Zyxel security advisory for command injection vulnerability in EMG2926-Q10A Ethernet CPE
Zyxel recently became aware of CVE-2017-6884 being listed on the CISA Known Exploited Vulnerabilities (KEV) catalog; however, Zyxel provided a patch for the mentioned customized EMG2926-Q10A in 2017. Please also note that the EMG2926-Q10A reached end-of-life several years ago; therefore, we strongly recommend that users replace it with a newer-generation product for optimal protection.
What is the vulnerability?
A command injection vulnerability in the diagnostic function “NSLOOKUP” of the legacy Ethernet CPE EMG2926-Q10A firmware version V1.00(AAQT.4)b8 could allow an authenticated attacker to execute shell commands on an affected device.
What should you do?
The EMG2926-Q10A is a legacy product that has reached end-of-support. In accordance with industry product life cycle management practices, Zyxel advises customers to replace legacy products with newer-generation equipment for optimal protection. If you obtained your Zyxel product through an internet service provider (ISP), please contact the ISP for support.
Got a question?
Please contact your local service rep or visit Zyxel’s Community for further information or assistance.
2023-9-19: Initial release.