Deep Security Center

RULE UPDATE: 25-036 (September 2, 2025)
* indicates a new version of an existing rule

Deep Packet Inspection Rules:

Ivanti Endpoint Manager
1012253* - Ivanti Endpoint Manager SQL Injection Vulnerabilities (CVE-2024-32848 and CVE-2024-13162)


OneDev Server
1012270* - OneDev Arbitrary File Read Vulnerability (CVE-2024-45309)


OpenSSL
1012310* - OpenSSL Denial of Service Vulnerability (CVE-2024-6119) - Server


Unix RSync
1012430 - Rsync Information Disclosure Vulnerability (CVE-2024-12085)


Web Application PHP Based
1012308* - WordPress 'Hunk Companion' Plugin Broken Access Control Vulnerability (CVE-2024-11972)
1012431 - WordPress 'WPvivid Backup' Plugin Arbitrary File Upload Vulnerability (CVE-2025-5961)


Web Server Miscellaneous
1012315* - Zimbra Collaboration SQL Injection Vulnerability (CVE-2025-25064)


Integrity Monitoring Rules:

There are no new or updated Integrity Monitoring Rules in this Security Update.


Log Inspection Rules:

1004057* - Microsoft Windows Security Events - 1


RULE UPDATE: 25-035 (August 26, 2025)
* indicates a new version of an existing rule

Deep Packet Inspection Rules:

Adobe Experience Manager
1012427 - Adobe Experience Manager Remote Code Execution Vulnerability (CVE-2025-54253)


CyberPanel
1012196* - CyberPanel Remote Code Execution Vulnerability (CVE-2024-51567)


GhostCMS
1012434 - Ghost CMS Directory Traversal Vulnerability (CVE-2023-32235)


Ivanti Endpoint Manager
1012345* - Ivanti Endpoint Manager SQL Injection Vulnerability (CVE-2025-22461)


JetBrains TeamCity
1012429 - JetBrains TeamCity Reflected Cross-Site Scripting Vulnerability (CVE-2025-52876)


Mail Server Common
1012173* - Roundcube Webmail Stored Cross-Site Scripting Vulnerability (CVE-2024-42009)


Web Application PHP Based
1012247* - WordPress 'Super Backup & Clone' Plugin Arbitrary File Upload Vulnerability (CVE-2024-9290)


Web Application Tomcat
1012251* - LibreNMS Command Injection Vulnerability (CVE-2024-51092)


Web Server HTTPS
1012353* - Cacti SQL Injection Vulnerability (CVE-2024-54146)
1012233* - WordPress 'FundEngine Donation and Crowdfunding Platform' SQL Injection Vulnerability (CVE-2022-0788)
1012320* - WordPress 'KiviCare' Plugin SQL Injection Vulnerability (CVE-2024-11728)
1012224* - WordPress 'Really Simple Security' Plugin Authentication Bypass Vulnerability (CVE-2024-10924)
1012223* - WordPress Core Deserialization of Untrusted Data Remote Code Execution Vulnerability (CVE-2024-31210)
1012365* - Zabbix SQL Injection Vulnerability (CVE-2024-36465)


Web Server Nagios
1012329* - Nagios XI SQL Injection Vulnerability (CVE-2023-48084)


Integrity Monitoring Rules:

There are no new or updated Integrity Monitoring Rules in this Security Update.


Log Inspection Rules:

1012433 - Group Managed Service Account Password Access Attempt
1002795* - Microsoft Windows Events


RULE UPDATE: 25-034 (August 19, 2025)
* indicates a new version of an existing rule

Deep Packet Inspection Rules:

FTP Server IIS
1012386 - SolarWinds Serv-U Directory Traversal Vulnerability (CVE-2024-45711)


Ivanti Endpoint Manager
1012214* - Ivanti Endpoint Manager SQL Injection Vulnerabilities (CVE-2024-32847 and CVE-2024-37376)
1012211* - Ivanti Endpoint Manager SQL Injection Vulnerability (CVE-2024-32839)
1012213* - Ivanti Endpoint Manager SQL Injection Vulnerability (CVE-2024-32841)


JetBrains TeamCity
1012420 - JetBrains TeamCity Reflected Cross-Site Scripting Vulnerability (CVE-2025-52877)


Splunk API
1012422 - Splunk Enterprise Reflected Cross-Site Scripting Vulnerability (CVE-2025-20297)


Trend Micro OfficeScan
1012202* - Trend Micro Apex One SQL Injection Vulnerability (CVE-2024-39753)


