer size based on the malformed option.
A heap buffer overflow occurs when copying the oversized DNS server list, leading to memory corruption, denial-of-service, or arbitrary code execution.

Impact

Successful exploitation of CVE-2026-29004 can have severe consequences. A denial-of-service condition could disrupt the functionality of the affected embedded system. More critically, arbitrary code execution allows attackers to gain complete control over the device, potentially leading to data theft, device compromise, or use in botnet activities. Given BusyBox’s prevalence in embedded systems, a large number of devices are potentially vulnerable.

Recommendation

Apply the patch addressing CVE-2026-29004 by updating to a version of BusyBox after commit 42202bf.
Deploy the Sigma rule “Detect Suspicious DHCPv6 DNS Server Option Size” to identify potentially malicious DHCPv6 responses in network traffic.
Monitor network traffic for unusually large DHCPv6 DNS_SERVERS options as indicated by the Sigma rule and network connection logs.

OpenMRS Module Upload Path Traversal Vulnerability

hello@craftedsignal.io — Mon, 04 May 2026 17:39:31 +0000

OpenMRS, an open-source enterprise electronic medical record system platform, is vulnerable to a path traversal (Zip Slip) vulnerability in its module upload functionality. Discovered in versions 2.7.8 and earlier, as well as versions 2.8.0 through 2.8.5, the vulnerability resides in the POST /openmrs/ws/rest/v1/module endpoint. An authenticated attacker with administrative privileges can exploit this flaw by uploading a specially crafted .omod archive containing malicious ZIP entries with directory traversal sequences. This can allow the attacker to write files outside of the intended module directory, potentially leading to arbitrary file write and remote code execution on the server. The vulnerability stems from incomplete path validation within the WebModuleUtil.startModule() function, an oversight compared to other extraction methods within the same codebase that are properly protected.

Attack Chain

The attacker authenticates to the OpenMRS instance with valid admin credentials via Basic Auth.
The attacker crafts a malicious .omod file containing a ZIP entry with a path traversal payload, such as web/module/../../../../.jsp.
The attacker sends a POST request to the /openmrs/ws/rest/v1/module endpoint, uploading the malicious .omod file.
The server receives the request and parses the uploaded .omod file, treating it as a ZIP archive.
During module loading via WebModuleUtil.startModule(), the server extracts entries under the web/module/ directory.
Due to an incomplete check, the entry web/module/../../../../.jsp passes the initial validation.
The server attempts to write the extracted file to a path constructed by concatenating the traversed path, resulting in writing the file outside the intended WEB-INF/view/module/ directory.
If the written file is a JSP script, accessing it via a browser triggers server-side execution, achieving Remote Code Execution (RCE).

Impact

Successful exploitation of this vulnerability allows an attacker to write arbitrary files within the web application root directory of the OpenMRS instance. This can lead to remote code execution, allowing the attacker to gain complete control of the affected server. Given OpenMRS’s use in healthcare environments, a successful attack could compromise sensitive patient data, disrupt medical operations, and damage the reputation of the affected organization. The number of potentially affected installations is unknown, but the vulnerability impacts a widely used version of the platform.

Recommendation

Apply the patch or upgrade to a version of OpenMRS that includes the fix for CVE-2026-40076 to address the path traversal vulnerability.
Deploy the Sigma rule Detect OpenMRS Malicious Module Upload to identify exploitation attempts based on HTTP requests to the /openmrs/ws/rest/v1/module endpoint with suspicious file extensions in the query parameters.
Enable webserver logging to capture HTTP request data and facilitate detection and investigation efforts.
Monitor file creation events within the web application root directory for suspicious JSP files. Use the Sigma rule Detect JSP File Creation in Web Application Root as a starting point.
Enforce the module.allow_web_admin restriction consistently across all module upload entry points, including the REST API to prevent bypass.

Qualcomm PLC FW Buffer Overflow via Incorrect Authorization (CVE-2026-25293)

hello@craftedsignal.io — Mon, 04 May 2026 17:16:22 +0000

CVE-2026-25293 describes a buffer overflow vulnerability affecting Qualcomm’s Programmable Logic Controller Firmware (PLC FW). The root cause is an incorrect authorization mechanism within the firmware. This flaw could allow an attacker to potentially overwrite memory buffers, leading to arbitrary code execution or denial of service. The vulnerability was disclosed in Qualcomm’s May 2026 security bulletin. Successful exploitation of this vulnerability could allow unauthorized modification of PLC configurations, potentially impacting industrial control systems and automation processes. The affected PLC FW is used in a range of industrial applications, increasing the scope and severity of this vulnerability.

Attack Chain

Attacker identifies a vulnerable PLC FW device on the network.
The attacker leverages CVE-2026-25293 to bypass authorization checks.
A crafted network packet is sent to the PLC FW, exploiting the buffer overflow.
The overflowed buffer overwrites critical memory regions.
Attacker gains control of PLC FW execution flow.
Malicious code is injected into the PLC memory space.
The injected code executes, potentially modifying PLC logic or disrupting operations.
The attacker achieves unauthorized control over the PLC, leading to disruption, data manipulation, or system compromise.

Impact

Successful exploitation of CVE-2026-25293 could allow attackers to gain complete control over Programmable Logic Controllers (PLCs). This could lead to significant disruptions in industrial control systems, manufacturing processes, and other automated systems. The vulnerability affects Qualcomm PLC FW, potentially impacting a large number of devices across various sectors. The high CVSS score of 9.6 reflects the critical impact of this vulnerability, including the potential for complete system compromise and denial of service.

Recommendation

Apply the security patches provided by Qualcomm as detailed in their May 2026 security bulletin (https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html) to remediate CVE-2026-25293.
Deploy the Sigma rule “Detect Suspicious Network Traffic to PLC Devices” to identify potential exploitation attempts.
Implement strict network segmentation to limit the attack surface and prevent lateral movement to PLC devices.
Monitor network traffic for unexpected patterns or unauthorized access attempts to PLC devices.

NetBox RCE via Jinja2 Template Injection (CVE-2026-29514)

hello@craftedsignal.io — Mon, 04 May 2026 17:16:22 +0000

NetBox, a widely-used infrastructure resource modeling application, is vulnerable to remote code execution (RCE) in versions 4.3.5 through 4.5.4. This vulnerability, identified as CVE-2026-29514, resides in the RenderTemplateMixin.get_environment_params() method. An authenticated attacker with exporttemplate or configtemplate permissions can exploit this flaw by injecting malicious Python callables into the environment_params field. Successful exploitation allows the attacker to bypass the Jinja2 SandboxedEnvironment, achieving arbitrary code execution as the NetBox service user. This RCE can lead to complete system compromise, data exfiltration, or denial of service. Defenders should prioritize patching and implement the detection measures outlined below.

Attack Chain

An authenticated user logs into the NetBox web application with exporttemplate or configtemplate permissions.
The attacker crafts a malicious request to modify or create an export/config template.
Within the request, the attacker injects a Python callable, such as subprocess.getoutput, into the environment_params field. The finalize parameter of the Jinja2 environment is set to this callable.
NetBox processes the request, and the Jinja2 environment is initialized with the attacker-controlled finalize parameter.
When the template is rendered, every expression outside the sandbox’s call interception mechanism is processed.
The injected callable (subprocess.getoutput) is invoked on the rendered expression.
The subprocess.getoutput callable executes arbitrary shell commands as the NetBox service user.
The attacker gains remote code execution, potentially leading to full system compromise or data exfiltration.

Impact

Successful exploitation of CVE-2026-29514 allows an authenticated attacker to execute arbitrary code on the NetBox server. The impact includes potential full system compromise, data exfiltration, and denial of service. Given that NetBox is often used to manage critical infrastructure information, a successful attack could have significant consequences, potentially affecting numerous organizations that rely on accurate network data.

Recommendation

Upgrade NetBox to a patched version (4.5.5 or later) to remediate CVE-2026-29514.
Implement the provided Sigma rule to detect attempts to inject malicious callables into environment_params via webserver logs.
Review and restrict exporttemplate and configtemplate permissions to only those users who require them.

Critical Authentication Bypass Vulnerability in MOVEit Automation (CVE-2026-4670)

hello@craftedsignal.io — Mon, 04 May 2026 15:08:49 +0000

Progress MOVEit Automation is affected by a critical authentication bypass vulnerability, CVE-2026-4670, which has a CVSS score of 9.8. Successful exploitation allows an unauthenticated remote attacker to gain administrative access to the vulnerable service. Additionally, a high severity privilege escalation vulnerability, CVE-2026-5174, exists due to improper input validation. While there is no current evidence of active exploitation in the wild, the historical targeting of Managed File Transfer (MFT) solutions, such as the 2023 Cl0p ransomware campaigns targeting MOVEit Transfer, heightens the urgency of patching this vulnerability. The affected versions of MOVEit Automation include versions prior to 2024.0.0, versions 2024.0.0 before 2024.1.8, versions 2025.0.0 before 2025.0.9, and versions 2025.1.0 before 2025.1.5. Defenders should prioritize patching to prevent potential exploitation.

Attack Chain

An unauthenticated attacker sends a specially crafted request to the MOVEit Automation server, exploiting CVE-2026-4670 (authentication bypass).
The vulnerable MOVEit Automation software fails to properly validate the attacker’s identity, granting them unauthorized access.
The attacker gains access to the MOVEit Automation application with administrative privileges.
The attacker leverages CVE-2026-5174 (improper input validation) to further escalate privileges within the application.
The attacker manipulates sensitive file transfer workflows, potentially modifying file permissions or altering transfer schedules.
The attacker exfiltrates sensitive data stored within MOVEit Automation.
Alternatively, the attacker could deploy malicious scripts or backdoors to maintain persistence and control over the system.
The attacker achieves complete control over the MOVEit Automation server, potentially impacting connected systems and data integrity.

Impact

Successful exploitation of CVE-2026-4670 allows an unauthenticated attacker to gain administrative access to Progress MOVEit Automation servers. This can lead to the compromise of sensitive data, disruption of file transfer workflows, and potential deployment of ransomware or other malicious payloads. Given the history of MOVEit products being targeted, a successful attack could have widespread impact across various sectors that rely on MOVEit for secure file transfer, potentially affecting thousands of organizations.

Recommendation

Immediately patch all affected MOVEit Automation installations to versions 2025.1.5 or later, 2025.0.9 or later, or 2024.1.8 or later as recommended by Progress Software to remediate CVE-2026-4670 and CVE-2026-5174.
Upscale monitoring and detection capabilities to identify any suspicious activity related to MOVEit Automation, as recommended by the CCB.
Implement the provided Sigma rule “Detect MOVEit Automation Authentication Bypass Attempt” to identify potential exploitation attempts targeting CVE-2026-4670 based on web server logs.

SambaBox OS Command Injection Vulnerability (CVE-2026-3120)

hello@craftedsignal.io — Mon, 04 May 2026 12:16:29 +0000

CVE-2026-3120 is a critical vulnerability affecting SambaBox, a product by Profelis Information and Consulting Trade and Industry Limited Company. This vulnerability, categorized as an Improper Control of Generation of Code (‘Code Injection’), allows for OS Command Injection. Specifically, SambaBox versions 5.1 up to (but not including) version 5.3 are affected. An attacker with high privileges can exploit this vulnerability to execute arbitrary commands on the underlying operating system, potentially leading to full system compromise. This vulnerability was reported by the Computer Emergency Response Team of the Republic of Turkey (USOM). Defenders should patch affected systems immediately or apply mitigations to prevent exploitation.

Attack Chain

An attacker with high privileges gains access to the SambaBox management interface.
The attacker crafts a malicious request containing an OS command within a vulnerable input field.
The SambaBox application fails to properly sanitize or validate the input.
The application generates code incorporating the unsanitized input.
The generated code is executed by the underlying operating system.
The injected OS command is executed with the privileges of the SambaBox application.
The attacker gains the ability to execute arbitrary commands on the server.
The attacker leverages the command execution to achieve persistence, escalate privileges further, or exfiltrate sensitive data.

Impact

Successful exploitation of CVE-2026-3120 allows an attacker to execute arbitrary commands on the SambaBox server. This could lead to complete system compromise, including data theft, modification, or destruction. The vulnerability affects SambaBox installations from version 5.1 before 5.3, potentially impacting all organizations using these versions. Given the high CVSS score of 7.2, this vulnerability poses a significant risk.

Recommendation

Upgrade SambaBox to version 5.3 or later to patch CVE-2026-3120.
Apply the following Sigma rule to detect potential exploitation attempts by monitoring for suspicious process execution: “Detect SambaBox Command Injection”.
Monitor web server logs for unusual requests targeting SambaBox applications, specifically looking for attempts to inject OS commands.

Compromised Bitwarden CLI npm Package Enables Credential Theft and Information Exfiltration

hello@craftedsignal.io — Mon, 04 May 2026 11:28:56 +0000

A compromised Bitwarden CLI npm package allows a remote, anonymous attacker to steal credentials and exfiltrate sensitive information. The specific version of the compromised package is not detailed in the advisory. This supply chain attack targets developers and users who rely on the Bitwarden CLI for managing their passwords and secrets. This attack has the potential to expose sensitive credentials, leading to unauthorized access to systems and data. Defenders need to monitor for unusual activity related to the Bitwarden CLI and its usage within their environments to mitigate this risk.

Attack Chain

Attacker compromises a Bitwarden CLI npm package through techniques such as typosquatting, account compromise, or dependency confusion.
Unsuspecting developers or users download and install the compromised package from the npm registry.
During installation, the malicious package executes malicious code injected by the attacker.
The malicious code collects Bitwarden credentials and other sensitive information stored in the CLI’s configuration.
The compromised package establishes a covert communication channel (e.g., HTTPS) to an attacker-controlled server.
Stolen credentials and sensitive information are exfiltrated to the attacker’s server.
The attacker uses the stolen credentials to access victim’s Bitwarden vaults or other systems.
The attacker may further escalate privileges and compromise additional systems within the victim’s environment using the stolen credentials.

Impact

Successful exploitation leads to the theft of sensitive credentials and information stored within Bitwarden CLI. The number of victims is currently unknown. Organizations using the compromised package could experience unauthorized access to critical systems, data breaches, and potential financial losses. The targeted sectors are broad, encompassing any organization utilizing the Bitwarden CLI for password management and secret storage.

Recommendation

Monitor npm package installations for unusual activity or unexpected dependencies using process creation logs and file integrity monitoring.
Implement strict code review processes for all third-party dependencies, especially those related to security tools like Bitwarden CLI.
Deploy the Sigma rule detecting suspicious network connections from the Bitwarden CLI executable to identify potential data exfiltration.
Enforce multi-factor authentication (MFA) on Bitwarden accounts to mitigate the impact of credential theft.
Regularly audit and review the permissions and access rights associated with Bitwarden CLI credentials.

Rancher Vulnerability Allows Remote Code Execution and File Manipulation

hello@craftedsignal.io — Mon, 04 May 2026 11:26:16 +0000

A vulnerability exists within Rancher that allows a remote, authenticated attacker to execute arbitrary code and manipulate files on the system. The specific details of the vulnerability are not provided in the source, but the impact allows for significant control over the Rancher instance. This issue affects Rancher installations and poses a severe risk, as successful exploitation can lead to complete system compromise, data breaches, and unauthorized access to managed resources. Defenders should prioritize identifying and mitigating this vulnerability to prevent potential attacks.

Attack Chain

The attacker gains valid credentials to a Rancher instance through credential harvesting or other means.
The attacker authenticates to the Rancher web interface or API.
The attacker exploits an unspecified vulnerability to inject and execute arbitrary code on the Rancher server.
The attacker leverages the code execution vulnerability to escalate privileges within the Rancher system.
The attacker uses the escalated privileges to manipulate critical Rancher configuration files.
The attacker uses file manipulation capabilities to inject malicious code into Rancher-managed containers or infrastructure.
The attacker establishes persistent access through backdoors or compromised service accounts.
The attacker pivots to other systems or exfiltrates sensitive data.

Impact

Successful exploitation of this vulnerability can lead to complete compromise of the Rancher instance, including the ability to control and manipulate all managed Kubernetes clusters and related infrastructure. This can result in significant data breaches, service disruptions, and unauthorized access to sensitive resources. The number of victims and sectors targeted are currently unknown, but the severity of the potential impact necessitates immediate attention.

Recommendation

Deploy the Sigma rule detecting suspicious Rancher process execution and tune for your environment to identify potential exploitation attempts.
Investigate any unauthorized file modifications within the Rancher installation directory using the provided file integrity monitoring rule.
Monitor Rancher access logs for unusual login patterns or suspicious API calls.

OPNsense Multiple Vulnerabilities Leading to Remote Code Execution

hello@craftedsignal.io — Mon, 04 May 2026 11:09:07 +0000

Multiple unspecified vulnerabilities in OPNsense allow a remote, anonymous attacker to bypass security restrictions and achieve arbitrary code execution. The vulnerabilities stem from inadequate input validation and insufficient privilege checks within the OPNsense firewall software. While the specific vulnerable components are not detailed in the advisory, successful exploitation would grant an attacker complete control over the affected OPNsense instance. This can lead to a complete breach of the network perimeter, allowing the attacker to pivot to internal systems, intercept network traffic, or disrupt network services. Given the critical role of OPNsense as a network gateway, organizations using this software should prioritize detection and mitigation efforts.

Attack Chain

The attacker identifies a vulnerable OPNsense instance accessible over the network.
The attacker crafts a malicious request targeting a specific, undisclosed vulnerable endpoint. This request exploits a flaw in input validation or authentication.
The vulnerable OPNsense component processes the malicious request without proper sanitization or authorization checks.
The injected payload bypasses security restrictions, potentially exploiting a command injection or similar vulnerability.
The injected payload executes arbitrary code on the OPNsense system, gaining initial access.
The attacker leverages the initial foothold to escalate privileges within the OPNsense system.
The attacker establishes persistence, ensuring continued access even after system reboots or security updates.
The attacker pivots to other systems within the network, using the compromised OPNsense instance as a launchpad for further attacks, or exfiltrates sensitive data.

Impact

Successful exploitation of these vulnerabilities allows a remote attacker to execute arbitrary code on the OPNsense firewall. This gives the attacker full control of the firewall, allowing them to intercept network traffic, modify firewall rules, and potentially pivot to internal networks. The impact is a complete compromise of the network perimeter, potentially affecting all systems and data behind the firewall. The number of affected organizations is currently unknown.

Recommendation

Monitor OPNsense webserver logs for suspicious POST requests to unusual or sensitive endpoints, using a webserver category Sigma rule (see example below).
Implement network intrusion detection systems (NIDS) rules to detect exploitation attempts against OPNsense services.
While specific CVEs are unavailable, stay informed about OPNsense security updates and apply them immediately upon release.

Langflow Multiple Vulnerabilities Allow Code Execution

hello@craftedsignal.io — Mon, 04 May 2026 10:39:06 +0000

Langflow is vulnerable to multiple security flaws that could allow a remote attacker to execute arbitrary code on the affected system. Successful exploitation of these vulnerabilities requires the attacker to be authenticated. The specific nature of these vulnerabilities is not detailed in the advisory, however the potential impact is severe, allowing for complete system compromise if successfully exploited. Defenders should prioritize identifying and mitigating installations of Langflow that are exposed to untrusted networks or users.

Attack Chain

An authenticated attacker gains initial access to the Langflow application.
The attacker crafts a malicious request targeting one of the unspecified vulnerabilities.
The malicious request is sent to the Langflow server.
The Langflow server processes the request, triggering the vulnerability.
The vulnerability allows the attacker to inject arbitrary code into the Langflow process.
The injected code executes within the context of the Langflow application.
The attacker leverages the initial code execution to escalate privileges.
The attacker achieves arbitrary code execution on the underlying system.

Impact

Successful exploitation of these vulnerabilities allows a remote, authenticated attacker to execute arbitrary code on the Langflow server. This could lead to a complete compromise of the affected system, including the theft of sensitive data, the installation of malware, and the disruption of services. Given the lack of specific vulnerability details, it is difficult to estimate the precise number of potentially affected installations.

Recommendation

Monitor Langflow application logs for suspicious activity indicative of unauthorized access or code execution.
Deploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts.
Implement strict access controls for the Langflow application to minimize the attack surface.

Totolink N300RH Buffer Overflow Vulnerability (CVE-2026-7750)

hello@craftedsignal.io — Mon, 04 May 2026 10:16:01 +0000

A buffer overflow vulnerability, identified as CVE-2026-7750, affects Totolink N300RH router version 3.2.4-B20220812. The vulnerability resides in the setMacFilterRules function within the /cgi-bin/cstecgi.cgi file, which handles POST requests. Attackers can exploit this flaw by sending a specially crafted POST request with an overly long mac_address parameter, triggering a buffer overflow. Successful exploitation allows for arbitrary code execution on the device. The vulnerability is remotely exploitable, and a public exploit is available, increasing the risk of widespread attacks. Defenders should prioritize patching or mitigating this vulnerability to prevent potential compromise of affected devices.

Attack Chain

The attacker identifies a vulnerable Totolink N300RH router running firmware version 3.2.4-B20220812.
The attacker crafts a malicious POST request targeting the /cgi-bin/cstecgi.cgi endpoint.
Within the POST request, the attacker includes the mac_address parameter, injecting a string longer than the buffer allocated for it.
The setMacFilterRules function processes the POST request without proper bounds checking on the mac_address argument.
The overly long mac_address value overflows the buffer, overwriting adjacent memory regions.
The attacker carefully crafts the overflow to overwrite the return address, redirecting execution flow to attacker-controlled code.
The injected code executes with the privileges of the web server, allowing the attacker to execute arbitrary commands.
The attacker gains complete control over the router, potentially using it for further malicious activities such as network pivoting, data exfiltration, or denial-of-service attacks.

Impact

Successful exploitation of CVE-2026-7750 allows a remote attacker to execute arbitrary code on the vulnerable Totolink N300RH device. This could lead to a complete compromise of the router, allowing the attacker to control network traffic, steal sensitive information, or use the router as a bot in a larger attack. Given the public availability of the exploit, a large number of unpatched devices could be vulnerable to automated attacks, potentially impacting thousands of users.

Recommendation

Apply available patches or firmware updates provided by Totolink to address CVE-2026-7750.
Implement network intrusion detection system (IDS) rules to detect and block suspicious POST requests targeting the /cgi-bin/cstecgi.cgi endpoint with excessively long mac_address parameters.
Deploy the Sigma rules in this brief to your SIEM to detect exploitation attempts.
Monitor web server logs for unusual POST requests to /cgi-bin/cstecgi.cgi, focusing on requests with large mac_address values.

GNU InetUtils Multiple Vulnerabilities Allow Code Execution and Information Disclosure

hello@craftedsignal.io — Mon, 04 May 2026 09:54:58 +0000

GNU InetUtils is susceptible to multiple vulnerabilities that could lead to serious security breaches. These vulnerabilities could allow an attacker to execute arbitrary code on the affected system and also enable them to disclose sensitive information. The specific nature of these vulnerabilities is not detailed in the advisory, but the potential impact is significant, requiring immediate attention from system administrators to mitigate potential risks associated with vulnerable InetUtils installations. Given the lack of specific CVEs or exploitation details, organizations should prioritize identifying and patching potentially vulnerable systems.

Attack Chain

An attacker identifies a vulnerable InetUtils service running on a target system.
The attacker crafts a malicious input specifically designed to exploit a buffer overflow or similar vulnerability within a utility like ftp, telnet, or rcp.
The malicious input is sent to the vulnerable InetUtils service. This could be achieved by sending a specially crafted request to the service’s listening port.
The vulnerability is triggered, leading to arbitrary code execution within the context of the InetUtils service.
The attacker leverages the initial code execution to escalate privileges on the system, potentially gaining root or administrator access.
With elevated privileges, the attacker installs persistent backdoors for future access.
The attacker proceeds to gather sensitive information from the compromised system, such as user credentials, configuration files, or database contents.
Finally, the attacker exfiltrates the stolen data to an external server under their control.

Impact

Successful exploitation of these vulnerabilities can lead to arbitrary code execution, potentially granting an attacker complete control over the compromised system. This could result in data breaches, system downtime, and reputational damage. The advisory does not specify the number of victims or sectors targeted, but the potential impact is widespread due to the common usage of InetUtils. A successful attack could lead to the complete compromise of affected systems and networks.

Recommendation

Identify all systems running GNU InetUtils and determine the installed version.
Monitor network traffic for suspicious activity targeting InetUtils services (e.g., unusual commands or large data transfers) using network_connection logs.
Deploy the provided Sigma rules to your SIEM to detect potential exploitation attempts targeting InetUtils.
Investigate and patch any identified vulnerabilities in GNU InetUtils immediately upon patch availability from the vendor.

XZ Utility Vulnerability Allows Remote Code Execution

hello@craftedsignal.io — Mon, 04 May 2026 09:34:36 +0000

A vulnerability exists within the xz compression utility that allows for arbitrary code execution. While the specific details of the vulnerability are not disclosed in this advisory, the potential impact is severe. An unauthenticated, remote attacker can leverage this flaw to execute code on a vulnerable system. The affected component is the xz utility, a widely used data compression tool in Linux distributions. Defenders should assume a broad potential impact, including data compromise, system instability, and potential for lateral movement within a compromised network. The lack of detailed information necessitates immediate investigation and patching.

Attack Chain

The attacker identifies a vulnerable system running the xz utility.
The attacker crafts a malicious payload designed to exploit the undisclosed vulnerability within xz.
The attacker delivers the malicious payload to the vulnerable system. The specific delivery mechanism is not detailed (e.g., network service, malicious file).
The xz utility processes the malicious payload, triggering the vulnerability.
Due to the vulnerability, the attacker gains the ability to execute arbitrary code on the targeted system.
The attacker’s code executes with the privileges of the xz process, potentially allowing for elevated privileges.
The attacker may then install a backdoor or other persistent mechanism to maintain access to the compromised system.
The attacker pivots to other systems on the network or exfiltrates sensitive data.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the targeted system. This can lead to complete system compromise, data theft, and further malicious activities within the network. Given the widespread use of the xz utility, a large number of systems are potentially vulnerable. The impact could range from disruption of services to significant data breaches.

Recommendation

Investigate systems running the xz utility for suspicious activity.
Deploy the Sigma rules provided below to detect potential exploitation attempts.
Monitor process execution for unexpected activity originating from the xz utility using process_creation logs.
Implement network monitoring to identify suspicious connections originating from systems where xz is used.

Totolink WA300 Buffer Overflow Vulnerability (CVE-2026-7719)

hello@craftedsignal.io — Mon, 04 May 2026 02:15:58 +0000

A critical buffer overflow vulnerability, identified as CVE-2026-7719, has been discovered in Totolink WA300 version 5.2cu.7112_B20190227. This vulnerability resides within the loginauth function of the /cgi-bin/cstecgi.cgi file, affecting the POST Request Handler component. The vulnerability is triggered by manipulating the http_host argument in a POST request. The exploit is publicly available, increasing the risk of widespread exploitation. This vulnerability allows for remote code execution, potentially granting attackers full control over the affected device. The affected version was released in February 2019. Defenders should prioritize patching or mitigating this vulnerability to prevent potential compromise.

Attack Chain

The attacker identifies a vulnerable Totolink WA300 device running firmware version 5.2cu.7112_B20190227.
The attacker crafts a malicious HTTP POST request targeting the /cgi-bin/cstecgi.cgi endpoint.
The crafted POST request includes a specially crafted http_host argument designed to overflow the buffer in the loginauth function.
The vulnerable loginauth function processes the http_host argument without proper bounds checking.
The oversized http_host argument overwrites adjacent memory regions, including the return address on the stack.
Upon completion of the loginauth function, the overwritten return address is used, redirecting execution to attacker-controlled code.
The attacker-controlled code executes with elevated privileges, allowing the attacker to execute arbitrary commands on the device.
The attacker gains complete control of the device, potentially using it for malicious purposes such as botnet participation, data theft, or further network penetration.

Impact

Successful exploitation of CVE-2026-7719 allows a remote attacker to execute arbitrary code on the vulnerable Totolink WA300 device. This can lead to complete device compromise, allowing the attacker to steal sensitive information, use the device as a botnet node, or pivot to other devices on the network. Given the public availability of the exploit, widespread exploitation is possible, potentially affecting a large number of home and small business networks using the vulnerable device.

