Zyxel security advisory for command injection vulnerability in P660HN-T1A DSL CPE

CVEs: CVE-2017-18368


Zyxel recently became aware of CVE-2017-18368 being listed on the CISA Known Exploited Vulnerabilities (KEV) catalog; however, Zyxel provided a patch for the mentioned customized P660HN-T1A in 2017. Additionally, the P660HN-T1A running the latest generic firmware, version 3.40(BYF.11), is not affected by CVE-2017-18368. Please also note that the P660HN-T1A reached end-of-life several years ago; therefore, we strongly recommend that users replace it with a newer-generation product for optimal protection.


What is the vulnerability?

A command injection vulnerability in the Remote System Log forwarder of the legacy DSL CPE P660HN-T1A firmware version 3.40(ULM.0)b3 could allow a remote unauthenticated attacker to execute some OS commands by sending a crafted HTTP request.


What should you do?

The P660HN-T1A is a legacy product that has reached end-of-support. In accordance with industry product life cycle management practices, Zyxel advises customers to replace legacy products with newer-generation equipment for optimal protection. If you obtained your Zyxel product through an internet service provider (ISP), please contact the ISP for support.


Got a question?

If you are an ISP, please contact your Zyxel sales or service representative for further information or assistance. If you acquired your Zyxel device from an ISP, please reach out to the ISP’s support team directly.


Revision history

2023-8-8: Initial release