Detect CVE-2022-37055 D-Link Router Buffer Overflow Exploitation in Google Chronicle
Detects exploitation attempts targeting CVE-2022-37055, a buffer overflow vulnerability (CWE-120) in D-Link routers. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Attackers may exploit this vulnerability to achieve remote code execution on affected D-Link routers, potentially enabling network pivoting, persistent access, or botnet enrollment.
MITRE ATT&CK
YARA-L Detection Query
rule cve_2022_37055_dlink_buffer_overflow {
meta:
author = "df00tech Detection Engineering"
description = "Detects exploitation attempts for CVE-2022-37055 D-Link Router Buffer Overflow"
severity = "CRITICAL"
priority = "HIGH"
reference = "https://nvd.nist.gov/vuln/detail/CVE-2022-37055"
created = "2025-12-08"
events:
$e.metadata.event_type = "NETWORK_HTTP"
$e.target.port in (80, 443, 8080, 8443, 23)
(
re.regex($e.network.http.request_url, `(\.\./|%2F\.\.%2F|cmd=|shell=|/bin/sh|/bin/bash)`) or
$e.network.sent_bytes > 65000 or
re.regex($e.metadata.description, `(?i)(cve-2022-37055|d-link.*overflow|buffer.*overflow.*router)`)
)
$e.target.asset.attribute.labels["vendor"] = /(?i)d-link/
$src_ip = $e.principal.ip
$dst_ip = $e.target.ip
match:
$src_ip, $dst_ip over 10m
outcome:
$risk_score = max(
if($e.network.sent_bytes > 65000, 70) +
if(re.regex($e.network.http.request_url, `(\.\./|cmd=|shell=)`), 90) +
if(re.regex($e.metadata.description, `(?i)cve-2022-37055`), 100)
)
condition:
$e
}Chronicle YARA-L rule detecting D-Link router buffer overflow exploitation attempts matching CVE-2022-37055 via HTTP anomalies, large payloads, and path traversal patterns in network telemetry.
Data Sources
Required Tables
False Positives & Tuning
- Authorized vulnerability scanners targeting D-Link devices in managed network segments
- Legitimate firmware upgrade traffic matching large payload thresholds
- Development environments with D-Link test devices receiving automated config pushes
- Misconfigured Chronicle entity labels incorrectly tagging non-D-Link devices as D-Link vendor
Other platforms for CVE-2022-37055
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2022-37055 Buffer Overflow Simulation via Oversized HTTP POST
Expected signal: Network logs showing HTTP POST request to port 80 with Content-Length > 65000 bytes destined for router management interface IP. IDS alerts for anomalous payload size.
- Test 2Path Traversal Probe Against D-Link Router Management Interface
Expected signal: Web server access logs or proxy logs showing GET requests with '../' or '%2F..%2F' sequences to router management CGI paths. Firewall logs capturing the HTTP request URLs.
- Test 3Reverse Shell Listener Simulation Post Router Compromise
Expected signal: Netflow/IPFIX records showing TCP connection attempts from router management IP to high-risk ports (4444, 1337, etc.). EDR network telemetry if agent is installed on network capture host.
- Test 4CVE-2022-37055 IDS Signature Validation
Expected signal: IDS/IPS alerts firing on CVE-2022-37055 signature, command injection patterns (wget, shell commands in POST body), and anomalous User-Agent strings in network monitoring.
Unlock Pro Content
Get the full detection package for CVE-2022-37055 including response playbook, investigation guide, and atomic red team tests.