Recommendation

Deploy the Sigma rule Detect Totolink WA300 HTTP Host Buffer Overflow Attempt to identify exploitation attempts in web server logs.
Monitor web server logs for POST requests to /cgi-bin/cstecgi.cgi with unusually long http_host headers.
Consider deploying a web application firewall (WAF) rule to filter out malicious requests targeting CVE-2026-7719.
Upgrade to a patched version of the firmware or replace the affected device to remediate the vulnerability.

Totolink WA300 Buffer Overflow Vulnerability in UploadCustomModule

hello@craftedsignal.io — Mon, 04 May 2026 01:16:05 +0000

A buffer overflow vulnerability has been identified in Totolink WA300 wireless router, specifically version 5.2cu.7112_B20190227. The vulnerability resides within the UploadCustomModule function of the /cgi-bin/cstecgi.cgi file, a component of the POST Request Handler. The identified vulnerability allows a remote attacker to cause a buffer overflow through manipulation of the File argument within a crafted POST request. Public proof-of-concept exploit code is available, increasing the likelihood of exploitation. This vulnerability poses a significant risk, as successful exploitation could lead to arbitrary code execution, potentially allowing attackers to fully compromise affected devices. Defenders should prioritize detection and mitigation strategies to prevent exploitation.

Attack Chain

Attacker identifies a vulnerable Totolink WA300 device running firmware version 5.2cu.7112_B20190227.
Attacker crafts a malicious POST request targeting the /cgi-bin/cstecgi.cgi endpoint.
The POST request includes a File argument with a payload exceeding the buffer size allocated for the UploadCustomModule function.
The UploadCustomModule function processes the POST request without proper bounds checking on the File argument.
The oversized File argument overwrites adjacent memory regions, including potentially critical program data and control flow instructions.
The buffer overflow allows the attacker to inject and execute arbitrary code on the device.
The attacker gains remote shell access to the device with elevated privileges.
The attacker could then use the compromised device to pivot into the internal network or cause a denial-of-service condition.

Impact

Successful exploitation of this buffer overflow vulnerability can lead to complete compromise of the affected Totolink WA300 device. An attacker could gain unauthorized access to the device’s configuration, intercept network traffic, or use the device as a bot in a larger attack. Given the high CVSS score of 8.8, the impact is considered critical. Home and small business networks using the affected router model are at risk. The vulnerability allows for remote code execution, leading to significant potential for damage.

Recommendation

Deploy the Sigma rule Detect Totolink WA300 UploadCustomModule Buffer Overflow Attempt to detect malicious POST requests targeting the vulnerable endpoint.
Monitor web server logs for POST requests to /cgi-bin/cstecgi.cgi with unusually large File parameters, as indicated in the Sigma rule.
Apply any available firmware updates from Totolink to patch CVE-2026-7717 if they become available.
Implement network segmentation to limit the impact of a compromised router on other internal network resources.

Multiple Vulnerabilities in Mozilla Thunderbird Allow for Remote Code Execution and Data Breach

hello@craftedsignal.io — Mon, 04 May 2026 00:00:00 +0000

On May 4, 2026, CERT-FR published an advisory regarding multiple vulnerabilities affecting Mozilla Thunderbird. Specifically, Thunderbird versions prior to 150.0.1 and Thunderbird ESR versions prior to 140.10.1 are vulnerable. Successful exploitation of these vulnerabilities could allow an attacker to achieve remote code execution, compromise the confidentiality of data, and bypass security policies. The advisory highlights the urgency for users and organizations utilizing affected versions to apply the necessary patches to mitigate these risks. These vulnerabilities underscore the importance of maintaining up-to-date software versions to defend against potential exploitation.

Attack Chain

Attacker identifies a target using a vulnerable version of Mozilla Thunderbird (ESR < 140.10.1 or < 150.0.1).
Attacker crafts a malicious email or leverages a compromised website to deliver a specially crafted exploit.
The user opens the malicious email or visits the compromised website within Thunderbird.
The exploit triggers a vulnerability in Thunderbird, such as CVE-2026-7320 (or another from the listed CVEs), leading to code execution.
Attacker gains initial access to the user’s system with the privileges of the Thunderbird process.
Attacker escalates privileges, if necessary, to gain a higher level of control over the system.
Attacker executes arbitrary commands to install malware, exfiltrate sensitive data, or perform other malicious actions.
The attacker achieves their objective, such as data theft, system compromise, or establishing a persistent foothold.

Impact

Successful exploitation of these vulnerabilities could have severe consequences. An attacker could remotely execute arbitrary code, potentially leading to full system compromise. Sensitive data stored within Thunderbird, such as emails, contacts, and passwords, could be exposed. The security policy bypass could allow attackers to perform actions that are normally restricted, further compromising the system’s security. This can lead to significant financial losses, reputational damage, and legal liabilities for affected organizations.

Recommendation

Immediately upgrade Mozilla Thunderbird to version 150.0.1 or later, or Thunderbird ESR to version 140.10.1 or later, to patch the vulnerabilities described in Mozilla security advisories mfsa2026-38 and mfsa2026-39.
Deploy the Sigma rule “Detect Thunderbird Spawning Suspicious Processes” to identify potential exploitation attempts via unusual child processes.
Monitor process creation events for Thunderbird spawning command interpreters or script engines using the Sigma rule “Detect Thunderbird Running External Commands”.
Review and harden email security policies to prevent the delivery of malicious emails that could exploit these vulnerabilities.

Tiandy Easy7 Integrated Management Platform OS Command Injection Vulnerability

hello@craftedsignal.io — Sun, 03 May 2026 14:16:27 +0000

A critical vulnerability, CVE-2026-7698, has been identified in Tiandy Easy7 Integrated Management Platform version 7.17.0. This vulnerability resides within the /Easy7/rest/systemInfo/updateDbBackupInfo file, specifically related to the week argument. Successful exploitation allows for arbitrary OS command injection. This vulnerability is remotely exploitable, meaning an attacker can trigger it over the network without needing local access. Publicly available exploit code exists, increasing the likelihood of exploitation. The vendor was notified but has not responded. Defenders should take immediate action to mitigate this risk.

Attack Chain

An attacker identifies a vulnerable Tiandy Easy7 Integrated Management Platform running version 7.17.0.
The attacker crafts a malicious HTTP request targeting the /Easy7/rest/systemInfo/updateDbBackupInfo endpoint.
The crafted request includes a payload within the week argument designed to inject OS commands.
The vulnerable application fails to properly sanitize or validate the week argument.
The application executes the injected OS command with the privileges of the web server.
The attacker gains arbitrary code execution on the server.
The attacker can then perform further actions such as installing malware, exfiltrating data, or pivoting to other systems on the network.

Impact

Successful exploitation of CVE-2026-7698 allows an attacker to execute arbitrary commands on the affected system. This could lead to complete system compromise, data breaches, denial of service, or further lateral movement within the network. Given the publicly available exploit, organizations using Tiandy Easy7 Integrated Management Platform 7.17.0 are at immediate risk.

Recommendation

Apply available patches from Tiandy if they become available.
Monitor web server logs for requests to /Easy7/rest/systemInfo/updateDbBackupInfo containing suspicious characters or command injection attempts. Deploy the Sigma rule Detect Suspicious Requests to updateDbBackupInfo to your SIEM.
Implement input validation and sanitization on the week argument within the /Easy7/rest/systemInfo/updateDbBackupInfo endpoint.
Monitor process creation events for unusual processes spawned by the web server, using the Sigma rule Detect OS Command Injection via Web Request.
Review and restrict network access to the Tiandy Easy7 Integrated Management Platform to only authorized users and systems.

Edimax BR-6428nC Buffer Overflow Vulnerability (CVE-2026-7684)

hello@craftedsignal.io — Sun, 03 May 2026 07:16:25 +0000

A buffer overflow vulnerability, tracked as CVE-2026-7684, affects Edimax BR-6428nC devices up to version 1.16. The vulnerability resides in the /goform/setWAN file, specifically within the handling of the pptpDfGateway argument. An unauthenticated attacker can exploit this flaw remotely by sending a crafted request to the device. Publicly available exploit code exists, increasing the risk of widespread exploitation. The vendor was notified but did not respond, suggesting that a patch is unlikely and highlighting the need for mitigation strategies.

Attack Chain

The attacker identifies an Edimax BR-6428nC device running a vulnerable firmware version (<= 1.16).
The attacker crafts a malicious HTTP POST request targeting the /goform/setWAN endpoint.
The request includes the pptpDfGateway parameter with a value exceeding the expected buffer size.
The device processes the request, and the oversized pptpDfGateway value overflows the buffer, overwriting adjacent memory regions.
The attacker carefully crafts the overflow to overwrite the return address, redirecting execution flow.
Execution is redirected to attacker-controlled code injected within the overflowed buffer.
The attacker gains arbitrary code execution on the device, potentially achieving full system control.
The attacker could then use this control to modify device settings, intercept network traffic, or establish a persistent backdoor.

Impact

Successful exploitation of this vulnerability can allow an attacker to gain complete control of the Edimax BR-6428nC device. This could enable the attacker to intercept and modify network traffic, access sensitive information, or use the device as a point of entry for further attacks within the network. Given the public availability of exploit code, the risk of widespread exploitation is significant.

Recommendation

Deploy the Sigma rule Edimax_BR_6428nC_Buffer_Overflow_setWAN to detect suspicious HTTP requests targeting the vulnerable endpoint and parameter.
Consider blocking or rate-limiting access to the /goform/setWAN endpoint from untrusted networks.
Since the vendor is unresponsive and a patch is unlikely, network segmentation and access control policies are the best mitigation options.

Edimax BR-6208AC Buffer Overflow Vulnerability

hello@craftedsignal.io — Sun, 03 May 2026 07:16:25 +0000

A buffer overflow vulnerability, CVE-2026-7685, has been identified in Edimax BR-6208AC routers up to version 1.02. The vulnerability resides within the /goform/setWAN file, specifically related to the pptpDfGateway argument. Successful exploitation of this flaw could allow a remote attacker to execute arbitrary code or cause a denial-of-service condition. Publicly available exploits exist, increasing the risk of widespread exploitation. The vendor was notified but has not responded. Given the ease of exploitation and the potential for significant impact, this vulnerability poses a critical threat to affected devices.

Attack Chain

Attacker identifies an Edimax BR-6208AC router with firmware version 1.02 or earlier exposed to the internet.
The attacker crafts a malicious HTTP POST request targeting the /goform/setWAN endpoint.
Within the POST request, the attacker includes the pptpDfGateway argument, injecting a payload exceeding the buffer’s expected size.
The router’s web server processes the malicious request without proper input validation on the size of the pptpDfGateway argument.
The oversized payload overwrites adjacent memory regions on the stack, potentially including return addresses or other critical data.
When the function attempts to return, it jumps to an address controlled by the attacker, leading to arbitrary code execution.
The attacker executes commands to gain control of the device, potentially installing malware or modifying router settings.

Impact

Successful exploitation of this vulnerability can lead to complete compromise of the Edimax BR-6208AC router. An attacker could leverage this access to perform a variety of malicious activities, including eavesdropping on network traffic, injecting malicious code into web pages served by the router, or using the router as a bot in a larger botnet. Given the availability of public exploits, unpatched devices are at immediate risk of compromise.

Recommendation

Deploy the Sigma rule Detect Edimax BR-6208AC setWAN Buffer Overflow Attempt to identify exploitation attempts in web server logs.
Inspect web server logs for POST requests to /goform/setWAN containing unusually long pptpDfGateway parameters, as detected by the Sigma rule Detect Long pptpDfGateway Parameter.
Apply appropriate network segmentation to limit the blast radius of compromised devices and prevent lateral movement.

Shenzhen Libituo Technology LBT-T300-HW1 Buffer Overflow Vulnerability

hello@craftedsignal.io — Sun, 03 May 2026 03:16:15 +0000

A buffer overflow vulnerability, identified as CVE-2026-7675, affects Shenzhen Libituo Technology LBT-T300-HW1 devices with firmware versions up to 1.2.8. The vulnerability resides in the start_lan function within the /apply.cgi file. By manipulating the Channel/ApCliSsid argument, a remote attacker can trigger a buffer overflow, potentially leading to arbitrary code execution. Publicly available exploit code exists for this vulnerability. The vendor was notified about the vulnerability, but there has been no response. This vulnerability is considered critical due to the potential for remote exploitation and the availability of exploit code.

Attack Chain

The attacker identifies a vulnerable Shenzhen Libituo Technology LBT-T300-HW1 device running firmware version 1.2.8 or earlier.
The attacker crafts a malicious HTTP request targeting the /apply.cgi endpoint.
The HTTP request includes a specially crafted Channel/ApCliSsid argument designed to overflow the buffer in the start_lan function.
The vulnerable start_lan function receives the malicious input and attempts to process it without proper bounds checking.
The buffer overflow occurs, overwriting adjacent memory regions, including potentially the return address on the stack.
The attacker gains control of the program execution flow by overwriting the return address with the address of malicious code.
The injected code executes with the privileges of the web server process.
The attacker achieves arbitrary code execution, potentially gaining full control of the device.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected device. Given that this is a router, this could lead to complete compromise of the device, including the ability to intercept and manipulate network traffic, install malware, or use the device as part of a botnet. Due to the public availability of the exploit, widespread exploitation is possible.

Recommendation

Apply network intrusion detection system (NIDS) rules to detect and block malicious HTTP requests targeting /apply.cgi with excessively long Channel/ApCliSsid values.
Deploy the Sigma rule Detect-LBT-T300-HW1-applycgi-buffer-overflow to your SIEM and tune for your environment to identify exploitation attempts.
Monitor web server logs for suspicious POST requests to /apply.cgi and analyze the length of the Channel/ApCliSsid parameter.

Shenzhen Libituo Technology LBT-T300-HW1 Buffer Overflow Vulnerability

hello@craftedsignal.io — Sun, 03 May 2026 02:17:12 +0000

A buffer overflow vulnerability, identified as CVE-2026-7674, affects Shenzhen Libituo Technology LBT-T300-HW1 devices up to version 1.2.8. The vulnerability resides within the Web Management Interface, specifically in the start_single_service function. By sending a crafted request to the device and manipulating the vpn_pptp_server or vpn_l2tp_server arguments, an attacker can trigger a buffer overflow, potentially leading to arbitrary code execution. This vulnerability can be exploited remotely, making it a significant threat to affected devices. The vendor was notified but did not respond, increasing the risk of exploitation.

Attack Chain

The attacker identifies a vulnerable LBT-T300-HW1 device with version 1.2.8 or earlier.
The attacker crafts a malicious HTTP request targeting the Web Management Interface.
The malicious request includes a payload designed to overflow the buffer when processing the vpn_pptp_server or vpn_l2tp_server arguments.
The crafted request is sent to the start_single_service function.
The start_single_service function attempts to process the overly long input without proper bounds checking.
The buffer overflow overwrites adjacent memory regions, including potentially executable code or critical data structures.
The attacker gains control of the device by redirecting execution flow to attacker-controlled code injected into the buffer.
The attacker executes arbitrary code on the device, potentially gaining persistent access or causing denial of service.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected LBT-T300-HW1 device. This could lead to complete system compromise, including data theft, modification of device settings, or use of the device as a bot in a larger attack. Given the lack of vendor response, many devices could be vulnerable if exposed to the internet.

Recommendation

Deploy the Sigma rule Detect Suspicious VPN Server Configuration via Web Interface to detect potential exploitation attempts targeting the vulnerable start_single_service function in web server logs.
Monitor network traffic for unusually long strings passed as values for vpn_pptp_server and vpn_l2tp_server parameters in HTTP requests to the device’s web interface.
Apply any available patches or firmware updates released by Shenzhen Libituo Technology to address CVE-2026-7674.

OS Command Injection Vulnerability in p_69_branch_monkey_mcp Preview Endpoint (CVE-2026-7590)

hello@craftedsignal.io — Sat, 02 May 2026 12:00:00 +0000

A critical OS command injection vulnerability, CVE-2026-7590, has been identified in the Preview Endpoint of eyal-gor’s p_69_branch_monkey_mcp. This vulnerability affects versions up to commit 69bc71874ce40050ef45fde5a435855f18af3373. A remote attacker can exploit this flaw by manipulating the dev_script argument within the branch_monkey_mcp/bridge_and_local_actions/routes/advanced.py file. Successful exploitation allows for arbitrary command execution on the host operating system. The exploit is publicly available, increasing the risk of widespread exploitation. The vendor has been notified but has not yet responded. The lack of versioning makes it difficult to determine the exact scope of affected installations.

Attack Chain

The attacker identifies a vulnerable instance of p_69_branch_monkey_mcp running a web server.
The attacker crafts a malicious HTTP request targeting the Preview Endpoint.
The request includes a payload in the dev_script argument designed to inject OS commands via the branch_monkey_mcp/bridge_and_local_actions/routes/advanced.py file.
The web server processes the request, passing the attacker-controlled dev_script argument to a function that executes system commands without proper sanitization.
The injected OS command is executed by the server, potentially with the privileges of the web server user. For example, an attacker could inject ls -la to list directory contents.
The output of the injected command is returned to the attacker via the web server’s response, confirming successful command execution.
The attacker leverages the initial command execution to escalate privileges, install persistent backdoors, or move laterally within the network, depending on the server’s configuration and accessible resources.
The attacker achieves their final objective, such as data exfiltration, system compromise, or denial of service.

Impact

Successful exploitation of CVE-2026-7590 allows a remote attacker to execute arbitrary OS commands on the affected server. This could lead to complete system compromise, including data theft, malware installation, and denial of service. The lack of version information makes it difficult to ascertain the number of vulnerable installations, but given the publicly available exploit, widespread exploitation is possible. Organizations using p_69_branch_monkey_mcp are at high risk.

Recommendation

Monitor web server logs for suspicious requests targeting the Preview Endpoint and containing potentially malicious payloads in the dev_script parameter as described in the attack chain. Use the “p_69_branch_monkey_mcp_command_injection” Sigma rule.
Inspect process creation events for unexpected processes spawned by the web server, indicating potential command injection. Use the “p_69_branch_monkey_mcp_unexpected_process” Sigma rule.
Implement input validation and sanitization on the dev_script parameter in the branch_monkey_mcp/bridge_and_local_actions/routes/advanced.py file to prevent command injection.
Although specific vulnerable versions are unavailable, immediately investigate and patch any instances of p_69_branch_monkey_mcp due to the public exploit availability.

WordPress Widget Options Plugin Remote Code Execution Vulnerability (CVE-2026-2052)

hello@craftedsignal.io — Sat, 02 May 2026 08:16:27 +0000

The Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets plugin, versions 4.2.2 and earlier, contains a Remote Code Execution (RCE) vulnerability (CVE-2026-2052). This flaw stems from the plugin’s Display Logic feature, which utilizes the eval() function to process user-supplied expressions. The plugin’s implemented blocklist/allowlist is insufficient, making it bypassable through techniques involving array_map with string concatenation. Furthermore, the plugin lacks proper authorization enforcement on the extended_widget_opts_block attribute. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject and execute arbitrary code on the underlying server. The vendor partially addressed this vulnerability in version 4.2.0.

Attack Chain

An attacker authenticates to the WordPress application as a Contributor or higher-level user.
The attacker navigates to the Widget Options settings within the WordPress admin panel.
The attacker crafts a malicious Display Logic expression designed to execute arbitrary PHP code. This involves bypassing the blocklist/allowlist using techniques such as array_map and string concatenation.
The attacker injects the malicious Display Logic expression into the extended_widget_opts_block attribute.
The WordPress application processes the widget options, including the malicious Display Logic expression. Due to the lack of proper sanitization and authorization, the eval() function executes the attacker-supplied PHP code.
The attacker’s code executes with the permissions of the web server user, potentially allowing the attacker to read or write files, execute system commands, or compromise the entire server.
The attacker may establish persistence by writing a backdoor to a file on the server or by creating a new administrator account.

Impact

Successful exploitation of CVE-2026-2052 allows an attacker to execute arbitrary code on the WordPress server. This can lead to complete compromise of the website, including data theft, defacement, and the installation of malware. Since the vulnerability requires Contributor access or higher, the impact is significant if such accounts are compromised through other means (e.g., phishing, credential stuffing). The lack of proper input sanitization and authorization makes this a critical vulnerability.

Recommendation

Upgrade the “The Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets” plugin to the latest version to patch CVE-2026-2052.
Deploy the Sigma rule “Detect WordPress Widget Options RCE Attempt” to your SIEM to detect exploitation attempts.
Review user roles and permissions to minimize the number of users with Contributor or higher-level access.
Monitor web server logs for unusual activity, particularly requests to /wp-admin/options.php related to widget options.

WordPress User Verification Plugin Authentication Bypass Vulnerability

hello@craftedsignal.io — Sat, 02 May 2026 05:16:01 +0000

The User Verification by PickPlugins plugin, a popular WordPress plugin, contains a critical authentication bypass vulnerability (CVE-2026-7458) affecting all versions up to and including 2.0.46. The flaw resides within the user_verification_form_wrap_process_otpLogin function, where a loose PHP comparison operator is used to validate OTP codes. This weakness allows unauthenticated attackers to bypass the OTP verification process and log in as any user with a verified email address, potentially gaining administrative access. Successful exploitation requires the attacker to submit the string “true” as the OTP value. This vulnerability poses a significant risk to WordPress sites using the affected plugin, potentially leading to complete site compromise.

Attack Chain

An unauthenticated attacker identifies a WordPress site using a vulnerable version of the User Verification by PickPlugins plugin (<= 2.0.46).
The attacker navigates to the OTP login form provided by the plugin.
The attacker enters the email address of a target user, such as an administrator.
The attacker intercepts the OTP request and instead of a numerical code, submits the string “true” as the OTP value.
The vulnerable user_verification_form_wrap_process_otpLogin function processes the submitted OTP. Due to the loose PHP comparison (e.g., == instead of ===), the string “true” evaluates to true, bypassing the intended OTP validation.
The plugin incorrectly authenticates the attacker as the targeted user.
The attacker gains unauthorized access to the targeted user’s account, potentially gaining administrative privileges.
The attacker can now perform actions such as modifying website content, installing malicious plugins, or exfiltrating sensitive data.

Impact

Successful exploitation of CVE-2026-7458 allows unauthenticated attackers to bypass the OTP verification mechanism and gain unauthorized access to any user account with a verified email address on a vulnerable WordPress site. This can lead to complete compromise of the affected WordPress site, enabling attackers to modify content, inject malicious code, steal sensitive data, or use the site for malicious purposes. Given the plugin’s popularity, this vulnerability could impact a large number of WordPress websites.

Recommendation

Upgrade the User Verification by PickPlugins plugin to the latest version (greater than 2.0.46) to patch CVE-2026-7458.
Monitor WordPress access logs for unusual login attempts or the presence of “true” as OTP values to identify potential exploitation attempts. Deploy the Detect Successful Authentication Bypass via True OTP Sigma rule.
Implement stricter input validation and sanitization for OTP codes to prevent similar bypass vulnerabilities.

WordPress User Registration Advanced Fields Plugin Arbitrary File Upload Vulnerability

hello@craftedsignal.io — Sat, 02 May 2026 05:16:00 +0000

The User Registration Advanced Fields plugin for WordPress, specifically versions up to and including 1.6.20, contains an arbitrary file upload vulnerability (CVE-2026-4882) due to insufficient file type validation in the URAF_AJAX::method_upload function. This flaw enables unauthenticated attackers to upload any file type to the affected server, which can lead to remote code execution if the uploaded file is strategically placed and executed. The vulnerability is exploitable only if a “Profile Picture” field is active within the registration form. This poses a significant threat to websites using the plugin, as attackers can potentially gain full control of the server.

Attack Chain

An unauthenticated attacker identifies a WordPress site using the vulnerable User Registration Advanced Fields plugin (<= 1.6.20) with the “Profile Picture” field enabled.
The attacker crafts a malicious HTTP request to the URAF_AJAX::method_upload function, bypassing any client-side file type checks.
The attacker uploads a web shell (e.g., a PHP file) disguised as a legitimate file type or without any extension to evade basic detection mechanisms.
The vulnerable plugin saves the file to the WordPress uploads directory without proper validation.
The attacker identifies the exact file path of the uploaded web shell on the server.
The attacker sends another HTTP request directly to the uploaded web shell.
The web shell executes on the server, providing the attacker with remote code execution capabilities.
The attacker can then leverage the web shell to perform various malicious activities, such as installing malware, defacing the website, or exfiltrating sensitive data.

Impact

Successful exploitation of this vulnerability (CVE-2026-4882) allows unauthenticated attackers to upload arbitrary files to a vulnerable WordPress website, potentially leading to remote code execution. This can result in complete compromise of the affected website, including data theft, website defacement, and malware infections. The CVSS v3.1 base score for this vulnerability is 9.8, indicating a critical severity level. The impact includes potential damage to reputation, financial losses, and legal liabilities.

Recommendation

Upgrade the User Registration Advanced Fields plugin to the latest version (greater than 1.6.20) to patch CVE-2026-4882.
Implement file type validation on the server-side, restricting allowed file extensions for profile picture uploads.
Monitor web server logs for suspicious file upload activity targeting the URAF_AJAX::method_upload function to detect potential exploitation attempts. Deploy the Sigma rule Detect Suspicious WordPress File Uploads to your SIEM.
Implement strict file permission policies to prevent uploaded files from being executed as scripts.

CVE-2026-31431 'Copy Fail' Linux Kernel Privilege Escalation

hello@craftedsignal.io — Sat, 02 May 2026 03:06:08 +0000

CVE-2026-31431, known as “Copy Fail,” is a high-severity local privilege escalation vulnerability affecting the Linux kernel’s cryptographic subsystem. The vulnerability resides within the algif_aead module of the AF_ALG (userspace crypto API) and results from improper memory handling during in-place operations. An unprivileged user can exploit this flaw to corrupt the cache of readable files, including setuid binaries, resulting in unauthorized root privilege escalation. This vulnerability impacts a wide range of Linux distributions, including Ubuntu 24.04 LTS, Amazon Linux 2023, Red Hat Enterprise Linux (RHEL 10.1), and SUSE 16, as well as other distributions like Debian, Fedora, and Arch Linux. The availability of a working proof-of-concept exploit has raised concerns about potential widespread exploitation, leading to its addition to the CISA KEV catalog.

Attack Chain

Reconnaissance: The attacker gains limited visibility into the environment (e.g., compromised CI runner, web container) and identifies the kernel version. Kernel version information is obtained without elevated privileges.
Script Execution: The attacker executes a compact Python script that interacts with standard kernel interfaces, without relying on networking, compilation, or third-party libraries.
AF_ALG Abuse: The script abuses an interaction between the AF_ALG (asynchronous crypto) socket interface, the splice() system call and improper error handling during a failed copy operation.
Kernel Page Cache Corruption: This interaction leads to a controlled 4-byte overwrite in the kernel page cache, corrupting sensitive kernel-managed data.
Privilege Escalation: By corrupting kernel structures associated with credentials or execution context, the attacker escalates their process to UID 0.
Boundary Breach: The system’s privilege boundary is broken, neutralizing SELinux/AppArmor protections, and bypassing local security controls.
Lateral Movement/Container Escape: The attacker can now use the root privileges gained to perform lateral movement or escape the container.

Impact

Successful exploitation of CVE-2026-31431 leads to full root privilege escalation, resulting in high impact to confidentiality, integrity, and availability. This could facilitate container breakout, multi-tenant compromise, and lateral movement within shared environments. The vulnerability’s reliability, stealth (in-memory-only modification), and cross-platform applicability make it particularly dangerous in cloud, CI/CD, and Kubernetes environments.

Recommendation

Identify all instances of affected products and versions in your environment and prioritize patching (CVE-2026-31431).
Deploy the Sigma rule for suspicious process execution under /tmp, often used in exploit PoCs, and tune for your environment.
Monitor for suspicious AF_ALG socket creation events, as indicated in the Attack Chain, using the provided Sigma rule.
If patches are unavailable, consider implementing network isolation and access controls as interim mitigation measures.

