{
  "description": "Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.",
  "feed_url": "https://feed.craftedsignal.io/tags/mitm/",
  "home_page_url": "https://feed.craftedsignal.io/",
  "items": [
    {
      "_cs_actors": [],
      "_cs_cves": [{"cvss": 7.8, "id": "CVE-2025-14821"}],
      "_cs_exploited": false,
      "_cs_products": [],
      "_cs_severities": ["high"],
      "_cs_tags": ["libssh", "mitm", "windows", "cve-2025-14821", "insecure-configuration"],
      "_cs_type": "advisory",
      "_cs_vendors": [],
      "content_html": "<p>A critical vulnerability, CVE-2025-14821, has been identified in the libssh library. This flaw arises from an insecure default configuration on Windows systems. Specifically, libssh automatically loads configuration files from the <code>C:\\etc</code> directory. Critically, this directory can be created and modified by unprivileged local users. This allows a malicious local user to manipulate the SSH configuration, facilitating man-in-the-middle attacks, downgrading connection security, and manipulating trusted host information. Successful exploitation grants attackers the ability to intercept and potentially modify SSH communications, posing a significant risk to data confidentiality, integrity, and availability.</p>\n<h2 id=\"attack-chain\">Attack Chain</h2>\n<ol>\n<li>Attacker creates the directory <code>C:\\etc</code> if it does not already exist.</li>\n<li>Attacker creates a malicious SSH configuration file (e.g., <code>ssh_config</code>) within the <code>C:\\etc</code> directory. This configuration can specify settings to downgrade encryption or redirect connections.</li>\n<li>A legitimate user initiates an SSH connection using an application that leverages the vulnerable libssh library.</li>\n<li>libssh automatically loads the attacker-controlled configuration file from <code>C:\\etc\\ssh_config</code>.</li>\n<li>The malicious configuration settings are applied, potentially downgrading the encryption algorithm used for the SSH connection.</li>\n<li>The attacker intercepts the SSH traffic, performing a man-in-the-middle attack due to the weakened encryption or connection redirection.</li>\n<li>The attacker can now eavesdrop on or modify the SSH communication, gaining unauthorized access to sensitive information or injecting malicious commands.</li>\n<li>Attacker maintains persistent access or exfiltrates sensitive data obtained through the compromised SSH session.</li>\n</ol>\n<h2 id=\"impact\">Impact</h2>\n<p>Successful exploitation of CVE-2025-14821 allows a local attacker to perform man-in-the-middle attacks on SSH connections. This can lead to the compromise of sensitive data transmitted over SSH, such as credentials, configuration files, or confidential documents. The ability to manipulate trusted host information further exacerbates the risk, potentially allowing attackers to impersonate legitimate servers. The vulnerability affects any Windows system using a vulnerable version of libssh and could impact organizations across all sectors that rely on SSH for secure communication and remote administration.</p>\n<h2 id=\"recommendation\">Recommendation</h2>\n<ul>\n<li>Monitor for the creation or modification of files within the <code>C:\\etc</code> directory, particularly configuration files like <code>ssh_config</code>, using file integrity monitoring (FIM) rules on Windows systems.</li>\n<li>Implement the Sigma rule provided to detect the creation of the <code>C:\\etc</code> directory by non-system processes.</li>\n<li>Restrict write access to the <code>C:\\etc</code> directory and its contents using appropriate file system permissions on Windows systems.</li>\n</ul>\n",
      "date_modified": "2026-04-07T17:16:25Z",
      "date_published": "2026-04-07T17:16:25Z",
      "id": "/briefs/2026-04-libssh-mitm/",
      "summary": "CVE-2025-14821 in libssh allows local man-in-the-middle attacks, SSH downgrade attacks, and trusted host manipulation due to insecure default configuration loading from a world-writable directory on Windows.",
      "title": "libssh Insecure Configuration Allows Local MITM Attacks (CVE-2025-14821)",
      "url": "https://feed.craftedsignal.io/briefs/2026-04-libssh-mitm/"
    },
    {
      "_cs_actors": [],
      "_cs_cves": [{"cvss": 7.4, "id": "CVE-2026-35560"}],
      "_cs_exploited": false,
      "_cs_products": [],
      "_cs_severities": ["high"],
      "_cs_tags": ["cve-2026-35560", "athena", "odbc", "man-in-the-middle", "mitm", "credential-theft"],
      "_cs_type": "advisory",
      "_cs_vendors": [],
