CVE-2022-37055 Elastic Security · Elastic

Detect CVE-2022-37055 D-Link Router Buffer Overflow Exploitation in Elastic Security

Detects exploitation attempts targeting CVE-2022-37055, a buffer overflow vulnerability (CWE-120) in D-Link routers. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Attackers may exploit this vulnerability to achieve remote code execution on affected D-Link routers, potentially enabling network pivoting, persistent access, or botnet enrollment.

MITRE ATT&CK

Tactic
Initial Access Execution Lateral Movement

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by destination.ip with maxspan=10m
  [network where destination.port in (80, 443, 8080, 8443, 23) and
   (network.bytes > 65000 or
    url.path like "*../*" or
    url.path like "*%2F..%2F*" or
    url.query like "*cmd=*" or
    url.query like "*shell=*") and
   (device.vendor like "*D-Link*" or device.model like "*DIR-*" or device.model like "*DSR-*")]
  [network where event.action in ("connection-attempt", "allowed") and
   source.ip != destination.ip and
   network.direction == "outbound" and
   destination.port in (4444, 1337, 31337, 8888, 9999)]
critical severity medium confidence

EQL sequence rule detecting D-Link router buffer overflow exploitation followed by potential reverse shell callback connections, indicating successful compromise.

Data Sources

Elastic Network EventsElastic IDS/IPS eventsPacketbeat

Required Tables

logs-network.*logs-ids.*

False Positives & Tuning

  • Legitimate router management traffic coinciding with outbound connections to high ports for monitoring
  • Authorized red team engagements targeting network infrastructure
  • VPN or tunneling solutions using non-standard ports on D-Link devices

Other platforms for CVE-2022-37055

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CVE-2022-37055 Buffer Overflow Simulation via Oversized HTTP POST

    Expected signal: Network logs showing HTTP POST request to port 80 with Content-Length > 65000 bytes destined for router management interface IP. IDS alerts for anomalous payload size.

  2. Test 2Path Traversal Probe Against D-Link Router Management Interface

    Expected signal: Web server access logs or proxy logs showing GET requests with '../' or '%2F..%2F' sequences to router management CGI paths. Firewall logs capturing the HTTP request URLs.

  3. Test 3Reverse Shell Listener Simulation Post Router Compromise

    Expected signal: Netflow/IPFIX records showing TCP connection attempts from router management IP to high-risk ports (4444, 1337, etc.). EDR network telemetry if agent is installed on network capture host.

  4. Test 4CVE-2022-37055 IDS Signature Validation

    Expected signal: IDS/IPS alerts firing on CVE-2022-37055 signature, command injection patterns (wget, shell commands in POST body), and anomalous User-Agent strings in network monitoring.

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2022-37055 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing ApplicationT1059Command and Scripting InterpreterT1021Remote ServicesT1496Resource Hijacking

Same Tactic: Initial Access

Popular Detections