{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/apache/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-41635"}],"_cs_exploited":false,"_cs_products":["MINA 2.0","MINA 2.1","MINA 2.2"],"_cs_severities":["critical"],"_cs_tags":["apache-mina","rce","deserialization","cve-2026-41635"],"_cs_type":"advisory","_cs_vendors":["Apache"],"content_html":"\u003cp\u003eA critical arbitrary code execution vulnerability, CVE-2026-41635, has been identified in Apache MINA, an open-source network application framework. The vulnerability affects versions 2.0.0 through 2.0.27, 2.1.0 through 2.1.10, and 2.2.0 through 2.2.5. The flaw lies within the AbstractIoBuffer.resolveClass() method, where a branch lacks class validation, bypassing the classname allowlist. This allows remote attackers with low privileges to execute arbitrary code on systems using Apache MINA when the IoBuffer.getObject() method is called. Successful exploitation can lead to full system compromise, data exfiltration, and further attacks on interconnected systems. It is imperative that organizations using Apache MINA apply the necessary patches immediately to mitigate this critical risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable application using Apache MINA versions 2.0.0-2.0.27, 2.1.0-2.1.10, or 2.2.0-2.2.5.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload containing serialized Java objects designed to exploit the class validation bypass in \u003ccode\u003eAbstractIoBuffer.resolveClass()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a network request to the vulnerable application that triggers the \u003ccode\u003eIoBuffer.getObject()\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eIoBuffer.getObject()\u003c/code\u003e method deserializes the attacker-controlled data without proper class validation due to the flaw in \u003ccode\u003eAbstractIoBuffer.resolveClass()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious serialized object executes arbitrary code within the context of the application.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the application server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses their access to move laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or deploys ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41635 allows attackers to execute arbitrary code on systems utilizing vulnerable versions of Apache MINA. This can lead to a full compromise of the affected system, including data exfiltration, denial of service, or further attacks on interconnected systems. The vulnerability is remotely exploitable with low privileges, increasing the potential for widespread impact across various sectors relying on Apache MINA for network communication. A successful attack poses a high risk to the confidentiality, integrity, and availability of affected systems and data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch Apache MINA to the latest version to remediate CVE-2026-41635, as recommended by the vendor advisory (\u003ca href=\"https://lists.apache.org/thread/1l91w1mqsb3lwfd504fs045ylxntt2tm)\"\u003ehttps://lists.apache.org/thread/1l91w1mqsb3lwfd504fs045ylxntt2tm)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect suspicious activity related to deserialization attempts, as suggested by the CCB\u0026rsquo;s recommendation to upscale monitoring capabilities.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Apache MINA Vulnerable Class Deserialization Attempt\u0026rdquo; to identify potential exploitation attempts based on suspicious class names in network traffic.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-27T16:09:56Z","date_published":"2026-04-27T16:09:56Z","id":"/briefs/2026-04-apache-mina-rce/","summary":"A critical arbitrary code execution vulnerability (CVE-2026-41635) exists in Apache MINA versions 2.0.0 through 2.0.27, 2.1.0 through 2.1.10, and 2.2.0 through 2.2.5 due to missing class validation in the AbstractIoBuffer.resolveClass() method, potentially allowing attackers to execute arbitrary code on applications using Apache MINA.","title":"Apache MINA Arbitrary Code Execution Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-apache-mina-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-39920"}],"_cs_exploited":false,"_cs_products":["FileStore","Axis2"],"_cs_severities":["critical"],"_cs_tags":["rce","cve-2026-39920","apache axis2","default credentials","web service"],"_cs_type":"advisory","_cs_vendors":["BridgeHead Software","Apache"],"content_html":"\u003cp\u003eBridgeHead FileStore versions prior to 24A, released in early 2024, expose a critical security vulnerability. Specifically, the Apache Axis2 administration module is accessible on network endpoints with default credentials. This flaw allows unauthenticated remote attackers to execute arbitrary operating system commands. The vulnerability stems from insecure default configurations within the FileStore application and the underlying Axis2 web service framework. Successful exploitation grants complete control over the affected system, potentially leading to data breaches, system compromise, and further lateral movement within the network. This vulnerability poses a significant risk to organizations using vulnerable versions of BridgeHead FileStore.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a BridgeHead FileStore instance running a vulnerable version of the software on a network-accessible endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the Apache Axis2 administration console, which is exposed due to a misconfiguration.