Web Application PHP Based
1012416 - WordPress 'AIT CSV Import/Export' Plugin Arbitrary File Upload Vulnerability (CVE-2020-36849)
1012428 - WordPress 'Web Directory Free' Plugin SQL Injection Vulnerability (CVE-2024-3552)


Web Client HTTPS
1012419 - Microsoft Windows Management Console Security Feature Bypass Vulnerability (CVE-2025-26633)


Web Server Adobe ColdFusion
1012414 - Adobe ColdFusion Command Injection Vulnerability (CVE-2025-43562)


Web Server HTTPS
1012170* - Centreon SQL Injection Vulnerability (CVE-2024-39842 and CVE-2024-39843)


Integrity Monitoring Rules:

There are no new or updated Integrity Monitoring Rules in this Security Update.


Log Inspection Rules:

There are no new or updated Log Inspection Rules in this Security Update.


RULE UPDATE: 25-033 (August 12, 2025)
* indicates a new version of an existing rule

Deep Packet Inspection Rules:

Kubernetes Ingress-Nginx Controller
1012367* - Kubernetes Ingress-Nginx Multiple Code Injection Vulnerabilities


Mail Server Postfix
1012235* - Zimbra Collaboration Command Injection Vulnerability (CVE-2024-45519)


Progress WhatsUp Gold
1012242* - Progress WhatsUp Gold SQL Injection Vulnerability (CVE-2024-46906)


Redis Server
1012413 - Redis Out of Bound Write Vulnerability (CVE-2025-32023)


Trend Micro OfficeScan
1012421 - Trend Micro Apex One Command Injection Vulnerability (CVE-2025-54948 and CVE-2025-54987)


Web Application PHP Based
1012247* - WordPress 'Super Backup & Clone' Plugin Arbitrary File Upload Vulnerability (CVE-2024-9290)


Web Client HTTPS
1012418 - MCP-Remote Command Injection Vulnerability (CVE-2025-6514)


Web Server HTTPS
1012241* - Cacti Stored Cross-Site Scripting Vulnerabilities (CVE-2024-43364 and CVE-2024-43365)
1012224* - WordPress 'Really Simple Security' Plugin Authentication Bypass Vulnerability (CVE-2024-10924)


Web Server SharePoint
1012423 - Microsoft SharePoint Server Denial-of-Service Vulnerability (ZDI-CAN-25207)
1012424 - Microsoft SharePoint Server Deserialization of Untrusted Data Vulnerability (ZDI-CAN-24831)


Windows Services RPC Client DCERPC
1012425 - Microsoft Windows NTLM Elevation Of Privilege Vulnerability (CVE-2025-53778)


Integrity Monitoring Rules:

1002770* - Linux/Unix - File attributes in the /usr/bin and /usr/sbin directories modified


Log Inspection Rules:

1008670* - Microsoft Windows Security Events - 3


RULE UPDATE: 25-032 (August 5, 2025)
* indicates a new version of an existing rule

Deep Packet Inspection Rules:

HPE Insight Remote Support
1012304* - HPE Insight Remote Support Directory Traversal Vulnerability (CVE-2024-53676)


Ivanti Avalanche
1012411 - Ivanti Avalanche Enterprise Service Arbitrary File Upload Vulnerability (CVE-2021-42125)


Progress WhatsUp Gold
1012237* - Progress WhatsUp Gold SQL Injection Vulnerability (CVE-2024-46905)


SolarWinds Dameware Web Help Desk
1012127* - SolarWinds Dameware Web Help Desk Multiple Deserialization Remote Code Execution Vulnerabilities (CVE-2024-28986 and CVE-2024-28988)


Unix Samba
1012409 - Linux Kernel KSMBD Use After Free Vulnerability (CVE-2025-37778)


Web Application PHP Based
1012307* - WordPress 'Tutor LMS' Plugin SQL Injection Vulnerability (CVE-2024-10400)
1012313* - WordPress 'Ultimate Exporter' Plugin Command Injection Vulnerability (CVE-2024-56278)


Web Server Adobe ColdFusion
1012405 - Adobe ColdFusion Stored Cross-Site Scripting Vulnerability (CVE-2025-49541)
1012407 - Adobe ColdFusion Stored Cross-Site Scripting Vulnerability (CVE-2025-49542)
1012406 - Adobe ColdFusion Stored Cross-Site Scripting Vulnerability (CVE-2025-49543)


Windows SMB Server
1012394* - Microsoft Windows NEGOEX Remote Code Execution Vulnerability (CVE-2025-47981)


Wing FTP Server
1012410* - Wing FTP Server Remote Code Execution Vulnerability (CVE-2025-47812)


Integrity Monitoring Rules:

There are no new or updated Integrity Monitoring Rules in this Security Update.


