{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/network/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7548"}],"_cs_exploited":false,"_cs_products":["NR1800X 9.1.0u.6279_B20210910"],"_cs_severities":["critical"],"_cs_tags":["command-injection","router","network"],"_cs_type":"advisory","_cs_vendors":["Totolink"],"content_html":"\u003cp\u003eA command injection vulnerability, identified as CVE-2026-7548, affects Totolink NR1800X router version 9.1.0u.6279_B20210910. The vulnerability resides within the \u003ccode\u003esub_41A68C\u003c/code\u003e function of the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e file. By manipulating the \u003ccode\u003esetUssd\u003c/code\u003e argument, a remote attacker can inject arbitrary commands into the system. Publicly available exploit code makes exploitation easier. This vulnerability poses a significant risk as it allows unauthenticated remote attackers to execute arbitrary commands on the affected device, potentially leading to full system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Totolink NR1800X device running firmware version 9.1.0u.6279_B20210910.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe HTTP request includes the \u003ccode\u003esetUssd\u003c/code\u003e argument with a malicious payload designed to inject a command.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esub_41A68C\u003c/code\u003e function processes the \u003ccode\u003esetUssd\u003c/code\u003e argument without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe injected command is executed by the system with the privileges of 
the web server process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains initial access and can execute arbitrary commands on the device.\u003c/li\u003e\n\u003cli\u003eThe attacker may then use the command execution to escalate privileges, install malware, or pivot to other devices on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the affected Totolink NR1800X router. This could lead to complete compromise of the device, allowing the attacker to control network traffic, modify router settings, or use the router as a pivot point to attack other devices on the network. Given the wide usage of Totolink routers, a large number of devices could be vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e containing suspicious characters or command injection attempts in the \u003ccode\u003esetUssd\u003c/code\u003e parameter, using the Sigma rule provided below.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e endpoint to mitigate brute-force exploitation attempts.\u003c/li\u003e\n\u003cli\u003eApply available patches provided by Totolink to address the CVE-2026-7548 vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T03:16:01Z","date_published":"2026-05-01T03:16:01Z","id":"/briefs/2026-05-totolink-command-injection/","summary":"A command injection vulnerability exists in Totolink NR1800X version 9.1.0u.6279_B20210910, affecting the function sub_41A68C of the file /cgi-bin/cstecgi.cgi; by manipulating the argument setUssd, a remote attacker can inject commands, and an 
exploit is publicly available.","title":"Totolink NR1800X Command Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-totolink-command-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2025-71284"}],"_cs_exploited":false,"_cs_products":["SMG Gateway Management Software"],"_cs_severities":["critical"],"_cs_tags":["command-injection","rce","network"],"_cs_type":"advisory","_cs_vendors":["Synway"],"content_html":"\u003cp\u003eSynway SMG Gateway Management Software is susceptible to an OS command injection vulnerability (CVE-2025-71284) within the RADIUS configuration endpoint. An unauthenticated remote attacker can exploit this flaw by sending a specially crafted POST request to \u003ccode\u003e/en/9-2radius.php\u003c/code\u003e. The vulnerability lies in the improper sanitization of the \u003ccode\u003eradius_address\u003c/code\u003e POST parameter, which is directly incorporated into a \u003ccode\u003esed\u003c/code\u003e command. The Shadowserver Foundation observed the first exploitation evidence on 2025-07-11 (UTC). Successful exploitation allows the attacker to execute arbitrary shell commands on the affected system, potentially compromising the entire gateway. 
This vulnerability poses a significant risk to organizations using the Synway SMG Gateway, as it enables unauthenticated remote code execution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a Synway SMG Gateway Management Software instance exposed to the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious POST request targeting the \u003ccode\u003e/en/9-2radius.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes parameters such as \u003ccode\u003eradius_address\u003c/code\u003e, \u003ccode\u003eradius_address2\u003c/code\u003e, \u003ccode\u003eshared_secret2\u003c/code\u003e, \u003ccode\u003esource_ip\u003c/code\u003e, \u003ccode\u003etimeout\u003c/code\u003e, or \u003ccode\u003eretry\u003c/code\u003e along with \u003ccode\u003esave=1\u003c/code\u003e and \u003ccode\u003eenable_radius=1\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eradius_address\u003c/code\u003e parameter contains an OS command injection payload.\u003c/li\u003e\n\u003cli\u003eThe application improperly sanitizes the \u003ccode\u003eradius_address\u003c/code\u003e parameter and incorporates it into a \u003ccode\u003esed\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eThe injected command is executed by the operating system, granting the attacker arbitrary code execution privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a reverse shell to maintain persistence and expand their foothold.\u003c/li\u003e\n\u003cli\u003eThe attacker pivots within the network, gaining access to sensitive data or systems, and potentially establishing a long-term presence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary commands on the Synway SMG Gateway. 
This could lead to complete system compromise, data theft, disruption of services, and further propagation of attacks within the network. Given the high CVSS score (9.8), this vulnerability represents a critical threat. The number of affected systems and organizations is currently unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Synway SMG Gateway Radius Command Injection Attempt\u0026rdquo; to your SIEM to detect exploitation attempts based on suspicious POST requests to the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003eradius_address\u003c/code\u003e, \u003ccode\u003eradius_address2\u003c/code\u003e, \u003ccode\u003eshared_secret2\u003c/code\u003e, \u003ccode\u003esource_ip\u003c/code\u003e, \u003ccode\u003etimeout\u003c/code\u003e, and \u003ccode\u003eretry\u003c/code\u003e parameters in the RADIUS configuration endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/en/9-2radius.php\u003c/code\u003e containing suspicious characters or command sequences indicative of command injection attacks to activate the \u0026ldquo;Synway SMG Gateway Radius Command Injection Attempt\u0026rdquo; rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T17:16:25Z","date_published":"2026-04-30T17:16:25Z","id":"/briefs/2026-05-synway-smg-rce/","summary":"Synway SMG Gateway Management Software is vulnerable to unauthenticated OS command injection via crafted POST requests to the RADIUS configuration endpoint, leading to remote code execution.","title":"Synway SMG Gateway Management Software Unauthenticated OS Command 
Injection","url":"https://feed.craftedsignal.io/briefs/2026-05-synway-smg-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7036"}],"_cs_exploited":false,"_cs_products":["i9"],"_cs_severities":["high"],"_cs_tags":["cve-2026-7036","path-traversal","tenda","network"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eA path traversal vulnerability, identified as CVE-2026-7036, exists in Tenda i9 version 1.0.0.5(2204). Specifically, the vulnerability resides in the \u003ccode\u003eR7WebsSecurityHandler\u003c/code\u003e function of the HTTP Handler component. This flaw allows a remote, unauthenticated attacker to potentially access sensitive files and directories on the affected device. The vulnerability was reported on 2026-04-26, and a public exploit is reportedly available, increasing the risk of exploitation. This poses a significant threat to organizations using the affected Tenda i9 router, as it could lead to unauthorized access to sensitive information or system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Tenda i9 router running firmware version 1.0.0.5(2204) accessible over the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the vulnerable \u003ccode\u003eR7WebsSecurityHandler\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a path traversal sequence (e.g., \u0026ldquo;../\u0026rdquo;) within the URL or request parameters.\u003c/li\u003e\n\u003cli\u003eThe Tenda i9 router processes the malicious request without proper sanitization of the path.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eR7WebsSecurityHandler\u003c/code\u003e function incorrectly interprets the path traversal sequence, allowing access to files or directories outside the intended web root.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive files, such as configuration files or system logs.\u003c/li\u003e\n\u003cli\u003eThe attacker may use 
the exposed information to further compromise the device or the network it is connected to.\u003c/li\u003e\n\u003cli\u003eThe attacker could potentially modify system files or execute commands, leading to full device compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7036 can lead to unauthorized access to sensitive files on the Tenda i9 router. This includes configuration files containing credentials, system logs, or other confidential data. An attacker could leverage this access to gain further control of the device, potentially leading to a complete system compromise. While the number of affected devices is currently unknown, given the widespread use of Tenda routers, the potential impact could be significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule, which flags HTTP requests containing path traversal sequences aimed at web servers, to detect exploitation attempts (Sigma rule: \u0026ldquo;Detect Tenda i9 Path Traversal Attempt\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eSince the source mentions a public exploit exists, prioritize patching or replacing vulnerable Tenda i9 routers to remediate CVE-2026-7036 immediately, if a patch becomes available.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual file access patterns or requests containing suspicious path traversal sequences.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to block requests containing path traversal sequences.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-26T12:16:22Z","date_published":"2026-04-26T12:16:22Z","id":"/briefs/2026-04-tenda-path-traversal/","summary":"CVE-2026-7036 is a path traversal vulnerability affecting the R7WebsSecurityHandler function in the HTTP Handler component of Tenda i9 version 1.0.0.5(2204), allowing remote attackers to 
access sensitive files.","title":"Tenda i9 Path Traversal Vulnerability (CVE-2026-7036)","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.6,"id":"CVE-2026-5367"}],"_cs_exploited":false,"_cs_products":["OVN"],"_cs_severities":["high"],"_cs_tags":["cve","vulnerability","network"],"_cs_type":"advisory","_cs_vendors":["Open Virtual Network"],"content_html":"\u003cp\u003eCVE-2026-5367 describes a critical vulnerability affecting Open Virtual Network (OVN). A remote attacker can exploit this flaw by sending specially crafted DHCPv6 SOLICIT packets to the OVN controller. These packets contain an inflated Client ID length, which causes the \u003ccode\u003eovn-controller\u003c/code\u003e process to read beyond the allocated memory buffer. This out-of-bounds read allows the attacker to potentially access sensitive information stored in the heap memory, which can then be disclosed back to the attacker\u0026rsquo;s virtual machine port. Successful exploitation grants unauthorized access to potentially sensitive data within the OVN environment, impacting confidentiality.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable OVN deployment.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious DHCPv6 SOLICIT packet. 
The packet includes an inflated Client ID length field.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted DHCPv6 SOLICIT packet to the OVN controller.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eovn-controller\u003c/code\u003e receives the packet and attempts to process the DHCPv6 Client ID option.\u003c/li\u003e\n\u003cli\u003eDue to the inflated Client ID length, the \u003ccode\u003eovn-controller\u003c/code\u003e reads beyond the bounds of the allocated memory buffer.\u003c/li\u003e\n\u003cli\u003eThis out-of-bounds read accesses sensitive information residing in the heap memory.\u003c/li\u003e\n\u003cli\u003eThe compromised data is included in the DHCPv6 response sent back to the attacker\u0026rsquo;s virtual machine port.\u003c/li\u003e\n\u003cli\u003eAttacker receives the DHCPv6 response containing the disclosed sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5367 leads to the disclosure of sensitive information stored in the heap memory of the \u003ccode\u003eovn-controller\u003c/code\u003e. 
The attacker can potentially gain access to configuration data, cryptographic keys, or other sensitive data, allowing them to further compromise the OVN environment or gain unauthorized access to other resources within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for suspicious DHCPv6 SOLICIT packets with unusually long Client ID lengths targeting the OVN controller, utilizing the network_connection rule provided below.\u003c/li\u003e\n\u003cli\u003eAnalyze DHCPv6 server logs for errors related to invalid Client ID lengths or out-of-bounds memory access, leveraging the linux process_creation rule provided below if auditd captures such events.\u003c/li\u003e\n\u003cli\u003eApply any available patches or updates provided by the OVN project to address CVE-2026-5367.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T13:16:21Z","date_published":"2026-04-24T13:16:21Z","id":"/briefs/2026-04-ovn-dhcpv6-oob-read/","summary":"A remote attacker can exploit an out-of-bounds read vulnerability in Open Virtual Network (OVN) by sending crafted DHCPv6 SOLICIT packets, leading to sensitive information disclosure.","title":"OVN DHCPv6 Out-of-Bounds Read Vulnerability (CVE-2026-5367)","url":"https://feed.craftedsignal.io/briefs/2026-04-ovn-dhcpv6-oob-read/"},{"_cs_actors":["UAT-4356"],"_cs_cves":[{"cvss":9.9,"id":"CVE-2025-20333"},{"cvss":6.5,"id":"CVE-2025-20362"}],"_cs_exploited":false,"_cs_products":["Firepower eXtensible Operating System (FXOS)","ASA","FTD"],"_cs_severities":["critical"],"_cs_tags":["uat-4356","firestarter","cisco","backdoor","network","espionage"],"_cs_type":"threat","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eCisco Talos reported that UAT-4356 continues to actively target Cisco Firepower devices running the Firepower eXtensible Operating System (FXOS). 
In early 2024, Cisco Talos attributed the ArcaneDoor campaign to UAT-4356, a state-sponsored actor focused on gaining access to network perimeter devices for espionage. The actor exploits n-day vulnerabilities CVE-2025-20333 and CVE-2025-20362 to gain unauthorized access to vulnerable devices. Upon successful exploitation, UAT-4356 deploys a custom-built backdoor called \u0026ldquo;FIRESTARTER,\u0026rdquo; which shares technical capabilities with RayInitiator\u0026rsquo;s Stage 3 shellcode. FIRESTARTER enables remote access and the execution of arbitrary code within the LINA process, a core component of Cisco\u0026rsquo;s ASA and FTD appliances. This allows the attackers to maintain persistent access to compromised systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUAT-4356 exploits CVE-2025-20333 and/or CVE-2025-20362 on Cisco Firepower devices running FXOS to gain initial access.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the CSP_MOUNT_LIST to establish persistence for the FIRESTARTER backdoor.\u003c/li\u003e\n\u003cli\u003eThe FIRESTARTER backdoor is written to \u003ccode\u003e/opt/cisco/platform/logs/var/log/svc_samcore.log\u003c/code\u003e and the CSP_MOUNT_LIST is updated to copy itself to \u003ccode\u003e/usr/bin/lina_cs\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAfter a graceful reboot, FIRESTARTER is executed from \u003ccode\u003e/usr/bin/lina_cs\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eFIRESTARTER restores the original CSP_MOUNT_LIST from \u003ccode\u003e/tmp/CSP_MOUNTLIST.tmp\u003c/code\u003e and removes the temporary copy and the trojanized \u003ccode\u003e/usr/bin/lina_cs\u003c/code\u003e file from disk.\u003c/li\u003e\n\u003cli\u003eFIRESTARTER reads the LINA process’ memory, searching for specific byte sequences to verify memory layout.\u003c/li\u003e\n\u003cli\u003eFIRESTARTER copies the next stage shellcode to the last 0x200 bytes of the 
\u0026ldquo;libstdc++.so\u0026rdquo; memory region.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites an internal data structure in the LINA process to replace a pointer to a legitimate WebVPN XML handler function with the address of the malicious shellcode. This allows execution of arbitrary shellcode received via WebVPN requests.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised Cisco Firepower devices allow UAT-4356 to gain a foothold on network perimeters for espionage. Successful exploitation and deployment of the FIRESTARTER backdoor enable attackers to execute arbitrary shellcode, potentially leading to data exfiltration, further network compromise, or disruption of services. The number of victims is currently unknown, but this campaign targets network perimeter devices, which could impact organizations across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the file integrity monitoring rule to detect the creation or modification of \u003ccode\u003e/usr/bin/lina_cs\u003c/code\u003e and \u003ccode\u003e/opt/cisco/platform/logs/var/log/svc_samcore.log\u003c/code\u003e (see \u0026ldquo;File Creation in Suspicious Directory\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eApply software upgrade recommendations outlined in Cisco\u0026rsquo;s Security Advisory to mitigate CVE-2025-20333 and CVE-2025-20362.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for WebVPN requests containing unexpected XML payloads that might be used to trigger the FIRESTARTER backdoor.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T15:11:53Z","date_published":"2026-04-23T15:11:53Z","id":"/briefs/2026-04-uat-4356-firestarter/","summary":"UAT-4356 is actively targeting Cisco Firepower devices running FXOS, exploiting CVE-2025-20333 and CVE-2025-20362 to deploy the FIRESTARTER backdoor which allows remote access and control 
by injecting malicious shellcode into the LINA process.","title":"UAT-4356 FIRESTARTER Backdoor Targeting Cisco Firepower Devices","url":"https://feed.craftedsignal.io/briefs/2026-04-uat-4356-firestarter/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2019-25706"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2019-25706","file-disclosure","router","network"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Across DR-810 router contains an unauthenticated file disclosure vulnerability (CVE-2019-25706) that allows remote attackers to retrieve sensitive information. By sending a simple GET request to the \u003ccode\u003e/rom-0\u003c/code\u003e endpoint, an attacker can download a backup file containing router passwords, configuration details, and potentially other sensitive data. This vulnerability exists because the \u003ccode\u003e/rom-0\u003c/code\u003e endpoint does not require authentication, allowing anyone with network access to the router to retrieve the backup file. Successful exploitation leads to complete compromise of the device\u0026rsquo;s configuration and potential lateral movement within the network if credentials are reused. 
This vulnerability was published on 2026-04-12.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an Across DR-810 router exposed on the network.\u003c/li\u003e\n\u003cli\u003eAttacker crafts an HTTP GET request targeting the \u003ccode\u003e/rom-0\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe router responds with the \u003ccode\u003erom-0\u003c/code\u003e backup file without requiring authentication.\u003c/li\u003e\n\u003cli\u003eAttacker downloads the \u003ccode\u003erom-0\u003c/code\u003e backup file.\u003c/li\u003e\n\u003cli\u003eAttacker decompresses the downloaded \u003ccode\u003erom-0\u003c/code\u003e file, which is likely compressed to reduce size.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the decompressed file to extract sensitive information such as router passwords.\u003c/li\u003e\n\u003cli\u003eAttacker uses the extracted router passwords to gain administrative access to the router\u0026rsquo;s web interface.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to retrieve sensitive information, including router passwords and configuration data. This can lead to complete compromise of the affected router. An attacker can then modify router settings, intercept network traffic, or potentially use the compromised router as a pivot point to access other systems on the network. 
If the router passwords are reused across multiple systems, the impact could extend beyond the compromised router, affecting other devices and services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for requests to the \u003ccode\u003e/rom-0\u003c/code\u003e endpoint on Across DR-810 routers to detect potential exploitation attempts using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eInspect network traffic for unusual downloads from Across DR-810 routers, focusing on responses from the \u003ccode\u003e/rom-0\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eBlock access to the \u003ccode\u003e/rom-0\u003c/code\u003e endpoint on Across DR-810 routers via firewall rules to prevent unauthorized access.\u003c/li\u003e\n\u003cli\u003eReview the provided reference URLs for additional context and potential mitigation strategies.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-12T13:16:33Z","date_published":"2026-04-12T13:16:33Z","id":"/briefs/2026-04-across-dr810-file-disclosure/","summary":"Across DR-810 routers are vulnerable to unauthenticated file disclosure, allowing remote attackers to download the rom-0 backup file containing sensitive information, such as router passwords and configuration data, via a simple GET request to the rom-0 endpoint.","title":"Across DR-810 Unauthenticated File Disclosure Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-across-dr810-file-disclosure/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.4,"id":"CVE-2026-33797"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cve-2026-33797","denial-of-service","juniper","bgp","network"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-33797 is a vulnerability affecting Juniper Networks Junos OS and Junos OS Evolved versions 25.2 before 25.2R2 and 25.2-EVO before 25.2R2-EVO, respectively. 
It stems from improper input validation within the Border Gateway Protocol (BGP) handling. An unauthenticated, adjacent attacker can exploit this flaw by sending a crafted BGP packet to an already established BGP session. This malicious packet causes the targeted BGP session to reset, leading to a Denial of Service (DoS). Repeated transmission of the crafted packet can sustain the DoS condition. Both external BGP (eBGP) and internal BGP (iBGP) sessions are susceptible, and the vulnerability impacts both IPv4 and IPv6 network configurations. This vulnerability poses a risk to network stability and availability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Juniper device running Junos OS or Junos OS Evolved versions 25.2 prior to 25.2R2 or 25.2-EVO prior to 25.2R2-EVO.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes network adjacency to the targeted device, allowing for direct BGP communication.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a specific, but genuine, BGP packet designed to exploit the improper input validation vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted BGP packet to an already established BGP session on the target device.\u003c/li\u003e\n\u003cli\u003eUpon receiving the malicious packet, the vulnerable Junos OS or Junos OS Evolved instance improperly processes it.\u003c/li\u003e\n\u003cli\u003eDue to the input validation failure, the targeted BGP session is forcibly reset.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats the process of sending the crafted BGP packet to continuously reset the BGP session.\u003c/li\u003e\n\u003cli\u003eThe repeated session resets cause a sustained Denial of Service (DoS), disrupting network routing and connectivity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33797 leads to a denial-of-service 
condition affecting BGP routing. By repeatedly sending crafted BGP packets, an attacker can disrupt network connectivity and stability. The impact is a loss of routing functionality for networks relying on the targeted BGP sessions. The number of potential victims is broad, including any organization using vulnerable versions of Junos OS or Junos OS Evolved. This can result in service outages, impaired communication, and potential financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Junos OS to version 25.2R2 or later to remediate CVE-2026-33797 (see references).\u003c/li\u003e\n\u003cli\u003eUpgrade Junos OS Evolved to version 25.2R2-EVO or later to remediate CVE-2026-33797 (see references).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect unusual BGP reset activity in network traffic (see rules).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unexpected BGP session resets originating from adjacent networks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T22:16:29Z","date_published":"2026-04-09T22:16:29Z","id":"/briefs/2024-01-22-juniper-bgp-dos/","summary":"CVE-2026-33797 is an improper input validation vulnerability in Juniper Networks Junos OS and Junos OS Evolved that allows an unauthenticated adjacent attacker to reset established BGP sessions via a specific BGP packet, leading to a denial of service condition.","title":"Juniper Junos OS and Junos OS Evolved BGP Session Reset Denial of Service (CVE-2026-33797)","url":"https://feed.craftedsignal.io/briefs/2024-01-22-juniper-bgp-dos/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-33785"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","network","juniper"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eJuniper Networks Junos OS on MX Series is vulnerable to a missing authorization issue 
(CVE-2026-33785). This vulnerability allows a local, authenticated user with low privileges to execute specific CLI operational commands, specifically \u0026lsquo;request csds\u0026rsquo;, that should only be available to high-privileged users or those designated for Juniper Device Manager (JDM) / Connected Security Distributed Services (CSDS) operations. Successful exploitation leads to a complete compromise of managed devices. This issue affects Junos OS on MX Series versions 24.4 prior to 24.4R2-S3 and 25.2 prior to 25.2R2. Releases prior to 24.4 are not affected. The vulnerability was published on 2026-04-09.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains local, low-privilege access to a Junos OS MX Series device.\u003c/li\u003e\n\u003cli\u003eAttacker authenticates to the Junos OS CLI using their credentials.\u003c/li\u003e\n\u003cli\u003eAttacker executes the \u0026lsquo;request csds\u0026rsquo; operational command.\u003c/li\u003e\n\u003cli\u003eThe system fails to perform adequate authorization checks before executing the command.\u003c/li\u003e\n\u003cli\u003eThe \u0026lsquo;request csds\u0026rsquo; command executes with elevated privileges due to the missing authorization.\u003c/li\u003e\n\u003cli\u003eAttacker leverages the elevated privileges to modify system configurations.\u003c/li\u003e\n\u003cli\u003eAttacker installs malicious software or backdoors.\u003c/li\u003e\n\u003cli\u003eAttacker achieves complete compromise of the Junos OS MX Series device, potentially impacting all devices managed by it.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33785 allows an attacker to completely compromise a Juniper Junos OS MX Series device. 
This can lead to unauthorized access to sensitive data, disruption of network services, and the potential compromise of other devices managed by the affected MX Series device. The vulnerability affects Junos OS on MX Series versions 24.4 before 24.4R2-S3 and 25.2 before 25.2R2. While the exact number of vulnerable devices is unknown, the impact is critical due to the potential for widespread network compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Junos OS on MX Series devices to versions 24.4R2-S3 or later, or 25.2R2 or later, to patch CVE-2026-33785.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect unauthorized execution of the \u003ccode\u003erequest csds\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eMonitor Junos OS CLI command logs for suspicious activity, specifically focusing on the \u003ccode\u003erequest csds\u003c/code\u003e command and user privilege levels.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T22:16:27Z","date_published":"2026-04-09T22:16:27Z","id":"/briefs/2026-04-junos-mx-privesc/","summary":"CVE-2026-33785 allows a low-privileged, local, authenticated user to execute 'request csds' commands on Juniper Junos OS MX Series devices, leading to complete device compromise.","title":"Juniper Junos OS MX Series Missing Authorization Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-junos-mx-privesc/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2021-4477"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2021-4477","firewall-bypass","network"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eHirschmann HiLCOS OpenBAT and BAT450 products are vulnerable to a firewall bypass (CVE-2021-4477) in IPv6 IPsec deployments. 
The vulnerability allows attackers to circumvent configured firewall rules by establishing IPv6 IPsec connections (IKEv1 or IKEv2) while simultaneously maintaining an IPv6 Internet connection. This bypass can allow unauthorized access to internal network resources. The vulnerability was published in April 2026. Exploitation of this vulnerability can lead to significant security breaches, allowing attackers to move laterally within a network and potentially compromise sensitive data. Defenders should prioritize patching and implementing detection measures to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Hirschmann HiLCOS OpenBAT or BAT450 device with IPv6 and IPsec enabled.\u003c/li\u003e\n\u003cli\u003eAttacker establishes an IPv6 IPsec VPN connection (IKEv1 or IKEv2) to the target device.\u003c/li\u003e\n\u003cli\u003eSimultaneously, the attacker maintains an active IPv6 Internet connection.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts network packets designed to bypass the configured firewall rules.\u003c/li\u003e\n\u003cli\u003eThe target device incorrectly routes traffic from the VPN connection, bypassing the firewall.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to internal network resources.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the network, exploiting additional vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or performs other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2021-4477 allows attackers to bypass firewall restrictions, potentially compromising the entire network. This can lead to unauthorized access to sensitive data, lateral movement within the network, and deployment of malware. 
The severity of the impact depends on the network configuration and the sensitivity of the data being protected by the affected devices. Due to the nature of industrial control systems (ICS), successful exploitation could have significant operational and safety consequences.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patches provided by Belden for Hirschmann HiLCOS OpenBAT and BAT450 products to address CVE-2021-4477, as referenced in the Belden Security Bulletin.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for anomalous IPv6 IPsec connections originating from or directed towards Hirschmann devices to detect potential exploitation attempts, using network connection logs.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule \u003ccode\u003eDetect_Hirschmann_IPsec_Bypass\u003c/code\u003e to identify suspicious network activity indicative of the firewall bypass vulnerability.\u003c/li\u003e\n\u003cli\u003eReview and harden firewall configurations on affected devices, ensuring that IPv6 traffic is properly inspected and filtered, based on product documentation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T23:17:01Z","date_published":"2026-04-03T23:17:01Z","id":"/briefs/2026-04-hirschmann-firewall-bypass/","summary":"CVE-2021-4477 describes a firewall bypass vulnerability in Hirschmann HiLCOS OpenBAT and BAT450 products that can be exploited by establishing IPv6 IPsec connections (IKEv1 or IKEv2) while using an IPv6 Internet connection, allowing attackers to bypass configured firewall rules.","title":"Hirschmann HiLCOS OpenBAT/BAT450 IPv6 IPsec Firewall Bypass 
(CVE-2021-4477)","url":"https://feed.craftedsignal.io/briefs/2026-04-hirschmann-firewall-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2020-37216"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["dos","cve-2020-37216","network"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eHirschmann HiOS is vulnerable to a denial-of-service (DoS) condition due to improper handling of packet length fields within the EtherNet/IP stack. This vulnerability, identified as CVE-2020-37216, affects HiOS devices with versions prior to 08.1.00 and 07.1.01. A remote attacker can exploit this flaw by sending specially crafted UDP EtherNet/IP packets where the specified length value exceeds the actual packet size. Successful exploitation leads to a device crash or hang, rendering it inoperable and disrupting network communications. This vulnerability was reported and published in April 2026. Defenders should prioritize patching or mitigating this vulnerability to maintain network availability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies vulnerable Hirschmann HiOS device on the network.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious UDP EtherNet/IP packet.\u003c/li\u003e\n\u003cli\u003eThe crafted packet includes a length field with a value exceeding the actual packet size.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted UDP EtherNet/IP packet to the targeted HiOS device.\u003c/li\u003e\n\u003cli\u003eThe HiOS device attempts to process the malformed packet.\u003c/li\u003e\n\u003cli\u003eDue to the improper handling of the invalid length field, the EtherNet/IP stack within the HiOS device encounters an error.\u003c/li\u003e\n\u003cli\u003eThe error causes the HiOS device to crash or hang.\u003c/li\u003e\n\u003cli\u003eThe device becomes inoperable, resulting in a denial-of-service 
condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2020-37216 results in a denial-of-service condition on the affected Hirschmann HiOS device. This can disrupt critical network communications and potentially impact industrial control systems relying on the affected device. The number of affected devices and organizations depends on the prevalence of vulnerable HiOS versions within operational networks. A successful attack could lead to temporary or prolonged outages, impacting productivity and availability of industrial processes.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Hirschmann HiOS devices to versions 08.1.00 or 07.1.01 or later to patch CVE-2020-37216.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious UDP EtherNet/IP packets with abnormally large length fields destined for Hirschmann HiOS devices, using the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential impact of a successful denial-of-service attack.\u003c/li\u003e\n\u003cli\u003eReview and harden the configuration of Hirschmann HiOS devices according to vendor best practices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T21:17:08Z","date_published":"2026-04-03T21:17:08Z","id":"/briefs/2026-04-hios-dos/","summary":"A denial-of-service vulnerability in Hirschmann HiOS devices allows remote attackers to crash or hang the device by sending crafted UDP EtherNet/IP packets with invalid length fields.","title":"Hirschmann HiOS EtherNet/IP Stack Denial-of-Service Vulnerability 
(CVE-2020-37216)","url":"https://feed.craftedsignal.io/briefs/2026-04-hios-dos/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-31933"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["dos","suricata","cve-2026-31933","network"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSuricata, a network IDS, IPS, and NSM engine, is susceptible to a denial-of-service vulnerability (CVE-2026-31933) affecting versions prior to 7.0.15 and 8.0.4. This flaw arises from inefficient algorithmic complexity (CWE-407), where specially crafted network traffic can induce a significant slowdown in Suricata\u0026rsquo;s processing, particularly impacting its performance in IDS mode. An attacker can exploit this vulnerability by sending malicious network packets, potentially causing the Suricata instance to become unresponsive or consume excessive resources. The vulnerability was reported and patched by the Open Information Security Foundation (OISF). Organizations using affected Suricata versions are vulnerable to service disruption.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a series of malicious network packets specifically designed to exploit the algorithmic inefficiency in Suricata\u0026rsquo;s packet processing.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted packets to the Suricata instance. This can be achieved through various network protocols and ports monitored by Suricata.\u003c/li\u003e\n\u003cli\u003eSuricata receives the packets and begins processing them. 
Due to the inefficient algorithm, processing these packets consumes significantly more resources than legitimate traffic.\u003c/li\u003e\n\u003cli\u003eAs the number of malicious packets increases, Suricata\u0026rsquo;s CPU and memory usage rises dramatically, leading to a performance slowdown.\u003c/li\u003e\n\u003cli\u003eThe slowdown affects Suricata\u0026rsquo;s ability to inspect other network traffic in a timely manner, potentially allowing malicious activity to go undetected.\u003c/li\u003e\n\u003cli\u003eEventually, Suricata\u0026rsquo;s performance degrades to the point where it becomes unresponsive, effectively causing a denial-of-service condition.\u003c/li\u003e\n\u003cli\u003eLegitimate network traffic may be dropped or delayed due to Suricata\u0026rsquo;s inability to process it efficiently.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31933 results in a denial-of-service condition, causing Suricata to become unresponsive and hindering its ability to perform network intrusion detection and prevention. The impact includes the potential for undetected malicious activity, delayed or dropped legitimate network traffic, and increased operational overhead for security teams to investigate and remediate the issue. 
The severity is rated as HIGH with a CVSS v3.1 score of 7.5.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Suricata to version 7.0.15 or 8.0.4 or later to patch CVE-2026-31933.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetectHighPacketRate\u003c/code\u003e to identify unusual traffic patterns indicative of a DoS attempt.\u003c/li\u003e\n\u003cli\u003eMonitor Suricata\u0026rsquo;s CPU and memory utilization for unexpected spikes, which could indicate exploitation of this vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting or traffic shaping rules on network devices to mitigate the impact of malicious traffic.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T14:16:28Z","date_published":"2026-04-02T14:16:28Z","id":"/briefs/2026-04-suricata-dos/","summary":"Specially crafted network traffic can cause Suricata to slow down, leading to a denial-of-service condition in versions prior to 7.0.15 and 8.0.4, as identified by CVE-2026-31933.","title":"Suricata DoS Vulnerability (CVE-2026-31933)","url":"https://feed.craftedsignal.io/briefs/2026-04-suricata-dos/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ransomware","firewall","network"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Interlock ransomware campaign specifically targets enterprise firewalls. The campaign\u0026rsquo;s objective is to encrypt sensitive data residing on or accessible through these firewalls, rendering systems inoperable and creating significant business disruption. While specific details about the initial discovery and scope of the campaign remain limited, its focus on firewalls suggests a targeted approach aimed at organizations heavily reliant on these devices for network security and perimeter defense. 
The lack of specific details about delivery mechanisms and exploited vulnerabilities underscores the need for proactive threat hunting and vulnerability management to detect and mitigate potential Interlock ransomware infections.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to the targeted network, potentially through exploiting vulnerabilities in the firewall\u0026rsquo;s management interface or VPN services.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFirewall Compromise:\u003c/strong\u003e The attacker exploits the initial access to compromise the firewall device. This may involve exploiting known vulnerabilities or using stolen credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker uses the compromised firewall as a pivot point to move laterally within the internal network. Tools like \u003ccode\u003essh\u003c/code\u003e or \u003ccode\u003ePsExec\u003c/code\u003e may be used.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker performs reconnaissance to identify valuable data stores accessible through the firewall. This may involve scanning network shares or querying databases.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker attempts to escalate privileges to gain administrative access to critical systems. 
This could involve exploiting vulnerabilities or using credential harvesting techniques.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Encryption:\u003c/strong\u003e The attacker deploys the Interlock ransomware payload to encrypt sensitive data on systems accessible via the firewall.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRansom Demand:\u003c/strong\u003e After encryption, the attacker delivers a ransom note demanding payment for decryption keys.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration (Possible):\u003c/strong\u003e Depending on the attacker\u0026rsquo;s goals, data exfiltration may occur prior to encryption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful Interlock ransomware attack can lead to significant data loss, business disruption, and financial damage. Organizations can suffer reputational damage and legal repercussions due to data breaches. The targeted nature of the attack suggests a focus on organizations where firewall compromise would have a widespread impact, potentially affecting hundreds or thousands of users or customers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable enhanced logging on all enterprise firewalls to capture detailed activity, including login attempts, configuration changes, and network traffic. 
This enhances the effectiveness of the detection rules below.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all firewall administrative access to mitigate the risk of credential theft.\u003c/li\u003e\n\u003cli\u003eRegularly patch and update firewall firmware to address known vulnerabilities.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-19T05:33:30Z","date_published":"2026-03-19T05:33:30Z","id":"/briefs/2024-01-interlock-firewall-ransomware/","summary":"The Interlock ransomware campaign is targeting enterprise firewalls to encrypt sensitive data and demand ransom payment.","title":"Interlock Ransomware Campaign Targeting Enterprise Firewalls","url":"https://feed.craftedsignal.io/briefs/2024-01-interlock-firewall-ransomware/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["fortigate","vpn","cve-2023-27997","exploit","network"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn February 26, 2026, network intrusion detection systems (IDS) triggered alerts related to potential exploitation attempts targeting Fortigate VPN servers. The alerts highlight suspicious network activity originating from multiple IP addresses, specifically repeated GET requests to the \u003ccode\u003e/remote/logincheck\u003c/code\u003e endpoint, the SSL-VPN login endpoint associated with the known vulnerability CVE-2023-27997. That vulnerability could allow unauthorized access to the VPN. 
Additionally, an IPv4 address was observed using a suspicious…\u003c/p\u003e\n","date_modified":"2026-02-26T07:27:12Z","date_published":"2026-02-26T07:27:12Z","id":"/briefs/2026-02-fortigate-cve-2023-27997/","summary":"Multiple IDS alerts indicate potential exploitation attempts against Fortigate VPN servers using CVE-2023-27997, alongside traffic from a suspicious user agent, possibly indicating reconnaissance or exploit activity.","title":"Fortigate VPN Exploit Attempt via CVE-2023-27997 and Suspicious User-Agent","url":"https://feed.craftedsignal.io/briefs/2026-02-fortigate-cve-2023-27997/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cisco-sdwan","vulnerability","exploitation","network"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCISA and its partners have observed malicious cyber actors targeting and compromising Cisco SD-WAN systems across various organizations globally. The attackers are leveraging CVE-2026-20127, an authentication bypass vulnerability, for initial access. Following successful exploitation of CVE-2026-20127, the attackers escalate privileges and establish long-term persistence within the compromised SD-WAN systems using CVE-2022-20775. 
In response to this active exploitation, CISA issued Emergency…\u003c/p\u003e\n","date_modified":"2026-02-25T12:00:00Z","date_published":"2026-02-25T12:00:00Z","id":"/briefs/2026-02-cisco-sdwan-vulns/","summary":"Malicious actors are actively exploiting CVE-2026-20127 for initial access and CVE-2022-20775 for privilege escalation and persistence on Cisco SD-WAN systems globally.","title":"Ongoing Exploitation of Cisco SD-WAN Systems","url":"https://feed.craftedsignal.io/briefs/2026-02-cisco-sdwan-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elasticsearch"],"_cs_severities":["high"],"_cs_tags":["initial-access","network","rpc"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule identifies RPC traffic originating from the internet, which can indicate malicious activity. RPC is used for remote system administration and resource sharing but should almost never be exposed to the internet. Threat actors frequently target RPC for initial access or as a backdoor. This rule analyzes network traffic, specifically looking for TCP connections to port 135 (the Microsoft RPC endpoint mapper port) originating from outside the internal network. The rule aims to detect unauthorized attempts to access or control systems via RPC from external sources, enhancing network security and preventing potential breaches. 
The rule was last updated on 2026-04-24.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker scans the internet for systems with exposed RPC services on TCP port 135.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a TCP connection to the target system\u0026rsquo;s port 135.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to negotiate an RPC connection, potentially exploiting vulnerabilities in the RPC service.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation allows the attacker to execute commands remotely on the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system to perform reconnaissance, gathering information about the internal network.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts lateral movement to other systems within the network, using the initial foothold.\u003c/li\u003e\n\u003cli\u003eThe attacker installs malware or creates a backdoor for persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of exposed RPC services can lead to complete system compromise, allowing attackers to execute arbitrary commands, install malware, and steal sensitive data. This can result in data breaches, financial loss, and reputational damage. 
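The added example below was written for this rewrite and is not the feed's Sigma or Splunk content. It runs the three connection-level checks described in this brief and in the RDP brute-force and outbound SMB briefs that follow over a constructed connection log: inbound TCP/135 from a non-internal source, outbound TCP/139 or 445 from an internal host to a non-internal destination, and more than 10 attempts from one source to one host on TCP/3389 inside a sliding one-hour window. The record layout (timestamp, src, dst, dport, proto), the RFC1918-plus-loopback definition of internal, the thresholds and every address in the sample are assumptions.

```python
"""Boundary-direction and threshold detections over a connection log.

Added example; not the feed's Sigma/SPL. Checks implemented:
  rpc_from_internet  inbound TCP/135 from a non-internal source
  outbound_smb       internal host -> non-internal host on TCP/139 or 445
  rdp_bruteforce     > RDP_THRESHOLD attempts src -> dst:3389 within RDP_WINDOW
Record layout is an assumption: {"ts": datetime, "src", "dst", "dport", "proto"}.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Assumption: RFC1918 plus loopback and link-local are "internal". Add your
# own public ranges if you own any; this is the main false-positive knob.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
RPC_PORTS = {135}
SMB_PORTS = {139, 445}
RDP_PORT = 3389
RDP_THRESHOLD = 10               # more than this many attempts ...
RDP_WINDOW = timedelta(hours=1)  # ... inside this sliding window


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(records):
    """Return (kind, src, dst, dport) tuples in time order. RDP brute force
    is reported once per (src, dst, port) the first time the window fills."""
    findings = []
    windows = defaultdict(deque)   # (src, dst, dport) -> timestamps in window
    alerted = set()
    for r in sorted(records, key=lambda x: x["ts"]):
        if r["proto"] != "tcp":
            continue
        src_int, dst_int = is_internal(r["src"]), is_internal(r["dst"])
        if r["dport"] in RPC_PORTS and not src_int and dst_int:
            findings.append(("rpc_from_internet", r["src"], r["dst"], r["dport"]))
        if r["dport"] in SMB_PORTS and src_int and not dst_int:
            findings.append(("outbound_smb", r["src"], r["dst"], r["dport"]))
        if r["dport"] == RDP_PORT:
            key = (r["src"], r["dst"], r["dport"])
            q = windows[key]
            q.append(r["ts"])
            while q and r["ts"] - q[0] > RDP_WINDOW:   # drop attempts older than 1h
                q.popleft()
            if len(q) > RDP_THRESHOLD and key not in alerted:
                alerted.add(key)
                findings.append(("rdp_bruteforce",) + key)
    return findings


def rec(ts, src, dst, dport, proto="tcp"):
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": dport, "proto": proto}


# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_RECORDS = [
    rec("2024-01-03T12:00:05", "203.0.113.10", "10.0.0.5", 135),         # RPC from Internet
    rec("2024-01-03T12:00:06", "203.0.113.10", "10.0.0.5", 135, "udp"),  # not TCP: ignored
    rec("2024-01-03T12:01:00", "10.0.0.7", "198.51.100.20", 445),        # outbound SMB
    rec("2024-01-03T12:01:30", "10.0.0.7", "10.0.0.8", 445),             # internal SMB: benign
    rec("2024-01-03T12:02:00", "10.0.0.5", "10.0.0.6", 135),             # internal RPC: benign
] + [
    # 12 RDP attempts three minutes apart; the 11th crosses the threshold
    rec(f"2024-01-03T12:{3 * i:02d}:00", "198.51.100.9", "10.0.0.9", 3389) for i in range(12)
] + [
    # 5 attempts from an internal admin host: under the threshold
    rec(f"2024-01-03T13:{5 * i:02d}:00", "10.0.0.3", "10.0.0.9", 3389) for i in range(5)
]


def run_sample():
    return analyze(SAMPLE_RECORDS)


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

The sliding window keeps only timestamps inside the last hour, so a slow attacker spreading attempts over several hours stays under the threshold; lower RDP_THRESHOLD or widen RDP_WINDOW for exposed hosts, and feed the same records through the internal/external split to decide which brute-force alerts deserve a block rather than a ticket.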
The rule aims to surface these connections early, so that attackers can be cut off before initial access turns into wider network compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect RPC from Internet\u0026rdquo; to your SIEM to identify potentially malicious connections to port 135.\u003c/li\u003e\n\u003cli\u003eReview and harden systems that provide RPC services to ensure they are not directly exposed to the internet, as detected by the rule \u0026ldquo;Detect RPC from Internet\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eEnforce network segmentation to limit the exposure of critical systems and services, preventing RPC services from being accessible from the Internet (reference: note section in the rule).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the source and destination IP addresses and related network traffic logs (reference: note section in the rule).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:23:00Z","date_published":"2024-01-09T18:23:00Z","id":"/briefs/2024-01-09-rpc-from-internet/","summary":"This brief focuses on detecting Remote Procedure Call (RPC) traffic originating from the internet, a common initial access vector, by monitoring network connections to TCP port 135 and filtering known internal IP ranges.","title":"Detecting External RPC Traffic for Initial Access","url":"https://feed.craftedsignal.io/briefs/2024-01-09-rpc-from-internet/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2018-25318"}],"_cs_exploited":false,"_cs_products":["FH303/A300 firmware"],"_cs_severities":["critical"],"_cs_tags":["cve-2018-25318","tenda","dns-hijacking","network"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eCVE-2018-25318 affects Tenda FH303/A300 routers running firmware version V5.07.68_EN. 
This vulnerability stems from a session weakness related to insufficient cookie validation. An unauthenticated attacker can exploit this flaw to modify the DNS settings of the router. By sending a crafted GET request to the \u003ccode\u003e/goform/AdvSetDns\u003c/code\u003e endpoint with a forged admin cookie, an attacker can overwrite the configured DNS servers, potentially redirecting name resolution for every connected device, and with it their traffic, to attacker-controlled infrastructure. This can lead to phishing attacks, malware distribution, and other malicious activities. The vulnerability poses a significant risk to home and small office networks using the affected Tenda routers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable Tenda FH303/A300 router running firmware V5.07.68_EN.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request targeting the \u003ccode\u003e/goform/AdvSetDns\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted GET request includes a forged admin cookie, bypassing authentication checks due to the session weakness.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted GET request to the router\u0026rsquo;s management interface.\u003c/li\u003e\n\u003cli\u003eThe router, due to insufficient cookie validation, accepts the forged cookie and processes the request.\u003c/li\u003e\n\u003cli\u003eThe request modifies the DNS server settings on the router, replacing the legitimate DNS servers with attacker-controlled DNS servers.\u003c/li\u003e\n\u003cli\u003eUsers connected to the router unknowingly use the attacker\u0026rsquo;s DNS servers for name resolution.\u003c/li\u003e\n\u003cli\u003eDNS requests are redirected to malicious IPs controlled by the attacker, potentially leading to phishing sites or malware downloads.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2018-25318 allows an attacker to perform DNS hijacking on affected Tenda routers. This can redirect users to malicious websites designed to steal credentials, distribute malware, or conduct other harmful activities. The vulnerability poses a critical risk to users of the affected routers, as it can compromise their online security and privacy. The CVSS v3.1 base score for this vulnerability is 9.8, highlighting its severity. The number of affected users is dependent on the number of deployed vulnerable devices.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003e/goform/AdvSetDns\u003c/code\u003e with unusual parameters (Sigma rule: \u0026ldquo;Detect Tenda Router DNS Hijacking Attempt\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eIf possible, upgrade the router firmware to a version that patches CVE-2018-25318.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of compromised devices.\u003c/li\u003e\n\u003cli\u003eConsider using a reputable DNS service with built-in security features to mitigate the impact of DNS hijacking attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:00:00Z","date_published":"2024-01-03T18:00:00Z","id":"/briefs/2024-01-tenda-dns-hijacking/","summary":"Tenda FH303/A300 firmware V5.07.68_EN contains a session weakness vulnerability (CVE-2018-25318) that allows unauthenticated attackers to modify DNS settings by exploiting insufficient cookie validation, potentially redirecting user traffic to malicious sites.","title":"Tenda FH303/A300 DNS Hijacking Vulnerability (CVE-2018-25318)","url":"https://feed.craftedsignal.io/briefs/2024-01-tenda-dns-hijacking/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Secure Access Firewall","Splunk Enterprise","Splunk Enterprise 
Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["rdp","bruteforce","credential-access","windows","network"],"_cs_type":"advisory","_cs_vendors":["Cisco","Splunk"],"content_html":"\u003cp\u003eThis analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. It detects potential RDP brute force attacks by identifying source IPs that have made more than 10 connection attempts to the same RDP port on a host within a one-hour window. The results are presented in a table that includes the source and destination IPs, destination port, number of attempts, and the times of the first and last connection attempts, helping to prioritize IPs based on the intensity of activity. This activity can lead to account compromise and potential ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker scans the network to identify systems with open RDP ports (TCP 3389).\u003c/li\u003e\n\u003cli\u003eThe attacker initiates multiple RDP connection attempts to a target host, using a list of common usernames and passwords or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe firewall logs each connection attempt, recording the source and destination IPs, ports, and timestamps.\u003c/li\u003e\n\u003cli\u003eSysmon logs the network connections with Event ID 3.\u003c/li\u003e\n\u003cli\u003eThe attacker continues to attempt connections, typically exceeding 10 attempts within an hour.\u003c/li\u003e\n\u003cli\u003eUpon successful authentication, the attacker gains unauthorized access to the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker may then install malware, move laterally, or exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker might deploy ransomware like SamSam or Ryuk, as referenced in external reports.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful RDP brute force attacks can lead to unauthorized access to systems, data breaches, malware infections, and ransomware deployment. Compromised systems can be used as a staging point for further attacks within the network. The references indicate that ransomware attacks have been delivered using RDP brute-force techniques.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure network traffic data is populating the Network_Traffic data model to enable the provided search query.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRDP Bruteforce via Network Traffic\u003c/code\u003e to detect brute force attempts based on network connection patterns.\u003c/li\u003e\n\u003cli\u003eAdjust the count and duration thresholds in the detection query to tune the sensitivity for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate source IPs identified by the detection rule as potential attackers.\u003c/li\u003e\n\u003cli\u003eMonitor Sysmon EventID 3 for network connections to detect RDP brute-force attempts.\u003c/li\u003e\n\u003cli\u003eReview the referenced Zscaler and ReliaQuest articles for additional context and mitigation strategies.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-rdp-bruteforce/","summary":"This detection identifies potential RDP brute force attacks by monitoring network traffic for RDP application activity by detecting source IPs that have made more than 10 connection attempts to the same RDP port on a host within a one-hour window.","title":"Windows Remote Desktop Network Bruteforce Attempt","url":"https://feed.craftedsignal.io/briefs/2024-01-rdp-bruteforce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Secure Firewall Threat Defense","Splunk Enterprise","Splunk Enterprise 
Security","Splunk Cloud","Secure Access Firewall"],"_cs_severities":["high"],"_cs_tags":["network","smb","lateral-movement","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Cisco","Splunk"],"content_html":"\u003cp\u003eThis detection identifies outbound Server Message Block (SMB) traffic from internal hosts to external servers. The activity is identified by monitoring network traffic for SMB requests directed towards the Internet, an unusual occurrence in standard operations. This analytic is crucial for Security Operations Centers (SOCs) as it can signal an attacker\u0026rsquo;s attempt to retrieve credential hashes via compromised internal systems, a critical step in lateral movement and privilege escalation. The source mentions specific relevance to \u0026ldquo;Hidden Cobra Malware\u0026rdquo;, \u0026ldquo;DHS Report TA18-074A\u0026rdquo;, and \u0026ldquo;NOBELIUM Group\u0026rdquo;, suggesting possible connections to these threat actors or campaigns.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn internal host is compromised through an initial access vector (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to enumerate network resources accessible from the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages SMB to connect to external servers, typically on ports 139 or 445.\u003c/li\u003e\n\u003cli\u003eThe SMB connection attempts to authenticate or negotiate with the external server.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to exploit vulnerabilities in the SMB protocol or server.\u003c/li\u003e\n\u003cli\u003eThe attacker captures or relays credential hashes transmitted over the SMB connection.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the captured credentials to move laterally to other systems or escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration 
or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of outbound SMB traffic can lead to unauthorized access to sensitive data and full system compromise. Lateral movement and privilege escalation are key goals. Confirmed malicious SMB traffic could enable attackers to move through the network, potentially impacting numerous systems and leading to significant data breaches. While the number of victims isn\u0026rsquo;t specified, the detection\u0026rsquo;s relevance to known threat actors suggests potentially widespread impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eOutbound SMB Traffic Detected\u003c/code\u003e to your SIEM and tune it for your environment, using the provided positive and negative test cases to ensure accurate detection.\u003c/li\u003e\n\u003cli\u003eInvestigate and block any detected outbound SMB connections that are not explicitly authorized by legitimate business needs (reference \u003ccode\u003edetect_outbound_smb_traffic_filter\u003c/code\u003e macro in the original search).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to restrict internal hosts from directly accessing external SMB services.\u003c/li\u003e\n\u003cli\u003eEnforce strong password policies and multi-factor authentication to mitigate the impact of credential theft.\u003c/li\u003e\n\u003cli\u003eCategorize internal CIDR blocks as \u003ccode\u003einternal\u003c/code\u003e in your asset management system to reduce false positives (reference \u0026ldquo;known_false_positives\u0026rdquo; section).\u003c/li\u003e\n\u003cli\u003eConsider blocking external communications of all SMB versions and related protocols at the network 
boundary.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-outbound-smb/","summary":"This analytic detects outbound SMB connections from internal hosts to external servers, potentially indicating lateral movement and credential theft attempts.","title":"Outbound SMB Traffic Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-03-outbound-smb/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["GoBGP"],"_cs_severities":["medium"],"_cs_tags":["denial of service","bgp","network"],"_cs_type":"advisory","_cs_vendors":["osrg"],"content_html":"\u003cp\u003eA remote Denial of Service vulnerability exists in GoBGP that can be triggered by a malformed BGP UPDATE message, specifically when handling 4-byte AS attributes. The vulnerability, identified as CVE-2026-41643, affects GoBGP version 4.2.0 and earlier. The attack involves sending a crafted BGP UPDATE message that causes an index-out-of-range panic in the \u003ccode\u003eUpdatePathAttrs4ByteAs\u003c/code\u003e function within \u003ccode\u003einternal/pkg/table/message.go\u003c/code\u003e. This panic results in the GoBGP process crashing, leading to a loss of routing capabilities. A malicious peer or a malformed route propagated through a transit provider can exploit this vulnerability to consistently crash the BGP daemon. This can disrupt network operations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker establishes a BGP peering session with a vulnerable GoBGP instance (version 4.2.0 or earlier).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious BGP UPDATE message. 
This message contains both an AS_PATH (Type 2) and an AS4_PATH (Type 17) attribute.\u003c/li\u003e\n\u003cli\u003eThe crafted message orders the attributes such that the AS4_PATH appears before the AS_PATH.\u003c/li\u003e\n\u003cli\u003eThe AS4_PATH attribute is intentionally malformed to trigger a validation error.\u003c/li\u003e\n\u003cli\u003eThe GoBGP process attempts to remove the invalid AS4_PATH attribute from the \u003ccode\u003emsg.PathAttributes\u003c/code\u003e slice in the \u003ccode\u003eUpdatePathAttrs4ByteAs\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eRemoving the AS4_PATH causes subsequent attributes in the slice to shift left, altering their indices.\u003c/li\u003e\n\u003cli\u003eThe function attempts to access the AS_PATH attribute using a stale index (asAttrPos) calculated before the slice modification.\u003c/li\u003e\n\u003cli\u003eDue to the index shift, accessing \u003ccode\u003emsg.PathAttributes[asAttrPos]\u003c/code\u003e results in an out-of-bounds access, triggering a panic and crashing the GoBGP process, causing a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability leads to a remote Denial of Service (DoS) condition. Any GoBGP deployment (v4.2.0 and earlier) that accepts BGP UPDATE messages from peers is vulnerable. A single malicious peer or a malformed route propagated through a transit provider can consistently crash the BGP daemon. 
This results in a complete loss of routing capabilities, disrupting network services, and causing potential outages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade GoBGP to a patched version that addresses CVE-2026-41643.\u003c/li\u003e\n\u003cli\u003eMonitor BGP UPDATE messages for malformed AS4_PATH attributes (Type 17) appearing before AS_PATH attributes (Type 2) using a network intrusion detection system.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on BGP UPDATE messages from untrusted peers to mitigate the impact of a DoS attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-gobgp-dos/","summary":"A remote Denial of Service (DoS) vulnerability exists in GoBGP version 4.2.0 and earlier, where a malformed BGP UPDATE message can trigger a runtime error (index out of range panic), crashing the GoBGP process. This occurs during the processing of 4-byte AS attributes when the message structure causes an internal slice index shift that is not properly handled. A single malicious peer or a malformed route propagated through a transit provider can consistently crash the BGP daemon, leading to a complete loss of routing capabilities.","title":"GoBGP Remote Denial of Service via Malformed BGP UPDATE Message","url":"https://feed.craftedsignal.io/briefs/2024-01-03-gobgp-dos/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-33846"}],"_cs_exploited":false,"_cs_products":["GnuTLS"],"_cs_severities":["high"],"_cs_tags":["cve-2026-33846","dtls","heap overflow","gnutls","network"],"_cs_type":"advisory","_cs_vendors":["GnuTLS"],"content_html":"\u003cp\u003eA heap buffer overflow vulnerability has been identified in the DTLS handshake fragment reassembly logic of GnuTLS. 
The vulnerability, tracked as CVE-2026-33846, resides within the \u003ccode\u003emerge_handshake_packet()\u003c/code\u003e function. This function is responsible for matching and merging incoming DTLS handshake fragments. The core issue is the lack of validation for the \u003ccode\u003emessage_length\u003c/code\u003e field across different fragments belonging to the same logical message. An attacker can exploit this flaw by transmitting malicious DTLS fragments that contain inconsistent \u003ccode\u003emessage_length\u003c/code\u003e values. This inconsistency leads the GnuTLS implementation to allocate a buffer based on a smaller, initial fragment and then to write data beyond the allocated buffer\u0026rsquo;s boundaries using the larger, conflicting fragments. This out-of-bounds write on the heap can be triggered remotely without requiring any form of authentication, making it a critical vulnerability. Successful exploitation can lead to application crashes or, potentially, arbitrary memory corruption.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker initiates a DTLS handshake with a vulnerable GnuTLS server.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a first DTLS handshake fragment with a small \u003ccode\u003emessage_length\u003c/code\u003e value.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003emerge_handshake_packet()\u003c/code\u003e function allocates a heap buffer based on the initial, smaller \u003ccode\u003emessage_length\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker sends a subsequent DTLS handshake fragment for the same handshake message with a larger, inconsistent \u003ccode\u003emessage_length\u003c/code\u003e value.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emerge_handshake_packet()\u003c/code\u003e incorrectly merges the second fragment into the allocated buffer without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe write 
operation overflows the allocated heap buffer, corrupting adjacent memory.\u003c/li\u003e\n\u003cli\u003eThe application crashes due to memory corruption, or the attacker potentially gains further control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33846 can lead to denial-of-service conditions due to application crashes. Memory corruption could allow for arbitrary code execution, but this is a less likely outcome. Given the widespread use of GnuTLS in various applications and systems, a large number of services could be impacted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for DTLS handshakes with inconsistent \u003ccode\u003emessage_length\u003c/code\u003e values in fragmented handshake messages using the provided Sigma rule \u003ccode\u003eDetect DTLS Handshake Fragment Length Mismatch\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eApply available patches from GnuTLS to remediate CVE-2026-33846.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting for DTLS handshake requests to mitigate potential denial-of-service attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-gnutls-dtls-overflow/","summary":"A heap buffer overflow vulnerability, CVE-2026-33846, exists in the DTLS handshake fragment reassembly logic of GnuTLS, allowing unauthenticated remote attackers to cause application crashes or potential memory corruption by sending crafted DTLS fragments with conflicting message lengths.","title":"GnuTLS DTLS Handshake Heap Overflow Vulnerability (CVE-2026-33846)","url":"https://feed.craftedsignal.io/briefs/2024-01-03-gnutls-dtls-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.4,"id":"CVE-2023-20185"}],"_cs_exploited":false,"_cs_products":["Nexus 9000 Series Fabric Switches in ACI 
mode"],"_cs_severities":["high"],"_cs_tags":["cve-2023-20185","information-disclosure","network"],"_cs_type":"advisory","_cs_vendors":["Cisco"],"content_html":"\u003cp\u003eA vulnerability exists within the Cisco ACI Multi-Site CloudSec encryption feature of Cisco Nexus 9000 Series Fabric Switches when operating in ACI mode. This flaw enables an unauthenticated, remote adversary to potentially decipher and manipulate encrypted traffic traversing between sites. The vulnerability, identified as CVE-2023-20185, originates from an issue in the cipher implementation employed by the CloudSec encryption feature. Cisco has deprecated and removed the affected ACI Multi-Site CloudSec encryption feature.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker establishes a network position on-path between ACI sites.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts intersite encrypted traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the captured traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the weak cipher implementation.\u003c/li\u003e\n\u003cli\u003eThe attacker decrypts the intercepted traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker reads sensitive data within the decrypted traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the decrypted traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker re-encrypts (or forwards unencrypted) the modified traffic toward the destination.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2023-20185 allows unauthorized reading and modification of data transmitted between ACI sites. The impact can range from data breaches and intellectual property theft to manipulated financial transactions and compromised control systems. 
The lack of a workaround necessitates immediate action to mitigate the risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply configuration changes to remove usage of the CloudSec encryption feature.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual patterns indicative of man-in-the-middle attacks targeting intersite communication.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to detect potential exploitation attempts targeting intersite traffic.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-cisco-aci-cloudsec/","summary":"A vulnerability in Cisco ACI Multi-Site CloudSec encryption allows a remote attacker to read or modify intersite encrypted traffic due to a flaw in cipher implementation.","title":"Cisco ACI Multi-Site CloudSec Encryption Information Disclosure Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-cisco-aci-cloudsec/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["initial-access","exfiltration","network"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThe provided Elastic rule identifies instances of Server Message Block (SMB), also known as Windows File Sharing, being transmitted to external IP addresses. SMB is intended for internal network communication for file, printer, and resource sharing. Exposing SMB to the internet presents a significant security risk. Threat actors frequently target and exploit SMB for initial access, deploying backdoors, or exfiltrating sensitive data. This activity warrants immediate investigation as it violates best practices and poses a direct threat to network security. 
The rule focuses on traffic on TCP ports 139 and 445, originating from internal IP ranges and destined for external IPs, excluding known safe IP ranges, as defined by IANA. The rule was last updated April 24, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn internal host is compromised, often through phishing or other social engineering techniques.\u003c/li\u003e\n\u003cli\u003eThe compromised host attempts to establish an SMB connection to an external IP address on TCP ports 139 or 445.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the SMB protocol to attempt authentication, potentially exploiting vulnerabilities like credential stuffing or known SMB exploits.\u003c/li\u003e\n\u003cli\u003eUpon successful authentication or exploitation, the attacker gains unauthorized access to shared resources or system services on the external system.\u003c/li\u003e\n\u003cli\u003eThe attacker may upload malicious payloads, such as malware or backdoors, via the SMB connection to the external host.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the SMB protocol to exfiltrate sensitive data from the internal network to the external system.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence on the compromised internal host, using SMB for command and control or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromising SMB services can lead to significant data breaches, system compromise, and potential ransomware deployment. Exposed SMB services allow attackers to gain unauthorized access to sensitive files, critical infrastructure, and internal network resources. Successful exploitation can result in complete system takeover, data exfiltration, and disruption of business operations. 
While the exact number of victims is unknown, the prevalence of SMB vulnerabilities and misconfigurations suggests a widespread risk across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect SMB traffic to the internet and tune for your environment.\u003c/li\u003e\n\u003cli\u003eReview firewall and network configurations to ensure SMB traffic is not allowed to the Internet, and block any unauthorized outbound SMB traffic on ports 139 and 445, as identified by the rule description.\u003c/li\u003e\n\u003cli\u003eInvestigate the source IP addresses triggering the rule, identifying internal systems initiating SMB traffic and determining if they belong to known devices or users within the organization, as described in the provided investigation guide.\u003c/li\u003e\n\u003cli\u003eRegularly audit network configurations and update the rule exceptions to include any legitimate device IPs to prevent false positives, as mentioned in the investigation guide.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T14:12:00Z","date_published":"2024-01-02T14:12:00Z","id":"/briefs/2024-01-smb-to-internet/","summary":"This rule detects network events indicating the use of Windows file sharing (SMB or CIFS) traffic to the Internet, which is commonly exploited for initial access, backdoor deployment, or data exfiltration.","title":"SMB (Windows File Sharing) Activity to the Internet","url":"https://feed.craftedsignal.io/briefs/2024-01-smb-to-internet/"}],"language":"en","title":"CraftedSignal Threat Feed — Network","version":"https://jsonfeed.org/version/1.1"}