      "content_html": "<p>A man-in-the-middle (MitM) vulnerability has been identified in the Amazon Athena ODBC driver. Specifically, versions prior to 2.1.0.0 exhibit improper certificate validation within the identity provider connection components. This flaw allows a threat actor positioned in the network to intercept authentication credentials when the driver attempts to connect to external identity providers. This vulnerability, identified as CVE-2026-35560, poses a significant risk to organizations utilizing affected versions of the Athena ODBC driver with external identity providers. The lack of proper certificate validation can lead to credential compromise and subsequent unauthorized access to sensitive data within Athena. This does not affect connections directly to Athena.</p>\n<h2 id=\"attack-chain\">Attack Chain</h2>\n<ol>\n<li>The attacker positions themselves in a privileged network location between the user&rsquo;s machine and the external identity provider.</li>\n<li>The user attempts to establish a connection to Amazon Athena using the vulnerable ODBC driver version (prior to 2.1.0.0). The connection is configured to use an external identity provider for authentication.</li>\n<li>The ODBC driver initiates a connection to the configured external identity provider.</li>\n<li>The attacker intercepts the network traffic between the ODBC driver and the identity provider.</li>\n<li>Due to the lack of proper certificate validation in the vulnerable ODBC driver, the attacker can present a fraudulent certificate to the driver without triggering an error.</li>\n<li>The ODBC driver, trusting the fraudulent certificate, proceeds with the authentication process and transmits the user&rsquo;s credentials to the attacker-controlled server.</li>\n<li>The attacker captures the user&rsquo;s authentication credentials (e.g., username and password or an access token).</li>\n<li>The attacker uses the stolen credentials to authenticate to the external identity provider or directly to resources protected by those credentials, potentially gaining unauthorized access to sensitive data within Amazon Athena or other connected services.</li>\n</ol>\n<h2 id=\"impact\">Impact</h2>\n<p>Successful exploitation of this vulnerability allows a man-in-the-middle attacker to intercept authentication credentials used to connect to external identity providers. This could lead to unauthorized access to an organization&rsquo;s Amazon Athena data and other resources protected by the compromised credentials. The severity of the impact depends on the privileges associated with the compromised user account. If successful, the attacker could potentially read, modify, or delete sensitive data stored in Athena, leading to data breaches, financial losses, and reputational damage. The number of potential victims is directly proportional to the number of organizations using affected versions of the Athena ODBC driver with external identity providers.</p>\n<h2 id=\"recommendation\">Recommendation</h2>\n<ul>\n<li>Upgrade the Amazon Athena ODBC driver to version 2.1.0.0 or later to remediate the improper certificate validation vulnerability as documented in CVE-2026-35560.</li>\n<li>Monitor network traffic for unexpected connections to external identity providers from machines running the Athena ODBC driver. Use network connection logs to identify suspicious activity.</li>\n<li>Implement network segmentation to limit the potential impact of a successful man-in-the-middle attack, reducing the attacker&rsquo;s ability to intercept traffic.</li>\n</ul>\n",
      "date_modified": "2026-04-03T21:17:12Z",
      "date_published": "2026-04-03T21:17:12Z",
      "id": "/briefs/2024-01-athena-odbc-mitm/",
      "summary": "A man-in-the-middle vulnerability exists in Amazon Athena ODBC driver versions prior to 2.1.0.0 due to improper certificate validation, potentially allowing attackers to intercept authentication credentials when connecting to external identity providers.",
      "title": "Amazon Athena ODBC Driver Man-in-the-Middle Vulnerability",
      "url": "https://feed.craftedsignal.io/briefs/2024-01-athena-odbc-mitm/"
    },
    {
      "_cs_actors": [],
      "_cs_cves": [],
      "_cs_exploited": false,
      "_cs_products": [],
      "_cs_severities": ["high"],
      "_cs_tags": ["unifi", "mitm", "credential-theft", "cve-2019-25652"],
      "_cs_type": "advisory",
      "_cs_vendors": [],
      "content_html": "<p>CVE-2019-25652 affects UniFi Network Controller versions prior to 5.10.22 and 5.11.x before 5.11.18. The vulnerability stems from an improper certificate verification process during SMTP connections. An attacker positioned on an adjacent network can exploit this weakness to conduct man-in-the-middle (MitM) attacks. By presenting a false SSL certificate, the attacker can intercept SMTP traffic intended for the UniFi Network Controller, potentially gaining access to sensitive information…</p>\n",
