{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/zevorn/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-16128"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["rt-claw 0.1","rt-claw 0.2.0"],"_cs_severities":["high"],"_cs_tags":["ssrf","vulnerability","webserver","remote-code-execution","information-disclosure"],"_cs_type":"advisory","_cs_vendors":["zevorn"],"content_html":"\u003cp\u003eA severe server-side request forgery (SSRF) vulnerability, tracked as CVE-2026-16128, has been identified in \u003ccode\u003ezevorn rt-claw\u003c/code\u003e software, specifically affecting versions up to and including 0.2.0. The flaw resides within the \u003ccode\u003ereceiver_thread\u003c/code\u003e function in the \u003ccode\u003ehttp_request\u003c/code\u003e component of \u003ccode\u003eclaw/services/swarm/swarm.c\u003c/code\u003e. This vulnerability allows a remote unauthenticated attacker to manipulate HTTP requests, compelling the vulnerable \u003ccode\u003ert-claw\u003c/code\u003e application to make arbitrary requests to internal or external systems from the server's perspective. An exploit for CVE-2026-16128 has been publicly released, increasing the risk of widespread attacks. The project maintainers were notified via an issue report but have not yet responded or released a patch, leaving affected systems exposed to potential data exfiltration, internal network reconnaissance, or further compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA remote attacker crafts a malicious HTTP request targeting a \u003ccode\u003ezevorn rt-claw\u003c/code\u003e instance running a vulnerable version (up to 0.2.0).\u003c/li\u003e\n\u003cli\u003eThe malicious request exploits a flaw in the \u003ccode\u003ereceiver_thread\u003c/code\u003e function within the \u003ccode\u003ehttp_request\u003c/code\u003e component.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ert-claw\u003c/code\u003e application processes the manipulated request, leading it to initiate an arbitrary HTTP request to a target specified by the attacker.\u003c/li\u003e\n\u003cli\u003eThis server-side request forgery (SSRF) allows the attacker to leverage the \u003ccode\u003ert-claw\u003c/code\u003e server as a proxy to access internal network resources (e.g., administrative interfaces, cloud metadata services, other internal APIs) that are otherwise inaccessible from outside.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ert-claw\u003c/code\u003e server returns the response from the internal or external target to the attacker, facilitating information disclosure or potential interaction with these services.\u003c/li\u003e\n\u003cli\u003eThe attacker can use the gained information or access to pivot further into the internal network, exfiltrate sensitive data, or potentially achieve remote code execution depending on the accessed services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-16128 can lead to significant information disclosure and network access within the victim's environment. Attackers can perform internal network reconnaissance, access sensitive internal services, retrieve credentials from cloud metadata services, and potentially interact with internal APIs or databases. Given that a public exploit is available and the vendor has not yet responded with a patch, organizations running \u003ccode\u003ezevorn rt-claw\u003c/code\u003e are at high risk of compromise, which could result in data breaches, further system compromise, and operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eOrganizations using \u003ccode\u003ezevorn rt-claw\u003c/code\u003e should immediately assess their deployments for versions up to 0.2.0, as these are affected by CVE-2026-16128.\u003c/li\u003e\n\u003cli\u003eIsolate affected systems from critical internal networks to minimize the blast radius of potential SSRF exploitation of CVE-2026-16128.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs (category \u003ccode\u003ewebserver\u003c/code\u003e) for unusual HTTP requests to \u003ccode\u003ezevorn rt-claw\u003c/code\u003e endpoints, specifically looking for crafted parameters that might indicate SSRF attempts related to CVE-2026-16128.\u003c/li\u003e\n\u003cli\u003eImplement egress filtering on network devices to prevent the \u003ccode\u003ezevorn rt-claw\u003c/code\u003e application from making outbound requests to unauthorized internal IP ranges or sensitive external services.\u003c/li\u003e\n\u003cli\u003eAs the vendor has not yet provided a patch for CVE-2026-16128, consider implementing web application firewall (WAF) rules to detect and block requests attempting to exploit this vulnerability by sanitizing or blocking suspicious URL parameters.