Exploitation of CVE-2021-26814 in Wazuh
Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814
Sigma rule

```yaml
title: Exploitation of CVE-2021-26814 in Wazuh
id: b9888738-29ed-4c54-96a4-f38c57b84bb3
status: test
description: Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814
references:
    - https://github.com/WickdDavid/CVE-2021-26814/blob/6a17355a10ec4db771d0f112cbe031e418d829d5/PoC.py
author: Florian Roth (Nextron Systems)
date: 2021-05-22
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2021-21978
    - cve.2021-26814
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains: '/manager/files?path=etc/lists/../../../../..'
    condition: selection
falsepositives:
    - Unknown
level: high
```
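The selection string spans both the URL path and the query, so the log field mapped to `cs-uri-query` has to carry the full request target for the rule to fire. The following is an added example, not part of the Sigma project or the original page: it applies the same case-insensitive `contains` match to web access logs and groups hits by client with the response status for triage. It assumes Combined Log Format input; the sample lines, addresses and the `PLACEHOLDER` path segment are constructed.

```python
import re
from collections import defaultdict

# Value of the rule's cs-uri-query|contains selection, copied from the rule.
PATTERN = "/manager/files?path=etc/lists/../../../../.."

# Assumption: Combined Log Format; the request target holds path + query string.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def matches_rule(target: str) -> bool:
    """Sigma 'contains' is a case-insensitive substring match."""
    return PATTERN.lower() in target.lower()

def scan(lines):
    """Return {client: [(time, method, status, target), ...]} for matching lines."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and matches_rule(m["target"]):
            hits[m["client"]].append(
                (m["time"], m["method"], int(m["status"]), m["target"])
            )
    return dict(hits)

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [22/May/2021:10:01:02 +0000] "GET /manager/files?path=etc/lists/audit-keys HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '198.51.100.7 - - [22/May/2021:10:03:41 +0000] "GET /manager/files?path=etc/lists/../../../../../PLACEHOLDER HTTP/1.1" 200 98 "-" "example-client/1.0"',
    '198.51.100.7 - - [22/May/2021:10:03:45 +0000] "GET /Manager/Files?path=etc/lists/../../../../../PLACEHOLDER HTTP/1.1" 401 77 "-" "example-client/1.0"',
    '203.0.113.5 - - [22/May/2021:10:09:00 +0000] "GET /manager/status HTTP/1.1" 200 230 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, events in scan(SAMPLE).items():
        for when, method, status, target in events:
            print(f"{client} {when} {method} {status} {target}")
```

The status code recorded with each hit separates requests the server accepted from ones it rejected, which is the first thing to check when the rule alerts.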
Related rules
- CVE-2021-21978 Exploitation Attempt
- CVE-2020-0688 Exchange Exploitation via Web Log
- CVE-2020-5902 F5 BIG-IP Exploitation Attempt
- CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
- Cisco ASA FTD Exploit CVE-2020-3452