<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Web-Shell — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/web-shell/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 02 May 2026 10:16:18 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/web-shell/feed.xml" rel="self" type="application/rss+xml"/><item><title>Sunnet CTMS/CPAS Arbitrary File Upload Vulnerability (CVE-2026-7490)</title><link>https://feed.craftedsignal.io/briefs/2026-05-sunnet-file-upload/</link><pubDate>Sat, 02 May 2026 10:16:18 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-sunnet-file-upload/</guid><description>A privileged remote attacker can exploit CVE-2026-7490 in Sunnet CTMS and CPAS to upload and execute web shell backdoors, leading to arbitrary code execution on the server.</description><content:encoded><![CDATA[<p>CVE-2026-7490 is an arbitrary file upload vulnerability found in Sunnet CTMS and CPAS. Disclosed in May 2026, this vulnerability enables a privileged attacker to upload malicious files, specifically web shell backdoors, to the affected server. This can be achieved remotely, without requiring local system access, provided the attacker already possesses valid privileged credentials for the application. Successful exploitation allows the attacker to execute arbitrary code on the server, potentially leading to complete system compromise.
This vulnerability poses a significant threat to organizations using these Sunnet products, as it could result in data breaches, service disruption, and other malicious activities.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains privileged access to the CTMS or CPAS application, either through credential theft, phishing, or other means.</li>
<li>Attacker identifies the file upload functionality within the application.</li>
<li>Attacker crafts a malicious file, such as a PHP web shell, designed to execute arbitrary commands on the server.</li>
<li>Attacker bypasses any client-side file type validation mechanisms.</li>
<li>Attacker uploads the malicious file to the server through the vulnerable file upload endpoint.</li>
<li>The application saves the file to a publicly accessible directory without proper sanitization or validation.</li>
<li>Attacker accesses the uploaded web shell via a web browser.</li>
<li>Attacker uses the web shell to execute arbitrary commands on the server, leading to full system compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-7490 allows attackers to execute arbitrary code on the affected server. This can lead to a range of malicious activities, including data theft, modification, or destruction, installation of malware, and complete system takeover. Since the vulnerability affects CTMS and CPAS, organizations in sectors utilizing these systems for content or process management are particularly at risk. The vulnerability&rsquo;s high severity allows attackers to quickly gain a foothold and potentially compromise sensitive information or disrupt business operations.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply available patches or updates from Sunnet to address CVE-2026-7490.</li>
<li>Implement the Sigma rule <code>Detect Malicious File Uploads to Web Servers</code> to detect suspicious file uploads based on file extensions and content.</li>
<li>Review and harden file upload functionalities within CTMS and CPAS to prevent arbitrary file uploads.</li>
<li>Monitor web server logs for access to suspicious files in upload directories, using the <code>Web Shell Access</code> Sigma rule.</li>
<li>Restrict access to file upload functionalities to only authorized users with appropriate privileges.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>arbitrary-file-upload</category><category>web-shell</category><category>code-execution</category></item><item><title>Borg SPM 2007 Arbitrary File Upload Vulnerability (CVE-2026-6885)</title><link>https://feed.craftedsignal.io/briefs/2026-04-borg-spm-file-upload/</link><pubDate>Thu, 23 Apr 2026 10:16:18 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-borg-spm-file-upload/</guid><description>An unauthenticated remote attacker can exploit an arbitrary file upload vulnerability (CVE-2026-6885) in Borg SPM 2007 to upload and execute web shell backdoors, leading to arbitrary code execution on the server.</description><content:encoded><![CDATA[<p>Borg SPM 2007, a product by BorG Technology Corporation with sales ending in 2008, is vulnerable to arbitrary file uploads (CVE-2026-6885). This vulnerability allows unauthenticated remote attackers to upload malicious files, such as web shells, which can then be executed by the server. The attacker can thereby achieve arbitrary code execution, leading to a compromise of the system. Given the age of the software, it is likely running on outdated systems with fewer security controls, making successful exploitation highly probable. This poses a significant risk to organizations still using this software.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a Borg SPM 2007 server exposed to the internet.</li>
<li>The attacker sends a crafted HTTP POST request to the server, exploiting the file upload vulnerability (CVE-2026-6885).</li>
<li>The POST request contains a malicious file, such as a PHP web shell, disguised with a permissible extension or without any extension check.</li>
<li>The Borg SPM 2007 server saves the uploaded file to a publicly accessible directory, without proper sanitization.</li>
<li>The attacker sends another HTTP request to access the uploaded web shell.</li>
<li>The web server executes the web shell code, granting the attacker arbitrary code execution on the server.</li>
<li>The attacker uses the web shell to gain a persistent foothold, install malware, or exfiltrate sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the vulnerable server. This can lead to full system compromise, data theft, and potential disruption of services. While the number of active installations is likely low due to the product&rsquo;s end-of-life status in 2008, organizations still running Borg SPM 2007 are at high risk if the system is exposed to the Internet.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Identify instances of Borg SPM 2007 running in your environment and isolate them from the network if possible.</li>
