CVE-2017-18371
Published 2019-05-02
Priority: P274 | Severity: critical | CVSS 3.0: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 22.53% (97.4th percentile)
The ZyXEL P660HN-T1A v2 TCLinux Fw #7.3.37.6 router distributed by TrueOnline has three user accounts with default passwords, including two hardcoded service accounts: one with the username true and password true, and another with the username supervisor and password zyad1234. These accounts can be used to log in to the web interface, exploit authenticated command injections, and change router settings for malicious purposes.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| billion | 5200w-t_firmware | — | — |
| zyxel | p660hn-t1a_v1_firmware | — | — |
| zyxel | p660hn-t1a_v2_firmware | — | — |
Detection & IOCs
- Monitor HTTP requests to logSet.asp on ZyXEL P660HN-T1A v2 devices, particularly the ServerIP parameter, for command injection payloads (e.g., shell metacharacters such as semicolons, pipes, backticks).
- The Metasploit module for this vulnerability targets the Remote System Log forwarding page; detect exploitation attempts via the module path exploits/linux/http/trueonline_p660hn_v2_rce.
- Scope may extend beyond Thailand; firmware contains Turkish and other language strings, suggesting other regional P660HN-T v2 variants may also be vulnerable.
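One way to implement the logSet.asp monitoring from the first item above, as an added example (not part of the original page or any vendor tooling): it flags any ServerIP value that is not a plain IP address or hostname, which is stricter than matching metacharacters alone. The record layout (method, URL, form body, as a reverse proxy or WAF log might provide) and the sample requests are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# A syslog server field should hold only an IP address or an RFC 1123 hostname.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile("(?:" + LABEL + r"\.)*" + LABEL)
SHELL_META = set(";|&`$()<>\n\r")

def is_plain_host(value):
    """True if value is a literal IPv4/IPv6 address or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return len(value) <= 253 and HOSTNAME_RE.fullmatch(value) is not None

def inspect_request(method, url, body=""):
    """Return a finding for a logSet.asp request whose ServerIP is not a plain host, else None."""
    parts = urlsplit(url)
    if parts.path.lower().rsplit("/", 1)[-1] != "logset.asp":
        return None
    # parse_qsl percent-decodes, so encoded metacharacters (%3B, %60, ...) are seen too.
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    for name, value in params:
        if name.lower() == "serverip" and not is_plain_host(value):
            return {"method": method, "path": parts.path, "value": value,
                    "metachars": sorted(SHELL_META.intersection(value))}
    return None

def scan(records):
    """Run inspect_request over (method, url, body) tuples and keep the findings."""
    return [f for f in (inspect_request(*r) for r in records) if f]

# Constructed sample records; CMD is a placeholder, not a real payload.
SAMPLE = [
    ("POST", "/logSet.asp", "ServerIP=192.0.2.10&x=1"),       # legitimate IP
    ("POST", "/logSet.asp", "ServerIP=syslog.example.net"),   # legitimate hostname
    ("POST", "/logSet.asp", "ServerIP=192.0.2.10%3BCMD"),     # encoded semicolon
    ("GET", "/logSet.asp?ServerIP=%60CMD%60", ""),            # encoded backticks
    ("POST", "/status.asp", "ServerIP=1%7C2"),                # different page, ignored
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```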
CVSS provenance
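| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |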
GHSA-926f-c85f-cm9h (CVE-2017-18370, CRITICAL, CWE-78)
ghsa_unreviewed · 2022-05-24 · CVSS 9.8
The ZyXEL P660HN-T1A v2 TCLinux Fw #7.3.37.6 router distributed by TrueOnline has a command injection vulnerability in the Remote System Log forwarding function, which is only accessible by an authenticated user. The vulnerability is in the logSet.asp page and can be exploited through the ServerIP parameter. Authentication can be achieved by exploiting CVE-2017-18371.
GHSA-j9rw-cgp6-m49q (CVE-2017-18371, CRITICAL, CWE-798)
ghsa_unreviewed · 2022-05-24
The ZyXEL P660HN-T1A v2 TCLinux Fw #7.3.37.6 router distributed by TrueOnline has three user accounts with default passwords, including two hardcoded service accounts: one with the username true and password true, and another with the username supervisor and password zyad1234. These accounts can be used to log in to the web interface, exploit authenticated command injections, and change router settings for malicious purposes.
- http://www.zyxel.com/support/announcement_unauthenticated.shtml
- https://raw.githubusercontent.com/pedrib/PoC/master/advisories/zyxel_trueonline.txt
- https://seclists.org/fulldisclosure/2017/Jan/40
- https://ssd-disclosure.com/index.php/archives/2910
- https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems/