Zyxel security advisory for command injection vulnerability in P660HN-T1A DSL CPE
Zyxel recently became aware of CVE-2017-18368 being listed on the CISA Known Exploited Vulnerabilities (KEV) catalog; however, Zyxel already provided a patch for the customized P660HN-T1A firmware referenced in that CVE in 2017. Additionally, the P660HN-T1A running the latest generic firmware, version 3.40(BYF.11), is not affected by CVE-2017-18368. Please also note that the P660HN-T1A reached end-of-life several years ago; therefore, we strongly recommend that users replace it with a newer-generation product for optimal protection.
What is the vulnerability?
A command injection vulnerability in the Remote System Log forwarder of the legacy DSL CPE P660HN-T1A firmware version 3.40(ULM.0)b3 could allow a remote unauthenticated attacker to execute some OS commands by sending a crafted HTTP request.
What should you do?
The P660HN-T1A is a legacy product that has reached end-of-support. In accordance with industry product life cycle management practices, Zyxel advises customers to replace legacy products with newer-generation equipment for optimal protection. If you obtained your Zyxel product through an internet service provider (ISP), please contact the ISP for support.
Got a question?
Please contact your local service rep or visit Zyxel’s Community for further information or assistance.
2023-8-8: Initial release.