alert tcp any any -> $HOME_NET 7900 (msg:"ET EXPLOIT Fortinet FortiSIEM Unauthenticated Command Injection CVE-2024-23108"; flow:established,to_server; content:"|51 00 00 00|"; startswith; content:"<mount_point"; nocase; fast_pattern; pcre:"/^\b[^>]*>[^\x3b<]+\x3b[^<]+<\/mount_point>/Rsi"; reference:url,horizon3.ai/attack-research/cve-2024-23108-fortinet-fortisiem-2nd-order-command-injection-deep-dive/; reference:cve,2024-23108; classtype:misc-attack; sid:2052889; rev:1; metadata:attack_target Server, created_at 2024_05_28, cve CVE_2024_23108, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2024_05_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)