Log Inspection Rules:

There are no new or updated Log Inspection Rules in this Security Update.


RULE UPDATE: 25-031 (July 29, 2025)
* indicates a new version of an existing rule

Deep Packet Inspection Rules:

CyberPanel
1012300* - CyberPanel Command Injection Vulnerability (CVE-2024-51378)
1012299* - CyberPanel Remote Code Execution Vulnerability (CVE-2024-53376)


PaperCut
1012415 - PaperCut NG and MF Cross-Site Request Forgery Vulnerability (CVE-2023-2533)


Progress WhatsUp Gold
1012239* - Progress WhatsUp Gold SQL Injection Vulnerability (CVE-2024-46907)


Web Application PHP Based
1012401 - WordPress 'Depicter' Plugin SQL Injection Vulnerability (CVE-2025-2011)
1012301* - WordPress 'Quiz Maker' Plugin Reflected Cross-Site Scripting Vulnerability (CVE-2023-2571)


Web Server Adobe ColdFusion
1012408 - Adobe ColdFusion Command Injection Vulnerability (CVE-2025-49537)
1012404* - Adobe ColdFusion Stored Cross-Site Scripting Vulnerability (CVE-2025-49540)


Web Server Common
1012412 - Bypass Network Scanner Traffic - XFF


Web Server HTTPS
1012354* - Craft CMS Remote Code Execution Vulnerability (CVE-2025-32432)
1012292* - Zabbix SQL Injection Vulnerability (CVE-2024-42327)


Integrity Monitoring Rules:

There are no new or updated Integrity Monitoring Rules in this Security Update.


Log Inspection Rules:

There are no new or updated Log Inspection Rules in this Security Update.


RULE UPDATE: 25-030 (July 22, 2025)
* indicates a new version of an existing rule

Deep Packet Inspection Rules:

DCERPC Services - Client
1012403 - Microsoft Windows SMB Client Elevation Of Privilege Vulnerability (CVE-2025-33073)


Directory Server LDAP
1012240* - Microsoft Windows Active Directory Denial of Service Vulnerability (CVE-2024-49113)


HPE Insight Remote Support
1012389 - HPE Insight Remote Support Directory Traversal Vulnerability (CVE-2025-37098)


Ivanti Avalanche
1012296* - Ivanti Avalanche Path Traversal Vulnerability (CVE-2024-13179)


Progress WhatsUp Gold
1012287* - Progress WhatsUp Gold Directory Traversal Vulnerability (CVE-2024-12105)
1012236* - Progress WhatsUp Gold SQL Injection Vulnerability (CVE-2024-46908)


Web Application Common
1012290* - Pandora FMS Command Injection Vulnerability (CVE-2024-11320)


Web Application PHP Based
1012395 - WordPress 'HTML5 Video Player' Plugin SQL Injection Vulnerability (CVE-2024-1061)
1012400 - WordPress 'Kubio AI Page Builder' Plugin Local File Inclusion Vulnerability (CVE-2025-2294)


Web Client Common
1012379* - Microsoft Windows Remote Code Execution Vulnerability (CVE-2025-33053)


Web Server SharePoint
1012390* - Microsoft SharePoint Server Spoofing Vulnerability (CVE-2025-49706 and CVE-2025-53771)


Wing FTP Server
1012410 - Wing FTP Server Remote Code Execution Vulnerability (CVE-2025-47812)


Integrity Monitoring Rules:

There are no new or updated Integrity Monitoring Rules in this Security Update.


Log Inspection Rules:

There are no new or updated Log Inspection Rules in this Security Update.


RULE UPDATE: 25-029 (July 15, 2025)
* indicates a new version of an existing rule

Deep Packet Inspection Rules:

DCERPC Services - Client
1012075* - Microsoft Windows MSHTML Platform Remote Code Execution Vulnerability Over SMB (CVE-2024-38112)
1005153* - Print Spooler Service Format String Vulnerability (CVE-2012-1851) II


DNS Client
1008571* - DNS Request To ShadowPad Domain Detection


Kubernetes Ingress-Nginx Controller
1012367 - Kubernetes Ingress-Nginx Multiple Code Injection Vulnerabilities


Redis Server
1012286* - Redis Use After Free Vulnerability (CVE-2024-46981)


