Release notes for update package 1838-5242

This update package improves the detection capabilities of the Forcepoint LLM system.

RELEASE DATE:       Thursday February 20, 2025
MD5 CHECKSUM:       f0a6245309a5bfb20a94bd69d14983d0
SHA1 CHECKSUM:      f384cfe66aa47ab0a9b9a764645e69a240352cc6
SHA256 CHECKSUM:    4f93cd6c6d7b86f5076d62367ed1d946b02c63d8be2189d02c907dccd5cbdac3

UPDATE CRITICALITY: HIGH

List of detected attacks in this update package:

Risk level    Description                                                                     Reference         Vulnerability
High          An attempt to exploit a vulnerability in JetBrains TeamCity detected            CVE-2025-24459    JetBrains-TeamCity-Vault-Connection-Stored-Cross-Site-Scripting
High          An attempt to exploit a vulnerability in PAN-OS detected                        CVE-2025-0108     Palo-Alto-PAN-OS-Authentication-Bypass-CVE-2025-0108
High          An attempt to exploit a vulnerability in SonicWall SSLVPN detected              CVE-2024-53704    SonicWall-SSLVPN-Session-Hijacking-CVE-2024-53704
High          An attempt to exploit a vulnerability in WordPress Project Tutor LMS Plugin detected    CVE-2024-10400    Wordpress-Tutor-Lms-Plugin-Get_instructors-SQL-Injection
High          An attempt to exploit a vulnerability in Django detected                        CVE-2021-35042    Django-QuerySet-Order_By-SQL-Injection
High          An attempt to exploit a vulnerability in Rocket Chat detected                   CVE-2021-22911    Rocket-Chat-Pre-Auth-Blind-NoSQL-Injection
High          FinalDraft command-and-control traffic detected                                 No CVE/CAN        FinalDraft-C2-Activity


DETECTED ATTACKS

New detected attacks:

TCP Server Stream Unknown

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High    FinalDraft-C2-Activity     No CVE/CAN    Generic_SS-FinalDraft-C2-Activity    Suspected Botnet

HTTP Request URI

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High    Palo-Alto-PAN-OS-Authentication-Bypass-CVE-2025-0108    CVE-2025-0108    HTTP_CSU-Palo-Alto-PAN-OS-Authentication-Bypass-CVE-2025-0108    Suspected Compromise
High    FinalDraft-C2-Activity    No CVE/CAN    HTTP_CSU-FinalDraft-C2-Activity    Suspected Botnet

HTTP Normalized Request-Line

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High    Wordpress-Tutor-Lms-Plugin-Get_instructors-SQL-Injection    CVE-2024-10400    HTTP_CRL-Wordpress-Tutor-Lms-Plugin-Get_instructors-SQL-Injection    Suspected Compromise
High    SonicWall-SSLVPN-Session-Hijacking-CVE-2024-53704    CVE-2024-53704    HTTP_CRL-SonicWall-SSLVPN-Session-Hijacking-CVE-2024-53704    Suspected Compromise
High    JetBrains-TeamCity-Vault-Connection-Stored-Cross-Site-Scripting    CVE-2025-24459    HTTP_CRL-JetBrains-TeamCity-Vault-Connection-Stored-Cross-Site-Scripting    Suspected Compromise
High    Django-QuerySet-Order_By-SQL-Injection    CVE-2021-35042    HTTP_CRL-Django-QuerySet-Order_By-SQL-Injection    Potential Compromise
High    Rocket-Chat-Pre-Auth-Blind-NoSQL-Injection    CVE-2021-22911    HTTP_CRL-Rocket-Chat-Pre-Auth-Blind-NoSQL-Injection    Potential Compromise

Updated detected attacks:

HTTP Request URI

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High    Spring-Security-RegexRequestMatcher-Authorization-Bypass-CVE-2022-22978    CVE-2022-22978    HTTP_CSU-Spring-Security-RegexRequestMatcher-Authorization-Bypass-CVE-2022-22978    Potential Compromise    Fingerprint regexp changed

HTTP Request Header Line

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High    SonicWall-SSLVPN-Session-Hijacking-CVE-2024-53704    CVE-2024-53704    HTTP_CSH-SonicWall-SSLVPN-Session-Hijacking-CVE-2024-53704    Suspected Compromise    Fingerprint regexp changed

HTTP Reply Header Line

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
Low     Long-Domain-Name-Redirect    No CVE/CAN    HTTP_SHS-Possibly-Malicious-Long-Domain-Name-Redirect    Other Suspicious Traffic    Name: HTTP_SHS-Long-Domain-Name-Redirect->HTTP_SHS-Possibly-Malicious-Long-Domain-Name-Redirect; Comment has changed; Fingerprint regexp changed

Text File Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High    Microsoft-Internet-Explorer-execCommand-File-Type-Spoofing    No CVE/CAN    File-Text_Microsoft-Internet-Explorer-execCommand-File-Type-Spoofing    Suspected Compromise    Fingerprint regexp changed

