<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Dotnet — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/dotnet/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 17 Apr 2026 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/dotnet/feed.xml" rel="self" type="application/rss+xml"/><item><title>Meridian Library Multiple Defense-in-Depth Gaps</title><link>https://feed.craftedsignal.io/briefs/2026-04-17-meridian-defense-gaps/</link><pubDate>Fri, 17 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-17-meridian-defense-gaps/</guid><description>Multiple defense-in-depth gaps exist in Meridian versions prior to 2.1.1, including high severity issues related to bypassing safety caps on collection mapping that can lead to resource exhaustion, along with medium and low severity issues affecting constructor selection, telemetry, retry mechanisms, and exception handling.</description><content:encoded><![CDATA[<p>Meridian versions before 2.1.1 contain multiple vulnerabilities stemming from defense-in-depth gaps within the <code>Meridian.Mapping</code> and <code>Meridian.Mediator</code> components. Two high-severity issues involve bypassing the advertised <code>DefaultMaxCollectionItems</code> and <code>DefaultMaxDepth</code> safety caps, particularly when using the <code>IMapper.Map(source, destination)</code> overload or <code>.UseDestinationValue()</code> on collection-typed properties. These flaws can lead to resource exhaustion. 
Additional medium-severity issues include constructor invariant bypass, OpenTelemetry stack-trace information disclosure, retry amplification, and notification fan-out amplification. The vulnerabilities were patched in version 2.1.1, released on April 16, 2026. The issues affect applications using the Meridian library for object-object mapping and mediation. Successful exploitation could lead to denial-of-service conditions, information disclosure, and unexpected application behavior.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker sends a crafted request to an application using Meridian, including a large or self-referential collection in the request payload.</li>
<li>The application&rsquo;s mapping logic utilizes <code>IMapper.Map(source, destination)</code> or <code>.UseDestinationValue()</code> on a collection property, triggering the vulnerable code path.</li>
<li>The <code>MappingEngine.TryMapCollectionOntoExisting</code> method processes the collection without enforcing <code>DefaultMaxCollectionItems</code>, leading to excessive memory consumption.</li>
<li>Collection-item recursion fails to increment <code>ResolutionContext.Depth</code>, allowing self-referential graphs to bypass <code>DefaultMaxDepth</code> and cause a stack overflow.</li>
<li>The unbounded collection processing consumes excessive CPU and memory resources, potentially blocking the worker thread.</li>
<li>Alternatively, an attacker exploits the <code>ObjectCreator.CreateWithConstructorMapping</code> vulnerability by providing input that bypasses constructor invariants due to the widest constructor being selected.</li>
<li>The application experiences a denial-of-service condition due to resource exhaustion or exhibits unintended behavior due to bypassed constructor invariants.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these vulnerabilities can lead to significant consequences. An attacker can cause denial-of-service by exhausting server resources, potentially impacting all users of the affected application. Information disclosure is possible through OpenTelemetry stack traces, and bypassing constructor invariants can lead to unexpected application behavior and potential data corruption. The high-severity vulnerabilities related to collection mapping are particularly concerning due to the potential for easy exploitation through a single crafted request. The impact is mitigated by upgrading to version 2.1.1 of the <code>Meridian.Mapping</code> and <code>Meridian.Mediator</code> libraries.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade to Meridian version 2.1.1 to patch the identified vulnerabilities, as documented in the <a href="https://github.com/UmutKorkmaz/meridian/blob/main/CHANGELOG.md#211---2026-04-16">v2.1.1 CHANGELOG</a>.</li>
<li>For applications that cannot be immediately upgraded, avoid using <code>mapper.Map(src, dst)</code> and <code>.UseDestinationValue()</code> on collection-typed destination members as a temporary workaround.</li>
<li>Implement explicit size limits on input collection deserialization before passing the payload to Meridian, as described in the <a href="#workarounds">Workarounds section</a> of this brief.</li>
