VYPR
Advisory · Published May 1, 2026 · Updated May 18, 2026 · 1 source

CISA Warns of Critical Vulnerability in NSA-Developed GRASSMARLIN ICS Mapping Tool

CISA has issued an advisory for a critical vulnerability in GRASSMARLIN, an NSA-developed open-source tool for mapping ICS networks. The flaw allows out-of-band exfiltration of sensitive files.

CISA has issued an advisory warning of a critical vulnerability in GRASSMARLIN, an open-source tool originally developed by the National Security Agency (NSA) for mapping industrial control system (ICS) networks. The flaw, which has not been assigned a CVE ID, enables attackers to trigger out-of-band exfiltration of sensitive files, potentially aiding lateral movement in industrial environments. Because GRASSMARLIN reached end-of-life status in 2017, no official patches will be released, and organizations still using the tool are urged to discontinue its use immediately.

GRASSMARLIN was designed to help network defenders map ICS and supervisory control and data acquisition (SCADA) networks by passively analyzing network traffic. However, the tool's outdated codebase and lack of ongoing support have left it vulnerable to exploitation. According to CISA's advisory, the vulnerability allows an attacker to exfiltrate files from a system running GRASSMARLIN without triggering typical security alerts, as the exfiltration occurs through out-of-band channels that may bypass network monitoring tools.

The impact of this vulnerability is particularly concerning given the sensitive nature of ICS networks. Attackers who successfully exploit the flaw could gain access to network topology data, device configurations, and other operational information that could be used to plan more targeted attacks. In the worst case, this could facilitate lateral movement within industrial networks, potentially leading to disruption of critical infrastructure.

CISA's advisory emphasizes that GRASSMARLIN is no longer supported by the NSA and has not received updates since 2017. As a result, there are no patches available to address the vulnerability. The agency strongly recommends that organizations immediately remove GRASSMARLIN from their networks and transition to alternative, actively maintained tools for ICS network mapping. For organizations that cannot immediately discontinue use, CISA advises implementing strict network segmentation and monitoring to limit the potential for exploitation.

The advisory is part of a broader effort by CISA to address vulnerabilities in legacy tools that remain in use across critical infrastructure sectors. The agency has previously warned about the risks of using end-of-life software in industrial environments, where patching can be challenging due to operational constraints. This latest warning underscores the importance of maintaining up-to-date asset inventories and ensuring that all software used in ICS environments is actively supported.

Security experts have noted that the GRASSMARLIN vulnerability highlights a recurring issue in the cybersecurity community: the continued use of deprecated tools in critical environments. While the tool was once a valuable resource for network defenders, its lack of updates has made it a liability. Organizations are urged to conduct a thorough review of their ICS toolchains and replace any unsupported software with modern alternatives that receive regular security updates.

Synthesized by Vypr AI