# [CRIT] [GHSA / CRITICAL] CVE-2026-47731: NASA AMMOS Instrument Toolkit: Path traversal resulting in arbitrary file append (can be triggered over the network by unauthenticated attacker) **Source:** GitHub Security Advisories **Published:** 2026-06-05 **Article:** https://github.com/advisories/GHSA-p462-prxw-mjx4 ## Threat Profile NASA AMMOS Instrument Toolkit: Path traversal resulting in arbitrary file append (can be triggered over the network by unauthenticated attacker) ## 1. Summary The Binary Stream Capture (BSC) component exposes an unauthenticated HTTP API for dynamically creating packet capture “handlers.” Because the code blindly trusts path‑related form fields, a remote client can: - **Bypass the configured log root** and direct BSC to log to **arbitrary filesystem paths** (path traversal / directory escape),… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2026-47731` ## MITRE ATT&CK Techniques - **T1190** — Exploit Public-Facing Application - **T1204.002** — User Execution: Malicious File - **T1565.001** — Data Manipulation: Stored Data Manipulation - **T1071.001** — Application Layer Protocol: Web Protocols - **T1659** — Content Injection ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### Unauthenticated POST to AIT-BSC //start with path-traversal form fields (CVE-2026-47731) `UC_116_2` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count min(_time) as first_seen max(_time) as last_seen values(Web.url) as urls values(Web.http_user_agent) as user_agents from datamodel=Web where Web.http_method=POST AND (Web.uri_path="*/start" OR Web.url="*/start*") by Web.src Web.dest Web.uri_path Web.uri_query Web.url | `drop_dm_object_name(Web)` | where match(uri_path, "(?i)^/[^/]+/start$") AND (match(uri_query, "(?i)(log_dir_path|file_name_pattern|path)=") AND (match(uri_query, "(?i)(\.\.|%2e%2e|=%2[Ff]|=/etc/|=/home/|=/root/|=/var/|=/tmp/|=/usr/)") OR match(url, "(?i)(\.\.|%2e%2e)"))) | stats values(urls) as urls values(user_agents) as user_agents min(first_seen) as first_seen max(last_seen) as last_seen sum(count) as hits by src dest uri_path | sort - last_seen ``` **Defender KQL:** ```kql DeviceNetworkEvents | where Timestamp > ago(7d) | where ActionType in ("InboundConnectionAccepted","ConnectionFound","ListeningConnectionCreated") | where InitiatingProcessFileName matches regex @"(?i)^(python(3(\.\d+)?)?|ait-bsc)(\.exe)?$" | where InitiatingProcessCommandLine has_any ("ait-bsc","ait.core.bsc","ait_bsc","StreamCaptureManagerServer","bsc.yaml") | where RemoteIPType == "Public" | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), Sessions=count(), AnyLocalPort=any(LocalPort) by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP | order by FirstSeen desc ``` ### ait-bsc outbound TCP to public/non-baseline destination (attacker-supplied loc port) `UC_116_3` · phase: **c2** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count min(_time) as first_seen max(_time) as last_seen sum(All_Traffic.bytes_out) as bytes_out values(All_Traffic.process) as processes from datamodel=Network_Traffic where (All_Traffic.process_name="python*" OR All_Traffic.process_name="ait-bsc*" OR All_Traffic.app="ait-bsc") AND All_Traffic.direction="outbound" AND NOT (All_Traffic.dest="10.0.0.0/8" OR All_Traffic.dest="172.16.0.0/12" OR All_Traffic.dest="192.168.0.0/16" OR All_Traffic.dest="127.0.0.0/8" OR All_Traffic.dest="169.254.0.0/16") by All_Traffic.src All_Traffic.dest All_Traffic.dest_port All_Traffic.transport All_Traffic.process_name | `drop_dm_object_name(All_Traffic)` | where match(mvjoin(processes, " "), "(?i)ait[-_.]?bsc|ait\.core\.bsc|StreamCaptureManager") | stats min(first_seen) as first_seen max(last_seen) as last_seen sum(count) as sessions sum(bytes_out) as bytes_out values(processes) as processes by src dest dest_port transport process_name | sort - first_seen ``` **Defender KQL:** ```kql DeviceNetworkEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName matches regex @"(?i)^(python(3(\.\d+)?)?|ait-bsc)(\.exe)?$" | where InitiatingProcessCommandLine has_any ("ait-bsc","ait.core.bsc","ait_bsc","StreamCaptureManagerServer","bsc.yaml") | where ActionType in ("ConnectionSuccess","ConnectionAttempt","ConnectionRequest") | where RemoteIPType == "Public" | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), Sessions=count(), DistinctRemotes=dcount(RemoteIP) by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort | order by FirstSeen desc ``` ### Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47731: NASA AMMOS Instrument Toolkit: Path traversal `UC_116_1` · phase: **exploit** · confidence: **High** **Splunk SPL (CIM):** ```spl ``` Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-47731: NASA AMMOS Instrument Toolkit: Path traversal ``` | tstats `summariesonly` count earliest(_time) AS firstTime latest(_time) AS lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("python_poc.py","attacker_tcp.py","dmc.py")) by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name, Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | append [ | tstats `summariesonly` count from datamodel=Endpoint.Filesystem where Filesystem.action IN ("created","modified") AND (Filesystem.file_path="*/home/user/...*" OR Filesystem.file_path="*/home/elias/ait-venv/...*" OR Filesystem.file_path="*/home/elias/ait-venv/.../dmc.py*" OR Filesystem.file_path="*/var/opt/ait-bsc/logs*" OR Filesystem.file_path="*/usr/bin/env*" OR Filesystem.file_path="*/home/elias/ait-venv/lib/python3.10/site-packages/ait/core/*" OR Filesystem.file_name IN ("python_poc.py","attacker_tcp.py","dmc.py")) by Filesystem.dest, Filesystem.user, Filesystem.process_name, Filesystem.file_path, Filesystem.file_name | `drop_dm_object_name(Filesystem)` ] ``` **Defender KQL:** ```kql // Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-47731: NASA AMMOS Instrument Toolkit: Path traversal // Hunts the actual binaries / paths / commandline fragments named // in the article instead of a generic technique-class template. DeviceProcessEvents | where Timestamp > ago(30d) | where (FileName in~ ("python_poc.py", "attacker_tcp.py", "dmc.py")) | project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc // File-creation events for the named binaries / paths DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileModified") | where (FolderPath has_any ("/home/user/...", "/home/elias/ait-venv/...", "/home/elias/ait-venv/.../dmc.py", "/var/opt/ait-bsc/logs", "/usr/bin/env", "/home/elias/ait-venv/lib/python3.10/site-packages/ait/core/") or FileName in~ ("python_poc.py", "attacker_tcp.py", "dmc.py")) | project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2026-47731` ## Why this matters Severity classified as **CRIT** based on: CVE present, 4 use case(s) fired, 5 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.