Remote code execution in Huawei HG532 routers
| Risk | Critical |
| Patch available | NO |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2017-17215 |
| CWE-ID | CWE-77 |
| Exploitation vector | Network |
| Public exploit | This vulnerability is being exploited in the wild. |
| Vulnerable software |
Huawei HG532 Hardware solutions / Routers for home users |
| Vendor | Huawei |
Security Bulletin
This security bulletin contains one critical risk vulnerability.
1) Command injection
EUVDB-ID: #VU9722
Risk: Critical
CVSSv4.0: 8.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]
CVE-ID: CVE-2017-17215
CWE-ID:
CWE-77 - Command injection
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker with administrator privileges to perform command injection attack on the target system.
The weakness exists due to the implementation of the TR-064 (technical report standard), an application layer protocol for remote management, in the Huawei devices was exposed on the public Internet through Universal Plug and Play (UPnP) protocol at port 37215. A remote attacker can inject shell meta-characters “$()” in the NewStatusURL and NewDownloadURL, inject arbitrary commands and execute arbitrary code.
Successful exploitation of the vulnerability allows to download and execute the malicious payload on the Huawei routers and upload Satori botnet that may result in system compromise.
Note: the vulnerability is being actively exploited.
Customers can take the following measures to circumvent or prevent the exploit of this vulnerability. For details, consult the local service provider or Huawei TAC.
(1) Configure the built-in firewall function.
(2) Change the default password.
(3) Deploy a firewall at the carrier side.
The customers can deploy Huawei NGFWs (Next Generation Firewall) or data center firewalls, and upgrade the IPS signature database to the latest version IPS_H20011000_2017120100 released on December 1, 2017 to detect and defend against this vulnerability exploits initiated from the Internet.
Vulnerable software versionsHuawei HG532: All versions
CPE2.3 External linkshttp://research.checkpoint.com/good-zero-day-skiddie/
http://www.huawei.com/en/psirt/security-notices/huawei-sn-20171130-01-hg532-en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
