{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/database/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-32650"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-32650","credential-access","database"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAnviz CrossChex Standard is susceptible to a critical vulnerability (CVE-2026-32650) where an attacker can manipulate the TDS7 PreLogin process. By exploiting this flaw, an attacker can disable encryption mechanisms, causing sensitive database credentials to be transmitted in plaintext. This exposure enables unauthorized access to the underlying database, potentially leading to data breaches, modification of records, or other malicious activities. The vulnerability was disclosed in April 2026 and poses a significant risk to organizations utilizing the affected Anviz CrossChex Standard software. The vulnerability exists because the application allows for a downgrade to a less secure algorithm during negotiation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an Anviz CrossChex Standard instance exposed to network access.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a connection to the TDS7 PreLogin port.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious TDS7 PreLogin packet to negotiate a connection without encryption.\u003c/li\u003e\n\u003cli\u003eThe CrossChex Standard software, due to the vulnerability, accepts the unencrypted connection.\u003c/li\u003e\n\u003cli\u003eThe software transmits database credentials in plaintext over the unencrypted channel.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the plaintext database credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the obtained credentials to authenticate directly to the database server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the CrossChex Standard database, enabling them to read, modify, or delete sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-32650 allows unauthorized access to the Anviz CrossChex Standard database. This can lead to the exposure of sensitive employee data, including personal information and access control details. Depending on the database permissions, an attacker could also modify time and attendance records, manipulate user accounts, or even compromise the entire physical access control system managed by CrossChex Standard. The impact could range from privacy violations to significant security breaches affecting physical premises.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or updates for Anviz CrossChex Standard as provided by the vendor to remediate CVE-2026-32650.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to the TDS7 PreLogin port that do not negotiate encryption using the provided network connection Sigma rule.\u003c/li\u003e\n\u003cli\u003eRestrict network access to the TDS7 PreLogin port only to trusted hosts and networks using firewall rules to mitigate the risk of unauthorized access.\u003c/li\u003e\n\u003cli\u003eEnable logging on the database server and monitor for successful logins from unusual IP addresses or accounts after applying the network connection Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-18T12:00:00Z","date_published":"2026-04-18T12:00:00Z","id":"/briefs/2026-04-anviz-crosschex-vuln/","summary":"Anviz CrossChex Standard is vulnerable to unauthorized database access due to the manipulation of TDS7 PreLogin, which disables encryption, leading to plaintext transmission of database credentials.","title":"Anviz CrossChex Standard TDS7 PreLogin Encryption Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-anviz-crosschex-vuln/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2026-28224"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-28224","denial-of-service","firebird","database"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-28224 describes a denial-of-service vulnerability affecting Firebird, an open-source relational database management system. The vulnerability exists in versions prior to 5.0.4, 4.0.7, and 3.0.14. An unauthenticated attacker can exploit this vulnerability by sending a crafted \u003ccode\u003eop_crypt_key_callback\u003c/code\u003e packet to the server. When the server receives this packet without prior authentication, the \u003ccode\u003eport_server_crypt_callback\u003c/code\u003e handler is not initialized, resulting in a null pointer dereference. This leads to a server crash, effectively causing a denial-of-service condition. The attacker only needs to know the server\u0026rsquo;s IP address and port to trigger this vulnerability. The vulnerability has been patched in Firebird versions 5.0.4, 4.0.7 and 3.0.14.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Firebird server by scanning for exposed ports (typically 3050).\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a TCP connection with the targeted Firebird server on the identified port.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003eop_crypt_key_callback\u003c/code\u003e packet. This packet does not require prior authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted \u003ccode\u003eop_crypt_key_callback\u003c/code\u003e packet to the Firebird server.\u003c/li\u003e\n\u003cli\u003eUpon receiving the packet, the server attempts to process the request in the \u003ccode\u003eport_server_crypt_callback\u003c/code\u003e handler.\u003c/li\u003e\n\u003cli\u003eBecause no prior authentication has occurred, the \u003ccode\u003eport_server_crypt_callback\u003c/code\u003e handler is not properly initialized, leading to a null pointer dereference.\u003c/li\u003e\n\u003cli\u003eThe null pointer dereference causes the Firebird server process to crash.\u003c/li\u003e\n\u003cli\u003eThe Firebird database server becomes unavailable, resulting in a denial-of-service condition for legitimate users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-28224 results in a denial-of-service condition, rendering the Firebird database server unavailable. This can disrupt applications and services that rely on the database, leading to data access issues, application downtime, and potential data loss if proper backup and recovery mechanisms are not in place. The number of affected organizations depends on the prevalence of vulnerable Firebird versions and their exposure to the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Firebird servers to versions 5.0.4, 4.0.7, or 3.0.14 or later to patch CVE-2026-28224.