
CVE-2017-18368

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 02 May 2019
Modified: 05 November 2025
KEV Added: 07 August 2023
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9359 (99.8th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2017-18368 is a critical-severity OS Command Injection (CWE-78) vulnerability in Billion 5200W-T Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

The vulnerability CVE-2017-18368 is a command injection flaw (CWE-78) in the ZyXEL P660HN-T1A v1 router running TCLinux firmware version 7.3.15.0 v001 / 3.40(ULM.0)b31 as distributed by TrueOnline. It resides in the Remote System Log forwarding function on the ViewLog.asp page and is triggered through the remote_host parameter, with no authentication required for access. The flaw received a CVSS 3.1 score of 9.8.

An unauthenticated attacker with network access can supply a malicious remote_host value to execute arbitrary operating system commands on the device. This grants complete control over the router, allowing impacts to confidentiality, integrity, and availability without any user interaction or privileges.

Public references include a ZyXEL announcement on unauthenticated vulnerabilities, a detailed proof-of-concept, and technical write-ups on Seclists and SSD Disclosure. One reference from Unit 42 links the issue to a Mirai variant observed targeting similar enterprise wireless and router devices.


Vulnerability details

The ZyXEL P660HN-T1A v1 TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31 router distributed by TrueOnline has a command injection vulnerability in the Remote System Log forwarding function, which is accessible by an unauthenticated user. The vulnerability is in the ViewLog.asp page and can be exploited through the remote_host parameter.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

| Vendor | Product | Version |
| --- | --- | --- |
| Billion | 5200W-T firmware | 7.3.8.0 |
| ZyXEL | P660HN-T1A v2 firmware | 7.3.15.0 |
| ZyXEL | P660HN-T1A v1 firmware | 7.3.15.0 |

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation
prevent

Directly requires validation and sanitization of the remote_host parameter on ViewLog.asp to block command injection payloads from unauthenticated users.

AC-3 Access Enforcement
prevent

Enforces authentication and authorization checks before any access to the Remote System Log forwarding function, eliminating the unauthenticated entry point.

AC-17 Remote Access partial match
prevent

Restricts and authorizes all remote management access paths to the router, reducing the network-exposed attack surface that allows unauthenticated exploitation.
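As an added illustration of the input-validation control above (example code written for this page, not the router firmware or the vendor's own material): a validator that accepts only an IP address or an RFC 1123 hostname for remote_host, and a forwarder launcher that passes the checked value as a separate argv element instead of interpolating it into a shell command line. The `logfwd` binary name and both function names are assumptions.

```python
import ipaddress
import re
import subprocess
from typing import List, Optional

# Constructed example of SI-10 style allowlist validation for a remote-syslog
# "remote_host" setting. Not the device's firmware code.

# One RFC 1123 hostname label: letters, digits and hyphens, 1-63 characters,
# and no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_remote_host(value: str) -> Optional[str]:
    """Return a canonical host string if value is an IPv4/IPv6 address or a
    well-formed hostname; return None for anything else, including values
    that carry whitespace or shell metacharacters."""
    if not value or len(value) > 253:
        return None
    try:
        # Literal IP addresses are accepted via the stdlib parser, not a regex.
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    host = value.rstrip(".")
    labels = host.split(".")
    if labels and all(_LABEL.match(label) for label in labels):
        return host.lower()
    return None


def build_forwarder_argv(remote_host: str, port: int = 514) -> List[str]:
    """Build argv for the (hypothetical) 'logfwd' helper as a list of separate
    arguments. Raises ValueError when the host fails allowlist validation."""
    host = validate_remote_host(remote_host)
    if host is None:
        raise ValueError("remote_host rejected by allowlist validation")
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return ["logfwd", "--host", host, "--port", str(port)]


def start_forwarder(remote_host: str, port: int = 514) -> subprocess.Popen:
    # shell=False (the default): each list element reaches the program as one
    # argv entry, so the value is never parsed by /bin/sh.
    return subprocess.Popen(build_forwarder_argv(remote_host, port))
```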
