# [CRIT] [GHSA / CRITICAL] CVE-2026-45369: utcp-cli Vulnerable to Command Injection via Unsanitized Argument Substitution in CLI Communication Protocol **Source:** GitHub Security Advisories **Published:** 2026-05-14 **Article:** https://github.com/advisories/GHSA-33p6-5jxp-p3x4 ## Threat Profile utcp-cli Vulnerable to Command Injection via Unsanitized Argument Substitution in CLI Communication Protocol ## Summary The `_substitute_utcp_args` method in `cli_communication_protocol.py` inserts user-controlled `tool_args` values directly into shell command strings without any sanitization or escaping. These commands are then executed via `/bin/bash -c` (Unix) or `powershell.exe -Command` (Windows), allowing an attacker to inject arbitrary shell commands. ## Affected File `plugins/communi… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2026-45369` ## MITRE ATT&CK Techniques - **T1190** — Exploit Public-Facing Application - **T1059.001** — PowerShell - **T1027** — Obfuscated Files or Information - **T1204.002** — User Execution: Malicious File - **T1059.004** — Command and Scripting Interpreter: Unix Shell - **T1068** — Exploitation for Privilege Escalation - **T1059.006** — Command and Scripting Interpreter: Python ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### utcp-cli command injection via UTCP_ARG substitution in python→bash -c CMD_N_OUTPUT script `UC_288_3` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=t count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name IN ("python","python3","python3.9","python3.10","python3.11","python3.12","python.exe","pythonw.exe")) AND (Processes.process_name IN ("bash","sh","dash","powershell.exe","pwsh.exe")) AND Processes.process="*CMD_*_OUTPUT=$(*" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_path | `drop_dm_object_name(Processes)` | rex field=process "CMD_\d+_OUTPUT=\$\((?[^)]+)\)" | eval injected=if(match(substituted,"(?i)(;\s*(curl|wget|nc|bash|sh|python|perl|powershell|base64|chmod|chown)|`[^`]+`|\$\(\s*(cat|curl|wget|whoami|id|uname|hostname|base64|nc)|\|\s*(sh|bash|nc|base64|tee)|>\s*/(tmp|var|dev|etc)|/etc/(passwd|shadow|hosts)|&&\s*(curl|wget|nc|bash))"),1,0) | where injected=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime dest user parent_process_name parent_process process_name process substituted ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName matches regex @"(?i)^python(3(\.\d+)?)?(\.exe|w\.exe)?$" | where FileName in~ ("bash","sh","dash","powershell.exe","pwsh.exe") | where ProcessCommandLine matches regex @"CMD_\d+_OUTPUT=\$\(" // utcp-cli's signature script template | extend Substituted = extract(@"CMD_\d+_OUTPUT=\$\(([^)]+)\)", 1, ProcessCommandLine) | where ProcessCommandLine matches regex @"(?i)(;\s*(curl|wget|nc|bash|sh|python|perl|powershell|base64|chmod|chown)|`[^`]+`|\$\(\s*(cat|curl|wget|whoami|id|uname|hostname|base64|nc)|\|\s*(sh|bash|nc|base64|tee)|>\s*/(tmp|var|dev|etc)|/etc/(passwd|shadow|hosts)|&&\s*(curl|wget|nc|bash))" | project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ProcessCommandLine, Substituted, SHA256 | order by Timestamp desc ``` ### Vulnerable utcp-cli package (<= 1.1.1) inventory hunt for CVE-2026-45369 `UC_288_4` · phase: **recon** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=t count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as sample_cmd from datamodel=Endpoint.Processes where Processes.process_name IN ("python","python3","python3.9","python3.10","python3.11","python3.12","python.exe","pip","pip3") AND (Processes.process="*utcp_cli*" OR Processes.process="*utcp-cli*" OR Processes.process="*-m utcp*") by Processes.dest Processes.user Processes.process_name | `drop_dm_object_name(Processes)` | rex field=sample_cmd "utcp[-_]cli[=<>]+(?\d+\.\d+\.\d+)" | eval vulnerable=case(isnotnull(version) AND match(version,"^(0\.|1\.0\.|1\.1\.[01])$"),"yes",isnull(version),"unknown_check_pip_freeze",1=1,"no") | where vulnerable!