Release notes for update package 1846-5242

This update package improves the detection capabilities of the Forcepoint NGFW system.

RELEASE DATE:    Monday March 10, 2025
MD5 CHECKSUM:    017cab7497524c680a72bc153a80fc9a
SHA1 CHECKSUM:    263bf9e5c6ce700b7c8f3354b4b0fcfd75ebff68
SHA256 CHECKSUM:    3e9c04f6a6f486e82f02e353744032d66115ac1ec1ab02f937d2188de799e222


UPDATE CRITICALITY:    HIGH

MINIMUM SOFTWARE VERSIONS
- Forcepoint NGFW Security Management Center:    6.10.1.11125
- Forcepoint NGFW:    6.8.1.24103

List of detected attacks in this update package:

Risk level     Description     Reference     Vulnerability
High     An attempt to exploit a vulnerability in Exim detected     CVE-2025-26794     Exim-Etrn-SQL-Injection-CVE-2025-26794
High     An attempt to exploit a vulnerability in D-Tale detected     CVE-2025-0655     D-Tale-RCE
High     An attempt to exploit a vulnerability in HPE Insight Remote Support detected     CVE-2024-53675     HPE-Insight-Remote-Support-XML-External-Entity-Injection-CVE-2024-53675
High     An attempt to exploit a vulnerability in Microsoft Sharepoint Server detected     CVE-2024-38227     Microsoft-SharePoint-Server-ExecuteBdcMethod-Unsafe-Reflection-CVE-2024-38227
High     An attempt to exploit a vulnerability in Zimbra Collaboration detected     CVE-2023-34192     Zimbra-Collaboration-Cross-Site-Scripting-CVE-2023-34192
High     An attempt to exploit a vulnerability in Cisco RV Series routers detected     CVE-2023-20118     Cisco-RV-Series-Router-Command-Execution-CVE-2023-20118
High     A suspicious PNG image containing PHP payloads detected     No CVE/CAN     PHP-Payloads-Injected-In-PNG-Image
High     Zloader malware activity detected     No CVE/CAN     Zloader-Malware-C2-Traffic
High     Zloader malware activity detected     No CVE/CAN     Zloader-Malware-C2-Traffic
Low     A failed Logsign Unified SecOps authentication attempt detected     CVE-2025-1044     Logsign-Unified-Secops-Authentication-Failure

DETECTED ATTACKS

New detected attacks:

HTTP Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Microsoft-SharePoint-Server-ExecuteBdcMethod-Unsafe-Reflection-CVE-2024-38227     CVE-2024-38227     HTTP_CS-Microsoft-SharePoint-Server-ExecuteBdcMethod-Unsafe-Reflection-CVE-2024-38227     Potential Compromise

DNS UDP Client Message

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Zloader-Malware-C2-Traffic     No CVE/CAN     DNS-UDP_Zloader-Malware-DNS-Tunneling     Suspected Botnet

HTTP Request URI

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     D-Tale-RCE     CVE-2025-0655     HTTP_CSU-D-Tale-RCE     Suspected Compromise
High     Cisco-RV-Series-Router-Command-Execution-CVE-2023-20118     CVE-2023-20118     HTTP_CSU-Cisco-RV-Series-Router-Command-Execution-CVE-2023-20118     Suspected Compromise

SMTP Client Command Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Exim-Etrn-SQL-Injection-CVE-2025-26794     CVE-2025-26794     SMTP_Exim-Etrn-SQL-Injection-CVE-2025-26794     Suspected Compromise

HTTP Request Header Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Zloader-Malware-C2-Traffic     No CVE/CAN     HTTP_CSH-Zloader-Malware-C2-Traffic     Suspected Botnet

HTTP Normalized Request-Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     Zimbra-Collaboration-Cross-Site-Scripting-CVE-2023-34192     CVE-2023-34192     HTTP_CRL-Zimbra-Collaboration-Cross-Site-Scripting-CVE-2023-34192     Suspected Compromise

Text File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
Low     Logsign-Unified-Secops-Authentication-Failure     CVE-2025-1044     File-Text_Logsign-Unified-Secops-Authentication-Failure     Protocol Information

PNG File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     PHP-Payloads-Injected-In-PNG-Image     No CVE/CAN     File-PNG_PHP-Payloads-Injected-In-PNG-Image     Potential Compromise

Identified Text File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type
High     HPE-Insight-Remote-Support-XML-External-Entity-Injection-CVE-2024-53675     CVE-2024-53675     File-TextId_HPE-Insight-Remote-Support-XML-External-Entity-Injection-CVE-2024-53675     Suspected Compromise

Updated detected attacks:

HTTP Client Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     Microsoft-Sharepoint-Server-Business-Data-Connectivity-Unsafe-Reflection     CVE-2024-21318     HTTP_CS-Microsoft-Sharepoint-Server-Business-Data-Connectivity-Unsafe-Reflection     Potential Compromise     Detection mechanism updated
High     Ivanti-Connect-Secure-Remote-Code-Execution-CVE-2025-0282     CVE-2025-0282     HTTP_CS-Ivanti-Connect-Secure-Remote-Code-Execution-CVE-2025-0282     Suspected Compromise     Fingerprint regexp changed

HTTP Request URI

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     HP-Intelligent-Management-Center-Reporting-Information-Disclosure     No CVE/CAN     HTTP_CSU-Path-Traversal-Sequence-In-File-Name     Suspected Compromise     Description has changed; Category tag group CVE2024 added
High     Pentaho-Business-Server-Auth-Bypass-And-Server-Side-Template-Injection-RCE     CVE-2022-43939     HTTP_CSU-Pentaho-Business-Server-Auth-Bypass-And-Server-Side-Template-Injection-RCE     Suspected Compromise     Description has changed; Fingerprint regexp changed
High     Apache-Solr-Fake-URL-Authentication-Bypass     CVE-2024-45216     HTTP_CSU-Apache-Solr-Fake-URL-Authentication-Bypass     Suspected Compromise     Fingerprint regexp changed
High     SimpleHelp-Unauthenticated-Path-Traversal-CVE-2024-57727     CVE-2024-57727     HTTP_CSU-SimpleHelp-Unauthenticated-Path-Traversal-CVE-2024-57727     Suspected Compromise     Fingerprint regexp changed

HTTP Request Header Line

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     Badbox-Botnet-C2-Traffic     No CVE/CAN     HTTP_CSH-Badbox-Botnet-C2-Traffic     Suspected Botnet     Comment has changed

Text File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     Information-Stealer-Using-Fake-Captcha     No CVE/CAN     File-Text_Information-Stealer-Using-Fake-Browser-Dialogs     Potential Compromise     Name: File-Text_Information-Stealer-Using-Fake-Captcha -> File-Text_Information-Stealer-Using-Fake-Browser-Dialogs; Comment has changed; Fingerprint regexp changed

Other Binary File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     Gnu-GIMP-Psp-Image-Channel-Block-Parsing-Off-By-One-Buffer-Overflow     CVE-2023-44444     File-Binary_Gnu-GIMP-Psp-Image-Channel-Block-Parsing-Off-By-One-Buffer-Overflow     Potential Compromise     Detection mechanism updated

PNG File Stream

Risk     Vulnerability/Situation     References     Related Fingerprint     Situation Type     Change Description
High     SugarCRM-EmailTemplates-Validation-Vulnerability-CVE-2023-22952     CVE-2023-22952     File-PNG_SugarCRM-EmailTemplates-Validation-Vulnerability-CVE-2023-22952     Suspected Compromise     Fingerprint regexp changed
High     Libpng-PNG-Decompress-Chunk-Integer-Overflow     CVE-2011-3026     File-PNG_Libpng-PNG-Decompress-Chunk-Integer-Overflow     Potential Compromise     Fingerprint regexp changed

LIST OF OTHER CHANGES:

New objects:

Type     Name
Category     Zloader
Category     D-Tale
Category     Logsign Unified SecOps
Situation     Analyzer_Logsign-Unified-Secops-CVE-2025-1044-Authentication-Bypass

Updated objects:

Type     Name     Changes
IPList     TOR exit nodes IP Address List
IPList     Amazon AMAZON
IPList     Microsoft Azure datacenter for australiaeast
IPList     Microsoft Azure datacenter for australiasoutheast
IPList     Microsoft Azure datacenter for brazilsouth
IPList     Microsoft Azure datacenter for canadacentral
IPList     TOR relay nodes IP Address List
IPList     Microsoft Azure datacenter for canadaeast
IPList     Microsoft Azure datacenter for centralindia
IPList     Microsoft Azure datacenter for centraluseuap
IPList     Microsoft Azure datacenter for centralus
IPList     Microsoft Azure datacenter for eastasia
IPList     Microsoft Azure datacenter for eastus2euap
IPList     Microsoft Azure datacenter for eastus2
IPList     Microsoft Azure datacenter for eastus
IPList     Microsoft Azure datacenter for centralfrance
IPList     Microsoft Azure datacenter for southfrance
IPList     Microsoft Azure datacenter for japaneast
IPList     Microsoft Azure datacenter for japanwest
IPList     Microsoft Azure datacenter for koreacentral
IPList     Microsoft Azure datacenter for koreasouth
IPList     Microsoft Azure datacenter for northcentralus
IPList     Microsoft Azure datacenter for northeurope
IPList     Microsoft Azure datacenter for southcentralus
IPList     Microsoft Azure datacenter for southindia
IPList     Microsoft Azure datacenter for southeastasia
IPList     Microsoft Azure datacenter for uksouth
IPList     Microsoft Azure datacenter for ukwest
IPList     Microsoft Azure datacenter for westcentralus
IPList     Microsoft Azure datacenter for westeurope
IPList     Microsoft Azure datacenter for westindia
IPList     Microsoft Azure datacenter for westus2
IPList     Microsoft Azure datacenter for westus
IPList     Microsoft Azure datacenter
IPList     Amazon AMAZON ap-east-1
IPList     Botnet IP Address List
IPList     Malicious Site IP Address List
IPList     Microsoft Azure datacenter for malaysiasouth
IPList     Microsoft Azure service for MicrosoftDefenderForEndpoint
IPList     Microsoft Azure datacenter for indonesiacentral     Resurrected
IPList     NordVPN Servers IP Address List
IPList     Forcepoint Drop IP Address List
IPList     Microsoft Azure service for SerialConsole
IPList     Microsoft Azure datacenter for australiacentral
IPList     Microsoft Azure datacenter for australiacentral2
IPList     Microsoft Azure datacenter for brazilse
IPList     Microsoft Azure datacenter for germanyn
IPList     Microsoft Azure datacenter for germanywc
IPList     Microsoft Azure datacenter for norwaye
IPList     Microsoft Azure datacenter for norwayw
IPList     Microsoft Azure datacenter for southafricanorth
IPList     Microsoft Azure datacenter for southafricawest
IPList     Microsoft Azure datacenter for switzerlandn
IPList     Microsoft Azure datacenter for switzerlandw
IPList     Microsoft Azure datacenter for uaecentral
IPList     Microsoft Azure datacenter for uaenorth
IPList     Microsoft Azure service for AzureActiveDirectory_ServiceEndpoint
IPList     Microsoft Azure service for AzureAdvancedThreatProtection
IPList     Microsoft Azure service for AzureCloud
IPList     Microsoft Azure service for AzureCognitiveSearch
IPList     Microsoft Azure service for AzureDatabricks
IPList     Microsoft Azure service for AzureKeyVault
IPList     Microsoft Azure service for AzureMonitor
IPList     Microsoft Azure service for ServiceFabric
IPList     Microsoft Azure service for Storage
IPList     Microsoft Azure service for WindowsVirtualDesktop
IPList     Microsoft Azure datacenter for usstagee
IPList     Microsoft Azure datacenter for jioindiacentral
IPList     Microsoft Azure datacenter for jioindiawest
IPList     Microsoft Azure datacenter for swedencentral
IPList     Microsoft Azure datacenter for swedensouth
IPList     Microsoft Azure datacenter for westus3
IPList     Microsoft Azure datacenter for usstagec
IPList     Microsoft Azure service for SCCservice
IPList     Microsoft Azure datacenter for qatarcentral
IPList     Microsoft Azure service for AzureSecurityCenter
IPList     Microsoft Azure datacenter for israelcentral
IPList     Microsoft Azure datacenter for italynorth
IPList     Microsoft Azure datacenter for mexicocentral
IPList     Microsoft Azure datacenter for newzealandnorth
IPList     Microsoft Azure datacenter for spaincentral
IPList     Microsoft Azure datacenter for taiwannorth
IPList     Microsoft Azure datacenter for taiwannorthwest
IPList     Microsoft Azure service for AzureSentinel
Situation     HTTP_CSU-Shared-Variables
Situation     HTTP_CSH-Shared-Variables
Situation     File-Text_Internet-Shortcut-File-Transfer
Situation     File-PNG_Shared-Variables
Situation     File-TextId_Internet-Shortcut-File-Transfer
Application     TOR
Application     NordVPN

HOW TO IMPORT AND ACTIVATE THE DYNAMIC UPDATE PACKAGE

  1. Download the dynamic update package, then make sure that the checksums for the original files and the files that you have downloaded match.
  2. In the Management Client, select Menu > File > Import > Import Update Packages.
  3. Browse to the file, select it, then click Import.
  4. Select Configuration, then browse to Administration > Other Elements > Updates.
  5. Right-click the imported dynamic update package, then select Activate.
  6. When the activation is finished, refresh the policy on all NGFW Engines. If your policy uses a custom template, you might need to edit the policy.
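A shell script for the checksum comparison in step 1, added here as an example (it is not Forcepoint's own tooling): it hashes the downloaded package with MD5, SHA1 and SHA256, compares each digest with the values published at the top of these release notes, and reports every mismatch rather than stopping at the first; the package file path is a placeholder, and the helper names are the example's own.

```shell
#!/bin/sh
# Checksums published at the top of these release notes for update package 1846-5242.
EXPECTED_MD5=017cab7497524c680a72bc153a80fc9a
EXPECTED_SHA1=263bf9e5c6ce700b7c8f3354b4b0fcfd75ebff68
EXPECTED_SHA256=3e9c04f6a6f486e82f02e353744032d66115ac1ec1ab02f937d2188de799e222

# hash_file ALGO FILE: print the lowercase hex digest, using GNU coreutils
# (md5sum/sha1sum/sha256sum) when present, otherwise the BSD/macOS tools.
hash_file() {
  case "$1" in md5|sha1|sha256) ;; *) echo "unsupported algorithm: $1" >&2; return 2 ;; esac
  case "$1" in
    md5)    if command -v md5sum >/dev/null 2>&1; then md5sum "$2"; else md5 -q "$2"; fi ;;
    sha1)   if command -v sha1sum >/dev/null 2>&1; then sha1sum "$2"; else shasum -a 1 "$2"; fi ;;
    sha256) if command -v sha256sum >/dev/null 2>&1; then sha256sum "$2"; else shasum -a 256 "$2"; fi ;;
  esac | awk 'NR == 1 { print tolower($1) }'
}

# verify_package FILE [MD5 SHA1 SHA256]: compare FILE against all three digests
# (defaulting to the published values) and return 0 only if every one matches.
# All three are checked so every mismatching algorithm is reported, not just the first.
verify_package() {
  file=$1
  want_md5=${2:-$EXPECTED_MD5}
  want_sha1=${3:-$EXPECTED_SHA1}
  want_sha256=${4:-$EXPECTED_SHA256}
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
  status=0
  for pair in "md5 $want_md5" "sha1 $want_sha1" "sha256 $want_sha256"; do
    set -- $pair                         # $1 = algorithm, $2 = expected digest
    got=$(hash_file "$1" "$file")
    if [ "$got" = "$2" ]; then
      echo "$1: OK"
    else
      echo "$1: MISMATCH (expected $2, got $got)" >&2
      status=1
    fi
  done
  return $status
}

# Usage: sh verify_update.sh /path/to/downloaded-update-package   (placeholder path)
if [ $# -ge 1 ]; then
  verify_package "$1"
fi
```

Only import the package when all three lines report OK; a single mismatch means the download is not the file these notes describe.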

DISCLAIMER AND COPYRIGHT

Copyright © 2025 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.