Solr Service
1012280* - Apache Solr Authentication Bypass Vulnerability (CVE-2024-45216)


Web Application PHP Based
1012277* - LibreNMS Stored Cross-Site Scripting Vulnerability (CVE-2024-53457)
1012265* - WordPress 'White Label CMS' Plugin Reflected Cross-Site Scripting Vulnerability (CVE-2022-0422)


Web Client HTTPS
1010132* - Microsoft Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601) - 1


Web Server Adobe ColdFusion
1012404 - Adobe ColdFusion Stored Cross-Site Scripting Vulnerability (CVE-2025-49540)


Web Server Adobe ColdFusion AddOns
1012402 - Adobe ColdFusion XML External Entity Injection Vulnerability (CVE-2025-49538)


Web Server HTTPS
1012284* - Apache Traffic Control SQL Injection Vulnerability (CVE-2024-45387)


Web Server Miscellaneous
1008207* - Apache Struts2 Remote Code Execution Vulnerability (CVE-2017-5638)
1012398 - XWiki SQL Injection Vulnerability (CVE-2025-32969)


Windows Services RPC Client DCERPC
1012178* - Identified Windows DCERPC AUTH LEVEL CONNECT Windows Remote Registry Request


Windows Services RPC Server DCERPC
1010519* - Netlogon Elevation Of Privilege Vulnerability (Zerologon) (CVE-2020-1472)


Zoho ManageEngine ADSelfService Plus
1012393 - Zoho ManageEngine ADSelfService Plus SQL Injection Vulnerability (CVE-2025-3833)


Integrity Monitoring Rules:

There are no new or updated Integrity Monitoring Rules in this Security Update.


Log Inspection Rules:

There are no new or updated Log Inspection Rules in this Security Update.


RULE UPDATE: 25-028 (July 8, 2025)
* indicates a new version of an existing rule

Deep Packet Inspection Rules:

DCERPC Services
1009490* - Block Administrative Share - 1 (ATT&CK T1021.002)
1007596* - Identified Possible Ransomware File Extension Rename Activity Over Network Share
1007598* - Identified Possible Ransomware File Rename Activity Over Network Share
1006906* - Identified Usage Of PsExec Command Line Tool (ATT&CK T1569.002)
1008119* - Microsoft Windows Local Security Authority Subsystem Service (LSASS) Denial Of Service Vulnerability (CVE-2017-0004)
1008123* - Microsoft Windows Local Security Authority Subsystem Service Denial Of Service Vulnerability (CVE-2016-7237)
1008227* - Microsoft Windows SMB Information Disclosure Vulnerability (CVE-2017-0147)
1008432* - Microsoft Windows SMB Information Disclosure Vulnerability (CVE-2017-0267)
1008660* - Microsoft Windows SMB Out-Of-Bounds Read Denial Of Service Vulnerability (CVE-2017-11781)
1008224* - Microsoft Windows SMB Remote Code Execution Vulnerabilities (CVE-2017-0144 and CVE-2017-0146)
1008225* - Microsoft Windows SMB Remote Code Execution Vulnerability (CVE-2017-0145)
1008228* - Microsoft Windows SMB Remote Code Execution Vulnerability (CVE-2017-0148)
1008306* - Microsoft Windows SMB Remote Code Execution Vulnerability (MS17-010)
1008713* - Microsoft Windows SMB Server SMBv1 Information Disclosure Vulnerability (CVE-2017-11815)
1008468* - Microsoft Windows SMBv1 Information Disclosure Vulnerability (CVE-2017-0271)
1008305* - Microsoft Windows SMBv1 Remote Code Execution Vulnerability
1008445* - Microsoft Windows Search Remote Code Execution Vulnerability (CVE-2017-8543)
1008560* - Microsoft Windows Search Remote Code Execution Vulnerability (CVE-2017-8620)
1007432* - Microsoft Windows Server Message Block Memory Corruption Vulnerability (CVE-2015-2474)
1005293* - Prevent Windows Administrator User Login Over SMB (ATT&CK T1078.002,T1078.001,T1021.002)
1007021* - Remote Registry Access Through SMBv2 Protocol Detected (ATT&CK T1012)
1007033* - Remote Scheduled Task Access Through SMBv1 Protocol Detected
1001839* - Restrict Attempt To Enumerate Windows User Accounts (ATT&CK T1087)
1008179* - Restrict File Extensions For Rename Activity Over Network Share
1003984* - SMB NTLM Authentication Lack Of Entropy Vulnerability
1005448* - SMB Null Session Detected - 1
1005447* - SMB Null Session Detected - 2
1003761* - SMBv2 Infinite Loop Vulnerability
1003712* - Windows Vista SMB2.0 Negotiate Protocol Request Remote Code Execution


