From d2a78352eeea97e93949b5e499c1128c7bd32a10 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 8 Jul 2026 14:55:45 +0200 Subject: [PATCH 1/4] Add vpatch-CVE-2026-8037 rule --- .../crowdsecurity/vpatch-CVE-2026-8037.yaml | 43 +++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2026-8037.yaml diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2026-8037.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2026-8037.yaml new file mode 100644 index 00000000000..c922d5e6f1c --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2026-8037.yaml @@ -0,0 +1,43 @@ +## autogenerated on 2026-07-08 12:55:42 +name: crowdsecurity/vpatch-CVE-2026-8037 +description: 'Detects unauthenticated OS command injection in Progress ADC LoadMaster via crafted JSON parameters in /accessv2 endpoint.' +rules: + - and: + - zones: + - URI + transform: + - lowercase + match: + type: equals + value: /accessv2 + - zones: + - BODY_ARGS + variables: + - json.g0 + - json.g1 + - json.g2 + - json.g3 + - json.g4 + - json.g5 + - json.g6 + - json.g7 + - json.g8 + - json.g9 + transform: + - lowercase + - urldecode + match: + type: contains + value: "';" + +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'Progress ADC LoadMaster - RCE' + classification: + - cve.CVE-2026-8037 + - attack.T1190 + - cwe.CWE-78 From ef739ffabf48a6218eb0c7ae5466d3e7165990bc Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 8 Jul 2026 14:55:47 +0200 Subject: [PATCH 2/4] Add vpatch-CVE-2026-8037 test config --- .appsec-tests/vpatch-CVE-2026-8037/config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2026-8037/config.yaml diff --git a/.appsec-tests/vpatch-CVE-2026-8037/config.yaml b/.appsec-tests/vpatch-CVE-2026-8037/config.yaml new file mode 100644 index 00000000000..9514aa0e470 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2026-8037/config.yaml @@ -0,0 +1,5 @@ +## autogenerated on 2026-07-08 12:55:42 +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2026-8037.yaml +nuclei_template: CVE-2026-8037.yaml From 5fb638782b540767c1cefaa429568b0253550769 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 8 Jul 2026 14:55:49 +0200 Subject: [PATCH 3/4] Add CVE-2026-8037.yaml test --- .../vpatch-CVE-2026-8037/CVE-2026-8037.yaml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2026-8037/CVE-2026-8037.yaml diff --git a/.appsec-tests/vpatch-CVE-2026-8037/CVE-2026-8037.yaml b/.appsec-tests/vpatch-CVE-2026-8037/CVE-2026-8037.yaml new file mode 100644 index 00000000000..c1ae036b4e1 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2026-8037/CVE-2026-8037.yaml @@ -0,0 +1,22 @@ +## autogenerated on 2026-07-08 12:55:42 +id: CVE-2026-8037 +info: + name: CVE-2026-8037 + author: crowdsec + severity: info + description: CVE-2026-8037 testing + tags: appsec-testing +http: + - raw: + - | + POST /accessv2 HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + Accept: */* + + {"cmd": "getall", "apiuser": "''''", "apipass": "BBBBB", "g0": "AAAAAAAAAAAAAAAA'; cat /etc/passwd #"} + cookie-reuse: true + matchers: + - type: status + status: + - 403 From 4ee131ed11b0a738770836b101bfc0c421528a1c Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 8 Jul 2026 14:55:50 +0200 Subject: [PATCH 4/4] Add vpatch-CVE-2026-8037 rule to vpatch collection --- collections/crowdsecurity/appsec-virtual-patching.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index 073510b3f5d..abb05a04242 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -150,6 +150,7 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2025-54249 - crowdsecurity/vpatch-CVE-2020-13640 - crowdsecurity/vpatch-CVE-2018-11511 +- crowdsecurity/vpatch-CVE-2026-8037 - crowdsecurity/vpatch-CVE-2025-2611 - crowdsecurity/vpatch-CVE-2022-24086 - crowdsecurity/vpatch-CVE-2021-32478