Release notes for update package 1962-5242

This update package improves the detection capabilities of the Forcepoint LLM system.

RELEASE DATE:     Wednesday December 10, 2025
MD5 CHECKSUM:     eaabd4fe19240a2da9dcb5e0ca1429fb
SHA1 CHECKSUM:     f5fff369abc7389d56efb0846a57912a976cad6c
SHA256 CHECKSUM:     168165a0f647d857c6d7f7c5e34daac3cd8c5d38d9f5097c6005f6ecea8fda53


UPDATE CRITICALITY:    HIGH

List of detected attacks in this update package:

Risk level     Description     Reference     Vulnerability
High     An attempt to exploit a vulnerability in Microsoft Windows     CVE-2025-59284     Microsoft-Windows-Tar-File-NTLM-Relay-CVE-2025-59284
High     An attempt to exploit a vulnerability in 7-Zip     CVE-2025-55188     7-Zip-File-Extraction-Link-Following-Directory-Traversal-CVE-2025-55188
High     An attempt to exploit a vulnerability in Apache Tika     CVE-2025-54988     Apache-Tika-Xfa-External-Entity-Injection-CVE-2025-54988
High     An attempt to exploit a vulnerability in SolarWinds Web Help Desk     CVE-2025-26399     Solarwinds-Web-Help-DeskAjaxproxy-Insecure-Deserialization-CVE-2025-26399
High     An attempt to exploit a vulnerability in Ivanti Endpoint Manager     CVE-2025-9713     Ivanti-Endpoint-Manager-EBinaryFile-OnSaveToDB-Directory-Traversal-CVE-2025-9713
High     An attempt to exploit a vulnerability in Zyxel firmware     CVE-2025-9133     ZyXEL-Zyshcgi-Authorization-Bypass-CVE-2025-9133
High     An attempt to exploit a vulnerability in LangChain     CVE-2025-2828     Langchain-Requesttoolkit-Server-SSRF-CVE-2025-2828
High     An attempt to exploit a vulnerability in rsync     CVE-2024-12088     Rsync-Daemon-Safe-Links-Handling-Directory-Traversal-CVE-2024-12088
High     An attempt to exploit a vulnerability in Lollms     CVE-2024-4322     Lollms-Webui-List_Personalities-Directory-Traversal-CVE-2024-4322
High     An attempt to exploit a vulnerability in NCR Command Center Agent     CVE-2021-3122     NCR-Command-Center-Agent-Remote-Code-Execution-CVE-2021-3122
Low     An attempt to reset an Allegra user's password     CVE-2025-6216     Allegra-Password-Reset-Authentication-Bypass-CVE-2025-6216


DETECTED ATTACKS

New detected attacks:

HTTP Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     NCR-Command-Center-Agent-Remote-Code-Execution-CVE-2021-3122     CVE-2021-3122     HTTP_CS-NCR-Command-Center-Agent-Remote-Code-Execution-CVE-2021-3122     Suspected Compromise

TCP Server Stream Unknown

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Rsync-Daemon-Safe-Links-Handling-Directory-Traversal-CVE-2024-12088     CVE-2024-12088     Generic_SS-Rsync-Daemon-Safe-Links-Handling-Directory-Traversal-CVE-2024-12088     Suspected Compromise

HTTP Normalized Request-Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     ZyXEL-Zyshcgi-Authorization-Bypass-CVE-2025-9133     CVE-2025-9133     HTTP_CRL-ZyXEL-Zyshcgi-Authorization-Bypass-CVE-2025-9133     Suspected Disclosure
High     Langchain-Requesttoolkit-Server-SSRF-CVE-2025-2828     CVE-2025-2828     HTTP_CRL-Langchain-Requesttoolkit-SSRF-CVE-2025-2828     Suspected Compromise
High     Solarwinds-Web-Help-DeskAjaxproxy-Insecure-Deserialization-CVE-2025-26399     CVE-2025-26399     HTTP_CRL-Solarwinds-Web-Help-DeskAjaxproxy-Insecure-Deserialization-CVE-2025-26399     Suspected Compromise
High     Lollms-Webui-List_Personalities-Directory-Traversal-CVE-2024-4322     CVE-2024-4322     HTTP_CRL-Lollms-Webui-List_Personalities-Directory-Traversal-CVE-2024-4322     Suspected Disclosure
Low     Allegra-Password-Reset-Authentication-Bypass-CVE-2025-6216     CVE-2025-6216     HTTP_CRL-Allegra-Password-Reset     Protocol Information

Other Binary File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     7-Zip-File-Extraction-Link-Following-Directory-Traversal-CVE-2025-55188     CVE-2025-55188     File-Binary_7-Zip-Rar-Archive-Link-Following-Directory-Traversal-CVE-2025-55188     Suspected Compromise
High     Microsoft-Windows-Tar-File-NTLM-Relay-CVE-2025-59284     CVE-2025-59284     File-Binary_Microsoft-Windows-Tar-File-NTLM-Relay-CVE-2025-59284     Suspected Compromise

