CVE-2017-18368
Severity: CRITICAL | Listed in CISA KEV | CVSS 9.8
Description
The ZyXEL P660HN-T1A v1 TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31 router distributed by TrueOnline has a command injection vulnerability in the Remote System Log forwarding function, which is accessible by an unauthenticated user. The vulnerability is in the ViewLog.asp page and can be exploited through the remote_host parameter.
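The description above gives the whole attack surface: an unauthenticated request to ViewLog.asp whose remote_host value reaches a shell. The following Python is an added example, not code from this page, from Zyxel, or from the original advisory. It shows the allowlist check a remote-log handler needs before a forwarding target is used to build a command (accept only an IP literal or a plain hostname, reject everything else instead of escaping it), and runs that same check as a detector over constructed HTTP requests, flagging any ViewLog.asp request whose remote_host would fail it. Whether the parameter travels in the query string or in a POST body is not stated on this page, so the classifier accepts either; the paths, addresses and payload-like values in the samples are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Characters that must never reach a shell command or config line built from
# the syslog-forwarding target. The allowlist below already excludes them;
# the set exists so a rejected value can be explained in a log message.
SHELL_META = re.compile(r"""[;|&`$()<>{}\n\r\\"' ]""")

# One RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, 253 characters at most.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(r"^(?=.{1,253}$)(?:" + _LABEL + r"\.)*" + _LABEL + r"$")


def is_valid_syslog_target(value: str) -> bool:
    """Allowlist check: accept only an IPv4/IPv6 literal or a plain hostname.

    This is the check a remote-log handler needs before the value is used to
    build a command; anything else is rejected rather than escaped.
    """
    if not value or SHELL_META.search(value):
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME.match(value) is not None


def classify_request(target: str, body: str = "") -> str:
    """Classify one HTTP request as 'benign', 'suspicious' or 'n/a'.

    target is the request-target (path plus optional query string), body an
    optional application/x-www-form-urlencoded POST body. Only requests to
    ViewLog.asp that carry remote_host are classified; 'suspicious' means at
    least one remote_host value fails the allowlist.
    """
    parts = urlsplit(target)
    if not parts.path.lower().endswith("viewlog.asp"):
        return "n/a"
    # parse_qs percent-decodes, so an encoded ';' (%3B) or newline (%0A) is
    # checked as the character the firmware would actually see.
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    hosts = params.get("remote_host")
    if not hosts:
        return "n/a"
    return "benign" if all(is_valid_syslog_target(h) for h in hosts) else "suspicious"


# Constructed sample traffic (TEST-NET addresses, example.net hostnames);
# not captured from a real device. The path is assumed, not taken from the page.
SAMPLE_REQUESTS = [
    ("POST", "/cgi-bin/ViewLog.asp", "remote_host=192.0.2.10&remote_log=1"),
    ("POST", "/cgi-bin/ViewLog.asp", "remote_host=192.0.2.10%3Bid"),
    ("GET", "/cgi-bin/ViewLog.asp?remote_host=syslog.example.net", ""),
    ("GET", "/cgi-bin/ViewLog.asp?remote_host=%24(id)", ""),
    ("GET", "/index.asp?remote_host=192.0.2.10%3Bid", ""),
]


def scan(requests=SAMPLE_REQUESTS):
    """Return [(method, target, verdict), ...] for a list of requests."""
    return [(m, t, classify_request(t, b)) for m, t, b in requests]


if __name__ == "__main__":
    for method, target, verdict in scan():
        print(f"{verdict:10s} {method} {target}")
```

The validator is deliberately an allowlist: a syslog target is either an address or a hostname, so there is no need to enumerate dangerous characters, and the same function serves both as the fix in a handler and as the detection rule over traffic or access logs.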
CVE Details
CVSS v3.1 score: 9.8
Severity: CRITICAL
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
User interaction: NONE
Published: 5/2/2019
Last modified: 11/5/2025
Source: kev
Honeypot observations: 0
CISA KEV
Vendor: Zyxel
Product: P660HN-T1A Routers
Vulnerability name: Zyxel P660HN-T1A Routers Command Injection Vulnerability
Date added to KEV: 2023-08-07
Remediation due date: 2023-08-28
Known to be used in ransomware campaigns: Unknown
Affected products
billion:5200w-t
billion:5200w-t_firmware
zyxel:p660hn-t1a_v1
zyxel:p660hn-t1a_v1_firmware
zyxel:p660hn-t1a_v2
zyxel:p660hn-t1a_v2_firmware
Weaknesses (CWE)
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
References
https://seclists.org/fulldisclosure/2017/Jan/40 (cve@mitre.org; af854a3a-2127-422b-91ae-364da2661108)
https://ssd-disclosure.com/index.php/archives/2910 (cve@mitre.org; af854a3a-2127-422b-91ae-364da2661108)
https://unit42.paloaltonetworks.com/new-mirai-variant-targets-enterprise-wireless-presentation-display-systems/ (cve@mitre.org; af854a3a-2127-422b-91ae-364da2661108)
http://www.zyxel.com/support/announcement_unauthenticated.shtml (af854a3a-2127-422b-91ae-364da2661108)
https://raw.githubusercontent.com/pedrib/PoC/master/advisories/zyxel_trueonline.txt (af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-18368 (134c704f-9b21-4f2e-91b3-4a467353bcc0)
IOC correlations
No correlation recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.