CVE-2017-18368
Published: 02 May 2019
Summary
CVE-2017-18368 is a critical-severity OS Command Injection (CWE-78) vulnerability in Billion 5200W-T Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
The vulnerability CVE-2017-18368 is a command injection flaw (CWE-78) in the ZyXEL P660HN-T1A v1 router running TCLinux firmware version 7.3.15.0 v001 / 3.40(ULM.0)b31 as distributed by TrueOnline. It resides in the Remote System Log forwarding function on the ViewLog.asp page and is triggered through the remote_host parameter, with no authentication required for access. The flaw received a CVSS 3.1 score of 9.8.
An unauthenticated attacker with network access can supply a malicious remote_host value to execute arbitrary operating system commands on the device. This grants complete control over the router, allowing impacts to confidentiality, integrity, and availability without any user interaction or privileges.
Public references include a ZyXEL announcement on unauthenticated vulnerabilities, a detailed proof-of-concept, and technical write-ups on Seclists and SSD Disclosure. One reference from Unit 42 links the issue to a Mirai variant observed targeting similar enterprise wireless and router devices.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2017-9484
Vulnerability details
The ZyXEL P660HN-T1A v1 TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31 router distributed by TrueOnline has a command injection vulnerability in the Remote System Log forwarding function, which is accessible by an unauthenticated user. The vulnerability is in the ViewLog.asp page and can be exploited through the remote_host parameter.
- CWE(s): CWE-78
- KEV Date Added: 07 August 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- Directly requires validation and sanitization of the remote_host parameter on ViewLog.asp to block command injection payloads from unauthenticated users.
- Enforces authentication and authorization checks before any access to the Remote System Log forwarding function, eliminating the unauthenticated entry point.
- Restricts and authorizes all remote management access paths to the router, reducing the network-exposed attack surface that allows unauthenticated exploitation.
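The input-validation control above is the one a firmware developer can apply directly in code. The following is an added example, not ZyXEL's or TrueOnline's code and not taken from the referenced proof-of-concept: it shows how a remote_host value for a log-forwarding feature can be constrained to a syntactically valid IP literal or hostname and then handed to the forwarding process as a discrete argv element, so no shell ever parses it. The helper binary path `/sbin/forward-syslog` and the function names are assumptions for illustration; the sample inputs are constructed.

```python
import ipaddress
import re
import subprocess

# One DNS label per RFC 1123: letters, digits and hyphens, 1-63 chars,
# no leading or trailing hyphen. Shell metacharacters cannot match this.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_remote_host(value: str) -> str:
    """Return value if it is a valid IP literal or hostname; raise ValueError otherwise.

    Allow-listing the accepted syntax is safer than trying to strip "dangerous"
    characters, because a hostname or IP literal has no legitimate need for
    ';', '|', '&', '$', '`', quotes, whitespace or newlines.
    """
    if not isinstance(value, str) or not value or len(value) > 253:
        raise ValueError("remote_host is empty or too long")
    # IPv4 / IPv6 literals: ipaddress rejects anything that is not a pure address.
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    # Hostname: strip one optional trailing dot, then check every label.
    host = value[:-1] if value.endswith(".") else value
    labels = host.split(".")
    if not labels or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"remote_host is not a valid hostname: {value!r}")
    return value


def build_forward_argv(remote_host: str, port: int = 514) -> list:
    """Build the argument vector for a hypothetical log-forwarding helper.

    The host and port become separate argv elements, so even a value that
    slipped past validation would be delivered as a literal string, never
    interpreted by /bin/sh. This replaces the vulnerable shape
    os.system("forward-syslog " + remote_host).
    """
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError("port out of range")
    host = validate_remote_host(remote_host)
    return ["/sbin/forward-syslog", "--host", host, "--port", str(port)]  # hypothetical binary


def start_forwarding(remote_host: str, port: int = 514) -> subprocess.CompletedProcess:
    """Launch the helper with shell=False; only called by the device code, not at import."""
    return subprocess.run(build_forward_argv(remote_host, port), shell=False, check=True)


def classify(value: str) -> str:
    """Return 'accepted' or 'rejected' for a candidate remote_host (used by the demo)."""
    try:
        validate_remote_host(value)
        return "accepted"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    # Constructed sample values: the first three are legitimate, the rest carry
    # shell metacharacters or malformed labels and must be refused before any
    # command is assembled.
    for candidate in ["10.0.0.5", "2001:db8::1", "logs.example.com",
                      "10.0.0.5; id", "$(id)", "a..b", "-bad.example"]:
        print(f"{candidate!r:24} -> {classify(candidate)}")
    print(build_forward_argv("logs.example.com", 514))
```

Validation alone does not make the feature safe from an unauthenticated caller; it pairs with the access-enforcement control, since a page like ViewLog.asp should reject the request before any parameter is looked at.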