ET WEB_SPECIFIC_APPS Microsoft Configuration Manager Authentication Bypass via Spoofing (CVE-2025-59501)

SID: 2067199Rev: 18 views
Sourceet/open
CreatedJanuary 30, 2026
UpdatedJanuary 30, 2026
Classificationweb-application-attack
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Microsoft Configuration Manager Authentication Bypass via Spoofing (CVE-2025-59501)"; flow:established,to_server; http.uri; content:"/AdminService_TokenAuth/wmi/SMS_Admin/"; fast_pattern; http.request_body; content:"|22|AdminSid|22 3a|"; content:"|22|SMS00"; pcre:"/^(?:ALL|UNA)/R"; content:"|22|SMS0001R|22|"; http.method; content:"POST"; reference:url,specterops.io/blog/2025/11/19/sccm-hierarchy-takeover-via-entra-integrationbecause-of-the-implication/; reference:cve,2025-59501; classtype:web-application-attack; sid:2067199; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2026_01_30, cve CVE_2025_59501, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit, updated_at 2026_01_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

References

urlspecterops.io/blog/2025/11/19/sccm-hierarchy-takeover-via-entra-integrationbecause-of-the-implication/
cve2025-59501

Metadata

attack targetServer
tls stateTLSDecrypt
created at2026_01_30
deploymentSSLDecrypt
confidenceMedium
signature severityMajor
tagExploit
updated at2026_01_30
mitre tactic idTA0001
mitre tactic nameInitial_Access
mitre technique idT1190
mitre technique nameExploit_Public_Facing_Application

Comments (0)

Please sign in to leave a comment.
Sign in

No comments yet. Be the first to comment!