ET EXPLOIT Sophos Web Appliance Pre-Auth Command Injection Attempt (CVE-2023-1671)
Sourceet/open
Fileemerging-exploit.rules
CreatedDecember 11, 2023
UpdatedMarch 27, 2024
Classificationattempted-admin
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Sophos Web Appliance Pre-Auth Command Injection Attempt (CVE-2023-1671)"; flow:established,to_server ; http.method; content:"POST"; http.uri; bsize:36; content:"|2f|index|2e|php|3f|c|3d|blocked|26|action|3d|continue"; http.request_body; content:"args_reason=filetypewarn&url="; startswith; fast_pattern; content:"&filetype="; content:"&user_encoded="; reference:url,sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce ; classtype:attempted-admin; sid:2049632; rev:2; metadata:attack_target Client_Endpoint, created_at 2023_12_11, cve CVE_2023_1671, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag cve_2023_1671, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_27, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
Metadata
Comments (0)
Please sign in to leave a comment.
Sign inNo comments yet. Be the first to comment!