<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Apache — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/apache/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 27 Apr 2026 16:09:56 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/apache/feed.xml" rel="self" type="application/rss+xml"/><item><title>Apache MINA Arbitrary Code Execution Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-apache-mina-rce/</link><pubDate>Mon, 27 Apr 2026 16:09:56 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-apache-mina-rce/</guid><description>A critical arbitrary code execution vulnerability (CVE-2026-41635) exists in Apache MINA versions 2.0.0 through 2.0.27, 2.1.0 through 2.1.10, and 2.2.0 through 2.2.5 due to missing class validation in the AbstractIoBuffer.resolveClass() method, potentially allowing attackers to execute arbitrary code on applications using Apache MINA.</description><content:encoded><![CDATA[<p>A critical arbitrary code execution vulnerability, CVE-2026-41635, has been identified in Apache MINA, an open-source network application framework. The vulnerability affects versions 2.0.0 through 2.0.27, 2.1.0 through 2.1.10, and 2.2.0 through 2.2.5. The flaw lies within the AbstractIoBuffer.resolveClass() method, where a branch lacks class validation, bypassing the classname allowlist. This allows remote attackers with low privileges to execute arbitrary code on systems using Apache MINA when the IoBuffer.getObject() method is called. 
Successful exploitation can lead to full system compromise, data exfiltration, and further attacks on interconnected systems. It is imperative that organizations using Apache MINA apply the necessary patches immediately to mitigate this critical risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable application using Apache MINA versions 2.0.0-2.0.27, 2.1.0-2.1.10, or 2.2.0-2.2.5.</li>
<li>The attacker crafts a malicious payload containing serialized Java objects designed to exploit the class validation bypass in <code>AbstractIoBuffer.resolveClass()</code>.</li>
<li>The attacker sends a network request to the vulnerable application that triggers the <code>IoBuffer.getObject()</code> method.</li>
<li>The <code>IoBuffer.getObject()</code> method deserializes the attacker-controlled data without proper class validation due to the flaw in <code>AbstractIoBuffer.resolveClass()</code>.</li>
<li>The malicious serialized object executes arbitrary code within the context of the application.</li>
<li>The attacker gains control of the application server.</li>
<li>The attacker uses their access to move laterally within the network.</li>
<li>The attacker exfiltrates sensitive data or deploys ransomware.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-41635 allows attackers to execute arbitrary code on systems utilizing vulnerable versions of Apache MINA. This can lead to a full compromise of the affected system, including data exfiltration, denial of service, or further attacks on interconnected systems. The vulnerability is remotely exploitable with low privileges, increasing the potential for widespread impact across various sectors relying on Apache MINA for network communication. A successful attack poses a high risk to the confidentiality, integrity, and availability of affected systems and data.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch Apache MINA to the latest version to remediate CVE-2026-41635, as recommended by the vendor advisory (<a href="https://lists.apache.org/thread/1l91w1mqsb3lwfd504fs045ylxntt2tm">https://lists.apache.org/thread/1l91w1mqsb3lwfd504fs045ylxntt2tm</a>).</li>
<li>Implement network monitoring to detect suspicious activity related to deserialization attempts, as suggested by the CCB&rsquo;s recommendation to upscale monitoring capabilities.</li>
<li>Deploy the Sigma rule &ldquo;Detect Apache MINA Vulnerable Class Deserialization Attempt&rdquo; to identify potential exploitation attempts based on suspicious class names in network traffic.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>apache-mina</category><category>rce</category><category>deserialization</category><category>cve-2026-41635</category></item><item><title>BridgeHead FileStore Unauthenticated Remote Code Execution via Apache Axis2</title><link>https://feed.craftedsignal.io/briefs/2026-04-bridgehead-filestore-rce/</link><pubDate>Fri, 24 Apr 2026 16:16:36 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-bridgehead-filestore-rce/</guid><description>BridgeHead FileStore versions prior to 24A are vulnerable to unauthenticated remote code execution via exposed Apache Axis2 administration module with default credentials, enabling attackers to upload malicious web services and execute arbitrary OS commands.</description><content:encoded><![CDATA[<p>BridgeHead FileStore versions prior to 24A, released in early 2024, expose a critical security vulnerability. Specifically, the Apache Axis2 administration module is accessible on network endpoints with default credentials. This flaw allows unauthenticated remote attackers to execute arbitrary operating system commands. The vulnerability stems from insecure default configurations within the FileStore application and the underlying Axis2 web service framework. Successful exploitation grants complete control over the affected system, potentially leading to data breaches, system compromise, and further lateral movement within the network. This vulnerability poses a significant risk to organizations using vulnerable versions of BridgeHead FileStore.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a BridgeHead FileStore instance running a vulnerable version of the software on a network-accessible endpoint.</li>
