alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS VMware AirWatch BlobHandler Server Side Request Forgery M1 (CVE-2021-22054)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/AirWatch/BlobHandler.ashx|3f|"; fast_pattern; startswith; content:"Url="; distance:0; reference:url,www.assetnote.io/resources/research/encrypting-our-way-to-ssrf-in-vmware-workspace-one-uem-cve-2021-22054; reference:cve,2021-22054; classtype:attempted-admin; sid:2068227; rev:1; metadata:affected_product VMware, attack_target Server, tls_state TLSDecrypt, created_at 2026_03_13, cve CVE_2021_22054, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Unknown, tag Exploit, tag CISA_KEV, updated_at 2026_03_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)