secubox-openwrt/package/secubox/secubox-app-mitmproxy/files/etc
CyberMind-FR a469076297 feat(waf): Add CVE-2025-14528 router botnet detection
Add new router_botnet WAF category for IoT/router exploitation:

CVE-2025-14528 (D-Link DIR-803 getcfg.php):
- AUTHORIZED_GROUP parameter manipulation
- SERVICES=DEVICE.ACCOUNT enumeration
- Newline injection bypass (%0a, %0d)

Additional router exploit patterns:
- D-Link hedwig.cgi, HNAP, service.cgi RCE
- UPnP SOAP injection
- Goform command injection
- ASUS/TP-Link/Netgear/Zyxel exploits

Mirai-variant botnet scanner detection:
- User-Agent signatures (Mirai, Hajime, Mozi, BotenaGo, etc.)
- Router payload injection patterns

Sources: CrowdSec Threat Intel, Global Security Mag

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-24 11:04:05 +01:00
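The commit message above lists the request shapes the new `router_botnet` category is meant to match: `getcfg.php` with `SERVICES=DEVICE.ACCOUNT`, a client-supplied `AUTHORIZED_GROUP` value, CR/LF injected into it (`%0a`, `%0d`), and known scanner User-Agent strings. As an added example that is not part of this commit or of the SecuBox project, the Python below implements that detection logic and runs it over a few constructed access-log lines. The rule names, the combined-log regex, the bounded repeat-decoding (so a double-encoded `%250a` is caught as well), and the assumption that the stock web UI never sends `AUTHORIZED_GROUP` from the client are all mine; the User-Agent list covers only the four names the commit message spells out, not its "etc.".

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Scanner User-Agent families named in the commit message; "Mozilla" does not match \bmozi\b.
BOTNET_UA_RE = re.compile(r"\b(mirai|hajime|mozi|botenago)\b", re.I)


def normalize(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so %0a and %250a both surface as a raw newline."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target, user_agent="", body=""):
    """Return the set of rule tags a request triggers.

    `target` is the request-line path plus query; `body` is an optional
    application/x-www-form-urlencoded POST body (getcfg.php accepts both).
    """
    tags = set()
    if BOTNET_UA_RE.search(user_agent):
        tags.add("router_botnet:scanner_ua")

    parts = urlsplit(target)
    if parts.path.lower().endswith("/getcfg.php"):
        params = {}
        for raw in (parts.query, body):
            for key, values in parse_qs(raw, keep_blank_values=True).items():
                params.setdefault(key.upper(), []).extend(values)

        services = [s.strip().upper() for v in params.get("SERVICES", []) for s in v.split(",")]
        if "DEVICE.ACCOUNT" in services:
            tags.add("router_botnet:getcfg_account_enum")

        for v in params.get("AUTHORIZED_GROUP", []):
            # Assumption: the legitimate UI never sends AUTHORIZED_GROUP from the client,
            # so its presence alone is reported; a CR/LF inside it is the bypass shape.
            tags.add("router_botnet:getcfg_authorized_group")
            decoded = normalize(v)
            if "\n" in decoded or "\r" in decoded:
                tags.add("router_botnet:getcfg_newline_bypass")
    return tags


def scan_log(lines):
    """Return (ip, target, sorted tags) for every parseable line that triggers a rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify_request(m["target"], m["ua"])
        if tags:
            hits.append((m["ip"], m["target"], sorted(tags)))
    return hits


# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Feb/2026:10:01:02 +0100] "GET /getcfg.php?SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%0a HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [24/Feb/2026:10:02:11 +0100] "GET /getcfg.php?SERVICES=DEVICE.ACCOUNT&AUTHORIZED_GROUP=1%250d HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [24/Feb/2026:10:03:40 +0100] "GET / HTTP/1.1" 200 512 "-" "Mirai-scanner"',
    '192.0.2.10 - - [24/Feb/2026:10:04:15 +0100] "GET /getcfg.php?SERVICES=DEVICE.TIME HTTP/1.1" 200 300 "-" "Mozilla/5.0 (X11)"',
]

if __name__ == "__main__":
    for ip, target, tags in scan_log(SAMPLE_LOG):
        print(ip, target, ",".join(tags))
```

The fourth sample line is a benign `getcfg.php` call without `AUTHORIZED_GROUP` and with a different `SERVICES` value, so it produces no tag; the second line only triggers the bypass rule because the decoder is applied until the value stops changing, which is the behaviour a WAF needs if the backend decodes more than once.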
Name     Last commit                                                                  Date
config   feat(waf): Add CVE-2025-14528 router botnet detection                        2026-02-24 11:04:05 +01:00
cron.d   feat(waf): Add sensitivity-based auto-ban system with CrowdSec integration   2026-02-02 13:40:52 +01:00
init.d   feat(waf): Update WAF scenarios with 2024-2025 CVEs and OWASP threats        2026-02-12 05:02:57 +01:00