Zyxel security advisory for command injection vulnerability in EMG2926-Q10A Ethernet CPE

CVE: CVE-2017-6884

Zyxel recently became aware of CVE-2017-6884 being listed on the CISA Known Exploited Vulnerabilities (KEV) catalog; however, Zyxel provided a patch for the mentioned customized EMG2926-Q10A in 2017. Please also note that the EMG2926-Q10A reached end-of-life several years ago; therefore, we strongly recommend that users replace it with a newer-generation product for optimal protection.

What is the vulnerability?

A command injection vulnerability in the diagnostic function “NSLOOKUP” of the legacy Ethernet CPE EMG2926-Q10A firmware version V1.00(AAQT.4)b8 could allow an authenticated attacker to execute shell commands on an affected device.
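
The advisory does not show the firmware's handler, so the following is an added illustration (not Zyxel's code) of how a diagnostic NSLOOKUP function can avoid this class of bug: the target is checked against a strict allowlist and handed to the tool as a separate argument, with no shell involved. The function names and the sample inputs are hypothetical.

```python
import ipaddress
import re
import subprocess

# Characters that can appear in a hostname or an IP literal; everything else is refused.
_ALLOWED = re.compile(r"[A-Za-z0-9.:-]+")
# One DNS label per RFC 1123: letters, digits, inner hyphens, 1 to 63 characters.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def validate_lookup_target(value):
    """Return the target if it is an IP literal or RFC 1123 hostname, else raise ValueError."""
    if not isinstance(value, str) or len(value) > 253:
        raise ValueError("target must be a string of at most 253 characters")
    # fullmatch (not '$') so a trailing newline cannot slip through.
    if not _ALLOWED.fullmatch(value):
        raise ValueError("target contains characters outside the allowlist")
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass  # not an IP literal, so it must pass the hostname rules below
    name = value[:-1] if value.endswith(".") else value
    # A label may not start with '-', which also stops option-style input.
    if not all(_LABEL.fullmatch(label) for label in name.split(".")):
        raise ValueError("target is not a valid hostname or IP address")
    return name


def build_nslookup_argv(target):
    """Build the argument vector; the target stays one argv element, never shell text."""
    return ["nslookup", validate_lookup_target(target)]


def run_lookup(target, timeout=5):
    """Run the lookup without a shell and return the tool's text output."""
    result = subprocess.run(build_nslookup_argv(target), shell=False,
                            capture_output=True, text=True, timeout=timeout)
    return result.stdout


if __name__ == "__main__":
    # Constructed inputs: two well-formed targets and two that must be refused.
    for sample in ["example.com", "192.0.2.10", "example.com;id", "-debug"]:
        try:
            print(sample, "->", build_nslookup_argv(sample))
        except ValueError as exc:
            print(repr(sample), "rejected:", exc)
```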

What should you do?

The EMG2926-Q10A is a legacy product that has reached end-of-support. In accordance with industry product life cycle management practices, Zyxel advises customers to replace legacy products with newer-generation equipment for optimal protection. If you obtained your Zyxel product through an internet service provider (ISP), please contact the ISP for support.

Got a question?

Please contact your local service rep or visit Zyxel’s Community for further information or assistance.

Revision history

2023-9-19: Initial release.