https://feed.craftedsignal.io/tags/network/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 01 May 2026 03:16:01 +0000https://feed.craftedsignal.io/briefs/2026-05-totolink-command-injection/Fri, 01 May 2026 03:16:01 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-totolink-command-injection/A command injection vulnerability exists in Totolink NR1800X version 9.1.0u.6279_B20210910, affecting the function sub_41A68C of the file /cgi-bin/cstecgi.cgi; by manipulating the argument setUssd, a remote attacker can inject commands, and an exploit is publicly available.A command injection vulnerability, identified as CVE-2026-7548, affects Totolink NR1800X router version 9.1.0u.6279_B20210910. The vulnerability resides within the sub_41A68C function of the /cgi-bin/cstecgi.cgi file. By manipulating the setUssd argument, a remote attacker can inject arbitrary commands into the system. Publicly available exploit code makes exploitation easier. This vulnerability poses a significant risk as it allows unauthenticated remote attackers to execute arbitrary commands on the affected device, potentially leading to full system compromise.

Attack Chain

1. The attacker identifies a vulnerable Totolink NR1800X device running firmware version 9.1.0u.6279_B20210910.
2. The attacker sends a crafted HTTP request to the /cgi-bin/cstecgi.cgi endpoint.
3. The HTTP request includes the setUssd argument with a malicious payload designed to inject a command.
4. The sub_41A68C function processes the setUssd argument without proper sanitization.
5. The injected command is executed by the system with the privileges of the web server process.
6. The attacker gains initial access and can execute arbitrary commands on the device.
7. The attacker may then use the command execution to escalate privileges, install malware, or pivot to other devices on the network.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the affected Totolink NR1800X router. This could lead to complete compromise of the device, allowing the attacker to control network traffic, modify router settings, or use the router as a pivot point to attack other devices on the network. Given the wide usage of Totolink routers, a large number of devices could be vulnerable.

Recommendation

• Monitor web server logs for requests to /cgi-bin/cstecgi.cgi containing suspicious characters or command injection attempts in the setUssd parameter, using the Sigma rule provided below.
• Implement rate limiting on the /cgi-bin/cstecgi.cgi endpoint to mitigate brute-force exploitation attempts.
• Apply available patches provided by Totolink to address the CVE-2026-7548 vulnerability.
• Deploy the Sigma rule to your SIEM and tune for your environment.

]]>criticaladvisorycommand-injectionrouternetworkhttps://feed.craftedsignal.io/briefs/2026-05-synway-smg-rce/Thu, 30 Apr 2026 17:16:25 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-synway-smg-rce/Synway SMG Gateway Management Management Software is vulnerable to unauthenticated OS command injection via crafted POST requests to the RADIUS configuration endpoint, leading to remote code execution.Synway SMG Gateway Management Software is susceptible to an OS command injection vulnerability (CVE-2025-71284) within the RADIUS configuration endpoint. An unauthenticated remote attacker can exploit this flaw by sending a specially crafted POST request to /en/9-2radius.php. The vulnerability lies in the improper sanitization of the radius_address POST parameter, which is directly incorporated into a sed command. The Shadowserver Foundation observed the first exploitation evidence on 2025-07-11 (UTC). Successful exploitation allows the attacker to execute arbitrary shell commands on the affected system, potentially compromising the entire gateway. This vulnerability poses a significant risk to organizations using the Synway SMG Gateway, as it enables unauthenticated remote code execution.

Attack Chain

1. An unauthenticated attacker identifies a Synway SMG Gateway Management Software instance exposed to the network.
2. The attacker crafts a malicious POST request targeting the /en/9-2radius.php endpoint.
3. The POST request includes parameters such as radius_address, radius_address2, shared_secret2, source_ip, timeout, or retry along with save=1 and enable_radius=1.
4. The radius_address parameter contains an OS command injection payload.
5. The application improperly sanitizes the radius_address parameter and incorporates it into a sed command.
6. The injected command is executed by the operating system, granting the attacker arbitrary code execution privileges.
7. The attacker establishes a reverse shell to maintain persistence and expand their foothold.
8. The attacker pivots within the network, gaining access to sensitive data or systems, and potentially establishing a long-term presence.

Impact

Successful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary commands on the Synway SMG Gateway. This could lead to complete system compromise, data theft, disruption of services, and further propagation of attacks within the network. Given the high CVSS score (9.8), this vulnerability represents a critical threat. The number of affected systems and organizations is currently unknown.

Recommendation

• Deploy the Sigma rule “Synway SMG Gateway Radius Command Injection Attempt” to your SIEM to detect exploitation attempts based on suspicious POST requests to the vulnerable endpoint.
• Apply input validation and sanitization to the radius_address, radius_address2, shared_secret2, source_ip, timeout, and retry parameters in the RADIUS configuration endpoint.
• Monitor web server logs for POST requests to /en/9-2radius.php containing suspicious characters or command sequences indicative of command injection attacks to activate the “Synway SMG Gateway Radius Command Injection Attempt” rule.

]]>criticaladvisorycommand-injectionrcenetworkhttps://feed.craftedsignal.io/briefs/2026-04-tenda-path-traversal/Sun, 26 Apr 2026 12:16:22 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-tenda-path-traversal/CVE-2026-7036 is a path traversal vulnerability affecting the R7WebsSecurityHandlerfunction in the HTTP Handler component of Tenda i9 version 1.0.0.5(2204), allowing remote attackers to access sensitive files.A path traversal vulnerability, identified as CVE-2026-7036, exists in Tenda i9 version 1.0.0.5(2204). Specifically, the vulnerability resides in the R7WebsSecurityHandlerfunction of the HTTP Handler component. This flaw allows a remote, unauthenticated attacker to potentially access sensitive files and directories on the affected device. The vulnerability was reported on 2026-04-26, and a public exploit is reportedly available, increasing the risk of exploitation. This poses a significant threat to organizations using the affected Tenda i9 router, as it could lead to unauthorized access to sensitive information or system compromise.

Attack Chain

1. An attacker identifies a Tenda i9 router running firmware version 1.0.0.5(2204) accessible over the network.
2. The attacker crafts a malicious HTTP request targeting the vulnerable R7WebsSecurityHandlerfunction.
3. The crafted request includes a path traversal sequence (e.g., “../”) within the URL or request parameters.
4. The Tenda i9 router processes the malicious request without proper sanitization of the path.
5. The R7WebsSecurityHandlerfunction incorrectly interprets the path traversal sequence, allowing access to files or directories outside the intended web root.
6. The attacker gains unauthorized access to sensitive files, such as configuration files or system logs.
7. The attacker may use the exposed information to further compromise the device or the network it is connected to.
8. The attacker could potentially modify system files or execute commands, leading to full device compromise.

