ThreatPulse — April 19, 2026 | 0 threats, personalised for you
Personalised for Ethan Andrews | Detection Engineer | Detection: KQL
CVE-2026-4447 (NetVanguard-cmd) is a high-severity vulnerability (CVSS 8.8) affecting multiple platforms including Windows, Docker, and cloud services. Detection should focus on exploitation attempts targeting vulnerable NetVanguard components and command execution patterns.
Detection Query (KQL):
// Process-creation and network events referencing NetVanguard or the CVE id.
// The 7-day window is applied inside each branch so every table is filtered before the union.
union
    (DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where ProcessCommandLine contains "netvanguard"
        or ProcessCommandLine contains "CVE-2026-4447"
        or InitiatingProcessCommandLine contains "netvanguard"
    | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine, AccountName),
    (SecurityEvent
    | where TimeGenerated > ago(7d)
    | where EventID == 4688
        and (CommandLine contains "netvanguard" or CommandLine contains "CVE-2026-4447")
    | project TimeGenerated, Computer, CommandLine, ParentProcessName, Account),
    (CommonSecurityLog
    | where TimeGenerated > ago(7d)
    | where Activity contains "netvanguard"
        or RequestURL contains "CVE-2026-4447"
        or Message contains "netvanguard"
    | project TimeGenerated, DeviceName, Activity, RequestURL, SourceIP)
Detection Logic
Monitor for process creation events and command-line execution containing 'netvanguard' or CVE-2026-4447 references across Windows security logs, device process events, and network security logs. Correlate suspicious command execution with known exploitation patterns and unusual parent-child process relationships.
Affected Products: Windows, Docker, Azure, Office365, Chrome, Cisco, VMware, Python
ATT&CK Techniques: T1190, T1059, T1203
False Positive Notes: Legitimate NetVanguard administrative tools and updates may trigger alerts; whitelist known administrative accounts and scheduled maintenance windows. Filter out benign references in logs, documentation, or security scanning tools that may mention the CVE identifier.
CVE-2025-61882 (NetVanguard-cmd) is a critical vulnerability with a CVSS score of 9.8 affecting multiple platforms including Windows, Azure, and Docker environments. Detection should focus on identifying exploitation attempts through command execution patterns and suspicious process activity associated with vulnerable NetVanguard components.
Detection Query (KQL):
// Defender process events plus Windows 4688 events mentioning NetVanguard-cmd.
// DeviceProcessEvents exposes the parent as InitiatingProcessFileName (there is no InitiatingProcessName column).
DeviceProcessEvents
| where ProcessCommandLine contains "netvanguard"
    or ProcessCommandLine contains "netguard"
    or ProcessCommandLine matches regex @"(?i)(netvanguard|netguard).*cmd"
| where InitiatingProcessFileName !in ("explorer.exe", "svchost.exe")
| project Timestamp, DeviceName, ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId, AccountName
| union (
    SecurityEvent
    | where EventID == 4688
        and (CommandLine contains "netvanguard" or CommandLine contains "netguard")
    | project TimeGenerated, Computer, NewProcessId, CommandLine, ParentProcessName, SubjectUserName)
Detection Logic
Monitor for process creation events containing NetVanguard-cmd references in command lines, focusing on suspicious parent processes and execution contexts. Cross-reference Windows Security Event logs (EventID 4688) and Microsoft Defender for Endpoint process events to identify exploitation attempts. Alert on any execution from non-standard locations or by unexpected service accounts.
Affected Products: Windows, Azure, Docker, VMware, Cisco, Chrome, Python, Office365
ATT&CK Techniques: T1059.001, T1190, T1203
False Positive Notes: Legitimate NetVanguard administrative tools may trigger alerts; whitelist known administrative accounts and scheduled maintenance windows. Filter out expected system processes and legitimate security software. Tune based on the organizational baseline of NetVanguard usage patterns. Consider excluding events from approved administrative workstations and change management systems.
CVE-2026-6563 is a remote buffer overflow vulnerability in H3C Magic B1 devices affecting the SetAPWifiorLedInfoById function in /goform/aspForm, exploitable without authentication. Detection focuses on identifying exploitation attempts through network traffic patterns, process execution anomalies, and file access to vulnerable endpoints on H3C devices or management interfaces.
