<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Web-Exploitation - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/web-exploitation/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 06 Jul 2026 21:43:46 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/web-exploitation/feed.xml" rel="self" type="application/rss+xml"/><item><title>9routers Database Exposure and Takeover via Insecure API</title><link>https://feed.craftedsignal.io/briefs/2026-07-9routers-db-exposure/</link><pubDate>Mon, 06 Jul 2026 21:43:46 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-9routers-db-exposure/</guid><description>A critical vulnerability (CVE-2026-55500) in 9routers versions &lt;= 0.4.71 allows authenticated attackers with a valid JWT token to export the complete database containing plaintext credentials and secrets, and to import a modified database, leading to full system takeover and credential theft.</description><content:encoded><![CDATA[<p>A critical vulnerability, tracked as CVE-2026-55500, has been identified in 9routers versions 0.4.71 and earlier. This flaw resides in the <code>/api/settings/database</code> API endpoint, which is intended for database export and import functionalities. Despite being protected by an <code>ALWAYS_PROTECTED</code> middleware requiring a valid JWT or CLI token, this protection is deemed insufficient. An attacker, having obtained a valid token (potentially through default credentials like &quot;123456&quot; or other means), can exploit this endpoint to perform a full export of the application's database. This export includes highly sensitive information such as plaintext API keys, OAuth tokens, OIDC client secrets, and hashed user credentials. Furthermore, the attacker can import a modified database, enabling a complete wipe and overwrite of the existing database, which can be leveraged to replace administrator password hashes, gain persistent access, and achieve full system takeover. This vulnerability poses a severe risk to the confidentiality, integrity, and availability of affected 9router instances.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access / Credential Acquisition</strong>: An attacker identifies an accessible 9router instance and obtains an initial valid JWT or CLI token, potentially leveraging default credentials (e.g., '123456') or other initial access methods.</li>
<li><strong>Reconnaissance / Sensitive Endpoint Access</strong>: Using the acquired token, the attacker sends an HTTP GET request to the <code>/api/settings/database</code> endpoint to understand its functionality and extract current configuration.</li>
<li><strong>Data Exfiltration / Credential Dumping</strong>: The vulnerable endpoint responds with a full database export, providing the attacker with highly sensitive information, including plaintext API keys, OAuth tokens, OIDC client secrets, and hashed user credentials.</li>
<li><strong>Data Manipulation</strong>: The attacker analyzes the exfiltrated database content, identifies critical entries (such as administrator password hashes), and modifies them to establish their own privileged access.</li>
<li><strong>Privilege Escalation / Persistence (Database Import)</strong>: The attacker crafts an HTTP POST request containing the manipulated database payload and sends it to the <code>/api/settings/database</code> endpoint, authenticating with their valid token.</li>
<li><strong>System Control / Database Overwrite</strong>: The 9router application processes this malicious import request, completely overwriting its operational database with the attacker's controlled data, including new administrator credentials.</li>
<li><strong>Impact / Full Takeover</strong>: The attacker can now log in to the 9router instance using their newly set credentials, gaining full administrative control and potentially leveraging the previously stolen API keys for further malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-55500 leads to severe consequences across multiple domains. Confidentiality is completely breached through the exposure of all stored secrets, including plaintext API keys, OAuth tokens, and OIDC client secrets, which could facilitate lateral movement or access to connected services. Integrity is compromised as attackers can perform a full database replacement with their own controlled data, effectively rewriting all application settings and user credentials. This allows for persistent control and unauthorized modifications. Furthermore, availability can be impacted if an attacker chooses to import an empty or malformed database, leading to a denial of service for the 9router application. This vulnerability enables a complete system takeover.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch Immediately</strong>: Upgrade 9router to a version greater than 0.4.71 to address CVE-2026-55500.</li>
<li><strong>Implement Strong Authentication</strong>: Ensure that highly sensitive endpoints like <code>/api/settings/database</code> require multi-factor authentication or re-authentication with current credentials, not just an existing session.</li>
<li><strong>Deploy Sigma Rules</strong>: Deploy the provided Sigma rule to your SIEM to detect attempts to access the <code>/api/settings/database</code> endpoint and investigate any alerts.</li>
<li><strong>Review Logs</strong>: Audit webserver access logs for <code>http://localhost:20128/api/settings/database</code> (or your production URL) for any suspicious GET or POST requests.</li>
