Release notes for update package 1876-5242

This update package improves the detection capabilities of the Forcepoint LLM system.

RELEASE DATE:     Thursday May 08, 2025
MD5 CHECKSUM:     30371437f1e06879ee74ebae7832fbcd
SHA1 CHECKSUM:     c6ca498d63b7ab6c06fe024c78592a0c05e9fb90
SHA256 CHECKSUM:     a4eb5472512a8aecae51483cc3bc672a22a7498a0d5c4bc134dd66ba8a8f32ef


UPDATE CRITICALITY:    HIGH (install promptly; the package adds coverage for actively exploited CVEs)
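The three checksums above are what you compare a downloaded copy of package 1876-5242 against before importing it. The script below is an added example, not a Forcepoint tool: it hashes the file once with all three algorithms, compares each digest in constant time, and bases the verdict on SHA-256 only, since MD5 and SHA-1 are collision-prone and their matches are reported for completeness rather than trusted. The file name, the `verify_package_bytes` helper and the self-check input `b"abc"` (with its well-known digests) are constructed for the example.

```python
import hashlib
import hmac
import io
import sys

# Digests as published in the release notes for update package 1876-5242.
PUBLISHED_DIGESTS = {
    "md5": "30371437f1e06879ee74ebae7832fbcd",
    "sha1": "c6ca498d63b7ab6c06fe024c78592a0c05e9fb90",
    "sha256": "a4eb5472512a8aecae51483cc3bc672a22a7498a0d5c4bc134dd66ba8a8f32ef",
}

# Only SHA-256 decides the verdict. MD5 and SHA-1 are still computed and
# compared so the output mirrors the release notes, but a match there alone
# must never make a package trusted.
AUTHORITATIVE = "sha256"


def digest_stream(fileobj, chunk_size=1 << 20):
    """Hash a file-like object with MD5, SHA-1 and SHA-256 in a single pass.

    Chunked reads keep memory flat for large update packages.
    """
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_package(fileobj, expected=PUBLISHED_DIGESTS):
    """Compare computed digests with published ones.

    Returns {'ok', 'matches', 'actual'}: per-algorithm comparison results,
    the computed hex digests, and an overall 'ok' that is True only when the
    SHA-256 digest matches the published value.
    """
    actual = digest_stream(fileobj)
    matches = {}
    for name, published in expected.items():
        # constant-time comparison of lowercase hex strings
        matches[name] = hmac.compare_digest(actual[name], published.strip().lower())
    ok = matches.get(AUTHORITATIVE, False)
    return {"ok": ok, "matches": matches, "actual": actual}


def verify_package_bytes(data, expected=PUBLISHED_DIGESTS):
    """Wrapper for in-memory data (constructed helper, used by the self-check)."""
    return verify_package(io.BytesIO(data), expected)


if __name__ == "__main__":
    # Usage: python verify_update.py <downloaded update package>
    # With no argument, run a self-check on constructed input b"abc".
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            result = verify_package(f)
    else:
        result = verify_package_bytes(b"abc", {
            "md5": "900150983cd24fb0d6963f7d28e17f72",
            "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
            "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
        })
    for name, matched in result["matches"].items():
        print(f"{name:7s} {'OK ' if matched else 'BAD'} {result['actual'][name]}")
    print("verdict:", "trusted" if result["ok"] else "REJECT")
    sys.exit(0 if result["ok"] else 1)
```

Run it against the downloaded package; a non-zero exit means the SHA-256 digest did not match and the package should not be imported, even if the MD5 or SHA-1 lines read OK.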

List of detected attacks in this update package:

Risk level   Description                                                                   Reference        Vulnerability
High         An attempt to exploit a vulnerability in Commvault Command Center detected    CVE-2025-34028   Commvault-Command-Center-Path-Traversal-CVE-2025-34028
High         An attempt to exploit a vulnerability in Commvault Command Center detected    CVE-2025-34028   Commvault-Command-Center-Path-Traversal-CVE-2025-34028
High         An attempt to exploit a vulnerability in Delta Electronics CNCSoft detected   CVE-2024-47962   Delta-Electronics-CNCSoft-G2-DOPSoft-Buffer-Overflow-CVE-2024-47962
High         An attempt to exploit a vulnerability in Ivanti Avalanche detected            CVE-2024-13179   Ivanti-Avalanche-Securefilter-Dofilter-CVE-2024-13179-Authentication-Bypass
High         XorDDoS trojan's C2 traffic detected                                          No CVE/CAN       XorDDoS-Trojan-C2-Traffic
High         XorDDoS trojan's C2 traffic detected                                          No CVE/CAN       XorDDoS-Trojan-C2-Traffic


DETECTED ATTACKS

New detected attacks:

TCP Client Stream Unknown

Risk   Vulnerability/Situation      References   Related Fingerprint                     Situation Type
High   XorDDoS-Trojan-C2-Traffic    No CVE/CAN   Generic_CS-XorDDoS-Trojan-C2-Traffic    Suspected Botnet

TCP Server Stream Unknown

Risk   Vulnerability/Situation      References   Related Fingerprint                     Situation Type
High   XorDDoS-Trojan-C2-Traffic    No CVE/CAN   Generic_SS-XorDDoS-Trojan-C2-Traffic    Suspected Botnet

HTTP Request URI

Risk   Vulnerability/Situation                                   References       Related Fingerprint                                                Situation Type
High   Commvault-Command-Center-Path-Traversal-CVE-2025-34028    CVE-2025-34028   HTTP_CSU-Commvault-Command-Center-Path-Traversal-CVE-2025-34028    Suspected Compromise

HTTP Normalized Request-Line

Risk   Vulnerability/Situation                                                        References       Related Fingerprint                                                                     Situation Type
High   Ivanti-Avalanche-Securefilter-Dofilter-CVE-2024-13179-Authentication-Bypass    CVE-2024-13179   HTTP_CRL-Ivanti-Avalanche-Securefilter-Dofilter-CVE-2024-13179-Authentication-Bypass    Suspected Compromise
High   Commvault-Command-Center-Path-Traversal-CVE-2025-34028                         CVE-2025-34028   HTTP_CRL-Commvault-Command-Center-Path-Traversal-CVE-2025-34028                         Suspected Compromise

Other Binary File Stream

Risk   Vulnerability/Situation                                                References       Related Fingerprint                                                                  Situation Type
High   Delta-Electronics-CNCSoft-G2-DOPSoft-Buffer-Overflow-CVE-2024-47962    CVE-2024-47962   File-Binary_Delta-Electronics-CNCSoft-G2-DOPSoft-Buffer-Overflow-CVE-2024-47962    Suspected Compromise

Updated detected attacks:

SSH TCP Client Stream

Risk   Vulnerability/Situation                                        References       Related Fingerprint                                                        Situation Type         Change Description
High   OpenSSH-Pre-Authentication-Denial-Of-Service-CVE-2025-26466    CVE-2025-26466   SSH_OpenSSH-Client-Pre-Authentication-Denial-Of-Service-CVE-2025-26466    Suspected Compromise   Detection mechanism updated

HTTP Normalized Request-Line

Risk   Vulnerability/Situation          References       Related Fingerprint                        Situation Type         Change Description
High   Saml-XML-Signature-Wrapping      No CVE/CAN       HTTP_CRL-Saml-XML-Signature-Wrapping       Suspected Compromise   Detection mechanism updated
High   Langflow-AI-RCE-CVE-2025-3248    CVE-2025-3248    HTTP_CRL-Langflow-AI-RCE-CVE-2025-3248     Suspected Compromise   Fingerprint regexp changed

LIST OF OTHER CHANGES:

New objects:

Type Name
Situation IP_WeCom
Category Commvault Command Center
Category XorDDoS

Updated objects:

Type Name Changes
Situation HTTP_CRL-Shared-Variables
Situation HTTP_PSU-Shared-Variables
Fingerprint regexp changed
Situation File-Name_Shared-Variables
Application TOR
Application DNS-Over-HTTPS
Application NordVPN
Application Amazon Chime
Application WeCom
Application detection context content changed
Situation File_Blocked-Bad-SHA1-Hash     Detection mechanism updated
Situation URL_List-DNS-Over-HTTPS        Detection mechanism updated
IPList Iraq
IPList Saudi Arabia
IPList Iran
IPList Cyprus
IPList Armenia
IPList Kenya
IPList Seychelles
IPList Jordan
IPList Lebanon
IPList Kuwait
IPList Oman
IPList Qatar
IPList Bahrain
IPList United Arab Emirates
IPList Israel
IPList Türkiye
IPList Egypt
IPList Greece
IPList Estonia
IPList Latvia
IPList Azerbaijan
IPList Lithuania
IPList Georgia
IPList Moldova
IPList Belarus
IPList Finland
IPList Ukraine
IPList North Macedonia
IPList Hungary
IPList Bulgaria
IPList Albania
IPList Poland
IPList Romania
IPList Zimbabwe
IPList Zambia
IPList Lesotho
IPList Botswana
IPList Mauritius
IPList Eswatini
IPList Réunion
IPList South Africa
IPList Mozambique
IPList Afghanistan
IPList Pakistan
IPList Bangladesh
IPList Turkmenistan
IPList Tajikistan
IPList India
IPList Nepal
IPList Uzbekistan
IPList Kazakhstan
IPList French Southern Territories
IPList Cocos (Keeling) Islands
IPList Vietnam
IPList Thailand
IPList Indonesia
IPList Taiwan
IPList Philippines
IPList Malaysia
IPList China
IPList Hong Kong
IPList Macao
IPList South Korea
IPList Japan
IPList Singapore
IPList Timor-Leste
IPList Russia
IPList Australia
IPList Solomon Islands
IPList Tuvalu
IPList Nauru
IPList Vanuatu
IPList New Zealand
IPList Fiji
IPList Portugal
IPList Liberia
IPList Ivory Coast
IPList Ghana
IPList Nigeria
IPList Burkina Faso
IPList Tunisia
IPList Spain
IPList Morocco
IPList Malta
IPList Denmark
IPList Iceland
IPList United Kingdom
IPList Switzerland
IPList Sweden
IPList The Netherlands
IPList Austria
IPList Belgium
IPList Germany
IPList Luxembourg
IPList Ireland
IPList France
IPList Slovakia
IPList Czechia
IPList Norway
IPList Vatican City
IPList Italy
IPList Slovenia
IPList Montenegro
IPList Croatia
IPList Bosnia and Herzegovina
IPList French Guiana
IPList Paraguay
IPList Uruguay
IPList Brazil
IPList Jamaica
IPList Dominican Republic
IPList Martinique
IPList Anguilla
IPList Trinidad and Tobago
IPList Saint Martin
IPList Guadeloupe
IPList Guatemala
IPList Honduras
IPList Nicaragua
IPList Costa Rica
IPList Venezuela
IPList Ecuador
IPList Colombia
IPList Panama
IPList Argentina
IPList Chile
IPList Bolivia
IPList Peru
IPList Mexico
IPList Kiribati
IPList Tonga
IPList Guam
IPList Puerto Rico
IPList American Samoa
IPList Canada
IPList United States
IPList Palestine
IPList Serbia
IPList Antarctica
IPList TOR exit nodes IP Address List
IPList Amazon AMAZON
IPList Spotify
IPList Amazon EC2
IPList TOR relay nodes IP Address List
IPList Malicious Site IP Address List
IPList Amazon AMAZON ap-south-1
IPList Amazon EC2 ap-south-1
IPList NordVPN Servers IP Address List
IPList Amazon AMAZON ca-central-1
IPList Amazon EC2 ca-central-1
IPList Amazon AMAZON eu-central-1
IPList Amazon EC2 eu-central-1
IPList Amazon AMAZON eu-west-2
IPList Amazon EC2 eu-west-2
IPList Amazon AMAZON us-east-1
IPList Amazon AMAZON us-east-2
IPList Amazon EC2 us-east-2
IPList Forcepoint Drop IP Address List
IPList Amazon EC2 us-gov-east-1
IPList Amazon AMAZON us-west-2
IPList Amazon EC2 us-west-2
IPList Amazon IVS_REALTIME
IPList GitHub Actions IP Address List
IPList Amazon IVS_REALTIME us-west-2
IPList Amazon CHIME_MEETINGS
IPList Amazon AMAZON mx-central-1

DISCLAIMER AND COPYRIGHT

Copyright © 2025 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.