<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Server - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/server/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 07 Jul 2026 11:08:46 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/server/feed.xml" rel="self" type="application/rss+xml"/><item><title>Devolutions Server: Vulnerability Allows Multi-Factor Authentication Bypass</title><link>https://feed.craftedsignal.io/briefs/2026-07-devolutions-server-mfa-bypass/</link><pubDate>Tue, 07 Jul 2026 11:08:46 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-devolutions-server-mfa-bypass/</guid><description>A remote, authenticated attacker can exploit a vulnerability in Devolutions Server to bypass its multi-factor authentication (MFA) security measures, potentially leading to unauthorized access to sensitive data and systems.</description><content:encoded><![CDATA[<p>A significant vulnerability has been identified in Devolutions Server, an enterprise solution for managing privileged access and credentials. This flaw, rated as high severity by BSI (German Federal Office for Information Security), allows a remote, authenticated attacker to bypass multi-factor authentication (MFA) protections. The advisory, published on July 7, 2026, highlights that while an attacker must first gain initial authentication credentials, the successful exploitation of this vulnerability negates the added security layer provided by MFA. This is critical for defenders as MFA is a fundamental control against credential theft and provides a strong defense against unauthorized access to sensitive systems and data managed by Devolutions Server. Without specific details on the nature of the bypass, organizations are urged to apply vendor-provided patches immediately.</p>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of this MFA bypass vulnerability could have severe consequences for organizations utilizing Devolutions Server. An attacker who has already obtained legitimate user credentials (e.g., through phishing or credential stuffing) could then gain full access to the privileged access management system, bypassing the crucial second factor of authentication. This level of access would allow the attacker to retrieve sensitive credentials, access management tools, and potentially control critical infrastructure. The primary impact is unauthorized access, which can lead to data exfiltration, system compromise, or further lateral movement within the victim's network. The advisory does not specify observed victims or targeted sectors but emphasizes the high risk posed by this type of security bypass.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Prioritize and immediately apply all available security updates from Devolutions for Devolutions Server to remediate the MFA bypass vulnerability.</li>
<li>Review access logs for Devolutions Server for any suspicious authentication attempts that successfully bypass MFA or originate from unusual locations/IPs.</li>
<li>Implement strict password policies and ensure robust initial authentication mechanisms to prevent initial credential compromise, as this vulnerability requires an already authenticated attacker.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>defense-evasion</category><category>vulnerability</category><category>server</category></item><item><title>SurrealDB Denial of Service Vulnerability via JSON Parser (GHSA-q729-696q-g9pq)</title><link>https://feed.craftedsignal.io/briefs/2026-07-surrealdb-dos/</link><pubDate>Fri, 03 Jul 2026 12:29:44 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-surrealdb-dos/</guid><description>An unauthenticated remote attacker can exploit a Denial of Service vulnerability (GHSA-q729-696q-g9pq) in SurrealDB's value and JSON parser, which failed to enforce recursion depth limits when processing deeply nested JSON payloads sent to the WebSocket /rpc endpoint, leading to server memory exhaustion and process crashes.</description><content:encoded><![CDATA[<p>A high-severity Denial of Service vulnerability (GHSA-q729-696q-g9pq) has been identified in SurrealDB, affecting versions prior to 3.1.0. An unauthenticated remote attacker can exploit this flaw by sending a specially crafted, deeply nested JSON payload to the server's WebSocket <code>/rpc</code> endpoint. The vulnerability lies in the value and JSON parser, which inconsistently failed to enforce configured recursion depth limits for nested objects, arrays, or parentheses. This oversight allows the malicious payload to exhaust server memory during parsing, leading to the immediate crash of the SurrealDB process. This issue is a partial fix for a previous vulnerability (GHSA-6r8p-hpg7-825g) that addressed a similar problem in the expression parser but overlooked the value/JSON parser code path. The immediate impact is service unavailability for affected SurrealDB instances, requiring manual restart.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Reconnaissance</strong>: An attacker identifies a publicly exposed SurrealDB instance, potentially through port scanning or misconfiguration.</li>
