Cyber Resilience

CVE-2026-2967

MediumPublic PoC

Published: 23 February 2026

Published
23 February 2026
Modified
23 February 2026
KEV Added
Patch
CVSS Score v4 6.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0023 46.3th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2967 is a medium-severity Improper Verification of Source of a Communication Channel (CWE-940) vulnerability in Cesanta Mongoose. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This affects the function getpeer of the file /src/net_builtin.c of the component TCP Sequence Number Handler. The manipulation leads to improper verification of source of a communication channel.…

more

The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is reported as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote network vulnerability in TCP handling (improper source verification) directly enables exploitation of a public-facing service.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

Affected Assets

cesanta
mongoose
≤ 7.20

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-940

Enforces verification of the source of a communication channel by requiring identification and authentication of services first.

addresses: CWE-940

Requires explicit verification of the source and integrity of the channel used for authentication and other security functions.

addresses: CWE-940

Provides the means to verify the source of name-resolution responses instead of relying on unauthenticated channels.

addresses: CWE-940

Requires explicit verification of the communication source, blocking session hijacking via spoofed or alternate channels.

References