alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Potential External VMware vRealize Automation Authentication Bypass Vulnerability"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/SAAS/auth/login/embeddedauthbroker/callback"; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"protected_state"; content:"userstore"; content:"username"; content:"password"; content:"userstoreDisplay"; content:"horizonRelayState"; content:"stickyConnectorId"; content:"action"; reference:url,horizon3.ai/vmware-authentication-bypass-vulnerability-cve-2022-22972-technical-deep-dive/; classtype:attempted-admin; sid:2036725; rev:5; metadata:affected_product VMware, created_at 2022_05_27, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, reviewed_at 2024_10_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)