{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/configuration-modification/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AVideo"],"_cs_severities":["high"],"_cs_tags":["avideo","cdn","configuration-modification","vulnerability"],"_cs_type":"advisory","_cs_vendors":["AVideo"],"content_html":"\u003cp\u003eAVideo, an open source video platform, contains a critical vulnerability (CVE-2026-33719) within its CDN plugin. Versions up to and including 26.0 are affected. The vulnerability stems from the endpoints \u003ccode\u003eplugin/CDN/status.json.php\u003c/code\u003e and \u003ccode\u003eplugin/CDN/disable.json.php\u003c/code\u003e using key-based authentication with an empty string as the default key. Critically, when the CDN plugin is enabled but the key remains at its default (empty) state, the authentication check is bypassed entirely. This allows any unauthenticated attacker to fully modify the CDN configuration through mass-assignment via the \u003ccode\u003epar\u003c/code\u003e request parameter. This includes the ability to manipulate CDN URLs, storage credentials, and even the authentication key itself. A patch has been released in commit adeff0a31ba04a56f411eef256139fd7ed7d4310. This is significant because it can lead to complete compromise of the video delivery infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an AVideo instance with the CDN plugin enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker checks the CDN configuration by sending a GET request to \u003ccode\u003eplugin/CDN/status.json.php\u003c/code\u003e without any authentication headers to confirm if CDN plugin is enabled and running with default configuration.\u003c/li\u003e\n\u003cli\u003eIf the CDN key is the default empty string, the attacker crafts a malicious POST request to \u003ccode\u003eplugin/CDN/status.json.php\u003c/code\u003e or \u003ccode\u003eplugin/CDN/disable.json.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the \u003ccode\u003epar\u003c/code\u003e parameter containing a JSON object with modified CDN settings, such as CDN URLs and storage credentials.\u003c/li\u003e\n\u003cli\u003eDue to the bypassed authentication, the AVideo server processes the request and updates the CDN configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker can modify the CDN URL to point to a malicious server hosting malware or phishing content.\u003c/li\u003e\n\u003cli\u003eLegitimate users requesting video content are redirected to the attacker's malicious CDN.\u003c/li\u003e\n\u003cli\u003eThe attacker can also steal storage credentials and compromise the CDN's data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33719 allows an unauthenticated attacker to take complete control over the video delivery infrastructure. This can result in serving malicious content to users, data exfiltration from the CDN storage, or complete disruption of video services. The number of victims depends on the popularity of the affected AVideo instances. This vulnerability impacts any organization using AVideo with the CDN plugin enabled and the default configuration, including educational institutions, media companies, and content creators.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch from commit adeff0a31ba04a56f411eef256139fd7ed7d4310 or upgrade to a version of AVideo that includes this fix to remediate CVE-2026-33719.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts targeting the \u003ccode\u003eplugin/CDN/status.json.php\u003c/code\u003e and \u003ccode\u003eplugin/CDN/disable.json.php\u003c/code\u003e endpoints.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003eplugin/CDN/status.json.php\u003c/code\u003e or \u003ccode\u003eplugin/CDN/disable.json.php\u003c/code\u003e endpoints without proper authentication headers, as these may indicate an attempted exploit.\u003c/li\u003e\n\u003cli\u003eAs a temporary workaround, configure a strong, non-default key for the CDN plugin to prevent the authentication bypass.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-avideo-cdn-config-vuln/","summary":"AVideo is vulnerable to unauthenticated configuration modification in its CDN plugin due to a bypassed key validation check when the default empty key is used, allowing modification of CDN URLs, storage credentials, and the authentication key itself.","title":"AVideo CDN Plugin Unauthenticated Configuration Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-avideo-cdn-config-vuln/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Claude","Copilot","Cursor","Ollama"],"_cs_severities":["medium"],"_cs_tags":["genai","configuration-modification","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Anthropic","Cursor","GitHub","Ollama"],"content_html":"\u003cp\u003eThis detection identifies suspicious modifications to configuration files associated with Generative AI (GenAI) tools such as Cursor, Claude, Copilot, and Ollama. Attackers may attempt to inject malicious Model Context Protocol (MCP) server configurations into these files. This allows them to hijack AI agents for various malicious purposes, including persistence, establishing command and control (C2) channels, or exfiltrating sensitive data. The attack vectors can include direct modification via malware or compromised scripts, supply chain attacks through tainted dependencies, and prompt injection attacks where the GenAI tool is manipulated into altering its own settings. Successful modification allows unauthorized MCP servers to execute arbitrary commands upon subsequent invocations of the affected AI tool. The timeframe for detection looks back 9 months.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e An attacker gains initial access via malware, compromised scripts, or supply chain vulnerabilities targeting GenAI development environments.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eConfiguration Discovery:\u003c/strong\u003e The attacker identifies the location of GenAI tool configuration files, such as \u003ccode\u003e.cursor/mcp.json\u003c/code\u003e, \u003ccode\u003e.claude/\u003c/code\u003e, or \u003ccode\u003e.config/github-copilot/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Modification:\u003c/strong\u003e The attacker modifies the configuration file, injecting a malicious MCP server URL or unauthorized plugin configurations. This could be achieved through direct file modification using scripting tools, or via prompt injection techniques.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence via MCP:\u003c/strong\u003e The attacker leverages the injected malicious MCP server for persistence. The GenAI tool will load the attacker's server on next invocation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control:\u003c/strong\u003e The injected MCP server establishes a command and control (C2) channel, allowing the attacker to remotely control the compromised AI agent.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration or Code Execution:\u003c/strong\u003e Once the MCP server is running, the attacker executes arbitrary commands or exfiltrates sensitive data via the compromised AI agent. This data can include API keys, proprietary code, or customer data accessible by the GenAI tool.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker uses the compromised GenAI tool as a pivot point to move laterally within the network, accessing other sensitive systems or data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the compromise of sensitive data handled by the GenAI tool, including API keys, source code, and user data. The attacker could also use the compromised AI agent for persistence, allowing them to maintain a foothold within the targeted environment. Successful exploitation could lead to significant data breaches, intellectual property theft, and reputational damage. The rule's description mentions the Cybereason blog on weaponized AI and MCPs, noting it being used for account takeover.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect unusual processes modifying GenAI configuration files based on the file paths specified in the \u003ccode\u003efile.path\u003c/code\u003e field of the rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the modifying process's origin, parent process tree, and network connections.\u003c/li\u003e\n\u003cli\u003eMonitor file integrity using tools like Sysmon or auditd on the GenAI configuration file paths to detect unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eImplement network-level blocking for any unauthorized MCP server URLs discovered in compromised configuration files.\u003c/li\u003e\n\u003cli\u003eRotate any potentially exposed API keys or credentials that may have been compromised through the GenAI configuration files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-genai-config-modify/","summary":"This rule detects unusual modifications to GenAI tool configuration files, potentially indicating an attacker injecting malicious MCP server configurations to hijack AI agents for persistence, command and control, or data exfiltration.","title":"Unusual Modification of GenAI Tool Configuration File","url":"https://feed.craftedsignal.io/briefs/2024-01-genai-config-modify/"}],"language":"en","title":"CraftedSignal Threat Feed - Configuration-Modification","version":"https://jsonfeed.org/version/1.1"}