<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Access-Control — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/access-control/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 30 Apr 2026 01:16:03 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/access-control/feed.xml" rel="self" type="application/rss+xml"/><item><title>1024-lab smart-admin Improper Access Control Vulnerability (CVE-2026-7468)</title><link>https://feed.craftedsignal.io/briefs/2026-04-smart-admin-access-control/</link><pubDate>Thu, 30 Apr 2026 01:16:03 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-smart-admin-access-control/</guid><description>CVE-2026-7468 is an improper access control vulnerability in 1024-lab smart-admin up to version 3.30.0, affecting the /smart-admin-api/druid/index.html file, which can be exploited remotely.</description><content:encoded><![CDATA[<p>A security vulnerability, CVE-2026-7468, has been identified in 1024-lab smart-admin, specifically in versions up to 3.30.0. This flaw resides within an unspecified function of the <code>/smart-admin-api/druid/index.html</code> file, a component of the Demo Site. The vulnerability stems from improper access controls, which could allow unauthorized remote access. The public disclosure of an exploit increases the risk of exploitation. While the 1024-lab project was notified through an issue report, a response or patch has not yet been released, making systems running vulnerable versions susceptible to attack. 
This vulnerability allows for potential compromise of the application and sensitive data.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable instance of 1024-lab smart-admin running a version up to 3.30.0.</li>
<li>The attacker crafts a malicious request targeting the <code>/smart-admin-api/druid/index.html</code> endpoint.</li>
<li>The request exploits the improper access control vulnerability to bypass authentication or authorization checks.</li>
<li>The system incorrectly processes the request, granting the attacker unintended access to restricted resources or functionality.</li>
<li>The attacker leverages this unauthorized access to read sensitive data.</li>
<li>The attacker further exploits the vulnerability to modify data or application configurations.</li>
<li>The attacker uses the compromised application to pivot to other systems or data within the network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-7468 allows attackers to gain unauthorized access to sensitive data and functionality within the 1024-lab smart-admin application. The impact could range from information disclosure to complete system compromise, depending on the specific function affected and the attacker&rsquo;s objectives. As the vulnerability resides in a &lsquo;Demo Site&rsquo; component, the impact is likely to be proof-of-concept or low, but could be more significant if the application is in production.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor web server logs for suspicious requests targeting the <code>/smart-admin-api/druid/index.html</code> endpoint to detect potential exploitation attempts.</li>
<li>Deploy the provided Sigma rule to detect unauthorized access attempts.</li>
<li>Apply any available patches or updates released by 1024-lab to address CVE-2026-7468.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>access-control</category><category>vulnerability</category><category>web-application</category></item><item><title>HKUDS OpenHarness Insecure Default Configuration Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-openharness-default-config/</link><pubDate>Wed, 22 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-openharness-default-config/</guid><description>HKUDS OpenHarness prior to PR #147 remediation contains an insecure default configuration vulnerability where remote channels inherit permissive access, potentially leading to unauthorized file disclosure and read access.</description><content:encoded><![CDATA[<p>HKUDS OpenHarness, a tool whose function is not explicitly defined in the source material, prior to the remediation implemented in pull request #147, exhibits an insecure default configuration. This vulnerability arises because remote channels inherit the setting <code>allow_from = [&quot;*&quot;]</code>. This overly permissive configuration allows any remote sender to bypass admission checks, effectively negating intended access controls. The vulnerability was reported on April 21, 2026. Exploitation requires an attacker to reach the configured channel, opening a pathway to host-backed agent runtimes. Successful exploitation can lead to unauthorized file disclosure and read access via default-enabled read-only tools within the OpenHarness environment. Defenders should ensure they are running a version of OpenHarness patched with PR #147 or later.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains network access to the OpenHarness instance.</li>
<li>Attacker identifies a configured remote channel.</li>
<li>Attacker leverages the inherited <code>allow_from = [&quot;*&quot;]</code> configuration to bypass admission controls.</li>
<li>Attacker interacts with a host-backed agent runtime.</li>
<li>Attacker exploits default-enabled read-only tools available within the runtime.</li>
<li>Attacker gains unauthorized read access to sensitive files on the system.</li>
<li>Attacker exfiltrates the disclosed files.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows attackers to bypass intended access controls and gain unauthorized read access to files accessible to the OpenHarness agent. This could lead to the disclosure of sensitive information, potentially impacting confidentiality. The scope of the impact depends on the data accessible to the agent runtime and the sensitivity of those files. Given the default-enabled nature of the vulnerability, any OpenHarness deployment prior to PR #147 is potentially vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade HKUDS OpenHarness to a version including or following the remediation provided in <a href="https://github.com/HKUDS/OpenHarness/pull/147">PR #147</a>.</li>
<li>Monitor network connections to the OpenHarness instance for unexpected remote channel access, using a network monitoring solution.</li>
<li>Audit the configuration of OpenHarness channels to ensure that <code>allow_from</code> is not set to <code>[&quot;*&quot;]</code>, but rather to a restrictive set of trusted senders.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>insecure-configuration</category><category>access-control</category></item><item><title>Luanti 5 Improper Access Control Vulnerability (CVE-2026-40960)</title><link>https://feed.craftedsignal.io/briefs/2026-04-luanti-access/</link><pubDate>Thu, 16 Apr 2026 01:16:11 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-luanti-access/</guid><description>Luanti 5 before 5.15.2 allows unintended access to an insecure environment if a crafted mod intercepts requests when secure mods are enabled, potentially leading to unauthorized access and control.</description><content:encoded><![CDATA[<p>Luanti 5, a software package (details not provided in source), prior to version 5.15.2, suffers from an improper access control vulnerability (CVE-2026-40960). This flaw can be exploited when at least one mod is configured as either <code>secure.trusted_mods</code> or <code>secure.http_mods</code>. Under these conditions, a specially crafted malicious mod can intercept requests intended for the insecure environment or HTTP API, effectively bypassing intended security controls. The vulnerability allows the malicious mod to gain unauthorized access to sensitive resources, potentially leading to data breaches or system compromise. Organizations using affected versions of Luanti 5 are urged to upgrade to version 5.15.2 or implement mitigating controls to prevent exploitation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a Luanti 5 instance running a version prior to 5.15.2 with at least one mod configured as <code>secure.trusted_mods</code> or <code>secure.http_mods</code>.</li>
<li>The attacker crafts a malicious mod designed to intercept HTTP requests.</li>
<li>The attacker deploys the crafted mod to the Luanti 5 environment.</li>
<li>The malicious mod intercepts requests directed towards the insecure environment or HTTP API.</li>
<li>Due to the vulnerability, the malicious mod gains unauthorized access to the targeted environment or API.</li>
<li>The attacker leverages the gained access to perform unauthorized actions, such as reading sensitive data or manipulating system configurations.</li>
<li>The attacker exfiltrates sensitive data or establishes persistent access for future malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-40960 can lead to complete compromise of the insecure environment or HTTP API within Luanti 5. This could result in unauthorized access to sensitive data, modification of system configurations, or complete system takeover. The severity of the impact depends on the specific functionality and data exposed by the insecure environment, but could include data breaches, financial loss, or reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Luanti 5 to version 5.15.2 or later to patch CVE-2026-40960.</li>
<li>If upgrading is not immediately feasible, review the configuration of <code>secure.trusted_mods</code> and <code>secure.http_mods</code> and remove any untrusted or unnecessary mods.</li>
<li>Monitor Luanti 5 web server logs for suspicious HTTP requests originating from unusual or newly deployed mods, using the provided Sigma rule.</li>
<li>Implement strict access control policies for deploying and managing Luanti 5 mods to prevent unauthorized installation of malicious modules.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-40960</category><category>luanti</category><category>access-control</category></item><item><title>UniFi Play Improper Access Control Vulnerability (CVE-2026-22566)</title><link>https://feed.craftedsignal.io/briefs/2026-04-unifi-play-access-control/</link><pubDate>Mon, 13 Apr 2026 22:16:28 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-unifi-play-access-control/</guid><description>An improper access control vulnerability in UniFi Play PowerAmp and Audio Port allows a malicious actor with access to the UniFi Play network to obtain WiFi credentials.</description><content:encoded><![CDATA[<p>CVE-2026-22566 describes an improper access control vulnerability affecting UniFi Play devices. Specifically, UniFi Play PowerAmp (version 1.0.35 and earlier) and UniFi Play Audio Port (version 1.0.24 and earlier) are vulnerable. A malicious actor who has already gained access to the UniFi Play network can exploit this vulnerability to obtain UniFi Play WiFi credentials. This vulnerability was reported by HackerOne and assigned a CVSS v3.1 base score of 7.5. The vulnerability was published on April 13, 2026. Updating the affected devices to the specified fixed versions is recommended to mitigate the risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to the UniFi Play network. (This step is a prerequisite and is not detailed in the advisory.)</li>
<li>The attacker leverages an access control flaw in the UniFi Play PowerAmp or Audio Port software.</li>
<li>A specially crafted request is sent to the vulnerable device via the local network.</li>
<li>The vulnerable device improperly handles the access control check.</li>
<li>The device divulges the stored WiFi credentials.</li>
<li>The attacker captures the exposed WiFi credentials.</li>
<li>The attacker uses the WiFi credentials to gain broader access to the wireless network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-22566 allows an attacker with existing access to a UniFi Play network to obtain WiFi credentials. This could lead to unauthorized access to the wireless network, potentially compromising other devices and sensitive information on the network. While the specific number of affected users is unknown, any network utilizing vulnerable versions of UniFi Play PowerAmp or Audio Port is at risk. The impact is elevated if the compromised WiFi network provides access to critical infrastructure or sensitive data.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update UniFi Play PowerAmp to version 1.0.38 or later and UniFi Play Audio Port to version 1.1.9 or later to remediate CVE-2026-22566.</li>
<li>Monitor network traffic for suspicious activity originating from UniFi Play devices after the vulnerability was disclosed (2026-04-13).</li>
<li>Segment the UniFi Play network from other critical networks to limit the impact of a potential breach.</li>
<li>Implement network access control policies to restrict access to sensitive resources from the UniFi Play network, even after applying the patch.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>vulnerability</category><category>access-control</category><category>unifi</category></item><item><title>UniFi Play Improper Access Control Allows SSH Enablement</title><link>https://feed.craftedsignal.io/briefs/2026-04-unifi-play-ssh-enable/</link><pubDate>Mon, 13 Apr 2026 22:16:28 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-unifi-play-ssh-enable/</guid><description>CVE-2026-22564 is an improper access control vulnerability in UniFi Play PowerAmp and Audio Port devices that allows an attacker with network access to enable SSH and make unauthorized system changes.</description><content:encoded><![CDATA[<p>CVE-2026-22564 is a critical vulnerability affecting UniFi Play PowerAmp (version 1.0.35 and earlier) and UniFi Play Audio Port (version 1.0.24 and earlier) devices. This improper access control flaw allows a malicious actor, who has already gained access to the UniFi Play network, to enable SSH access on the affected devices. This unauthorized SSH access can then be leveraged to make arbitrary changes to the system configuration, potentially leading to full device compromise and further network exploitation. Successful exploitation requires network access to the UniFi Play devices. The vulnerability was reported by HackerOne and affects devices that have not been updated to the patched versions (PowerAmp 1.0.38 or Audio Port 1.1.9).</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to the UniFi Play network through unspecified means (e.g., compromised credentials, network misconfiguration, or physical access).</li>
<li>The attacker identifies vulnerable UniFi Play PowerAmp or Audio Port devices on the network running versions 1.0.35 or earlier (PowerAmp) and 1.0.24 or earlier (Audio Port).</li>
<li>The attacker exploits the improper access control vulnerability (CVE-2026-22564) by sending a crafted request to the vulnerable device.</li>
<li>This request bypasses access controls, enabling SSH access on the device.</li>
<li>The attacker uses an SSH client (e.g., OpenSSH) to connect to the device using the enabled SSH service, likely with default or easily guessable credentials (not specified in source, but common).</li>
<li>Once authenticated, the attacker executes privileged commands via the SSH shell.</li>
<li>The attacker modifies system configurations, installs malicious software, or exfiltrates sensitive data.</li>
<li>The attacker maintains persistent access to the compromised device and potentially uses it as a pivot point for further attacks within the network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-22564 allows an attacker to gain unauthorized SSH access and make arbitrary changes to vulnerable UniFi Play devices. This can result in complete device compromise, allowing for data theft, installation of malware, and disruption of services. The vulnerability has a CVSS v3.1 score of 9.8 (Critical), indicating a high potential for severe impact. The scope of impact depends on the network configuration and the data handled by the compromised UniFi Play devices.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update UniFi Play PowerAmp devices to version 1.0.38 or later and UniFi Play Audio Port devices to version 1.1.9 or later to patch CVE-2026-22564.</li>
<li>Monitor network traffic for suspicious SSH connections to UniFi Play devices, especially from unexpected sources. Implement the provided Sigma rule targeting SSH login events.</li>
<li>Conduct a thorough review of the UniFi Play network to identify and remediate any potential initial access vectors that could be exploited to reach the vulnerable devices.</li>
<li>Review and harden default credentials on all network devices, including UniFi Play devices, to prevent attackers from easily gaining access after enabling SSH.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve-2026-22564</category><category>unifi-play</category><category>access-control</category><category>ssh</category></item><item><title>OpenClaw Insufficient Access Control in Gateway Agent Session Reset (CVE-2026-35660)</title><link>https://feed.craftedsignal.io/briefs/2026-04-openclaw-reset-vuln/</link><pubDate>Fri, 10 Apr 2026 17:50:21 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-openclaw-reset-vuln/</guid><description>OpenClaw before 2026.3.23 contains an insufficient access control vulnerability in the Gateway agent /reset endpoint that allows callers with operator.write permission to reset admin sessions by invoking /reset or /new messages with an explicit sessionKey, bypassing operator.admin requirements.</description><content:encoded><![CDATA[<p>OpenClaw, a yet-to-be-defined application, suffers from an insufficient access control vulnerability (CVE-2026-35660) affecting versions prior to 2026.3.23. The vulnerability exists within the Gateway agent&rsquo;s <code>/reset</code> endpoint.  An attacker possessing <code>operator.write</code> permissions can exploit this flaw to reset administrative sessions, circumventing the intended <code>operator.admin</code> requirement.  Specifically, the vulnerability allows attackers to invoke <code>/reset</code> or <code>/new</code> messages including an explicit <code>sessionKey</code> to manipulate arbitrary sessions. This could lead to unauthorized access and modification of sensitive system configurations, depending on the scope of the OpenClaw application. The vulnerability was disclosed on April 10, 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized <code>operator.write</code> privileges within the OpenClaw application, potentially through account compromise or privilege escalation from another vulnerability.</li>
<li>The attacker crafts a malicious HTTP request targeting the Gateway agent&rsquo;s <code>/reset</code> endpoint.</li>
<li>The crafted request includes a specific <code>sessionKey</code> belonging to an administrative user.</li>
<li>Alternatively, the attacker could send a <code>/new</code> message containing the admin&rsquo;s <code>sessionKey</code>.</li>
<li>Due to the insufficient access control, the Gateway agent processes the request, incorrectly resetting the targeted admin session.</li>
<li>The administrative user is forcibly logged out of their session, disrupting their work.</li>
<li>The attacker could potentially hijack the reset session depending on implementation details.</li>
<li>The attacker could then use their elevated access to perform unauthorized actions, such as modifying critical system configurations or accessing sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-35660 allows attackers with <code>operator.write</code> privileges to reset arbitrary admin sessions in OpenClaw. This can lead to denial of service for legitimate administrators, and potentially allow the attacker to hijack the reset session or perform unauthorized actions, leading to data breaches or system compromise, depending on the application&rsquo;s functionalities and the scope of admin privileges. The severity is rated as high with a CVSS score of 8.1.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade OpenClaw to version 2026.3.23 or later to patch CVE-2026-35660.</li>
<li>Review and enforce strict access control policies for the OpenClaw application, ensuring that <code>operator.write</code> privileges are only granted to trusted users.</li>
<li>Monitor web server logs for suspicious requests to the <code>/reset</code> endpoint, especially those containing explicit <code>sessionKey</code> parameters and correlate with user roles.</li>
<li>Deploy the Sigma rule &ldquo;Detect OpenClaw Session Reset Attempt&rdquo; to detect exploitation attempts (see below).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-35660</category><category>openclaw</category><category>access-control</category><category>privilege-escalation</category></item><item><title>OpenClaw Improper Access Control Vulnerability (CVE-2026-34512)</title><link>https://feed.craftedsignal.io/briefs/2026-04-openclaw-access-control-bypass/</link><pubDate>Thu, 09 Apr 2026 22:16:29 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-openclaw-access-control-bypass/</guid><description>OpenClaw before 2026.3.25 contains an improper access control vulnerability (CVE-2026-34512) in the HTTP /sessions/:sessionKey/kill route, allowing any authenticated user to terminate arbitrary subagent sessions.</description><content:encoded><![CDATA[<p>OpenClaw versions prior to 2026.3.25 are susceptible to an improper access control vulnerability, tracked as CVE-2026-34512. This flaw resides in the <code>/sessions/:sessionKey/kill</code> HTTP route and allows any bearer-authenticated user, regardless of their assigned privileges, to execute admin-level session termination functions. The vulnerability stems from a lack of proper scope validation, enabling attackers to bypass intended ownership and operator scope restrictions. By sending crafted, authenticated requests, an attacker can leverage the <code>killSubagentRunAdmin</code> function to terminate arbitrary subagent sessions. This unauthorized session termination could disrupt legitimate operations and lead to a denial-of-service condition for affected subagents.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker authenticates to the OpenClaw application using any valid user account, obtaining a bearer token.</li>
<li>The attacker identifies a target subagent session to terminate. This could involve enumerating active sessions or targeting a specific subagent.</li>
<li>The attacker crafts an HTTP POST request to the <code>/sessions/:sessionKey/kill</code> route, replacing <code>:sessionKey</code> with the session key of the target subagent.</li>
<li>The attacker includes the bearer token in the <code>Authorization</code> header of the HTTP request.</li>
<li>The OpenClaw server receives the request and, due to the missing scope validation, executes the <code>killSubagentRunAdmin</code> function.</li>
<li>The <code>killSubagentRunAdmin</code> function terminates the targeted subagent session, regardless of the attacker&rsquo;s permissions.</li>
<li>The targeted subagent is disconnected and its operations are interrupted.</li>
<li>The attacker can repeat this process to terminate other subagent sessions, potentially causing widespread disruption.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-34512 allows any authenticated user to terminate arbitrary subagent sessions within the OpenClaw environment. This can lead to denial-of-service conditions for targeted subagents, potentially disrupting critical workflows and impacting overall system availability. While the specific number of potential victims is unknown, any OpenClaw deployment utilizing versions prior to 2026.3.25 is vulnerable. The impact is significant, as it allows low-privileged users to perform actions intended only for administrators.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade OpenClaw to version 2026.3.25 or later to patch CVE-2026-34512.</li>
<li>Deploy the Sigma rule <code>Detect OpenClaw Unauthorized Session Termination</code> to identify potential exploitation attempts.</li>
<li>Monitor web server logs for unusual activity targeting the <code>/sessions/:sessionKey/kill</code> route.</li>
<li>Implement strict access control policies and regularly review user permissions within OpenClaw to minimize the potential impact of compromised accounts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>access-control</category><category>vulnerability</category><category>webserver</category></item><item><title>Technostrobe HI-LED-WR120-G2 Improper Access Control Vulnerability (CVE-2026-5569)</title><link>https://feed.craftedsignal.io/briefs/2026-04-technostrobe-access-control/</link><pubDate>Sun, 05 Apr 2026 14:16:17 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-technostrobe-access-control/</guid><description>CVE-2026-5569 describes a remote improper access control vulnerability in the /Technostrobe/ endpoint of Technostrobe HI-LED-WR120-G2 5.5.0.1R6.03.30, potentially leading to unauthorized access and control of affected devices.</description><content:encoded><![CDATA[<p>A critical vulnerability, CVE-2026-5569, affects Technostrobe HI-LED-WR120-G2 devices running firmware version 5.5.0.1R6.03.30. The vulnerability resides within the <code>/Technostrobe/</code> endpoint and stems from improper access control mechanisms. This flaw allows remote attackers to potentially bypass security restrictions and gain unauthorized access. The existence of a public exploit exacerbates the risk, making exploitation easier.  The vendor has been notified but has not provided a patch or workaround. Multiple devices are potentially affected, increasing the scope of potential impact. Given the nature of the affected device, successful exploitation could lead to disruption of critical lighting systems.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Reconnaissance:</strong> The attacker identifies Technostrobe HI-LED-WR120-G2 devices exposed on the network.</li>
<li><strong>Vulnerability Identification:</strong> The attacker determines the firmware version (5.5.0.1R6.03.30) to confirm vulnerability to CVE-2026-5569.</li>
<li><strong>Exploit Delivery:</strong> The attacker leverages the publicly available exploit to craft malicious requests targeting the <code>/Technostrobe/</code> endpoint.</li>
<li><strong>Authentication Bypass:</strong> The crafted requests bypass the existing access controls due to the improper privilege assignment.</li>
<li><strong>Unauthorized Access:</strong> The attacker gains unauthorized access to sensitive functionalities and data within the device.</li>
<li><strong>Configuration Modification:</strong> The attacker modifies the device configuration, potentially disrupting normal operations.</li>
<li><strong>Privilege Escalation:</strong> The attacker escalates privileges, gaining full control over the device.</li>
<li><strong>Lateral Movement/Impact:</strong> The attacker uses the compromised device as a pivot point for lateral movement within the network or causes a denial of service condition by manipulating lighting configurations.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-5569 could allow attackers to gain unauthorized control over Technostrobe HI-LED-WR120-G2 lighting systems. The impact can range from disruptive (e.g., remotely disabling or misconfiguring lighting) to more severe, such as using compromised devices as entry points to internal networks. Affected sectors include any that rely on these lighting systems, such as industrial facilities, airports, and entertainment venues. The number of affected devices is currently unknown.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Detect Technostrobe HI-LED-WR120-G2 Exploitation Attempt&rdquo; to identify attempts to exploit CVE-2026-5569 by monitoring web server logs for requests to the <code>/Technostrobe/</code> endpoint.</li>
<li>Isolate Technostrobe HI-LED-WR120-G2 devices from the public internet where possible to limit the attack surface.</li>
<li>Monitor network traffic for unusual activity originating from or destined to Technostrobe HI-LED-WR120-G2 devices, focusing on connections to unusual or external IP addresses.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-5569</category><category>access-control</category><category>technostrobe</category></item><item><title>Tenda 4G03 Pro Improper Access Control Vulnerability (CVE-2026-5526)</title><link>https://feed.craftedsignal.io/briefs/2026-04-tenda-4g03-pro-access-control/</link><pubDate>Sat, 04 Apr 2026 23:16:44 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-tenda-4g03-pro-access-control/</guid><description>CVE-2026-5526 describes an improper access control vulnerability in the Tenda 4G03 Pro router's /bin/httpd file, allowing remote attackers to potentially gain unauthorized access.</description><content:encoded><![CDATA[<p>A security vulnerability, identified as CVE-2026-5526, affects the Tenda 4G03 Pro router, specifically versions up to 1.0/1.1/04.03.01.53/192.168.0.1. The flaw resides within an unspecified function of the <code>/bin/httpd</code> file, leading to improper access controls. A remote attacker could exploit this vulnerability, potentially gaining unauthorized access to the device. Publicly available exploits exist, increasing the risk of exploitation. This issue was reported on April 4, 2026, and poses a significant threat due to the ease of remote exploitation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a Tenda 4G03 Pro router with a publicly accessible web interface.</li>
<li>The attacker crafts a malicious HTTP request targeting the <code>/bin/httpd</code> file.</li>
<li>The malicious request exploits the improper access control vulnerability (CVE-2026-5526).</li>
<li>The router&rsquo;s <code>/bin/httpd</code> process improperly handles the request, bypassing access controls.</li>
<li>The attacker gains unauthorized access to sensitive functionalities of the router.</li>
<li>The attacker modifies router configurations, such as DNS settings or firewall rules.</li>
<li>The attacker can then use the compromised router as a pivot point for further attacks against hosts behind it.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-5526 could allow attackers to remotely compromise Tenda 4G03 Pro routers. This can lead to unauthorized access to the device&rsquo;s configuration, modification of settings, or use of the router as a stepping stone for further attacks within the network. Given the availability of public exploits, unpatched devices are at significant risk. While the exact number of affected devices is unknown, the widespread use of Tenda routers makes this a potentially significant issue.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Restrict the web management interface to trusted networks: disable WAN-side remote management and firewall the management ports so that only the LAN or a dedicated management network can reach <code>/bin/httpd</code>.</li>
<li>Apply firmware updates from Tenda that address CVE-2026-5526 as soon as Tenda releases them.</li>
<li>Deploy the provided Sigma rule and review whatever HTTP or process telemetry the device or an upstream proxy exposes for unexpected requests to the management interface. Consumer routers typically log very little, so network-level monitoring of connections to and from the router is the more reliable signal.</li>
<li>Implement network segmentation to limit the impact of a compromised router, and verify the device&rsquo;s DNS and firewall settings after any suspected exposure, since the attack chain above changes exactly those.</li>
<li>Use strong, unique administrator credentials. These limit credential-based follow-on attacks but do not mitigate an access control bypass, so they are not a substitute for the network restrictions above.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-5526</category><category>tenda</category><category>router</category><category>access-control</category></item><item><title>HCL Aftermarket DPC Missing Access Control Vulnerability (CVE-2025-55261)</title><link>https://feed.craftedsignal.io/briefs/2024-01-hcl-dpc-privesc/</link><pubDate>Thu, 26 Mar 2026 14:16:07 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-hcl-dpc-privesc/</guid><description>A missing functional level access control vulnerability in HCL Aftermarket DPC (CVE-2025-55261) allows an attacker to escalate privileges, potentially compromising the application and leading to data theft or manipulation.</description><content:encoded>&lt;p>CVE-2025-55261 describes a critical vulnerability affecting HCL Aftermarket DPC. The vulnerability stems from a missing functional level access control, enabling an attacker to escalate their privileges within the application. This escalation could lead to a full compromise of the HCL Aftermarket DPC system. This vulnerability was published on March 26, 2026, and poses a significant risk to organizations utilizing the affected software. Successful exploitation could result in unauthorized…&lt;/p>
</content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>privilege-escalation</category><category>access-control</category><category>web-application</category></item><item><title>Kiteworks Core Access Control Vulnerability (CVE-2026-23514)</title><link>https://feed.craftedsignal.io/briefs/2026-03-kiteworks-access-control/</link><pubDate>Wed, 25 Mar 2026 15:16:37 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-kiteworks-access-control/</guid><description>Kiteworks Core versions 9.2.0 and 9.2.1 contain an access control vulnerability (CVE-2026-23514) due to improper ownership management, allowing authenticated users to access unauthorized content, which can be mitigated by upgrading to version 9.2.2 or later.</description><content:encoded>&lt;p>Kiteworks Core, a private data network (PDN) solution, is vulnerable to an access control issue in versions 9.2.0 and 9.2.1. This vulnerability, identified as CVE-2026-23514, stems from improper ownership management (CWE-282) within the application. An authenticated user can exploit this flaw to gain access to content they are not authorized to view or modify. The vulnerability was disclosed on March 25, 2026. Organizations using affected versions of Kiteworks Core are advised to upgrade to…&lt;/p>
</content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>access-control</category><category>vulnerability</category><category>kiteworks</category></item><item><title>Vulnerabilities in Paxton Net2 Access Control Units</title><link>https://feed.craftedsignal.io/briefs/2026-03-paxton-net2-vulns/</link><pubDate>Thu, 19 Mar 2026 22:15:35 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-paxton-net2-vulns/</guid><description>Vulnerabilities in Paxton Net2 Access Control Units (ACUs) could allow unauthorized remote access and control of secured doors, potentially affecting prisons and other high-security facilities.</description><content:encoded><![CDATA[<p>A Reddit post highlights potential vulnerabilities within Paxton Net2 Access Control Units (ACUs). While the specifics of the vulnerabilities are not detailed in the Reddit post itself, the linked article allegedly describes how these flaws can be exploited to remotely unlock doors controlled by the Net2 system, potentially impacting prisons or other facilities using this access control technology. The potential for remote exploitation raises significant concerns about physical security bypass. Defenders should investigate their exposure to this product and monitor for anomalous network activity to or from these devices.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a vulnerable Paxton Net2 ACU connected to the network.</li>
<li>Attacker exploits an unspecified vulnerability to bypass or defeat authentication on the ACU and obtain control of it.</li>
<li>Attacker sends a command to the ACU to unlock a specific door.</li>
<li>The ACU executes the command, releasing the electronic lock on the door.</li>
<li>Attacker gains physical access through the unlocked door.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these vulnerabilities could lead to unauthorized physical access to secured areas. In a prison setting, this could enable escapes and security breaches. Other facilities, such as data centers or government buildings, could also be at risk. The number of affected facilities is unknown.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Investigate internal usage of Paxton Net2 ACUs and determine firmware versions.</li>
<li>Monitor network traffic to and from Net2 ACUs for unexpected communications, as highlighted in the overview.</li>
<li>Review logs from Net2 ACUs for suspicious activity, if available, focusing on unusual unlock events.</li>
<li>Deploy the Sigma rule for unexpected user agents to detect reconnaissance activity targeting these devices.</li>
<li>Review the linked write-up (<code>https://it4sec.substack.com/p/hacking-prison-doors-remotely-like</code>) for technical details and indicators; blocking the page at a web proxy does not reduce the exposure of the ACUs themselves.</li>
</ul>
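<p>The two monitoring recommendations in this brief and in the Technostrobe brief above (watch for ACU or device traffic to unusual or external peers) reduce to an allowlist check over flow records. The following is an added example, not code from the original briefs or from Paxton: it audits constructed flow tuples against an assumed inventory of ACU addresses, the Net2 server and a management segment, and flags any flow where an ACU talks to a peer outside that allowlist. Addresses and ports are hypothetical.</p>

```python
import ipaddress

# Assumed inventory with hypothetical addresses: the access control units and the
# hosts that are allowed to talk to them (the Net2 server and a management segment).
ACUS = {"10.20.30.11", "10.20.30.12"}
ALLOWED_PEERS = {"10.20.1.5"}
ALLOWED_NETS = [ipaddress.ip_network("10.20.1.0/24")]

# RFC 1918 space; anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records (src, dst, dst_port); ports are arbitrary, not Net2's.
SAMPLE_FLOWS = [
    ("10.20.1.5", "10.20.30.11", 443),      # Net2 server -> ACU: expected
    ("10.20.30.11", "10.20.1.5", 443),      # ACU -> Net2 server: expected
    ("10.20.1.20", "10.20.30.12", 443),     # management segment -> ACU: tolerated
    ("192.168.50.7", "10.20.30.11", 443),   # workstation VLAN -> ACU: unexpected
    ("10.20.30.12", "203.0.113.9", 443),    # ACU -> internet: unexpected
    ("10.20.1.20", "10.20.1.5", 22),        # no ACU involved: ignored
]


def classify_peer(peer):
    """Bucket the non-ACU side of a flow by how expected it is."""
    ip = ipaddress.ip_address(peer)
    if peer in ALLOWED_PEERS:
        return "allowed"
    if any(ip in net for net in ALLOWED_NETS):
        return "management-segment"
    if any(ip in net for net in INTERNAL_NETS):
        return "internal-unexpected"
    return "external"


def audit_flows(flows):
    """Return one finding per flow that touches an ACU with a peer outside the allowlist.

    Each finding is (acu, direction, peer, port, verdict); "outbound" means the ACU
    initiated the connection, which is the pattern to treat as a possible pivot.
    """
    findings = []
    for src, dst, port in flows:
        if src in ACUS and dst not in ACUS:
            acu, peer, direction = src, dst, "outbound"
        elif dst in ACUS and src not in ACUS:
            acu, peer, direction = dst, src, "inbound"
        else:
            continue
        verdict = classify_peer(peer)
        if verdict in ("internal-unexpected", "external"):
            findings.append((acu, direction, peer, port, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(*finding)
```

<p>Feed it NetFlow, Zeek <code>conn.log</code> or firewall records reduced to (src, dst, port) tuples. An ACU-initiated flow to an external address deserves the most urgent look, because a door controller has no business opening connections to the internet.</p>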
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>access-control</category><category>physical-security</category><category>vulnerability</category></item><item><title>Windows Files and Dirs Access Rights Modification via Icacls</title><link>https://feed.craftedsignal.io/briefs/2024-01-icacls-access-rights-modification/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-icacls-access-rights-modification/</guid><description>Detection of icacls.exe, cacls.exe, or xcacls.exe being used to modify file or directory permissions, often used by APTs and coinminers for defense evasion and persistence.</description><content:encoded><![CDATA[<p>This analytic detects the modification of file and directory security permissions through command-line tools like icacls.exe, cacls.exe, and xcacls.exe. These tools are legitimate Windows utilities but are often abused by threat actors, including APT groups and coinminer scripts, to evade detection, maintain persistence, and hinder incident response. The detection focuses on command-line arguments indicating modifications to access rights (e.g., granting full control or modifying permissions). Detecting this activity is crucial as it can lead to unauthorized access, data exfiltration, and system compromise, ultimately impeding remediation efforts and prolonging the attacker&rsquo;s presence on the compromised system. The detection leverages endpoint detection and response (EDR) data focusing on process execution and command-line analysis.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: The attacker gains initial access to the system through methods such as phishing, exploiting vulnerabilities, or compromised credentials.</li>
<li>Privilege Escalation: The attacker escalates privileges to obtain necessary permissions for modifying file and directory access rights. This can be achieved through exploiting system vulnerabilities or using stolen credentials with elevated privileges.</li>
<li>Tool Deployment: The attacker deploys or utilizes existing system tools like <code>icacls.exe</code>, <code>cacls.exe</code>, or <code>xcacls.exe</code> to modify access control lists (ACLs) on files and directories.</li>
<li>Access Rights Modification: The attacker uses the deployed tools to modify the ACLs of critical system files or directories, potentially granting themselves full control or restricting access for legitimate users and security software. Specific command-line arguments like <code>*:R*</code>, <code>*:W*</code>, <code>*:F*</code>, <code>*:C*</code>, <code>*:N*</code>, <code>*/P*</code>, and <code>*/E*</code> are used to manipulate access rights.</li>
<li>Defense Evasion: By modifying access rights, the attacker attempts to evade detection by security software and hinders incident response efforts by restricting access to forensic data or security tools.</li>
<li>Persistence: The attacker protects persistence mechanisms, for example by changing the ACLs on startup scripts or dropped binaries so that legitimate users and security tools cannot remove them, ensuring that the malicious code keeps executing after reboots. (Registry key ACLs are outside the scope of these file-oriented tools.)</li>
<li>Lateral Movement: The same tools accept UNC paths, so an attacker holding suitable credentials can run them against shares on other systems to loosen permissions there, staging tooling or reaching data as part of lateral movement.</li>
<li>Impact: The attacker achieves their final objective, such as data exfiltration, system disruption, or deploying ransomware, by leveraging the modified access rights to access and manipulate sensitive data or critical system resources.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to persist on the system, evade detection, and potentially move laterally within the network. Modification of file and directory permissions can hinder investigation, impede remediation efforts, and maintain persistent access to the compromised environment. The impact ranges from data theft to complete system compromise and denial of service. This activity is often associated with APT groups and coinminer operations.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Sysmon process creation logging (Event ID 1) to capture the execution of <code>icacls.exe</code>, <code>cacls.exe</code>, and <code>xcacls.exe</code>.</li>
<li>Deploy the Sigma rule &ldquo;Detect Suspicious Icacls Usage&rdquo; to your SIEM to identify instances of access right modifications via icacls.exe, cacls.exe, and xcacls.exe.</li>
<li>Investigate any instances where these tools are used to modify access rights, especially when command-line arguments include <code>*:R*</code>, <code>*:W*</code>, <code>*:F*</code>, <code>*:C*</code>, <code>*:N*</code>, <code>*/P*</code>, and <code>*/E*</code>. Note that these substring patterns miss icacls grants written with inheritance flags, such as <code>Everyone:(OI)(CI)F</code>, so also alert on the <code>/grant</code>, <code>/deny</code>, <code>/setowner</code> and <code>/remove</code> switches.</li>
<li>Monitor Windows Event Log Security (4688) for process creation events to correlate with Sysmon data.</li>
</ul>
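<p>The detection described above, run over sample telemetry, as an added example that is not the Sigma rule the brief refers to and not code from any vendor. It parses the command line of <code>icacls.exe</code>, <code>cacls.exe</code> and <code>xcacls.exe</code> executions into switches and <code>principal:rights</code> tokens instead of relying on substrings, flags grants to broad principals, and keeps the brief&rsquo;s substring list alongside as a baseline for comparison. The Sysmon-style events are constructed for illustration.</p>

```python
import re
import shlex

# Constructed Sysmon Event ID 1-style records for illustration (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r"icacls.exe C:\Windows\Temp\svc.exe /grant Everyone:F /T /C"},
    {"Image": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r'icacls "C:\ProgramData\EDR\quarantine" /deny Everyone:(OI)(CI)F'},
    {"Image": r"C:\Windows\System32\cacls.exe",
     "CommandLine": r"cacls C:\Users\Public\run.bat /E /P Everyone:F"},
    {"Image": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r"icacls C:\data /save C:\temp\acl.bak /T"},   # backup only, no rights change
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users"},
]

ACL_TOOLS = {"icacls.exe", "cacls.exe", "xcacls.exe"}

# Switches that change an ACL: the icacls forms plus the classic cacls/xcacls letters.
MUTATING_SWITCHES = {
    "/grant", "/grant:r", "/deny", "/remove", "/remove:g", "/remove:d",
    "/setowner", "/reset", "/inheritance:r", "/inheritance:d", "/inheritance:e",
    "/e", "/p", "/g", "/r", "/d",
}

# Principals whose grants are almost never legitimate on system or security-tool paths.
BROAD_PRINCIPALS = {"everyone", "users", r"builtin\users", "authenticated users",
                    "*s-1-1-0", "*s-1-5-11", "*s-1-5-32-545"}

# "principal:rights" as written for icacls (Everyone:F, Users:(OI)(CI)RX, X:(R,W))
# and for cacls (/P Everyone:F, /P Everyone:N). Quoted principals are not handled.
RIGHTS_TOKEN = re.compile(r'^([^":]+):(?:\([A-Z,]+\))*(?:RX|[FMRWDCN])?$', re.IGNORECASE)

# The substring list quoted in the brief, kept as a baseline to compare against.
CRUDE_PATTERNS = (":R", ":W", ":F", ":C", ":N", "/P", "/E")


def crude_match(command_line):
    """Baseline: plain substring match of the brief's *:R* ... */E* patterns."""
    upper = command_line.upper()
    return any(p in upper for p in CRUDE_PATTERNS)


def parse_acl_command(event):
    """Return a finding for ACL-modifying icacls/cacls/xcacls use, or None."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image not in ACL_TOOLS:
        return None
    # posix=False keeps Windows backslashes and quoted paths intact.
    tokens = shlex.split(event["CommandLine"], posix=False)
    mutating = [t.lower() for t in tokens if t.startswith("/") and t.lower() in MUTATING_SWITCHES]
    if not mutating:
        return None  # /save, /verify, /restore or a plain listing: nothing changed
    rights = [t for t in tokens if not t.startswith("/") and RIGHTS_TOKEN.match(t)]
    principals = {RIGHTS_TOKEN.match(t).group(1).lower() for t in rights}
    return {
        "tool": image,
        "switches": mutating,
        "rights": rights,
        "broad_principal": bool(principals & BROAD_PRINCIPALS),
    }


def scan(events):
    """Return one finding per ACL-modifying event, with the baseline verdict attached."""
    findings = []
    for event in events:
        finding = parse_acl_command(event)
        if finding:
            finding["crude_match"] = crude_match(event["CommandLine"])
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

<p>On the constructed sample the second event, an <code>icacls /deny</code> with inheritance flags aimed at a security tool&rsquo;s directory, is caught by the switch parser but not by the baseline substrings, while the <code>/save</code> backup is correctly ignored by the parser. Tune <code>BROAD_PRINCIPALS</code> and add path allowlists for installers before deploying this at scale.</p>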
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>defense-evasion</category><category>persistence</category><category>windows</category><category>access-control</category></item><item><title>OpenRemote Improper Access Control Leads to Privilege Escalation</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-openremote-privesc/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-openremote-privesc/</guid><description>OpenRemote is vulnerable to privilege escalation, allowing an attacker with write:admin privileges in one Keycloak realm to gain administrator access to the master realm by manipulating Keycloak realm roles due to missing authorization checks in the updateUserRealmRoles function.</description><content:encoded><![CDATA[<p>OpenRemote, a digital twin platform, is susceptible to a privilege escalation vulnerability (CVE-2026-41166) affecting versions prior to 1.22.1 of the openremote-manager component. An attacker possessing <code>write:admin</code> privileges in any Keycloak realm can exploit this flaw to escalate privileges to the <code>master</code> realm. This is achieved by calling the Manager API&rsquo;s <code>updateUserRealmRoles</code> function to modify Keycloak realm roles for users in other realms, including the <code>master</code> realm. The vulnerability lies in the absence of authorization checks within the <code>UserResourceImpl.java</code> file, which fails to validate if the caller has administrative rights over the realm they are attempting to modify. This oversight allows an attacker to grant themselves or another user administrative privileges on the master realm, leading to full Keycloak administrator access.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to a Keycloak realm and obtains <code>write:admin</code> privileges for the OpenRemote client within that realm.</li>
<li>The attacker identifies a low-privilege user in the <code>master</code> Keycloak realm and retrieves their UUID.</li>
<li>The attacker authenticates as the user from their controlled realm to obtain a valid Bearer access token.</li>
<li>The attacker crafts a malicious API request targeting the vulnerable <code>updateUserRealmRoles</code> endpoint, specifying the <code>master</code> realm and the UUID of the target user.</li>
<li>The attacker sets the &ldquo;roles&rdquo; parameter in the request body to include the &ldquo;admin&rdquo; role, effectively granting the target user Keycloak administrator privileges in the master realm.</li>
<li>The attacker sends the crafted API request to the OpenRemote Manager API, bypassing the missing authorization check.</li>
<li>The OpenRemote application processes the request and updates the target user&rsquo;s realm roles in the <code>master</code> Keycloak realm.</li>
<li>The attacker verifies the successful privilege escalation by confirming that the target user in the <code>master</code> realm now possesses the &ldquo;admin&rdquo; role via the Keycloak Admin Console, thus gaining full control over the master realm.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to gain complete control over the <code>master</code> Keycloak realm within OpenRemote. This grants the attacker the ability to manage all users, roles, and clients within the <code>master</code> realm, potentially leading to unauthorized access to sensitive data, disruption of services, and further lateral movement within the OpenRemote environment. Given that the <code>master</code> realm is typically used for managing the entire OpenRemote instance, the impact is critical.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to OpenRemote version 1.22.1 or later to patch CVE-2026-41166, addressing the improper access control in the <code>updateUserRealmRoles</code> function.</li>
<li>If you maintain a fork or cannot upgrade immediately, add an authorization check to the <code>updateUserRealmRoles</code> path in <code>UserResourceImpl.java</code> so that the caller must hold administrative rights over the realm named in the request, not merely <code>write:admin</code> in their own realm.</li>
<li>Deploy the provided Sigma rule <code>Detect OpenRemote UserRealmRoles API Abuse</code> to monitor for suspicious calls to the updateUserRealmRoles API endpoint targeting different realms.</li>
</ul>
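<p>The missing check, shown as the flawed and the hardened version side by side. This is an added illustration written in Python, not OpenRemote&rsquo;s Java code or its API: the <code>Caller</code> shape, the in-memory role store, the user identifier and the rule that only master-realm admins may write to other realms are assumptions chosen to mirror the brief&rsquo;s description.</p>

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Caller:
    """What the API learns from the bearer token (simplified, assumed shape)."""
    realm: str               # realm the token was issued for
    client_roles: frozenset  # OpenRemote client roles, e.g. {"write:admin"}


class Forbidden(Exception):
    pass


def update_user_realm_roles_vulnerable(caller, target_realm, user_id, roles, store):
    """Reconstruction of the flaw as described: write:admin is checked, the target realm is not."""
    if "write:admin" not in caller.client_roles:
        raise Forbidden("write:admin required")
    store.setdefault(target_realm, {})[user_id] = frozenset(roles)
    return store[target_realm][user_id]


def update_user_realm_roles_fixed(caller, target_realm, user_id, roles, store):
    """Hardened: the caller must administer the realm named in the request.

    Assumption: only master-realm admins may write to other realms, matching the
    brief's description of master as the realm that manages the whole instance.
    """
    if "write:admin" not in caller.client_roles:
        raise Forbidden("write:admin required")
    if target_realm != caller.realm and caller.realm != "master":
        raise Forbidden(f"caller in realm {caller.realm!r} may not modify realm {target_realm!r}")
    store.setdefault(target_realm, {})[user_id] = frozenset(roles)
    return store[target_realm][user_id]


def escalation_succeeds(handler):
    """Replay the brief's attack chain against a handler.

    Returns True if a tenant-realm admin ends up granting "admin" to a user in
    master. The user id and roles are hypothetical placeholders.
    """
    store = {"master": {"target-user-0001": frozenset({"read"})}}
    attacker = Caller(realm="tenant-a", client_roles=frozenset({"write:admin"}))
    try:
        handler(attacker, "master", "target-user-0001", {"read", "admin"}, store)
    except Forbidden:
        return False
    return "admin" in store["master"]["target-user-0001"]


if __name__ == "__main__":
    print("vulnerable:", escalation_succeeds(update_user_realm_roles_vulnerable))
    print("fixed:     ", escalation_succeeds(update_user_realm_roles_fixed))
```

<p>The point of the fixed variant is that the realm in the request path is an input to the authorization decision, not just a routing key; a caller&rsquo;s rights are scoped to the realm their token was issued for.</p>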
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>privilege-escalation</category><category>access-control</category><category>openremote</category></item><item><title>Heimdall Host Matching Case-Sensitivity Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-heimdall-case-sensitivity/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-heimdall-case-sensitivity/</guid><description>Heimdall performs case-sensitive host matching, which can lead to policy bypass because HTTP hostnames are case-insensitive, potentially leading to unauthorized access, data modification, or privilege escalation if the request host is part of the rule.</description><content:encoded><![CDATA[<p>Heimdall, a Go-based access management system, is susceptible to a case-sensitivity vulnerability in its host matching mechanism. HTTP hostnames are case-insensitive, but Heimdall performs host matching in a case-sensitive manner. Discovered and reported in April 2026, this discrepancy can result in Heimdall failing to match a rule for a request host that differs only in letter casing. Version 0.16.0 and later enforce secure defaults and refuse to start with an &ldquo;allow all&rdquo; configuration unless explicitly disabled using flags like <code>--insecure-skip-secure-default-rule-enforcement</code> or <code>--insecure</code>. The vulnerability affects Heimdall versions prior to 0.17.14 and can be exploited if rule matching relies on the request host, potentially leading to unintended access control bypass.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a Heimdall instance with host-based access control rules.</li>
<li>The attacker identifies a specific rule where the host is used for access control (e.g., <code>admin.example.com</code>).</li>
<li>The attacker crafts an HTTP request with a <code>Host</code> header that differs only in casing (e.g., <code>Admin.Example.Com</code>).</li>
<li>Heimdall fails to match the intended rule due to the case-sensitive comparison.</li>
<li>If no default rule is configured, Heimdall returns a &ldquo;404 Not Found&rdquo; error.</li>
<li>If a permissive default rule is configured (e.g., allowing anonymous access, which is discouraged since v0.16.0), Heimdall executes this default rule.</li>
<li>The attacker gains unauthorized access to resources or functionality that should be protected by the intended rule.</li>
<li>The attacker exploits the gained access to modify data, invoke functionality, or escalate privileges depending on the exposed functionality.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Bypassing access control policies enforced by Heimdall can lead to unauthorized access to sensitive data, modification of critical information, or invocation of restricted functionality. Depending on the exposed functionality, this could also lead to privilege escalation. The severity of the impact depends heavily on the misconfiguration of Heimdall&rsquo;s rules, particularly the presence of overly permissive default rules. Successful exploitation can compromise the confidentiality, integrity, and availability of the protected application or service.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Normalize request hosts to lowercase in the layer in front of Heimdall (reverse proxy or ingress) so that the <code>Host</code> value Heimdall compares is already case-folded.</li>
<li>Avoid configuring permissive default rules, and do not run Heimdall with <code>--insecure</code> or <code>--insecure-skip-secure-default-rule-enforcement</code>, which disable the secure-default enforcement introduced in 0.16.0.</li>
<li>When using the <code>regex</code> type for host matching, define expressions in a case-insensitive manner (e.g., <code>(?i)^admin\.example\.com$</code>).</li>
<li>Upgrade to Heimdall version 0.17.14 or later to patch the vulnerability directly.</li>
</ul>
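<p>The bypass in the attack chain above, reproduced against a toy rule matcher, as an added example that is not Heimdall&rsquo;s code. The case-sensitive matcher lets <code>Admin.Example.Com</code> fall through to whatever default rule exists; the case-folding matcher pins it back to the intended rule. The rule set, the permissive default and the status codes are constructed to mirror the brief; port handling is assumed to happen upstream.</p>

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    host: str                      # exact host name, or a regex when is_regex is set
    is_regex: bool = False
    allow_anonymous: bool = False


# Constructed rule set modelled on the brief's example; not a Heimdall configuration.
RULES = [
    Rule("admin", "admin.example.com"),                                   # must be authenticated
    Rule("site", r"^www\.example\.com$", is_regex=True, allow_anonymous=True),
]

# The kind of "allow all" default that 0.16.0+ refuses unless the --insecure flags are set.
PERMISSIVE_DEFAULT = Rule("default", "*", allow_anonymous=True)


def match_case_sensitive(host, rules, default=None):
    """Pre-fix behaviour: the raw Host value is compared byte-for-byte."""
    for rule in rules:
        if rule.is_regex:
            if re.fullmatch(rule.host, host):
                return rule
        elif rule.host == host:
            return rule
    return default


def normalize_host(host):
    """Host names are case-insensitive, so fold before matching.
    Port handling is assumed to happen upstream and is not covered here."""
    return host.strip().lower()


def match_normalized(host, rules, default=None):
    """Fixed behaviour: match on the case-folded host. Exact rules are folded too;
    regex rules see the folded host, so (?i) becomes optional rather than required."""
    folded = normalize_host(host)
    for rule in rules:
        if rule.is_regex:
            if re.fullmatch(rule.host, folded):
                return rule
        elif rule.host.lower() == folded:
            return rule
    return default


def decide(host, matcher, authenticated, default=None):
    """Return (rule name, HTTP status) the way the brief's attack chain describes it:
    no rule and no default -> 404; matched rule -> 200 if anonymous is allowed or the
    caller is authenticated, else 401."""
    rule = matcher(host, RULES, default)
    if rule is None:
        return (None, 404)
    if rule.allow_anonymous or authenticated:
        return (rule.name, 200)
    return (rule.name, 401)


if __name__ == "__main__":
    for matcher in (match_case_sensitive, match_normalized):
        print(matcher.__name__, decide("Admin.Example.Com", matcher, False, PERMISSIVE_DEFAULT))
```

<p>If you cannot normalize in front of Heimdall and cannot upgrade, the brief&rsquo;s <code>(?i)^admin\.example\.com$</code> regex rule achieves the same for that one rule; the folding matcher above makes the flag unnecessary because every pattern is evaluated against the lower-cased host.</p>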
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>defense-evasion</category><category>policy-bypass</category><category>access-control</category></item></channel></rss>