<li>Consider disabling OpenTelemetry <code>exception.stacktrace</code> tag emission if your trace sink is not fully trusted, mitigating potential information disclosure.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>defense-in-depth</category><category>resource-exhaustion</category><category>information-disclosure</category><category>dotnet</category></item><item><title>.NET Uncontrolled Resource Consumption Vulnerability (CVE-2026-26171)</title><link>https://feed.craftedsignal.io/briefs/2026-04-dotnet-dos/</link><pubDate>Wed, 15 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-dotnet-dos/</guid><description>CVE-2026-26171 is a vulnerability in .NET that allows an unauthorized attacker to perform a denial-of-service attack over a network due to uncontrolled resource consumption.</description><content:encoded><![CDATA[<p>CVE-2026-26171 is a denial-of-service vulnerability affecting the .NET framework. This vulnerability stems from uncontrolled resource consumption, allowing an unauthenticated remote attacker to exhaust server resources. The vulnerability was published on April 14, 2026. Successful exploitation can lead to server unresponsiveness or complete service disruption. While the specific attack vector is not detailed in the source document, similar vulnerabilities in .NET have been exploited via crafted network requests that trigger excessive memory allocation or CPU usage. This vulnerability could affect any application running on a vulnerable .NET framework version, making it critical for organizations to patch their systems.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a .NET application running on a vulnerable system exposed to the network.</li>
<li>The attacker crafts a malicious network request designed to exploit the uncontrolled resource consumption vulnerability (CVE-2026-26171).</li>
<li>The crafted request is sent to the vulnerable .NET application.</li>
<li>The application processes the malicious request, triggering excessive resource allocation (e.g., memory or CPU).</li>
<li>Repeated or sustained malicious requests cause the server&rsquo;s resources to become exhausted.</li>
<li>Legitimate user requests are delayed or rejected due to resource exhaustion.</li>
<li>The .NET application becomes unresponsive, leading to a denial-of-service condition.</li>
<li>The server hosting the .NET application may crash, resulting in complete service disruption.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-26171 can lead to a denial-of-service condition, rendering .NET applications and the services they provide unavailable. The impact ranges from temporary service disruption to complete server crashes. The vulnerability has a CVSS v3.1 score of 7.5, indicating a high severity. The number of affected applications depends on the prevalence of vulnerable .NET framework versions within an organization&rsquo;s infrastructure. If successfully exploited, this can lead to significant business interruption and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch provided by Microsoft for CVE-2026-26171 as soon as possible to remediate the vulnerability (<a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26171">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26171</a>).</li>
<li>Monitor network traffic for suspicious patterns indicative of denial-of-service attacks, such as a sudden surge in requests to .NET application endpoints. Deploy the Sigma rule detecting a high number of connections from a single source IP.</li>
<li>Implement resource monitoring on servers running .NET applications to detect unusual CPU or memory usage that may indicate exploitation attempts.</li>
<li>Review and harden network segmentation to limit the potential impact of a successful denial-of-service attack.</li>
<li>Consider using a Web Application Firewall (WAF) to filter malicious requests and mitigate potential exploitation attempts.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>CVE-2026-26171</category><category>dotnet</category><category>denial-of-service</category><category>dos</category><category>resource-consumption</category></item><item><title>.NET Spoofing Vulnerability (CVE-2026-32178)</title><link>https://feed.craftedsignal.io/briefs/2026-04-dotnet-spoofing/</link><pubDate>Tue, 14 Apr 2026 18:17:20 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-dotnet-spoofing/</guid><description>CVE-2026-32178 is a vulnerability in .NET that allows for network spoofing due to improper neutralization of special elements, potentially enabling attackers to impersonate legitimate entities.</description><content:encoded><![CDATA[<p>CVE-2026-32178 is a security vulnerability affecting .NET applications. This vulnerability stems from the improper neutralization of special elements, which can be exploited by an unauthorized attacker to perform spoofing attacks over a network. Successful exploitation of this vulnerability could allow an attacker to impersonate trusted entities or services, potentially leading to unauthorized access, data manipulation, or other malicious activities. The vulnerability was published on April 14, 2026. Given the widespread use of .NET in various applications and services, this vulnerability poses a significant risk to organizations utilizing affected .NET versions. Defenders need to implement appropriate mitigation strategies to prevent potential exploitation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable .NET application that processes network-based input.</li>
