CISA flags data-theft bug in NSA-built OT networking tool
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a data-disclosure vulnerability, CVE-2026-6807, in GrassMarlin, an operational technology networking tool developed by the NSA. The flaw stems from insufficient hardening in the XML parsing process, potentially allowing attackers to extract sensitive information through malicious XML files. Since GrassMarlin reached end-of-life in 2017, no patches will be released, and CISA advises organizations to isolate affected systems and secure remote access.
- CISA has identified a vulnerability, CVE-2026-6807 (CVSS score 5.5), in the NSA-built GrassMarlin tool that could lead to disclosure of sensitive information.
- The vulnerability is due to insufficient hardening in the XML parsing process, making it susceptible to XML External Entity (XXE) attacks.
- GrassMarlin has been end-of-life since 2017, and no fixes are being developed for the vulnerability.
- A proof-of-concept exploit for CVE-2026-6807 has been published on GitHub by Anna Quinn, a penetration tester at Rapid7.
- CISA recommends isolating control systems from business networks, blocking internet accessibility, and securing remote access to mitigate risks.
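Because no patch will ship, one defender-side control is to screen XML files for DTD and entity declarations before an unpatchable parser ever reads them. The checker below is an added example written for this summary, not code from GrassMarlin, CISA or the published proof of concept; it only reports what a document declares and never resolves anything, and the sample documents and the file path inside them are constructed placeholders.

```python
"""Pre-screen XML for the DTD constructs that make XXE possible, so an
EOL tool that cannot be patched is never handed such a file."""
import xml.parsers.expat as expat


def screen_xml(data: bytes) -> list[str]:
    """Return findings about DTD/entity use; an empty list means no risk found."""
    findings: list[str] = []
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # A DOCTYPE is the only place entities can be declared.
        if sysid or pubid:
            findings.append(f"external DTD: {sysid or pubid}")
        elif has_internal_subset:
            findings.append("internal DTD subset")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter" if is_param else "general"
        if sysid or pubid:  # SYSTEM/PUBLIC identifier = external resource
            findings.append(f"external {kind} entity '{name}' -> {sysid or pubid}")
        else:
            findings.append(f"internal {kind} entity '{name}'")

    def on_external_ref(context, base, sysid, pubid):
        # Called when content references an external entity; we record it
        # and return 1 so expat continues WITHOUT fetching the resource.
        findings.append(f"content references external entity: {sysid}")
        return 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        findings.append(f"malformed XML: {exc}")
    return findings


# Constructed samples: a document declaring an external entity, and a clean one.
RISKY = b"""<?xml version="1.0"?>
<!DOCTYPE netmap [
  <!ENTITY ext SYSTEM "file:///CONSTRUCTED/placeholder.txt">
]>
<netmap><host name="plc-01">&ext;</host></netmap>"""

CLEAN = b"""<?xml version="1.0"?>
<netmap><host name="plc-01">10.0.0.5</host></netmap>"""
```

Any non-empty result is a reason to quarantine the file rather than open it in the tool.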
Opening excerpt (first ~120 words)
CISA flags data-theft bug in NSA-built OT networking tool

GrassMarlin leaks sensitive information, provided your targeting phishing skills are sharp enough

Connor Jones, Wed 29 Apr 2026 // 15:35 UTC

The Cybersecurity and Infrastructure Security Agency (CISA) is warning anyone who uses GrassMarlin, a tool developed by the National Security Agency (NSA), about a new vulnerability that attackers can use to snoop on sensitive information.

First reported by Grady DeRosa, senior industrial pentester at Dragos, the weak spot affects all versions of GrassMarlin, a tool developed and open-sourced by the NSA to support network security at critical infrastructure organizations, industrial control systems, and SCADA networks. GrassMarlin went EOL in 2017, so there are no fixes in the works.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at The Register.