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-18T17:18:59Z","date_published":"2026-07-18T17:18:59Z","id":"https://feed.craftedsignal.io/briefs/2026-07-zevorn-rt-claw-ssrf/","summary":"A server-side request forgery (SSRF) vulnerability, identified as CVE-2026-16128, exists in zevorn rt-claw versions up to and including 0.2.0. The flaw is located within the `receiver_thread` function of the `http_request` component in `claw/services/swarm/swarm.c`. This critical vulnerability allows remote attackers to perform server-side request forgery, and a public exploit is available, increasing the urgency for detection and mitigation efforts.","title":"Server-Side Request Forgery in zevorn rt-claw (CVE-2026-16128)","url":"https://feed.craftedsignal.io/briefs/2026-07-zevorn-rt-claw-ssrf/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-16125"},{"cvss":7.3,"id":"CVE-2026-16126"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["rt-claw \u003c= 0.2.0"],"_cs_severities":["high"],"_cs_tags":["server-side-request-forgery","vulnerability","web-application","ssrf","exploitation"],"_cs_type":"advisory","_cs_vendors":["zevorn"],"content_html":"\u003cp\u003eA significant server-side request forgery (SSRF) vulnerability, tracked as CVE-2026-16125, has been identified in zevorn rt-claw software, specifically impacting versions up to and including 0.2.0. This flaw exists within the \u003ccode\u003eclaw_net_get\u003c/code\u003e and \u003ccode\u003eclaw_net_post\u003c/code\u003e functions located in the \u003ccode\u003eclaw/services/tools/net.c\u003c/code\u003e file, part of the application's \u003ccode\u003ehttp_request\u003c/code\u003e component. Attackers can remotely exploit this vulnerability by manipulating the \u003ccode\u003eurl\u003c/code\u003e argument, leading to the application making requests to arbitrary internal or external destinations. This allows adversaries to bypass network access controls, gather sensitive information, or interact with services not intended for public exposure. An exploit for CVE-2026-16125 has been publicly released, increasing the urgency for users to address this vulnerability to prevent potential compromise of internal systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an internet-facing zevorn rt-claw application instance running version 0.2.0 or earlier.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a specially formed HTTP request targeting the vulnerable \u003ccode\u003eclaw_net_get\u003c/code\u003e or \u003ccode\u003eclaw_net_post\u003c/code\u003e functions.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a manipulated \u003ccode\u003eurl\u003c/code\u003e argument containing an arbitrary internal IP address, hostname, or sensitive service endpoint.\u003c/li\u003e\n\u003cli\u003eThe zevorn rt-claw application processes this malicious \u003ccode\u003eurl\u003c/code\u003e parameter without adequate validation or sanitization.\u003c/li\u003e\n\u003cli\u003eThe application's \u003ccode\u003ehttp_request\u003c/code\u003e component then makes an unintended, server-side outbound connection to the attacker-specified internal or external resource.\u003c/li\u003e\n\u003cli\u003eThis server-side request forgery (SSRF) allows the attacker to bypass network segmentation, probe internal services, or access metadata services (e.g., cloud instance metadata).\u003c/li\u003e\n\u003cli\u003eThe final objective can range from internal network reconnaissance and information disclosure to potential further exploitation of discovered internal services or exfiltration of sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful exploitation of CVE-2026-16125 can have severe consequences, rated with a CVSS v3.1 Base Score of 7.3 (High). The primary impact includes unauthorized access to internal network resources, bypassing network firewalls and segmentation. Attackers can use this vulnerability to perform port scanning of internal hosts, access sensitive web services, or retrieve cloud provider metadata, which often contains credentials or configuration details. This can lead to significant information disclosure, lateral movement within the network, and potentially complete system compromise, enabling further sophisticated attacks against the organization's infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-16125 immediately by updating zevorn rt-claw to a version greater than 0.2.0, once released by the vendor.\u003c/li\u003e\n\u003cli\u003eMonitor your webserver logs for the \u003ccode\u003ert-claw\u003c/code\u003e application for unusual \u003ccode\u003eurl\u003c/code\u003e parameters containing internal IP addresses, non-standard ports, or suspicious domain names.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-18T16:20:33Z","date_published":"2026-07-18T16:18:39Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-16125-rt-claw-ssrf/","summary":"A critical server-side request forgery (SSRF) vulnerability, identified as CVE-2026-16125, affects zevorn rt-claw versions up to and including 0.2.0, residing in the claw_net_get/claw_net_post functions within the http_request component, allowing remote attackers to manipulate the URL argument and access internal resources or perform port scanning.","title":"CVE-2026-16125: Server-Side Request Forgery in zevorn rt-claw","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-16125-rt-claw-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed - Zevorn","version":"https://jsonfeed.org/version/1.1"}