<li>The attacker accesses the Apache Axis2 administration console, which is exposed due to a misconfiguration.</li>
<li>The attacker authenticates to the Axis2 admin console using default credentials, bypassing authentication controls.</li>
<li>The attacker uploads a malicious Java archive (WAR file) containing a web service designed to execute arbitrary commands.</li>
<li>The attacker deploys the malicious web service through the Axis2 administration interface.</li>
<li>The attacker crafts a SOAP request to the deployed malicious web service, embedding the operating system command to be executed.</li>
<li>The vulnerable FileStore instance processes the SOAP request, executing the attacker-controlled command on the host operating system.</li>
<li>The attacker gains remote code execution, achieving complete control over the compromised system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-39920 allows unauthenticated attackers to execute arbitrary OS commands on systems running vulnerable versions of BridgeHead FileStore. This can lead to complete system compromise, data breaches, denial of service, and further lateral movement within the network. While the exact number of affected organizations is unknown, the widespread use of BridgeHead FileStore in data protection and archiving scenarios makes this a critical vulnerability. The consequences of a successful attack could include the loss of sensitive data, disruption of business operations, and significant financial losses.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the update to FileStore version 24A or later to remediate the vulnerability as mentioned in the product updates page (<a href="https://www.bridgeheadsoftware.com/rapid-data-protection-product-updates/">https://www.bridgeheadsoftware.com/rapid-data-protection-product-updates/</a>).</li>
<li>Monitor web server logs for suspicious POST requests to the Axis2 administration console (<code>/axis2/servlet/AdminServlet</code>) as it is a key component of the exploitation. Use the &ldquo;Detect Axis2 Admin Access&rdquo; Sigma rule to identify unauthorized access attempts.</li>
<li>Implement network segmentation to limit the exposure of BridgeHead FileStore instances and the Axis2 administration module.</li>
<li>Review and enforce strong authentication policies for all web-based administration interfaces.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>rce</category><category>cve-2026-39920</category><category>apache axis2</category><category>default credentials</category><category>web service</category></item><item><title>Apache ActiveMQ Vulnerabilities Allow RCE and XSS</title><link>https://feed.craftedsignal.io/briefs/2026-04-activemq-rce-xss/</link><pubDate>Fri, 24 Apr 2026 09:09:10 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-activemq-rce-xss/</guid><description>An authenticated remote attacker can exploit multiple vulnerabilities in Apache ActiveMQ to execute arbitrary program code or perform cross-site scripting attacks.</description><content:encoded><![CDATA[<p>Multiple vulnerabilities in Apache ActiveMQ allow a remote, authenticated attacker to execute arbitrary code or perform cross-site scripting (XSS) attacks. While specific CVEs and attack vectors are not detailed in this advisory, the presence of both RCE and XSS vulnerabilities suggests a high risk to organizations using affected versions of ActiveMQ. Exploitation requires authentication, implying that attackers may need to compromise credentials or exploit other vulnerabilities to gain initial access. This combination of vulnerabilities could lead to complete system compromise, data theft, or service disruption. The lack of specific version information makes it crucial for organizations to identify and patch all potentially vulnerable ActiveMQ instances.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: The attacker gains valid credentials to access the ActiveMQ management console or API, potentially through credential stuffing, phishing, or exploiting other vulnerabilities.</li>
<li>Authentication: The attacker authenticates to the ActiveMQ instance using the compromised credentials.</li>
<li>Vulnerability Exploitation (RCE): The attacker exploits a deserialization or other RCE vulnerability to inject malicious code into the ActiveMQ server. This may involve crafting a specific message or request to trigger the vulnerability.</li>