<li>The attacker crafts a malicious network request containing special elements designed to exploit the improper neutralization vulnerability (CVE-2026-32178).</li>
<li>The vulnerable .NET application processes the malicious request without properly neutralizing the special elements.</li>
<li>Due to the lack of proper neutralization, the application misinterprets the special elements in the request.</li>
<li>The application performs actions based on the misinterpreted data, such as modifying data or granting unauthorized access.</li>
<li>The attacker leverages the spoofed identity or altered data to further compromise the system or network.</li>
<li>The attacker gains unauthorized access to sensitive resources.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-32178 could allow an attacker to perform network spoofing, potentially impacting confidentiality, integrity, and availability of affected systems. While the specific number of victims is unknown, the widespread use of .NET increases the potential for broad impact across various sectors. Consequences can range from data breaches and financial loss to reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the security update provided by Microsoft to patch CVE-2026-32178 as referenced in <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32178">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32178</a>.</li>
<li>Deploy the Sigma rules in this brief to your SIEM to detect potential exploitation attempts targeting .NET applications.</li>
<li>Monitor network traffic for suspicious patterns indicative of spoofing attacks, focusing on traffic to and from .NET applications.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>dotnet</category><category>spoofing</category><category>cve-2026-32178</category></item><item><title>Tmds.DBus Vulnerability Allows Signal Spoofing and Resource Exhaustion</title><link>https://feed.craftedsignal.io/briefs/2026-04-tmds-dbus-vuln/</link><pubDate>Thu, 09 Apr 2026 17:16:30 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-tmds-dbus-vuln/</guid><description>Tmds.DBus and Tmds.DBus.Protocol are vulnerable to signal spoofing, resource exhaustion, and application crashes due to malformed messages from malicious D-Bus peers on the same bus.</description><content:encoded><![CDATA[<p>Tmds.DBus is a .NET library used for interacting with the D-Bus inter-process communication system. A vulnerability exists in Tmds.DBus versions prior to 0.92.0 and in Tmds.DBus.Protocol versions prior to 0.92.0 and 0.21.3, allowing a malicious D-Bus peer on the same bus to perform several malicious actions. These include spoofing signals by impersonating the owner of a well-known name, exhausting system resources by sending messages with an excessive number of Unix file descriptors, and crashing the application by sending malformed message bodies that cause unhandled exceptions on the SynchronizationContext. This vulnerability could lead to denial of service or potentially allow for further exploitation within the affected application&rsquo;s context. Defenders need to ensure they are running patched versions of this software.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A malicious actor gains access to the same D-Bus instance as the target application.</li>
<li>The attacker identifies a well-known name that the target application utilizes.</li>
<li>The attacker crafts a malicious D-Bus message designed to impersonate the owner of the well-known name.</li>
<li>The attacker sends this spoofed signal to the target application through the D-Bus.</li>
<li>Alternatively, the attacker crafts a D-Bus message with an excessive number of Unix file descriptors.</li>
<li>The attacker sends the resource-intensive message, attempting to exhaust system resources.</li>
<li>As a third variant, the attacker crafts a malformed message body designed to cause an unhandled exception.</li>
<li>Successful exploitation leads to signal spoofing, resource exhaustion, or application crash, potentially leading to denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows a malicious actor to disrupt services that rely on Tmds.DBus. By spoofing signals, an attacker can manipulate the behavior of applications. By exhausting system resources or crashing applications, the attacker can cause denial of service. While the specific number of victims or sectors affected is not detailed, the potential impact is significant for systems using vulnerable versions of Tmds.DBus.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Tmds.DBus to version 0.92.0 or later and Tmds.DBus.Protocol to version 0.92.0 or 0.21.3 or later to remediate CVE-2026-39959.</li>
