CVE-2017-6884
published 2017-04-06


Priority: P189 high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2023-10-09
Exploited in the wild
EPSS: 37.63% (98.3rd percentile)
A command injection vulnerability was discovered on the Zyxel EMG2926 home router with firmware V1.00(AAQT.4)b8. The vulnerability is located in the diagnostic tools, specifically the nslookup function. A malicious user may exploit numerous vectors to execute arbitrary commands on the router, such as the ping_ip parameter to the expert/maintenance/diagnostic/nslookup URI.

Affected (1 range)

Vendor   Product            Version range   Fixed in
zyxel    emg2926_firmware

Detection & IOCs (extracted from sources)

url: /expert/maintenance/diagnostic/nslookup
url: /expert/maintenance/diagnostic/nslookup?nslookup_button=nslookup_button&ping_ip=google.ca%3b%20cat%20/etc/passwd&server_ip=
path: /cgi-bin/luci/;stok=/expert/maintenance/diagnostic/nslookup
snort
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Zyxel Command Injection RCE (CVE-2017-6884)"; flow:established,to_server; http.uri; content:"/cgi-bin/luci/"; content:"stok="; content:"/nslookup?nslookup_button=nslookup_button&"; fast_pattern; reference:cve,2017-6884; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026105; rev:4; metadata:attack_target Networking_Equipment, created_at 2018_09_10, cve CVE_2017_6884, deployment Perimeter, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_07, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
  • Exploit traffic targets HTTP URI path containing '/cgi-bin/luci/' with 'stok=' and '/nslookup?nslookup_button=nslookup_button&' — all three content matches together are high-confidence indicators of exploitation attempts.
  • Command injection is delivered via the 'ping_ip' GET parameter using semicolon (;) as a shell command separator to chain arbitrary OS commands (e.g., %3b URL-encoded semicolon followed by the injected command).
  • The exploit was observed being leveraged by IoT/Linux botnets including Mirai and Gafgyt variants targeting networking equipment; correlate with known botnet C2 infrastructure.
  • Successful exploitation is confirmed by /etc/passwd content in HTTP responses; monitor outbound responses from the router for passwd-file patterns (e.g., root:x:0:0 or supervisor password hash lines).
  • The vulnerability affects Zyxel EMG2926 with a specific firmware version; confirm scope before deploying detections.
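The detection notes above describe the request-side signature (three URI content matches) and a response-side confirmation (a leaked /etc/passwd root entry). The following script is an added example, not code from cvebase, Zyxel or the rule's author; it applies the same AND logic as the Snort rule to web-server access-log lines and then inspects the decoded ping_ip value for shell metacharacters, so that ordinary use of the diagnostic page can be told apart from an injection attempt. The log lines are constructed samples in Common Log Format; the first one reuses the exploit URI quoted in the IOC list, the second is a legitimate lookup on the same page.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format), not real traffic.
# Line 1 reproduces the exploit URI quoted in the IOC list; line 2 is a
# legitimate use of the same diagnostic page; line 3 is unrelated.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Sep/2018:12:00:01 +0000] "GET /cgi-bin/luci/;stok=/expert/maintenance/diagnostic/nslookup?nslookup_button=nslookup_button&ping_ip=google.ca%3b%20cat%20/etc/passwd&server_ip= HTTP/1.1" 200 1412
10.0.0.5 - - [10/Sep/2018:12:00:02 +0000] "GET /cgi-bin/luci/;stok=/expert/maintenance/diagnostic/nslookup?nslookup_button=nslookup_button&ping_ip=example.com&server_ip= HTTP/1.1" 200 512
10.0.0.6 - - [10/Sep/2018:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# The three content matches from the rule above, tested on the raw (undecoded) URI.
SIGNATURE_CONTENT = (
    "/cgi-bin/luci/",
    "stok=",
    "/nslookup?nslookup_button=nslookup_button&",
)

# Shell metacharacters that never belong in a hostname or IP address.
SHELL_META = re.compile(r"[;|&`\n]|\$\(")

# Minimal Common Log Format parser: client, timestamp, method, URI, status.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Response-side confirmation: the root entry of /etc/passwd echoed back to the client.
PASSWD_LINE = re.compile(r"^root:x:0:0:", re.MULTILINE)


def matches_signature(raw_uri: str) -> bool:
    """True when all three rule content matches are present (same AND logic as the rule)."""
    return all(needle in raw_uri for needle in SIGNATURE_CONTENT)


def ping_ip_value(raw_uri: str) -> Optional[str]:
    """Return the percent-decoded ping_ip query parameter, or None if absent."""
    values = parse_qs(urlsplit(raw_uri).query, keep_blank_values=True).get("ping_ip")
    return values[0] if values else None


def classify(line: str) -> Optional[dict]:
    """Classify one log line; None when it does not hit the rule's signature."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    uri = m.group("uri")
    if not matches_signature(uri):
        return None
    value = ping_ip_value(uri) or ""
    injected = bool(SHELL_META.search(value))
    return {
        "client": m.group("client"),
        "ts": m.group("ts"),
        "ping_ip": value,
        # Signature plus a metacharacter in ping_ip is the high-confidence case;
        # signature alone is just someone using the diagnostic page.
        "verdict": "exploit-attempt" if injected else "diagnostic-page-access",
    }


def scan(log_text: str) -> list:
    """Run classify() over every line and keep the lines that matched the signature."""
    findings = []
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            findings.append(result)
    return findings


def response_indicates_passwd(body: str) -> bool:
    """True when a response body carries the passwd-file pattern named in the notes."""
    return PASSWD_LINE.search(body) is not None


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} {f['verdict']}: ping_ip={f['ping_ip']!r}")
```

Running the script prints one line per signature hit: the first sample is reported as an exploit attempt (the decoded ping_ip is `google.ca; cat /etc/passwd`), the second as plain diagnostic-page access, and the unrelated request is not reported. The metacharacter check is deliberately broader than the semicolon the IOC shows, since any separator that reaches a shell would do the same damage; tune SHELL_META to your own false-positive tolerance.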

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      9.0     CRITICAL   AV:N/AC:L/Au:S/C:C/I:C/A:C
vulncheck             8.8     HIGH
cisa                  8.8     HIGH