NSA GRASSMARLIN

Monitor | CVSS 5.5 | ICS-CERT ICSA-26-118-01 | Apr 28, 2026
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

NSA GRASSMARLIN contains an XML parsing vulnerability (CWE-611) that could allow an attacker with local access to disclose sensitive information. The vulnerability affects all versions of GRASSMARLIN. NSA has ended support for the GRASSMARLIN project as of 2017; the project is archived with no further updates planned.

What this means
What could happen
An attacker with local access to a GRASSMARLIN system could read sensitive information from the application's memory or configuration files, potentially exposing network topology data or credentials used for network analysis.
Who's at risk
This affects utilities and industrial organizations that use NSA GRASSMARLIN for network topology analysis and security monitoring. GRASSMARLIN is a network analysis tool commonly used by OT security teams to map industrial control system networks and identify anomalies. Anyone still running GRASSMARLIN for network analysis or asset discovery should be aware that the tool is unsupported.
How it could be exploited
An attacker must first gain local access to the machine running GRASSMARLIN (local privilege escalation or lateral movement to an analyst workstation). They can then exploit an XML parsing vulnerability (CWE-611) through crafted input files to access sensitive data stored in the application's runtime environment.
Prerequisites
  • Local access to GRASSMARLIN system or analyst workstation
  • Ability to create or supply crafted input files to GRASSMARLIN
  • User must interact with the malicious file or the application must process it automatically
no patch available, end-of-life product, local access required
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
Product | Affected Versions | Fix Status
GRASSMARLIN | All versions | Fix available
Remediation & Mitigation
Do now
HARDENING: Restrict local access to systems running GRASSMARLIN using OS-level access controls and remove unnecessary user accounts
HARDENING: Isolate GRASSMARLIN systems from production networks and limit analyst workstation access to a secured, air-gapped environment
WORKAROUND: Document and secure any sensitive data (credentials, network diagrams, configuration details) that GRASSMARLIN has processed; rotate credentials if exposure is suspected
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Discontinue use of GRASSMARLIN and migrate to a supported network analysis or ICS security tool
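
Because the crafted-input-file prerequisite above cannot be patched away, one interim check is to screen XML files for DTD and entity declarations before anyone opens them in GRASSMARLIN. The script below is an added example, not part of the advisory or of GRASSMARLIN; the sample documents, element names and the `screen_xml` helper are constructed for illustration, and it assumes legitimate input files never need a DOCTYPE.

```python
import codecs
import re

# UTF-32 BOMs come first because the UTF-32-LE BOM begins with the UTF-16-LE BOM.
_BOMS = [(codecs.BOM_UTF32_LE, "utf-32"), (codecs.BOM_UTF32_BE, "utf-32"),
         (codecs.BOM_UTF16_LE, "utf-16"), (codecs.BOM_UTF16_BE, "utf-16"),
         (codecs.BOM_UTF8, "utf-8-sig")]
_DOCTYPE = re.compile(r"<!DOCTYPE\s+[^\s\[>]+\s*(SYSTEM|PUBLIC)?", re.I)
_ENTITY = re.compile(r"<!ENTITY\s+(%\s*)?([^\s>]+)\s+(SYSTEM|PUBLIC)?", re.I)

# Constructed samples (not from the advisory); the entity target is a placeholder.
BENIGN = b'<?xml version="1.0"?>\n<session><host ip="192.0.2.10"/></session>'
CRAFTED = (b'<?xml version="1.0"?>\n'
           b'<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///placeholder">]>\n'
           b'<r>&ext;</r>')


def decode_xml(data: bytes) -> str:
    """Decode by BOM or UTF-16 '<?' pattern so re-encoded files are not missed."""
    for bom, name in _BOMS:
        if data.startswith(bom):
            return data.decode(name, errors="replace")
    if data[:4] == b"<\x00?\x00":
        return data.decode("utf-16-le", errors="replace")
    if data[:4] == b"\x00<\x00?":
        return data.decode("utf-16-be", errors="replace")
    return data.decode("utf-8", errors="replace")


def screen_xml(data: bytes) -> list[str]:
    """Return DTD/entity findings without handing the file to an XML parser.

    Matches inside comments or CDATA are reported too: over-flagging is
    deliberate, since any finding means the file should not be opened.
    """
    text = decode_xml(data)
    findings = []
    m = _DOCTYPE.search(text)
    if m:
        findings.append("external-doctype" if m.group(1) else "doctype")
    for m in _ENTITY.finditer(text):
        kind = "parameter-entity" if m.group(1) else "entity"
        if m.group(3):
            kind = "external-" + kind
        findings.append(f"{kind}:{m.group(2)}")
    return findings


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("crafted", CRAFTED)):
        print(label, screen_xml(blob) or "no DTD or entity declarations")
```

Any non-empty result is a reason to quarantine the file rather than load it; an empty result only means no DTD markup was found, not that the file is otherwise safe.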

NSA GRASSMARLIN | CVSS 5.5 - OTPulse