CORS misconfiguration in the REST API of Network Optix Nx Witness VMS before version 6.1.2, when running in the default Standard security mode, on Linux and Windows allows an unauthenticated remote attacker to steal the session token of an authenticated user and perform Administrator Account Takeover via a malicious cross-origin web page visited by the victim. The High security mode is not affected.

Workaround: For existing installations running in Standard security mode, set Access-Control-Allow-Credentials to false via the REST API: PATCH /rest/v2/system/settings with body {"supportedOrigins": "null"}. Alternatively, select High security level during initial setup.

Solution: Update to Nx Witness VMS version 6.1.2 or later, in which Access-Control-Allow-Credentials is set to false in the default Standard security configuration.
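The fix described above comes down to the server no longer allowing credentials for cross-origin callers. The following is an added example, not code from Network Optix or from this page: it classifies the CORS headers a server returns when probed with an untrusted Origin. The probe origin, the allow-list origin and every header set are constructed for illustration.

```python
# Added example: classify the CORS headers a server returns for a probe Origin.
# Header sets in SAMPLES are constructed, not captured Nx Witness responses.

def audit_cors(probe_origin, response_headers, trusted_origins=frozenset()):
    """Return (verdict, reason) for a response to a request sent with
    `Origin: probe_origin`, where probe_origin is an origin you do NOT trust."""
    # Header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    # Browsers honour only the exact, case-sensitive value "true".
    creds = h.get("access-control-allow-credentials") == "true"

    if acao is None:
        return ("safe", "no Access-Control-Allow-Origin: cross-origin reads blocked")
    if not creds:
        return ("safe", "credentials not allowed: credentialed responses unreadable")
    if acao == "*":
        return ("invalid", "browsers refuse '*' together with credentials")
    if acao == probe_origin and probe_origin not in trusted_origins:
        return ("vulnerable", "untrusted origin allowed with credentials")
    return ("safe", "credentials limited to origin: " + acao)

PROBE = "https://untrusted.example"  # constructed probe origin

SAMPLES = {
    "reflects origin, credentials on": {
        "Access-Control-Allow-Origin": PROBE,
        "Access-Control-Allow-Credentials": "true",
    },
    "reflects origin, credentials off": {
        "Access-Control-Allow-Origin": PROBE,
        "Access-Control-Allow-Credentials": "false",
    },
    "wildcard with credentials": {
        "access-control-allow-origin": "*",
        "access-control-allow-credentials": "true",
    },
    "fixed allow-list entry": {
        "Access-Control-Allow-Origin": "https://vms-console.example",
        "Access-Control-Allow-Credentials": "true",
    },
}

def run_samples():
    return {name: audit_cors(PROBE, hdrs)[0] for name, hdrs in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{verdict:10} {name}")
```

Only the first sample is flagged: the server echoes an origin it has no reason to trust and also permits credentials, which is the combination that lets a cross-origin page read authenticated responses.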
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-10056 is a Cross-Origin Resource Sharing (CORS) misconfiguration in Network Optix Nx Witness VMS that allows unauthenticated attackers to steal authenticated user session tokens and achieve Administrator Account Takeover. The vulnerability affects default Standard security mode deployments on both Linux and Windows systems running versions prior to 6.1.2. This is particularly impactful because Nx Witness VMS is widely deployed for video surveillance and security monitoring—systems that require the highest trust levels. An attacker only needs to trick an authenticated administrator into visiting a malicious webpage to compromise the entire video management infrastructure, making this a high-severity supply chain and social engineering vector.
While CVE-2026-10056 currently maps to no specific MITRE ATT&CK techniques in the published advisory, practitioners using Casky.ai would detect the underlying attack patterns through skills aligned with credential access and lateral movement behaviors. Extended reasoning across Casky's 754 mapped security skills would identify suspicious cross-origin API requests, anomalous session token usage from unexpected origins, and authentication bypass attempts typical of T1550 (Use Alternate Authentication Material) and T1187 (Forced Authentication) attack chains. Practitioners reviewing their findings would see API logs showing REST calls originating from mismatched domain sources, session tokens being replayed from unauthorized origins, and privilege escalation attempts immediately following token theft—patterns that Claude's extended reasoning correlates with account takeover attack preparation before administrative actions occur.
© 2026 Casky.AI, Inc. · AI Security Investigation