<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Remote-Code-Execution — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/remote-code-execution/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 04 May 2026 06:16:02 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/remote-code-execution/feed.xml" rel="self" type="application/rss+xml"/><item><title>Funadmin Unrestricted File Upload Vulnerability (CVE-2026-7733)</title><link>https://feed.craftedsignal.io/briefs/2026-05-funadmin-upload/</link><pubDate>Mon, 04 May 2026 06:16:02 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-funadmin-upload/</guid><description>Funadmin versions up to 7.1.0-rc6 are vulnerable to unrestricted file uploads due to improper handling of the File argument in the UploadService::chunkUpload function, potentially leading to remote code execution.</description><content:encoded><![CDATA[<p>Funadmin, a web framework, is affected by an unrestricted file upload vulnerability (CVE-2026-7733) in versions up to 7.1.0-rc6. The vulnerability exists within the <code>UploadService::chunkUpload</code> function in the <code>app/common/service/UploadService.php</code> file, which handles frontend chunked uploads. An attacker can manipulate the <code>File</code> argument during the upload process to bypass security checks and upload arbitrary files. The vulnerability is remotely exploitable, and an exploit has been published. Patch 59 is available to remediate this vulnerability.
This issue enables attackers to upload malicious files, such as web shells or executable code, leading to potential remote code execution on the affected server.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a Funadmin instance running a vulnerable version (&lt;= 7.1.0-rc6).</li>
<li>The attacker sends a crafted HTTP request to the <code>UploadService::chunkUpload</code> endpoint.</li>
<li>The request includes a manipulated <code>File</code> argument, bypassing file type and size restrictions.</li>
<li>The vulnerable <code>UploadService::chunkUpload</code> function processes the malicious file without proper validation.</li>
<li>The malicious file is written to the server&rsquo;s file system in a publicly accessible directory.</li>
<li>The attacker accesses the uploaded file, potentially triggering execution (e.g., accessing a PHP web shell).</li>
<li>If the uploaded file is executable code (a web shell), the attacker can execute arbitrary commands on the server.</li>
<li>The attacker gains control of the web server and potentially pivots to other systems within the network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to upload arbitrary files to the Funadmin server. This can lead to several severe consequences, including remote code execution, web server defacement, data exfiltration, and complete system compromise. Given the ease of exploitation (an exploit is publicly available), affected systems are at high risk of being targeted. Organizations using vulnerable versions of Funadmin should apply patch 59 immediately to prevent potential attacks.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply patch 59 to all Funadmin installations running versions up to 7.1.0-rc6 as recommended by the vendor.</li>
<li>Monitor web server logs for unusual activity related to file uploads, specifically requests targeting the <code>UploadService::chunkUpload</code> endpoint (reference: Attack Chain).</li>
<li>Deploy the Sigma rule provided to detect attempts to exploit CVE-2026-7733 by monitoring for requests to the vulnerable endpoint with suspicious parameters.</li>
<li>Implement web application firewall (WAF) rules to filter out requests with malicious payloads targeting the <code>UploadService::chunkUpload</code> endpoint (reference: Attack Chain).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve</category><category>unrestricted file upload</category><category>remote code execution</category></item><item><title>Totolink WA300 Buffer Overflow Vulnerability (CVE-2026-7719)</title><link>https://feed.craftedsignal.io/briefs/2024-01-totolink-wa300-buffer-overflow/</link><pubDate>Mon, 04 May 2026 02:15:58 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-totolink-wa300-buffer-overflow/</guid><description>A buffer overflow vulnerability exists in Totolink WA300 version 5.2cu.7112_B20190227 within the loginauth function of the /cgi-bin/cstecgi.cgi file, specifically affecting the POST Request Handler component, triggerable via manipulation of the http_host argument, and remotely exploitable with a publicly available exploit.</description><content:encoded><![CDATA[<p>A critical buffer overflow vulnerability, identified as CVE-2026-7719, has been discovered in Totolink WA300 version 5.2cu.7112_B20190227. This vulnerability resides within the <code>loginauth</code> function of the <code>/cgi-bin/cstecgi.cgi</code> file, affecting the POST Request Handler component. The vulnerability is triggered by manipulating the <code>http_host</code> argument in a POST request. The exploit is publicly available, increasing the risk of widespread exploitation. This vulnerability allows for remote code execution, potentially granting attackers full control over the affected device. The affected version was released in February 2019. Defenders should prioritize patching or mitigating this vulnerability to prevent potential compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable Totolink WA300 device running firmware version 5.2cu.7112_B20190227.</li>
<li>The attacker crafts a malicious HTTP POST request targeting the <code>/cgi-bin/cstecgi.cgi</code> endpoint.</li>
<li>The crafted POST request includes a specially crafted <code>http_host</code> argument designed to overflow the buffer in the <code>loginauth</code> function.</li>
<li>The vulnerable <code>loginauth</code> function processes the <code>http_host</code> argument without proper bounds checking.</li>
<li>The oversized <code>http_host</code> argument overwrites adjacent memory regions, including the return address on the stack.</li>
<li>Upon completion of the <code>loginauth</code> function, the overwritten return address is used, redirecting execution to attacker-controlled code.</li>
<li>The attacker-controlled code executes with elevated privileges, allowing the attacker to execute arbitrary commands on the device.</li>
<li>The attacker gains complete control of the device, potentially using it for malicious purposes such as botnet participation, data theft, or further network penetration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-7719 allows a remote attacker to execute arbitrary code on the vulnerable Totolink WA300 device. This can lead to complete device compromise, allowing the attacker to steal sensitive information, use the device as a botnet node, or pivot to other devices on the network. Given the public availability of the exploit, widespread exploitation is possible, potentially affecting a large number of home and small business networks using the vulnerable device.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect Totolink WA300 HTTP Host Buffer Overflow Attempt</code> to identify exploitation attempts in web server logs.</li>
<li>Monitor web server logs for POST requests to <code>/cgi-bin/cstecgi.cgi</code> with unusually long <code>http_host</code> headers.</li>
<li>Consider deploying a web application firewall (WAF) rule to filter out malicious requests targeting CVE-2026-7719.</li>
<li>Upgrade to a patched version of the firmware or replace the affected device to remediate the vulnerability.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>buffer overflow</category><category>remote code execution</category><category>cve-2026-7719</category><category>totolink</category></item><item><title>Totolink WA300 Buffer Overflow Vulnerability in UploadCustomModule</title><link>https://feed.craftedsignal.io/briefs/2026-05-totolink-wa300-buffer-overflow/</link><pubDate>Mon, 04 May 2026 01:16:05 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-totolink-wa300-buffer-overflow/</guid><description>A remote buffer overflow vulnerability exists in the UploadCustomModule function of the /cgi-bin/cstecgi.cgi file in the POST Request Handler component of Totolink WA300 version 5.2cu.7112_B20190227, which can be exploited by manipulating the File argument.</description><content:encoded><![CDATA[<p>A buffer overflow vulnerability has been identified in the Totolink WA300 wireless router, specifically firmware version 5.2cu.7112_B20190227. The vulnerability resides within the <code>UploadCustomModule</code> function of the <code>/cgi-bin/cstecgi.cgi</code> file, a component of the POST Request Handler. The identified vulnerability allows a remote attacker to cause a buffer overflow through manipulation of the <code>File</code> argument within a crafted POST request. Public proof-of-concept exploit code is available, increasing the likelihood of exploitation. This vulnerability poses a significant risk, as successful exploitation could lead to arbitrary code execution, potentially allowing attackers to fully compromise affected devices. Defenders should prioritize detection and mitigation strategies to prevent exploitation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable Totolink WA300 device running firmware version 5.2cu.7112_B20190227.</li>
<li>The attacker crafts a malicious POST request targeting the <code>/cgi-bin/cstecgi.cgi</code> endpoint.</li>
<li>The POST request includes a <code>File</code> argument with a payload exceeding the buffer size allocated for the <code>UploadCustomModule</code> function.</li>
<li>The <code>UploadCustomModule</code> function processes the POST request without proper bounds checking on the <code>File</code> argument.</li>
<li>The oversized <code>File</code> argument overwrites adjacent memory regions, including potentially critical program data and control flow instructions.</li>
<li>The buffer overflow allows the attacker to inject and execute arbitrary code on the device.</li>
<li>The attacker gains remote shell access to the device with elevated privileges.</li>
<li>The attacker could then use the compromised device to pivot into the internal network or cause a denial-of-service condition.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this buffer overflow vulnerability can lead to complete compromise of the affected Totolink WA300 device. An attacker could gain unauthorized access to the device&rsquo;s configuration, intercept network traffic, or use the device as a bot in a larger attack. Given the high CVSS score of 8.8, the impact is considered critical. Home and small business networks using the affected router model are at risk. The vulnerability allows for remote code execution, leading to significant potential for damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect Totolink WA300 UploadCustomModule Buffer Overflow Attempt</code> to detect malicious POST requests targeting the vulnerable endpoint.</li>
<li>Monitor web server logs for POST requests to <code>/cgi-bin/cstecgi.cgi</code> with unusually large <code>File</code> parameters, as indicated in the Sigma rule.</li>
<li>Apply firmware updates from Totolink to patch CVE-2026-7717 as soon as they become available.</li>
<li>Implement network segmentation to limit the impact of a compromised router on other internal network resources.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">threat</category><category>buffer-overflow</category><category>remote-code-execution</category><category>router</category></item><item><title>Shenzhen Libituo Technology LBT-T300-HW1 Buffer Overflow Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-05-lbt-t300-hw1-buffer-overflow/</link><pubDate>Sun, 03 May 2026 03:16:15 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-lbt-t300-hw1-buffer-overflow/</guid><description>A buffer overflow vulnerability exists in Shenzhen Libituo Technology LBT-T300-HW1 version 1.2.8 and earlier, allowing remote attackers to execute arbitrary code by manipulating the Channel/ApCliSsid argument in the start_lan function of the /apply.cgi file.</description><content:encoded><![CDATA[<p>A buffer overflow vulnerability, identified as CVE-2026-7675, affects Shenzhen Libituo Technology LBT-T300-HW1 devices with firmware versions up to 1.2.8. The vulnerability resides in the <code>start_lan</code> function within the <code>/apply.cgi</code> file. By manipulating the <code>Channel/ApCliSsid</code> argument, a remote attacker can trigger a buffer overflow, potentially leading to arbitrary code execution. Publicly available exploit code exists for this vulnerability. The vendor was notified about the vulnerability, but there has been no response. This vulnerability is considered critical due to the potential for remote exploitation and the availability of exploit code.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable Shenzhen Libituo Technology LBT-T300-HW1 device running firmware version 1.2.8 or earlier.</li>
<li>The attacker crafts a malicious HTTP request targeting the <code>/apply.cgi</code> endpoint.</li>
<li>The HTTP request includes a specially crafted <code>Channel/ApCliSsid</code> argument designed to overflow the buffer in the <code>start_lan</code> function.</li>
<li>The vulnerable <code>start_lan</code> function receives the malicious input and attempts to process it without proper bounds checking.</li>
<li>The buffer overflow occurs, overwriting adjacent memory regions, including potentially the return address on the stack.</li>
<li>The attacker gains control of the program execution flow by overwriting the return address with the address of malicious code.</li>
<li>The injected code executes with the privileges of the web server process.</li>
<li>The attacker achieves arbitrary code execution, potentially gaining full control of the device.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected device. Given that this is a router, this could lead to complete compromise of the device, including the ability to intercept and manipulate network traffic, install malware, or use the device as part of a botnet. Due to the public availability of the exploit, widespread exploitation is possible.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply network intrusion detection system (NIDS) rules to detect and block malicious HTTP requests targeting <code>/apply.cgi</code> with excessively long <code>Channel/ApCliSsid</code> values.</li>
<li>Deploy the Sigma rule <code>Detect-LBT-T300-HW1-applycgi-buffer-overflow</code> to your SIEM and tune for your environment to identify exploitation attempts.</li>
<li>Monitor web server logs for suspicious POST requests to <code>/apply.cgi</code> and analyze the length of the <code>Channel/ApCliSsid</code> parameter.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">threat</category><category>buffer overflow</category><category>remote code execution</category><category>web application vulnerability</category></item><item><title>Totolink NR1800X Stack-Based Buffer Overflow Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-05-totolink-rce/</link><pubDate>Fri, 01 May 2026 03:16:01 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-totolink-rce/</guid><description>A stack-based buffer overflow vulnerability (CVE-2026-7546) in the Totolink NR1800X router allows remote attackers to achieve arbitrary code execution by sending a crafted HTTP request with a manipulated Host header to the vulnerable lighttpd component.</description><content:encoded><![CDATA[<p>A critical security vulnerability, CVE-2026-7546, affects Totolink NR1800X routers running firmware version 9.1.0u.6279_B20210910. The vulnerability resides within the <code>find_host_ip</code> function of the lighttpd web server component. By exploiting this flaw, a remote, unauthenticated attacker can trigger a stack-based buffer overflow through manipulation of the Host argument in an HTTP request. The publicly disclosed exploit allows attackers to potentially gain complete control of the device. This vulnerability poses a significant risk to home and small business networks utilizing the affected Totolink router model, as successful exploitation leads to arbitrary code execution.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable Totolink NR1800X router running firmware version 9.1.0u.6279_B20210910.</li>
<li>The attacker crafts a malicious HTTP request targeting the router&rsquo;s web interface.</li>
<li>The crafted request includes a <code>Host</code> header with a string exceeding the buffer size allocated in the <code>find_host_ip</code> function within the <code>lighttpd</code> component.</li>
<li>The router&rsquo;s <code>lighttpd</code> server processes the HTTP request and passes the <code>Host</code> header value to the vulnerable function.</li>
<li>The <code>find_host_ip</code> function attempts to store the oversized <code>Host</code> value in a stack-allocated buffer.</li>
<li>A stack-based buffer overflow occurs due to the insufficient buffer size.</li>
<li>The overflow overwrites adjacent memory on the stack, potentially including the return address.</li>
<li>The attacker gains arbitrary code execution on the device.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-7546 allows a remote attacker to execute arbitrary code on the vulnerable Totolink NR1800X device. This can lead to complete control of the router, allowing the attacker to modify router settings, intercept network traffic, or use the compromised router as a pivot point for further attacks within the network. Given the nature of stack-based buffer overflows, the attacker can potentially install persistent backdoors or malware. This presents a significant risk to users, potentially exposing sensitive data and infrastructure to unauthorized access.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply available patches released by Totolink to remediate CVE-2026-7546.</li>
<li>Monitor network traffic for suspicious HTTP requests targeting Totolink routers, specifically looking for abnormally long Host headers, using the Sigma rule &ldquo;Detect Suspiciously Long Host Header&rdquo;.</li>
<li>Implement network segmentation to limit the impact of a compromised router.</li>
<li>Review and harden router configurations, including disabling remote administration if not required.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve</category><category>remote code execution</category><category>buffer overflow</category><category>router</category></item><item><title>Chromium Use-After-Free Vulnerability in GPU Component (CVE-2026-7333)</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-chromium-use-after-free/</link><pubDate>Fri, 01 May 2026 02:21:27 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-chromium-use-after-free/</guid><description>CVE-2026-7333 is a use-after-free vulnerability in the GPU component of Chromium, affecting Google Chrome and Microsoft Edge, potentially leading to arbitrary code execution.</description><content:encoded><![CDATA[<p>CVE-2026-7333 is a critical use-after-free vulnerability residing in the GPU component of the Chromium browser engine. This flaw allows an attacker to potentially corrupt memory and execute arbitrary code in the context of the browser process. As Microsoft Edge is built upon the Chromium engine, it is also susceptible to this vulnerability. Public details are limited, but exploitation likely involves crafting malicious web content that triggers the use-after-free condition within the GPU processing routines. This vulnerability poses a significant threat as it could allow attackers to compromise user systems simply by visiting a malicious website.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker crafts a malicious HTML page containing JavaScript that interacts with the GPU functionality of the browser.</li>
<li>The user visits the malicious page via a phishing email or drive-by download.</li>
<li>The JavaScript code triggers the use-after-free vulnerability in the Chromium GPU component.</li>
<li>The vulnerability allows the attacker to corrupt memory allocated for GPU processing.</li>
<li>The attacker manipulates memory to gain control of program execution.</li>
<li>The attacker injects malicious code into the browser process.</li>
<li>The injected code executes with the privileges of the browser process, allowing the attacker to perform actions such as stealing cookies, credentials, or installing malware.</li>
<li>The attacker gains persistent access to the compromised system and exfiltrates sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful exploitation of CVE-2026-7333 could allow an attacker to execute arbitrary code on a user&rsquo;s system. This could lead to the theft of sensitive information, installation of malware, or complete system compromise. Given the widespread use of Chromium-based browsers such as Chrome and Edge, this vulnerability has the potential to affect millions of users. The impact is considered critical due to the ease of exploitation and the potential for widespread damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the latest security updates for Google Chrome and Microsoft Edge to patch CVE-2026-7333.</li>
<li>Deploy the Sigma rule &ldquo;Detect Suspicious GPU Process Creation&rdquo; to identify potential exploitation attempts.</li>
<li>Enable process creation logging with command-line arguments to detect suspicious processes spawned by the browser (logsource: process_creation).</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">threat</category><category>use-after-free</category><category>chromium</category><category>gpu</category><category>cve-2026-7333</category><category>remote code execution</category></item><item><title>Chromium Use-After-Free Vulnerability in Cast (CVE-2026-7338)</title><link>https://feed.craftedsignal.io/briefs/2024-01-chromium-cve-2026-7338/</link><pubDate>Fri, 01 May 2026 02:21:27 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-chromium-cve-2026-7338/</guid><description>CVE-2026-7338 is a use-after-free vulnerability in the Cast component of Chromium, affecting Google Chrome and Microsoft Edge, potentially leading to arbitrary code execution.</description><content:encoded><![CDATA[<p>CVE-2026-7338 is a critical use-after-free vulnerability residing within the Cast component of the Chromium browser engine. Google Chrome and Microsoft Edge (Chromium-based) are both affected by this flaw. While the provided source does not specify the exact vulnerable versions, it indicates that Microsoft Edge ingests Chromium, and thus is affected by vulnerabilities addressed in Chromium releases. Successful exploitation of this vulnerability could lead to arbitrary code execution in the context of the user running the browser. This poses a significant risk, as attackers could potentially gain control of the user&rsquo;s system. Defenders should prioritize patching affected browsers.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious webpage or injects malicious code into a legitimate website that utilizes the Cast functionality.</li>
<li>The victim visits the malicious website or interacts with the compromised legitimate website using an affected browser (Chrome or Edge).</li>
<li>The malicious webpage triggers the use-after-free vulnerability in the Cast component.</li>
<li>The vulnerability allows the attacker to access memory that has already been freed.</li>
<li>The attacker overwrites the freed memory with attacker-controlled data.</li>
<li>The attacker manipulates the memory layout to redirect program execution.</li>
<li>The browser attempts to execute code from the attacker-controlled memory location.</li>
<li>This results in arbitrary code execution within the context of the browser process.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-7338 allows an attacker to execute arbitrary code on a victim&rsquo;s machine. This can lead to complete system compromise, data theft, installation of malware, or other malicious activities. Given the widespread use of Chromium-based browsers like Chrome and Edge, this vulnerability has the potential to impact a large number of users across various sectors. The severity is critical due to the potential for remote code execution.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the latest security updates for Google Chrome to address CVE-2026-7338 as detailed in Google Chrome Releases.</li>
<li>Apply the latest security updates for Microsoft Edge (Chromium-based) to address CVE-2026-7338, ensuring the ingested Chromium version contains the fix.</li>
<li>Deploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts targeting the Cast component.</li>
<li>Enable enhanced browser security features, such as sandboxing and site isolation, to limit the impact of potential exploits.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>use-after-free</category><category>chrome</category><category>edge</category><category>cve-2026-7338</category><category>remote code execution</category></item><item><title>code-projects Plugin 4.1.2cu.5137 Buffer Overflow Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-code-projects-buffer-overflow/</link><pubDate>Thu, 30 Apr 2026 22:16:26 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-code-projects-buffer-overflow/</guid><description>A buffer overflow vulnerability (CVE-2026-7503) exists in code-projects Plugin 4.1.2cu.5137, allowing a remote attacker to execute arbitrary code by manipulating the 'wepkey2' argument in the 'setWiFiMultipleConfig' function of the '/lib/cste_modules/wireless.so' library, posing a critical risk due to publicly available exploits.</description><content:encoded><![CDATA[<p>A critical buffer overflow vulnerability, identified as CVE-2026-7503, has been discovered in code-projects Plugin version 4.1.2cu.5137. The vulnerability resides within the <code>setWiFiMultipleConfig</code> function in the <code>/lib/cste_modules/wireless.so</code> library, which is part of the <code>/cgi-bin/cstecgi.cgi</code> executable. Successful exploitation is achieved through manipulation of the <code>wepkey2</code> argument, allowing for remote code execution. The vulnerability is considered highly critical due to the availability of a public exploit, increasing the likelihood of widespread exploitation and potential compromise of affected systems. This poses a significant threat to devices utilizing the vulnerable plugin version.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a system running code-projects Plugin 4.1.2cu.5137.</li>
<li>The attacker crafts a malicious HTTP request targeting the <code>/cgi-bin/cstecgi.cgi</code> endpoint.</li>
<li>The request includes a specially crafted payload for the <code>wepkey2</code> argument within the <code>setWiFiMultipleConfig</code> function.</li>
<li>The vulnerable function <code>setWiFiMultipleConfig</code> processes the malicious input without proper bounds checking.</li>
<li>The oversized <code>wepkey2</code> argument overflows the buffer, overwriting adjacent memory regions.</li>
<li>The attacker injects malicious code into the memory space via the buffer overflow.</li>
<li>The injected code executes, granting the attacker control over the affected system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-7503 can lead to complete system compromise, allowing attackers to execute arbitrary code, steal sensitive information, or cause denial-of-service conditions. Due to the ready availability of an exploit, any system running the vulnerable code-projects plugin version 4.1.2cu.5137 is at immediate risk. The lack of specific victim numbers or sector targeting information in the provided source does not diminish the critical nature of the vulnerability given the high CVSS score (8.8) and public exploit.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Detect Code-Projects WiFi Configuration Buffer Overflow Attempt&rdquo; to your SIEM to detect exploitation attempts targeting the vulnerable <code>setWiFiMultipleConfig</code> function and monitor web server logs (cs-uri-query).</li>
<li>Apply input validation and sanitization to prevent buffer overflows. This issue occurs within the <code>/lib/cste_modules/wireless.so</code> library called by <code>/cgi-bin/cstecgi.cgi</code>.</li>
<li>Monitor network traffic for suspicious requests targeting the <code>/cgi-bin/cstecgi.cgi</code> endpoint, as this is the entry point for exploiting CVE-2026-7503.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>buffer-overflow</category><category>remote-code-execution</category><category>cve-2026-7503</category></item><item><title>UTT HiPER 1250GW Buffer Overflow Vulnerability (CVE-2026-7420)</title><link>https://feed.craftedsignal.io/briefs/2026-04-utt-hiper-buffer-overflow/</link><pubDate>Wed, 29 Apr 2026 23:16:20 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-utt-hiper-buffer-overflow/</guid><description>A buffer overflow vulnerability in UTT HiPER 1250GW devices (versions up to 3.2.7-210907-180535) allows remote attackers to execute arbitrary code by manipulating the 'Profile' argument in the `strcpy` function of the `route/goform/ConfigAdvideo` file, due to insufficient bounds checking.</description><content:encoded><![CDATA[<p>A critical buffer overflow vulnerability, CVE-2026-7420, has been identified in UTT HiPER 1250GW devices running versions up to 3.2.7-210907-180535. The flaw lies within the <code>strcpy</code> function in the <code>route/goform/ConfigAdvideo</code> file, where the &lsquo;Profile&rsquo; argument is not properly validated, leading to a buffer overflow condition. This allows unauthenticated remote attackers to potentially execute arbitrary code on the device. Publicly available exploits exist, increasing the risk of exploitation. Defenders should implement mitigations and detection strategies immediately.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable UTT HiPER 1250GW device exposed to the internet.</li>
<li>The attacker crafts a malicious HTTP request targeting the <code>route/goform/ConfigAdvideo</code> endpoint.</li>
<li>The HTTP request includes a &lsquo;Profile&rsquo; argument with a payload exceeding the buffer size allocated for it.</li>
<li>The <code>strcpy</code> function attempts to copy the oversized &lsquo;Profile&rsquo; argument into the undersized buffer.</li>
<li>The buffer overflow occurs, overwriting adjacent memory regions.</li>
<li>The attacker injects malicious code into the overflowed memory region to gain code execution.</li>
<li>The attacker achieves remote code execution on the UTT HiPER 1250GW device.</li>
<li>The attacker gains control of the device, potentially using it for further malicious activities such as lateral movement, data exfiltration, or denial-of-service attacks.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the UTT HiPER 1250GW device. This can lead to complete compromise of the device, potentially enabling attackers to gain unauthorized access to the network it is connected to, exfiltrate sensitive data, or use the device as a bot in a botnet. The impact is significant, especially if these devices are used in critical infrastructure or sensitive environments.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply available patches or firmware updates for UTT HiPER 1250GW devices to remediate CVE-2026-7420.</li>
<li>Implement network segmentation to isolate UTT HiPER 1250GW devices from critical network segments.</li>
<li>Deploy the Sigma rule <code>Detect UTT HiPER Buffer Overflow Attempt</code> to identify malicious HTTP requests targeting the <code>route/goform/ConfigAdvideo</code> endpoint.</li>
<li>Monitor web server logs for unusual activity and large &lsquo;Profile&rsquo; argument values in requests to <code>route/goform/ConfigAdvideo</code> to identify potential exploitation attempts.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>buffer-overflow</category><category>remote-code-execution</category><category>iot</category></item><item><title>UTT HiPER 1250GW Buffer Overflow Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-utt-hiper-overflow/</link><pubDate>Wed, 29 Apr 2026 22:16:22 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-utt-hiper-overflow/</guid><description>A remote buffer overflow vulnerability exists in the UTT HiPER 1250GW device due to improper handling of the 'Profile' argument in the NTP configuration, potentially allowing for arbitrary code execution.</description><content:encoded><![CDATA[<p>A buffer overflow vulnerability, identified as CVE-2026-7418, has been discovered in UTT HiPER 1250GW devices with firmware versions up to 3.2.7-210907-180535. The vulnerability resides within the <code>strcpy</code> function in the <code>route/goform/NTP</code> file. A remote attacker can exploit this vulnerability by manipulating the <code>Profile</code> argument during NTP configuration. Successful exploitation could lead to arbitrary code execution on the affected device. The vulnerability has been publicly disclosed, increasing the risk of exploitation. This poses a significant threat to organizations using the affected UTT HiPER 1250GW devices, as attackers could potentially gain control of the device and use it as a foothold for further malicious activities within the network.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable UTT HiPER 1250GW device with a firmware version up to 3.2.7-210907-180535.</li>
<li>The attacker crafts a malicious HTTP request targeting the <code>/route/goform/NTP</code> endpoint.</li>
<li>The crafted request includes a specially designed <code>Profile</code> argument containing a payload that exceeds the buffer size allocated for it.</li>
<li>The web server on the UTT HiPER 1250GW device receives the HTTP request and passes the <code>Profile</code> argument to the <code>strcpy</code> function.</li>
<li>The <code>strcpy</code> function copies the oversized <code>Profile</code> argument into the undersized buffer, leading to a buffer overflow.</li>
<li>The buffer overflow overwrites adjacent memory regions, potentially including critical program data or executable code.</li>
<li>The attacker gains arbitrary code execution on the device with the privileges of the web server process.</li>
<li>The attacker can then use this foothold to further compromise the device or the network it is connected to, potentially leading to data exfiltration or denial-of-service attacks.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-7418 can allow a remote attacker to execute arbitrary code on the affected UTT HiPER 1250GW device. This could allow the attacker to gain full control of the device, potentially leading to data exfiltration, denial-of-service attacks, or further compromise of the network to which the device is connected. The vulnerability has a CVSS v3.1 score of 8.8, indicating a high severity. Given the public availability of the exploit, organizations using the affected devices are at increased risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply available patches or firmware updates provided by UTT to address CVE-2026-7418 on HiPER 1250GW devices.</li>
<li>Deploy the Sigma rule <code>Detect Suspicious NTP Profile Argument</code> to detect exploitation attempts against the <code>/route/goform/NTP</code> endpoint.</li>
<li>Monitor web server logs for suspicious requests targeting the <code>/route/goform/NTP</code> endpoint with unusually long <code>Profile</code> arguments to identify potential exploitation attempts.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>buffer-overflow</category><category>remote-code-execution</category><category>cve-2026-7418</category></item><item><title>Tenda F456 Router Buffer Overflow Vulnerability (CVE-2026-7101)</title><link>https://feed.craftedsignal.io/briefs/2026-04-tenda-f456-buffer-overflow/</link><pubDate>Mon, 27 Apr 2026 09:19:31 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-tenda-f456-buffer-overflow/</guid><description>A buffer overflow vulnerability in Tenda F456 version 1.0.0.5 allows remote attackers to execute arbitrary code via a crafted request to the fromWrlclientSet function in the /goform/WrlclientSet file of the httpd component.</description><content:encoded><![CDATA[<p>A critical buffer overflow vulnerability, identified as CVE-2026-7101, has been discovered in Tenda F456 router version 1.0.0.5. The vulnerability resides in the <code>fromWrlclientSet</code> function within the <code>/goform/WrlclientSet</code> file, which is part of the router&rsquo;s httpd component. Successful exploitation allows remote attackers to execute arbitrary code on the device. Publicly available exploit code exists, increasing the risk of widespread exploitation. This vulnerability poses a significant threat to home and small business networks using the affected Tenda router model, potentially leading to complete device compromise and unauthorized network access. The vulnerability was published on 2026-04-27 and is tracked by VulDB.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a vulnerable Tenda F456 router running firmware version 1.0.0.5.</li>
<li>The attacker crafts a malicious HTTP request targeting the <code>/goform/WrlclientSet</code> endpoint.</li>
<li>The crafted request includes an oversized payload designed to overflow the buffer in the <code>fromWrlclientSet</code> function.</li>
<li>The <code>httpd</code> process attempts to process the request without proper bounds checking.</li>
<li>The buffer overflow occurs, overwriting adjacent memory regions, including critical program data and execution pointers.</li>
<li>The attacker gains control of the program execution flow.</li>
<li>The attacker executes arbitrary code on the router, potentially including shell commands or custom malware.</li>
<li>The attacker achieves complete control of the router, potentially enabling network reconnaissance, data exfiltration, or further attacks on the local network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this buffer overflow vulnerability allows a remote attacker to execute arbitrary code on the Tenda F456 router. This can lead to complete device compromise, allowing the attacker to control network traffic, modify router settings, or use the compromised device as a pivot point for further attacks within the network. Given the wide usage of Tenda routers in home and small business environments, a successful widespread exploitation could impact thousands of users.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to a patched firmware version if available from the vendor.</li>
<li>Implement network segmentation to limit the impact of a compromised router.</li>
<li>Monitor web server logs for suspicious activity targeting the <code>/goform/WrlclientSet</code> endpoint using the provided Sigma rule.</li>
<li>Implement an IPS rule to detect and block exploit attempts targeting CVE-2026-7101.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve-2026-7101</category><category>buffer-overflow</category><category>router</category><category>tenda</category><category>remote-code-execution</category></item><item><title>Tenda F456 Router Buffer Overflow Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-tenda-buffer-overflow/</link><pubDate>Sun, 26 Apr 2026 11:16:06 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-tenda-buffer-overflow/</guid><description>A buffer overflow vulnerability in Tenda F456 router version 1.0.0.5 allows a remote attacker to execute arbitrary code by exploiting the fromSafeClientFilter function in the /goform/SafeClientFilter endpoint through manipulation of the 'menufacturer/Go' argument.</description><content:encoded><![CDATA[<p>A buffer overflow vulnerability has been identified in Tenda F456 router, specifically version 1.0.0.5. The vulnerability resides within the <code>fromSafeClientFilter</code> function located in the <code>/goform/SafeClientFilter</code> file. Successful exploitation allows a remote attacker to inject and execute arbitrary code. Publicly available exploit code exists, increasing the risk of widespread exploitation targeting vulnerable Tenda F456 devices. This issue poses a significant threat to network security, as a compromised router can lead to data breaches, denial of service, or further network intrusion.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a Tenda F456 router running firmware version 1.0.0.5 exposed to the internet.</li>
<li>The attacker crafts a malicious HTTP POST request targeting the <code>/goform/SafeClientFilter</code> endpoint.</li>
<li>The crafted request includes a specially designed payload within the <code>menufacturer/Go</code> argument. This payload is designed to trigger a buffer overflow in the <code>fromSafeClientFilter</code> function.</li>
<li>The <code>fromSafeClientFilter</code> function processes the malicious input without proper bounds checking.</li>
<li>The oversized payload overwrites adjacent memory regions, potentially including return addresses or other critical data.</li>
<li>When the <code>fromSafeClientFilter</code> function attempts to return, the overwritten return address is used, redirecting execution flow to attacker-controlled memory.</li>
<li>The attacker-controlled memory contains shellcode or other malicious instructions.</li>
<li>The router executes the attacker&rsquo;s code, granting the attacker control over the device.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability can result in complete compromise of the Tenda F456 router. An attacker can gain unauthorized access to network traffic, modify router settings, or use the compromised device as a launchpad for further attacks within the network. Given the public availability of exploit code, a large number of Tenda F456 routers could be targeted, potentially affecting numerous home and small business networks. A successful attack could lead to data theft, service disruption, and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply any available patches or firmware updates released by Tenda to address CVE-2026-7033 on the F456 1.0.0.5 routers.</li>
<li>Implement network intrusion detection systems (IDS) or intrusion prevention systems (IPS) rules to detect and block malicious requests targeting the <code>/goform/SafeClientFilter</code> endpoint.</li>
<li>Deploy the Sigma rules provided below to your SIEM to detect exploitation attempts targeting the vulnerable endpoint.</li>
<li>Monitor web server logs for suspicious POST requests to <code>/goform/SafeClientFilter</code> with abnormally large <code>menufacturer/Go</code> argument values.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>buffer-overflow</category><category>remote-code-execution</category><category>cve-2026-7033</category><category>router</category></item><item><title>Ray Data Remote Code Execution via Parquet Arrow Extension Type Deserialization</title><link>https://feed.craftedsignal.io/briefs/2026-04-ray-parquet-rce/</link><pubDate>Fri, 24 Apr 2026 16:15:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-ray-parquet-rce/</guid><description>Ray Data is vulnerable to remote code execution via Parquet Arrow Extension Type Deserialization; specifically, a maliciously crafted Parquet file can trigger arbitrary code execution due to the unsafe deserialization of Arrow extension metadata, affecting Ray versions 2.49.0 through 2.54.0.</description><content:encoded><![CDATA[<p>Ray Data, a component of the Ray distributed computing framework, is susceptible to remote code execution (RCE) due to unsafe deserialization of Parquet file metadata. The vulnerability stems from Ray&rsquo;s registration of custom Arrow extension types (<code>ray.data.arrow_tensor</code>, <code>ray.data.arrow_tensor_v2</code>, <code>ray.data.arrow_variable_shaped_tensor</code>) within PyArrow. When a Parquet file containing these extension types is processed, the <code>__arrow_ext_deserialize__</code> function is invoked, leading to the execution of arbitrary code through <code>cloudpickle.loads()</code> on the field&rsquo;s metadata, prior to any data being read. This issue, introduced in July 2025 via commit <code>f6d21db1a4</code>, affects Ray versions 2.49.0 through 2.54.0. Successful exploitation does not require authentication or network access to a Ray cluster. Instead, it hinges on the framework reading a maliciously crafted Parquet file, which can originate from various sources like cloud storage, HuggingFace datasets, or shared file systems.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a Parquet file containing a column with a <code>ray.data.arrow_tensor</code>, <code>ray.data.arrow_tensor_v2</code>, or <code>ray.data.arrow_variable_shaped_tensor</code> extension type.</li>
<li>The attacker injects a malicious payload in the <code>ARROW:extension:metadata</code> field of the Parquet file, serialized using <code>cloudpickle</code>.</li>
<li>The attacker places the crafted Parquet file in a location accessible to a Ray Data pipeline, such as a HuggingFace dataset, a shared filesystem, or a cloud storage bucket.</li>
<li>A Ray Data pipeline, using functions like <code>ray.data.read_parquet()</code>, <code>pyarrow.parquet.read_table()</code>, or <code>pandas.read_parquet()</code>, attempts to read the Parquet file.</li>
<li>During schema parsing, PyArrow encounters the custom Arrow extension type and automatically calls the <code>__arrow_ext_deserialize__</code> method.</li>
<li>The <code>__arrow_ext_deserialize__</code> method invokes <code>_deserialize_with_fallback()</code>, which attempts to deserialize the metadata using <code>cloudpickle.loads()</code>.</li>
<li>The <code>cloudpickle.loads()</code> function executes the attacker&rsquo;s arbitrary code from the crafted Parquet metadata.</li>
<li>The attacker achieves arbitrary command execution as the user running the Ray worker process, potentially leading to full server compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability affects Ray versions 2.49.0 through 2.54.0, impacting any process utilizing Ray Data that reads Parquet files. The global registration of extension types in PyArrow means that all Parquet reads within the affected process are vulnerable. An attacker can achieve arbitrary command execution as the Ray worker process user, leading to full server compromise, without requiring authentication or cluster access. Successful exploitation allows attackers to compromise systems by simply placing a malicious Parquet file in a location that a Ray Data pipeline processes.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Ray to a patched version beyond 2.54.0 to remediate the vulnerability, ensuring the fix addresses the <code>cloudpickle.loads()</code> call in the deserialization path.</li>
<li>Implement strict input validation and sanitization for Parquet files before processing them with Ray Data to prevent the execution of malicious payloads embedded in the <code>ARROW:extension:metadata</code> field.</li>
<li>Monitor for unexpected child processes spawned by <code>python</code> processes running Ray workers, which can indicate that <code>cloudpickle.loads()</code> executed a malicious payload from Parquet metadata.</li>
<li>Deploy the Sigma rule <code>Detect Ray Data Parquet Deserialization RCE</code> to detect exploitation attempts by monitoring for specific metadata within Parquet files.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>remote-code-execution</category><category>parquet</category><category>deserialization</category><category>cloudpickle</category><category>ray</category></item><item><title>OpenMage LTS Phar Deserialization RCE</title><link>https://feed.craftedsignal.io/briefs/2024-01-openmage-phar-deserialization/</link><pubDate>Tue, 21 Apr 2026 14:32:48 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-openmage-phar-deserialization/</guid><description>A remote code execution vulnerability exists in OpenMage LTS versions prior to 20.16.1 due to Phar deserialization, where an attacker can upload a malicious phar file disguised as an image and trigger deserialization via functions like `getimagesize()`, `file_exists()`, or `is_readable()` when processing `phar://` stream wrapper paths, leading to arbitrary code execution.</description><content:encoded><![CDATA[<p>OpenMage LTS versions prior to 20.16.1 are vulnerable to remote code execution due to insecure handling of PHP archives (phar) and the <code>phar://</code> stream wrapper. The vulnerability stems from the usage of functions like <code>getimagesize()</code>, <code>file_exists()</code>, and <code>is_readable()</code> with potentially controllable file paths in image validation and media handling. An attacker can exploit this by uploading a specially crafted polyglot file (a valid image that is also a valid phar archive) and then triggering the vulnerable functions to access it using the <code>phar://</code> protocol, resulting in the deserialization of malicious code. This issue affects any versions derived from Magento 1.x with the vulnerable code paths in <code>app/code/core/Mage/Core/Model/File/Validator/Image.php</code>, <code>app/code/core/Mage/Cms/Model/Wysiwyg/Images/Storage.php</code>, and <code>lib/Varien/Image.php</code>.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker crafts a polyglot file that is both a valid image (e.g., JPEG) and a valid PHP archive (phar).</li>
<li>The malicious phar archive contains serialized PHP objects designed to execute arbitrary code when deserialized.</li>
<li>The attacker uploads the polyglot file to the OpenMage LTS server through a vulnerable endpoint, such as product images, CMS media, or file import functionality.</li>
<li>The application stores the uploaded file in a publicly accessible directory.</li>
<li>The attacker triggers the vulnerable application logic in <code>app/code/core/Mage/Core/Model/File/Validator/Image.php</code> (line 72), <code>app/code/core/Mage/Cms/Model/Wysiwyg/Images/Storage.php</code> (line 137) or <code>lib/Varien/Image.php</code> (line 71), causing the application to use <code>getimagesize()</code> or similar functions on the uploaded file with the <code>phar://</code> stream wrapper.</li>
<li>PHP attempts to read the file using the <code>phar://</code> wrapper, which triggers the deserialization of the malicious metadata contained within the phar archive.</li>
<li>The deserialization process instantiates the malicious PHP objects, executing the attacker&rsquo;s code.</li>
<li>The attacker achieves remote code execution on the server, allowing them to compromise the system, install malware, or exfiltrate data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows an attacker to execute arbitrary code on the OpenMage LTS server. This can lead to complete system compromise, data theft, defacement of the website, or the installation of malware. Given the potential for unauthenticated file uploads, the impact is significant, with potential widespread compromise affecting all versions of OpenMage LTS prior to 20.16.1. The vulnerability exists in core Magento 1.x code, so all derived products are affected.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade OpenMage LTS to version 20.16.1 or later to patch the vulnerability.</li>
<li>Implement the recommended code fix by blocking <code>phar://</code> paths before passing them to vulnerable functions such as <code>getimagesize()</code> in the affected files: <code>app/code/core/Mage/Core/Model/File/Validator/Image.php</code>, <code>app/code/core/Mage/Cms/Model/Wysiwyg/Images/Storage.php</code>, and <code>lib/Varien/Image.php</code>.</li>
<li>Deploy the Sigma rule to detect attempts to access files using the <code>phar://</code> stream wrapper (see rule &ldquo;Detect Phar Stream Wrapper Access&rdquo;).</li>
<li>If upgrading is not immediately possible, disable the <code>phar://</code> stream wrapper in the <code>php.ini</code> file.</li>
<li>Implement strict upload validation beyond file extension checks to prevent the upload of polyglot files.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>phar deserialization</category><category>remote code execution</category><category>OpenMage LTS</category><category>Magento 1.x</category></item><item><title>Modelscope Agentscope Code Injection Vulnerability (CVE-2026-6603)</title><link>https://feed.craftedsignal.io/briefs/2026-04-agentscope-code-injection/</link><pubDate>Mon, 20 Apr 2026 05:16:15 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-agentscope-code-injection/</guid><description>A code injection vulnerability exists in modelscope agentscope up to version 1.0.18, specifically affecting the execute_python_code/execute_shell_command functions, allowing for remote code execution.</description><content:encoded><![CDATA[<p>A critical code injection vulnerability, identified as CVE-2026-6603, affects modelscope agentscope versions up to 1.0.18. The vulnerability resides within the <code>execute_python_code</code> and <code>execute_shell_command</code> functions in the <code>src/AgentScope/tool/_coding/_python.py</code> file. This flaw allows an attacker to inject arbitrary code, leading to potential remote code execution on the affected system. A public exploit is available, increasing the risk of widespread exploitation. The vendor was contacted but has not responded to the disclosure. This vulnerability poses a significant threat to systems running vulnerable versions of agentscope, potentially leading to compromise and unauthorized access.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a vulnerable instance of modelscope agentscope running a version up to 1.0.18.</li>
<li>The attacker crafts a malicious request targeting the <code>execute_python_code</code> or <code>execute_shell_command</code> function.</li>
<li>The malicious request injects arbitrary code into the vulnerable function&rsquo;s input.</li>
<li>The application processes the injected code without proper sanitization or validation.</li>
<li>The injected code is executed by the system, potentially allowing the attacker to execute arbitrary commands.</li>
<li>The attacker leverages the executed code to gain further access to the system or network.</li>
<li>The attacker installs malware, establishes persistence, or exfiltrates sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-6603 can result in arbitrary code execution on the affected system. This can lead to complete system compromise, data breaches, and unauthorized access to sensitive information. While the exact number of victims is currently unknown, the availability of a public exploit makes widespread exploitation highly probable. Organizations using modelscope agentscope are at risk and should take immediate action to mitigate this vulnerability.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade modelscope agentscope to a patched version beyond 1.0.18 to remediate the vulnerability (CVE-2026-6603).</li>
<li>Implement the provided Sigma rule to detect suspicious process execution originating from the agentscope application server.</li>
<li>Monitor web server logs for unusual requests targeting the <code>execute_python_code</code> or <code>execute_shell_command</code> endpoints (webserver log source).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>code-injection</category><category>remote-code-execution</category><category>agentscope</category></item><item><title>Microsoft April 2026 Patch Tuesday Addresses 163 Vulnerabilities</title><link>https://feed.craftedsignal.io/briefs/2026-04-microsoft-patch-tuesday/</link><pubDate>Thu, 16 Apr 2026 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-microsoft-patch-tuesday/</guid><description>Microsoft's April 2026 Patch Tuesday addresses 163 vulnerabilities, including 8 critical ones, ranging from Tampering to Remote Code Execution and Privilege Escalation, affecting various Microsoft products; it is recommended to apply patches immediately.</description><content:encoded><![CDATA[<p>Microsoft&rsquo;s April 2026 Patch Tuesday addresses 163 vulnerabilities across its product range, with 8 rated as critical. This update includes fixes for actively exploited zero-day vulnerabilities. The vulnerabilities span multiple categories, including remote code execution (RCE), elevation of privilege, and spoofing. Specifically, CVE-2026-32201 is a zero-day actively exploited in Microsoft SharePoint, and CVE-2026-33826 poses a critical RCE risk in Windows Active Directory environments. Given the wide range of impacted products and the severity of certain vulnerabilities, organizations are strongly advised to prioritize patching to mitigate potential risks of exploitation and lateral movement. The updates cover both server and workstation products.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access (CVE-2026-32201):</strong> An attacker exploits a spoofing vulnerability in Microsoft SharePoint, potentially through cross-site scripting (XSS).</li>
<li><strong>Exploitation (CVE-2026-33826):</strong> An authenticated attacker sends a specially crafted RPC call to an RPC host within a restricted Active Directory domain.</li>
<li><strong>Code Execution (CVE-2026-33826):</strong> The crafted RPC call triggers code execution with the same permissions as the RPC host on the target system.</li>
<li><strong>Privilege Escalation (CVE-2026-33825):</strong> An attacker leverages insufficient access control granularity in Microsoft Defender to escalate privileges locally.</li>
<li><strong>Network Propagation (CVE-2026-33824, CVE-2026-33827):</strong> An unauthenticated attacker sends crafted packets to a target with IKE version 2 enabled, or a crafted IPv6 packet to a Windows node where IPSec is enabled, to achieve code execution.</li>
<li><strong>Defense Evasion (CVE-2026-27913):</strong> An attacker bypasses Secure Boot by exploiting an input validation vulnerability in Windows BitLocker.</li>
<li><strong>Lateral Movement (CVE-2026-33826):</strong> Threat actors use the foothold established via Active Directory exploitation to move laterally within the organization&rsquo;s network.</li>
<li><strong>Impact:</strong> The attacker steals data and deploys malware across the compromised network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of these vulnerabilities could lead to a range of impacts, from data theft and malware deployment to complete system compromise. Given that Microsoft products are widely used across various sectors, a successful attack could affect a large number of organizations, including those in critical infrastructure. The exploitation of Active Directory vulnerabilities (CVE-2026-33826) is particularly concerning, as it could allow attackers to establish a foothold for lateral movement, potentially affecting hundreds or thousands of systems within an enterprise network. The actively exploited SharePoint vulnerability (CVE-2026-32201) could lead to sensitive information disclosure and unauthorized modifications.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the Microsoft April 2026 Patch Tuesday updates immediately to all affected systems, prioritizing those with critical vulnerabilities, especially CVE-2026-32201 (SharePoint) and CVE-2026-33826 (Active Directory).</li>
<li>Strengthen monitoring and detection capabilities to identify suspicious activity related to the exploitation of these vulnerabilities, as recommended by the advisory.</li>
<li>Deploy the Sigma rule to detect suspicious RPC calls indicative of CVE-2026-33826 exploitation in Windows Active Directory environments.</li>
<li>Implement firewall rules to mitigate the risk of CVE-2026-33824 exploitation targeting the Windows Internet Key Exchange (IKE) Service Extensions, as suggested in the advisory.</li>
<li>Review and enforce strict input validation practices to prevent exploitation of spoofing vulnerabilities like CVE-2026-32201 and CVE-2026-26151.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">threat</category><category>patch-tuesday</category><category>vulnerability</category><category>remote-code-execution</category><category>privilege-escalation</category><category>windows</category></item><item><title>Openfind MailGates/MailAudit Stack-based Buffer Overflow (CVE-2026-6350)</title><link>https://feed.craftedsignal.io/briefs/2026-04-openfind-mailgates-bo/</link><pubDate>Thu, 16 Apr 2026 03:16:30 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-openfind-mailgates-bo/</guid><description>Openfind MailGates/MailAudit is vulnerable to a stack-based buffer overflow (CVE-2026-6350) allowing unauthenticated remote attackers to execute arbitrary code by controlling the program's execution flow.</description><content:encoded><![CDATA[<p>Openfind MailGates and MailAudit are susceptible to a critical stack-based buffer overflow vulnerability, identified as CVE-2026-6350. This flaw allows unauthenticated remote attackers to gain control over the program&rsquo;s execution flow and execute arbitrary code on the affected system. The vulnerability stems from insufficient input validation, leading to a buffer overflow when processing specifically crafted requests. Given the nature of MailGates/MailAudit as email security solutions, successful exploitation can lead to a full compromise of the email infrastructure and potential data breaches. The vulnerability was reported on April 15, 2026, and affects undisclosed versions of MailGates/MailAudit.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated remote attacker identifies a vulnerable MailGates/MailAudit instance.</li>
<li>The attacker crafts a malicious network request specifically designed to trigger the stack-based buffer overflow in MailGates/MailAudit.</li>
<li>The attacker sends the crafted request to the targeted MailGates/MailAudit server.</li>
<li>The vulnerable application receives and processes the malicious request without proper input sanitization.</li>
<li>The oversized input overwrites adjacent memory on the stack, including the return address.</li>
<li>When the function attempts to return, it jumps to an address controlled by the attacker.</li>
<li>The attacker-controlled address points to shellcode placed in the overflowing buffer or elsewhere in memory; where the stack is non-executable (DEP/NX) the attacker instead chains existing code (return-oriented programming), and ASLR additionally forces an address leak or a guess of the memory layout before the return address can be aimed reliably.</li>
<li>The shellcode executes arbitrary commands on the server, potentially leading to complete system compromise and data exfiltration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-6350 allows unauthenticated remote attackers to execute arbitrary code on the MailGates/MailAudit server. This can result in full system compromise, allowing attackers to steal sensitive email data, modify email content, or use the compromised server as a launchpad for further attacks. Given that MailGates/MailAudit are used by numerous organizations for email security, a successful widespread attack could impact potentially thousands of organizations and millions of users.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor web server logs for unusual request patterns indicative of buffer overflow attempts targeting MailGates/MailAudit.</li>
<li>Inspect network traffic for suspicious payloads being sent to MailGates/MailAudit servers, looking for patterns that could indicate exploit attempts.</li>
<li>Deploy the Sigma rule provided below to detect potential exploitation attempts targeting CVE-2026-6350.</li>
<li>Consult Openfind&rsquo;s security advisories for patches and mitigation steps specific to CVE-2026-6350.</li>
<li>If available, apply the updates provided by Openfind to remediate CVE-2026-6350 on the MailGates/MailAudit servers; until then, restrict network exposure of the affected services to the minimum the mail flow requires.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve-2026-6350</category><category>buffer-overflow</category><category>remote-code-execution</category></item><item><title>CVE-2026-33824: Windows IKE Extension Double Free Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-ike-double-free/</link><pubDate>Wed, 15 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-ike-double-free/</guid><description>A double free vulnerability in the Windows IKE Extension, tracked as CVE-2026-33824, allows an unauthenticated remote attacker to execute arbitrary code over the network.</description><content:encoded><![CDATA[<p>CVE-2026-33824 is a critical vulnerability affecting the Windows Internet Key Exchange (IKE) Extension. This double-free vulnerability enables an unauthenticated attacker to execute arbitrary code on a vulnerable system remotely. The vulnerability stems from improper memory management within the IKE service. Successful exploitation could lead to complete system compromise, making it a high-priority concern for defenders. Microsoft has assigned a CVSS v3.1 score of 9.8 to this vulnerability. This issue was reported to Microsoft and assigned CVE-2026-33824. The affected systems are those running the Windows IKE Extension without the necessary security update.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker sends a specially crafted IKE packet to the target system.</li>
<li>The Windows IKE Extension processes the malicious IKE packet.</li>
<li>Due to a flaw in memory management, the IKE Extension attempts to free the same memory location twice (double-free).</li>
<li>The double-free condition corrupts the heap memory.</li>
<li>The attacker leverages the heap corruption to overwrite critical data structures.</li>
<li>The attacker gains control of program execution flow.</li>
<li>The attacker injects and executes arbitrary code within the context of the IKE service.</li>
<li>The attacker achieves remote code execution, potentially leading to complete system compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-33824 allows a remote, unauthenticated attacker to execute arbitrary code on a vulnerable Windows system. Given the critical CVSS score of 9.8, the impact is severe. A compromised system could be used to steal sensitive data, establish a foothold for further network penetration, or cause a denial-of-service condition. Organizations that do not apply the patch released by Microsoft are at significant risk of compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the security update released by Microsoft to patch CVE-2026-33824 on all affected Windows systems immediately. Refer to the Microsoft advisory <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33824">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33824</a>.</li>
<li>Monitor network traffic for suspicious IKE packets targeting your Windows systems. Deploy the network connection rule below to identify potential exploitation attempts.</li>
<li>Enable Windows event logging for the IKE service and deploy the process creation rule below to detect unexpected processes spawned by the IKE service.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve-2026-33824</category><category>windows</category><category>ike</category><category>double-free</category><category>remote-code-execution</category></item><item><title>PraisonAI Unauthenticated Remote Session Hijacking Vulnerability (CVE-2026-40289)</title><link>https://feed.craftedsignal.io/briefs/2026-04-praisonai-rce/</link><pubDate>Tue, 14 Apr 2026 04:18:47 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-praisonai-rce/</guid><description>PraisonAI versions before 4.5.139 and praisonaiagents versions before 1.5.140 are vulnerable to unauthenticated remote session hijacking due to missing authentication and a bypassable origin check on the /ws WebSocket endpoint, enabling unauthorized remote control and data leakage.</description><content:encoded><![CDATA[<p>PraisonAI, a multi-agent team system, is affected by a critical vulnerability (CVE-2026-40289) in versions prior to 4.5.139 and praisonaiagents versions prior to 1.5.140. The vulnerability lies in the browser bridge component (&ldquo;praisonai browser start&rdquo;), which lacks proper authentication and has a bypassable origin check on its /ws WebSocket endpoint. The server, binding to 0.0.0.0 by default, inadequately validates the Origin header, permitting connections from non-browser clients omitting this header. This flaw allows an unauthenticated attacker to remotely hijack sessions and broadcast automation actions and outputs. This can lead to unauthorized remote control of connected browser automation sessions, leakage of sensitive page context and automation results, and misuse of model-backed browser actions. Defenders must prioritize patching affected systems to mitigate this severe risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a vulnerable PraisonAI instance with network access to the browser bridge component.</li>
<li>Attacker establishes a direct WebSocket connection to the /ws endpoint of the browser bridge, omitting the Origin header to bypass the weak origin check.</li>
<li>Attacker sends a &ldquo;start_session&rdquo; message to the WebSocket endpoint.</li>
<li>The server routes the attacker&rsquo;s &ldquo;start_session&rdquo; request to the first idle browser-extension WebSocket, effectively hijacking that session.</li>
<li>The hijacked browser session begins executing commands dictated by the attacker.</li>
<li>All automation actions and outputs resulting from the hijacked session are broadcast back to the attacker via the WebSocket connection.</li>
<li>Attacker gains unauthorized remote control of the connected browser automation session.</li>
<li>Attacker exfiltrates sensitive data and/or misuses model-backed browser actions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-40289 can lead to complete compromise of PraisonAI browser automation sessions. An attacker can gain unauthorized remote control, potentially leading to leakage of sensitive page context and automation results. Furthermore, they can misuse model-backed browser actions. The vulnerability affects all environments where the bridge is network-reachable, which by default is every interface because the server binds to 0.0.0.0. The severity is high: with no credentials at all, an attacker can drive arbitrary actions in the context of the PraisonAI browser extension, an outcome equivalent to remote code execution inside that session.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade PraisonAI to version 4.5.139 or later, and praisonaiagents to version 1.5.140 or later to patch CVE-2026-40289.</li>
<li>Monitor network connections to the /ws endpoint on PraisonAI servers (logsource category: network_connection, product: windows/linux).</li>
<li>Deploy the Sigma rule to detect WebSocket handshakes to the bridge that carry no Origin header, the signature of a non-browser client (see rule below).</li>
<li>Implement network segmentation to limit network access to the PraisonAI browser bridge component.</li>
</ul>
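<p>The origin check described above, as an added example that is not PraisonAI's code: the weak variant accepts a handshake with no Origin header, which is exactly what a non-browser client sends, while the hardened variant requires an allow-listed Origin and a per-deployment bearer token. The allow-list, header names, token scheme and the three constructed handshakes are assumptions for illustration.</p>

```python
"""Origin and authentication check for a WebSocket bridge endpoint.

Added example, not PraisonAI's code. The allow-list, header names, token
scheme and sample handshakes below are assumptions for illustration.
"""
from __future__ import annotations

import hmac

ALLOWED_ORIGINS = {"http://127.0.0.1:8765", "http://localhost:8765"}  # assumed
BRIDGE_TOKEN = "s3cr3t-example-token"  # assumed; a real bridge generates this per launch


def _header(headers: dict, name: str) -> str | None:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def weak_origin_check(headers: dict) -> bool:
    """The pattern the brief describes: a missing Origin header is accepted.

    Browsers always send Origin on a WebSocket handshake, so this only stops
    cross-site browser pages; any non-browser client simply omits the header.
    """
    origin = _header(headers, "Origin")
    if origin is None:
        return True  # bug: headless clients sail through
    return origin in ALLOWED_ORIGINS


def hardened_check(headers: dict) -> bool:
    """Reject when Origin is absent or not allow-listed, and additionally
    require a bearer token (assumed scheme), so even a same-origin caller
    must prove it was launched by the bridge owner."""
    origin = _header(headers, "Origin")
    if origin is None or origin not in ALLOWED_ORIGINS:
        return False
    auth = _header(headers, "Authorization") or ""
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer":
        return False
    return hmac.compare_digest(token, BRIDGE_TOKEN)  # constant-time compare


# Constructed handshakes for the three interesting cases (not captured traffic).
BROWSER_EXTENSION = {
    "Origin": "http://127.0.0.1:8765",
    "Authorization": f"Bearer {BRIDGE_TOKEN}",
}
HEADLESS_ATTACKER = {"User-Agent": "python-websockets"}  # no Origin at all
CROSS_SITE_PAGE = {"Origin": "https://evil.example"}


def evaluate() -> dict:
    """Return {case: (weak_result, hardened_result)} for the three handshakes."""
    cases = {
        "extension": BROWSER_EXTENSION,
        "headless": HEADLESS_ATTACKER,
        "cross_site": CROSS_SITE_PAGE,
    }
    return {name: (weak_origin_check(h), hardened_check(h)) for name, h in cases.items()}


if __name__ == "__main__":
    for name, (weak, hard) in evaluate().items():
        print(f"{name:10s} weak={weak} hardened={hard}")
```

<p>Running the block prints the decision each check makes for a genuine extension handshake, a headless client with no Origin, and a cross-site page. Origin alone is never an authentication mechanism, because a non-browser client can set it to whatever it likes; the token is what actually gates the session. Binding the bridge to 127.0.0.1 instead of 0.0.0.0 removes the network reachability that the brief calls out in the first place.</p>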
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve-2026-40289</category><category>websocket</category><category>remote-code-execution</category><category>praisonai</category></item><item><title>Smart Slider 3 Pro Compromised Update Leads to Remote Code Execution</title><link>https://feed.craftedsignal.io/briefs/2026-04-smart-slider-rce/</link><pubDate>Thu, 09 Apr 2026 23:17:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-smart-slider-rce/</guid><description>Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-stage remote access toolkit injected through a compromised update system allowing unauthenticated remote code execution and system takeover.</description><content:encoded><![CDATA[<p>Smart Slider 3 Pro version 3.5.1.35, a popular WordPress and Joomla plugin, is vulnerable to remote code execution due to a compromised update system. This vulnerability, tracked as CVE-2026-34424, allows unauthenticated attackers to inject a multi-stage remote access toolkit. The attackers leverage this toolkit to execute arbitrary code and commands, effectively taking control of the affected web server. This vulnerability poses a significant threat to websites using the vulnerable plugin, potentially leading to data theft, website defacement, or use of the server for malicious purposes. Defenders should prioritize patching or removing the affected plugin version immediately.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker compromises the Smart Slider 3 Pro update server.</li>
<li>A malicious update is pushed to vulnerable Smart Slider 3 Pro installations (version 3.5.1.35).</li>
<li>The plugin downloads and installs the malicious update, injecting the multi-stage remote access toolkit.</li>
<li>The attacker triggers pre-authentication remote shell execution by sending crafted HTTP headers to the web server.</li>
<li>An authenticated backdoor is established, allowing the attacker to execute arbitrary PHP code or OS commands.</li>
<li>The attacker creates hidden administrator accounts within WordPress or Joomla to maintain persistent access.</li>
<li>Credentials and access keys are exfiltrated from the compromised system.</li>
<li>Persistence is maintained through multiple injection points, including modifications to must-use plugins and core files.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-34424 leads to complete compromise of the affected web server. Attackers can gain unauthorized access to sensitive data, including user credentials, database information, and proprietary code. Websites can be defaced, injected with malware, or used as part of a botnet. The vulnerability affects all users of Smart Slider 3 Pro version 3.5.1.35, regardless of the underlying operating system. Given the widespread use of WordPress and Joomla, a large number of websites are potentially at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately remove or update Smart Slider 3 Pro to a patched version newer than 3.5.1.35 to remediate CVE-2026-34424.</li>
<li>Monitor web server logs for suspicious HTTP requests with unusual headers indicative of attempted pre-authentication shell execution as described in the Attack Chain.</li>
<li>Implement the provided Sigma rules to detect suspicious process creation and file modifications related to the injected toolkit.</li>
<li>Audit user accounts for unauthorized administrator accounts as the attacker creates hidden accounts.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>wordpress</category><category>joomla</category><category>remote-code-execution</category><category>plugin</category></item><item><title>Logstash Arbitrary File Write via Path Traversal (CVE-2026-33466)</title><link>https://feed.craftedsignal.io/briefs/2024-01-24-logstash-path-traversal/</link><pubDate>Wed, 08 Apr 2026 18:26:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-24-logstash-path-traversal/</guid><description>CVE-2026-33466 describes a vulnerability in Logstash where improper validation of file paths within compressed archives allows arbitrary file writes, potentially leading to remote code execution.</description><content:encoded><![CDATA[<p>CVE-2026-33466 exposes a critical vulnerability in Logstash, stemming from improper validation of file paths within compressed archives. This flaw, classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), can be exploited by an attacker to achieve arbitrary file writes on the host system. The attack vector involves serving a specially crafted archive to Logstash, typically through a compromised or attacker-controlled update endpoint. This malicious archive contains file paths designed to traverse directories, allowing the attacker to write files outside of the intended Logstash directories with the privileges of the Logstash process. If Logstash is configured with automatic pipeline reloading, this arbitrary file write can be leveraged to execute arbitrary code, effectively achieving remote code execution (RCE).</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a Logstash instance with a vulnerable version of the archive extraction utility and a potential attack vector via update endpoints.</li>
<li>Attacker crafts a malicious compressed archive containing files with relative path traversal sequences in their filenames (e.g., &ldquo;../../path/to/malicious/file.conf&rdquo;).</li>
<li>Attacker compromises or controls an update endpoint used by Logstash to retrieve updates, such as pipeline configurations or plugins.</li>
<li>Logstash retrieves the malicious archive from the compromised update endpoint.</li>
<li>Logstash extracts the contents of the archive using a vulnerable archive extraction utility.</li>
<li>Due to insufficient path validation, the utility writes the files to arbitrary locations on the filesystem, overwriting existing files or creating new ones. A common target could be Logstash&rsquo;s configuration directory.</li>
<li>If automatic pipeline reloading is enabled, Logstash detects the modified configuration file and reloads the pipeline.</li>
<li>The malicious configuration file contains embedded code that executes arbitrary commands on the system with the privileges of the Logstash process, achieving remote code execution.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-33466 can lead to complete compromise of the Logstash server. An attacker can gain arbitrary code execution, allowing them to install malware, steal sensitive data, or disrupt services. The CVSS v3.1 base score of 8.1 reflects the high potential for damage. While the number of potential victims and targeted sectors are unknown, any organization using a vulnerable Logstash instance is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch or upgrade to a version of Logstash that addresses CVE-2026-33466 as soon as it becomes available.</li>
<li>Implement strict input validation on any update endpoints used by Logstash to prevent the delivery of malicious archives.</li>
<li>Disable automatic pipeline reloading in Logstash if possible, or implement controls to verify the integrity of pipeline configurations before reloading.</li>
<li>Deploy the Sigma rule <code>Detect Logstash Path Traversal Archive Extraction</code> to detect potential exploitation attempts by monitoring for suspicious file creation events.</li>
<li>Monitor file creation events for files created outside of the intended Logstash directories using the <code>Detect Logstash Out-of-Directory File Creation</code> Sigma rule.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>path-traversal</category><category>remote-code-execution</category><category>logstash</category></item><item><title>WordPress Plugin Vulnerability: Arbitrary File Upload in Gerador de Certificados – DevApps</title><link>https://feed.craftedsignal.io/briefs/2026-04-wordpress-upload/</link><pubDate>Wed, 08 Apr 2026 07:16:22 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-wordpress-upload/</guid><description>The Gerador de Certificados – DevApps WordPress plugin is vulnerable to arbitrary file uploads due to missing file type validation, potentially leading to remote code execution.</description><content:encoded><![CDATA[<p>The Gerador de Certificados – DevApps plugin for WordPress, versions up to and including 1.3.6, contains an arbitrary file upload vulnerability (CVE-2026-4808). This flaw stems from a lack of file type validation within the <code>moveUploadedFile()</code> function. Authenticated users with administrator privileges or higher can exploit this vulnerability by uploading arbitrary files to the affected server. Successful exploitation could allow an attacker to execute arbitrary code on the server, leading to a complete system compromise. This vulnerability poses a significant threat to websites using the affected plugin, potentially impacting data confidentiality, integrity, and availability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker authenticates to the WordPress site with administrator-level privileges.</li>
<li>The attacker navigates to the Gerador de Certificados – DevApps plugin&rsquo;s upload functionality.</li>
<li>The attacker crafts a malicious file (e.g., a PHP file) with a disguised extension or no extension.</li>
<li>The attacker uploads the malicious file through the plugin&rsquo;s interface, bypassing the missing file type validation in the <code>moveUploadedFile()</code> function.</li>
<li>The plugin saves the file to a publicly accessible directory on the server.</li>
<li>The attacker identifies the location of the uploaded file.</li>
<li>The attacker sends an HTTP request to the uploaded file&rsquo;s location.</li>
<li>The server executes the malicious code within the uploaded file, granting the attacker remote code execution capabilities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows attackers with administrator privileges to upload arbitrary files to the web server. This can lead to remote code execution, potentially allowing the attacker to gain full control of the WordPress website and the underlying server. This could lead to data theft, website defacement, or use of the server for malicious purposes such as hosting phishing sites or launching attacks against other systems. The number of affected sites is potentially very large.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the Gerador de Certificados – DevApps plugin to the latest version, which includes a fix for CVE-2026-4808.</li>
<li>Implement web server configurations to prevent the execution of scripts in upload directories.</li>
<li>Enable web server logging and monitor for suspicious file uploads and access attempts to unusual file types.</li>
<li>Deploy the Sigma rule to detect attempts to access PHP files within the wp-content/uploads directory.</li>
</ul>
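<p>The file-type validation the brief says <code>moveUploadedFile()</code> lacks, as an added example written in Python rather than the plugin's PHP and not the plugin's own code: it rejects the disguises the attack chain lists (a bare <code>.php</code>, a double extension such as <code>shell.php.png</code>, and a name with no extension), blocks path components, and checks the leading bytes of the content against the declared type instead of trusting the name. The extension allow-list and the sample files are assumptions.</p>

```python
"""Upload validation of the kind the brief says the plugin is missing.

Added example, not the plugin's code. The allow-list, the magic-byte table
and the sample uploads are assumptions constructed for illustration.
"""
from __future__ import annotations

import os

ALLOWED_EXT = {"png", "jpg", "jpeg", "pdf"}  # assumed for a certificate generator
EXECUTABLE_EXT = {"php", "php3", "php4", "php5", "phtml", "phar", "htaccess"}

# Leading bytes of each accepted format: a content check, not just a name check.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason).

    Rejects: path components or traversal in the name, no extension, any
    executable extension anywhere in the name (shell.php, shell.php.png),
    an extension outside the allow-list, and content whose magic bytes do
    not match the declared type.
    """
    base = os.path.basename(filename)
    if base != filename or ".." in filename:
        return False, "path component in filename"
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "no extension"
    exts = parts[1:]  # every extension after the first dot, so .php.png is caught
    if any(e in EXECUTABLE_EXT for e in exts):
        return False, "executable extension present"
    ext = exts[-1]
    if ext not in ALLOWED_EXT:
        return False, f"extension {ext!r} not allowed"
    if not content.startswith(MAGIC[ext]):
        return False, "content does not match declared type"
    return True, "ok"


# Constructed sample uploads covering the cases in the attack chain.
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_SHELL = b"<?php system($_GET['c']); // constructed webshell\n"
SAMPLES = {
    "good_png": ("cert.png", PNG_HEADER),
    "bare_php": ("shell.php", PHP_SHELL),
    "double_ext": ("shell.php.png", PNG_HEADER),
    "no_ext": ("shell", PHP_SHELL),
    "wrong_content": ("cert.png", PHP_SHELL),
    "traversal": ("../shell.png", PNG_HEADER),
    "htaccess": (".htaccess", b"AddType application/x-httpd-php .png\n"),
}


def run_samples() -> dict:
    """Return {label: accepted} for every constructed sample."""
    return {label: validate_upload(name, data)[0] for label, (name, data) in SAMPLES.items()}


if __name__ == "__main__":
    for label, (name, data) in SAMPLES.items():
        print(f"{label:14s} {name!r:18s} -> {validate_upload(name, data)}")
```

<p>Even with this check in place, configure the web server so nothing under the upload directory is executed as PHP (the second recommendation above): the validator stops malicious uploads, the server configuration makes any that slip through harmless. The <code>.htaccess</code> case matters for exactly that reason, since an uploaded one can re-enable execution on Apache.</p>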
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>file-upload</category><category>remote-code-execution</category></item><item><title>Windmill Missing Authorization Vulnerability (CVE-2026-22683)</title><link>https://feed.craftedsignal.io/briefs/2024-02-29-windmill-auth-bypass/</link><pubDate>Tue, 07 Apr 2026 17:16:27 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-02-29-windmill-auth-bypass/</guid><description>Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability (CVE-2026-22683) that allows users with the Operator role to bypass intended restrictions and perform unauthorized entity creation and modification actions via the backend API, potentially leading to privilege escalation and remote code execution.</description><content:encoded><![CDATA[<p>Windmill, a low-code internal tool platform, contains a critical missing authorization vulnerability, tracked as CVE-2026-22683, affecting versions 1.56.0 through 1.614.0. The vulnerability stems from a failure to properly enforce role-based access controls within the backend API. Specifically, users assigned the &ldquo;Operator&rdquo; role, who are intended to have limited privileges and be restricted from creating or modifying entities, can bypass these restrictions.  This allows Operators to create and modify scripts, flows, apps, and raw_apps, effectively exceeding their intended permissions. Given that Operators can also execute scripts through the jobs API, this authorization bypass facilitates a direct path to privilege escalation and potentially remote code execution within the Windmill environment. Defenders should prioritize patching and detection efforts to mitigate this risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker compromises or is assigned an &ldquo;Operator&rdquo; role within the Windmill platform.</li>
<li>The attacker authenticates to the Windmill backend API using their Operator credentials.</li>
<li>The attacker crafts a malicious API request to create a new script, flow, app, or raw_app, bypassing the intended authorization checks for Operator roles.</li>
<li>The Windmill API processes the request without properly validating the Operator&rsquo;s permissions, allowing the entity creation to proceed.</li>
<li>The attacker creates a script containing malicious code designed to escalate privileges or execute arbitrary commands.</li>
<li>The attacker utilizes the jobs API to execute the newly created malicious script.</li>
<li>The script executes with elevated privileges within the Windmill deployment environment.</li>
<li>The attacker achieves remote code execution, potentially compromising the entire Windmill instance and connected resources.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful exploitation of CVE-2026-22683 can lead to complete compromise of the Windmill instance. An attacker leveraging an Operator account can gain remote code execution capabilities. The missing authorization can lead to full control over the Windmill instance, potentially affecting all applications, flows, and scripts managed within the platform. Given the nature of Windmill as an internal tool platform, this could expose sensitive internal data and systems to unauthorized access. The number of affected organizations depends on the adoption rate of Windmill within the affected version range.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade Windmill instances to a patched version beyond 1.614.0 to remediate CVE-2026-22683.</li>
<li>Implement the Sigma rule <code>Detect Windmill Unauthorized Entity Creation</code> to detect attempts to create scripts, flows, apps, or raw_apps from Operator accounts via the API.</li>
<li>Implement the Sigma rule <code>Detect Windmill Job Execution of Newly Created Entities</code> to detect the execution of scripts, flows, apps or raw_apps that were recently created.</li>
<li>Monitor Windmill API logs for suspicious activity related to entity creation and modification, focusing on requests originating from Operator accounts.</li>
</ul>
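<p>The two detections the recommendations name, as an added example that is neither Windmill's code nor the feed's Sigma rules: the first flags any create or modify call to a script, flow, app or raw_app made by an account holding the Operator role; the second correlates a job run against an entity created or modified inside a short window. The audit-record shape, the endpoint paths and the five sample events are constructed assumptions.</p>

```python
"""Two correlation checks over API audit records.

Added example, not Windmill's code or the feed's Sigma rules. The record
shape, endpoint paths and sample events are constructed assumptions.
"""
from __future__ import annotations

from datetime import datetime, timedelta

ENTITY_KINDS = ("scripts", "flows", "apps", "raw_apps")
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed audit log (assumed shape): one dict per API call, paths assumed
# to follow /api/w/<workspace>/<kind>/... for entities and .../jobs/run/... for runs.
EVENTS = [
    {"ts": "2026-04-07T10:00:00", "user": "ops-bob", "role": "operator",
     "method": "GET", "path": "/api/w/prod/scripts/list", "entity": None},
    {"ts": "2026-04-07T10:01:00", "user": "ops-bob", "role": "operator",
     "method": "POST", "path": "/api/w/prod/scripts/create", "entity": "u/ops-bob/cleanup"},
    {"ts": "2026-04-07T10:02:30", "user": "ops-bob", "role": "operator",
     "method": "POST", "path": "/api/w/prod/jobs/run/p/u/ops-bob/cleanup", "entity": "u/ops-bob/cleanup"},
    {"ts": "2026-04-07T11:00:00", "user": "dev-alice", "role": "developer",
     "method": "POST", "path": "/api/w/prod/flows/create", "entity": "f/etl/nightly"},
    {"ts": "2026-04-07T15:00:00", "user": "sched", "role": "admin",
     "method": "POST", "path": "/api/w/prod/jobs/run/f/f/etl/nightly", "entity": "f/etl/nightly"},
]


def _ts(e: dict) -> datetime:
    return datetime.fromisoformat(e["ts"])


def _kind(e: dict) -> str | None:
    # "/api/w/<ws>/<kind>/..." splits to ["", "api", "w", ws, kind, ...]
    segs = e["path"].split("/")
    return segs[4] if len(segs) > 4 else None


def _is_entity_mutation(e: dict) -> bool:
    return e["method"] in MUTATING and _kind(e) in ENTITY_KINDS


def operator_mutations(events: list[dict]) -> list[dict]:
    """Rule 1: an Operator account must never create or modify an entity."""
    return [e for e in events if e["role"].lower() == "operator" and _is_entity_mutation(e)]


def runs_of_recent_entities(events: list[dict], window_minutes: int = 30) -> list[tuple]:
    """Rule 2: job runs of an entity created or modified within the window.

    Returns (run_event, mutating_event) pairs, scanning in time order so the
    most recent mutation of each entity is the one correlated.
    """
    window = timedelta(minutes=window_minutes)
    latest_mutation: dict = {}
    hits = []
    for e in sorted(events, key=_ts):
        if _is_entity_mutation(e):
            latest_mutation[e["entity"]] = e
        elif "/jobs/run/" in e["path"] and e["entity"] in latest_mutation:
            origin = latest_mutation[e["entity"]]
            if _ts(e) - _ts(origin) <= window:
                hits.append((e, origin))
    return hits


if __name__ == "__main__":
    for e in operator_mutations(EVENTS):
        print("rule1:", e["ts"], e["user"], e["method"], e["path"])
    for run, origin in runs_of_recent_entities(EVENTS):
        print("rule2:", run["ts"], run["user"], "ran", run["entity"], "created", origin["ts"])
```

<p>The second rule on its own also catches a developer who creates a flow and a scheduler that runs it minutes later, so in practice pair it with the first (same Operator account both created and ran the entity) or keep the window short for everyone and widen it only for Operator accounts.</p>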
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>windmill</category><category>authorization-bypass</category><category>privilege-escalation</category><category>remote-code-execution</category></item><item><title>Tenda CX12L Router Stack-Based Buffer Overflow Vulnerability (CVE-2026-5686)</title><link>https://feed.craftedsignal.io/briefs/2026-04-tenda-cx12l-stack-overflow/</link><pubDate>Mon, 06 Apr 2026 22:16:24 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-tenda-cx12l-stack-overflow/</guid><description>A stack-based buffer overflow vulnerability (CVE-2026-5686) exists in the Tenda CX12L router version 16.03.53.12, allowing remote attackers to potentially execute arbitrary code by manipulating the 'page' argument in the `/goform/RouteStatic` endpoint.</description><content:encoded><![CDATA[<p>CVE-2026-5686 is a critical vulnerability affecting Tenda CX12L routers running firmware version 16.03.53.12. This stack-based buffer overflow is located in the <code>fromRouteStatic</code> function within the <code>/goform/RouteStatic</code> file. A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted request with a malicious <code>page</code> argument. Publicly available exploit code exists, increasing the risk of widespread exploitation. Successful exploitation could lead to arbitrary code execution, potentially allowing attackers to gain full control of the affected router. This poses a significant risk to home and small business networks using the vulnerable device.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a Tenda CX12L router running firmware version 16.03.53.12.</li>
<li>The attacker sends a crafted HTTP POST request to <code>/goform/RouteStatic</code>.</li>
<li>The request includes a <code>page</code> argument with a string exceeding the buffer size allocated to the <code>fromRouteStatic</code> function.</li>
<li>The oversized <code>page</code> argument overwrites adjacent memory on the stack, including the return address.</li>
<li>When the <code>fromRouteStatic</code> function returns, it attempts to jump to the overwritten return address controlled by the attacker.</li>
<li>The attacker&rsquo;s payload, injected via the overflowed buffer, is executed with the privileges of the <code>httpd</code> process.</li>
<li>The attacker gains remote code execution on the router.</li>
<li>The attacker can then use the compromised router as a foothold for further attacks, such as network reconnaissance, lateral movement, or data exfiltration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-5686 allows a remote attacker to execute arbitrary code on the affected Tenda CX12L router. This could lead to a complete compromise of the device, enabling attackers to modify router settings, intercept network traffic, or use the router as a proxy for malicious activities. Given the widespread use of Tenda routers in home and small business networks, this vulnerability could have a significant impact, potentially affecting thousands of users. A successful attack could lead to data breaches, service disruptions, and further compromise of connected devices within the network.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply available patches or firmware updates provided by Tenda to address CVE-2026-5686.</li>
<li>Monitor web server logs for suspicious POST requests to <code>/goform/RouteStatic</code> with unusually long <code>page</code> parameters, using the provided Sigma rule.</li>
<li>Implement network intrusion detection systems (IDS) to detect and block exploit attempts targeting this vulnerability.</li>
<li>Restrict access to the router&rsquo;s administrative interface to trusted networks or IP addresses to limit the attack surface.</li>
<li>Regularly review router configurations and security settings to ensure they align with best practices.</li>
</ul>
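<p>The log check in the second recommendation, as an added example that is neither Tenda's code nor the feed's Sigma rule: it parses captured HTTP requests, finds the <code>page</code> field in the query string or the POST body, and flags a value longer than a threshold, reporting how many non-printable characters it carries (a return-address or shellcode payload is rarely printable text). Ordinary access logs record the request line but not the POST body, so the value has to come from a proxy, IDS or packet capture that retains bodies. The threshold and the three constructed requests are assumptions.</p>

```python
"""Flag requests to /goform/RouteStatic whose `page` field is suspiciously long.

Added example, not Tenda's code or the feed's Sigma rule. The threshold and
the captured requests below are constructed assumptions.
"""
from __future__ import annotations

from urllib.parse import parse_qs, urlsplit

MAX_PAGE_LEN = 64  # assumed: legitimate page values are short tokens
TARGET_PATH = "/goform/RouteStatic"


def parse_http_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request parser: request line, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def suspicious_page(req: dict) -> tuple[bool, str]:
    """Return (flagged, reason) for one parsed request."""
    url = urlsplit(req["target"])
    if url.path != TARGET_PATH:
        return False, "other path"
    # `page` may arrive in the query string or, for POST, in the form body.
    fields = parse_qs(url.query, keep_blank_values=True)
    if req["method"] == "POST":
        fields.update(parse_qs(req["body"].decode("latin-1"), keep_blank_values=True))
    pages = fields.get("page", [])
    if not pages:
        return False, "no page field"
    longest = max(pages, key=len)
    nonprint = sum(1 for ch in longest if not 0x20 <= ord(ch) < 0x7F)
    if len(longest) > MAX_PAGE_LEN:
        return True, f"page length {len(longest)} with {nonprint} non-printable characters"
    return False, "page length ok"


# Constructed captures (not real traffic): a normal form post, an overflow
# attempt padded with 300 bytes plus raw high bytes, and an unrelated request.
BENIGN = (b"POST /goform/RouteStatic HTTP/1.1\r\nHost: 192.168.0.1\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n\r\npage=1")
ATTACK = (b"POST /goform/RouteStatic HTTP/1.1\r\nHost: 192.168.0.1\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n\r\npage="
          + b"A" * 300 + b"%ff%ff%ff%ff")
OTHER = b"GET /index.html HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n"
CAPTURES = [BENIGN, ATTACK, OTHER]


def scan(captures: list[bytes]) -> list[tuple[int, str]]:
    """Return (index, reason) for every flagged capture."""
    out = []
    for i, raw in enumerate(captures):
        flagged, reason = suspicious_page(parse_http_request(raw))
        if flagged:
            out.append((i, reason))
    return out


if __name__ == "__main__":
    for i, reason in scan(CAPTURES):
        print(f"capture {i}: {reason}")
```

<p>The length threshold is the primary signal; the non-printable count is there to separate a fat-fingered but legitimate value from a payload. Where only the request line is logged, the same logic still applies to a <code>page</code> value carried in the query string, but a body-borne overflow will not be visible without body capture.</p>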
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve-2026-5686</category><category>tenda</category><category>router</category><category>stack-based buffer overflow</category><category>remote code execution</category></item><item><title>Emlog Path Traversal Vulnerability Leads to Remote Code Execution</title><link>https://feed.craftedsignal.io/briefs/2024-01-emlog-rce/</link><pubDate>Fri, 03 Apr 2026 23:17:04 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-emlog-rce/</guid><description>Emlog versions 2.6.2 and prior are vulnerable to path traversal via crafted ZIP uploads, allowing authenticated admins to write arbitrary files and achieve remote code execution.</description><content:encoded><![CDATA[<p>Emlog, an open-source website building system, is vulnerable to a critical path traversal vulnerability (CVE-2026-34607) affecting versions 2.6.2 and earlier. This flaw resides within the <code>emUnZip()</code> function located in <code>include/lib/common.php:793</code>. The vulnerability stems from the function&rsquo;s failure to sanitize ZIP entry names during extraction of ZIP archives, such as those used for plugin/template uploads or backup imports. An authenticated administrator can exploit this by uploading a specially crafted ZIP file containing entries with &ldquo;../&rdquo; sequences. This allows the attacker to write arbitrary files to the server&rsquo;s file system, potentially including PHP webshells, ultimately leading to Remote Code Execution (RCE). At the time of this writing, there are no publicly available patches to address this vulnerability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker authenticates as an administrator in the Emlog application.</li>
<li>The attacker crafts a malicious ZIP archive containing a file with a path traversal sequence (e.g., <code>../../../../shell.php</code>).</li>
<li>The attacker uploads the crafted ZIP archive via a plugin/template upload or backup import feature.</li>
<li>The <code>emUnZip()</code> function is invoked, which extracts the contents of the ZIP archive.</li>
<li>Due to the lack of sanitization, the <code>extractTo()</code> function writes the malicious file to an arbitrary location on the server&rsquo;s filesystem, as dictated by the path traversal sequence.</li>
<li>The traversal path is chosen so that the webshell lands in a directory reachable from the web (for example the site root), since the attacker still has to request the file once it has been written.</li>
<li>The attacker accesses the uploaded PHP webshell through a web browser (e.g., <code>http://example.com/shell.php</code>).</li>
<li>The attacker executes arbitrary commands on the server via the webshell, achieving Remote Code Execution (RCE).</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to gain complete control over the affected Emlog server. This can lead to data breaches, website defacement, malware distribution, or further attacks against other systems on the network. Given that Emlog is used by numerous websites, the impact could be widespread, potentially affecting hundreds or thousands of sites.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply any available patches or updates for Emlog as soon as they are released to address CVE-2026-34607.</li>
<li>Implement input validation and sanitization measures within the <code>emUnZip()</code> function to prevent path traversal attacks. Specifically, sanitize ZIP entry names before passing them to the <code>extractTo()</code> function.</li>
<li>Monitor web server logs for suspicious requests to PHP files in unusual directories (e.g., outside the webroot) after ZIP archive uploads, using the provided Sigma rule for webserver logs.</li>
<li>Implement the provided Sigma rule to detect process creation from web server processes to identify potential webshell execution.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>path-traversal</category><category>remote-code-execution</category><category>emlog</category><category>web-application</category></item><item><title>Cesanta Mongoose TLS 1.3 Heap-Based Buffer Overflow Vulnerability (CVE-2026-5244)</title><link>https://feed.craftedsignal.io/briefs/2026-04-mongoose-tls-overflow/</link><pubDate>Thu, 02 Apr 2026 08:16:28 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-mongoose-tls-overflow/</guid><description>A remote heap-based buffer overflow vulnerability exists in Cesanta Mongoose versions up to 7.20 due to improper handling of the pubkey argument in the mg_tls_recv_cert function, potentially leading to code execution.</description><content:encoded><![CDATA[<p>A heap-based buffer overflow vulnerability, identified as CVE-2026-5244, has been discovered in Cesanta Mongoose versions up to 7.20. This flaw resides within the <code>mg_tls_recv_cert</code> function in the <code>mongoose.c</code> file, specifically affecting the TLS 1.3 handler. The vulnerability can be triggered by manipulating the <code>pubkey</code> argument, which leads to memory corruption. The exploit for this vulnerability is publicly available, increasing the risk of exploitation. Successful exploitation could allow a remote attacker to execute arbitrary code on the affected system. Cesanta has addressed this issue in version 7.21, with patch <code>0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1</code>.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker initiates a TLS 1.3 handshake with a vulnerable Mongoose server.</li>
<li>The attacker crafts a malicious TLS certificate containing an oversized <code>pubkey</code>.</li>
<li>The <code>mg_tls_recv_cert</code> function processes the certificate.</li>
<li>Due to insufficient bounds checking, the oversized <code>pubkey</code> overflows the heap buffer, writing past its bounds.</li>
<li>The heap overflow corrupts adjacent memory regions.</li>
<li>The attacker leverages memory corruption to gain control of program execution.</li>
<li>The attacker injects and executes arbitrary code on the server.</li>
<li>The attacker achieves complete control over the vulnerable system, potentially leading to data exfiltration or service disruption.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-5244 allows a remote attacker to execute arbitrary code on systems running vulnerable versions of Cesanta Mongoose. This could lead to complete system compromise, data breaches, and denial-of-service conditions. Given the widespread use of Mongoose in embedded systems and IoT devices, a successful attack could impact a large number of devices across various sectors.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to Cesanta Mongoose version 7.21 or later to patch CVE-2026-5244, using the provided patch ID <code>0d882f1b43ff2308b7486a56a9d60cd6dba8a3f1</code>.</li>
<li>Monitor web server logs for unusual TLS handshake patterns or certificate errors that could indicate exploitation attempts against vulnerable Mongoose instances. Utilize the provided Sigma rule to detect potential exploitation attempts.</li>
<li>Implement network intrusion detection systems (IDS) to detect and block malicious TLS traffic targeting vulnerable Mongoose servers.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-5244</category><category>heap-based-buffer-overflow</category><category>tls-1.3</category><category>remote-code-execution</category></item><item><title>Multiple Vulnerabilities in libpng Allow Remote Code Execution and Denial of Service</title><link>https://feed.craftedsignal.io/briefs/2026-04-libpng-vulns/</link><pubDate>Wed, 01 Apr 2026 09:21:36 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-libpng-vulns/</guid><description>A remote, anonymous attacker can exploit multiple vulnerabilities in libpng to execute arbitrary program code or cause a denial of service.</description><content:encoded><![CDATA[<p>Multiple vulnerabilities have been identified in libpng, a widely used library for handling the PNG image format. These vulnerabilities could allow a remote, anonymous attacker to execute arbitrary program code or cause a denial of service (DoS). The vulnerabilities stem from weaknesses in how libpng parses and processes PNG image files. While the specifics of the vulnerabilities are not detailed in this advisory, the potential impact necessitates immediate attention from defenders who utilize libpng in their applications or systems. The lack of specific CVEs or version numbers makes targeted patching difficult, but increased monitoring and proactive defense measures are essential to mitigate the risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious PNG image file designed to exploit a vulnerability in libpng.</li>
<li>The attacker delivers the malicious PNG image to a vulnerable application or system. This delivery mechanism is unspecified in this brief, but could involve network protocols, file uploads, or other methods of data transfer.</li>
<li>The vulnerable application utilizes the libpng library to process the received PNG image.</li>
<li>During the image processing, the malicious PNG triggers a buffer overflow, heap corruption, or other memory-related error within libpng.</li>
<li>The attacker leverages the memory corruption to overwrite critical program data or inject malicious code into the application&rsquo;s memory space.</li>
<li>The injected code is executed, granting the attacker arbitrary code execution capabilities within the context of the vulnerable application. Alternatively, the memory corruption leads to a crash and denial of service.</li>
<li>The attacker can then use the compromised application to further compromise the system or network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these libpng vulnerabilities could lead to arbitrary code execution, potentially allowing attackers to gain complete control over affected systems. Alternatively, attackers can cause a denial of service, disrupting critical services and impacting business operations. Given the widespread use of libpng, a large number of systems and applications could be vulnerable. The lack of specific information regarding the number of victims and sectors targeted makes it difficult to estimate the precise scope of impact, but the potential for widespread disruption is significant.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement robust input validation and sanitization measures to reduce the risk of processing malicious PNG images.</li>
<li>Monitor systems for unexpected crashes or errors occurring during image processing to detect potential exploitation attempts. Deploy the Sigma rule detecting crashes related to image processing.</li>
<li>Investigate and analyze any reported crashes or errors occurring during image processing promptly to determine the root cause and potential impact.</li>
<li>Implement network segmentation and least privilege principles to limit the potential impact of a successful exploitation.</li>
<li>Enable process crash reporting on systems utilizing libpng and centralize the logs in a SIEM for analysis by detection engineers.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>libpng</category><category>vulnerability</category><category>remote-code-execution</category><category>denial-of-service</category></item><item><title>OpenClaw Privilege Escalation Vulnerability (CVE-2026-32922)</title><link>https://feed.craftedsignal.io/briefs/2026-03-openclaw-privesc/</link><pubDate>Sun, 29 Mar 2026 13:17:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-openclaw-privesc/</guid><description>OpenClaw before 2026.3.11 is vulnerable to privilege escalation in the device.token.rotate function, allowing attackers with limited operator.pairing scope to mint tokens with elevated operator.admin privileges, potentially leading to remote code execution.</description><content:encoded><![CDATA[<p>OpenClaw versions prior to 2026.3.11 are susceptible to a critical privilege escalation vulnerability identified as CVE-2026-32922. This flaw resides within the <code>device.token.rotate</code> function. Attackers who have already gained <code>operator.pairing</code> scope can exploit this vulnerability to mint new tokens with broader, unauthorized scopes, due to a failure in the application to properly constrain the newly minted scopes. This allows attackers to elevate their privileges to <code>operator.admin</code> on paired…</p>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>privilege-escalation</category><category>remote-code-execution</category><category>cve</category></item><item><title>Crashmail 1.6 Stack-Based Buffer Overflow Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-03-crashmail-bo/</link><pubDate>Sat, 28 Mar 2026 12:16:03 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-crashmail-bo/</guid><description>Crashmail 1.6 is vulnerable to a stack-based buffer overflow, allowing remote attackers to execute arbitrary code via malicious input and potentially leading to denial of service.</description><content:encoded><![CDATA[<p>Crashmail 1.6 is susceptible to a stack-based buffer overflow vulnerability (CVE-2018-25223) that allows remote attackers to execute arbitrary code. This vulnerability is triggered when the application receives specially crafted input designed to overwrite the stack. Attackers can leverage Return-Oriented Programming (ROP) chains to achieve code execution within the context of the application. Failed exploitation attempts may result in a denial-of-service condition, impacting application availability. Given the network-accessible nature of the vulnerability and the potential for arbitrary code execution, it poses a significant risk to systems running Crashmail 1.6.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable Crashmail 1.6 server exposed to the network.</li>
<li>The attacker crafts a malicious input specifically designed to exploit the stack-based buffer overflow vulnerability (CVE-2018-25223). This input includes shellcode or a ROP chain.</li>
<li>The attacker sends the malicious input to the Crashmail application via a network connection.</li>
<li>The application processes the malicious input, triggering the buffer overflow when copying the input data to a fixed-size buffer on the stack.</li>
<li>The overflow overwrites critical stack data, including the return address of the current function.</li>
<li>Upon function return, control is redirected to the attacker-controlled address, initiating the execution of the injected shellcode or ROP chain.</li>
<li>The shellcode or ROP chain executes arbitrary commands, potentially including installing malware, creating new user accounts, or exfiltrating sensitive data.</li>
<li>If the exploit fails, the application may crash, resulting in a denial-of-service condition.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code on the affected system. This could lead to complete system compromise, including data theft, malware installation, and denial of service. Given the critical CVSS score of 9.8, organizations running vulnerable versions of Crashmail are at high risk. The number of potential victims is dependent on the number of Crashmail 1.6 installations exposed to network traffic.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply available patches or upgrades to mitigate CVE-2018-25223 in Crashmail 1.6.</li>
<li>Monitor network traffic for suspicious patterns indicative of exploit attempts targeting Crashmail, using the process_creation Sigma rule below to detect unexpected processes.</li>
<li>Implement network segmentation to limit the potential impact of a successful exploit.</li>
<li>Deploy the provided Sigma rule to detect potential exploitation attempts by monitoring process creations spawned from the crashmail process.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>buffer-overflow</category><category>remote-code-execution</category><category>cve-2018-25223</category></item><item><title>Totolink LR350 Remote Buffer Overflow Vulnerability (CVE-2026-4976)</title><link>https://feed.craftedsignal.io/briefs/2026-03-totolink-buffer-overflow/</link><pubDate>Fri, 27 Mar 2026 21:17:28 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-totolink-buffer-overflow/</guid><description>A buffer overflow vulnerability in Totolink LR350 version 9.3.5u.6369_B20220309 allows a remote attacker to execute arbitrary code by manipulating the 'ssid' argument in the setWiFiGuestCfg function.</description><content:encoded><![CDATA[<p>A critical buffer overflow vulnerability, CVE-2026-4976, has been identified in Totolink LR350 routers running firmware version 9.3.5u.6369_B20220309. The vulnerability resides in the <code>setWiFiGuestCfg</code> function within the <code>/cgi-bin/cstecgi.cgi</code> file. By crafting a malicious HTTP request and manipulating the <code>ssid</code> argument, a remote, unauthenticated attacker can trigger a buffer overflow, potentially leading to arbitrary code execution on the device. The availability of a public exploit…</p>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve-2026-4976</category><category>buffer-overflow</category><category>totolink</category><category>router</category><category>remote-code-execution</category></item><item><title>WP Job Portal Plugin Arbitrary File Deletion Vulnerability (CVE-2026-4758)</title><link>https://feed.craftedsignal.io/briefs/2026-03-wp-job-portal-file-deletion/</link><pubDate>Thu, 26 Mar 2026 00:16:41 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-wp-job-portal-file-deletion/</guid><description>The WP Job Portal plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation, allowing authenticated attackers with subscriber-level access or higher to delete arbitrary files, potentially leading to remote code execution.</description><content:encoded><![CDATA[<p>The WP Job Portal plugin for WordPress versions up to and including 2.4.9 is susceptible to an arbitrary file deletion vulnerability (CVE-2026-4758). The vulnerability stems from insufficient file path validation within the <code>WPJOBPORTALcustomfields::removeFileCustom</code> function. Authenticated attackers with Subscriber-level access or higher can exploit this flaw to delete arbitrary files on the server. Successful exploitation allows attackers to delete critical files such as <code>wp-config.php</code>…</p>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve</category><category>wordpress</category><category>file-deletion</category><category>remote-code-execution</category></item><item><title>CVE-2026-4675: Google Chrome WebGL Heap Buffer Overflow Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-03-chrome-webgl-heap-overflow/</link><pubDate>Wed, 25 Mar 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-chrome-webgl-heap-overflow/</guid><description>A heap buffer overflow vulnerability (CVE-2026-4675) exists in Google Chrome's WebGL implementation prior to version 146.0.7680.165, allowing a remote attacker to perform an out-of-bounds memory read via a specially crafted HTML page, potentially leading to information disclosure or arbitrary code execution.</description><content:encoded><![CDATA[<p>CVE-2026-4675 describes a heap buffer overflow vulnerability affecting the WebGL component of Google Chrome. Specifically, versions prior to 146.0.7680.165 are susceptible. An attacker can exploit this vulnerability by crafting a malicious HTML page that, when rendered by a vulnerable Chrome browser, triggers an out-of-bounds memory read due to the heap buffer overflow in WebGL. The Chromium security team rated this as a &ldquo;High&rdquo; severity issue. Successful exploitation can lead to information…</p>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-4675</category><category>heap-buffer-overflow</category><category>webgl</category><category>chrome</category><category>remote-code-execution</category></item><item><title>Multiple Vulnerabilities in Apache Tomcat Allow for Remote Code Execution and Data Manipulation</title><link>https://feed.craftedsignal.io/briefs/2024-06-apache-tomcat-vulns/</link><pubDate>Wed, 25 Mar 2026 10:22:01 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-06-apache-tomcat-vulns/</guid><description>Multiple vulnerabilities in Apache Tomcat can be exploited by a remote, authenticated or anonymous attacker to execute arbitrary code, bypass security measures, manipulate data, and cause a denial of service.</description><content:encoded><![CDATA[<p>A remote attacker, either authenticated or anonymous, can exploit multiple vulnerabilities within Apache Tomcat. Successful exploitation can lead to arbitrary code execution, bypassing security measures, manipulating sensitive data, and triggering a denial-of-service condition, severely impacting availability and confidentiality. This broad range of potential impacts makes timely patching and robust detection critical for organizations utilizing Apache Tomcat. The absence of specific CVEs in the advisory makes targeted patching difficult, emphasizing the importance of proactive monitoring for suspicious activity.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies an exploitable vulnerability in Apache Tomcat (e.g., via public disclosure or vulnerability scanning).</li>
<li>The attacker crafts a malicious request targeting the identified vulnerability. This request could exploit flaws in data handling, authentication mechanisms, or other server-side processes.</li>
<li>The attacker sends the malicious request to the Apache Tomcat server. This could be done over HTTP/HTTPS.</li>
<li>The Apache Tomcat server processes the malicious request, triggering the vulnerability.</li>
<li>Due to the vulnerability, the attacker achieves arbitrary code execution on the server. This may involve injecting malicious code into server processes or exploiting insecure deserialization.</li>
<li>The attacker uses the gained code execution to install a web shell or other persistent backdoor for continued access.</li>
<li>The attacker leverages the compromised server to manipulate data, potentially altering database records, configuration files, or other sensitive information.</li>
<li>The attacker may also trigger a denial-of-service condition by exhausting server resources or crashing critical processes, disrupting service availability for legitimate users.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these vulnerabilities can lead to a complete compromise of the Apache Tomcat server. This includes the ability to execute arbitrary code, potentially leading to the installation of malware or remote access tools. Data manipulation can result in data breaches, financial loss, and reputational damage. A denial-of-service condition can disrupt critical business operations and impact customer service. The lack of specific victim information or industry targeting in the advisory suggests a widespread risk to any organization using Apache Tomcat.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement a Web Application Firewall (WAF) rule to detect and block common Apache Tomcat exploit attempts based on suspicious HTTP request patterns (see rule &ldquo;Detect Suspicious Tomcat Request&rdquo;).</li>
<li>Monitor Apache Tomcat access logs for unusual request patterns or error codes indicative of exploit attempts, using the &ldquo;Tomcat Access Log Anomalies&rdquo; rule.</li>
<li>Regularly review and update Apache Tomcat configurations to follow security best practices, including restricting access to sensitive resources and disabling unnecessary features.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>apache-tomcat</category><category>vulnerability</category><category>remote-code-execution</category><category>data-manipulation</category><category>denial-of-service</category></item><item><title>Census CSWeb 8.0.1 Arbitrary File Upload Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-03-census-csweb-file-upload/</link><pubDate>Tue, 24 Mar 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-census-csweb-file-upload/</guid><description>A remote, authenticated attacker can exploit an arbitrary file upload vulnerability in Census CSWeb 8.0.1 (CVE-2025-60947) to upload malicious files, potentially leading to remote code execution.</description><content:encoded>&lt;p>Census CSWeb 8.0.1 is vulnerable to an arbitrary file upload vulnerability (CVE-2025-60947). An authenticated attacker can leverage this vulnerability to upload malicious files to the server. Successful exploitation could allow the attacker to achieve remote code execution on the targeted system. The vulnerability was patched in version 8.1.0 alpha. This poses a significant risk to organizations using the affected CSWeb version, potentially leading to data breaches, system compromise, and…&lt;/p>
</content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>file-upload</category><category>remote-code-execution</category><category>web-application</category></item><item><title>Tenda A15 Router Stack-Based Buffer Overflow (CVE-2026-4567)</title><link>https://feed.craftedsignal.io/briefs/2026-03-tenda-a15-bo/</link><pubDate>Mon, 23 Mar 2026 03:16:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-tenda-a15-bo/</guid><description>A stack-based buffer overflow vulnerability (CVE-2026-4567) exists in the UploadCfg function of the /cgi-bin/UploadCfg file in Tenda A15 firmware version 15.13.07.13, allowing remote attackers to execute arbitrary code by manipulating the File argument.</description><content:encoded><![CDATA[<p>A critical stack-based buffer overflow vulnerability, identified as CVE-2026-4567, has been discovered in Tenda A15 wireless routers running firmware version 15.13.07.13. The vulnerability resides in the <code>UploadCfg</code> function within the <code>/cgi-bin/UploadCfg</code> file, which handles file uploads.  A remote attacker can exploit this flaw by crafting a malicious request to the router, specifically targeting the <code>File</code> argument, to overwrite the stack buffer and potentially gain arbitrary code execution…</p>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve-2026-4567</category><category>stack-based buffer overflow</category><category>tenda</category><category>router</category><category>remote code execution</category></item><item><title>GStreamer Multiple Vulnerabilities Allow for Remote Code Execution and Denial of Service</title><link>https://feed.craftedsignal.io/briefs/2024-05-gstreamer-multiple-vulnerabilities/</link><pubDate>Fri, 03 May 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-05-gstreamer-multiple-vulnerabilities/</guid><description>Multiple vulnerabilities in GStreamer allow a remote, anonymous attacker to cause a denial-of-service condition or execute arbitrary code.</description><content:encoded><![CDATA[<p>GStreamer is a widely used open-source multimedia framework. A recent advisory highlights the existence of multiple vulnerabilities within GStreamer that could be exploited by a remote, anonymous attacker. Successful exploitation of these vulnerabilities could lead to a denial-of-service (DoS) condition, rendering the affected system or application unavailable, or, more critically, the execution of arbitrary code, potentially granting the attacker full control over the compromised system. While the specific CVEs and technical details of the vulnerabilities remain undisclosed in this brief, the potential impact necessitates immediate attention from security teams to implement proactive detection and mitigation measures. The lack of specificity regarding the attack vector and affected versions emphasizes the need for broad defensive strategies targeting common exploitation techniques.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable GStreamer instance or application.</li>
<li>The attacker crafts a malicious media file or network stream specifically designed to trigger a vulnerability within GStreamer.</li>
<li>The attacker delivers the crafted media content to the vulnerable GStreamer instance, either through a file upload, network stream, or other input method.</li>
<li>GStreamer processes the malicious media content, triggering the targeted vulnerability.</li>
<li>If the vulnerability leads to arbitrary code execution, the attacker injects and executes malicious code within the context of the GStreamer process.</li>
<li>The attacker establishes a persistent foothold on the compromised system.</li>
<li>The attacker escalates privileges to gain administrative access.</li>
<li>The attacker performs malicious activities such as data exfiltration, system disruption, or further lateral movement within the network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these GStreamer vulnerabilities could have severe consequences, ranging from service disruption due to denial-of-service attacks to complete system compromise through arbitrary code execution. The lack of specific victimology makes it difficult to quantify the precise impact, but given GStreamer&rsquo;s widespread use in media players, streaming applications, and other multimedia software, a large number of systems are potentially at risk. A successful attack could lead to data breaches, financial losses, and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement generic detections for exploitation attempts targeting media processing applications using process creation monitoring and network connection analysis. Deploy the &ldquo;Detect Suspicious Process Creation by GStreamer&rdquo; Sigma rule to identify potentially malicious child processes spawned by GStreamer.</li>
<li>Monitor network traffic for suspicious patterns associated with exploitation attempts, such as unusual data transfers or connections to known malicious IP addresses. Deploy the &ldquo;Detect Outbound Connection from GStreamer to External IP&rdquo; Sigma rule.</li>
<li>Analyze GStreamer application logs for error messages or unexpected behavior that may indicate exploitation attempts.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>gstreamer</category><category>vulnerability</category><category>denial-of-service</category><category>remote-code-execution</category></item><item><title>ConnectWise ScreenConnect Path Traversal Vulnerability (CVE-2024-1708)</title><link>https://feed.craftedsignal.io/briefs/2024-04-29-screenconnect-path-traversal/</link><pubDate>Mon, 29 Apr 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-04-29-screenconnect-path-traversal/</guid><description>CVE-2024-1708 is a path traversal vulnerability in ConnectWise ScreenConnect that could allow an attacker to execute remote code or directly impact confidential data and critical systems.</description><content:encoded><![CDATA[<p>CVE-2024-1708 is a critical path traversal vulnerability affecting ConnectWise ScreenConnect. This flaw could allow an unauthenticated attacker to execute remote code or directly access confidential data and critical systems. ConnectWise released security bulletin 23.9.8 to address this vulnerability. Given the potential for remote code execution and data compromise, this vulnerability poses a significant risk to organizations using ConnectWise ScreenConnect, potentially allowing full system takeover. CISA added this to their KEV catalog and recommends applying mitigations per vendor instructions, following BOD 22-01 guidance for cloud services, or discontinuing use of the product if mitigations are unavailable.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a ConnectWise ScreenConnect server exposed to the internet.</li>
<li>The attacker obtains a session on the web application, either with valid credentials or, as seen in the wild, by first exploiting the companion authentication bypass (CVE-2024-1709). The path traversal on its own does not defeat authentication.</li>
<li>The attacker sends a request in which a file-path parameter contains traversal sequences (<code>../</code>, <code>..\</code>, or their URL-encoded forms). ScreenConnect does not normalize or validate the path, so the file operation lands outside the intended directory.</li>
<li>Reading: the attacker retrieves sensitive configuration files, which may contain credentials or other secrets.</li>
<li>Writing: the attacker drops a web shell (e.g., an ASPX page) into a directory from which the web server executes content.</li>
<li>Requesting the web shell gives the attacker remote code execution on the ScreenConnect server with the privileges of the ScreenConnect service.</li>
<li>The attacker uses the compromised ScreenConnect server as a pivot point to move laterally within the internal network, escalating privileges and compromising additional systems.</li>
<li>The attacker exfiltrates sensitive data or deploys ransomware, disrupting business operations and causing significant financial damage.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2024-1708 can lead to complete compromise of ConnectWise ScreenConnect servers and potentially the entire network. Attackers could exfiltrate sensitive data, deploy ransomware, or use the compromised systems for lateral movement. Given the widespread use of ScreenConnect in MSP environments, a successful attack could impact numerous downstream clients, causing widespread disruption.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade on-premises ScreenConnect servers to 23.9.8 or later, as directed in the ConnectWise security bulletin for CVE-2024-1708; prioritize internet-facing instances.</li>
<li>Deploy the Sigma rule &ldquo;Detect Suspicious ScreenConnect Path Traversal Attempts&rdquo; against web server logs, and make sure the matching covers URL-encoded and double-encoded traversal sequences as well as literal <code>../</code> and <code>..\</code>.</li>
<li>Monitor for suspicious outbound connections from ScreenConnect servers and for new or modified files under the application&rsquo;s web directories; both can indicate post-exploitation activity.</li>
<li>Harden ScreenConnect deployments: do not expose the administrative web interface directly to the internet, restrict management access by IP allowlist or VPN, and run the service with the least privilege it needs.</li>
</ul>
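<p>The following detector is an added example written for this brief; it is not ConnectWise code and not the Sigma rule above. It shows the normalization a log-based traversal detection needs: percent-decoding repeatedly (so <code>%252e%252e%255c</code> is judged like <code>..\</code>), unifying separators, and collapsing the path with <code>posixpath.normpath</code> so that only values which actually climb above their starting directory are flagged. The log lines, hosts, paths and parameter names are constructed for the example and are not real ScreenConnect endpoints.</p>

```python
"""Flag path-traversal attempts in web-server access logs (added example, not part of the advisory)."""
import posixpath
import re
from urllib.parse import unquote

# Constructed sample lines in a simplified combined-log format. Hosts, paths and
# parameters are hypothetical and are NOT real ScreenConnect endpoints.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Apr/2024:10:01:02 +0000] "GET /Host HTTP/1.1" 200 5120
203.0.113.7 - - [29/Apr/2024:10:01:05 +0000] "GET /Files?path=../../App_Data/config.xml HTTP/1.1" 200 8211
198.51.100.9 - - [29/Apr/2024:10:02:11 +0000] "POST /Upload?dest=%2e%2e%2f%2e%2e%2fwwwroot%2fshell.aspx HTTP/1.1" 201 0
198.51.100.9 - - [29/Apr/2024:10:02:40 +0000] "GET /Files?path=%252e%252e%255cweb.config HTTP/1.1" 200 1300
192.0.2.4 - - [29/Apr/2024:10:03:00 +0000] "GET /Administration?tab=a..b HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def normalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (catches %252e double encoding) and unify separators."""
    current = value
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def escapes_root(value: str) -> bool:
    """True when the decoded value climbs above its starting directory."""
    collapsed = posixpath.normpath(normalize(value).lstrip("/"))
    return collapsed == ".." or collapsed.startswith("../")


def is_traversal(target: str) -> bool:
    """Check the request path and every query-string value."""
    path, _, query = target.partition("?")
    values = [path] + [pair.partition("=")[2] for pair in query.split("&") if pair]
    return any(escapes_root(v) for v in values if v)


def scan_log(text: str) -> list:
    """Return one record per request that looks like a traversal attempt."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match and is_traversal(match["target"]):
            hits.append({"ip": match["ip"], "target": match["target"], "status": int(match["status"])})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['status']} {hit['target']}")
```

<p>The status code is kept in each hit on purpose: a traversal attempt answered with 200 or 201 deserves a higher-priority alert than one the server rejected, and a write request (POST/PUT) followed by a GET to a new path from the same source is the pattern to look for when hunting for a dropped web shell.</p>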
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>path-traversal</category><category>remote-code-execution</category><category>cve-2024-1708</category><category>connectwise</category></item><item><title>Xerte Online Toolkits Path Traversal Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-xerte-path-traversal/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-xerte-path-traversal/</guid><description>Xerte Online Toolkits 3.15 and earlier are vulnerable to relative path traversal, allowing attackers to move files and potentially achieve remote code execution.</description><content:encoded><![CDATA[<p>Xerte Online Toolkits, a tool used to create online learning materials, is vulnerable to a path traversal vulnerability (CVE-2026-34414) in versions 3.15 and earlier. The vulnerability exists in the elFinder connector endpoint at <code>/editor/elfinder/php/connector.php</code>. The <code>name</code> parameter within rename commands is not properly sanitized, allowing attackers to use directory traversal sequences (e.g., <code>../</code>) to manipulate file locations. This flaw can be exploited to overwrite application files, inject stored cross-site scripting (XSS), or, when combined with other vulnerabilities, achieve unauthenticated remote code execution (RCE). This poses a significant threat to organizations utilizing affected versions of Xerte Online Toolkits, potentially leading to data breaches, system compromise, and reputational damage.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a Xerte Online Toolkits instance running version 3.15 or earlier.</li>
<li>The attacker sends an HTTP request to <code>/editor/elfinder/php/connector.php</code> carrying the elFinder rename command, which takes the hash of an existing file and a new <code>name</code>.</li>
<li>Instead of a bare file name, the <code>name</code> parameter holds a relative path with directory traversal sequences (e.g., <code>../../shell.php</code>), so the rename becomes a move to an attacker-chosen location.</li>
<li>The server does not validate the <code>name</code> parameter and performs the rename as requested.</li>
<li>A file the attacker previously placed in the project media directory (e.g., as an uploaded image or media file) is moved to the destination encoded in <code>name</code>, such as the application root.</li>
<li>If that file contains PHP and lands where the web server executes PHP, the attacker requests it over HTTP.</li>
<li>The PHP code runs with the privileges of the web server process, giving the attacker arbitrary code execution.</li>
<li>The attacker gains complete control of the Xerte Online Toolkits instance and potentially the underlying server.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability can lead to several critical consequences. Attackers can overwrite sensitive application files, leading to denial of service or system instability. The injection of malicious JavaScript code can result in stored cross-site scripting (XSS) attacks, compromising user accounts and data. The most severe outcome is unauthenticated remote code execution (RCE), enabling attackers to gain complete control over the affected server, potentially leading to data breaches, malware deployment, and further lateral movement within the network. The CVSS v3.1 base score for this vulnerability is 7.1, indicating a high level of risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Xerte Online Toolkits to a version later than 3.15 that patches CVE-2026-34414.</li>
<li>Deploy the Sigma rule <code>Detect Suspicious Path Traversal in Xerte Connector</code> to identify attempted exploitation by monitoring requests to <code>/editor/elfinder/php/connector.php</code> whose parameters contain directory traversal sequences, including URL-encoded forms.</li>
<li>Validate the <code>name</code> parameter in the elFinder connector: accept only a bare file name (no <code>/</code>, <code>\</code>, or <code>..</code> components, also after URL decoding) and resolve the destination to confirm it stays inside the project&rsquo;s media directory.</li>
<li>Configure the web server not to execute PHP from upload and project media directories, and make the application root and its existing files read-only to the web server account, so that a moved file cannot land anywhere it would execute.</li>
</ul>
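<p>The check recommended above, as an added example. The Xerte connector is PHP; this is a Python illustration of the same logic and is not the project&rsquo;s code. It treats the rename target as a bare file name (rejecting separators, dot-only names and traversal sequences, also after one round of percent-decoding), applies a hypothetical media-extension allowlist so a rename cannot turn an uploaded image into <code>shell.php</code> or <code>shell.php.png</code>, and then resolves the destination against the media root as a second, symlink-aware containment check. The media root path and extension lists are assumptions for the example.</p>

```python
"""Validate a user-supplied name for a rename/move and pin the result inside the media root
(added example in Python; the Xerte connector itself is PHP)."""
import os
from urllib.parse import unquote

# Hypothetical policy: only media-type extensions may exist in a project media directory.
MEDIA_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "svg", "mp3", "mp4", "webm", "pdf", "txt"}
# Extensions a misconfigured web server may execute even mid-name (shell.php.png under Apache
# multi-extension handling), so they are refused anywhere in the name.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "cgi", "pl", "py"}


class UnsafeNameError(ValueError):
    """Raised when a name would move a file out of its directory or make it executable."""


def validate_name(name: str) -> str:
    """Return the name if it is a bare, non-executable media file name; raise otherwise."""
    if not name or len(name) > 255:
        raise UnsafeNameError("empty or overlong name")
    decoded = unquote(name)  # judge %2e%2e%2f the same as ../ (assumes a later decode step may exist)
    if any(ord(ch) < 0x20 for ch in decoded):
        raise UnsafeNameError("control character in name")
    if "/" in decoded or "\\" in decoded:
        raise UnsafeNameError("path separator in name")
    if decoded.strip(".") == "":
        raise UnsafeNameError("dot-only name")
    parts = decoded.lower().split(".")
    if len(parts) < 2 or parts[-1] not in MEDIA_EXTENSIONS:
        raise UnsafeNameError("extension not allowed for media")
    if any(part in EXECUTABLE_EXTENSIONS for part in parts[1:]):
        raise UnsafeNameError("executable extension embedded in name")
    return decoded


def safe_target(media_root: str, name: str) -> str:
    """Destination path for the rename, guaranteed to stay inside media_root."""
    root = os.path.realpath(media_root)
    dest = os.path.realpath(os.path.join(root, validate_name(name)))
    # Defence in depth: realpath follows symlinks, so re-check containment after resolution.
    if os.path.commonpath([root, dest]) != root:
        raise UnsafeNameError("destination escapes media root")
    return dest


def rename_is_allowed(media_root: str, name: str) -> bool:
    """Convenience wrapper returning a verdict instead of raising."""
    try:
        safe_target(media_root, name)
        return True
    except UnsafeNameError:
        return False


if __name__ == "__main__":
    root = "/srv/xerte/USER-FILES/1-demo/media"  # hypothetical project media directory
    for candidate in ["lesson.png", "../../../index.php", "%2e%2e%2fshell.php", "shell.php.png", ".."]:
        verdict = "allowed" if rename_is_allowed(root, candidate) else "rejected"
        print(f"{candidate!r:24} -> {verdict}")
```

<p>The two checks are deliberately redundant: <code>validate_name</code> is the input-validation fix the recommendation calls for, and the <code>commonpath</code> test in <code>safe_target</code> is what still holds if a future code path builds the destination differently or a symlink sits inside the media directory.</p>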
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>path-traversal</category><category>remote-code-execution</category><category>xss</category></item><item><title>Pipecat Remote Code Execution via Pickle Deserialization in LivekitFrameSerializer</title><link>https://feed.craftedsignal.io/briefs/2024-01-pipecat-rce/</link><pubDate>Tue, 02 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-pipecat-rce/</guid><description>A critical vulnerability, CVE-2025-62373, exists in Pipecat's LivekitFrameSerializer where the deserialize() method uses Python's pickle.loads() on WebSocket data without validation, allowing a malicious WebSocket client to execute arbitrary code on the Pipecat server if LivekitFrameSerializer is explicitly enabled.</description><content:encoded><![CDATA[<p>A critical vulnerability (CVE-2025-62373) exists in Pipecat&rsquo;s <code>LivekitFrameSerializer</code>, an optional, non-default, and now deprecated frame serializer class intended for LiveKit integration. The <code>deserialize()</code> method in <code>src/pipecat/serializers/livekit.py</code> uses Python&rsquo;s <code>pickle.loads()</code> on data received from WebSocket clients without validation or sanitization. This allows a malicious WebSocket client to send a crafted pickle payload to execute arbitrary code on the Pipecat server. While <code>LivekitFrameSerializer</code> is not enabled by default and was deprecated in version 0.0.90 in favor of the safer <code>LiveKitTransport</code> method, it remains in the codebase and could be inadvertently used, posing a severe risk if a Pipecat server is configured to use it and is listening on an external interface.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a Pipecat server with an exposed WebSocket endpoint (e.g., listening on 0.0.0.0:8765) using the vulnerable <code>LivekitFrameSerializer</code>.</li>
<li>Attacker crafts a malicious Python pickle payload. This payload contains instructions to execute arbitrary code on the server, using techniques like defining a class with a <code>__reduce__</code> method that calls <code>os.system()</code>.</li>
<li>Attacker establishes a WebSocket connection to the Pipecat server.</li>
<li>Attacker sends the crafted pickle payload as a WebSocket message to the server.</li>
<li>The Pipecat server receives the message and passes the data to the <code>LivekitFrameSerializer.deserialize()</code> method.</li>
<li>The <code>deserialize()</code> method calls <code>pickle.loads()</code> on the attacker-controlled data without proper validation.</li>
<li><code>pickle.loads()</code> deserializes the malicious pickle object, triggering the execution of the attacker&rsquo;s code on the server with the privileges of the Pipecat process.</li>
<li>Attacker achieves remote code execution, potentially leading to full compromise of the server, including data exfiltration, malware installation, or pivoting to other systems.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability, CVE-2025-62373, allows an attacker to achieve remote code execution on the Pipecat server. If an application uses <code>LivekitFrameSerializer</code> and exposes the Pipecat WebSocket server to untrusted networks, an attacker can completely compromise the server. This could lead to the execution of operating system commands, data modification, malware installation, or pivoting to other systems. The vulnerability is critical because any code execution flaw in a real-time communications server context poses a high risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Stop using <code>LivekitFrameSerializer</code>; its <code>deserialize()</code> calls <code>pickle.loads()</code> on untrusted input, which cannot be made safe by patching around it. Migrate to the recommended <code>LiveKitTransport</code> or another supported Pipecat transport.</li>
<li>Update Pipecat to 0.0.94 or later. Note that the update only adds a deprecation warning; the class remains in the codebase and still uses pickle, so updating without migrating does not remove the exposure.</li>
<li>If you need a custom binary frame format, build it on a data-only serialization such as JSON, Protocol Buffers, or MessagePack with explicit schema validation; none of these can instantiate arbitrary Python objects the way pickle does.</li>
<li>Bind the Pipecat WebSocket service to localhost (127.0.0.1) whenever possible, rather than <code>0.0.0.0</code>, so it is not reachable from external networks.</li>
<li>Authenticate and authorize WebSocket clients before accepting any frames, so only trusted peers can send data to the server.</li>
</ul>
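<p>The attack chain and the recommendations above, carried through in code as an added example; none of this is Pipecat&rsquo;s code. The attacker side is a class whose <code>__reduce__</code> tells pickle to call <code>builtins.eval</code> on load, with a harmless expression standing in for the <code>os.system()</code> call a real payload would use. The vulnerable side is the bare <code>pickle.loads()</code> pattern the advisory describes, and the hardened side shows the two workable replacements: an <code>Unpickler</code> subclass whose <code>find_class</code> refuses every global (so data-only pickles still load but reduce hooks cannot resolve a callable), and a JSON frame parser with a hypothetical schema that checks the frame type and field types before use. The frame schema and field names are assumptions for the example.</p>

```python
"""pickle.loads on attacker-controlled bytes versus two safe alternatives
(added example, not Pipecat's code)."""
import io
import json
import pickle


class PayloadFrame:
    """Attacker-side object. Pickling it records a call to builtins.eval, which
    pickle.loads will perform on the victim. A harmless expression stands in for
    the os.system() call a real payload would use."""

    def __reduce__(self):
        return (eval, ("2 ** 10",))


def build_payload() -> bytes:
    """Bytes a malicious WebSocket client would send as a 'frame'."""
    return pickle.dumps(PayloadFrame())


def benign_frame() -> bytes:
    """A data-only pickle (dicts, lists, strings) with no global references."""
    return pickle.dumps({"type": "text", "text": "hello"})


def vulnerable_deserialize(data: bytes):
    """Shape of the flawed deserialize(): the payload's eval runs before this returns."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global lookup. Plain containers and scalars never need one, so
    data-only pickles still load while __reduce__ payloads die in find_class.
    Add trusted (module, name) pairs to ALLOWED_GLOBALS only if a frame truly needs them."""

    ALLOWED_GLOBALS = set()

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_deserialize(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


# Hypothetical data-only frame schema; JSON cannot instantiate Python objects at all.
FRAME_SCHEMA = {
    "text": {"text": str},
    "audio": {"sample_rate": int, "pcm_b64": str},
}


def json_deserialize(raw: bytes) -> dict:
    """Parse a JSON frame and enforce the frame type and field types before use."""
    obj = json.loads(raw.decode("utf-8"))
    if not isinstance(obj, dict) or obj.get("type") not in FRAME_SCHEMA:
        raise ValueError("unknown frame type")
    for field, expected in FRAME_SCHEMA[obj["type"]].items():
        value = obj.get(field)
        if isinstance(value, bool) or not isinstance(value, expected):  # bool is an int subclass
            raise ValueError(f"bad field {field}")
    return obj


def is_rejected(deserializer, data: bytes) -> bool:
    """True when the deserializer refuses the input instead of returning a value."""
    try:
        deserializer(data)
        return False
    except (pickle.UnpicklingError, ValueError, UnicodeDecodeError):
        return True


if __name__ == "__main__":
    payload = build_payload()
    print("pickle.loads returned:", vulnerable_deserialize(payload))  # 1024: eval ran on load
    print("restricted rejects payload:", is_rejected(restricted_deserialize, payload))
    print("restricted loads data-only:", restricted_deserialize(benign_frame()))
    print("json rejects unknown type:", is_rejected(json_deserialize, b'{"type": "exec", "cmd": "id"}'))
```

<p>The restricted unpickler is the smallest change that neutralizes this class of payload, but it is a stop-gap: pickle opcodes can still consume memory or time, and any global you later allow is a potential gadget. The JSON (or Protocol Buffers/MessagePack) path is the one to migrate to, which is why the schema check is part of the example rather than an afterthought.</p>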
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>remote code execution</category><category>deserialization</category><category>pipecat</category></item></channel></rss>