alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Yealink RCE Attempt (CVE-2021-27561)"; flow:established,to_server; http.uri; content:"/premise/front/getPingData?url=http|3a 2f 2f|0.0.0.0|3a|9600/sm/api/v1/firewall/zone/services?zone="; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/; reference:url,ssd-disclosure.com/ssd-advisory-yealink-dm-pre-auth-root-level-rce/; reference:url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27561; reference:url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27562; reference:cve,2021-27561; classtype:attempted-admin; sid:2032095; rev:3; metadata:attack_target IoT, created_at 2021_03_17, cve CVE_2021_27561, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_09_20;)