Detection Query (KQL):
let timeframe = 7d;
// 'param' is a very broad term; expect noise from the process and file branches until it is tuned out.
let h3c_indicators = dynamic(['SetAPWifiorLedInfoById', 'aspForm', 'param', 'Magic B1']);
union
    (DeviceNetworkEvents
    | where Timestamp > ago(timeframe)
    | where RemoteUrl has_any ('goform/aspForm', '/goform/')
        or RemoteUrl matches regex @'(?i).*SetAPWifiorLedInfoById.*'
    | where ActionType in ('ConnectionSuccess', 'ConnectionAttempted', 'ConnectionFailed')
    | project Timestamp, DeviceName, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine),
    (DeviceProcessEvents
    | where Timestamp > ago(timeframe)
    | where ProcessCommandLine has_any (h3c_indicators) or FolderPath has_any ('goform', 'aspForm')
    | project Timestamp, DeviceName, ProcessCommandLine, ProcessId, AccountName, FileName),
    (DeviceFileEvents
    | where Timestamp > ago(timeframe)
    | where FolderPath has_any ('goform', 'aspForm') or FileName has_any (h3c_indicators)
    | where ActionType in ('FileCreated', 'FileModified', 'FileDeleted')
    | project Timestamp, DeviceName, FolderPath, FileName, ActionType, AccountName)
// Grouping by the raw Timestamp would leave every event in its own row; bin to one hour so counts mean something.
| summarize EventCount = count() by bin(Timestamp, 1h), DeviceName, RemoteIP, ProcessCommandLine, FileName
| limit 1000
Detection Logic
Monitor for exploitation attempts by detecting network connections to vulnerable /goform/aspForm endpoints with SetAPWifiorLedInfoById function calls, unusual process execution with buffer overflow payloads in command lines, and suspicious file modifications in web application directories. Cross-correlate network events with process and file activity to identify attack chains.
Affected Products: H3C Magic B1, H3C Magic B1 up to 100R004
ATT&CK Techniques: T1190, T1133, T1071
False Positive Notes: Legitimate administrative access to H3C device management interfaces, routine firmware updates or configuration changes via /goform/ endpoints, and normal web application file operations may trigger alerts. Whitelist known management IPs, scheduled maintenance windows, and authenticated administrative accounts. Filter out internal network scanning and vulnerability assessment tools that may probe these endpoints.
CVE-2026-6560 is a critical remote buffer overflow vulnerability in H3C Magic B0 devices affecting the Edit_BasicSSID function in /goform/aspForm, with a CVSS score of 8.8. Detection should focus on identifying exploitation attempts targeting H3C devices through malicious web requests and subsequent process execution or network anomalies.
Detection Query (KQL):
let timeframe = 7d;
let h3c_indicators = dynamic(['Edit_BasicSSID', 'aspForm', 'goform']);
union
    (DeviceNetworkEvents
    | where Timestamp > ago(timeframe)
    | where RemoteUrl has_any (h3c_indicators) or InitiatingProcessCommandLine has_any (h3c_indicators)
    | project Timestamp, DeviceId, DeviceName, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType),
    (DeviceProcessEvents
    | where Timestamp > ago(timeframe)
    | where ProcessCommandLine has_any (h3c_indicators) or FolderPath has_any (h3c_indicators)
    | project Timestamp, DeviceId, DeviceName, ProcessCommandLine, ProcessId, FileName, FolderPath, AccountName, ActionType),
    (SecurityEvent
    | where TimeGenerated > ago(timeframe)
    | where Activity has_any (h3c_indicators) or CommandLine has_any (h3c_indicators)
    | project TimeGenerated, Computer, Activity, CommandLine, Account, EventID)
// Drop connection/process termination rows. SecurityEvent rows have an empty ActionType and pass through;
// the earlier "or Activity !has 'Success'" clause was always true for device rows and made this filter a no-op.
| where ActionType !in ('ProcessTerminated', 'NetworkConnectionTerminated')
| limit 1000
Detection Logic
Monitor for HTTP requests containing Edit_BasicSSID, aspForm, or goform path indicators targeting H3C devices. Correlate with subsequent suspicious process creation, command execution, or unexpected network connections from affected devices. Focus on remote connection attempts to H3C management interfaces and buffer overflow exploitation patterns in request payloads.
Affected Products: H3C Magic B0, H3C Magic B0 100R002
ATT&CK Techniques: T1190, T1133, T1071
False Positive Notes: Legitimate H3C device management traffic and administrative configuration changes may trigger alerts; whitelist known H3C management IPs and scheduled maintenance windows. Filter out normal device firmware update processes and authenticated administrative sessions. Exclude internal network scanning and vulnerability assessment tools that may probe H3C devices.