      "date_modified": "2026-03-27T22:16:19Z",
      "date_published": "2026-03-27T22:16:19Z",
      "id": "/briefs/2026-03-unifi-cert-bypass/",
      "summary": "UniFi Network Controller versions before 5.10.22 and 5.11.x before 5.11.18 contain an improper certificate verification vulnerability, enabling adjacent network attackers to perform man-in-the-middle attacks by presenting a fraudulent SSL certificate during SMTP connections to intercept traffic and steal credentials.",
      "title": "UniFi Network Controller Improper Certificate Verification Vulnerability (CVE-2019-25652)",
      "url": "https://feed.craftedsignal.io/briefs/2026-03-unifi-cert-bypass/"
    },
    {
      "_cs_actors": [],
      "_cs_cves": [],
      "_cs_exploited": false,
      "_cs_products": ["Elastic Defend", "Microsoft Defender XDR", "Sysmon"],
      "_cs_severities": ["medium"],
      "_cs_tags": ["defense-evasion", "persistence", "root certificate", "mitm"],
      "_cs_type": "advisory",
      "_cs_vendors": ["Microsoft", "Elastic"],
      "content_html": "<p>Attackers can install malicious root certificates to subvert trust controls and bypass security measures. Once a malicious root certificate is installed, attackers can sign malicious files, making them appear as legitimate software from trusted vendors like Microsoft. This allows the attacker to execute code undetected and maintain persistence on the system. Furthermore, a rogue root certificate can be used in adversary-in-the-middle attacks to decrypt SSL traffic, enabling the collection of sensitive data. This activity is typically achieved through registry modifications. Monitoring for these modifications can help security teams identify potential compromise attempts.</p>\n<h2 id=\"attack-chain\">Attack Chain</h2>\n<ol>\n<li>An attacker gains initial access to a Windows system, possibly through phishing or exploiting a software vulnerability.</li>\n<li>The attacker elevates privileges to administrator or SYSTEM level, required to modify the trusted root certificate store.</li>\n<li>The attacker uses tools like certutil.exe or PowerShell to import a malicious root certificate into the Windows registry.</li>\n<li>The registry keys <code>HKLM\\Software\\Microsoft\\SystemCertificates\\Root\\Certificates</code> or <code>HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\Root\\Certificates</code> are modified to add the new certificate.</li>\n<li>The attacker uses the newly installed root certificate to sign malicious executables or scripts.</li>\n<li>The signed malicious files are executed, bypassing signature-based detection mechanisms.</li>\n<li>The attacker intercepts and decrypts SSL traffic, collecting sensitive data like credentials or financial information.</li>\n<li>The attacker maintains persistence by using the trusted certificate to repeatedly sign and execute malicious code.</li>\n</ol>\n<h2 id=\"impact\">Impact</h2>\n<p>Successful installation of a malicious root certificate allows attackers to bypass security controls, leading to the execution of arbitrary code and potential data theft. This can result in significant data breaches, financial losses, and reputational damage. Attackers can use this technique to maintain a long-term presence on compromised systems, making detection and remediation more challenging. While no specific victim counts are available, the technique is broadly applicable across many sectors and can affect any organization running Windows systems.</p>\n<h2 id=\"recommendation\">Recommendation</h2>\n<ul>\n<li>Deploy the Sigma rule &ldquo;Detect Root Certificate Modification&rdquo; to your SIEM to detect registry modifications related to root certificate installation.</li>\n<li>Enable Sysmon registry event logging to provide the necessary data for the Sigma rule.</li>\n<li>Investigate any alerts triggered by the Sigma rule, focusing on processes modifying the registry keys related to root certificates.</li>\n<li>Review the &ldquo;False Positives&rdquo; section in the rule documentation to tune the Sigma rule for your environment.</li>\n<li>Monitor network traffic for suspicious SSL decryption activity following the detection of a root certificate modification.</li>\n</ul>\n",
      "date_modified": "2024-01-03T12:00:00Z",
      "date_published": "2024-01-03T12:00:00Z",
      "id": "/briefs/2024-01-root-cert-modification/",
      "summary": "The modification of root certificates on Windows systems by unauthorized processes can allow attackers to masquerade malicious files as valid signed components and intercept/decrypt SSL traffic, leading to defense evasion and data collection.",
