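# CrowdSec scenario: flags HTTP requests that match two known request
# signatures for CVE-2022-37042 (the mboximport endpoint named in the filter).
#
# NOTE: this file must keep one key per line. If it is collapsed onto a single
# line, everything after "#debug" becomes a YAML comment and only
# "type: trigger" is parsed.

# "trigger" buckets overflow (raise an alert) on the first matching event.
type: trigger
#debug: true
name: crowdsecurity/CVE-2022-37042
description: "Detect CVE-2022-37042 exploits"
# Match conditions (all three must hold):
#   1. http_path contains, case-insensitively, one of the two literal
#      mboximport URLs below, query string included.
#   2. http_status starts with "40".
#   3. http_verb is POST (case-insensitive).
#
# NOTE(review): a 40x status should not be read as "attempt blocked". Public
# analyses of this CVE describe vulnerable servers answering 401 while still
# processing the upload. Confirm against the vendor advisory and check the
# host itself when this scenario fires.
#
# NOTE(review): this is a signature match on two fixed query strings, so it
# indicates known request patterns rather than covering every request to the
# endpoint. It also assumes the log parser keeps the query string in
# evt.Meta.http_path; verify against the parser in use.
filter: |
  (
  Upper(evt.Meta.http_path) contains Upper('/service/extension/backup/mboximport?account-name=admin&ow=2&no-switch=1&append=1') ||
  Upper(evt.Meta.http_path) contains Upper('/service/extension/backup/mboximport?account-name=admin&account-status=1&ow=cmd')
  )
  and evt.Meta.http_status startsWith ('40') and
  Upper(evt.Meta.http_verb) == 'POST'
# After an alert, suppress further alerts for the same bucket key for 2 minutes.
blackhole: 2m
# One bucket per client address, so each source IP is alerted on independently.
groupby: "evt.Meta.source_ip"
labels:
  type: exploit
  # Marks the alert as eligible for a remediation decision; whether and how a
  # source is actually blocked depends on the local profiles configuration.
  remediation: true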