Ruleset Update Summary - 2025/11/25 - v11070

Ruleset Updates
1

Summary:

13 new OPEN, 15 new PRO (13 + 2)

Please be aware that Thursday and Friday (27 November and 28 November, 2025) are Proofpoint company holidays. There will be no rule releases on either of these days. Daily rule releases will recommence on Monday, 01 December, 2025

Added rules:

Open:

  • 2065904 - ET WEB_SPECIFIC_APPS Adobe Commerce & Magento REST API SessionReaper Execution (CVE-2025-54236) (web_specific_apps.rules)
  • 2065905 - ET MALWARE WallStealer Data Exfiltration Attempt over Telegram (malware.rules)
  • 2065906 - ET EXPLOIT_KIT RondoDox BotNet Init Script Inbound (exploit_kit.rules)
  • 2065907 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lentdwn .cyou) (malware.rules)
  • 2065908 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (lentdwn .cyou) in TLS SNI (malware.rules)
  • 2065909 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (senszlz .cfd) (malware.rules)
  • 2065910 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (senszlz .cfd) in TLS SNI (malware.rules)
  • 2065911 - ET EXPLOIT_KIT Mirai Variant Payload Inbound (exploit_kit.rules)
  • 2065912 - ET WEB_SPECIFIC_APPS Opto22 Groov Manage REST API Remote Code Execution (CVE-2025-13087) (web_specific_apps.rules)
  • 2065913 - ET WEB_SPECIFIC_APPS DNN (DotNetNuke) Unrestricted Arbitrary File Upload (CVE-2025-64095) (web_specific_apps.rules)
  • 2065914 - ET WEB_SPECIFIC_APPS N-able N-central Session ID Disclosure (web_specific_apps.rules)
  • 2065915 - ET WEB_SPECIFIC_APPS N-able N-central Authentication Bypass (CVE-2025-9316) (web_specific_apps.rules)
  • 2065916 - ET WEB_SPECIFIC_APPS Shenzhen TVT NVMS-9000 Information Disclosure Attempt (CVE-2024-14007) (web_specific_apps.rules)

Pro:

  • 2865232 - ETPRO MALWARE Sha1-Hulud (The Second Coming) NPM Malware Backdoor Setup (malware.rules)
  • 2865233 - ETPRO MALWARE Sha1-Hulud (The Second Coming) NPM Malware Exfiltration Setup (malware.rules)

Enabled and modified rules:

  • 2864622 - ETPRO MALWARE Observed ClickFix Style URI in HTTP GET (malware.rules)

Modified inactive rules:

  • 2020067 - ET EXPLOIT Possible CVE-2014-6332 Arrays with Offset Dec 23 (exploit.rules)
  • 2020660 - ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204) (exploit.rules)
  • 2021623 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC) (malware.rules)
  • 2021776 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)