# [CRIT] [GHSA / CRITICAL] CVE-2026-46621: Yamcs Vulnerable to Authenticated Remote Code Execution (RCE) via Jython Algorithm Code Injection **Source:** GitHub Security Advisories **Published:** 2026-05-27 **Article:** https://github.com/advisories/GHSA-2g95-6x5q-xjwj ## Threat Profile Yamcs Vulnerable to Authenticated Remote Code Execution (RCE) via Jython Algorithm Code Injection ### Summary A Server-Side Code Injection vulnerability exists in the Yamcs script evaluation engine for Python algorithms. The application dynamically compiles and evaluates user-controlled algorithm text using Jython (via the JSR-223 ScriptEngine API) without enforcing a secure sandbox. An authenticated user with the `ChangeMissionDatabase` privilege can exploit this by overriding the algorithm lo… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2026-46621` ## MITRE ATT&CK Techniques - **T1190** — Exploit Public-Facing Application - **T1021.002** — SMB/Windows Admin Shares - **T1569.002** — Service Execution - **T1219** — Remote Access Software - **T1204.002** — User Execution: Malicious File - **T1059.006** — Command and Scripting Interpreter: Python - **T1078** — Valid Accounts - **T1059.004** — Command and Scripting Interpreter: Unix Shell - **T1071.001** — Application Layer Protocol: Web Protocols - **T1105** — Ingress Tool Transfer ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### Yamcs MDB algorithm PATCH with embedded Jython java.lang.Runtime payload (CVE-2026-46621) `UC_191_4` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime values(Web.url) as url values(Web.src) as src values(Web.user) as user values(Web.http_user_agent) as ua from datamodel=Web where Web.http_method=PATCH Web.url="*/api/mdb/*/realtime/algorithms/*" by Web.dest Web.url Web.src Web.user | `drop_dm_object_name(Web)` | join type=inner dest [ search index=* sourcetype=*access* method=PATCH uri_path="*/api/mdb/*/realtime/algorithms/*" ("java.lang.Runtime" OR "getRuntime" OR "import java" OR "Runtime.getRuntime" OR "exec([\"bash\"" OR "exec([\"sh\"") | stats values(uri_path) as uri_path values(http_request_body) as body by dest ] | table firstTime lastTime src user dest url ua body ``` **Defender KQL:** ```kql // Yamcs runs as a JVM; web traffic to its REST API is usually proxied or visible as DeviceNetworkEvents to TCP/8090. Defender's HTTP-body visibility is limited — pair with the WAF/reverse-proxy log source. DeviceNetworkEvents | where Timestamp > ago(7d) | where RemotePort == 8090 or LocalPort == 8090 | where InitiatingProcessFileName !in~ ("java.exe","java") | where AdditionalFields has_any ("PATCH","/api/mdb/","/realtime/algorithms/") | project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort, LocalPort, AdditionalFields | order by Timestamp desc ``` ### Yamcs JVM spawns shell or network utility (CVE-2026-46621 post-exploitation) `UC_191_5` · phase: **install** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as cmdline values(Processes.process_path) as process_path values(Processes.user) as user from datamodel=Endpoint.Processes where (Processes.parent_process_name IN ("java","java.exe","jython")) AND (Processes.process_name IN ("bash","sh","dash","zsh","curl","wget","nc","ncat","python","python3","perl","powershell.exe","cmd.exe")) by Processes.dest Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name(Processes)` | where like(parent_process,"%yamcs%") OR like(parent_process,"%jython%") OR like(cmdline,"%yamcs%") OR like(cmdline,"%algorithm%") | table firstTime lastTime dest user parent_process process_name cmdline ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName in~ ("java","java.exe","jython") | where FileName in~ ("bash","sh","dash","zsh","curl","wget","nc","ncat","python","python3","perl","powershell.exe","cmd.exe","pwsh","pwsh.exe") | where InitiatingProcessCommandLine has_any ("yamcs","jython","algorithm","ScriptEngine","AlgorithmManager") or InitiatingProcessFolderPath has_any ("yamcs","jython") | project Timestamp, DeviceName, AccountName, ParentImage = InitiatingProcessFolderPath, ParentCmd = InitiatingProcessCommandLine, ChildImage = FolderPath, ChildCmd = ProcessCommandLine, SHA256 | order by Timestamp desc ``` ### Yamcs Java process beacons to webhook / interact / tunneling service (CVE-2026-46621 C2) `UC_191_6` · phase: **c2** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.dest) as dest values(All_Traffic.dest_port) as dest_port values(All_Traffic.app) as