<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cve-2026-33488 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-33488/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 23 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-33488/feed.xml" rel="self" type="application/rss+xml"/><item><title>WWBN AVideo PGP 2FA Bypass via Weak Key Generation</title><link>https://feed.craftedsignal.io/briefs/2024-01-23-avideo-pgp-bypass/</link><pubDate>Tue, 23 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-23-avideo-pgp-bypass/</guid><description>WWBN AVideo platform versions up to 26.0 generate weak 512-bit RSA keys for PGP 2FA, which can be easily factored to derive the private key and bypass the second authentication factor. Additionally, key generation endpoints lack authentication checks, exposing the system to resource exhaustion attacks.</description><content:encoded><![CDATA[<p>WWBN AVideo, an open-source video platform, contains a critical vulnerability (CVE-2026-33488) in versions up to and including 26.0. The vulnerability lies in the LoginControl plugin's PGP 2FA system, where the <code>createKeys()</code> function generates weak 512-bit RSA keys. These keys have been publicly factorable since 1999, making them susceptible to relatively quick compromise using commodity hardware. An attacker who retrieves a target user's public key can factor the 512-bit RSA modulus within hours, derive the complete private key, and decrypt any PGP 2FA challenge issued by the system, effectively bypassing the two-factor authentication. Furthermore, the <code>generateKeys.json.php</code> and <code>encryptMessage.json.php</code> endpoints lack authentication checks, allowing anonymous users to trigger CPU-intensive key generation, potentially leading to denial-of-service conditions. A patch is available in commit 00d979d87f8182095c8150609153a43f834e351e.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a target user on an AVideo platform running a vulnerable version (&lt;= 26.0).</li>
<li>The attacker accesses the target user's public key, likely exposed through the AVideo application or via direct request to the <code>generateKeys.json.php</code> endpoint, which lacks authentication.</li>
<li>The attacker utilizes readily available tools and commodity hardware to factor the 512-bit RSA modulus of the obtained public key.</li>
<li>The factoring process yields the target user's private key in a matter of hours.</li>
<li>The attacker intercepts a PGP 2FA challenge intended for the target user. This might be achieved through network sniffing or by compromising the user's email account.</li>
<li>The attacker uses the derived private key to decrypt the intercepted PGP 2FA challenge.</li>
<li>The attacker submits the decrypted challenge response to the AVideo platform.</li>
<li>The AVideo platform incorrectly validates the response, granting the attacker unauthorized access to the target user's account.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-33488 allows attackers to completely bypass the PGP 2FA mechanism in WWBN AVideo platforms. This leads to unauthorized access to user accounts, potentially enabling attackers to steal sensitive video content, manipulate platform settings, or compromise user data. The lack of authentication on key generation endpoints can also lead to resource exhaustion and denial of service, disrupting the platform's availability. The impact is significant due to the complete circumvention of a critical security control.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch from commit 00d979d87f8182095c8150609153a43f834e351e to remediate CVE-2026-33488.</li>
<li>Implement authentication checks for the <code>generateKeys.json.php</code> and <code>encryptMessage.json.php</code> endpoints to prevent unauthorized key generation and potential denial-of-service attacks.</li>
<li>Deploy the Sigma rule &quot;Detect AVideo Key Generation Endpoint Access&quot; to monitor for unauthorized access to the vulnerable <code>generateKeys.json.php</code> and <code>encryptMessage.json.php</code> endpoints.</li>
<li>Review web server access logs for unusual activity related to the <code>/plugins/loginControl/</code> path.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>avideo</category><category>pgp</category><category>2fa</category><category>bypass</category><category>cve-2026-33488</category><category>credential-access</category></item></channel></rss>