CVE-2015-7254
published 2015-11-07


Priority: P274, medium, 5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 27.53% (97.8th percentile)
Directory traversal vulnerability on Huawei HG532e, HG532n, and HG532s devices allows remote attackers to read arbitrary files via a .. (dot dot) in an icon/ URI.

Detection & IOCs (extracted from sources)

url: http://<ip>:37215/icon/../../../<path>
url: http://192.168.1.1:37215/ctrlt/DeviceUpgrade_1
port: 37215
path: /icon/../../../
path: /tmp/ccmd
path: /tmp/cpwd
command: cd {} ; {} > {} ; pwd > {}
other: dslf-config:admin (HTTPDigestAuth credentials)
other: HUAWEIUPNP (marker string in exploit payload)
url: tr064dev.xml (Shodan fingerprint query)

  • Detect HTTP requests to port 37215 containing path traversal sequences (/../) under the /icon/ URI path, indicative of CVE-2015-7254 exploitation against Huawei HG532e/n/s devices.
  • Detect HTTP POST requests to /ctrlt/DeviceUpgrade_1 on port 37215 using HTTP Digest Authentication with credentials 'dslf-config'/'admin', which is the hardcoded credential pair used in the exploit.
  • Alert on HTTP request bodies containing the string 'HUAWEIUPNP', which is a unique marker injected by the exploit payload into the DeviceUpgrade_1 endpoint.
  • Monitor for HTTP requests with User-Agent 'Mozilla' (bare, no version string) to port 37215, as used by the exploit's fetch_url function.
  • Scan for internet-exposed Huawei CPE devices by querying for 'tr064dev.xml', which identifies approximately 66,000 potentially vulnerable devices on Shodan.
  • The exploit combines directory traversal (CVE-2015-7254) on port 37215 with a separate command injection step via POST to /ctrlt/DeviceUpgrade_1 using hardcoded Digest Auth credentials, enabling full remote command execution beyond simple file read.
  • The CVSS exploitability subscore is 10/10 with low access complexity and no authentication required, despite a medium overall base score of 5.0.
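
The request-level checks in the bullets above can be combined into one classifier for parsed proxy or IDS records. This is an added example, not code from this page or its sources: the record field names (dst_port, method, path, headers, body) and the rule names are assumptions, the sample requests are constructed, and the percent-decoding step goes beyond the literal /../ match to also flag encoded forms.

```python
import re
from urllib.parse import unquote

HG532_PORT = 37215  # port from the IOC list above
DIGEST_USER = re.compile(r'^\s*Digest\b.*\busername="dslf-config"', re.I | re.S)

def decode_path(raw, rounds=3):
    """Drop the query string, then percent-decode until stable (bounded)."""
    path = raw.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def classify(req):
    """Return the names of the detection rules a request record matches."""
    if req.get("dst_port") != HG532_PORT:
        return []
    hits = []
    path = decode_path(req.get("path", ""))
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    if path.lower().startswith("/icon/") and ".." in path.split("/"):
        hits.append("icon-traversal")
    # Digest auth never sends the password, so only the username is matchable.
    if (req.get("method") == "POST" and path == "/ctrlt/DeviceUpgrade_1"
            and DIGEST_USER.search(headers.get("authorization", ""))):
        hits.append("deviceupgrade-default-digest-user")
    if "HUAWEIUPNP" in req.get("body", ""):
        hits.append("huaweiupnp-marker")
    if headers.get("user-agent", "").strip() == "Mozilla":
        hits.append("bare-mozilla-ua")
    return hits

# Constructed request records (not captured traffic); field names are assumed.
SAMPLES = [
    {"dst_port": 37215, "method": "GET", "path": "/icon/../../../example.txt",
     "headers": {"User-Agent": "Mozilla"}, "body": ""},
    {"dst_port": 37215, "method": "GET", "path": "/icon/%2e%2e/%252e%252e/x",
     "headers": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"}, "body": ""},
    {"dst_port": 37215, "method": "POST", "path": "/ctrlt/DeviceUpgrade_1",
     "headers": {"Authorization": 'Digest username="dslf-config", realm="r"'},
     "body": "<x>HUAWEIUPNP</x>"},
    {"dst_port": 37215, "method": "GET", "path": "/icon/logo.png",
     "headers": {"User-Agent": "Mozilla/5.0"}, "body": ""},
    {"dst_port": 80, "method": "GET", "path": "/icon/../x", "headers": {}, "body": ""},
]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["path"], "->", classify(sample) or "no match")
```

Several rules firing on requests from one source address is a stronger signal than any single rule, since the bare User-Agent and the port alone can appear in unrelated traffic.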

CVSS provenance

nvd: v2.0, 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck: 5.0 MEDIUM