<li><strong>Vulnerability Identification</strong>: The attacker identifies the accessible WebSocket <code>/rpc</code> endpoint, which is vulnerable to unauthenticated input.</li>
<li><strong>Payload Crafting</strong>: The attacker crafts a malicious JSON payload characterized by extremely deep nesting of objects (<code>{}</code>), arrays (<code>[]</code>), or parentheses (<code>()</code>).</li>
<li><strong>Connection Establishment</strong>: The attacker establishes a WebSocket connection to the identified <code>/rpc</code> endpoint on the vulnerable SurrealDB server.</li>
<li><strong>Malicious Request</strong>: The crafted, deeply nested JSON payload is sent by the attacker over the established WebSocket connection to the SurrealDB server.</li>
<li><strong>Vulnerable Parsing</strong>: The SurrealDB server's value and JSON parser attempts to process the incoming payload but fails to enforce its configured recursion depth limits due to the identified vulnerability.</li>
<li><strong>Resource Exhaustion</strong>: The uncontrolled recursive parsing of the deeply nested JSON payload rapidly consumes and exhausts the server's available memory resources.</li>
<li><strong>Denial of Service</strong>: The SurrealDB process crashes as a result of the memory exhaustion, rendering the database service completely unavailable to legitimate users.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The primary impact of this vulnerability is a complete Denial of Service for affected SurrealDB instances. An unauthenticated remote attacker can trigger a server crash with a single malicious WebSocket message, requiring no prior credentials or query execution privileges. This vulnerability can lead to significant downtime for any applications or services relying on the SurrealDB instance, causing operational disruption and potential data inconsistencies if the server crashes unexpectedly during write operations. There are no known workarounds other than restricting network access or patching.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-GHSA-q729-696q-g9pq immediately</strong>: Upgrade all SurrealDB instances to version 3.1.0 or later to apply the fix for this vulnerability.</li>
<li><strong>Restrict Network Access</strong>: Implement network access controls (firewalls, security groups) to restrict access to the WebSocket <code>/rpc</code> endpoint to only trusted clients or internal networks.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>denial-of-service</category><category>vulnerability</category><category>websocket</category><category>server</category></item><item><title>OpenClaw Vulnerability Allows Local Forged Identity Headers</title><link>https://feed.craftedsignal.io/briefs/2026-07-openclaw-forged-headers/</link><pubDate>Fri, 03 Jul 2026 12:17:46 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-openclaw-forged-headers/</guid><description>A vulnerability (GHSA-rggc-m335-3wvj) in OpenClaw's trusted-proxy deployments allows a local attacker on the same host to forge identity headers, bypassing intended security controls and potentially leading to unauthorized access or privilege escalation if the affected feature is enabled and reachable.</description><content:encoded><![CDATA[<p>A significant security vulnerability, tracked as GHSA-rggc-m335-3wvj, has been identified in OpenClaw's trusted-proxy deployments, specifically impacting versions prior to <code>2026.5.18</code>. This flaw allows a local attacker, operating from the same host where an OpenClaw Gateway instance is running, to forge identity headers. By directly communicating with the proxy-facing Gateway port and presenting these falsified headers, the attacker can effectively bypass the security mechanisms designed for trusted proxies. If the affected feature is active and accessible, this enables the local caller to assume an operator's identity, potentially leading to unauthorized access, configuration changes, or privilege escalation within the OpenClaw environment. This vulnerability is critical for organizations deploying OpenClaw in shared-host or multi-tenant environments where local access by lower-trust processes is possible.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access</strong>: An attacker gains local access to a system hosting an OpenClaw Gateway instance configured for trusted-proxy deployments. This could be via another compromised application or a low-privilege user account.</li>
<li><strong>Discovery</strong>: The attacker probes the local system to identify the specific network port on which the OpenClaw Gateway's proxy-facing service is listening.</li>
<li><strong>Direct Connection</strong>: The attacker establishes a direct network connection from their local process to the discovered OpenClaw Gateway port, bypassing the legitimate trusted proxy infrastructure.</li>
<li><strong>Header Forgery</strong>: The attacker crafts and sends HTTP requests containing forged identity headers, mimicking those that would normally be generated and supplied by a trusted upstream proxy.</li>
<li><strong>Vulnerable Processing</strong>: The affected OpenClaw Gateway instance (versions <code>&lt; 2026.5.18</code>) accepts and processes these forged identity headers from the direct local connection without proper validation.</li>