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Axis2 admin console using default credentials, bypassing authentication controls.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious Java archive (WAR file) containing a web service designed to execute arbitrary commands.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys the malicious web service through the Axis2 administration interface.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a SOAP request to the deployed malicious web service, embedding the operating system command to be executed.\u003c/li\u003e\n\u003cli\u003eThe vulnerable FileStore instance processes the SOAP request, executing the attacker-controlled command on the host operating system.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote code execution, achieving complete control over the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-39920 allows unauthenticated attackers to execute arbitrary OS commands on systems running vulnerable versions of BridgeHead FileStore. This can lead to complete system compromise, data breaches, denial of service, and further lateral movement within the network. While the exact number of affected organizations is unknown, the widespread use of BridgeHead FileStore in data protection and archiving scenarios makes this a critical vulnerability. The consequences of a successful attack could include the loss of sensitive data, disruption of business operations, and significant financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the update to FileStore version 24A or later to remediate the vulnerability as mentioned in the product updates page (\u003ca href=\"https://www.bridgeheadsoftware.com/rapid-data-protection-product-updates/\"\u003ehttps://www.bridgeheadsoftware.com/rapid-data-protection-product-updates/\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to the Axis2 administration console (\u003ccode\u003e/axis2/servlet/AdminServlet\u003c/code\u003e) as it is a key component of the exploitation. Use the \u0026ldquo;Detect Axis2 Admin Access\u0026rdquo; Sigma rule to identify unauthorized access attempts.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the exposure of BridgeHead FileStore instances and the Axis2 administration module.\u003c/li\u003e\n\u003cli\u003eReview and enforce strong authentication policies for all web-based administration interfaces.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T16:16:36Z","date_published":"2026-04-24T16:16:36Z","id":"/briefs/2026-04-bridgehead-filestore-rce/","summary":"BridgeHead FileStore versions prior to 24A are vulnerable to unauthenticated remote code execution via exposed Apache Axis2 administration module with default credentials, enabling attackers to upload malicious web services and execute arbitrary OS commands.","title":"BridgeHead FileStore Unauthenticated Remote Code Execution via Apache Axis2","url":"https://feed.craftedsignal.io/briefs/2026-04-bridgehead-filestore-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":4.3,"id":"CVE-2026-33227"},{"cvss":8.8,"id":"CVE-2026-34197"},{"cvss":7.5,"id":"CVE-2026-40046"},{"cvss":7.5,"id":"CVE-2026-39304"},{"cvss":8.8,"id":"CVE-2026-40466"}],"_cs_exploited":false,"_cs_products":["ActiveMQ"],"_cs_severities":["critical"],"_cs_tags":["activemq","rce","xss","apache"],"_cs_type":"advisory","_cs_vendors":["Apache"],"content_html":"\u003cp\u003eMultiple vulnerabilities in Apache ActiveMQ allow a remote, authenticated attacker to execute arbitrary code or perform cross-site scripting (XSS) attacks. While specific CVEs and attack vectors are not detailed in this advisory, the presence of both RCE and XSS vulnerabilities suggests a high risk to organizations using affected versions of ActiveMQ. Exploitation requires authentication, implying that attackers may need to compromise credentials or exploit other vulnerabilities to gain initial access. This combination of vulnerabilities could lead to complete system compromise, data theft, or service disruption. The lack of specific version information makes it crucial for organizations to identify and patch all potentially vulnerable ActiveMQ instances.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains valid credentials to access the ActiveMQ management console or API, potentially through credential stuffing, phishing, or exploiting other vulnerabilities.\u003c/li\u003e\n\u003cli\u003eAuthentication: The attacker authenticates to the ActiveMQ instance using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eVulnerability Exploitation (RCE): The attacker exploits a deserialization or other RCE vulnerability to inject malicious code into the ActiveMQ server. This may involve crafting a specific message or request to trigger the vulnerability.\u003c/li\u003e\n\u003cli\u003eCode Execution: The injected code executes within the context of the ActiveMQ server process, granting the attacker control over the system.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation (if necessary): The attacker attempts to escalate privileges to gain root or system-level access, depending on the initial privileges of the ActiveMQ process.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses the compromised ActiveMQ server as a pivot point to move laterally within the network, targeting other systems and resources.