{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/rclone/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["data-exfiltration","rclone","masquerading"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eAttackers are leveraging Rclone, a legitimate command-line program to manage files on cloud storage, for malicious purposes. The primary abuse case involves renaming Rclone (e.g., to TrendFileSecurityCheck.exe) to evade detection based on process name. Once renamed, attackers use Rclone\u0026rsquo;s copy/sync functionalities with cloud backends like S3 or HTTP endpoints. They often employ \u003ccode\u003e--include\u003c/code\u003e filters to target specific sensitive file types for exfiltration. This activity is frequently blended with regular administrative traffic to further obfuscate the malicious intent. 
Defenders should be aware of this tactic, particularly when unusual processes are observed interacting with cloud storage services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system through an undisclosed method.\u003c/li\u003e\n\u003cli\u003eRclone is downloaded or transferred to the victim machine.\u003c/li\u003e\n\u003cli\u003eThe rclone executable is renamed to a benign-sounding name (e.g., TrendFileSecurityCheck.exe) to masquerade as a legitimate system utility.\u003c/li\u003e\n\u003cli\u003eThe attacker configures rclone to connect to a cloud storage backend (e.g., an S3 bucket or HTTP endpoint) controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eA command is executed using the renamed rclone executable, specifying the \u003ccode\u003ecopy\u003c/code\u003e or \u003ccode\u003esync\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eThe command includes \u003ccode\u003e--include\u003c/code\u003e flags to filter and select specific file types (e.g., documents, source code, databases) for exfiltration.\u003c/li\u003e\n\u003cli\u003eRclone transfers the targeted files from the victim machine to the attacker\u0026rsquo;s cloud storage backend, potentially using the \u003ccode\u003e--transfers\u003c/code\u003e option for faster exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the exfiltrated data from their cloud storage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the exfiltration of sensitive data, including proprietary information, customer data, financial records, or intellectual property. The impact can range from reputational damage and financial losses to legal and regulatory repercussions. 
The scope of damage depends on the sensitivity and volume of the exfiltrated data, the number of affected systems, and the effectiveness of the attacker\u0026rsquo;s filtering criteria.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious Rclone Usage\u003c/code\u003e to detect renamed rclone executables executing copy/sync commands.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to collect the necessary process execution data for the Sigma rules.\u003c/li\u003e\n\u003cli\u003eInvestigate any process identified by the Sigma rule \u003ccode\u003eSuspicious Rclone Usage\u003c/code\u003e by examining command-line arguments for cloud backend destinations and \u003ccode\u003e--include\u003c/code\u003e filters.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for unusual outbound traffic to cloud storage providers (AWS S3, Azure Blob Storage, Google Cloud Storage) from processes other than approved backup solutions.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized or renamed executables.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-rclone-exfiltration/","summary":"Attackers are abusing the legitimate file synchronization tool rclone, often renamed to masquerade as legitimate software, to exfiltrate data to cloud storage or remote endpoints.","title":"Potential Data Exfiltration via Rclone","url":"https://feed.craftedsignal.io/briefs/2026-05-rclone-exfiltration/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["rclone"],"_cs_severities":["critical"],"_cs_tags":["rclone","auth-bypass","rc-api","CVE-2026-41176","command-execution"],"_cs_type":"advisory","_cs_vendors":["rclone"],"content_html":"\u003cp\u003eRclone, a command-line program to manage files 
on cloud storage, is vulnerable to an authentication bypass via its remote control (RC) API. The vulnerability, present from version 1.45 onwards, stems from the \u003ccode\u003eoptions/set\u003c/code\u003e endpoint being exposed without authentication requirements, while still being able to modify the global runtime configuration. An unauthenticated attacker can exploit this vulnerability by setting the \u003ccode\u003erc.NoAuth\u003c/code\u003e parameter to \u003ccode\u003etrue\u003c/code\u003e, effectively disabling the authentication gate for numerous RC methods registered with \u003ccode\u003eAuthRequired: true\u003c/code\u003e. This allows unauthorized access to sensitive administrative functionality, including configuration settings and operational commands. The issue was validated against \u003ccode\u003ev1.73.4\u003c/code\u003e and the current \u003ccode\u003emaster\u003c/code\u003e branch as of April 14, 2026. This vulnerability is especially critical when the RC API is exposed without global HTTP authentication (i.e., \u003ccode\u003e--rc-user\u003c/code\u003e/\u003ccode\u003e--rc-pass\u003c/code\u003e are not set), as it allows complete control of the Rclone instance.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable Rclone instance with the RC API enabled (via \u003ccode\u003e--rc\u003c/code\u003e or \u003ccode\u003erclone rcd\u003c/code\u003e) that is reachable on the network. 
