Release notes for update package 1862-5242

This update package improves the detection capabilities of the Forcepoint LLM system.

RELEASE DATE:     Thursday April 03, 2025
MD5 CHECKSUM:     f0deb5975fda9c6c6ee6fa4264e796b9
SHA1 CHECKSUM:     42789100e45e896749e4d065866f6581eb29108c
SHA256 CHECKSUM:     9d019a25fdacd22c14b161b238c67987f1b3c1a659509e425f410ea970454a53


UPDATE CRITICALITY:    HIGH

List of detected attacks in this update package:

Risk level     Description     Reference     Vulnerability
High     An attempt to exploit a vulnerability in Django Software Foundation Django detected     CVE-2025-26699     Django-Wordwrap-Filter-Denial-Of-Service-CVE-2025-26699
High     An attempt to exploit a vulnerability in Microsoft Windows detected     CVE-2025-24054     Microsoft-Windows-NTLM-Relay-CVE-2025-24054
High     An attempt to exploit a vulnerability in LibreNMS LibreNMS detected     CVE-2025-23199     LibreNMS-Device-Port-Settings-Description-Stored-XSS-CVE-2025-23199
High     An attempt to exploit a vulnerability in CMS Made Simple detected     CVE-2023-36969     CmsMadeSimple-Authenticated-File-Manager-RCE-CVE-2023-36969
Low     A transfer of a Shell Library Description (*.library-ms) file detected     CVE-2025-24054     Microsoft-Windows-NTLM-Relay-CVE-2025-24054
Low     A transfer of a Search Connector Description (*.searchConnector-ms) file detected     CVE-2025-24054     Microsoft-Windows-NTLM-Relay-CVE-2025-24054


DETECTED ATTACKS

New detected attacks:

HTTP Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     CmsMadeSimple-Authenticated-File-Manager-RCE-CVE-2023-36969     CVE-2023-36969     HTTP_CS-CmsMadeSimple-Authenticated-File-Manager-RCE-CVE-2023-36969     Suspected Compromise

File Name

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
Low     Microsoft-Windows-NTLM-Relay-CVE-2025-24054     CVE-2025-24054     File-Name_Search-Connector-Description-File-Transfer     Other Suspicious Traffic
Low     Microsoft-Windows-NTLM-Relay-CVE-2025-24054     CVE-2025-24054     File-Name_Shell-Library-Description-File-Transfer     Other Suspicious Traffic

HTTP Normalized Request-Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     LibreNMS-Device-Port-Settings-Description-Stored-XSS-CVE-2025-23199     CVE-2025-23199     HTTP_CRL-LibreNMS-Device-Port-Settings-Description-Stored-XSS-CVE-2025-23199     Suspected Compromise
High     Django-Wordwrap-Filter-Denial-Of-Service-CVE-2025-26699     CVE-2025-26699     HTTP_CRL-Django-Wordwrap-Filter-Denial-Of-Service-CVE-2025-26699     Suspected Compromise

Identified Text File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Microsoft-Windows-NTLM-Relay-CVE-2025-24054     CVE-2025-24054     File-TextId_Microsoft-Windows-NTLM-Relay-CVE-2025-24054     Suspected Compromise

Updated detected attacks:

HTTP Normalized Request-Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
Critical     HTTP-Phpbb-Viewtopic-Urldecode-System-Compromise     No CVE/CAN     HTTP_CRL-Phpbb-Viewtopic-Urldecode-System-Compromise     Compromise     Fingerprint regexp changed
High     GeoServer-Unauthenticated-Remote-Code-Execution-CVE-2024-36401     CVE-2024-36401     HTTP_CRL-GeoServer-Unauthenticated-Remote-Code-Execution-CVE-2024-36401     Suspected Compromise     Fingerprint regexp changed
High     SharePoint-Workflows-XOML-Injection-CVE-2020-0646     CVE-2020-0646     HTTP_CRL-SharePoint-Workflows-XOML-Injection-CVE-2020-0646     Suspected Compromise     Name: HTTP_CRL-SharePoint-Workflows-XOML-Injection -> HTTP_CRL-SharePoint-Workflows-XOML-Injection-CVE-2020-0646; Fingerprint regexp changed
High     PRTG-Network-Monitor-Authenticated-RCE-CVE-2018-9276     CVE-2018-9276     HTTP_CRL-PRTG-Network-Monitor-Authenticated-RCE-CVE-2018-9276     Suspected Compromise     Name: HTTP_CRL-PRTG-Network-Monitor-Authenticated-RCE -> HTTP_CRL-PRTG-Network-Monitor-Authenticated-RCE-CVE-2018-9276; Fingerprint regexp changed

Identified Text File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     Microsoft-.NET-Framework-XPS-File-Parsing-Remote-Code-Execution     CVE-2020-0605     File-TextId_Microsoft-.NET-Framework-XPS-File-Parsing-Remote-Code-Execution     Suspected Compromise     Fingerprint regexp changed

Zip File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     Microsoft-Visual-Studio-Python-Interpreter-RCE     CVE-2021-27068     File-Zip_Microsoft-Visual-Studio-Python-Interpreter-RCE     Potential Compromise     Detection mechanism updated

LIST OF OTHER CHANGES:

Updated objects:

Type     Name     Changes
IPList     Botnet IP Address List
IPList     Malicious Site IP Address List
IPList     NordVPN Servers IP Address List
IPList     Forcepoint Drop IP Address List
Situation     HTTP_CSU-Shared-Variables
Situation     File-Name_Shared-Variables
Application     NordVPN

DISCLAIMER AND COPYRIGHT

Copyright © 2025 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.