Cyber Resilience

CVE-2026-28801

Severity: Medium
Published: 06 March 2026
Modified: 10 March 2026
KEV Added: none (not in the CISA KEV catalog)
Patch: fixed in version 1.1.0
CVSS Score v3.1: 6.6 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.0003 (7.6th percentile)
Risk Priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-28801 is a medium-severity Code Injection (CWE-94) vulnerability in Natroteam Natro Macro. Its CVSS base score is 6.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique AutoHotKey & AutoIT (T1059.010). EPSS ranks it at the 7.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).

Deeper analysis

CVE-2026-28801 is a code injection vulnerability (CWE-94) affecting Natro Macro, an open-source AutoHotkey-based macro for the Bee Swarm Simulator game. In versions prior to 1.1.0, the software executes arbitrary AutoHotkey (AHK) code embedded within user-supplied pattern or path files. This flaw arises because the macro directly interprets and runs AHK scripts from these files without validation, enabling unintended code execution. The vulnerability carries a CVSS v3.1 base score of 6.6 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N).

An attacker can exploit this vulnerability by crafting and sharing a malicious pattern or path file containing hidden AHK code, leveraging the common practice of users exchanging such files within the Bee Swarm Simulator community. Exploitation requires local access to the victim's system, low privileges, and user interaction to load the file into Natro Macro. Successful exploitation allows the malicious code to execute silently in the background alongside legitimate macro functionality, potentially granting the attacker high-impact access to confidentiality and integrity, such as stealing data, modifying files, or performing other arbitrary actions without affecting availability.

The GitHub security advisory at https://github.com/NatroTeam/NatroMacro/security/advisories/GHSA-c5gm-vfvf-pwhx confirms the issue and states that it has been fully addressed in Natro Macro version 1.1.0, recommending that users upgrade immediately to mitigate the risk. No additional workarounds are detailed in the provided information.

Vulnerability details

Natro Macro is an open-source Bee Swarm Simulator macro written in AutoHotkey. Prior to version 1.1.0, any AHK code contained inside of a pattern or path file is executed by the macro. Since users commonly share path/pattern files, an attacker could share a file containing malicious code, which is then executed by the program. This code can operate in silence alongside the pattern, running in the background to do whatever the attacker pleases. This issue has been patched in version 1.1.0.

CWE(s)

CWE-94 Code Injection

Related Threats

MITRE ATT&CK Enterprise Techniques

T1059.010 AutoHotKey & AutoIT (Execution): Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation scripts.

T1204.002 Malicious File (User Execution): An adversary may rely upon a user opening a malicious file in order to gain execution.

Why these techniques?

The vulnerability directly enables arbitrary AutoHotkey code execution from unvalidated user-supplied files (T1059.010) and requires a user to load the malicious file for exploitation (T1204.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-28800 (same product: Natroteam Natro Macro)
CVE-2025-61982 (shared CWE-94)
CVE-2026-3476 (shared CWE-94)
CVE-2026-42214 (shared CWE-94)
CVE-2024-27856 (shared CWE-94)
CVE-2025-24243 (shared CWE-94)
CVE-2025-25944 (shared CWE-94)
CVE-2023-31044 (shared CWE-94)
CVE-2025-65715 (shared CWE-94)
CVE-2025-21187 (shared CWE-94)

Affected Assets

Vendor: natroteam
Product: natro macro
Versions: ≤ 1.1.0

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation of AHK code contained in untrusted pattern/path files before execution, eliminating the injection vector.

SI-3 Malicious Code Protection (prevent, detect): Mandates mechanisms to detect and block malicious code embedded in user-shared files before the macro interprets and runs it.

Integrity control (prevent; control identifier not given on this page): Requires integrity verification of externally supplied pattern/path files to ensure they have not been tampered with to contain hidden AHK payloads.
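The two controls above (validating pattern/path file content before anything interprets it, and verifying the integrity of files obtained from other users) can be combined in one loader. The following is an added illustration, not Natro Macro's own code or its 1.1.0 fix. It assumes a hypothetical data-only pattern format (one movement command per line, `<command> <seconds> [<direction>]`) so that an allowlist grammar, rather than an AHK interpreter, decides what a file may contain; the command table, the sample files and the trusted-digest list are all constructed for the example.

```python
"""Defender-side loader for user-shared macro pattern/path files.

Added illustration, not Natro Macro's own code. It assumes a hypothetical
data-only pattern format so that an allowlist grammar, not an AutoHotkey
interpreter, decides what a shared file may contain.
"""
import hashlib
import hmac
import re

# Hypothetical data-only grammar: "<command> <seconds> [<direction>]".
# Every command and direction must be in this table; nothing else parses.
ALLOWED_COMMANDS = {
    "walk": {"left", "right", "forward", "back"},
    "wait": set(),
    "gather": set(),
}
_LINE_RE = re.compile(
    r"^(?P<cmd>[a-z]+)\s+(?P<secs>\d+(?:\.\d+)?)(?:\s+(?P<dir>[a-z]+))?$"
)

# Markers of executable AHK, used only to explain a rejection in the log.
# The allowlist above is what decides, so an unlisted construct is still
# rejected even when none of these markers is present.
_AHK_MARKERS = re.compile(
    r"(?i)\b(Run|RunWait|DllCall|ExecScript|FileDelete|UrlDownloadToFile|Send)\b"
    r"|^#|:=|\(|%"
)


class PatternFileError(ValueError):
    """Raised when a pattern file fails content validation."""


def validate_pattern(text):
    """Parse pattern text into (command, seconds, direction) tuples.

    Blank lines and ';' comments are skipped. Any other line that does not
    match the data grammar raises PatternFileError, so an AHK statement
    hidden among valid lines never reaches an interpreter.
    """
    commands = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _LINE_RE.match(line)
        if m is None or m["cmd"] not in ALLOWED_COMMANDS:
            why = "contains AHK code" if _AHK_MARKERS.search(line) else "unrecognised data line"
            raise PatternFileError(f"line {lineno}: {why}: {line!r}")
        directions = ALLOWED_COMMANDS[m["cmd"]]
        direction = m["dir"]
        if directions:
            if direction not in directions:  # missing or unknown direction
                raise PatternFileError(f"line {lineno}: bad direction: {line!r}")
        elif direction is not None:
            raise PatternFileError(f"line {lineno}: unexpected direction: {line!r}")
        commands.append((m["cmd"], float(m["secs"]), direction))
    return commands


def scan_pattern_text(text):
    """Content check only: (True, commands) or (False, reason)."""
    try:
        return True, validate_pattern(text)
    except PatternFileError as exc:
        return False, str(exc)


def verify_integrity(data, expected_sha256):
    """Constant-time comparison of the file's SHA-256 against a trusted digest."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256)


def audit_pattern(data, trusted_hashes, name):
    """Apply both controls and return (ok, detail).

    Integrity first: the bytes must match a digest already vetted for that
    file name. Content second: even a trusted file is re-validated, so a bad
    file that slipped into the digest list is still caught.
    """
    expected = trusted_hashes.get(name)
    if expected is None:
        return False, f"{name}: no trusted digest on record"
    if not verify_integrity(data, expected):
        return False, f"{name}: digest mismatch (file modified or replaced)"
    try:
        ok, result = scan_pattern_text(data.decode("utf-8"))
    except UnicodeDecodeError:
        return False, f"{name}: not valid UTF-8 text"
    if not ok:
        return False, f"{name}: {result}"
    return True, f"{name}: {len(result)} commands"


# Constructed samples. GOOD_PATTERN is pure data; BAD_PATTERN hides one AHK
# statement among valid lines, the shape the advisory describes.
GOOD_PATTERN = b"; field loop (constructed)\nwalk 1.5 left\ngather 3\nwalk 1.5 right\n"
BAD_PATTERN = b"walk 1.5 left\nRun, notepad.exe\ngather 3\n"

# Digest list the user trusts; in practice shipped by a curated source,
# here computed from the constructed good file.
TRUSTED_HASHES = {"field_a.txt": hashlib.sha256(GOOD_PATTERN).hexdigest()}

if __name__ == "__main__":
    for name, data in [("field_a.txt", GOOD_PATTERN),
                       ("field_a.txt", BAD_PATTERN),
                       ("new.txt", GOOD_PATTERN)]:
        print(audit_pattern(data, TRUSTED_HASHES, name))
```

The order matters: the digest check rejects a modified or replaced file before its content is even decoded, and the grammar check still runs on files that pass it. A denylist of AHK keywords alone would be the weaker design, since it must anticipate every executable construct; here the keyword list only labels the rejection reason for the operator's log.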

References

GitHub security advisory GHSA-c5gm-vfvf-pwhx: https://github.com/NatroTeam/NatroMacro/security/advisories/GHSA-c5gm-vfvf-pwhx