# [CRIT] [GHSA / CRITICAL] CVE-2026-55742: Cotonti: Cross-Site Request Forgery in the administration rights handler

**Source:** GitHub Security Advisories
**Published:** 2026-06-18
**Article:** https://github.com/advisories/GHSA-7g3p-35vc-mgjr

## Threat Profile

Cotonti: Cross-Site Request Forgery in the administration rights handler

Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the administration rights handler. In system/admin/admin.rights.php, the rights update action ('a=update') modifies group access rights (including via cot_auth_add_group) without calling cot_check_xg() to validate the anti-CSRF token. A remote attacker who lures an authenticated administrator into visiting a malicious page can for…
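The advisory's point is the missing token check before a state-changing admin action. The snippet below is an added illustration, not Cotonti's code: it sketches the handler shape described above, once without and once with an anti-CSRF check, so a reviewer can recognise the pattern. `check_xg()`, `csrf_token()` and `update_group_rights()` are hypothetical stand-ins; the real `cot_check_xg()` and `cot_auth_add_group()` implementations are not on the page, and the `x` parameter name is assumed from the hunt heading.

```php
<?php
// Added illustration (not Cotonti's code): a state-changing admin action that
// reads request parameters and updates group rights, shown without and with an
// anti-CSRF token check. All names except the advisory's cot_check_xg() are
// hypothetical stand-ins.

declare(strict_types=1);

session_start();

// Issue a per-session token; the admin UI embeds it in its links/forms as x=<token>.
function csrf_token(): string
{
    if (empty($_SESSION['x_token'])) {
        $_SESSION['x_token'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['x_token'];
}

// Stand-in for cot_check_xg(): true only when the request carries this session's
// token. hash_equals() keeps the comparison constant-time.
function check_xg(): bool
{
    $sent = (string) ($_GET['x'] ?? $_POST['x'] ?? '');
    return $sent !== '' && hash_equals(csrf_token(), $sent);
}

// Hypothetical persistence call standing in for cot_auth_add_group() and friends.
function update_group_rights(int $groupId, array $rights): void
{
    // ... write the new rights for $groupId to the auth table ...
}

// BEFORE: the vulnerable shape. Any request that arrives with an administrator's
// session cookie is honoured, including one a third-party page caused the browser
// to send.
function rights_update_unprotected(): void
{
    $groupId = (int) ($_POST['gid'] ?? 0);
    $rights  = (array) ($_POST['rights'] ?? []);
    update_group_rights($groupId, $rights);
}

// AFTER: refuse the state change unless the token check passes first.
function rights_update_protected(): void
{
    if (!check_xg()) {
        http_response_code(403);
        exit('Invalid or missing anti-CSRF token');
    }
    $groupId = (int) ($_POST['gid'] ?? 0);
    $rights  = (array) ($_POST['rights'] ?? []);
    update_group_rights($groupId, $rights);
}

// Dispatch: the advisory's action selector is a=update.
if (($_GET['a'] ?? '') === 'update') {
    rights_update_protected();
}
```

The check has to run before any write, not after; a handler that updates first and validates later still changes state on a forged request. The hunt queries later on this page key on exactly this property, a rights update request that carries no `x=` parameter at all.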

## Indicators of Compromise (high-fidelity only)

- **CVE:** `CVE-2026-55742`

## MITRE ATT&CK Techniques

- **T1190** — Exploit Public-Facing Application
- **T1098** — Account Manipulation
- **T1068** — Exploitation for Privilege Escalation
- **T1505.003** — Server Software Component: Web Shell
- **T1059** — Command and Scripting Interpreter

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### Cotonti CVE-2026-55742 CSRF rights update missing anti-CSRF token (x=)

`UC_68_1` · phase: **exploit** · confidence: **Medium** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Web.src) as src values(Web.http_referrer) as http_referrer values(Web.http_user_agent) as http_user_agent values(Web.http_method) as http_method values(Web.status) as status from datamodel=Web where Web.url="*admin.php*" Web.url="*m=rights*" Web.url="*a=update*" NOT (Web.url="*&x=*" OR Web.url="*?x=*") by Web.dest Web.uri_path | `drop_dm_object_name(Web)` | where status!="403" AND status!="404" | convert ctime(firstTime) ctime(lastTime)
```

### Cotonti web-server process spawning shell after CVE-2026-55742 admin takeover

`UC_68_2` · phase: **install** · confidence: **Medium** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes where (Processes.parent_process_name IN ("php.exe","php-cgi.exe","php-fpm","w3wp.exe","httpd.exe","nginx.exe","caddy.exe")) (Processes.process_name IN ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","bash","sh","net.exe","whoami.exe","certutil.exe")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name | `drop_dm_object_name(Processes)` | convert ctime(firstTime) ctime(lastTime)
```

**Defender KQL:**
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("php.exe","php-cgi.exe","w3wp.exe","httpd.exe","nginx.exe","caddy.exe")
| where FileName in~ ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","net.exe","whoami.exe","certutil.exe","bash.exe")
| where AccountName !endswith "$"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, SHA256
| order by Timestamp desc
```

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2026-55742`


## Why this matters

Severity classified as **CRIT** based on: CVE present, 3 use case(s) fired, 5 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.
