ET EXPLOIT D-Link HNAP SOAPAction Command Injection (CVE-2015-2051, CVE-2019-10891, CVE-2022,37056, CVE-2024-33112, CVE-2025-11488, CVE-2025-63932)
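Here you can find all the details about the rule "ET EXPLOIT D-Link HNAP SOAPAction Command Injection (CVE-2015-2051, CVE-2019-10891, CVE-2022,37056, CVE-2024-33112, CVE-2025-11488, CVE-2025-63932)". Propose edits, view related rules, and engage with the community through comments. Note that the rule's msg, and therefore this title, writes one identifier as "CVE-2022,37056" (comma instead of hyphen). The rule's own "reference:cve,2022-37056" keyword carries the correctly formatted ID, while the "cve_id" field of the record below omits that CVE. When searching for coverage of CVE-2022-37056, match on sid 2034491 or on the reference keywords rather than on "cve_id" alone.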
Rule Content
{
"id": 182790,
"format": "suricata",
"title": "ET EXPLOIT D-Link HNAP SOAPAction Command Injection (CVE-2015-2051, CVE-2019-10891, CVE-2022,37056, CVE-2024-33112, CVE-2025-11488, CVE-2025-63932)",
"license": "GPL-2.0",
"description": "No description provided",
"uuid": "3a081a01-f513-4236-b225-a69a4759962d",
"original_uuid": "2034491",
"source": "emerging-all.rules.zip by admin admin",
"author": "Unknown",
"creation_date": "2025-12-19 10:25",
"last_modif": "2025-12-19 10:25",
"vote_up": 0,
"vote_down": 0,
"user_id": 1,
"version": "7",
"to_string": "alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:\"ET EXPLOIT D-Link HNAP SOAPAction Command Injection (CVE-2015-2051, CVE-2019-10891, CVE-2022,37056, CVE-2024-33112, CVE-2025-11488, CVE-2025-63932)\"; flow:established,to_server; http.uri; content:\"/hnap1/\"; nocase; http.header; content:\"soapaction|3a 20|\"; nocase; content:\"http|3a 2f 2f|purenetworks|2e|com|2f|hnap1|2f|getdevicesettings\"; within:60; fast_pattern; nocase; pcre:\"/^[^\\x26]*?(?:(?:\\x3b|%3[Bb])|(?:\\x0a|%0[Aa])|(?:\\x60|%60)|(?:\\x7c|%7[Cc])|(?:\\x24|%24))+/R\"; reference:url,www.exploit-db.com/exploits/37171; reference:cve,2015-2051; reference:cve,2019-10891; reference:cve,2022-37056; reference:cve,2024-33112; reference:cve,2025-11488; reference:cve,2025-63932; classtype:attempted-admin; sid:2034491; rev:7; metadata:affected_product D_Link, attack_target Networking_Equipment, tls_state plaintext, created_at 2021_11_17, cve CVE_2015_2051, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_12_05, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services; target:dest_ip;)",
"is_favorited": false,
"cve_id": "{CVE-2015-2051,CVE-2019-10891,CVE-2024-33112,CVE-2025-11488,CVE-2025-63932}"
}
{
"uuid": "b7e19158-a2c9-4baa-b13e-f074e3eb80d4",
"Object": [
{
"name": "suricata",
"meta-category": "network",
"template_uuid": "3c177337-fb80-405a-a6c1-1b2ddea8684a",
"description": "An object describing one or more Suricata rule(s) along with version and contextual information.",
"template_version": "2",
"uuid": "43b7ddd8-057b-462b-82f6-8010232ea5f4",
"Attribute": [
{
"uuid": "0d3479c1-fd90-4310-abfa-93a778699f9f",
"object_relation": "suricata",
"value": "alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:\"ET EXPLOIT D-Link HNAP SOAPAction Command Injection (CVE-2015-2051, CVE-2019-10891, CVE-2022,37056, CVE-2024-33112, CVE-2025-11488, CVE-2025-63932)\"; flow:established,to_server; http.uri; content:\"/hnap1/\"; nocase; http.header; content:\"soapaction|3a 20|\"; nocase; content:\"http|3a 2f 2f|purenetworks|2e|com|2f|hnap1|2f|getdevicesettings\"; within:60; fast_pattern; nocase; pcre:\"/^[^\\x26]*?(?:(?:\\x3b|%3[Bb])|(?:\\x0a|%0[Aa])|(?:\\x60|%60)|(?:\\x7c|%7[Cc])|(?:\\x24|%24))+/R\"; reference:url,www.exploit-db.com/exploits/37171; reference:cve,2015-2051; reference:cve,2019-10891; reference:cve,2022-37056; reference:cve,2024-33112; reference:cve,2025-11488; reference:cve,2025-63932; classtype:attempted-admin; sid:2034491; rev:7; metadata:affected_product D_Link, attack_target Networking_Equipment, tls_state plaintext, created_at 2021_11_17, cve CVE_2015_2051, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_12_05, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services; target:dest_ip;)",
"type": "snort",
"disable_correlation": false,
"to_ids": true,
"category": "Network activity"
},
{
"uuid": "21818178-3167-4b3c-961a-3e9c90e3faa5",
"object_relation": "suricata-rule-name",
"value": "ET EXPLOIT D-Link HNAP SOAPAction Command Injection (CVE-2015-2051, CVE-2019-10891, CVE-2022,37056, CVE-2024-33112, CVE-2025-11488, CVE-2025-63932)",
"type": "text",
"disable_correlation": false,
"to_ids": false,
"category": "Other"
},
{
"uuid": "6164f3b8-f522-492a-badc-e06a710501f0",
"object_relation": "comment",
"value": "No description provided",
"type": "comment",
"disable_correlation": false,
"to_ids": false,
"category": "Other"
},
{
"uuid": "d4dbb1e6-1ba7-42e2-9a20-ab1c14d0af74",
"object_relation": "version",
"value": "7",
"type": "text",
"disable_correlation": false,
"to_ids": false,
"category": "Other"
},
{
"uuid": "9603d120-60c1-4067-8dbf-e4727b4703aa",
"object_relation": "reference",
"value": "emerging-all.rules.zip by admin admin",
"type": "link",
"disable_correlation": false,
"to_ids": false,
"category": "External analysis"
}
],
"distribution": "5",
"sharing_group_id": "0"
}
]
}
Similar Rules
The similarity is calculated using the TF-IDF (Term Frequency - Inverse Document Frequency) vectorization of each rule's text, followed by computing the cosine similarity between vectors.
This method compares the textual content of the rules, giving higher weight to distinctive terms and lower weight to common terms. It is robust to small changes in wording.
Learn more on the official scikit-learn documentation: TF-IDF Vectorizer & Cosine Similarity