From 288c803a741295695e6d15fe91d77cc5166a6fff Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 17 Sep 2025 17:52:32 +0200 Subject: [PATCH 1/4] Add vpatch-CVE-2025-48703 rule --- .../crowdsecurity/vpatch-CVE-2025-48703.yaml | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2025-48703.yaml diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2025-48703.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2025-48703.yaml new file mode 100644 index 00000000000..634296595a6 --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2025-48703.yaml @@ -0,0 +1,35 @@ +## autogenerated on 2025-09-17 15:52:29 +name: crowdsecurity/vpatch-CVE-2022-44877 +description: 'Detects exploitation attempts against CWP (CentOS Web Panel) filemanager changePerm RCE via t_total parameter.' +rules: + - and: + - zones: + - URI + transform: + - lowercase + - urldecode + match: + type: contains + value: /filemanager&acc=changeperm + - zones: + - ARGS + variables: + - t_total + transform: + - lowercase + - urldecode + match: + type: contains + value: '`' + +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'CWP - RCE' + classification: + - cve.CVE-2022-44877 + - attack.T1190 + - cwe.CWE-78 From ef3aa17c0c5c458ef9de5dc3fc30ef76732e52cc Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 17 Sep 2025 17:52:34 +0200 Subject: [PATCH 2/4] Add vpatch-CVE-2025-48703 test config --- .appsec-tests/vpatch-CVE-2025-48703/config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2025-48703/config.yaml diff --git a/.appsec-tests/vpatch-CVE-2025-48703/config.yaml b/.appsec-tests/vpatch-CVE-2025-48703/config.yaml new file mode 100644 index 00000000000..676131bc21c --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2025-48703/config.yaml @@ -0,0 +1,5 @@ +## autogenerated on 2025-09-17 15:52:29 +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2022-44877.yaml +nuclei_template: CVE-2022-44877.yaml From 156335aec0cac212a32d6a6713bf8e336ad79ecc Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 17 Sep 2025 17:52:36 +0200 Subject: [PATCH 3/4] Add CVE-2025-48703.yaml test --- .../vpatch-CVE-2025-48703/CVE-2025-48703.yaml | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2025-48703/CVE-2025-48703.yaml diff --git a/.appsec-tests/vpatch-CVE-2025-48703/CVE-2025-48703.yaml b/.appsec-tests/vpatch-CVE-2025-48703/CVE-2025-48703.yaml new file mode 100644 index 00000000000..e4b752f75d5 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2025-48703/CVE-2025-48703.yaml @@ -0,0 +1,20 @@ +## autogenerated on 2025-09-17 15:52:29 +id: CVE-2022-44877 +info: + name: CVE-2022-44877 + author: crowdsec + severity: info + description: CVE-2022-44877 testing + tags: appsec-testing +http: + - method: POST + path: + - "{{BaseURL}}/myuser/index.php?module=filemanager&acc=changePerm" + headers: + Content-Type: application/x-www-form-urlencoded + body: "fileName=.bashrc¤tPath=/home/myuser&t_total=`id`" + cookie-reuse: true + matchers: + - type: status + status: + - 403 From 59fe0952892e29692b721d2209359b20b3e7410a Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 17 Sep 2025 17:52:38 +0200 Subject: [PATCH 4/4] Add vpatch-CVE-2025-48703 rule to vpatch collection --- collections/crowdsecurity/appsec-virtual-patching.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index be69426f031..7a47919882a 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -90,6 +90,7 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2024-27292 - crowdsecurity/vpatch-CVE-2025-24893 - crowdsecurity/vpatch-CVE-2021-43798 +- crowdsecurity/vpatch-CVE-2025-48703 author: crowdsecurity contexts: - crowdsecurity/appsec_base