DCERPC Services - Client
1004373* - Identified DLL Side Loading Attempt Over Network Share (ATT&CK T1574.002)
1010106* - Identified Downloading Of PowerShell Scripts Through SMB Share (ATT&CK T1059.001)
1004293* - Identified Microsoft Windows Shortcut File Over Network Share
1007913* - Identified Possible Ransomware File Extension Rename Activity Over Network Share - Client
1007912* - Identified Possible Ransomware File Rename Activity Over Network Share - Client
1007592* - Microsoft Windows DLL Loading Vulnerabilities Over Network Share (CVE-2016-0160 and CVE-2016-0148)
1007381* - Microsoft Windows DLL Loading Vulnerabilities Over Network Share (MS15-132)
1007369* - Microsoft Windows DLL Loading Vulnerabilities Over Network Share (MS16-007)
1007426* - Microsoft Windows DLL Loading Vulnerabilities Over Network Share (MS16-014)
1008177* - Microsoft Windows DLL Loading Vulnerability Over Network Share (CVE-2017-0039)
1008585* - Microsoft Windows LNK Remote Code Execution Over SMB (CVE-2017-8464)
1010394* - Microsoft Windows LNK Remote Code Execution Vulnerability Over SMB (CVE-2020-1421)
1010553* - Microsoft Windows Media Foundation Memory Corruption Vulnerability Over SMB (CVE-2020-16915)
1007531* - Microsoft Windows RPC Downgrade Vulnerability (CVE-2016-0128)
1008138* - Microsoft Windows SMB Tree Connect Response Denial Of Service Vulnerability (CVE-2017-0016)


DHCP Client
1000861* - Microsoft Windows DHCP Client Service Remote Code Execution


DNS Client
1010352* - Data Exfiltration Over DNS (Response) Protocol (T1048)
1003328* - Disallow Intra-Site Automatic Tunnel Addressing Protocol
1008666* - Microsoft Windows DNSAPI Remote Code Execution Vulnerability (CVE-2017-11779)


Database Microsoft SQL
1012391 - Microsoft SQL Server Information Disclosure Vulnerability (CVE-2025-49718)


Ivanti Endpoint Manager
1012396 - Ivanti Endpoint Manager Credential Coercion Vulnerability (CVE-2024-13159)


MSMQ Service
1012227* - Microsoft Windows Message Queuing Service Remote Code Execution Vulnerability (CVE-2024-49122)


Mail Server Common
1012143* - Roundcube Webmail Stored Cross-Site Scripting Vulnerability (CVE-2024-37383)


NTP Client
1008004* - NTP 'ntpq atoascii' Memory Corruption Vulnerability (CVE-2015-7852)


Port Mapper FTP Client
1009558* - Remote File Copy Over FTP (ATT&CK T1544, T1071.002)


Ray Framework
1012153* - Ray Remote Code Execution Vulnerability (CVE-2023-48022)


Remote Desktop Protocol Server
1009562* - Identified Remote Desktop Protocol (RDP) Brute Force Attempt (ATT&CK T1110)
1007969* - Identified Suspicious Remote Desktop Protocol (RDP) Brute Force Attempt (ATT&CK T1110, T1021.001)
1008307* - Microsoft Windows Remote Desktop Protocol Remote Code Execution Vulnerability (CVE-2017-0176)
1009749* - Microsoft Windows Remote Desktop Services Remote Code Execution Vulnerability (CVE-2019-0708)


Suspicious Client Application Activity
1010364* - Identified Reverse Shell Communication Over HTTPS - 2 (ATT&CK T1071.001)
1007197* - TMTR-0005: GHOST RAT TCP Connection Detected (ATT&CK T1571)
1007186* - TMTR-0007: STRAT HTTP Request
1007199* - TMTR-0008: STRAT HTTP Request
1007198* - TMTR-0009: STRAT HTTP Request
1007200* - TMTR-0010: FAKEM RAT TCP Connection (ATT&CK T1571)
1007201* - TMTR-0011: FAKEM RAT TCP Request (ATT&CK T1571)
1007205* - TMTR-0012: FAKEM RAT TCP Connection (ATT&CK T1571)
1007206* - TMTR-0013: FAKEMRAT HTTP Request
1007207* - TMTR-0014: NJRAT TCP Connection (ATT&CK T1571)
1007202* - TMTR-0015: PSYRAT HTTP Request
1007208* - TMTR-0016: SPLINTER RAT TCP Connection (ATT&CK T1571)
1007209* - TMTR-0017: ZIYAZO RAT BKDR Connection (ATT&CK T1571)