WordPress Temporary Login Plugin Authentication Bypass (CVE-2026-7567)

hello@craftedsignal.io — Fri, 01 May 2026 10:15:58 +0000

CVE-2026-7567 is an authentication bypass vulnerability that affects the Temporary Login plugin for WordPress, specifically versions up to and including 1.0.0. The vulnerability stems from a failure to properly validate the ’temp-login-token’ GET parameter within the maybe_login_temporary_user() function. By supplying an array as the value for this parameter, attackers can circumvent the intended empty() check. This leads to the sanitize_key() function returning an empty string, which is then used in a database query to fetch users. WordPress ignores empty meta_value parameters, causing the query to return all users with the _temporary_login_token meta key. Consequently, an unauthenticated attacker can effectively authenticate as any user with an active temporary login session by sending a single, maliciously crafted GET request. This poses a severe risk to website security, as it allows unauthorized access to user accounts and potentially sensitive data.

Attack Chain

An unauthenticated attacker identifies a WordPress site using the vulnerable Temporary Login plugin (version <= 1.0.0).
The attacker crafts a malicious GET request targeting the WordPress site’s login endpoint, including the ’temp-login-token’ parameter as an array (e.g., temp-login-token[]=).
The web server receives the GET request.
The maybe_login_temporary_user() function processes the request.
Due to improper input validation, the empty() check is bypassed when the ’temp-login-token’ parameter is an array.
sanitize_key() processes the array and returns an empty string as the meta_value.
WordPress executes a database query using the empty meta_value, effectively retrieving all users with active temporary login tokens.
The attacker is granted unauthorized access to the account of a targeted temporary user, bypassing normal authentication procedures.

Impact

Successful exploitation of CVE-2026-7567 allows unauthenticated attackers to bypass login restrictions and gain unauthorized access to WordPress user accounts utilizing the vulnerable Temporary Login plugin. The severity is high, as it allows complete compromise of user accounts without requiring any valid credentials. The impact includes potential data theft, account takeover, website defacement, and other malicious activities, depending on the privileges of the compromised user account.

Recommendation

Apply the available patch or upgrade the Temporary Login plugin to a version greater than 1.0.0 to remediate CVE-2026-7567.
Deploy the Sigma rule Detect WordPress Temporary Login Authentication Bypass Attempt to detect exploitation attempts by monitoring HTTP requests with array-based temp-login-token parameters in the query string.
Implement input validation on the web server to reject requests containing array-based parameters where scalar strings are expected.

Totolink NR1800X Stack-Based Buffer Overflow Vulnerability

hello@craftedsignal.io — Fri, 01 May 2026 03:16:01 +0000

A critical security vulnerability, CVE-2026-7546, affects Totolink NR1800X routers running firmware version 9.1.0u.6279_B20210910. The vulnerability resides within the find_host_ip function of the lighttpd web server component. By exploiting this flaw, a remote, unauthenticated attacker can trigger a stack-based buffer overflow through manipulation of the Host argument in an HTTP request. The publicly disclosed exploit allows attackers to potentially gain complete control of the device. This vulnerability poses a significant risk to home and small business networks utilizing the affected Totolink router model, as successful exploitation leads to arbitrary code execution.

Attack Chain

The attacker identifies a vulnerable Totolink NR1800X router running firmware version 9.1.0u.6279_B20210910.
The attacker crafts a malicious HTTP request targeting the router’s web interface.
The crafted request includes a Host header with a string exceeding the buffer size allocated in the find_host_ip function within the lighttpd component.
The router’s lighttpd server processes the HTTP request and passes the Host header value to the vulnerable function.
The find_host_ip function attempts to store the oversized Host value in a stack-allocated buffer.
A stack-based buffer overflow occurs due to the insufficient buffer size.
The overflow overwrites adjacent memory on the stack, potentially including the return address.
The attacker gains arbitrary code execution on the device.

Impact

Successful exploitation of CVE-2026-7546 allows a remote attacker to execute arbitrary code on the vulnerable Totolink NR1800X device. This can lead to complete control of the router, allowing the attacker to modify router settings, intercept network traffic, or use the compromised router as a pivot point for further attacks within the network. Given the nature of stack-based buffer overflows, the attacker can potentially install persistent backdoors or malware. This presents a significant risk to users, potentially exposing sensitive data and infrastructure to unauthorized access.

Recommendation

Apply available patches released by Totolink to remediate CVE-2026-7546.
Monitor network traffic for suspicious HTTP requests targeting Totolink routers, specifically looking for abnormally long Host headers with the Sigma rule “Detect Suspiciously Long Host Header”.
Implement network segmentation to limit the impact of a compromised router.
Review and harden router configurations, including disabling remote administration if not required.

Totolink NR1800X Command Injection Vulnerability

hello@craftedsignal.io — Fri, 01 May 2026 03:16:01 +0000

A command injection vulnerability, identified as CVE-2026-7548, affects Totolink NR1800X router version 9.1.0u.6279_B20210910. The vulnerability resides within the sub_41A68C function of the /cgi-bin/cstecgi.cgi file. By manipulating the setUssd argument, a remote attacker can inject arbitrary commands into the system. Publicly available exploit code makes exploitation easier. This vulnerability poses a significant risk as it allows unauthenticated remote attackers to execute arbitrary commands on the affected device, potentially leading to full system compromise.

Attack Chain

The attacker identifies a vulnerable Totolink NR1800X device running firmware version 9.1.0u.6279_B20210910.
The attacker sends a crafted HTTP request to the /cgi-bin/cstecgi.cgi endpoint.
The HTTP request includes the setUssd argument with a malicious payload designed to inject a command.
The sub_41A68C function processes the setUssd argument without proper sanitization.
The injected command is executed by the system with the privileges of the web server process.
The attacker gains initial access and can execute arbitrary commands on the device.
The attacker may then use the command execution to escalate privileges, install malware, or pivot to other devices on the network.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the affected Totolink NR1800X router. This could lead to complete compromise of the device, allowing the attacker to control network traffic, modify router settings, or use the router as a pivot point to attack other devices on the network. Given the wide usage of Totolink routers, a large number of devices could be vulnerable.

Recommendation

Monitor web server logs for requests to /cgi-bin/cstecgi.cgi containing suspicious characters or command injection attempts in the setUssd parameter, using the Sigma rule provided below.
Implement rate limiting on the /cgi-bin/cstecgi.cgi endpoint to mitigate brute-force exploitation attempts.
Apply available patches provided by Totolink to address the CVE-2026-7548 vulnerability.
Deploy the Sigma rule to your SIEM and tune for your environment.

CVE-2026-7339: Heap Buffer Overflow in WebRTC

hello@craftedsignal.io — Fri, 01 May 2026 02:21:27 +0000

CVE-2026-7339 is a critical heap buffer overflow vulnerability affecting the WebRTC (Web Real-Time Communication) component in Google Chrome and Microsoft Edge (Chromium-based). This vulnerability stems from improper memory management within WebRTC, potentially allowing a remote attacker to execute arbitrary code by crafting malicious web content. As Microsoft Edge ingests Chromium, it is also vulnerable. Users of Chrome and Edge are affected. Defenders should apply available patches promptly to mitigate potential exploitation.

Attack Chain

An attacker crafts a malicious website designed to trigger the WebRTC vulnerability.
The victim visits the malicious website using a vulnerable version of Chrome or Edge.
The website uses JavaScript to initiate a WebRTC session.
The crafted WebRTC data triggers a heap buffer overflow during memory allocation within the WebRTC component.
The overflow overwrites adjacent memory regions on the heap.
The attacker carefully crafts the overflow data to overwrite critical program data or function pointers.
The corrupted data leads to arbitrary code execution within the context of the browser process.
The attacker gains control of the user’s browser and potentially the underlying system.

Impact

Successful exploitation of CVE-2026-7339 can lead to arbitrary code execution, allowing an attacker to potentially install malware, steal sensitive information, or take control of the affected system. Given the widespread use of Chrome and Edge, this vulnerability could impact a large number of users across various sectors, including individuals, businesses, and government organizations.

Recommendation

Apply the latest security updates for Google Chrome and Microsoft Edge (Chromium-based) to patch CVE-2026-7339.
Deploy the Sigma rule “Detect WebRTC Heap Overflow Attempt” to identify potential exploitation attempts targeting CVE-2026-7339.
Monitor web server logs for unusual requests or patterns associated with WebRTC usage that could indicate exploitation attempts.

Chromium Use-After-Free Vulnerability in GPU Component (CVE-2026-7357)

hello@craftedsignal.io — Fri, 01 May 2026 02:21:27 +0000

CVE-2026-7357 is a critical use-after-free vulnerability residing within the GPU component of the Chromium rendering engine. This flaw directly impacts Google Chrome and, due to Microsoft Edge’s reliance on Chromium, also affects Edge users. A remote attacker could potentially exploit this vulnerability to execute arbitrary code on a targeted system. The vulnerability stems from improper memory management within the GPU processing routines. While the specific exploitation details are not provided in this brief, successful exploitation generally involves crafting malicious web content to trigger the vulnerability during GPU operations.

Attack Chain

Attacker crafts a malicious HTML page containing JavaScript that triggers specific GPU functions.
User visits the malicious website using Chrome or Edge.
The browser’s rendering engine processes the malicious JavaScript, leading to the allocation and subsequent freeing of a memory region in the GPU component.
The attacker’s JavaScript code then attempts to access the previously freed memory region, triggering the use-after-free vulnerability.
By manipulating the memory layout, the attacker can overwrite the freed memory with controlled data.
The overwritten memory is later accessed by the GPU, leading to the execution of attacker-controlled code.
The attacker gains arbitrary code execution within the context of the browser process.
The attacker leverages the code execution to escalate privileges or perform other malicious activities.

Impact

Successful exploitation of CVE-2026-7357 can lead to arbitrary code execution on the victim’s machine. The attacker could potentially install malware, steal sensitive data, or take control of the affected system. Given the widespread use of Chrome and Edge, this vulnerability poses a significant risk to a large number of users.

Recommendation

Apply the latest security updates for Google Chrome to address CVE-2026-7357.
Apply the latest security updates for Microsoft Edge to address CVE-2026-7357.
Deploy the Sigma rule “Detect Suspicious WebAssembly Execution” to identify potential exploitation attempts involving WebAssembly.

Chromium Use-After-Free Vulnerability in GPU Component (CVE-2026-7333)

hello@craftedsignal.io — Fri, 01 May 2026 02:21:27 +0000

CVE-2026-7333 is a critical use-after-free vulnerability residing in the GPU component of the Chromium browser engine. This flaw allows an attacker to potentially corrupt memory and execute arbitrary code in the context of the browser process. As Microsoft Edge is built upon the Chromium engine, it is also susceptible to this vulnerability. Public details are limited, but exploitation likely involves crafting malicious web content that triggers the use-after-free condition within the GPU processing routines. This vulnerability poses a significant threat as it could allow attackers to compromise user systems simply by visiting a malicious website.

Attack Chain

Attacker crafts a malicious HTML page containing JavaScript that interacts with the GPU functionality of the browser.
The user visits the malicious page via a phishing email or drive-by download.
The JavaScript code triggers the use-after-free vulnerability in the Chromium GPU component.
The vulnerability allows the attacker to corrupt memory allocated for GPU processing.
The attacker manipulates memory to gain control of program execution.
The attacker injects malicious code into the browser process.
The injected code executes with the privileges of the browser process, allowing the attacker to perform actions such as stealing cookies, credentials, or installing malware.
The attacker gains persistent access to the compromised system and exfiltrates sensitive data.

Impact

A successful exploitation of CVE-2026-7333 could allow an attacker to execute arbitrary code on a user’s system. This could lead to the theft of sensitive information, installation of malware, or complete system compromise. Given the widespread use of Chromium-based browsers such as Chrome and Edge, this vulnerability has the potential to affect millions of users. The impact is considered critical due to the ease of exploitation and the potential for widespread damage.

Recommendation

Apply the latest security updates for Google Chrome and Microsoft Edge to patch CVE-2026-7333.
Deploy the Sigma rule “Detect Suspicious GPU Process Creation” to identify potential exploitation attempts.
Enable process creation logging with command-line arguments to detect suspicious processes spawned by the browser (logsource: process_creation).

Chromium Use-After-Free Vulnerability in Codecs (CVE-2026-7348)

hello@craftedsignal.io — Fri, 01 May 2026 02:21:27 +0000

CVE-2026-7348 is a critical use-after-free vulnerability residing within the Codecs component of the Chromium browser engine. This vulnerability affects applications that utilize the Chromium engine, most notably Google Chrome and Microsoft Edge. While the specific details of the vulnerability are documented in Google Chrome Releases, the underlying issue stems from improper memory management within the Codecs library. Successful exploitation could allow an attacker to execute arbitrary code within the context of the affected browser, potentially leading to data theft, system compromise, or other malicious activities. This vulnerability requires immediate attention from organizations utilizing Chrome or Edge.

Attack Chain

An attacker crafts a malicious web page containing specially crafted media content designed to trigger the use-after-free condition in the Codecs library.
The user visits the malicious web page using Google Chrome or Microsoft Edge.
The browser attempts to process the malicious media content, triggering the vulnerable code path within the Codecs library.
The use-after-free condition is triggered when the browser attempts to access memory that has already been freed.
The attacker leverages the use-after-free condition to corrupt memory and gain control of program execution.
The attacker injects and executes arbitrary code within the context of the browser process.
The attacker gains unauthorized access to sensitive data, such as cookies, credentials, or browsing history.
The attacker potentially escalates privileges or installs malware on the user’s system.

Impact

Successful exploitation of CVE-2026-7348 allows an attacker to execute arbitrary code within the context of the affected browser (Chrome or Edge). This can lead to sensitive information disclosure, such as credentials or browsing history. The attacker could potentially gain full control of the user’s system. Given the widespread use of Chromium-based browsers, a successful exploit could impact a significant number of users across various sectors.

Recommendation

Upgrade Google Chrome to the latest version that addresses this vulnerability; refer to Google Chrome Releases.
Ensure Microsoft Edge is updated to the latest version incorporating the Chromium security patch.
Deploy the Sigma rule “Detect Chromium Codecs Use-After-Free Exploit Attempt” to identify potential exploitation attempts via webserver logs.
Enable webserver logging to capture HTTP requests, which is required for the provided Sigma rule.

Chromium Use-After-Free Vulnerability in Cast (CVE-2026-7338)

hello@craftedsignal.io — Fri, 01 May 2026 02:21:27 +0000

CVE-2026-7338 is a critical use-after-free vulnerability residing within the Cast component of the Chromium browser engine. Google Chrome and Microsoft Edge (Chromium-based) are both affected by this flaw. While the provided source does not specify the exact vulnerable versions, it indicates that Microsoft Edge ingests Chromium, and thus is affected by vulnerabilities addressed in Chromium releases. Successful exploitation of this vulnerability could lead to arbitrary code execution in the context of the user running the browser. This poses a significant risk, as attackers could potentially gain control of the user’s system. Defenders should prioritize patching affected browsers.

Attack Chain

An attacker crafts a malicious webpage or injects malicious code into a legitimate website that utilizes the Cast functionality.
The victim visits the malicious website or interacts with the compromised legitimate website using an affected browser (Chrome or Edge).
The malicious webpage triggers the use-after-free vulnerability in the Cast component.
The vulnerability allows the attacker to access memory that has already been freed.
The attacker overwrites the freed memory with attacker-controlled data.
The attacker manipulates the memory layout to redirect program execution.
The browser attempts to execute code from the attacker-controlled memory location.
This results in arbitrary code execution within the context of the browser process.

Impact

Successful exploitation of CVE-2026-7338 allows an attacker to execute arbitrary code on a victim’s machine. This can lead to complete system compromise, data theft, installation of malware, or other malicious activities. Given the widespread use of Chromium-based browsers like Chrome and Edge, this vulnerability has the potential to impact a large number of users across various sectors. The severity is critical due to the potential for remote code execution.

Recommendation

Apply the latest security updates for Google Chrome to address CVE-2026-7338 as detailed in Google Chrome Releases.
Apply the latest security updates for Microsoft Edge (Chromium-based) to address CVE-2026-7338, ensuring the ingested Chromium version contains the fix.
Deploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts targeting the Cast component.
Enable enhanced browser security features, such as sandboxing and site isolation, to limit the impact of potential exploits.

Chromium Heap Buffer Overflow Vulnerability (CVE-2026-7353)

hello@craftedsignal.io — Fri, 01 May 2026 02:21:27 +0000

CVE-2026-7353 is a critical heap buffer overflow vulnerability residing within the Skia graphics library, a core component of the Chromium open-source project. This vulnerability impacts applications that utilize Chromium, including Google Chrome and Microsoft Edge. While the specific details of exploitation are not provided in this brief, the nature of a heap buffer overflow suggests a high potential for arbitrary code execution. Successful exploitation could allow an attacker to gain control of the affected browser process. Given the widespread use of Chromium-based browsers, this vulnerability poses a significant risk to a large user base. Defenders should prioritize patching and consider implementing mitigations to detect and prevent potential exploitation attempts.

Attack Chain

An attacker crafts a malicious web page or injects malicious content into a trusted website.
The victim visits the malicious web page or interacts with the injected content using a Chromium-based browser (Chrome or Edge).
The browser’s rendering engine, utilizing the Skia library, processes the malicious content, triggering the heap buffer overflow in Skia.
The overflow allows the attacker to overwrite adjacent memory regions in the heap.
By carefully crafting the overflowed data, the attacker can overwrite critical data structures within the browser process.
The attacker gains control of the execution flow by overwriting function pointers or other control data.
The attacker executes arbitrary code within the context of the browser process.
The attacker could then perform actions such as installing malware, stealing sensitive data, or further compromising the system.

Impact

Successful exploitation of CVE-2026-7353 allows for arbitrary code execution within the context of the affected browser process. This can lead to a complete compromise of the user’s browser session, potentially enabling the attacker to steal credentials, inject malicious code into other websites, or install malware on the victim’s system. Given the widespread use of Chrome and Edge, the potential impact is significant, affecting potentially millions of users.

Recommendation

Apply the latest security updates for Google Chrome and Microsoft Edge to patch CVE-2026-7353.
Deploy the following Sigma rule to detect potential exploitation attempts based on suspicious process execution originating from the browser (see “Detect Suspicious Process Creation from Browser”).
Enable enhanced browser security features such as site isolation to mitigate the impact of successful exploitation.

Compromised PyTorch Lightning Packages on PyPI Steal Developer Credentials

hello@craftedsignal.io — Fri, 01 May 2026 00:45:31 +0000

On April 30, 2026, two malicious versions (2.6.2 and 2.6.3) of the widely used pytorch-lightning package were published to the PyPI registry after the publisher account was compromised. These versions contain embedded malicious code designed to steal developer credentials and republish infected versions of repositories to which the stolen tokens have access. The attack is triggered upon importing the package, initiating a background process that silently harvests credentials from a wide array of services, including AWS, Azure, Google Cloud, and GitHub, as well as local environment variables and credential files. Version 2.6.3 was published just 13 minutes after 2.6.2, and was intended to evade detection.

Attack Chain

Attacker compromises the publisher account for the pytorch-lightning package on PyPI.
Attacker publishes malicious versions 2.6.2 and 2.6.3 to PyPI.
A modified __init__.py file within the package initiates a background process upon import.
The background process executes silently, without any visible output or indication of compromise to the user.
The malicious package downloads a runtime (Bun) from GitHub.
The package executes a large, obfuscated JavaScript file, targeting AWS, Azure, Google Cloud, GitHub, and local credential stores.
Stolen credentials, including cloud provider keys, API tokens, and secrets, are exfiltrated to attacker-controlled infrastructure.
The malware attempts to download and execute a second-stage payload from attacker-controlled infrastructure, expanding the scope of the attack.

Impact

Organizations that downloaded and used versions 2.6.2 or 2.6.3 of the pytorch-lightning package are at high risk of compromise. The malicious package is designed to steal a wide range of credentials, including cloud provider keys, API tokens, and secrets stored in environment variables. This can lead to unauthorized access to sensitive data and systems, potentially resulting in data breaches, financial losses, and reputational damage. The malware’s ability to download and execute secondary payloads further increases the potential impact.

Recommendation

Immediately remove versions 2.6.2 and 2.6.3 of the lightning package from all systems where they are installed (see overview).
Audit systems for unauthorized processes and review outbound network connections to detect potential compromises (see overview).
Rotate all cloud provider keys (AWS, Azure, GCP), API tokens (GitHub, CI/CD systems), and secrets stored in environment variables to prevent further unauthorized access (see Attack Chain).
Implement the Detect Suspicious PyPI Package Installation Sigma rule to identify potential malicious packages being installed in the future (see rules).
Implement the Detect Credential Harvesting via Bun Sigma rule to catch execution of the malicious JavaScript payload (see rules).
Pin dependencies to known-good versions and verify package integrity before use to prevent future supply chain attacks (see references).

UTT HiPER 1200GW Buffer Overflow Vulnerability

hello@craftedsignal.io — Fri, 01 May 2026 00:16:25 +0000

A buffer overflow vulnerability has been identified in UTT HiPER 1200GW devices with firmware versions up to 2.5.3-170306. The flaw resides within the strcpy function of the /goform/formRemoteControl file, which handles remote control functionalities. A remote attacker can exploit this vulnerability by sending a specially crafted request to trigger the buffer overflow, potentially leading to arbitrary code execution on the affected device. Publicly available exploit code exists, increasing the risk of exploitation. This vulnerability poses a significant threat to organizations using the affected UTT HiPER 1200GW devices, as it could allow attackers to gain unauthorized access and control over the device and potentially the network it is connected to.

Attack Chain

Attacker identifies a vulnerable UTT HiPER 1200GW device exposed to the internet.
Attacker crafts a malicious HTTP request targeting the /goform/formRemoteControl endpoint.
The malicious request includes a payload designed to overflow the buffer when processed by the strcpy function.
The vulnerable strcpy function within /goform/formRemoteControl copies the attacker-controlled data without proper bounds checking.
The buffer overflow overwrites adjacent memory regions, potentially including critical program data or execution pointers.
The attacker leverages the overflow to inject and execute arbitrary code on the device.
The attacker gains control of the device, potentially escalating privileges.
The attacker uses the compromised device to pivot to other systems on the network, exfiltrate sensitive data, or cause further damage.

Impact

Successful exploitation of this vulnerability could lead to complete compromise of the affected UTT HiPER 1200GW device. Attackers could gain unauthorized access to sensitive data, disrupt device functionality, or use the device as a foothold for further attacks within the network. Given that public exploits are available, the risk of widespread exploitation is high. While the exact number of affected devices is unknown, organizations using UTT HiPER 1200GW devices should take immediate action to mitigate this vulnerability.

Recommendation

Apply available patches or firmware updates from UTT to address the buffer overflow vulnerability in UTT HiPER 1200GW devices.
Monitor network traffic for suspicious requests targeting the /goform/formRemoteControl endpoint, and deploy the Sigma rule Detect Suspicious Requests to FormRemoteControl to identify potentially malicious activity.
Implement input validation and sanitization measures to prevent buffer overflows in web applications.
Consider network segmentation to limit the impact of a compromised device on other systems within the network.
Review and restrict access to the device’s web interface to only authorized personnel.

HKUDS OpenHarness Remote Code Execution via /bridge Slash Command (CVE-2026-7551)

hello@craftedsignal.io — Thu, 30 Apr 2026 22:17:40 +0000

HKUDS OpenHarness is vulnerable to a remote code execution flaw (CVE-2026-7551) affecting the /bridge slash command. This vulnerability permits remote attackers, who are authorized by the OpenHarness configuration, to execute arbitrary operating system commands on the host system. The attack leverages the /bridge spawn command, which, when supplied with attacker-controlled command text, is processed by the bridge session manager and executed through a shared shell subprocess. This execution context grants attackers the ability to spawn shell sessions with the privileges of the OpenHarness process user, potentially exposing local files, credentials, workspace state, and repository contents. Successful exploitation results in a complete compromise of the OpenHarness instance.

Attack Chain

Attacker identifies an accessible OpenHarness instance with the vulnerable /bridge slash command enabled.
The attacker authenticates or gains access to a communication channel (e.g., chat application) accepted by OpenHarness.
The attacker crafts a malicious /bridge spawn command containing OS commands to be executed.
The attacker sends the crafted /bridge spawn command to the OpenHarness instance via the configured communication channel.
OpenHarness processes the /bridge command and forwards the attacker-controlled command text to the bridge session manager.
The bridge session manager executes the injected OS commands through a shared shell subprocess.
The attacker gains a shell session with the privileges of the OpenHarness process user.
The attacker accesses local files, credentials, workspace state, and repository contents, potentially exfiltrating sensitive data or establishing persistence.

Impact

Successful exploitation of CVE-2026-7551 allows attackers to execute arbitrary operating system commands on the OpenHarness server. This grants them the ability to spawn shell sessions as the OpenHarness process user, which can lead to the exposure of sensitive information such as local files, credentials, workspace state, and repository contents. The impact of this vulnerability is significant, potentially allowing for complete system compromise and data exfiltration, but the exact number of victims is currently unknown.

Recommendation

Apply available patches or updates provided by HKUDS to address CVE-2026-7551 on all OpenHarness instances.
Implement input validation and sanitization on the /bridge slash command to prevent the injection of malicious OS commands.
Monitor process creation events for suspicious shell executions originating from the OpenHarness process using the provided Sigma rule.
Restrict network access to the OpenHarness server to only authorized users and systems.
Review OpenHarness configurations to ensure that only trusted communication channels are accepted.

IBM Turbonomic prometurbo Agent Privilege Escalation via Excessive Permissions (CVE-2026-6389)

hello@craftedsignal.io — Thu, 30 Apr 2026 22:16:26 +0000

CVE-2026-6389 affects IBM Turbonomic prometurbo agent versions 8.16.0 through 8.17.6. The vulnerability stems from the agent granting excessive cluster-wide permissions within IBM Turbonomic Application Resource Management. A successful exploit allows an attacker who has compromised the operator or its associated service account to gain unrestricted read access to all secrets within the cluster. This vulnerability was reported on April 30, 2026, and poses a significant risk to organizations using the affected versions, potentially leading to complete cluster compromise. Defenders should prioritize patching and monitoring for unauthorized access to sensitive resources.

Attack Chain

Attacker gains initial access to the Kubernetes cluster, potentially through exploiting a vulnerability in a separate application or service running within the cluster, or via compromised credentials.
The attacker identifies the IBM Turbonomic prometurbo agent and its associated service account within the compromised cluster.
The attacker leverages the compromised service account or operator to interact with the Kubernetes API, exploiting the excessive cluster-wide permissions granted to the prometurbo agent.
The attacker utilizes the unrestricted read access to enumerate and exfiltrate sensitive credentials stored as secrets within the cluster, including database passwords, API keys, and other sensitive information.
Using the stolen credentials, the attacker escalates privileges by accessing other services and resources within the cluster, such as deploying malicious pods or modifying existing deployments.
The attacker achieves persistence by creating or modifying service accounts, roles, and role bindings to maintain access to the cluster even if the initial point of compromise is remediated.
The attacker moves laterally within the cluster, compromising additional nodes and workloads to expand their control and access to sensitive data.
The attacker achieves full cluster compromise, gaining complete control over all resources and data within the Kubernetes environment.

Impact

A successful exploitation of CVE-2026-6389 can lead to a full compromise of the Kubernetes cluster. This includes unrestricted access to sensitive data and the ability to control all workloads and resources within the environment. The impact includes potential data breaches, service disruptions, and significant financial and reputational damage. Organizations in any sector using the affected versions of IBM Turbonomic are at risk, and the severity is heightened in environments handling sensitive data or critical infrastructure.

Recommendation

Upgrade IBM Turbonomic prometurbo agent to a version beyond 8.17.6 to patch CVE-2026-6389.
Review and restrict the permissions granted to the prometurbo agent service account, adhering to the principle of least privilege (reference: CVE-2026-6389).
Implement Kubernetes audit logging to monitor for unauthorized access to secrets and other sensitive resources (reference: Kubernetes documentation).
Deploy the Sigma rule “Detect Kubernetes Secret Access via Turbonomic Agent” to identify potential exploitation attempts (reference: Sigma rule below).
Monitor for unusual activity originating from the prometurbo agent service account, such as attempts to access or exfiltrate large amounts of data (reference: network_connection log source).
Implement network segmentation to limit the potential impact of a compromised cluster, preventing lateral movement to other environments.

