alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)"; flow:established,to_server; http.uri; content:"/catalog-portal/"; http.request_body; content:"%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22"; nocase; fast_pattern; content:"%6e%65%77%28%29"; nocase; within:200; reference:url,www.vmware.com/security/advisories/VMSA-2022-0011.html; reference:cve,2022-22954; classtype:attempted-admin; sid:2035876; rev:2; metadata:affected_product VMware, attack_target Server, created_at 2022_04_08, cve CVE_2022_22954, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_04_08;)