alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Adobe ColdFusion Deserialization of Untrusted Data (CVE-2023-26360) M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".cfc?"; nocase; content:"method="; nocase; content:"_cfclient=true"; nocase; fast_pattern; http.request_body; content:"_variables="; nocase; content:"cffile"; nocase; content:"action"; nocase; within:100; content:"write"; within:20; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/adobe_coldfusion_rce_cve_2023_26360.rb; reference:url,www.cisa.gov/news-events/cybersecurity-advisories/aa23-339a; reference:cve,2023-26360; reference:url,attackerkb.com/topics/F36ClHTTIQ/cve-2023-26360/rapid7-analysis; classtype:attempted-user; sid:2049473; rev:2; metadata:affected_product Adobe_Coldfusion, attack_target Server, created_at 2023_12_05, cve CVE_2023_26360, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)