{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/network-protocol/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-60108"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Zeek (\u003c 8.0.9)"],"_cs_severities":["medium"],"_cs_tags":["cve","dos","zeek","network-protocol","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Zeek"],"content_html":"\u003cp\u003eZeek before 8.0.9 contains an uncontrolled memory consumption vulnerability in the FTP analyzer that allows unauthenticated remote attackers to cause process termination by sending a crafted FTP control session negotiating AUTH GSSAPI followed by a large ADAT control line. Attackers can exploit the NVT_Analyzer component's lack of a maximum line length check, causing it to continuously double its internal buffer without bounds during base64 decoding of an attacker-controlled ADAT token, resulting in denial of service of the Zeek sensor. This vulnerability, tracked as CVE-2026-60108, impacts versions prior to 8.0.9 and poses a significant risk to the availability and stability of network monitoring operations where Zeek sensors are deployed, as it can be triggered remotely without authentication.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUnauthenticated remote attacker establishes an FTP control connection to a vulnerable Zeek sensor.\u003c/li\u003e\n\u003cli\u003eAttacker sends a crafted FTP command to initiate GSSAPI authentication negotiation within the session.\u003c/li\u003e\n\u003cli\u003eZeek's FTP analyzer, specifically the NVT_Analyzer component, begins processing the GSSAPI authentication.\u003c/li\u003e\n\u003cli\u003eAttacker sends an excessively large Authentication Data (ADAT) control line within the ongoing FTP control session.\u003c/li\u003e\n\u003cli\u003eThe NVT_Analyzer attempts to base64 decode the large ADAT token without an internal buffer size limit.\u003c/li\u003e\n\u003cli\u003eThe NVT_Analyzer continuously allocates and reallocates memory, doubling its buffer size without bounds, in an attempt to handle the oversized input.\u003c/li\u003e\n\u003cli\u003eThis uncontrolled memory consumption rapidly exhausts the Zeek sensor's available system resources.\u003c/li\u003e\n\u003cli\u003eThe Zeek sensor process terminates unexpectedly, resulting in a complete denial of service for the network monitoring system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-60108 results in the unauthenticated remote termination of the Zeek sensor process. This leads to a denial of service, rendering the Zeek instance incapable of network traffic analysis and security monitoring. For organizations relying on Zeek for critical threat detection, incident response, and compliance logging, this means a complete loss of visibility over network activity during the attack, potentially allowing other malicious activities to go undetected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-60108 immediately by updating all affected Zeek installations to version 8.0.9 or later to address the uncontrolled memory consumption vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T15:19:23Z","date_published":"2026-07-09T15:19:23Z","id":"https://feed.craftedsignal.io/briefs/2026-07-zeek-ftp-dos/","summary":"An uncontrolled memory consumption vulnerability in the Zeek FTP analyzer, versions prior to 8.0.9, allows unauthenticated remote attackers to cause process termination and denial of service of the Zeek sensor. This occurs when a crafted FTP control session with AUTH GSSAPI and a large ADAT control line exploits the NVT_Analyzer component's lack of a maximum line length check, leading to an unbounded internal buffer during base64 decoding.","title":"CVE-2026-60108 - Zeek FTP Analyzer Uncontrolled Memory Consumption leading to DoS","url":"https://feed.craftedsignal.io/briefs/2026-07-zeek-ftp-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - Network-Protocol","version":"https://jsonfeed.org/version/1.1"}