Release notes for update package 1866-5242

This update package improves the detection capabilities of the Forcepoint LLM system.

RELEASE DATE:     Monday April 14, 2025
MD5 CHECKSUM:     c10fe7fa03219186fcc34746569db858
SHA1 CHECKSUM:     33115662f746656601f03a4a03e71beaf55ac571
SHA256 CHECKSUM:     4c666874c3ae7c266d9297cecf28ddade81b6f7de0dc0cd39873e9e4a8a58fe7

UPDATE CRITICALITY:    HIGH

List of detected attacks in this update package:

Risk level     Description     Reference     Vulnerability
High     An attempt to exploit a vulnerability in SAML-Toolkits ruby-saml detected     CVE-2025-25291     Ruby-Saml-XMLSecurity-DOCTYPE-Authentication-Bypass-CVE-2025-25291
High     An attempt to exploit a vulnerability in Progress Software Kemp LoadMaster detected     CVE-2025-1758     Progress-Kemp-Loadmaster-Mangle-Stack-Based-Buffer-Overflow-CVE-2025-1758
High     An attempt to exploit a vulnerability in Pandora FMS detected     CVE-2024-12971     Pandora-FMS-chromium_path-Or-phantomjs_bin-RCE-CVE-2024-12971
High     An attempt to exploit a vulnerability in Microsoft Windows detected     CVE-2019-0697     Microsoft-Windows-DHCP-Client-Dhcpextractfulloptions-Code-Execution
High     An attempt to exploit a vulnerability in ManageEngine Recovery Manager Plus detected     CVE-2018-9163     Manageengine-Recovery-Manager-Plus-XSS-CVE-2018-9163
High     An attempt to exploit a vulnerability in Oracle Hospitality detected     CVE-2018-2636     Oracle-Hospitality-Simphony-Directory-Traversal-CVE-2018-2636
High     An attempt to exploit a vulnerability in Moodle detected     CVE-2018-1133     Moodle-Calculated-Question-Remote-Code-Execution-CVE-2018-1133
High     An attempt to exploit a vulnerability in SoapUI detected     CVE-2014-1202     SoapUI-WSDL-Remote-Code-Execution-CVE-2014-1202
Low     Rockwell Automation MicroLogix PLC default SNMP community string detected     CVE-2016-5645     Rockwell-Automation-Micrologix-PLC-Default-Credentials-CVE-2016-5645


DETECTED ATTACKS

New detected attacks:

BOOTP Server Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Microsoft-Windows-DHCP-Client-Dhcpextractfulloptions-Code-Execution     CVE-2019-0697     BOOTP_SS-Microsoft-Windows-DHCP-Client-Dhcpextractfulloptions-Code-Execution     Suspected Compromise

SNMP UDP Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
Low     Rockwell-Automation-Micrologix-PLC-Default-Credentials-CVE-2016-5645     CVE-2016-5645     SNMP-UDP_Rockwell-Automation-Micrologix-PLC-Default-Community-String-Usage     Possibly Unwanted Content

HTTP Normalized Request-Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Pandora-FMS-chromium_path-Or-phantomjs_bin-RCE-CVE-2024-12971     CVE-2024-12971     HTTP_CRL-Pandora-FMS-chromium_path-Or-phantomjs_bin-RCE-CVE-2024-12971     Suspected Compromise
High     Moodle-Calculated-Question-Remote-Code-Execution-CVE-2018-1133     CVE-2018-1133     HTTP_CRL-Moodle-Calculated-Question-Remote-Code-Execution-CVE-2018-1133     Suspected Compromise
High     Manageengine-Recovery-Manager-Plus-XSS-CVE-2018-9163     CVE-2018-9163     HTTP_CRL-Manageengine-Recovery-Manager-Plus-XSS-CVE-2018-9163     Suspected Compromise
High     Ruby-Saml-XMLSecurity-DOCTYPE-Authentication-Bypass-CVE-2025-25291     CVE-2025-25291     HTTP_CRL-Ruby-Saml-XMLSecurity-DOCTYPE-Authentication-Bypass-CVE-2025-25291     Suspected Compromise
High     Progress-Kemp-Loadmaster-Mangle-Stack-Based-Buffer-Overflow-CVE-2025-1758     CVE-2025-1758     HTTP_CRL-Progress-Kemp-Loadmaster-Mangle-Stack-Based-Buffer-Overflow-CVE-2025-1758     Suspected Compromise
High     Oracle-Hospitality-Simphony-Directory-Traversal-CVE-2018-2636     CVE-2018-2636     HTTP_CRL-Oracle-Hospitality-Simphony-Directory-Traversal-CVE-2018-2636     Suspected Compromise

Identified Text File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     SoapUI-WSDL-Remote-Code-Execution-CVE-2014-1202     CVE-2014-1202     File-TextId_SoapUI-WSDL-Remote-Code-Execution-CVE-2014-1202     Suspected Compromise