<li><strong>Rotate Credentials</strong>: Immediately rotate all API keys, OAuth tokens, and other secrets if an instance of 9router was running a vulnerable version.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>web-exploitation</category><category>data-exfiltration</category><category>credential-access</category><category>persistence</category><category>impact</category></item><item><title>Gitea: Multiple Vulnerabilities Leading to XSS, Info Disclosure, and File Manipulation</title><link>https://feed.craftedsignal.io/briefs/2026-07-gitea-multi-vulnerabilities/</link><pubDate>Mon, 06 Jul 2026 08:29:46 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-gitea-multi-vulnerabilities/</guid><description>An attacker can exploit multiple unpatched vulnerabilities in Gitea to bypass security measures, disclose sensitive information, perform Cross-Site Scripting (XSS) attacks, and manipulate files, posing a high risk to self-hosted Git instances.</description><content:encoded><![CDATA[<p>The German Federal Office for Information Security (BSI) has issued a high-severity alert regarding multiple unpatched vulnerabilities in Gitea, a popular self-hosted Git service. These vulnerabilities allow an attacker to bypass security measures, disclose sensitive information, execute Cross-Site Scripting (XSS) attacks, and manipulate files. While specific Common Vulnerabilities and Exposures (CVE) identifiers have not been released, the broad range of potential impacts indicates significant risk to Gitea instances if exploited. Organizations using Gitea versions without the latest security fixes are advised to prioritize updates. The advisory, published on 2026-07-06, highlights the importance of timely patching to prevent unauthorized access and data compromise, emphasizing that the absence of detailed CVEs does not diminish the severity of the threat.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access</strong>: An attacker identifies a vulnerable Gitea instance and sends specially crafted HTTP requests to the application.</li>
<li><strong>Vulnerability Exploitation</strong>: Gitea processes the malicious input, leading to the exploitation of one or more undisclosed vulnerabilities, such as input validation flaws or authorization bypasses.</li>
<li><strong>XSS Execution</strong>: If Cross-Site Scripting (XSS) vulnerabilities are triggered, malicious client-side scripts are injected and executed within a victim's browser session when they interact with the compromised Gitea application.</li>
<li><strong>Security Bypass / Information Disclosure</strong>: Successful exploitation may bypass authentication or authorization mechanisms, granting unauthorized access, or lead to the exposure of sensitive data from the Gitea application or its underlying system.</li>
<li><strong>File Manipulation</strong>: Attackers leverage vulnerabilities to manipulate arbitrary files on the server hosting Gitea, potentially altering configurations, modifying web content, or placing malicious files like web shells.</li>
<li><strong>Achieved Impact</strong>: The attacker achieves objectives such as data exfiltration, establishing persistent access through manipulated files, or causing denial of service by corrupting critical system components or databases.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these Gitea vulnerabilities could lead to significant consequences for affected organizations. Attackers could gain unauthorized access to sensitive code repositories, intellectual property, or user credentials through information disclosure and security bypass flaws. Cross-Site Scripting attacks might enable session hijacking, credential theft, or further client-side exploitation against legitimate users. Furthermore, file manipulation capabilities could allow attackers to establish persistence by planting web shells, altering configurations, or deploying malicious payloads, potentially leading to full system compromise or supply chain attacks if malicious code is injected into software projects.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Update Gitea to the latest stable version to address the multiple vulnerabilities identified, including those leading to security bypass, information disclosure, XSS, and file manipulation.</li>
<li>Monitor web server logs (e.g., <code>webserver</code> category) for Gitea for unusual HTTP requests, particularly those exhibiting characteristics of attempted exploitation for information disclosure or file manipulation.</li>
<li>Enforce robust Content Security Policies (CSPs) within Gitea deployments to mitigate the execution of malicious client-side scripts, a common outcome of Cross-Site Scripting (XSS) vulnerabilities.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>web-exploitation</category><category>vulnerability</category><category>gitea</category></item><item><title>CVE-2026-14747: SQL Injection in code-projects Real State Services 1.0</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14747-sql-injection/</link><pubDate>Sun, 05 Jul 2026 13:21:42 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14747-sql-injection/</guid><description>A high-severity SQL Injection vulnerability, CVE-2026-14747, exists in the /addprojectsale.php file of code-projects Real State Services 1.0, allowing remote unauthenticated attackers to manipulate the 'amen' argument for arbitrary SQL query execution, leading to data compromise or unauthorized access.