https://feed.craftedsignal.io/vendors/grokability/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 08 May 2026 23:04:36 +0000https://feed.craftedsignal.io/briefs/2024-01-snipeit-file-upload-rce/Fri, 08 May 2026 23:04:36 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-snipeit-file-upload-rce/Snipe-IT versions prior to 8.4.1 are vulnerable to remote code execution due to insecure permissions on file uploads, where an attacker can upload arbitrary files and execute code on the server.Snipe-IT, a web-based IT asset management system, is vulnerable to a critical file upload vulnerability (CVE-2026-37709) affecting versions up to 8.4.0. This vulnerability stems from insufficient permission checks in the app/Http/Controllers/Api/UploadedFilesController.php component. Specifically, the API endpoint /api/v1/{object_type}/{id}/files allows users with “view” permissions, rather than the necessary “write” permissions, to upload files. Successful exploitation of this vulnerability can lead to arbitrary code execution on the server. The vulnerability was patched after the 2026-03-10 commit 676a9958 and released in version 8.4.1. This poses a significant risk to organizations using vulnerable Snipe-IT instances, potentially allowing attackers to compromise the entire system.

Attack Chain

1. An attacker identifies a vulnerable Snipe-IT instance running a version prior to 8.4.1.
2. The attacker authenticates to the Snipe-IT instance with user credentials that have “view” permissions for assets, consumables, or other managed objects.
3. The attacker crafts a malicious HTTP POST request to the /api/v1/{object_type}/{id}/files endpoint, replacing {object_type} and {id} with valid values for an existing asset or consumable.
4. The POST request includes a file containing malicious code, such as a PHP webshell, disguised as a seemingly harmless file type (e.g., image).
5. The Snipe-IT application, due to insufficient permission checks, accepts the file upload and stores it on the server.
6. The attacker determines the full path to the uploaded file on the server.
7. The attacker crafts a new HTTP request to execute the uploaded file, triggering the malicious code.
8. The attacker achieves remote code execution on the Snipe-IT server, potentially gaining full control of the system and sensitive data.

Impact

Successful exploitation of CVE-2026-37709 can lead to complete compromise of the Snipe-IT server. An attacker can gain unauthorized access to sensitive asset information, modify inventory data, and potentially pivot to other systems within the network. Given the critical nature of asset management systems, this vulnerability poses a severe risk to organizations of all sizes and across various sectors. The attacker could potentially steal intellectual property, disrupt operations, or launch further attacks from the compromised server.

Recommendation

• Upgrade Snipe-IT installations to version 8.4.1 or later to remediate CVE-2026-37709, as this version contains the necessary permission checks in the app/Http/Controllers/Api/UploadedFilesController.php component.
• Deploy the Sigma rule “Detect CVE-2026-37709 Exploitation — SnipeIT Malicious File Upload” to detect suspicious POST requests to the /api/v1/{object_type}/{id}/files endpoint.
• Monitor web server logs for HTTP POST requests to the /api/v1/{object_type}/{id}/files endpoint with filenames that contain suspicious extensions or patterns to identify potential exploitation attempts.

]]>criticaladvisoryremote code executionfile uploadinsecure permissionsasset managementCVE-2026-37709https://feed.craftedsignal.io/briefs/2024-01-03-snipeit-privesc/Wed, 03 Jan 2024 18:22:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-snipeit-privesc/An authenticated user with limited 'users.edit' permissions can escalate their privileges to 'admin' in Snipe-IT versions before 8.4.1 by manipulating the permissions array in a PATCH request to the API, as tracked by CVE-2026-44832.Snipe-IT, a web-based IT asset management system, is susceptible to a privilege escalation vulnerability affecting versions prior to 8.4.1. An authenticated user possessing the users.edit permission can exploit this flaw to elevate their own privileges to that of an administrator. This is achieved by sending a specifically crafted PATCH request to the /api/v1/users/{id} endpoint, where the permissions[admin] parameter is set to ‘1’. The vulnerability, identified as CVE-2026-44832, arises due to insufficient validation on the server-side, allowing unauthorized modification of user permissions. The absence of proper input sanitization in the API controller enables users with limited privileges to assign administrative rights to themselves, undermining the system’s security model.

Attack Chain

1. An attacker authenticates to the Snipe-IT application with a user account that has the users.edit permission.
2. The attacker identifies the target user ID, typically their own user ID, which can be obtained from the user profile page or API.
3. The attacker crafts a PATCH request to /api/v1/users/{id}, replacing {id} with the target user’s ID.
4. Within the PATCH request body, the attacker includes the parameter permissions[admin]=1.
5. The attacker sends the malicious PATCH request to the Snipe-IT server.
6. The Snipe-IT server, due to insufficient validation, accepts the request and updates the target user’s permissions, granting them administrative privileges.
7. The attacker logs out and logs back in to the Snipe-IT application.
8. Upon logging back in, the attacker now possesses administrative privileges, allowing them to perform any action within the Snipe-IT system.

Impact

Successful exploitation of this vulnerability allows an attacker with limited user privileges to gain full administrative control over the Snipe-IT system. This could lead to unauthorized access to sensitive data, modification or deletion of assets, creation of rogue administrator accounts, and complete compromise of the Snipe-IT installation. The vulnerability affects all Snipe-IT instances running versions prior to 8.4.1. The scope of the impact is limited to the Snipe-IT application itself.

Recommendation

• Upgrade Snipe-IT to version 8.4.1 or later to remediate CVE-2026-44832 as per the vendor’s advisory.
• Deploy the Sigma rule Detect Snipe-IT Privilege Escalation Attempt via API to monitor for suspicious PATCH requests to the /api/v1/users/{id} endpoint.
• Enable web server access logging and review logs for unusual API requests targeting user permission modification.
• Implement input validation and sanitization on all API endpoints, particularly those that handle user permissions.

]]>highadvisoryprivilege-escalationweb-applicationapi