Full Report
A Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-5131) has been found in GREENmod software.
Analysis Summary
# Vulnerability: SSRF in GREENmod via Insecure Named Pipes
## CVE Details
- **CVE ID**: CVE-2026-5131
- **CVSS Score**: Not explicitly provided in the article (High severity typical for this class)
- **CWE**: CWE-918 (Server-Side Request Forgery)
## Affected Systems
- **Products**: GREENmod (by Nomios Poland)
- **Versions**: All versions prior to 2.8.33
- **Configurations**: Windows-based installations where the GREENmod agent is running as a system service.
## Vulnerability Description
GREENmod utilizes named pipes to facilitate communication between its internal components, including plugins, the web portal, and the core system service. The software fails to implement proper Access Control Lists (ACLs) for these named pipes.
Due to these insecure permissions, an attacker can interact with the communication stream and upload arbitrary XML or JSON files. These files are subsequently processed via the named pipe under the security context of the service user (typically high privilege). This leads to a Server-Side Request Forgery (SSRF) flaw, enabling the attacker to force the system to communicate with any Windows machine via the SMB or WebDAV protocols.
## Exploitation
- **Status**: Reported via Coordinated Vulnerability Disclosure (CVD); no mention of active exploitation in the wild.
- **Complexity**: Low/Medium (Requires ability to interact with local named pipes).
- **Attack Vector**: Network/Local (The flaw involves inter-process communication, but the resulting SSRF impacts network-reachable Windows systems).
## Impact
- **Confidentiality**: High (Ability to pivot to other systems and potentially leak data/credentials via SMB/WebDAV).
- **Integrity**: Medium (Processing of unauthorized XML/JSON files).
- **Availability**: Low (Primary impact is focused on unauthorized communication and data relay).
## Remediation
### Patches
- **Version 2.8.33**: This version addresses the ACL configurations for named pipes. Users are urged to upgrade immediately.
### Workarounds
- No specific workarounds were provided in the advisory; updating to the patched version is the recommended course of action.
## Detection
- **Indicators of Compromise**: Monitor for unusual XML or JSON files being passed through named pipes associated with GREENmod.
- **Detection methods and tools**: Monitor for unexpected outbound SMB (TCP 445) or WebDAV (TCP 80/443) traffic originating from the GREENmod service account toward external or internal Windows systems.
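
The outbound-traffic check described above, as an added example (not code from the advisory or the vendor): it flags SMB and WebDAV flows from hosts running GREENmod to destinations outside an expected set. The flow-record format, the host names and the address ranges are constructed assumptions, and the match is by source host rather than by service account.

```python
import csv
import io
import ipaddress

# Constructed flow records (not from the advisory): time, source host, dest IP, dest port
SAMPLE_FLOWS = """\
2026-04-02T10:00:01Z,gm-agent-01,10.0.5.20,445
2026-04-02T10:00:07Z,gm-agent-01,10.0.9.77,445
2026-04-02T10:01:13Z,gm-agent-01,203.0.113.50,80
2026-04-02T10:02:30Z,gm-agent-01,10.0.5.21,443
2026-04-02T10:03:02Z,ws-114,10.0.9.77,445
2026-04-02T10:04:45Z,gm-agent-01,198.51.100.9,8443
"""

# Assumptions for illustration; replace with values from your environment.
GREENMOD_HOSTS = {"gm-agent-01"}                        # hosts running the agent
EXPECTED_DESTS = [ipaddress.ip_network("10.0.5.0/24")]  # servers it normally talks to
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]    # used only to label scope
WATCHED_PORTS = {445: "SMB", 80: "WebDAV/HTTP", 443: "WebDAV/HTTPS"}


def find_suspect_flows(text):
    """Return (time, host, dest, protocol, scope) for unexpected SMB/WebDAV flows."""
    alerts = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:
            continue  # skip malformed records
        ts, host, dst, port = (field.strip() for field in row)
        try:
            dst_ip = ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue  # unparseable address or port
        if host not in GREENMOD_HOSTS or port not in WATCHED_PORTS:
            continue
        if any(dst_ip in net for net in EXPECTED_DESTS):
            continue  # known-good destination
        scope = "internal" if any(dst_ip in n for n in INTERNAL_NETS) else "external"
        alerts.append((ts, host, str(dst_ip), WATCHED_PORTS[port], scope))
    return alerts


if __name__ == "__main__":
    for alert in find_suspect_flows(SAMPLE_FLOWS):
        print(*alert)
```
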
## References
- **Vendor**: Nomios Poland
- **CVE Record**: hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-5131
- **CERT Polska Advisory**: hxxps[://]cert[.]pl/en/posts/2026/04/vulnerability-in-greenmod/
- **CVD Policy**: hxxps[://]cert[.]pl/en/cvd/