From baa6c5a8fabcda7baec4d97b87d445c20e77f634 Mon Sep 17 00:00:00 2001 
From: Thibault Koechlin Date: Thu, 12 Mar 2026 13:41:38 +0100 Subject: [PATCH 1/7] Add WAF virtual patches for CVE-2020-37123, CVE-2022-3236, CVE-2025-10353 and improve CVE-2025-2611 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit New rules: - vpatch-CVE-2020-37123: Pinger 1.0 RCE via unsanitized ping parameter - vpatch-CVE-2022-3236: Sophos Firewall code injection in User Portal/Webadmin - vpatch-CVE-2025-10353: Melis Platform unrestricted file upload in CMS Slider Improved rule: - vpatch-CVE-2025-2611: ICTBroadcast cookie RCE — switched from COOKIES to HEADERS zone, added urldecode transform, broadened regex to catch $() syntax All rules validated, linted, and tested via Docker harness (403 blocks confirmed). Co-Authored-By: Claude Opus 4.6 --- .../vpatch-CVE-2020-37123/CVE-2020-37123.yaml | 20 +++++++++++ .../vpatch-CVE-2020-37123/config.yaml | 4 +++ .../vpatch-CVE-2022-3236/CVE-2022-3236.yaml | 21 ++++++++++++ .../vpatch-CVE-2022-3236/config.yaml | 4 +++ .../vpatch-CVE-2025-10353/CVE-2025-10353.yaml | 29 ++++++++++++++++ .../vpatch-CVE-2025-10353/config.yaml | 4 +++ .../vpatch-CVE-2025-2611/CVE-2025-2611.yaml | 18 ++++++++++ .../vpatch-CVE-2025-2611/config.yaml | 4 +++ .../crowdsecurity/vpatch-CVE-2020-37123.yaml | 33 +++++++++++++++++++ .../crowdsecurity/vpatch-CVE-2022-3236.yaml | 33 +++++++++++++++++++ .../crowdsecurity/vpatch-CVE-2025-10353.yaml | 30 +++++++++++++++++ .../crowdsecurity/vpatch-CVE-2025-2611.yaml | 13 ++++---- .../appsec-virtual-patching.yaml | 3 ++ 13 files changed, 210 insertions(+), 6 deletions(-) create mode 100644 .appsec-tests/vpatch-CVE-2020-37123/CVE-2020-37123.yaml create mode 100644 .appsec-tests/vpatch-CVE-2020-37123/config.yaml create mode 100644 .appsec-tests/vpatch-CVE-2022-3236/CVE-2022-3236.yaml create mode 100644 .appsec-tests/vpatch-CVE-2022-3236/config.yaml create mode 100644 .appsec-tests/vpatch-CVE-2025-10353/CVE-2025-10353.yaml create mode 100644 
.appsec-tests/vpatch-CVE-2025-10353/config.yaml create mode 100644 .appsec-tests/vpatch-CVE-2025-2611/CVE-2025-2611.yaml create mode 100644 .appsec-tests/vpatch-CVE-2025-2611/config.yaml create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2020-37123.yaml create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2022-3236.yaml create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2025-10353.yaml diff --git a/.appsec-tests/vpatch-CVE-2020-37123/CVE-2020-37123.yaml b/.appsec-tests/vpatch-CVE-2020-37123/CVE-2020-37123.yaml new file mode 100644 index 00000000000..78d378e8f92 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2020-37123/CVE-2020-37123.yaml @@ -0,0 +1,20 @@ +id: CVE-2020-37123 +info: + name: CVE-2020-37123 + author: crowdsec + severity: info + description: CVE-2020-37123 testing + tags: appsec-testing +http: + - raw: + - | + POST /ping.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + ping=127.0.0.1;echo+test + cookie-reuse: true + matchers: + - type: status + status: + - 403 \ No newline at end of file diff --git a/.appsec-tests/vpatch-CVE-2020-37123/config.yaml b/.appsec-tests/vpatch-CVE-2020-37123/config.yaml new file mode 100644 index 00000000000..8cb716ddc0f --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2020-37123/config.yaml @@ -0,0 +1,4 @@ +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2020-37123.yaml +nuclei_template: CVE-2020-37123.yaml \ No newline at end of file diff --git a/.appsec-tests/vpatch-CVE-2022-3236/CVE-2022-3236.yaml b/.appsec-tests/vpatch-CVE-2022-3236/CVE-2022-3236.yaml new file mode 100644 index 00000000000..bfd740f9100 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2022-3236/CVE-2022-3236.yaml 
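Review bot: The new test file ends without a trailing newline (`\ No newline at end of file` closes the hunk), which yamllint's `new-line-at-end-of-file` rule flags and which makes the next edit to the last line show up as a two-line diff. The same applies in this patch to the config.yaml beside it, to the CVE-2022-3236 and CVE-2025-10353 test and config files, to .appsec-tests/vpatch-CVE-2025-2611/config.yaml, and to the new rule files vpatch-CVE-2020-37123.yaml and vpatch-CVE-2022-3236.yaml. Later patches in the series add the final newline only to vpatch-CVE-2025-10353.yaml, vpatch-CVE-2025-2611.yaml and the CVE-2025-2611 test; adding it to the remaining files would keep the whole set consistent.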
@@ -0,0 +1,21 @@ +id: CVE-2022-3236 +info: + name: CVE-2022-3236 + author: crowdsec + severity: info + description: CVE-2022-3236 testing + tags: appsec-testing +http: + - raw: + - | + POST /userportal/Controller HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + X-Requested-With: XMLHttpRequest + + mode=451&json=%7b%22username%22%3a%22admin%22%2c%22password%22%3a%22x%22%2c%22languageid%22%3a%221%22%2c%22browser%22%3a%22Firefox_91%22%2c%22_discriminator%22%3a%7b%22curvalue%22%3a%22%3b%60nc%20example.com%2080%60%22%7d%2c%22value%22%3a%22curvalue%22%7d&__RequestType=ajax&t=1710331582506 + cookie-reuse: true + matchers: + - type: status + status: + - 403 \ No newline at end of file diff --git a/.appsec-tests/vpatch-CVE-2022-3236/config.yaml b/.appsec-tests/vpatch-CVE-2022-3236/config.yaml new file mode 100644 index 00000000000..ec76b187c2d --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2022-3236/config.yaml @@ -0,0 +1,4 @@ +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2022-3236.yaml +nuclei_template: CVE-2022-3236.yaml \ No newline at end of file diff --git a/.appsec-tests/vpatch-CVE-2025-10353/CVE-2025-10353.yaml b/.appsec-tests/vpatch-CVE-2025-10353/CVE-2025-10353.yaml new file mode 100644 index 00000000000..32301c3586a --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2025-10353/CVE-2025-10353.yaml 
@@ -0,0 +1,29 @@ +id: CVE-2025-10353 +info: + name: CVE-2025-10353 + author: crowdsec + severity: info + description: CVE-2025-10353 testing + tags: appsec-testing +http: + - raw: + - | + POST /melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm HTTP/1.1 + Host: {{Hostname}} + Content-Type: multipart/form-data; boundary=----crowdsectest + + ------crowdsectest + Content-Disposition: form-data; name="mcsdetail_mcslider_id" + + 0 + ------crowdsectest + Content-Disposition: form-data; name="mcsdetail_img"; filename="test.php" + Content-Type: text/plain + + test + ------crowdsectest-- + cookie-reuse: true + matchers: + - type: status + status: + - 403 \ No newline at end of file diff --git a/.appsec-tests/vpatch-CVE-2025-10353/config.yaml b/.appsec-tests/vpatch-CVE-2025-10353/config.yaml new file mode 100644 index 00000000000..2e3ce6802a8 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2025-10353/config.yaml @@ -0,0 +1,4 @@ +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2025-10353.yaml +nuclei_template: CVE-2025-10353.yaml \ No newline at end of file diff --git a/.appsec-tests/vpatch-CVE-2025-2611/CVE-2025-2611.yaml b/.appsec-tests/vpatch-CVE-2025-2611/CVE-2025-2611.yaml new file mode 100644 index 00000000000..111df523ba5 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2025-2611/CVE-2025-2611.yaml @@ -0,0 +1,18 @@ +id: CVE-2025-2611 +info: + name: CVE-2025-2611 + author: crowdsec + severity: info + description: CVE-2025-2611 testing + tags: appsec-testing +http: + - raw: + - | + GET /login.php HTTP/1.1 + Host: {{Hostname}} + Cookie: PHPSESSID=`echo${IFS}dGVzdA==|base64${IFS}-d|sh` + cookie-reuse: true + matchers: + - type: status + status: + - 403 \ No newline at end of file diff --git a/.appsec-tests/vpatch-CVE-2025-2611/config.yaml b/.appsec-tests/vpatch-CVE-2025-2611/config.yaml new file mode 100644 index 00000000000..05f666772b9 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2025-2611/config.yaml 
@@ -0,0 +1,4 @@ +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2025-2611.yaml +nuclei_template: CVE-2025-2611.yaml \ No newline at end of file diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2020-37123.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2020-37123.yaml new file mode 100644 index 00000000000..4813cbbb349 --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2020-37123.yaml @@ -0,0 +1,33 @@ +name: crowdsecurity/vpatch-CVE-2020-37123 +description: 'Detects remote code execution via unsanitized ping parameter in Pinger 1.0' +rules: + - and: + - zones: + - URI + transform: + - lowercase + - urldecode + match: + type: contains + value: '/ping.php' + - zones: + - BODY_ARGS + variables: + - ping + transform: + - lowercase + - urldecode + match: + type: regex + value: '[;|&`$]' +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'Pinger - RCE' + classification: + - cve.CVE-2020-37123 + - attack.T1190 + - cwe.CWE-78 \ No newline at end of file diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2022-3236.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2022-3236.yaml new file mode 100644 index 00000000000..18a5181171c --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2022-3236.yaml 
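Review bot: The `ping` regex `[;|&`$]` leaves out the line-break characters, which a shell treats as a command separator just like `;`; because the zone already carries the `urldecode` transform, a percent-encoded line break in the parameter reaches the regex as a literal newline and the rule would not fire on it. Extending the class to `value: '[;|&`$\n\r]'` closes that without any other change to the rule, provided the engine's regex dialect accepts `\n`/`\r` inside a character class (Go's RE2 does, if that is what the AppSec component uses). The URI `contains` check on `/ping.php` is fine as written, and the `lowercase`-before-`urldecode` order does not affect hex escapes.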
@@ -0,0 +1,33 @@ +name: crowdsecurity/vpatch-CVE-2022-3236 +description: 'Detects code injection in Sophos Firewall User Portal and Webadmin via JSON parameter' +rules: + - and: + - zones: + - URI + transform: + - lowercase + - urldecode + match: + type: regex + value: '/(userportal|webconsole)/controller' + - zones: + - BODY_ARGS + variables: + - json + transform: + - lowercase + - urldecode + match: + type: regex + value: '`|\$\(' +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'Sophos Firewall - Code Injection' + classification: + - cve.CVE-2022-3236 + - attack.T1190 + - cwe.CWE-94 \ No newline at end of file diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2025-10353.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2025-10353.yaml new file mode 100644 index 00000000000..529bf3fd9e4 --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2025-10353.yaml @@ -0,0 +1,30 @@ +name: crowdsecurity/vpatch-CVE-2025-10353 +description: 'Detects unrestricted file upload in Melis Platform CMS Slider module' +rules: + - and: + - zones: + - URI + transform: + - lowercase + - urldecode + match: + type: contains + value: '/melis/meliscmsslider/meliscmssliderdetails/savedetailsform' + - zones: + - FILENAMES + transform: + - lowercase + match: + type: regex + value: '\.' +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'Melis Platform - Arbitrary File Upload' + classification: + - cve.CVE-2025-10353 + - attack.T1190 + - cwe.CWE-434 \ No newline at end of file diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2025-2611.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2025-2611.yaml index 5ebae95edff..cd98f0c3265 100644 --- a/appsec-rules/crowdsecurity/vpatch-CVE-2025-2611.yaml +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2025-2611.yaml 
@@ -1,24 +1,25 @@ name: crowdsecurity/vpatch-CVE-2025-2611 -description: 'Detects command injection in ICTBroadcast via BROADCAST cookie' +description: 'Detects unauthenticated RCE via session cookie shell injection in ICTBroadcast' rules: - and: - zones: - URI transform: - lowercase + - urldecode match: type: contains - value: /login.php + value: '/login.php' - zones: - - COOKIES + - HEADERS variables: - - broadcast + - Cookie transform: - lowercase + - urldecode match: type: regex - value: "[`|$|;]" - + value: '`|\$\(' labels: type: exploit service: http diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index 1a563374297..2871e5e7963 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -170,6 +170,9 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2025-4689 - crowdsecurity/vpatch-CVE-2026-20127 - crowdsecurity/vpatch-CVE-2026-20127-dca-disclosure +- crowdsecurity/vpatch-CVE-2020-37123 +- crowdsecurity/vpatch-CVE-2022-3236 +- crowdsecurity/vpatch-CVE-2025-10353 author: crowdsecurity tags: - waf From f1d45d5ef7c90d9bd0c039c89b1540120c6b68ca Mon Sep 17 00:00:00 2001 From: "Thibault \"bui\" Koechlin" Date: Thu, 12 Mar 2026 15:02:54 +0100 Subject: [PATCH 2/7] Update vpatch-CVE-2025-10353.yaml --- appsec-rules/crowdsecurity/vpatch-CVE-2025-10353.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2025-10353.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2025-10353.yaml index 529bf3fd9e4..9c05663cd68 100644 --- a/appsec-rules/crowdsecurity/vpatch-CVE-2025-10353.yaml +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2025-10353.yaml @@ -16,7 +16,7 @@ rules: - lowercase match: type: regex - value: '\.' + value: '\.php|\.phtml' labels: type: exploit service: http 
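Review bot: `\.php|\.phtml` narrows the FILENAMES check to two extensions, but the rule's own description calls this an unrestricted upload, and PHP handlers on common server configurations also execute `.phar`, `.php5`/`.php7`, `.pht` and `.phps`, so a filename with one of those passes this rule unchallenged. `value: '\.(php\d?|phtml|phar|pht|phps)'` covers those while staying unanchored, so double-extension names such as `x.php.jpg` keep matching as they do now. The zone is already lowercased, so case variants are handled; the set above is the usual PHP list rather than anything taken from the advisory, which is not on the page.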
@@ -27,4 +27,4 @@ labels: classification: - cve.CVE-2025-10353 - attack.T1190 - - cwe.CWE-434 \ No newline at end of file + - cwe.CWE-434 From a5ddd547e306f71d68d1fd50d1789711f94e1cd7 Mon Sep 17 00:00:00 2001 From: "Thibault \"bui\" Koechlin" Date: Thu, 12 Mar 2026 15:33:26 +0100 Subject: [PATCH 3/7] Update vpatch-CVE-2025-2611.yaml --- appsec-rules/crowdsecurity/vpatch-CVE-2025-2611.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2025-2611.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2025-2611.yaml index cd98f0c3265..7203dc7a03c 100644 --- a/appsec-rules/crowdsecurity/vpatch-CVE-2025-2611.yaml +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2025-2611.yaml @@ -11,9 +11,9 @@ rules: type: contains value: '/login.php' - zones: - - HEADERS + - COOKIES variables: - - Cookie + - broadcast transform: - lowercase - urldecode @@ -30,4 +30,4 @@ labels: classification: - cve.CVE-2025-2611 - attack.T1190 - - cwe.CWE-78 \ No newline at end of file + - cwe.CWE-78 From 80d2bca74997e1d327cc4f3fcfaac23bdbb060c6 Mon Sep 17 00:00:00 2001 From: "Thibault \"bui\" Koechlin" Date: Thu, 12 Mar 2026 15:37:14 +0100 Subject: [PATCH 4/7] Refactor vpatch-CVE-2025-2611.yaml rules Removed unnecessary transformations and updated regex values for better matching. --- appsec-rules/crowdsecurity/vpatch-CVE-2025-2611.yaml | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2025-2611.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2025-2611.yaml index 7203dc7a03c..74718960c01 100644 --- a/appsec-rules/crowdsecurity/vpatch-CVE-2025-2611.yaml +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2025-2611.yaml 
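Review bot: Together with PATCH 4/7 and 5/7, this hunk walks back the zone, variable, transform and regex changes that PATCH 1/7's message lists under "Improved rule" for vpatch-CVE-2025-2611; after the full series the rule differs from its pre-series form only in the `description` line and the trailing newline. The series description should drop the "switched from COOKIES to HEADERS zone, added urldecode transform, broadened regex" bullet, and the three follow-up commits are better squashed into the first so the history does not record a change that never landed. This commit's subject `Update vpatch-CVE-2025-2611.yaml` also gives no reason for abandoning `HEADERS`/`Cookie`; one line stating the motivation would help the next reader.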
@@ -6,27 +6,22 @@ rules: - URI transform: - lowercase - - urldecode match: type: contains - value: '/login.php' + value: /login.php - zones: - COOKIES variables: - broadcast transform: - lowercase - - urldecode match: type: regex - value: '`|\$\(' + value: "[`|$|;]" + labels: type: exploit service: http - confidence: 3 - spoofable: 0 - behavior: 'http:exploit' - label: 'ICTBroadcast - RCE' classification: - cve.CVE-2025-2611 - attack.T1190 From 52d7528a6916458ff60bb892a14fe33b86cffcaa Mon Sep 17 00:00:00 2001 From: "Thibault \"bui\" Koechlin" Date: Thu, 12 Mar 2026 15:37:44 +0100 Subject: [PATCH 5/7] Add additional metadata to CVE-2025-2611 patch --- appsec-rules/crowdsecurity/vpatch-CVE-2025-2611.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2025-2611.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2025-2611.yaml index 74718960c01..b8d18919f6e 100644 --- a/appsec-rules/crowdsecurity/vpatch-CVE-2025-2611.yaml +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2025-2611.yaml @@ -22,6 +22,10 @@ rules: labels: type: exploit service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'ICTBroadcast - RCE' classification: - cve.CVE-2025-2611 - attack.T1190 From 600ae29037053f41d6737693b1a7ce6956d4d288 Mon Sep 17 00:00:00 2001 From: "Thibault \"bui\" Koechlin" Date: Thu, 12 Mar 2026 16:03:30 +0100 Subject: [PATCH 6/7] Update cookie name in CVE-2025-2611.yaml --- .appsec-tests/vpatch-CVE-2025-2611/CVE-2025-2611.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.appsec-tests/vpatch-CVE-2025-2611/CVE-2025-2611.yaml b/.appsec-tests/vpatch-CVE-2025-2611/CVE-2025-2611.yaml index 111df523ba5..d2be5d7b4c4 100644 --- a/.appsec-tests/vpatch-CVE-2025-2611/CVE-2025-2611.yaml +++ b/.appsec-tests/vpatch-CVE-2025-2611/CVE-2025-2611.yaml 
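Review bot: Removing `- urldecode` from the `broadcast` cookie transform means a percent-encoded metacharacter in the cookie value is compared raw against `[`|$|;]`; PHP, which `/login.php` suggests is the target runtime, URL-decodes cookie values before the application sees them, so unless the COOKIES zone already hands the rule the decoded value (I cannot tell from here), keeping `- urldecode` avoids a gap the commit message's "unnecessary transformations" does not address. The restored regex `[`|$|;]` is a character class, so both `|` are literal members and the second one is redundant; `"[`|$;]"` is the same set and no longer reads like an alternation. That class also omits `&`, which the sibling vpatch-CVE-2020-37123 rule in PATCH 1/7 includes in its otherwise equivalent set, so the two rules should probably agree.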
@@ -10,9 +10,9 @@ http: - | GET /login.php HTTP/1.1 Host: {{Hostname}} - Cookie: PHPSESSID=`echo${IFS}dGVzdA==|base64${IFS}-d|sh` + Cookie: BROADBAND=`echo${IFS}dGVzdA==|base64${IFS}-d|sh` cookie-reuse: true matchers: - type: status status: - - 403 \ No newline at end of file + - 403 From eec884534b8c521ed4f09d625c7852989fc50810 Mon Sep 17 00:00:00 2001 From: "Thibault \"bui\" Koechlin" Date: Thu, 12 Mar 2026 16:14:54 +0100 Subject: [PATCH 7/7] Update CVE-2025-2611.yaml --- .appsec-tests/vpatch-CVE-2025-2611/CVE-2025-2611.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.appsec-tests/vpatch-CVE-2025-2611/CVE-2025-2611.yaml b/.appsec-tests/vpatch-CVE-2025-2611/CVE-2025-2611.yaml index d2be5d7b4c4..82c8f61da10 100644 --- a/.appsec-tests/vpatch-CVE-2025-2611/CVE-2025-2611.yaml +++ b/.appsec-tests/vpatch-CVE-2025-2611/CVE-2025-2611.yaml @@ -10,7 +10,7 @@ http: - | GET /login.php HTTP/1.1 Host: {{Hostname}} - Cookie: BROADBAND=`echo${IFS}dGVzdA==|base64${IFS}-d|sh` + Cookie: BROADCAST=`echo${IFS}dGVzdA==|base64${IFS}-d|sh` cookie-reuse: true matchers: - type: status