Release notes for update package 1880-5242

This update package improves the detection capabilities of the Forcepoint LLM system.

RELEASE DATE:     Monday May 19, 2025
MD5 CHECKSUM:     b6babad6c9f4d35624d84c13df5ceccc
SHA1 CHECKSUM:     95862449b4fd0967c7ec4c59cb1d74f2b32a5eb4
SHA256 CHECKSUM:     c8ac256214f902cf7494ddba77ece57303c9add8492d318c7e69c7af11e7bf2b
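Checking a downloaded package against the digests above before importing it, as an added example that is not part of the release notes or of Forcepoint's tooling. It parses the three CHECKSUM lines in the header format shown above, digests the file in one streaming pass, and accepts the package only when a SHA256 value was published and every published digest matches. MD5 and SHA1 are kept for cross-checking only, since neither is collision-resistant; a matching MD5 beside a mismatching SHA256 is a rejection, not a partial pass. The sample file content and the temporary-file helper are constructed for the demonstration and are not the real package.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Header lines copied from the release notes above; the parser reads this format.
SAMPLE_HEADER = """\
RELEASE DATE:     Monday May 19, 2025
MD5 CHECKSUM:     b6babad6c9f4d35624d84c13df5ceccc
SHA1 CHECKSUM:     95862449b4fd0967c7ec4c59cb1d74f2b32a5eb4
SHA256 CHECKSUM:     c8ac256214f902cf7494ddba77ece57303c9add8492d318c7e69c7af11e7bf2b
"""

CHECKSUM_LINE = re.compile(
    r"^(MD5|SHA1|SHA256) CHECKSUM:\s*([0-9A-Fa-f]+)\s*$", re.MULTILINE
)
DIGEST_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}


def parse_published_checksums(notes_text):
    """Extract {algorithm: hexdigest} from the release-notes header.

    A digest whose length is wrong for its algorithm raises, which catches a
    truncated or mis-pasted value before it is trusted.
    """
    published = {}
    for algo, hexdigest in CHECKSUM_LINE.findall(notes_text):
        algo = algo.lower()
        if len(hexdigest) != DIGEST_LENGTHS[algo]:
            raise ValueError(
                f"{algo} digest has {len(hexdigest)} hex chars, "
                f"expected {DIGEST_LENGTHS[algo]}"
            )
        published[algo] = hexdigest.lower()
    return published


def digest_file(path, algorithms=("md5", "sha1", "sha256"), chunk_size=1 << 20):
    """Compute several digests of a file in a single streaming pass."""
    # usedforsecurity=False lets md5/sha1 run on FIPS-restricted builds; they
    # are only cross-checked here, never trusted on their own.
    hashers = {name: hashlib.new(name, usedforsecurity=False) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_package(path, published):
    """Return (accepted, per_algorithm_result).

    Accepted only if a SHA256 digest was published and every published digest
    matches; constant-time comparison avoids leaking how far a digest matched.
    """
    if "sha256" not in published:
        raise ValueError("refusing to verify without a published SHA256 digest")
    actual = digest_file(path, tuple(published))
    result = {
        algo: hmac.compare_digest(actual[algo], expected)
        for algo, expected in published.items()
    }
    return all(result.values()), result


def make_sample_package(content=b"hello\n"):
    """Write a constructed stand-in for an update package and return its path."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    published = parse_published_checksums(SAMPLE_HEADER)
    sample = make_sample_package()
    accepted, result = verify_package(sample, published)
    # The sample is not the real package, so this reports a rejection.
    print("accepted:", accepted, result)
```

Point `verify_package` at the real downloaded file and at the digests parsed from the release notes; anything other than `accepted == True` means the file should not be imported into the management server.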


UPDATE CRITICALITY:    HIGH

New detected attacks in this update package:

Risk level    Description    Reference    Vulnerability
High    An attempt to exploit a vulnerability in SureTriggers detected    CVE-2025-3102    Wordpress-SureTriggers-Auth-Bypass-And-RCE-CVE-2025-3102
High    An attempt to exploit a vulnerability in SonicWall SMA100 series appliances detected    CVE-2024-38475    Apache-HTTP-Server-Mod-Rewrite-Improper-Escaping-CVE-2024-38475
High    An attempt to exploit a vulnerability in Fortinet FortiSandbox detected    CVE-2024-27778    Fortinet-FortiSandbox-VM-Screenshot-Command-Injection-CVE-2024-27778
High    An attempt to exploit a vulnerability in Nagios Enterprises Nagios XI detected    No CVE/CAN    Nagios-XI--Windows-Winrm-Command-Injection

The CVE-2024-38475 entry covers exploitation of the Apache HTTP Server mod_rewrite flaw on SonicWall SMA100 appliances; the related fingerprint is listed under HTTP Request URI in the DETECTED ATTACKS section.

DETECTED ATTACKS

New detected attacks:

HTTP Client Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High    Fortinet-FortiSandbox-VM-Screenshot-Command-Injection-CVE-2024-27778    CVE-2024-27778    HTTP_CS-Fortinet-FortiSandbox-VM-Screenshot-Command-Injection-CVE-2024-27778    Suspected Compromise

HTTP Request URI

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High    Apache-HTTP-Server-Mod-Rewrite-Improper-Escaping-CVE-2024-38475    CVE-2024-38475    HTTP_CSU-SonicWall-SMA100-Arbitrary-File-Read-Apache-Mod-Rewrite-CVE-2024-38475    Suspected Compromise

HTTP Request Header Line

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High    Wordpress-SureTriggers-Auth-Bypass-And-RCE-CVE-2025-3102    CVE-2025-3102    HTTP_CSH-Wordpress-SureTriggers-Auth-Bypass-And-RCE-CVE-2025-3102    Suspected Compromise

HTTP Normalized Request-Line

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type
High    Nagios-XI--Windows-Winrm-Command-Injection    No CVE/CAN    HTTP_CRL-Nagios-XI-Windows-Winrm-Command-Injection    Suspected Compromise

Updated detected attacks:

HTTP Client Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High    Nagios-XI--Windows-Winrm-Command-Injection    No CVE/CAN    HTTP_CS-Nagios-XI-Windows-Winrm-Command-Injection    Suspected Compromise
        Fingerprint regexp changed

DNS UDP Server Message

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High    ISC-Bind-Edns-Option-Processing-Denial-Of-Service    CVE-2014-3859    DNS-UDP_ISC-Bind-Edns-Option-Processing-Denial-Of-Service    Potential Compromise
        Fingerprint regexp changed
High    ISC-Bind-Buffer.c-Require-Assertion-Failure-Denial-Of-Service    CVE-2015-8705    DNS-UDP_ISC-Bind-Buffer.c-Require-Assertion-Failure-Denial-Of-Service-CVE-2015-8705    Suspected Compromise
        Detection mechanism updated
High    ISC-Bind-DNS-Cookie-Assertion-Failure-Denial-Of-Service    CVE-2016-2088    DNS-UDP_ISC-Bind-DNS-Cookie-Assertion-Failure-Denial-Of-Service    Suspected Compromise
        Fingerprint regexp changed

HTTP Normalized Request-Line

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High    Centreon-Web-Updatelcarelation-SQL-Injection-CVE-2024-23116    CVE-2024-23116    HTTP_CRL-Centreon-Web-Updatelcarelation-SQL-Injection-CVE-2024-23116    Suspected Compromise
        Renamed: HTTP_CRL-Centreon-Web-Updatelcarelation-SQL-Injection -> HTTP_CRL-Centreon-Web-Updatelcarelation-SQL-Injection-CVE-2024-23116
        Comment has changed
High    Wordpress-Core-Avatar-Block-Stored-Cross-Site-Scripting-CVE-2024-4439    CVE-2024-4439    HTTP_CRL-Wordpress-Core-Avatar-Block-Stored-Cross-Site-Scripting-CVE-2024-4439    Suspected Compromise
        Renamed: HTTP_CRL-Wordpress-Core-Avatar-Block-Stored-Cross-Site-Scripting -> HTTP_CRL-Wordpress-Core-Avatar-Block-Stored-Cross-Site-Scripting-CVE-2024-4439
        Comment has changed
High    Centreon-Web-Insertgraphtemplate-SQL-Injection-CVE-2024-23119    CVE-2024-23119    HTTP_CRL-Centreon-Web-Insertgraphtemplate-SQL-Injection-CVE-2024-23119    Suspected Compromise
        Renamed: HTTP_CRL-Centreon-Web-Insertgraphtemplate-SQL-Injection -> HTTP_CRL-Centreon-Web-Insertgraphtemplate-SQL-Injection-CVE-2024-23119
        Comment has changed
High    Centreon-Web-Updateservicehost-SQL-Injection-CVE-2024-5723    CVE-2024-5723    HTTP_CRL-Centreon-Web-Updateservicehost-SQL-Injection-CVE-2024-5723    Suspected Compromise
        Renamed: HTTP_CRL-Centreon-Web-Updateservicehost-SQL-Injection -> HTTP_CRL-Centreon-Web-Updateservicehost-SQL-Injection-CVE-2024-5723
        Comment has changed
High    Centreon-Web-Updateservicehost_MC-SQL-Injection-CVE-2024-32501    CVE-2024-32501    HTTP_CRL-Centreon-Web-Updateservicehost_MC-SQL-Injection-CVE-2024-32501    Suspected Compromise
        Renamed: HTTP_CRL-Centreon-Web-Updateservicehost_MC-SQL-Injection -> HTTP_CRL-Centreon-Web-Updateservicehost_MC-SQL-Injection-CVE-2024-32501
        Comment has changed
High    NetGear-ProSafe-Plus-Improper-Access-Control-CVE-2020-26919    CVE-2020-26919    HTTP_CRL-NetGear-ProSafe-Plus-Improper-Access-Control-CVE-2020-26919    Suspected Compromise
        Fingerprint regexp changed
High    Tenda-AC11-Remote-Code-Execution-CVE-2021-31755    CVE-2021-31755    HTTP_CRL-Tenda-AC11-Remote-Code-Execution-CVE-2021-31755    Suspected Compromise
        Fingerprint regexp changed
High    SonicWall-SMA100-SQL-Injection-CVE-2019-7481    CVE-2019-7481    HTTP_CRL-SonicWall-SMA100-SQL-Injection-CVE-2019-7481    Suspected Compromise
        Renamed: HTTP_CRL-SonicWall-SMA100-SQL-Injection -> HTTP_CRL-SonicWall-SMA100-SQL-Injection-CVE-2019-7481

SMB Client Header Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High    Linux-Kernel-Ksmbd-Setinfo-Request-Out-of-Bounds-Read-Information-Disclosure    No CVE/CAN    SMB-TCP_CHS-Linux-Kernel-Ksmbd-Setinfo-Request-Out-of-Bounds-Read-Information-Disclosure    Potential Compromise
        Comment has changed

Other Binary File Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High    HPE-Operations-Orchestration-Insecure-Deserialization-CVE-2016-8519    CVE-2016-8519    File-Binary_Suspicious-Java-Serialized-Object    Suspected Compromise
        Description has changed
        Category tag group CVE2016 added

OLE File Stream

Risk    Vulnerability/Situation    References    Related Fingerprint    Situation Type    Change Description
High    Clamav-Initialize_Encryption_Key-Out-Of-Bounds-Read-CVE-2024-20290    CVE-2024-20290    File-OLE_Clamav-Initialize_Encryption_Key-Out-Of-Bounds-Read-CVE-2024-20290    Potential Compromise
        Renamed: File-OLE_Clamav-Initialize_Encryption_Key_-Out-Of-Bounds-Read -> File-OLE_Clamav-Initialize_Encryption_Key-Out-Of-Bounds-Read-CVE-2024-20290
        Comment has changed

LIST OF OTHER CHANGES:

New objects:

Type    Name
Category    SureTriggers

Updated objects:

Type    Name    Changes
Situation    HTTP_CS-HPE-Operations-Orchestration-Insecure-Deserialization-CVE-2016-8519
        Renamed: HTTP_CS-HPE-Operations-Orchestration-Insecure-Deserialization -> HTTP_CS-HPE-Operations-Orchestration-Insecure-Deserialization-CVE-2016-8519
        Description has changed
        Attacker: connection_source -> none
        Victim: connection_destination -> none
        Category tag situation Obsolete added
        Category tag os Any Operating System removed
        Category tag hardware Any Hardware removed
        Category tag application HPE Operations Orchestration removed
        Category tag group CVE2016 removed
        Category tag os_not_specific Any Operating System not specific removed
        Category tag situation Suspected Compromise removed
        Category tag group HTTP Correlation Dependency Group removed
        Category tag group TCP Correlation Dependency Group removed
        Category tag group Severity over 4 Correlation Dependency Group removed
        Category tag group TCP Client Traffic removed
Situation    HTTP_CSU-Shared-Variables
Situation    HTTP_CRL-Shared-Variables
Application    Netflix
Application    TOR
Application    DNS-Over-HTTPS
Application    NordVPN
Certificate Authority    cPanel, Inc. Certification Authority int
        Marked for removal
Certificate Authority    XinChaCha Trust SSL Domain Validated
        Marked for removal
Certificate Authority    XinChaCha Trust SSL Extended Validated
        Marked for removal
Certificate Authority    XinChaCha Trust SSL Organization Validated
        Marked for removal
Certificate Authority    cPanel, Inc. ECC Certification Authority
        Marked for removal
Situation    URL_List-DNS-Over-HTTPS
        Detection mechanism updated
IPList    TOR exit nodes IP Address List
IPList    Amazon AMAZON
IPList    Amazon EC2
IPList    TOR relay nodes IP Address List
IPList    Netflix Servers
IPList    Microsoft Azure datacenter
IPList    Malicious Site IP Address List
IPList    NordVPN Servers IP Address List
IPList    Amazon AMAZON us-east-1
IPList    Amazon EC2 us-east-1
IPList    Amazon AMAZON us-west-2
IPList    Amazon EC2 us-west-2
IPList    Amazon IVS_REALTIME
IPList    Amazon IVS_REALTIME us-west-2

DISCLAIMER AND COPYRIGHT

Copyright © 2025 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.