title: Exploitation of CVE-2021-26814 in Wazuh
id: b9888738-29ed-4c54-96a4-f38c57b84bb3
status: experimental
description: Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814
author: Florian Roth
date: 2021/05/22
references:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26814
    - https://github.com/WickdDavid/CVE-2021-26814/blob/main/PoC.py
    - https://nvd.nist.gov/vuln/detail/cve-2021-21978
logsource:
    category: webserver
detection:
    selection:
        c-uri|contains: '/manager/files?path=etc/lists/../../../../..'
    condition: selection
fields:
    - c-ip
    - c-dns
falsepositives:
    - None
level: high
tags:
    - attack.initial_access
    - attack.t1190