Suspicious Server Application Activity
1009549* - Detected Terminal Services (RDP) Server Traffic - 1 (ATT&CK T1021.001)


WSO2
1012249* - WSO2 Multiple Products Arbitrary File Upload Vulnerability (CVE-2024-7074)


Web Application Common
1012397 - Liferay Multiple Products Reflected Cross-Site Scripting Vulnerability (CVE-2025-4388)


Web Server Common
1011242* - Apache Log4j Remote Code Execution Vulnerability (CVE-2021-44228)


Web Server Oracle
1012244* - Oracle WebLogic Server Insecure Deserialization Vulnerability (CVE-2024-21182)


Web Server SharePoint
1012390 - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2025-49704)


Windows Remote Management
1009894* - Powershell Remote Command Execution Via WinRM - HTTP (Request) (ATT&CK T1021.006, T1059.001)
1010048* - WinRM Service Detected & Powershell RCE Over HTTP (ATT&CK T1021.006, T1059.001)


Windows Remote Management Client
1010073* - WinRM Service Detected & Powershell RCE Over HTTP - Client (ATT&CK T1021.006, T1059.001)


Windows SMB Client
1006994* - Executable File Download On Network Share Detected


Windows SMB Server
1007065* - Executable File Uploaded On Network Share (ATT&CK T1570)
1011018* - Identified DCERPC AddPrinterDriverEx Call Over SMB Protocol
1012394 - Microsoft Windows NEGOEX Remote Code Execution Vulnerability (CVE-2025-47981)
1009511* - Microsoft Windows SMB Remote Code Execution Vulnerability (CVE-2019-0630)


Windows Server DCERPC
1011016* - Identified DCERPC AddPrinterDriverEx Call Over TCP Protocol


Windows Services RPC Client DCERPC
1008477* - Identified Usage Of WMI Execute Methods - Client (ATT&CK T1047)
1007539* - Microsoft Windows RPC Downgrade Vulnerability (CVE-2016-0128) - 1


Windows Services RPC Server DCERPC
1009615* - Identified Initialization Of WMI - Server (ATT&CK T1047)
1009604* - Identified Usage Of WMI Execute Methods - Server - 1 (ATT&CK T1047)
1009480* - Identified WMI Query Over DCE/RPC Protocol (ATT&CK T1047)
1003766* - Local Security Authority Subsystem Service Integer Overflow Vulnerability
1007068* - Remote Service Execution Through SMBv2 Protocol Detected


Integrity Monitoring Rules:

1002770* - Linux/Unix - File attributes in the /usr/bin and /usr/sbin directories modified
1010812* - Linux/Unix - Name resolver configuration files modified (ATT&CK T1071.004, T1583.002)
1010373* - Linux/Unix - Systemd service modified (ATT&CK T1543.002)


Log Inspection Rules:

There are no new or updated Log Inspection Rules in this Security Update.


RULE UPDATE: 25-027 (July 1, 2025)
* indicates a new version of an existing rule

Deep Packet Inspection Rules:

