""ET WEB_SPECIFIC_APPS Zyxel Command Injection Attempt (CVE-2024-4474) M3""

SID: 2052364

Revision: 1

Class Type: attempted-admin

Metadata: affected_product Zyxel, attack_target Networking_Equipment, tls_state plaintext, created_at 2024_05_02, cve CVE_2024_4474, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_05_02, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services

Reference:

• cve

• 2024-4474

Protocol: tcp

Source Network: any

Source Port: any

Destination Network: $HOME_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

• Value: "/cmd,/ck6fup6/zylog_main/configure_mail_syslog/" Depth: 47

Within:

PCRE: "/(?:mailTo|mailFrom|mailServer|mailFormat|accountSMTP|passwdSMTP|scheduleDay|scheduleHour|scheduleMinute)\x3d.*\x3b/U"

Special Options:

• http_uri

source