alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ivanti Virtual Traffic Manager (vTM) Authentication Bypass (CVE-2024-7593)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/apps/zxtm/wizard.fcgi?"; fast_pattern; content:"error|3d|1"; content:"section|3d|Access|20|Management|3a|LocalUsers"; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"_form_submitted|3d|form"; content:"create_user|3d|Create"; content:"group|3d|admin"; content:"newusername|3d|"; content:"password1|3d|"; reference:url,forums.ivanti.com/s/article/Security-Advisory-Ivanti-Virtual-Traffic-Manager-vTM-CVE-2024-7593; reference:cve,2024-7593; classtype:web-application-activity; sid:2056184; rev:2; metadata:affected_product Ivanti, created_at 2024_09_25, cve CVE_2024_7593, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)