CVE-2017-18370
published 2019-05-02


Priority: P2 / 70 / high
CVSS 3.0: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 22.91% (97.5th percentile)
The ZyXEL P660HN-T1A v2 TCLinux Fw #7.3.37.6 router distributed by TrueOnline has a command injection vulnerability in the Remote System Log forwarding function, which is only accessible by an authenticated user. The vulnerability is in the logSet.asp page and can be exploited through the ServerIP parameter. Authentication can be achieved by exploiting CVE-2017-18371.

Affected (3 ranges)

Vendor    Product                  Version range    Fixed in
billion   5200w-t_firmware         -                -
zyxel     p660hn-t1a_v1_firmware   -                -
zyxel     p660hn-t1a_v2_firmware   -                -

Detection & IOCs (extracted from sources)

url     /logSet.asp
other   ServerIP
  • Monitor HTTP GET and POST requests to logSet.asp on ZyXEL P660HN-T1A v2 devices for shell metacharacters (;, |, &, backtick, $( )) or other command-injection payloads in the ServerIP parameter, which should only ever carry an IP address or hostname.
  • Alert on authentication attempts or successful logins using the default 'supervisor' account, which is what gets an attacker to the authenticated command-injection endpoint.
  • Chained exploitation: CVE-2017-18371 may be used first to obtain authentication and CVE-2017-18370 second to run commands; correlate both from the same source IP.
  • The Metasploit module prefers inline and reverse shell payloads; watch for unexpected outbound connections from the router shortly after requests to logSet.asp.
  • The Metasploit module was tested in an emulated environment only; behaviour on physical hardware may differ.
  • The vulnerability may not be limited to Thailand-distributed (TrueOnline) firmware; other regional variants of the P660HN-T v2 could be affected through shared firmware lineage.
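As an added example (not code from this page, the original advisory, or the Metasploit module), the Python below turns the first three indicators above into a check that runs over a constructed access log. It assumes a combined-log-style format in which the third field is the HTTP auth user, so a 'supervisor' login is visible per line, and it only sees ServerIP when it travels in the query string.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined-log-style line. Treating the third field as the HTTP auth user is
# an assumption about how the router (or a proxy in front of it) logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Characters a syslog server address never legitimately contains but that a
# shell treats as command separators, pipes, redirection or substitution.
SHELL_META = re.compile(r'[;&|`$(){}<>\\\n]')

# Constructed sample log (not captured from a real device). Two sources poke
# logSet.asp; one of them first authenticates as 'supervisor'.
SAMPLE_LOG = """\
203.0.113.7 - - [02/May/2019:10:00:01 +0000] "GET /logSet.asp HTTP/1.1" 401 0
203.0.113.7 - supervisor [02/May/2019:10:00:02 +0000] "GET /logSet.asp?ServerIP=192.0.2.10 HTTP/1.1" 200 1342
203.0.113.7 - supervisor [02/May/2019:10:00:03 +0000] "GET /logSet.asp?ServerIP=192.0.2.10%3Bid HTTP/1.1" 200 1342
198.51.100.9 - admin [02/May/2019:10:01:00 +0000] "GET /logSet.asp?ServerIP=10.0.0.1%7Cuname%20-a HTTP/1.1" 200 1342
192.0.2.44 - admin [02/May/2019:10:02:00 +0000] "GET /logSet.asp?ServerIP=syslog.example.net HTTP/1.1" 200 1342
"""


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def injection_candidate(target):
    """Return the decoded ServerIP value when the request targets logSet.asp and
    the value carries shell metacharacters; otherwise None."""
    parts = urlsplit(target)
    if parts.path.lower() != '/logset.asp':
        return None
    # parse_qs percent-decodes, so %3B is ';' by the time the check runs.
    for value in parse_qs(parts.query, keep_blank_values=True).get('ServerIP', []):
        if SHELL_META.search(value):
            return value
    return None


def analyze(log_text):
    """Single pass over the log; one finding per suspicious request.
    'chained' marks sources that authenticated as 'supervisor' at or before
    the injection attempt, i.e. the CVE-2017-18371 -> CVE-2017-18370 sequence."""
    supervisor_sources = set()
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec['user'] == 'supervisor':
            supervisor_sources.add(rec['ip'])
        payload = injection_candidate(rec['target'])
        if payload is None:
            continue
        findings.append({
            'ip': rec['ip'],
            'ts': rec['ts'],
            'payload': payload,
            'chained': rec['ip'] in supervisor_sources,
        })
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} chained={f['chained']} ServerIP={f['payload']!r}")
```

Two practical limits: a plain access log does not record POST bodies, so the parameter only shows up here when it is sent in the URL; for POSTs you need a proxy or WAF log that keeps request bodies. And because the metacharacter test runs on the decoded value, double-encoded payloads need a second decode pass before they would trip it.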

CVSS provenance

NVD v3.0: 8.8 HIGH   CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 9.0 HIGH   AV:N/AC:L/Au:S/C:C/I:C/A:C (CVSS v2 has no Critical band; 9.0 is in its High range)