Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
Critical

Remote buffer overflow in mini_httpd/thttpd htpasswd

IdentifiersCVE-2017-17663CWE-120

CVE-2017-17663 is a remotely exploitable buffer overflow in the htpasswd implementation of mini_httpd before 1.28 and thttpd before 2.28. The vulnerable code in the embedded HTTP server’s htpasswd functionality does not safely handle crafted input, allowing memory corruption. According to the provided content, affected software is commonly embedded in Linux-based SOHO routers and IoT devices, and the flaw has been exploited in the wild as an N-day to gain initial access to unpatched devices.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can lead to remote code execution on the affected device. In the observed campaigns described in the content, attackers used this class of flaw to compromise SOHO routers and IoT devices, deploy the ShortLeash backdoor, obtain root-level persistence via a systemd service, and convert the devices into operational relay box infrastructure for long-term espionage support and traffic relaying.

Mitigation

If you can’t patch tonight, do this now.

Until patches or updated firmware can be applied, reduce exposure of affected devices by restricting access to the embedded HTTP service to trusted management networks only, disabling unnecessary remote administration, filtering untrusted inbound traffic, and monitoring for signs of compromise or unauthorized web service behavior. Given reported in-the-wild exploitation on unpatched SOHO devices, internet-exposed management interfaces using vulnerable embedded HTTP components should be treated as high risk.

Remediation

Patch, then assume compromise.

Upgrade mini_httpd to version 1.28 or later and thttpd to version 2.28 or later, or apply vendor firmware updates that incorporate the fixed versions of these components. Because the vulnerable software is often embedded in network appliances and IoT products, remediation may require installing updated firmware from the device manufacturer rather than patching the HTTP daemon directly. Devices that cannot be updated should be replaced.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
AcmeMini Httpdapplication
AcmeThttpdapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
the hacker newsNews
Jun 27, 2025
Over 1,000 SOHO Devices Hacked in China-linked LapDogs Cyber Espionage Campaign

An older (N-day) vulnerability referenced as being weaponized to gain initial access to primarily Linux-based SOHO devices in the LapDogs ORB campaign.

Read more
bank info securityNews
Jun 23, 2025
Chinese Hackers Turn Unpatched Routers Into ORB Spy Network

A buffer memory overrun vulnerability in a small embedded open-source HTTP server used in various IoT/router devices, contributing to compromise of unpatched devices used as ORB infrastructure.

Read more
security weekNews
Nov 27, 2025
Chinese APT Hacking Routers to Build Espionage Infrastructure

An SSH-related vulnerability present on older/unpatched SOHO router/access point devices that the campaign’s compromised nodes were found to be vulnerable to.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence1

Every observed campaign linking this CVE to a named adversary.

Associated malware3

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2017-17663
NVD
nvd.nist.gov/vuln/detail/CVE-2017-17663
MITRE CWE · CWE-120
cwe.mitre.org
Third Party Advisory
acme.com/updates/archive/199.html