Impact

Successful exploitation of CVE-2026-7036 can lead to unauthorized access to sensitive files on the Tenda i9 router. This includes configuration files containing credentials, system logs, or other confidential data. An attacker could leverage this access to gain further control of the device, potentially leading to a complete system compromise. While the number of affected devices is currently unknown, given the widespread use of Tenda routers, the potential impact could be significant.

Recommendation

• Deploy the provided Sigma rule to detect HTTP requests containing path traversal sequences targeting web servers to detect exploitation attempts (Sigma rule: “Detect Tenda i9 Path Traversal Attempt”).
• Since the source mentions a public exploit exists, prioritize patching or replacing vulnerable Tenda i9 routers to remediate CVE-2026-7036 immediately, if a patch becomes available.
• Monitor web server logs for unusual file access patterns or requests containing suspicious path traversal sequences.
• Implement web application firewall (WAF) rules to block requests containing path traversal sequences.

]]>highadvisorycve-2026-7036path-traversaltendanetworkhttps://feed.craftedsignal.io/briefs/2026-04-ovn-dhcpv6-oob-read/Fri, 24 Apr 2026 13:16:21 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-ovn-dhcpv6-oob-read/A remote attacker can exploit an out-of-bounds read vulnerability in Open Virtual Network (OVN) by sending crafted DHCPv6 SOLICIT packets, leading to sensitive information disclosure.CVE-2026-5367 describes a critical vulnerability affecting Open Virtual Network (OVN). A remote attacker can exploit this flaw by sending specially crafted DHCPv6 SOLICIT packets to the OVN controller. These packets contain an inflated Client ID length, which causes the ovn-controller process to read beyond the allocated memory buffer. This out-of-bounds read allows the attacker to potentially access sensitive information stored in the heap memory, which can then be disclosed back to the attacker’s virtual machine port. Successful exploitation grants unauthorized access to potentially sensitive data within the OVN environment, impacting confidentiality.

Attack Chain

1. Attacker identifies a vulnerable OVN deployment.
2. Attacker crafts a malicious DHCPv6 SOLICIT packet. The packet includes an inflated Client ID length field.
3. The attacker sends the crafted DHCPv6 SOLICIT packet to the OVN controller.
4. The ovn-controller receives the packet and attempts to process the DHCPv6 Client ID option.
5. Due to the inflated Client ID length, the ovn-controller reads beyond the bounds of the allocated memory buffer.
6. This out-of-bounds read accesses sensitive information residing in the heap memory.
7. The compromised data is included in the DHCPv6 response sent back to the attacker’s virtual machine port.
8. Attacker receives the DHCPv6 response containing the disclosed sensitive information.

Impact

Successful exploitation of CVE-2026-5367 leads to the disclosure of sensitive information stored in the heap memory of the ovn-controller. The attacker can potentially gain access to configuration data, cryptographic keys, or other sensitive data, allowing them to further compromise the OVN environment or gain unauthorized access to other resources within the network.

Recommendation

• Monitor network traffic for suspicious DHCPv6 SOLICIT packets with unusually long Client ID lengths targeting the OVN controller, utilizing the network_connection rule provided below.
• Analyze DHCPv6 server logs for errors related to invalid Client ID lengths or out-of-bounds memory access, leveraging the linux process_creation rule provided below if auditd captures such events.
• Apply any available patches or updates provided by the OVN project to address CVE-2026-5367.

]]>highadvisorycvevulnerabilitynetworkhttps://feed.craftedsignal.io/briefs/2026-04-uat-4356-firestarter/Thu, 23 Apr 2026 15:11:53 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-uat-4356-firestarter/UAT-4356 is actively targeting Cisco Firepower devices running FXOS, exploiting CVE-2025-20333 and CVE-2025-20362 to deploy the FIRESTARTER backdoor which allows remote access and control by injecting malicious shellcode into the LINA process.Cisco Talos reported that UAT-4356 continues to actively target Cisco Firepower devices running the Firepower eXtensible Operating System (FXOS). In early 2024, Cisco Talos attributed the ArcaneDoor campaign to UAT-4356, a state-sponsored actor focused on gaining access to network perimeter devices for espionage. The actor exploits n-day vulnerabilities CVE-2025-20333 and CVE-2025-20362 to gain unauthorized access to vulnerable devices. Upon successful exploitation, UAT-4356 deploys a custom-built backdoor called “FIRESTARTER,” which shares technical capabilities with RayInitiator’s Stage 3 shellcode. FIRESTARTER enables remote access and the execution of arbitrary code within the LINA process, a core component of Cisco’s ASA and FTD appliances. This allows the attackers to maintain persistent access to compromised systems.

Attack Chain

1. UAT-4356 exploits CVE-2025-20333 and/or CVE-2025-20362 on Cisco Firepower devices running FXOS to gain initial access.
2. The attacker manipulates the CSP_MOUNT_LIST to establish persistence for the FIRESTARTER backdoor.
3. The FIRESTARTER backdoor is written to /opt/cisco/platform/logs/var/log/svc_samcore.log and the CSP_MOUNT_LIST is updated to copy itself to /usr/bin/lina_cs.
4. After a graceful reboot, FIRESTARTER is executed from /usr/bin/lina_cs.
5. FIRESTARTER restores the original CSP_MOUNT_LIST from /tmp/CSP_MOUNTLIST.tmp and removes the temporary copy and the trojanized /usr/bin/lina_cs file from disk.
6. FIRESTARTER reads the LINA process’ memory, searching for specific byte sequences to verify memory layout.
7. FIRESTARTER copies the next stage shellcode to the last 0x200 bytes of the “libstdc++.so” memory region.
8. The attacker overwrites an internal data structure in the LINA process to replace a pointer to a legitimate WebVPN XML handler function with the address of the malicious shellcode. This allows execution of arbitrary shellcode received via WebVPN requests.

Impact

Compromised Cisco Firepower devices allow UAT-4356 to gain a foothold on network perimeters for espionage. Successful exploitation and deployment of the FIRESTARTER backdoor enable attackers to execute arbitrary shellcode, potentially leading to data exfiltration, further network compromise, or disruption of services. The number of victims is currently unknown, but this campaign targets network perimeter devices, which could impact organizations across various sectors.

Recommendation

• Deploy the file integrity monitoring rule to detect the creation or modification of /usr/bin/lina_cs and /opt/cisco/platform/logs/var/log/svc_samcore.log (see “File Creation in Suspicious Directory”).
• Apply software upgrade recommendations outlined in Cisco’s Security Advisory to mitigate CVE-2025-20333 and CVE-2025-20362.
• Monitor network traffic for WebVPN requests containing unexpected XML payloads that might be used to trigger the FIRESTARTER backdoor.

