Attack Chain

1. Attacker identifies a vulnerable RTGS2017 NagaAgent instance running version 5.1.0 or earlier.
2. The attacker crafts a malicious HTTP request targeting the Skills Endpoint.
3. The malicious request includes a Name argument with path traversal characters (e.g., ../, ..\\).
4. The application fails to properly sanitize the Name argument before using it to construct a file path.
5. The application attempts to access a file or directory outside of the intended base directory.
6. The attacker gains unauthorized access to sensitive files or directories on the server, potentially including configuration files or user data.
7. The attacker leverages the exposed information to further compromise the system or network.

Impact

Successful exploitation of this path traversal vulnerability allows attackers to read arbitrary files on the affected system. This can lead to the exposure of sensitive information such as configuration files, credentials, or user data. An attacker could potentially leverage this access to escalate privileges, move laterally within the network, or cause denial of service. The full scope of impact depends on the specific files and directories that are accessible to the attacker.

Recommendation

• Upgrade RTGS2017 NagaAgent to a patched version that addresses CVE-2026-7784 (if a patch becomes available).
• Implement input validation on the Name argument within the Skills Endpoint to prevent path traversal attacks.
• Deploy the Sigma rule “Detect RTGS2017 NagaAgent Path Traversal Attempt” to identify exploitation attempts.
• Monitor web server logs for suspicious requests containing path traversal sequences targeting the apiserver/routes/extensions.py endpoint.