Zero-day vulnerability in Huawei HG532

Command injection

The vulnerability has been used in Satori attacks against Huawei's router model HG532. The most targeted countries include the United States, Italy, Germany, and Egypt.

Known malware:

Satori botnet, Mirai malware

Vulnerability details

Advisory: SB2017122501 - Remote code execution in Huawei HG532 routers

Vulnerable component: Huawei HG532

CVE-ID: CVE-2017-17215

CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:H/RL:W/RC:C

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')


The vulnerability allows a remote attacker with administrator privileges to perform a command injection attack on the target system.

The weakness exists because the implementation of TR-064 (a technical report standard defining an application-layer protocol for remote management) in the affected Huawei devices is exposed on the public Internet through the Universal Plug and Play (UPnP) protocol on port 37215. A remote attacker can inject the shell metacharacters “$()” into the NewStatusURL and NewDownloadURL parameters to inject arbitrary commands and execute arbitrary code.

Successful exploitation of the vulnerability allows an attacker to download and execute a malicious payload on the Huawei routers and install the Satori botnet malware, which may result in system compromise.
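As an added example that is not part of the advisory, the following Python shows the defensive check the advisory implies: the two TR-064 parameters it names are pulled out of a request body, flagged when they carry the shell syntax it describes, and otherwise held to a strict URL allowlist of the kind the device should have enforced before building a shell command. The XML wrapper and sample bodies are constructed for the example, not captured traffic.

```python
import re

# TR-064 parameters the advisory names as the injection points.
WATCHED_FIELDS = ("NewDownloadURL", "NewStatusURL")

# Shell syntax that must never reach a shell-built upgrade command.
# "$(" is the construct the advisory names; the others are its usual companions.
SHELL_META = re.compile(r"\$\(|\$\{|`|;|\|\||&&|\||&|\n|\r")

# Allowlist a firmware URL must match: scheme, host[:port], simple path.
# Deliberately tighter than RFC 3986; it excludes every character above.
SAFE_URL = re.compile(r"^https?://[A-Za-z0-9.-]+(?::\d{1,5})?(?:/[A-Za-z0-9._~%/-]*)?$")


def extract_fields(body: str) -> dict:
    """Pull the watched parameters out of a SOAP/XML request body."""
    found = {}
    for name in WATCHED_FIELDS:
        m = re.search(rf"<{name}>(.*?)</{name}>", body, re.DOTALL)
        if m:
            found[name] = m.group(1).strip()
    return found


def is_safe_url(value: str) -> bool:
    """Mitigation side: accept only values that match the allowlist."""
    return bool(SAFE_URL.match(value))


def flag_request(body: str) -> list:
    """Detection side: return [(field, value, reason)] for every failing field.

    reason is 'shell-metachar' when injection syntax is present, otherwise
    'not-allowlisted' (unexpected scheme, whitespace, stray characters)."""
    hits = []
    for name, value in extract_fields(body).items():
        if SHELL_META.search(value):
            hits.append((name, value, "shell-metachar"))
        elif not is_safe_url(value):
            hits.append((name, value, "not-allowlisted"))
    return hits


# Constructed sample bodies (not captured traffic): one benign, one injected.
BENIGN = ("<body><NewDownloadURL>http://192.0.2.10:8080/fw.bin</NewDownloadURL>"
          "<NewStatusURL>http://192.0.2.10/status</NewStatusURL></body>")
INJECTED = ("<body><NewDownloadURL>$(echo constructed)</NewDownloadURL>"
            "<NewStatusURL>http://192.0.2.10/status</NewStatusURL></body>")

if __name__ == "__main__":
    print("benign  :", flag_request(BENIGN))
    print("injected:", flag_request(INJECTED))
```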

Note: the vulnerability is being actively exploited.