IBM Langflow Desktop Vulnerable to Remote Command Execution (CVE-2026-6543)

hello@craftedsignal.io — Thu, 30 Apr 2026 22:16:26 +0000

IBM Langflow Desktop, a tool designed to build and experiment with language models, versions 1.0.0 through 1.8.4, contains a remote command execution vulnerability (CVE-2026-6543). An attacker with the ability to influence Langflow’s execution can inject and execute arbitrary commands with the same privileges as the Langflow process. This flaw can be exploited to read sensitive environment variables containing API keys and database credentials, modify critical files, and propagate further attacks within the internal network. The vulnerability poses a significant risk to organizations utilizing affected versions of Langflow Desktop, potentially leading to data breaches and system compromise. Defenders should prioritize patching or implementing mitigations to prevent exploitation.

Attack Chain

Attacker gains initial access to a system with Langflow Desktop installed (versions 1.0.0 - 1.8.4). This could be achieved through social engineering or by compromising a user account with access to the system.
The attacker crafts a malicious input or payload designed to exploit the command execution vulnerability within Langflow.
The attacker triggers Langflow to process the malicious payload, leveraging the vulnerability to inject and execute arbitrary commands.
The injected command executes with the privileges of the Langflow process, allowing the attacker to interact with the underlying operating system.
The attacker leverages command execution to read sensitive environment variables, potentially obtaining API keys, database credentials, or other sensitive information.
The attacker uses the acquired credentials to access sensitive data or systems within the internal network, escalating their privileges and expanding their reach.
The attacker modifies critical files or installs malicious software, establishing persistence and compromising the integrity of the system.
The attacker launches further attacks on the internal network, leveraging the compromised system as a pivot point to compromise additional systems and data.

Impact

Successful exploitation of CVE-2026-6543 allows attackers to execute arbitrary commands on systems running vulnerable versions of IBM Langflow Desktop. This can lead to the exposure of sensitive environment variables containing API keys and database credentials, the modification of critical files, and the launching of further attacks on the internal network. The impact can range from data breaches and system compromise to complete control over affected systems and networks. Given the nature of Langflow, targeted sectors likely include organizations involved in AI/ML development and related fields.

Recommendation

Upgrade IBM Langflow Desktop to a patched version beyond 1.8.4 to remediate CVE-2026-6543, as recommended by IBM.
Deploy the Sigma rule “Detect Langflow Process Spawning Suspicious Processes” to identify potential exploitation attempts based on unusual child processes spawned by Langflow.
Monitor network connections from Langflow Desktop instances for suspicious outbound traffic, indicating potential data exfiltration or command-and-control activity.
Implement least privilege principles to limit the impact of successful exploitation by restricting the permissions of the Langflow process.

code-projects Plugin 4.1.2cu.5137 Buffer Overflow Vulnerability

hello@craftedsignal.io — Thu, 30 Apr 2026 22:16:26 +0000

A critical buffer overflow vulnerability, identified as CVE-2026-7503, has been discovered in code-projects Plugin version 4.1.2cu.5137. The vulnerability resides within the setWiFiMultipleConfig function in the /lib/cste_modules/wireless.so library, which is part of the /cgi-bin/cstecgi.cgi executable. Successful exploitation is achieved through manipulation of the wepkey2 argument, allowing for remote code execution. The vulnerability is considered highly critical due to the availability of a public exploit, increasing the likelihood of widespread exploitation and potential compromise of affected systems. This poses a significant threat to devices utilizing the vulnerable plugin version.

Attack Chain

Attacker identifies a system running code-projects Plugin 4.1.2cu.5137.
The attacker crafts a malicious HTTP request targeting the /cgi-bin/cstecgi.cgi endpoint.
The request includes a specially crafted payload for the wepkey2 argument within the setWiFiMultipleConfig function.
The vulnerable function setWiFiMultipleConfig processes the malicious input without proper bounds checking.
The oversized wepkey2 argument overflows the buffer, overwriting adjacent memory regions.
The attacker injects malicious code into the memory space via the buffer overflow.
The injected code executes, granting the attacker control over the affected system.

Impact

Successful exploitation of CVE-2026-7503 can lead to complete system compromise, allowing attackers to execute arbitrary code, steal sensitive information, or cause denial-of-service conditions. Due to the ready availability of an exploit, any system running the vulnerable code-projects plugin version 4.1.2cu.5137 is at immediate risk. The lack of specific victim numbers or sector targeting information in the provided source does not diminish the critical nature of the vulnerability given the high CVSS score (8.8) and public exploit.

Recommendation

Deploy the Sigma rule “Detect Code-Projects WiFi Configuration Buffer Overflow Attempt” to your SIEM to detect exploitation attempts targeting the vulnerable setWiFiMultipleConfig function and monitor web server logs (cs-uri-query).
Apply input validation and sanitization to prevent buffer overflows. This issue occurs within the /lib/cste_modules/wireless.so library called by /cgi-bin/cstecgi.cgi.
Monitor network traffic for suspicious requests targeting the /cgi-bin/cstecgi.cgi endpoint, as this is the entry point for exploiting CVE-2026-7503.

SSCMS v7.4.0 SQL Injection Vulnerability in stl:sqlContent Tag

hello@craftedsignal.io — Thu, 30 Apr 2026 21:16:34 +0000

SSCMS v7.4.0 is susceptible to a SQL injection vulnerability (CVE-2026-7435) within the stl:sqlContent tag. The vulnerability arises because the queryString attribute is passed directly to database execution without adequate sanitization or parameterization. This flaw enables attackers to inject malicious SQL code by crafting encrypted payloads and submitting them to the /api/stl/actions/dynamic endpoint. Successful exploitation can lead to unauthorized access to the database, disclosure of sensitive information, authentication bypass, modification of data, or even complete compromise of the database. This vulnerability poses a significant risk to organizations using the affected SSCMS version, potentially leading to severe data breaches and system disruption.

Attack Chain

The attacker identifies an SSCMS v7.4.0 instance.
The attacker crafts a malicious SQL injection payload, specifically targeting the queryString attribute within the stl:sqlContent tag.
The attacker encrypts the crafted SQL injection payload.
The attacker sends the encrypted payload to the /api/stl/actions/dynamic endpoint using an HTTP POST request.
The SSCMS application receives the request and processes the stl:sqlContent tag without proper sanitization.
The application executes the attacker-controlled SQL query against the database.
The attacker gains unauthorized access to the database, potentially extracting sensitive data or modifying existing records.
The attacker may escalate privileges or move laterally within the compromised system, depending on the level of access gained.

Impact

Successful exploitation of this SQL injection vulnerability could lead to severe consequences. An attacker could gain complete control over the SSCMS database, potentially exposing sensitive user data, confidential business information, or proprietary intellectual property. Data breaches resulting from this vulnerability could lead to significant financial losses, reputational damage, and legal liabilities. The lack of specifics about victim count or sectors targeted makes quantification difficult, but the potential impact is high for any organization using the affected software.

Recommendation

Apply any available patches or updates for SSCMS v7.4.0 to address the SQL injection vulnerability described in CVE-2026-7435.
Implement input validation and sanitization measures to prevent SQL injection attacks, specifically focusing on the queryString attribute of the stl:sqlContent tag.
Deploy the Sigma rule Detect Suspicious SSCMS stl:sqlContent Requests to identify potential exploitation attempts targeting the /api/stl/actions/dynamic endpoint.

Synway SMG Gateway Management Software Unauthenticated OS Command Injection

hello@craftedsignal.io — Thu, 30 Apr 2026 17:16:25 +0000

Synway SMG Gateway Management Software is susceptible to an OS command injection vulnerability (CVE-2025-71284) within the RADIUS configuration endpoint. An unauthenticated remote attacker can exploit this flaw by sending a specially crafted POST request to /en/9-2radius.php. The vulnerability lies in the improper sanitization of the radius_address POST parameter, which is directly incorporated into a sed command. The Shadowserver Foundation observed the first exploitation evidence on 2025-07-11 (UTC). Successful exploitation allows the attacker to execute arbitrary shell commands on the affected system, potentially compromising the entire gateway. This vulnerability poses a significant risk to organizations using the Synway SMG Gateway, as it enables unauthenticated remote code execution.

Attack Chain

An unauthenticated attacker identifies a Synway SMG Gateway Management Software instance exposed to the network.
The attacker crafts a malicious POST request targeting the /en/9-2radius.php endpoint.
The POST request includes parameters such as radius_address, radius_address2, shared_secret2, source_ip, timeout, or retry along with save=1 and enable_radius=1.
The radius_address parameter contains an OS command injection payload.
The application improperly sanitizes the radius_address parameter and incorporates it into a sed command.
The injected command is executed by the operating system, granting the attacker arbitrary code execution privileges.
The attacker establishes a reverse shell to maintain persistence and expand their foothold.
The attacker pivots within the network, gaining access to sensitive data or systems, and potentially establishing a long-term presence.

Impact

Successful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary commands on the Synway SMG Gateway. This could lead to complete system compromise, data theft, disruption of services, and further propagation of attacks within the network. Given the high CVSS score (9.8), this vulnerability represents a critical threat. The number of affected systems and organizations is currently unknown.

Recommendation

Deploy the Sigma rule “Synway SMG Gateway Radius Command Injection Attempt” to your SIEM to detect exploitation attempts based on suspicious POST requests to the vulnerable endpoint.
Apply input validation and sanitization to the radius_address, radius_address2, shared_secret2, source_ip, timeout, and retry parameters in the RADIUS configuration endpoint.
Monitor web server logs for POST requests to /en/9-2radius.php containing suspicious characters or command sequences indicative of command injection attacks to activate the “Synway SMG Gateway Radius Command Injection Attempt” rule.

Mini Shai-Hulud Supply Chain Attack Targets SAP NPM Packages

hello@craftedsignal.io — Thu, 30 Apr 2026 14:27:36 +0000

The Mini Shai-Hulud campaign, active as of April 2026, targets SAP NPM packages used in the SAP Cloud Application Programming (CAP) ecosystem and SAP cloud deployment workflows. Four package versions were compromised: mbt 1.2.48, @cap-js/db-service 2.10.1, @cap-js/postgres 2.2.2, and @cap-js/sqlite 2.2.2. These packages, with over 500,000 combined weekly downloads, are essential for SAP’s Cloud MTA Build Tool and database services for CAP software. The attackers injected a preinstall script that fetches and executes a Bun binary, bypassing security monitoring. The malicious versions were available for a short window of 2-4 hours before being unpublished and superseded by clean versions. Wiz attributes this activity to TeamPCP due to a shared RSA public key used to encrypt the exfiltrated secrets.

Attack Chain

The attacker compromises an NPM token, possibly exposed through CircleCI.
The attacker injects a malicious preinstall script into the targeted SAP NPM packages (mbt, @cap-js/db-service, @cap-js/postgres, @cap-js/sqlite).
When a user installs the compromised package, the preinstall script executes.
The script fetches a Bun ZIP archive from a GitHub repository.
The script extracts the Bun archive and executes the included Bun binary.
The Bun binary steals local credentials, GitHub and NPM tokens, AWS, Azure, GCP, GitHub Action, and Kubernetes secrets.
The stolen data is exfiltrated to public GitHub repositories with the description “A Mini Shai-Hulud has Appeared”.
The malware propagates by modifying package tarballs, updating versions, repackaging them, and publishing them using stolen GitHub Actions tokens.

Impact

The Mini Shai-Hulud attack poses a significant threat to developers and organizations using SAP CAP, a framework for S/4HANA extensions, Fiori app backends, MTAs, and integration flows. With over 500,000 weekly downloads of the affected packages, a large number of systems could have been affected. Successful exploitation allows attackers to steal sensitive credentials and cloud secrets, potentially leading to unauthorized access to critical SAP systems, cloud infrastructure, and source code repositories. This access could be used for further malicious activities, including data breaches, financial fraud, and supply chain compromise.

Recommendation

Organizations using SAP Business Technology Platform workflows, SAP CAP, or MTA-based deployment pipelines should immediately check if they installed the malicious package versions (mbt 1.2.48, @cap-js/db-service 2.10.1, @cap-js/postgres 2.2.2, @cap-js/sqlite 2.2.2) during the exposure window.
Implement network monitoring rules to detect connections to unusual GitHub repositories created to host stolen data. Monitor for repositories with the description “A Mini Shai-Hulud has Appeared”.
Monitor process execution for the execution of bun binaries in unusual or unexpected locations to identify systems where compromised packages were installed. Deploy the Sigma rule Detect Bun Execution From NPM Package to detect this behavior.

Local Privilege Escalation Vulnerability 'Copy Fail' in Linux Kernel

hello@craftedsignal.io — Thu, 30 Apr 2026 13:54:47 +0000

A local privilege escalation vulnerability, “Copy Fail” (CVE-2026-31431), impacts Linux kernels released since 2017. Discovered by Theori’s AI-driven pentesting platform Xint Code, the vulnerability allows an unprivileged local attacker to gain root permissions. Theori reported the finding to the Linux kernel security team on March 23, 2026, and patches became available within a week. A proof-of-concept exploit was published, demonstrating a 732-byte script that can root every Linux distribution shipped since 2017. This vulnerability stems from a logic bug in the Linux kernel’s authencesn cryptographic template. Theori demonstrated successful exploits on Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, and SUSE 16.

Attack Chain

An unprivileged local attacker gains access to a vulnerable Linux system.
The attacker utilizes the AF_ALG socket-based interface to access Linux kernel crypto functions from user space.
The attacker uses the splice() system call to perform a controlled 4-byte write in the page cache of a readable file, instead of a normal buffer.
The attacker targets a setuid-root binary file for modification.
The 4-byte write alters the behavior of the setuid-root binary.
The attacker executes the modified setuid-root binary.
Due to the altered behavior, the binary grants the attacker elevated privileges.
The attacker gains root privileges on the system.

Impact

Successful exploitation of the Copy Fail vulnerability (CVE-2026-31431) allows an unprivileged local attacker to gain root privileges on a vulnerable Linux system. Theori demonstrated and confirmed the exploit on Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, and SUSE 16, highlighting the widespread impact. Multi-tenant Linux hosts, Kubernetes/container clusters, CI runners/build farms, and cloud SaaS environments running user code are at high risk.

Recommendation

Apply available kernel patches for CVE-2026-31431 on affected Linux distributions, prioritizing multi-tenant environments (e.g., Ubuntu 24.04 LTS, Amazon Linux 2023, RHEL 10.1, SUSE 16).
As an interim mitigation, disable the vulnerable crypto interface by blocking AF_ALG socket creation or disabling the algif_aead module, as described in the overview.
Monitor for the execution of unusual processes after the modification of binaries in /tmp or /var/tmp using the Sigma rule “Detect Suspicious Splice Usage for Privilege Escalation”.
Deploy the Sigma rule “Detect algif_aead module removal” to detect attempts to disable the vulnerable module.

Critical Authentication Bypass Vulnerability in cPanel & WHM (CVE-2026-41940)

hello@craftedsignal.io — Thu, 30 Apr 2026 12:16:14 +0000

A critical authentication bypass vulnerability, CVE-2026-41940, affects all versions of cPanel & WHM. This vulnerability allows unauthenticated remote attackers to gain administrative access to affected systems due to improper handling of session data. Public technical analyses and proof-of-concept code are available, significantly lowering the barrier to exploitation. There are indications that the vulnerability has been actively exploited in the wild, potentially as a zero-day. cPanel & WHM is commonly exposed to the internet and manages hosting environments, making it an attractive target for attackers seeking control over hosting infrastructures and numerous websites.

Attack Chain

An unauthenticated attacker identifies a cPanel & WHM server exposed to the internet.
The attacker crafts a malicious HTTP request targeting the cPanel & WHM login endpoint.
The crafted request manipulates session creation and processing by injecting controlled data into the session files.
This injected data alters authentication-related attributes within the session, bypassing the normal authentication flow.
The attacker successfully establishes a session that is treated as fully authenticated without providing valid credentials.
With administrative privileges, the attacker gains full control over the cPanel server.
The attacker accesses hosted websites and databases, potentially compromising sensitive data.
The attacker establishes persistence through backdoors or additional user accounts, ensuring continued access to the compromised system.

Impact

Successful exploitation of CVE-2026-41940 allows attackers to gain complete control over cPanel & WHM servers. This can lead to the compromise of hosted websites, databases, and sensitive customer data. Given the central role of cPanel in hosting environments, this vulnerability can result in large-scale compromise affecting multiple customers and services. The widespread use of cPanel & WHM makes this a high-impact vulnerability.

Recommendation

Apply the security patch provided by cPanel to address CVE-2026-41940 immediately after thorough testing to prevent exploitation.
Implement increased monitoring and detection capabilities to identify suspicious activity related to CVE-2026-41940 as recommended by CCB.
Review web server logs for unusual patterns or requests targeting cPanel login endpoints to detect potential exploitation attempts. Create a Sigma rule based on webserver logs.
Monitor for unauthorized changes to user accounts or the creation of new administrative accounts on cPanel servers. Create a Sigma rule based on process creation logs.

ABB Edgenius Management Portal Authentication Bypass Vulnerability

hello@craftedsignal.io — Thu, 30 Apr 2026 12:00:00 +0000

ABB Edgenius Management Portal versions 3.2.0.0 and 3.2.1.1 are vulnerable to an authentication bypass (CVE-2025-10571). An attacker who has gained network access to a vulnerable Edgenius deployment can send a specially crafted message to the system node, bypassing authentication controls. Successful exploitation allows an attacker to install and run arbitrary code, uninstall applications, and modify the configuration of installed applications. ABB reported this vulnerability to CISA. ABB has released version 3.2.2.0 to address the vulnerability. As a mitigation, ABB advises customers to disable the Edgenius Management Portal until the upgrade can be applied.

Attack Chain

The attacker gains access to the network where the Edgenius Management Portal is deployed.
The attacker identifies a vulnerable ABB Edgenius Management Portal instance (versions 3.2.0.0 or 3.2.1.1).
The attacker crafts a malicious message designed to exploit the authentication bypass vulnerability (CVE-2025-10571).
The attacker sends the specially crafted message to the system node of the Edgenius Management Portal.
The vulnerable Edgenius Management Portal improperly processes the crafted message, bypassing authentication.
The attacker leverages the bypassed authentication to install and execute arbitrary code on the system.
The attacker uninstalls applications, further compromising the system’s functionality.
The attacker modifies the configuration of installed applications to maintain persistence and control.

Impact

Successful exploitation of this vulnerability allows an attacker to gain full control over the ABB Edgenius Management Portal. The attacker can install malicious software, uninstall critical applications, and modify configurations, leading to significant disruption of industrial processes, data theft, or further lateral movement within the OT network. Affected sectors include critical manufacturing and information technology, with deployments worldwide.

Recommendation

Upgrade to ABB Ability Edgenius version 3.2.2.0 to remediate CVE-2025-10571, as this version contains the vendor fix.
Until the upgrade is applied, disable the Edgenius Management Portal to mitigate the vulnerability as recommended by ABB.
Minimize network exposure for all control system devices by ensuring they are not accessible from the internet, as suggested by CISA.
Locate control system networks and remote devices behind firewalls, isolating them from business networks per CISA recommendations.
Implement the Sigma rule “Detect ABB Edgenius Management Portal Exploitation Attempt” to identify potential exploitation attempts based on network traffic patterns.

ABB Ability Symphony Plus Engineering Vulnerabilities Allow Remote Code Execution

hello@craftedsignal.io — Thu, 30 Apr 2026 12:00:00 +0000

ABB Ability Symphony Plus Engineering versions 2.2 through 2.4 SP2 are susceptible to multiple vulnerabilities originating in the included PostgreSQL database. An attacker gaining access to the S+ Client Server network could exploit CVE-2023-5869 (Integer Overflow), CVE-2023-39417 (SQL Injection), and CVE-2024-7348 (TOCTOU race condition) to execute arbitrary code and potentially compromise the entire ABB system. This poses a significant risk to organizations in critical infrastructure sectors, including Chemical, Critical Manufacturing, Energy, and Water/Wastewater, as these systems are vital for operational control and safety. Successful exploitation could result in loss of control, data breaches, or disruption of essential services. ABB released S+ Engineering 2.4 SP2 RU1 in December 2024 as a fix.

Attack Chain

Attacker gains initial access to the target network, specifically the S+ Client Server network, possibly through existing vulnerabilities or misconfigurations.
Attacker authenticates to the PostgreSQL database server used by ABB Ability Symphony Plus Engineering.
Attacker exploits CVE-2023-5869 by providing crafted data to trigger an integer overflow, enabling arbitrary code execution.
Alternatively, the attacker exploits CVE-2023-39417 by injecting malicious SQL code through extension scripts, leading to arbitrary code execution with administrator privileges.
Alternatively, the attacker exploits CVE-2024-7348, leveraging a TOCTOU race condition to execute arbitrary SQL functions with elevated privileges using a PostgreSQL utility.
The attacker executes arbitrary code within the context of the compromised ABB Ability Symphony Plus Engineering application or the underlying PostgreSQL database.
The attacker leverages the compromised system to move laterally within the OT network, potentially targeting other critical systems or data repositories.
Attacker achieves complete compromise of the ABB Ability Symphony Plus Engineering system, allowing manipulation of industrial processes, data exfiltration, or denial of service.

Impact

Successful exploitation of these vulnerabilities in ABB Ability Symphony Plus Engineering can have severe consequences, particularly in critical infrastructure sectors. Affected sectors include chemical, critical manufacturing, energy, and water/wastewater facilities worldwide. A compromised system could allow attackers to manipulate industrial processes, leading to equipment damage, environmental incidents, or disruption of essential services like power generation or water treatment. The vulnerabilities could allow attackers to gain unauthorized access to sensitive data, intellectual property, or control systems, resulting in significant financial losses, reputational damage, and potential safety risks.

Recommendation

Immediately upgrade ABB Ability Symphony Plus Engineering to version 2.4 SP2 RU1 (re-leased in December 2024) or later, as recommended by ABB, to address the identified vulnerabilities (Vendor fix).
Review and enforce network segmentation and firewall configurations to restrict access to the S+ client/server network, mitigating the risk of external attackers exploiting these vulnerabilities (Mitigation).
Monitor network traffic for suspicious activity indicative of PostgreSQL exploitation attempts. Deploy the Sigma rule Detect Suspicious PostgreSQL Utility Execution to identify potential exploitation of CVE-2024-7348.
Enable logging of PostgreSQL queries and analyze logs for SQL injection attempts, specifically looking for suspicious use of extension scripts. Deploy the Sigma rule Detect SQL Injection in PostgreSQL Logs to identify potential exploitation of CVE-2023-39417.

Multiple Vulnerabilities in FreeBSD OS Allow Privilege Escalation and Arbitrary Code Execution

hello@craftedsignal.io — Thu, 30 Apr 2026 11:09:06 +0000

FreeBSD OS is susceptible to multiple vulnerabilities that could allow a remote attacker to compromise the system. These vulnerabilities can be exploited to gain elevated privileges, including superuser rights, execute arbitrary code with administrative privileges, manipulate sensitive data, disclose confidential information, or cause a denial-of-service condition. The specific nature of these vulnerabilities is not disclosed, but the potential impact is severe, making patching and monitoring critical. This poses a significant risk to organizations relying on FreeBSD for critical infrastructure components, potentially leading to data breaches, system outages, and reputational damage.

Attack Chain

An attacker identifies a vulnerable FreeBSD system exposed to a network.
The attacker exploits a vulnerability to gain initial access.
The attacker leverages a privilege escalation vulnerability to gain root privileges.
The attacker executes arbitrary code with elevated privileges.
The attacker installs a backdoor for persistent access.
The attacker manipulates system data to compromise integrity.
The attacker exfiltrates sensitive information from the compromised system.
The attacker causes a denial-of-service condition, disrupting services.

Impact

Successful exploitation of these vulnerabilities can lead to a complete compromise of FreeBSD systems. This could result in data breaches, system outages, and unauthorized access to sensitive information. The absence of specific victim counts or sector targeting details in the source material suggests a broad potential impact across various industries and organizations utilizing FreeBSD. The ultimate consequence is a loss of confidentiality, integrity, and availability of affected systems and data.

Recommendation

Deploy the Sigma rules provided to your SIEM to detect exploitation attempts.
Monitor system logs for suspicious activity indicative of compromise (related to privilege escalation, unauthorized code execution).
Apply available patches and updates to FreeBSD OS as soon as they are released to remediate known vulnerabilities.

Multiple Vulnerabilities in CUPS

hello@craftedsignal.io — Thu, 30 Apr 2026 09:43:58 +0000

Multiple vulnerabilities have been identified in CUPS, a popular open-source printing system. These vulnerabilities can be exploited by an attacker to bypass security measures, execute arbitrary code, escalate privileges, manipulate data, or cause a denial-of-service (DoS) condition. The specifics of the vulnerabilities are not detailed in the source document, but the potential impact suggests a high level of risk. Defenders should monitor CUPS deployments for suspicious activity.

Attack Chain

Attacker gains initial access to a system with a vulnerable CUPS installation.
The attacker exploits a vulnerability in CUPS (specific CVE not identified) to bypass authentication or authorization controls.
Leveraging the bypassed security measures, the attacker executes arbitrary code within the context of the CUPS service.
The attacker escalates privileges, potentially gaining root or system-level access, due to insecure configurations or further vulnerabilities within CUPS.
With elevated privileges, the attacker manipulates sensitive data related to print jobs, configurations, or user information.
Alternatively, the attacker triggers a denial-of-service condition, rendering the printing service unavailable by exploiting a resource exhaustion vulnerability.
The attacker leverages the compromised CUPS service as a pivot point to gain access to other systems on the network.
The final objective is to compromise sensitive data, disrupt printing services, or gain a foothold for further attacks within the network.

Impact

Successful exploitation of these CUPS vulnerabilities could lead to significant damage, including unauthorized access to sensitive documents, disruption of critical printing services, and potential compromise of other systems on the network. The lack of specific victim numbers or sector targeting in the source document suggests this is a general advisory.

Recommendation

Monitor CUPS server logs for unexpected process execution and privilege escalation attempts (enable process_creation logging and deploy the “Detect Suspicious CUPS Process Execution” Sigma rule).
Inspect CUPS configuration files for unauthorized modifications that could indicate malicious activity (enable file_event logging and deploy the “Detect Suspicious CUPS Configuration Modification” Sigma rule).
Analyze network traffic to and from CUPS servers for anomalous patterns that may indicate exploitation attempts or data exfiltration (enable network_connection logging).

GIMP Multiple Vulnerabilities Allow Remote Code Execution

hello@craftedsignal.io — Thu, 30 Apr 2026 09:18:57 +0000

Multiple vulnerabilities in GIMP allow a remote, anonymous attacker to execute arbitrary code on a vulnerable system. The specific vulnerabilities are not detailed in the advisory, but the potential impact is significant, as successful exploitation could allow an attacker to gain complete control over the affected system. This threat is relevant to organizations and individuals using GIMP in their environments. Defenders should focus on detecting anomalous process execution originating from GIMP or unexpected network connections initiated by the application.

Attack Chain

An attacker crafts a malicious image or file designed to exploit a vulnerability in GIMP.
The attacker delivers the malicious file to a target user, potentially through social engineering or a compromised website.
The target user opens the malicious file with GIMP.
GIMP parses the malicious file, triggering the unspecified vulnerability.
The vulnerability allows the attacker to execute arbitrary code within the context of the GIMP process.
The attacker leverages the initial code execution to escalate privileges or establish persistence on the system.
The attacker may then install malware, exfiltrate sensitive data, or perform other malicious activities.
The attacker achieves their objective, such as data theft, system compromise, or disruption of services.

Impact

Successful exploitation of these vulnerabilities can lead to arbitrary code execution, potentially granting an attacker complete control over the affected system. This could result in data theft, malware installation, system compromise, or disruption of services. The advisory does not specify the number of potential victims, but given the popularity of GIMP, the impact could be widespread.

