Improper XML Input Handling in GRASSMARLIN by CISA
CVE-2026-6807

5.5MEDIUM

Key Information:

Vendor

Nsa

Vendor
CVE Published:
28 April 2026

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoCπŸ“° News Worthy

What is CVE-2026-6807?

A vulnerability exists in GRASSMARLIN v3.2.1 that arises from inadequate protection against the handling of XML input. Specifically, crafted session data can exploit this flaw, leading to the unintended exposure of sensitive information. The underlying issue is due to insufficient hardening in the XML parsing process, which can be manipulated to disclose data without proper authorization.

Affected Version(s)

GRASSMARLIN All versions

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

News Articles

NSA's GrassMarlin Tool Carries Hidden Data Leak Flaw, CISA Warns Critical Infrastructure Operators

CISA spotlighted CVE-2026-6807, a data-theft flaw in NSA's legacy GrassMarlin OT tool, enabling XXE attacks via malicious XML sessions. No patches exist for the end-of-life software still used in SCADA environments.

CISA flags data-theft bug in NSA-built OT networking tool

: GrassMarlin leaks sensitive information, provided your targeting phishing skills are sharp enough

References

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • πŸ“°

    First article discovered by theregister

  • Vulnerability published

  • Vulnerability Reserved

Credit

Grady DeRosa reported this vulnerability to CISA.
.