From 624d998601e708f004a7359c86cce4aa7e677d08 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 24 Jun 2026 16:02:06 +0200 Subject: [PATCH 1/4] Add vpatch-CVE-2026-0257 rule --- .../crowdsecurity/vpatch-CVE-2026-0257.yaml | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2026-0257.yaml diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2026-0257.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2026-0257.yaml new file mode 100644 index 00000000000..bf30a24e9b9 --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2026-0257.yaml @@ -0,0 +1,32 @@ +## autogenerated on 2026-06-24 14:02:03 +name: crowdsecurity/vpatch-CVE-2026-0257 +description: 'Detects authentication bypass attempts against Palo Alto Networks PAN-OS GlobalProtect portal and gateway.' +rules: + - and: + - zones: + - URI + transform: + - lowercase + match: + type: contains + value: /global-protect/login.esp + - and: + - zones: + - URI + transform: + - lowercase + match: + type: contains + value: /sslmgr + +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'PAN-OS GlobalProtect - Authentication Bypass' + classification: + - cve.CVE-2026-0257 + - attack.T1190 + - cwe.CWE-565 From 32f95dd9ce59c649f73cf5ae5f4b5aabd15faa8d Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 24 Jun 2026 16:02:08 +0200 Subject: [PATCH 2/4] Add vpatch-CVE-2026-0257 test config --- .appsec-tests/vpatch-CVE-2026-0257/config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2026-0257/config.yaml diff --git a/.appsec-tests/vpatch-CVE-2026-0257/config.yaml b/.appsec-tests/vpatch-CVE-2026-0257/config.yaml new file mode 100644 index 00000000000..b3b1dc5f1a3 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2026-0257/config.yaml @@ -0,0 +1,5 @@ +## autogenerated on 2026-06-24 14:02:03 +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2026-0257.yaml +nuclei_template: CVE-2026-0257.yaml From 8dd9ec4e4b336ceb94873f25d79dca70ec8f226f Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 24 Jun 2026 16:02:10 +0200 Subject: [PATCH 3/4] Add CVE-2026-0257.yaml test --- .../vpatch-CVE-2026-0257/CVE-2026-0257.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2026-0257/CVE-2026-0257.yaml diff --git a/.appsec-tests/vpatch-CVE-2026-0257/CVE-2026-0257.yaml b/.appsec-tests/vpatch-CVE-2026-0257/CVE-2026-0257.yaml new file mode 100644 index 00000000000..b05792ad623 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2026-0257/CVE-2026-0257.yaml @@ -0,0 +1,18 @@ +## autogenerated on 2026-06-24 14:02:03 +id: CVE-2026-0257 +info: + name: CVE-2026-0257 + author: crowdsec + severity: info + description: CVE-2026-0257 testing + tags: appsec-testing +http: + - method: GET + path: + - "{{BaseURL}}/global-protect/login.esp" + - "{{BaseURL}}/sslmgr" + cookie-reuse: true + matchers: + - type: status + status: + - 403 From d6b2ea3798c50d940745e86973984f5f9a5bcb0c Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 24 Jun 2026 16:02:12 +0200 Subject: [PATCH 4/4] Add vpatch-CVE-2026-0257 rule to vpatch collection --- collections/crowdsecurity/appsec-virtual-patching.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index 79a2e5ca01c..7a06ed2519f 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -118,6 +118,7 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2025-31161 - crowdsecurity/vpatch-CVE-2025-31324 - crowdsecurity/vpatch-CVE-2025-29306 +- crowdsecurity/vpatch-CVE-2026-0257 - crowdsecurity/vpatch-CVE-2025-49113 - crowdsecurity/appsec-generic-test - crowdsecurity/vpatch-CVE-2025-25257