← Back to CVEs
CVE-2017-18368
CRITICALCISA KEV9.8
Description
The ZyXEL P660HN-T1A v1 TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31 router distributed by TrueOnline has a command injection vulnerability in the Remote System Log forwarding function, which is accessible by an unauthenticated user. The vulnerability is in the ViewLog.asp page and can be exploited through the remote_host parameter.
CVE Details
CVSS v3.1 Score9.8
SeverityCRITICAL
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
Published5/2/2019
Last Modified11/5/2025
Sourcekev
Honeypot Sightings0
CISA KEV
VendorZyxel
ProductP660HN-T1A Routers
Vulnerability NameZyxel P660HN-T1A Routers Command Injection Vulnerability
KEV Date Added2023-08-07
Remediation Due Date2023-08-28
Ransomware UseUnknown
Affected Products
billion:5200w-tbillion:5200w-t_firmwarezyxel:p660hn-t1a_v1zyxel:p660hn-t1a_v1_firmwarezyxel:p660hn-t1a_v2zyxel:p660hn-t1a_v2_firmware
Weaknesses (CWE)
CWE-78CWE-78
References
https://seclists.org/fulldisclosure/2017/Jan/40(cve@mitre.org)
https://ssd-disclosure.com/index.php/archives/2910(cve@mitre.org)
https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems/(cve@mitre.org)
http://www.zyxel.com/support/announcement_unauthenticated.shtml(af854a3a-2127-422b-91ae-364da2661108)
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/zyxel_trueonline.txt(af854a3a-2127-422b-91ae-364da2661108)
https://seclists.org/fulldisclosure/2017/Jan/40(af854a3a-2127-422b-91ae-364da2661108)
https://ssd-disclosure.com/index.php/archives/2910(af854a3a-2127-422b-91ae-364da2661108)
https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems/(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-18368(134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.