Zyxel security advisory for command injection vulnerability in EMG2926-Q10A Ethernet CPE

CVE: CVE-2017-6884

Summary

Zyxel recently became aware of CVE-2017-6884 being listed on the CISA Known Exploited Vulnerabilities (KEV) catalog; however, Zyxel provided a patch for the mentioned customized EMG2926-Q10A in 2017. Please also note that the EMG2926-Q10A reached end-of-life several years ago; therefore, we strongly recommend that users replace it with a newer-generation product for optimal protection.

What is the vulnerability?

A command injection vulnerability in the diagnostic function “NSLOOKUP” of the legacy Ethernet CPE EMG2926-Q10A firmware version V1.00(AAQT.4)b8 could allow an authenticated attacker to execute shell commands on an affected device.

What should you do?

The EMG2926-Q10A is a legacy product that has reached end-of-support. In accordance with industry product life cycle management practices, Zyxel advises customers to replace legacy products with newer-generation equipment for optimal protection. If you obtained your Zyxel product through an internet service provider (ISP), please contact the ISP for support.

Got a question?

Please contact your local service rep or visit Zyxel’s Community for further information or assistance.

Revision history

2023-9-19: Initial release.

Security

Networking

Service and License

Home Connectivity

Success Stories

Organization Sizes

Use Cases

Technologies

What’s New?

Support

Training

Buy Online

Locate Partners

Select Your Location

Africa

Asia

Central America

Europe

Middle East

North America

Oceania

South America