{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/incus/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["incusd (\u003c 7.2.0)"],"_cs_severities":["critical"],"_cs_tags":["vulnerability","rce","symlink","linux","incus","container"],"_cs_type":"advisory","_cs_vendors":["Incus"],"content_html":"\u003cp\u003eA critical vulnerability tracked as CVE-2026-48752 has been identified in Incus, a Linux container manager, affecting versions prior to 7.2.0. This flaw allows a malicious actor to perform arbitrary file read and write operations on the underlying host system. The exploitation vector involves crafting a malicious container image or instance backup that includes a top-level \u003ccode\u003etemplates\u003c/code\u003e symlink. When Incus unpacks such an artifact, it fails to properly sanitize this symlink, enabling the attacker to redirect operations intended for the \u003ccode\u003etemplates\u003c/code\u003e directory to any arbitrary path on the host, such as \u003ccode\u003e/etc/cron.d\u003c/code\u003e. This capability can be leveraged to inject malicious cron jobs or modify other sensitive system files, ultimately leading to arbitrary command execution with root privileges on the host. This vulnerability poses a significant risk to the integrity and security of systems running vulnerable Incus instances.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious Incus container image or instance backup (\u003ccode\u003e.tar\u003c/code\u003e archive).\u003c/li\u003e\n\u003cli\u003eWithin this archive, a top-level symlink named \u003ccode\u003etemplates\u003c/code\u003e is created, pointing to a sensitive host directory (e.g., \u003ccode\u003e/etc/cron.d\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker distributes this malicious image or backup, which is then imported or restored on a vulnerable Incus host using \u003ccode\u003eincus image import\u003c/code\u003e or \u003ccode\u003eincus import\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDuring the unpacking process, Incus's \u003ccode\u003earchive.Unpack\u003c/code\u003e (for images) or \u003ccode\u003ersync.LocalCopy\u003c/code\u003e (for backups) follows the \u003ccode\u003etemplates\u003c/code\u003e symlink due to insufficient sanitization.\u003c/li\u003e\n\u003cli\u003eThe attacker then uses \u003ccode\u003eincus config template create\u003c/code\u003e or \u003ccode\u003eincus config template edit\u003c/code\u003e commands, targeting the newly imported malicious instance/image.\u003c/li\u003e\n\u003cli\u003eDue to the symlink, these \u003ccode\u003eincus\u003c/code\u003e commands inadvertently write arbitrary content to the sensitive host directory (e.g., creating a new cron job file in \u003ccode\u003e/etc/cron.d\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe malicious cron job is executed by the host's cron daemon, achieving arbitrary command execution, often as root, on the host system.\u003c/li\u003e\n\u003cli\u003eThe attacker gains full control over the Incus host, enabling further malicious activities like data exfiltration or deploying additional malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-48752 leads to arbitrary file read and write capabilities on the Incus host system. This direct access to the host filesystem allows attackers to modify critical system files, inject malicious configurations (such as cron jobs), and ultimately achieve arbitrary command execution, often with root privileges. The consequences include complete system compromise, unauthorized data access, persistence mechanisms, and potential disruption of services. While no specific victim count or sectors are mentioned, any organization utilizing vulnerable Incus installations could be at risk of severe security breaches and operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch Incus immediately to version 7.2.0 or newer to address CVE-2026-48752 as advised by the vendor.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule below to detect suspicious \u003ccode\u003eincusd\u003c/code\u003e write operations to sensitive system directories.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive \u003ccode\u003efile_event\u003c/code\u003e logging for Linux systems to capture modifications within critical directories like \u003ccode\u003e/etc/cron.d/\u003c/code\u003e, \u003ccode\u003e/etc/\u003c/code\u003e, \u003ccode\u003e/bin/\u003c/code\u003e, \u003ccode\u003e/sbin/\u003c/code\u003e by the \u003ccode\u003eincusd\u003c/code\u003e process.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T10:37:30Z","date_published":"2026-07-03T10:37:30Z","id":"https://feed.craftedsignal.io/briefs/2026-07-incus-afrw/","summary":"A critical vulnerability, CVE-2026-48752, in Incus versions prior to 7.2.0 allows an unauthenticated attacker to achieve arbitrary file read and write on the host system via specially crafted container images or instance backups containing unsanitized symlinks, potentially leading to arbitrary command execution as root.","title":"Critical Incus Vulnerability (CVE-2026-48752) Allows Host Arbitrary File Read/Write Leading to RCE","url":"https://feed.craftedsignal.io/briefs/2026-07-incus-afrw/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["incusd \u003c 7.1.0"],"_cs_severities":["critical"],"_cs_tags":["path-traversal","rce","incus","s3","linux","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Incus"],"content_html":"\u003cp\u003eA critical