CVE-2017-18370

CWE-78 — OS Command Injection3 documents3 sources

Severity

8.8HIGH

EPSS

75.1%

top 1.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Billion 5200w-t Firmware Zyxel P660hn-t1a V1 Firmware Zyxel P660hn-t1a V2 Firmware

Timeline

PublishedMay 2

Latest updateMay 24

Description

The ZyXEL P660HN-T1A v2 TCLinux Fw #7.3.37.6 router distributed by TrueOnline has a command injection vulnerability in the Remote System Log forwarding function, which is only accessible by an authenticated user. The vulnerability is in the logSet.asp page and can be exploited through the ServerIP parameter. Authentication can be achieved by exploiting CVE-2017-18371.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶NVDzyxel/p660hn-t1a_v1_firmware7.3.37.6

▶NVDzyxel/p660hn-t1a_v2_firmware7.3.37.6

▶NVDbillion/5200w-t_firmware7.3.8.0

🔴Vulnerability Details

GHSA

GHSA-926f-c85f-cm9h: The ZyXEL P660HN-T1A v2 TCLinux Fw #7↗2022-05-24

▶

CVEList

CVE-2017-18370: The ZyXEL P660HN-T1A v2 TCLinux Fw #7↗2019-05-02

▶