Skip to content

Add vpatch-CVE-2026-48282 rule and test#60

Closed
crowdsec-automation wants to merge 113 commits into
masterfrom
1784119683-vpatch-CVE-2026-48282
Closed

Add vpatch-CVE-2026-48282 rule and test#60
crowdsec-automation wants to merge 113 commits into
masterfrom
1784119683-vpatch-CVE-2026-48282

Conversation

@crowdsec-automation

Copy link
Copy Markdown

This rule detects exploitation attempts against Adobe ColdFusion's RDS FILEIO WRITE vulnerability (CVE-2026-48282), which allows unauthenticated attackers to write arbitrary files to the server.

  • The first rule block matches requests to the vulnerable endpoint /cfide/main/ide.cfm (case-insensitive, using lowercase transform).
  • The second rule block ensures the action parameter in the query string is set to fileio, which is required for the vulnerable operation.
  • The third rule block inspects the raw POST body for the string :write, which is a strong indicator of the FILEIO WRITE operation being attempted (the body contains a serialized format with :write as the operation).
  • All value: fields are lowercase, and all relevant transforms include lowercase for normalization.
  • The rule avoids matching on specific file paths or file names to minimize false negatives and focuses on the protocol and operation signature.
  • The test nuclei template is adapted to send a representative exploit payload and expects a 403 response if the rule is triggered.

Validation checklist:

  • All value: fields are lowercase.
  • All transforms include lowercase where applicable.
  • No match.value contains capital letters.
  • The rule uses contains and equals instead of regex where applicable.

Exploit URL: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-48282.yaml

@github-actions

Copy link
Copy Markdown

Hello @crowdsec-automation and thank you for your contribution!

❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

🔴 crowdsecurity/vpatch-CVE-2026-48282 🔴

@github-actions

Copy link
Copy Markdown

Hello @crowdsec-automation,

Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants