Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
High

Remote Code Execution in Huawei HG532 SOAP Service

IdentifiersCVE-2017-17215CWE-78

CVE-2017-17215 is a remote code execution vulnerability affecting Huawei HG532 routers, including some customized versions. The flaw is exposed through the device's SOAP service listening on TCP port 37215. According to the provided content, an authenticated attacker can send malicious packets to port 37215 and trigger execution of arbitrary code on the device. The vulnerability has been widely incorporated into Mirai-family and other IoT botnet propagation modules targeting Huawei HG532 devices.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows remote execution of arbitrary code on the vulnerable router. In practice, the vulnerability has been used to compromise internet-exposed IoT devices, deploy botnet malware, and conscript affected routers into large-scale DDoS and propagation infrastructure. Compromise of the router can also provide attackers persistent control of the device and a foothold for further malicious activity on the local network.

Mitigation

If you can’t patch tonight, do this now.

Restrict or block access to the SOAP service on TCP port 37215 from untrusted networks, especially the public internet. Limit management exposure through firewall rules or ACLs, disable remote administration features that are not required, and place affected routers behind trusted management boundaries. Where patching is unavailable, replace vulnerable devices and monitor for exploitation attempts targeting port 37215 and known botnet activity.

Remediation

Patch, then assume compromise.

Apply the vendor-provided security update or fixed firmware for affected Huawei HG532 devices and customized variants, if available from Huawei or the ISP/OEM maintaining the customized build. Because the content indicates only some customized versions are affected, remediation should include validating the exact firmware build and replacing unsupported or end-of-life devices that no longer receive fixes.
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 2 candidates as fakes, detection scripts, or README-only repos.

VALID 0 / 2 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Huawei TechnologiesHg532 Firmwareoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

29 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

29 SOURCESView more in app
reddit netsecNews
May 27, 2026
A week after Dutch FIOD seized 800+ servers, the hosting network's ASN (AS209847) is still scanning at its normal daily rate : r/netsec

A known vulnerability identified as CVE-2017-17215 that is being probed during scanning activity from the referenced ASN.

Read more
mdpiNews
May 2, 2026
Evolving IoT Botnet Threats and Practical Honeypot Observation: A Summary Review and Experimental Study

An IoT vulnerability cited as an example of weak default credentials used to emulate common botnet-targeted device weaknesses in the honeypot study.

Read more
cyfirma otherNews
Apr 22, 2026
CHINA CYBERSECURITY THREAT INTELLIGENCE REPORT - CYFIRMA

A critical vulnerability affecting NETGEAR routers that remains actively relevant in detections and has publicly available exploit code per the report.

Read more
help net securityNews
Apr 22, 2026
New Mirai variants target routers and DVRs in parallel campaigns - Help Net Security

A vulnerability affecting older Huawei devices for which Nexcorium includes a bundled exploit.

Read more
+24 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence5

Every observed campaign linking this CVE to a named adversary.

Associated malware21

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2017-17215
NVD
nvd.nist.gov/vuln/detail/CVE-2017-17215
MITRE CWE · CWE-78
cwe.mitre.org
Vendor Advisory
huawei.com/en/psirt/security-notices/huawei-sn-20171130-01-hg532-en
Third Party Advisory
securityfocus.com/bid/102344