\u003c/li\u003e\n\u003cli\u003eVulnerability Exploitation (XSS): Simultaneously or independently, the attacker exploits an XSS vulnerability within the ActiveMQ web console. This may involve injecting malicious JavaScript code into the console.\u003c/li\u003e\n\u003cli\u003eImpact: The attacker deploys ransomware, exfiltrates sensitive data, or disrupts critical services, depending on their objectives. The XSS vulnerability allows the attacker to steal administrator cookies or inject further malicious content.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could lead to complete compromise of the ActiveMQ server, potentially affecting all connected systems and applications. The lack of specifics makes it difficult to determine the exact number of potential victims; however, given the widespread use of ActiveMQ in enterprise environments, the impact could be significant. Consequences include data breaches, service disruption, financial loss, and reputational damage. The combination of RCE and XSS vulnerabilities allows attackers to pursue a wide range of malicious objectives, from data theft to system destruction.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIdentify all Apache ActiveMQ instances within your environment and determine their versions.\u003c/li\u003e\n\u003cli\u003eConsult the Apache ActiveMQ security advisories to identify specific vulnerabilities affecting your versions and apply the necessary patches.\u003c/li\u003e\n\u003cli\u003eImplement strong authentication and authorization controls to restrict access to the ActiveMQ management console and API.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect potential exploitation attempts against ActiveMQ instances.\u003c/li\u003e\n\u003cli\u003eReview and harden the ActiveMQ configuration to minimize the attack surface and reduce the risk of exploitation.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a successful compromise of an ActiveMQ instance.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T09:09:10Z","date_published":"2026-04-24T09:09:10Z","id":"/briefs/2026-04-activemq-rce-xss/","summary":"An authenticated remote attacker can exploit multiple vulnerabilities in Apache ActiveMQ to execute arbitrary program code or perform cross-site scripting attacks.","title":"Apache ActiveMQ Vulnerabilities Allow RCE and XSS","url":"https://feed.craftedsignal.io/briefs/2026-04-activemq-rce-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2023-50164"}],"_cs_exploited":false,"_cs_products":["Struts 2"],"_cs_severities":["high"],"_cs_tags":["apache-struts","webshell","cve-2023-50164","initial-access","persistence","command-and-control"],"_cs_type":"advisory","_cs_vendors":["Apache"],"content_html":"\u003cp\u003eCVE-2023-50164 is a critical path traversal vulnerability affecting Apache Struts 2 versions prior to 2.5.33 or 6.3.0.2. The vulnerability resides in the file upload functionality, allowing attackers to manipulate file upload parameters and write malicious files, such as JSP web shells, to arbitrary locations on the web server. Successful exploitation leads to remote code execution. Detection focuses on correlating suspicious file upload requests to Struts endpoints with subsequent creation of JSP files in web-accessible directories, indicating successful exploitation. The attack involves crafting malicious multipart/form-data POST requests with WebKitFormBoundary to Struts .action upload endpoints.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a malicious HTTP POST request to a vulnerable Apache Struts endpoint (e.g., \u003ccode\u003e*.action\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe HTTP POST request contains a \u003ccode\u003emultipart/form-data\u003c/code\u003e content type with a \u003ccode\u003eWebKitFormBoundary\u003c/code\u003e string.\u003c/li\u003e\n\u003cli\u003eThe request exploits CVE-2023-50164, leveraging a path traversal vulnerability in the file upload process.\u003c/li\u003e\n\u003cli\u003eThe attacker bypasses security controls due to the path traversal vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious JSP file (web shell) to a web-accessible directory, such as Tomcat\u0026rsquo;s \u003ccode\u003ewebapps\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eA Java process (e.g., Tomcat) creates the JSP web shell file in the webapps directory.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the deployed web shell via HTTP.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary commands on the server through the web shell.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2023-50164 allows attackers to achieve remote code execution on the affected server. This can lead to complete system compromise, data exfiltration, deployment of malware, and lateral movement within the network. The vulnerability affects Apache Struts 2 applications using the file upload feature, potentially impacting numerous organizations across various sectors using the framework.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Apache Struts CVE-2023-50164 Webshell Creation\u0026rdquo; to detect JSP file creation events in webapps directories following suspicious POST requests as described in the overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Apache Struts CVE-2023-50164 Suspicious POST Request\u0026rdquo; to detect suspicious POST requests to Struts endpoints with \u003ccode\u003emultipart/form-data\u003c/code\u003e content containing \u003ccode\u003eWebKitFormBoundary\u003c/code\u003e, as indicated in the Attack Chain.