</description><content:encoded><![CDATA[<p>A critical SQL Injection vulnerability, tracked as CVE-2026-14747, has been identified in version 1.0 of the code-projects Real State Services application. This flaw resides within an unspecified function of the <code>/addprojectsale.php</code> file, where improper handling of user-supplied input to the <code>amen</code> argument allows for remote, unauthenticated attackers to inject and execute arbitrary SQL commands. This enables attackers to bypass security measures, extract sensitive information from the underlying database, or potentially achieve further system compromise depending on the database's privileges. The vulnerability was publicly disclosed on July 5, 2026, by VulDB and is a significant concern for organizations using this specific version of the Real State Services application, as exploitation can lead to severe data breaches.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a web-facing instance of code-projects Real State Services 1.0.</li>
<li>The attacker crafts a specially designed HTTP POST request targeting the <code>/addprojectsale.php</code> endpoint.</li>
<li>This request includes a malicious SQL injection payload within the <code>amen</code> parameter, bypassing input validation.</li>
<li>The vulnerable application processes the request, incorporating the unsanitized <code>amen</code> parameter value directly into a database query.</li>
<li>The backend SQL database executes the attacker-supplied malicious SQL commands, leading to unauthorized access.</li>
<li>Successful exploitation allows the attacker to read, modify, or delete database contents, extract sensitive data, or potentially establish persistence (e.g., by writing a web shell if sufficient database privileges exist).</li>
<li>The attacker then proceeds with data exfiltration or further compromise of the affected web server.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-14747 can lead to severe consequences for organizations utilizing code-projects Real State Services 1.0. Attackers can gain complete control over the application's database, leading to unauthorized disclosure of sensitive customer data, property listings, or internal operational information. This can result in significant financial losses, reputational damage, regulatory penalties, and potential service disruption. The remote and unauthenticated nature of the vulnerability means that any internet-exposed instance of the application is at risk, potentially affecting numerous small to medium-sized businesses in the real estate sector.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update code-projects Real State Services to a patched version once available to remediate CVE-2026-14747.</li>
<li>Deploy the provided Sigma rule to your SIEM solution to detect exploitation attempts against CVE-2026-14747.</li>
<li>Review web server logs for suspicious activity targeting <code>/addprojectsale.php</code> with SQL injection patterns.</li>
<li>Implement a Web Application Firewall (WAF) in front of the application to filter and block malicious SQL injection payloads.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>sql-injection</category><category>web-exploitation</category><category>cve</category><category>php</category><category>real-state</category></item><item><title>CVE-2026-14744: Remote SQL Injection in code-projects Real State Services 1.0</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14744-sql-injection/</link><pubDate>Sun, 05 Jul 2026 12:19:55 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14744-sql-injection/</guid><description>A critical SQL injection vulnerability (CVE-2026-14744) has been found in code-projects Real State Services version 1.0. The flaw resides in an unknown function within the /normalHomeRent.php file, where manipulating the 'loc' argument allows for remote SQL injection, and a public exploit has been released, posing an immediate threat to affected systems.</description><content:encoded><![CDATA[<p>A critical SQL injection vulnerability, identified as CVE-2026-14744, has been discovered in <code>code-projects Real State Services</code> version 1.0. This flaw, published on July 5, 2026, resides within an unspecified function of the <code>/normalHomeRent.php</code> file. An unauthenticated, remote attacker can exploit this vulnerability by manipulating the <code>loc</code> argument in an HTTP GET request, bypassing security controls and enabling direct interaction with the backend database. The public release of an exploit significantly escalates the risk, making this an immediate and high-priority concern for organizations utilizing this software. Successful exploitation can lead to unauthorized access to sensitive data, data manipulation, or, in severe cases, remote code execution on the underlying server, severely impacting data confidentiality, integrity, and system availability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies an internet-facing instance of <code>code-projects Real State Services 1.0</code>.</li>
<li>The attacker crafts a malicious HTTP GET request targeting the vulnerable <code>/normalHomeRent.php</code> endpoint.</li>
<li>The request includes a specifically engineered SQL injection payload embedded within the <code>loc</code> URL parameter (e.g., <code>loc=' UNION SELECT NULL,version(),NULL,NULL-- -</code>).</li>
<li>The vulnerable <code>Real State Services</code> application processes this request without adequate input sanitization or validation for the <code>loc</code> parameter.</li>
<li>The web application's backend code embeds the malicious payload directly into an SQL query that is sent to the database.</li>