WebSocket Client Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High    Beyondtrust-Command-Injection-CVE-2024-12356    CVE-2024-12356    WebSocket_CS-Beyondtrust-Command-Injection-CVE-2024-12356    Suspected Compromise    Detection mechanism updated

LIST OF OTHER CHANGES:

New objects:

Type           Name
Category       Rocket Chat
Category       FinalDraft
IPList         Amazon ROUTE53_HEALTHCHECKS us-gov-east-1
IPList         Amazon ROUTE53_HEALTHCHECKS us-gov-west-1
Application    N-able Take Control

Updated objects:

Type           Name                          Changes
Situation      URL_List-DNS-Over-HTTPS       Detection mechanism updated
IPList Somalia
IPList Iraq
IPList Saudi Arabia
IPList Iran
IPList Cyprus
IPList Armenia
IPList DR Congo
IPList Djibouti
IPList Seychelles
IPList United Arab Emirates
IPList Israel
IPList Türkiye
IPList Ethiopia
IPList Eritrea
IPList Egypt
IPList Greece
IPList Burundi
IPList Estonia
IPList Latvia
IPList Azerbaijan
IPList Lithuania
IPList Svalbard and Jan Mayen
IPList Georgia
IPList Moldova
IPList Belarus
IPList Finland
IPList Ukraine
IPList North Macedonia
IPList Hungary
IPList Bulgaria
IPList Albania
IPList Poland
IPList Romania
IPList Zimbabwe
IPList Comoros
IPList Botswana
IPList Mauritius
IPList Eswatini
IPList South Africa
IPList Mayotte
IPList Afghanistan
IPList Pakistan
IPList Bangladesh
IPList Turkmenistan
IPList Sri Lanka
IPList Bhutan
IPList India
IPList Maldives
IPList Myanmar
IPList Uzbekistan
IPList Kazakhstan
IPList Kyrgyzstan
IPList Cocos (Keeling) Islands
IPList Palau
IPList Vietnam
IPList Thailand
IPList Indonesia
IPList Taiwan
IPList Philippines
IPList Malaysia
IPList China
IPList Hong Kong
IPList Brunei
IPList Macao
IPList Cambodia
IPList South Korea
IPList Japan
IPList North Korea
IPList Singapore
IPList Timor-Leste
IPList Russia
IPList Mongolia
IPList Australia
IPList Christmas Island
IPList Vanuatu
IPList Fiji
IPList Cameroon
IPList Portugal
IPList Ghana
IPList Equatorial Guinea
IPList Nigeria
IPList Togo
IPList Benin
IPList Gabon
IPList Gibraltar
IPList Gambia
IPList Spain
IPList Morocco
IPList Algeria
IPList Denmark
IPList Iceland
IPList United Kingdom
IPList Switzerland
IPList Sweden
IPList The Netherlands
IPList Austria
IPList Belgium
IPList Germany
IPList Luxembourg
IPList Ireland
IPList Monaco
IPList France
IPList Slovakia
IPList Czechia
IPList Norway
IPList Italy
IPList Slovenia
IPList Montenegro
IPList Croatia
IPList Angola
IPList Namibia
IPList Bouvet Island
IPList Barbados
IPList Cabo Verde
IPList Paraguay
IPList Uruguay
IPList Brazil
IPList Dominican Republic
IPList Cuba
IPList Bermuda
IPList Anguilla
IPList Trinidad and Tobago
IPList St Kitts and Nevis
IPList Antigua and Barbuda
IPList St Vincent and Grenadines
IPList Saint Martin
IPList Saint Barthélemy
IPList Guadeloupe
IPList Cayman Islands
IPList Belize
IPList El Salvador
IPList Honduras
IPList Nicaragua
IPList Costa Rica
IPList Venezuela
IPList Ecuador
IPList Colombia
IPList Panama
IPList Haiti
IPList Argentina
IPList Chile
IPList Bolivia
IPList Peru
IPList Mexico
IPList French Polynesia
IPList Wallis and Futuna
IPList Northern Mariana Islands
IPList Guam
IPList Puerto Rico
IPList U.S. Virgin Islands
IPList Canada
IPList United States
IPList Palestine
IPList Serbia
IPList Antarctica
IPList Bonaire, Sint Eustatius, and Saba
IPList TOR exit nodes IP Address List
IPList Amazon AMAZON
IPList Amazon ROUTE53_HEALTHCHECKS
IPList Amazon EC2
IPList Akamai Servers
IPList TOR relay nodes IP Address List
IPList Malicious Site IP Address List
IPList NordVPN Servers IP Address List
IPList Google Cloud IP Address List for europe-west12
IPList Amazon AMAZON eu-central-1
IPList Amazon EC2 eu-central-1
IPList Forcepoint Drop IP Address List
IPList Google Cloud IP Address List for europe-west1
IPList Google Cloud IP Address List for us-west3
Situation HTTP_CSU-Shared-Variables
Situation Generic_CS-Shared-Variable-Fingerprints
Fingerprint regexp changed
Application Akamai-Infrastructure
Application TOR
Application Manoto
Application DNS-Over-HTTPS
Application NordVPN

DISCLAIMER AND COPYRIGHT

Copyright © 2025 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.