{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/openitcockpit/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-24893"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["openITCOCKPIT Community Edition"],"_cs_severities":["critical"],"_cs_tags":["command-injection","rce","openitcockpit"],"_cs_type":"advisory","_cs_vendors":["openITCOCKPIT"],"content_html":"\u003cp\u003eopenITCOCKPIT is an open-source monitoring tool used for various monitoring engines. A critical command injection vulnerability, identified as CVE-2026-24893, affects openITCOCKPIT Community Edition versions prior to 5.5.2. This vulnerability allows an authenticated user with the permission to add or modify hosts to execute arbitrary operating system commands on the monitoring backend. The root cause lies in the insecure handling of user-controlled host attributes, specifically the host address. These attributes are expanded into monitoring command templates without proper validation, escaping, or quoting. This lack of input sanitization allows attackers to inject malicious commands. Successful exploitation results in remote code execution on the openITCOCKPIT server. Organizations using vulnerable versions of openITCOCKPIT are at high risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user logs into the openITCOCKPIT web interface with privileges to modify host configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the host configuration panel and selects to add or modify a host.\u003c/li\u003e\n\u003cli\u003eThe attacker enters a malicious payload within the host address field, injecting OS commands (e.g., \u003ccode\u003e127.0.0.1; whoami \u0026gt; /tmp/poc.txt\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eopenITCOCKPIT stores the crafted host address without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe monitoring engine (Nagios/Icinga) processes the host configuration, expanding the host address into a monitoring command template.\u003c/li\u003e\n\u003cli\u003eThe monitoring engine executes the template via a shell. The injected OS command within the host address is executed due to the lack of escaping or quoting.\u003c/li\u003e\n\u003cli\u003eThe injected command executes on the openITCOCKPIT server with the privileges of the monitoring engine.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote code execution, potentially leading to further compromise of the system and network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-24893 allows attackers to execute arbitrary operating system commands on the openITCOCKPIT server. This could lead to complete system compromise, data exfiltration, and potentially lateral movement within the network. The vulnerability affects all installations of openITCOCKPIT Community Edition prior to version 5.5.2. Organizations relying on openITCOCKPIT for critical infrastructure monitoring are at significant risk of disruption and data loss.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade openITCOCKPIT to version 5.5.2 or later to patch CVE-2026-24893.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eopenitcockpit_command_injection_process\u003c/code\u003e to detect potential exploitation attempts by monitoring process creation events.\u003c/li\u003e\n\u003cli\u003eReview and restrict user permissions within openITCOCKPIT to limit the number of accounts capable of modifying host configurations.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eopenitcockpit_command_injection_web\u003c/code\u003e and tune for your environment to detect possible command injection attempts through web server logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-openitcockpit-command-injection/","summary":"openITCOCKPIT Community Edition before 5.5.2 is vulnerable to command injection, allowing authenticated users with host modification privileges to execute arbitrary OS commands on the monitoring backend via crafted host attributes in monitoring command templates.","title":"openITCOCKPIT Command Injection Vulnerability (CVE-2026-24893)","url":"https://feed.craftedsignal.io/briefs/2024-01-openitcockpit-command-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - OpenITCOCKPIT","version":"https://jsonfeed.org/version/1.1"}