Cyber Resilience

CVE-2017-6884

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked · RCE

Published: 06 April 2017
Modified: 21 April 2026
KEV Added: 18 September 2023
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9008 (99.6th percentile)
Risk Priority: 92 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2017-6884 is a high-severity OS Command Injection (CWE-78) vulnerability in Zyxel EMG2926 firmware. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A command injection vulnerability, tracked as CVE-2017-6884 and assigned CWE-78, affects the Zyxel EMG2926 home router running firmware V1.00(AAQT.4)b8. The flaw resides in the diagnostic tools, specifically the nslookup function, and can be triggered through parameters such as ping_ip submitted to the expert/maintenance/diagnostic/nslookup URI.

An authenticated remote attacker with network access can supply crafted input to execute arbitrary commands on the device. Successful exploitation yields full control over the router, resulting in high impact to confidentiality, integrity, and availability as reflected in the CVSS 8.8 score.

The vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog, and public exploit code is available on Exploit-DB. No vendor advisory or patch details are provided in the supplied references.

Vulnerability details

A command injection vulnerability was discovered on the Zyxel EMG2926 home router with firmware V1.00(AAQT.4)b8. The vulnerability is located in the diagnostic tools, specifically the nslookup function. A malicious user may exploit numerous vectors to execute arbitrary commands on the router, such as the ping_ip parameter to the expert/maintenance/diagnostic/nslookup URI.

CWE(s)
KEV Date Added: 18 September 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

zyxel
emg2926 firmware
v1.00(aaqt.4)b8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation and sanitization of inputs such as the ping_ip parameter to the nslookup URI, directly blocking the command-injection payload.

prevent

Restricts privileges of the web-interface and diagnostic processes so that even a successful injection yields limited control over the router.

prevent

Mandates timely application of patches or firmware updates that eliminate the nslookup command-injection flaw.
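The input-validation control above, sketched as an added example (not Zyxel firmware code and not taken from the referenced sources): an allowlist check for a `ping_ip`-style lookup target, followed by invoking `nslookup` with an argument vector instead of a shell string. The function names are hypothetical, and the sample values in the comments are constructed.

```python
import ipaddress
import re
import subprocess

# Characters that can appear in an IP literal or hostname; everything else
# (spaces, quotes, ';', '|', '$', '%', newlines) is rejected up front.
_ALLOWED_CHARS = re.compile(r"[A-Za-z0-9.:-]+")
# RFC 1123 label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_valid_lookup_target(value: str) -> bool:
    """Accept only an IPv4/IPv6 literal or an RFC 1123 hostname."""
    if not value or len(value) > 253:
        return False
    # Checked before ipaddress parsing: Python accepts arbitrary text after
    # '%' as an IPv6 scope id, so the parser alone is not a safe filter.
    if not _ALLOWED_CHARS.fullmatch(value):
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    # The label rule also rejects a leading '-', so the value cannot be
    # interpreted by nslookup as a command-line option.
    return all(_LABEL.fullmatch(label) for label in labels)


def build_nslookup_argv(ping_ip: str) -> list:
    """Return the argv for the lookup, or raise ValueError on bad input."""
    if not is_valid_lookup_target(ping_ip):
        raise ValueError("rejected ping_ip value")
    return ["nslookup", ping_ip]


def run_lookup(ping_ip: str) -> str:
    """Run nslookup without a shell, so metacharacters are never parsed."""
    argv = build_nslookup_argv(ping_ip)
    done = subprocess.run(argv, capture_output=True, text=True,
                          timeout=5, check=False)
    return done.stdout
```

Validation and the shell-free invocation are independent layers: either one alone would stop a value from being interpreted as a command, and keeping both covers a mistake in the other.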
