NSA’s GrassMarlin Tool Carries Hidden Data Leak Flaw, CISA Warns Critical Infrastructure Operators

CISA spotlighted CVE-2026-6807, a data-theft flaw in NSA's legacy GrassMarlin OT tool, enabling XXE attacks via malicious XML sessions. No patches exist for the end-of-life software still used in SCADA environments.
Written by Emma Rogers

The U.S. Cybersecurity and Infrastructure Security Agency issued a stark advisory Tuesday, spotlighting a data-theft vulnerability in GrassMarlin, an operational technology networking tool crafted by the National Security Agency itself. Tracked as CVE-2026-6807, the flaw resides in every version of the software, which hit end-of-life back in 2017. No patches exist. Operators in industrial control systems and SCADA environments take note: attackers could snoop sensitive network maps through this one.

GrassMarlin scans and diagrams OT networks, bundling session data—nodes, edges, positions, colors, metadata—into XML files zipped as .gm3 archives. The bug? Lax XML parsing. It falls under CWE-611, enabling XML External Entity attacks. Penetration tester Anna Quinn at Rapid7 dissected it, noting on LinkedIn that ‘the likely vulnerable parameters had to do with the XML files ingested when opening stored sessions.’ She released a proof-of-concept on GitHub, demonstrating out-of-band exfiltration: craft a malicious XML, reference an external DTD host, encode file contents in base64, chunk them across console messages to dodge errors. Boom. Arbitrary files leak.

CVSS rates it 5.5—medium severity. Successful hits disclose sensitive info. But here’s the catch. Exploitation demands the bundled Java version; newer ones won’t run GrassMarlin. Delivery? Mostly phishing, luring users to open booby-trapped sessions. Quinn downplayed the panic: ‘the bug won’t pose too much of a threat to most organizations, and that it can only realistically be exploited via phishing.’ Still, CISA’s ICS Advisory ICSA-26-118-01 lists it bluntly: ‘The flaw stems from insufficient hardening of the XML parsing process.’

Why does this matter now? GrassMarlin persists in air-gapped setups for critical infrastructure—power grids, water treatment, manufacturing—where network diagrams are gold for attackers plotting disruptions. The NSA open-sourced it years ago to aid defenders, yet unpatched legacy tools linger. And no fix is coming. CISA urges basics: keep OT off the public internet. Firewall rigorously. Isolate from IT networks. Vet remote access hard.

Quinn’s technical breakdown reveals the mechanics. Open a session: GrassMarlin parses XML. Malicious DTD pulls external entities, fetching attacker-controlled data that triggers file reads. Errors flood the console, but base64 chunking slips payloads out. Her GitHub PoC proves it works locally. In OT, where Java updates are rare to avoid breaking gear, this sticks around.
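A defender-side gate for the session-file path described above, added here as an example and not taken from Quinn's PoC or from GrassMarlin's own code: it opens a .gm3 archive as a ZIP and flags any XML member that carries a DOCTYPE, the precondition for XXE, so the file can be quarantined before anyone opens it in the tool. The member name session.xml, the element names and the placeholder DTD host are assumptions.

```python
import io
import re
import zipfile

# A DOCTYPE is the precondition for XXE, and a session file has no legitimate reason to carry one.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b[^\[>]*(?:\[.*?\])?\s*>", re.IGNORECASE | re.DOTALL)
EXTERNAL_ID_RE = re.compile(rb"\b(?:SYSTEM|PUBLIC)\b")
ENTITY_RE = re.compile(rb"<!ENTITY\b")

def scan_xml_member(name: str, data: bytes) -> list[str]:
    """Findings for one XML member; an empty list means nothing suspicious."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        # Byte patterns would miss a UTF-16 document: refuse it rather than pass it.
        return [f"{name}: UTF-16 encoded, cannot be scanned byte-wise"]
    findings = []
    for decl in DOCTYPE_RE.finditer(data):
        findings.append(f"{name}: DOCTYPE declaration present")
        if EXTERNAL_ID_RE.search(decl.group(0)):
            findings.append(f"{name}: DTD references an external identifier (SYSTEM/PUBLIC)")
        if ENTITY_RE.search(decl.group(0)):
            findings.append(f"{name}: DTD declares entities in its internal subset")
    return findings

def scan_gm3(archive: bytes) -> dict[str, list[str]]:
    """Scan every .xml member of a .gm3 archive; returns {member: findings} for flagged members."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive))
    except zipfile.BadZipFile as exc:
        raise ValueError("not a ZIP-based .gm3 archive") from exc
    report = {}
    with zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".xml"):
                findings = scan_xml_member(info.filename, zf.read(info))
                if findings:
                    report[info.filename] = findings
    return report

def build_sample_archive(session_xml: bytes) -> bytes:
    # Constructed .gm3 for this example; the member name "session.xml" is an assumption.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("session.xml", session_xml)
    return buf.getvalue()

# Constructed samples: a plain session, and one carrying only the DOCTYPE precondition
# (placeholder host, reads nothing). Element names are assumptions.
BENIGN_SESSION = b'<?xml version="1.0"?><session><node id="1" name="plc-01"/></session>'
DTD_SESSION = (b'<?xml version="1.0"?><!DOCTYPE session SYSTEM '
               b'"http://dtd.example.invalid/session.dtd"><session/>')
```

An empty report means no DTD was found; anything else, including the UTF-16 refusal, should route the file to quarantine rather than to an engineer's workstation.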

Broader context hits hard. CISA’s ICS advisories target industrial edges, where software like GrassMarlin bridges visibility gaps. But legacy haunts. The tool’s EOL status mirrors countless OT pains—no vendor support, custom forks maybe, but vulnerabilities fester. Attackers love XML flaws; XXE has felled bigger targets, from web-app parsers to, now, OT diagrammers.

Recent CISA moves underscore urgency elsewhere. Just yesterday, the agency added CVE-2024-1708 in ConnectWise ScreenConnect and CVE-2026-32202 in Microsoft Windows to its Known Exploited Vulnerabilities catalog, per The Hacker News. Federal deadline: May 12. ScreenConnect’s path traversal enables code execution; Windows spoofing aids credential grabs. Russia-linked actors hit one, North Korea the other, says Cybersecurity Dive. Data theft threads through all.

OT pros can’t ignore this pattern. GrassMarlin’s flaw, though niche, exposes how even NSA tools carry risks. Inventory your estate. Ditch unsupported software where possible. Quinn’s work shows exploits emerge fast—PoC public now. Phishing campaigns could target engineers with .gm3 lures, mapping your SCADA before ransomware strikes.

And the irony. NSA builds for defense; the flaw undermines it. CISA’s advisory pushes mitigation over perfection. Segment networks. Monitor XML intakes. Train on phishing. In critical infrastructure, one leaked diagram shifts attack calculus. Act now.
