alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Zyxel Authentication Bypass Attempt (CVE-2023-4473)"; flow:established,to_server; http.uri; content:"/cmd,/ck6fup6/"; fast_pattern; startswith; pcre:"/\/(?:favicon.ico|adv,\/cgi-bin\/weblogin\.cgi|desktop,\/(?:file_download\.cgi|cgi-bin\/dlnotify|login\.html|res\/|css\/|utility\/flag\/js)|MyWeb\/|register_main\/setCookie|playzone,\/(?:mobile_login\.html|mobile\/sencha\/|mobile\/images\/|images\/))/R"; reference:url,bugprove.com/knowledge-hub/cve-2023-4473-and-cve-2023-4474-authentication-bypass-and-multiple-blind-os-command-injection-vulnerabilities-in-zyxel-s-nas-326-devices/; reference:cve,2023-4473; classtype:attempted-admin; sid:2052325; rev:3; metadata:affected_product Zyxel, created_at 2024_05_01, cve CVE_2023_4473, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)