<li>Monitor D-Bus traffic for suspicious patterns, such as messages with excessive file descriptors, by creating custom monitoring tools.</li>
<li>Implement application-level validation of D-Bus messages to prevent exploitation through malformed message bodies.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>dbus</category><category>vulnerability</category><category>dotnet</category></item><item><title>PowerShell Loading .NET Assemblies via Reflection</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-powershell-reflection-load/</link><pubDate>Wed, 03 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-powershell-reflection-load/</guid><description>This analytic detects PowerShell scripts leveraging .NET reflection to load assemblies into memory, a technique commonly used by threat actors to bypass defenses and execute malicious code.</description><content:encoded><![CDATA[<p>This threat brief addresses the use of PowerShell to load .NET assemblies into memory using reflection, a technique frequently observed in advanced attacks. Threat actors, including those employing frameworks like Empire and Cobalt Strike, utilize this method to execute code directly in memory, evading traditional file-based security controls. The detection strategy focuses on PowerShell Script Block Logging (EventCode=4104), which captures the full commands executed, enabling analysis for specific reflection-related keywords. This behavior is a strong indicator of potential malicious activity, as it allows for unauthorized code execution, privilege escalation, and persistent access. Defenders should prioritize detection and response to such events to mitigate the risk of compromise. The technique allows attackers to bypass traditional defenses, execute code in memory, and potentially establish persistence within the targeted environment.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: The attacker gains initial access to the system, possibly through phishing or exploiting a vulnerability.</li>
<li>PowerShell Execution: The attacker executes PowerShell, often obfuscated or encoded, to avoid detection.</li>
<li>Reflection Assembly Loading: The PowerShell script uses reflection techniques, such as <code>[System.Reflection.Assembly]::Load()</code>, to load a .NET assembly directly into memory.</li>
<li>Bypassing Security Controls: The in-memory execution bypasses traditional security controls that scan files on disk.</li>
<li>Malicious Code Execution: The loaded assembly contains malicious code, which could be a payload for lateral movement, data exfiltration, or other malicious activities.</li>
<li>Privilege Escalation: The malicious code may attempt to escalate privileges to gain higher-level access to the system.</li>
<li>Persistence: The attacker establishes persistence by creating scheduled tasks or modifying registry keys.</li>
<li>Lateral Movement: The attacker uses the compromised system as a springboard to move laterally within the network, compromising additional systems.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to unauthorized code execution, privilege escalation, and persistent access within the environment. By loading .NET assemblies directly into memory, attackers can bypass traditional file-based security controls, making detection more challenging. This technique is often employed in advanced attacks, potentially affecting numerous systems across the network, leading to significant data breaches and system compromise. While specific victim counts are not available, the impact is considered high due to the potential for widespread damage and data loss.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable PowerShell Script Block Logging (EventCode=4104) on all endpoints to capture the full commands executed, as referenced in the description.</li>
<li>Deploy the provided Sigma rules to your SIEM to detect PowerShell scripts loading .NET assemblies into memory via reflection.</li>
<li>Investigate and remediate any alerts generated by the Sigma rules, prioritizing systems with high-value data or critical functions.</li>
<li>Regularly review and update PowerShell execution policies to restrict the execution of unsigned or untrusted scripts.</li>
<li>Monitor PowerShell logs for suspicious activity, such as the use of reflection techniques to load assemblies from unusual locations.</li>
<li>Consult the references provided, specifically the Microsoft .NET API documentation and the Palantir article on event tracing, to deepen your understanding of the attack techniques and potential mitigations.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>powershell</category><category>reflection</category><category>dotnet</category><category>memory-injection</category><category>attack.execution</category><category>attack.t1059.001</category></item></channel></rss>