path traversal vulnerability, tracked as CVE-2026-48753, has been identified in the Incus \u003ccode\u003eincusd\u003c/code\u003e daemon affecting versions prior to 7.1.0. This flaw resides within the S3 protocol's multipart upload endpoint, specifically in the handling of the \u003ccode\u003euploadId\u003c/code\u003e parameter. Attackers can leverage this unsanitized parameter to inject path traversal sequences (e.g., \u003ccode\u003e../../\u003c/code\u003e) and write arbitrary files to sensitive locations on the host system. This arbitrary file write capability can be escalated to achieve persistent arbitrary command execution, for instance, by creating malicious cron jobs in \u003ccode\u003e/etc/cron.d\u003c/code\u003e. The successful exploitation of this vulnerability would grant an unauthenticated attacker the ability to execute commands with the privileges of the Incus service, posing a significant risk of full system compromise for affected Linux deployments utilizing Incus's S3 functionality.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Incus instance (version \u0026lt; 7.1.0) with an exposed S3 API, typically via \u003ccode\u003eincus config set core.storage_buckets_address\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a multipart S3 \u003ccode\u003ePUT\u003c/code\u003e request, targeting an S3 bucket configured on the vulnerable Incus instance.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003euploadId\u003c/code\u003e query parameter within the \u003ccode\u003ePUT\u003c/code\u003e request is maliciously manipulated, containing path traversal sequences such as \u003ccode\u003e../../../../etc/cron.d\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request body is populated with the content of a malicious cron job entry, for example, \u003ccode\u003e* * * * * root /bin/sh -c 'id \u0026gt; /incus-s3-uploadid-bash-rce; rm -f /etc/cron.d/part-00001'\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability in \u003ccode\u003einternal/server/storage/s3/local/multipart.go\u003c/code\u003e, Incus concatenates the unsanitized \u003ccode\u003euploadId\u003c/code\u003e directly into the target file path during the upload process.\u003c/li\u003e\n\u003cli\u003eThis results in an arbitrary file write on the host system, placing the malicious cron job content into a file like \u003ccode\u003e/etc/cron.d/part-00001\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe system's cron daemon periodically executes entries found in \u003ccode\u003e/etc/cron.d\u003c/code\u003e, triggering the newly created malicious job, leading to arbitrary command execution (e.g., \u003ccode\u003eid \u0026gt; /incus-s3-uploadid-bash-rce\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe executed cron job also includes a command to delete itself (\u003ccode\u003erm -f /etc/cron.d/part-00001\u003c/code\u003e), providing persistent remote code execution while attempting to remove forensic evidence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe primary impact of CVE-2026-48753 is the ability for an unauthenticated attacker to achieve arbitrary file write on the host system where Incus is running. This directly enables arbitrary command execution, as demonstrated by the ability to install persistent cron jobs. Successful exploitation can lead to a complete compromise of the Incus host, allowing attackers to establish persistence, exfiltrate data, disrupt services, or pivot to other systems within the network. This vulnerability is critical due to its unauthenticated nature and the severe consequences of command execution.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-48753 immediately\u003c/strong\u003e by upgrading your Incus installation to version 7.1.0 or later as advised by the advisory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy the Sigma rule in this brief\u003c/strong\u003e to your SIEM/EDR to detect exploitation attempts of CVE-2026-48753 by monitoring for suspicious S3 PUT requests.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor web server access logs\u003c/strong\u003e for HTTP PUT requests to S3 endpoints that contain path traversal sequences (\u003ccode\u003e../../\u003c/code\u003e or \u003ccode\u003e..%2F..%2F\u003c/code\u003e) in the \u003ccode\u003euploadId\u003c/code\u003e query parameter.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnable comprehensive file integrity monitoring\u003c/strong\u003e for critical system directories like \u003ccode\u003e/etc/cron.d\u003c/code\u003e, \u003ccode\u003e/tmp\u003c/code\u003e, and other common locations for malicious file drops.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T10:36:22Z","date_published":"2026-07-03T10:36:22Z","id":"https://feed.craftedsignal.io/briefs/2026-07-incus-s3-path-traversal-rce/","summary":"The Incus `incusd` daemon, specifically its S3 protocol multipart upload endpoint in versions prior to 7.1.0, is vulnerable to CVE-2026-48753, a critical path traversal flaw via the `uploadId` parameter, enabling unauthenticated attackers to write arbitrary files to any location on the host system, which can be leveraged for persistent arbitrary command execution.","title":"Incus S3 Multipart Upload Path Traversal Leading to RCE (CVE-2026-48753)","url":"https://feed.craftedsignal.io/briefs/2026-07-incus-s3-path-traversal-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Incus","version":"https://jsonfeed.org/version/1.1"}