{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/server/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Devolutions Server"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","vulnerability","server"],"_cs_type":"advisory","_cs_vendors":["Devolutions"],"content_html":"\u003cp\u003eA significant vulnerability has been identified in Devolutions Server, an enterprise solution for managing privileged access and credentials. This flaw, rated as high severity by BSI (German Federal Office for Information Security), allows a remote, authenticated attacker to bypass multi-factor authentication (MFA) protections. The advisory, published on July 7, 2026, highlights that while an attacker must first gain initial authentication credentials, the successful exploitation of this vulnerability negates the added security layer provided by MFA. This is critical for defenders as MFA is a fundamental control against credential theft and provides a strong defense against unauthorized access to sensitive systems and data managed by Devolutions Server. Without specific details on the nature of the bypass, organizations are urged to apply vendor-provided patches immediately.\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of this MFA bypass vulnerability could have severe consequences for organizations utilizing Devolutions Server. An attacker who has already obtained legitimate user credentials (e.g., through phishing or credential stuffing) could then gain full access to the privileged access management system, bypassing the crucial second factor of authentication. This level of access would allow the attacker to retrieve sensitive credentials, access management tools, and potentially control critical infrastructure. The primary impact is unauthorized access, which can lead to data exfiltration, system compromise, or further lateral movement within the victim's network. The advisory does not specify observed victims or targeted sectors but emphasizes the high risk posed by this type of security bypass.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePrioritize and immediately apply all available security updates from Devolutions for Devolutions Server to remediate the MFA bypass vulnerability.\u003c/li\u003e\n\u003cli\u003eReview access logs for Devolutions Server for any suspicious authentication attempts that successfully bypass MFA or originate from unusual locations/IPs.\u003c/li\u003e\n\u003cli\u003eImplement strict password policies and ensure robust initial authentication mechanisms to prevent initial credential compromise, as this vulnerability requires an already authenticated attacker.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-07T11:08:46Z","date_published":"2026-07-07T11:08:46Z","id":"https://feed.craftedsignal.io/briefs/2026-07-devolutions-server-mfa-bypass/","summary":"A remote, authenticated attacker can exploit a vulnerability in Devolutions Server to bypass its multi-factor authentication (MFA) security measures, potentially leading to unauthorized access to sensitive data and systems.","title":"Devolutions Server: Vulnerability Allows Multi-Factor Authentication Bypass","url":"https://feed.craftedsignal.io/briefs/2026-07-devolutions-server-mfa-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SurrealDB (\u003c 3.1.0)"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","vulnerability","websocket","server"],"_cs_type":"advisory","_cs_vendors":["SurrealDB"],"content_html":"\u003cp\u003eA high-severity Denial of Service vulnerability (GHSA-q729-696q-g9pq) has been identified in SurrealDB, affecting versions prior to 3.1.0. An unauthenticated remote attacker can exploit this flaw by sending a specially crafted, deeply nested JSON payload to the server's WebSocket \u003ccode\u003e/rpc\u003c/code\u003e endpoint. The vulnerability lies in the value and JSON parser, which inconsistently failed to enforce configured recursion depth limits for nested objects, arrays, or parentheses. This oversight allows the malicious payload to exhaust server memory during parsing, leading to the immediate crash of the SurrealDB process. This issue is a partial fix for a previous vulnerability (GHSA-6r8p-hpg7-825g) that addressed a similar problem in the expression parser but overlooked the value/JSON parser code path. The immediate impact is service unavailability for affected SurrealDB instances, requiring manual restart.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance\u003c/strong\u003e: An attacker identifies a publicly exposed SurrealDB instance, potentially through port scanning or misconfiguration.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Identification\u003c/strong\u003e: The attacker identifies the accessible WebSocket \u003ccode\u003e/rpc\u003c/code\u003e endpoint, which is vulnerable to unauthenticated input.