add vpatch-WT-2026-0001 (#1656)

buixor · web-flow · commit 9d1b389ec7d6 · 2026-01-22T10:23:59.000+01:00
diff --git a/.appsec-tests/vpatch-WT-2026-0001/config.yaml b/.appsec-tests/vpatch-WT-2026-0001/config.yaml
@@ -0,0 +1,4 @@
+appsec-rules:
+  - ./appsec-rules/crowdsecurity/base-config.yaml
+  - ./appsec-rules/crowdsecurity/vpatch-WT-2026-0001.yaml
+nuclei_template: vpatch-WT-2026-0001.yaml
diff --git a/.appsec-tests/vpatch-WT-2026-0001/vpatch-WT-2026-0001.yaml b/.appsec-tests/vpatch-WT-2026-0001/vpatch-WT-2026-0001.yaml
@@ -0,0 +1,28 @@
+id: WT-2026-0001
+
+info:
+  name: SmarterMail Authentication Bypass - Force Reset Password
+  author: crowdsec
+  severity: critical
+  description: |
+    Detects authentication bypass in SmarterTools SmarterMail via the force-reset-password endpoint.
+    An unauthenticated attacker can reset the system administrator password by setting IsSysAdmin to true.
+  reference:
+    - https://labs.watchtowr.com/attackers-with-decompilers-strike-again-smartertools-smartermail-wt-2026-0001-auth-bypass/
+  classification:
+    cwe-id: CWE-287
+  tags: appsec-testing,smartermail,auth-bypass
+
+http:
+  - raw:
+      - |
+        POST /api/v1/auth/force-reset-password HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {"IsSysAdmin":"true","OldPassword":"whatever","Username":"admin","NewPassword":"NewPassword123!@#","ConfirmPassword":"NewPassword123!@#"}
+
+    matchers:
+      - type: status
+        status:
+          - 403
diff --git a/appsec-rules/crowdsecurity/vpatch-WT-2026-0001.yaml b/appsec-rules/crowdsecurity/vpatch-WT-2026-0001.yaml
@@ -0,0 +1,33 @@
+name: crowdsecurity/vpatch-WT-2026-0001
+description: 'Detects authentication bypass in SmarterTools SmarterMail via force-reset-password endpoint when IsSysAdmin is true'
+rules:
+  - and:
+      - zones:
+          - URI
+        transform:
+          - lowercase
+          - urldecode
+        match:
+          type: contains
+          value: '/api/v1/auth/force-reset-password'
+      - zones:
+          - BODY_ARGS
+        variables:
+          - json.issysadmin
+        transform:
+          - lowercase
+        match:
+          type: equals
+          value: 'true'
+
+labels:
+  type: exploit
+  service: http
+  confidence: 3
+  spoofable: 0
+  behavior: 'http:exploit'
+  label: 'SmarterMail - Authentication Bypass'
+  classification:
+    - cve.WT-2026-0001
+    - attack.T1190
+    - cwe.CWE-287
