alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Adobe Coldfusion Local File Inclusion Attempt (CVE-2023-26360, CVE-2023-26359) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".cfc?"; content:"method|3d|"; content:"_cfclient|3d|true"; fast_pattern; http.request_body; content:"_variables|3d 7b|"; startswith; reference:cve,2023-26359; reference:cve,2023-26360; reference:url,realalphaman.medium.com/adobe-coldfusion-lfi-lead-to-rce-cve-2023-26359-cve-2023-26360-bd1c4b0e24bc; classtype:attempted-admin; sid:2049530; rev:3; metadata:affected_product Adobe_Coldfusion, attack_target Server, created_at 2023_12_06, cve CVE_2023_26360_CVE_2023_26359, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag LFI, tag RFI, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)