<li>The backend database executes the manipulated SQL query, which may result in sensitive data being returned in the HTTP response, or the execution of arbitrary database commands.</li>
<li>The attacker retrieves the database's response, potentially gaining access to confidential information, modifying database records, or facilitating further system compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-14744 grants remote, unauthenticated attackers the ability to perform SQL injection, leading to significant compromises. The primary impact includes unauthorized access to sensitive database information, such as user credentials, personal data, or proprietary business information. Attackers could also manipulate or delete data, severely affecting data integrity. In some scenarios, depending on the database configuration and type of SQL injection, remote code execution might be achievable on the server hosting the application, leading to full system compromise. With a public exploit available, the number of potential victims is high, spanning any organization or individual using the affected <code>code-projects Real State Services 1.0</code> software.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately apply patches or security updates for <code>code-projects Real State Services 1.0</code> as they become available from the vendor, <code>code-projects</code>.</li>
<li>Deploy the Sigma rule provided in this brief to your SIEM/detection platform to identify attempts to exploit CVE-2026-14744.</li>
<li>Ensure web application firewalls (WAFs) are configured to detect and block common SQL injection patterns, specifically targeting the <code>loc</code> parameter in <code>/normalHomeRent.php</code>.</li>
<li>Implement strong input validation and parameterized queries in any custom web applications to prevent similar SQL injection vulnerabilities.</li>
<li>Review web server access logs for any suspicious requests targeting <code>/normalHomeRent.php</code> with unusual <code>loc</code> parameter values, especially those matching the IOCs or patterns in the Sigma rule.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>web-exploitation</category><category>sql-injection</category><category>cve-2026-14744</category><category>initial-access</category><category>data-exfiltration</category></item><item><title>CVE-2026-14737: Hanwang e-Face General Management Platform SQL Injection</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14737-hanwang-e-face-sql-injection/</link><pubDate>Sun, 05 Jul 2026 11:21:39 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14737-hanwang-e-face-sql-injection/</guid><description>A remote SQL injection vulnerability (CVE-2026-14737) affects Hanwang e-Face General Management Platform version 6.3.5.4, specifically within the `/sysAuthStr/querySysAuthStr.do` file, triggered by manipulating argument order, allowing remote attackers to potentially gain unauthorized access to or modify database contents with a publicly available exploit.</description><content:encoded><![CDATA[<p>A critical SQL injection vulnerability, tracked as CVE-2026-14737, has been identified in Hanwang e-Face General Management Platform version 6.3.5.4. This flaw resides in an unknown function within the <code>/sysAuthStr/querySysAuthStr.do</code> file, where improper handling of argument order allows for remote SQL injection. The vulnerability enables unauthenticated attackers to execute arbitrary SQL queries against the underlying database, potentially leading to information disclosure, data manipulation, or denial of service. The CVSS v3.1 base score is 7.3 (High). Crucially, an exploit for this vulnerability is publicly available, significantly increasing the risk of widespread exploitation by malicious actors. Organizations utilizing the affected Hanwang e-Face General Management Platform are urged to address this vulnerability immediately to prevent compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker crafts a malicious HTTP request targeting the vulnerable <code>/sysAuthStr/querySysAuthStr.do</code> endpoint on a Hanwang e-Face General Management Platform 6.3.5.4 instance.</li>
<li>The attacker manipulates the order of arguments or introduces specific SQL metacharacters within the HTTP request parameters, leveraging the flaw in the application's input validation logic.</li>
<li>The application processes the malformed request, mistakenly interpreting the attacker-controlled input as legitimate SQL commands.</li>
<li>The embedded SQL injection payload executes within the application's database context, bypassing intended security controls.</li>
<li>Depending on the attacker's objective and database permissions, this can lead to unauthorized data exfiltration (e.g., user credentials, sensitive business data) or manipulation (e.g., altering records, creating new administrative accounts).</li>
<li>The attacker leverages the retrieved or modified data for further compromise, such as gaining higher privileges within the application or pivoting to other systems within the network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-14737 could lead to severe consequences for affected organizations. Attackers could gain unauthorized access to sensitive data stored in the Hanwang e-Face General Management Platform's database, including personal information, access credentials, or operational data. This data could be exfiltrated, modified, or deleted, leading to data breaches, reputational damage, regulatory fines, and operational disruption. The public availability of an exploit significantly increases the likelihood of opportunistic attacks, potentially affecting any organization using the vulnerable version of the platform.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch Hanwang e-Face General Management Platform to a version that remediates CVE-2026-14737 as soon as one becomes available.</li>
