# [CRIT] [GHSA / CRITICAL] CVE-2026-46562: Yamcs Vulnerable to Remote Code Execution via Mission Database algorithm override

**Source:** GitHub Security Advisories
**Published:** 2026-05-27
**Article:** https://github.com/advisories/GHSA-vmwp-vh32-rj75

## Threat Profile

Yamcs Vulnerable to Remote Code Execution via Mission Database algorithm override

# Remote Code Execution via Mission Database algorithm override

## Summary

The Nashorn `ScriptEngine` used to evaluate user-supplied algorithm text in `MdbOverrideApi.updateAlgorithm` is constructed without a `ClassFilter`, allowing a user with the `ChangeMissionDatabase` privilege to execute arbitrary Java code on the Yamcs server. In Yamcs's default configuration (no `security.yaml`), the built-in `guest` user…
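The advisory's root cause is an engine built without a `ClassFilter`. The following is an added illustration (not Yamcs code and not the project's fix) of the weak construction beside a hardened one; the class name `AlgorithmEngineHardening`, the method names, and the use of the standalone `org.openjdk.nashorn` artifact are assumptions made here.

```java
// Added example, not Yamcs code: a Nashorn engine built with and without a
// ClassFilter. Assumes the standalone Nashorn artifact
// (org.openjdk.nashorn:nashorn-core) on JDK 15+; on JDK 8-14 the same API
// lives in jdk.nashorn.api.scripting.
import javax.script.ScriptEngine;
import org.openjdk.nashorn.api.scripting.ClassFilter;
import org.openjdk.nashorn.api.scripting.NashornScriptEngineFactory;

public class AlgorithmEngineHardening {

    // Weak form (the pattern the advisory describes): the default engine
    // exposes the whole JDK by name to script text, so anyone allowed to
    // submit algorithm text can reach arbitrary Java classes.
    static ScriptEngine unfilteredEngine() {
        return new NashornScriptEngineFactory().getScriptEngine();
    }

    // Hardened form: a ClassFilter that refuses every class name. Lookups such
    // as Java.type('...') then fail inside the script instead of resolving.
    // A real deployment may allow-list the few classes algorithms need.
    static ScriptEngine filteredEngine() {
        ClassFilter denyAll = className -> false;
        return new NashornScriptEngineFactory().getScriptEngine(denyAll);
    }

    // Self-check for a deployment: true when script text can reach a JDK
    // class by name. Uses a harmless probe (java.lang.Math) so the check
    // itself has no side effects.
    static boolean exposesJavaClassesByName(ScriptEngine engine) {
        try {
            engine.eval("Java.type('java.lang.Math').abs(-1)");
            return true;
        } catch (Exception e) {
            // Nashorn reports a denied lookup as a ScriptException (wrapping
            // ClassNotFoundException) or a runtime error; either means denied.
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("unfiltered engine exposes JDK classes: "
                + exposesJavaClassesByName(unfilteredEngine()));
        System.out.println("filtered engine exposes JDK classes:   "
                + exposesJavaClassesByName(filteredEngine()));
    }
}
```

The filter only gates class lookups by name. Any Java object placed into the engine's bindings is reachable regardless of the filter, so a hardened engine also needs its bindings reviewed, and the `ChangeMissionDatabase` privilege should not be granted to an unauthenticated default account.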

## Indicators of Compromise (high-fidelity only)

- **CVE:** `CVE-2026-46562`

## MITRE ATT&CK Techniques

- **T1190** — Exploit Public-Facing Application
- **T1204.002** — User Execution: Malicious File
- **T1059.007** — Command and Scripting Interpreter: JavaScript
- **T1059.004** — Command and Scripting Interpreter: Unix Shell
- **T1071.001** — Application Layer Protocol: Web Protocols
- **T1219** — Remote Access Software

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### Yamcs MdbOverrideApi algorithm PATCH carrying Nashorn Java.type RCE payload

`UC_192_2` · phase: **exploit** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime values(Web.url) as url values(Web.src) as src values(Web.dest) as dest from datamodel=Web.Web where Web.http_method=PATCH Web.url="*/api/mdb-overrides/*/algorithms/*" by Web.src Web.dest Web.user | `drop_dm_object_name(Web)` | join type=inner src dest [ search index=* sourcetype=*access* method=PATCH uri_path="*/api/mdb-overrides/*/algorithms/*" ("Java.type" OR "java.lang.Runtime" OR "getRuntime" OR "ProcessBuilder" OR "/dev/tcp/") | stats values(uri_path) as uri_path values(http_user_agent) as ua by src dest ] | convert ctime(firstTime) ctime(lastTime)
```

**Defender KQL:**
```kql
// Defender Advanced Hunting has no HTTP request-body table for Yamcs front-end logs; closest pivot is inbound TCP to port 8090 followed by java spawning a shell. See UC2/UC3 for the post-exploitation half.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType == "InboundConnectionAccepted"
| where LocalPort == 8090
| where InitiatingProcessFileName has_any ("java","java.exe")
| project Timestamp, DeviceName, RemoteIP, RemotePort, LocalPort, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```

### Yamcs JVM spawning a POSIX shell — Nashorn Runtime.exec post-exploitation

`UC_192_3` · phase: **install** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as cmd values(Processes.parent_process) as parent_cmd from datamodel=Endpoint.Processes where Processes.parent_process_name="java" Processes.process_name IN ("sh","bash","dash","zsh","nc","ncat","socat","python","python3","perl") (Processes.parent_process="*yamcs*" OR Processes.parent_process="*yamcs-core*" OR Processes.parent_process="*org.yamcs*") by host Processes.user Processes.parent_process_name Processes.process_name | `drop_dm_object_name(Processes)` | convert ctime(firstTime) ctime(lastTime)
```

**Defender KQL:**
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "java"
| where InitiatingProcessCommandLine has_any ("yamcs","org.yamcs","yamcs-core")
| where FileName in~ ("sh","bash","dash","zsh","nc","ncat","socat","python","python3","perl","ruby")
| project Timestamp, DeviceName, AccountName,
          ParentImage = InitiatingProcessFolderPath,
          ParentCmd   = InitiatingProcessCommandLine,
          ChildImage  = FolderPath,
          ChildCmd    = ProcessCommandLine,
          SHA256
| order by Timestamp desc
```

### Reverse-shell /dev/tcp file descriptor from Yamcs java process tree

`UC_192_4` · phase: **c2** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as cmd from datamodel=Endpoint.Processes where Processes.process_name IN ("bash","sh","dash","zsh") (Processes.process="*/dev/tcp/*" OR Processes.process="*/dev/udp/*") (Processes.parent_process_name="java" OR Processes.parent_process="*yamcs*" OR Processes.parent_process="*org.yamcs*") by host Processes.user Processes.parent_process_name Processes.process | `drop_dm_object_name(Processes)` | rex field=cmd "/dev/tcp/(?<rev_host>[^/\s]+)/(?<rev_port>\d+)" | convert ctime(firstTime) ctime(lastTime)
```

**Defender KQL:**
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("/dev/tcp/","/dev/udp/")
| where FileName in~ ("bash","sh","dash","zsh")
| where InitiatingProcessFileName =~ "java"
   or InitiatingProcessCommandLine has_any ("yamcs","org.yamcs","yamcs-core")
   or InitiatingProcessParentFileName =~ "java"
| extend RevHost = extract(@"/dev/(?:tcp|udp)/([^/\s]+)/\d+", 1, ProcessCommandLine)
| extend RevPort = extract(@"/dev/(?:tcp|udp)/[^/\s]+/(\d+)", 1, ProcessCommandLine)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, RevHost, RevPort,
          ParentImage = InitiatingProcessFolderPath, ParentCmd = InitiatingProcessCommandLine
| order by Timestamp desc
```

### Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-46562: Yamcs Vulnerable to Remote Code Execution via Mission Database algorithm override

`UC_192_1` · phase: **install** · confidence: **High**

**Splunk SPL (CIM):**
```spl
```Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-46562: Yamcs Vulnerable to Remote Code Execution via Mission Database algorithm override. Caveat: /dev/tcp/ is a bash pseudo-path, not a filesystem object, so the /dev/tcp/ clause is unlikely to fire in Filesystem events; UC_192_4 (process command line) is the reliable pivot for that behaviour.```
| tstats `summariesonly` count
    from datamodel=Endpoint.Filesystem
    where Filesystem.action IN ("created","modified")
      AND (Filesystem.file_path="*/usr/bin/env*" OR Filesystem.file_path="*/dev/tcp/*")
    by Filesystem.dest, Filesystem.user, Filesystem.process_name,
       Filesystem.file_path, Filesystem.file_name
| `drop_dm_object_name(Filesystem)`
```

**Defender KQL:**
```kql
// Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-46562: Yamcs Vulnerable to Remote Code Execution via Mission Database algorithm override
// Hunts the actual binaries / paths / commandline fragments named
// in the article instead of a generic technique-class template.
// Caveat: /dev/tcp/ is a bash pseudo-path, not a filesystem object, so it
// is unlikely to appear in DeviceFileEvents; UC_192_4 (process command line)
// is the reliable pivot for that behaviour.

// File-creation events for the named binaries / paths
DeviceFileEvents
| where Timestamp > ago(30d)
| where ActionType in ("FileCreated","FileModified")
| where (FolderPath has_any ("/usr/bin/env", "/dev/tcp/"))
| project Timestamp, DeviceName, AccountName, FolderPath,
          FileName, ActionType, InitiatingProcessFileName,
          InitiatingProcessCommandLine
| order by Timestamp desc
```

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2026-46562`


## Why this matters

Severity classified as **CRIT** based on: CVE present, 5 use case(s) fired, 6 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.
