CVE-2015-7254
published 2015-11-07CVE-2015-7254: Directory traversal vulnerability on Huawei HG532e, HG532n, and HG532s devices allows remote attackers to read arbitrary files via a .. (dot dot) in an icon/…
PriorityP274medium5CVSS 2.0
AVNACLAuNCPINAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
27.53%
97.8th percentile
Directory traversal vulnerability on Huawei HG532e, HG532n, and HG532s devices allows remote attackers to read arbitrary files via a .. (dot dot) in an icon/ URI.
Detection & IOCsextracted from sources · hover to see the quote
- →Detect HTTP requests to port 37215 containing path traversal sequences (/../) under the /icon/ URI path, indicative of CVE-2015-7254 exploitation against Huawei HG532e/n/s devices. ↗
- →Detect HTTP POST requests to /ctrlt/DeviceUpgrade_1 on port 37215 using HTTP Digest Authentication with credentials 'dslf-config'/'admin', which is the hardcoded credential pair used in the exploit. ↗
- →Alert on HTTP request bodies containing the string 'HUAWEIUPNP', which is a unique marker injected by the exploit payload into the DeviceUpgrade_1 endpoint. ↗
- →Monitor for HTTP requests with User-Agent 'Mozilla' (bare, no version string) to port 37215, as used by the exploit's fetch_url function. ↗
- →Scan for internet-exposed Huawei CPE devices by querying for 'tr064dev.xml', which identifies approximately 66,000 potentially vulnerable devices on Shodan. ↗
- ·The exploit combines directory traversal (CVE-2015-7254) on port 37215 with a separate command injection step via POST to /ctrlt/DeviceUpgrade_1 using hardcoded Digest Auth credentials, enabling full remote command execution beyond simple file read. ↗
- ·The CVSS exploitability subscore is 10/10 with low access complexity and no authentication required, despite a medium overall base score of 5.0. ↗
CVSS provenance
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck5.0MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-558f-5537-gq4c: Directory traversal vulnerability on Huawei HG532e, HG532n, and HG532s devices allows remote attackers to read arbitrary files via a
ghsa_unreviewed·2022-05-14
CVE-2015-7254 [MEDIUM] CWE-22 GHSA-558f-5537-gq4c: Directory traversal vulnerability on Huawei HG532e, HG532n, and HG532s devices allows remote attackers to read arbitrary files via a
Directory traversal vulnerability on Huawei HG532e, HG532n, and HG532s devices allows remote attackers to read arbitrary files via a .. (dot dot) in an icon/ URI.
VulnCheck
huawei hg532e Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2015·CVSS 5.0
CVE-2015-7254 [MEDIUM] huawei hg532e Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
huawei hg532e Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Directory traversal vulnerability on Huawei HG532e, HG532n, and HG532s devices allows remote attackers to read arbitrary files via a .. (dot dot) in an icon/ URI.
Affected: huawei hg532e
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.checkpoint.com/security/december-2021s-most-wanted-malware-trickbot-emotet-and-the-log4j-plague/; https://blog.checkpoint.com/security/april-2022s-most-wanted-malware-a-shake-up-in-the-index-but-emotet-is-still-on-top/; https://blog.checkpoint.com/security/april-2024s-most-wanted-malware-surge-in-androxgh0st-attacks-and-
No detection rules found.
Recorded Future
Huawei CPE Vulnerability and Kiddie Fun
blogs_recorded_future·CVSS 5.0
[MEDIUM] Huawei CPE Vulnerability and Kiddie Fun
# Huawei CPE Vulnerability and Kiddie Fun
Like most Recorded Future users I have a list of keywords (entities created from text fragments) that generate a daily alert summary of relevant results from the Web. Recorded Future’s applied NLP (natural language processing) makes the daily foreign language results especially interesting.
A recent alert caught my eye for its mysterious brevity (circled in red below).
Following the source of the “exploit” statement led to the below forum and a reference to CVE-2015-7254, which is a directory traversal vulnerability on specific Huawei CPE (Customer Premise Equipment) models. (Cisco claims CPE models HG532e, HG532n, and HG532s are affected.) Remote attackers are able to navigate to arbitrary directories starting from an absolute URI path ending i
Recorded Future
Huawei CPE Vulnerability and Kiddie Fun
blogs_recorded_future·CVSS 5.0
[MEDIUM] Huawei CPE Vulnerability and Kiddie Fun
## Huawei CPE Vulnerability and Kiddie Fun
Like most Recorded Future users I have a list of keywords (entities created from text fragments) that generate a daily alert summary of relevant results from the Web. Recorded Future’s applied NLP (natural language processing) makes the daily foreign language results especially interesting.
A recent alert caught my eye for its mysterious brevity (circled in red below).
Following the source of the “exploit” statement led to the below forum and a reference to CVE-2015-7254 , which is a directory traversal vulnerability on specific Huawei CPE (Customer Premise Equipment) models. ( Cisco claims CPE models HG532e, HG532n, and HG532s are affected .) Remote attackers are able to navigate to arbitrary directories starting from an absolute URI path endi
http://www.huawei.com/en/psirt/security-advisories/hw-462908http://www.kb.cert.org/vuls/id/438928http://www.securityfocus.com/bid/77506http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-462908.htmhttps://github.com/0xAdrian/scripts/blob/master/2015_7254_exploit.pyhttps://www.exploit-db.com/exploits/45991/http://www.huawei.com/en/psirt/security-advisories/hw-462908http://www.kb.cert.org/vuls/id/438928http://www.securityfocus.com/bid/77506http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-462908.htmhttps://github.com/0xAdrian/scripts/blob/master/2015_7254_exploit.pyhttps://www.exploit-db.com/exploits/45991/
2015-11-07
Published
Exploited in the wild