Honeypot on Corvus Blog

CVE-2017-17215

Wed, 28 Jan 2026 00:00:00 +0000

Attack Summary

On January 28, 2026 at 21:01:11 UTC, IP address 60[.]19[.]220[.]0 attempted to exploit my ICS honeypot with CVE-2017-17215, a remote code execution vulnerability in Huawei HG532 routers. The attack targeted /boaform/admin/formLogin with default credentials (username=user&psd=user) via HTTP/1.0.

The IP has two recent reports on AbuseIPDB, indicating active malicious scanning.

CVE-2017-17215

CVE-2017-17215 is a remote code execution flaw in Huawei HG532 home gateways discovered in November 2017. The vulnerability exists in the router’s UPnP implementation, where the TR-064 protocol (designed for local network configuration) was exposed to the WAN through port 37215¹.

Conpot Honeypot: First Day Attack Analysis

Tue, 27 Jan 2026 00:00:00 +0000

Conpot Honeypot: First Day Attack Analysis

Within the first 6 hours of operation, my Conpot ICS honeypot (emulating a Siemens S7-1200 PLC) attracted 40+ distinct attack sessions from 30+ unique IP addresses across multiple continents. The attacks ranged from automated scanning to targeted industrial protocol exploitation, including the first documented S7comm diagnostic probe and a sustained Next.js remote code execution campaign.

This post analyzes the attack patterns observed, identifies gaps in the honeypot configuration, and extracts actionable threat intelligence for ICS security research.

Customizing Conpot for Realistic ICS Emulation

Mon, 26 Jan 2026 00:00:00 +0000

The Problem with Default Templates

Conpot’s default template emulates an S7-200 PLC with whimsical configuration values clearly designed for demonstration purposes rather than realism. Examining the default template.xml reveals:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10


<entity name="unit">S7-200</entity>
<key name="FacilityName">
 <value type="value">"Mouser Factory"</value>
</key>
<key name="SystemName">
 <value type="value">"Technodrome"</value>
</key>
<key name="sysLocation">
 <value type="value">"Venus"</value>
</key>

While functional for basic honeypot deployment, these values present several issues for research purposes:

Deploying an ICS Honeypot

Mon, 26 Jan 2026 00:00:00 +0000

As part of my MSc research in Information Security at Royal Holloway, University of London, I’ve been investigating the threat landscape facing industrial control systems (ICS) and SCADA infrastructure. One of the most effective ways to understand attacker behavior in this space is through honeypot deployment; specifically, using Conpot to emulate vulnerable industrial systems.

This post documents my process of deploying a production ICS honeypot on DigitalOcean, the technical considerations involved, and some initial observations from the deployment.