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Unauthenticated Firebird Crypt Callback\u0026rdquo; to your SIEM to identify potential exploitation attempts targeting this vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and access control lists (ACLs) to restrict access to Firebird servers from untrusted networks, mitigating the risk of unauthorized exploitation (network_connection logs).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious \u003ccode\u003eop_crypt_key_callback\u003c/code\u003e packets being sent to Firebird servers, particularly from untrusted sources (network_connection logs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-18T10:00:00Z","date_published":"2026-04-18T10:00:00Z","id":"/briefs/2026-04-firebird-dos/","summary":"An unauthenticated attacker can trigger a denial-of-service condition on vulnerable Firebird servers by sending a specially crafted op_crypt_key_callback packet, leading to a null pointer dereference and server crash.","title":"Firebird Server Denial-of-Service Vulnerability (CVE-2026-28224)","url":"https://feed.craftedsignal.io/briefs/2026-04-firebird-dos/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.9,"id":"CVE-2026-40342"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["firebird","path-traversal","code-execution","cve-2026-40342","database"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFirebird, an open-source relational database management system, is vulnerable to a path traversal flaw (CVE-2026-40342) in versions prior to 5.0.4, 4.0.7, and 3.0.14. This vulnerability resides within the external engine plugin loader. The loader concatenates a user-supplied engine name into a filesystem path without proper sanitization, leaving it open to path traversal attacks. An authenticated user with \u003ccode\u003eCREATE FUNCTION\u003c/code\u003e privileges can craft a malicious \u003ccode\u003eENGINE\u003c/code\u003e name containing path separators and \u003ccode\u003e..\u003c/code\u003e components. This allows them to load an arbitrary shared library from anywhere on the filesystem. The library\u0026rsquo;s initialization code executes immediately upon loading, before Firebird can validate the module, effectively granting code execution under the security context of the server\u0026rsquo;s operating system account. Upgrading to versions 5.0.4, 4.0.7, or 3.0.14 resolves this issue.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the Firebird database server with an account possessing \u003ccode\u003eCREATE FUNCTION\u003c/code\u003e privileges.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious \u003ccode\u003eENGINE\u003c/code\u003e name that includes path traversal sequences (e.g., \u003ccode\u003e../../../../\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the crafted \u003ccode\u003eENGINE\u003c/code\u003e name in a \u003ccode\u003eCREATE FUNCTION\u003c/code\u003e statement, specifying a path to an arbitrary shared library on the filesystem. For example, \u003ccode\u003eCREATE FUNCTION evil_func RETURNS INTEGER ENGINE '/path/to/evil/../../../../tmp/evil.so'\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Firebird server\u0026rsquo;s plugin loader concatenates the provided \u003ccode\u003eENGINE\u003c/code\u003e name into a filesystem path without proper validation.\u003c/li\u003e\n\u003cli\u003eThe Firebird server attempts to load the shared library from the attacker-controlled path, effectively bypassing intended access controls.\u003c/li\u003e\n\u003cli\u003eThe operating system loads the shared library into the Firebird server\u0026rsquo;s process.\u003c/li\u003e\n\u003cli\u003eThe shared library\u0026rsquo;s initialization code executes immediately, granting the attacker arbitrary code execution within the context of the Firebird server process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the Firebird server\u0026rsquo;s OS account, potentially leading to data exfiltration, system compromise, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary code on the Firebird server with the privileges of the operating system account running the Firebird service. This can lead to full system compromise, including data exfiltration, modification, or destruction. Given the high CVSS score of 9.9, this vulnerability poses a critical risk to organizations using vulnerable Firebird versions. The impact could range from complete database compromise to lateral movement within the network, depending on the privileges of the Firebird service account.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Firebird servers to versions 5.0.4, 4.0.7, or 3.0.14 to patch CVE-2026-40342.\u003c/li\u003e\n\u003cli\u003eMonitor Firebird server logs for \u003ccode\u003eCREATE FUNCTION\u003c/code\u003e statements with suspicious \u003ccode\u003eENGINE\u003c/code\u003e names containing path traversal sequences, and deploy the Sigma rule \u003ccode\u003eDetect Firebird Create Function Path Traversal\u003c/code\u003e to your SIEM.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls to limit \u003ccode\u003eCREATE FUNCTION\u003c/code\u003e privileges to only authorized users, and enable audit logging on all Firebird database servers to monitor user activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T20:16:35Z","date_published":"2026-04-17T20:16:35Z","id":"/briefs/2026-04-firebird-path-traversal/","summary":"An authenticated user with CREATE FUNCTION privileges can exploit a path traversal vulnerability in Firebird versions prior to 5.0.4, 4.0.7, and 3.0.14, to load an arbitrary shared library leading to code execution as the server's OS account.","title":"Firebird Path Traversal Vulnerability Leads to Code Execution (CVE-2026-40342)","url":"https://feed.craftedsignal.io/briefs/2026-04-firebird-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["mysql","vulnerability","database"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis advisory from the German BSI highlights the risk of multiple vulnerabilities affecting Oracle MySQL. An attacker, either unauthenticated or authenticated, can remotely exploit these weaknesses. Successful exploitation could lead to complete compromise of the MySQL server, including unauthorized access to sensitive data, modification of data, and denial of service. The advisory does not specify particular versions or CVEs, indicating a broad range of potential issues. Defenders should prioritize patching and hardening MySQL instances to mitigate potential risks. Due to the widespread use of MySQL, this poses a significant threat to organizations relying on this database system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Oracle MySQL instance exposed to the network.