<li>Code Execution: The injected code executes within the context of the ActiveMQ server process, granting the attacker control over the system.</li>
<li>Privilege Escalation (if necessary): The attacker attempts to escalate privileges to gain root or system-level access, depending on the initial privileges of the ActiveMQ process.</li>
<li>Lateral Movement: The attacker uses the compromised ActiveMQ server as a pivot point to move laterally within the network, targeting other systems and resources.</li>
<li>Vulnerability Exploitation (XSS): Simultaneously or independently, the attacker exploits an XSS vulnerability within the ActiveMQ web console. This may involve injecting malicious JavaScript code into the console.</li>
<li>Impact: The attacker deploys ransomware, exfiltrates sensitive data, or disrupts critical services, depending on their objectives. The XSS vulnerability allows the attacker to steal administrator cookies or inject further malicious content.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these vulnerabilities could lead to complete compromise of the ActiveMQ server, potentially affecting all connected systems and applications. The lack of specifics makes it difficult to determine the exact number of potential victims; however, given the widespread use of ActiveMQ in enterprise environments, the impact could be significant. Consequences include data breaches, service disruption, financial loss, and reputational damage. The combination of RCE and XSS vulnerabilities allows attackers to pursue a wide range of malicious objectives, from data theft to system destruction.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Identify all Apache ActiveMQ instances within your environment and determine their versions.</li>
<li>Consult the Apache ActiveMQ security advisories to identify specific vulnerabilities affecting your versions and apply the necessary patches.</li>
<li>Implement strong authentication and authorization controls to restrict access to the ActiveMQ management console and API.</li>
<li>Deploy the Sigma rule to detect potential exploitation attempts against ActiveMQ instances.</li>
<li>Review and harden the ActiveMQ configuration to minimize the attack surface and reduce the risk of exploitation.</li>
<li>Implement network segmentation to limit the impact of a successful compromise of an ActiveMQ instance.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>activemq</category><category>rce</category><category>xss</category><category>apache</category></item><item><title>Apache Struts CVE-2023-50164 Exploitation Leading to Web Shell Deployment</title><link>https://feed.craftedsignal.io/briefs/2024-01-apache-struts-cve-2023-50164-webshell/</link><pubDate>Fri, 05 Jan 2024 18:22:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-apache-struts-cve-2023-50164-webshell/</guid><description>Exploitation of CVE-2023-50164, a critical path traversal vulnerability in Apache Struts 2, is detected by identifying malicious multipart/form-data POST requests with WebKitFormBoundary targeting Struts .action upload endpoints, followed by JSP web shell creation in Tomcat's webapps directories, indicating remote code execution.</description><content:encoded><![CDATA[<p>CVE-2023-50164 is a critical path traversal vulnerability affecting Apache Struts 2 versions prior to 2.5.33 or 6.3.0.2. The vulnerability resides in the file upload functionality, allowing attackers to manipulate file upload parameters and write malicious files, such as JSP web shells, to arbitrary locations on the web server. Successful exploitation leads to remote code execution. Detection focuses on correlating suspicious file upload requests to Struts endpoints with subsequent creation of JSP files in web-accessible directories, indicating successful exploitation. The attack involves crafting malicious multipart/form-data POST requests with WebKitFormBoundary to Struts .action upload endpoints.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker sends a malicious HTTP POST request to a vulnerable Apache Struts endpoint (e.g., <code>*.action</code>).</li>
<li>The HTTP POST request contains a <code>multipart/form-data</code> content type with a <code>WebKitFormBoundary</code> string.</li>
<li>The request exploits CVE-2023-50164, leveraging a path traversal vulnerability in the file upload process.</li>
<li>The attacker bypasses security controls due to the path traversal vulnerability.</li>
<li>The attacker uploads a malicious JSP file (web shell) to a web-accessible directory, such as Tomcat&rsquo;s <code>webapps</code> directory.</li>
<li>A Java process (e.g., Tomcat) creates the JSP web shell file in the webapps directory.</li>
<li>The attacker accesses the deployed web shell via HTTP.</li>
