CVE-2017-6884

HIGH KEV RANSOMWARE

Zyxel EMG2926 V1.00(AAQT.4)b8 - Command Injection

Title source: llm

Exploitation Summary

CVE-2017-6884 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added September 18, 2023, with confirmed use in ransomware campaigns. EIP tracks 1 public exploit from researchers including trevor Hough.

AI-analyzed exploit summary This exploit demonstrates an OS command injection vulnerability in Zyxel EMG2926 routers via the nslookup diagnostic tool. It allows arbitrary command execution, including reverse shell establishment and password file dumping.

Description

A command injection vulnerability was discovered on the Zyxel EMG2926 home router with firmware V1.00(AAQT.4)b8. The vulnerability is located in the diagnostic tools, specifically the nslookup function. A malicious user may exploit numerous vectors to execute arbitrary commands on the router, such as the ping_ip parameter to the expert/maintenance/diagnostic/nslookup URI.

Exploits (1)

exploitdb WORKING POC

by trevor Hough · textwebappshardware

https://www.exploit-db.com/exploits/41782

View Code ZIP pw:eip

This exploit demonstrates an OS command injection vulnerability in Zyxel EMG2926 routers via the nslookup diagnostic tool. It allows arbitrary command execution, including reverse shell establishment and password file dumping.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Zyxel EMG2926 < V1.00(AAQT.4)b8

Auth required

Prerequisites: Network access to the router's web interface · Valid authentication credentials

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Third Party Advisory, US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-6884

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/41782/

Scores

CVSS v3 8.8

EPSS 0.3763

EPSS Percentile 98.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable no

Technical Impact partial

Details

CISA KEV 2023-09-18

VulnCheck KEV 2020-01-08

InTheWild.io 2017-04-12

ENISA EUVD EUVD-2017-15938

Ransomware Use Confirmed

CWE

CWE-78

Status published

Products (1)

zyxel/emg2926_firmware v1.00\(aaqt.4\)b8

Published Apr 06, 2017

KEV Added Sep 18, 2023

Tracked Since Feb 18, 2026