app values(All_Traffic.process) as process values(All_Traffic.process_name) as process_name from datamodel=Network_Traffic where (All_Traffic.process_name IN ("java","java.exe","jython","curl","curl.exe","wget","wget.exe")) by All_Traffic.src All_Traffic.dest_host All_Traffic.process_name | `drop_dm_object_name(All_Traffic)` | where match(dest_host,"(?i)(webhook\.site|requestbin|interact\.sh|interactsh|oast\.fun|oast\.live|burpcollaborator\.net|ngrok\.io|ngrok-free\.app|trycloudflare\.com|beeceptor\.com|pipedream\.net|requestcatcher\.com)") | table firstTime lastTime src process_name dest_host dest_port count ``` **Defender KQL:** ```kql let oobDomains = dynamic(["webhook.site","requestbin.com","requestbin.net","en7","interact.sh","interactsh","oast.fun","oast.live","oast.me","oast.online","oast.pro","oast.site","burpcollaborator.net","ngrok.io","ngrok-free.app","trycloudflare.com","beeceptor.com","pipedream.net","requestcatcher.com"]); DeviceNetworkEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName in~ ("java","java.exe","jython","curl","curl.exe","wget","wget.exe") | where (RemoteUrl has_any (oobDomains)) or (isnotempty(AdditionalFields) and AdditionalFields has_any (oobDomains)) | project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, RemoteIP, RemotePort, RemoteUrl, Protocol | order by Timestamp desc ``` ### Remote service execution — PsExec / SMB lateral movement `UC_LATERAL_PSEXEC` · phase: **actions** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("psexec.exe","psexesvc.exe","paexec.exe","smbexec.py") OR (Processes.process_name="wmic.exe" AND Processes.process="*/node:*") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where AccountName !endswith "$" | where FileName in~ ("psexec.exe","psexesvc.exe","paexec.exe","smbexec.py") or (FileName =~ "wmic.exe" and ProcessCommandLine has "/node:") | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName | order by Timestamp desc ``` ### RMM tool installed by non-IT user — remote-access utility for hands-on-keyboard `UC_RMM_TOOLS` · phase: **install** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("AnyDesk.exe","TeamViewer.exe","TeamViewer_Service.exe", "ScreenConnect.ClientService.exe","ConnectWiseControl.ClientService.exe", "atera_agent.exe","SplashtopStreamer.exe","RustDesk.exe","NinjaOne.exe","kaseya*.exe") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where AccountName !endswith "$" | where FileName in~ ("AnyDesk.exe","TeamViewer.exe","TeamViewer_Service.exe", "ScreenConnect.ClientService.exe","ConnectWiseControl.ClientService.exe", "atera_agent.exe","SplashtopStreamer.exe","RustDesk.exe","NinjaOne.exe") or FileName matches regex @"(?i)kaseya.*\.exe" | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine ``` ### Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-46621: Yamcs Vulnerable to Authenticated Remote Code `UC_191_3` · phase: **exploit** · confidence: **High** **Splunk SPL (CIM):** ```spl ``` Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-46621: Yamcs Vulnerable to Authenticated Remote Code ``` | tstats `summariesonly` count earliest(_time) AS firstTime latest(_time) AS lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("simulator.py")) by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name, Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | append [ | tstats `summariesonly` count from datamodel=Endpoint.Filesystem where Filesystem.action IN ("created","modified") AND (Filesystem.file_name IN ("simulator.py")) by Filesystem.dest, Filesystem.user, Filesystem.process_name, Filesystem.file_path, Filesystem.file_name | `drop_dm_object_name(Filesystem)` ] ``` **Defender KQL:** ```kql // Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-46621: Yamcs Vulnerable to Authenticated Remote Code // Hunts the actual binaries / paths / commandline fragments named // in the article instead of a generic technique-class template. DeviceProcessEvents | where Timestamp > ago(30d) | where (FileName in~ ("simulator.py")) | project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc // File-creation events for the named binaries / paths DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileModified") | where (FileName in~ ("simulator.py")) | project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2026-46621` ## Why this matters Severity classified as **CRIT** based on: CVE present, 7 use case(s) fired, 10 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.