CISA has published ICS security advisory ICSA-26-118-01 documenting CVE-2026-6807, a vulnerability in GRASSMARLIN, an open-source network visualisation and analysis tool developed by the NSA and widely deployed in industrial control system environments as a passive OT network discovery and mapping solution. The vulnerability puts at risk the analyst workstations on which GRASSMARLIN runs, particularly in workflows where the tool is used to analyse network traffic captured from OT environments.
About GRASSMARLIN
GRASSMARLIN was developed by the NSA’s Information Assurance Directorate and released to the public as an open-source tool for passive network monitoring of ICS and SCADA environments. It analyses PCAP (network capture) files and live traffic to identify industrial devices, map communication paths between components, and visualise the topology of OT networks — providing asset discovery and network mapping capability without requiring active network probing that could disrupt sensitive industrial systems.
The tool is used by:
- OT security teams conducting network visibility assessments in manufacturing, energy, and utilities environments
- ICS incident responders analysing traffic captures from potentially compromised operational networks
- Critical infrastructure operators building their first ICS asset inventory
- Government-mandated security assessments and compliance exercises
CVE-2026-6807: Vulnerability Details
CVE-2026-6807 is a parsing vulnerability in GRASSMARLIN’s PCAP ingestion engine. GRASSMARLIN processes network capture files from OT environments as part of its core function — analysing the captured traffic to identify devices and protocols. A specially crafted PCAP file can trigger a memory corruption condition during the parsing of non-standard or malformed packet headers, potentially enabling code execution on the analyst workstation running GRASSMARLIN.
The attack scenario mirrors the Wireshark CVE-2026-5656 risk disclosed on 4 May 2026: an analyst opens a capture file from a network under investigation and the capture file itself becomes the attack vector. In an ICS security context, this is particularly relevant because:
- OT incident response frequently involves collecting and analysing network captures from potentially adversary-controlled environments
- A sophisticated threat actor with access to an OT network could craft or inject malicious traffic designed to produce a PCAP file that exploits the analyst tool
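The class of defect described above is a parser trusting length fields in a file it did not produce. As an added example, which is not GRASSMARLIN code and is not derived from the advisory (the page gives no trigger details), the following Python triages a classic libpcap file before it is handed to any analysis tool: it checks the global header and walks every record, flagging an incl_len that exceeds the snaplen, the orig_len, or the bytes remaining in the file. The sample captures are constructed inline, and the function and constant names are this example's own. It covers the classic pcap format only, not pcapng, and passing it is no proof of safety, only a cheap pre-filter to run inside the isolated analysis environment.

```python
"""Pre-ingestion triage for classic libpcap files (added example, not GRASSMARLIN code)."""
import struct
import sys

# Magic value as read little-endian from the first four bytes -> (struct byte order, timestamp unit)
MAGICS = {
    0xA1B2C3D4: ("<", "microseconds"),
    0xD4C3B2A1: (">", "microseconds"),
    0xA1B23C4D: ("<", "nanoseconds"),
    0x4D3CB2A1: (">", "nanoseconds"),
}
GLOBAL_HDR_LEN = 24   # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16   # ts_sec, ts_frac, incl_len, orig_len
MAX_SNAPLEN = 262144  # libpcap's MAXIMUM_SNAPLEN; anything larger is suspect


def triage_pcap(data: bytes) -> dict:
    """Walk the file's framing and return {"ok", "records", "findings"} without touching payloads."""
    findings = []
    if len(data) < GLOBAL_HDR_LEN:
        return {"ok": False, "records": 0, "findings": ["file shorter than the global header"]}
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in MAGICS:
        return {"ok": False, "records": 0,
                "findings": [f"unknown magic 0x{magic:08x}: not classic pcap (pcapng or corrupt)"]}
    order, _unit = MAGICS[magic]
    vmaj, vmin, _tz, _sigfigs, snaplen, _linktype = struct.unpack(
        order + "HHiIII", data[4:GLOBAL_HDR_LEN])
    if (vmaj, vmin) != (2, 4):
        findings.append(f"unexpected pcap version {vmaj}.{vmin}")
    if snaplen == 0 or snaplen > MAX_SNAPLEN:
        findings.append(f"implausible snaplen {snaplen}")

    offset, records = GLOBAL_HDR_LEN, 0
    while offset < len(data):
        if len(data) - offset < RECORD_HDR_LEN:
            findings.append(f"record {records}: truncated record header at offset {offset}")
            break
        _ts_sec, _ts_frac, incl_len, orig_len = struct.unpack(
            order + "IIII", data[offset:offset + RECORD_HDR_LEN])
        if incl_len > snaplen:
            findings.append(f"record {records}: incl_len {incl_len} exceeds snaplen {snaplen}")
        if incl_len > orig_len:
            findings.append(f"record {records}: incl_len {incl_len} exceeds orig_len {orig_len}")
        remaining = len(data) - offset - RECORD_HDR_LEN
        if incl_len > remaining:
            # incl_len is the field a naive parser would use to size a buffer or a copy.
            findings.append(f"record {records}: incl_len {incl_len} runs "
                            f"{incl_len - remaining} bytes past end of file")
            break
        offset += RECORD_HDR_LEN + incl_len
        records += 1
    return {"ok": not findings, "records": records, "findings": findings}


def build_pcap(records, snaplen=65535, linktype=1) -> bytes:
    """Constructed little-endian pcap; records are (incl_len, orig_len, payload) so headers can lie."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for incl_len, orig_len, payload in records:
        out += struct.pack("<IIII", 1_700_000_000, 0, incl_len, orig_len) + payload
    return out


# Constructed sample data: a 60-byte placeholder Ethernet frame, not real OT traffic.
FRAME = bytes(12) + b"\x08\x00" + bytes(46)
CLEAN = build_pcap([(len(FRAME), len(FRAME), FRAME)])
# Second record claims 4 GiB of packet data while only 60 bytes actually follow.
MALFORMED = build_pcap([(len(FRAME), len(FRAME), FRAME), (0xFFFFFFFF, len(FRAME), FRAME)])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else MALFORMED
    result = triage_pcap(data)
    print(f"ok={result['ok']} records={result['records']}")
    for finding in result["findings"]:
        print("  -", finding)
    sys.exit(0 if result["ok"] else 1)
```

Run it with a capture path as the only argument from inside the isolated analysis VM; a non-zero exit means the file's framing is internally inconsistent and the capture should not be opened in an analysis tool until it has been examined byte by byte. A clean result says only that the record framing is self-consistent; the protocol dissectors that run afterwards see far more of the file than this check does.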
Affected Versions and Remediation
CVE-2026-6807 affects GRASSMARLIN versions up to and including 2.6.0, which is the current release on the NSA’s public GitHub repository. A patch has not yet been released at time of advisory publication — CISA’s advisory classifies this as a coordinated disclosure pending a patch from the development team.
Interim mitigations:
- Open GRASSMARLIN and analyse PCAP files only in isolated, air-gapped, or virtual machine environments that do not have access to production internal networks
- Do not open PCAPs from suspected-compromised OT environments on analyst workstations connected to enterprise IT networks
- Treat captured network traffic files from live OT environments as untrusted input, applying the same isolation principles as malware analysis workflows. This includes captures collected by your own passive sensors, since an adversary on the monitored network controls the packets those sensors record
Broader Pattern: Security Tools as Attack Vectors
CVE-2026-6807 is the second security tool vulnerability disclosed within two days — following Wireshark’s CVE-2026-5656 on 4 May 2026. The pattern is not coincidental: security and analysis tools are high-value targets for adversaries who understand that these tools run on workstations with elevated internal network access and are routinely used with untrusted data sources.
For OT-focused defenders, the risk is compounded by the fact that OT incident response requires opening data captured from potentially compromised environments — the very scenario that maximises exploitation probability. Security tooling should be subject to the same vulnerability management programme as production infrastructure, and analysis environments should be isolated by default rather than as an afterthought.
Monitor the NSA GRASSMARLIN GitHub repository and CISA’s advisory page for patch release. Given the tool’s use in ICS environments, CISA is expected to expedite the remediation timeline.