CVE-2016-10372

CRITICAL EXPLOITED

Eir D1000 Modem Firmware - Remote Code Execution via TR-064 Protocol


Exploitation Summary

CVE-2016-10372 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit, from researchers including Kenzo: the Metasploit module exploits/linux/http/tr064_ntpserver_cmdinject.

AI-analyzed exploit summary: This Metasploit module exploits a command injection vulnerability in Zyxel/Eir D1000 DSL modems via the TR-064 SOAP interface. It injects commands into the 'NewNTPServer' parameter, allowing remote code execution without authentication.

Description

The Eir D1000 modem does not properly restrict the TR-064 protocol, which allows remote attackers to execute arbitrary commands via TCP port 7547, as demonstrated by opening WAN access to TCP port 80, retrieving the login password (which defaults to the Wi-Fi password), and using the NewNTPServer feature.

Exploits (1)

metasploit · WORKING POC · NORMAL
by Kenzo · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/tr064_ntpserver_cmdinject.rb


Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Zyxel/Eir D1000 DSL Modem (firmware versions up to 2.00(AADU.5)_20150909)
Authentication: No auth needed
Prerequisites: Network access to the target device on port 7547 · TR-064 SOAP interface enabled
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Exploit, Technical Description, Third Party Advisory x_refsource_misc
https://isc.sans.edu/forums/diary/TR069+NewNTPServer+Exploits+What+we+know+so+far/21763/
Various Sources x_refsource_misc
https://ghostbin.com/paste/q2vq2

Scores

CVSS v3 9.8
EPSS 0.9197
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2019-01-01
CWE CWE-264
Status published
Products (1)
eir/d1000_modem_firmware
Published May 16, 2017
Tracked Since Feb 18, 2026