Zyxel security advisory for command injection vulnerability in EMG2926-Q10A Ethernet CPE

CVEs: CVE-2017-6884


Zyxel recently became aware of CVE-2017-6884 being listed on the CISA Known Exploited Vulnerabilities (KEV) catalog; however, Zyxel provided a patch for the mentioned customized EMG2926-Q10A in 2017. Please also note that the EMG2926-Q10A reached end-of-life several years ago; therefore, we strongly recommend that customers replace it with a newer-generation product for optimal protection.


What is the vulnerability?

A command injection vulnerability in the diagnostic function “NSLOOKUP” of the legacy Ethernet CPE EMG2926-Q10A firmware version V1.00(AAQT.4)b8 could allow an authenticated attacker to execute shell commands on an affected device.


What should you do?

The EMG2926-Q10A is a legacy product that has reached end-of-support. In accordance with industry product life cycle management practices, Zyxel advises customers to replace legacy products with newer-generation equipment for optimal protection. If you obtained your Zyxel product through an internet service provider (ISP), please contact the ISP for support.


Got a question?

If you are an ISP with customized models, please contact your Zyxel sales or service representative for further information or assistance. For customers who acquired your Zyxel device from an ISP, please reach out to the ISP’s support team directly, as the device may have custom-built settings.


Revision history

2023-9-19: Initial release