{"id":105,"date":"2026-01-19T15:49:54","date_gmt":"2026-01-19T14:49:54","guid":{"rendered":"https:\/\/helloblog.io\/lv\/modular-ds-cve-2026-23550-aktivs-uzbrukums-wordpress-admin-piekluve\/"},"modified":"2026-01-20T06:38:46","modified_gmt":"2026-01-20T05:38:46","slug":"modular-ds-cve-2026-23550-aktivs-uzbrukums-wordpress-admin-piekluve","status":"publish","type":"post","link":"https:\/\/helloblog.io\/lv\/modular-ds-cve-2026-23550-aktivs-uzbrukums-wordpress-admin-piekluve\/","title":{"rendered":"Modular DS spraudnis ar kritisku CVE tiek akt\u012bvi ekspluat\u0113ts: k\u0101 pasarg\u0101t WordPress vietni no admin piek\u013cuves p\u0101r\u0146em\u0161anas"},"content":{"rendered":"\n

Ja WordPress projektos izmanto spraudni Modular DS<\/strong>, \u0161obr\u012bd ir v\u0113rts uz to paskat\u012bties k\u0101 uz potenci\u0101lu incidentu, nevis \u201ck\u0101rt\u0113jo atjaunin\u0101jumu\u201d. Patchstack zi\u0146o, ka kritiska ievainojam\u012bba tiek akt\u012bvi ekspluat\u0113ta<\/strong>, un \u013cauj uzbruc\u0113jam bez autentifik\u0101cijas ieg\u016bt administratora piek\u013cuvi.<\/p>\n\n\n\n

Kas noticis: CVE-2026-23550 (CVSS 10.0) un ietekm\u0113t\u0101s versijas<\/h2>\n\n\n\n

Ievainojam\u012bba ir re\u0123istr\u0113ta k\u0101 CVE-2026-23550<\/strong> ar maksim\u0101lo CVSS 10.0<\/strong> v\u0113rt\u0113jumu. Probl\u0113ma skar visas Modular DS versijas l\u012bdz 2.5.1 ieskaitot<\/strong>, un t\u0101 ir nov\u0113rsta versij\u0101 2.5.2<\/strong>. Publiskotaj\u0101 inform\u0101cij\u0101 min\u0113ts, ka spraudnim ir vair\u0101k nek\u0101 40 000 akt\u012bvu instal\u0101ciju<\/strong>, kas uzbruc\u0113jiem padara to par \u013coti pievilc\u012bgu m\u0113r\u0137i.<\/p>\n\n\n\n

\n\n

Steidzami<\/h4>\n\n\n

Ja tav\u0101 vietn\u0113 ir Modular DS un versija ir 2.5.1 vai vec\u0101ka, priorit\u0101te ir atjaunin\u0101t uz 2.5.2 un p\u0113c tam p\u0101rbaud\u012bt kompromit\u0101cijas paz\u012bmes.<\/p>\n\n<\/div>\n\n\n\n

K\u0101ds ir uzbrukuma meh\u0101nisms: \u201crouting\u201d sl\u0101nis un netie\u0161a uztic\u0113\u0161an\u0101s<\/h2>\n\n\n\n

Tehniski interesant\u0101k\u0101 da\u013ca (un ar\u012b b\u012bstam\u0101k\u0101) ir t\u0101, ka \u0161is nav \u201cviens if-statement\u201d tipa caurums. Patchstack apraksta to k\u0101 vair\u0101ku dizaina izv\u0113\u013cu kombin\u0101ciju: p\u0101r\u0101k pielaid\u012bga mar\u0161rut\u0113\u0161ana (routing), iesp\u0113ja p\u0101rsl\u0113gties uz \u201cdirect request\u201d re\u017e\u012bmu, autentifik\u0101cijas lo\u0123ika, kas balst\u0101s tikai uz vietnes savienojuma st\u0101vokli, un pieteik\u0161an\u0101s pl\u016bsma, kas var novest l\u012bdz autom\u0101tiskai ieie\u0161anai ar administratora kontu.<\/p>\n\n\n\n

Spraudnis publiski atver savus endpoint (galapunktus) zem prefiksa \/api\/modular-connector\/<\/code><\/strong> un paredz, ka jut\u012bgie mar\u0161ruti ir aizsarg\u0101ti ar autentifik\u0101cijas barjeru (middleware). Probl\u0113ma: noteiktos apst\u0101k\u013cos \u0161o sl\u0101ni var apiet.<\/p>\n\n\n\n

Apie\u0161anas nosac\u012bjums: origin=mo un type=\u2026<\/h3>\n\n\n\n

Patchstack nor\u0101da, ka, ja uzbruc\u0113js pievieno piepras\u012bjumam parametrus origin=mo<\/code><\/strong> un type<\/code><\/strong> ar jebk\u0101du v\u0113rt\u012bbu (piem., origin=mo&type=xxx<\/code>), piepras\u012bjums tiek apstr\u0101d\u0101ts k\u0101 Modular \u201cdirect request\u201d. Ja vietne jau ir savienota ar Modular (t.i., ir tokeni un tos var atjaunot), autentifik\u0101cijas middleware var tikt apiets, jo nav kriptogr\u0101fiskas sasaistes starp ien\u0101ko\u0161o HTTP piepras\u012bjumu un pa\u0161u Modular servisu.<\/p>\n\n\n\n

Ko uzbruc\u0113js var izdar\u012bt: no att\u0101lin\u0101tas ielogo\u0161an\u0101s l\u012bdz pilnai vietnes p\u0101r\u0146em\u0161anai<\/h2>\n\n\n\n

Apie\u0161anas rezult\u0101t\u0101 k\u013c\u016bst pieejami vair\u0101ki mar\u0161ruti, tostarp \/login\/<\/code><\/strong>, \/server-information\/<\/code><\/strong>, \/manager\/<\/code><\/strong> un \/backup\/<\/code><\/strong>. Kritisk\u0101kais scen\u0101rijs ir ekspluat\u0113t \/login\/{modular_request}<\/code><\/strong> un ieg\u016bt administratora piek\u013cuvi (privilege escalation bez autentifik\u0101cijas).<\/p>\n\n\n\n

Kad uzbruc\u0113jam ir admin ties\u012bbas, t\u0101l\u0101k parasti seko pilna kompromit\u0101cija: \u013caunpr\u0101t\u012bgi spraud\u0146i vai backdoor faili, satura injekcijas, lietot\u0101ju p\u0101radres\u0101cijas uz kr\u0101pniecisk\u0101m lap\u0101m, vai pat jaunu administratoru izveide, lai saglab\u0101tu persistenci.<\/p>\n\n\n\n

Ko redz \u201ctelemetrij\u0101\u201d: uzbrukumu paz\u012bmes un zin\u0101mie IP<\/h2>\n\n\n\n

Patchstack publiski min, ka pirmie uzbrukumi fiks\u0113ti 2026. gada 13. janv\u0101r\u012b ap plkst. 02:00 UTC<\/strong>, ar HTTP GET piepras\u012bjumiem uz endpoint \/api\/modular-connector\/login\/<\/code><\/strong>, un p\u0113c tam sekoju\u0161i m\u0113\u0123in\u0101jumi izveidot administratora lietot\u0101ju.<\/p>\n\n\n\n

Zi\u0146ojum\u0101 min\u0113tas ar\u012b IP adreses, no kur\u0101m nov\u0113rota ekspluat\u0101cija:<\/p>\n\n\n\n