<li>Deploy the Sigma rule &quot;Detect CVE-2026-14737 Exploitation - Hanwang e-Face SQL Injection&quot; to your SIEM to identify attempts to exploit <code>/sysAuthStr/querySysAuthStr.do</code>.</li>
<li>Implement Web Application Firewall (WAF) rules to detect and block common SQL injection patterns and suspicious requests targeting the <code>/sysAuthStr/querySysAuthStr.do</code> path.</li>
<li>Enable comprehensive webserver access logging to capture full HTTP request details (headers, methods, URIs, query strings, body) for forensics and analysis.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>sql-injection</category><category>web-exploitation</category><category>vulnerability</category><category>cve</category><category>hanwang</category></item><item><title>Web Server Cloud Metadata SSRF Exploitation</title><link>https://feed.craftedsignal.io/briefs/2026-07-web-server-cloud-metadata-ssrf/</link><pubDate>Fri, 03 Jul 2026 15:30:46 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-web-server-cloud-metadata-ssrf/</guid><description>Attackers are actively exploiting Server-Side Request Forgery (SSRF) vulnerabilities in public-facing web applications to access cloud instance metadata services, such as those on AWS, GCP, and Azure, to harvest temporary credentials and sensitive instance details.</description><content:encoded><![CDATA[<p>This threat involves the exploitation of Server-Side Request Forgery (SSRF) vulnerabilities found in web applications hosted on various platforms, including Nginx, Apache, IIS, and Traefik. Attackers leverage these vulnerabilities to manipulate web servers into making outbound requests to internal cloud instance metadata service (IMDS) endpoints. Such endpoints are typically associated with cloud providers like Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure, and are used to provision temporary credentials, tokens, and instance-specific information. The objective is to steal these credentials, enabling unauthorized access and control over cloud resources, which can lead to data exfiltration, resource manipulation, or further lateral movement within the cloud environment. This technique is a well-known method for escalating privileges in compromised cloud workloads.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access via SSRF Vulnerability</strong>: An attacker identifies and exploits a Server-Side Request Forgery (SSRF) vulnerability within a public-facing web application, which could be running on Nginx, Apache, IIS, or Traefik.</li>
<li><strong>Internal Request Injection</strong>: The attacker crafts a malicious HTTP request, embedding an internal cloud instance metadata service (IMDS) endpoint (e.g., <code>http://169.254.169.254/latest/meta-data/</code>) within a user-controlled URL or query parameter.</li>
<li><strong>Web Server Initiates Internal Connection</strong>: The vulnerable web application processes the malicious request and, due to the SSRF flaw, makes an outbound HTTP connection to the specified internal IMDS endpoint as if it were a legitimate internal service request.</li>
<li><strong>Metadata Service Response</strong>: The cloud instance metadata service responds to the web server's request, providing sensitive information such as temporary IAM role credentials (e.g., <code>meta-data/iam/security-credentials</code>), API tokens (e.g., <code>latest/api/token</code>), or instance configuration details.</li>
<li><strong>Credential Exfiltration</strong>: The web application receives the sensitive metadata or credentials and, depending on the SSRF exploit, leaks this information back to the attacker as part of the HTTP response or through other channels.</li>
<li><strong>Cloud Resource Compromise</strong>: The attacker uses the stolen temporary credentials to authenticate to the cloud provider's APIs (e.g., AWS CLI, GCP SDK), gaining unauthorized access to cloud resources, potentially leading to data exfiltration, privilege escalation, or further attacks.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful SSRF attack against cloud instance metadata services can lead to significant compromise of cloud environments. Attackers can steal temporary credentials associated with the compromised workload, gaining unauthorized access to critical cloud resources, sensitive data, and the ability to manipulate cloud configurations. This can result in data breaches, resource hijacking, disruption of services, and the establishment of persistent access within the victim's cloud infrastructure. The breadth of potential impact depends on the permissions granted to the compromised instance's role or service account, which often include access to databases, object storage, and other core services.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Web Server Cloud Metadata SSRF Request&quot; to your SIEM to detect inbound HTTP requests containing cloud metadata endpoints.</li>
<li>Block the C2 domains and IP addresses listed in the IOC table at the network perimeter (firewall/WAF) to prevent outbound connections to known metadata services from unauthorized sources.</li>
