{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/access-control/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7468"}],"_cs_exploited":false,"_cs_products":["smart-admin"],"_cs_severities":["medium"],"_cs_tags":["access-control","vulnerability","web-application"],"_cs_type":"advisory","_cs_vendors":["1024-lab"],"content_html":"\u003cp\u003eA security vulnerability, CVE-2026-7468, has been identified in 1024-lab smart-admin, specifically in versions up to 3.30.0. This flaw resides within an unspecified function of the \u003ccode\u003e/smart-admin-api/druid/index.html\u003c/code\u003e file, a component of the Demo Site. The vulnerability stems from improper access controls, which could allow unauthorized remote access. The public disclosure of an exploit increases the risk of exploitation. While the 1024-lab project was notified through an issue report, a response or patch has not yet been released, making systems running vulnerable versions susceptible to attack. 
This vulnerability allows for potential compromise of the application and sensitive data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable instance of 1024-lab smart-admin running a version up to 3.30.0.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request targeting the \u003ccode\u003e/smart-admin-api/druid/index.html\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request exploits the improper access control vulnerability to bypass authentication or authorization checks.\u003c/li\u003e\n\u003cli\u003eThe system incorrectly processes the request, granting the attacker unintended access to restricted resources or functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages this unauthorized access to read sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker further exploits the vulnerability to modify data or application configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised application to pivot to other systems or data within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7468 allows attackers to gain unauthorized access to sensitive data and functionality within the 1024-lab smart-admin application. The impact could range from information disclosure to complete system compromise, depending on the specific function affected and the attacker\u0026rsquo;s objectives. 
As the vulnerability resides in a \u0026lsquo;Demo Site\u0026rsquo; component, the impact is likely limited to proof-of-concept or low severity, but could be more significant if the application is deployed in production.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests targeting the \u003ccode\u003e/smart-admin-api/druid/index.html\u003c/code\u003e endpoint to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect unauthorized access attempts.\u003c/li\u003e\n\u003cli\u003eApply any available patches or updates released by 1024-lab to address CVE-2026-7468.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T01:16:03Z","date_published":"2026-04-30T01:16:03Z","id":"/briefs/2026-04-smart-admin-access-control/","summary":"CVE-2026-7468 is an improper access control vulnerability in 1024-lab smart-admin up to version 3.30.0, affecting the /smart-admin-api/druid/index.html file, which can be exploited remotely.","title":"1024-lab smart-admin Improper Access Control Vulnerability (CVE-2026-7468)","url":"https://feed.craftedsignal.io/briefs/2026-04-smart-admin-access-control/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2026-6823"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["vulnerability","insecure-configuration","access-control"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eHKUDS OpenHarness, a tool whose function is not explicitly defined in the source material, prior to the remediation implemented in pull request #147, exhibits an insecure default configuration. This vulnerability arises because remote channels inherit the setting \u003ccode\u003eallow_from = [\u0026quot;*\u0026quot;]\u003c/code\u003e. This overly permissive configuration allows any remote sender to bypass admission checks, effectively negating intended access controls. 
The vulnerability was reported on April 21, 2026. Exploitation requires an attacker to reach the configured channel, opening a pathway to host-backed agent runtimes. Successful exploitation can lead to unauthorized file disclosure and read access via default-enabled read-only tools within the OpenHarness environment. Defenders should ensure they are running a version of OpenHarness patched with PR #147 or later.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains network access to the OpenHarness instance.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a configured remote channel.\u003c/li\u003e\n\u003cli\u003eAttacker leverages the inherited \u003ccode\u003eallow_from = [\u0026quot;*\u0026quot;]\u003c/code\u003e configuration to bypass admission controls.\u003c/li\u003e\n\u003cli\u003eAttacker interacts with a host-backed agent runtime.\u003c/li\u003e\n\u003cli\u003eAttacker exploits default-enabled read-only tools available within the runtime.\u003c/li\u003e\n\u003cli\u003eAttacker gains unauthorized read access to sensitive files on the system.\u003c/li\u003e\n\u003cli\u003eAttacker exfiltrates the disclosed files.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to bypass intended access controls and gain unauthorized read access to files accessible to the OpenHarness agent. This could lead to the disclosure of sensitive information, potentially impacting confidentiality. The scope of the impact depends on the data accessible to the agent runtime and the sensitivity of those files. 
Given the default-enabled nature of the vulnerability, any OpenHarness deployment prior to PR #147 is potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade HKUDS OpenHarness to a version including or following the remediation provided in \u003ca href=\"https://github.com/HKUDS/OpenHarness/pull/147\"\u003ePR #147\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to the OpenHarness instance for unexpected remote channel access, using a network monitoring solution.\u003c/li\u003e\n\u003cli\u003eAudit the configuration of OpenHarness channels to ensure that \u003ccode\u003eallow_from\u003c/code\u003e is not set to \u003ccode\u003e[\u0026quot;*\u0026quot;]\u003c/code\u003e, but rather to a restrictive set of trusted senders.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T12:00:00Z","date_published":"2026-04-22T12:00:00Z","id":"/briefs/2026-04-openharness-default-config/","summary":"HKUDS OpenHarness prior to PR #147 remediation contains an insecure default configuration vulnerability where remote channels inherit permissive access, potentially leading to unauthorized file disclosure and read access.","title":"HKUDS OpenHarness Insecure Default Configuration Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-openharness-default-config/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-40960"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-40960","luanti","access-control"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eLuanti 5, a software package (details not provided in source), prior to version 5.15.2, suffers from an improper access control vulnerability (CVE-2026-40960). This flaw can be exploited when at least one mod is configured as either \u003ccode\u003esecure.trusted_mods\u003c/code\u003e or \u003ccode\u003esecure.http_mods\u003c/code\u003e. 
Under these conditions, a specially crafted malicious mod can intercept requests intended for the insecure environment or HTTP API, effectively bypassing intended security controls. The vulnerability allows the malicious mod to gain unauthorized access to sensitive resources, potentially leading to data breaches or system compromise. Organizations using affected versions of Luanti 5 are urged to upgrade to version 5.15.2 or implement mitigating controls to prevent exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Luanti 5 instance running a version prior to 5.15.2 with at least one mod configured as \u003ccode\u003esecure.trusted_mods\u003c/code\u003e or \u003ccode\u003esecure.http_mods\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious mod designed to intercept HTTP requests.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys the crafted mod to the Luanti 5 environment.\u003c/li\u003e\n\u003cli\u003eThe malicious mod intercepts requests directed towards the insecure environment or HTTP API.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the malicious mod gains unauthorized access to the targeted environment or API.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the gained access to perform unauthorized actions, such as reading sensitive data or manipulating system configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or establishes persistent access for future malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40960 can lead to complete compromise of the insecure environment or HTTP API within Luanti 5. This could result in unauthorized access to sensitive data, modification of system configurations, or complete system takeover. 
The severity of the impact depends on the specific functionality and data exposed by the insecure environment, but could include data breaches, financial loss, or reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Luanti 5 to version 5.15.2 or later to patch CVE-2026-40960.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, review the configuration of \u003ccode\u003esecure.trusted_mods\u003c/code\u003e and \u003ccode\u003esecure.http_mods\u003c/code\u003e and remove any untrusted or unnecessary mods.\u003c/li\u003e\n\u003cli\u003eMonitor Luanti 5 webserver logs for suspicious HTTP requests originating from unusual or newly deployed mods using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies for deploying and managing Luanti 5 mods to prevent unauthorized installation of malicious modules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T01:16:11Z","date_published":"2026-04-16T01:16:11Z","id":"/briefs/2026-04-luanti-access/","summary":"Luanti 5 before 5.15.2 allows unintended access to an insecure environment if a crafted mod intercepts requests when secure mods are enabled, potentially leading to unauthorized access and control.","title":"Luanti 5 Improper Access Control Vulnerability (CVE-2026-40960)","url":"https://feed.craftedsignal.io/briefs/2026-04-luanti-access/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-22566"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["vulnerability","access-control","unifi"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-22566 describes an improper access control vulnerability affecting UniFi Play devices. Specifically, UniFi Play PowerAmp (version 1.0.35 and earlier) and UniFi Play Audio Port (version 1.0.24 and earlier) are vulnerable. 
A malicious actor who has already gained access to the UniFi Play network can exploit this vulnerability to obtain UniFi Play WiFi credentials. This vulnerability was reported by HackerOne and assigned a CVSS v3.1 base score of 7.5. The vulnerability was published on April 13, 2026. Updating the affected devices to the specified fixed versions is recommended to mitigate the risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the UniFi Play network. (This step is a prerequisite and not detailed in the advisory)\u003c/li\u003e\n\u003cli\u003eThe attacker leverages an access control flaw in the UniFi Play PowerAmp or Audio Port software.\u003c/li\u003e\n\u003cli\u003eA specially crafted request is sent to the vulnerable device via the local network.\u003c/li\u003e\n\u003cli\u003eThe vulnerable device improperly handles the access control check.\u003c/li\u003e\n\u003cli\u003eThe device divulges the stored WiFi credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker captures the exposed WiFi credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the WiFi credentials to gain broader access to the wireless network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-22566 allows an attacker with existing access to a UniFi Play network to obtain WiFi credentials. This could lead to unauthorized access to the wireless network, potentially compromising other devices and sensitive information on the network. While the specific number of affected users is unknown, any network utilizing vulnerable versions of UniFi Play PowerAmp or Audio Port is at risk. 
The impact is elevated if the compromised WiFi network provides access to critical infrastructure or sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update UniFi Play PowerAmp to version 1.0.38 or later and UniFi Play Audio Port to version 1.1.9 or later to remediate CVE-2026-22566.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious activity originating from UniFi Play devices after the vulnerability was disclosed (2026-04-13).\u003c/li\u003e\n\u003cli\u003eSegment the UniFi Play network from other critical networks to limit the impact of a potential breach.\u003c/li\u003e\n\u003cli\u003eImplement network access control policies to restrict access to sensitive resources from the UniFi Play network, even after applying the patch.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-13T22:16:28Z","date_published":"2026-04-13T22:16:28Z","id":"/briefs/2026-04-unifi-play-access-control/","summary":"An improper access control vulnerability in UniFi Play PowerAmp and Audio Port allows a malicious actor with access to the UniFi Play network to obtain WiFi credentials.","title":"UniFi Play Improper Access Control Vulnerability (CVE-2026-22566)","url":"https://feed.craftedsignal.io/briefs/2026-04-unifi-play-access-control/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-22564"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-22564","unifi-play","access-control","ssh"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-22564 is a critical vulnerability affecting UniFi Play PowerAmp (version 1.0.35 and earlier) and UniFi Play Audio Port (version 1.0.24 and earlier) devices. This improper access control flaw allows a malicious actor, who has already gained access to the UniFi Play network, to enable SSH access on the affected devices. 
This unauthorized SSH access can then be leveraged to make arbitrary changes to the system configuration, potentially leading to full device compromise and further network exploitation. Successful exploitation requires network access to the UniFi Play devices. The vulnerability was reported by HackerOne and affects devices that have not been updated to the patched versions (PowerAmp 1.0.38 or Audio Port 1.1.9).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the UniFi Play network through unspecified means (e.g., compromised credentials, network misconfiguration, or physical access).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies vulnerable UniFi Play PowerAmp or Audio Port devices on the network running versions 1.0.35 or earlier (PowerAmp) and 1.0.24 or earlier (Audio Port).\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the improper access control vulnerability (CVE-2026-22564) by sending a crafted request to the vulnerable device.\u003c/li\u003e\n\u003cli\u003eThis request bypasses access controls, enabling SSH access on the device.\u003c/li\u003e\n\u003cli\u003eThe attacker uses an SSH client (e.g., OpenSSH) to connect to the device using the enabled SSH service, likely with default or easily guessable credentials (not specified in source, but common).\u003c/li\u003e\n\u003cli\u003eOnce authenticated, the attacker executes privileged commands via the SSH shell.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies system configurations, installs malicious software, or exfiltrates sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access to the compromised device and potentially uses it as a pivot point for further attacks within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-22564 allows an attacker to gain unauthorized SSH 
access and make arbitrary changes to vulnerable UniFi Play devices. This can result in complete device compromise, allowing for data theft, installation of malware, and disruption of services. The vulnerability has a CVSS v3.1 score of 9.8 (Critical), indicating a high potential for severe impact. The scope of impact depends on the network configuration and the data handled by the compromised UniFi Play devices.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update UniFi Play PowerAmp devices to version 1.0.38 or later and UniFi Play Audio Port devices to version 1.1.9 or later to patch CVE-2026-22564.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious SSH connections to UniFi Play devices, especially from unexpected sources. Implement the provided Sigma rule targeting SSH login events.\u003c/li\u003e\n\u003cli\u003eConduct a thorough review of the UniFi Play network to identify and remediate any potential initial access vectors that could be exploited to reach the vulnerable devices.\u003c/li\u003e\n\u003cli\u003eReview and harden default credentials on all network devices, including UniFi Play devices, to prevent attackers from easily gaining access after enabling SSH.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-13T22:16:28Z","date_published":"2026-04-13T22:16:28Z","id":"/briefs/2026-04-unifi-play-ssh-enable/","summary":"CVE-2026-22564 is an improper access control vulnerability in UniFi Play PowerAmp and Audio Port devices that allows an attacker with network access to enable SSH and make unauthorized system changes.","title":"UniFi Play Improper Access Control Allows SSH 
Enablement","url":"https://feed.craftedsignal.io/briefs/2026-04-unifi-play-ssh-enable/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-35660"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-35660","openclaw","access-control","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw, an application not further described in the source material, suffers from an insufficient access control vulnerability (CVE-2026-35660) affecting versions prior to 2026.3.23. The vulnerability exists within the Gateway agent\u0026rsquo;s \u003ccode\u003e/reset\u003c/code\u003e endpoint. An attacker possessing \u003ccode\u003eoperator.write\u003c/code\u003e permissions can exploit this flaw to reset administrative sessions, circumventing the intended \u003ccode\u003eoperator.admin\u003c/code\u003e requirement. Specifically, the vulnerability allows attackers to send \u003ccode\u003e/reset\u003c/code\u003e or \u003ccode\u003e/new\u003c/code\u003e messages that include an explicit \u003ccode\u003esessionKey\u003c/code\u003e in order to manipulate arbitrary sessions. This could lead to unauthorized access and modification of sensitive system configurations, depending on the scope of the OpenClaw application. 
The vulnerability was disclosed on April 10, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized \u003ccode\u003eoperator.write\u003c/code\u003e privileges within the OpenClaw application, potentially through account compromise or privilege escalation from another vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the Gateway agent\u0026rsquo;s \u003ccode\u003e/reset\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a specific \u003ccode\u003esessionKey\u003c/code\u003e belonging to an administrative user.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker could send a \u003ccode\u003e/new\u003c/code\u003e message containing the admin\u0026rsquo;s \u003ccode\u003esessionKey\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the insufficient access control, the Gateway agent processes the request, incorrectly resetting the targeted admin session.\u003c/li\u003e\n\u003cli\u003eThe administrative user is forcibly logged out of their session, disrupting their work.\u003c/li\u003e\n\u003cli\u003eThe attacker could potentially hijack the reset session depending on implementation details.\u003c/li\u003e\n\u003cli\u003eThe attacker could then use their elevated access to perform unauthorized actions, such as modifying critical system configurations or accessing sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35660 allows attackers with \u003ccode\u003eoperator.write\u003c/code\u003e privileges to reset arbitrary admin sessions in OpenClaw. 
This can lead to denial of service for legitimate administrators, and potentially allow the attacker to hijack the reset session or perform unauthorized actions, leading to data breaches or system compromise, depending on the application\u0026rsquo;s functionalities and the scope of admin privileges. The severity is rated as high with a CVSS score of 8.1.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.23 or later to patch CVE-2026-35660.\u003c/li\u003e\n\u003cli\u003eReview and enforce strict access control policies for the OpenClaw application, ensuring that \u003ccode\u003eoperator.write\u003c/code\u003e privileges are only granted to trusted users.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to the \u003ccode\u003e/reset\u003c/code\u003e endpoint, especially those containing explicit \u003ccode\u003esessionKey\u003c/code\u003e parameters and correlate with user roles.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect OpenClaw Session Reset Attempt\u0026rdquo; to detect exploitation attempts (see below).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T17:50:21Z","date_published":"2026-04-10T17:50:21Z","id":"/briefs/2026-04-openclaw-reset-vuln/","summary":"OpenClaw before 2026.3.23 contains an insufficient access control vulnerability in the Gateway agent /reset endpoint that allows callers with operator.write permission to reset admin sessions by invoking /reset or /new messages with an explicit sessionKey, bypassing operator.admin requirements.","title":"OpenClaw Insufficient Access Control in Gateway Agent Session Reset 
(CVE-2026-35660)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-reset-vuln/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-34512"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["access-control","vulnerability","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw versions prior to 2026.3.25 are susceptible to an improper access control vulnerability, tracked as CVE-2026-34512. This flaw resides in the \u003ccode\u003e/sessions/:sessionKey/kill\u003c/code\u003e HTTP route and allows any bearer-authenticated user, regardless of their assigned privileges, to execute admin-level session termination functions. The vulnerability stems from a lack of proper scope validation, enabling attackers to bypass intended ownership and operator scope restrictions. By sending crafted, authenticated requests, an attacker can leverage the \u003ccode\u003ekillSubagentRunAdmin\u003c/code\u003e function to terminate arbitrary subagent sessions. This unauthorized session termination could disrupt legitimate operations and lead to a denial-of-service condition for affected subagents.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the OpenClaw application using any valid user account, obtaining a bearer token.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target subagent session to terminate. 
This could involve enumerating active sessions or targeting a specific subagent.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP POST request to the \u003ccode\u003e/sessions/:sessionKey/kill\u003c/code\u003e route, replacing \u003ccode\u003e:sessionKey\u003c/code\u003e with the session key of the target subagent.\u003c/li\u003e\n\u003cli\u003eThe attacker includes the bearer token in the \u003ccode\u003eAuthorization\u003c/code\u003e header of the HTTP request.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw server receives the request and, due to the missing scope validation, executes the \u003ccode\u003ekillSubagentRunAdmin\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ekillSubagentRunAdmin\u003c/code\u003e function terminates the targeted subagent session, regardless of the attacker\u0026rsquo;s permissions.\u003c/li\u003e\n\u003cli\u003eThe targeted subagent is disconnected and its operations are interrupted.\u003c/li\u003e\n\u003cli\u003eThe attacker can repeat this process to terminate other subagent sessions, potentially causing widespread disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34512 allows any authenticated user to terminate arbitrary subagent sessions within the OpenClaw environment. This can lead to denial-of-service conditions for targeted subagents, potentially disrupting critical workflows and impacting overall system availability. While the specific number of potential victims is unknown, any OpenClaw deployment utilizing versions prior to 2026.3.25 is vulnerable. 
The impact is significant, as it allows low-privileged users to perform actions intended only for administrators.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.25 or later to patch CVE-2026-34512.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect OpenClaw Unauthorized Session Termination\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual activity targeting the \u003ccode\u003e/sessions/:sessionKey/kill\u003c/code\u003e route.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies and regularly review user permissions within OpenClaw to minimize the potential impact of compromised accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T22:16:29Z","date_published":"2026-04-09T22:16:29Z","id":"/briefs/2026-04-openclaw-access-control-bypass/","summary":"OpenClaw before 2026.3.25 contains an improper access control vulnerability (CVE-2026-34512) in the HTTP /sessions/:sessionKey/kill route, allowing any authenticated user to terminate arbitrary subagent sessions.","title":"OpenClaw Improper Access Control Vulnerability (CVE-2026-34512)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-access-control-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-5569"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-5569","access-control","technostrobe"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-5569, affects Technostrobe HI-LED-WR120-G2 devices running firmware version 5.5.0.1R6.03.30. The vulnerability resides within the \u003ccode\u003e/Technostrobe/\u003c/code\u003e endpoint and stems from improper access control mechanisms. 
This flaw allows remote attackers to potentially bypass security restrictions and gain unauthorized access. The existence of a public exploit exacerbates the risk, making exploitation easier.  The vendor has been notified but has not provided a patch or workaround. Multiple devices are potentially affected, increasing the scope of potential impact. Given the nature of the affected device, successful exploitation could lead to disruption of critical lighting systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e The attacker identifies Technostrobe HI-LED-WR120-G2 devices exposed on the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Identification:\u003c/strong\u003e The attacker determines the firmware version (5.5.0.1R6.03.30) to confirm vulnerability to CVE-2026-5569.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploit Delivery:\u003c/strong\u003e The attacker leverages the publicly available exploit to craft malicious requests targeting the \u003ccode\u003e/Technostrobe/\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication Bypass:\u003c/strong\u003e The crafted requests bypass the existing access controls due to the improper privilege assignment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthorized Access:\u003c/strong\u003e The attacker gains unauthorized access to sensitive functionalities and data within the device.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eConfiguration Modification:\u003c/strong\u003e The attacker modifies the device configuration, potentially disrupting normal operations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker escalates privileges, gaining full control over the device.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Impact:\u003c/strong\u003e The attacker uses the 
compromised device as a pivot point for lateral movement within the network or causes a denial of service condition by manipulating lighting configurations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5569 could allow attackers to gain unauthorized control over Technostrobe HI-LED-WR120-G2 lighting systems. The impact can range from disruptive (e.g., remotely disabling or misconfiguring lighting) to more severe, such as using compromised devices as entry points to internal networks. Affected sectors include any that rely on these lighting systems, such as industrial facilities, airports, and entertainment venues. The number of affected devices is currently unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Technostrobe HI-LED-WR120-G2 Exploitation Attempt\u0026rdquo; to identify attempts to exploit CVE-2026-5569 by monitoring web server logs for requests to the \u003ccode\u003e/Technostrobe/\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eIsolate Technostrobe HI-LED-WR120-G2 devices from the public internet where possible to limit the attack surface.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual activity originating from or destined to Technostrobe HI-LED-WR120-G2 devices, focusing on connections to unusual or external IP addresses.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-05T14:16:17Z","date_published":"2026-04-05T14:16:17Z","id":"/briefs/2026-04-technostrobe-access-control/","summary":"CVE-2026-5569 describes a remote improper access control vulnerability in the /Technostrobe/ endpoint of Technostrobe HI-LED-WR120-G2 5.5.0.1R6.03.30, potentially leading to unauthorized access and control of affected devices.","title":"Technostrobe HI-LED-WR120-G2 Improper Access Control Vulnerability 
(CVE-2026-5569)","url":"https://feed.craftedsignal.io/briefs/2026-04-technostrobe-access-control/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-5526"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-5526","tenda","router","access-control"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA security vulnerability, identified as CVE-2026-5526, affects the Tenda 4G03 Pro router, specifically versions up to 1.0/1.1/04.03.01.53/192.168.0.1. The flaw resides within an unspecified function of the \u003ccode\u003e/bin/httpd\u003c/code\u003e binary (the router\u0026rsquo;s embedded web server), leading to improper access controls. A remote attacker could exploit this vulnerability, potentially gaining unauthorized access to the device. Publicly available exploits exist, increasing the risk of exploitation. This issue was reported on April 4, 2026, and poses a significant threat due to the ease of remote exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Tenda 4G03 Pro router whose web interface is reachable from an untrusted network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request to the router\u0026rsquo;s web interface, which is served by the \u003ccode\u003e/bin/httpd\u003c/code\u003e binary.\u003c/li\u003e\n\u003cli\u003eThe request exploits the improper access control vulnerability (CVE-2026-5526).\u003c/li\u003e\n\u003cli\u003eThe router\u0026rsquo;s \u003ccode\u003e/bin/httpd\u003c/code\u003e process handles the request without the intended authorization check, so the access controls are bypassed.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive functionalities of the router.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies router configurations, such as DNS settings or firewall rules.\u003c/li\u003e\n\u003cli\u003eThe attacker could potentially use the compromised router as a pivot point for further network attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5526 could allow attackers to remotely compromise Tenda 4G03 Pro routers. This can lead to unauthorized access to the device\u0026rsquo;s configuration, modification of settings, or use of the router as a stepping stone for further attacks within the network. Given the availability of public exploits, unpatched devices are at significant risk. While the exact number of affected devices is unknown, the widespread use of Tenda routers makes this a potentially significant issue.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor HTTP requests to the router\u0026rsquo;s web interface (served by the \u003ccode\u003e/bin/httpd\u003c/code\u003e process) for suspicious patterns using the provided Sigma rule; since a consumer router is unlikely to forward its own web server logs, capture the traffic at a network sensor or proxy in front of it.\u003c/li\u003e\n\u003cli\u003eApply available firmware updates or patches from Tenda to address CVE-2026-5526 as soon as they are released.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a compromised router.\u003c/li\u003e\n\u003cli\u003eEnforce strong password policies for router administration; this does not close the access control bypass itself, but it limits credential-based follow-on access.\u003c/li\u003e\n\u003cli\u003eReview and update firewall rules to restrict access to the router\u0026rsquo;s web interface from untrusted networks.\u003c/li\u003e\n\u003cli\u003eWhere the device can export process execution telemetry, deploy the provided Sigma rule to detect suspicious child processes spawned by the web server process.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T23:16:44Z","date_published":"2026-04-04T23:16:44Z","id":"/briefs/2026-04-tenda-4g03-pro-access-control/","summary":"CVE-2026-5526 describes an improper access control vulnerability in the Tenda 4G03 Pro router's /bin/httpd file, allowing remote attackers to potentially gain unauthorized access.","title":"Tenda 4G03 Pro Improper Access Control Vulnerability 
(CVE-2026-5526)","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-4g03-pro-access-control/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","access-control","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2025-55261 describes a critical vulnerability affecting HCL Aftermarket DPC. The vulnerability stems from a missing functional level access control, enabling an attacker to escalate their privileges within the application. This escalation could lead to a full compromise of the HCL Aftermarket DPC system. This vulnerability was published on March 26, 2026, and poses a significant risk to organizations utilizing the affected software. Successful exploitation could result in unauthorized…\u003c/p\u003e\n","date_modified":"2026-03-26T14:16:07Z","date_published":"2026-03-26T14:16:07Z","id":"/briefs/2024-01-hcl-dpc-privesc/","summary":"A missing functional level access control vulnerability in HCL Aftermarket DPC (CVE-2025-55261) allows an attacker to escalate privileges, potentially compromising the application and leading to data theft or manipulation.","title":"HCL Aftermarket DPC Missing Access Control Vulnerability (CVE-2025-55261)","url":"https://feed.craftedsignal.io/briefs/2024-01-hcl-dpc-privesc/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["access-control","vulnerability","kiteworks"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eKiteworks Core, a private data network (PDN) solution, is vulnerable to an access control issue in versions 9.2.0 and 9.2.1. This vulnerability, identified as CVE-2026-23514, stems from improper ownership management (CWE-282) within the application. An authenticated user can exploit this flaw to gain access to content they are not authorized to view or modify. The vulnerability was disclosed on March 25, 2026. 
Organizations using affected versions of Kiteworks Core are advised to upgrade to…\u003c/p\u003e\n","date_modified":"2026-03-25T15:16:37Z","date_published":"2026-03-25T15:16:37Z","id":"/briefs/2026-03-kiteworks-access-control/","summary":"Kiteworks Core versions 9.2.0 and 9.2.1 contain an access control vulnerability (CVE-2026-23514) due to improper ownership management, allowing authenticated users to access unauthorized content, which can be mitigated by upgrading to version 9.2.2 or later.","title":"Kiteworks Core Access Control Vulnerability (CVE-2026-23514)","url":"https://feed.craftedsignal.io/briefs/2026-03-kiteworks-access-control/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["access-control","physical-security","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA Reddit post highlights potential vulnerabilities within Paxton Net2 Access Control Units (ACUs). While the specifics of the vulnerabilities are not detailed in the Reddit post itself, the linked article allegedly describes how these flaws can be exploited to remotely unlock doors controlled by the Net2 system, potentially impacting prisons or other facilities using this access control technology. The potential for remote exploitation raises significant concerns about physical security bypass. 
Defenders should investigate their exposure to this product and monitor for anomalous network activity to or from these devices.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Paxton Net2 ACU connected to the network.\u003c/li\u003e\n\u003cli\u003eAttacker leverages an unspecified vulnerability to gain unauthorized access to the ACU.\u003c/li\u003e\n\u003cli\u003eAttacker authenticates or bypasses authentication on the ACU to gain control.\u003c/li\u003e\n\u003cli\u003eAttacker sends a command to the ACU to unlock a specific door.\u003c/li\u003e\n\u003cli\u003eThe ACU executes the command, releasing the electronic lock on the door.\u003c/li\u003e\n\u003cli\u003eAttacker gains physical access through the unlocked door.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could lead to unauthorized physical access to secured areas. In a prison setting, this could enable escapes and security breaches. Other facilities, such as data centers or government buildings, could also be at risk. 
The number of affected facilities is unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInventory Paxton Net2 ACUs in use, record their firmware versions, and confirm whether they are reachable from outside the access-control network segment.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic to and from Net2 ACUs for unexpected communications, as highlighted in the overview.\u003c/li\u003e\n\u003cli\u003eReview logs from Net2 ACUs for suspicious activity, if available, focusing on unlock events that do not correspond to a badge read or an operator action.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule for unexpected user agents to detect reconnaissance activity targeting these devices.\u003c/li\u003e\n\u003cli\u003eReview the linked write-up at \u003ccode\u003ehttps://it4sec.substack.com/p/hacking-prison-doors-remotely-like\u003c/code\u003e for the technical details it reportedly contains; blocking it at the web proxy keeps that information from defenders without reducing the exposure of the ACUs themselves.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-19T22:15:35Z","date_published":"2026-03-19T22:15:35Z","id":"/briefs/2026-03-paxton-net2-vulns/","summary":"Vulnerabilities in Paxton Net2 Access Control Units (ACUs) could allow unauthorized remote access and control of secured doors, potentially affecting prisons and other high-security facilities.","title":"Vulnerabilities in Paxton Net2 Access Control Units","url":"https://feed.craftedsignal.io/briefs/2026-03-paxton-net2-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","persistence","windows","access-control"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis analytic detects the modification of file and directory security permissions through command-line tools like icacls.exe, cacls.exe, and xcacls.exe. 
These tools are legitimate Windows utilities but are often abused by threat actors, including APT groups and coinminer scripts, to evade detection, maintain persistence, and hinder incident response. The detection focuses on command-line arguments indicating modifications to access rights (e.g., granting full control or modifying permissions). Detecting this activity is crucial as it can lead to unauthorized access, data exfiltration, and system compromise, ultimately impeding remediation efforts and prolonging the attacker\u0026rsquo;s presence on the compromised system. The detection leverages endpoint detection and response (EDR) data focusing on process execution and command-line analysis.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to the system through methods such as phishing, exploiting vulnerabilities, or compromised credentials.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker escalates privileges to obtain necessary permissions for modifying file and directory access rights. This can be achieved through exploiting system vulnerabilities or using stolen credentials with elevated privileges.\u003c/li\u003e\n\u003cli\u003eTool Deployment: The attacker deploys or utilizes existing system tools like \u003ccode\u003eicacls.exe\u003c/code\u003e, \u003ccode\u003ecacls.exe\u003c/code\u003e, or \u003ccode\u003excacls.exe\u003c/code\u003e to modify access control lists (ACLs) on files and directories.\u003c/li\u003e\n\u003cli\u003eAccess Rights Modification: The attacker uses the deployed tools to modify the ACLs of critical system files or directories, potentially granting themselves full control or restricting access for legitimate users and security software. 
Specific command-line arguments like \u003ccode\u003e*:R*\u003c/code\u003e, \u003ccode\u003e*:W*\u003c/code\u003e, \u003ccode\u003e*:F*\u003c/code\u003e, \u003ccode\u003e*:C*\u003c/code\u003e, \u003ccode\u003e*:N*\u003c/code\u003e, \u003ccode\u003e*/P*\u003c/code\u003e, and \u003ccode\u003e*/E*\u003c/code\u003e are used to manipulate access rights.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: By modifying access rights, the attacker attempts to evade detection by security software and hinders incident response efforts by restricting access to forensic data or security tools.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker establishes persistence by modifying the access rights of startup scripts or registry keys, ensuring that their malicious code executes even after system reboots.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses the modified access rights to access files and directories on other systems within the network, facilitating lateral movement and further compromise.\u003c/li\u003e\n\u003cli\u003eImpact: The attacker achieves their final objective, such as data exfiltration, system disruption, or deploying ransomware, by leveraging the modified access rights to access and manipulate sensitive data or critical system resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to persist on the system, evade detection, and potentially move laterally within the network. Modification of file and directory permissions can hinder investigation, impede remediation efforts, and maintain persistent access to the compromised environment. The impact ranges from data theft to complete system compromise and denial of service. 
This activity is often associated with APT groups and coinminer operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture the execution of \u003ccode\u003eicacls.exe\u003c/code\u003e, \u003ccode\u003ecacls.exe\u003c/code\u003e, and \u003ccode\u003excacls.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious Icacls Usage\u0026rdquo; to your SIEM to identify instances of access right modifications via icacls.exe, cacls.exe, and xcacls.exe.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances where these tools are used to modify access rights, especially when command-line arguments include \u003ccode\u003e*:R*\u003c/code\u003e, \u003ccode\u003e*:W*\u003c/code\u003e, \u003ccode\u003e*:F*\u003c/code\u003e, \u003ccode\u003e*:C*\u003c/code\u003e, \u003ccode\u003e*:N*\u003c/code\u003e, \u003ccode\u003e*/P*\u003c/code\u003e, and \u003ccode\u003e*/E*\u003c/code\u003e. Expect benign hits from installers and administrative scripts, so baseline those before alerting on every match.\u003c/li\u003e\n\u003cli\u003eMonitor Windows Security Event ID 4688 for process creation events to correlate with Sysmon data. The argument-based matching above only works against 4688 if the \u0026ldquo;Include command line in process creation events\u0026rdquo; audit setting is enabled, because 4688 omits the command line by default.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-icacls-access-rights-modification/","summary":"Detection of icacls.exe, cacls.exe, or xcacls.exe being used to modify file or directory permissions, often used by APTs and coinminers for defense evasion and persistence.","title":"Windows Files and Dirs Access Rights Modification via Icacls","url":"https://feed.craftedsignal.io/briefs/2024-01-icacls-access-rights-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["openremote-manager"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","access-control","openremote"],"_cs_type":"advisory","_cs_vendors":["OpenRemote"],"content_html":"\u003cp\u003eOpenRemote, a digital twin 
platform, is susceptible to a privilege escalation vulnerability (CVE-2026-41166) affecting versions prior to 1.22.1 of the openremote-manager component. An attacker possessing \u003ccode\u003ewrite:admin\u003c/code\u003e privileges in any Keycloak realm can exploit this flaw to escalate privileges to the \u003ccode\u003emaster\u003c/code\u003e realm. This is achieved by calling the Manager API\u0026rsquo;s \u003ccode\u003eupdateUserRealmRoles\u003c/code\u003e function to modify Keycloak realm roles for users in other realms, including the \u003ccode\u003emaster\u003c/code\u003e realm. The vulnerability lies in the absence of authorization checks within the \u003ccode\u003eUserResourceImpl.java\u003c/code\u003e file, which fails to validate if the caller has administrative rights over the realm they are attempting to modify. This oversight allows an attacker to grant themselves or another user administrative privileges on the master realm, leading to full Keycloak administrator access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a Keycloak realm and obtains \u003ccode\u003ewrite:admin\u003c/code\u003e privileges for the OpenRemote client within that realm.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a low-privilege user in the \u003ccode\u003emaster\u003c/code\u003e Keycloak realm and retrieves their UUID.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates as the user from their controlled realm to obtain a valid Bearer access token.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious API request targeting the vulnerable \u003ccode\u003eupdateUserRealmRoles\u003c/code\u003e endpoint, specifying the \u003ccode\u003emaster\u003c/code\u003e realm and the UUID of the target user.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u0026ldquo;roles\u0026rdquo; parameter in the request body to include the \u0026ldquo;admin\u0026rdquo; role, 
effectively granting the target user Keycloak administrator privileges in the master realm.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted API request to the OpenRemote Manager API, bypassing the missing authorization check.\u003c/li\u003e\n\u003cli\u003eThe OpenRemote application processes the request and updates the target user\u0026rsquo;s realm roles in the \u003ccode\u003emaster\u003c/code\u003e Keycloak realm.\u003c/li\u003e\n\u003cli\u003eThe attacker verifies the successful privilege escalation by confirming that the target user in the \u003ccode\u003emaster\u003c/code\u003e realm now possesses the \u0026ldquo;admin\u0026rdquo; role via the Keycloak Admin Console, thus gaining full control over the master realm.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to gain complete control over the \u003ccode\u003emaster\u003c/code\u003e Keycloak realm within OpenRemote. This grants the attacker the ability to manage all users, roles, and clients within the \u003ccode\u003emaster\u003c/code\u003e realm, potentially leading to unauthorized access to sensitive data, disruption of services, and further lateral movement within the OpenRemote environment. 
Given that the \u003ccode\u003emaster\u003c/code\u003e realm is typically used for managing the entire OpenRemote instance, the impact is critical.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to OpenRemote version 1.22.1 or later to patch CVE-2026-41166, addressing the improper access control in the \u003ccode\u003eupdateUserRealmRoles\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eIf you maintain a fork or cannot upgrade immediately, add an authorization check in \u003ccode\u003eUserResourceImpl.java\u003c/code\u003e that rejects the call unless the caller holds administrative rights over the realm named in the request, not merely over their own realm.\u003c/li\u003e\n\u003cli\u003eAudit the \u003ccode\u003emaster\u003c/code\u003e realm for users who unexpectedly hold the \u0026ldquo;admin\u0026rdquo; role, and review which realms grant \u003ccode\u003ewrite:admin\u003c/code\u003e to the OpenRemote client, since any such holder could have exploited this flaw.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect OpenRemote UserRealmRoles API Abuse\u003c/code\u003e to monitor for calls to the updateUserRealmRoles API endpoint where the realm in the request differs from the realm the caller\u0026rsquo;s token was issued for.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-openremote-privesc/","summary":"OpenRemote is vulnerable to privilege escalation, allowing an attacker with write:admin privileges in one Keycloak realm to gain administrator access to the master realm by manipulating Keycloak realm roles due to missing authorization checks in the updateUserRealmRoles function.","title":"OpenRemote Improper Access Control Leads to Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2024-01-02-openremote-privesc/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["heimdall"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","policy-bypass","access-control"],"_cs_type":"advisory","_cs_vendors":["dadrus"],"content_html":"\u003cp\u003eHeimdall, a Go-based access management system, is susceptible to a case-sensitivity vulnerability in its host matching mechanism. 
HTTP hostnames are case-insensitive, but Heimdall performs host matching in a case-sensitive manner. Discovered and reported in April 2026, this discrepancy can result in Heimdall failing to match a rule for a request host that differs only in letter casing. Version 0.16.0 and later enforce secure defaults and refuse to start with an \u0026ldquo;allow all\u0026rdquo; configuration unless explicitly disabled using flags like \u003ccode\u003e--insecure-skip-secure-default-rule-enforcement\u003c/code\u003e or \u003ccode\u003e--insecure\u003c/code\u003e. The vulnerability affects Heimdall versions prior to 0.17.14 and can be exploited if rule matching relies on the request host, potentially leading to unintended access control bypass.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Heimdall instance with host-based access control rules.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a specific rule where the host is used for access control (e.g., \u003ccode\u003eadmin.example.com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP request with a \u003ccode\u003eHost\u003c/code\u003e header that differs only in casing (e.g., \u003ccode\u003eAdmin.Example.Com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eHeimdall fails to match the intended rule due to the case-sensitive comparison.\u003c/li\u003e\n\u003cli\u003eIf no default rule is configured, Heimdall returns a \u0026ldquo;404 Not Found\u0026rdquo; error.\u003c/li\u003e\n\u003cli\u003eIf a permissive default rule is configured (e.g., allowing anonymous access, which is discouraged since v0.16.0), Heimdall executes this default rule.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to resources or functionality that should be protected by the intended rule.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the gained access to modify data, invoke functionality, or escalate 
privileges depending on the exposed functionality.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eBypassing access control policies enforced by Heimdall can lead to unauthorized access to sensitive data, modification of critical information, or invocation of restricted functionality. Depending on the exposed functionality, this could also lead to privilege escalation. The severity of the impact depends heavily on the misconfiguration of Heimdall\u0026rsquo;s rules, particularly the presence of overly permissive default rules. Successful exploitation can compromise the confidentiality, integrity, and availability of the protected application or service.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eNormalize request hosts to lowercase in layers in front of Heimdall to mitigate the case sensitivity issue.\u003c/li\u003e\n\u003cli\u003eAvoid configuring permissive default rules. 
Remove or disable the \u003ccode\u003e--insecure\u003c/code\u003e or \u003ccode\u003e--insecure-skip-secure-default-rule-enforcement\u003c/code\u003e flags.\u003c/li\u003e\n\u003cli\u003eWhen using the \u003ccode\u003eregex\u003c/code\u003e type for host matching, define expressions in a case-insensitive manner (e.g., \u003ccode\u003e(?i)^admin\\.example\\.com$\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eUpgrade to Heimdall version 0.17.14 or later to patch the vulnerability directly.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-heimdall-case-sensitivity/","summary":"Heimdall performs case-sensitive host matching, which can lead to policy bypass because HTTP hostnames are case-insensitive, potentially leading to unauthorized access, data modification, or privilege escalation if the request host is part of the rule.","title":"Heimdall Host Matching Case-Sensitivity Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-02-heimdall-case-sensitivity/"}],"language":"en","title":"CraftedSignal Threat Feed — Access-Control","version":"https://jsonfeed.org/version/1.1"}
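Added example for the "Windows Files and Dirs Access Rights Modification via Icacls" brief above: the selection logic it describes (one of the three ACL editors launched with a rights-setting argument), run over constructed Sysmon Event ID 1 style records. This is illustrative code written for this page, not the published Sigma rule or Splunk's analytic; the record layout and the `SAMPLE_EVENTS` telemetry are constructed assumptions.

```python
"""Detection logic from the icacls/cacls/xcacls brief, applied to constructed
Sysmon Event ID 1 style records. Illustrative code, not the published Sigma rule."""
from typing import Dict, List

# Selection 1: the image is one of the Windows ACL editors. Only the file name is
# compared, so a copy of the binary launched from another directory is still caught.
ACL_TOOLS = ("icacls.exe", "cacls.exe", "xcacls.exe")

# Selection 2: the command line carries a token that sets or edits rights. Sigma
# `contains` is case-insensitive, so both sides are uppercased before comparing.
RIGHTS_TOKENS = (":R", ":W", ":F", ":C", ":N", "/P", "/E")


def image_name(image: str) -> str:
    """Return the lowercase file name from a Windows or POSIX style path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_acl_modification(image: str, command_line: str) -> bool:
    """True when an ACL editor is launched with an argument that changes rights."""
    if image_name(image) not in ACL_TOOLS:
        return False
    upper = command_line.upper()
    return any(token in upper for token in RIGHTS_TOKENS)


def matched_tokens(command_line: str) -> List[str]:
    """The rights tokens present, useful as alert context for the analyst."""
    upper = command_line.upper()
    return [t for t in RIGHTS_TOKENS if t in upper]


def scan(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run the selection over process-creation records and return the hits."""
    hits = []
    for ev in events:
        if ev.get("EventID") == 1 and is_acl_modification(str(ev["Image"]), str(ev["CommandLine"])):
            hits.append({"CommandLine": ev["CommandLine"],
                         "Tokens": matched_tokens(str(ev["CommandLine"]))})
    return hits


# Constructed sample telemetry (not real logs) mirroring Sysmon EID 1 fields.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r'icacls "C:\ProgramData\svc" /grant Everyone:F /T'},
    {"EventID": 1, "Image": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r'icacls C:\Windows\Temp\agent.log /deny "NT AUTHORITY\SYSTEM":R'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cacls.exe",
     "CommandLine": r"cacls C:\Users\Public\run.bat /E /P Everyone:F"},
    {"EventID": 1, "Image": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r"icacls C:\Users\alice\Documents"},      # list only, no change
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},                         # unrelated tool
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["Tokens"], hit["CommandLine"])
```

The fourth record (a bare `icacls <dir>` that only lists the ACL) produces no hit, which is the distinction the `*:R*`/`*/P*`-style tokens are there to make. Note that `*:R*` also matches icacls's `/grant:r` replace syntax, which is a rights change and should match.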
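Added example for the "OpenRemote Improper Access Control Leads to Privilege Escalation" brief above: a model of the missing authorization check in `updateUserRealmRoles`, the hardened variant beside it, and the log condition the brief's Sigma rule targets (request realm differs from the token's realm). This is an illustrative re-implementation written for this page, not OpenRemote's code; the `Caller`/`KeycloakStore` data model, the handler names, the `tenant-a` realm, the `uuid-victim` user id and the `SAMPLE_API_LOG` field names are all assumptions.

```python
"""Model of the missing authorization check behind CVE-2026-41166 in OpenRemote's
updateUserRealmRoles, plus the log check the brief's Sigma rule describes.
Illustrative re-implementation; data model, names and log fields are assumptions,
not the project's code."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set


class Forbidden(Exception):
    """Raised when the caller may not perform the requested role change."""


@dataclass
class Caller:
    realm: str              # realm the bearer token was issued in
    client_roles: Set[str]  # OpenRemote client roles held there, e.g. {"write:admin"}


@dataclass
class KeycloakStore:
    """Minimal stand-in for Keycloak: realm -> user id -> realm roles."""
    roles: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)

    def set_roles(self, realm: str, user_id: str, new_roles: Iterable[str]) -> None:
        self.roles.setdefault(realm, {})[user_id] = set(new_roles)

    def get_roles(self, realm: str, user_id: str) -> Set[str]:
        return self.roles.get(realm, {}).get(user_id, set())


def update_user_realm_roles_vulnerable(store, caller, target_realm, user_id, new_roles):
    """Pre-1.22.1 behaviour as the brief describes it: asks only whether the caller
    is a write:admin at all, never whether that authority covers target_realm."""
    if "write:admin" not in caller.client_roles:
        raise Forbidden("write:admin required")
    store.set_roles(target_realm, user_id, new_roles)


def update_user_realm_roles_fixed(store, caller, target_realm, user_id, new_roles):
    """Hardened variant: cross-realm changes are reserved for master-realm admins,
    which mirrors how Keycloak itself scopes realm administration."""
    if "write:admin" not in caller.client_roles:
        raise Forbidden("write:admin required")
    if target_realm != caller.realm and caller.realm != "master":
        raise Forbidden(f"realm {caller.realm!r} admin cannot modify realm {target_realm!r}")
    store.set_roles(target_realm, user_id, new_roles)


def run_attack(handler) -> Set[str]:
    """Replay the brief's attack chain against a handler and return the victim's roles."""
    store = KeycloakStore()
    store.set_roles("master", "uuid-victim", {"default-roles-master"})
    attacker = Caller(realm="tenant-a", client_roles={"write:admin"})  # assumed tenant realm
    try:
        handler(store, attacker, "master", "uuid-victim", {"admin"})
    except Forbidden:
        pass
    return store.get_roles("master", "uuid-victim")


# Detection side: constructed Manager API access records (field names assumed).
SAMPLE_API_LOG: List[Dict[str, str]] = [
    {"op": "updateUserRealmRoles", "token_realm": "tenant-a", "path_realm": "tenant-a"},
    {"op": "updateUserRealmRoles", "token_realm": "tenant-a", "path_realm": "master"},
    {"op": "updateUserRealmRoles", "token_realm": "master",   "path_realm": "tenant-b"},
    {"op": "getUser",              "token_realm": "tenant-a", "path_realm": "master"},
]


def cross_realm_role_updates(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag updateUserRealmRoles calls whose request realm differs from the token's
    realm when the caller is not from master: the condition the brief's rule targets."""
    return [r for r in records
            if r["op"] == "updateUserRealmRoles"
            and r["token_realm"] != r["path_realm"]
            and r["token_realm"] != "master"]


if __name__ == "__main__":
    print("vulnerable:", run_attack(update_user_realm_roles_vulnerable))  # {'admin'}
    print("fixed:     ", run_attack(update_user_realm_roles_fixed))       # {'default-roles-master'}
    print("alerts:", cross_realm_role_updates(SAMPLE_API_LOG))
```

The detection predicate deliberately exempts callers whose token comes from `master`, since master-realm administrators legitimately manage other realms; if your deployment never does that through the Manager API, drop the exemption and alert on every cross-realm call.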
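Added example for the "Heimdall Host Matching Case-Sensitivity Vulnerability" brief above: a model of host-based rule evaluation that reproduces the attack chain (an exact rule for `admin.example.com` missed by `Admin.Example.Com`, falling through to a permissive default or to a 404) and then applies the two mitigations the brief lists, lowercasing the host before matching and using a `(?i)` regex rule. This is illustrative code written for this page, not Heimdall's implementation; the `Rule` structure, decision names and the `ALLOW_ALL` default are assumptions.

```python
"""Model of Heimdall-style host matching before 0.17.14 and the mitigations from the
brief. Illustrative code, not Heimdall's own; rule structure and decisions are assumed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    id: str
    host: str        # exact host name, or a regular expression when kind == "regex"
    decision: str    # what the rule enforces once it matches (assumed labels)
    kind: str = "exact"


def host_matches(rule: Rule, host: str, normalize: bool) -> bool:
    if rule.kind == "regex":
        # Case handling is left to the expression itself, e.g. a leading (?i).
        return re.match(rule.host, host) is not None
    if normalize:
        # Mitigation 1: host names are case-insensitive (RFC 3986 section 3.2.2),
        # so compare lowercased, as a proxy in front of Heimdall would do.
        return rule.host.lower() == host.lower()
    return rule.host == host  # pre-0.17.14 behaviour: byte-for-byte comparison


def evaluate(rules: List[Rule], host: str, default: Optional[Rule],
             normalize: bool = False) -> Tuple[str, str]:
    """Return (rule id, decision) for the request host; ('none', '404') when nothing
    matches and no default rule is configured."""
    for rule in rules:
        if host_matches(rule, host, normalize):
            return rule.id, rule.decision
    if default is None:
        return "none", "404"
    return default.id, default.decision


ADMIN_EXACT = Rule("admin", "admin.example.com", "require-admin-jwt")
# Mitigation 2: the case-insensitive expression the brief recommends.
ADMIN_REGEX = Rule("admin", r"(?i)^admin\.example\.com$", "require-admin-jwt", kind="regex")
# The permissive default the brief warns against (refused by default since v0.16.0).
ALLOW_ALL = Rule("default", "*", "allow")


def scenarios() -> Dict[str, Tuple[str, str]]:
    """Each entry is one row of the brief's attack chain or recommendation list."""
    return {
        # Case-sensitive match plus permissive default: the bypass.
        "cs_permissive": evaluate([ADMIN_EXACT], "Admin.Example.Com", ALLOW_ALL),
        # Case-sensitive match with no default rule: a 404 rather than a bypass.
        "cs_no_default": evaluate([ADMIN_EXACT], "Admin.Example.Com", None),
        # Mitigation 1: normalize the host before matching.
        "normalized": evaluate([ADMIN_EXACT], "Admin.Example.Com", ALLOW_ALL, normalize=True),
        # Mitigation 2: case-insensitive regex rule.
        "regex": evaluate([ADMIN_REGEX], "Admin.Example.Com", ALLOW_ALL),
        # Control: an exact-case request was never affected.
        "exact_ok": evaluate([ADMIN_EXACT], "admin.example.com", ALLOW_ALL),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:14} -> {result}")
```

The `cs_no_default` row is why the brief rates impact by configuration: without a default rule the mismatch is a denial of service for the oddly-cased request, not an access bypass, and the `--insecure` flags are what make the bypass row possible.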