From 2e5401e7bcc9c70ba27e15e9dd76e0ea8cf7ec49 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Fri, 12 Jun 2026 13:10:23 +0200 Subject: [PATCH 1/4] Add vpatch-CVE-2026-2699 rule --- .../crowdsecurity/vpatch-CVE-2026-2699.yaml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2026-2699.yaml diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2026-2699.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2026-2699.yaml new file mode 100644 index 00000000000..9a667de319c --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2026-2699.yaml @@ -0,0 +1,24 @@ +## autogenerated on 2026-06-12 11:10:20 +name: crowdsecurity/vpatch-CVE-2026-2699 +description: 'Detects unauthenticated access to restricted configuration pages in Progress ShareFile Storage Zones Controller (CVE-2026-2699)' +rules: + - and: + - zones: + - URI + transform: + - lowercase + match: + type: contains + value: /configservice/admin.aspx + +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'Progress ShareFile - Authentication Bypass' + classification: + - cve.CVE-2026-2699 + - attack.T1190 + - cwe.CWE-284 From ba9784e1ddd53452b30f41f4b0b8ff11f80bd2b2 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Fri, 12 Jun 2026 13:10:25 +0200 Subject: [PATCH 2/4] Add vpatch-CVE-2026-2699 test config --- .appsec-tests/vpatch-CVE-2026-2699/config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2026-2699/config.yaml diff --git a/.appsec-tests/vpatch-CVE-2026-2699/config.yaml b/.appsec-tests/vpatch-CVE-2026-2699/config.yaml new file mode 100644 index 00000000000..8666dae8b7f --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2026-2699/config.yaml @@ -0,0 +1,5 @@ +## autogenerated on 2026-06-12 11:10:20 +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2026-2699.yaml +nuclei_template: CVE-2026-2699.yaml From 196592badca34237d6a27d887cf6023762e7501d Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Fri, 12 Jun 2026 13:10:27 +0200 Subject: [PATCH 3/4] Add CVE-2026-2699.yaml test --- .../vpatch-CVE-2026-2699/CVE-2026-2699.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2026-2699/CVE-2026-2699.yaml diff --git a/.appsec-tests/vpatch-CVE-2026-2699/CVE-2026-2699.yaml b/.appsec-tests/vpatch-CVE-2026-2699/CVE-2026-2699.yaml new file mode 100644 index 00000000000..a05bf12fa0d --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2026-2699/CVE-2026-2699.yaml @@ -0,0 +1,18 @@ +## autogenerated on 2026-06-12 11:10:20 +id: CVE-2026-2699 +info: + name: CVE-2026-2699 + author: crowdsec + severity: info + description: CVE-2026-2699 testing + tags: appsec-testing +http: + - raw: + - | + GET /ConfigService/Admin.aspx HTTP/1.1 + Host: {{Hostname}} + cookie-reuse: true + matchers: + - type: status + status: + - 403 From ec5e95a6aee33579da5a208f43c785a2b42448b8 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Fri, 12 Jun 2026 13:10:29 +0200 Subject: [PATCH 4/4] Add vpatch-CVE-2026-2699 rule to vpatch collection --- collections/crowdsecurity/appsec-virtual-patching.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index 9d5aabe34fc..648d214f6d9 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -88,6 +88,7 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2024-52301 - crowdsecurity/vpatch-CVE-2025-34291 - crowdsecurity/vpatch-CVE-2024-8963 +- crowdsecurity/vpatch-CVE-2026-2699 - crowdsecurity/vpatch-CVE-2024-38816 - crowdsecurity/vpatch-CVE-2024-9465 - crowdsecurity/vpatch-CVE-2024-51378