="no" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime dest user process_name version vulnerable sample_cmd ``` **Defender KQL:** ```kql // Approach A — TVM software inventory (fast, no host scan) DeviceTvmSoftwareInventory | where SoftwareVendor in~ ("universal-tool-calling-protocol","utcp","pypi") | where SoftwareName has "utcp" and SoftwareName has "cli" | extend V = split(SoftwareVersion, ".") | extend Major = toint(V[0]), Minor = toint(V[1]), Patch = toint(V[2]) | where Major < 1 or (Major == 1 and Minor == 0) or (Major == 1 and Minor == 1 and Patch <= 1) | project DeviceName, OSPlatform, SoftwareName, SoftwareVersion | union ( // Approach B — fallback: pip install / runtime invocation evidence DeviceProcessEvents | where Timestamp > ago(30d) | where InitiatingProcessFileName matches regex @"(?i)^(pip3?|python(3(\.\d+)?)?)(\.exe)?$" or FileName matches regex @"(?i)^(pip3?|python(3(\.\d+)?)?)(\.exe)?$" | where ProcessCommandLine has_any ("utcp_cli","utcp-cli") | summarize Hosts = make_set(DeviceName), LastSeen = max(Timestamp), SampleCmd = any(ProcessCommandLine) by FileName | mv-expand DeviceName = Hosts to typeof(string) | project DeviceName, OSPlatform="", SoftwareName="utcp-cli (cmdline-evidence)", SoftwareVersion=tostring(SampleCmd) ) | order by DeviceName asc ``` ### PowerShell encoded / obfuscated command `UC_PS_OBFUSCATED` · phase: **exploit** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("powershell.exe","pwsh.exe") AND (Processes.process="*-enc *" OR Processes.process="*EncodedCommand*" OR Processes.process="*FromBase64String*" OR Processes.process="*-nop*" OR Processes.process="*-w hidden*" OR Processes.process="*Invoke-Expression*" OR Processes.process="*IEX(*" OR Processes.process="*DownloadString*" OR Processes.process="*Net.WebClient*") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where AccountName !endswith "$" | where FileName in~ ("powershell.exe","pwsh.exe") | where ProcessCommandLine matches regex @"(?i)(-enc|encodedcommand|frombase64string|-nop|-w\s+hidden|invoke-expression|iex\s*\(|downloadstring|net\.webclient)" | project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine ``` ### Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-45369: utcp-cli Vulnerable to Command Injection via U `UC_288_2` · phase: **exploit** · confidence: **High** **Splunk SPL (CIM):** ```spl ``` Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-45369: utcp-cli Vulnerable to Command Injection via U ``` | tstats `summariesonly` count earliest(_time) AS firstTime latest(_time) AS lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("cli_communication_protocol.py","script.py")) by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name, Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | append [ | tstats `summariesonly` count from datamodel=Endpoint.Filesystem where Filesystem.action IN ("created","modified") AND (Filesystem.file_path="*/etc/passwd*" OR Filesystem.file_name IN ("cli_communication_protocol.py","script.py")) by Filesystem.dest, Filesystem.user, Filesystem.process_name, Filesystem.file_path, Filesystem.file_name | `drop_dm_object_name(Filesystem)` ] ``` **Defender KQL:** ```kql // Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-45369: utcp-cli Vulnerable to Command Injection via U // Hunts the actual binaries / paths / commandline fragments named // in the article instead of a generic technique-class template. DeviceProcessEvents | where Timestamp > ago(30d) | where (FileName in~ ("cli_communication_protocol.py", "script.py")) | project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc // File-creation events for the named binaries / paths DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileModified") | where (FolderPath has_any ("/etc/passwd") or FileName in~ ("cli_communication_protocol.py", "script.py")) | project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2026-45369` ## Why this matters Severity classified as **CRIT** based on: CVE present, 5 use case(s) fired, 7 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.