{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/insecure-configuration/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2026-6823"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["vulnerability","insecure-configuration","access-control"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eHKUDS OpenHarness, a tool whose function is not explicitly defined in the source material, prior to the remediation implemented in pull request #147, exhibits an insecure default configuration. This vulnerability arises because remote channels inherit the setting \u003ccode\u003eallow_from = [\u0026quot;*\u0026quot;]\u003c/code\u003e. This overly permissive configuration allows any remote sender to bypass admission checks, effectively negating intended access controls. The vulnerability was reported on April 21, 2026. Exploitation requires an attacker to reach the configured channel, opening a pathway to host-backed agent runtimes. Successful exploitation can lead to unauthorized file disclosure and read access via default-enabled read-only tools within the OpenHarness environment. Defenders should ensure they are running a version of OpenHarness patched with PR #147 or later.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains network access to the OpenHarness instance.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a configured remote channel.\u003c/li\u003e\n\u003cli\u003eAttacker leverages the inherited \u003ccode\u003eallow_from = [\u0026quot;*\u0026quot;]\u003c/code\u003e configuration to bypass admission controls.\u003c/li\u003e\n\u003cli\u003eAttacker interacts with a host-backed agent runtime.\u003c/li\u003e\n\u003cli\u003eAttacker exploits default-enabled read-only tools available within the runtime.\u003c/li\u003e\n\u003cli\u003eAttacker gains unauthorized read access to sensitive files on the system.\u003c/li\u003e\n\u003cli\u003eAttacker exfiltrates the disclosed files.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to bypass intended access controls and gain unauthorized read access to files accessible to the OpenHarness agent. This could lead to the disclosure of sensitive information, potentially impacting confidentiality. The scope of the impact depends on the data accessible to the agent runtime and the sensitivity of those files. Given the default-enabled nature of the vulnerability, any OpenHarness deployment prior to PR #147 is potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade HKUDS OpenHarness to a version including or following the remediation provided in \u003ca href=\"https://github.com/HKUDS/OpenHarness/pull/147\"\u003ePR #147\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to the OpenHarness instance for unexpected remote channel access, using a network monitoring solution.\u003c/li\u003e\n\u003cli\u003eAudit the configuration of OpenHarness channels to ensure that \u003ccode\u003eallow_from\u003c/code\u003e is not set to \u003ccode\u003e[\u0026quot;*\u0026quot;]\u003c/code\u003e, but rather to a restrictive set of trusted senders.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T12:00:00Z","date_published":"2026-04-22T12:00:00Z","id":"/briefs/2026-04-openharness-default-config/","summary":"HKUDS OpenHarness prior to PR #147 remediation contains an insecure default configuration vulnerability where remote channels inherit permissive access, potentially leading to unauthorized file disclosure and read access.","title":"HKUDS OpenHarness Insecure Default Configuration Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-openharness-default-config/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2025-14821"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["libssh","mitm","windows","cve-2025-14821","insecure-configuration"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2025-14821, has been identified in the libssh library. This flaw arises from an insecure default configuration on Windows systems. Specifically, libssh automatically loads configuration files from the \u003ccode\u003eC:\\etc\u003c/code\u003e directory. Critically, this directory can be created and modified by unprivileged local users. This allows a malicious local user to manipulate the SSH configuration, facilitating man-in-the-middle attacks, downgrading connection security, and manipulating trusted host information. Successful exploitation grants attackers the ability to intercept and potentially modify SSH communications, posing a significant risk to data confidentiality, integrity, and availability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker creates the directory \u003ccode\u003eC:\\etc\u003c/code\u003e if it does not already exist.\u003c/li\u003e\n\u003cli\u003eAttacker creates a malicious SSH configuration file (e.g., \u003ccode\u003essh_config\u003c/code\u003e) within the \u003ccode\u003eC:\\etc\u003c/code\u003e directory. This configuration can specify settings to downgrade encryption or redirect connections.\u003c/li\u003e\n\u003cli\u003eA legitimate user initiates an SSH connection using an application that leverages the vulnerable libssh library.\u003c/li\u003e\n\u003cli\u003elibssh automatically loads the attacker-controlled configuration file from \u003ccode\u003eC:\\etc\\ssh_config\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious configuration settings are applied, potentially downgrading the encryption algorithm used for the SSH connection.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the SSH traffic, performing a man-in-the-middle attack due to the weakened encryption or connection redirection.\u003c/li\u003e\n\u003cli\u003eThe attacker can now eavesdrop on or modify the SSH communication, gaining unauthorized access to sensitive information or injecting malicious commands.\u003c/li\u003e\n\u003cli\u003eAttacker maintains persistent access or exfiltrates sensitive data obtained through the compromised SSH session.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-14821 allows a local attacker to perform man-in-the-middle attacks on SSH connections. This can lead to the compromise of sensitive data transmitted over SSH, such as credentials, configuration files, or confidential documents. The ability to manipulate trusted host information further exacerbates the risk, potentially allowing attackers to impersonate legitimate servers. The vulnerability affects any Windows system using a vulnerable version of libssh and could impact organizations across all sectors that rely on SSH for secure communication and remote administration.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for the creation or modification of files within the \u003ccode\u003eC:\\etc\u003c/code\u003e directory, particularly configuration files like \u003ccode\u003essh_config\u003c/code\u003e, using file integrity monitoring (FIM) rules on Windows systems.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule provided to detect the creation of the \u003ccode\u003eC:\\etc\u003c/code\u003e directory by non-system processes.\u003c/li\u003e\n\u003cli\u003eRestrict write access to the \u003ccode\u003eC:\\etc\u003c/code\u003e directory and its contents using appropriate file system permissions on Windows systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T17:16:25Z","date_published":"2026-04-07T17:16:25Z","id":"/briefs/2026-04-libssh-mitm/","summary":"CVE-2025-14821 in libssh allows local man-in-the-middle attacks, SSH downgrade attacks, and trusted host manipulation due to insecure default configuration loading from a world-writable directory on Windows.","title":"libssh Insecure Configuration Allows Local MITM Attacks (CVE-2025-14821)","url":"https://feed.craftedsignal.io/briefs/2026-04-libssh-mitm/"}],"language":"en","title":"CraftedSignal Threat Feed — Insecure-Configuration","version":"https://jsonfeed.org/version/1.1"}