Exploitation of CVE-2021-26814 in Wazuh

Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814.

Sigma rule

title: Exploitation of CVE-2021-26814 in Wazuh
id: b9888738-29ed-4c54-96a4-f38c57b84bb3
status: test
description: Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814
references:
    - https://github.com/WickdDavid/CVE-2021-26814/blob/6a17355a10ec4db771d0f112cbe031e418d829d5/PoC.py
author: Florian Roth (Nextron Systems)
date: 2021-05-22
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2021-21978
    - cve.2021-26814
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains: '/manager/files?path=etc/lists/../../../../..'
    condition: selection
fields:
    - c-ip
    - c-dns
falsepositives:
    - Unknown
level: high
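
Added example (not part of the original rule or of the Sigma project's code): the Python below applies the rule's `contains` selection to access-log lines and returns the client IP and request target for each hit, which is a quick way to check the rule against your own web server logs before deploying it. The combined log format, the sample lines and the single percent-decoding pass are assumptions made for illustration; log sources differ in whether they record the target decoded or as received.

```python
import re
from urllib.parse import unquote

# Literal copied from the rule's selection (cs-uri-query|contains).
PATTERN = "/manager/files?path=etc/lists/../../../../.."

# Assumed log layout (combined log format): client IP, identity, user,
# [timestamp], then "METHOD target PROTOCOL".
LOG_RE = re.compile(
    r'^(?P<c_ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)


def matches_rule(target: str) -> bool:
    """Case-insensitive substring match, as Sigma's 'contains' does.

    The target is percent-decoded once first. That normalisation is an
    addition of this example, not something the rule itself performs.
    """
    return PATTERN.lower() in unquote(target).lower()


def scan(lines):
    """Return (c-ip, request target) for every line the selection matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and matches_rule(m.group("target")):
            hits.append((m.group("c_ip"), m.group("target")))
    return hits


# Constructed sample lines (documentation IP ranges, placeholder file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/May/2021:10:00:01 +0000] "GET /manager/files?path=etc/lists/audit-keys HTTP/1.1" 200 512',
    '198.51.100.7 - - [22/May/2021:10:00:05 +0000] "GET /manager/files?path=etc/lists/../../../../../tmp/placeholder HTTP/1.1" 200 87',
    '198.51.100.7 - - [22/May/2021:10:00:09 +0000] "GET /manager/files?path=etc/lists/..%2F..%2F..%2F..%2F..%2Ftmp/placeholder HTTP/1.1" 200 87',
    '203.0.113.4 - - [22/May/2021:10:00:12 +0000] "GET /security/user/authenticate HTTP/1.1" 200 301',
]

if __name__ == "__main__":
    for c_ip, target in scan(SAMPLE_LOG):
        print(f"{c_ip}\t{target}")
```

The first sample line is a legitimate-looking request under `etc/lists/` and does not match, because the selection requires the run of `../` segments that follows it.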