Recommendation

Monitor process execution for unexpected child processes spawned by GIMP to detect potential exploitation attempts. Deploy the Sigma rule GIMP Suspicious Child Processes to your SIEM.
Monitor network connections originating from GIMP for connections to unusual or malicious domains. Deploy the Sigma rule GIMP Suspicious Network Connections to your SIEM.

Multiple Vulnerabilities in Wazuh Allow for Code Execution and Data Manipulation

hello@craftedsignal.io — Thu, 30 Apr 2026 09:09:10 +0000

Multiple vulnerabilities have been identified within Wazuh, a widely used security information and event management (SIEM) and extended detection and response (XDR) platform. While the specific CVEs and technical details remain undisclosed in this initial advisory, the potential impact is significant. A remote, unauthenticated attacker could exploit these vulnerabilities to achieve a range of malicious outcomes, including denial of service, arbitrary code execution, data manipulation, sensitive information disclosure, and the circumvention of security controls. The vulnerabilities affect Wazuh installations across Linux, Windows, and macOS environments. Due to the broad functionality of Wazuh in security monitoring and incident response, successful exploitation could lead to widespread compromise within targeted organizations.

Attack Chain

The attacker identifies a vulnerable Wazuh instance accessible over the network.
The attacker exploits a vulnerability to bypass authentication or authorization controls.
The attacker leverages an arbitrary code execution vulnerability to gain remote shell access to the Wazuh server.
The attacker escalates privileges to gain root or SYSTEM level access on the Wazuh server.
The attacker manipulates Wazuh configuration files to disable security alerts or modify monitoring rules.
The attacker injects malicious code into Wazuh agents to compromise endpoints managed by the platform.
The attacker uses the compromised Wazuh infrastructure to exfiltrate sensitive data collected by the platform.
The attacker launches denial-of-service attacks against monitored systems using compromised Wazuh agents.

Impact

Successful exploitation of these vulnerabilities could have severe consequences. An attacker could gain complete control over the Wazuh platform, disabling security monitoring, manipulating security data, and compromising monitored endpoints. This could lead to undetected data breaches, widespread malware infections, and significant disruption of IT operations. The lack of specific vulnerability information makes it difficult to assess the exact scope of impact, but the wide deployment of Wazuh in security-critical environments means that numerous organizations are potentially at risk.

Recommendation

Monitor Wazuh server process creation for unusual child processes that might indicate exploitation, using the “Wazuh Server Suspicious Process” Sigma rule.
Inspect Wazuh server logs for authentication bypass attempts and unauthorized configuration changes.
Block network connections originating from newly created Wazuh agent processes using the “Wazuh Agent Outbound Connection” Sigma rule, to prevent lateral movement.

CVE-2026-1005 Integer Underflow in AES-GCM/CCM/ARIA-GCM Decryption

hello@craftedsignal.io — Thu, 30 Apr 2026 07:46:18 +0000

CVE-2026-1005 describes an integer underflow vulnerability within a Microsoft product’s implementation of AES-GCM, CCM, and ARIA-GCM decryption algorithms. This flaw allows an attacker to trigger an out-of-bounds memory access. While the specific product affected is not detailed in the provided source, the vulnerability lies within the cryptographic functions used for data decryption, indicating a potential impact on confidentiality and integrity. Successful exploitation could allow an attacker to execute arbitrary code or disclose sensitive information. Given the widespread use of these encryption algorithms, this vulnerability poses a significant risk.

Attack Chain

Attacker identifies a system utilizing the vulnerable Microsoft product and its AES-GCM/CCM/ARIA-GCM decryption implementation.
Attacker crafts a malicious input designed to trigger the integer underflow during the decryption process.
The crafted input is sent to the vulnerable system for decryption. This could be via a network protocol, file processing, or other data ingestion method.
The vulnerable decryption routine processes the input, leading to an integer underflow.
The integer underflow results in an out-of-bounds memory access during the decryption operation.
This out-of-bounds memory access allows the attacker to read sensitive data from memory locations outside the intended buffer.
Alternatively, the attacker leverages the out-of-bounds write to overwrite critical data structures or executable code within the process’s memory space.
If code is overwritten, the attacker gains arbitrary code execution within the context of the vulnerable process.

Impact

Successful exploitation of CVE-2026-1005 could lead to unauthorized information disclosure, allowing attackers to steal sensitive data that was intended to be protected by encryption. In a more severe scenario, the vulnerability can be leveraged for arbitrary code execution, enabling attackers to gain control over the affected system. The lack of specific product information makes it difficult to quantify the exact number of potential victims, but the vulnerability’s presence in widely used cryptographic functions implies a broad impact across various sectors and applications.

Recommendation

Monitor for unexpected memory access patterns in processes performing AES-GCM/CCM/ARIA-GCM decryption, using a host-based intrusion detection system (HIDS).
Deploy the Sigma rule “Detect Potential Exploitation of CVE-2026-1005” to identify suspicious processes that might be exploiting the vulnerability.
Apply any available patches or updates released by Microsoft to address CVE-2026-1005 as soon as they are released.

Tenda 4G300 Stack-Based Buffer Overflow Vulnerability

hello@craftedsignal.io — Thu, 30 Apr 2026 03:16:01 +0000

A stack-based buffer overflow vulnerability has been identified in Tenda 4G300 routers, specifically version US_4G300V1.0Mt_V1.01.42_CN_TDC01. The vulnerability resides within the sub_427C3C function located in the /goform/SafeMacFilter file. An attacker can exploit this flaw by manipulating the page argument in a crafted request, leading to a buffer overflow and potentially allowing for arbitrary code execution on the affected device. The vulnerability, identified as CVE-2026-7470, poses a significant risk as remote exploitation is possible, and a proof-of-concept exploit is publicly available, increasing the likelihood of malicious actors leveraging this vulnerability.

Attack Chain

The attacker identifies a Tenda 4G300 router running the vulnerable firmware version US_4G300V1.0Mt_V1.01.42_CN_TDC01.
The attacker crafts a malicious HTTP POST request targeting the /goform/SafeMacFilter endpoint.
The crafted request includes the page argument with a payload exceeding the buffer size allocated for it within the sub_427C3C function.
The router processes the HTTP request, passing the oversized page argument to the vulnerable function.
The sub_427C3C function attempts to write the oversized data into a stack-based buffer, causing a buffer overflow.
The buffer overflow overwrites adjacent memory on the stack, including the return address.
The attacker redirects execution flow to a malicious code payload injected into the request or elsewhere in memory.
The injected code executes with the privileges of the router process, potentially allowing the attacker to gain full control of the device.

Impact

Successful exploitation of this vulnerability can lead to complete compromise of the Tenda 4G300 router. An attacker could gain unauthorized access to the device’s configuration, intercept network traffic, or use the router as a launching point for further attacks against other devices on the network or the internet. Given the widespread use of these routers in homes and small businesses, a successful attack could impact a large number of users.

Recommendation

Monitor web server logs for unusual POST requests to /goform/SafeMacFilter with abnormally long page parameters. Use the provided Sigma rule to detect suspicious activity.
Implement rate limiting on the /goform/SafeMacFilter endpoint to mitigate potential brute-force exploitation attempts.
Apply any available patches or firmware updates released by Tenda to address CVE-2026-7470.
Deploy the Sigma rules in this brief to your SIEM and tune for your environment.

Multiple Vulnerabilities in Red Hat Linux Kernel

hello@craftedsignal.io — Thu, 30 Apr 2026 00:00:00 +0000

On April 30, 2026, CERT-FR published an advisory regarding multiple vulnerabilities in the Red Hat Linux kernel. These vulnerabilities, detailed in Red Hat Security Advisories RHSA-2026:10756, RHSA-2026:10996, and RHSA-2026:11313, can lead to significant security risks including arbitrary code execution, privilege escalation, and remote denial of service. The affected systems include various versions and architectures of Red Hat CodeReady Linux Builder and Red Hat Enterprise Linux. Successful exploitation of these vulnerabilities could allow attackers to gain unauthorized access, control systems, or disrupt services, impacting the confidentiality, integrity, and availability of affected systems.

Attack Chain

Initial Compromise (via unconfirmed vector): An attacker identifies a vulnerable Red Hat Linux system running an affected kernel version. While the exact exploit vector isn’t specified in the advisory, it involves a vulnerability in the kernel.
Exploit Trigger: The attacker triggers a specific kernel vulnerability, such as those identified as CVE-2026-23001 or CVE-2026-31402, by sending a crafted input to a vulnerable kernel component. The specific method depends on the nature of each CVE.
Code Execution: Upon successful exploitation, the attacker achieves arbitrary code execution within the kernel context. This allows the attacker to run malicious code directly on the system.
Privilege Escalation: Leveraging the code execution capability, the attacker exploits another vulnerability (e.g., CVE-2025-68741) to escalate privileges to root or SYSTEM. This may involve exploiting race conditions, memory corruption bugs, or other privilege escalation flaws within the kernel.
System Control: With elevated privileges, the attacker gains full control over the compromised system. They can now access sensitive data, modify system configurations, install backdoors, or move laterally to other systems within the network.
Lateral Movement (Optional): The attacker uses the compromised system as a launching point to attack other systems on the network, potentially exploiting other vulnerabilities or using stolen credentials.
Persistence (Optional): The attacker establishes persistence on the compromised system to maintain access even after reboots. This may involve installing rootkits, modifying system startup scripts, or creating rogue user accounts.
Denial of Service/Data Exfiltration/etc.: Depending on their objectives, the attacker may use the compromised system to launch denial-of-service attacks against other targets, exfiltrate sensitive data, or cause other damage.

Impact

Successful exploitation of these kernel vulnerabilities can lead to complete system compromise, allowing attackers to execute arbitrary code, escalate privileges, and cause denial of service. The wide range of affected Red Hat Enterprise Linux and CodeReady Linux Builder versions implies a potentially large number of vulnerable systems. This can result in significant data breaches, system downtime, financial losses, and reputational damage for affected organizations.

Recommendation

Apply the patches provided in Red Hat Security Advisories RHSA-2026:10756, RHSA-2026:10996, and RHSA-2026:11313 to remediate the vulnerabilities.
Prioritize patching systems based on their criticality and exposure to external networks.
Monitor systems for suspicious activity that may indicate exploitation attempts, focusing on unexpected kernel module loads or privilege escalations using process_creation logging.
Deploy the Sigma rule detecting suspicious kernel module loading to identify potential rootkit installation attempts.
Investigate any alerts generated by the deployed Sigma rules to determine the scope and impact of potential compromises.

UTT HiPER 1250GW Buffer Overflow Vulnerability (CVE-2026-7420)

hello@craftedsignal.io — Wed, 29 Apr 2026 23:16:20 +0000

A critical buffer overflow vulnerability, CVE-2026-7420, has been identified in UTT HiPER 1250GW devices. The vulnerability exists in versions up to 3.2.7-210907-180535. The vulnerability lies within the strcpy function in the route/goform/ConfigAdvideo file, where the ‘Profile’ argument is not properly validated, leading to a buffer overflow condition. This allows unauthenticated remote attackers to potentially execute arbitrary code on the device. Publicly available exploits exist, increasing the risk of exploitation. Defenders should implement mitigations and detection strategies immediately.

Attack Chain

The attacker identifies a vulnerable UTT HiPER 1250GW device exposed to the internet.
The attacker crafts a malicious HTTP request targeting the route/goform/ConfigAdvideo endpoint.
The HTTP request includes a ‘Profile’ argument with a payload exceeding the buffer size allocated for it.
The strcpy function attempts to copy the oversized ‘Profile’ argument into the undersized buffer.
The buffer overflow occurs, overwriting adjacent memory regions.
The attacker injects malicious code into the overflowed memory region to gain code execution.
The attacker achieves remote code execution on the UTT HiPER 1250GW device.
The attacker gains control of the device, potentially using it for further malicious activities such as lateral movement, data exfiltration, or denial-of-service attacks.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the UTT HiPER 1250GW device. This can lead to complete compromise of the device, potentially enabling attackers to gain unauthorized access to the network it is connected to, exfiltrate sensitive data, or use the device as a bot in a botnet. The impact is significant, especially if these devices are used in critical infrastructure or sensitive environments.

Recommendation

Apply available patches or firmware updates for UTT HiPER 1250GW devices to remediate CVE-2026-7420.
Implement network segmentation to isolate UTT HiPER 1250GW devices from critical network segments.
Deploy the Sigma rule Detect UTT HiPER Buffer Overflow Attempt to identify malicious HTTP requests targeting the route/goform/ConfigAdvideo endpoint.
Monitor web server logs for unusual activity and large ‘Profile’ argument values in requests to route/goform/ConfigAdvideo to identify potential exploitation attempts.

Compromised SAP npm Packages Steal Developer Credentials

hello@craftedsignal.io — Wed, 29 Apr 2026 22:43:44 +0000

On April 29, 2026, security researchers discovered that multiple official SAP npm packages were compromised in a supply-chain attack, suspected to be carried out by TeamPCP. The compromised packages, including @cap-js/sqlite (v2.2.2), @cap-js/postgres (v2.2.2), @cap-js/db-service (v2.10.1), and mbt (v1.2.48), support SAP’s Cloud Application Programming Model (CAP) and Cloud MTA, commonly used in enterprise development. The attack involves injecting a malicious ‘preinstall’ script into these packages, which executes automatically during installation. This script downloads and executes a heavily obfuscated JavaScript payload designed to steal sensitive credentials from developer machines and CI/CD environments. This incident highlights the ongoing risk of supply chain attacks targeting widely used development tools.

Attack Chain

Initial Compromise: Threat actors compromise official SAP npm packages (@cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, mbt). The exact method of initial compromise is currently unknown, but a misconfigured CircleCI job is suspected.
Package Modification: The compromised npm packages are modified to include a malicious ‘preinstall’ script.
Installation Trigger: When developers install the compromised packages using npm install, the ‘preinstall’ script executes automatically.
Payload Download: The ‘preinstall’ script launches a loader named setup.mjs that downloads the Bun JavaScript runtime from GitHub.
Execution of Information Stealer: The Bun runtime is used to execute a heavily obfuscated execution.js payload, which acts as an information stealer.
Credential Theft: The information stealer targets a wide variety of credentials, including npm and GitHub authentication tokens, SSH keys, cloud credentials for AWS, Azure, and Google Cloud, Kubernetes configurations and secrets, and CI/CD pipeline secrets and environment variables. It also attempts to extract secrets directly from the CI runner’s memory by scanning /proc//maps and /proc//mem.
Data Exfiltration: The stolen data is encrypted and uploaded to public GitHub repositories under the victim’s account. These repositories include the description “A Mini Shai-Hulud has Appeared”.
Lateral Movement: The malware searches GitHub commits for the string OhNoWhatsGoingOnWithGitHub:, decoding matching commit messages into GitHub tokens to gain further access and propagate to other packages and repositories, injecting the same malicious code.

Impact

This supply chain attack can lead to the theft of sensitive credentials, allowing attackers to gain unauthorized access to internal systems, cloud infrastructure, and source code repositories. The compromised credentials and secrets can be used for lateral movement within the victim’s network, data exfiltration, and further supply chain attacks. The use of stolen credentials to modify other packages increases the scope of the attack, potentially impacting a large number of developers and organizations using the compromised SAP packages.

Recommendation

Monitor npm package installations for the presence of preinstall scripts executing unusual processes, such as the execution of setup.mjs or the download of the Bun JavaScript runtime from GitHub; implement the Detect Suspicious NPM Package Preinstall Script Sigma rule.
Implement the Detect GitHub Repository Creation with "A Mini Shai-Hulud has Appeared" Description Sigma rule to detect exfiltration attempts via public GitHub repositories.
Audit CI/CD pipeline configurations and restrict access to sensitive credentials and secrets to prevent exposure via misconfigured jobs; remediate the reported CircleCI misconfiguration.
Monitor process memory for credential harvesting activity targeting Runner processes in CI/CD environments, specifically looking for reads of /proc//maps and /proc//mem as outlined in the overview.
Deprecate and remove the compromised packages @cap-js/sqlite (v2.2.2), @cap-js/postgres (v2.2.2), @cap-js/db-service (v2.10.1), and mbt (v1.2.48) from your development and CI/CD environments.

UTT HiPER 1250GW Buffer Overflow Vulnerability

hello@craftedsignal.io — Wed, 29 Apr 2026 22:16:22 +0000

A buffer overflow vulnerability, identified as CVE-2026-7418, has been discovered in UTT HiPER 1250GW devices with firmware versions up to 3.2.7-210907-180535. The vulnerability resides within the strcpy function in the route/goform/NTP file. A remote attacker can exploit this vulnerability by manipulating the Profile argument during NTP configuration. Successful exploitation could lead to arbitrary code execution on the affected device. The vulnerability has been publicly disclosed, increasing the risk of exploitation. This poses a significant threat to organizations using the affected UTT HiPER 1250GW devices, as attackers could potentially gain control of the device and use it as a foothold for further malicious activities within the network.

Attack Chain

The attacker identifies a vulnerable UTT HiPER 1250GW device with a firmware version up to 3.2.7-210907-180535.
The attacker crafts a malicious HTTP request targeting the /route/goform/NTP endpoint.
The crafted request includes a specially designed Profile argument containing a payload that exceeds the buffer size allocated for it.
The web server on the UTT HiPER 1250GW device receives the HTTP request and passes the Profile argument to the strcpy function.
The strcpy function copies the oversized Profile argument into the undersized buffer, leading to a buffer overflow.
The buffer overflow overwrites adjacent memory regions, potentially including critical program data or executable code.
The attacker gains arbitrary code execution on the device with the privileges of the web server process.
The attacker can then use this foothold to further compromise the device or the network it is connected to, potentially leading to data exfiltration or denial-of-service attacks.

Impact

Successful exploitation of CVE-2026-7418 can allow a remote attacker to execute arbitrary code on the affected UTT HiPER 1250GW device. This could allow the attacker to gain full control of the device, potentially leading to data exfiltration, denial-of-service attacks, or further compromise of the network to which the device is connected. The vulnerability has a CVSS v3.1 score of 8.8, indicating a high severity. Given the public availability of the exploit, organizations using the affected devices are at increased risk.

Recommendation

Apply available patches or firmware updates provided by UTT to address CVE-2026-7418 on HiPER 1250GW devices.
Deploy the Sigma rule Detect Suspicious NTP Profile Argument to detect exploitation attempts against the /route/goform/NTP endpoint.
Monitor web server logs for suspicious requests targeting the /route/goform/NTP endpoint with unusually long Profile arguments to identify potential exploitation attempts.

PolarVista xcode-mcp-server OS Command Injection Vulnerability

hello@craftedsignal.io — Wed, 29 Apr 2026 22:16:22 +0000

PolarVista xcode-mcp-server version 1.0.0 is vulnerable to OS command injection (CVE-2026-7416). This vulnerability exists in the build_project/run_tests function within the src/index.ts file of the MCP Interface component. An attacker can remotely inject operating system commands by manipulating the Request argument. The vulnerability has been publicly disclosed, increasing the risk of exploitation. The vendor has been notified but has not yet responded, leaving systems exposed. This poses a significant risk to organizations using this software, as successful exploitation allows complete system compromise.

Attack Chain

The attacker identifies a vulnerable instance of PolarVista xcode-mcp-server 1.0.0.
The attacker crafts a malicious request targeting the build_project/run_tests function in src/index.ts.
The malicious request includes an OS command injection payload within the Request argument.
The application fails to properly sanitize or validate the Request argument.
The application executes the injected OS command on the server.
The attacker gains arbitrary code execution on the server, potentially escalating privileges.
The attacker installs malware, such as a reverse shell, to maintain persistent access.
The attacker performs reconnaissance, lateral movement, and data exfiltration within the compromised network.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary operating system commands on the affected server. This can lead to complete system compromise, data breaches, and denial of service. There are no reported victims or sectors targeted at this time, but given the ease of exploitation and public availability, the risk is high.

Recommendation

Apply available patches from PolarVista as soon as they are released to remediate CVE-2026-7416.
Implement input validation and sanitization for the Request argument in the build_project/run_tests function to prevent command injection.
Monitor web server logs for suspicious requests targeting the build_project/run_tests endpoint.
Deploy the Sigma rule “Detect Suspicious xcode-mcp-server Requests” to identify potential exploitation attempts.

n8n XML Node Prototype Pollution Leading to RCE

hello@craftedsignal.io — Wed, 29 Apr 2026 21:25:53 +0000

A critical vulnerability, CVE-2026-42232, exists within the n8n workflow automation tool. This flaw allows an authenticated user, who possesses permissions to create or modify workflows, to achieve remote code execution (RCE). The attack vector involves exploiting global prototype pollution through the XML Node. Versions affected include those prior to 1.123.32, versions 2.17.0 up to but not including 2.17.4, and versions 2.18.0 up to but not including 2.18.1. Defenders should prioritize patching n8n instances due to the high potential for complete system compromise if exploited.

Attack Chain

An attacker authenticates to an n8n instance with workflow creation/modification privileges.
The attacker crafts a malicious workflow that leverages the XML Node to inject a payload designed to trigger prototype pollution.
The crafted XML node manipulates global object prototypes within the n8n application.
The attacker introduces a property into a global object prototype that can be exploited by another node.
The attacker adds a secondary node (e.g., Function node) that leverages the polluted prototype property.
The secondary node’s execution triggers the polluted prototype, leading to arbitrary code execution.
The attacker executes arbitrary commands on the n8n server.
The attacker gains complete control of the n8n server, potentially leading to data exfiltration, lateral movement, or other malicious activities.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the n8n server. This can lead to full system compromise, including data exfiltration, credential theft, and lateral movement within the network. Given the nature of n8n as an automation platform, successful attacks can severely impact connected systems and services. This vulnerability affects n8n users who have not upgraded to patched versions.

Recommendation

Upgrade n8n to version 1.123.32, 2.17.4, 2.18.1, or later to remediate CVE-2026-42232.
As a temporary mitigation, limit workflow creation and editing permissions to only fully trusted users as suggested in the advisory.
As a temporary mitigation, disable the XML node by adding n8n-nodes-base.xml to the NODES_EXCLUDE environment variable as suggested in the advisory.

n8n Prototype Pollution in XML Webhook Body Parser Leads to RCE

hello@craftedsignal.io — Wed, 29 Apr 2026 21:25:02 +0000

A critical vulnerability exists within the n8n workflow automation platform, specifically affecting the parsing of XML request bodies in webhook handlers. This flaw stems from the use of the xml2js library, which is susceptible to prototype pollution attacks. An authenticated user possessing the capability to create or modify workflows can leverage this vulnerability by sending a specially crafted XML payload. Successful exploitation results in the pollution of the JavaScript object prototype. Attackers can chain this pollution with the Git node’s SSH operations to achieve arbitrary remote code execution (RCE) on the underlying n8n host. The vulnerability affects n8n versions prior to 1.123.32, versions 2.17.0 to 2.17.3, and versions 2.18.0 to 2.18.0.

Attack Chain

An attacker authenticates to the n8n instance.
The attacker crafts a malicious XML payload designed to exploit the prototype pollution vulnerability in the xml2js library.
The attacker creates or modifies a workflow containing a webhook node configured to receive XML data.
The attacker sends the crafted XML payload to the webhook endpoint.
The xml2js library parses the malicious XML, inadvertently polluting the JavaScript object prototype with attacker-controlled properties.
The attacker includes a Git node in the workflow.
The polluted prototype modifies the behavior of the Git node’s SSH operations.
When the workflow executes, the Git node’s SSH operation is hijacked due to the prototype pollution, leading to arbitrary code execution on the n8n host.

Impact

Successful exploitation allows a malicious actor to execute arbitrary code on the n8n server. This grants them complete control over the n8n instance and potentially the underlying infrastructure. The vulnerability impacts any n8n instance accessible to authenticated users who can create or modify workflows. The number of affected installations is unknown, but the potential impact is high due to the sensitive nature of workflows often managed by n8n, which can include access to other systems and data.

Recommendation

Upgrade n8n to version 1.123.32, 2.17.4, 2.18.1, or later to patch the vulnerability as described in the overview.
Deploy the Sigma rule “Detect n8n Prototype Pollution via Crafted XML Payload” to detect malicious XML payloads targeting the vulnerability. Enable webserver logs to activate this rule.
Limit workflow creation and editing permissions to trusted users to mitigate the risk of exploitation, as described in the workaround.

Hyperledger Fabric SDK Java Deserialization RCE

hello@craftedsignal.io — Wed, 29 Apr 2026 20:41:58 +0000

The fabric-sdk-java client SDK, a deprecated component of Hyperledger Fabric, contains a critical vulnerability related to insecure deserialization. Specifically, the Channel.java file implements readObject() and exposes deSerializeChannel() methods that call ObjectInputStream.readObject() on untrusted byte arrays without configuring an ObjectInputFilter. This omission allows an attacker to inject malicious serialized Java objects, leading to remote code execution (RCE). While fabric-sdk-java has been deprecated since Hyperledger Fabric v2.5 and replaced by org.hyperledger.fabric:fabric-gateway, organizations that have not yet migrated are still vulnerable. This issue highlights the risks associated with using deprecated software and the importance of migrating to supported versions. The vulnerability exists in versions 1.0.0 through 2.2.26.

Attack Chain

Attacker crafts a malicious serialized Java object using a tool like ysoserial. For example, java -jar ysoserial.jar CommonsCollections6 "touch /tmp/pwned" > malicious_channel.ser.
The attacker gains the ability to supply crafted serialized Channel bytes to the client application. This could involve compromising a local channel file.
The attacker injects the malicious serialized data through an application that accepts Channel bytes from external sources.
The vulnerable deSerializeChannel() method in Channel.java is called with the attacker-controlled byte array.
Inside deSerializeChannel(), an ObjectInputStream is created from the byte array.
The readObject() method of ObjectInputStream is called without any ObjectInputFilter, deserializing the malicious object.
The deserialization process triggers the execution of a gadget chain embedded in the malicious object.
The gadget chain executes arbitrary code on the server, achieving RCE.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the server running the vulnerable fabric-sdk-java application. This can lead to complete system compromise, data breaches, and other malicious activities. The severity is critical due to the potential for unauthenticated remote code execution. Organizations still using the deprecated fabric-sdk-java are at high risk until they migrate to the supported fabric-gateway.

Recommendation

Migrate to org.hyperledger.fabric:fabric-gateway immediately as the primary remediation, as it does not use Java serialization.
For organizations unable to migrate immediately, apply the suggested fix of adding an ObjectInputFilter to whitelist only expected classes as described in the advisory.
Implement runtime monitoring of Java deserialization to detect and prevent exploitation attempts.
Enable logging of deserialization events to aid in incident response.

Cockpit CMS Authenticated Remote Code Execution via Code Injection

hello@craftedsignal.io — Wed, 29 Apr 2026 20:16:29 +0000

Cockpit CMS is vulnerable to remote code execution due to insufficient input validation in the /cockpit/collections/save_collection endpoint. An authenticated attacker with collection management privileges can inject arbitrary PHP code into collection rules parameters. This vulnerability, identified as CVE-2026-34965, allows attackers to inject malicious PHP code through rule parameters. The injected code is then written directly to server-side PHP files and executed via the include() function, leading to arbitrary command execution on the underlying server. This poses a significant risk to organizations using Cockpit CMS, potentially leading to complete system compromise.

Attack Chain

Attacker authenticates to the Cockpit CMS application with valid collection management credentials.
Attacker navigates to the /cockpit/collections/save_collection endpoint.
Attacker crafts a malicious request to the /cockpit/collections/save_collection endpoint containing PHP code within collection rules parameters.
The application saves the attacker-supplied PHP code into a PHP file on the server.
The application uses the include() function to execute the PHP file.
The injected PHP code executes arbitrary commands on the underlying server, granting the attacker control of the system.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the underlying server. This can lead to complete system compromise, including data theft, modification, or deletion. Given the high CVSS score (8.8), this vulnerability poses a critical risk, especially for internet-facing Cockpit CMS installations. Organizations in any sector using Cockpit CMS are potentially affected.

