CVE-2017-18371
published 2019-05-02

Priority: P274, critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 22.53% (97.4th percentile)

The ZyXEL P660HN-T1A v2 TCLinux Fw #7.3.37.6 router distributed by TrueOnline has three user accounts with default passwords, including two hardcoded service accounts: one with the username true and password true, and another with the username supervisor and password zyad1234. These accounts can be used to log in to the web interface, exploit authenticated command injections, and change router settings for malicious purposes.

Affected

3 ranges
Vendor   Product                  Version range  Fixed in
billion  5200w-t_firmware
zyxel    p660hn-t1a_v1_firmware
zyxel    p660hn-t1a_v2_firmware

Detection & IOCs (extracted from sources)

url: logSet.asp
other: ServerIP
  • Monitor HTTP requests to logSet.asp on ZyXEL P660HN-T1A v2 devices, particularly the ServerIP parameter, for command injection payloads (e.g., shell metacharacters such as semicolons, pipes, backticks).
  • The Metasploit module for this vulnerability targets the Remote System Log forwarding page; detect exploitation attempts via the module path exploits/linux/http/trueonline_p660hn_v2_rce.
  • Scope may extend beyond Thailand; firmware contains Turkish and other language strings, suggesting other regional P660HN-T v2 variants may also be vulnerable.

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd     v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P