<li>Implement the provided Sigma rule to detect potential web shell uploads based on HTTP request characteristics.</li>
<li>Since no patch exists, consider immediate decommissioning or migration to a supported alternative.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>file-upload</category><category>web-shell</category><category>code-execution</category></item><item><title>FlowiseAI File Upload Validation Bypass Leads to RCE</title><link>https://feed.craftedsignal.io/briefs/2026-04-17-flowise-upload-bypass/</link><pubDate>Fri, 17 Apr 2026 14:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-17-flowise-upload-bypass/</guid><description>A file upload validation bypass vulnerability exists in FlowiseAI, where the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type, enabling an attacker to upload .js files, store malicious Node.js web shells on the server, and potentially achieve Remote Code Execution (RCE).</description><content:encoded><![CDATA[<p>FlowiseAI, a low-code platform for building AI applications, contains a file upload validation bypass vulnerability. By modifying the Chatflow configuration, specifically the <code>allowedUploadFileTypes</code> setting, an attacker can add <code>application/javascript</code> as an accepted MIME type. This bypasses previous mitigations (CVE-2025-61687) intended to prevent the upload of potentially malicious files. Although the frontend UI restricts JavaScript uploads, a direct API request can circumvent this. Successful exploitation allows attackers to persistently store Node.js web shells (e.g., shell.js) on the Flowise server. This vulnerability affects FlowiseAI versions up to 3.0.13. If executed, these web shells could grant the attacker Remote Code Execution (RCE) capabilities on the server, posing a significant risk to system integrity and data confidentiality.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable FlowiseAI instance running a version &lt;= 3.0.13.</li>
<li>The attacker authenticates to the FlowiseAI instance as an administrator or with compromised credentials.</li>
<li>The attacker crafts a malicious HTTP PUT request to the <code>/api/v1/chatflows/{CHATFLOW_ID}</code> endpoint.</li>
<li>The PUT request modifies the Chatflow configuration, specifically the <code>chatbotConfig</code> to include <code>application/javascript</code> in the <code>allowedUploadFileTypes</code>.</li>
<li>The attacker crafts a malicious HTTP POST request to the <code>/api/v1/attachments/{CHATFLOW_ID}/{CHAT_ID}</code> endpoint to upload a <code>.js</code> file (Node.js web shell), such as the <code>shell.js</code> example.</li>
<li>The server saves the malicious <code>.js</code> file to a publicly accessible directory.</li>
<li>The attacker accesses the uploaded <code>.js</code> file via a direct HTTP request.</li>
<li>The web shell executes commands specified in the URL parameters, such as <code>http://localhost:8888/?cmd=id</code>, resulting in RCE.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows attackers to upload and persistently store malicious web shells on the FlowiseAI server. Execution of these web shells grants the attacker the ability to execute arbitrary commands on the underlying system. This can lead to complete system compromise, data exfiltration, and denial of service. This vulnerability affects FlowiseAI versions up to 3.0.13.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply appropriate input validation and sanitization to prevent modification of <code>allowedUploadFileTypes</code> settings.</li>
<li>Monitor network traffic for PUT requests to <code>/api/v1/chatflows/{CHATFLOW_ID}</code> modifying <code>allowedUploadFileTypes</code> as described in the attack chain.</li>
<li>Monitor for POST requests to <code>/api/v1/attachments/{CHATFLOW_ID}/{CHAT_ID}</code> uploading <code>.js</code> files based on the attack chain.</li>
<li>Deploy the Sigma rules provided below to detect suspicious HTTP requests indicative of this attack.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>flowiseai</category><category>file-upload</category><category>rce</category><category>web-shell</category></item><item><title>Potential Web Shell ASPX File Creation</title><link>https://feed.craftedsignal.io/briefs/2024-12-potential-web-shell-aspx-file-creation/</link><pubDate>Sat, 14 Dec 2024 14:30:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-12-potential-web-shell-aspx-file-creation/</guid><description>The creation of ASPX files in web server directories, excluding legitimate processes, indicates potential web shell deployment for persistence on Windows systems.</description><content:encoded><![CDATA[<p>Attackers frequently deploy web shells to maintain persistence and execute arbitrary commands on compromised web servers. This rule identifies the creation of ASPX files, commonly used in Windows environments, within directories typically targeted for web shell deployment. The rule focuses on the &ldquo;?:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\*&rdquo; path, a common location for web server extensions and potential web shell placements. By excluding legitimate processes such as msiexec.exe and psconfigui.exe, the rule aims to detect suspicious ASPX file creation events indicative of malicious activity. The detection logic helps defenders identify potential web shell installations, allowing for timely response and remediation to prevent further compromise. This activity has been observed in exploitation attempts targeting SharePoint servers.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to the target system, potentially through exploiting a vulnerability in a web application or service running on the server (e.g., SharePoint).</li>
<li>The attacker leverages the compromised web application to upload a malicious ASPX file to a directory within the web server&rsquo;s file system, specifically targeting locations like &ldquo;?:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\*&rdquo;.</li>