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Crafting\u003c/strong\u003e: The attacker crafts a malicious JSON payload characterized by extremely deep nesting of objects (\u003ccode\u003e{}\u003c/code\u003e), arrays (\u003ccode\u003e[]\u003c/code\u003e), or parentheses (\u003ccode\u003e()\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eConnection Establishment\u003c/strong\u003e: The attacker establishes a WebSocket connection to the identified \u003ccode\u003e/rpc\u003c/code\u003e endpoint on the vulnerable SurrealDB server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Request\u003c/strong\u003e: The crafted, deeply nested JSON payload is sent by the attacker over the established WebSocket connection to the SurrealDB server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerable Parsing\u003c/strong\u003e: The SurrealDB server's value and JSON parser attempts to process the incoming payload but fails to enforce its configured recursion depth limits due to the identified vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eResource Exhaustion\u003c/strong\u003e: The uncontrolled recursive parsing of the deeply nested JSON payload rapidly consumes and exhausts the server's available memory resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDenial of Service\u003c/strong\u003e: The SurrealDB process crashes as a result of the memory exhaustion, rendering the database service completely unavailable to legitimate users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe primary impact of this vulnerability is a complete Denial of Service for affected SurrealDB instances. An unauthenticated remote attacker can trigger a server crash with a single malicious WebSocket message, requiring no prior credentials or query execution privileges. This vulnerability can lead to significant downtime for any applications or services relying on the SurrealDB instance, causing operational disruption and potential data inconsistencies if the server crashes unexpectedly during write operations. There are no known workarounds other than restricting network access or patching.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-GHSA-q729-696q-g9pq immediately\u003c/strong\u003e: Upgrade all SurrealDB instances to version 3.1.0 or later to apply the fix for this vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRestrict Network Access\u003c/strong\u003e: Implement network access controls (firewalls, security groups) to restrict access to the WebSocket \u003ccode\u003e/rpc\u003c/code\u003e endpoint to only trusted clients or internal networks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T12:29:44Z","date_published":"2026-07-03T12:29:44Z","id":"https://feed.craftedsignal.io/briefs/2026-07-surrealdb-dos/","summary":"An unauthenticated remote attacker can exploit a Denial of Service vulnerability (GHSA-q729-696q-g9pq) in SurrealDB's value and JSON parser, which failed to enforce recursion depth limits when processing deeply nested JSON payloads sent to the WebSocket /rpc endpoint, leading to server memory exhaustion and process crashes.","title":"SurrealDB Denial of Service Vulnerability via JSON Parser (GHSA-q729-696q-g9pq)","url":"https://feed.craftedsignal.io/briefs/2026-07-surrealdb-dos/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenClaw (\u003c 2026.5.18)","npm/openclaw (\u003c 2026.5.18)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","proxy","privilege-escalation","defense-evasion","npm","server"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eA significant security vulnerability, tracked as GHSA-rggc-m335-3wvj, has been identified in OpenClaw's trusted-proxy deployments, specifically impacting versions prior to \u003ccode\u003e2026.5.18\u003c/code\u003e. This flaw allows a local attacker, operating from the same host where an OpenClaw Gateway instance is running, to forge identity headers. By directly communicating with the proxy-facing Gateway port and presenting these falsified headers, the attacker can effectively bypass the security mechanisms designed for trusted proxies. If the affected feature is active and accessible, this enables the local caller to assume an operator's identity, potentially leading to unauthorized access, configuration changes, or privilege escalation within the OpenClaw environment. This vulnerability is critical for organizations deploying OpenClaw in shared-host or multi-tenant environments where local access by lower-trust processes is possible.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: An attacker gains local access to a system hosting an OpenClaw Gateway instance configured for trusted-proxy deployments. This could be via another compromised application or a low-privilege user account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery\u003c/strong\u003e: The attacker probes the local system to identify the specific network port on which the OpenClaw Gateway's proxy-facing service is listening.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDirect Connection\u003c/strong\u003e: The attacker establishes a direct network connection from their local process to the discovered OpenClaw Gateway port, bypassing the legitimate trusted proxy infrastructure.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eHeader Forgery\u003c/strong\u003e: The attacker crafts and sends HTTP requests containing forged identity headers, mimicking those that would normally be generated and supplied by a trusted upstream proxy.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerable Processing\u003c/strong\u003e: The affected OpenClaw Gateway instance (versions \u003ccode\u003e\u0026lt; 2026.5.18\u003c/code\u003e) accepts and processes these forged identity headers from the direct local connection without proper validation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIdentity Assumption\u003c/strong\u003e: The Gateway attributes the operator identity specified in the forged headers to the local attacker's process.