CVE-2017-18372

CWE-78 — OS Command Injection3 documents3 sources

Severity

8.8HIGH

EPSS

72.2%

top 1.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Billion 5200w-t Firmware Zyxel P660hn-t1a V1 Firmware Zyxel P660hn-t1a V2 Firmware

Timeline

PublishedMay 2

Latest updateMay 24

Description

The Billion 5200W-T TCLinux Fw $7.3.8.0 v008 130603 router distributed by TrueOnline has a command injection vulnerability in the Time Setting function, which is only accessible by an authenticated user. The vulnerability is in the tools_time.asp page and can be exploited through the uiViewSNTPServer parameter. Authentication can be achieved by exploiting CVE-2017-18373.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶NVDbillion/5200w-t_firmware7.3.8.0

▶NVDzyxel/p660hn-t1a_v1_firmware7.3.15.0

▶NVDzyxel/p660hn-t1a_v2_firmware7.3.15.0

🔴Vulnerability Details

GHSA

GHSA-v454-6xf3-j8mh: The Billion 5200W-T TCLinux Fw $7↗2022-05-24

▶

CVEList

CVE-2017-18372: The Billion 5200W-T TCLinux Fw $7↗2019-05-02

▶