Potential CVE-2023-25717 Exploitation Attempt
Detects a potential exploitation attempt of CVE-2023-25717 a Remote Code Execution via an unauthenticated HTTP GET Request, in Ruckus Wireless Admin
Sigma rule (View on GitHub)
1title: Potential CVE-2023-25717 Exploitation Attempt
2id: 043c1609-0e32-4462-a6f2-5a0c2da3fafe
3status: test
4description: Detects a potential exploitation attempt of CVE-2023-25717 a Remote Code Execution via an unauthenticated HTTP GET Request, in Ruckus Wireless Admin
5references:
6 - https://cybir.com/2023/cve/proof-of-concept-ruckus-wireless-admin-10-4-unauthenticated-remote-code-execution-csrf-ssrf/
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2023/05/30
9tags:
10 - attack.initial_access
11 - attack.t1190
12 - cve.2023.25717
13 - detection.emerging_threats
14logsource:
15 category: webserver
16detection:
17 selection:
18 cs-method: 'GET'
19 cs-uri-query|contains|all:
20 - '/forms/doLogin'
21 - 'login_username'
22 - 'password'
23 cs-uri-query|contains:
24 - '$('
25 - '%24%28' # URL Encode version of "$("
26 condition: selection
27falsepositives:
28 - Vulnerability scanners
29 - Some rare false positives may occur if the password contains the characters "$(". Apply addition indicators such as executed commands to remove FP
30level: high
References
Related rules
- Potential MOVEit Transfer CVE-2023-34362 Exploitation
- OWASSRF Exploitation Attempt Using Public POC - Webserver
- Potential OWASSRF Exploitation Attempt - Webserver
- Potential CVE-2021-27905 Exploitation Attempt
- Potential CVE-2022-21587 Exploitation Attempt