{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/unauthorized-access/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-35682"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["command-injection","unauthorized-access","iot"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-35682 describes an authenticated command injection vulnerability in Anviz CX2 Lite devices. An attacker with valid user credentials can inject arbitrary commands into the filename parameter, leading to remote code execution with root privileges. The vulnerability allows an attacker to execute commands like starting telnetd, effectively gaining complete control over the device. This poses a significant risk to organizations using vulnerable Anviz CX2 Lite devices for access control or time attendance, potentially leading to unauthorized access, data breaches, or denial-of-service conditions. 
The ICS-CERT advisory, ICSA-26-106-03, provides additional details.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains valid credentials for an Anviz CX2 Lite device.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the device\u0026rsquo;s web interface or API.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the vulnerable filename parameter in a specific request.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request containing a command injection payload within the filename parameter (e.g., \u003ccode\u003efilename=;telnetd -p 1337 -l /bin/sh;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe Anviz CX2 Lite device processes the request, improperly sanitizing the filename parameter.\u003c/li\u003e\n\u003cli\u003eThe injected command executes with root privileges on the device.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the executed command to start a service like telnetd.\u003c/li\u003e\n\u003cli\u003eThe attacker connects to the newly started service, gaining a root shell and complete control of the device.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35682 allows a remote attacker to gain root-level access to the Anviz CX2 Lite device. This can lead to complete system compromise, including unauthorized access to sensitive data, modification of device settings, and potential use of the device as a foothold for further attacks within the network. Given that these devices are often used for physical access control, this vulnerability could lead to unauthorized physical access to secured areas.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or firmware updates from Anviz to remediate CVE-2026-35682. 
Contact Anviz directly through their website for support and remediation steps (\u003ca href=\"https://www.anviz.com/contact-us.html\"\u003ehttps://www.anviz.com/contact-us.html\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Anviz CX2 Lite Command Injection Attempt\u003c/code\u003e to identify exploitation attempts against the device.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing shell metacharacters or command strings in the filename parameter; these indicate exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview authentication logs for unauthorized access attempts to the Anviz CX2 Lite devices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T20:16:35Z","date_published":"2026-04-17T20:16:35Z","id":"/briefs/2026-04-anviz-command-injection/","summary":"Anviz CX2 Lite is vulnerable to an authenticated command injection via the filename parameter, leading to arbitrary command execution and root-level access.","title":"Anviz CX2 Lite Authenticated Command Injection Vulnerability (CVE-2026-35682)","url":"https://feed.craftedsignal.io/briefs/2026-04-anviz-command-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-4365"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","plugin","learnpress","data-deletion","unauthorized-access"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe LearnPress plugin for WordPress, in versions up to and including 4.3.2.8, is susceptible to unauthorized data deletion. The vulnerability stems from a missing capability check on the \u003ccode\u003edelete_question_answer()\u003c/code\u003e function. The plugin exposes a \u003ccode\u003ewp_rest\u003c/code\u003e nonce in public frontend HTML, and this nonce serves as the sole security check for the \u003ccode\u003elp-load-ajax\u003c/code\u003e AJAX dispatcher. 
As the \u003ccode\u003edelete_question_answer\u003c/code\u003e action lacks capability or ownership validation, unauthenticated attackers can exploit this flaw to delete arbitrary quiz answer options. This is achieved by sending a crafted POST request containing a publicly available nonce. Exploitation does not require any prior authentication.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a LearnPress installation with a vulnerable version (\u0026lt;= 4.3.2.8).\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the public frontend of the WordPress site.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the \u003ccode\u003ewp_rest\u003c/code\u003e nonce from the \u003ccode\u003elpData\u003c/code\u003e variable in the HTML source code. This nonce is used for AJAX requests.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to the \u003ccode\u003ewp-admin/admin-ajax.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted POST request includes the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003edelete_question_answer\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request also includes the \u003ccode\u003enonce\u003c/code\u003e parameter with the value of the retrieved \u003ccode\u003ewp_rest\u003c/code\u003e nonce.\u003c/li\u003e\n\u003cli\u003eThe request includes the \u003ccode\u003eanswer_id\u003c/code\u003e parameter set to the ID of the quiz answer option to be deleted.\u003c/li\u003e\n\u003cli\u003eThe server, lacking proper capability checks, processes the request and deletes the specified quiz answer option from the database. 
This results in data loss and potentially disrupts the functionality of quizzes within the LearnPress plugin.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows unauthenticated attackers to arbitrarily delete quiz answer options within the LearnPress plugin. This can lead to data loss, disruption of quizzes, and potentially compromise the integrity of educational content. The CVSS v3.1 base score for this vulnerability is 9.1, indicating a critical severity. The number of victims and specific sectors targeted are currently unknown, but any website using the vulnerable LearnPress plugin is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the LearnPress plugin to a version greater than 4.3.2.8 to patch CVE-2026-4365.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect LearnPress Unauthorized Data Deletion Attempt\u0026rdquo; to your SIEM to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003ewp-admin/admin-ajax.php\u003c/code\u003e with the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003edelete_question_answer\u003c/code\u003e and investigate suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T02:16:57Z","date_published":"2026-04-14T02:16:57Z","id":"/briefs/2026-04-learnpress-data-deletion/","summary":"The LearnPress plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the `delete_question_answer()` function, allowing unauthenticated attackers to delete quiz answer options.","title":"LearnPress WordPress Plugin Unauthorized Data Deletion Vulnerability 
(CVE-2026-4365)","url":"https://feed.craftedsignal.io/briefs/2026-04-learnpress-data-deletion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["openshift","kubernetes","networkpolicy","unauthorized-access"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA vulnerability, CVE-2025-12805, has been identified in Red Hat OpenShift AI (RHOAI) llama-stack-operator. The vulnerability stems from the lack of NetworkPolicy restrictions on the llama-stack service endpoint. This allows a user within one namespace to bypass intended isolation and directly access Llama Stack services deployed in other namespaces. The vulnerability was published on March 26, 2026. Successful exploitation could lead to unauthorized data access and manipulation, impacting the…\u003c/p\u003e\n","date_modified":"2026-03-27T10:00:00Z","date_published":"2026-03-27T10:00:00Z","id":"/briefs/2026-03-openshift-ai-vuln/","summary":"CVE-2025-12805 describes a flaw in Red Hat OpenShift AI (RHOAI) llama-stack-operator that allows unauthorized access to Llama Stack services in other namespaces via direct network requests due to missing NetworkPolicy restrictions, potentially enabling attackers to view or manipulate sensitive data.","title":"Red Hat OpenShift AI Llama Stack Unauthorized Access Vulnerability (CVE-2025-12805)","url":"https://feed.craftedsignal.io/briefs/2026-03-openshift-ai-vuln/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["medium"],"_cs_tags":["azuread","authentication","geo-location","unauthorized-access","credential-compromise","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis brief addresses the risk of unauthorized access to Azure Active Directory (Azure AD) resources stemming from successful authentication events originating from unexpected geographic locations. 
While the source material does not attribute this activity to a specific threat actor, such access can be indicative of compromised user accounts, sophisticated phishing attacks, or insider threats. The focus is on detecting deviations from established operational norms, where user logins typically originate from known and trusted countries. By monitoring sign-in logs, security teams can identify potentially malicious activity that bypasses standard security controls and warrants further investigation. Effective detection relies on maintaining an accurate list of countries where the organization operates.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Compromise:\u003c/strong\u003e An attacker obtains valid user credentials through phishing, malware, or credential stuffing.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker leverages the compromised credentials to attempt authentication to Azure AD.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication Request:\u003c/strong\u003e The attacker initiates a sign-in request to Azure AD from an IP address associated with an unexpected geographic location.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBypass MFA (if present):\u003c/strong\u003e If multi-factor authentication (MFA) is enabled, the attacker may attempt to bypass it through techniques like MFA fatigue or SIM swapping.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSuccessful Authentication:\u003c/strong\u003e The attacker successfully authenticates to Azure AD, gaining access to cloud resources and applications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker attempts to escalate privileges within the Azure AD environment to gain broader access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker moves laterally 
within the cloud environment, accessing sensitive data and resources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration / Persistence:\u003c/strong\u003e The attacker exfiltrates sensitive data or establishes persistent access for future malicious activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to significant data breaches, financial loss, and reputational damage. The extent of the impact depends on the level of access gained by the attacker and the sensitivity of the compromised data. Organizations may face regulatory fines, legal action, and loss of customer trust. The absence of geographic restrictions on authentication increases the attack surface and elevates the risk of unauthorized access from malicious actors operating outside of the organization\u0026rsquo;s control.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect successful authentications from countries outside of the organization\u0026rsquo;s operational footprint, based on the \u003ccode\u003eLocation\u003c/code\u003e field in Azure AD sign-in logs.\u003c/li\u003e\n\u003cli\u003eMaintain and regularly update a whitelist of countries where the organization operates to ensure the accuracy of the \u003ccode\u003efilter\u003c/code\u003e in the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the sign-in event and the potential compromise of the user account.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) for all users to mitigate the risk of credential compromise, although attackers may attempt to bypass MFA.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T18:22:00Z","date_published":"2024-01-29T18:22:00Z","id":"/briefs/2024-01-azure-auth-bypass/","summary":"Detection of successful 
authentications originating from geographic locations outside of an organization's expected operational footprint, potentially indicating compromised credentials or unauthorized access.","title":"Azure AD Authentication from Unexpected Geo-locations","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Unauthorized-Access","version":"https://jsonfeed.org/version/1.1"}
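The Anviz CX2 Lite brief above describes a filename parameter that is interpolated into a shell command, so a value of the form `;telnetd -p 1337 -l /bin/sh;` runs a second command as root. The following is an added illustration of that bug class and its fix, not Anviz firmware (the advisory does not show the device's code). The handler names, the `echo` command standing in for the device's real file operation, and the `;echo INJECTED;` marker standing in for the brief's telnetd payload are all assumptions.

```python
"""Command injection through a request's filename parameter: vulnerable pattern vs. fix.

Added illustration for the Anviz CX2 Lite brief; not Anviz firmware. 'echo' is a
stand-in for the device's real file operation and ';echo INJECTED;' stands in for
the brief's ';telnetd -p 1337 -l /bin/sh;' payload.
"""
import re
import subprocess

# Constructed parameter values (not captured traffic).
BENIGN_FILENAME = "report.txt"
INJECTED_FILENAME = ";echo INJECTED;"   # same shape as the payload in the brief
OPTION_FILENAME = "-n"                  # argument injection: a value that parses as an option


def vulnerable_handler(filename: str) -> str:
    """Interpolates the parameter into a command string and hands it to /bin/sh.

    The first ';' terminates the intended command, so the remainder runs as a
    second command with the handler's privileges (root on the affected device).
    """
    cmd = f"echo {filename}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def argv_only_handler(filename: str) -> str:
    """Passes the parameter as one argv element; no shell parses it.

    Shell metacharacters become inert text, but the value can still be read
    as an option by the invoked program (see OPTION_FILENAME), so this layer
    alone is not enough.
    """
    proc = subprocess.run(["echo", filename], capture_output=True, text=True)
    return proc.stdout


# Allowlist: a short token of letters, digits, '.', '_' and '-'; no path separators
# or shell metacharacters. A leading '.' or '-' is rejected separately so the value
# can be neither a traversal component ('..') nor an option ('-n').
SAFE_FILENAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def hardened_handler(filename: str) -> str:
    """Validates against the allowlist, then uses the argv form."""
    if not SAFE_FILENAME.fullmatch(filename) or filename[0] in ".-":
        raise ValueError(f"rejected filename: {filename!r}")
    return argv_only_handler(filename)


def demo() -> dict:
    """Runs each handler on the constructed inputs and returns the outcomes."""
    results = {
        "vulnerable_benign": vulnerable_handler(BENIGN_FILENAME),
        "vulnerable_injected": vulnerable_handler(INJECTED_FILENAME),
        "argv_only_injected": argv_only_handler(INJECTED_FILENAME),
        "argv_only_option": argv_only_handler(OPTION_FILENAME),
    }
    for name in (BENIGN_FILENAME, INJECTED_FILENAME, OPTION_FILENAME):
        try:
            results[f"hardened:{name}"] = hardened_handler(name)
        except ValueError as exc:
            results[f"hardened:{name}"] = str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:<32} {value!r}")
```

The two fixes are layered on purpose: the argv form removes the shell from the data path, which is what stops the `;` payload, and the allowlist stops the remaining argument-injection and traversal cases that an argv call alone still permits. The same allowlist expression is a reasonable starting point for the log monitoring the brief recommends: any `filename` value it rejects is worth a look.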
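The LearnPress and Azure AD briefs above both end with a Sigma rule and a log-monitoring recommendation: a POST to `wp-admin/admin-ajax.php` with `action=delete_question_answer`, and a successful Azure AD sign-in whose `Location` falls outside the organization's country allowlist (the rule's `filter`). The following is an added illustration of that detection logic run over constructed events; it is not CraftedSignal's published Sigma rules. Real Sigma rules are YAML; the dicts below mirror their selection/filter shape so the `selection and not filter` condition can be executed here. The field names (`method`, `uri`, `body`; `Category`, `ResultType`, `Location`), the two-country footprint and the sample events are assumptions.

```python
"""Minimal Sigma-style matcher run over constructed log events.

Added illustration for the LearnPress and Azure AD briefs; not CraftedSignal's
rules. Field names, the country allowlist and every event below are assumptions.
"""

# Constructed events (not real logs). 'source' plays the role of Sigma's logsource.
EVENTS = [
    # LearnPress: unauthenticated POST to the AJAX dispatcher carrying the vulnerable action.
    {"source": "web", "method": "POST", "uri": "/wp-admin/admin-ajax.php",
     "body": "action=delete_question_answer&nonce=1a2b3c4d5e&answer_id=42", "status": 200},
    # Ordinary frontend AJAX call: same endpoint, different action.
    {"source": "web", "method": "POST", "uri": "/wp-admin/admin-ajax.php",
     "body": "action=heartbeat&nonce=1a2b3c4d5e", "status": 200},
    # Azure AD successful sign-in from inside the operational footprint.
    {"source": "azuread", "Category": "SignInLogs", "ResultType": 0,
     "UserPrincipalName": "alice@example.com", "Location": "US"},
    # Azure AD successful sign-in from outside the footprint.
    {"source": "azuread", "Category": "SignInLogs", "ResultType": 0,
     "UserPrincipalName": "bob@example.com", "Location": "RU"},
    # Azure AD failed sign-in from outside the footprint: a failure, not a success.
    {"source": "azuread", "Category": "SignInLogs", "ResultType": 50126,
     "UserPrincipalName": "bob@example.com", "Location": "RU"},
]

LEARNPRESS_RULE = {
    "title": "LearnPress delete_question_answer via admin-ajax (assumed rule)",
    "logsource": "web",
    "detection": {
        "selection": {
            "method": "POST",
            "uri|contains": "/wp-admin/admin-ajax.php",
            "body|contains": "action=delete_question_answer",
        },
    },  # condition: selection
}

AZURE_GEO_RULE = {
    "title": "Azure AD successful sign-in outside operational footprint (assumed rule)",
    "logsource": "azuread",
    "detection": {
        "selection": {"Category": "SignInLogs", "ResultType": 0},
        # The filter is the country allowlist the brief says must be kept current.
        "filter": {"Location": ["US", "DE"]},
    },  # condition: selection and not filter
}


def field_matches(event: dict, key: str, expected) -> bool:
    """One Sigma field line: 'field' or 'field|contains'; a list of values means OR."""
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    actual = str(event[field])
    for value in expected if isinstance(expected, list) else [expected]:
        value = str(value)
        if modifier == "contains" and value in actual:
            return True
        if modifier == "" and value == actual:
            return True
    return False


def section_matches(event: dict, section: dict) -> bool:
    """A selection or filter block: every field line must match (AND)."""
    return all(field_matches(event, key, value) for key, value in section.items())


def rule_matches(event: dict, rule: dict) -> bool:
    """Implements 'selection and not filter' (plain 'selection' when there is no filter)."""
    detection = rule["detection"]
    if event.get("source") != rule["logsource"]:
        return False
    if not section_matches(event, detection["selection"]):
        return False
    filt = detection.get("filter")
    return not (filt and section_matches(event, filt))


def run_rules(events: list, rules: list) -> list:
    """Returns (rule title, event) pairs for every event a rule fires on."""
    return [(rule["title"], event)
            for event in events for rule in rules if rule_matches(event, rule)]


if __name__ == "__main__":
    for title, event in run_rules(EVENTS, [LEARNPRESS_RULE, AZURE_GEO_RULE]):
        print(title, "->", event)
```

Two practical caveats. The LearnPress `action` parameter travels in the POST body (or the query string), which default web server access logs do not record; the rule needs request-body logging, a WAF or reverse-proxy log, or the application's own AJAX logging to have anything to match on. For the Azure AD rule, the whole detection rests on the `filter` list: a country missing from the allowlist produces false positives for every legitimate user there, and a country added too generously hides the sign-ins the brief is trying to surface, which is why the recommendation to keep that list current matters more than the selection itself.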