The attacker confirms that the RC API is not protected by global HTTP authentication (no \u003ccode\u003e--rc-user\u003c/code\u003e, \u003ccode\u003e--rc-pass\u003c/code\u003e, or \u003ccode\u003e--rc-htpasswd\u003c/code\u003e flags).\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated POST request to the \u003ccode\u003e/options/set\u003c/code\u003e endpoint with a JSON payload setting \u003ccode\u003erc.NoAuth\u003c/code\u003e to \u003ccode\u003etrue\u003c/code\u003e: \u003ccode\u003e{\u0026quot;rc\u0026quot;:{\u0026quot;NoAuth\u0026quot;:true}}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Rclone RC server processes the request and updates the runtime configuration, disabling the authentication requirement for subsequent RC calls.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the now-unprotected RC API to access sensitive configuration data using endpoints like \u003ccode\u003e/config/listremotes\u003c/code\u003e, \u003ccode\u003e/config/dump\u003c/code\u003e, or \u003ccode\u003e/config/get\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker can list the available filesystems and remote configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker then uses operational endpoints such as \u003ccode\u003e/operations/list\u003c/code\u003e to list files and directories within a configured remote.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the \u003ccode\u003e/operations/copyfile\u003c/code\u003e endpoint to copy files from one location to another, potentially exfiltrating sensitive data or overwriting critical files.\u003c/li\u003e\n\u003cli\u003eFinally, the attacker uses the \u003ccode\u003e/core/command\u003c/code\u003e endpoint to execute arbitrary commands on the host system, achieving complete system compromise. 
This endpoint utilizes the \u003ccode\u003eexec.Command(...)\u003c/code\u003e function, allowing arbitrary command execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to bypass intended access controls on the Rclone RC administrative interface. The impact ranges from sensitive configuration disclosure and filesystem enumeration to arbitrary command execution on the host system. This could lead to complete system compromise, data exfiltration, or denial of service. The vulnerability affects Rclone instances from version 1.45 up to (but not including) 1.73.5. The severity is amplified when the RC API is exposed to a wider network without proper authentication measures.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Rclone to version 1.73.5 or later to patch CVE-2026-41176.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, ensure that the Rclone RC API is protected by global HTTP authentication using the \u003ccode\u003e--rc-user\u003c/code\u003e, \u003ccode\u003e--rc-pass\u003c/code\u003e, or \u003ccode\u003e--rc-htpasswd\u003c/code\u003e flags.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for POST requests to the \u003ccode\u003e/options/set\u003c/code\u003e endpoint without authentication, indicative of exploitation attempts. 
Deploy the provided Sigma rule to detect this activity.\u003c/li\u003e\n\u003cli\u003eReview Rclone RC API access logs for unauthorized access to sensitive endpoints such as \u003ccode\u003e/config/listremotes\u003c/code\u003e, \u003ccode\u003e/config/dump\u003c/code\u003e, \u003ccode\u003e/config/get\u003c/code\u003e, \u003ccode\u003e/operations/list\u003c/code\u003e, \u003ccode\u003e/operations/copyfile\u003c/code\u003e, and \u003ccode\u003e/core/command\u003c/code\u003e after the \u003ccode\u003e/options/set\u003c/code\u003e endpoint has been accessed.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T12:00:00Z","date_published":"2026-04-23T12:00:00Z","id":"/briefs/2026-04-rclone-auth-bypass/","summary":"Rclone is vulnerable to an unauthenticated options/set vulnerability that allows runtime authentication bypass, potentially leading to sensitive operations and command execution by setting `rc.NoAuth=true` on reachable RC servers started without global HTTP authentication.","title":"Rclone Unauthenticated options/set Allows Runtime Auth Bypass","url":"https://feed.craftedsignal.io/briefs/2026-04-rclone-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Rclone","version":"https://jsonfeed.org/version/1.1"}