Recommendation

Apply the patch or upgrade to a version of Cockpit CMS that addresses CVE-2026-34965 to remediate the vulnerability.
Deploy the Sigma rule Detect Suspicious Cockpit CMS Save Collection Activity to identify potential exploitation attempts in web server logs.
Monitor web server logs for POST requests to /cockpit/collections/save_collection with suspicious characters or PHP code in the request body, as detected by the Sigma rule Detect PHP Code Injection in Cockpit CMS Collections.

Tenda W308R DNS Hijacking Vulnerability (CVE-2018-25316)

hello@craftedsignal.io — Wed, 29 Apr 2026 20:16:27 +0000

Tenda W308R v2 running firmware V5.07.48 is susceptible to a cookie session weakness (CVE-2018-25316) that enables unauthenticated attackers to perform DNS hijacking. This vulnerability stems from insufficient session validation. An attacker can exploit this weakness by sending specially crafted GET requests to the goform/AdvSetDns endpoint. The malicious request includes a crafted admin language cookie, which bypasses authentication checks and allows modification of the device’s DNS server settings. Successful exploitation allows the attacker to redirect the router’s DNS queries to a malicious server under their control. This poses a significant risk to end-users, as it can lead to phishing attacks, malware distribution, and other malicious activities.

Attack Chain

The attacker identifies a vulnerable Tenda W308R v2 router running firmware V5.07.48 exposed to the internet.
The attacker crafts a malicious HTTP GET request targeting the goform/AdvSetDns endpoint.
The GET request includes a crafted “admin language cookie” designed to bypass authentication.
The router receives the malicious GET request and, due to insufficient session validation, incorrectly authenticates the attacker.
The router processes the malicious request, modifying the DNS server settings to attacker-controlled DNS servers.
Users connected to the compromised router now resolve domain names through the attacker’s DNS server.
The attacker’s DNS server redirects users to malicious websites, potentially serving malware or phishing pages.
Users unknowingly interact with the malicious content, leading to data theft, system compromise, or other harmful outcomes.

Impact

Successful exploitation of this vulnerability allows an attacker to control DNS resolution for all devices connected to the affected Tenda W308R v2 router. This can lead to widespread redirection to phishing sites designed to steal credentials, or to sites hosting malware that infects user devices. Given the widespread use of Tenda routers, this vulnerability could impact a large number of home and small business networks. A successful attack allows the attacker to perform man-in-the-middle attacks, eavesdrop on network traffic, and compromise connected devices.

Recommendation

Deploy the Sigma rule Detect Tenda Router DNS Hijack Attempt to identify attempts to exploit this vulnerability by monitoring for suspicious requests to the /goform/AdvSetDns endpoint (log source: webserver).
Monitor web server logs for requests containing a crafted admin language cookie to the /goform/AdvSetDns endpoint, indicating potential exploitation attempts (log source: webserver).
Apply available patches or firmware updates from Tenda to address the cookie session weakness and prevent unauthorized DNS modifications.
Consider replacing the affected device if a patch is unavailable, especially in high-risk environments.

Tenda Router DNS Hijacking via Cookie Session Weakness

hello@craftedsignal.io — Wed, 29 Apr 2026 20:16:27 +0000

Tenda W3002R, A302, and W309R wireless routers running firmware version V5.07.64_en are susceptible to a cookie session weakness (CVE-2018-25317). This vulnerability allows unauthenticated attackers to remotely modify DNS settings on the affected devices. The attack exploits insufficient session validation, enabling malicious actors to inject commands and redirect user traffic to attacker-controlled DNS servers. This poses a significant risk as it can lead to phishing attacks, malware distribution, and credential theft. Exploitation is straightforward, requiring only a crafted HTTP GET request, making it accessible to unsophisticated attackers. The vulnerability was reported in April 2026.

Attack Chain

An unauthenticated attacker identifies a vulnerable Tenda router with firmware V5.07.64_en.
The attacker crafts an HTTP GET request targeting the /goform/AdvSetDns endpoint.
The crafted GET request includes a malicious admin language cookie designed to bypass session validation.
The attacker injects modified DNS server addresses into the GET request parameters (primary DNS and secondary DNS).
The vulnerable router processes the malicious GET request without proper session validation.
The router updates its DNS settings to the attacker-specified DNS servers.
Users connected to the compromised router now resolve domain names through the attacker’s DNS server.
The attacker can redirect user traffic to malicious websites or intercept sensitive information.

Impact

Successful exploitation of CVE-2018-25317 allows attackers to perform DNS hijacking on vulnerable Tenda routers, potentially affecting all connected users. By controlling the DNS server, attackers can redirect users to phishing sites, distribute malware, or intercept sensitive communications. Given the ease of exploitation, a large number of routers could be compromised, leading to widespread disruption and data theft. The severity is heightened because no authentication is required to change the DNS settings.

Recommendation

Deploy the Sigma rule Detect Tenda Router DNS Setting Modification to monitor web server logs for requests to the /goform/AdvSetDns endpoint.
Apply network-level filtering to block connections to known malicious DNS servers based on threat intelligence feeds.
Although no firmware update is available, consider replacing end-of-life Tenda routers (W3002R/A302/W309R with V5.07.64_en) with more secure models.

Free Download Manager 2.0 Built 417 Local Buffer Overflow Vulnerability

hello@craftedsignal.io — Wed, 29 Apr 2026 20:16:25 +0000

Free Download Manager (FDM) version 2.0 Built 417 is susceptible to a local buffer overflow vulnerability (CVE-2018-25304) within its URL import functionality. This vulnerability, discovered and reported by VulnCheck, allows an attacker to craft a malicious URL file. When a user imports this specially crafted file through the “File > Import > Import lists of downloads” menu, the application attempts to process the ‘Location’ header response, triggering a buffer overflow. This overflow overwrites the Structured Exception Handler (SEH) chain, enabling the attacker to execute arbitrary code within the context of the FDM process. This vulnerability can be exploited locally by tricking a user into importing a malicious file.

Attack Chain

Attacker crafts a malicious .url file containing an overly long Location header value designed to cause a buffer overflow.
The victim is convinced to download the malicious .url file (e.g., through social engineering).
The victim opens Free Download Manager 2.0 Built 417.
The victim navigates to “File > Import > Import lists of downloads” within FDM.
The victim selects the downloaded malicious .url file and initiates the import process.
FDM parses the malicious .url file and attempts to process the long Location header.
The excessively long Location header causes a buffer overflow, overwriting the SEH chain.
When an exception is triggered (due to the overflow), the overwritten SEH chain is used to redirect execution to attacker-controlled code, resulting in arbitrary code execution.

Impact

Successful exploitation of this buffer overflow vulnerability allows an attacker to execute arbitrary code on the victim’s system with the privileges of the Free Download Manager process. This could lead to complete system compromise, data theft, or installation of malware. While specific victim counts are unavailable, the vulnerability poses a significant risk to users of Free Download Manager 2.0 Built 417.

Recommendation

Monitor for process creation events originating from Free Download Manager after importing a .url file to detect potential exploitation attempts (see Sigma rule “Detect Free Download Manager Suspicious Process Creation After Import”).
Implement file integrity monitoring (FIM) on the Free Download Manager executable directory to detect unauthorized modifications potentially related to exploitation.
Consider using application control solutions to restrict the execution of unsigned or untrusted code within the Free Download Manager process.

AgentFlow Arbitrary Code Execution via Pipeline Path Manipulation (CVE-2026-7466)

hello@craftedsignal.io — Wed, 29 Apr 2026 19:16:27 +0000

AgentFlow is susceptible to an arbitrary code execution vulnerability identified as CVE-2026-7466. This flaw stems from insufficient validation of the pipeline_path parameter within the /api/runs and /api/runs/validate endpoints. By crafting malicious POST requests and supplying a user-controlled pipeline_path, an attacker can induce the AgentFlow API to load and execute arbitrary Python pipeline files present on the server’s filesystem. Successful exploitation leads to code execution within the security context of the user running AgentFlow, potentially granting the attacker full control over the affected system. This vulnerability poses a significant threat to organizations utilizing AgentFlow, as it can lead to data breaches, system compromise, and other malicious activities.

Attack Chain

Attacker identifies an AgentFlow instance running a vulnerable version.
Attacker crafts a POST request to the /api/runs endpoint, including a pipeline_path parameter.
The pipeline_path parameter is set to the path of a malicious Python file already existing on the AgentFlow server (or uploaded previously through other means).
The attacker sends the malicious POST request to the /api/runs endpoint.
AgentFlow processes the request without properly validating the pipeline_path.
AgentFlow loads and executes the Python file specified in the pipeline_path.
The attacker-controlled Python code executes with the privileges of the AgentFlow process.
The attacker achieves arbitrary code execution, potentially leading to complete system compromise, data exfiltration, or denial of service.

Impact

Successful exploitation of CVE-2026-7466 allows an attacker to execute arbitrary code on the AgentFlow server. This can lead to a complete compromise of the system, including the theft of sensitive data, modification of critical system files, or the installation of backdoors for persistent access. The severity of the impact depends on the privileges of the user account running AgentFlow, but in many cases, it can lead to full system administrator access.

Recommendation

Implement input validation and sanitization on the pipeline_path parameter within the /api/runs and /api/runs/validate endpoints to prevent arbitrary file loading and execution.
Monitor web server logs for POST requests to /api/runs and /api/runs/validate containing suspicious pipeline_path values (see example Sigma rule below).
Restrict file system permissions to limit the ability of the AgentFlow user to read and execute arbitrary Python files.
Apply available patches or updates for AgentFlow as soon as they are released to address this vulnerability.

cPanel and WHM Authentication Bypass Vulnerability (CVE-2026-41940)

hello@craftedsignal.io — Wed, 29 Apr 2026 16:16:25 +0000

On April 28, 2026, a critical authentication bypass vulnerability (CVE-2026-41940) was disclosed affecting cPanel and WHM. This vulnerability impacts versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5. The vulnerability exists within the login flow, allowing unauthenticated remote attackers to bypass authentication and gain unauthorized access to the control panel. Successful exploitation grants attackers complete control over the affected cPanel and WHM instances, potentially leading to data theft, server compromise, and further malicious activities. This vulnerability poses a significant risk to web hosting providers and their customers.

Attack Chain

An unauthenticated attacker sends a crafted HTTP request to the cPanel/WHM login page, exploiting the authentication bypass vulnerability.
The vulnerable cPanel/WHM version fails to properly validate the request, allowing the attacker to bypass the login process.
The attacker gains unauthorized access to the cPanel/WHM interface.
The attacker enumerates the server to identify valuable files, directories, and database configurations.
The attacker leverages the compromised cPanel/WHM access to upload malicious scripts or binaries.
The attacker executes uploaded payloads to establish persistent access, such as a web shell.
The attacker uses the web shell to perform arbitrary commands on the server, including escalating privileges.
The attacker exfiltrates sensitive data, defaces websites, or deploys ransomware.

Impact

Successful exploitation of CVE-2026-41940 can lead to complete compromise of cPanel and WHM servers. This can result in data breaches, website defacement, and denial-of-service attacks. The vulnerability affects a wide range of cPanel and WHM installations, potentially impacting thousands of web hosting providers and their customers. The high CVSS score (9.8) reflects the severity of the risk and the ease with which it can be exploited.

Recommendation

Immediately upgrade cPanel and WHM installations to versions 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, or 11.136.0.5, or later to patch CVE-2026-41940.
Monitor web server logs for unusual activity and unauthorized access attempts to the cPanel/WHM interface by deploying the Sigma rule DetectCpanelAuthBypassAccess.
Implement strict access control policies to limit access to cPanel/WHM administrative interfaces and monitor the user activity by deploying the Sigma rule DetectCpanelAccountManipulation.

Multiple Vulnerabilities in Spring Boot Allow Authorization Bypass and Potential RCE

hello@craftedsignal.io — Wed, 29 Apr 2026 12:00:00 +0000

A set of critical vulnerabilities has been discovered in Spring Boot, a widely used Java framework for building web applications and backend services. These vulnerabilities, including CVE-2026-40976 (CVSS 9.1), CVE-2026-40973 (CVSS 7.0), and CVE-2026-40972 (CVSS 7.5), pose a significant threat to organizations using affected versions (specifically versions before 4.0.6, 3.5.14, 3.4.16, 3.3.19, and 2.7.33). Successful exploitation could lead to unauthorized access, session hijacking, and remote code execution, impacting the confidentiality, integrity, and availability of critical business systems. The initial advisory was released by CCB Belgium on April 28, 2026, urging immediate patching.

Attack Chain

Initial Access (CVE-2026-40976 - Authentication Bypass): An attacker sends a crafted HTTP request to a vulnerable Spring Boot application endpoint.
Exploit Default Configuration: If the application is servlet-based, relies on the default Spring Security filter chain, depends on spring-boot-actuator-autoconfigure, and does not depend on spring-boot-health, the default web security configuration fails to enforce authorization.
Unauthorized Access: Due to the authorization bypass, the attacker gains unauthorized access to all application endpoints without proper authentication.
Session Hijacking (CVE-2026-40973): A local attacker exploits the vulnerability to take control of the ApplicationTemp directory.
Code Execution (CVE-2026-40973): Once in control of the ApplicationTemp directory, the attacker can potentially execute arbitrary code within the context of the application.
Timing Attack (CVE-2026-40972): An attacker on the same network conducts a timing attack against the DevTools remote secret.
Remote Code Execution (CVE-2026-40972): By successfully exploiting the timing attack, the attacker can potentially achieve remote code execution on the vulnerable server.
Impact: The attacker gains full control of the system, allowing for data exfiltration, system compromise, and operational downtime.

Impact

Successful exploitation of these Spring Boot vulnerabilities can lead to significant damage, including unauthorized access to sensitive data, complete system compromise, and extended operational downtime. The potential number of victims is vast, considering the widespread use of Spring Boot in various sectors including finance, healthcare, and e-commerce. If an attacker successfully exploits these vulnerabilities, they could steal sensitive customer data, disrupt critical business operations, or deploy ransomware, resulting in significant financial losses and reputational damage.

Recommendation

Immediately patch Spring Boot applications to the latest versions (>=4.0.6, >=3.5.14, >=3.4.16, >=3.3.19, >=2.7.33) to address CVE-2026-40976, CVE-2026-40973, and CVE-2026-40972.
Deploy the Sigma rule “Detect Suspicious Access to Actuator Endpoints” to identify potential exploitation attempts targeting CVE-2026-40976 by monitoring access to sensitive actuator endpoints.
Upscale monitoring and detection capabilities to identify any related suspicious activity as recommended by the CCB.
Investigate and remediate any potentially compromised systems following the patching process.

LLM-Based Compromised User Triage

hello@craftedsignal.io — Tue, 28 Apr 2026 17:17:03 +0000

This Elastic Security rule, designed for Elastic Cloud deployments 9.3.0 and later, leverages an Elastic Managed LLM to analyze correlated security alerts and identify potentially compromised user accounts. The rule aggregates alerts associated with a single user, examining patterns, MITRE ATT&CK tactic progression, unusual geographic locations, and multi-host activity. The LLM then provides a verdict (compromised, benign, or suspicious) and a confidence score. It aims to reduce analyst workload by surfacing users exhibiting indicators of credential theft or unauthorized access and is intended to be used in conjunction with other detection mechanisms to provide a higher-order analysis.

Attack Chain

Multiple security alerts are triggered across various data sources, such as endpoint activity, network traffic, and authentication logs.
Alerts are aggregated and correlated by user.name and user.id, filtering out system accounts and noisy rule types.
The rule extracts key alert details, including rule names, threat tactics, techniques, affected hosts, source IPs, and event datasets.
An alert summary is constructed, including the user’s name, email, number of alerts, distinct rules triggered, affected hosts, time window, and maximum risk score.
The LLM analyzes the alert summary, considering multi-host activity, credential access alerts, unusual source IPs, and tactic progression.
The LLM provides a verdict (TP, FP, or SUSPICIOUS), a confidence score, and a brief summary explaining the assessment.
The rule filters results to surface only compromised or suspicious accounts with a confidence score above 0.7.
ECS fields are mapped for timeline visibility and alert exclusion and the analyst is presented with a high-confidence alert.

Impact

A successful attack using compromised credentials can lead to unauthorized access to sensitive data, lateral movement within the network, and potentially data exfiltration or ransomware deployment. This detection rule helps to quickly identify compromised user accounts, allowing security teams to respond promptly and prevent further damage. The rule reduces the amount of time analysts spend manually triaging alerts and helps them prioritize high-risk users based on an LLM’s assessment.

Recommendation

Ensure that your Elastic Cloud deployment is running version 9.3.0 or later to leverage the ES|QL COMPLETION command with Elastic’s managed LLM.
Review the Esql.summary field in the generated alerts to understand the LLM’s assessment of why the user was flagged.
Investigate alerts where the Esql.confidence score is above 0.9, as these indicate strong indicators of compromise.
Examine the Esql.kibana_alert_rule_name_values and Esql.kibana_alert_rule_threat_tactic_name_values to understand which detection rules triggered and what MITRE ATT&CK tactics were observed.
Use the provided investigation steps in the rule’s note to conduct a thorough investigation, checking for unusual login times, locations, password resets, and MFA changes.

D-Link DIR-825M Remote Buffer Overflow Vulnerability

hello@craftedsignal.io — Tue, 28 Apr 2026 15:16:37 +0000

A buffer overflow vulnerability exists in D-Link DIR-825M router version 1.1.12. The vulnerability is located within the sub_414BA8 function of the /boafrm/formWanConfigSetup file. An attacker can exploit this flaw by manipulating the submit-url argument, leading to arbitrary code execution on the device. This vulnerability is remotely exploitable, and a proof-of-concept exploit is publicly available, increasing the risk of widespread attacks. Exploitation does not require authentication by default, and could allow an attacker to gain complete control over the device. This poses a significant threat to home and small business networks relying on this router model.

Attack Chain

The attacker identifies a vulnerable D-Link DIR-825M router running firmware version 1.1.12.
The attacker crafts a malicious HTTP POST request targeting the /boafrm/formWanConfigSetup endpoint.
The attacker includes the submit-url argument in the POST request, injecting a buffer overflow payload.
The crafted payload overflows the buffer in the sub_414BA8 function during the processing of the submit-url argument.
The buffer overflow overwrites critical memory regions, including the return address.
When the sub_414BA8 function returns, control is redirected to the attacker-controlled address.
The attacker’s payload executes arbitrary code, potentially downloading and executing a secondary payload.
The attacker gains remote shell access to the router.

Impact

Successful exploitation of this buffer overflow vulnerability allows a remote attacker to execute arbitrary code on the D-Link DIR-825M router. This can lead to complete compromise of the device, allowing the attacker to eavesdrop on network traffic, modify router settings, or use the router as a botnet node for further malicious activities. Given the widespread use of D-Link routers in home and small business networks, a successful attack could compromise a large number of devices and networks.

Recommendation

Apply available firmware updates from D-Link to patch CVE-2026-7289.
Deploy the following Sigma rule to detect suspicious POST requests to /boafrm/formWanConfigSetup with overly long submit-url parameters.
Monitor web server logs for suspicious activity related to the /boafrm/formWanConfigSetup endpoint.

Tenda HG3 v2.0 Stack-Based Buffer Overflow in formUploadConfig

hello@craftedsignal.io — Tue, 28 Apr 2026 12:00:00 +0000

A stack-based buffer overflow vulnerability has been identified in Tenda HG3 version 2.0. The vulnerability exists within the formUploadConfig function of the /boaform/formIPv6Routing file. A remote attacker can exploit this by manipulating the destNet argument, potentially leading to arbitrary code execution on the device. The vulnerability, identified as CVE-2026-7151, has a publicly available exploit, increasing the risk of exploitation. This poses a significant threat to users of Tenda HG3 v2.0 routers, potentially allowing attackers to gain unauthorized access and control over the device. The CVSS v3.1 score is rated as 8.8 (HIGH).

Attack Chain

Attacker identifies a Tenda HG3 v2.0 router with default or known credentials, or no authentication at all.
The attacker sends a crafted HTTP POST request to /boaform/formIPv6Routing.
The request targets the formUploadConfig function.
The destNet argument within the HTTP POST data is manipulated with a string exceeding the buffer size.
The formUploadConfig function processes the oversized destNet argument without proper bounds checking.
This causes a stack-based buffer overflow, overwriting adjacent memory regions on the stack.
The attacker gains arbitrary code execution on the device by overwriting the return address or other critical data on the stack.
The attacker can then leverage this to gain full control of the device, potentially modifying settings, injecting malware, or using it as part of a botnet.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected Tenda HG3 v2.0 router. This could lead to complete compromise of the device, allowing the attacker to monitor network traffic, change router settings, or use the device as a launchpad for further attacks against other devices on the network. Given the potential for widespread exploitation due to the publicly available exploit, a large number of Tenda HG3 v2.0 users are at risk.

Recommendation

Monitor web server logs for unusual POST requests to /boaform/formIPv6Routing with excessively long destNet parameters to detect potential exploit attempts (see example Sigma rule below).
Implement rate limiting for requests to /boaform/formIPv6Routing to mitigate brute-force exploitation attempts.
Apply available patches or firmware updates from Tenda to address CVE-2026-7151 on vulnerable HG3 2.0 devices.
Consider deploying a web application firewall (WAF) rule to filter out malicious requests targeting the destNet parameter in /boaform/formIPv6Routing.

Totolink A8000RU OS Command Injection Vulnerability

hello@craftedsignal.io — Tue, 28 Apr 2026 09:17:41 +0000

A critical vulnerability, CVE-2026-7241, has been identified in Totolink A8000RU router firmware version 7.1cu.643_b20200521. This vulnerability resides within the CGI Handler component, specifically in the setWiFiBasicCfg function of the /cgi-bin/cstecgi.cgi file. Successful exploitation allows a remote attacker to inject and execute arbitrary operating system commands by manipulating the wifiOff argument. The vulnerability has been publicly disclosed, increasing the risk of exploitation. This poses a significant threat to users of the affected router model, potentially leading to complete system compromise.

Attack Chain

The attacker identifies a Totolink A8000RU router running firmware version 7.1cu.643_b20200521.
The attacker sends a crafted HTTP request to the /cgi-bin/cstecgi.cgi endpoint.
The HTTP request targets the setWiFiBasicCfg function.
The attacker injects malicious OS commands into the wifiOff argument of the HTTP request.
The CGI handler processes the request without proper sanitization of the wifiOff argument.
The injected OS commands are executed by the system with the privileges of the web server.
The attacker gains remote shell access or performs other malicious actions, such as modifying router settings.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary operating system commands on the affected Totolink A8000RU router. This can lead to complete compromise of the device, potentially enabling the attacker to eavesdrop on network traffic, modify router configuration, or use the router as a node in a botnet. Given the widespread use of Totolink routers, a successful attack could impact numerous home and small business networks.

Recommendation

Deploy the Sigma rule “Detect Totolink A8000RU Command Injection Attempt” to your SIEM to identify exploitation attempts targeting the vulnerable endpoint.
Apply the Sigma rule “Detect Suspicious CGI Request Arguments” to identify unusual commands in cgi requests.
Monitor web server logs for requests to /cgi-bin/cstecgi.cgi with suspicious characters or commands in the wifiOff parameter, as this is the attack vector described in CVE-2026-7241.

D-Link DI-8100 Remote Buffer Overflow Vulnerability

hello@craftedsignal.io — Tue, 28 Apr 2026 09:16:18 +0000

A critical buffer overflow vulnerability, identified as CVE-2026-7248, affects the D-Link DI-8100 router, specifically version 16.07.26A1. The vulnerability resides within the tgfile_htm function of the tgfile.htm file, a component of the CGI endpoint. By crafting a malicious request targeting the fn argument, a remote, unauthenticated attacker can trigger a buffer overflow, potentially leading to arbitrary code execution. This vulnerability is particularly concerning as a proof-of-concept exploit has been publicly released, increasing the likelihood of exploitation. Routers are often targeted due to their exposure to the internet and the potential to compromise entire networks.

Attack Chain

The attacker identifies a vulnerable D-Link DI-8100 router running firmware version 16.07.26A1.
The attacker crafts a malicious HTTP request targeting the tgfile.htm CGI endpoint.
The malicious request includes an overly long string in the fn argument.
The router’s web server processes the request and passes the fn argument to the tgfile_htm function.
The tgfile_htm function fails to properly validate the length of the fn argument.
A buffer overflow occurs when the overly long fn argument is copied into a fixed-size buffer.
The buffer overflow overwrites adjacent memory, potentially including return addresses or other critical data.
The attacker gains arbitrary code execution on the router, potentially allowing them to take full control of the device.

Impact

Successful exploitation of this vulnerability allows an attacker to remotely execute arbitrary code on the D-Link DI-8100 router. This could lead to a complete compromise of the device, allowing the attacker to intercept network traffic, modify router settings, or use the router as a launchpad for further attacks against other devices on the network. Given the public availability of an exploit, widespread exploitation is possible, potentially affecting numerous home and small business networks.

Recommendation

Monitor web server logs for abnormally long fn parameters in requests to /tgfile.htm using the provided Sigma rule to detect potential exploitation attempts.
Implement rate limiting on HTTP requests to the router’s web interface to mitigate brute-force exploitation attempts.
Since the source material only identifies a vulnerability, without a patch, consider replacing the affected device.

Totolink A8000RU Command Injection Vulnerability (CVE-2026-7244)

hello@craftedsignal.io — Tue, 28 Apr 2026 09:16:17 +0000

A critical security vulnerability, identified as CVE-2026-7244, has been discovered in Totolink A8000RU router firmware version 7.1cu.643_b20200521. This flaw resides within the CGI handler, specifically in the setWiFiEasyGuestCfg function located in the /cgi-bin/cstecgi.cgi file. By manipulating the merge argument, a remote attacker can inject and execute arbitrary operating system commands on the affected device. The vulnerability is remotely exploitable and a proof-of-concept exploit has been publicly released, increasing the risk of widespread exploitation. This poses a significant threat as it allows for complete control over the device, potentially leading to data breaches, network compromise, and botnet recruitment.

Attack Chain

The attacker sends a malicious HTTP request to the /cgi-bin/cstecgi.cgi endpoint on the Totolink A8000RU router.
The request targets the setWiFiEasyGuestCfg function.
The attacker crafts the request to include a payload in the merge argument designed to inject an OS command.
The cstecgi.cgi script processes the request and passes the merge argument to a system call without proper sanitization.
The injected OS command is executed with the privileges of the web server.
The attacker gains arbitrary code execution on the router’s operating system.
The attacker can then install malware, change router settings, or use the router as a pivot point to attack other devices on the network.

Impact

Successful exploitation of CVE-2026-7244 grants an attacker complete control over the vulnerable Totolink A8000RU router. This can lead to a variety of malicious activities, including data exfiltration, denial-of-service attacks, and the installation of persistent backdoors. Given the availability of a public exploit, a large number of devices could be compromised quickly. This could result in widespread botnet infections, impacting home users and small businesses relying on these routers for network connectivity.

Recommendation

Monitor web server logs for requests to /cgi-bin/cstecgi.cgi with suspicious parameters in the query string, especially related to the merge argument to detect exploitation attempts (see rule: “Detect Totolink A8000RU Command Injection Attempt”).
Implement network intrusion detection system (NIDS) rules to identify malicious payloads being sent to the affected endpoint (see rule: “Detect Totolink A8000RU Command Injection - Network”).
Apply the Sigma rule “Detect Totolink A8000RU Command Injection in Logs” to your SIEM to identify successful command injection attempts based on web server logs.
Monitor for unusual process execution originating from the web server process, indicating potential exploitation.
Unfortunately, a patch is not available so consider migrating to a more secure router.

VMware Tanzu Spring Boot Multiple Vulnerabilities

hello@craftedsignal.io — Tue, 28 Apr 2026 08:31:28 +0000

Multiple vulnerabilities exist in VMware Tanzu Spring Boot that could be exploited by malicious actors. While the specific CVEs and technical details of these vulnerabilities are not disclosed, the potential impact is significant. An attacker could leverage these vulnerabilities to achieve arbitrary code execution, circumvent security controls, manipulate or disclose confidential data, and even hijack authenticated user sessions. Given the widespread use of Spring Boot in enterprise applications, these vulnerabilities pose a substantial risk to organizations utilizing this framework. Defenders should prioritize identifying and mitigating these vulnerabilities to prevent potential exploitation.