Updated detected attacks:

UDP Packet Unknown

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
Low     Plex-Media-Server-Reflection-DDoS-CVE-2021-33959     CVE-2021-33959     Generic_UDP-Plex-Media-Server-Reflection-DDoS-CVE-2021-33959     Potential Denial of Service
    Fingerprint regexp changed

TCP MySQL Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     Oracle-Mysql-Server-Xpath-Denial-Of-Service     CVE-2014-0384     MySQL_CS-Oracle-Mysql-Server-Xpath-Denial-Of-Service     Suspected Compromise
    Fingerprint regexp changed

BOOTP Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     Microsoft-Windows-DHCP-Client-Dhcpextractfulloptions-Code-Execution     CVE-2019-0697     BOOTP_CS-Microsoft-Windows-DHCP-Client-Dhcpextractfulloptions-Code-Execution     Suspected Compromise
    Description has changed
High     Microsoft-Windows-DHCP-Server-UncodeOption-Heap-Buffer-Overflow-CVE-2019-0626     CVE-2019-0626     BOOTP_CS-Microsoft-Windows-DHCP-Server-UncodeOption-Heap-Buffer-Overflow-CVE-2019-0626     Suspected Compromise
    Name: BOOTP_CS-Microsoft-Windows-DHCP-Server-UncodeOption-Heap-Buffer-Overflow -> BOOTP_CS-Microsoft-Windows-DHCP-Server-UncodeOption-Heap-Buffer-Overflow-CVE-2019-0626
High     Microsoft-Windows-DHCP-Client-Out-Of-Bounds-Read-CVE-2025-21179     CVE-2025-21179     BOOTP_CS-Microsoft-Windows-DHCP-Client-Out-Of-Bounds-Read-CVE-2025-21179     Potential Compromise
    Detection mechanism updated

TCP Client Stream Unknown

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     PostgreSQL-Database-Password-Change-Stack-Buffer-Overflow     CVE-2019-10164     Generic_CS-PostgreSQL-Database-Password-Change-Stack-Buffer-Overflow     Suspected Compromise
    Fingerprint regexp changed

HTTP Request Header Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     ProSafe-Management-System-Arbitrary-File-Upload-Vulnerability     CVE-2016-1524     HTTP_CSH-ProSafe-Management-System-Arbitrary-File-Upload-Vulnerability     Suspected Compromise
    Description has changed

HTTP Normalized Request-Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     Drupal-Core-Remote-Code-Execution-CVE-2019-6340     CVE-2019-6340     HTTP_CRL-Drupal-Core-Web-Services-Remote-Code-Execution-CVE-2019-6340     Suspected Compromise
    Name: HTTP_CS-Drupal-Core-Web-Services-Remote-Code-Execution -> HTTP_CRL-Drupal-Core-Web-Services-Remote-Code-Execution-CVE-2019-6340
    Comment has changed
    Category tag group TCP Correlation Dependency Group removed
    Context has changed from HTTP Client Stream to HTTP Normalized Request-Line
High     Gitlist-Argument-Injection-Vulnerability-CVE-2018-1000533     CVE-2018-1000533     HTTP_CRL-Gitlist-Argument-Injection-Vulnerability-CVE-2018-1000533     Suspected Compromise
    Name: HTTP_CRL-Gitlist-Argument-Injection-Vulnerability -> HTTP_CRL-Gitlist-Argument-Injection-Vulnerability-CVE-2018-1000533
    Fingerprint regexp changed
High     NetGear-NMS300-Management-System-Arbitrary-File-Read-CVE-2016-1525     CVE-2016-1525     HTTP_CRL-NetGear-NMS300-Configimagecontroller-Addconfigfile-Arbitrary-File-Deletion     Suspected Compromise
    Description has changed
    Category tag group CVE2016 added
    Fingerprint regexp changed

LIST OF OTHER CHANGES:

New objects:

Type     Name
Category ManageEngine Recovery Manager Plus
Category SoapUI
Category Oracle Hospitality
Category Rockwell Automation MicroLogix PLC
Situation BOOTP_Shared-Variables

Updated objects:

Type     Name     Changes
Situation File_Blocked-Known-Bad-SHA1-2
    Detection mechanism updated
IPList Rwanda
IPList Yemen
IPList Iraq
IPList Saudi Arabia
IPList Iran
IPList Cyprus
IPList Tanzania
IPList Syria
IPList Armenia
IPList Kenya
IPList DR Congo
IPList Djibouti
IPList Uganda
IPList Seychelles
IPList Jordan
IPList Lebanon
IPList Kuwait
IPList Oman
IPList Qatar
IPList Bahrain
IPList United Arab Emirates
IPList Israel
IPList Türkiye
IPList Ethiopia
IPList Eritrea
IPList Egypt
IPList Sudan
IPList Greece
IPList Estonia
IPList Latvia
IPList Azerbaijan
IPList Lithuania
IPList Georgia
IPList Moldova
IPList Belarus
IPList Finland
IPList Åland Islands
IPList Ukraine
IPList North Macedonia
IPList Hungary
IPList Bulgaria
IPList Albania
IPList Poland
IPList Romania
IPList Zimbabwe
IPList Zambia
IPList Comoros
IPList Malawi
IPList Botswana
IPList Mauritius
IPList Eswatini
IPList Réunion
IPList South Africa
IPList Mayotte
IPList Mozambique
IPList Madagascar
IPList Afghanistan
IPList Pakistan
IPList Bangladesh
IPList Turkmenistan
IPList Tajikistan
IPList Sri Lanka
IPList Bhutan
IPList India
IPList Maldives
IPList British Indian Ocean Territory
IPList Nepal
IPList Myanmar
IPList Uzbekistan
IPList Kazakhstan
IPList Kyrgyzstan
IPList Heard and McDonald Islands
IPList Palau
IPList Vietnam
IPList Thailand
IPList Indonesia
IPList Laos
IPList Taiwan
IPList Philippines
IPList Malaysia
IPList China
IPList Hong Kong
IPList Brunei
IPList Macao
IPList Cambodia
IPList South Korea
IPList Japan
IPList North Korea
IPList Singapore
IPList Cook Islands
IPList Timor-Leste
IPList Russia
IPList Mongolia
IPList Australia
IPList Christmas Island
IPList Federated States of Micronesia
IPList Papua New Guinea
IPList Solomon Islands
IPList Tuvalu
IPList Nauru
IPList New Caledonia
IPList Norfolk Island
IPList New Zealand
IPList Fiji
IPList Libya
IPList Cameroon
IPList Senegal
IPList Congo Republic
IPList Portugal
IPList Liberia
IPList Ivory Coast
IPList Ghana
IPList Nigeria
IPList Burkina Faso
IPList Togo
IPList Mauritania
IPList Gabon
IPList Sierra Leone
IPList São Tomé and Príncipe
IPList Gibraltar
IPList Chad
IPList Tunisia
IPList Spain
IPList Morocco
IPList Malta
IPList Algeria
IPList Denmark
IPList Iceland
IPList United Kingdom
IPList Switzerland
IPList Sweden
IPList The Netherlands
IPList Austria
IPList Belgium
IPList Germany
IPList Luxembourg
IPList Ireland
IPList Monaco
IPList France
IPList Andorra
IPList Jersey
IPList Isle of Man
IPList Guernsey
IPList Slovakia
IPList Czechia
IPList Norway
IPList San Marino
IPList Italy
IPList Slovenia
IPList Montenegro
IPList Croatia
IPList Bosnia and Herzegovina
IPList Angola
IPList Namibia
IPList Barbados
IPList Cabo Verde
IPList Guyana
IPList French Guiana
IPList Suriname
IPList Saint Pierre and Miquelon
IPList Paraguay
IPList Uruguay
IPList Brazil
IPList Falkland Islands
IPList Jamaica
IPList Dominican Republic
IPList Cuba
IPList Martinique
IPList Bahamas
IPList Bermuda
IPList Anguilla
IPList Trinidad and Tobago
IPList St Kitts and Nevis
IPList Dominica
IPList Antigua and Barbuda
IPList Saint Lucia
IPList Turks and Caicos Islands
IPList Aruba
IPList British Virgin Islands
IPList St Vincent and Grenadines
IPList Montserrat
IPList Saint Martin
IPList Saint Barthélemy
IPList Guadeloupe
IPList Grenada
IPList Cayman Islands
IPList Belize
IPList El Salvador
IPList Guatemala
IPList Honduras
IPList Nicaragua
IPList Costa Rica
IPList Venezuela
IPList Ecuador
IPList Colombia
IPList Panama
IPList Haiti
IPList Argentina
IPList Chile
IPList Bolivia
IPList Peru
IPList Mexico
IPList French Polynesia
IPList Kiribati
IPList Tonga
IPList Wallis and Futuna
IPList Samoa
IPList Northern Mariana Islands
IPList Guam
IPList Puerto Rico
IPList U.S. Virgin Islands
IPList American Samoa
IPList Canada
IPList United States
IPList Palestine
IPList Serbia
IPList Antarctica
IPList Sint Maarten
IPList Curaçao
IPList Bonaire, Sint Eustatius, and Saba
IPList TOR exit nodes IP Address List
IPList TOR relay nodes IP Address List
IPList Botnet IP Address List
IPList Malicious Site IP Address List
IPList NordVPN Servers IP Address List
IPList Forcepoint Drop IP Address List
Situation File-Name_Shared-Variables
Application TOR
Application NordVPN

DISCLAIMER AND COPYRIGHT

Copyright © 2025 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.