{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/uac/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-40032"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["command-injection","vulnerability","uac"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eUAC (Unix-like Artifacts Collector) before version 3.3.0-rc1 is susceptible to a command injection vulnerability. This flaw resides in the placeholder substitution and command execution pipeline within the application. Specifically, the \u003ccode\u003e_run_command()\u003c/code\u003e function directly passes constructed command strings to \u003ccode\u003eeval\u003c/code\u003e without proper sanitization. This lack of input validation allows attackers to inject malicious shell metacharacters or command substitutions into the command strings. Exploitation is possible through attacker-controlled inputs such as \u003ccode\u003e%line%\u003c/code\u003e values from \u003ccode\u003eforeach\u003c/code\u003e iterators and \u003ccode\u003e%user%\u003c/code\u003e / \u003ccode\u003e%user_home%\u003c/code\u003e values derived from system files. Successful exploitation leads to arbitrary command execution with the same privileges as the UAC process. This poses a significant risk to system integrity and confidentiality.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable UAC instance running a version prior to 3.3.0-rc1.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious input string containing shell metacharacters or command substitutions, targeting either \u003ccode\u003e%line%\u003c/code\u003e values in \u003ccode\u003eforeach\u003c/code\u003e iterators, or the \u003ccode\u003e%user%\u003c/code\u003e and \u003ccode\u003e%user_home%\u003c/code\u003e values.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled input is passed to UAC, potentially via a configuration file, command-line argument, or other input mechanism.\u003c/li\u003e\n\u003cli\u003eUAC\u0026rsquo;s \u003ccode\u003e_run_command()\u003c/code\u003e function receives the malicious input and performs placeholder substitution.\u003c/li\u003e\n\u003cli\u003eThe resulting command string, now containing the injected commands, is passed to the \u003ccode\u003eeval\u003c/code\u003e function without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eeval\u003c/code\u003e function executes the attacker-injected commands with the privileges of the UAC process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform actions such as data exfiltration, system compromise, or lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe command injection vulnerability in UAC before 3.3.0-rc1 allows attackers to execute arbitrary commands on the affected system. The impact of successful exploitation includes complete system compromise, data breaches, and potential for lateral movement to other systems within the network. Since UAC is used to collect artifacts, successful exploitation could lead to the collection of sensitive data from the compromised system, which could then be exfiltrated. The specific number of potential victims is unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade UAC to version 3.3.0-rc1 or later to patch CVE-2026-40032.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for all user-supplied input, particularly those used in command construction and execution, to prevent command injection vulnerabilities.\u003c/li\u003e\n\u003cli\u003eMonitor process execution for unexpected or unauthorized commands originating from the UAC process, using the Sigma rules provided below.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T22:16:23Z","date_published":"2026-04-08T22:16:23Z","id":"/briefs/2024-01-uac-command-injection/","summary":"UAC before 3.3.0-rc1 is vulnerable to command injection in the _run_command() function, allowing attackers to execute arbitrary commands with the privileges of the UAC process through manipulated input values.","title":"UAC (Unix-like Artifacts Collector) Command Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-uac-command-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Uac","version":"https://jsonfeed.org/version/1.1"}