<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Flask - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/flask/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 08 Jul 2026 21:13:57 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/flask/feed.xml" rel="self" type="application/rss+xml"/><item><title>Serena Agent Unauthenticated RCE via DNS Rebinding (CVE-2026-49471)</title><link>https://feed.craftedsignal.io/briefs/2026-07-serena-rce-dns-rebinding/</link><pubDate>Wed, 08 Jul 2026 21:13:57 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-serena-rce-dns-rebinding/</guid><description>An unspecified attacker can achieve remote code execution in Serena agent versions prior to 1.5.2 by leveraging an unauthenticated Flask dashboard, DNS rebinding, and memory poisoning, enabling persistent attacker-controlled command execution.</description><content:encoded><![CDATA[<p>CVE-2026-49471 details a critical vulnerability in the Serena agent, affecting versions prior to 1.5.2. This vulnerability stems from an unauthenticated Flask web dashboard that is automatically enabled by default on a fixed and predictable TCP port 24282. The dashboard lacks authentication, CSRF protection, and Host header validation, making it susceptible to DNS rebinding attacks. An attacker can trick a victim, running the vulnerable Serena agent, into visiting a malicious webpage. This webpage leverages DNS rebinding to proxy requests to the local Serena dashboard, poisoning its persistent memory store with attacker-controlled content. When the agent subsequently processes this memory, it executes the injected commands via <code>subprocess.Popen</code> with <code>shell=True</code>, leading to full OS-level remote code execution. This allows attackers to achieve persistence, exfiltrate data, access agent logs, and perform denial-of-service.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker registers a domain (e.g., <code>attacker.com</code>) with a short DNS Time-To-Live (TTL) and hosts a malicious webpage.</li>
<li>A victim, running a vulnerable Serena agent (version &lt; 1.5.2) with the default <code>web_dashboard: true</code> setting, visits the attacker-controlled webpage.</li>
<li>The attacker's webpage immediately rebinds its DNS resolution from the attacker's server to <code>127.0.0.1</code> after the initial page load.</li>
<li>Malicious JavaScript on the webpage sends a POST request to <code>attacker.com:24282/save_memory</code>, which the victim's browser now resolves to the local Serena agent's dashboard due to the DNS rebinding.</li>
<li>Serena's unauthenticated Flask dashboard on TCP 24282 accepts the <code>/save_memory</code> request, writing attacker-controlled content (e.g., an <code>execute_shell_command</code>) to the agent's persistent memory store.</li>
<li>In a subsequent agent session or when processing new tasks, the Serena agent reads the poisoned memory from disk.</li>
<li>The Serena agent then attempts to execute the attacker-controlled command using <code>subprocess.Popen(command, shell=True)</code>, where <code>shell=True</code> enables direct shell command execution.</li>
<li>This results in full OS-level remote code execution on the victim's machine, allowing the attacker to exfiltrate data, maintain persistence, or further compromise the system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>CVE-2026-49471 poses a severe risk to any user operating the Serena agent with its default configuration. Successful exploitation allows an attacker, without any credentials or prior access, to gain OS-level remote code execution on the victim's system. Beyond RCE, attackers can inject persistent prompt-injection payloads into the agent's memory, read sensitive agent activity logs (including conversation history and project details), overwrite the Serena configuration file, and trigger a denial-of-service by shutting down the agent. While no specific victim counts are provided, all users of affected Serena agent versions are at risk if targeted by a malicious webpage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-49471</strong> by upgrading Serena agent to version 1.5.2 or later immediately.</li>
<li><strong>Deploy the Sigma rule</strong> provided in this brief to detect suspicious process execution originating from the Serena agent.</li>
<li><strong>Enable Sysmon process-creation logging</strong> (Event ID 1) on endpoints running the Serena agent to activate detection of suspicious shell activity.</li>
<li><strong>Block known attacker infrastructure</strong> such as <code>attacker.com</code> at the DNS resolver or web proxy to prevent initial access via DNS rebinding and potential C2 communication.</li>
<li><strong>Review Serena agent configuration</strong> and consider disabling <code>web_dashboard: true</code> if its functionality is not explicitly required in your environment.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>remote-code-execution</category><category>dns-rebinding</category><category>persistence</category><category>command-and-control</category><category>python</category><category>flask</category><category>agent</category></item></channel></rss>