CrushFTP Server Side Template Injection

Splunk Security Content

Summary
This detection rule identifies exploitation attempts of a server-side template injection vulnerability (CVE-2024-4040) in CrushFTP, affecting versions up to 10.7.1 and 11.1.0. The vulnerability allows attackers to read files outside the VFS Sandbox, bypass authentication, and execute commands remotely. The analytic parses CrushFTP session logs to extract actions such as 'READ' or 'WROTE' linked to specific keywords, session details including user and IP, and HTTP methods and URIs. Evaluating these logs for signs of exploitation allows unauthorized access to be identified and mitigated promptly. Proper log ingestion and parsing in a SIEM system like Splunk are essential for effective detection.
Categories
  • Application
  • Web
Data Sources
  • Logon Session
  • Application Log
ATT&CK Techniques
  • T1190
Created: 2025-01-21