Zyxel security advisory for command injection vulnerability in P660HN-T1A DSL CPE

CVE: CVE-2017-18368

Summary

Zyxel recently became aware of CVE-2017-18368 being listed on the CISA Known Exploited Vulnerabilities (KEV) catalog; however, Zyxel provided a patch for the mentioned customized P660HN-T1A in 2017. Additionally, the P660HN-T1A running the latest generic firmware, version 3.40(BYF.11), is not affected by CVE-2017-18363. Please also note that the P660HN-T1A reached end-of-life several years ago; therefore, we strongly recommend that users replace it with a newer-generation product for optimal protection.

What is the vulnerability?

A command injection vulnerability in the Remote System Log forwarder of the legacy DSL CPE P660HN-T1A firmware version 3.40(ULM.0)b3 could allow a remote unauthenticated attacker to execute some OS commands by sending a crafted HTTP request.

What should you do?

The P660HN-T1A is a legacy product that has reached end-of-support. In accordance with industry product life cycle management practices, Zyxel advises customers to replace legacy products with newer-generation equipment for optimal protection. If you obtained your Zyxel product through an internet service provider (ISP), please contact the ISP for support.

Got a question?

Please contact your local service rep or visit Zyxel’s Community for further information or assistance.

Revision history

2023-8-8: Initial release.

Security

Networking

Service and License

Home Connectivity

Success Stories

Organization Sizes

Use Cases

Technologies

What’s New?

Support

Training

Buy Online

Locate Partners

Select Your Location

Africa

Asia

Central America

Europe

Middle East

North America

Oceania

South America