CISA Warns of Data-Theft Vulnerability in NSA's GrassMarlin Tool
Severity: Medium (Score: 54.9)
Sources: Theregister
Summary
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a vulnerability in GrassMarlin, an NSA-developed tool, that could allow attackers to access sensitive information. The vulnerability, tracked as CVE-2026-6807, affects all versions of GrassMarlin, which was open-sourced for network security in critical infrastructure. The flaw stems from insufficient hardening of the XML parsing process and can lead to data exfiltration through XML External Entity (XXE) attacks. GrassMarlin has been end-of-life (EOL) since 2017, so no fix is forthcoming. CISA advises users to secure their control systems and networks against potential exploitation. A proof-of-concept exploit has been developed and shared publicly; the vulnerability is exploited primarily via phishing. While the threat is significant, the bug may not pose a major risk to most organizations.
Key Points
- CISA warns of CVE-2026-6807 affecting all versions of GrassMarlin.
- GrassMarlin is an NSA-developed tool that has been EOL since 2017.
- Exploitation is possible through XML External Entity (XXE) attacks, primarily via phishing.
Key Entities
- Data Breach (attack_type)
- Phishing (attack_type)
- CVE-2026-6807 (cve)
- CWE-611 - Improper Restriction of XML External Entity Reference (XXE) (cwe)
- T1041 - Exfiltration Over C2 Channel (mitre_attack)
- T1566 - Phishing (mitre_attack)
- T1567 - Exfiltration Over Web Service (mitre_attack)
- Java (platform)
- XML (platform)
- GrassMarlin (tool)