Attack Chain

An attacker identifies a vulnerable endpoint in a Tanzu Spring Boot application.
The attacker crafts a malicious request designed to exploit a vulnerability, such as a deserialization flaw or an SQL injection point.
The malicious request bypasses input validation or authentication mechanisms due to the vulnerability.
The exploited vulnerability allows the attacker to execute arbitrary code within the context of the Spring Boot application.
The attacker leverages the code execution to gain access to sensitive data, such as database credentials or API keys.
The attacker uses the compromised credentials to access other systems or resources within the network.
The attacker escalates privileges within the Spring Boot application or the underlying operating system.
The attacker establishes persistence and maintains long-term access to the compromised system, potentially leading to data exfiltration or further malicious activities.

Impact

Successful exploitation of these vulnerabilities could lead to a wide range of damaging outcomes. Attackers could gain unauthorized access to sensitive data, disrupt critical business processes, or deploy ransomware. The lack of specific details regarding the number of victims and targeted sectors makes it difficult to quantify the precise impact, but the potential for widespread disruption is considerable, especially given the prevalence of Spring Boot applications. The ability to execute arbitrary code provides attackers with significant control over affected systems.

Recommendation

Investigate Tanzu Spring Boot applications for unusual process execution using the rule “Detect Suspicious Spring Boot Process Execution”.
Monitor web server logs for suspicious requests that could be indicative of vulnerability exploitation with the rule “Detect Malicious Request to Spring Boot Application”.
Implement strict input validation and output encoding measures in Tanzu Spring Boot applications to prevent common web application vulnerabilities.

Multiple Vulnerabilities in Atlassian Products

hello@craftedsignal.io — Tue, 28 Apr 2026 08:31:27 +0000

Multiple vulnerabilities exist in Atlassian’s Bamboo, Bitbucket, Confluence, and Jira products. While specific CVEs are not detailed in this advisory, the potential impact is significant. An attacker exploiting these vulnerabilities could achieve arbitrary code execution, allowing for complete system compromise. They could also bypass security measures, potentially disabling logging or other security controls. Data manipulation and disclosure could lead to sensitive information compromise and unauthorized modifications. Cross-site scripting (XSS) attacks could be leveraged to steal user credentials or perform actions on behalf of unsuspecting users. Defenders need to ensure the Atlassian suite is fully patched and monitored.

Attack Chain

Initial Access: An attacker identifies a vulnerable Atlassian product instance (Bamboo, Bitbucket, Confluence, or Jira) accessible over the network.
Vulnerability Exploitation: The attacker leverages an unknown vulnerability to inject malicious code into the application, possibly through a crafted HTTP request.
Code Execution: The injected code executes within the context of the Atlassian application, allowing the attacker to run arbitrary commands on the server.
Privilege Escalation: The attacker leverages the initial code execution to escalate privileges, potentially gaining root or administrator access.
Defense Evasion: The attacker attempts to disable security logging or other monitoring mechanisms to avoid detection.
Data Manipulation/Exfiltration: The attacker accesses sensitive data stored within the Atlassian application or connected databases, manipulating or exfiltrating it for malicious purposes.
Lateral Movement: Using compromised credentials or established footholds, the attacker moves laterally to other systems within the network.
Impact: The attacker achieves their final objective, such as deploying ransomware, stealing intellectual property, or disrupting business operations.

Impact

Successful exploitation of these vulnerabilities could result in significant damage, including complete compromise of Atlassian servers, data breaches, and disruption of critical business processes. The number of potential victims is substantial, as these Atlassian products are widely used across various industries. The impact ranges from data loss and financial damage to reputational harm and legal liabilities.

Recommendation

Deploy the Sigma rules provided in this brief to detect potential exploitation attempts targeting Atlassian products.
Monitor web server logs for suspicious activity, especially HTTP requests targeting Atlassian applications, to detect potential vulnerability exploitation.
Enable and review audit logs within Atlassian products (Bamboo, Bitbucket, Confluence, Jira) for suspicious activity.
Implement network segmentation to limit the potential impact of a successful breach originating from a compromised Atlassian server.

Totolink A8000RU OS Command Injection Vulnerability (CVE-2026-7240)

hello@craftedsignal.io — Tue, 28 Apr 2026 08:16:02 +0000

A critical vulnerability, CVE-2026-7240, has been identified in Totolink A8000RU router firmware version 7.1cu.643_b20200521. This flaw resides within the CGI Handler component, specifically in the setVpnAccountCfg function of the /cgi-bin/cstecgi.cgi file. By exploiting this vulnerability, a remote attacker can inject arbitrary operating system commands by manipulating the User argument. Publicly available exploit code exists, increasing the risk of widespread exploitation. This vulnerability poses a significant threat as it allows complete control of the affected device, potentially leading to network compromise and data exfiltration.

Attack Chain

The attacker identifies a Totolink A8000RU router running firmware version 7.1cu.643_b20200521 accessible via the web interface.
The attacker crafts a malicious HTTP request targeting the /cgi-bin/cstecgi.cgi endpoint.
The crafted request includes the setVpnAccountCfg function call with a payload injected into the User argument. The payload contains OS commands to be executed on the router.
The router’s CGI Handler processes the request without proper sanitization of the User argument.
The injected OS commands are executed with the privileges of the web server process.
The attacker gains remote shell access to the router.
The attacker leverages the compromised router to pivot within the network, potentially accessing sensitive data or other internal systems.
The attacker could modify the router’s configuration, intercept network traffic, or use it as a launching point for further attacks.

Impact

Successful exploitation of CVE-2026-7240 allows a remote, unauthenticated attacker to execute arbitrary commands on the affected Totolink A8000RU router. This could lead to a complete compromise of the device, potentially exposing sensitive information, enabling unauthorized network access, and facilitating further attacks within the network. Given the ease of exploitation and the availability of public exploits, organizations using this router model are at high risk of experiencing significant security breaches.

Recommendation

Deploy the Sigma rule Detect Totolink A8000RU Command Injection Attempt to identify exploitation attempts against vulnerable Totolink routers. Enable webserver logging to capture the necessary request data.
Apply the Sigma rule Detect Totolink A8000RU Malicious User Agent to detect potential exploit attempts based on modified User-Agent headers.
Monitor webserver logs for requests to /cgi-bin/cstecgi.cgi containing suspicious characters or command sequences in the cs-uri-query field, indicative of command injection attempts.
Given the public availability of exploit code, organizations using the Totolink A8000RU 7.1cu.643_b20200521 are advised to replace the device if a patch is not available from the vendor.

Tenda HG3 2.0 Command Injection Vulnerability

hello@craftedsignal.io — Mon, 27 Apr 2026 22:16:18 +0000

Tenda HG3 2.0 is vulnerable to a command injection vulnerability (CVE-2026-7160) affecting the formTracert function in the /boaform/formTracert file. A remote attacker can exploit this by manipulating the datasize argument to inject arbitrary commands into the system. The vulnerability has a CVSS v3.1 score of 8.8, indicating a high severity. Public disclosure and potential exploitation make this a critical issue for users of the Tenda HG3 2.0 router. Successful exploitation allows an attacker to execute arbitrary commands on the device, potentially leading to complete system compromise.

Attack Chain

The attacker identifies a vulnerable Tenda HG3 2.0 router with an exposed web interface.
The attacker crafts a malicious HTTP request targeting the /boaform/formTracert endpoint.
The malicious request includes a manipulated datasize argument designed to inject a command.
The web server processes the request and passes the manipulated datasize argument to the formTracert function.
The formTracert function fails to properly sanitize the input, allowing the injected command to be executed by the system.
The injected command executes with the privileges of the web server process.
The attacker gains arbitrary code execution on the router.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary commands on the Tenda HG3 2.0 router. This can lead to complete compromise of the device, including modification of router settings, interception of network traffic, and potential use of the router as a botnet node. Given the high base score of 8.8, this poses a significant risk to affected users.

Recommendation

Apply available patches or firmware updates provided by Tenda to address CVE-2026-7160.
Monitor web server logs for suspicious POST requests to /boaform/formTracert with unusual datasize parameters, as covered by the Sigma rule “Detect Tenda HG3 Command Injection Attempt”.
Implement network intrusion detection system (IDS) rules to detect and block exploit attempts targeting this vulnerability.

Apache MINA Arbitrary Code Execution Vulnerability

hello@craftedsignal.io — Mon, 27 Apr 2026 16:09:56 +0000

A critical arbitrary code execution vulnerability, CVE-2026-41635, has been identified in Apache MINA, an open-source network application framework. The vulnerability affects versions 2.0.0 through 2.0.27, 2.1.0 through 2.1.10, and 2.2.0 through 2.2.5. The flaw lies within the AbstractIoBuffer.resolveClass() method, where a branch lacks class validation, bypassing the classname allowlist. This allows remote attackers with low privileges to execute arbitrary code on systems using Apache MINA when the IoBuffer.getObject() method is called. Successful exploitation can lead to full system compromise, data exfiltration, and further attacks on interconnected systems. It is imperative that organizations using Apache MINA apply the necessary patches immediately to mitigate this critical risk.

Attack Chain

The attacker identifies a vulnerable application using Apache MINA versions 2.0.0-2.0.27, 2.1.0-2.1.10, or 2.2.0-2.2.5.
The attacker crafts a malicious payload containing serialized Java objects designed to exploit the class validation bypass in AbstractIoBuffer.resolveClass().
The attacker sends a network request to the vulnerable application that triggers the IoBuffer.getObject() method.
The IoBuffer.getObject() method deserializes the attacker-controlled data without proper class validation due to the flaw in AbstractIoBuffer.resolveClass().
The malicious serialized object executes arbitrary code within the context of the application.
The attacker gains control of the application server.
The attacker uses their access to move laterally within the network.
The attacker exfiltrates sensitive data or deploys ransomware.

Impact

Successful exploitation of CVE-2026-41635 allows attackers to execute arbitrary code on systems utilizing vulnerable versions of Apache MINA. This can lead to a full compromise of the affected system, including data exfiltration, denial of service, or further attacks on interconnected systems. The vulnerability is remotely exploitable with low privileges, increasing the potential for widespread impact across various sectors relying on Apache MINA for network communication. A successful attack poses a high risk to the confidentiality, integrity, and availability of affected systems and data.

Recommendation

Immediately patch Apache MINA to the latest version to remediate CVE-2026-41635, as recommended by the vendor advisory (https://lists.apache.org/thread/1l91w1mqsb3lwfd504fs045ylxntt2tm).
Implement network monitoring to detect suspicious activity related to deserialization attempts, as suggested by the CCB’s recommendation to upscale monitoring capabilities.
Deploy the Sigma rule “Detect Apache MINA Vulnerable Class Deserialization Attempt” to identify potential exploitation attempts based on suspicious class names in network traffic.

Tenda F456 Router Buffer Overflow Vulnerability (CVE-2026-7101)

hello@craftedsignal.io — Mon, 27 Apr 2026 09:19:31 +0000

A critical buffer overflow vulnerability, identified as CVE-2026-7101, has been discovered in Tenda F456 router version 1.0.0.5. The vulnerability resides in the fromWrlclientSet function within the /goform/WrlclientSet file, which is part of the router’s httpd component. Successful exploitation allows remote attackers to execute arbitrary code on the device. Publicly available exploit code exists, increasing the risk of widespread exploitation. This vulnerability poses a significant threat to home and small business networks using the affected Tenda router model, potentially leading to complete device compromise and unauthorized network access. The vulnerability was published on 2026-04-27 and is tracked by VulDB.

Attack Chain

An attacker identifies a vulnerable Tenda F456 router running firmware version 1.0.0.5.
The attacker crafts a malicious HTTP request targeting the /goform/WrlclientSet endpoint.
The crafted request includes an oversized payload designed to overflow the buffer in the fromWrlclientSet function.
The httpd process attempts to process the request without proper bounds checking.
The buffer overflow occurs, overwriting adjacent memory regions, including critical program data and execution pointers.
The attacker gains control of the program execution flow.
The attacker executes arbitrary code on the router, potentially including shell commands or custom malware.
The attacker achieves complete control of the router, potentially enabling network reconnaissance, data exfiltration, or further attacks on the local network.

Impact

Successful exploitation of this buffer overflow vulnerability allows a remote attacker to execute arbitrary code on the Tenda F456 router. This can lead to complete device compromise, allowing the attacker to control network traffic, modify router settings, or use the compromised device as a pivot point for further attacks within the network. Given the wide usage of Tenda routers in home and small business environments, a successful widespread exploitation could impact thousands of users.

Recommendation

Upgrade to a patched firmware version if available from the vendor.
Implement network segmentation to limit the impact of a compromised router.
Monitor web server logs for suspicious activity targeting the /goform/WrlclientSet endpoint using the provided Sigma rule.
Implement an IPS rule to detect and block exploit attempts targeting CVE-2026-7101.

Tenda F456 Router Buffer Overflow Vulnerability

hello@craftedsignal.io — Mon, 27 Apr 2026 04:16:09 +0000

A critical buffer overflow vulnerability, identified as CVE-2026-7081, affects Tenda F456 router version 1.0.0.5. The vulnerability resides in the fromGstDhcpSetSer function within the /goform/GstDhcpSetSer file, a component of the device’s httpd service. Successful exploitation allows a remote attacker to execute arbitrary code on the device. Publicly available exploit code increases the risk of widespread exploitation. This vulnerability poses a significant threat as it can lead to complete compromise of the affected device, potentially allowing attackers to gain unauthorized access to the network, steal sensitive information, or use the device as part of a botnet.

Attack Chain

The attacker identifies a vulnerable Tenda F456 router (version 1.0.0.5) exposed to the internet.
The attacker crafts a malicious HTTP POST request targeting the /goform/GstDhcpSetSer endpoint.
The HTTP request includes the dips argument, which is intentionally oversized to trigger the buffer overflow.
The vulnerable fromGstDhcpSetSer function processes the request without proper bounds checking.
The oversized dips argument overwrites adjacent memory regions on the stack.
The attacker carefully crafts the overflow to overwrite the return address with an address pointing to attacker-controlled code.
The fromGstDhcpSetSer function returns, causing execution to jump to the attacker’s code.
The attacker’s code executes with the privileges of the httpd process, potentially leading to full device compromise.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected Tenda F456 router. This can result in complete device compromise, including the ability to modify device settings, intercept network traffic, and potentially use the compromised device as a pivot point for further attacks within the network. Given the widespread use of Tenda routers, a large number of devices could be vulnerable, making this a significant security concern.

Recommendation

Monitor web server logs for suspicious POST requests to /goform/GstDhcpSetSer with unusually long dips parameter values to detect potential exploitation attempts.
Deploy the provided Sigma rule Detect Tenda F456 Buffer Overflow Attempt to identify malicious HTTP requests.
Since no patch is available, consider replacing the affected Tenda F456 routers (version 1.0.0.5) with more secure alternatives.

Linksys MR9600 Command Injection Vulnerability (CVE-2026-6992)

hello@craftedsignal.io — Sun, 26 Apr 2026 12:00:00 +0000

A command injection vulnerability, CVE-2026-6992, affects the Linksys MR9600 router, specifically version 2.0.6.206937. The vulnerability resides in the JNAP Action Handler component within the /etc/init.d/run_central2.sh script. Attackers can remotely exploit this flaw by manipulating the pin argument passed to the BTRequestGetSmartConnectStatus function. This allows for the execution of arbitrary operating system commands on the affected device. A public exploit is available, increasing the risk of exploitation. The vendor was notified but did not respond.

Attack Chain

The attacker sends a crafted HTTP request to the Linksys MR9600 router.
The request targets the JNAP Action Handler component, specifically the /etc/init.d/run_central2.sh script.
The BTRequestGetSmartConnectStatus function is invoked by the crafted request.
The attacker injects malicious OS commands within the pin argument of the BTRequestGetSmartConnectStatus function.
The router’s firmware processes the request, failing to properly sanitize the pin argument.
The injected OS commands are executed with the privileges of the running process, potentially root.
The attacker gains control of the router, potentially allowing for further malicious activities, such as network traffic interception or modification of router settings.

Impact

Successful exploitation of CVE-2026-6992 allows a remote attacker to execute arbitrary commands on the Linksys MR9600 router. This can lead to a complete compromise of the device, allowing the attacker to monitor network traffic, change router configurations, or use the router as a foothold for further attacks within the network. Given the availability of a public exploit, the risk of widespread exploitation is high.

Recommendation

Deploy the Sigma rule Detect CVE-2026-6992 Exploitation Attempt to identify exploitation attempts in web server logs.
Apply the Sigma rule Detect Suspicious Shell Activity via Web Request to detect potential command injection attempts.
Monitor web server logs for requests containing suspicious characters in the cs-uri-query field that target /etc/init.d/run_central2.sh to uncover exploitation attempts.

Tenda F456 Router Buffer Overflow Vulnerability

hello@craftedsignal.io — Sun, 26 Apr 2026 11:16:06 +0000

A buffer overflow vulnerability has been identified in Tenda F456 router, specifically version 1.0.0.5. The vulnerability resides within the fromSafeClientFilter function located in the /goform/SafeClientFilter file. Successful exploitation allows a remote attacker to inject and execute arbitrary code. Publicly available exploit code exists, increasing the risk of widespread exploitation targeting vulnerable Tenda F456 devices. This issue poses a significant threat to network security, as a compromised router can lead to data breaches, denial of service, or further network intrusion.

Attack Chain

The attacker identifies a Tenda F456 router running firmware version 1.0.0.5 exposed to the internet.
The attacker crafts a malicious HTTP POST request targeting the /goform/SafeClientFilter endpoint.
The crafted request includes a specially designed payload within the menufacturer/Go argument. This payload is designed to trigger a buffer overflow in the fromSafeClientFilter function.
The fromSafeClientFilter function processes the malicious input without proper bounds checking.
The oversized payload overwrites adjacent memory regions, potentially including return addresses or other critical data.
When the fromSafeClientFilter function attempts to return, the overwritten return address is used, redirecting execution flow to attacker-controlled memory.
The attacker-controlled memory contains shellcode or other malicious instructions.
The router executes the attacker’s code, granting the attacker control over the device.

Impact

Successful exploitation of this vulnerability can result in complete compromise of the Tenda F456 router. An attacker can gain unauthorized access to network traffic, modify router settings, or use the compromised device as a launchpad for further attacks within the network. Given the public availability of exploit code, a large number of Tenda F456 routers could be targeted, potentially affecting numerous home and small business networks. A successful attack could lead to data theft, service disruption, and reputational damage.

Recommendation

Apply any available patches or firmware updates released by Tenda to address CVE-2026-7033 on the F456 1.0.0.5 routers.
Implement network intrusion detection systems (IDS) or intrusion prevention systems (IPS) rules to detect and block malicious requests targeting the /goform/SafeClientFilter endpoint.
Deploy the Sigma rules provided below to your SIEM to detect exploitation attempts targeting the vulnerable endpoint.
Monitor web server logs for suspicious POST requests to /goform/SafeClientFilter with abnormally large menufacturer/Go argument values.

Tenda HG10 HG7_HG9_HG10re_300001138_en_xpon Buffer Overflow Vulnerability

hello@craftedsignal.io — Sat, 25 Apr 2026 18:18:16 +0000

A buffer overflow vulnerability, identified as CVE-2026-6988, has been discovered in Tenda HG10 HG7_HG9_HG10re_300001138_en_xpon. The vulnerability resides within the Boa Service, specifically affecting the formRoute function located in the /boaform/formRouting file. Successful exploitation of this flaw enables a remote attacker to overwrite memory by crafting a malicious request with a manipulated nextHop argument. This can lead to arbitrary code execution on the affected device. Given the potential for remote exploitation and the availability of a published exploit, this vulnerability poses a significant threat.

Attack Chain

The attacker identifies a vulnerable Tenda HG10 HG7_HG9_HG10re_300001138_en_xpon device with the vulnerable Boa web service exposed.
The attacker crafts a malicious HTTP request targeting the /boaform/formRouting endpoint.
The crafted request includes a specially crafted nextHop argument, exceeding the buffer size allocated for it.
The Boa service processes the request without proper bounds checking on the nextHop argument.
The oversized nextHop argument overwrites adjacent memory regions, including critical program data or return addresses.
The overwritten return address redirects execution flow to attacker-controlled code.
The attacker executes arbitrary code on the device with the privileges of the Boa service.
The attacker gains control of the device, potentially leading to data exfiltration, device hijacking, or further network compromise.

Impact

Successful exploitation of CVE-2026-6988 can lead to complete compromise of the affected Tenda HG10 HG7_HG9_HG10re_300001138_en_xpon device. This may result in unauthorized access to the device’s configuration, sensitive data exposure, or the device being used as a bot in a larger attack. Given that this device is likely used in home or small business environments, a successful attack could lead to significant data breaches, financial losses, and reputational damage. The availability of a public exploit increases the likelihood of widespread exploitation.

Recommendation

Apply available patches or firmware updates released by Tenda to address CVE-2026-6988 as soon as possible.
Implement network segmentation to limit the exposure of Tenda devices to the internet or untrusted networks.
Monitor web server logs for suspicious activity targeting the /boaform/formRouting endpoint to detect potential exploit attempts (webserver log source).
Deploy the Sigma rule “Detect Tenda HG10 Buffer Overflow Attempt” to identify malicious HTTP requests exploiting the nextHop argument (Sigma rule).
Implement rate limiting on the /boaform/formRouting endpoint to mitigate potential brute-force exploitation attempts.

Rclone Unauthenticated Remote Code Execution Vulnerabilities

hello@craftedsignal.io — Sat, 25 Apr 2026 12:00:00 +0000

Two critical unauthenticated remote code execution vulnerabilities, CVE-2026-41176 and CVE-2026-41179, have been discovered in Rclone versions prior to 1.73.5. Rclone is a command-line program used to manage files on cloud storage services. These vulnerabilities can be exploited if the Rclone remote control (RC) API is enabled without proper authentication (e.g., --rc-user/--rc-pass/--rc-htpasswd). An attacker with network access to a vulnerable Rclone instance can bypass authentication, execute arbitrary commands, and potentially gain full system compromise. As organizations increasingly rely on cloud storage, vulnerabilities in tools like Rclone can have significant impact by enabling data theft and lateral movement. The vulnerabilities were reported on April 24, 2026, with no known active exploitation as of April 23, 2026.

Attack Chain

The attacker identifies a target system running Rclone with the RC API enabled.
The attacker verifies the RC API is exposed on a reachable network address (e.g., not only localhost) and is not protected by HTTP authentication.
For CVE-2026-41179, the attacker sends a single crafted HTTP request to the RC endpoint, leveraging the WebDAV backend initialization process.
This crafted request triggers the execution of arbitrary commands on the target system without authentication.
For CVE-2026-41176, the attacker bypasses authentication controls to access sensitive administrative functionality.
The attacker manipulates Rclone configuration or invokes operational RC methods to execute arbitrary commands.
The attacker gains local file read/write access, potentially stealing sensitive data or uploading malicious payloads.
The attacker achieves full system compromise, enabling data theft, lateral movement within the network, or denial of service.

Impact

Successful exploitation of CVE-2026-41176 and CVE-2026-41179 can lead to full system compromise, data theft, lateral movement, or denial of service. Specifically, attackers can achieve local file read, file write, or shell access, depending on the environment. The impact includes potential exposure of sensitive cloud data and configurations, which could compromise the integrity and confidentiality of stored information. Given Rclone’s popularity among organizations managing cloud storage, a successful attack could affect a large number of victims across various sectors.

Recommendation

Upgrade Rclone to version 1.73.5 or later to patch CVE-2026-41176 and CVE-2026-41179 as recommended by the vendor.
Enable global HTTP authentication on RC servers using --rc-user, --rc-pass, or --rc-htpasswd to mitigate the unauthenticated access, as mentioned in the description of the vulnerabilities.
Implement network-level controls (e.g., firewall rules) to restrict access to RC server endpoints and the RC service, as suggested by CCB.
Deploy the Sigma rule “Detect Rclone RC API Access Without Authentication” to identify potentially vulnerable Rclone instances within your environment.

ERB Deserialization Bypass via def_module/def_method/def_class

hello@craftedsignal.io — Sat, 25 Apr 2026 12:00:00 +0000

Ruby versions before ERB 2.2.0 implemented an @_init instance variable guard in ERB#result and ERB#run to prevent code execution upon deserialization via Marshal.load. This guard is intended to block execution when an ERB object is reconstructed from untrusted data. However, the methods ERB#def_method, ERB#def_module, and ERB#def_class were not given the same protection, creating a bypass. An attacker capable of triggering Marshal.load on untrusted data in a Ruby application with the erb gem loaded can exploit ERB#def_module (using its zero-argument, default-parameter form) as a code execution sink. This bypass impacts Ruby on Rails applications that import untrusted serialized data, Ruby tools employing Marshal.load for caching or IPC, and legacy Rails applications (pre-7.0) utilizing Marshal for cookie session serialization. This bypass renders the @_init mitigation ineffective across all ERB versions from 2.2.0 through 6.0.3. Combined with the DeprecatedInstanceVariableProxy gadget (present in all ActiveSupport versions through 7.2.3), this enables a universal RCE gadget chain for Ruby 3.2+ applications using Rails. The vulnerability is identified as CVE-2026-41316.

Attack Chain

The attacker crafts a malicious Ruby object containing an ERB instance and/or an ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy instance.
The ERB instance has its @src instance variable set to a string containing malicious code with the “end\nsystem(‘id’)\ndef x” payload.
The vulnerable application calls Marshal.load on the crafted object, triggering deserialization.
During deserialization, the DeprecatedInstanceVariableProxy is instantiated (if used), which then invokes the ERB#def_module method via method_missing.
The ERB#def_module method calls ERB#def_method without checking the @_init guard.
Inside ERB#def_method, the malicious code in @src is wrapped in a method definition and evaluated via module_eval.
The “end\nsystem(‘id’)\ndef x” payload causes the system('id') command to execute during the module_eval call, bypassing the intended deserialization protection.
The attacker achieves arbitrary code execution on the target system, gaining the ability to perform malicious actions.

Impact

Successful exploitation allows an attacker to execute arbitrary code on the target system. This affects Ruby applications, including Ruby on Rails, which use Marshal.load on untrusted data. Specific impact includes potential compromise of web servers and the ability to read sensitive files, modify data, or install malware. Vulnerable applications include those using Marshal.load for caching, data import, or IPC, and legacy Rails applications (pre-7.0) using Marshal for cookie session serialization. This bypass renders the @_init mitigation ineffective across all ERB versions from 2.2.0 through 6.0.3.

Recommendation

Upgrade your erb gem to version 4.0.3.1, 4.0.4.1, 6.0.1.1, or 6.0.4 to patch the vulnerability as described in the “Patches” section.
Avoid using Marshal.load on untrusted data, as it is inherently unsafe. Consider using alternative serialization formats like JSON or YAML.
Deploy the “Detect ERB def_module Code Execution via Deserialization” Sigma rule to detect exploitation attempts.

Gemini CLI Remote Code Execution via Workspace Trust and Tool Allowlisting Bypasses

hello@craftedsignal.io — Fri, 24 Apr 2026 19:30:01 +0000

Gemini CLI (@google/gemini-cli) versions prior to 0.39.1 and version 0.40.0-preview.2, along with the run-gemini-cli GitHub Action versions prior to 0.1.22, are susceptible to remote code execution due to insecure workspace trust handling and tool allowlisting bypasses. The vulnerability arises from the automatic trust of workspace folders in headless mode, allowing malicious environment variables within the .gemini/ directory to be exploited. Furthermore, in --yolo mode, the tool allowlist was previously ignored, enabling prompt injection and code execution via commands like run_shell_command. This poses a risk, especially in CI/CD environments that process untrusted inputs such as pull requests. The patched version 0.39.1 enforces explicit folder trust in headless mode and properly evaluates tool allowlists under --yolo, mitigating these risks. This impacts all Gemini CLI GitHub Actions and requires users to review their workflows.