<li>The uploaded ASPX file contains malicious code designed to provide the attacker with remote access and control over the server.</li>
<li>The attacker triggers the execution of the ASPX file by sending a request to the web server, which processes the ASPX file and executes the embedded malicious code.</li>
<li>The web shell allows the attacker to execute arbitrary commands on the server, potentially escalating privileges and moving laterally within the network.</li>
<li>The attacker uses the web shell to establish persistence on the compromised server, ensuring continued access even after the initial vulnerability is patched.</li>
<li>The attacker may use the web shell to exfiltrate sensitive data from the server or to deploy additional malware and tools.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful web shell deployment can lead to complete compromise of the affected server, potentially impacting numerous organizations. Attackers can use web shells to execute arbitrary code, steal sensitive data, and establish persistent access to internal networks. The impact includes data breaches, financial losses, and reputational damage. Successful exploitation of SharePoint vulnerabilities leading to web shell deployment has been observed in the wild.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Web Shell ASPX File Creation in Common Directories&rdquo; to detect suspicious ASPX file creation events, filtering out legitimate processes to reduce false positives.</li>
<li>Enable Sysmon Event ID 11 (File Create) to capture file creation events on Windows systems, which is a data source for the Sigma rule.</li>
<li>Investigate any alerts generated by the Sigma rule &ldquo;Web Shell ASPX File Creation in Common Directories&rdquo; by examining the file path, creating process, and network activity around the time of the event.</li>
<li>Monitor web server logs for suspicious requests targeting ASPX files in common web server directories, as referenced in the rule description.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">threat</category><category>web-shell</category><category>persistence</category><category>windows</category></item><item><title>Uncommon Destination Port Connection by Web Server on Linux</title><link>https://feed.craftedsignal.io/briefs/2024-01-uncommon-web-server-port/</link><pubDate>Tue, 09 Jan 2024 18:28:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-uncommon-web-server-port/</guid><description>The rule identifies unusual outbound network connections on non-standard ports originating from web server processes on Linux systems, indicative of potential web shell activity or unauthorized communication.</description><content:encoded><![CDATA[<p>This detection rule focuses on identifying potentially malicious activity stemming from Linux-based web servers. The rule is triggered when a web server process, such as Apache, Nginx, or others, initiates an outbound network connection to a destination port that is considered non-standard. This activity can signal the presence of a web shell, a malicious script uploaded to a web server to enable remote access and control. Attackers may exploit compromised web servers to establish covert communication channels, exfiltrate data, or launch further attacks on internal systems. The rule leverages data from Elastic Defend to monitor network connections and filter out legitimate traffic based on a predefined list of common ports and internal IP ranges.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial access is gained via exploitation of a vulnerability in a web application or web server component running on a Linux system (e.g., through SQL injection or remote code execution).</li>
<li>A web shell is uploaded to the compromised web server, often disguised as a legitimate file or hidden within existing directories.</li>
<li>The attacker interacts with the web shell through HTTP requests, using it as a command and control interface.</li>
<li>The web shell executes commands on the server, initiating outbound network connections to non-standard ports.</li>
<li>These connections may be used to communicate with external C2 servers, download additional payloads, or exfiltrate sensitive data.</li>
<li>The attacker uses the web shell to move laterally within the network, targeting other systems and services.</li>
<li>The attacker attempts to establish persistence on the compromised server, ensuring continued access even after system reboots.</li>
<li>The final objective is data theft, system compromise, or disruption of services.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Compromised web servers can lead to significant data breaches, system downtime, and reputational damage. While this rule triggers on low-severity behavior, successful exploitation can lead to complete system compromise. The number of affected systems depends on the scope of the initial vulnerability and the attacker&rsquo;s ability to move laterally. Organizations in all sectors that rely on web-based applications are potentially at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM to detect web server processes initiating connections to unusual destination ports and tune for your environment.</li>
<li>Enable Elastic Defend integration to collect the necessary network event data from Linux endpoints to activate the rule.</li>
<li>Review and customize the list of excluded destination ports and internal IP ranges in the Sigma rule to match your organization&rsquo;s specific network configuration and legitimate traffic patterns.</li>
<li>Investigate any alerts generated by the rule to determine if the activity is malicious or benign, focusing on the process name, user, destination IP, and destination port.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>persistence</category><category>execution</category><category>command-and-control</category><category>web shell</category><category>linux</category></item></channel></rss>