]]>criticalthreatuat-4356firestarterciscobackdoornetworkespionagehttps://feed.craftedsignal.io/briefs/2026-04-across-dr810-file-disclosure/Sun, 12 Apr 2026 13:16:33 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-across-dr810-file-disclosure/Across DR-810 routers are vulnerable to unauthenticated file disclosure, allowing remote attackers to download the rom-0 backup file containing sensitive information, such as router passwords and configuration data, via a simple GET request to the rom-0 endpoint.The Across DR-810 router contains an unauthenticated file disclosure vulnerability (CVE-2019-25706) that allows remote attackers to retrieve sensitive information. By sending a simple GET request to the /rom-0 endpoint, an attacker can download a backup file containing router passwords, configuration details, and potentially other sensitive data. This vulnerability exists because the /rom-0 endpoint does not require authentication, allowing anyone with network access to the router to retrieve the backup file. Successful exploitation leads to complete compromise of the device’s configuration and potential lateral movement within the network if credentials are reused. This vulnerability was published on 2026-04-12.

Attack Chain

1. Attacker identifies an Across DR-810 router exposed on the network.
2. Attacker crafts an HTTP GET request targeting the /rom-0 endpoint.
3. The router responds with the rom-0 backup file without requiring authentication.
4. Attacker downloads the rom-0 backup file.
5. Attacker decompresses the downloaded rom-0 file, which is likely compressed to reduce size.
6. The attacker parses the decompressed file to extract sensitive information such as router passwords.
7. Attacker uses the extracted router passwords to gain administrative access to the router’s web interface.

Impact

Successful exploitation of this vulnerability allows attackers to retrieve sensitive information, including router passwords and configuration data. This can lead to complete compromise of the affected router. An attacker can then modify router settings, intercept network traffic, or potentially use the compromised router as a pivot point to access other systems on the network. If the router passwords are reused across multiple systems, the impact could extend beyond the compromised router, affecting other devices and services.

Recommendation

• Monitor web server logs for requests to the /rom-0 endpoint on Across DR-810 routers to detect potential exploitation attempts using the provided Sigma rule.
• Inspect network traffic for unusual downloads from Across DR-810 routers, focusing on responses from the /rom-0 endpoint.
• Block access to the /rom-0 endpoint on Across DR-810 routers via firewall rules to prevent unauthorized access.
• Review the provided reference URLs for additional context and potential mitigation strategies.

]]>criticaladvisorycve-2019-25706file-disclosurerouternetworkhttps://feed.craftedsignal.io/briefs/2024-01-22-juniper-bgp-dos/Thu, 09 Apr 2026 22:16:29 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-22-juniper-bgp-dos/CVE-2026-33797 is an improper input validation vulnerability in Juniper Networks Junos OS and Junos OS Evolved that allows an unauthenticated adjacent attacker to reset established BGP sessions via a specific BGP packet, leading to a denial of service condition.CVE-2026-33797 is a vulnerability affecting Juniper Networks Junos OS and Junos OS Evolved versions 25.2 before 25.2R2 and 25.2-EVO before 25.2R2-EVO, respectively. It stems from improper input validation within the Border Gateway Protocol (BGP) handling. An unauthenticated, adjacent attacker can exploit this flaw by sending a crafted BGP packet to an already established BGP session. This malicious packet causes the targeted BGP session to reset, leading to a Denial of Service (DoS). Repeated transmission of the crafted packet can sustain the DoS condition. Both external BGP (eBGP) and internal BGP (iBGP) sessions are susceptible, and the vulnerability impacts both IPv4 and IPv6 network configurations. This vulnerability poses a risk to network stability and availability.

Attack Chain

1. Attacker identifies a vulnerable Juniper device running Junos OS or Junos OS Evolved versions 25.2 prior to 25.2R2 or 25.2-EVO prior to 25.2R2-EVO.
2. The attacker establishes network adjacency to the targeted device, allowing for direct BGP communication.
3. The attacker crafts a specific, but genuine, BGP packet designed to exploit the improper input validation vulnerability.
4. The attacker sends the crafted BGP packet to an already established BGP session on the target device.
5. Upon receiving the malicious packet, the vulnerable Junos OS or Junos OS Evolved instance improperly processes it.
6. Due to the input validation failure, the targeted BGP session is forcibly reset.
7. The attacker repeats the process of sending the crafted BGP packet to continuously reset the BGP session.
8. The repeated session resets cause a sustained Denial of Service (DoS), disrupting network routing and connectivity.

Impact

Successful exploitation of CVE-2026-33797 leads to a denial-of-service condition affecting BGP routing. By repeatedly sending crafted BGP packets, an attacker can disrupt network connectivity and stability. The impact is a loss of routing functionality for networks relying on the targeted BGP sessions. The number of potential victims is broad, including any organization using vulnerable versions of Junos OS or Junos OS Evolved. This can result in service outages, impaired communication, and potential financial losses.

Recommendation

• Upgrade Junos OS to version 25.2R2 or later to remediate CVE-2026-33797 (see references).
• Upgrade Junos OS Evolved to version 25.2R2-EVO or later to remediate CVE-2026-33797 (see references).
• Deploy the Sigma rule provided to detect unusual BGP reset activity in network traffic (see rules).
• Monitor network traffic for unexpected BGP session resets originating from adjacent networks.

]]>mediumadvisorycve-2026-33797denial-of-servicejuniperbgpnetworkhttps://feed.craftedsignal.io/briefs/2026-04-junos-mx-privesc/Thu, 09 Apr 2026 22:16:27 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-junos-mx-privesc/CVE-2026-33785 allows a low-privileged, local, authenticated user to execute 'request csds' commands on Juniper Junos OS MX Series devices, leading to complete device compromise.Juniper Networks Junos OS on MX Series is vulnerable to a missing authorization issue (CVE-2026-33785). This vulnerability allows a local, authenticated user with low privileges to execute specific CLI operational commands, specifically ‘request csds’, that should only be available to high-privileged users or those designated for Juniper Device Manager (JDM) / Connected Security Distributed Services (CSDS) operations. Successful exploitation leads to a complete compromise of managed devices. This issue affects Junos OS on MX Series versions 24.4 prior to 24.4R2-S3 and 25.2 prior to 25.2R2. Releases prior to 24.4 are not affected. The vulnerability was published on 2026-04-09.

Attack Chain

1. Attacker gains local, low-privilege access to a Junos OS MX Series device.
2. Attacker authenticates to the Junos OS CLI using their credentials.
3. Attacker executes the ‘request csds’ operational command.
4. The system fails to perform adequate authorization checks before executing the command.
5. The ‘request csds’ command executes with elevated privileges due to the missing authorization.
6. Attacker leverages the elevated privileges to modify system configurations.
7. Attacker installs malicious software or backdoors.
8. Attacker achieves complete compromise of the Junos OS MX Series device, potentially impacting all devices managed by it.