<li>The attacker executes arbitrary commands on the server through the web shell.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2023-50164 allows attackers to achieve remote code execution on the affected server. This can lead to complete system compromise, data exfiltration, deployment of malware, and lateral movement within the network. The vulnerability affects Apache Struts 2 applications using the file upload feature, potentially impacting numerous organizations across various sectors using the framework.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Apache Struts CVE-2023-50164 Webshell Creation&rdquo; to detect JSP file creation events in webapps directories following suspicious POST requests as described in the overview.</li>
<li>Deploy the Sigma rule &ldquo;Apache Struts CVE-2023-50164 Suspicious POST Request&rdquo; to detect suspicious POST requests to Struts endpoints with <code>multipart/form-data</code> content containing <code>WebKitFormBoundary</code>, as indicated in the Attack Chain.</li>
<li>Patch Apache Struts 2 to version 2.5.33, 6.3.0.2, or higher to remediate the CVE-2023-50164 vulnerability, as noted in the References.</li>
<li>Enable HTTP request body capture in network traffic monitoring tools to detect the multipart/form-data content containing WebKitFormBoundary indicators, as required by the rule setup.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>apache-struts</category><category>webshell</category><category>cve-2023-50164</category><category>initial-access</category><category>persistence</category><category>command-and-control</category></item><item><title>OpenMRS ModuleResourcesServlet Path Traversal Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-openmrs-path-traversal/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-openmrs-path-traversal/</guid><description>OpenMRS Core versions 2.7.8 and earlier, as well as versions 2.8.0 through 2.8.5, contain a path traversal vulnerability in the ModuleResourcesServlet, allowing an unauthenticated attacker to read arbitrary files from the server filesystem by manipulating the URL.</description><content:encoded><![CDATA[<p>OpenMRS Core, a widely used open-source medical record system, is vulnerable to a path traversal attack via the <code>ModuleResourcesServlet</code>. This flaw affects versions up to 2.7.8 and versions 2.8.0 through 2.8.5. An unauthenticated attacker can exploit this vulnerability by crafting a malicious URL to read arbitrary files from the server&rsquo;s filesystem. The vulnerability exists because the <code>ModuleResourcesServlet</code> component fails to properly validate user-supplied path input when serving static module resources. This vulnerability is particularly critical because the affected endpoint is not protected by authentication filters; successful exploitation also depends on the instance running an Apache Tomcat release earlier than 8.5.31 on the 8.5 branch or earlier than 9.0.10 on the 9.0 branch.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable OpenMRS instance running on a susceptible Tomcat version.</li>
<li>The attacker identifies a valid module ID installed on the target OpenMRS instance (e.g., <code>legacyui</code>).</li>
<li>The attacker crafts a malicious HTTP GET request to the <code>/openmrs/moduleResources/{moduleid}</code> endpoint containing a path traversal sequence (e.g., <code>..;</code>) within the URL. The request attempts to access a sensitive file, such as <code>/etc/passwd</code>.</li>
<li>The <code>ModuleResourcesServlet</code> receives the request and extracts the path information without proper validation.</li>
<li>The application constructs a file path by concatenating the web application root, module path, module ID, &ldquo;resources,&rdquo; and the attacker-supplied path.</li>
<li>Due to missing path sanitization and normalization, the resulting file path points to the attacker-specified file outside the intended resources directory.</li>
<li>The server reads the content of the arbitrary file (e.g., <code>/etc/passwd</code>).</li>
<li>The server returns the file content in the HTTP response to the attacker, resulting in information disclosure.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows an unauthenticated attacker to read arbitrary files on the OpenMRS server. This can lead to the exposure of sensitive information, including system configuration files containing database credentials, potentially compromising the entire application and patient data. The number of affected deployments is unknown, but any OpenMRS instance running vulnerable versions on older Tomcat installations is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade OpenMRS Core to a patched version beyond 2.8.5 to address CVE-2026-40075.</li>
<li>As a short-term mitigation, upgrade Apache Tomcat to version 8.5.31 or later, or 9.0.10 or later, to leverage container-level path traversal protection.</li>
<li>Deploy the following Sigma rule to detect exploitation attempts against the vulnerable <code>ModuleResourcesServlet</code> endpoint.</li>
<li>Monitor web server logs for suspicious URL patterns containing path traversal sequences (<code>../</code>, <code>..;</code>, <code>%2e%2e%2f</code>) targeting the <code>/openmrs/moduleResources/</code> path.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>path-traversal</category><category>information-disclosure</category><category>openmrs</category></item></channel></rss>