# NSA's Discontinued GRASSMARLIN Tool Vulnerable to XML External Entity Attacks


## The Threat


NSA GRASSMARLIN, the agency's discontinued network analysis tool, contains a critical XML External Entity (XXE) vulnerability that could allow attackers with local system access to extract sensitive information from affected systems. The vulnerability exists in version 3.2.1 and potentially all versions of the tool, stemming from improper handling of XML parsing in session data processing.


GRASSMARLIN was originally developed by the NSA to provide network discovery and visualization for industrial control systems and critical infrastructure environments. The tool fell out of support in 2017 when the NSA archived the project, but many organizations have continued using it for legacy network analysis and security assessments. This vulnerability represents a persistent risk for any environment still relying on the outdated tool.


XXE vulnerabilities, categorized as CWE-611 (Improper Restriction of XML External Entity Reference), allow attackers to manipulate XML input to access unauthorized data, execute code, or perform denial-of-service attacks. When an application processes externally-supplied XML without proper validation, an attacker can inject malicious XML entities that reference external resources—potentially exposing files on the system or enabling further compromise. In this case, successful exploitation could disclose sensitive information accessible to the user running GRASSMARLIN.


## Severity and Impact


| Field | Value |
|-------|-------|
| CVE Identifier | CVE-2026-6807 |
| Affected Product | NSA GRASSMARLIN v3.2.1 and all versions |
| CVSS v3.1 Base Score | 5.5 (MEDIUM) |
| CVSS Vector String | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| Attack Vector | Local (AV:L) |
| Attack Complexity | Low (AC:L) |
| Privileges Required | Low (PR:L) |
| User Interaction | None (UI:N) |
| Scope | Unchanged (S:U) |
| Confidentiality Impact | High (C:H) |
| Integrity Impact | None (I:N) |
| Availability Impact | None (A:N) |
| CWE | CWE-611 |
| Vulnerability Type | XML External Entity Reference (XXE) |


The MEDIUM severity rating reflects a moderate risk profile: exploitation requires local system access with only low privileges, but a successful attack yields high-impact information disclosure. A local user, or a compromised low-privilege account, on a system running GRASSMARLIN could use the vulnerability to read sensitive data, configuration files, or other protected information that the account running GRASSMARLIN can access on the host.


## Affected Products


NSA GRASSMARLIN

- Version 3.2.1 (explicitly confirmed vulnerable)
- All versions (potentially affected)

Organizations should treat all deployed instances of GRASSMARLIN as potentially vulnerable until proven otherwise.


## Mitigations

Critical limitation: NSA declared GRASSMARLIN end-of-life in 2017 and has archived the project. No security patches, updates, or further support will be provided by NSA. Organizations relying on GRASSMARLIN must treat it as an unsupported tool with no vendor remediation available.


### Immediate Actions

#### Discontinuation and Replacement

The most effective mitigation is to decommission GRASSMARLIN and migrate to actively maintained network discovery and analysis tools. Consider alternatives such as:

- Nmap and related open-source tools for network reconnaissance
- Modern industrial control system (ICS) network monitoring solutions
- Commercial network analysis platforms with ongoing security updates

#### Access Control Hardening

If immediate replacement is not feasible:

- Restrict GRASSMARLIN access to trusted administrators only
- Apply the principle of least privilege: ensure users running GRASSMARLIN have only the permissions they need
- Disable GRASSMARLIN on systems that no longer require active network analysis

#### Network Isolation

- Deploy GRASSMARLIN only on isolated networks or virtual machines not connected to production infrastructure
- Prevent direct internet access to systems running GRASSMARLIN
- Use network segmentation to limit lateral movement from compromised GRASSMARLIN instances

#### Session Data Security

- Store GRASSMARLIN session files in restricted directories with appropriate file permissions
- Avoid exposing session data to untrusted users
- Monitor for suspicious session file modifications or access patterns
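As an added example (not part of the original advisory or of the GRASSMARLIN project), the following Python pre-check puts the session-data recommendations above, and the XXE mechanism described in The Threat, into practice: it inspects a session file before the tool opens it, records any DOCTYPE and entity declarations, and refuses to resolve external entities, so a hostile file can be quarantined instead of loaded. The element names and both sample files are constructed for illustration and do not reflect GRASSMARLIN's real session format.

```python
import xml.parsers.expat


def scan_session_xml(data: bytes) -> dict:
    """Inspect XML bytes for the declarations an XXE payload relies on.

    Records the DOCTYPE and every entity declaration, and refuses to fetch any
    external entity referenced from content, so scanning a hostile file never
    reads a local file or makes a network request.
    """
    findings = {"doctype": None, "entities": [], "external_refs": 0, "parse_error": None}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings["doctype"] = {"name": name, "system_id": system_id,
                               "internal_subset": bool(has_internal_subset)}

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # value is None for an external entity; system_id then names the target URI
        findings["entities"].append({"name": name, "parameter": bool(is_param),
                                     "system_id": system_id, "inline_value": value})

    def on_external_ref(context, base, system_id, public_id):
        findings["external_refs"] += 1
        return 0  # returning 0 makes expat abort instead of resolving the entity

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        findings["parse_error"] = str(exc)
    return findings


def is_safe_to_load(data: bytes) -> bool:
    """Policy: a session file must carry no DOCTYPE or entity at all and parse cleanly."""
    f = scan_session_xml(data)
    return f["doctype"] is None and not f["entities"] and f["parse_error"] is None


# Constructed samples (not real GRASSMARLIN session files); the SYSTEM target is a placeholder.
HOSTILE_SESSION = (b'<?xml version="1.0"?>'
                   b'<!DOCTYPE session [<!ENTITY leak SYSTEM "file:///placeholder/secret">]>'
                   b'<session><name>&leak;</name></session>')
BENIGN_SESSION = b'<?xml version="1.0"?><session><name>lab-capture</name></session>'

if __name__ == "__main__":
    for label, blob in (("hostile", HOSTILE_SESSION), ("benign", BENIGN_SESSION)):
        print(label, "safe" if is_safe_to_load(blob) else "REJECT", scan_session_xml(blob))
```

Run it as a gate in whatever script copies session files into the restricted directory, and log the `findings` dict for any rejected file so the access-pattern monitoring above has something concrete to alert on.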

### Defense-in-Depth Practices

CISA recommends organizations implement the following broader defensive measures to protect critical infrastructure and control systems:

- Network Exposure Minimization: Ensure all control system devices and network analysis tools are not directly accessible from the internet
- Firewall Protection: Position control system networks and remote devices behind firewalls, isolated from business networks
- Remote Access Security: When remote access is required, use Virtual Private Networks (VPNs) with current security patches; recognize that VPNs are only as secure as their connected devices
- Impact Analysis: Perform thorough impact analysis and risk assessment before deploying defensive measures to avoid operational disruption
- Security Monitoring: Implement detection mechanisms to identify suspicious activity targeting or originating from GRASSMARLIN instances

### Organizational Response

- Inventory Assessment: Identify all systems still running GRASSMARLIN in your environment
- Risk Ranking: Prioritize replacement efforts based on system criticality and user privilege levels
- Incident Preparedness: Establish procedures to detect and respond to potential XXE exploitation attempts
- Reporting: If suspected malicious activity targeting this vulnerability is observed, report findings to CISA for correlation and tracking

## References

- CVE-2026-6807: https://nvd.nist.gov/vuln/detail/CVE-2026-6807
- CISA Alert: original CISA advisory for NSA GRASSMARLIN
- CWE-611, Improper Restriction of XML External Entity Reference: https://cwe.mitre.org/data/definitions/611.html
- CISA ICS Security Resources: https://cisa.gov/ics
- ICS-TIP-12-146-01B: Targeted Cyber Intrusion Detection and Mitigation Strategies

---

Vulnerability Reporter: Grady DeRosa

Initial Publication: April 28, 2026

Current Status: No known public exploitation reported to CISA as of publication date