Impact

Successful exploitation of CVE-2026-33785 allows an attacker to completely compromise a Juniper Junos OS MX Series device. This can lead to unauthorized access to sensitive data, disruption of network services, and the potential compromise of other devices managed by the affected MX Series device. The vulnerability affects Junos OS on MX Series versions 24.4 before 24.4R2-S3 and 25.2 before 25.2R2. While the exact number of vulnerable devices is unknown, the impact is critical due to the potential for widespread network compromise.

Recommendation

• Upgrade Junos OS on MX Series devices to versions 24.4R2-S3 or later, or 25.2R2 or later, to patch CVE-2026-33785.
• Implement the provided Sigma rule to detect unauthorized execution of the request csds command.
• Monitor Junos OS CLI command logs for suspicious activity, specifically focusing on the request csds command and user privilege levels.

]]>criticaladvisoryprivilege-escalationnetworkjuniperhttps://feed.craftedsignal.io/briefs/2026-04-hirschmann-firewall-bypass/Fri, 03 Apr 2026 23:17:01 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-hirschmann-firewall-bypass/CVE-2021-4477 describes a firewall bypass vulnerability in Hirschmann HiLCOS OpenBAT and BAT450 products that can be exploited by establishing IPv6 IPsec connections (IKEv1 or IKEv2) while using an IPv6 Internet connection, allowing attackers to bypass configured firewall rules.Hirschmann HiLCOS OpenBAT and BAT450 products are vulnerable to a firewall bypass (CVE-2021-4477) in IPv6 IPsec deployments. The vulnerability allows attackers to circumvent configured firewall rules by establishing IPv6 IPsec connections (IKEv1 or IKEv2) while simultaneously maintaining an IPv6 Internet connection. This bypass can allow unauthorized access to internal network resources. The vulnerability was published in April 2026. Exploitation of this vulnerability can lead to significant security breaches, allowing attackers to move laterally within a network and potentially compromise sensitive data. Defenders should prioritize patching and implementing detection measures to mitigate this risk.

Attack Chain

1. Attacker identifies a vulnerable Hirschmann HiLCOS OpenBAT or BAT450 device with IPv6 and IPsec enabled.
2. Attacker establishes an IPv6 IPsec VPN connection (IKEv1 or IKEv2) to the target device.
3. Simultaneously, the attacker maintains an active IPv6 Internet connection.
4. The attacker crafts network packets designed to bypass the configured firewall rules.
5. The target device incorrectly routes traffic from the VPN connection, bypassing the firewall.
6. The attacker gains unauthorized access to internal network resources.
7. The attacker moves laterally within the network, exploiting additional vulnerabilities.
8. The attacker exfiltrates sensitive data or performs other malicious activities.

Impact

Successful exploitation of CVE-2021-4477 allows attackers to bypass firewall restrictions, potentially compromising the entire network. This can lead to unauthorized access to sensitive data, lateral movement within the network, and deployment of malware. The severity of the impact depends on the network configuration and the sensitivity of the data being protected by the affected devices. Due to the nature of industrial control systems (ICS), successful exploitation could have significant operational and safety consequences.

Recommendation

• Apply the security patches provided by Belden for Hirschmann HiLCOS OpenBAT and BAT450 products to address CVE-2021-4477, as referenced in the Belden Security Bulletin.
• Monitor network traffic for anomalous IPv6 IPsec connections originating from or directed towards Hirschmann devices to detect potential exploitation attempts, using network connection logs.
• Implement the provided Sigma rule Detect_Hirschmann_IPsec_Bypass to identify suspicious network activity indicative of the firewall bypass vulnerability.
• Review and harden firewall configurations on affected devices, ensuring that IPv6 traffic is properly inspected and filtered, based on product documentation.

]]>criticaladvisorycve-2021-4477firewall-bypassnetworkhttps://feed.craftedsignal.io/briefs/2026-04-hios-dos/Fri, 03 Apr 2026 21:17:08 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-hios-dos/A denial-of-service vulnerability in Hirschmann HiOS devices allows remote attackers to crash or hang the device by sending crafted UDP EtherNet/IP packets with invalid length fields.Hirschmann HiOS is vulnerable to a denial-of-service (DoS) condition due to improper handling of packet length fields within the EtherNet/IP stack. This vulnerability, identified as CVE-2020-37216, affects HiOS devices with versions prior to 08.1.00 and 07.1.01. A remote attacker can exploit this flaw by sending specially crafted UDP EtherNet/IP packets where the specified length value exceeds the actual packet size. Successful exploitation leads to a device crash or hang, rendering it inoperable and disrupting network communications. This vulnerability was reported and published in April 2026. Defenders should prioritize patching or mitigating this vulnerability to maintain network availability.

Attack Chain

1. Attacker identifies vulnerable Hirschmann HiOS device on the network.
2. Attacker crafts a malicious UDP EtherNet/IP packet.
3. The crafted packet includes a length field with a value exceeding the actual packet size.
4. The attacker sends the crafted UDP EtherNet/IP packet to the targeted HiOS device.
5. The HiOS device attempts to process the malformed packet.
6. Due to the improper handling of the invalid length field, the EtherNet/IP stack within the HiOS device encounters an error.
7. The error causes the HiOS device to crash or hang.
8. The device becomes inoperable, resulting in a denial-of-service condition.

Impact

Successful exploitation of CVE-2020-37216 results in a denial-of-service condition on the affected Hirschmann HiOS device. This can disrupt critical network communications and potentially impact industrial control systems relying on the affected device. The number of affected devices and organizations depends on the prevalence of vulnerable HiOS versions within operational networks. A successful attack could lead to temporary or prolonged outages, impacting productivity and availability of industrial processes.

Recommendation

• Upgrade Hirschmann HiOS devices to versions 08.1.00 or 07.1.01 or later to patch CVE-2020-37216.
• Monitor network traffic for suspicious UDP EtherNet/IP packets with abnormally large length fields destined for Hirschmann HiOS devices, using the provided Sigma rule.
• Implement network segmentation to limit the potential impact of a successful denial-of-service attack.
• Review and harden the configuration of Hirschmann HiOS devices according to vendor best practices.

