Potential Nimbuspwn Exploit CVE-2022-29799 and CVE-2022-27800

Detects potential exploitation attempts of Nimbuspwn vulnerabilities CVE-2022-29799 and CVE-2022-27800 in Linux systems.

Sigma rule

title: Potential Nimbuspwn Exploit CVE-2022-29799 and CVE-2022-27800
id: 7ba05b43-adad-4c02-b5e9-c8c35cdf9fa8
status: test
description: |
        Detects potential exploitation attempts of Nimbuspwn vulnerabilities CVE-2022-29799 and CVE-2022-27800 in Linux systems.
references:
    - https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/
    - https://github.com/Immersive-Labs-Sec/nimbuspwn
author: Bhabesh Raj
date: 2022-05-04
modified: 2025-11-03
tags:
    - attack.privilege-escalation
    - attack.t1068
    - detection.emerging-threats
    - cve.2022-29799
    - cve.2022-27800
logsource:
    product: linux
detection:
    keywords:
        '|all':
            - 'networkd-dispatcher'
            - 'Error handling notification for interface'
            - '../../'
    condition: keywords
falsepositives:
    - Unknown
level: high
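
The rule's '|all' keyword list only fires when all three strings occur in the same log event. The following added example (not part of the Sigma project or any Sigma backend) evaluates that logic as case-insensitive substring checks over syslog-style lines, which is useful for testing the rule against your own logs before deployment. The sample lines, host name and function names are constructed for illustration.

```python
# Added example: evaluates the rule's keyword logic over log lines.
# Keywords are copied from the rule's detection section above.
RULE_KEYWORDS = (
    "networkd-dispatcher",
    "Error handling notification for interface",
    "../../",
)


def missing_keywords(line, keywords=RULE_KEYWORDS):
    """Return the keywords absent from the line (case-insensitive)."""
    haystack = line.casefold()
    return [k for k in keywords if k.casefold() not in haystack]


def matches_rule(line, keywords=RULE_KEYWORDS):
    """'|all' semantics: every keyword must occur in the same log line."""
    return not missing_keywords(line, keywords)


def scan(lines):
    """Return (line_number, line) for each line the rule would flag."""
    return [(n, l) for n, l in enumerate(lines, start=1) if matches_rule(l)]


# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = [
    # All three keywords in one event: flagged.
    "May  4 10:15:01 host1 networkd-dispatcher[812]: Error handling "
    "notification for interface '../../constructed/path' entering state",
    # Ordinary dispatcher error, no traversal sequence: not flagged.
    "May  4 10:15:07 host1 networkd-dispatcher[812]: Error handling "
    "notification for interface 'eth0' entering state",
    # Traversal sequence from an unrelated daemon: not flagged.
    "May  4 10:16:22 host1 sshd[2291]: Failed password for invalid user "
    "../../etc from 192.0.2.10 port 50122 ssh2",
    # Different letter case still matches.
    "May  4 10:17:40 host1 NetworkD-Dispatcher[812]: ERROR HANDLING "
    "NOTIFICATION FOR INTERFACE '../../constructed/path'",
]

if __name__ == "__main__":
    for number, line in scan(SAMPLE_LOG):
        print(f"ALERT line {number}: {line}")
    # Near-miss triage: show which keyword kept a line from matching.
    print("line 2 is missing:", missing_keywords(SAMPLE_LOG[1]))
```

Because matching is per log event, a pipeline that splits the dispatcher error and the traversal string into separate events will not trigger the rule; missing_keywords helps spot such near-misses during tuning.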