Attack Chain

Attacker submits a malicious pull request to a repository using Gemini CLI in a GitHub Actions workflow.
The workflow, running in headless mode, automatically trusts the workspace folder (versions prior to 0.39.1).
The attacker’s pull request includes a crafted .gemini/ directory containing malicious environment variables.
Gemini CLI loads the malicious environment variables, leading to code execution.
Alternatively, the attacker injects a malicious prompt leveraging run_shell_command when --yolo is used.
The run_shell_command executes arbitrary commands on the runner due to the bypassed tool allowlist (versions prior to 0.39.1).
The attacker gains control of the CI/CD runner, potentially exfiltrating secrets or injecting malicious code into the deployment pipeline.
Successful exploitation leads to code execution on the CI/CD runner, data exfiltration, or supply chain compromise.

Impact

The vulnerability impacts workflows utilizing Gemini CLI in headless mode, particularly those processing untrusted inputs such as pull requests from external contributors. Successful exploitation can lead to remote code execution on the CI/CD runner, potentially enabling attackers to exfiltrate sensitive information, such as API keys and credentials, or inject malicious code into the application deployment pipeline. This can lead to a supply chain compromise. All Gemini CLI GitHub Actions are affected, requiring users to review and update their workflows.

Recommendation

Upgrade @google/gemini-cli to version 0.39.1 or later, or 0.40.0-preview.3 if using a preview version.
Upgrade actions/google-github-actions/run-gemini-cli to version 0.1.22 or later.
For workflows running on trusted inputs, set GEMINI_TRUST_WORKSPACE: 'true' in the GitHub Actions workflow.
For workflows processing untrusted inputs, review the hardening guidance in google-github-actions/run-gemini-cli and set the environment variable accordingly.
Review and harden tool allowlists in ~/.gemini/settings.json to restrict the commands that can be executed, especially when using the --yolo flag.

BridgeHead FileStore Unauthenticated Remote Code Execution via Apache Axis2

hello@craftedsignal.io — Fri, 24 Apr 2026 16:16:36 +0000

BridgeHead FileStore versions prior to 24A, released in early 2024, expose a critical security vulnerability. Specifically, the Apache Axis2 administration module is accessible on network endpoints with default credentials. This flaw allows unauthenticated remote attackers to execute arbitrary operating system commands. The vulnerability stems from insecure default configurations within the FileStore application and the underlying Axis2 web service framework. Successful exploitation grants complete control over the affected system, potentially leading to data breaches, system compromise, and further lateral movement within the network. This vulnerability poses a significant risk to organizations using vulnerable versions of BridgeHead FileStore.

Attack Chain

The attacker identifies a BridgeHead FileStore instance running a vulnerable version of the software on a network-accessible endpoint.
The attacker accesses the Apache Axis2 administration console, which is exposed due to a misconfiguration.
The attacker authenticates to the Axis2 admin console using default credentials, bypassing authentication controls.
The attacker uploads a malicious Java archive (WAR file) containing a web service designed to execute arbitrary commands.
The attacker deploys the malicious web service through the Axis2 administration interface.
The attacker crafts a SOAP request to the deployed malicious web service, embedding the operating system command to be executed.
The vulnerable FileStore instance processes the SOAP request, executing the attacker-controlled command on the host operating system.
The attacker gains remote code execution, achieving complete control over the compromised system.

Impact

Successful exploitation of CVE-2026-39920 allows unauthenticated attackers to execute arbitrary OS commands on systems running vulnerable versions of BridgeHead FileStore. This can lead to complete system compromise, data breaches, denial of service, and further lateral movement within the network. While the exact number of affected organizations is unknown, the widespread use of BridgeHead FileStore in data protection and archiving scenarios makes this a critical vulnerability. The consequences of a successful attack could include the loss of sensitive data, disruption of business operations, and significant financial losses.

Recommendation

Apply the update to FileStore version 24A or later to remediate the vulnerability as mentioned in the product updates page (https://www.bridgeheadsoftware.com/rapid-data-protection-product-updates/).
Monitor web server logs for suspicious POST requests to the Axis2 administration console (/axis2/servlet/AdminServlet) as it is a key component of the exploitation. Use the “Detect Axis2 Admin Access” Sigma rule to identify unauthorized access attempts.
Implement network segmentation to limit the exposure of BridgeHead FileStore instances and the Axis2 administration module.
Review and enforce strong authentication policies for all web-based administration interfaces.

Ray Data Remote Code Execution via Parquet Arrow Extension Type Deserialization

hello@craftedsignal.io — Fri, 24 Apr 2026 16:15:00 +0000

Ray Data, a component of the Ray distributed computing framework, is susceptible to remote code execution (RCE) due to unsafe deserialization of Parquet file metadata. The vulnerability stems from Ray’s registration of custom Arrow extension types (ray.data.arrow_tensor, ray.data.arrow_tensor_v2, ray.data.arrow_variable_shaped_tensor) within PyArrow. When a Parquet file containing these extension types is processed, the __arrow_ext_deserialize__ function is invoked, leading to the execution of arbitrary code through cloudpickle.loads() on the field’s metadata, prior to any data being read. This issue affects Ray versions 2.49.0 through 2.54.0, introduced in July 2025 via commit f6d21db1a4. Successful exploitation does not require authentication or network access to a Ray cluster. Instead, it hinges on the framework reading a maliciously crafted Parquet file, which can originate from various sources like cloud storage, HuggingFace datasets, or shared file systems.

Attack Chain

An attacker crafts a Parquet file containing a column with a ray.data.arrow_tensor, ray.data.arrow_tensor_v2, or ray.data.arrow_variable_shaped_tensor extension type.
The attacker injects a malicious payload in the ARROW:extension:metadata field of the Parquet file, serialized using cloudpickle.
The attacker places the crafted Parquet file in a location accessible to a Ray Data pipeline, such as a HuggingFace dataset, a shared filesystem, or a cloud storage bucket.
A Ray Data pipeline, using functions like ray.data.read_parquet(), pyarrow.parquet.read_table(), or pandas.read_parquet(), attempts to read the Parquet file.
During schema parsing, PyArrow encounters the custom Arrow extension type and automatically calls the __arrow_ext_deserialize__ method.
The __arrow_ext_deserialize__ method invokes _deserialize_with_fallback(), which attempts to deserialize the metadata using cloudpickle.loads().
The cloudpickle.loads() function executes the attacker’s arbitrary code from the crafted Parquet metadata.
The attacker achieves arbitrary command execution as the user running the Ray worker process, potentially leading to full server compromise.

Impact

This vulnerability affects Ray versions 2.49.0 through 2.54.0, impacting any process utilizing Ray Data that reads Parquet files. The global registration of extension types in PyArrow means that all Parquet reads within the affected process are vulnerable. An attacker can achieve arbitrary command execution as the Ray worker process user, leading to full server compromise, without requiring authentication or cluster access. Successful exploitation allows attackers to compromise systems by simply placing a malicious Parquet file in a location that a Ray Data pipeline processes.

Recommendation

Upgrade Ray to a patched version beyond 2.54.0 to remediate the vulnerability, ensuring the fix addresses the cloudpickle.loads() call in the deserialization path.
Implement strict input validation and sanitization for Parquet files before processing them with Ray Data to prevent the execution of malicious payloads embedded in the ARROW:extension:metadata field.
Monitor for suspicious process execution originating from python processes using cloudpickle.loads() with the intent of arbitrary code execution.
Deploy the Sigma rule Detect Ray Data Parquet Deserialization RCE to detect exploitation attempts by monitoring for specific metadata within Parquet files.

Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud

hello@craftedsignal.io — Fri, 24 Apr 2026 15:43:25 +0000

A critical vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to their account without making any payment. Disclosed on 2025-04-15 and patched the same day in v0.12.10, the vulnerability stems from three compounding flaws: the Stripe webhook endpoint does not reject requests when StripeWebhookSecret is empty (the default), any attacker can compute valid webhook signatures when the HMAC secret is empty, and the Recharge function does not validate that the order’s PaymentMethod matches the callback source. This enables cross-gateway exploitation where orders created via any payment method can be fulfilled through a forged Stripe webhook. This vulnerability allows for financial fraud through unlimited API quota acquisition without payment.

Attack Chain

Attacker registers a user account on the target platform.
Attacker calls POST /api/user/pay to create an Epay top-up order, setting the amount. The order is stored with a pending status.
Attacker queries GET /api/user/topup/self to retrieve the trade_no of the pending order.
Attacker computes an HMAC-SHA256 signature with an empty key over a crafted checkout.session.completed payload. This payload contains the stolen trade_no as the client_reference_id.
Attacker sends a POST request to /api/stripe/webhook with the forged payload and a crafted Stripe-Signature header.
The server verifies the signature, which passes because the StripeWebhookSecret is empty.
The server calls the Recharge() function, which finds the Epay order by trade_no, marks the order as success, and credits the attacker’s account with the full quota.
The attacker repeats steps 2-6 indefinitely to accumulate unlimited credits, leading to financial fraud.

Impact

This vulnerability allows attackers to obtain unlimited API quota without payment, leading to financial fraud. The operator of the vulnerable system faces financial losses due to fraudulent quota consumption against upstream AI providers such as OpenAI, Anthropic, and Google. The fraudulent top-ups can appear as normal transactions in system logs, making detection challenging. Due to the default insecure configuration, virtually all deployments with any payment method enabled are vulnerable, creating a wide exposure.

Recommendation

Set StripeWebhookSecret to a non-empty value to prevent empty-key HMAC forgery, mitigating the primary attack vector (Flaw 1).
Apply a reverse proxy (Nginx, Caddy, etc.) to deny access to /api/stripe/webhook if Stripe is not configured, as a temporary workaround.
Deploy the Sigma rule Detect Forged Stripe Webhook Request to identify potential exploitation attempts by monitoring requests to the webhook endpoint with empty secrets or invalid signatures.
Upgrade to v0.12.10 immediately, as it addresses all three flaws completely.

OpenClaw Remote Code Execution via Node Scope Gate Bypass (CVE-2026-41352)

hello@craftedsignal.io — Fri, 24 Apr 2026 12:00:00 +0000

OpenClaw before version 2026.3.31 suffers from a remote code execution vulnerability (CVE-2026-41352). This flaw exists because a device-paired node can bypass the node scope gate authentication mechanism. An attacker who has already obtained device pairing credentials can exploit this vulnerability to execute arbitrary node commands on the host system. This occurs because the application doesn’t perform adequate node pairing validation, allowing malicious actors to potentially gain complete control over the affected system if successfully exploited. Defenders should prioritize patching to version 2026.3.31 or later to mitigate this risk.

Attack Chain

The attacker gains initial access to the OpenClaw system. This may involve social engineering or other means of obtaining device pairing credentials.
The attacker leverages the device pairing credentials to authenticate to a device-paired node.
The attacker attempts to execute a node command on the host system.
Due to the missing authorization check (CWE-862), the node scope gate authentication mechanism is bypassed.
The system incorrectly validates the request, failing to properly verify node pairing.
The attacker successfully executes an arbitrary node command on the host system.
The attacker escalates privileges, potentially gaining full control over the system.
The attacker can then perform malicious activities such as data exfiltration, system compromise, or lateral movement within the network.

Impact

Successful exploitation of CVE-2026-41352 allows an attacker with valid device pairing credentials to execute arbitrary commands on the host system. This can lead to a complete compromise of the OpenClaw system and potentially the entire network. The number of potential victims is dependent on the number of deployments of OpenClaw before version 2026.3.31. The impact includes data breaches, system downtime, and reputational damage.

Recommendation

Upgrade OpenClaw to version 2026.3.31 or later to patch CVE-2026-41352.
Monitor OpenClaw systems for unauthorized command execution attempts. While no specific IOCs are available, monitor for unexpected process executions originating from the OpenClaw application.

Marimo Pre-Authentication Remote Code Execution Vulnerability (CVE-2026-39987)

hello@craftedsignal.io — Fri, 24 Apr 2026 12:00:00 +0000

A pre-authentication remote code execution vulnerability, CVE-2026-39987, exists within the Marimo application. This vulnerability allows an unauthenticated attacker to gain shell access and execute arbitrary system commands on the affected system. Given the nature of the vulnerability, all versions of Marimo are potentially affected unless patched or mitigated. Successful exploitation could lead to complete system compromise, data theft, or denial of service. The vulnerability was publicly disclosed in April 2026 and organizations using Marimo should take immediate action to address it.

Attack Chain

The attacker sends a specially crafted request to the Marimo server.
The Marimo application fails to properly validate or sanitize the input within the request.
This input is processed by the server without proper authorization checks.
Due to the lack of input validation, the attacker injects malicious code into the application.
The injected code is executed with the privileges of the Marimo process.
The attacker gains shell access to the underlying operating system.
The attacker executes arbitrary system commands, potentially installing malware or exfiltrating data.
The attacker establishes persistence for continued access to the compromised system.

Impact

Successful exploitation of CVE-2026-39987 allows an unauthenticated attacker to execute arbitrary system commands on a server running Marimo. This could lead to complete compromise of the system, including data theft, malware installation, or denial of service. The number of potential victims is dependent on the number of Marimo deployments, but given the pre-authentication nature of the vulnerability, any unpatched instance is at risk. Sectors particularly at risk are those relying on Marimo for critical services or data management.

Recommendation

Apply mitigations provided by the vendor to address CVE-2026-39987 or discontinue use of the product.
Deploy the Sigma rule “Detect Marimo Exploitation Attempt” to identify potential exploitation attempts targeting CVE-2026-39987 within web server logs.
Monitor network traffic for suspicious outbound connections originating from Marimo servers, which could indicate successful exploitation.
Follow applicable BOD 22-01 guidance for cloud services if Marimo is deployed in a cloud environment.

Apache ActiveMQ Vulnerabilities Allow RCE and XSS

hello@craftedsignal.io — Fri, 24 Apr 2026 09:09:10 +0000

Multiple vulnerabilities in Apache ActiveMQ allow a remote, authenticated attacker to execute arbitrary code or perform cross-site scripting (XSS) attacks. While specific CVEs and attack vectors are not detailed in this advisory, the presence of both RCE and XSS vulnerabilities suggests a high risk to organizations using affected versions of ActiveMQ. Exploitation requires authentication, implying that attackers may need to compromise credentials or exploit other vulnerabilities to gain initial access. This combination of vulnerabilities could lead to complete system compromise, data theft, or service disruption. The lack of specific version information makes it crucial for organizations to identify and patch all potentially vulnerable ActiveMQ instances.

Attack Chain

Initial Access: The attacker gains valid credentials to access the ActiveMQ management console or API, potentially through credential stuffing, phishing, or exploiting other vulnerabilities.
Authentication: The attacker authenticates to the ActiveMQ instance using the compromised credentials.
Vulnerability Exploitation (RCE): The attacker exploits a deserialization or other RCE vulnerability to inject malicious code into the ActiveMQ server. This may involve crafting a specific message or request to trigger the vulnerability.
Code Execution: The injected code executes within the context of the ActiveMQ server process, granting the attacker control over the system.
Privilege Escalation (if necessary): The attacker attempts to escalate privileges to gain root or system-level access, depending on the initial privileges of the ActiveMQ process.
Lateral Movement: The attacker uses the compromised ActiveMQ server as a pivot point to move laterally within the network, targeting other systems and resources.
Vulnerability Exploitation (XSS): Simultaneously or independently, the attacker exploits an XSS vulnerability within the ActiveMQ web console. This may involve injecting malicious JavaScript code into the console.
Impact: The attacker deploys ransomware, exfiltrates sensitive data, or disrupts critical services, depending on their objectives. The XSS vulnerability allows the attacker to steal administrator cookies or inject further malicious content.

Impact

Successful exploitation of these vulnerabilities could lead to complete compromise of the ActiveMQ server, potentially affecting all connected systems and applications. The lack of specifics makes it difficult to determine the exact number of potential victims; however, given the widespread use of ActiveMQ in enterprise environments, the impact could be significant. Consequences include data breaches, service disruption, financial loss, and reputational damage. The combination of RCE and XSS vulnerabilities allows attackers to pursue a wide range of malicious objectives, from data theft to system destruction.

Recommendation

Identify all Apache ActiveMQ instances within your environment and determine their versions.
Consult the Apache ActiveMQ security advisories to identify specific vulnerabilities affecting your versions and apply the necessary patches.
Implement strong authentication and authorization controls to restrict access to the ActiveMQ management console and API.
Deploy the Sigma rule to detect potential exploitation attempts against ActiveMQ instances.
Review and harden the ActiveMQ configuration to minimize the attack surface and reduce the risk of exploitation.
Implement network segmentation to limit the impact of a successful compromise of an ActiveMQ instance.

PhantomRPC: Windows RPC Privilege Escalation Vulnerability

hello@craftedsignal.io — Fri, 24 Apr 2026 08:00:12 +0000

Kaspersky researchers discovered a critical vulnerability in the Windows Remote Procedure Call (RPC) architecture, dubbed PhantomRPC, that enables local privilege escalation. The flaw allows an attacker to create a rogue RPC server and, by exploiting existing processes with impersonation privileges (such as those running as Local Service or Network Service), elevate their own permissions to SYSTEM. The vulnerability resides in the architectural design of RPC itself, making it potentially exploitable across all Windows versions. The researcher has demonstrated five different exploitation paths escalating privileges from various local or network service contexts. This issue has been disclosed to Microsoft, but a patch has not yet been released. Due to the fundamental nature of the vulnerability, the number of potential attack vectors is effectively unlimited.

Attack Chain

The attacker gains initial access to the system with low privileges.
The attacker identifies a service running with SeImpersonatePrivilege, such as Local Service or Network Service.
The attacker crafts a malicious RPC server application designed to exploit the PhantomRPC vulnerability.
The attacker triggers a connection from the target service (e.g., Group Policy Client service) to the attacker’s malicious RPC server via ALPC.
The malicious RPC server uses RpcImpersonateClient API to impersonate the SYSTEM account.
The attacker’s malicious RPC server executes code within the security context of the SYSTEM account.
The attacker leverages the elevated privileges to perform arbitrary actions, such as installing malware, creating new accounts, or accessing sensitive data.

Impact

Successful exploitation of PhantomRPC allows a low-privileged attacker to gain complete control over the affected system by escalating privileges to SYSTEM. This can lead to complete system compromise, including data theft, malware installation, and denial of service. The vulnerability affects all Windows versions and given the number of potential attack vectors, it poses a significant risk to a large number of systems. While the exact number of potential victims remains unknown, the widespread use of RPC in Windows makes this a highly critical issue.

Recommendation

Monitor for the creation of suspicious ALPC ports, especially those targeting services with SeImpersonatePrivilege. Use the Sigma rule Detect Suspicious ALPC Port Creation to identify potential exploitation attempts.
Monitor for processes calling the RpcImpersonateClient API, especially those originating from unusual or untrusted processes. Use the Sigma rule Detect RpcImpersonateClient API Call from Unusual Process to identify potential exploitation attempts.
Restrict access to services with SeImpersonatePrivilege where possible, limiting the potential attack surface.

Flowise Multiple Vulnerabilities

hello@craftedsignal.io — Fri, 24 Apr 2026 06:24:08 +0000

Flowise is susceptible to multiple vulnerabilities that could allow a malicious actor to perform several harmful actions. These vulnerabilities, if successfully exploited, could lead to arbitrary code execution, allowing the attacker to gain control of the system. Furthermore, the attacker could bypass security measures put in place to protect the application and its data. Information disclosure could also occur, potentially exposing sensitive data. Finally, the attacker could manipulate files, leading to data corruption or other malicious activities. The lack of specific vulnerability details makes precise mitigation challenging, but the wide range of potential impacts necessitates immediate attention and proactive defense measures.

Attack Chain

An attacker identifies a vulnerable Flowise instance.
The attacker exploits a vulnerability that allows arbitrary code execution. This could involve sending a specially crafted request to the server.
The attacker executes malicious code on the server, potentially escalating privileges.
The attacker uses the gained access to bypass security measures, such as authentication or authorization controls.
The attacker accesses sensitive information stored within the Flowise application or its database, leading to data leakage.
The attacker modifies or deletes critical files, disrupting the application’s functionality or causing data loss.
The attacker maintains persistence through backdoors or other methods to ensure continued access.

Impact

Successful exploitation of these vulnerabilities could result in a complete compromise of the Flowise application and the underlying system. This could lead to significant data breaches, financial losses, and reputational damage. Affected organizations could face regulatory penalties and legal liabilities. The wide range of potential impacts, including arbitrary code execution, security bypass, information disclosure, and file manipulation, makes this a critical threat requiring immediate attention.

Recommendation

Monitor web server logs for suspicious activity and unusual HTTP requests targeting Flowise to detect potential exploitation attempts. Deploy the Sigma rule Detect Suspicious Flowise HTTP Requests to identify potentially malicious requests.
Implement a Web Application Firewall (WAF) with rules to block common attack patterns and payloads that could exploit the vulnerabilities in Flowise.
Enable verbose logging on the Flowise application to capture detailed information about user activity and system events. This can aid in identifying and investigating suspicious behavior. Deploy the Sigma rule Detect Flowise Log Tampering to detect potential log manipulation.

Multiple Vulnerabilities in Cisco Products Allow for Remote Code Execution

hello@craftedsignal.io — Fri, 24 Apr 2026 05:43:56 +0000

A cluster of vulnerabilities affects Cisco ASA (Adaptive Security Appliance), Cisco Secure Firewall Threat Defense, Cisco IOS, Cisco IOS XE, and Cisco IOS XR. A remote attacker, either authenticated or anonymous, can exploit these vulnerabilities to bypass authentication mechanisms and execute arbitrary code with administrator privileges. The broad scope of affected products, ranging from security appliances to core networking infrastructure, makes this a critical issue for organizations relying on Cisco technology. Successful exploitation could lead to widespread network compromise and data breaches.

Attack Chain

Attacker identifies a vulnerable Cisco device (ASA, Firewall Threat Defense, IOS, IOS XE, or IOS XR).
Attacker exploits a vulnerability allowing authentication bypass.
Upon successful authentication bypass, the attacker gains unauthorized access to the device.
Attacker leverages another vulnerability on the compromised system to inject and execute arbitrary code.
The code executes with administrator privileges, granting the attacker full control over the device.
Attacker uses the compromised device as a pivot point to move laterally within the network.
Attacker compromises additional systems and exfiltrates sensitive data.

Impact

Successful exploitation of these vulnerabilities can lead to complete compromise of affected Cisco devices, allowing attackers to gain full administrative control. This can result in significant data breaches, service disruptions, and the potential for lateral movement within the network to compromise other critical systems. The broad range of affected Cisco products means a wide array of organizations are potentially at risk.

Recommendation

Deploy the Sigma rules to your SIEM and tune for your environment to detect exploitation attempts.
Consult Cisco’s security advisories for specific vulnerability details and apply the appropriate patches or mitigations as soon as they become available.

UAT-4356 FIRESTARTER Backdoor Targeting Cisco Firepower Devices

hello@craftedsignal.io — Thu, 23 Apr 2026 15:11:53 +0000

Cisco Talos reported that UAT-4356 continues to actively target Cisco Firepower devices running the Firepower eXtensible Operating System (FXOS). In early 2024, Cisco Talos attributed the ArcaneDoor campaign to UAT-4356, a state-sponsored actor focused on gaining access to network perimeter devices for espionage. The actor exploits n-day vulnerabilities CVE-2025-20333 and CVE-2025-20362 to gain unauthorized access to vulnerable devices. Upon successful exploitation, UAT-4356 deploys a custom-built backdoor called “FIRESTARTER,” which shares technical capabilities with RayInitiator’s Stage 3 shellcode. FIRESTARTER enables remote access and the execution of arbitrary code within the LINA process, a core component of Cisco’s ASA and FTD appliances. This allows the attackers to maintain persistent access to compromised systems.

Attack Chain

UAT-4356 exploits CVE-2025-20333 and/or CVE-2025-20362 on Cisco Firepower devices running FXOS to gain initial access.
The attacker manipulates the CSP_MOUNT_LIST to establish persistence for the FIRESTARTER backdoor.
The FIRESTARTER backdoor is written to /opt/cisco/platform/logs/var/log/svc_samcore.log and the CSP_MOUNT_LIST is updated to copy itself to /usr/bin/lina_cs.
After a graceful reboot, FIRESTARTER is executed from /usr/bin/lina_cs.
FIRESTARTER restores the original CSP_MOUNT_LIST from /tmp/CSP_MOUNTLIST.tmp and removes the temporary copy and the trojanized /usr/bin/lina_cs file from disk.
FIRESTARTER reads the LINA process’ memory, searching for specific byte sequences to verify memory layout.
FIRESTARTER copies the next stage shellcode to the last 0x200 bytes of the “libstdc++.so” memory region.
The attacker overwrites an internal data structure in the LINA process to replace a pointer to a legitimate WebVPN XML handler function with the address of the malicious shellcode. This allows execution of arbitrary shellcode received via WebVPN requests.

Impact

Compromised Cisco Firepower devices allow UAT-4356 to gain a foothold on network perimeters for espionage. Successful exploitation and deployment of the FIRESTARTER backdoor enable attackers to execute arbitrary shellcode, potentially leading to data exfiltration, further network compromise, or disruption of services. The number of victims is currently unknown, but this campaign targets network perimeter devices, which could impact organizations across various sectors.

Recommendation

Deploy the file integrity monitoring rule to detect the creation or modification of /usr/bin/lina_cs and /opt/cisco/platform/logs/var/log/svc_samcore.log (see “File Creation in Suspicious Directory”).
Apply software upgrade recommendations outlined in Cisco’s Security Advisory to mitigate CVE-2025-20333 and CVE-2025-20362.
Monitor network traffic for WebVPN requests containing unexpected XML payloads that might be used to trigger the FIRESTARTER backdoor.

OpenC3 COSMOS SQL Injection Vulnerability in QuestDB Time-Series Database

hello@craftedsignal.io — Thu, 23 Apr 2026 14:12:02 +0000

A SQL injection vulnerability has been identified in the OpenC3 COSMOS Time-Series Database (TSDB) component, which utilizes QuestDB. The vulnerability resides within the tsdb_lookup function in the cvt_model.rb file, where user-supplied input is directly incorporated into SQL queries without proper sanitization. An authenticated attacker with “tlm” permissions, which includes Admin, Operator, Viewer, or Runner roles, can exploit this flaw to inject arbitrary SQL commands. This can lead to unauthorized data access, modification, or deletion within the TSDB. The affected versions are OpenC3 rubygems package versions >= 6.7.0 and < 7.0.0-rc3. Successful exploitation allows attackers to compromise the confidentiality, integrity, and availability of telemetry data stored within the COSMOS system.

Attack Chain

An attacker authenticates to the COSMOS system with a role that possesses “tlm” permissions (Admin, Operator, Viewer, or Runner).
The attacker crafts a malicious JSON-RPC request targeting the get_tlm_values endpoint.
Within the request body, the attacker injects a SQL payload into the start_time parameter, such as ' OR 1=1 --.
The tsdb_lookup function incorporates the unsanitized input into a SQL query.
The injected SQL payload manipulates the query logic, allowing the attacker to bypass intended restrictions.
The attacker can then exfiltrate all telemetry data within the database by manipulating the SQL query.
The attacker modifies the SQL payload to execute arbitrary commands, such as DROP TABLE statements.
The attacker successfully deletes historical data from the database, impacting data availability and system integrity.

Impact

Successful exploitation of this SQL injection vulnerability allows an attacker to perform unauthorized actions on the OpenC3 COSMOS Time-Series Database (TSDB). An attacker with “tlm” permissions can disclose sensitive telemetry data, modify existing data, or delete data altogether. The vulnerability impacts systems running OpenC3 rubygems package versions >= 6.7.0 and < 7.0.0-rc3. Depending on the role of the compromised account and the specific SQL commands executed, an attacker could potentially cause significant disruption to operations relying on the integrity and availability of telemetry data.

Recommendation

Upgrade the rubygems/openc3 package to version 7.0.0-rc3 or later to remediate the SQL injection vulnerability.
Implement input sanitization on user-supplied data within the tsdb_lookup function in cvt_model.rb to prevent SQL injection attacks.
Deploy the Sigma rule “Detect Suspicious OpenC3 Telemetry Requests” to identify potential exploitation attempts targeting the get_tlm_values endpoint.
Review and restrict “tlm” permissions to the get_tlm_values RPC endpoint according to the principle of least privilege, limiting access to only those users who require it.