
CVE-2026-6807: NSA GRASSMARLIN XXE Vulnerability — Detection and Hardening Guide

Security Arsenal Team
April 30, 2026

The NSA's GRASSMARLIN is a pivotal tool for situational awareness within Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) environments. It provides defenders with the ability to visualize and manage network assets. However, CISA’s recent advisory (ICSA-26-118-01) exposes a significant chink in this armor: CVE-2026-6807.

This vulnerability, classified as an Improper Restriction of XML External Entity Reference (XXE), affects all versions of GRASSMARLIN, specifically identified in v3.2.1. While the CVSS v3 score of 5.5 might suggest a moderate severity, the context of deployment—Critical Infrastructure sectors worldwide—elevates the urgency. A successful exploit allows an attacker to disclose sensitive information, potentially undermining the very intelligence gathering the tool is designed to support. Defenders must act immediately to identify instances and apply hardening measures.

Technical Analysis

Affected Products & Versions

  • Product: NSA GRASSMARLIN
  • Affected Versions: vers:all/* (Specific vulnerability confirmed in v3.2.1)
  • Vendor: National Security Agency (NSA)

Vulnerability Details

  • CVE ID: CVE-2026-6807
  • CWE: CWE-611 (Improper Restriction of XML External Entity Reference)
  • CVSS v3 Score: 5.5 (Medium)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Attack Mechanics & Exploitation

The vulnerability resides in the handling of session data. The application parses XML input without sufficient hardening against External Entity (XXE) attacks.

  1. Ingestion: An attacker crafts malicious session data containing an XML DOCTYPE definition with a SYSTEM or ENTITY reference.
  2. Processing: The vulnerable GRASSMARLIN XML parser processes this input.
  3. Resolution: Because the parser is configured to resolve external entities, it attempts to retrieve the content specified by the attacker. This can be a local file (e.g., /etc/passwd, application configuration files) or an internal network resource (Server-Side Request Forgery).
  4. Exfiltration: The content of the file or the response from the internal request is embedded in the application’s response or error message, sent back to the attacker.

Exploitation Status

While active exploitation in the wild has not been explicitly confirmed in the advisory at this time, the public disclosure of the CVE and the tool's high-value target status (defensive infrastructure) make it a prime candidate for scanning and probing.

Detection & Response

Detecting XXE attacks at the network level is notoriously difficult because the malicious payload resides inside the application layer (HTTP/HTTPS body) and the exploit triggers often look like standard traffic. However, because XXE frequently requires an "Out-of-Band" (OOB) data retrieval to exfiltrate data (e.g., forcing the server to send data to an attacker-controlled server), we can hunt for the side effects: abnormal outbound network connections initiated by the application process.
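The hunting hypothesis above (outbound connections from the GRASSMARLIN Java process to addresses outside the internal ranges), implemented as an added Python example that is not part of the original advisory. The event shape, host names and addresses are constructed; the example also contrasts real CIDR containment with the string-prefix exclusions that first-draft rules tend to use, which both hide some public addresses and flag some private ones.

```python
import ipaddress
from dataclasses import dataclass

# Address ranges that are expected destinations for an internal ICS monitoring host:
# RFC 1918, loopback, link-local and their IPv6 equivalents. Anything else from the
# GRASSMARLIN process is worth a look.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")
]

# Process names accepted as the GRASSMARLIN Java host (Windows and Linux).
JAVA_IMAGES = {"java.exe", "javaw.exe", "java"}


@dataclass(frozen=True)
class NetEvent:
    """One endpoint network-connection record (constructed shape, not a vendor schema)."""
    host: str
    image: str        # full path of the initiating process
    cmdline: str      # command line of the initiating process
    initiated: bool   # True when the local process opened the connection (outbound)
    dest_ip: str
    dest_port: int


def is_internal(ip: str) -> bool:
    """True when ip falls inside one of INTERNAL_NETS, using real CIDR containment."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def naive_prefix_filter(ip: str) -> bool:
    """The string-prefix exclusion many first-draft rules use. Shown only to contrast
    with is_internal(): it hides 210.x.x.x (contains '10.') and misses 172.31.x.x."""
    return any(p in ip for p in ("192.168.", "10.", "172.16."))


def is_suspect(ev: NetEvent) -> bool:
    """Outbound connection from the GRASSMARLIN Java process to a non-internal address."""
    image_name = ev.image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image_name not in JAVA_IMAGES:
        return False
    if "grassmarlin" not in ev.cmdline.lower():   # other Java apps on the host are out of scope
        return False
    if not ev.initiated:                          # inbound connections are not exfiltration
        return False
    return not is_internal(ev.dest_ip)


def hunt(events: list) -> list:
    """Return the events that match the OOB-exfiltration hypothesis, in input order."""
    return [ev for ev in events if is_suspect(ev)]


# Constructed sample telemetry for two hosts; none of these addresses were observed anywhere.
GM_CMD = "javaw.exe -jar GrassMarlin.jar"
GM_IMG = r"C:\Program Files\Java\bin\javaw.exe"
SAMPLE_EVENTS = [
    NetEvent("ics-mon-01", GM_IMG, GM_CMD, True, "10.20.30.40", 102),      # internal: ignored
    NetEvent("ics-mon-01", GM_IMG, GM_CMD, True, "203.0.113.25", 80),      # public: suspect
    NetEvent("ics-mon-01", GM_IMG, GM_CMD, True, "210.5.5.5", 443),        # public, hidden by '10.' prefix
    NetEvent("ics-mon-01", GM_IMG, GM_CMD, True, "172.31.4.4", 8080),      # private, missed by '172.16.'
    NetEvent("ics-mon-01", GM_IMG, GM_CMD, False, "198.51.100.7", 49152),  # inbound: ignored
    NetEvent("ics-mon-01", r"C:\Program Files\Mozilla Firefox\firefox.exe", "firefox.exe",
             True, "203.0.113.9", 443),                                    # not Java: ignored
    NetEvent("ics-mon-02", "/usr/bin/java", "java -jar /opt/grassmarlin/GrassMarlin.jar",
             True, "198.51.100.77", 53),                                   # Linux host: suspect
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(f"{ev.host}: {ev.image} -> {ev.dest_ip}:{ev.dest_port}")
```

Running the block prints the three suspect rows. The same containment logic is what the `cidr` modifier in Sigma and `ipv4_is_in_any_range()` in KQL provide; if your rule engine only offers substring matching, anchor the prefixes (for example `10.` only at the start of the string) or the exclusions will be wrong in both directions.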

Sigma Rules

The following rules focus on the behavioral indicators of the Java process that hosts GRASSMARLIN making outbound connections characteristic of XXE data exfiltration or SSRF (Server-Side Request Forgery).

YAML
---
title: GRASSMARLIN Potential XXE OOB Data Exfiltration
id: 8a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects potential GRASSMARLIN XXE exploitation via outbound network connections from the Java host process to non-private addresses, indicative of Out-of-Band data exfiltration.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-118-01
  - https://attack.mitre.org/techniques/T1190/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.t1190
  - attack.exfiltration
  - attack.t1041
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Image|endswith:
      - '\java.exe'
      - '\javaw.exe'
    Initiated: 'true'
  # CIDR matching rather than string prefixes: a 'contains 10.' test also matches
  # 210.x.x.x, and '172.16.' covers only one /16 of the 172.16.0.0/12 private block.
  filter_main_private_ranges:
    DestinationIp|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
      - '127.0.0.0/8'
  condition: selection and not filter_main_private_ranges
falsepositives:
  - Legitimate administrative updates or plugin checks
  - Other Java applications on the same host (scope the rule to GRASSMARLIN hosts when deploying)
level: high
---
title: Linux GRASSMARLIN XML Parser Process Anomaly
id: 9c3d4e5f-6a7b-8c9d-0e1f-2a3b4c5d6e7f
status: experimental
description: Detects execution of network or scripting tools as child processes of the GRASSMARLIN parent process on Linux hosts.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-118-01
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentImage|contains: '/grassmarlin'
    Image|endswith:
      - '/curl'
      - '/wget'
      - '/python'
      - '/python3'
      - '/perl'
  condition: selection
falsepositives:
  - Authorized administrative scripting
level: medium

KQL (Microsoft Sentinel / Defender)

This hunt query identifies outbound network connections from the GRASSMARLIN host to external IP addresses, which is a necessary step for XXE OOB data exfiltration. It assumes DeviceNetworkEvents are ingested via Microsoft Defender for Endpoint or similar sources.

KQL — Microsoft Sentinel / Defender
// Hunt for GRASSMARLIN XXE OOB Exfiltration Indicators
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("java.exe", "javaw.exe")   // GRASSMARLIN is Java-based
| where InitiatingProcessCommandLine has "grassmarlin"             // exclude other Java applications on the host
| where ActionType in ("ConnectionSuccess", "ConnectionRequest", "ConnectionFailed")
// Real CIDR containment; a substring test on "10." would also match 210.x.x.x
| where not(ipv4_is_in_any_range(RemoteIP, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"))
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemotePort, RemoteUrl, ActionType, InitiatingProcessCommandLine
| order by Timestamp desc

Velociraptor VQL

This artifact hunts for the presence of the vulnerable application and attempts to identify the configuration or version information to aid in remediation prioritization.

VQL — Velociraptor
-- Hunt for NSA GRASSMARLIN installation files and their timestamps (Linux install path).
-- OSPath is the current name of the path column; older releases expose it as FullPath.
SELECT
  OSPath,
  Size,
  Mtime,
  Mode
FROM glob(globs="/opt/grassmarlin/**")
WHERE NOT IsDir
LIMIT 50

-- Hunt for XML configuration or session files that carry a DTD or entity declaration
-- (Windows install path). read_file() here is the scalar function that returns the file content.
SELECT
  OSPath,
  read_file(filename=OSPath) AS Data
FROM glob(globs="C:/Program Files/GRASSMARLIN/**/*.xml")
WHERE Data =~ "<!DOCTYPE" OR Data =~ "<!ENTITY"

Remediation Script (PowerShell)

This PowerShell script checks if GRASSMARLIN is installed (checking common paths) and verifies the service status. If the server is identified, it applies a network-based workaround by blocking outbound internet access from the application host to mitigate XXE OOB attacks until a patch is applied.

PowerShell
#Requires -RunAsAdministrator
# Check for GRASSMARLIN Service and Apply Mitigations
Write-Host "[*] Checking for NSA GRASSMARLIN service..."

$serviceName = "Grassmarlin*"
$service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue

if ($service) {
    Write-Host "[!] ALERT: GRASSMARLIN service found: $($service.DisplayName)" -ForegroundColor Red
    Write-Host "[*] Service Status: $($service.Status)"

    # Identify the Java process hosting GRASSMARLIN (if running); it may run under java.exe or javaw.exe
    $process = Get-Process -Name "java", "javaw" -ErrorAction SilentlyContinue |
        Where-Object { $_.MainWindowTitle -like "*Grassmarlin*" } |
        Select-Object -First 1

    if ($process) {
        Write-Host "[*] Running Process ID: $($process.Id) ($($process.Path))"
    }

    # Mitigation: block outbound Internet traffic (Workaround for XXE OOB). The rule targets the
    # "Internet" address keyword so RFC 1918 / intranet traffic keeps flowing, and is scoped to the
    # GRASSMARLIN Java binary when that is known, so other processes on the host are unaffected.
    Write-Host "[*] Applying Network Hardening Mitigation..."
    $ruleName = "Block GRASSMARLIN Outbound - XXE Mitigation"
    $existingRule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue

    if (-not $existingRule) {
        $ruleParams = @{
            DisplayName   = $ruleName
            Direction     = "Outbound"
            Action        = "Block"
            Enabled       = "True"
            Profile       = "Any"
            InterfaceType = "Any"
            RemoteAddress = "Internet"   # Windows Firewall keyword: addresses outside the intranet
            Description   = "Mitigation for CVE-2026-6807. Block outbound traffic to prevent XXE data exfiltration. Update to patched version immediately."
        }
        if ($process -and $process.Path) {
            $ruleParams.Program = $process.Path
        }
        New-NetFirewallRule @ruleParams | Out-Null
        Write-Host "[+] Firewall rule '$ruleName' created successfully." -ForegroundColor Green
    } else {
        Write-Host "[-] Firewall rule '$ruleName' already exists."
    }

} else {
    Write-Host "[-] GRASSMARLIN service not found on this host."
}

Remediation

  1. Apply Updates: Monitor the official NSA GRASSMARLIN repository and CISA advisories for a patch addressing CVE-2026-6807. Apply the update immediately upon release.
  2. Network Segmentation (Workaround): If immediate patching is not possible, place the GRASSMARLIN server behind a strict firewall. Disallow outbound internet access from the GRASSMARLIN host. This effectively neutralizes the "Out-of-Band" data exfiltration vector required by most XXE attacks.
  3. Input Validation: Review the application configuration. Ensure that the XML parser is configured to disable DTDs (Document Type Definitions) and external entities entirely.
  4. Access Control: Restrict the ability to upload session data or XML files to the application to only trusted, internal IP addresses.
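The attack mechanics described earlier (a DOCTYPE carrying a SYSTEM entity that the parser resolves) and remediation step 3 (disable DTDs and external entities) come together in one added Python example. It is not GRASSMARLIN's code, which is Java; it shows the same hardening policy on Python's stdlib expat parser so it can be run here. The session-file schema and both inputs are constructed, and the entity target is a placeholder path that is never opened.

```python
import xml.parsers.expat as expat


class UntrustedXmlError(ValueError):
    """Raised when session XML carries a DTD, and so possibly an ENTITY/SYSTEM reference."""


def parse_session_xml(data: bytes) -> list:
    """Parse untrusted session XML with DTD processing disabled.

    Returns a flat list of (element name, attribute dict) in document order.
    Any DOCTYPE declaration aborts the parse, so no external entity can be
    resolved: the file or URL named in the document is never opened.
    """
    parser = expat.ParserCreate()
    elements = []

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Expat reports the DOCTYPE before it processes the subset; raising here stops parsing.
        raise UntrustedXmlError(f"DOCTYPE {doctype_name!r} is not permitted in session data")

    def reject_external_entity(context, base, system_id, public_id):
        # Unreachable once DOCTYPEs are rejected; kept as a second line of defence.
        raise UntrustedXmlError(f"external entity {system_id!r} is not permitted")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external_entity
    # Never expand parameter entities, the other route by which a DTD can pull in remote content.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartElementHandler = lambda name, attrs: elements.append((name, dict(attrs)))
    parser.Parse(data, True)
    return elements


def is_safe_session_xml(data: bytes) -> bool:
    """Gate for an import path: True only when the document parses under the hardened settings."""
    try:
        parse_session_xml(data)
    except (UntrustedXmlError, expat.ExpatError):
        return False
    return True


# Constructed inputs. The second mirrors the advisory's description (a DOCTYPE declaring a
# SYSTEM entity); its target is a placeholder path that nothing here ever reads.
BENIGN_SESSION = b'<?xml version="1.0"?><session name="plant-a"><node ip="10.0.0.5"/></session>'
DTD_SESSION = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE session [<!ENTITY ext SYSTEM "file:///placeholder/not-read">]>'
               b'<session>&ext;</session>')

if __name__ == "__main__":
    print(parse_session_xml(BENIGN_SESSION))
    print("DTD session accepted:", is_safe_session_xml(DTD_SESSION))
```

Rejecting the DOCTYPE outright, rather than trying to resolve entities safely, is the policy to look for when reviewing the application's configuration: in a JAXP `DocumentBuilderFactory` (the parser family a Java application such as GRASSMARLIN would use) the equivalent is `setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)`, which makes any DTD a parse error before entity resolution is ever attempted.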
