Cyber Threat Brief — March 9 2026
Generated: 2026-03-09 05:00 PT
Threats Covered: 4
Sources: GitHub PoC/exploit monitoring, X/Twitter threat intelligence, CISA KEV, Web search
1. GestioIP 3.5.7 — RCE via upload.cgi Backdoor Dropper (Metasploit PR)
Summary
A new Metasploit module PR landed today for a GestioIP 3.5.7 remote code execution (RCE) bug that behaves like an upload-to-webshell flow: the exploit writes a Perl CGI “backdoor” and then executes attacker-supplied commands taken from the query string. This is the kind of bug that turns into noisy-but-fast internet scanning the minute someone merges it — and it leaves very huntable web artifacts (a specific CGI path plus obviously weaponized query strings).
What’s New (Last 24 Hours)
Rapid7 Metasploit Framework PR #21041 (2026-03-09) adds an exploit module for GestioIP 3.5.7 RCE that drops a CGI backdoor and executes commands supplied via QUERY_STRING on a predictable endpoint.
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| `GET /gestioip/api/upload.cgi?<cmd>` | TTP | T1190 | Web server / reverse proxy logs | Hunt for requests to .../gestioip/api/upload.cgi where the query string looks like shell commands (e.g., whoami, id, curl, wget, bash, sh) |
| `<!-- CGI backdoor -->` | IOC | T1059 | Web content integrity monitoring / file integrity (Linux) | Search web roots / deployed CGI scripts for this exact marker; treat as a dropped webshell |
| README_server.txt (used as upload placeholder in module) | Clue | T1190 | Web/app logs | If your GestioIP deployment logs uploaded filenames, pivot on README_server.txt or anomalous uploads immediately before access to upload.cgi |
Potential Detection Coverage Based on MITRE ATT&CK Technique
| Source | Detections | Coverage |
|---|---|---|
| Splunk | Ivanti Connect Secure Command Injection Attempts | Maps to the same core behavior here: attacker-controlled strings reaching server-side command execution via an HTTP request (T1190 → T1059). Adapt the URI/parameter patterns to .../gestioip/api/upload.cgi and look for command-like query strings. |
| Elastic | Execution from Unusual Directory - Command Line | Indirect coverage: if exploitation leads to secondary tooling execution from temp/unusual locations, this can catch post-exploitation execution (T1059). For GestioIP specifically, you likely need web-tier detection on the upload.cgi path. |
| Sigma | Php Inline Command Execution | Partial/adjacent coverage for command execution patterns (T1059). This exploit’s strongest detection surface is HTTP logs for upload.cgi + suspicious query strings rather than endpoint PHP execution telemetry. |
Sources
- Metasploit PR #21041 — Add exploit module for Gestioip3.5.7 RCE — Published 2026-03-09
2. SPIP Saisies Plugin (5.4.0–5.11.0) — Unauthenticated RCE via _anciennes_valeurs (Metasploit PR)
Summary
Metasploit added a detailed exploit module + documentation for an unauthenticated SPIP Saisies plugin RCE where a single form parameter (_anciennes_valeurs) is interpolated unsafely and leads to PHP execution. The important defender win: this PR doesn’t just say “RCE exists” — it names the exact parameter, common victim page patterns, and the discovery/crawl behavior an exploit might use.
What’s New (Last 24 Hours)
Rapid7 Metasploit Framework PR #21001 (2026-03-09) adds an exploit module and module documentation describing the injection surface (_anciennes_valeurs) and typical target form endpoints (often `spip.php?page=<form>`).
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| POST requests that include form parameter _anciennes_valeurs | TTP | T1190 | Web server logs / WAF logs (HTTP body) | Alert/hunt for _anciennes_valeurs being supplied by unauthenticated clients, especially when it contains template / code-like payloads |
| `GET /spip.php?page=<page>` followed by a POST to the same page (form submit) from the same client | TTP | T1190 | Web server logs | Correlate “crawl-like” access patterns (many spip.php?page=... hits) with subsequent POSTs carrying _anciennes_valeurs |
| `GET /plugins/(auto/)?saisies/paquet.xml` | IOC | T1592.002 | Web server logs | Watch for direct requests to plugin metadata paths used for version probing; strong precursor behavior for targeted exploitation |
Potential Detection Coverage Based on MITRE ATT&CK Technique
| Source | Detections | Coverage |
|---|---|---|
| Splunk | Confluence Unauthenticated Remote Code Execution CVE-2022-26134 | Technique-aligned (T1190) coverage for “unauthenticated web request triggers code execution.” Use as a template to build a SPIP-focused detector keyed on _anciennes_valeurs and SPIP form endpoints. |
| Elastic | Web Application Suspicious Request Pattern | Generic web exploit patterning (T1190). Tune for SPIP: target spip.php?page= access + POST bodies containing _anciennes_valeurs and suspicious payload markers. |
| Sigma | Webshell Detection - Generic Webserver | Post-exploitation coverage: if the RCE is used to drop a webshell or persistent server-side file, generic webshell patterns can help (T1505.003), but primary prevention/hunting is parameter-level detection in HTTP logs. |
Sources
- Metasploit PR #21001 — Add SPIP Saisies plugin RCE module — Published 2026-03-09
3. GL.iNet Routers (≤ 4.6.8) — LuCI Brute Force + RPC Plugin Handler Command Injection Chain (Metasploit PR)
Summary
A new Metasploit PR describes a clean “router compromise chain”: brute-force the LuCI web UI (no rate limiting) to obtain admin creds, then pivot into an authenticated command injection in the router RPC API plugin handler to execute commands as root. The artifacts are specific and network-visible: a high-rate POST spray to /cgi-bin/luci, then JSON-RPC calls to /rpc (challenge / login), and finally an RPC method (plugins → install_package) that becomes the injection point.
What’s New (Last 24 Hours)
Rapid7 Metasploit Framework PR #21037 (2026-03-08) adds (1) a LuCI login brute-force auxiliary module and (2) an authenticated RCE module targeting the router’s /rpc API — including the exact endpoints, POST parameter names, and JSON-RPC method names.
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| POST /cgi-bin/luci with form fields luci_username and luci_password | TTP | T1110 | Web server / reverse proxy logs (router mgmt plane) | Detect high-rate login attempts (many POSTs) and 302-based “success” patterns; this is the brute-force stage |
| HTTP 302 responses on /cgi-bin/luci during bursts of login attempts | TTP | T1110 | Web server logs | Treat as a “credential found” signal; pivot to subsequent /rpc activity from the same source |
| POST /rpc JSON-RPC method challenge followed by login | TTP | T1071.001 | HTTP logs / packet capture | Flag routers receiving JSON-RPC auth flows from unusual source IPs (esp. internet-facing mgmt) |
| JSON-RPC method plugins / install_package to /rpc | TTP | T1059 | HTTP logs (request body) | Alert on install_package calls and inspect the argument values for shell metacharacters; this is the command-injection surface |
Potential Detection Coverage Based on MITRE ATT&CK Technique
| Source | Detections | Coverage |
|---|---|---|
| Splunk | None found | No out-of-the-box rule in the current coverage set matched this very router-specific chain. Build custom detections on the management-plane HTTP endpoints: /cgi-bin/luci spray + /rpc JSON-RPC calls + install_package method usage. |
| Elastic | None found | Same gap: you’ll likely need custom web log rules for router management interfaces (T1110 + T1059) and/or firewall rate-limit detections on repeated POSTs to /cgi-bin/luci. |
| Sigma | None found | Sigma coverage tends to be endpoint-focused; this chain is best detected via web/proxy logs on the router management plane plus network controls (rate limiting, geo/IP allowlists). |
Sources
- Metasploit PR #21037 — Add GL.iNet Router Exploit Chain — Published 2026-03-08
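The three Metasploit chains above (items 1 to 3) share one detection surface: web server or reverse proxy access logs. The script below is an added example, not code from the brief or from the Metasploit modules. It parses combined-format access log lines and applies the access-log-visible hunts from the three Actionable Intel tables: command-like query strings on the GestioIP upload.cgi path, the SPIP paquet.xml version probe and the crawl-then-POST pattern on spip.php form pages, and the LuCI login spray followed by a 302 and then /rpc activity from the same source. The combined log format, the 5-requests-in-60-seconds spray threshold, the RFC 5737 addresses and every sample log line are assumptions constructed for the example.

```python
"""Access-log hunts for the GestioIP, SPIP Saisies and GL.iNet chains in this brief (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed combined log format (Apache/nginx default); adapt the regex to your proxy's layout.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Command-like tokens listed in the GestioIP row, matched as whole words after URL-decoding.
CMD_RE = re.compile(r'(?<![A-Za-z0-9_])(whoami|id|curl|wget|bash|sh)(?![A-Za-z0-9_])')
# Plugin metadata path from the SPIP row (version probe).
SPIP_PROBE_RE = re.compile(r'^/plugins/(auto/)?saisies/paquet\.xml$')
# Assumed spray tuning for the LuCI stage; raise the threshold on busy management planes.
LUCI_WINDOW = timedelta(seconds=60)
LUCI_THRESHOLD = 5


def parse(line):
    """Split one combined-format line into fields; returns None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"], rec["query"] = parts.path, parts.query
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def hunt(lines):
    """Return (rule, source_ip, detail) tuples in log order; state is tracked per source IP."""
    hits = []
    spip_pages = defaultdict(set)     # src -> form pages fetched via GET spip.php?page=
    luci_posts = defaultdict(deque)   # src -> timestamps of POST /cgi-bin/luci in the window
    luci_state = {}                   # src -> "spray" or "cred_found"
    for line in lines:
        r = parse(line)
        if r is None:
            continue
        src, method, path, q = r["src"], r["method"], r["path"], unquote(r["query"])
        # Item 1: command-like query string on the GestioIP upload.cgi endpoint.
        if path.endswith("/gestioip/api/upload.cgi") and CMD_RE.search(q):
            hits.append(("gestioip_upload_cgi_cmd", src, q))
        # Item 2: version probe, then a form POST to a page the same client crawled earlier.
        if SPIP_PROBE_RE.match(path):
            hits.append(("spip_saisies_version_probe", src, path))
        if path.endswith("/spip.php"):
            page = parse_qs(r["query"]).get("page", [None])[0]
            if method == "GET" and page:
                spip_pages[src].add(page)
            elif method == "POST" and page in spip_pages[src]:
                hits.append(("spip_form_post_after_crawl", src, page))
        # Item 3: LuCI login spray, a 302 during the spray, then /rpc from the same source.
        if method == "POST" and path == "/cgi-bin/luci":
            dq = luci_posts[src]
            dq.append(r["ts"])
            while r["ts"] - dq[0] > LUCI_WINDOW:   # drop timestamps outside the sliding window
                dq.popleft()
            if len(dq) >= LUCI_THRESHOLD and src not in luci_state:
                luci_state[src] = "spray"
                hits.append(("luci_login_spray", src, f"{len(dq)} POSTs in {LUCI_WINDOW.seconds}s"))
            if r["status"] == 302 and luci_state.get(src) == "spray":
                luci_state[src] = "cred_found"
                hits.append(("luci_302_after_spray", src, "probable valid credentials"))
        if method == "POST" and path == "/rpc" and luci_state.get(src) == "cred_found":
            hits.append(("luci_rpc_after_cred_found", src, "inspect JSON-RPC body for install_package"))
    return hits


def _line(src, ts, method, target, status):
    """Build one constructed combined-format log line."""
    return f'{src} - - [{ts}] "{method} {target} HTTP/1.1" {status} 0 "-" "-"'


# Constructed sample log (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = [
    _line("203.0.113.10", "09/Mar/2026:04:12:01 +0000", "GET", "/gestioip/api/upload.cgi?whoami", 200),
    _line("203.0.113.10", "09/Mar/2026:04:12:02 +0000", "GET", "/gestioip/api/upload.cgi?id%3Bcurl", 200),
    _line("198.51.100.7", "09/Mar/2026:04:12:03 +0000", "GET", "/gestioip/api/upload.cgi?file=list", 200),
    _line("198.51.100.20", "09/Mar/2026:04:15:00 +0000", "GET", "/plugins/auto/saisies/paquet.xml", 200),
    _line("198.51.100.20", "09/Mar/2026:04:15:01 +0000", "GET", "/spip.php?page=contact", 200),
    _line("198.51.100.20", "09/Mar/2026:04:15:02 +0000", "POST", "/spip.php?page=contact", 200),
] + [
    _line("192.0.2.9", f"09/Mar/2026:04:20:{i:02d} +0000", "POST", "/cgi-bin/luci", 403 if i < 5 else 302)
    for i in range(6)
] + [
    _line("192.0.2.9", "09/Mar/2026:04:20:30 +0000", "POST", "/rpc", 200),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
```

The parameter-level SPIP hunt (_anciennes_valeurs in the POST body) and the install_package check on /rpc need request bodies, which combined-format access logs do not carry; feed those from WAF or full-HTTP logs instead. The `id` token is the noisiest of the command-like words and will fire on ordinary `?id=` parameters; on the GestioIP path that is still worth a look, but drop it if the pattern is reused on busier endpoints.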
4. Possible Malicious ScreenConnect C2 Domain: alpha.noleggiodisci.com
Summary
A single-domain IOC dropped today that’s being called out as potential ScreenConnect (ConnectWise Control) C2 infrastructure. Even when the “implant” is a legitimate remote admin tool, defender reality is the same: if you don’t explicitly run ScreenConnect, any endpoint reaching out to a weird domain with ScreenConnect traffic should be treated as likely unauthorized remote control.
What’s New (Last 24 Hours)
An IOC alert was published on X (2026-03-09) flagging alpha.noleggiodisci.com as possible malicious ScreenConnect C2 infrastructure.
Actionable Intel
| Artifact | Type | ATT&CK Technique | Data Source | How to Use |
|---|---|---|---|---|
| alpha.noleggiodisci.com | IOC | T1071.001 | DNS logs / proxy logs / firewall logs | Block or alert on DNS resolutions and outbound connections; pivot to endpoints that resolved the domain and enumerate installed remote access tooling |
| ScreenConnect / ConnectWise Control client presence on endpoints | TTP | T1219 | EDR process + service inventory | Hunt for ScreenConnect client/service installs on endpoints that touched the domain; prioritize those without approved IT tooling context |
Potential Detection Coverage Based on MITRE ATT&CK Technique
| Source | Detections | Coverage |
|---|---|---|
| Splunk | None found | No direct mapped rule found for ScreenConnect in the current coverage set. Use this IOC in DNS/proxy correlation searches and combine with endpoint inventory of ScreenConnect installs (T1219). |
| Elastic | Suspicious ScreenConnect Client Child Process | Covers likely post-install activity: ScreenConnect client spawning suspicious child processes consistent with interactive remote control / command execution (T1219/T1059 adjacent). Pair with the domain IOC to increase fidelity. |
| Sigma | Remote Access Tool - ScreenConnect Execution; Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution; ScreenConnect Temporary Installation Artefact | These rules map directly to ScreenConnect usage artifacts: process execution (client running), suspicious remote execution patterns, and common temporary install artifacts — exactly what you want to correlate to endpoints that resolve/connect to alpha.noleggiodisci.com. |
Sources
- @ScotchNVD — IOC Alert – Possible ScreenConnect C2 — Published 2026-03-09
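The pivot described in item 4 (match the domain in DNS logs, then rank the resolving endpoints by whether ScreenConnect is installed and whether that install has an approved-IT context) is shown below as an added example; it is not code from the brief or from the IOC source. The resolver log layout, the endpoint inventory, the approved-host list and every sample line are constructed assumptions; only the domain alpha.noleggiodisci.com comes from the brief. Matching is case-insensitive, tolerates a trailing dot, and covers labels prefixed to the IOC but deliberately not the bare parent domain, which the brief does not flag.

```python
"""Correlate DNS resolutions of the ScreenConnect C2 IOC with endpoint inventory (added example)."""
import re
from collections import defaultdict

IOC_DOMAINS = {"alpha.noleggiodisci.com"}  # the domain flagged in the brief

# Assumed resolver log layout: "<timestamp> <client-ip> <qname> <qtype>"; adapt to your DNS logs.
DNS_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>[A-Z]+)$")


def normalize(name):
    """Lower-case and strip a trailing dot so FQDN spellings compare equal."""
    return name.rstrip(".").lower()


def matches_ioc(qname):
    """True for the IOC itself or any name under it; the bare parent domain does not match."""
    q = normalize(qname)
    return any(q == d or q.endswith("." + d) for d in IOC_DOMAINS)


def hosts_resolving_ioc(dns_lines):
    """Map client IP -> sorted list of matching query names seen in the log."""
    seen = defaultdict(set)
    for line in dns_lines:
        m = DNS_RE.match(line.strip())
        if m and matches_ioc(m["qname"]):
            seen[m["client"]].add(normalize(m["qname"]))
    return {client: sorted(names) for client, names in seen.items()}


def prioritize(resolving, inventory, approved_hosts):
    """Tier each resolving host: unapproved ScreenConnect first, approved installs second,
    DNS-only hits (no client found, check for portable or renamed binaries) last."""
    tiers = []
    for client, names in resolving.items():
        services = inventory.get(client, [])
        has_sc = any("screenconnect" in s.lower() for s in services)
        if has_sc and client not in approved_hosts:
            tier = "P1-unapproved-screenconnect"
        elif has_sc:
            tier = "P2-approved-verify-server"
        else:
            tier = "P3-dns-only"
        tiers.append((tier, client, names))
    return sorted(tiers)


# Constructed sample data (not real telemetry).
SAMPLE_DNS = [
    "2026-03-09T04:01:10Z 10.1.1.15 alpha.noleggiodisci.com. A",
    "2026-03-09T04:01:11Z 10.1.1.15 ALPHA.noleggiodisci.com A",
    "2026-03-09T04:02:00Z 10.1.1.22 relay.alpha.noleggiodisci.com A",
    "2026-03-09T04:02:30Z 10.1.1.30 noleggiodisci.com A",
    "2026-03-09T04:03:00Z 10.1.1.40 alpha.noleggiodisci.com A",
    "2026-03-09T04:03:05Z 10.1.1.50 updates.example.net A",
]
SAMPLE_INVENTORY = {
    "10.1.1.15": ["ScreenConnect Client", "Windows Defender"],
    "10.1.1.22": ["Chrome"],
    "10.1.1.40": ["ScreenConnect Client"],
}
APPROVED_HOSTS = {"10.1.1.40"}  # hosts where IT has a sanctioned ScreenConnect deployment

if __name__ == "__main__":
    for tier, client, names in prioritize(hosts_resolving_ioc(SAMPLE_DNS), SAMPLE_INVENTORY, APPROVED_HOSTS):
        print(tier, client, ", ".join(names))
```

A P2 host still deserves a check that the client is enrolled to your own ScreenConnect server rather than one at the flagged domain; the approved-host list only says the tool is expected there, not which server it talks to.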