{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/a-g-u-p-t-a/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7785"}],"_cs_exploited":true,"_cs_products":["wireshark-mcp"],"_cs_severities":["critical"],"_cs_tags":["command-injection","web-application","rolling-release"],"_cs_type":"threat","_cs_vendors":["A-G-U-P-T-A"],"content_html":"\u003cp\u003eA remote OS command injection vulnerability (CVE-2026-7785) has been identified in the \u003ccode\u003equick_capture\u003c/code\u003e function of the \u003ccode\u003epyshark_mcp.py\u003c/code\u003e file within the A-G-U-P-T-A \u003ccode\u003ewireshark-mcp\u003c/code\u003e project. Crafted input to this function lets an attacker inject and execute arbitrary OS commands on the host running the server. The project is released on a rolling basis with no version numbers, so affected and fixed builds cannot be told apart by version, which hinders targeted patching. Public exploit code is available, which raises the likelihood of active exploitation against exposed deployments. 
The vendor was notified through an issue report but had not responded at the time of writing.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a reachable instance of A-G-U-P-T-A \u003ccode\u003ewireshark-mcp\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request that invokes the \u003ccode\u003equick_capture\u003c/code\u003e function in \u003ccode\u003epyshark_mcp.py\u003c/code\u003e with a parameter value that carries shell metacharacters followed by an attacker-chosen command.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ewireshark-mcp\u003c/code\u003e passes the value on without validation or sanitization, so the metacharacters are interpreted as shell syntax rather than as data.\u003c/li\u003e\n\u003cli\u003eThe injected command runs with the privileges of the \u003ccode\u003ewireshark-mcp\u003c/code\u003e process, which are often elevated because packet capture itself requires them.\u003c/li\u003e\n\u003cli\u003eThe attacker can read sensitive files, modify system configuration, or establish a reverse shell.\u003c/li\u003e\n\u003cli\u003eThe attacker pivots from the compromised host to other internal resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7785 can lead to complete compromise of the host, data breaches, and lateral movement within the affected network. Because \u003ccode\u003ewireshark-mcp\u003c/code\u003e has no version numbers, affected and fixed deployments cannot be told apart by version; defenders must instead check the deployed source or commit, which makes identifying and patching vulnerable instances harder. 
Given that public exploit code is available, organizations running this software should assume they are at significant risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReview request logs, and network traffic where it is captured, for POST requests that invoke the \u003ccode\u003equick_capture\u003c/code\u003e function in \u003ccode\u003epyshark_mcp.py\u003c/code\u003e with parameters containing shell metacharacters (\u003ccode\u003e;\u003c/code\u003e, \u003ccode\u003e|\u003c/code\u003e, \u003ccode\u003e\u0026amp;\u003c/code\u003e, \u003ccode\u003e$(\u003c/code\u003e, backticks) or command names; the accompanying Sigma rule targets this pattern.\u003c/li\u003e\n\u003cli\u003eMonitor process-creation events for children of the \u003ccode\u003ewireshark-mcp\u003c/code\u003e process (the Python interpreter running \u003ccode\u003epyshark_mcp.py\u003c/code\u003e) other than its expected capture tooling, in particular shells and network utilities, using the accompanying Sigma rule.\u003c/li\u003e\n\u003cli\u003eTreat any host on which the IOC \u003ccode\u003eedaf604416fbc94a201b4043092d4a1b09a12275\u003c/code\u003e is observed as suspected compromised: block its outbound connections pending investigation and preserve its process and request logs.\u003c/li\u003e\n\u003cli\u003eUntil the project publishes a fix, harden the deployment: pass capture parameters to the underlying tooling as an argument list rather than a shell string, validate interface names and capture filters against a strict allowlist, run the server with the least privilege that capture requires, and do not expose it to untrusted clients.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-05T00:16:17Z","date_published":"2026-05-05T00:16:17Z","id":"/briefs/2024-01-wireshark-mcp-command-injection/","summary":"A-G-U-P-T-A wireshark-mcp is vulnerable to remote OS command injection (CVE-2026-7785) via crafted parameters to the `quick_capture` function in `pyshark_mcp.py`, potentially allowing attackers to execute arbitrary commands on the system.","title":"A-G-U-P-T-A wireshark-mcp OS Command Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-wireshark-mcp-command-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — A-G-U-P-T-A","version":"https://jsonfeed.org/version/1.1"}
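The following Python is an added example, not code from the feed item or from the A-G-U-P-T-A wireshark-mcp project. It contrasts the vulnerable pattern the brief describes (capture parameters interpolated into a shell string and run with `shell=True`) with a hardened `quick_capture` that allowlists the interface name and capture filter and passes an argument list with no shell. The function names, parameter names and the `tshark` command line are assumptions, since the brief does not show the real signature; `echo` stands in for `tshark` so the block runs without capture tooling or privileges.

```python
import re
import subprocess
from typing import Optional

# Constructed illustration of the vulnerable pattern described in the brief:
# user-controlled capture parameters are interpolated into one shell string.
# Function names, parameters and the tshark command line are assumptions;
# this is not the wireshark-mcp project's code.
def build_capture_command_unsafe(interface: str, bpf_filter: str,
                                 count: int, tool: str = "tshark") -> str:
    return f"{tool} -i {interface} -f '{bpf_filter}' -c {count}"


def quick_capture_unsafe(interface: str, bpf_filter: str, count: int = 10,
                         tool: str = "tshark") -> subprocess.CompletedProcess:
    # shell=True hands the whole string to /bin/sh, so ';', '|', '$(...)' and a
    # trailing '#' inside any parameter are parsed as shell syntax, not data.
    cmd = build_capture_command_unsafe(interface, bpf_filter, count, tool)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True)


# Hardened form.  Allowlists for interface names (eth0, ens3, br-lan, any) and a
# conservative subset of BPF filter syntax.  The symbols '&&', '||' and '!' that
# BPF also accepts are excluded on purpose; callers use 'and', 'or', 'not'.
_INTERFACE_RE = re.compile(r"[A-Za-z0-9_.:-]{1,32}")
_BPF_RE = re.compile(r"[A-Za-z0-9 ._:/()-]{0,256}")
_MAX_PACKETS = 1000


class CaptureInputError(ValueError):
    """Raised when a capture parameter fails the allowlist check."""


def capture_args_error(interface: str, bpf_filter: str, count: int) -> Optional[str]:
    """Return a reason the arguments are unacceptable, or None if they pass."""
    if not isinstance(interface, str) or not _INTERFACE_RE.fullmatch(interface):
        return f"invalid interface name: {interface!r}"
    if not isinstance(bpf_filter, str) or not _BPF_RE.fullmatch(bpf_filter):
        return f"capture filter contains disallowed characters: {bpf_filter!r}"
    # bool is a subclass of int, so exclude it explicitly.
    if isinstance(count, bool) or not isinstance(count, int) or not 1 <= count <= _MAX_PACKETS:
        return f"packet count must be an integer from 1 to {_MAX_PACKETS}: {count!r}"
    return None


def build_capture_argv(interface: str, bpf_filter: str, count: int,
                       tool: str = "tshark") -> list:
    problem = capture_args_error(interface, bpf_filter, count)
    if problem:
        raise CaptureInputError(problem)
    # One list element per argument and no shell: metacharacters stay literal.
    return [tool, "-i", interface, "-f", bpf_filter, "-c", str(count)]


def quick_capture_safe(interface: str, bpf_filter: str, count: int = 10,
                       tool: str = "tshark") -> subprocess.CompletedProcess:
    argv = build_capture_argv(interface, bpf_filter, count, tool)
    return subprocess.run(argv, shell=False, capture_output=True, text=True)


def argv_keeps_payload_literal(payload: str, tool: str = "echo") -> str:
    """Defence in depth: even with no validation at all, the argv form delivers
    the payload to the tool as a single literal argument.  Returns the tool's output."""
    return subprocess.run([tool, payload], capture_output=True, text=True).stdout.strip()


if __name__ == "__main__":
    # 'echo' stands in for tshark so this runs without capture tooling or privileges.
    payload = "eth0; echo INJECTED #"
    print("unsafe:", quick_capture_unsafe(payload, "tcp port 80", tool="echo").stdout)
    print("safe:  ", capture_args_error(payload, "tcp port 80", 10))
    print("argv:  ", argv_keeps_payload_literal(payload))
```

Running the block shows the unsafe path printing INJECTED on its own line, while the hardened path rejects the same value before anything executes. The argv helper shows why the fix is two layers: even when the allowlist is bypassed, an argument list never reaches /bin/sh, so metacharacters stay literal.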
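As a second added example (also not the project's code, and not the Sigma rule the brief refers to), this Python scans request-log lines for `quick_capture` calls whose string arguments contain shell metacharacters, scoring them higher when a command keyword is also present. The log format, field names and sample lines are assumptions constructed for the example, with addresses from documentation ranges; a real deployment would adapt the parser to its own request logging. Note the split in approach: detection denylists anything shell-like so as not to miss variants, while the fix in the server should allowlist.

```python
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of application request logs, one JSON object per line, in
# an assumed format (timestamp, client IP, HTTP method and path, MCP tool name
# and its arguments).  The lines are fabricated for this example and the
# addresses come from documentation ranges; this is not observed data.
SAMPLE_LOG = """\
{"ts":"2026-05-05T00:10:01Z","src_ip":"198.51.100.20","method":"POST","path":"/mcp","tool":"quick_capture","arguments":{"interface":"eth0","filter":"tcp port 443 and not host 10.0.0.5","count":20}}
{"ts":"2026-05-05T00:10:07Z","src_ip":"203.0.113.7","method":"POST","path":"/mcp","tool":"quick_capture","arguments":{"interface":"eth0; id #","filter":"tcp","count":1}}
{"ts":"2026-05-05T00:10:09Z","src_ip":"203.0.113.7","method":"POST","path":"/mcp","tool":"quick_capture","arguments":{"interface":"eth0","filter":"tcp $(whoami)","count":1}}
{"ts":"2026-05-05T00:10:12Z","src_ip":"198.51.100.20","method":"POST","path":"/mcp","tool":"list_interfaces","arguments":{}}
malformed line that is not JSON
"""

# Tools whose string arguments end up on a command line (assumed).
WATCHED_TOOLS = {"quick_capture"}

# Detection uses a denylist (catch anything shell-like); the fix itself should
# use an allowlist.  Backslash and newline are included because both can split
# or continue a shell command.
_SHELL_META_RE = re.compile(r"[;&|`$<>\\\n]")
# Common recon, download and shell binaries seen in injection payloads.
_COMMAND_RE = re.compile(r"\b(id|whoami|uname|curl|wget|nc|ncat|bash|sh|python3?|perl)\b")


def classify_value(value: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a suspicious argument value, or None."""
    meta = _SHELL_META_RE.search(value)
    if meta is None:
        return None
    cmd = _COMMAND_RE.search(value)
    if cmd:
        return "high", f"shell metacharacter {meta.group()!r} with command keyword {cmd.group()!r}"
    return "medium", f"shell metacharacter {meta.group()!r}"


def scan_tool_calls(log_text: str) -> List[Dict]:
    """Flag quick_capture calls whose string arguments look like injection attempts."""
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a request event; skip rather than abort the scan
        if event.get("tool") not in WATCHED_TOOLS:
            continue
        for arg_name, value in event.get("arguments", {}).items():
            if not isinstance(value, str):
                continue  # JSON numbers cannot carry shell syntax
            verdict = classify_value(value)
            if verdict is None:
                continue
            severity, reason = verdict
            alerts.append({
                "line": lineno,
                "ts": event.get("ts"),
                "src_ip": event.get("src_ip"),
                "argument": arg_name,
                "value": value,
                "severity": severity,
                "reason": reason,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_tool_calls(SAMPLE_LOG):
        print(f"[{alert['severity']}] line {alert['line']} {alert['src_ip']} "
              f"{alert['argument']}={alert['value']!r}: {alert['reason']}")
```

On the sample lines the scan flags the two calls from 203.0.113.7 as high and leaves the benign capture, the unrelated tool call and the malformed line alone; the same source address on both alerts is the kind of pivot a responder would then take to firewall and process-creation logs for that host.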