{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/web-shell/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-7490"}],"_cs_exploited":false,"_cs_products":["CTMS","CPAS"],"_cs_severities":["high"],"_cs_tags":["arbitrary-file-upload","web-shell","code-execution"],"_cs_type":"advisory","_cs_vendors":["Sunnet"],"content_html":"\u003cp\u003eCVE-2026-7490 is an arbitrary file upload vulnerability found in Sunnet CTMS and CPAS. Disclosed in May 2026, this vulnerability enables a privileged attacker to upload malicious files, specifically web shell backdoors, to the affected server. This can be achieved remotely, without requiring local system access, given the attacker already possesses valid privileged credentials for the application. Successful exploitation allows the attacker to execute arbitrary code on the server, potentially leading to complete system compromise. 
This vulnerability poses a significant threat to organizations using these Sunnet products, as it could result in data breaches, service disruption, and other malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains privileged access to the CTMS or CPAS application, either through credential theft, phishing, or other means.\u003c/li\u003e\n\u003cli\u003eAttacker identifies the file upload functionality within the application.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious file, such as a PHP web shell, designed to execute arbitrary commands on the server.\u003c/li\u003e\n\u003cli\u003eAttacker bypasses any client-side file type validation mechanisms.\u003c/li\u003e\n\u003cli\u003eAttacker uploads the malicious file to the server through the vulnerable file upload endpoint.\u003c/li\u003e\n\u003cli\u003eThe application saves the file to a publicly accessible directory without proper sanitization or validation.\u003c/li\u003e\n\u003cli\u003eAttacker accesses the uploaded web shell via a web browser.\u003c/li\u003e\n\u003cli\u003eAttacker uses the web shell to execute arbitrary commands on the server, leading to full system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7490 allows attackers to execute arbitrary code on the affected server. This can lead to a range of malicious activities, including data theft, modification, or destruction, installation of malware, and complete system takeover. Since the vulnerability affects CTMS and CPAS, organizations in sectors utilizing these systems for content or process management are particularly at risk. 
Because exploitation needs nothing beyond valid application credentials and yields code execution, an attacker who obtains such credentials can quickly gain a foothold and go on to expose sensitive information or disrupt business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or updates from Sunnet to address CVE-2026-7490.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Malicious File Uploads to Web Servers\u003c/code\u003e to detect suspicious file uploads based on file extensions and content.\u003c/li\u003e\n\u003cli\u003eReview and harden the file upload functionality in CTMS and CPAS: validate extension and content type server-side against an allowlist, store uploads outside the web root or in a directory where script execution is disabled, and do not rely on client-side checks, which the attacker controls.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for access to suspicious files in upload directories, using the \u003ccode\u003eWeb Shell Access\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eRestrict upload functionality to the users and roles that need it, and audit privileged application accounts, since the attack requires valid privileged credentials.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T10:16:18Z","date_published":"2026-05-02T10:16:18Z","id":"/briefs/2026-05-sunnet-file-upload/","summary":"A privileged remote attacker can exploit CVE-2026-7490 in Sunnet CTMS and CPAS to upload and execute web shell backdoors, leading to arbitrary code execution on the server.","title":"Sunnet CTMS/CPAS Arbitrary File Upload Vulnerability (CVE-2026-7490)","url":"https://feed.craftedsignal.io/briefs/2026-05-sunnet-file-upload/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-6885"}],"_cs_exploited":false,"_cs_products":["SPM 2007"],"_cs_severities":["critical"],"_cs_tags":["file-upload","web-shell","code-execution"],"_cs_type":"advisory","_cs_vendors":["BorG Technology Corporation"],"content_html":"\u003cp\u003eBorg SPM 2007, a BorG Technology Corporation product whose sales ended in 2008, is vulnerable to arbitrary file upload (CVE-2026-6885). 
The vulnerability allows an unauthenticated remote attacker to upload malicious files, such as web shells, that the server will then execute, giving the attacker arbitrary code execution and control of the host. Because the product has been out of support for many years, it is likely running on outdated systems with few compensating controls, which makes successful exploitation highly probable. This poses a significant risk to any organization still using the software.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Borg SPM 2007 server exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP POST request to the server, exploiting the file upload vulnerability (CVE-2026-6885).\u003c/li\u003e\n\u003cli\u003eThe POST request contains a malicious file, such as a PHP web shell, either given a permitted extension to pass a weak check or uploaded as-is where the server performs no extension check at all.\u003c/li\u003e\n\u003cli\u003eThe Borg SPM 2007 server saves the uploaded file to a publicly accessible directory, without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe attacker sends another HTTP request to access the uploaded web shell.\u003c/li\u003e\n\u003cli\u003eThe web server executes the web shell code, granting the attacker arbitrary code execution on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the web shell to gain a persistent foothold, install malware, or exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the vulnerable server. This can lead to full system compromise, data theft, and disruption of services. 
While the number of active installations is likely low due to the product\u0026rsquo;s end-of-life status in 2008, organizations still running Borg SPM 2007 are at high risk if the system is exposed to the Internet.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIdentify instances of Borg SPM 2007 running in your environment and isolate them from the network if possible.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect potential web shell uploads based on HTTP request characteristics.\u003c/li\u003e\n\u003cli\u003eSince no patch exists, consider immediate decommissioning or migration to a supported alternative.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T10:16:18Z","date_published":"2026-04-23T10:16:18Z","id":"/briefs/2026-04-borg-spm-file-upload/","summary":"An unauthenticated remote attacker can exploit an arbitrary file upload vulnerability (CVE-2026-6885) in Borg SPM 2007 to upload and execute web shell backdoors, leading to arbitrary code execution on the server.","title":"Borg SPM 2007 Arbitrary File Upload Vulnerability (CVE-2026-6885)","url":"https://feed.craftedsignal.io/briefs/2026-04-borg-spm-file-upload/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.3,"id":"CVE-2025-61687"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["flowiseai","file-upload","rce","web-shell"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFlowiseAI, a low-code platform for building AI applications, contains a file upload validation bypass vulnerability. By modifying the Chatflow configuration, specifically the \u003ccode\u003eallowedUploadFileTypes\u003c/code\u003e setting, an attacker can add \u003ccode\u003eapplication/javascript\u003c/code\u003e as an accepted MIME type. This bypasses previous mitigations (CVE-2025-61687) intended to prevent the upload of potentially malicious files. 
Although the frontend UI restricts JavaScript uploads, a direct API request circumvents this. Successful exploitation allows an attacker to persistently store Node.js web shells (e.g., shell.js) on the Flowise server. This vulnerability affects FlowiseAI versions up to 3.0.13. If such a web shell is executed, it grants the attacker Remote Code Execution (RCE) on the server, posing a significant risk to system integrity and data confidentiality.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable FlowiseAI instance running a version \u0026lt;= 3.0.13.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the FlowiseAI instance as an administrator or with compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP PUT request to the \u003ccode\u003e/api/v1/chatflows/{CHATFLOW_ID}\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe PUT request modifies the Chatflow configuration, specifically the \u003ccode\u003echatbotConfig\u003c/code\u003e, to include \u003ccode\u003eapplication/javascript\u003c/code\u003e in \u003ccode\u003eallowedUploadFileTypes\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request to the \u003ccode\u003e/api/v1/attachments/{CHATFLOW_ID}/{CHAT_ID}\u003c/code\u003e endpoint to upload a \u003ccode\u003e.js\u003c/code\u003e file (a Node.js web shell), such as the \u003ccode\u003eshell.js\u003c/code\u003e example.\u003c/li\u003e\n\u003cli\u003eThe server saves the malicious \u003ccode\u003e.js\u003c/code\u003e file to a publicly accessible directory.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the uploaded \u003ccode\u003e.js\u003c/code\u003e file via a direct HTTP request.\u003c/li\u003e\n\u003cli\u003eOnce the web shell is executed by the server\u0026rsquo;s Node.js runtime (a \u003ccode\u003e.js\u003c/code\u003e file merely served as a static asset does not run), it executes commands supplied in URL parameters, such as \u003ccode\u003ehttp://localhost:8888/?cmd=id\u003c/code\u003e, resulting in RCE.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to upload and persistently store malicious web shells on the FlowiseAI server. Execution of these web shells grants the attacker the ability to execute arbitrary commands on the underlying system, which can lead to complete system compromise, data exfiltration, and denial of service.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a release later than 3.0.13, the last affected version per this brief. Where that is not yet possible, enforce server-side validation so that \u003ccode\u003echatbotConfig\u003c/code\u003e updates cannot add script MIME types such as \u003ccode\u003eapplication/javascript\u003c/code\u003e to \u003ccode\u003eallowedUploadFileTypes\u003c/code\u003e, and limit chatflow editing to trusted administrators.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for PUT requests to \u003ccode\u003e/api/v1/chatflows/{CHATFLOW_ID}\u003c/code\u003e that modify \u003ccode\u003eallowedUploadFileTypes\u003c/code\u003e, as described in the attack chain.\u003c/li\u003e\n\u003cli\u003eMonitor for POST requests to \u003ccode\u003e/api/v1/attachments/{CHATFLOW_ID}/{CHAT_ID}\u003c/code\u003e that upload \u003ccode\u003e.js\u003c/code\u003e files, as described in the attack chain.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules that accompany this brief to detect HTTP requests indicative of this attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T14:00:00Z","date_published":"2026-04-17T14:00:00Z","id":"/briefs/2026-04-17-flowise-upload-bypass/","summary":"A file upload validation bypass vulnerability exists in FlowiseAI, where the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type, enabling an attacker to upload .js files, store malicious Node.js web shells on the server, and potentially achieve Remote Code Execution (RCE).","title":"FlowiseAI File Upload Validation Bypass Leads to RCE","url":"https://feed.craftedsignal.io/briefs/2026-04-17-flowise-upload-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":true,"_cs_products":["SharePoint"],"_cs_severities":["medium"],"_cs_tags":["web-shell","persistence","windows"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers frequently deploy web shells to maintain persistence and execute arbitrary commands on compromised web servers. This rule identifies the creation of ASPX files, the server-side page format of IIS/ASP.NET hosts and therefore the usual web shell format on Windows, within directories typically targeted for web shell deployment. The rule focuses on the path \u0026ldquo;?:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\*\u0026rdquo;, where SharePoint keeps its web server extension files and where web shells have been dropped in observed intrusions. By excluding legitimate processes such as msiexec.exe and psconfigui.exe, the rule flags the ASPX file creation events that are more likely to indicate malicious activity. The detection logic helps defenders identify potential web shell installations, allowing for timely response and remediation to prevent further compromise. 
This activity has been observed in exploitation attempts targeting SharePoint servers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system, typically by exploiting a vulnerability in a web application or service running on the server (e.g., SharePoint).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised web application to write a malicious ASPX file into the web server\u0026rsquo;s file system, specifically targeting locations such as \u0026ldquo;?:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\*\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe uploaded ASPX file contains code that gives the attacker remote access to and control over the server.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers execution of the ASPX file by requesting it from the web server, which compiles and runs the embedded code.\u003c/li\u003e\n\u003cli\u003eThe web shell allows the attacker to execute arbitrary commands on the server, potentially escalating privileges and moving laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the web shell to establish persistence on the compromised server, ensuring continued access even after the initial vulnerability is patched.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the web shell to exfiltrate sensitive data from the server or to deploy additional malware and tools.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful web shell deployment can lead to complete compromise of the affected server. Attackers can use web shells to execute arbitrary code, steal sensitive data, and establish persistent access to internal networks. The impact includes data breaches, financial losses, and reputational damage. Successful exploitation of SharePoint vulnerabilities leading to web shell deployment has been observed in the wild.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Web Shell ASPX File Creation in Common Directories\u0026rdquo; to detect suspicious ASPX file creation events, filtering out legitimate processes to reduce false positives.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (File Create) to capture file creation events on Windows systems; it is the data source for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule by examining the file path, the creating process, and network activity around the time of the event. An ASPX file written by the IIS worker process w3wp.exe is the pattern a web-application exploit produces, whereas installers and administrative tools are the usual benign sources.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests targeting ASPX files in common web server directories, as referenced in the rule description.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-12-14T14:30:00Z","date_published":"2024-12-14T14:30:00Z","id":"/briefs/2024-12-potential-web-shell-aspx-file-creation/","summary":"The creation of ASPX files in web server directories, excluding legitimate processes, indicates potential web shell deployment for persistence on Windows systems.","title":"Potential Web Shell ASPX File Creation","url":"https://feed.craftedsignal.io/briefs/2024-12-potential-web-shell-aspx-file-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["low"],"_cs_tags":["persistence","execution","command-and-control","web shell","linux"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection rule focuses on identifying potentially malicious activity stemming from Linux-based web servers. 
The rule is triggered when a web server process, such as Apache or Nginx, initiates an outbound network connection to a destination port that is considered non-standard. This activity can signal the presence of a web shell, a malicious script uploaded to a web server to enable remote access and control. Attackers may use compromised web servers to establish covert communication channels, exfiltrate data, or launch further attacks on internal systems. The rule leverages network connection data from Elastic Defend and filters out legitimate traffic using a predefined list of common ports and internal IP ranges.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained via exploitation of a vulnerability in a web application or web server component running on a Linux system (e.g., through SQL injection or remote code execution).\u003c/li\u003e\n\u003cli\u003eA web shell is uploaded to the compromised web server, often disguised as a legitimate file or hidden within existing directories.\u003c/li\u003e\n\u003cli\u003eThe attacker interacts with the web shell through HTTP requests, using it as a command and control interface.\u003c/li\u003e\n\u003cli\u003eThe web shell executes commands on the server, initiating outbound network connections to non-standard ports.\u003c/li\u003e\n\u003cli\u003eThese connections may be used to communicate with external C2 servers, download additional payloads, or exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the web shell to move laterally within the network, targeting other systems and services.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to establish persistence on the compromised server, ensuring continued access even after system reboots.\u003c/li\u003e\n\u003cli\u003eThe final objective is data theft, system compromise, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised web servers can lead to significant data breaches, system downtime, and reputational damage. While this rule triggers on low-severity behavior, successful exploitation can lead to complete system compromise. The number of affected systems depends on the scope of the initial vulnerability and the attacker\u0026rsquo;s ability to move laterally. Organizations in all sectors that rely on web-based applications are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect web server processes initiating connections to unusual destination ports, and tune it for your environment.\u003c/li\u003e\n\u003cli\u003eEnable the Elastic Defend integration to collect the network event data from Linux endpoints that the rule requires.\u003c/li\u003e\n\u003cli\u003eReview and customize the list of excluded destination ports and internal IP ranges in the Sigma rule to match your organization\u0026rsquo;s network configuration and legitimate traffic patterns (upstream APIs, databases, caches, and package mirrors are common benign sources).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule to determine whether the activity is malicious or benign, focusing on the process name, user, destination IP, and destination port. Note that commands run through a web shell usually execute as child processes of the web server (sh, curl, python and the like), whose connections this rule does not attribute to the web server process; pair it with detection of unusual child processes of web server processes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:28:00Z","date_published":"2024-01-09T18:28:00Z","id":"/briefs/2024-01-uncommon-web-server-port/","summary":"The rule identifies unusual outbound network connections on non-standard ports originating from web server processes on Linux systems, indicative of potential web shell activity or unauthorized communication.","title":"Uncommon Destination Port Connection by Web Server on Linux","url":"https://feed.craftedsignal.io/briefs/2024-01-uncommon-web-server-port/"}],"language":"en","title":"CraftedSignal Threat Feed — Web-Shell","version":"https://jsonfeed.org/version/1.1"}
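Worked example for the Sunnet CTMS/CPAS, Borg SPM 2007 and FlowiseAI briefs above. The Python below is an added example, not code from the CraftedSignal feed or from any of the vendors: it implements the three detections those briefs recommend over constructed HTTP request records, namely a script file reaching an upload endpoint, a PUT to /api/v1/chatflows/{CHATFLOW_ID} that adds application/javascript to allowedUploadFileTypes, and a request to a script file that carries a command parameter. The record field names, the MIME allowlist, the shell parameter names and the sample requests are assumptions and constructed data; the Sigma rules the briefs mention are not reproduced here.

```python
"""Detect web shell upload and use from HTTP request records (added example).

Not code from the CraftedSignal feed, Sunnet, BorG or FlowiseAI. The record
field names (client, method, path, query, filename, json_body) are assumptions
about what a reverse proxy or application log carries; sample data is constructed.
"""
import json
import posixpath
import re
from urllib.parse import parse_qs

# Extensions a web server (or the Node.js host, for .js) would execute rather than serve inertly.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".asp", ".aspx", ".ashx", ".jsp", ".jspx", ".js", ".cgi"}

# MIME types a chatflow is assumed to legitimately accept for uploads (assumed allowlist).
UPLOAD_MIME_ALLOWLIST = {"image/png", "image/jpeg", "text/plain", "application/pdf"}

# Query parameter names web shells commonly use to receive a command (assumption).
SHELL_PARAMS = {"cmd", "command", "exec", "c"}

CHATFLOW_PUT = re.compile(r"^/api/v1/chatflows/[^/]+$")
ATTACHMENT_POST = re.compile(r"^/api/v1/attachments/[^/]+/[^/]+$")


def script_extension(name):
    """Return the lower-cased extension of name if the server would execute it, else None."""
    ext = posixpath.splitext(name.lower())[1]
    return ext if ext in SCRIPT_EXTENSIONS else None


def find_key(obj, key):
    """Yield every value stored under key anywhere in a nested JSON structure."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k == key:
                yield v
            yield from find_key(v, key)
    elif isinstance(obj, list):
        for v in obj:
            yield from find_key(v, key)


def check_request(rec):
    """Return alert strings for one request record; an empty list means nothing matched."""
    alerts = []
    method, path, client = rec["method"], rec["path"], rec["client"]
    filename = rec.get("filename")
    # 1. A script file arriving through any upload endpoint.
    if method == "POST" and filename and script_extension(filename):
        kind = "flowise-attachment" if ATTACHMENT_POST.match(path) else "upload"
        alerts.append(f"{kind}: script file {filename!r} uploaded to {path} by {client}")
    # 2. A chatflow update that adds MIME types outside the allowlist (e.g. application/javascript).
    if method == "PUT" and CHATFLOW_PUT.match(path) and rec.get("json_body"):
        cfg = json.loads(rec["json_body"]).get("chatbotConfig", {})
        if isinstance(cfg, str):  # assumption: the config may arrive as a JSON-encoded string
            cfg = json.loads(cfg)
        # Searched recursively: the exact nesting inside chatbotConfig is not assumed.
        for allowed in find_key(cfg, "allowedUploadFileTypes"):
            if isinstance(allowed, str):
                allowed = allowed.split(",")
            extra = sorted({t.strip() for t in allowed} - UPLOAD_MIME_ALLOWLIST - {""})
            if extra:
                alerts.append(f"chatflow-config: {path} now allows {extra} (by {client})")
    # 3. A request to a script file that carries a command parameter: the shell being used.
    if script_extension(path) and rec.get("query"):
        if set(parse_qs(rec["query"])) & SHELL_PARAMS:
            alerts.append(f"webshell-access: {path}?{rec['query']} from {client}")
    return alerts


def scan(records):
    """Run check_request over every record and return the alerts in order."""
    return [alert for rec in records for alert in check_request(rec)]


# Constructed request records (not real traffic); client IPs are from documentation ranges.
SAMPLE_REQUESTS = [
    {"client": "203.0.113.7", "method": "GET", "path": "/index.php", "query": "", "filename": None},
    {"client": "203.0.113.7", "method": "POST", "path": "/ctms/upload", "query": "", "filename": "report.pdf"},
    {"client": "198.51.100.9", "method": "POST", "path": "/spm/upload.asp", "query": "", "filename": "cmd.asp"},
    {"client": "198.51.100.9", "method": "GET", "path": "/uploads/cmd.asp", "query": "cmd=whoami", "filename": None},
    {"client": "203.0.113.45", "method": "PUT", "path": "/api/v1/chatflows/6f1d", "query": "", "filename": None,
     "json_body": json.dumps({"chatbotConfig": json.dumps(
         {"allowedUploadFileTypes": "image/png,application/javascript"})})},
    {"client": "203.0.113.45", "method": "POST", "path": "/api/v1/attachments/6f1d/c0ffee", "query": "",
     "filename": "shell.js"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS):
        print(alert)
```

Running the module prints four alerts for the constructed records (the script upload, the shell access with cmd=, the widened chatflow config, and the .js attachment) and nothing for the benign GET and PDF upload. The FlowiseAI config check only works where request bodies are logged; for a plain access log, checks 1 and 3 are what remain.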
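Worked example for the "Potential Web Shell ASPX File Creation" brief above. The Python below is an added example rather than the brief's Sigma rule or any Microsoft code: it applies the logic the brief describes (Sysmon Event ID 11, an .aspx target under ?:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\*, creating process not msiexec.exe or psconfigui.exe) to constructed Sysmon events, and shows which events fall outside the rule's scope. The event dictionaries, user names and file names are constructed, not indicators from any incident.

```python
"""Sysmon Event ID 11 (FileCreate) detection for ASPX web shell drops (added example).

Not the CraftedSignal Sigma rule or Microsoft code. Events are dicts using
Sysmon EventData field names (Image, TargetFilename, User) and are constructed.
"""
import fnmatch
import re

# The brief's Sigma-style pattern: "?" matches one character (the drive letter), "*" anything.
TARGET_PATTERN = r"?:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\*"
# fnmatch.translate turns the wildcard pattern into an anchored regex; Windows paths are case-insensitive.
TARGET_RE = re.compile(fnmatch.translate(TARGET_PATTERN), re.IGNORECASE)

# Creating processes the rule excludes: the Windows Installer and the SharePoint configuration wizard.
EXCLUDED_IMAGES = ("\\msiexec.exe", "\\psconfigui.exe")


def matches_rule(event):
    """True when a FileCreate event is an .aspx drop under the target path by a non-excluded process."""
    if event.get("EventID") != 11:
        return False
    target = event.get("TargetFilename", "")
    if not target.lower().endswith(".aspx") or not TARGET_RE.match(target):
        return False
    return not event.get("Image", "").lower().endswith(EXCLUDED_IMAGES)


def find_aspx_drops(events):
    """Return triage records (the fields the brief says to examine first) for every matching event."""
    return [
        {"time": e.get("UtcTime"), "path": e["TargetFilename"], "image": e["Image"], "user": e.get("User")}
        for e in events if matches_rule(e)
    ]


LAYOUTS = r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"

# Constructed Sysmon events (not from a real host); file names are invented, not known indicators.
SAMPLE_EVENTS = [
    # IIS worker process writes an .aspx into LAYOUTS: the web shell case the rule is built for.
    {"EventID": 11, "UtcTime": "2024-12-14 09:12:03.417", "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": LAYOUTS + r"\sp_health.aspx", "User": r"IIS APPPOOL\SharePoint"},
    # Windows Installer laying down a legitimate page during an update: excluded.
    {"EventID": 11, "UtcTime": "2024-12-14 09:20:44.001", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": LAYOUTS + r"\default.aspx", "User": r"NT AUTHORITY\SYSTEM"},
    # Same worker process, but not an .aspx file: ignored.
    {"EventID": 11, "UtcTime": "2024-12-14 09:21:10.550", "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": LAYOUTS + r"\cache.bin", "User": r"IIS APPPOOL\SharePoint"},
    # SharePoint configuration wizard (case differs from the exclusion string): excluded.
    {"EventID": 11, "UtcTime": "2024-12-14 09:30:00.000",
     "Image": r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\BIN\PSCONFIGUI.EXE",
     "TargetFilename": LAYOUTS + r"\settings.aspx", "User": r"CORP\spadmin"},
    # Not a FileCreate event at all.
    {"EventID": 1, "UtcTime": "2024-12-14 09:31:00.000", "Image": r"C:\Windows\System32\cmd.exe"},
    # An .aspx written outside the monitored path: out of this rule's scope, so not reported.
    {"EventID": 11, "UtcTime": "2024-12-14 09:40:12.900", "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"D:\inetpub\wwwroot\wss\VirtualDirectories\80\help.aspx", "User": r"IIS APPPOOL\SharePoint"},
]

if __name__ == "__main__":
    for hit in find_aspx_drops(SAMPLE_EVENTS):
        print(hit)
```

Only the first event is reported. The last event illustrates the rule's blind spot: the path filter is what keeps false positives down, so an .aspx dropped into a virtual directory outside the Web Server Extensions tree needs a separate rule (or web server log monitoring, as the brief's last recommendation suggests).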
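Worked example for the "Uncommon Destination Port Connection by Web Server on Linux" brief above. The Python below is an added example, not the Elastic or CraftedSignal rule itself: it re-implements the described logic over constructed network events that use Elastic Common Schema field names (event.action, process.name, destination.ip, destination.port, user.name). The set of web server process names, the common-port list and the internal IP ranges are assumptions to be tuned per environment, as the brief recommends.

```python
"""Detect a Linux web server process connecting to an uncommon destination port (added example).

Not the Elastic Defend or CraftedSignal rule; field names follow ECS and the
events below are constructed. Process names, ports and ranges are tuning assumptions.
"""
import ipaddress

# Processes treated as web servers (assumption; extend with what runs in your environment).
WEB_SERVER_PROCESSES = {"apache2", "httpd", "nginx", "lighttpd", "caddy"}

# Destination ports considered normal for a web server to talk to (assumed tuning list).
COMMON_PORTS = {25, 53, 80, 123, 443, 465, 587, 993, 3306, 5432, 6379, 8080, 8443, 9200, 11211, 27017}

# Internal ranges excluded by the rule (RFC 1918, loopback, link-local, ULA). An explicit list is used
# rather than ipaddress.is_private, which also treats the documentation ranges used below as private.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_internal(ip_text):
    """True when the address falls inside one of the excluded internal ranges."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in INTERNAL_NETWORKS)


def is_uncommon_port_connection(event):
    """Apply the rule to one event: outbound, web server process, external destination, uncommon port."""
    if event.get("event.action") != "connection_attempted":  # outbound connections only
        return False
    if event.get("process.name") not in WEB_SERVER_PROCESSES:
        return False
    port = event.get("destination.port")
    if port is None or port in COMMON_PORTS:
        return False
    return not is_internal(event["destination.ip"])


def find_suspicious_connections(events):
    """Return the fields the brief says to investigate for every event that matches the rule."""
    return [
        {"process": e["process.name"], "user": e.get("user.name"),
         "destination": f'{e["destination.ip"]}:{e["destination.port"]}'}
        for e in events if is_uncommon_port_connection(e)
    ]


# Constructed events (not real telemetry); external IPs are from documentation ranges.
SAMPLE_EVENTS = [
    {"event.action": "connection_attempted", "process.name": "nginx", "user.name": "www-data",
     "destination.ip": "203.0.113.50", "destination.port": 443},            # upstream HTTPS: normal
    {"event.action": "connection_attempted", "process.name": "nginx", "user.name": "www-data",
     "destination.ip": "10.0.0.5", "destination.port": 6379},               # internal Redis: excluded
    {"event.action": "connection_attempted", "process.name": "apache2", "user.name": "www-data",
     "destination.ip": "198.51.100.23", "destination.port": 4444},          # external, odd port: alert
    {"event.action": "connection_attempted", "process.name": "sshd", "user.name": "root",
     "destination.ip": "198.51.100.23", "destination.port": 4444},          # not a web server process
    {"event.action": "connection_attempted", "process.name": "httpd", "user.name": "apache",
     "destination.ip": "192.168.1.10", "destination.port": 9001},           # internal: excluded
    {"event.action": "connection_accepted", "process.name": "nginx", "user.name": "www-data",
     "destination.ip": "198.51.100.77", "destination.port": 51337},         # inbound, not outbound
    {"event.action": "connection_attempted", "process.name": "nginx", "user.name": "www-data",
     "destination.ip": "2001:db8::1", "destination.port": 1337},            # external IPv6, odd port: alert
]

if __name__ == "__main__":
    for hit in find_suspicious_connections(SAMPLE_EVENTS):
        print(hit)
```

Two of the constructed events are reported. The sshd event shows why the rule is scoped to web server process names, and the Redis and 192.168.x events show the internal-range exclusion doing its work; a web shell that spawns curl or a reverse shell will appear under that child process's name, not the web server's, and so needs a companion rule.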