CISA Flags Critical Flaw in NSA’s GrassMarlin OT Discovery Tool
CISA has warned of a critical XML External Entity vulnerability in NSA’s GrassMarlin OT tool.
Why it matters: Legal, compliance, and security teams must address risks of data exposure and regulatory non-compliance associated with this OT vulnerability. NSA-developed tools in operational technology environments often underpin critical infrastructure, making timely risk mitigation essential.
- CVE-2026-6807 is an XXE flaw in GrassMarlin disclosed by CISA on April 28, 2026.
- All GrassMarlin versions through v3.2.1 allow potential data leakage via crafted XML files.
- CISA states there is currently no evidence of exploitation but urges vigilance.
- Network segmentation and XML parser configuration are recommended until a patch is issued.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory identifying a previously unknown vulnerability (CVE-2026-6807) in GrassMarlin, the National Security Agency’s open-source asset discovery tool for operational technology (OT) networks.
The flaw is an XML External Entity (XXE) vulnerability: an attacker who can supply a specially crafted XML document to the tool may cause the parser to disclose confidential information or system files. All current releases of GrassMarlin through version 3.2.1 are at risk.
- Attackers leveraging this vulnerability could prompt unintended disclosure of sensitive data, particularly if GrassMarlin is running in less-secure OT environments.
- CISA’s alert notes no confirmed cases of active exploitation as of the publication date but emphasizes risk in networked or poorly segmented OT deployments.
- Recommended actions include disabling external entity processing in XML libraries, validating file inputs, and ensuring strong network segmentation to prevent lateral movement.
Legal and compliance teams should immediately assess whether their organizations use affected versions of GrassMarlin, as exploitation risks can trigger mandatory incident notifications under industry data protection and regulatory regimes. Remedial measures—such as prompt configuration changes and network segmentation—support a defensible security position in the event of regulatory scrutiny.
No official fix or patch is available yet from the NSA or CISA. Organizations should follow future advisories and implement interim mitigations to satisfy due diligence requirements.
By the numbers:
- CVE-2026-6807 — Identifies the XXE flaw flagged by CISA.
- v3.2.1 — Latest vulnerable version of GrassMarlin as of April 28, 2026.
Yes, but: No official patch is available; organizations must rely on mitigations and monitoring for now.
What's next: NSA and CISA are expected to announce patch availability. Organizations should monitor for further updates and advisories.