Rule History

alert http any any -> any any (msg: "ATTACK [PTsecurity] Fortinet FortiWeb Server SQLi RCE attempt (CVE-2025-25257)"; http.uri; content: "api/fabric/device/status"; nocase; http.header; content: "Authorization:"; content: "Bearer"; distance: 0; pcre: "/[^\r\n]+(\'|\*)/R"; threshold: type limit, track by_src, count 1, seconds 60; reference: cve, 2025-25257; reference: url, labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10014261; rev: 1;)