alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Sitecore XP Unauthenticated Remote Code Execution in Report.ashx (CVE-2021-42237)"; flow:established,to_server; http.uri; content:"/sitecore/shell/ClientBin/Reporting/Report.ashx"; fast_pattern; http.request_body; content:"<parameters>"; content:"Serialization/Arrays|22|"; distance:0; pcre:"/^[^\x3e]*?\x3e(?:cmd|pwsh|powershell)/R"; http.method; content:"POST"; reference:url,www.assetnote.io/resources/research/sitecore-experience-platform-pre-auth-rce-cve-2021-42237; reference:cve,2021-42237; classtype:web-application-attack; sid:2065043; rev:1; metadata:affected_product Sitecore, attack_target Server, tls_state TLSDecrypt, created_at 2025_10_03, cve CVE_2021_42237, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_10_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)