# ============================================================================
# CYBERDUDEBIVASH SENTINEL APEX — Detection Pack
# Traceability:
#   CVE ............ CVE-2026-48558
#   Vendor / Product SimpleHelp  / SimpleHelp
#   CISA KEV ....... added 2026-06-29, federal remediation due 2026-07-02
#   Ransomware ..... Unknown
#   NVD ............ https://nvd.nist.gov/vuln/detail/CVE-2026-48558
#   KEV catalog .... https://www.cisa.gov/known-exploited-vulnerabilities-catalog
# Every claim in this rule's metadata is verifiable against the sources above.
# ============================================================================
title: SimpleHelp Unauthenticated Access to Administrative Endpoint (CVE-2026-48558)
id: 1b5ae312-afbf-569e-8c87-24dc398a0eae
status: experimental
description: |
    Detects HTTP requests to SimpleHelp administrative/toolbox endpoints returning success without a preceding authenticated session — consistent with the authentication-bypass vulnerability.
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-48558
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
    - https://blog.cyberdudebivash.in/detections/
author: CYBERDUDEBIVASH SENTINEL APEX
date: 2026/07/05
tags:
    - attack.initial_access
    - attack.t1190
    - attack.credential_access
    - cve.2026.48558
logsource:
    category: webserver
detection:
    selection:
        cs-uri-stem|contains:
            - '/toolbox'
            - '/admin'
            - '/serverconfig'
        sc-status:
            - 200
            - 302
    filter_admin_source:
        c-ip|cidr:
            - '10.0.0.0/8'
            - '192.168.0.0/16'
    condition: selection and not filter_admin_source
    fields:
        - c-ip
        - cs-uri-stem
        - cs-user-agent
falsepositives:
    - Legitimate administrators reaching the toolbox from known management IPs — scope the filter to your admin ranges.
level: high