DCERPC Services
1007134* - Batch File Uploaded On Network Share (ATT&CK T1021.002, T1204.002)
1007064* - Executable File Uploaded On System32 Folder Through SMB Share (ATT&CK T1021.002, T1204.002)
1001852* - Identified Attempt To Brute Force Windows Login Credentials (ATT&CK T1110)
1004808* - Identified Big-Endian Byte Order
1005889* - Identified POSWDS Malware Connection Over SMB
1002937* - Integer Overflow In IPP Service Vulnerability
1003824* - License Logging Server Heap Overflow Vulnerability
1004600* - Microsoft Active Directory 'BROWSER ELECTION' Buffer Overflow Vulnerability
1003015* - Microsoft SMB Credential Reflection Vulnerability
1006579* - Microsoft Windows NETLOGON Spoofing Vulnerability (CVE-2015-0005)
1002931* - Microsoft Windows SMB Buffer Underflow Vulnerability
1000972* - Microsoft Windows svcctl ChangeServiceConfig2A() Memory Corruption Vulnerability
1007114* - Portable Executable File Uploaded On SMB Share (ATT&CK T1021.002, T1204.002)
1003564* - Print Spooler Load Library Vulnerability
1005140* - Print Spooler Service Format String Vulnerability (CVE-2012-1851)
1004401* - Print Spooler Service Impersonation Vulnerability
1007125* - Remote Access Event Through SMBv1 Protocol Detected
1007121* - Remote Access Event Through SMBv2 Protocol Detected
1006995* - Remote Add Job Through SMBv1 Protocol Detected
1007037* - Remote Add Job Through SMBv2 Protocol Detected
1007020* - Remote CreateService Request Detected Through SMBv1 Protocol (ATT&CK T1543.003)
1007066* - Remote Delete Job Through SMBv1 Protocol Detected
1007038* - Remote Delete Job Through SMBv2 Protocol Detected
1007035* - Remote DeleteService Request Through SMBv1 Detected (ATT&CK T1543.003)
1007070* - Remote PWDUMP Through SMBv1 Protocol Detected
1007057* - Remote Registry Access Through SMBv1 Protocol Detected (ATT&CK T1012)
1007032* - Remote Schedule Task Create Through SMBv1 Protocol Detected
1007069* - Remote Service Execution Through SMBv1 Detected (ATT&CK T1569.002)
1003985* - SMB Memory Corruption Vulnerability
1003979* - SMB Null Pointer Vulnerability
1003978* - SMB Pathname Overflow Vulnerability
1004346* - SMB Pool Overflow Vulnerability
1004355* - SMB Stack Exhaustion Vulnerability
1004641* - SMB Transaction Parsing Vulnerability (CVE-2011-0661)
1004348* - SMB Variable Validation Vulnerability
1002975* - Server Service Vulnerability (wkssvc)
1004542* - Windows Netlogon Service Denial Of Service (CVE-2010-2742)
1003676* - Workstation Service Memory Corruption Vulnerability


DCERPC Services - Client
1004821* - Active Accessibility Insecure Library Loading Vulnerability (CVE-2011-1247)
1004924* - Color Control Panel Insecure Library Loading Vulnerability Over Network Share (CVE-2010-5082)
1004700* - DFS Memory Corruption Vulnerability (CVE-2011-1868)
1004762* - Data Access Components Insecure Library Loading Vulnerability Over Network Share (CVE-2011-1975)
1004304* - Identified Suspicious Microsoft Windows Shortcut File Over Network Share (ATT&CK T1080)
1004926* - Indeo Codec Insecure Library Loading Vulnerability Over Network Share (CVE-2010-3138)
1004563* - Microsoft Windows 'CreateSizedDIBSECTION()' Thumbnail View Stack Buffer Overflow Vulnerability Over Network Share
1003832* - Microsoft Windows 'KeAccumulateTicks()' SMB2 Packet Remote Denial Of Service Vulnerability
1005281* - Microsoft Windows Briefcase Integer Overflow Vulnerability Over Network Share (CVE-2012-1528)
1005280* - Microsoft Windows Briefcase Integer Underflow Vulnerability Over Network Share (CVE-2012-1527)
1004053* - Microsoft Windows CHM Notepad Remote Code Execution
1006554* - Microsoft Windows DLL Planting Remote Code Execution Vulnerability (CVE-2015-0096)
1006013* - Microsoft Windows Insecure Binary Loading Vulnerability Over Network Share (CVE-2014-0315)
1006292* - Microsoft Windows OLE Remote Code Execution Vulnerability Over SMB
1004697* - OLE Automation Underflow Vulnerability ( CVE-2011-0658 )
1004897* - Object Packager Insecure Executable Launching Vulnerability Over Network Share (CVE-2012-0009)
1004877* - PowerPoint Insecure Library Loading Vulnerability Over Network Share (CVE-2011-3396)
1005153* - Print Spooler Service Format String Vulnerability (CVE-2012-1851) II
1005139* - Remote Administration Protocol Denial Of Service Vulnerability (CVE-2012-1850)
1005142* - Remote Administration Protocol Stack Overflow Vulnerability
1004094* - SMB Client Memory Allocation Vulnerability
1004100* - SMB Client Message Size Vulnerability
1003973* - SMB Client Pool Corruption Vulnerability
1003980* - SMB Client Race Condition Vulnerability
1004096* - SMB Client Response Parsing Vulnerability
1004637* - SMB Client Response Parsing Vulnerability (CVE-2011-0660)
1004095* - SMB Client Transaction Vulnerability
1003014* - SMB Credential Reflection Vulnerability
1004692* - SMB Response Parsing Vulnerability (CVE-2011-1268)
1004775* - Telnet Handler Remote Code Execution Vulnerability Over Network Share (CVE-2011-1961)
1012387 - Trend Micro Apex One Client Remote Code Execution Vulnerability Over SMB (CVE-2025-49155)
1005081* - Vulnerability In Windows Shell Could Allow Remote Code Execution (CVE-2012-0175)
1004797* - Windows Components Insecure Library Loading Vulnerability Over Network Share (CVE-2011-1991)
1004843* - Windows Mail Insecure Library Loading Vulnerability Over Network Share (CVE-2011-2016)


