CVE-2017-18368

CRITICAL KEV

Billion 5200w-t Firmware - OS Command Injection

Title source: rule
STIX 2.1

Exploitation Summary

CVE-2017-18368 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added August 7, 2023. EIP tracks 2 public exploits from researchers including Pedro Ribeiro <[email protected]>, including a Metasploit module exploits/linux/http/trueonline_p660hn_v1_rce.

AI-analyzed exploit summary This repository contains the RouterSploit framework, an exploitation toolkit for embedded devices, including exploits, scanners, and credential testing modules. The framework is designed to test and exploit vulnerabilities in routers and other embedded systems, with a structured module system and documentation for contributing new exploits.

Description

The ZyXEL P660HN-T1A v1 TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31 router distributed by TrueOnline has a command injection vulnerability in the Remote System Log forwarding function, which is accessible by an unauthenticated user. The vulnerability is in the ViewLog.asp page and can be exploited through the remote_host parameter.

Exploits (2)

vulncheck_xdb WORKING POC
remote
https://github.com/threat9/routersploit

This repository contains the RouterSploit framework, an exploitation toolkit for embedded devices, including exploits, scanners, and credential testing modules. The framework is designed to test and exploit vulnerabilities in routers and other embedded systems, with a structured module system and documentation for contributing new exploits.

Classification
Working Poc 95%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: Embedded devices (routers, cameras, etc.)
No auth needed
Prerequisites: Python 3.6+ · Dependencies listed in requirements.txt
devstral-2 · analyzed Feb 25, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Pedro Ribeiro <[email protected]> · rubypocunix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/trueonline_p660hn_v1_rce.rb

This Metasploit module exploits an unauthenticated command injection vulnerability in the TrueOnline/ZyXEL P660HN-T v1 router by injecting a command to start a telnet daemon, allowing remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: ZyXEL P660HN-T v1 (TrueOnline customized version)
No auth needed
Prerequisites: Network access to the target router · Telnet port (default 9999) must be available
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6
Core References
Exploit, Mailing List, Third Party Advisory x_refsource_misc
https://seclists.org/fulldisclosure/2017/Jan/40
Exploit, Technical Description, Third Party Advisory x_refsource_misc
https://ssd-disclosure.com/index.php/archives/2910

Scores

CVSS v3 9.8
EPSS 0.9451
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2023-08-07
VulnCheck KEV 2021-11-11
InTheWild.io 2021-03-18
ENISA EUVD EUVD-2017-9484
CWE
CWE-78
Status published
Products (3)
billion/5200w-t_firmware 7.3.8.0
zyxel/p660hn-t1a_v1_firmware 7.3.15.0
zyxel/p660hn-t1a_v2_firmware 7.3.15.0
Published May 02, 2019
KEV Added Aug 07, 2023
Tracked Since Feb 18, 2026