]]>highadvisorydoscve-2020-37216networkhttps://feed.craftedsignal.io/briefs/2026-04-suricata-dos/Thu, 02 Apr 2026 14:16:28 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-suricata-dos/Specially crafted network traffic can cause Suricata to slow down, leading to a denial-of-service condition in versions prior to 7.0.15 and 8.0.4, as identified by CVE-2026-31933.Suricata, a network IDS, IPS, and NSM engine, is susceptible to a denial-of-service vulnerability (CVE-2026-31933) affecting versions prior to 7.0.15 and 8.0.4. This flaw arises from inefficient algorithmic complexity (CWE-407), where specially crafted network traffic can induce a significant slowdown in Suricata’s processing, particularly impacting its performance in IDS mode. An attacker can exploit this vulnerability by sending malicious network packets, potentially causing the Suricata instance to become unresponsive or consume excessive resources. The vulnerability was reported and patched by the Open Information Security Foundation (OISF). Organizations using affected Suricata versions are vulnerable to service disruption.

Attack Chain

1. The attacker crafts a series of malicious network packets specifically designed to exploit the algorithmic inefficiency in Suricata’s packet processing.
2. The attacker sends the crafted packets to the Suricata instance. This can be achieved through various network protocols and ports monitored by Suricata.
3. Suricata receives the packets and begins processing them. Due to the inefficient algorithm, processing these packets consumes significantly more resources than legitimate traffic.
4. As the number of malicious packets increases, Suricata’s CPU and memory usage rises dramatically, leading to a performance slowdown.
5. The slowdown affects Suricata’s ability to inspect other network traffic in a timely manner, potentially allowing malicious activity to go undetected.
6. Eventually, Suricata’s performance degrades to the point where it becomes unresponsive, effectively causing a denial-of-service condition.
7. Legitimate network traffic may be dropped or delayed due to Suricata’s inability to process it efficiently.

Impact

Successful exploitation of CVE-2026-31933 results in a denial-of-service condition, causing Suricata to become unresponsive and hindering its ability to perform network intrusion detection and prevention. The impact includes the potential for undetected malicious activity, delayed or dropped legitimate network traffic, and increased operational overhead for security teams to investigate and remediate the issue. The severity is rated as HIGH with a CVSS v3.1 score of 7.5.

Recommendation

• Upgrade Suricata to version 7.0.15 or 8.0.4 or later to patch CVE-2026-31933.
• Deploy the Sigma rule DetectHighPacketRate to identify unusual traffic patterns indicative of a DoS attempt.
• Monitor Suricata’s CPU and memory utilization for unexpected spikes, which could indicate exploitation of this vulnerability.
• Implement rate limiting or traffic shaping rules on network devices to mitigate the impact of malicious traffic.

]]>mediumadvisorydossuricatacve-2026-31933networkhttps://feed.craftedsignal.io/briefs/2024-01-interlock-firewall-ransomware/Thu, 19 Mar 2026 05:33:30 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-interlock-firewall-ransomware/The Interlock ransomware campaign is targeting enterprise firewalls to encrypt sensitive data and demand ransom payment.The Interlock ransomware campaign specifically targets enterprise firewalls. The campaign’s objective is to encrypt sensitive data residing on or accessible through these firewalls, rendering systems inoperable and creating significant business disruption. While specific details about the initial discovery and scope of the campaign remain limited, its focus on firewalls suggests a targeted approach aimed at organizations heavily reliant on these devices for network security and perimeter defense. The lack of specific details about delivery mechanisms and exploited vulnerabilities underscores the need for proactive threat hunting and vulnerability management to detect and mitigate potential Interlock ransomware infections.

Attack Chain

1. Initial Access: The attacker gains initial access to the targeted network, potentially through exploiting vulnerabilities in the firewall’s management interface or VPN services.
2. Firewall Compromise: The attacker exploits the initial access to compromise the firewall device. This may involve exploiting known vulnerabilities or using stolen credentials.
3. Lateral Movement: The attacker uses the compromised firewall as a pivot point to move laterally within the internal network. Tools like ssh or PsExec may be used.
4. Discovery: The attacker performs reconnaissance to identify valuable data stores accessible through the firewall. This may involve scanning network shares or querying databases.
5. Privilege Escalation: The attacker attempts to escalate privileges to gain administrative access to critical systems. This could involve exploiting vulnerabilities or using credential harvesting techniques.
6. Data Encryption: The attacker deploys the Interlock ransomware payload to encrypt sensitive data on systems accessible via the firewall.
7. Ransom Demand: After encryption, the attacker delivers a ransom note demanding payment for decryption keys.
8. Exfiltration (Possible): Depending on the attacker’s goals, data exfiltration may occur prior to encryption.

Impact

A successful Interlock ransomware attack can lead to significant data loss, business disruption, and financial damage. Organizations can suffer reputational damage and legal repercussions due to data breaches. The targeted nature of the attack suggests a focus on organizations where firewall compromise would have a widespread impact, potentially affecting hundreds or thousands of users or customers.

Recommendation

• Enable enhanced logging on all enterprise firewalls to capture detailed activity, including login attempts, configuration changes, and network traffic. This enhances the effectiveness of the detection rules below.
• Implement multi-factor authentication (MFA) for all firewall administrative access to mitigate the risk of credential theft.
• Regularly patch and update firewall firmware to address known vulnerabilities.
• Deploy the Sigma rules provided in this brief to your SIEM and tune for your environment.

]]>highadvisoryransomwarefirewallnetworkhttps://feed.craftedsignal.io/briefs/2026-02-fortigate-cve-2023-27997/Thu, 26 Feb 2026 07:27:12 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-02-fortigate-cve-2023-27997/Multiple IDS alerts indicate potential exploitation attempts against Fortigate VPN servers using CVE-2023-27997, alongside traffic from a suspicious user agent, possibly indicating reconnaissance or exploit activity.<p>On February 26, 2026, network intrusion detection systems (IDS) triggered alerts related to potential exploitation attempts targeting Fortigate VPN servers. The alerts highlight suspicious network activity originating from multiple IP addresses, specifically repeated GET requests to the <code>/remote/logincheck</code> endpoint, a known vulnerability associated with CVE-2023-27997. This vulnerability could allow unauthorized access to the VPN. Additionally, an IPv4 address was observed using a suspicious…</p> highadvisoryfortigatevpncve-2023-27997exploitnetworkhttps://feed.craftedsignal.io/briefs/2026-02-cisco-sdwan-vulns/Wed, 25 Feb 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-02-cisco-sdwan-vulns/Malicious actors are actively exploiting CVE-2026-20127 for initial access and CVE-2022-20775 for privilege escalation and persistence on Cisco SD-WAN systems globally.<p>CISA and its partners have observed malicious cyber actors targeting and compromising Cisco SD-WAN systems across various organizations globally. The attackers are leveraging CVE-2026-20127, an authentication bypass vulnerability, for initial access. Following successful exploitation of CVE-2026-20127, the attackers escalate privileges and establish long-term persistence within the compromised SD-WAN systems using CVE-2022-20775. In response to this active exploitation, CISA issued Emergency…</p> criticaladvisorycisco-sdwanvulnerabilityexploitationnetworkhttps://feed.craftedsignal.io/briefs/2024-01-09-rpc-from-internet/Tue, 09 Jan 2024 18:23:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-09-rpc-from-internet/This brief focuses on detecting Remote Procedure Call (RPC) traffic originating from the internet, a common initial access vector, by monitoring network connections to TCP port 135 and filtering known internal IP ranges.This detection rule identifies RPC traffic originating from the internet, which can indicate malicious activity. RPC is used for remote system administration and resource sharing but should rarely be exposed to the internet. Threat actors frequently target RPC for initial access or as a backdoor. This rule analyzes network traffic, specifically looking for TCP connections to port 135 (a common RPC port) originating from outside the internal network. The rule aims to detect unauthorized attempts to access or control systems via RPC from external sources, enhancing network security and preventing potential breaches. The rule was last updated on 2026-04-24.

