Release notes for update package 1857-5242

This update package improves the detection capabilities of the Forcepoint NGFW system.

RELEASE DATE:    Friday March 28, 2025
MD5 CHECKSUM:    bafdd306547750e6fb7e2e3f9a2b5473
SHA1 CHECKSUM:    6c6fd3d732d1f6da354f9ca4d49b4633ddd97783
SHA256 CHECKSUM:    aaabca7977b84c69cfce3f87020ba772c2827c0b23fac6c69dbb28cf0cc0d2d1

UPDATE CRITICALITY:    HIGH

MINIMUM SOFTWARE VERSIONS
- Forcepoint NGFW Security Management Center:    6.10.1.11125
- Forcepoint NGFW:    6.8.1.24103

List of detected attacks in this update package:

Risk level | Description | Reference | Vulnerability
High | An attempt to exploit a vulnerability in Sitecore Experience Manager detected | CVE-2025-27218 | Sitecore-Multiple-Products-ThumbnailsAccessToken-Insecure-Deserialization
High | An attempt to exploit a vulnerability in Advantive VeraCore detected | CVE-2025-25181 | Advantive-VeraCore-PmSess1-SQL-Injection-CVE-2025-25181
High | An attempt to exploit a vulnerability in Ivanti Avalanche detected | CVE-2024-47008 | Ivanti-Avalanche-Validateamcwsconnection-Server-Side-Request-Forgery
High | An attempt to exploit a vulnerability in Apple Computer macOS Sonoma detected | CVE-2024-44176 | Apple-MacOS-ImageIO-Jp2-File-Parsing-Heap-Buffer-Overflow-CVE-2024-44176
High | An attempt to exploit a vulnerability in Apple Computer macOS Sonoma detected | CVE-2024-40777 | Apple-MacOS-ImageIO-Psd-File-Parsing-Heap-Buffer-Overflow-CVE-2024-40777
High | An attempt to exploit a vulnerability in Eramba detected | CVE-2023-36255 | Eramba-Authenticated-Remote-Code-Execution-Module-CVE-2023-36255
High | An attempt to exploit a vulnerability in SAP NetWeaver detected | CVE-2017-12637 | SAP-Netweaver-Application-Server-Directory-Traversal-CVE-2017-12637
High | A transfer of a Windows Script File (WSF) detected | No CVE/CAN | Windows-Script-File-Transfer
High | A transfer of a VBScript file detected | No CVE/CAN | VBScript-File-Transfer
High | A transfer of an archive containing a Windows Script File (WSF) detected | No CVE/CAN | Windows-Script-File-Transfer
High | A transfer of an archive containing a VBScript file detected | No CVE/CAN | VBScript-File-Transfer


DETECTED ATTACKS

New detected attacks:

File Name

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | VBScript-File-Transfer | No CVE/CAN | File-Name_VBScript-File-Transfer | Potential Botnet
High | Windows-Script-File-Transfer | No CVE/CAN | File-Name_Windows-Script-File-Transfer | Potential Botnet

HTTP Request URI

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | SAP-Netweaver-Application-Server-Directory-Traversal-CVE-2017-12637 | CVE-2017-12637 | HTTP_CSU-SAP-Netweaver-Application-Server-Directory-Traversal-CVE-2017-12637 | Suspected Compromise
High | Eramba-Authenticated-Remote-Code-Execution-Module-CVE-2023-36255 | CVE-2023-36255 | HTTP_CSU-Eramba-Authenticated-Remote-Code-Execution-Module-CVE-2023-36255 | Suspected Compromise

HTTP Request Header Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Sitecore-Multiple-Products-ThumbnailsAccessToken-Insecure-Deserialization | CVE-2025-27218 | HTTP_CSH-Sitecore-Multiple-Products-ThumbnailsAccessToken-Insecure-Deserialization-CVE-2025-27218 | Potential Compromise

HTTP Normalized Request-Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Advantive-VeraCore-PmSess1-SQL-Injection-CVE-2025-25181 | CVE-2025-25181 | HTTP_CRL-Advantive-VeraCore-PmSess1-SQL-Injection-CVE-2025-25181 | Suspected Compromise

Other Binary File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Apple-MacOS-ImageIO-Psd-File-Parsing-Heap-Buffer-Overflow-CVE-2024-40777 | CVE-2024-40777 | File-Binary_Apple-Mac OS X-ImageIO-Psd-File-Parsing-Heap-Buffer-Overflow-CVE-2024-40777 | Suspected Compromise

JPEG File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Apple-MacOS-ImageIO-Jp2-File-Parsing-Heap-Buffer-Overflow-CVE-2024-44176 | CVE-2024-44176 | File-JPEG_Apple-MacOS-ImageIO-Jp2-File-Parsing-Heap-Buffer-Overflow-CVE-2024-44176 | Suspected Compromise

Archive type identification from member names

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | VBScript-File-Transfer | No CVE/CAN | File-Member-Name_VBScript-File-Transfer | Potential Botnet
High | Windows-Script-File-Transfer | No CVE/CAN | File-Member-Name_Windows-Script-File-Transfer | Potential Botnet

ARCserve Backup Client Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type
High | Ivanti-Avalanche-Validateamcwsconnection-Server-Side-Request-Forgery | CVE-2024-47008 | ARCserve_CS-Ivanti-Avalanche-Validateamcwsconnection-CVE-2024-47008-Server-Side-Request-Forgery | Suspected Compromise

Updated detected attacks:

HTTP Client Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Microsoft-SharePoint-Server-ExecuteBdcMethod-Unsafe-Reflection-CVE-2024-38227 | CVE-2024-38227 | HTTP_CS-Microsoft-SharePoint-Server-ExecuteBdcMethod-Unsafe-Reflection-CVE-2024-38227 | Potential Compromise | Detection mechanism updated

TCP Client Stream Unknown

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Zabbix-Server-Active-Proxy-Trapper-Command-Injection | CVE-2017-2824 | Generic_CS-Zabbix-Server-Active-Proxy-Trapper-Command-Injection | Suspected Compromise | Description has changed; Category tag group CVE2020 added; Fingerprint regexp changed

HTTP Normalized Request-Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Ivanti-Avalanche-Validateamcwsconnection-Server-Side-Request-Forgery | CVE-2024-47008 | HTTP_CRL-Ivanti-Avalanche-Validateamcwsconnection-CVE-2024-47008-Server-Side-Request-Forgery | Suspected Compromise | Fingerprint regexp changed

Text File Stream

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Ingress-Nginx-Controller-Kubernetes-Annotation-Injection-CVE-2025-1097 | CVE-2025-1097 | File-Text_Ingress-Nginx-Controller-Kubernetes-Annotation-Injection | Suspected Compromise | Description has changed; Fingerprint regexp changed

LIST OF OTHER CHANGES:

New objects:

Type | Name
Category | Eramba
Category | Advantive VeraCore
IPList | Amazon ROUTE53_HEALTHCHECKS eusc-de-east-1
Trusted Update Certificate | 216

Updated objects:

Type | Name | Changes
IPList | Rwanda
IPList | Iraq
IPList | Saudi Arabia
IPList | Iran
IPList | Cyprus
IPList | Tanzania
IPList | Armenia
IPList | Kenya
IPList | DR Congo
IPList | Uganda
IPList | Seychelles
IPList | Jordan
IPList | Lebanon
IPList | Oman
IPList | Qatar
IPList | Bahrain
IPList | United Arab Emirates
IPList | Israel
IPList | Türkiye
IPList | Egypt
IPList | Greece
IPList | Burundi
IPList | Estonia
IPList | Latvia
IPList | Azerbaijan
IPList | Lithuania
IPList | Georgia
IPList | Moldova
IPList | Belarus
IPList | Finland
IPList | Ukraine
IPList | North Macedonia
IPList | Hungary
IPList | Bulgaria
IPList | Albania
IPList | Poland
IPList | Romania
IPList | Kosovo
IPList | Zimbabwe
IPList | Zambia
IPList | Comoros
IPList | Botswana
IPList | Mauritius
IPList | Réunion
IPList | South Africa
IPList | Mozambique
IPList | Pakistan
IPList | Bangladesh
IPList | Turkmenistan
IPList | Tajikistan
IPList | Sri Lanka
IPList | Bhutan
IPList | India
IPList | Maldives
IPList | British Indian Ocean Territory
IPList | Nepal
IPList | Myanmar
IPList | Uzbekistan
IPList | Kazakhstan
IPList | Kyrgyzstan
IPList | Cocos (Keeling) Islands
IPList | Palau
IPList | Vietnam
IPList | Thailand
IPList | Indonesia
IPList | Laos
IPList | Taiwan
IPList | Philippines
IPList | Malaysia
IPList | China
IPList | Hong Kong
IPList | Brunei
IPList | Macao
IPList | Cambodia
IPList | South Korea
IPList | Japan
IPList | Singapore
IPList | Cook Islands
IPList | Timor-Leste
IPList | Russia
IPList | Mongolia
IPList | Australia
IPList | Christmas Island
IPList | Marshall Islands
IPList | Federated States of Micronesia
IPList | Papua New Guinea
IPList | Solomon Islands
IPList | Vanuatu
IPList | New Caledonia
IPList | Norfolk Island
IPList | New Zealand
IPList | Fiji
IPList | Cameroon
IPList | Congo Republic
IPList | Portugal
IPList | Ivory Coast
IPList | Nigeria
IPList | Burkina Faso
IPList | Benin
IPList | Chad
IPList | Spain
IPList | Morocco
IPList | Algeria
IPList | Denmark
IPList | Iceland
IPList | United Kingdom
IPList | Switzerland
IPList | Sweden
IPList | The Netherlands
IPList | Austria
IPList | Belgium
IPList | Germany
IPList | Luxembourg
IPList | Ireland
IPList | France
IPList | Andorra
IPList | Liechtenstein
IPList | Jersey
IPList | Isle of Man
IPList | Guernsey
IPList | Slovakia
IPList | Czechia
IPList | Norway
IPList | Vatican City
IPList | San Marino
IPList | Italy
IPList | Slovenia
IPList | Montenegro
IPList | Croatia
IPList | Bosnia and Herzegovina
IPList | Angola
IPList | Bouvet Island
IPList | Barbados
IPList | Cabo Verde
IPList | French Guiana
IPList | Brazil
IPList | Falkland Islands
IPList | Dominican Republic
IPList | Martinique
IPList | Bahamas
IPList | Anguilla
IPList | St Kitts and Nevis
IPList | Dominica
IPList | Antigua and Barbuda
IPList | Saint Lucia
IPList | British Virgin Islands
IPList | Guadeloupe
IPList | Cayman Islands
IPList | Belize
IPList | Guatemala
IPList | Honduras
IPList | Costa Rica
IPList | Venezuela
IPList | Ecuador
IPList | Colombia
IPList | Panama
IPList | Argentina
IPList | Chile
IPList | Bolivia
IPList | Peru
IPList | Mexico
IPList | French Polynesia
IPList | Kiribati
IPList | Tonga
IPList | Wallis and Futuna
IPList | Samoa
IPList | Niue
IPList | Northern Mariana Islands
IPList | Guam
IPList | Puerto Rico
IPList | American Samoa
IPList | Canada
IPList | United States
IPList | Serbia
IPList | Antarctica
IPList | Bonaire, Sint Eustatius, and Saba
IPList | TOR exit nodes IP Address List
IPList | Amazon AMAZON
IPList | Amazon ROUTE53_HEALTHCHECKS
IPList | Amazon S3
IPList | Amazon EC2
IPList | Akamai Servers
IPList | Microsoft Azure datacenter for australiaeast
IPList | TOR relay nodes IP Address List
IPList | Microsoft Azure datacenter for centralindia
IPList | Microsoft Azure datacenter for centraluseuap
IPList | Microsoft Azure datacenter for centralus
IPList | Microsoft Azure datacenter for eastasia
IPList | Microsoft Azure datacenter for eastus2euap
IPList | Microsoft Azure datacenter for eastus2
IPList | Microsoft Azure datacenter for eastus
IPList | Microsoft Azure datacenter for westus2
IPList | Microsoft Azure datacenter for westus
IPList | Microsoft Azure datacenter
IPList | Botnet IP Address List
IPList | Malicious Site IP Address List
IPList | NordVPN Servers IP Address List
IPList | Amazon AMAZON eu-central-1
IPList | Amazon S3 eu-central-1
IPList | Amazon EC2 eu-central-1
IPList | Amazon AMAZON eusc-de-east-1
IPList | Amazon EC2 eusc-de-east-1
IPList | Forcepoint Drop IP Address List
IPList | Microsoft Azure datacenter for uaenorth
IPList | Microsoft Azure service for AzureCloud
IPList | Microsoft Azure service for AzureConnectors
IPList | Amazon AMAZON ap-east-2
IPList | Microsoft Azure service for AzureMonitor
IPList | Microsoft Azure service for AzureTrafficManager
IPList | Microsoft Azure datacenter for usstagee
IPList | Microsoft Azure datacenter for westus3
IPList | Microsoft Azure datacenter for qatarcentral
IPList | Microsoft Azure datacenter for italynorth
IPList | Amazon EC2 me-west-1
IPList | Amazon AMAZON me-west-1
IPList | Amazon S3 me-west-1
Situation | HTTPS_CS-Shared-Variables-For-Client-Stream-Context
Situation | HTTPS_SS-Shared-Variables-For-Server-Stream-Context
Situation | LDAP_CS-OpenLDAP-Nested-Filter-Stack-Overflow | Fingerprint regexp changed
Situation | HTTP_PSH-Shared-Variables | Fingerprint regexp changed
Situation | File-Member-Name_Shared-Variables | Fingerprint regexp changed
Situation | File-Name_Shared-Variables
Application | Akamai-Infrastructure
Application | TOR
Application | Manoto
Application | Telegram | Category tag application_group Application Routing added; Application detection context content changed
Application | NordVPN

HOW TO IMPORT AND ACTIVATE THE DYNAMIC UPDATE PACKAGE

  1. Download the dynamic update package, then make sure that the checksums for the original files and the files that you have downloaded match.
  2. In the Management Client, select Menu > File > Import > Import Update Packages.
  3. Browse to the file, select it, then click Import.
  4. Select Configuration, then browse to Administration > Other Elements > Updates.
  5. Right-click the imported dynamic update package, then select Activate.
  6. When the activation is finished, refresh the policy on all NGFW Engines. If your policy uses a custom template, you might need to edit the policy.
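The checksum comparison in step 1 is the part of this procedure most often skipped. The following POSIX shell script is an added example and is not part of the Forcepoint release notes or of any Forcepoint tool: it computes the MD5, SHA1 and SHA256 digests of the downloaded file and compares each against the values published at the top of this page, refusing to report success unless all three match. It assumes the package was saved under a placeholder name such as ./1857-5242.jar (the real file name is not given here) and that coreutils `md5sum`/`sha1sum`/`sha256sum` are installed, falling back to `md5`/`shasum` on systems that lack them.

```shell
# Added example (not from the Forcepoint release notes): verify a downloaded
# dynamic update package against the checksums published for it before
# importing it in the Management Client.
# Assumptions: coreutils md5sum/sha1sum/sha256sum (or md5/shasum) are present;
# the package file name passed on the command line is a placeholder.

# Checksums published for update package 1857-5242 (copied from the release notes).
EXPECTED_MD5="bafdd306547750e6fb7e2e3f9a2b5473"
EXPECTED_SHA1="6c6fd3d732d1f6da354f9ca4d49b4633ddd97783"
EXPECTED_SHA256="aaabca7977b84c69cfce3f87020ba772c2827c0b23fac6c69dbb28cf0cc0d2d1"

# digest <md5|sha1|sha256> <file>: print only the lowercase hex digest.
digest() {
  case "$1" in
    md5)    if command -v md5sum    >/dev/null 2>&1; then md5sum "$2";    else md5 -q "$2"; fi ;;
    sha1)   if command -v sha1sum   >/dev/null 2>&1; then sha1sum "$2";   else shasum -a 1 "$2"; fi ;;
    sha256) if command -v sha256sum >/dev/null 2>&1; then sha256sum "$2"; else shasum -a 256 "$2"; fi ;;
    *) echo "unknown algorithm: $1" >&2; return 2 ;;
  esac | awk '{print tolower($1)}'
}

# verify_package <file> <md5> <sha1> <sha256>: return 0 only when the file
# exists and every digest matches the expected value; report each mismatch.
verify_package() {
  file=$1; want_md5=$2; want_sha1=$3; want_sha256=$4
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  status=0
  for algo in md5 sha1 sha256; do
    case "$algo" in
      md5)    want=$want_md5 ;;
      sha1)   want=$want_sha1 ;;
      sha256) want=$want_sha256 ;;
    esac
    got=$(digest "$algo" "$file")
    if [ "$got" = "$want" ]; then
      echo "$algo OK"
    else
      echo "$algo MISMATCH: expected $want, got $got" >&2
      status=1
    fi
  done
  return $status
}

# Usage: sh verify_update.sh <downloaded-package>
# The check only runs when a file name is supplied, so sourcing the script
# to reuse the functions does nothing on its own.
if [ "$#" -ge 1 ]; then
  verify_package "$1" "$EXPECTED_MD5" "$EXPECTED_SHA1" "$EXPECTED_SHA256" \
    && echo "All checksums match; proceed with the import."
fi
```

Any mismatch means the download is corrupt or is not the file Forcepoint published, and the package must not be imported. Of the three values, the SHA256 match is the one to rely on: MD5 and SHA1 are no longer collision-resistant, and a package that matches only those two but not SHA256 should be treated as a failed check, which is why the script requires all three.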

DISCLAIMER AND COPYRIGHT

Copyright © 2025 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.