alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Exiftool RCE Inbound (CVE-2021-22204)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"ANTa|00 00|"; fast_pattern; pcre:"/[^\r\n]*\x5c(?:n|c)[^\r\n]{0,100}[\x60\x24]/Ri"; reference:url,blogs.blogs.blackberry.com/en/2021/06/from-fix-to-exploit-arbitrary-code-execution-for-cve-2021-22204-in-exiftool; classtype:attempted-admin; sid:2034626; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_12_07, cve CVE_2021_22204, deployment Perimeter, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_03_09;)