Fortinet CVE-2021-22123 Exploitation
Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs
Sigma rule (View on GitHub)
1title: Fortinet CVE-2021-22123 Exploitation
2id: f425637f-891c-4191-a6c4-3bb1b70513b4
3status: test
4description: Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs
5references:
6 - https://www.rapid7.com/blog/post/2021/08/17/fortinet-fortiweb-os-command-injection
7author: Bhabesh Raj, Florian Roth
8date: 2021/08/19
9modified: 2023/01/02
10tags:
11 - attack.initial_access
12 - attack.t1190
13 - cve.2021.22123
14 - detection.emerging_threats
15logsource:
16 category: webserver
17detection:
18 selection:
19 cs-uri-query|contains: '/api/v2.0/user/remoteserver.saml'
20 cs-method: POST
21 filter1:
22 cs-referer|contains: '/root/user/remote-user/saml-user/'
23 filter2:
24 cs-referer: null
25 condition: selection and not filter1 and not filter2
26falsepositives:
27 - Unknown
28fields:
29 - c-ip
30 - url
31 - response
32level: critical
References
-
An OS command injection vulnerability in FortiWeb's management interface can allow a remote attacker to execute arbitrary commands on the system.
Read More
Related rules
- CVE-2010-5278 Exploitation Attempt
- CVE-2020-0688 Exchange Exploitation via Web Log
- CVE-2020-0688 Exploitation Attempt
- CVE-2020-10148 SolarWinds Orion API Auth Bypass
- CVE-2020-5902 F5 BIG-IP Exploitation Attempt