DNS Client
1003189* - Malware AGENT.BTZ Domain Blocker
1000468* - Microsoft Word Malformed Object Pointer Remote Code Execution
1003133* - Pointer Reference Memory Corruption Vulnerability Domain Blocker


HP Intelligent Management Center (IMC)
1012392 - Apache OFBiz Stored Cross-Site Scripting Vulnerability (CVE-2025-30676)


Ivanti Endpoint Manager
1012204* - Ivanti Endpoint Manager SQL Injection Vulnerability (CVE-2024-50328)
1012283* - Ivanti Endpoint Manager Untrusted Search Path Vulnerability (CVE-2024-13158)


JetBrains TeamCity
1012238* - JetBrains TeamCity Stored Cross-Site Scripting Vulnerability (CVE-2024-47951)


Link-Local Multicast Name Resolution
1004645* - DNS Query Vulnerability (CVE-2011-0657)


NTP Client
1006630* - NTP MAC Security Bypass Vulnerability (CVE-2015-1798)


Remote Desktop Protocol Server
1006870* - Microsoft Windows Remote Desktop Protocol (RDP) Remote Code Execution Vulnerability (CVE-2015-2373)
1004949* - Remote Desktop Protocol Vulnerability (CVE-2012-0002)
1005138* - Remote Desktop Protocol Vulnerability (CVE-2012-2526)


Shellcode
1005428* - Identified Suspicious Shellcode Over Network Traffic
1001183* - Identified Suspicious Usage Of Shellcode
1001202* - Identified Suspicious Usage Of Shellcode Encoders
1002359* - Identified Suspicious Usage Of Shellcode In Network Traffic


Suspicious Client Application Activity
1007113* - HTRANS Response Detected
1005067* - Identified Potentially Harmful Client Traffic
1005283* - Identified Potentially Malicious RAT Traffic - I (ATT&CK T1571)
1005299* - Identified Potentially Malicious RAT Traffic - III (ATT&CK T1571, T1219)
1005300* - Identified Potentially Malicious RAT Traffic - IV (ATT&CK T1571)
1005473* - Identified Potentially Malicious RAT Traffic - V (ATT&CK T1571)
1006247* - Identified Potentially Malicious RAT Traffic - VI (ATT&CK T1571)
1005401* - Identified Suspicious HTTP Traffic (ATT&CK T1071.001)
1007181* - TMTR-0001: PRORAT HTTP Request
1007182* - TMTR-0003: PRORAT HTTP Request
1005294* - TMTR-0004: GHOST RAT HTTP Request
1007184* - TMTR-0006: BUTERAT HTTP Request


Suspicious Server Application Activity
1001164* - Detected Terminal Services (RDP) Server Traffic
1005090* - Identified Potentially Harmful Server Traffic


TFTP Client
1003527* - Allow TFTP Client Traffic


Telnet Client
1003687* - Telnet Credential Reflection Vulnerability


Web Application PHP Based
1012281* - LibreNMS Stored Cross-Site Scripting Vulnerability (CVE-2024-49754)


Web Client Common
1005924* - Restrict Download Of EICAR Test File Over HTTP


Web Server Miscellaneous
1012248* - Jenkins 'Simple Queue' Plugin Stored Cross-Site Scripting Vulnerability (CVE-2024-54003)


Web Server Nagios
1012385 - Nagios XI Arbitrary File Write Vulnerability


Windows Services RPC Server DCERPC
1007054* - Remote Schedule Task 'Create' Through SMBv2 Protocol Detected (ATT&CK T1053.005)
1007053* - Remote Schedule Task 'Delete' Through SMBv2 Protocol Detected (ATT&CK T1053.005)
1007017* - Remote Schedule Task 'Run' Through SMBv2 Protocol Detected (ATT&CK T1053.005)


Integrity Monitoring Rules:

There are no new or updated Integrity Monitoring Rules in this Security Update.


Log Inspection Rules:

There are no new or updated Log Inspection Rules in this Security Update.