[TIMESTAMP: 2026-04-29 08:55 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: MEDIUM]

NSA GRASSMARLIN XXE Vulnerability CVE-2026-6807 — Mitigation Guide

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Attackers can exploit an XXE vulnerability to disclose sensitive information from systems running the legacy NSA GRASSMARLIN network mapping tool.
  • [02] CISA lists GRASSMARLIN v3.2.1 as affected; because the project is no longer maintained, every deployed version should be treated as vulnerable.
  • [03] Organizations should decommission this end-of-life software immediately and transition to actively supported industrial control system discovery tools.

The Cybersecurity and Infrastructure Security Agency (CISA) recently published an advisory regarding a security flaw in GRASSMARLIN, an open-source tool developed by the National Security Agency (NSA) for passive network discovery and inventory in Industrial Control System (ICS) environments. According to CISA Advisory ICSA-26-118-01, the vulnerability is classified as an Improper Restriction of XML External Entity Reference, commonly known as an XXE.

Technical Analysis of CVE-2026-6807

CVE-2026-6807 carries a CVSS v3.1 base score of 5.5 (Medium). In GRASSMARLIN v3.2.1, a specially crafted session file can trigger improper handling of XML input: the application's XML parsing logic was never hardened to restrict external entity references, so a DOCTYPE embedded in session data is processed exactly as written.

An XML parser that resolves external entity references without restriction can be made to disclose local files, probe internal hosts and ports, or issue requests to other services (server-side request forgery). For CVE-2026-6807 the documented impact is information disclosure only. Because the attack vector is Local (AV:L), an adversary must already have a foothold on the workstation or must get a legitimate user to open a malicious session file; when that happens, the entity is resolved with the privileges of the user running GRASSMARLIN, so anything that user can read is within reach.
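How a Java XML parser with default settings falls to such a file, beside the hardened configuration, as an added example. This is not GRASSMARLIN's code and does not reproduce its session format: the element names, the temporary file and its contents are constructed for the demo, and it assumes the JDK's built-in JAXP parser on Java 11 or later.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeSessionDemo {

    // Constructed session file. The element names are hypothetical and do not
    // reflect GRASSMARLIN's real format. The internal DTD declares an external
    // general entity whose SYSTEM identifier points at a local file.
    static String maliciousSession(Path target) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE session [\n"
             + "  <!ENTITY leak SYSTEM \"" + target.toUri() + "\">\n"
             + "]>\n"
             + "<session><note>&leak;</note></session>\n";
    }

    // Vulnerable: a DocumentBuilderFactory with default settings. The JDK's
    // built-in parser resolves external general entities unless told not to.
    static DocumentBuilder vulnerableBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened: refuse any DOCTYPE outright and, for parsers that lack that
    // feature, also disable external entities, external DTD loading and XInclude.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parses the session and returns the text of <note>, i.e. whatever the
    // entity reference expanded to.
    static String noteText(DocumentBuilder builder, String xml) throws Exception {
        Document doc = builder.parse(new InputSource(new StringReader(xml)));
        return doc.getElementsByTagName("note").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive file on the engineering workstation.
        Path secret = Files.createTempFile("plc-credentials", ".txt");
        Files.writeString(secret, "plc01 admin S3cret");
        String xml = maliciousSession(secret);

        // Default parser: <note> now carries the file's contents.
        System.out.println("vulnerable parser: " + noteText(vulnerableBuilder(), xml));

        // Hardened parser: the DOCTYPE is rejected before any entity is resolved.
        try {
            noteText(hardenedBuilder(), xml);
            System.out.println("hardened parser: unexpectedly accepted the file");
        } catch (SAXParseException e) {
            System.out.println("hardened parser: rejected (" + e.getMessage() + ")");
        }
        Files.delete(secret);
    }
}
```

The first line printed is the contents of the temporary file, read and returned by the parser exactly as the advisory describes; the second is a SAXParseException from the hardened builder, which never reaches entity resolution because the DOCTYPE itself is refused. Disallowing DOCTYPE is the single setting that matters most; the remaining features are belt-and-braces for parsers that do not support it.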

GRASSMARLIN End-of-Life Security Risks and Exposure

A significant concern for the SOC is the lifecycle status of the affected software. The NSA indicated that the GRASSMARLIN project reached end-of-life (EOL) in 2017, so no patch or update is planned for this vulnerability. Using EOL software in critical infrastructure environments introduces persistent risk: every flaw found from now on stays unmitigated by the vendor. Security teams should prioritize locating GRASSMARLIN v3.2.1 installations during internal audits, since these are exactly the legacy tools that get forgotten on engineering workstations.

Impact on Critical Infrastructure

GRASSMARLIN was built to give defenders visibility into OT networks, the asset inventory that frameworks such as MITRE ATT&CK for ICS assume is already in place; its continued use now presents a liability. The information disclosure could let an attacker read any file accessible to the user who opens a malicious session: configuration files, previously exported network maps, or credentials cached on the engineering workstation. Such data is invaluable to an adversary planning later stages of an attack, such as lateral movement or targeted disruption of industrial processes.

Actionable Recommendations

Because there is no official patch, the primary remediation strategy is the total decommissioning of the software. Defenders should adopt the following measures to ensure network integrity:

  • Software Inventory and Removal: Conduct a comprehensive scan of all workstations used for industrial network maintenance to identify and remove all instances of GRASSMARLIN.
  • Transition to Supported Tools: Migrate to modern, actively maintained passive discovery tools that receive regular security updates and vulnerability disclosures.
  • Network Segmentation: Ensure that all control system devices are located behind firewalls and isolated from business networks. This limits the potential for an attacker to leverage information gained through local vulnerabilities.
  • Least Privilege: Enforce strict access controls on engineering workstations. Since the exploit requires local access, restricting who can modify or load session data can reduce the immediate risk profile.
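For teams that must keep a GRASSMARLIN workstation running until migration completes, an added pre-load triage that flags session files declaring a DOCTYPE or an external entity before anyone opens them in the tool. This is example code, not GRASSMARLIN's; it assumes session files are plain UTF-8 XML kept in a known exchange folder, inspects every XML-looking file regardless of extension, and the two sample files it writes when run without arguments are constructed.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;

public class SessionFileTriage {

    // DOCTYPE and ENTITY declarations must precede the root element, so a bounded
    // read of the prolog is enough and keeps the sweep cheap on large session files.
    private static final int HEAD_BYTES = 64 * 1024;

    private static final Pattern DOCTYPE = Pattern.compile("<!DOCTYPE\\b", Pattern.CASE_INSENSITIVE);

    // <!ENTITY name SYSTEM "uri"> or <!ENTITY name PUBLIC "pubid" "uri">, with an
    // optional '%' for parameter entities; both quote styles are accepted.
    // Group 1: '%' marker, 2: entity name, 3 or 4: system identifier.
    private static final Pattern EXTERNAL_ENTITY = Pattern.compile(
        "<!ENTITY\\s+(%\\s*)?([^\\s>]+)\\s+(?:SYSTEM|PUBLIC\\s+(?:\"[^\"]*\"|'[^']*'))"
      + "\\s+(?:\"([^\"]*)\"|'([^']*)')",
        Pattern.CASE_INSENSITIVE);

    // Returns one line per suspicious declaration found in the file's prolog.
    static List<String> inspect(Path file) throws IOException {
        String head;
        try (InputStream in = Files.newInputStream(file)) {
            head = new String(in.readNBytes(HEAD_BYTES), StandardCharsets.UTF_8);
        }
        List<String> findings = new ArrayList<>();
        // Skip anything that is not XML (a UTF-8 BOM is tolerated).
        if (!head.replaceFirst("^\uFEFF", "").stripLeading().startsWith("<")) {
            return findings;
        }
        if (DOCTYPE.matcher(head).find()) {
            findings.add("DOCTYPE declaration present");
        }
        Matcher m = EXTERNAL_ENTITY.matcher(head);
        while (m.find()) {
            String kind = m.group(1) == null ? "general" : "parameter";
            String sysid = m.group(3) != null ? m.group(3) : m.group(4);
            findings.add(kind + " entity '" + m.group(2) + "' resolves to " + sysid);
        }
        return findings;
    }

    // Sweeps a directory tree and reports every file with findings.
    static List<String> triage(Path root) throws IOException {
        List<Path> files;
        try (Stream<Path> s = Files.walk(root)) {
            files = s.filter(Files::isRegularFile).collect(Collectors.toList());
        }
        List<String> report = new ArrayList<>();
        for (Path p : files) {
            for (String f : inspect(p)) {
                report.add(p + ": " + f);
            }
        }
        return report;
    }

    public static void main(String[] args) throws IOException {
        if (args.length > 0) {
            triage(Path.of(args[0])).forEach(System.out::println);
            return;
        }
        // No directory given: exercise the check against two constructed files.
        Path dir = Files.createTempDirectory("session-triage");
        Path benign = dir.resolve("benign.xml");
        Path suspect = dir.resolve("suspect.xml");
        Files.writeString(benign,
            "<?xml version=\"1.0\"?><session><host ip=\"10.0.0.5\"/></session>");
        Files.writeString(suspect,
            "<?xml version=\"1.0\"?>\n<!DOCTYPE session [\n"
          + "  <!ENTITY leak SYSTEM 'file:///etc/hostname'>\n]>\n"
          + "<session><note>&leak;</note></session>");
        triage(dir).forEach(System.out::println);
        Files.delete(benign);
        Files.delete(suspect);
        Files.delete(dir);
    }
}
```

Run with a directory argument to sweep it, or with none to see the check against its own samples: benign.xml produces nothing, suspect.xml reports the DOCTYPE and the entity together with the path it would read. A hit is not proof of an attack, since some legitimate XML carries an internal DTD, but a DOCTYPE in a session file for a tool that never needed one is reason to quarantine the file before it reaches the parser.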

Organizations observing suspicious activity related to XML parsing or unauthorized file access on ICS-adjacent systems should report their findings to CISA for further correlation.
