CVE-2017-6884
Published: 2017-04-06
Priority: P189 · High · CVSS 3.1: 8.8
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Flags: KEV · ITW · Exploit · Ransomware
CISA Known Exploited Vulnerability, due 2023-10-09
Exploited in the wild
EPSS: 37.63% (98.3rd percentile)
A command injection vulnerability was discovered on the Zyxel EMG2926 home router with firmware V1.00(AAQT.4)b8. The vulnerability is located in the diagnostic tools, specifically the nslookup function. A malicious user may exploit numerous vectors to execute arbitrary commands on the router, such as the ping_ip parameter to the expert/maintenance/diagnostic/nslookup URI.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zyxel | emg2926_firmware | — | — |
Detection & IOCs (extracted from sources)
URL: /expert/maintenance/diagnostic/nslookup?nslookup_button=nslookup_button&ping_ip=google.ca%3b%20cat%20/etc/passwd&server_ip=
Snort rule:
```
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Zyxel Command Injection RCE (CVE-2017-6884)"; flow:established,to_server; http.uri; content:"/cgi-bin/luci/"; content:"stok="; content:"/nslookup?nslookup_button=nslookup_button&"; fast_pattern; reference:cve,2017-6884; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026105; rev:4; metadata:attack_target Networking_Equipment, created_at 2018_09_10, cve CVE_2017_6884, deployment Perimeter, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_07, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
```
- Exploit traffic targets an HTTP URI path containing '/cgi-bin/luci/' together with 'stok=' and '/nslookup?nslookup_button=nslookup_button&'; all three content matches together are a high-confidence indicator of an exploitation attempt.
- Command injection is delivered via the 'ping_ip' GET parameter using a semicolon (;) as a shell command separator to chain arbitrary OS commands (e.g., a URL-encoded semicolon %3b followed by the injected command).
- The exploit was observed being leveraged by IoT/Linux botnets, including Mirai and Gafgyt variants, targeting networking equipment; correlate with known botnet C2 infrastructure.
- Successful exploitation is confirmed by /etc/passwd content in HTTP responses; monitor outbound responses from the router for passwd-file patterns (e.g., root:x:0:0 or supervisor password hash lines).
- The vulnerability affects the Zyxel EMG2926 with a specific firmware version; confirm scope before deploying detections.
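A defender-side check built from the detection notes above, written here as an added example (it is not code from this page or from any of the quoted sources): it mirrors the three ET content matches and then percent-decodes the query parameters so that a real injection attempt can be told apart from a benign diagnostic request that merely hits the same URI. The combined-log-format sample lines, the PLACEHOLDER_TOKEN stok value and all function names are constructed for the example.

```python
import re
from urllib.parse import unquote

# Content matches taken from ET rule sid:2026105; all three must appear in the URI.
RULE_CONTENT = ("/cgi-bin/luci/", "stok=", "/nslookup?nslookup_button=nslookup_button&")
SHELL_META = set(";|&`$\n")  # characters that break a value out of the nslookup shell command
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def matches_rule(uri):
    # Mirror the Snort/Suricata content matches: every token must be present.
    return all(token in uri for token in RULE_CONTENT)

def parse_query(uri):
    # Split the query string and percent-decode names and values (%3b becomes ';').
    params = {}
    for pair in uri.partition("?")[2].split("&"):
        name, _, value = pair.partition("=")
        params[unquote(name)] = unquote(value)
    return params

def injected_params(uri):
    # Decoded parameters whose value contains a shell metacharacter.
    return {k: v for k, v in parse_query(uri).items() if SHELL_META & set(v)}

def classify(uri):
    # 'injection' if a parameter carries a metacharacter, 'rule' if only the ET matches fire.
    if "/nslookup?" not in uri:
        return None
    if injected_params(uri):
        return "injection"
    return "rule" if matches_rule(uri) else None

def scan(lines):
    # Return (uri, verdict, suspicious parameters) for every flagged log line.
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match and (verdict := classify(match.group(1))):
            findings.append((match.group(1), verdict, injected_params(match.group(1))))
    return findings

# Constructed sample log lines; PLACEHOLDER_TOKEN stands in for a real stok session value.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Sep/2018:12:00:01 +0000] "GET /cgi-bin/luci/;stok=PLACEHOLDER_TOKEN/expert/maintenance'
    '/diagnostic/nslookup?nslookup_button=nslookup_button&ping_ip=google.ca%3b%20cat%20/etc/passwd&server_ip= HTTP/1.1" 200 512',
    '192.0.2.10 - - [10/Sep/2018:12:00:02 +0000] "GET /expert/maintenance/diagnostic/nslookup'
    '?nslookup_button=nslookup_button&ping_ip=google.ca%3b%20cat%20/etc/passwd&server_ip= HTTP/1.1" 200 512',
    '192.0.2.11 - - [10/Sep/2018:12:00:03 +0000] "GET /cgi-bin/luci/;stok=PLACEHOLDER_TOKEN/expert/maintenance'
    '/diagnostic/nslookup?nslookup_button=nslookup_button&ping_ip=example.com&server_ip= HTTP/1.1" 200 300',
]
```

The PoC URL quoted above has no /cgi-bin/luci/ and stok= prefix, so the ET content matches alone would not fire on that form of the request; the parameter decode is what flags it, while a luci request with a clean ping_ip is reported as 'rule' only.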
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| VulnCheck | — | 8.8 | HIGH | — |
| CISA | — | 8.8 | HIGH | — |
GHSA
GHSA-x6r5-p9fx-6346 · ghsa_unreviewed · 2022-05-17 · CVE-2017-6884 [HIGH] CWE-78
Description: identical to the NVD text above.
VulnCheck
Zyxel EMG2926 Routers Command Injection Vulnerability
vulncheck · 2017 · CVSS 8.8 · CVE-2017-6884 [HIGH] CWE-78
Zyxel EMG2926 routers contain a command injection vulnerability located in the diagnostic tools, specifically the nslookup function. A malicious user may exploit numerous vectors to execute malicious commands on the router, such as the ping_ip parameter to the expert/maintenance/diagnostic/nslookup URI.
Affected: Zyxel EMG2926 Routers
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://web.archive.org/web/20200319160240/https://labs.bitdefender.com/2020/01/hold-my-beer-mirai-spinoff-named-liquorbot-incorporates-cryptomining/; https://cybersecurityworks.com/blog/ransomware/cyber-hygiene-ranso
CISA
Zyxel EMG2926 Routers Command Injection Vulnerability
cisa · 2023-09-18 · CVSS 8.8 · CVE-2017-6884 [HIGH] CWE-78
Affected: Zyxel EMG2926 Routers
Zyxel EMG2926 routers contain a command injection vulnerability located in the diagnostic tools, specifically the nslookup function. A malicious user may exploit numerous vectors to execute malicious commands on the router, such as the ping_ip parameter to the expert/maintenance/diagnostic/nslookup URI.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-vulnerability-in-emg2926-q10a-ethernet-cpe, https://www.zyxelguard.com/Zyxel-EOL.asp; https://nvd.nist.gov/vuln/detail/CVE-2017-6884
Remediation Due Dat
Suricata
ET EXPLOIT Zyxel Command Injection RCE (CVE-2017-6884)
suricata · 2018-09-10 · CVSS 8.8 · CVE-2017-6884 [HIGH]
Rule: sid:2026105 rev:4, quoted in full under Detection & IOCs above.
GreyNoise
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
blogs_greynoiseio · 2026-02-02
Unit42
Multi-exploit IoT/Linux Botnets Mirai and Gafgyt Target Apache Struts, SonicWall
blogs_unit42 · 2018-09-10 · CVSS 9.8 · CVE-2017-5638 [CRITICAL]
Author: Ruchna Nigam. Published: September 9, 2018. Tags: Malware, Threat Research, Vulnerabilities, Apache Struts, BlackNurse, Botnet, CVE-2017-5638, CVE-2018-9866, Exploits, Gafgyt, IoT, Linux, Mirai, SonicWall RCE.
Executive Summary:
Unit 42 has uncovered new variants of the well-known IoT botnets Mirai and Gafgyt. These are the IoT botnets associated with unprecedented Distributed Denial of Service attacks in November 2016 and since.
These variants are notable for two reasons:
- The new Mirai version targets the same Apache Struts vulnerability associated with the Equifax data breach in 2017.
- The new Gafgyt version targets a newly disclosed vulnerability affecting older, unsupported versions of SonicWall's Global Management System (GMS).
These developments suggest these IoT botnets are increasingly targeting enterprise devices running outdated versions.
All organizations should ensure they keep not only their systems up-to-date and patched, but also their IoT devices. For Palo Alto Networks cust
GreyNoise
NoiseLetter
blogs_greynoiseio · CVSS 10.0 [CRITICAL]
Timeline
Published: 2017-04-06
Added to CISA KEV: 2023-09-18
Exploited in the wild