<li>Implement strict outbound access controls and allowlisting at the network and application layer to restrict web applications from initiating connections to link-local addresses (e.g., 169.254.169.254) and other internal network ranges.</li>
<li>Enforce the use of IMDSv2 (Instance Metadata Service Version 2) on AWS EC2 instances, and similar authenticated access mechanisms for other cloud providers, to require session tokens for metadata access.</li>
<li>Regularly review and audit the permissions of cloud instance roles and managed identities, adhering to the principle of least privilege to minimize the impact of credential compromise.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>ssrf</category><category>cloud-security</category><category>web-exploitation</category><category>credential-access</category><category>initial-access</category><category>webserver</category></item><item><title>Steeltoe Host Header Bypass Vulnerability (CVE-2026-50194)</title><link>https://feed.craftedsignal.io/briefs/2026-07-steeltoe-host-header-bypass/</link><pubDate>Fri, 03 Jul 2026 11:24:19 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-steeltoe-host-header-bypass/</guid><description>An unauthenticated remote attacker can bypass port isolation in Steeltoe applications configured with `Management:Endpoints:Port` by spoofing the Host HTTP header, allowing access to all actuator endpoints (CVE-2026-50194).</description><content:encoded><![CDATA[<p>A critical vulnerability (CVE-2026-50194) in Steeltoe applications allows unauthenticated remote attackers to bypass port isolation for management endpoints. This flaw affects configurations where <code>Management:Endpoints:Port</code> is explicitly set to a port different from the application's primary listener. The middleware, intended to restrict access, incorrectly relies on the <code>Host</code> HTTP header rather than the actual network socket port. By crafting a request with a spoofed <code>Host</code> header specifying the management port, attackers can trick the application into granting access to all actuator endpoints. This enables unauthorized control, information disclosure, and potential configuration manipulation, making it a high-severity concern for organizations using vulnerable Steeltoe versions, specifically <code>Steeltoe.Management.Endpoint</code> up to 4.1.0 and <code>Steeltoe.Management.EndpointCore</code> versions between 3.2.2 and 3.3.0.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a publicly accessible Steeltoe application that is likely using management endpoints.</li>
<li>The target Steeltoe application is configured with <code>Management:Endpoints:Port</code> set to a port different from its main listener (e.g., application on 80/443, management on 8080).</li>
<li>Attacker crafts an HTTP request targeting the application's main listener port, typically 80 or 443.</li>
<li>The crafted request includes a spoofed <code>Host</code> HTTP header, setting its value to the application's domain combined with the configured <code>Management:Endpoints:Port</code> (e.g., <code>Host: example.com:8080</code>).</li>
<li>The request scheme (HTTP/HTTPS) matches the <code>Management:Endpoints:SslEnabled</code> setting of the application.</li>
<li>The Steeltoe middleware, upon receiving the request, evaluates the <code>Host</code> header for port isolation rather than the actual socket port the request arrived on.</li>
<li>The spoofed <code>Host</code> header causes the middleware to erroneously permit access as if the request originated on the designated management port.</li>
<li>Attacker gains unauthenticated access to all management actuator endpoints (e.g., <code>/actuator/health</code>, <code>/actuator/env</code>), enabling information disclosure or potential configuration changes.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-50194 grants unauthenticated remote attackers full access to Steeltoe's management actuator endpoints. This can lead to severe consequences, including sensitive information disclosure (e.g., environment variables, application configuration), arbitrary configuration modifications, and potentially remote code execution if certain actuators are exposed and misconfigured. While no specific victim count has been reported, any organization deploying Steeltoe applications with the described vulnerable configuration is at risk. The ease of exploitation via a simple HTTP header manipulation makes this a high-risk vulnerability for data exposure and unauthorized system control.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade <code>Steeltoe.Management.Endpoint</code> to version 4.1.1 or higher, and <code>Steeltoe.Management.EndpointCore</code> to version 3.3.1 or higher, to address CVE-2026-50194.</li>
<li>Deploy the provided Sigma rule to your SIEM, tuning <code>cs-host</code> to match your expected application domain and monitoring for <code>cs-uri-stem</code> containing <code>/actuator/</code> with unexpected port values in the <code>Host</code> header.</li>
<li>Implement explicit ASP.NET Core authorization (<code>RequireAuthorization</code>) on all sensitive actuator endpoints as a defense-in-depth measure, as recommended by the Steeltoe advisory.</li>
<li>Configure reverse proxies or load balancers in front of Steeltoe applications to strictly enforce expected <code>Host</code> header values, preventing clients from specifying arbitrary ports.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>web-exploitation</category><category>cve</category><category>dotnet</category><category>bypass</category></item></channel></rss>