CVE-2026-3055 is a critical vulnerability (CVSS 9.8) affecting NetVanguard-cmd with high exploitation probability (EPSS 55.7%). Detection should focus on identifying exploitation attempts and suspicious command execution patterns associated with this vulnerability.
Detection Query (KQL):
// The parent process column in DeviceProcessEvents is InitiatingProcessFileName.
DeviceProcessEvents
| where ProcessCommandLine contains "netvanguard"
    or ProcessCommandLine matches regex @"(?i)(netvanguard|cve.?2026.?3055)"
| where InitiatingProcessFileName !in ("explorer.exe", "svchost.exe")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId
| union (
    SecurityEvent
    | where EventID == 4688 and CommandLine contains "netvanguard"
    | project TimeGenerated, Computer, Account, CommandLine, ParentProcessName)
| union (
    CommonSecurityLog
    | where Activity contains "NetVanguard" or RequestURL contains "netvanguard"
    | project TimeGenerated, SourceIP, DestinationIP, Activity, RequestURL)
Detection Logic
Monitor for process creation events containing 'netvanguard' or CVE-2026-3055 references in command lines, excluding legitimate system processes. Cross-correlate with network logs for suspicious communication patterns and web requests related to the vulnerability.
Affected Products: NetVanguard-cmd, Windows, Azure, Office365
ATT&CK Techniques: T1190, T1059
False Positive Notes: Legitimate NetVanguard administrative tools and updates may trigger alerts; whitelist known administrative accounts and scheduled maintenance windows. Filter out benign security scanning tools that may reference CVE identifiers in logs.
CVE-2026-6577 affects DjangoBlog up to version 2.1.0.0: a missing-authentication vulnerability in the logtracks endpoint (owntracks/views.py) allows unauthenticated remote access. Detection focuses on identifying suspicious web requests to DjangoBlog instances, particularly those targeting the vulnerable owntracks endpoint, combined with process and network indicators of exploitation.
Detection Query (KQL):
let timeframe = 7d;
let djangoblog_paths = dynamic(['/owntracks/', '/logtracks', 'owntracks/views.py']);
union
    (CloudAppEvents
    | where TimeGenerated > ago(timeframe)
    | where ActionType in ('HttpRequest', 'WebRequest')
    // KQL has no lambda-style any(); has_any against the dynamic list is the equivalent.
    | where RawEventData has_any (djangoblog_paths) or Url has_any (djangoblog_paths)
    | project TimeGenerated, AccountId, Url, ActionType, RawEventData, DeviceName),
    (DeviceNetworkEvents
    | where TimeGenerated > ago(timeframe)
    | where RemoteUrl has 'djangoblog' or RemoteUrl has 'owntracks'
    | where ActionType == 'ConnectionSuccess'
    | project TimeGenerated, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine),
    (DeviceProcessEvents
    | where TimeGenerated > ago(timeframe)
    | where ProcessCommandLine has_any ('django', 'python')
        and (ProcessCommandLine has 'owntracks' or ProcessCommandLine has 'logtracks')
    | project TimeGenerated, DeviceName, ProcessCommandLine, ProcessId, AccountName, FileName)
// Aggregate per device per hour; dcount(DeviceName) inside a DeviceName group is always 1, so it is not computed.
| summarize EventCount = count(), EventTypes = make_set(ActionType) by bin(TimeGenerated, 1h), DeviceName
| where EventCount > 3
| limit 1000
Detection Logic
Detection correlates three signal types: (1) CloudAppEvents for HTTP requests targeting owntracks/logtracks endpoints without proper authentication context, (2) DeviceNetworkEvents for network connections to DjangoBlog instances from unexpected sources, and (3) DeviceProcessEvents for suspicious Python/Django process execution with owntracks/logtracks references. Aggregation identifies devices with multiple related events within 1-hour windows, indicating potential exploitation attempts.
Affected Products: DjangoBlog, Python, Django
ATT&CK Techniques: T1190, T1133, T1078
False Positive Notes: Legitimate DjangoBlog administrators accessing owntracks endpoints for maintenance, automated monitoring tools querying the logtracks endpoint, and development/testing environments running DjangoBlog locally. Tune by excluding known admin IP ranges, internal monitoring tools, and development subnets. Consider allowlisting authenticated service accounts and known CI/CD pipelines.
CVE-2026-6574 affects osuuu LightPicture up to version 1.2.2; the /public/install/lp.sql API upload endpoint can be abused to expose hard-coded credentials through file manipulation. Detection focuses on identifying suspicious file uploads, API endpoint access patterns, and credential exposure indicators in web application logs and process execution.