Attack Chain

1. An attacker scans the internet for systems with exposed RPC services on TCP port 135.
2. The attacker establishes a TCP connection to the target system’s port 135.
3. The attacker attempts to negotiate an RPC connection, potentially exploiting vulnerabilities in the RPC service.
4. Successful exploitation allows the attacker to execute commands remotely on the target system.
5. The attacker uses the compromised system to perform reconnaissance, gathering information about the internal network.
6. The attacker attempts lateral movement to other systems within the network, using the initial foothold.
7. The attacker installs malware or creates a backdoor for persistent access.

Impact

Successful exploitation of exposed RPC services can lead to complete system compromise, allowing attackers to execute arbitrary commands, install malware, and steal sensitive data. This can result in data breaches, financial loss, and reputational damage. The rule aims to prevent attackers from gaining initial access to internal systems, mitigating the risk of wider network compromise.

Recommendation

• Deploy the Sigma rule “Detect RPC from Internet” to your SIEM to identify potentially malicious connections to port 135.
• Review and harden systems that provide RPC services to ensure they are not directly exposed to the internet, as detected by the rule “Detect RPC from Internet”.
• Enforce network segmentation to limit the exposure of critical systems and services, preventing RPC services from being accessible from the Internet (reference: note section in the rule).
• Investigate any alerts generated by the Sigma rule by examining the source and destination IP addresses and related network traffic logs (reference: note section in the rule).

]]>highadvisoryinitial-accessnetworkrpchttps://feed.craftedsignal.io/briefs/2024-01-tenda-dns-hijacking/Wed, 03 Jan 2024 18:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-tenda-dns-hijacking/Tenda FH303/A300 firmware V5.07.68_EN contains a session weakness vulnerability (CVE-2018-25318) that allows unauthenticated attackers to modify DNS settings by exploiting insufficient cookie validation, potentially redirecting user traffic to malicious sites.CVE-2018-25318 affects Tenda FH303/A300 routers running firmware version V5.07.68_EN. This vulnerability stems from a session weakness related to insufficient cookie validation. An unauthenticated attacker can exploit this flaw to modify the DNS settings of the router. By sending a crafted GET request to the /goform/AdvSetDns endpoint, an attacker can inject a malicious admin cookie. This allows them to overwrite the configured DNS servers, potentially redirecting all network traffic from connected devices through attacker-controlled infrastructure. This can lead to phishing attacks, malware distribution, and other malicious activities. The vulnerability poses a significant risk to home and small office networks using the affected Tenda routers.

Attack Chain

1. An attacker identifies a vulnerable Tenda FH303/A300 router running firmware V5.07.68_EN.
2. The attacker crafts a malicious HTTP GET request targeting the /goform/AdvSetDns endpoint.
3. The crafted GET request includes a forged admin cookie, bypassing authentication checks due to the session weakness.
4. The attacker sends the crafted GET request to the router’s management interface.
5. The router, due to insufficient cookie validation, accepts the forged cookie and processes the request.
6. The request modifies the DNS server settings on the router, replacing the legitimate DNS servers with attacker-controlled DNS servers.
7. Users connected to the router unknowingly use the attacker’s DNS servers for name resolution.
8. DNS requests are redirected to malicious IPs controlled by the attacker, potentially leading to phishing sites or malware downloads.

Impact

Successful exploitation of CVE-2018-25318 allows an attacker to perform DNS hijacking on affected Tenda routers. This can redirect users to malicious websites designed to steal credentials, distribute malware, or conduct other harmful activities. The vulnerability poses a critical risk to users of the affected routers, as it can compromise their online security and privacy. The CVSS v3.1 base score for this vulnerability is 9.8, highlighting its severity. The number of affected users is dependent on the number of deployed vulnerable devices.

Recommendation

• Monitor web server logs for requests to /goform/AdvSetDns with unusual parameters (Sigma rule: “Detect Tenda Router DNS Hijacking Attempt”).
• If possible, upgrade the router firmware to a version that patches CVE-2018-25318.
• Implement network segmentation to limit the impact of compromised devices.
• Consider using a reputable DNS service with built-in security features to mitigate the impact of DNS hijacking attacks.

]]>criticaladvisorycve-2018-25318tendadns-hijackingnetworkhttps://feed.craftedsignal.io/briefs/2024-01-rdp-bruteforce/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-rdp-bruteforce/This detection identifies potential RDP brute force attacks by monitoring network traffic for RDP application activity by detecting source IPs that have made more than 10 connection attempts to the same RDP port on a host within a one-hour window.This analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. It detects potential RDP brute force attacks by identifying source IPs that have made more than 10 connection attempts to the same RDP port on a host within a one-hour window. The results are presented in a table that includes the source and destination IPs, destination port, number of attempts, and the times of the first and last connection attempts, helping to prioritize IPs based on the intensity of activity. This activity can lead to account compromise and potential ransomware deployment.

Attack Chain

1. The attacker scans the network to identify systems with open RDP ports (TCP 3389).
2. The attacker initiates multiple RDP connection attempts to a target host, using a list of common usernames and passwords or compromised credentials.
3. The firewall logs each connection attempt, recording the source and destination IPs, ports, and timestamps.
4. Sysmon logs the network connections with Event ID 3.
5. The attacker continues to attempt connections, typically exceeding 10 attempts within an hour.
6. Upon successful authentication, the attacker gains unauthorized access to the target system.
7. The attacker may then install malware, move laterally, or exfiltrate sensitive data.
8. The attacker might deploy ransomware like SamSam or Ryuk, as referenced in external reports.

