Release notes for update package 1838-5242

This update package improves the detection capabilities of the Forcepoint NGFW system.

RELEASE DATE:    Thursday February 20, 2025
MD5 CHECKSUM:    d0ca15c3f5f46f05a665c44c4ee7cf5a
SHA1 CHECKSUM:    841398d1fda186c8fb863c132c22fb711b618a82
SHA256 CHECKSUM:    115891212fc71d0592f0f0cfc7e20c523bbd6d662106e6c208c78ecde4c64ad9


UPDATE CRITICALITY:    HIGH

MINIMUM SOFTWARE VERSIONS
- Forcepoint NGFW Security Management Center:    6.10.1.11125
- Forcepoint NGFW:    6.8.1.24103

List of detected attacks in this update package:

Risk level | Description | Reference | Vulnerability
High | An attempt to exploit a vulnerability in JetBrains TeamCity detected | CVE-2025-24459 | JetBrains-TeamCity-Vault-Connection-Stored-Cross-Site-Scripting
High | An attempt to exploit a vulnerability in PAN-OS detected | CVE-2025-0108 | Palo-Alto-PAN-OS-Authentication-Bypass-CVE-2025-0108
High | An attempt to exploit a vulnerability in SonicWall SSLVPN detected | CVE-2024-53704 | SonicWall-SSLVPN-Session-Hijacking-CVE-2024-53704
High | An attempt to exploit a vulnerability in WordPress Project Tutor LMS Plugin detected | CVE-2024-10400 | Wordpress-Tutor-Lms-Plugin-Get_instructors-SQL-Injection
High | An attempt to exploit a vulnerability in Django detected | CVE-2021-35042 | Django-QuerySet-Order_By-SQL-Injection
High | An attempt to exploit a vulnerability in Rocket Chat detected | CVE-2021-22911 | Rocket-Chat-Pre-Auth-Blind-NoSQL-Injection
High | FinalDraft command-and-control traffic detected | No CVE/CAN | FinalDraft-C2-Activity


DETECTED ATTACKS

New detected attacks:

TCP Server Stream Unknown

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | FinalDraft-C2-Activity | No CVE/CAN | Generic_SS-FinalDraft-C2-Activity | Suspected Botnet

HTTP Request URI

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Palo-Alto-PAN-OS-Authentication-Bypass-CVE-2025-0108 | CVE-2025-0108 | HTTP_CSU-Palo-Alto-PAN-OS-Authentication-Bypass-CVE-2025-0108 | Suspected Compromise
High | FinalDraft-C2-Activity | No CVE/CAN | HTTP_CSU-FinalDraft-C2-Activity | Suspected Botnet

HTTP Normalized Request-Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Wordpress-Tutor-Lms-Plugin-Get_instructors-SQL-Injection | CVE-2024-10400 | HTTP_CRL-Wordpress-Tutor-Lms-Plugin-Get_instructors-SQL-Injection | Suspected Compromise
High | SonicWall-SSLVPN-Session-Hijacking-CVE-2024-53704 | CVE-2024-53704 | HTTP_CRL-SonicWall-SSLVPN-Session-Hijacking-CVE-2024-53704 | Suspected Compromise
High | JetBrains-TeamCity-Vault-Connection-Stored-Cross-Site-Scripting | CVE-2025-24459 | HTTP_CRL-JetBrains-TeamCity-Vault-Connection-Stored-Cross-Site-Scripting | Suspected Compromise
High | Django-QuerySet-Order_By-SQL-Injection | CVE-2021-35042 | HTTP_CRL-Django-QuerySet-Order_By-SQL-Injection | Potential Compromise
High | Rocket-Chat-Pre-Auth-Blind-NoSQL-Injection | CVE-2021-22911 | HTTP_CRL-Rocket-Chat-Pre-Auth-Blind-NoSQL-Injection | Potential Compromise

Updated detected attacks:

HTTP Request URI

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Spring-Security-RegexRequestMatcher-Authorization-Bypass-CVE-2022-22978 | CVE-2022-22978 | HTTP_CSU-Spring-Security-RegexRequestMatcher-Authorization-Bypass-CVE-2022-22978 | Potential Compromise | Fingerprint regexp changed

HTTP Request Header Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | SonicWall-SSLVPN-Session-Hijacking-CVE-2024-53704 | CVE-2024-53704 | HTTP_CSH-SonicWall-SSLVPN-Session-Hijacking-CVE-2024-53704 | Suspected Compromise | Fingerprint regexp changed

HTTP Reply Header Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
Low | Long-Domain-Name-Redirect | No CVE/CAN | HTTP_SHS-Possibly-Malicious-Long-Domain-Name-Redirect | Other Suspicious Traffic | Name: HTTP_SHS-Long-Domain-Name-Redirect -> HTTP_SHS-Possibly-Malicious-Long-Domain-Name-Redirect; Comment has changed; Fingerprint regexp changed

Text File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Microsoft-Internet-Explorer-execCommand-File-Type-Spoofing | No CVE/CAN | File-Text_Microsoft-Internet-Explorer-execCommand-File-Type-Spoofing | Suspected Compromise | Fingerprint regexp changed

WebSocket Client Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Beyondtrust-Command-Injection-CVE-2024-12356 | CVE-2024-12356 | WebSocket_CS-Beyondtrust-Command-Injection-CVE-2024-12356 | Suspected Compromise | Detection mechanism updated

LIST OF OTHER CHANGES:

New objects:

Type | Name
Category | Rocket Chat
Category | FinalDraft
IPList | Amazon ROUTE53_HEALTHCHECKS us-gov-east-1
IPList | Amazon ROUTE53_HEALTHCHECKS us-gov-west-1
Application | N-able Take Control