Detection Query (KQL):
union
    (DeviceFileEvents
    | where Timestamp > ago(7d)
    // Both path separators are listed so Linux and Windows hosts match; "\\" is a single backslash in a KQL string.
    | where FolderPath has_any ("/public/install", "\\public\\install")
        and FileName has_any ("lp.sql", "install")
        and ActionType in ("FileCreated", "FileModified")
    | project Timestamp, DeviceName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName),
    (DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where RemoteUrl has_any ("/public/install/lp.sql", "/api/upload") and ActionType == "ConnectionSuccess"
    | project Timestamp, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName),
    (DeviceProcessEvents
    | where Timestamp > ago(7d)
    // "install" on its own is a noisy term; tune it out if this branch dominates the counts.
    | where ProcessCommandLine has_any ("lp.sql", "lightpicture", "install") or FileName =~ "lightpicture.exe"
    | project Timestamp, DeviceName, ProcessCommandLine, FileName, ProcessId, AccountName, FolderPath)
| summarize EventCount = count() by DeviceName, AccountName, bin(Timestamp, 1h)
| where EventCount > 2
| limit 1000
Detection Logic
Monitor for file creation/modification events in the /public/install directory targeting lp.sql, detect HTTP requests to the vulnerable API endpoints (/public/install/lp.sql, /api/upload), and identify process execution patterns associated with the LightPicture application. Correlate events by device and user account to identify exploitation attempts. Focus on anomalous file operations and network connections from web application processes.
Affected Products: osuuu LightPicture, Windows, Azure, Office365
ATT&CK Techniques: T1190, T1552, T1083
False Positive Notes: Legitimate software updates or installations of LightPicture may trigger file events in the install directory. Filter out known-good processes and service accounts performing routine maintenance. Exclude internal development/testing environments where LightPicture is actively being deployed. Tune for expected API upload traffic from authorized administrative accounts during maintenance windows.
CVE-2026-6569 affects KodExplorer up to version 4.52: improper authentication in the fileGet endpoint (/app/controller/share.class.php) can be exploited remotely by manipulating the fileUrl parameter, allowing unauthorized file access through authentication bypass.
Detection Query (KQL):
union
    (DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where ProcessCommandLine has_any ('kodexplorer', 'share.class.php', 'fileGet') or FolderPath has '/app/controller/'
    | project Timestamp, DeviceName, ProcessCommandLine, AccountName, FileName, FolderPath),
    (DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where RemoteUrl has_any ('kodexplorer', '/app/controller/share.class.php', 'fileGet')
        or InitiatingProcessFileName has_any ('php', 'apache', 'nginx')
    // The regex below is the effective filter: only URLs carrying fileGet/fileUrl survive it.
    | where RemoteUrl matches regex @'(?i)(fileget|fileurl)'
    | project Timestamp, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName, InitiatingProcessCommandLine),
    (CloudAppEvents
    | where Timestamp > ago(7d)
    | where ObjectName has_any ('share.class.php', 'fileGet', 'kodexplorer') or RawEventData has 'fileUrl'
    | project Timestamp, AccountDisplayName, ObjectName, Operation, RawEventData)
| project Timestamp, DeviceName, AccountName, AccountDisplayName, ProcessCommandLine, RemoteUrl, ObjectName, Operation
| limit 1000
Detection Logic
Monitor for process execution, network connections, and cloud application events related to KodExplorer components, specifically targeting the share.class.php file and fileGet endpoint. Detection focuses on suspicious fileUrl parameter manipulation attempts and authentication bypass indicators across Windows endpoints, cloud services, and web application logs.
Affected Products: KodExplorer, KodCloud
ATT&CK Techniques: T1190, T1566
False Positive Notes: Legitimate administrative access to KodExplorer file management interfaces, routine backup/sync operations using fileGet functionality, and authorized file sharing operations may trigger alerts. Filter by known administrative accounts and expected file transfer patterns. Consider whitelisting internal file server IPs and known legitimate KodExplorer instances.
CVE-2026-6568 is a path traversal vulnerability in KodExplorer up to version 4.52 affecting the share.class.php component, allowing remote attackers to manipulate file paths and access unauthorized resources. Detection should focus on identifying exploitation attempts targeting the vulnerable share handler endpoint with path traversal payloads.
