CVE-2016-10401
published 2017-07-25

Priority: P189 high · CVSS 3.0: 8.8
CVSS 3.0 vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Flags: ITW (exploited in the wild), EXPLOIT (public exploit available), VulnCheck KEV, Ransomware
EPSS: 12.44% (95.7th percentile)
ZyXEL PK5001Z devices have zyad5001 as the su password, which makes it easier for remote attackers to obtain root access if a non-root account password is known (or a non-root default account exists within an ISP's deployment of these devices).

Detection & IOCs (extracted from sources)

  • Credential: username admin / password CenturyL1nk (hardcoded Telnet credential)
  • Credential: su password zyad5001 (hardcoded root escalation credential)
  • IP: 192.168.0.1 (default gateway address)
  • Command: su
  • Version: PK5001Z 2.6.20.19
  • Detect Telnet login attempts to ZyXEL PK5001Z using the hardcoded credential 'CenturyL1nk' for the admin account on port 23.
  • Alert on successful Telnet sessions to 192.168.0.1 (default gateway) followed by 'su' command execution, indicative of privilege escalation using the hardcoded su password 'zyad5001'.
  • Identify ZyXEL PK5001Z devices on the network by their banner string 'PK5001Z login:' presented over Telnet, which indicates a potentially vulnerable device.
  • Monitor for the kernel/hostname string 'Linux PK5001Z 2.6.20.19' in network traffic or device enumeration, identifying the specific vulnerable firmware version.
  • The hardcoded su password 'zyad5001' is only exploitable if an attacker already has access to a non-root account (e.g., via the hardcoded 'admin'/'CenturyL1nk' Telnet credential or another known non-root account within an ISP deployment).
  • The exploit was tested against CenturyLink-deployed ZyXEL PK5001Z modems; other ISP deployments may use different non-root credentials, but the same hardcoded su password 'zyad5001' applies.
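The four detection bullets and the two caveats above describe one session-level signal chain: fingerprint the device by its Telnet banner or kernel string, catch the hardcoded admin/CenturyL1nk login, then flag su followed by the zyad5001 password and a root prompt. Because Telnet is plaintext, a sensor that reassembles the TCP stream sees both the server prompts and what the client typed, including passwords that the terminal never echoes. The following is an added example, not code from cvebase, ZyXEL or the exploit author, of that logic run over a reconstructed session. The Session and Finding types, the analyze() function and the sample transcripts are all constructed for this example; the root-prompt check assumes a BusyBox-style shell whose prompt ends in '#'.

```python
import re
from dataclasses import dataclass

# Indicators quoted in the Detection & IOCs list above.
TELNET_PORT = 23
DEFAULT_GATEWAY = "192.168.0.1"
HARDCODED_TELNET_CREDENTIAL = ("admin", "CenturyL1nk")
HARDCODED_SU_PASSWORD = "zyad5001"
BANNER_RE = re.compile(r"PK5001Z login:")
KERNEL_RE = re.compile(r"Linux PK5001Z 2\.6\.20\.19")
# Assumption: a BusyBox-style root shell whose prompt ends in '#'.
ROOT_PROMPT_RE = re.compile(r"#\s*$")


@dataclass
class Session:
    """One reconstructed Telnet session (hypothetical type): destination plus the
    ordered lines, each tagged "c2s" (client to server) or "s2c" (server to client)."""
    dst_ip: str
    dst_port: int
    lines: list


@dataclass
class Finding:
    name: str
    severity: str
    detail: str


def _next_client_line(lines, start):
    """Index and stripped text of the first c2s line after `start`, or (None, None).
    The reply to a password prompt is not echoed by the server, but the bytes the
    client sent are still on the wire for a stream reassembler to read."""
    for j in range(start + 1, len(lines)):
        direction, text = lines[j]
        if direction == "c2s":
            return j, text.strip()
    return None, None


def analyze(session):
    """Run the PK5001Z detections over one session; return a list of Finding."""
    if session.dst_port != TELNET_PORT:
        return []
    lines = session.lines
    findings = []

    # Bullets 3 and 4: passive fingerprinting from server-side output.
    if any(d == "s2c" and BANNER_RE.search(t) for d, t in lines):
        findings.append(Finding("pk5001z_banner", "info", "banner 'PK5001Z login:' observed"))
    if any(d == "s2c" and KERNEL_RE.search(t) for d, t in lines):
        findings.append(Finding("vulnerable_kernel_string", "info", "'Linux PK5001Z 2.6.20.19' in output"))

    # Bullet 1: the initial login pair (first 'login:' prompt, then first 'Password:' prompt).
    user = password = None
    for i, (direction, text) in enumerate(lines):
        if direction != "s2c":
            continue
        prompt = text.strip()
        if prompt.endswith("login:") and user is None:
            _, user = _next_client_line(lines, i)
        elif prompt.endswith("Password:") and user is not None and password is None:
            _, password = _next_client_line(lines, i)
    if (user, password) == HARDCODED_TELNET_CREDENTIAL:
        findings.append(Finding("hardcoded_telnet_credential", "high", "login as admin / CenturyL1nk"))

    # Bullet 2 and the caveats: su issued from the non-root shell, then the hardcoded su password.
    for i, (direction, text) in enumerate(lines):
        if direction == "c2s" and text.strip() in ("su", "su -", "su root"):
            if session.dst_ip == DEFAULT_GATEWAY:
                findings.append(Finding("su_on_default_gateway", "medium", "su issued in session to 192.168.0.1"))
            j, su_password = _next_client_line(lines, i)
            if su_password == HARDCODED_SU_PASSWORD:
                findings.append(Finding("hardcoded_su_password", "high", "su password zyad5001 sent"))
                if j is not None and any(d == "s2c" and ROOT_PROMPT_RE.search(t) for d, t in lines[j + 1:]):
                    findings.append(Finding("root_shell_after_su", "high", "root prompt seen after su"))
            break
    return findings


# Constructed sample transcripts (not captured traffic).
EXPLOIT_SESSION = Session("192.168.0.1", 23, [
    ("s2c", "PK5001Z login:"), ("c2s", "admin"),
    ("s2c", "Password:"), ("c2s", "CenturyL1nk"),
    ("s2c", "$ "), ("c2s", "su"),
    ("s2c", "Password:"), ("c2s", "zyad5001"),
    ("s2c", "# "), ("c2s", "uname -a"),
    ("s2c", "Linux PK5001Z 2.6.20.19 (constructed uname output)"), ("s2c", "# "),
])
BENIGN_SESSION = Session("192.168.0.1", 23, [
    ("s2c", "PK5001Z login:"), ("c2s", "admin"),
    ("s2c", "Password:"), ("c2s", "some-other-password"),
    ("s2c", "$ "), ("c2s", "ls"), ("s2c", "$ "),
])


def finding_names(session):
    return {f.name for f in analyze(session)}


if __name__ == "__main__":
    for f in analyze(EXPLOIT_SESSION):
        print(f"[{f.severity}] {f.name}: {f.detail}")
```

The benign transcript still yields the banner finding, which is the point of bullet 3: the fingerprint is an inventory signal, not an alert on its own. The high-severity findings only fire on the credential pair or on su followed by zyad5001, mirroring the caveat that the su password needs an existing non-root session to matter.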

CVSS provenance

  Source     Version  Score  Severity  Vector
  nvd        v3.0     8.8    HIGH      CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  nvd        v2.0     9.0    CRITICAL  AV:N/AC:L/Au:S/C:C/I:C/A:C
  vulncheck           8.8    HIGH