\u003c/li\u003e\n\u003cli\u003ePatch Apache Struts 2 to version 2.5.33, 6.3.0.2, or higher to remediate the CVE-2023-50164 vulnerability, as noted in the References.\u003c/li\u003e\n\u003cli\u003eEnable HTTP request body capture in network traffic monitoring tools to detect the multipart/form-data content containing WebKitFormBoundary indicators, as required by the rule setup.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-05T18:22:00Z","date_published":"2024-01-05T18:22:00Z","id":"/briefs/2024-01-apache-struts-cve-2023-50164-webshell/","summary":"Exploitation of CVE-2023-50164, a critical path traversal vulnerability in Apache Struts 2, is detected by identifying malicious multipart/form-data POST requests with WebKitFormBoundary targeting Struts .action upload endpoints, followed by JSP web shell creation in Tomcat's webapps directories, indicating remote code execution.","title":"Apache Struts CVE-2023-50164 Exploitation Leading to Web Shell Deployment","url":"https://feed.craftedsignal.io/briefs/2024-01-apache-struts-cve-2023-50164-webshell/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Tomcat","OpenMRS Core","openmrs-web"],"_cs_severities":["high"],"_cs_tags":["path-traversal","information-disclosure","openmrs"],"_cs_type":"advisory","_cs_vendors":["Apache","OpenMRS"],"content_html":"\u003cp\u003eOpenMRS Core, a widely used open-source medical record system, is vulnerable to a path traversal attack via the \u003ccode\u003eModuleResourcesServlet\u003c/code\u003e. This flaw affects versions up to 2.7.8 and versions 2.8.0 through 2.8.5. An unauthenticated attacker can exploit this vulnerability by crafting a malicious URL to read arbitrary files from the server\u0026rsquo;s filesystem. The vulnerability exists because the \u003ccode\u003eModuleResourcesServlet\u003c/code\u003e component fails to properly validate user-supplied path input when serving static module resources. This vulnerability is particularly critical because the affected endpoint is not protected by authentication filters, and successful exploitation depends on running Apache Tomcat versions before 8.5.31 or prior to 9.0.10.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable OpenMRS instance running on a susceptible Tomcat version.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a valid module ID installed on the target OpenMRS instance (e.g., \u003ccode\u003elegacyui\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request to the \u003ccode\u003e/openmrs/moduleResources/{moduleid}\u003c/code\u003e endpoint containing a path traversal sequence (e.g., \u003ccode\u003e..;\u003c/code\u003e) within the URL. The request attempts to access a sensitive file, such as \u003ccode\u003e/etc/passwd\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eModuleResourcesServlet\u003c/code\u003e receives the request and extracts the path information without proper validation.\u003c/li\u003e\n\u003cli\u003eThe application constructs a file path by concatenating the web application root, module path, module ID, \u0026ldquo;resources,\u0026rdquo; and the attacker-supplied path.\u003c/li\u003e\n\u003cli\u003eDue to missing path sanitization and normalization, the resulting file path points to the attacker-specified file outside the intended resources directory.\u003c/li\u003e\n\u003cli\u003eThe server reads the content of the arbitrary file (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server returns the file content in the HTTP response to the attacker, resulting in information disclosure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an unauthenticated attacker to read arbitrary files on the OpenMRS server. This can lead to the exposure of sensitive information, including system configuration files containing database credentials, potentially compromising the entire application and patient data. The number of affected deployments is unknown, but any OpenMRS instance running vulnerable versions on older Tomcat installations is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenMRS Core to a patched version beyond 2.8.5 to address CVE-2026-40075.\u003c/li\u003e\n\u003cli\u003eAs a short-term mitigation, upgrade Apache Tomcat to version 8.5.31 or later, or 9.0.10 or later, to leverage container-level path traversal protection.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect exploitation attempts against the vulnerable \u003ccode\u003eModuleResourcesServlet\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious URL patterns containing path traversal sequences (\u003ccode\u003e../\u003c/code\u003e, \u003ccode\u003e..;\u003c/code\u003e, \u003ccode\u003e%2e%2e%2f\u003c/code\u003e) targeting the \u003ccode\u003e/openmrs/moduleResources/\u003c/code\u003e path.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-openmrs-path-traversal/","summary":"OpenMRS Core versions 2.7.8 and earlier, as well as versions 2.8.0 through 2.8.5, contain a path traversal vulnerability in the ModuleResourcesServlet, allowing an unauthenticated attacker to read arbitrary files from the server filesystem by manipulating the URL.","title":"OpenMRS ModuleResourcesServlet Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-openmrs-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Apache","version":"https://jsonfeed.org/version/1.1"}