alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Commvault Pre-Auth RCE via deployServiceCommcell.do (CVE-2025-34028)"; flow:established,to_server; xbits:set,ET.CVE-2025-34028,track ip_dst,expire 120; http.method; content:"POST"; http.uri; bsize:39; content:"/commandcenter/deployServiceCommcell.do"; fast_pattern; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|servicePack|22|"; content:"Content-Type|3a 20|text/plain"; within:50; pcre:"/^[^\x26]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|file|22 3b 20|filename|3d 22|"; content:".zip|22|"; within:100; content:"Content-Type|3a 20|application/octet-stream"; within:50; content:"PK"; within:50; reference:cve,2025-34028; reference:url,labs.watchtowr.com/fire-in-the-hole-were-breaching-the-vault-commvault-remote-code-execution-cve-2025-34028/; classtype:attempted-admin; sid:2061838; rev:1; metadata:affected_product Commvault, attack_target Web_Server, tls_state TLSDecrypt, created_at 2025_04_24, cve CVE_2025_34028, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)