Updated objects:

Type | Name | Changes
Situation | URL_List-DNS-Over-HTTPS | Detection mechanism updated
IPList | Somalia
IPList | Iraq
IPList | Saudi Arabia
IPList | Iran
IPList | Cyprus
IPList | Armenia
IPList | DR Congo
IPList | Djibouti
IPList | Seychelles
IPList | United Arab Emirates
IPList | Israel
IPList | Türkiye
IPList | Ethiopia
IPList | Eritrea
IPList | Egypt
IPList | Greece
IPList | Burundi
IPList | Estonia
IPList | Latvia
IPList | Azerbaijan
IPList | Lithuania
IPList | Svalbard and Jan Mayen
IPList | Georgia
IPList | Moldova
IPList | Belarus
IPList | Finland
IPList | Ukraine
IPList | North Macedonia
IPList | Hungary
IPList | Bulgaria
IPList | Albania
IPList | Poland
IPList | Romania
IPList | Zimbabwe
IPList | Comoros
IPList | Botswana
IPList | Mauritius
IPList | Eswatini
IPList | South Africa
IPList | Mayotte
IPList | Afghanistan
IPList | Pakistan
IPList | Bangladesh
IPList | Turkmenistan
IPList | Sri Lanka
IPList | Bhutan
IPList | India
IPList | Maldives
IPList | Myanmar
IPList | Uzbekistan
IPList | Kazakhstan
IPList | Kyrgyzstan
IPList | Cocos (Keeling) Islands
IPList | Palau
IPList | Vietnam
IPList | Thailand
IPList | Indonesia
IPList | Taiwan
IPList | Philippines
IPList | Malaysia
IPList | China
IPList | Hong Kong
IPList | Brunei
IPList | Macao
IPList | Cambodia
IPList | South Korea
IPList | Japan
IPList | North Korea
IPList | Singapore
IPList | Timor-Leste
IPList | Russia
IPList | Mongolia
IPList | Australia
IPList | Christmas Island
IPList | Vanuatu
IPList | Fiji
IPList | Cameroon
IPList | Portugal
IPList | Ghana
IPList | Equatorial Guinea
IPList | Nigeria
IPList | Togo
IPList | Benin
IPList | Gabon
IPList | Gibraltar
IPList | Gambia
IPList | Spain
IPList | Morocco
IPList | Algeria
IPList | Denmark
IPList | Iceland
IPList | United Kingdom
IPList | Switzerland
IPList | Sweden
IPList | The Netherlands
IPList | Austria
IPList | Belgium
IPList | Germany
IPList | Luxembourg
IPList | Ireland
IPList | Monaco
IPList | France
IPList | Slovakia
IPList | Czechia
IPList | Norway
IPList | Italy
IPList | Slovenia
IPList | Montenegro
IPList | Croatia
IPList | Angola
IPList | Namibia
IPList | Bouvet Island
IPList | Barbados
IPList | Cabo Verde
IPList | Paraguay
IPList | Uruguay
IPList | Brazil
IPList | Dominican Republic
IPList | Cuba
IPList | Bermuda
IPList | Anguilla
IPList | Trinidad and Tobago
IPList | St Kitts and Nevis
IPList | Antigua and Barbuda
IPList | St Vincent and Grenadines
IPList | Saint Martin
IPList | Saint Barthélemy
IPList | Guadeloupe
IPList | Cayman Islands
IPList | Belize
IPList | El Salvador
IPList | Honduras
IPList | Nicaragua
IPList | Costa Rica
IPList | Venezuela
IPList | Ecuador
IPList | Colombia
IPList | Panama
IPList | Haiti
IPList | Argentina
IPList | Chile
IPList | Bolivia
IPList | Peru
IPList | Mexico
IPList | French Polynesia
IPList | Wallis and Futuna
IPList | Northern Mariana Islands
IPList | Guam
IPList | Puerto Rico
IPList | U.S. Virgin Islands
IPList | Canada
IPList | United States
IPList | Palestine
IPList | Serbia
IPList | Antarctica
IPList | Bonaire, Sint Eustatius, and Saba
IPList | TOR exit nodes IP Address List
IPList | Amazon AMAZON
IPList | Amazon ROUTE53_HEALTHCHECKS
IPList | Amazon EC2
IPList | Akamai Servers
IPList | TOR relay nodes IP Address List
IPList | Malicious Site IP Address List
IPList | NordVPN Servers IP Address List
IPList | Google Cloud IP Address List for europe-west12
IPList | Amazon AMAZON eu-central-1
IPList | Amazon EC2 eu-central-1
IPList | Forcepoint Drop IP Address List
IPList | Google Cloud IP Address List for europe-west1
IPList | Google Cloud IP Address List for us-west3
Situation | HTTP_CSU-Shared-Variables
Situation | Generic_CS-Shared-Variable-Fingerprints | Fingerprint regexp changed
Application | Akamai-Infrastructure
Application | TOR
Application | Manoto
Application | DNS-Over-HTTPS
Application | NordVPN

HOW TO IMPORT AND ACTIVATE THE DYNAMIC UPDATE PACKAGE

  1. Download the dynamic update package, then make sure that the checksums for the original files and the files that you have downloaded match.
  2. In the Management Client, select Menu > File > Import > Import Update Packages.
  3. Browse to the file, select it, then click Import.
  4. Select Configuration, then browse to Administration > Other Elements > Updates.
  5. Right-click the imported dynamic update package, then select Activate.
  6. When the activation is finished, refresh the policy on all NGFW Engines. If your policy uses a custom template, you might need to edit the policy.

DISCLAIMER AND COPYRIGHT

Copyright © 2025 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.