Attack Chain

1. An unauthenticated attacker sends a GET request to the /api/system/deviceinfo endpoint on the Huawei HG630 V2 router.
2. The router responds with device information, including the SerialNumber field, without requiring authentication.
3. The attacker extracts the SerialNumber value from the response.
4. The attacker isolates the last 8 characters of the extracted SerialNumber.
5. The attacker attempts to log in to the router’s administrative interface via a web browser.
6. The attacker uses “admin” as the username and the last 8 characters of the SerialNumber as the password.
7. If the default credentials have not been changed, the attacker successfully authenticates as an administrator.
8. The attacker gains full administrative access to the router and can modify settings, potentially compromising the network.

Impact

Successful exploitation of CVE-2020-37220 allows an unauthenticated attacker to gain complete administrative control of the Huawei HG630 V2 router. This access enables the attacker to modify router settings, intercept network traffic, conduct man-in-the-middle attacks, or use the compromised device as a pivot point for further attacks within the network. The lack of authentication on a critical endpoint makes this vulnerability particularly severe, potentially impacting a large number of users relying on this router model.

Recommendation

• Deploy the Sigma rule Detect Huawei HG630 V2 Device Info Request to monitor for suspicious requests to the /api/system/deviceinfo endpoint.
• Deploy the Sigma rule Detect Huawei HG630 V2 Successful Admin Login to identify successful logins using credentials derived from the serial number.
• Apply configuration changes to restrict access to the /api/system/deviceinfo endpoint if possible based on the device capabilities.
• Monitor webserver logs for requests to /api/system/deviceinfo and correlate with subsequent login attempts.