Impact

Successful RDP brute force attacks can lead to unauthorized access to systems, data breaches, malware infections, and ransomware deployment. Compromised systems can be used as a staging point for further attacks within the network. The references indicate that ransomware attacks have been delivered using RDP brute-force techniques.

Recommendation

• Ensure network traffic data is populating the Network_Traffic data model to enable the provided search query.
• Deploy the Sigma rule RDP Bruteforce via Network Traffic to detect brute force attempts based on network connection patterns.
• Adjust the count and duration thresholds in the detection query to tune the sensitivity for your environment.
• Investigate source IPs identified by the detection rule as potential attackers.
• Monitor Sysmon EventID 3 for network connections to detect RDP brute-force attempts.
• Review the referenced Zscaler and ReliaQuest articles for additional context and mitigation strategies.

]]>highadvisoryrdpbruteforcecredential-accesswindowsnetworkhttps://feed.craftedsignal.io/briefs/2024-01-03-outbound-smb/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-outbound-smb/This analytic detects outbound SMB connections from internal hosts to external servers, potentially indicating lateral movement and credential theft attempts.This detection identifies outbound Server Message Block (SMB) traffic from internal hosts to external servers. The activity is identified by monitoring network traffic for SMB requests directed towards the Internet, an unusual occurrence in standard operations. This analytic is crucial for Security Operations Centers (SOCs) as it can signal an attacker’s attempt to retrieve credential hashes via compromised internal systems, a critical step in lateral movement and privilege escalation. The source mentions specific relevance to “Hidden Cobra Malware”, “DHS Report TA18-074A”, and “NOBELIUM Group”, suggesting possible connections to these threat actors or campaigns.

Attack Chain

1. An internal host is compromised through an initial access vector (e.g., phishing, exploit).
2. The attacker attempts to enumerate network resources accessible from the compromised host.
3. The attacker leverages SMB to connect to external servers, typically on ports 139 or 445.
4. The SMB connection attempts to authenticate or negotiate with the external server.
5. The attacker may attempt to exploit vulnerabilities in the SMB protocol or server.
6. The attacker captures or relays credential hashes transmitted over the SMB connection.
7. The attacker uses the captured credentials to move laterally to other systems or escalate privileges.
8. The attacker achieves their final objective, such as data exfiltration or system compromise.

Impact

Successful exploitation of outbound SMB traffic can lead to unauthorized access to sensitive data and full system compromise. Lateral movement and privilege escalation are key goals. Confirmed malicious SMB traffic could enable attackers to move through the network, potentially impacting numerous systems and leading to significant data breaches. While the number of victims isn’t specified, the detection’s relevance to known threat actors suggests potentially widespread impact.

Recommendation

• Deploy the Sigma rule Outbound SMB Traffic Detected to your SIEM and tune it for your environment, using the provided positive and negative test cases to ensure accurate detection.
• Investigate and block any detected outbound SMB connections that are not explicitly authorized by legitimate business needs (reference detect_outbound_smb_traffic_filter macro in the original search).
• Implement network segmentation to restrict internal hosts from directly accessing external SMB services.
• Enforce strong password policies and multi-factor authentication to mitigate the impact of credential theft.
• Categorize internal CIDR blocks as internal in your asset management system to reduce false positives (reference “known_false_positives” section).
• Consider blocking external communications of all SMB versions and related protocols at the network boundary.

]]>highadvisorynetworksmblateral-movementprivilege-escalationhttps://feed.craftedsignal.io/briefs/2024-01-03-gobgp-dos/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-gobgp-dos/A remote Denial of Service (DoS) vulnerability exists in GoBGP version 4.2.0 and earlier, where a malformed BGP UPDATE message can trigger a runtime error (index out of range panic), crashing the GoBGP process. This occurs during the processing of 4-byte AS attributes when the message structure causes an internal slice index shift that is not properly handled. A single malicious peer or a malformed route propagated through a transit provider can consistently crash the BGP daemon, leading to a complete loss of routing capabilities.A remote Denial of Service vulnerability exists in GoBGP that can be triggered by a malformed BGP UPDATE message, specifically when handling 4-byte AS attributes. The vulnerability, identified as CVE-2026-41643, affects GoBGP version 4.2.0 and earlier. The attack involves sending a crafted BGP UPDATE message that causes an index-out-of-range panic in the UpdatePathAttrs4ByteAs function within internal/pkg/table/message.go. This panic results in the GoBGP process crashing, leading to a loss of routing capabilities. A malicious peer or a malformed route propagated through a transit provider can exploit this vulnerability to consistently crash the BGP daemon. This can disrupt network operations.

Attack Chain

1. Attacker establishes a BGP peering session with a vulnerable GoBGP instance (version 4.2.0 or earlier).
2. The attacker crafts a malicious BGP UPDATE message. This message contains both an AS_PATH (Type 2) and an AS4_PATH (Type 17) attribute.
3. The crafted message orders the attributes such that the AS4_PATH appears before the AS_PATH.
4. The AS4_PATH attribute is intentionally malformed to trigger a validation error.
5. The GoBGP process attempts to remove the invalid AS4_PATH attribute from the msg.PathAttributes slice in the UpdatePathAttrs4ByteAs function.
6. Removing the AS4_PATH causes subsequent attributes in the slice to shift left, altering their indices.
7. The function attempts to access the AS_PATH attribute using a stale index (asAttrPos) calculated before the slice modification.
8. Due to the index shift, accessing msg.PathAttributes[asAttrPos] results in an out-of-bounds access, triggering a panic and crashing the GoBGP process, causing a denial of service.

Impact

The vulnerability leads to a remote Denial of Service (DoS) condition. Any GoBGP deployment (v4.2.0 and earlier) that accepts BGP UPDATE messages from peers is vulnerable. A single malicious peer or a malformed route propagated through a transit provider can consistently crash the BGP daemon. This results in a complete loss of routing capabilities, disrupting network services, and causing potential outages.

Recommendation

• Upgrade GoBGP to a patched version that addresses CVE-2026-41643.
• Monitor BGP UPDATE messages for malformed AS4_PATH attributes (Type 17) appearing before AS_PATH attributes (Type 2) using a network intrusion detection system.
• Implement rate limiting on BGP UPDATE messages from untrusted peers to mitigate the impact of a DoS attack.

