{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/nats.io/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["NATS server"],"_cs_severities":["high"],"_cs_tags":["nats.io","mqtt","acl-bypass","vulnerability"],"_cs_type":"advisory","_cs_vendors":["NATS.io"],"content_html":"\u003cp\u003eNATS.io is a high-performance open-source pub-sub distributed communication technology used in cloud, on-premise, IoT, and edge computing environments. A critical vulnerability exists in the NATS server that allows MQTT clients to bypass Access Control List (ACL) checks when using the MQTT client interface. Specifically, ACLs are not enforced in the \u003ccode\u003e$MQTT.\u0026gt;\u003c/code\u003e namespace, which handles MQTT subjects. This flaw affects NATS server versions prior to v2.12.6 and v2.11.15, potentially enabling malicious MQTT clients to publish or subscribe to topics they should not have access to, leading to information disclosure or unauthorized control of the NATS messaging system. The vulnerability is identified as CVE-2026-33217 and presents a significant security risk for organizations relying on NATS for secure communication.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a NATS server running a vulnerable version (prior to v2.12.6 or v2.11.15) with MQTT enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes an MQTT client connection to the NATS server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts MQTT PUBLISH or SUBSCRIBE messages targeting subjects within the \u003ccode\u003e$MQTT.\u0026gt;\u003c/code\u003e namespace.\u003c/li\u003e\n\u003cli\u003eThe NATS server, due to the vulnerability, fails to apply configured ACLs to the MQTT messages.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully publishes or subscribes to MQTT topics without proper authorization.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to MQTT data or control over MQTT devices connected to the NATS server.\u003c/li\u003e\n\u003cli\u003eThe attacker can then leverage the unauthorized access for malicious purposes such as data exfiltration or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-33217) can lead to unauthorized access to sensitive MQTT data within the NATS messaging system. This can affect any organization using NATS for MQTT communication, especially in IoT environments where MQTT is prevalent. The impact ranges from information disclosure to complete compromise of MQTT-controlled devices or services. The number of potential victims is dependent on the number of NATS deployments using MQTT functionality and running vulnerable versions, but given the widespread adoption of NATS, the potential impact is significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade NATS server instances to version v2.12.6 or v2.11.15 or later to remediate CVE-2026-33217.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect Suspicious MQTT Namespace Access\u003c/code\u003e to identify potential exploitation attempts targeting the \u003ccode\u003e$MQTT.\u0026gt;\u003c/code\u003e namespace.\u003c/li\u003e\n\u003cli\u003eMonitor NATS server logs for suspicious activity related to MQTT connections and subject access using the \u003ccode\u003e$MQTT.\u0026gt;\u003c/code\u003e namespace.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-nats-mqtt-acl-bypass/","summary":"A vulnerability in NATS.io versions before v2.12.6 or v2.11.15 allows MQTT clients to bypass ACL checks for MQTT subjects due to ACLs not being applied in the `$MQTT.\u003e` namespace, potentially allowing unauthorized access and control of MQTT communications.","title":"NATS.io MQTT ACL Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-nats-mqtt-acl-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Nats.io","version":"https://jsonfeed.org/version/1.1"}