CVE-2016-10401
Published: 2017-07-25
Priority: P1 89 · high · 8.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 12.44% (95.7th percentile)
ZyXEL PK5001Z devices have zyad5001 as the su password, which makes it easier for remote attackers to obtain root access if a non-root account password is known (or a non-root default account exists within an ISP's deployment of these devices).
Detection & IOCs (extracted from sources)
- Detect Telnet login attempts to ZyXEL PK5001Z using the hardcoded credential 'CenturyL1nk' for the admin account on port 23.
- Alert on successful Telnet sessions to 192.168.0.1 (default gateway) followed by 'su' command execution, indicative of privilege escalation using the hardcoded su password 'zyad5001'.
- Identify ZyXEL PK5001Z devices on the network by their banner string 'PK5001Z login:' presented over Telnet, which indicates a potentially vulnerable device.
- Monitor for the kernel/hostname string 'Linux PK5001Z 2.6.20.19' in network traffic or device enumeration, identifying the specific vulnerable firmware version.
- The hardcoded su password 'zyad5001' is only exploitable if an attacker already has access to a non-root account (e.g., via the hardcoded 'admin'/'CenturyL1nk' Telnet credential or another known non-root account within an ISP deployment).
- The exploit was tested against CenturyLink-deployed ZyXEL PK5001Z modems; other ISP deployments may use different non-root credentials, but the same hardcoded su password 'zyad5001' applies.
CVSS provenance
- NVD v3.0: 8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 9.0 CRITICAL (AV:N/AC:L/Au:S/C:C/I:C/A:C)
- VulnCheck: 8.8 HIGH
GHSA
- GHSA-2f5j-3w2j-7mxv (ghsa_unreviewed · 2022-05-17): CVE-2016-10401 [HIGH]. Description identical to the NVD text above.
VulnCheck
- ZyXEL PK5001Z Remote Authentication Bypass (vulncheck · 2016 · CVSS 8.8): CVE-2016-10401 [HIGH]. Description identical to the NVD text above.
- Affected: Zyxel pk5001z_firmware
- Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
- Known Ransomware Campaign Use: Known
- Exploitation References:
  - https://blog.netlab.360.com/early-warning-a-new-mirai-variant-is-spreading-quickly-on-port-23-and-2323-en/
  - https://www.tripwire.com/state-of-security/doubledoor-iot-botnet-abuses-two-vulnerabilities-to-circumvent-firewalls-modems
  - https://www.csk.gov.in/a
No detection rules found.
No writeups or analysis indexed.