
Summary
This detection rule identifies server-side template injection attempts related to CVE-2022-22954 in VMware Workspace ONE. The rule inspects web or proxy logs, filtering for HTTP GET requests to the endpoint 'catalog-portal/ui/oauth/verify' whose URL contains the string 'freemarker.template.utility.Execute'. Successful exploitation of this vulnerability could allow attackers to execute arbitrary commands on the server, risking complete system compromise and data exfiltration, and potentially enabling further lateral movement within the network. The analytic relies on these specific indicators in request URLs to flag suspicious activity, making it a critical part of network security monitoring for environments using VMware Workspace ONE.
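The matching logic described above, sketched as an added example (not the rule's own query): it assumes combined-style access log lines, and the sample lines, IP addresses and query values are constructed placeholders. It also percent-decodes the URI before matching, which goes beyond the plain substring filter the summary describes.

```python
import re
from urllib.parse import unquote

ENDPOINT = "catalog-portal/ui/oauth/verify"
MARKER = "freemarker.template.utility.Execute"

# Assumed layout: combined-style request field "METHOD URI PROTO" then status.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def normalize(uri, rounds=3):
    """Percent-decode up to `rounds` times so single- and double-encoded
    URIs are compared in the same form as unencoded ones."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def is_suspicious(line):
    """True for a GET to the verify endpoint whose URL carries the marker."""
    m = REQUEST_RE.search(line)
    if not m or m.group("method") != "GET":
        return False  # mirrors the rule's GET-only filter
    uri = normalize(m.group("uri")).casefold()
    return ENDPOINT.casefold() in uri and MARKER.casefold() in uri

def detect(lines):
    return [line for line in lines if is_suspicious(line)]

# Constructed sample lines (documentation IP ranges, placeholder query values).
SAMPLE_LOG = [
    '198.51.100.7 - - [15/Nov/2024:10:00:01 +0000] "GET /catalog-portal/ui/oauth/verify?x=PLACEHOLDER-freemarker.template.utility.Execute HTTP/1.1" 400 512',
    '198.51.100.7 - - [15/Nov/2024:10:00:02 +0000] "GET /catalog-portal/ui/oauth/verify?x=PLACEHOLDER-freemarker%252Etemplate%252Eutility%252EExecute HTTP/1.1" 400 512',
    '203.0.113.20 - - [15/Nov/2024:10:00:03 +0000] "GET /catalog-portal/ui/oauth/verify?code=abc123 HTTP/1.1" 200 1024',
    '203.0.113.21 - - [15/Nov/2024:10:00:04 +0000] "POST /catalog-portal/ui/oauth/verify?x=freemarker.template.utility.Execute HTTP/1.1" 400 0',
    '203.0.113.22 - - [15/Nov/2024:10:00:05 +0000] "GET /index.html?q=freemarker.template.utility.Execute HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print("ALERT:", hit)
```

Only the first two sample lines alert; the POST line is skipped because the rule as described filters on GET, which is worth keeping in mind when judging coverage.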
Categories
- Web
- Network
Data Sources
- Web Credential
- Application Log
ATT&CK Techniques
- T1190
- T1133
Created: 2024-11-15