alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS TOTOLINK N300RH Stack-based Buffer Overflow (CVE-2026-10187)"; flow:established,to_server; http.uri; content:"/cgi-bin/cstecgi.cgi"; fast_pattern; http.request_body; content:"|22|setWiFiBasicConfig|22|"; content:"|22|AuthMode|22 3a|"; content:"|22|OPEN|22|"; within:7; content:"|22|KeyType|22 3a|"; content:"|22|1|22|"; within:4; content:"|22|KeyStr|22 3a|"; pcre:"/^\s*\x22[^\x22]{64,}/R"; http.method; content:"POST"; reference:url,github.com/passwa11/CVE-2026-10187/blob/main/TOTOLINK%20N300RH%20Stack-based%20Buffer%20Overflow%20Vulnerability.md; reference:cve,2026-10187; classtype:web-application-attack; sid:2069987; rev:1; metadata:affected_product TOTOLINK, attack_target Server, tls_state TLSDecrypt, created_at 2026_06_17, cve CVE_2026_10187, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2026_06_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)