From 07e3ac3cf68ca7d16cb75b8d0617146e1b1e81d3 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 15 Apr 2026 15:28:06 +0200 Subject: [PATCH 1/4] Add vpatch-CVE-2026-1603 rule --- .../crowdsecurity/vpatch-CVE-2026-1603.yaml | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2026-1603.yaml diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2026-1603.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2026-1603.yaml new file mode 100644 index 00000000000..c971eb376a2 --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2026-1603.yaml @@ -0,0 +1,31 @@ +## autogenerated on 2026-04-15 13:28:03 +name: crowdsecurity/vpatch-CVE-2026-1603 +description: 'Detects authentication bypass in Ivanti Endpoint Manager via improper access control on /RemoteControlAuth/api/Auth.' +rules: + - and: + - zones: + - URI + transform: + - lowercase + match: + type: contains + value: /remotecontrolauth/api/auth + - zones: + - RAW_BODY + transform: + - lowercase + match: + type: contains + value: '"logintype":"64"' + +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'Ivanti Endpoint Manager - Authentication Bypass' + classification: + - cve.CVE-2026-1603 + - attack.T1190 + - cwe.CWE-288 From 9a77c8c159e7f306f759e3ed68e10b277c5edde4 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 15 Apr 2026 15:28:08 +0200 Subject: [PATCH 2/4] Add vpatch-CVE-2026-1603 test config --- .appsec-tests/vpatch-CVE-2026-1603/config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2026-1603/config.yaml diff --git a/.appsec-tests/vpatch-CVE-2026-1603/config.yaml b/.appsec-tests/vpatch-CVE-2026-1603/config.yaml new file mode 100644 index 00000000000..6c233fb60c3 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2026-1603/config.yaml @@ -0,0 +1,5 @@ +## autogenerated on 2026-04-15 13:28:03 +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2026-1603.yaml +nuclei_template: CVE-2026-1603.yaml From a06dd938bd4a4ecc731b3e9e28f81a9490bc8f1c Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 15 Apr 2026 15:28:10 +0200 Subject: [PATCH 3/4] Add CVE-2026-1603.yaml test --- .../vpatch-CVE-2026-1603/CVE-2026-1603.yaml | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2026-1603/CVE-2026-1603.yaml diff --git a/.appsec-tests/vpatch-CVE-2026-1603/CVE-2026-1603.yaml b/.appsec-tests/vpatch-CVE-2026-1603/CVE-2026-1603.yaml new file mode 100644 index 00000000000..6c51ea5c3e9 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2026-1603/CVE-2026-1603.yaml @@ -0,0 +1,24 @@ +## autogenerated on 2026-04-15 13:28:03 +id: CVE-2026-1603 +info: + name: CVE-2026-1603 + author: crowdsec + severity: info + description: CVE-2026-1603 testing + tags: appsec-testing +http: + - raw: + - | + POST /RemoteControlAuth/api/Auth HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/json + + { + "logintype":"64", + "username":"administrator" + } + cookie-reuse: true + matchers: + - type: status + status: + - 403 From 0fb8d9ced6f8ce51845dabd1e48b842e8ecf0127 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 15 Apr 2026 15:28:12 +0200 Subject: [PATCH 4/4] Add vpatch-CVE-2026-1603 rule to vpatch collection --- collections/crowdsecurity/appsec-virtual-patching.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index 7ccf9a8bf03..dc96edf7be7 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -8,6 +8,7 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2017-9841 - crowdsecurity/vpatch-CVE-2020-11738 - crowdsecurity/vpatch-CVE-2022-27926 +- crowdsecurity/vpatch-CVE-2026-1603 - crowdsecurity/vpatch-CVE-2022-35914 - crowdsecurity/vpatch-CVE-2022-46169 - crowdsecurity/vpatch-CVE-2024-3408