CVE-2017-7577
Published 2017-04-07
CVE-2017-7577: XiongMai uc-httpd has directory traversal allowing the reading of arbitrary files via a "GET ../" HTTP request.
Priority: P184 · critical · 9.8 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 28.75% (97.9th percentile)
Detection & IOCs
snort
alert http $EXTERNAL_NET any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Xiongmai/HiSilicon DVR - Request for User Details - Possible CVE-2017-7577 Exploit Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"mnt/mtd/Config/Account1"; nocase; endswith; fast_pattern; reference:cve,2017-7577; reference:url,vulncheck.com/blog/xiongmai-iot-exploitation; reference:url,github.com/tothi/pwn-hisilicon-dvr/blob/master/pwn_hisilicon_dvr.py; classtype:web-application-attack; sid:2041451; rev:1; metadata:attack_target IoT, created_at 2022_12_01, cve CVE_2017_7577, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Minor, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_12_01;)
snort
alert http $EXTERNAL_NET any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Xiongmai/HiSilicon DVR - Request for Product Details Possible CVE-2017-7577 Exploit Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"mnt/custom/ProductDefinition"; nocase; endswith; fast_pattern; reference:cve,2017-7577; reference:url,vulncheck.com/blog/xiongmai-iot-exploitation; reference:url,github.com/tothi/pwn-hisilicon-dvr/blob/master/pwn_hisilicon_dvr.py; classtype:web-application-attack; sid:2041450; rev:1; metadata:attack_target IoT, created_at 2022_12_01, cve CVE_2017_7577, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Minor, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_12_01;)
- Exploit attempts target specific sensitive file paths via directory traversal in HTTP GET URIs; monitor for URIs ending with 'mnt/mtd/Config/Account1' (user credentials) or 'mnt/custom/ProductDefinition' (device info) on IoT/DVR devices.
- The attack uses HTTP GET requests with '../' traversal sequences; detection should focus on inbound HTTP traffic from external networks to HTTP servers/home network devices.
- ET SIDs 2041450 and 2041451 cover the two primary exploit paths (product details and account credential harvesting respectively); deploy at perimeter with low performance impact.
- Snort rules use 'endswith' on the URI content match, meaning the traversal path must terminate the URI; payloads with trailing slashes or query strings may evade these signatures.
- Rules are classified as confidence Medium and signature_severity Minor by Proofpoint Nexus; tune thresholds accordingly and do not rely solely on these signatures for high-confidence alerting.
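Added example (not part of the ET ruleset or of any source quoted on this page): a log-hunting check that looks for the same two URI suffixes after stripping query strings and trailing slashes, the gap the 'endswith' note above describes. The log format, function names and sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# URI suffixes taken from the two ET rules quoted on this page (lower-cased).
SUFFIXES = {
    "mnt/mtd/config/account1": 2041451,       # user details
    "mnt/custom/productdefinition": 2041450,  # product details
}
# Assumed log format: the request line appears in double quotes.
REQUEST = re.compile(r'"([A-Z]+) (\S+)(?: HTTP/[\d.]+)?"')


def normalize(target: str) -> str:
    """Reduce a raw request target to a lower-case path, no query, no trailing '/'."""
    path = urlsplit(target).path               # drops ?query and #fragment
    path = unquote(path).replace("\\", "/")    # one round of percent-decoding
    path = re.sub(r"/{2,}", "/", path)         # collapse repeated slashes
    return path.rstrip("/").lower()


def classify(line: str):
    """Return a finding dict for a matching GET request, else None."""
    m = REQUEST.search(line)
    if not m or m.group(1) != "GET":
        return None
    path = normalize(m.group(2))
    for suffix, sid in SUFFIXES.items():
        if path.endswith(suffix):
            return {"sid": sid, "path": path, "traversal": "../" in path,
                    "src": line.split(" ", 1)[0]}
    return None


def hunt(lines):
    """Collect findings for every matching line."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample lines (documentation IP ranges), not captured traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Dec/2022:10:00:00 +0000] "GET /../../mnt/mtd/Config/Account1 HTTP/1.0" 200 512',
    '203.0.113.5 - - [01/Dec/2022:10:00:02 +0000] "GET /../../mnt/mtd/Config/Account1?x=1 HTTP/1.0" 200 512',
    '203.0.113.5 - - [01/Dec/2022:10:00:04 +0000] "GET /../../mnt/custom/ProductDefinition/ HTTP/1.0" 200 301',
    '198.51.100.7 - - [01/Dec/2022:10:01:00 +0000] "GET /index.htm HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

The second and third sample lines are the cases a strict end-of-URI match would miss; a 200 response to any hit from an external source is worth treating as a credential-exposure event for that device.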
CVSS provenance
nvd · v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck · 9.8 CRITICAL
GHSA
GHSA-rgg2-jx9v-88r4: XiongMai uc-httpd has directory traversal allowing the reading of arbitrary files via a "GET
ghsa_unreviewed·2022-05-14
CVE-2017-7577 [CRITICAL] CWE-22 GHSA-rgg2-jx9v-88r4: XiongMai uc-httpd has directory traversal allowing the reading of arbitrary files via a "GET
XiongMai uc-httpd has directory traversal allowing the reading of arbitrary files via a "GET ../" HTTP request.
VulnCheck
xiongmaitech uc-httpd Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2017·CVSS 9.8
CVE-2017-7577 [CRITICAL] xiongmaitech uc-httpd Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
XiongMai uc-httpd has directory traversal allowing the reading of arbitrary files via a "GET ../" HTTP request.
Affected: xiongmaitech uc-httpd
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2017-7577&date=2026-05-22
Exploit PoC: https://vulncheck.com/xdb/a163b93feb72
Suricata
ET EXPLOIT Xiongmai/HiSilicon DVR - Request for User Details - Possible CVE-2017-7577 Exploit Attempt
suricata·2022-12-01·CVSS 9.8
CVE-2017-7577 [CRITICAL] ET EXPLOIT Xiongmai/HiSilicon DVR - Request for User Details - Possible CVE-2017-7577 Exploit Attempt
Rule: alert http $EXTERNAL_NET any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Xiongmai/HiSilicon DVR - Request for User Details - Possible CVE-2017-7577 Exploit Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"mnt/mtd/Config/Account1"; nocase; endswith; fast_pattern; reference:cve,2017-7577; reference:url,vulncheck.com/blog/xiongmai-iot-exploitation; reference:url,github.com/tothi/pwn-hisilicon-dvr/blob/master/pwn_hisilicon_dvr.py; classtype:web-application-attack; sid:2041451; rev:1; metadata:attack_target IoT, created_at 2022_12_01, cve CVE_2017_7577, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Minor, tag
Suricata
ET EXPLOIT Xiongmai/HiSilicon DVR - Request for Product Details Possible CVE-2017-7577 Exploit Attempt
suricata·2022-12-01·CVSS 9.8
CVE-2017-7577 [CRITICAL] ET EXPLOIT Xiongmai/HiSilicon DVR - Request for Product Details Possible CVE-2017-7577 Exploit Attempt
Rule: alert http $EXTERNAL_NET any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Xiongmai/HiSilicon DVR - Request for Product Details Possible CVE-2017-7577 Exploit Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"mnt/custom/ProductDefinition"; nocase; endswith; fast_pattern; reference:cve,2017-7577; reference:url,vulncheck.com/blog/xiongmai-iot-exploitation; reference:url,github.com/tothi/pwn-hisilicon-dvr/blob/master/pwn_hisilicon_dvr.py; classtype:web-application-attack; sid:2041450; rev:1; metadata:attack_target IoT, created_at 2022_12_01, cve CVE_2017_7577, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Min
No public exploits indexed.
arXiv
TORCHLIGHT: Shedding LIGHT on Real-World Attacks on Cloudless IoT Devices Concealed within the Tor Network
arxiv_fulltext·2025-01-28
TORchlight: Shedding Light on Real-World Attacks on Cloudless IoT Devices Concealed within the Tor Network
Yumingzhi Pan, Zhen Ling, Yue Zhang, Hongze Wang, Guangchi Liu, Junzhou Luo, Xinwen Fu
Corresponding author: Prof. Zhen Ling of Southeast University, China.
Southeast University, Email: {pymz, zhenling, wanghongze, gc-liu, jluo}@seu.edu.cn
Drexel University
University of Massachusetts Lowell
## Abstract
The rapidly expanding Internet of Things (IoT) landscape is shifting toward cloudless architectures, removing reliance on centralized cloud services but exposing devices directly to the internet and increasing their vulnerability to cyberattacks. Our research revealed an unexpected pattern of substantial Tor net
Greynoiseio
NoiseLetter August 2024
blogs_greynoiseio