{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5756", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "state": "PUBLISHED", "assignerShortName": "certcc", "dateReserved": "2026-04-07T16:42:45.597Z", "datePublished": "2026-04-14T17:51:53.628Z", "dateUpdated": "2026-04-23T13:33:37.216Z"}, "containers": {"cna": {"title": "Unauthenticated Configuration File Modification Vulnerability in DRC Central Office Services (COS)", "descriptions": [{"lang": "en", "value": "Unauthenticated Configuration File Modification Vulnerability in DRC Central Office Services (COS) allows an attacker to modify the server's configuration file, potentially leading to mass data exfiltration, malicious traffic interception, or disruption of testing services."}], "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Data Recognition Corporation", "product": "Central Office Services - Content Hosting Component", "versions": [{"status": "affected", "version": "975"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-306 Missing Authentication for Critical Function"}]}, {"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}, {"descriptions": [{"lang": "en", "description": "CWE-522 Insufficiently Protected Credentials"}]}], "references": [{"url": "https://www.datarecognitioncorp.com/"}], "x_generator": {"engine": "VINCE 3.0.35", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5756"}, "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-04-14T17:51:53.628Z"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T11:55:49.509703Z", "id": "CVE-2026-5756", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T12:05:46.105Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://www.kb.cert.org/vuls/id/748485"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-23T13:33:37.216Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.kb.cert.org/vuls/id/748485"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-23T13:33:37.216Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-5756", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T11:55:49.509703Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T11:55:45.355Z"}}], "cna": {"title": "Unauthenticated Configuration File Modification Vulnerability in DRC Central Office Services (COS)", "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "Data Recognition Corporation", "product": "Central Office Services - Content Hosting Component", "versions": [{"status": "affected", "version": "975"}]}], "references": [{"url": "https://www.datarecognitioncorp.com/"}], "x_generator": {"env": "prod", "engine": "VINCE 3.0.35", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-5756"}, "descriptions": [{"lang": "en", "value": "Unauthenticated Configuration File Modification Vulnerability in DRC Central Office Services (COS) allows an attacker to modify the server's configuration file, potentially leading to mass data exfiltration, malicious traffic interception, or disruption of testing services."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-306 Missing Authentication for Critical Function"}]}, {"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}, {"descriptions": [{"lang": "en", "description": "CWE-522 Insufficiently Protected Credentials"}]}], "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-04-14T17:51:53.628Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5756", "state": "PUBLISHED", "dateUpdated": "2026-04-23T13:33:37.216Z", "dateReserved": "2026-04-07T16:42:45.597Z", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "datePublished": "2026-04-14T17:51:53.628Z", "assignerShortName": "certcc"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Unauthenticated Configuration File Modification Vulnerability in DRC Central Office Services (COS) allows an attacker to modify the server's configuration file, potentially leading to mass data exfiltration, malicious traffic interception, or disruption of testing services."}], "id": "CVE-2026-5756", "lastModified": "2026-04-23T14:16:04.840", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-14T18:17:39.600", "references": [{"source": "cret@cert.org", "url": "https://www.datarecognitioncorp.com/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.kb.cert.org/vuls/id/748485"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Awaiting Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "975"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Central Office Services - Content Hosting Component", "source": "cna", "vendor": "Data Recognition Corporation"}, "product": "central_office_services_-_content_hosting_component", "vendor": "data_recognition_corporation"}], "analysis": {"en": {"generated_at": "2026-04-17T08:53:23.355279+00:00", "value": {"mitigation_remediation": ["Apply any vendor patch or update to the affected component, or upgrade to a version that addresses the unauthenticated configuration modification flaw.", "Restrict network access to the configuration files by implementing firewall rules or network segmentation, ensuring only trusted administrators can reach the COS management interface.", "Enable detailed logging for configuration changes and monitor file integrity to detect any unauthorized modifications, performing regular security audits of the COS environment."], "summary": {"action": "Apply Patch", "impact": "Unauthorized configuration modification enabling data exfiltration and traffic interception"}, "threat_synthesis": {"affected_systems": "Data Recognition Corporation\u2019s Central Office Services \u2013 Content Hosting Component. No specific version information is provided, so any installation of this component is potentially impacted.", "description_and_impact": "The vulnerability allows an attacker who is not authenticated to modify the server\u2019s configuration file in DRC Central Office Services (COS). This flaw can enable mass data exfiltration, interception of malicious traffic, or disruption of testing services. The flaw represents a weakness in access control, equivalent to an improper authorization issue that undermines confidentiality and integrity of the system\u2019s configuration.", "risk_and_exploitability": "The vulnerability is likely exploitable via network channels that grant write access to configuration files, given the lack of authentication requirements. With an EPSS score of less than 1% and no listing in CISA\u2019s KEV catalog, the exact exploit probability is low but non-zero; however, the absence of authentication suggests a significant risk if left unmitigated. A CVSS score of 7.5 indicates high severity. Potential attackers could alter service parameters, potentially redirect traffic or exfiltrate data, making this a high\u2011impact vulnerability if exploited."}}}}, "created": "2026-04-15T14:41:09.778091+00:00", "updated": "2026-04-17T09:00:10.965981+00:00", "vendors": ["data_recognition_corporation", "data_recognition_corporation$PRODUCT$central_office_services_-_content_hosting_component"], "weaknesses": ["CWE-284", "CWE-862"]}