]]>mediumadvisorydenial of servicebgpnetworkhttps://feed.craftedsignal.io/briefs/2024-01-03-gnutls-dtls-overflow/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-gnutls-dtls-overflow/A heap buffer overflow vulnerability, CVE-2026-33846, exists in the DTLS handshake fragment reassembly logic of GnuTLS, allowing unauthenticated remote attackers to cause application crashes or potential memory corruption by sending crafted DTLS fragments with conflicting message lengths.A heap buffer overflow vulnerability has been identified in the DTLS handshake fragment reassembly logic of GnuTLS. The vulnerability, tracked as CVE-2026-33846, resides within the merge_handshake_packet() function. This function is responsible for matching and merging incoming DTLS handshake fragments. The core issue is the lack of validation for the message_length field across different fragments belonging to the same logical message. An attacker can exploit this flaw by transmitting malicious DTLS fragments that contain inconsistent message_length values. This inconsistency leads the GnuTLS implementation to allocate a buffer based on a smaller, initial fragment but subsequently attempts to write data beyond the allocated buffer’s boundaries using the larger, conflicting fragments. This out-of-bounds write on the heap can be triggered remotely without requiring any form of authentication, making it a critical vulnerability. Successful exploitation can lead to application crashes or, potentially, arbitrary memory corruption.

Attack Chain

1. Attacker initiates a DTLS handshake with a vulnerable GnuTLS server.
2. The attacker sends a first DTLS handshake fragment with a small message_length value.
3. The vulnerable merge_handshake_packet() function allocates a heap buffer based on the initial, smaller message_length.
4. Attacker sends a subsequent DTLS handshake fragment for the same handshake message with a larger, inconsistent message_length value.
5. merge_handshake_packet() incorrectly merges the second fragment into the allocated buffer without proper bounds checking.
6. The write operation overflows the allocated heap buffer, corrupting adjacent memory.
7. The application crashes due to memory corruption, or the attacker potentially gains further control.

Impact

Successful exploitation of CVE-2026-33846 can lead to denial-of-service conditions due to application crashes. Memory corruption could allow for arbitrary code execution, but this is a less likely outcome. Given the widespread use of GnuTLS in various applications and systems, a large number of services could be impacted.

Recommendation

• Monitor network traffic for DTLS handshakes with inconsistent message_length values in fragmented handshake messages using the provided Sigma rule Detect DTLS Handshake Fragment Length Mismatch.
• Apply available patches from GnuTLS to remediate CVE-2026-33846.
• Implement rate limiting for DTLS handshake requests to mitigate potential denial-of-service attacks.

]]>highadvisorycve-2026-33846dtlsheap overflowgnutlsnetworkhttps://feed.craftedsignal.io/briefs/2024-01-cisco-aci-cloudsec/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-cisco-aci-cloudsec/A vulnerability in Cisco ACI Multi-Site CloudSec encryption allows a remote attacker to read or modify intersite encrypted traffic due to a flaw in cipher implementation.A vulnerability exists within the Cisco ACI Multi-Site CloudSec encryption feature of Cisco Nexus 9000 Series Fabric Switches when operating in ACI mode. This flaw enables an unauthenticated, remote adversary to potentially decipher and manipulate encrypted traffic traversing between sites. The vulnerability, identified as CVE-2023-20185, originates from an issue in the cipher implementation employed by the CloudSec encryption feature. Cisco has deprecated and removed the affected ACI Multi-Site CloudSec encryption feature.

Attack Chain

1. Attacker establishes a network position on-path between ACI sites.
2. The attacker intercepts intersite encrypted traffic.
3. The attacker analyzes the captured traffic.
4. The attacker exploits the weak cipher implementation.
5. The attacker decrypts the intercepted traffic.
6. The attacker reads sensitive data within the decrypted traffic.
7. The attacker modifies the decrypted traffic.
8. The attacker re-encrypts (or forwards unencrypted) the modified traffic toward the destination.

Impact

Successful exploitation of CVE-2023-20185 allows unauthorized reading and modification of data transmitted between ACI sites. The impact can range from data breaches and intellectual property theft to manipulated financial transactions and compromised control systems. The lack of a workaround necessitates immediate action to mitigate the risk.

Recommendation

• Apply configuration changes to remove usage of the CloudSec encryption feature.
• Monitor network traffic for unusual patterns indicative of man-in-the-middle attacks targeting intersite communication.
• Deploy the Sigma rules provided below to detect potential exploitation attempts targeting intersite traffic.

]]>highadvisorycve-2023-20185information-disclosurenetworkhttps://feed.craftedsignal.io/briefs/2024-01-smb-to-internet/Tue, 02 Jan 2024 14:12:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-smb-to-internet/This rule detects network events indicating the use of Windows file sharing (SMB or CIFS) traffic to the Internet, which is commonly exploited for initial access, backdoor deployment, or data exfiltration.The provided Elastic rule identifies instances of Server Message Block (SMB), also known as Windows File Sharing, being transmitted to external IP addresses. SMB is intended for internal network communication for file, printer, and resource sharing. Exposing SMB to the internet presents a significant security risk. Threat actors frequently target and exploit SMB for initial access, deploying backdoors, or exfiltrating sensitive data. This activity warrants immediate investigation as it violates best practices and poses a direct threat to network security. The rule focuses on traffic on TCP ports 139 and 445, originating from internal IP ranges and destined for external IPs, excluding known safe IP ranges, as defined by IANA. The rule was last updated April 24, 2026.

Attack Chain

1. An internal host is compromised, often through phishing or other social engineering techniques.
2. The compromised host attempts to establish an SMB connection to an external IP address on TCP ports 139 or 445.
3. The attacker leverages the SMB protocol to attempt authentication, potentially exploiting vulnerabilities like credential stuffing or known SMB exploits.
4. Upon successful authentication or exploitation, the attacker gains unauthorized access to shared resources or system services on the external system.
5. The attacker may upload malicious payloads, such as malware or backdoors, via the SMB connection to the external host.
6. The attacker uses the SMB protocol to exfiltrate sensitive data from the internal network to the external system.
7. The attacker maintains persistence on the compromised internal host, using SMB for command and control or lateral movement.

Impact

Compromising SMB services can lead to significant data breaches, system compromise, and potential ransomware deployment. Exposed SMB services allow attackers to gain unauthorized access to sensitive files, critical infrastructure, and internal network resources. Successful exploitation can result in complete system takeover, data exfiltration, and disruption of business operations. While the exact number of victims is unknown, the prevalence of SMB vulnerabilities and misconfigurations suggests a widespread risk across various sectors.

Recommendation

• Deploy the provided Sigma rule to your SIEM to detect SMB traffic to the internet and tune for your environment.
• Review firewall and network configurations to ensure SMB traffic is not allowed to the Internet, and block any unauthorized outbound SMB traffic on ports 139 and 445, as identified by the rule description.
• Investigate the source IP addresses triggering the rule, identifying internal systems initiating SMB traffic and determining if they belong to known devices or users within the organization, as described in the provided investigation guide.
• Regularly audit network configurations and update the rule exceptions to include any legitimate device IPs to prevent false positives, as mentioned in the investigation guide.

]]>mediumadvisoryinitial-accessexfiltrationnetwork