{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/network-overlay/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["nebula-mesh (\u003c 0.7.1)"],"_cs_severities":["high"],"_cs_tags":["certificate-revocation","network-overlay","defense-evasion","persistence","network"],"_cs_type":"advisory","_cs_vendors":["ForgeKeep"],"content_html":"\u003cp\u003eA significant security flaw, tracked as CVE-2026-61699, has been identified in ForgeKeep's nebula-mesh, affecting versions prior to 0.7.1. This vulnerability prevents the enforcement of certificate revocation, allowing compromised or offboarded hosts to retain full access to the Nebula mesh network. Despite the Nebula server correctly adding a host's certificate fingerprint to a per-CA blocklist and attempting to distribute this information, the agent fails to process or apply these updates. Furthermore, the configuration generator does not include the \u003ccode\u003epki.blocklist\u003c/code\u003e entry in the agent's \u003ccode\u003econfig.yml\u003c/code\u003e. This creates a critical security blind spot, as an attacker who has exfiltrated a host's key and certificate can bypass administrative revocation actions and maintain unauthorized persistence on the network for the remaining lifetime of the certificate, which can be up to 365 days for mobile hosts or 30 days for agent hosts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise\u003c/strong\u003e: An attacker successfully compromises a host within a Nebula mesh environment, gaining initial access through unrelated means (e.g., exploitation of another vulnerability or social engineering).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Exfiltration\u003c/strong\u003e: The attacker locates and exfiltrates the compromised host's Nebula client certificate (\u003ccode\u003ehost.crt\u003c/code\u003e) and private key (\u003ccode\u003ehost.key\u003c/code\u003e) files, which are used for authentication to the mesh.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eOperator Revocation Attempt\u003c/strong\u003e: Upon detecting the compromise or as part of a routine offboarding process, the network operator initiates a revocation action for the compromised host via the Nebula administrative UI or API.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eServer-Side Blocklist Update\u003c/strong\u003e: The Nebula server correctly processes the revocation, adds the compromised host's certificate fingerprint to its internal per-CA blocklist, and flags other agents for updates.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAgent Update Failure\u003c/strong\u003e: Neighboring Nebula agents poll the server and receive the \u003ccode\u003eblocklist\u003c/code\u003e information within the \u003ccode\u003eUpdatesResponse\u003c/code\u003e, but due to a flaw in \u003ccode\u003einternal/agent/poller.go\u003c/code\u003e, they decode and then discard this blocklist without applying it to their local configuration.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eConfiguration Generation Flaw\u003c/strong\u003e: Even if a configuration re-render is triggered, the \u003ccode\u003econfiggen\u003c/code\u003e component in \u003ccode\u003einternal/configgen/marshal.go\u003c/code\u003e and \u003ccode\u003einternal/configgen/generator.go\u003c/code\u003e lacks the necessary fields to include the \u003ccode\u003epki.blocklist\u003c/code\u003e entry in the generated \u003ccode\u003econfig.yml\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence Maintained\u003c/strong\u003e: The attacker, using the previously exfiltrated \u003ccode\u003ehost.key\u003c/code\u003e and \u003ccode\u003ehost.crt\u003c/code\u003e, continues to operate the compromised host (or a clone) within the Nebula mesh, establishing connections and maintaining full overlay network reachability to all peers, completely bypassing the intended revocation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eProlonged Unauthorized Access\u003c/strong\u003e: The attacker retains unauthorized access for the full duration of the host's certificate validity (up to 30 days for agents and 365 days for mobile hosts), as the mesh peers continue to validate and accept the \u0026quot;revoked\u0026quot; certificate.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe failure to enforce certificate revocation in ForgeKeep's nebula-mesh allows an already compromised host to maintain unauthorized network access and persistence despite administrative actions to block it. This means that a host, once deemed untrustworthy and revoked by an operator, can continue to communicate within the overlay network for an extended period - up to 30 days for agent hosts and 365 days for mobile hosts. An attacker who has exfiltrated the necessary certificate and key material can leverage this flaw to sustain command and control, exfiltrate data, or launch further attacks from a seemingly blocked endpoint. The operational impact is a false sense of security, as the UI/API may show a host as blocked while it retains full mesh connectivity, making it a critical bypass for defense evasion and persistence.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eUpgrade immediately\u003c/strong\u003e: Patch affected ForgeKeep nebula-mesh installations to version 0.7.1 or later to address CVE-2026-61699.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor post-revocation activity\u003c/strong\u003e: Implement out-of-band monitoring for any network activity originating from hosts that have been administratively revoked, as they may still be active on the Nebula mesh due to CVE-2026-61699.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview Nebula deployment\u003c/strong\u003e: Assess the integrity of all Nebula agents to ensure they are correctly updated and capable of processing and applying certificate blocklists.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement supplementary controls\u003c/strong\u003e: Apply additional network access controls (e.g., host-based firewalls, network segmentation) for critical services within the Nebula mesh to provide layered defense against unrevoked compromised nodes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-14T20:36:00Z","date_published":"2026-07-14T20:36:00Z","id":"https://feed.craftedsignal.io/briefs/2026-07-nebula-mesh-cert-revocation-bypass/","summary":"A high-severity vulnerability, CVE-2026-61699, in ForgeKeep's nebula-mesh allows compromised or offboarded hosts to bypass certificate revocation, enabling attackers to maintain full mesh network access for up to 365 days despite operator actions.","title":"ForgeKeep Nebula-Mesh Certificate Revocation Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-nebula-mesh-cert-revocation-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Network-Overlay","version":"https://jsonfeed.org/version/1.1"}