Zyxel security advisory for command injection vulnerability in P660HN-T1A DSL CPE

CVE: CVE-2017-18368

Zyxel recently became aware of CVE-2017-18368 being listed on the CISA Known Exploited Vulnerabilities (KEV) catalog; however, Zyxel provided a patch for the mentioned customized P660HN-T1A in 2017. Additionally, the P660HN-T1A running the latest generic firmware, version 3.40(BYF.11), is not affected by CVE-2017-18363. Please also note that the P660HN-T1A reached end-of-life several years ago; therefore, we strongly recommend that users replace it with a newer-generation product for optimal protection.

What is the vulnerability?

A command injection vulnerability in the Remote System Log forwarder of the legacy DSL CPE P660HN-T1A firmware version 3.40(ULM.0)b3 could allow a remote unauthenticated attacker to execute some OS commands by sending a crafted HTTP request.

What should you do?

The P660HN-T1A is a legacy product that has reached end-of-support. In accordance with industry product life cycle management practices, Zyxel advises customers to replace legacy products with newer-generation equipment for optimal protection. If you obtained your Zyxel product through an internet service provider (ISP), please contact the ISP for support.

Got a question?

Please contact your local service rep or visit Zyxel’s Community for further information or assistance.

Revision history

2023-8-8: Initial release.