Sitecore Pre-Auth RCE CVE-2021-42237

 1title: Sitecore Pre-Auth RCE CVE-2021-42237
 2id: 20c6ed1c-f7f0-4ea3-aa65-4f198e6acb0f
 3status: test
 4description: Detects exploitation attempts of Sitecore Experience Platform Pre-Auth RCE CVE-2021-42237 found in Report.ashx
 5references:
 6    - https://blog.assetnote.io/2021/11/02/sitecore-rce/
 7    - https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776
 8author: Florian Roth (Nextron Systems)
 9date: 2021/11/17
10modified: 2023/01/02
11tags:
12    - attack.initial_access
13    - attack.t1190
14    - cve.2021.42237
15    - detection.emerging_threats
16logsource:
17    category: webserver
18detection:
19    selection:
20        cs-method: 'POST'
21        cs-uri-query|contains: '/sitecore/shell/ClientBin/Reporting/Report.ashx'
22        sc-status: 200
23    condition: selection
24falsepositives:
25    - Vulnerability Scanning
26level: high

References

• Sitecore Experience Platform Pre-Auth RCE - CVE-2021-42237

  

  The advisory for this issue can be found here. Intro One of our missions at Assetnote is to secure the attack surfaces of enterprises around the world. In order to achieve that goal, our security r...

  
  Read More

• %kb_name - %short_descr - Knowledge Portal

  Loading... Skip to page content Skip to page content

  
  Read More

Related rules

• CVE-2010-5278 Exploitation Attempt
• CVE-2020-0688 Exchange Exploitation via Web Log
• CVE-2020-0688 Exploitation Attempt
• CVE-2020-10148 SolarWinds Orion API Auth Bypass
• CVE-2020-5902 F5 BIG-IP Exploitation Attempt