Hub Appsec rule

More info

vpatch-CVE-2025-47812 AppSec Rule

« vpatch-CVE-2025-47812 »
v0.1 by crowdsecurity
AppSec rule

Detects Wing FTP Server <= 7.4.3 RCE via Lua code injection in username parameter during login.

Installation

cscli appsec-rules install crowdsecurity/vpatch-CVE-2025-47812

YAML Configuration

1## autogenerated on 2025-08-06 13:53:06
2name: crowdsecurity/vpatch-CVE-2025-47812
3description: 'Detects Wing FTP Server <= 7.4.3 RCE via Lua code injection in username parameter during login.'
4rules:
5  - and:
6      - zones:
7          - URI
8        transform:
9          - lowercase
10        match:
11          type: contains
12          value: /loginok.html
13      - zones:
14          - BODY_ARGS
15        variables:
16          - username
17        transform:
18          - lowercase
19          - urldecode
20        match:
21          type: contains
22          value: ']]'
23      - zones:
24          - BODY_ARGS
25        variables:
26          - username
27        transform:
28          - lowercase
29          - urldecode
30        match:
31          type: contains
32          value: 'io.popen('
33
34labels:
35  type: exploit
36  service: http
37  confidence: 3
38  spoofable: 0
39  behavior: 'http:exploit'
40  label: 'Wing FTP Server - RCE'
41  classification:
42    - cve.CVE-2025-47812
43    - attack.T1190
44    - cwe.CWE-94
45

Hub Appsec rule

« vpatch-CVE-2025-47812 »v0.1 by crowdsecurityAppSec rule

« vpatch-CVE-2025-47812 »
v0.1 by crowdsecurity
AppSec rule