{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/msrc/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:broadcom:rabbitmq_server:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":6.5,"id":"CVE-2026-57211"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["RabbitMQ management UI"],"_cs_severities":["high"],"_cs_tags":["vulnerability","ssrf","rabbitmq","windows","msrc"],"_cs_type":"advisory","_cs_vendors":["VMware"],"content_html":"\u003cp\u003eCVE-2026-57211, disclosed by Microsoft, describes a Server-Side Request Forgery (SSRF) vulnerability specifically affecting the RabbitMQ management UI when hosted on Windows operating systems. This vulnerability allows an unauthenticated remote attacker to craft requests that force the vulnerable RabbitMQ server to initiate outbound connections to arbitrary Universal Naming Convention (UNC) paths. This critical flaw could enable attackers to perform NTLM credential relay attacks by pointing the server to a malicious SMB share, leading to credential theft, or to conduct internal network reconnaissance by attempting connections to various internal network resources via UNC paths. While the advisory does not specify observed exploitation, the nature of SSRF in a management interface presents a significant risk to internal network security. Organizations utilizing RabbitMQ on Windows are strongly advised to review and apply the necessary security updates.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated remote attacker identifies a RabbitMQ instance running its management UI on a Windows server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request to the RabbitMQ management UI.\u003c/li\u003e\n\u003cli\u003eThis crafted request includes a parameter or payload designed to trigger the Server-Side Request Forgery (SSRF) vulnerability.\u003c/li\u003e\n\u003cli\u003eThe vulnerability causes the RabbitMQ server to attempt to initiate an outbound network connection to an attacker-controlled Universal Naming Convention (UNC) path (e.g., \u003ccode\u003e\\\\attacker-ip\\share\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eIf the attacker controls an SMB server at the specified UNC path, the Windows server hosting RabbitMQ will attempt NTLM authentication, sending its hashed credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker captures these NTLM hashes, which can then be cracked offline or used in NTLM relay attacks to gain unauthorized access to other services or systems within the internal network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-57211 can lead to significant information disclosure and potential lateral movement within an organization's network. Attackers can leverage the SSRF to force the RabbitMQ server to connect to arbitrary internal or external UNC paths. This can result in NTLM credential leakage, where the server's NTLM hash is sent to an attacker-controlled SMB share, allowing for offline cracking or NTLM relay attacks. Furthermore, the ability to make arbitrary outbound connections can be used for internal network reconnaissance, mapping network topologies, and identifying other vulnerable services or devices, escalating the potential for further compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update addressing CVE-2026-57211 released by VMware immediately to all affected RabbitMQ installations running on Windows.\u003c/li\u003e\n\u003cli\u003eRestrict outbound network connections from RabbitMQ servers to only necessary and trusted destinations to mitigate the impact of SSRF vulnerabilities.\u003c/li\u003e\n\u003cli\u003eImplement host-based firewalls or network segmentation to prevent RabbitMQ servers from initiating SMB connections to arbitrary UNC paths or untrusted internal hosts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T07:47:21Z","date_published":"2026-07-15T07:47:21Z","id":"https://feed.craftedsignal.io/briefs/2026-07-rabbitmq-unc-ssrf/","summary":"CVE-2026-57211 details a Server-Side Request Forgery (SSRF) vulnerability within the RabbitMQ management UI when deployed on Windows, enabling an attacker to coerce the server into making requests to arbitrary UNC paths, potentially leading to NTLM credential disclosure or internal network reconnaissance.","title":"RabbitMQ Management UI UNC SSRF Vulnerability (CVE-2026-57211) on Windows","url":"https://feed.craftedsignal.io/briefs/2026-07-rabbitmq-unc-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed - Msrc","version":"https://jsonfeed.org/version/1.1"}