Refactor vpatch-CVE-2025-2611.yaml rules

buixor · web-flow · commit 80d2bca74997 · 2026-03-12T15:37:14.000+01:00
Removed unnecessary transformations and updated regex values for better matching.
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2025-2611.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2025-2611.yaml
@@ -6,27 +6,22 @@ rules:
           - URI
         transform:
           - lowercase
-          - urldecode
         match:
           type: contains
-          value: '/login.php'
+          value: /login.php
       - zones:
           - COOKIES
         variables:
           - broadcast
         transform:
           - lowercase
-          - urldecode
         match:
           type: regex
-          value: '`|\$\('
+          value: "[`|$|;]"
+
 labels:
   type: exploit
   service: http
-  confidence: 3
-  spoofable: 0
-  behavior: 'http:exploit'
-  label: 'ICTBroadcast - RCE'
   classification:
     - cve.CVE-2025-2611
     - attack.T1190