<li><strong>Identity Assumption</strong>: The Gateway attributes the operator identity specified in the forged headers to the local attacker's process.</li>
<li><strong>Privilege Escalation / Unauthorized Actions</strong>: The attacker, now operating with the assumed operator identity, performs unauthorized actions such as modifying configurations, accessing sensitive data, or escalating privileges within the OpenClaw system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of this vulnerability can lead to significant security breaches. If an attacker can successfully forge identity headers, they can impersonate an authorized operator within the OpenClaw environment. The practical impact is highly dependent on the privileges associated with the impersonated operator and the specific configurations of the OpenClaw Gateway. This could result in unauthorized configuration changes, data manipulation or exfiltration, or complete administrative control over the OpenClaw instance. Organizations with shared hosting environments or those running multiple applications on the same server as OpenClaw are particularly at risk, as any compromised local process could leverage this flaw.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch Immediately</strong>: Upgrade all OpenClaw Gateway instances to version <code>2026.5.18</code> or newer to remediate the vulnerability described in GHSA-rggc-m335-3wvj.</li>
<li><strong>Network Segmentation</strong>: Implement network controls to bind the trusted-proxy ingress behind the actual trusted proxy and firewall direct same-host access to the Gateway port, as mentioned in the GHSA-rggc-m335-3wvj mitigations.</li>
<li><strong>Feature Disablement</strong>: Disable the affected trusted-proxy feature if it is not explicitly required for your operational workflow to reduce the attack surface.</li>
<li><strong>Access Control</strong>: Ensure that lower-trust applications or users on the same host cannot reach the OpenClaw Gateway's proxy-facing port, following the hardening advice from GHSA-rggc-m335-3wvj.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>proxy</category><category>privilege-escalation</category><category>defense-evasion</category><category>npm</category><category>server</category></item><item><title>Dell PowerProtect Data Domain: Multiple Vulnerabilities</title><link>https://feed.craftedsignal.io/briefs/2026-07-dell-powerprotect-vulnerabilities/</link><pubDate>Fri, 03 Jul 2026 10:55:50 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-dell-powerprotect-vulnerabilities/</guid><description>Multiple vulnerabilities in Dell PowerProtect Data Domain could allow an attacker to elevate privileges, execute arbitrary code, bypass security controls, perform a Denial of Service attack, conduct Cross-Site Scripting, disclose information, and manipulate files.</description><content:encoded><![CDATA[<p>The German Federal Office for Information Security (BSI) has issued an advisory (WID-SEC-2026-2189) highlighting multiple critical vulnerabilities within Dell PowerProtect Data Domain. These vulnerabilities collectively pose a significant risk, allowing an attacker to achieve a wide range of malicious outcomes. While the advisory does not specify observed in-the-wild exploitation, it warns that successful exploitation could lead to privilege escalation, arbitrary code execution, bypassing security measures, Denial of Service (DoS) attacks, Cross-Site Scripting (XSS), and unauthorized information disclosure or file manipulation. Organizations utilizing Dell PowerProtect Data Domain systems are urged to address these vulnerabilities promptly, as they represent a substantial attack surface for adversaries seeking to compromise data backup and recovery infrastructure.</p>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these vulnerabilities in Dell PowerProtect Data Domain could lead to severe consequences for affected organizations. Attackers could gain elevated privileges, execute arbitrary code on the affected systems, and bypass existing security controls, potentially leading to full compromise of the data protection environment. The vulnerabilities also open avenues for Denial of Service attacks, rendering critical backup and recovery services unavailable, and Cross-Site Scripting attacks that could compromise administrative sessions. Furthermore, sensitive information could be disclosed, and critical files manipulated, undermining data integrity and confidentiality. While no specific victim count or targeted sectors were detailed in the advisory, any organization using Dell PowerProtect Data Domain is at risk of these potential impacts.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Prioritize and immediately apply all available security patches and updates for Dell PowerProtect Data Domain from Dell Technologies.</li>
<li>Regularly review security advisories from Dell and CERT-Bund (BSI) for new vulnerabilities affecting Dell PowerProtect Data Domain.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>vulnerability</category><category>server</category><category>dell</category><category>data-protection</category></item></channel></rss>