      "title": "Windows Root Certificate Modification Detection",
      "url": "https://feed.craftedsignal.io/briefs/2024-01-root-cert-modification/"
    },
    {
      "_cs_actors": [],
      "_cs_cves": [{"cvss": 8.7, "id": "CVE-2026-41468"}],
      "_cs_exploited": false,
      "_cs_products": ["Sicuro24 SicuroWeb", "AngularJS"],
      "_cs_severities": ["high"],
      "_cs_tags": ["cve-2026-41468", "angularjs", "template-injection", "mitm"],
      "_cs_type": "advisory",
      "_cs_vendors": ["Beghelli"],
      "content_html": "<p>Beghelli Sicuro24 SicuroWeb is vulnerable due to its inclusion of AngularJS version 1.5.2, which is an end-of-life component with known sandbox escape primitives. This vulnerability, tracked as CVE-2026-41468, can be exploited via template injection present within the SicuroWeb application. When combined, these vulnerabilities allow a network-adjacent attacker to bypass the AngularJS sandbox and achieve arbitrary JavaScript execution within the browser sessions of SicuroWeb operators. The attack is facilitated by plaintext HTTP deployments, where a man-in-the-middle (MITM) attacker can inject the malicious payload without requiring active user interaction. This issue exposes operators to potential session hijacking, DOM manipulation, and persistent browser compromise.</p>\n<h2 id=\"attack-chain\">Attack Chain</h2>\n<ol>\n<li>Attacker positions themselves as a Man-in-the-Middle (MITM) on the network.</li>\n<li>Operator initiates a session with the vulnerable Beghelli Sicuro24 SicuroWeb application over plaintext HTTP.</li>\n<li>The MITM attacker intercepts the HTTP traffic between the operator and the SicuroWeb application.</li>\n<li>The attacker injects a malicious AngularJS template injection payload into the HTTP response destined for the operator&rsquo;s browser.</li>\n<li>The operator&rsquo;s browser processes the injected HTTP response, rendering the malicious AngularJS template.</li>\n<li>The injected AngularJS template leverages known sandbox escape primitives present in AngularJS 1.5.2.</li>\n<li>The sandbox escape allows the attacker to execute arbitrary JavaScript code within the operator&rsquo;s browser session.</li>\n<li>The attacker uses the arbitrary JavaScript execution to perform actions such as session hijacking, DOM manipulation for credential harvesting, or establishing persistent browser compromise.</li>\n</ol>\n<h2 id=\"impact\">Impact</h2>\n<p>Successful exploitation of CVE-2026-41468 can lead to significant compromise of Beghelli Sicuro24 SicuroWeb operator sessions. An attacker can hijack active sessions, steal credentials through DOM manipulation, or establish persistent control over the operator&rsquo;s browser. Due to the lack of specific victim numbers or sector targeting information, the potential scope of damage is difficult to quantify but highly dependent on the privileges associated with compromised operator accounts. A successful attack could enable unauthorized access to sensitive data, system configurations, or control functions managed by the SicuroWeb application.</p>\n<h2 id=\"recommendation\">Recommendation</h2>\n<ul>\n<li>Deploy the Sigma rule <code>Detect Suspicious AngularJS Template Injection</code> to identify potential exploitation attempts against web applications leveraging AngularJS, focusing on HTTP requests containing suspicious template expressions.</li>\n<li>Implement network monitoring for HTTP traffic to detect potential MITM attacks, focusing on connections to the SicuroWeb application, using the rule <code>Detect Plaintext HTTP Traffic</code>.</li>\n<li>Upgrade Beghelli Sicuro24 SicuroWeb to a version that no longer utilizes AngularJS 1.5.2 or implement a robust Content Security Policy (CSP) to mitigate the impact of potential template injection attacks.</li>\n</ul>\n",
      "date_modified": "2024-01-03T12:00:00Z",
      "date_published": "2024-01-03T12:00:00Z",
      "id": "/briefs/2024-01-03-beghelli-sicuro24-angularjs/",
      "summary": "Beghelli Sicuro24 SicuroWeb is vulnerable to arbitrary JavaScript execution due to embedding an end-of-life AngularJS 1.5.2 component with known sandbox escape primitives combined with template injection, enabling attackers to compromise operator browser sessions via MITM attacks.",
      "title": "Beghelli Sicuro24 SicuroWeb AngularJS Sandbox Escape via Template Injection",
      "url": "https://feed.craftedsignal.io/briefs/2024-01-03-beghelli-sicuro24-angularjs/"
    }
  ],
  "language": "en",
  "title": "CraftedSignal Threat Feed — Mitm",
  "version": "https://jsonfeed.org/version/1.1"
}