{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/coolercontrol/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2026-5208"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["command-injection","privilege-escalation","coolercontrol"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCoolerControl/coolercontrold, a system monitoring and management tool, is susceptible to a command injection vulnerability (CVE-2026-5208) in versions prior to 4.0.0. The vulnerability stems from insufficient sanitization of user-supplied input used to create alert names. An authenticated attacker with high privileges can inject arbitrary bash commands into the alert name field. Due to the application\u0026rsquo;s execution context, these injected commands are executed with root privileges, potentially leading to complete system compromise. The vulnerability was reported and patched in version 4.0.0. 
This poses a significant risk to organizations using affected versions of CoolerControl/coolercontrold, as it allows for trivial privilege escalation and arbitrary code execution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the CoolerControl/coolercontrold application with high-privilege credentials.\u003c/li\u003e\n\u003cli\u003eAttacker navigates to the alert configuration section of the application.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious alert name containing injected bash commands (e.g., \u003ccode\u003etest; rm -rf /;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAttacker saves the new alert configuration with the injected command in the alert name.\u003c/li\u003e\n\u003cli\u003eWhen the alert is triggered or processed by the application, the injected command is executed within the context of the CoolerControl/coolercontrold process.\u003c/li\u003e\n\u003cli\u003eDue to insufficient input validation, the operating system executes the injected command, in this example \u003ccode\u003erm -rf /\u003c/code\u003e, which would recursively delete every file on the system.\u003c/li\u003e\n\u003cli\u003eThe injected commands are executed with root privileges, resulting in arbitrary code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker gains complete control of the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5208 allows an attacker to execute arbitrary code with root privileges on the affected system. This could lead to complete system compromise, including data theft, data destruction, denial of service, and the installation of backdoors or other malicious software. 
Since this can be exploited via an application setting, a wide range of systems could be impacted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade CoolerControl/coolercontrold to version 4.0.0 or later to patch CVE-2026-5208, as mentioned in the vulnerability description.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Alert Creation\u003c/code\u003e to identify attempts to inject commands into alert names.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for suspicious commands executed by the CoolerControl/coolercontrold process. Enable Sysmon process-creation logging to facilitate this.\u003c/li\u003e\n\u003cli\u003eReview existing alert configurations for any suspicious or unexpected commands.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T12:16:22Z","date_published":"2026-04-08T12:16:22Z","id":"/briefs/2026-04-coolercontrol-cmd-injection/","summary":"CoolerControl/coolercontrold versions before 4.0.0 are vulnerable to command injection, allowing authenticated attackers with high privileges to execute arbitrary code as root by injecting bash commands into alert names.","title":"CoolerControl Command Injection Vulnerability (CVE-2026-5208)","url":"https://feed.craftedsignal.io/briefs/2026-04-coolercontrol-cmd-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Coolercontrol","version":"https://jsonfeed.org/version/1.1"}