CVE-2017-18371

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to access ZyXEL routers using default hardcoded credentials, then execute authenticated command injections to take full control. It affects TrueOnline customers using specific ZyXEL router models with vulnerable firmware. Attackers can change router settings, intercept traffic, or join botnets.

💻 Affected Systems

Products:
  • ZyXEL P660HN-T1A v2 router distributed by TrueOnline
Versions: TCLinux Fw #7.3.37.6
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects routers distributed by TrueOnline with the specific firmware version. Other ZyXEL models may have similar issues.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete router compromise allowing traffic interception, DNS hijacking, credential theft, and recruitment into botnets for DDoS attacks.

🟠 Likely Case

Router takeover leading to network surveillance, malware distribution, and unauthorized configuration changes.

🟢 If Mitigated

Limited impact if default credentials are changed and command injection is blocked, though initial access remains possible.

🌐 Internet-Facing: HIGH - Routers are directly internet-facing and vulnerable to remote exploitation.
🏢 Internal Only: MEDIUM - Internal attackers could exploit if they gain network access, but external threats are more likely.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication first using default credentials, then command injection. Has been used in Mirai botnet variants.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Later firmware versions from ZyXEL

Vendor Advisory: http://www.zyxel.com/support/announcement_unauthenticated.shtml

Restart Required: Yes

Instructions:

1. Check the current firmware version.
2. Download the latest firmware from the ZyXEL support site.
3. Upload the firmware via the web interface.
4. Reboot the router after the update completes.

🔧 Temporary Workarounds

Change Default Credentials

all

Immediately change passwords for all user accounts, especially 'true' and 'supervisor' accounts.

Disable Remote Management

all

Turn off remote administration features to prevent external exploitation.

🧯 If You Can't Patch

  • Replace affected routers with updated models
  • Implement network segmentation to isolate router management interfaces

🔍 How to Verify

Check if Vulnerable:

Attempt to log in to the router web interface using username 'true' with password 'true' or username 'supervisor' with password 'zyad1234'. If either succeeds, the device still has the default credentials this vulnerability depends on.

Check Version:

Check router web interface status page or use 'cat /proc/version' via SSH if accessible.

Verify Fix Applied:

Verify that the default credentials no longer work and confirm that the firmware version is newer than #7.3.37.6.

📡 Detection & Monitoring

Log Indicators:

  • Failed login attempts followed by successful logins with default usernames
  • Unusual configuration changes
  • Command injection patterns in web logs

Network Indicators:

  • Unexpected outbound connections to known C2 servers
  • DNS queries to suspicious domains
  • Unusual traffic patterns from router

SIEM Query:

source="router.log" (username="true" OR username="supervisor") AND action="login"
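The SIEM query above only matches login events for the two default usernames. The following Python script is an added example (not part of this advisory) that turns the log indicators listed earlier into a small detector: it parses router log lines, raises an alert for every successful login as a default account, labels it as brute-force-then-success when the same source IP had failed attempts on that account beforehand, and lists configuration changes made by default accounts afterwards. The log line format, field names and sample lines are constructed for illustration and must be adapted to the real syslog format of the device.

```python
import re
from collections import defaultdict

# Default account names the advisory names for the affected TrueOnline ZyXEL units.
DEFAULT_USERNAMES = {"true", "supervisor"}

# Assumed (hypothetical) log line layout; adapt the pattern to the real router/syslog format:
#   2024-03-01T10:00:01Z src=203.0.113.5 user=true action=login result=fail
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)"
    r"\s+action=(?P<action>\S+)\s+result=(?P<result>\S+)$"
)

# Constructed sample lines, not real telemetry.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z src=203.0.113.5 user=true action=login result=fail
2024-03-01T10:00:02Z src=203.0.113.5 user=true action=login result=fail
2024-03-01T10:00:03Z src=203.0.113.5 user=true action=login result=success
2024-03-01T10:00:04Z src=203.0.113.5 user=true action=config_change result=success
2024-03-01T10:05:00Z src=192.0.2.10 user=admin action=login result=success
2024-03-01T10:06:00Z src=198.51.100.7 user=supervisor action=login result=success
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_default_account_logins(log_text, fail_threshold=1):
    """Return alerts for successful logins as a default account.

    Each alert carries the number of failed logins previously seen from the same
    source IP for that account; when it reaches `fail_threshold` the alert kind is
    'brute_force_then_success', otherwise 'default_account_login'.
    """
    fails = defaultdict(int)  # (src, user) -> failed logins seen so far
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["action"] != "login":
            continue
        key = (ev["src"], ev["user"])
        if ev["result"] == "fail":
            fails[key] += 1
            continue
        if ev["result"] == "success" and ev["user"] in DEFAULT_USERNAMES:
            kind = ("brute_force_then_success" if fails[key] >= fail_threshold
                    else "default_account_login")
            alerts.append({"ts": ev["ts"], "src": ev["src"], "user": ev["user"],
                           "kind": kind, "prior_failures": fails[key]})
    return alerts


def config_changes_by_default_accounts(log_text):
    """Return (timestamp, src, user) for configuration changes made by a default account."""
    changes = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev and ev["action"] == "config_change" and ev["user"] in DEFAULT_USERNAMES:
            changes.append((ev["ts"], ev["src"], ev["user"]))
    return changes


if __name__ == "__main__":
    for alert in find_default_account_logins(SAMPLE_LOG):
        print("ALERT", alert)
    for change in config_changes_by_default_accounts(SAMPLE_LOG):
        print("CONFIG CHANGE BY DEFAULT ACCOUNT", change)
```

On the constructed sample the detector flags the 'true' login from 203.0.113.5 as brute-force-then-success (two prior failures), the 'supervisor' login from 198.51.100.7 as a plain default-account login, ignores the 'admin' login, and reports the configuration change made by 'true'. Any successful login as one of these accounts is worth an alert on its own, since the advisory's mitigation is that those credentials should no longer work at all.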
