Skip to content

Commit 4f2a585

Browse files
Add vpatch-CVE-2025-52970 rule and test (#1618)
* Add vpatch-CVE-2025-52970 rule * Add vpatch-CVE-2025-52970 test config * Add CVE-2025-52970.yaml test * Add vpatch-CVE-2025-52970 rule to vpatch collection * Update vpatch-CVE-2025-52970.yaml * ci --------- Co-authored-by: Thibault "bui" Koechlin <thibault@crowdsec.net> Co-authored-by: Thibault Koechlin <orixxx@gmail.com>
1 parent 3b05afb commit 4f2a585

File tree

4 files changed

+58
-0
lines changed

4 files changed

+58
-0
lines changed
Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,19 @@
1+
## autogenerated on 2025-12-29 14:03:07
2+
id: CVE-2025-52970
3+
info:
4+
name: CVE-2025-52970
5+
author: crowdsec
6+
severity: info
7+
description: CVE-2025-52970 testing
8+
tags: appsec-testing
9+
http:
10+
- raw:
11+
- |
12+
GET /api/fabric/device/status HTTP/1.1
13+
Host: {{Hostname}}
14+
Authorization: Bearer ';drop/**/table/**/fabric_user.test;--
15+
cookie-reuse: true
16+
matchers:
17+
- type: status
18+
status:
19+
- 403
Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,5 @@
1+
## autogenerated on 2025-12-29 14:03:07
2+
appsec-rules:
3+
- ./appsec-rules/crowdsecurity/base-config.yaml
4+
- ./appsec-rules/crowdsecurity/vpatch-CVE-2025-52970.yaml
5+
nuclei_template: CVE-2025-52970.yaml
Lines changed: 33 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,33 @@
1+
## autogenerated on 2025-12-29 14:03:07
2+
name: crowdsecurity/vpatch-CVE-2025-52970
3+
description: 'Detects authentication bypass to admin privilege in Fortinet FortiWeb via crafted Authorization header.'
4+
rules:
5+
- and:
6+
- zones:
7+
- URI
8+
transform:
9+
- lowercase
10+
match:
11+
type: contains
12+
value: /api/fabric/device/status
13+
- zones:
14+
- HEADERS
15+
variables:
16+
- authorization
17+
transform:
18+
- lowercase
19+
match:
20+
type: contains
21+
value: "'"
22+
23+
labels:
24+
type: exploit
25+
service: http
26+
confidence: 3
27+
spoofable: 0
28+
behavior: 'http:exploit'
29+
label: 'Fortinet FortiWeb - Authentication Bypass'
30+
classification:
31+
- cve.CVE-2025-52970
32+
- attack.T1190
33+
- cwe.CWE-223

collections/crowdsecurity/appsec-virtual-patching.yaml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -146,6 +146,7 @@ appsec-rules:
146146
- crowdsecurity/vpatch-CVE-2025-9316
147147
- crowdsecurity/vpatch-CVE-2025-11700
148148
- crowdsecurity/vpatch-CVE-2025-13315
149+
- crowdsecurity/vpatch-CVE-2025-52970
149150
- crowdsecurity/vpatch-CVE-2025-47188
150151
author: crowdsecurity
151152
contexts:

0 commit comments

Comments
 (0)