CVE-2017-18372

HIGH

Billion 5200W-T Firmware - Authenticated OS Command Injection via uiViewSNTPServer Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-18372. PoCs published by Pedro Ribeiro <[email protected]>, including Metasploit module exploits/linux/http/trueonline_billion_5200w_rce.

AI-analyzed exploit summary This Metasploit module exploits an unauthenticated command injection vulnerability in TrueOnline/Billion 5200W-T routers by injecting a command into the 'syslogServerAddr' parameter, which spawns a telnetd service for remote shell access. If the unauthenticated exploit fails, it attempts an authenticated command injection via the 'tools_time.asp' endpoint.

Description

The Billion 5200W-T TCLinux Fw $7.3.8.0 v008 130603 router distributed by TrueOnline has a command injection vulnerability in the Time Setting function, which is only accessible by an authenticated user. The vulnerability is in the tools_time.asp page and can be exploited through the uiViewSNTPServer parameter. Authentication can be achieved by exploiting CVE-2017-18373.

Exploits (1)

metasploit WORKING POC EXCELLENT

by Pedro Ribeiro <[email protected]> · rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/trueonline_billion_5200w_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits an unauthenticated command injection vulnerability in TrueOnline/Billion 5200W-T routers by injecting a command into the 'syslogServerAddr' parameter, which spawns a telnetd service for remote shell access. If the unauthenticated exploit fails, it attempts an authenticated command injection via the 'tools_time.asp' endpoint.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: TrueOnline/Billion 5200W-T router (customized firmware)

No auth needed

Prerequisites: Network access to the router's web interface · Default or known credentials for authenticated exploit fallback

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1210 - Exploitation of Remote Services

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit, Mailing List, Third Party Advisory x_refsource_misc

https://seclists.org/fulldisclosure/2017/Jan/40

Exploit, Technical Description, Third Party Advisory x_refsource_misc

https://ssd-disclosure.com/index.php/archives/2910

Exploit, Third Party Advisory x_refsource_misc

https://raw.githubusercontent.com/pedrib/PoC/master/advisories/zyxel_trueonline.txt

Scores

CVSS v3 8.8

EPSS 0.7216

EPSS Percentile 98.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (3)

billion/5200w-t_firmware 7.3.8.0

zyxel/p660hn-t1a_v1_firmware 7.3.15.0

zyxel/p660hn-t1a_v2_firmware 7.3.15.0

Published May 02, 2019

Tracked Since Feb 18, 2026