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation / Unauthorized Actions\u003c/strong\u003e: The attacker, now operating with the assumed operator identity, performs unauthorized actions such as modifying configurations, accessing sensitive data, or escalating privileges within the OpenClaw system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of this vulnerability can lead to significant security breaches. If an attacker can successfully forge identity headers, they can impersonate an authorized operator within the OpenClaw environment. The practical impact is highly dependent on the privileges associated with the impersonated operator and the specific configurations of the OpenClaw Gateway. This could result in unauthorized configuration changes, data manipulation or exfiltration, or complete administrative control over the OpenClaw instance. Organizations with shared hosting environments or those running multiple applications on the same server as OpenClaw are particularly at risk, as any compromised local process could leverage this flaw.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch Immediately\u003c/strong\u003e: Upgrade all OpenClaw Gateway instances to version \u003ccode\u003e2026.5.18\u003c/code\u003e or newer to remediate the vulnerability described in GHSA-rggc-m335-3wvj.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eNetwork Segmentation\u003c/strong\u003e: Implement network controls to bind the trusted-proxy ingress behind the actual trusted proxy and firewall direct same-host access to the Gateway port, as mentioned in the GHSA-rggc-m335-3wvj mitigations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFeature Disablement\u003c/strong\u003e: Disable the affected trusted-proxy feature if it is not explicitly required for your operational workflow to reduce the attack surface.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccess Control\u003c/strong\u003e: Ensure that lower-trust applications or users on the same host cannot reach the OpenClaw Gateway's proxy-facing port, following the hardening advice from GHSA-rggc-m335-3wvj.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T12:17:46Z","date_published":"2026-07-03T12:17:46Z","id":"https://feed.craftedsignal.io/briefs/2026-07-openclaw-forged-headers/","summary":"A vulnerability (GHSA-rggc-m335-3wvj) in OpenClaw's trusted-proxy deployments allows a local attacker on the same host to forge identity headers, bypassing intended security controls and potentially leading to unauthorized access or privilege escalation if the affected feature is enabled and reachable.","title":"OpenClaw Vulnerability Allows Local Forged Identity Headers","url":"https://feed.craftedsignal.io/briefs/2026-07-openclaw-forged-headers/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PowerProtect Data Domain"],"_cs_severities":["high"],"_cs_tags":["vulnerability","server","dell","data-protection"],"_cs_type":"threat","_cs_vendors":["Dell"],"content_html":"\u003cp\u003eThe German Federal Office for Information Security (BSI) has issued an advisory (WID-SEC-2026-2189) highlighting multiple critical vulnerabilities within Dell PowerProtect Data Domain. These vulnerabilities collectively pose a significant risk, allowing an attacker to achieve a wide range of malicious outcomes. While the advisory does not specify observed in-the-wild exploitation, it warns that successful exploitation could lead to privilege escalation, arbitrary code execution, bypassing security measures, Denial of Service (DoS) attacks, Cross-Site Scripting (XSS), and unauthorized information disclosure or file manipulation. Organizations utilizing Dell PowerProtect Data Domain systems are urged to address these vulnerabilities promptly, as they represent a substantial attack surface for adversaries seeking to compromise data backup and recovery infrastructure.\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities in Dell PowerProtect Data Domain could lead to severe consequences for affected organizations. Attackers could gain elevated privileges, execute arbitrary code on the affected systems, and bypass existing security controls, potentially leading to full compromise of the data protection environment. The vulnerabilities also open avenues for Denial of Service attacks, rendering critical backup and recovery services unavailable, and Cross-Site Scripting attacks that could compromise administrative sessions. Furthermore, sensitive information could be disclosed, and critical files manipulated, undermining data integrity and confidentiality. While no specific victim count or targeted sectors were detailed in the advisory, any organization using Dell PowerProtect Data Domain is at risk of these potential impacts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePrioritize and immediately apply all available security patches and updates for Dell PowerProtect Data Domain from Dell Technologies.\u003c/li\u003e\n\u003cli\u003eRegularly review security advisories from Dell and CERT-Bund (BSI) for new vulnerabilities affecting Dell PowerProtect Data Domain.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T10:55:50Z","date_published":"2026-07-03T10:55:50Z","id":"https://feed.craftedsignal.io/briefs/2026-07-dell-powerprotect-vulnerabilities/","summary":"Multiple vulnerabilities in Dell PowerProtect Data Domain could allow an attacker to elevate privileges, execute arbitrary code, bypass security controls, perform a Denial of Service attack, conduct Cross-Site Scripting, disclose information, and manipulate files.","title":"Dell PowerProtect Data Domain: Multiple Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2026-07-dell-powerprotect-vulnerabilities/"}],"language":"en","title":"CraftedSignal Threat Feed - Server","version":"https://jsonfeed.org/version/1.1"}