{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/pi-hole/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-35519"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Pi-hole"],"_cs_severities":["critical"],"_cs_tags":["pihole","rce","dnsmasq","cve-2026-35519"],"_cs_type":"advisory","_cs_vendors":["Pi-hole"],"content_html":"\u003cp\u003ePi-hole FTLDNS (pihole-FTL) versions 6.0 to before 6.6 are vulnerable to a Remote Code Execution (RCE) vulnerability, identified as CVE-2026-35519. This vulnerability resides in the DNS host record configuration parameter (dns.hostRecord) within the FTL engine. An authenticated attacker can exploit this flaw by injecting arbitrary \u003ccode\u003ednsmasq\u003c/code\u003e configuration directives through newline characters. Successful exploitation enables the attacker to execute commands on the underlying Linux system. Pi-hole users running versions between 6.0 and 6.6 are affected and should upgrade to version 6.6 or later to remediate this vulnerability. This vulnerability poses a significant risk, potentially allowing attackers to compromise the Pi-hole server and gain unauthorized access to the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the Pi-hole web interface. This requires valid credentials or exploiting an authentication bypass.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the DNS settings page within the web interface.\u003c/li\u003e\n\u003cli\u003eThe attacker locates the \u0026quot;Host record\u0026quot; configuration parameter (dns.hostRecord).\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious \u003ccode\u003ednsmasq\u003c/code\u003e directives into the \u003ccode\u003edns.hostRecord\u003c/code\u003e parameter, using newline characters to separate the injected code from legitimate configuration. For example, they might inject a directive to execute a shell command.\u003c/li\u003e\n\u003cli\u003eThe attacker saves the modified DNS settings, which triggers FTL to update the \u003ccode\u003ednsmasq\u003c/code\u003e configuration.\u003c/li\u003e\n\u003cli\u003eFTL processes the injected directives, leading to command execution on the underlying system. The injected directives are interpreted as part of the \u003ccode\u003ednsmasq\u003c/code\u003e configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution, potentially allowing them to install malware, modify system files, or pivot to other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves complete control of the Pi-hole server, enabling them to intercept DNS traffic, redirect users to malicious websites, or exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35519 allows an authenticated attacker to achieve arbitrary code execution on the Pi-hole server. This can lead to a full system compromise, allowing the attacker to install malware, steal sensitive data, or disrupt network services. Given Pi-hole's role as a DNS server, a successful attack could affect all devices on the network that rely on Pi-hole for DNS resolution. There is no information regarding the number of victims or specific sectors targeted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Pi-hole FTL to version 6.6 or later to patch CVE-2026-35519.\u003c/li\u003e\n\u003cli\u003eMonitor Pi-hole logs for suspicious activity related to DNS settings modifications. Enable logging for web interface access attempts and configuration changes (reference: Pi-hole documentation).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Suspicious Dnsmasq Configuration Changes\u0026quot; to identify potentially malicious modifications to the dnsmasq configuration file.\u003c/li\u003e\n\u003cli\u003eImplement strong authentication measures for the Pi-hole web interface to prevent unauthorized access. Use strong passwords and consider enabling multi-factor authentication where possible (reference: Pi-hole documentation).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-31T12:00:00Z","date_published":"2024-01-31T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-pihole-rce/","summary":"A remote code execution vulnerability exists in Pi-hole FTL versions 6.0 to before 6.6, where an authenticated attacker can inject arbitrary dnsmasq configuration directives through newline characters in the DNS host record configuration parameter, leading to command execution on the underlying system.","title":"Pi-hole FTL Remote Code Execution Vulnerability (CVE-2026-35519)","url":"https://feed.craftedsignal.io/briefs/2024-01-pihole-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Pi-Hole","version":"https://jsonfeed.org/version/1.1"}