alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Zyxel NAS CGI Remote Code Execution via Configuration Upload (CVE-2024-29974)"; flow:established, to_server; http.method; content:"POST"; http.uri; content:"/desktop|2c|/cgi-bin/file_upload-cgi/"; fast_pattern; http.content_type; content:"multipart/form-data|3b|"; http.request_body; content:"filename|3d|"; content:"|2e|rom|22|"; distance:0; reference:url,outpost24.com/blog/zyxel-nas-critical-vulnerabilities/; reference:cve,2024-29974; classtype:web-application-activity; sid:2055909; rev:1; metadata:affected_product Zyxel, attack_target Server, tls_state plaintext, created_at 2024_09_18, cve CVE_2024_29974, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2024_09_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)