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to connect to the MySQL server, potentially anonymously or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits a vulnerability in the MySQL server software, such as a buffer overflow or SQL injection flaw.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation allows the attacker to execute arbitrary code on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive data stored in the database, such as user credentials or financial records.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies data within the database, potentially corrupting critical information or injecting malicious code.\u003c/li\u003e\n\u003cli\u003eThe attacker launches a denial-of-service attack against the MySQL server, rendering it unavailable to legitimate users.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves complete compromise of the MySQL server, potentially using it as a pivot point to access other systems on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these MySQL vulnerabilities can lead to severe consequences. Potential impacts include data breaches, financial loss, data corruption, and service disruption. Organizations relying on MySQL for critical applications and data storage are particularly vulnerable. Without specific numbers of victims available, the widespread usage of MySQL implies broad potential impact across various sectors. Successful attacks may lead to significant reputational damage and legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor MySQL server logs for suspicious activity, such as failed login attempts, unusual queries, and unexpected data modifications, to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect unusual processes spawned by the MySQL server to identify potential exploitation.\u003c/li\u003e\n\u003cli\u003eReview and enforce strong password policies for all MySQL user accounts to prevent unauthorized access to sensitive data.\u003c/li\u003e\n\u003cli\u003eEnsure that MySQL instances are not directly exposed to the internet without proper security controls, such as firewalls and intrusion detection systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T12:40:50Z","date_published":"2026-03-24T12:40:50Z","id":"/briefs/2026-03-mysql-vulns/","summary":"A remote attacker, either anonymous or authenticated, can exploit multiple vulnerabilities in Oracle MySQL to compromise confidentiality, integrity, and availability.","title":"Oracle MySQL Multiple Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2026-03-mysql-vulns/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2018-25272"}],"_cs_exploited":false,"_cs_products":["ELBA5 5.8.0"],"_cs_severities":["critical"],"_cs_tags":["rce","database","credential-access","cve-2018-25272","elba5"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eELBA5 version 5.8.0 is vulnerable to a remote code execution (RCE) vulnerability, identified as CVE-2018-25272. This flaw allows unauthenticated attackers to gain unauthorized access to the underlying database and execute arbitrary commands with SYSTEM level privileges on the host. The vulnerability stems from the application\u0026rsquo;s use of default credentials for database connection, weak password storage, and the availability of powerful stored procedures like \u003ccode\u003exp_cmdshell\u003c/code\u003e. Successful exploitation could lead to complete system compromise, sensitive data exposure, and the potential for lateral movement within the network. This vulnerability was published in 2018 but can still be relevant to organizations running older, unpatched versions of ELBA5.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable ELBA5 5.8.0 instance.\u003c/li\u003e\n\u003cli\u003eAttacker connects to the database using default connector credentials.\u003c/li\u003e\n\u003cli\u003eAttacker decrypts the DBA password stored within the database configuration.\u003c/li\u003e\n\u003cli\u003eAttacker enables the \u003ccode\u003exp_cmdshell\u003c/code\u003e stored procedure, if disabled.\u003c/li\u003e\n\u003cli\u003eAttacker executes arbitrary commands on the host system via \u003ccode\u003exp_cmdshell\u003c/code\u003e with SYSTEM privileges. For example, they might use \u003ccode\u003exp_cmdshell 'whoami'\u003c/code\u003e to verify their access level.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker adds a backdoor user to the BEDIENER table to maintain persistent access.\u003c/li\u003e\n\u003cli\u003eAttacker uses the newly created backdoor account to log into the application with elevated privileges.\u003c/li\u003e\n\u003cli\u003eAttacker exfiltrates sensitive data or performs other malicious actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2018-25272 grants the attacker SYSTEM level access to the server hosting ELBA5. This allows for the complete compromise of the system, including data exfiltration, installation of malware, and potential lateral movement within the network. The attacker can access and potentially modify sensitive data stored within the ELBA5 database, impacting the confidentiality and integrity of the application\u0026rsquo;s data. The vulnerability allows for the addition of backdoor accounts, ensuring persistence even after the initial vulnerability is patched.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or upgrades to ELBA5 to address CVE-2018-25272.\u003c/li\u003e\n\u003cli\u003eDisable or restrict access to the \u003ccode\u003exp_cmdshell\u003c/code\u003e stored procedure in the database to prevent command execution as described in the attack chain.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for suspicious usage of \u003ccode\u003exp_cmdshell\u003c/code\u003e using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement strong password policies and avoid the use of default credentials, mitigating the initial access vector described in the attack chain.\u003c/li\u003e\n\u003cli\u003eAudit the BEDIENER table for unauthorized user accounts using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eEnable database auditing to detect and respond to suspicious database activity, including attempts to decrypt passwords or modify user accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-elba5-rce/","summary":"ELBA5 version 5.8.0 contains a remote code execution vulnerability (CVE-2018-25272) that allows attackers to obtain database credentials and execute arbitrary commands with SYSTEM level permissions, potentially leading to complete system compromise.","title":"ELBA5 5.8.0 Remote Code Execution Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-elba5-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Database","version":"https://jsonfeed.org/version/1.1"}