{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/log-parsing/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-62184"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["luci-app-banip"],"_cs_severities":["low"],"_cs_tags":["vulnerability","log-parsing","ip-spoofing","openwrt"],"_cs_type":"advisory","_cs_vendors":["OpenWrt"],"content_html":"\u003cp\u003eA significant vulnerability, CVE-2026-62184, has been identified in \u003ccode\u003eluci-app-banip\u003c/code\u003e, an application designed for banIP functionality on OpenWrt systems. This flaw stems from a log parsing issue where the \u003ccode\u003eawk\u003c/code\u003e-based parser in \u003ccode\u003eluci-app-banip\u003c/code\u003e indiscriminately extracts the first IPv4 address it encounters in log lines, regardless of its actual position or context. This design error allows an unauthenticated remote attacker to inject an arbitrary IP address into an attacker-controlled input field, such as a login username. By leveraging this vulnerability, an attacker can manipulate \u003ccode\u003eluci-app-banip\u003c/code\u003e to incorrectly identify and block a legitimate target's IP address, effectively causing a denial of service for an innocent party, while the attacker's true origin IP remains unblocked and free to continue malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies and accesses a system running \u003ccode\u003eluci-app-banip\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to interact with an application function that logs user-controlled input, such as a login attempt using a username field.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts the input field (e.g., username) to include a legitimate IPv4 address embedded within a seemingly normal string (e.g., \u003ccode\u003evaliduser;1.2.3.4\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eluci-app-banip\u003c/code\u003e application processes the interaction, generating a log entry containing the crafted input.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eawk\u003c/code\u003e-based parser within \u003ccode\u003eluci-app-banip\u003c/code\u003e analyzes this log entry for potential malicious IP addresses.\u003c/li\u003e\n\u003cli\u003eDue to the parsing vulnerability, \u003ccode\u003eluci-app-banip\u003c/code\u003e incorrectly extracts the embedded IP address (\u003ccode\u003e1.2.3.4\u003c/code\u003e) as the malicious source IP.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eluci-app-banip\u003c/code\u003e then initiates an action to block the system associated with the extracted IP address (\u003ccode\u003e1.2.3.4\u003c/code\u003e), which belongs to a legitimate user or service.\u003c/li\u003e\n\u003cli\u003eThe legitimate user or service at \u003ccode\u003e1.2.3.4\u003c/code\u003e experiences a denial of service due to being mistakenly blocked, while the attacker's actual IP address remains unblocked, allowing them to persist.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability can lead to significant disruption and operational challenges. If successfully exploited, \u003ccode\u003eluci-app-banip\u003c/code\u003e will mistakenly block legitimate users or services, causing a denial of service for innocent parties. This can impact critical system access, interrupt network operations, and create a false sense of security for defenders as the true attacker remains unblocked and undetected by the banIP mechanism. While no specific victim counts or sectors were identified in the disclosure, any organization utilizing \u003ccode\u003eluci-app-banip\u003c/code\u003e on OpenWrt is susceptible to this type of evasion and misdirection, potentially leading to prolonged attacks or service outages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-62184 by updating \u003ccode\u003eluci-app-banip\u003c/code\u003e to a version that addresses the log parsing vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor log sources for \u003ccode\u003eluci-app-banip\u003c/code\u003e for repeated blocking of known legitimate IP addresses that do not originate suspicious activity.\u003c/li\u003e\n\u003cli\u003eReview authentication logs for \u003ccode\u003eluci-app-banip\u003c/code\u003e-enabled systems for unusual login attempts that contain embedded IP addresses in username or other input fields.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-13T22:21:29Z","date_published":"2026-07-13T22:21:29Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-62184-luci-app-banip/","summary":"A log parsing vulnerability in OpenWrt's luci-app-banip allows an unauthenticated remote attacker to inject arbitrary IPv4 addresses into log lines via crafted input fields, leading to the misidentification and blocking of legitimate users or services while the true attacker remains unblocked.","title":"CVE-2026-62184 - luci-app-banip Log Parsing Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-62184-luci-app-banip/"}],"language":"en","title":"CraftedSignal Threat Feed - Log-Parsing","version":"https://jsonfeed.org/version/1.1"}