alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Omnissa Workspace One Path Traversal (CVE-2025-25231)"; flow:established,to_server; http.uri; content:"/DevicesGateway/apps/system-app-metadata/"; fast_pattern; startswith; content:"packageId|3d|"; pcre:"/^[^&]*?(?:(?:\x2e|%(?:25)?2[Ee]){1,2}(?:\x2f|\x5c|%(?:25)?5[Cc]|%(?:25)?2[Ff]){1,}){2,}/R"; reference:url,www.picussecurity.com/resource/blog/omnissa-workspace-one-cve-2025-25231-path-traversal-exploit; reference:cve,2025-25231; classtype:web-application-attack; sid:2066456; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_12_24, cve CVE_2025_25231, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_12_24, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)