Detection Query (KQL):
// The operator is "matches regex"; a bare "matches" is not valid KQL.
union
    (DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where RemoteUrl has "/app/controller/share.class.php"
        or RemoteUrl has "initShareOld"
        or RemoteUrl matches regex @'(?i).*\.\./.*'
    | where ActionType == "ConnectionSuccess" or ActionType == "ConnectionAttempted"
    | project Timestamp, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName, InitiatingProcessCommandLine),
    (CloudAppEvents
    | where Timestamp > ago(7d)
    | where ObjectName has "share.class.php" or ObjectName has "initShareOld" or RawEventData has "path"
    | where ActionType in ("FileAccessed", "FileModified")
    | project Timestamp, AccountUpn, ObjectName, IPAddress, ActionType),
    (DeviceFileEvents
    | where Timestamp > ago(7d)
    | where FolderPath has "/app/controller/" and FileName has "share.class.php"
    | where ActionType in ("FileCreated", "FileModified")
    | project Timestamp, DeviceName, FolderPath, FileName, InitiatingProcessFileName, InitiatingProcessCommandLine)
// Keep only rows whose URL, object or path carries a traversal sequence ("../", "..\" or the %2e%2e encoding).
// Note that writes to share.class.php itself rarely contain one, so the DeviceFileEvents branch seldom survives this filter.
| where RemoteUrl matches regex @'(?i).*(%2e%2e|\.\.)[/\\].*'
    or ObjectName matches regex @'(?i).*(%2e%2e|\.\.)[/\\].*'
    or FolderPath matches regex @'(?i).*(%2e%2e|\.\.)[/\\].*'
| limit 1000
Detection Logic
Monitor network connections to vulnerable KodExplorer endpoints (share.class.php, initShareOld function) with path traversal indicators (../ or URL-encoded equivalents %2e%2e). Cross-reference with file access events on the application directory and cloud app events showing suspicious file operations. Focus on remote connection attempts and file modifications in /app/controller/ paths.
Affected Products: KodExplorer, KodCloud
ATT&CK Techniques: T1083, T1190
False Positive Notes: Legitimate administrative access to share.class.php for updates or maintenance; normal file synchronization operations in cloud storage; legitimate relative path references in application logs that do not represent exploitation attempts. Filter by known legitimate source IPs and service accounts with administrative roles.
CVE-2026-6562 is a SQL injection vulnerability in dameng100 muucmf 1.9.5.20260309 affecting the getListByPage function in /index/Search/index.html through manipulation of the keyword argument. Detection focuses on identifying exploitation attempts via malicious SQL payloads in web requests and subsequent database anomalies.
Detection Query (KQL):
union
    (DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where RemoteUrl has "/index/Search/index.html" or RemoteUrl has "getListByPage"
    // This branch only sees requests issued by browsers on monitored endpoints, not traffic arriving at the web server from outside.
    | where InitiatingProcessFileName in~ ("chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe")
    | where RemoteUrl matches regex @"(?i)(keyword|search).*('|(\-\-)|(;)|(union)|(select)|(insert)|(update)|(delete)|(drop))"
    | project Timestamp, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName, InitiatingProcessCommandLine),
    (SecurityEvent
    // SecurityEvent is timestamped by TimeGenerated; it has no Timestamp column.
    | where TimeGenerated > ago(7d)
    // Only 4688 (process creation) carries CommandLine; 4689 (process exit) rows could never match the regex.
    | where EventID == 4688
    | where CommandLine matches regex @"(?i)(sqlcmd|osql|mysql|psql).*('|(\-\-)|(;)|(union)|(select))"
    | where Process has_any ("dameng", "muucmf")
    | project TimeGenerated, Computer, CommandLine, ParentProcessName, Account),
    (DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where ProcessCommandLine matches regex @"(?i)(keyword|search).*('|(\-\-)|(;)|(union)|(select)|(insert)|(update)|(delete))"
    | where FolderPath has_any ("dameng", "muucmf", "index")
    | project Timestamp, DeviceName, ProcessCommandLine, FileName, AccountName)
| limit 1000
Detection Logic
Monitor for HTTP requests to /index/Search/index.html with SQL injection payloads in the keyword parameter (single quotes, comments, UNION/SELECT statements). Correlate with process execution of database tools and command-line activity containing SQL keywords. Track network connections from browsers to vulnerable endpoints combined with suspicious database process spawning.
Affected Products: dameng100 muucmf 1.9.5.20260309
ATT&CK Techniques: T1190, T1083, T1005
False Positive Notes: Legitimate search queries containing special characters, database maintenance scripts, SQL Server Management Studio usage, automated backup/restore operations, and security scanning tools performing SQL injection testing. Whitelist known internal database administration tools and scheduled maintenance windows. Filter out test/development environments and authorized penetration testing activities.
ThreatPulse — Automated Threat Intelligence