ET EXPLOIT Zyxel ZyWALL/USG OS Command Injection (CVE-2023-28771)
Source: et/open
Created: June 20, 2025
Updated: June 20, 2025
Classification: web-application-attack
alert udp any any -> $HOME_NET 500 (msg:"ET EXPLOIT Zyxel ZyWALL/USG OS Command Injection (CVE-2023-28771)"; flow:stateless,to_server; content:"|29 20 22 08|"; fast_pattern; offset:16; depth:4; content:"|28 00|"; distance:0; content:"|00 0e|"; distance:4; within:2; pcre:"/^.*?[\x3b\x24\x27\x60\x7c]/R"; reference:url,www.fortinet.com/blog/threat-research/ddos-botnets-target-zyxel-vulnerability-cve-2023-28771; reference:cve,2023-28771; classtype:web-application-attack; sid:2063094; rev:1; metadata:affected_product Zyxel, attack_target Server, created_at 2025_06_20, cve CVE_2023_28771, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2025_06_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)