PDF File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Apache-Tika-Xfa-External-Entity-Injection-CVE-2025-54988     CVE-2025-54988     File-PDF_Apache-Tika-Xfa-External-Entity-Injection-CVE-2025-66516     Suspected Compromise

Identified Text File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Ivanti-Endpoint-Manager-EBinaryFile-OnSaveToDB-Directory-Traversal-CVE-2025-9713     CVE-2025-9713     File-TextId_Ivanti-Endpoint-Manager-EBinaryFile-OnSaveToDB-Directory-Traversal-CVE-2025-9713     Suspected Compromise

Updated detected attacks:

HTTP Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     Microsoft-Web-Deploy-Insecure-Deserialization-CVE-2025-53772     CVE-2025-53772     HTTP_CS-Microsoft-Web-Deploy-Insecure-Deserialization-CVE-2025-53772     Suspected Compromise     Detection mechanism updated

HTTP Normalized Request-Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     React-Server-Components-Insecure-Deserialization-CVE-2025-55182     CVE-2025-55182     HTTP_CRL-React-Server-Components-Insecure-Deserialization-CVE-2025-55182     Suspected Compromise     Fingerprint regexp changed
High     React-Server-Components-Insecure-Deserialization-CVE-2025-55182     CVE-2025-55182     HTTP_CRL-React2shell-Scanner-CVE-2025-55182     Suspected Compromise     Fingerprint regexp changed

Text File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     Suspicious-Jsp-File-Upload     No CVE/CAN     File-Text_Suspicious-Jsp-File-Content-Upload     Suspected Compromise     Description has changed; Category tag group CVE2021 added

Other Binary File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     Winace-Rar-And-Tar-Directory-Traversal-Vulnerability     CVE-2006-0981     File-Binary_Path-Traversal-Via-Tar-Archive     Suspected Compromise     Detection mechanism updated
High     RARLAB-WinRAR-Directory-Traversal-CVE-2025-6218     CVE-2025-6218     File-Binary_RARLAB-WinRAR-Directory-Traversal-CVE-2025-6218     Suspected Compromise     Name: File-Binary_RARLAB-WinRAR-CVE-2025-6218-Directory-Traversal-CVE-2025-6218->File-Binary_RARLAB-WinRAR-Directory-Traversal-CVE-2025-6218

LIST OF OTHER CHANGES:

New objects:

Type     Name
Situation     Analyzer_Allegra-Password-Reset-Flood
Application     Onlyfans
Application     Rutube
Application     Theporndude
Application     Xnxx
Application     Allegro
Application     Namshi
Application     Noon
Application     Otto
Application     Shopee
Application     Target
Application     Walmart
Category     NCR Command Center Agent
Category     lollms

Updated objects:

Type     Name     Changes
Situation     HTTP_CSU-Shared-Variables
Situation     Generic_CS-Shared-Variable-Fingerprints     Fingerprint regexp changed
Situation     File-Binary_Rar5-Archive-Parser
Application     Microsoft-Outlook
Application     Madthumbs     Application detection context content changed; Application Port "tcp/443 tls: free" added; TLS Match identification changed from to false
Application     Empflix     Application detection context content changed; Application Port "tcp/443 tls: free" added; TLS Match identification changed from to false
Application     Beeg     Application detection context content changed; Application Port "tcp/443 tls: free" added; TLS Match identification changed from to false
Application     Tube8     Application detection context content changed; Application Port "tcp/443 tls: free" added; TLS Match identification changed from to false
Application     Youjizz     Application detection context content changed; Application Port "tcp/443 tls: free" added; TLS Match identification changed from to false
Application     Xhamster
Application     Redtube     Application detection context content changed; Application Port "tcp/443 tls: free" added; TLS Match identification changed from to false
Application     Porntube     Application detection context content changed; Application Port "tcp/443 tls: free" added; TLS Match identification changed from to false
Application     4tube     Application detection context content changed; Application Port "tcp/443 tls: free" added; TLS Match identification changed from to false
Application     Swapper     Application detection context content changed; Application Port "tcp/443 tls: free" added; TLS Match identification changed from to false
Application     Microsoft-Office-365
Application     Xxxoh     Application detection context content changed; Application Port "tcp/443 tls: free" added
Application     TOR
Application     NordVPN
Application     WeCom
Situation     File_Blocked-Bad-SHA1-Hash     Detection mechanism updated
IPList     TOR exit nodes IP Address List
IPList     TOR relay nodes IP Address List
IPList     Okta IP Address List
IPList     Botnet IP Address List
IPList     Malicious Site IP Address List
IPList     NordVPN Servers IP Address List
IPList     WeCom IP Address List
IPList     Forcepoint Drop IP Address List
IPList     GitHub Actions IP Address List

DISCLAIMER AND COPYRIGHT

Copyright © 2025 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.