CVE-2024-4040 - CrushFTP Local File Inclusion (LFI)

Anvilogic Forge

Summary
CVE-2024-4040 is a vulnerability in CrushFTP versions prior to 10.7.1 and 11.1.0 that allows unauthenticated remote attackers to read files on the filesystem outside the Virtual File System (VFS) sandbox. The provided Splunk rule targets GET and POST requests whose parameters are crafted to exploit this weakness. It runs over web application firewall (WAF) logs, matching on specific parameters and conditions associated with the LFI attack to capture potential file inclusion attempts. The rule outputs event data such as timestamps, host information, URI paths, query strings, and source IP addresses, supporting monitoring and rapid incident response for systems vulnerable to CVE-2024-4040.
Categories
  • Web
  • Cloud
  • Application
Data Sources
  • Web Credential
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1083
Created: 2024-06-06