Zero-day vulnerability in Huawei HG532

Command injection

The vulnerability has been used in Satori attacks against Huawei's router model HG532. The most targeted countries include the United States, Italy, Germany, and Egypt.

Known malware:

Satori botnet, Mirai malware

Vulnerability details

Advisory: SB2017122501 - Remote code execution in Huawei HG532 routers

Vulnerable component: Huawei HG532

CVE-ID: CVE-2017-17215

CVSSv3 score: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:H/RL:W/RC:C

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')


The vulnerability allows a remote attacker with administrator privileges to perform a command injection attack on the target system.

The weakness exists because the implementation of TR-064 (a technical report standard defining an application-layer protocol for remote management) in the affected Huawei devices was exposed to the public Internet through the Universal Plug and Play (UPnP) protocol on port 37215. A remote attacker can inject the shell metacharacters “$()” into the NewStatusURL and NewDownloadURL parameters to inject arbitrary commands and execute arbitrary code.

Successful exploitation of the vulnerability allows an attacker to download and execute a malicious payload on the Huawei routers and install the Satori bot, which may result in system compromise.

Note: the vulnerability is being actively exploited.
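The advisory names the two TR-064 parameters that reach a shell (NewStatusURL and NewDownloadURL) and the “$()” substitution syntax abused in them. The defensive fix is not to block-list shell metacharacters one by one but to accept only values that are plain http(s) URLs built from a strict character allow-list, so that “$()”, backticks, “;”, “|”, quotes and whitespace are all rejected. The following is an added example (not code from the advisory, from Huawei, or from the Satori samples) showing such a check run over constructed SOAP bodies; the action name `Upgrade`, the namespace `urn:example:tr064:constructed`, the 192.0.2.x addresses and the `$(PLACEHOLDER_COMMAND)` marker are all constructed for the example and are not the device's real schema or any real payload.

```python
"""Allow-list check for the TR-064 URL parameters named in CVE-2017-17215.

Added example, not taken from the advisory or from Huawei. It parses a TR-064
SOAP request body, extracts NewStatusURL / NewDownloadURL, and accepts each
only if it is a well-formed http(s) URL made of allow-listed characters.
The SOAP samples and the namespace 'urn:example:tr064:constructed' are
constructed for this example.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Parameter names given in the advisory as the injection points.
SENSITIVE_PARAMS = frozenset({"NewStatusURL", "NewDownloadURL"})

# Strict allow-list: http(s) scheme, hostname or dotted IPv4 literal, optional
# port, and an optional path/query built from a small set of URL characters.
# Everything else ('$(...)', backticks, ';', '|', quotes, spaces) fails here,
# so it can never be handed to a shell.
_SAFE_URL_RE = re.compile(
    r"^https?://"
    r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}"      # host: DNS label chars or IPv4 digits/dots
    r"(?::[0-9]{1,5})?"                      # optional :port
    r"(?:/[A-Za-z0-9._~%/-]*)?"              # optional path
    r"(?:\?[A-Za-z0-9._~%&=/-]*)?$"          # optional query string
)


def is_safe_url(value: str) -> bool:
    """Return True only for a plain http(s) URL whose every character is allow-listed."""
    if not _SAFE_URL_RE.match(value):
        return False
    parsed = urlparse(value)
    try:
        port = parsed.port            # raises ValueError when outside 0-65535
    except ValueError:
        return False
    if port is not None and not 0 < port < 65536:
        return False
    return parsed.scheme in ("http", "https") and bool(parsed.hostname)


def _local_name(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def inspect_tr064_body(body: str) -> dict:
    """Inspect one SOAP body and return a verdict plus the parameters examined.

    Result: {"verdict": "allow" | "block" | "malformed",
             "params": {name: value}, "rejected": [names failing the allow-list]}
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {"verdict": "malformed", "params": {}, "rejected": []}
    params, rejected = {}, []
    for elem in root.iter():
        name = _local_name(elem.tag)
        if name in SENSITIVE_PARAMS:
            value = (elem.text or "").strip()
            params[name] = value
            if not is_safe_url(value):
                rejected.append(name)
    return {"verdict": "block" if rejected else "allow",
            "params": params, "rejected": sorted(rejected)}


# Constructed request bodies for demonstration; action name and namespace are
# placeholders, not Huawei's real TR-064 schema.
_TEMPLATE = (
    '<?xml version="1.0"?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
    '<s:Body><u:Upgrade xmlns:u="urn:example:tr064:constructed">'
    "<NewStatusURL>{status}</NewStatusURL>"
    "<NewDownloadURL>{download}</NewDownloadURL>"
    "</u:Upgrade></s:Body></s:Envelope>"
)

BENIGN_BODY = _TEMPLATE.format(
    status="http://192.0.2.10/status", download="http://192.0.2.10/fw/image.bin")
# A '$()' substitution where a URL belongs; the command is a placeholder marker.
INJECTION_BODY = _TEMPLATE.format(
    status="$(PLACEHOLDER_COMMAND)", download="http://192.0.2.10/fw/image.bin")

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("injection", INJECTION_BODY)):
        print(label, inspect_tr064_body(body))
```

The allow-list is deliberately narrower than RFC 3986 permits (no `;`, `(`, `)`, `'` or `!` in paths), because here the value is known to be interpolated into a shell command; a legitimate firmware or status URL does not need those characters, and rejecting them costs nothing. The same check generalizes to any management parameter that a device passes to a shell, not only the two parameters in this advisory.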

Latest references in media:

- Malware Alert: Mirai Alias Miori Is Being Dispensed Via RCE Exploits [2018-12-23 09:51:05]

- Mirai Malware Attack as Miori Delivered via RCE Exploit [2018-12-22 03:31:03]

- With Mirai Comes Miori: IoT Botnet Delivered via ThinkPHP Remote Code Execution Exploit [2018-12-20 14:30:17]

- Attackers increasingly exploiting vulnerabilities to enlarge their IoT botnets [2018-12-14 08:20:19]

- Attackers increasingly exploiting vulnerabilities to enlarge their IoT botnets [2018-12-14 08:10:13]

- Mirai, Gafgyt IoT botnets stab systems with Apache Struts, SonicWall exploits | ZDNet [2018-09-10 12:00:08]

- Department of Labour denies server compromise in recent cyberattack | ZDNet [2018-09-04 10:20:07]

- Federal prosecutors indict 20-year-old youngster behind Satori botnet [2018-09-04 05:51:04]

- New Hakai IoT botnet takes aim at D-Link, Huawei, and Realtek routers | ZDNet [2018-09-03 16:30:05]

- Federal prosecutors indicted a 20-year-old man who built the Satori botnet [2018-08-31 16:30:12]

- Huawei Home Routers in Botnet Recruitment [2018-08-16 21:01:20]

- A Botnet consisting of 18,000 Routers Created In Under 24 Hours By a Hacker [2018-07-24 01:31:14]

- Experts warn of new campaigns leveraging Mirai and Gafgyt variants [2018-07-23 23:00:12]

- A Botnet Compromises 18,000 Huawei Routers [2018-07-22 05:50:56]

- Anarchy botmaster builds a botnet of 18,000 Huawei routers in a few hours [2018-07-20 15:20:09]

- IoT hacker builds Huawei-based botnet, enslaves 18,000 devices in one day | ZDNet [2018-07-20 13:10:07]

- Router Crapfest: Malware Author Builds 18,000-Strong Botnet in a Day [2018-07-19 13:40:18]

- Why Banning Risks to Cybersecurity Doesn’t Actually Improve Cybersecurity [2018-07-05 08:40:10]

- Huawei Home Routers in Botnet Recruitment [2018-06-19 02:51:06]

- Huawei Home Routers in Botnet Recruitment [2018-06-19 01:32:49]

- Mirai Variants Continue to Spawn in Vulnerable IoT Ecosystem [2018-06-06 07:08:41]

- BrickerBot mod_plaintext Analysis [2018-05-29 04:07:47]

- Attackers Use UPnP to Sidestep DDoS Defenses [2018-05-15 22:06:09]

- New Hacking Tool Lets Users Access a Bunch of DVRs and Their Video Feeds [2018-05-02 11:42:00]

- BrickerBot mod_plaintext Analysis [2018-04-05 15:35:32]

- BrickerBot mod_plaintext Analysis [2018-03-29 04:16:09]

- BrickerBot mod_plaintext Analysis [2018-03-26 00:28:24]

- BrickerBot mod_plaintext Analysis [2017-12-19 01:00:00]

- A New Internet of Things Botnet Originated on 'Grand Theft Auto' Servers [2018-02-15 19:11:24]

- A New Internet of Things Botnet Originated on 'Grand Theft Auto' Servers [2018-02-15 19:00:22]

- JenX botnet leverages Grand Theft Auto videogame community to infect devices [2018-02-03 13:10:13]

- JenX Botnet Has Grand Theft Auto Hook [2018-02-02 19:40:07]

- Adobe Flash Player Zero-Day Spotted in the Wild [2018-02-01 21:50:41]

- Satori Author Linked to New Mirai Variant Masuta [2018-01-24 01:00:06]

- Satori Botnet Is Now Attacking Ethereum Mining Rigs [2018-01-17 11:12:55]

- Mirai Okiru botnet targets for first time ever in the history ARC-based IoT devices [2018-01-15 00:02:12]

- Satori IoT botnet malware code given away for Christmas | ZDNet [2018-01-03 11:30:04]

- Security Affairs newsletter Round 143 – News of the week [2017-12-31 13:40:06]

- Huawei router exploit (CVE-2017-17215) involved in Satori and Brickerbot was leaked online [2017-12-29 15:30:17]

- Code Used in Zero Day Huawei Router Attack Made Public [2017-12-28 20:10:11]

- Satori/Okiku IoT Botnet Recruits Hundreds of Thousands of Huawei Routers for DDoS Army [2017-12-23 09:50:03]

- Satori is the latest Mirai botnet variant that is targeting Huawei HG532 home routers [2017-12-23 08:10:10]

- Huawei Router Vulnerability Used to Spread Mirai Variant [2017-12-23 00:10:12]

- Mirai Variant "Satori" Targets Huawei Routers [2017-12-22 17:30:22]

- Amateur Hacker Behind Satori Botnet [2017-12-22 11:14:22]

Vulnerability Scanning SaaS

The vulnerability scanning SaaS is an online, 3rd-generation vulnerability scanner with scheduled assessments and a vulnerability subscription. You can use the service to check the security of your network perimeter.