CVE-2017-18368 · CWE-78 · Disclosed 2019-05-02

The ZyXEL P660HN-T1A v1 TCLinux Fw $7

ASSESSED — NOISGATE V0.5
01 · The Real Story

This is a hidden maintenance hatch on an old edge router that only matters if you still own that exact building

CVE-2017-18368 is an OS command injection in the Remote System Log forwarding feature of the TrueOnline-customized ZyXEL P660HN-T1A v1 router. The vulnerable build is the legacy TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31 line, where the unauthenticated ViewLog.asp endpoint accepts attacker-controlled input in the remote_host parameter and executes commands as root. Zyxel says the latest generic firmware 3.40(BYF.11) is not affected and that a patch for the customized model was provided in 2017, but the device itself has been end-of-life for years.

The vendor-style 9.8 is technically defensible because this is pre-auth remote code execution on a perimeter device, and KEV plus botnet use prove attackers care. But for enterprise prioritization, the real-world population is sharply narrower than the score implies: this is an old ISP-customized consumer/SMB router, heavily concentrated outside typical U.S. enterprise fleets, with uncertain WAN reachability in many deployments and frequent replacement by modern managed CPE. So the right call is HIGH, not CRITICAL: if you have it, move fast; if you do not, do not let this outrank broadly deployed enterprise software.

"KEV and real exploitation matter, but this is a narrow, legacy ISP router problem—not a universal enterprise fire drill."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Find exposed web management

Attackers use commodity scanners such as masscan, botnet scanner threads, or internet search engines like Shodan to find the router's HTTP management interface. Unit 42 documented Gafgyt variants carrying a dedicated Zyxel scanner for this model family, showing this is operationalized rather than theoretical.
Conditions required:
  • The organization still uses the TrueOnline-customized P660HN-T1A v1
  • HTTP management is reachable from the attacker position, typically WAN or adjacent LAN
  • The device still runs a vulnerable firmware line
Where this breaks in practice:
  • Most enterprises do not deploy this Thailand ISP-specific legacy router at all
  • Many devices sit behind NAT/CGNAT or expose management only on the inside
  • Modern branch designs often replace ISP CPE with managed firewall edges
Detection/coverage: External attack-surface management can catch exposure; botnet-style pre-exploitation scanning is visible in firewall, IDS, and NetFlow if you retain edge telemetry.
STEP 02

POST to ViewLog.asp with injected remote_host

The exploit path is simple: send a crafted HTTP POST to /cgi-bin/ViewLog.asp and break out of the expected syslog host value using shell metacharacters in remote_host. Public technical writeups, a Metasploit module, and malware samples all show the same basic pattern.
Conditions required:
  • Unauthenticated access to ViewLog.asp
  • Firmware behavior matching 3.40(ULM.0)b31 / 7.3.15.0 v001 class
  • No upstream ACL, WAF, or ISP management filter blocking access
Where this breaks in practice:
  • Zyxel states 3.40(BYF.11) is immune
  • Some deployments may only permit this page from the LAN
  • A custom ISP patch may exist even where asset records still look stale
Detection/coverage: Network IPS coverage exists from vendors such as Fortinet and SonicWall; web logs, if retained at all on these devices, are typically weak, so perimeter packet capture is more reliable.
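As an added example (not code from the page, from Zyxel, or from any of the cited researchers), the following Python script applies the detection note above to raw HTTP requests reconstructed from perimeter capture: it parses the form body, pulls remote_host, and flags any value that is not a plain host name or address. The allowlist regex is the same check the firmware should have applied before handing the value to a shell. The endpoint path and parameter name come from the page; the sample requests are constructed, and the 192.0.2.x / 10.0.0.x addresses are placeholders.

```python
#!/usr/bin/env python3
"""Flag HTTP requests that look like CVE-2017-18368 attempts against ViewLog.asp.

Input is raw request text reconstructed from perimeter packet capture (the
client side of a TCP stream). Nothing here talks to a device; the sample
requests at the bottom are constructed for the demonstration.
"""
import re
from urllib.parse import unquote_plus

# The page gives /cgi-bin/ViewLog.asp; match the tail case-insensitively so a
# prefix or capitalisation variant still triggers.
TARGET_SUFFIX = '/viewlog.asp'
PARAM = 'remote_host'

# A remote syslog host is a hostname, an IPv4/IPv6 literal, optionally ':port'.
# ';', '|', '`', '$', quotes, whitespace and '&' have no legitimate use in the
# field and are exactly what a shell injection needs. This allowlist is also
# the check the firmware should have applied before handing the value to a shell.
HOST_RE = re.compile(r'^[A-Za-z0-9.\-\[\]:]{1,253}$')


def split_request(raw: str):
    """Return (method, path, query, body) from a raw HTTP/1.x request, or None."""
    head, _, body = raw.partition('\r\n\r\n')
    request_line = head.split('\r\n', 1)[0]
    parts = request_line.split(' ')
    if len(parts) < 2:
        return None
    method, target = parts[0].upper(), parts[1]
    path, _, query = target.partition('?')
    return method, path, query, body


def form_fields(encoded: str) -> dict:
    """Parse x-www-form-urlencoded text into {name: [values]}.

    Done by hand instead of urllib.parse.parse_qs because older Pythons also
    split on ';', which would hide the very byte this detector looks for.
    """
    fields = {}
    for pair in encoded.split('&'):
        if not pair:
            continue
        name, _, value = pair.partition('=')
        fields.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return fields


def classify_request(raw: str) -> dict:
    """Classify one request as IGNORE, BENIGN, SUSPICIOUS or INJECTION_ATTEMPT."""
    parsed = split_request(raw)
    if parsed is None:
        return {'verdict': 'IGNORE', 'reason': 'unparseable request line'}
    method, path, query, body = parsed
    if not path.lower().endswith(TARGET_SUFFIX):
        return {'verdict': 'IGNORE', 'reason': 'not ViewLog.asp'}

    # Accept the parameter from the query string as well as the body.
    fields = form_fields(query)
    for name, values in form_fields(body).items():
        fields.setdefault(name, []).extend(values)

    values = fields.get(PARAM)
    if not values:
        # Hitting the log-forwarding page without the parameter is not itself
        # an attack, but from an untrusted source it deserves a look.
        return {'verdict': 'SUSPICIOUS', 'reason': f'{method} to ViewLog.asp without {PARAM}'}

    for value in values:
        # Decode once more so a double-encoded '%253B' is seen as ';'.
        inspected = unquote_plus(value)
        bad_chars = sorted({ch for ch in inspected if not HOST_RE.match(ch)})
        if bad_chars or not HOST_RE.match(inspected):
            return {
                'verdict': 'INJECTION_ATTEMPT',
                'reason': f'{PARAM} is not a plain host',
                'value': inspected,
                'bad_chars': bad_chars,
                'double_encoded': inspected != value,
            }
    return {'verdict': 'BENIGN', 'reason': f'{PARAM} is a plain host'}


# Constructed sample requests; the addresses are placeholders, not real hosts.
SAMPLE_BENIGN = (
    'POST /cgi-bin/ViewLog.asp HTTP/1.1\r\n'
    'Host: 192.0.2.1\r\n'
    'Content-Type: application/x-www-form-urlencoded\r\n'
    '\r\n'
    'remote_host=10.0.0.5'
)
SAMPLE_ATTACK = SAMPLE_BENIGN + '%3Bid%3B'   # value decodes to 10.0.0.5;id;
SAMPLE_OTHER = 'GET /index.html HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n'

if __name__ == '__main__':
    for label, raw in (('benign', SAMPLE_BENIGN), ('attack', SAMPLE_ATTACK), ('other', SAMPLE_OTHER)):
        print(label, classify_request(raw))
```

Point it at the request side of reassembled TCP streams (from a pcap or an IDS that exports request bodies) rather than at the router's own logs, which the page notes are unreliable. Matching on the path tail instead of the full /cgi-bin/ViewLog.asp string is deliberate so a prefix or capitalisation variant still triggers; tighten it if it produces noise in your environment.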
STEP 03

Run shell commands as root and fetch a payload

Successful injection lands command execution as root, which is why botnets favor it. Unit 42 observed Gafgyt using the flaw as a binary dropper, pulling architecture-specific malware into /tmp, changing mode bits, and executing it immediately.
Conditions required:
  • The injected command executes in the underlying shell context
  • The device can reach an attacker-controlled host over the internet
  • BusyBox utilities such as wget or equivalent are present
Where this breaks in practice:
  • Egress filtering or DNS controls can break payload retrieval
  • Reboots and volatile filesystem behavior may remove non-persistent payloads
  • Some attack code assumes exact platform and architecture details
Detection/coverage: There is usually no EDR on SOHO routers; detect via outbound connections, downloads to suspicious IPs, and abnormal TCP sessions from branch CPE.
STEP 04

Turn the router into a botnet node or network beachhead

The common observed outcome is not precision post-exploitation but botnet enrollment and DDoS use. That still matters to enterprises because a compromised edge router can degrade branch connectivity, expose traffic, and give attackers a foothold outside standard endpoint visibility.
Conditions required:
  • Payload execution succeeds
  • C2 connectivity is allowed
  • The attacker wants DDoS capacity, proxying, or a staging foothold
Where this breaks in practice:
  • Limited storage and unstable persistence reduce long-term utility
  • Hardware replacement or ISP refresh can evict the malware quickly
  • Blast radius is typically the branch/site behind that router, not the whole enterprise
Detection/coverage: Watch for unexplained outbound spikes, reflection traffic, unusual long-lived sessions from router IPs, and branch instability without endpoint correlates.
03 · Intelligence Metadata

The supporting signals.

In-the-wild status: Confirmed exploited. CISA added it to KEV on 2023-08-07, and Zyxel plus Unit 42 tie the flaw to Gafgyt/JenX-style botnet activity.
KEV status: YES. KEV entry: Zyxel P660HN-T1A Routers Command Injection Vulnerability; the catalog due date for federal agencies was 2023-08-28.
Proof-of-concept availability: Mature and weaponized. Public technical advisory by Pedro Ribeiro, public Full Disclosure post, and a public Rapid7 Metasploit module: trueonline_p660hn_v1_rce.
EPSS: 0.93739, which is extremely high and consistent with the KEV listing and botnet adoption.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H means internet-reachable, low-complexity, no-auth, no-user-click RCE with full CIA impact, but only if the management plane is actually reachable from the attacker's position.
Affected versions: Primary affected target is the TrueOnline-customized ZyXEL P660HN-T1A v1 running TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31; the injection sits in ViewLog.asp via remote_host.
Fixed version: Zyxel states the latest generic firmware 3.40(BYF.11) is not affected, and says a patch for the customized model was provided in 2017. Because this is ISP-customized, field validation matters more than a generic version string.
Scanning / exposure data: Unit 42 reported more than 32,000 potentially vulnerable Wi-Fi routers across three exploited SOHO models from Shodan-based observation; that is not this CVE alone, but it shows an attacker-relevant population. Fortinet observed roughly 7,100 attack attempts per day in August 2023 targeting this flaw.
Disclosure timeline: Researcher disclosure was 2016-12-26; CVE/NVD publication followed on 2019-05-02; KEV addition came much later, on 2023-08-07, after active exploitation evidence.
Researcher / reporting org: Originally disclosed by Pedro Ribeiro of Agile Information Security via Securiteam Secure Disclosure; later exploitation telemetry came from Unit 42 and Fortinet.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to HIGH (8.4/10)

The decisive downward pressure is population and exposure reality: this is an old, ISP-customized router with a much smaller enterprise footprint than a generic 9.8 RCE implies. The decisive upward pressure is KEV-backed active exploitation on an edge device, which means any confirmed instance is high-consequence even if the overall fleet prevalence is low.

HIGH Active exploitation / KEV status
HIGH Technical impact if reachable
MEDIUM Real-world exposure rate inside modern U.S. enterprise fleets
MEDIUM Field mapping from asset inventory to exact ISP-customized patched build

Why this verdict

  • Downgrade for narrow population: this is not broad enterprise middleware; it is a legacy TrueOnline-customized router, which sharply reduces reachable fleet size in most enterprise environments.
  • Upgrade for exploitation evidence: KEV listing plus observed Gafgyt activity means attackers are already using it, so confirmed exposure should never be treated as routine backlog.
  • Downgrade for prerequisite uncertainty: original research explicitly questioned whether exploitation was available over WAN in all cases, and many deployments restrict management to LAN or ISP-only paths.
  • Upgrade for edge-device blast radius: when it does land, it is pre-auth command execution as root on a perimeter device, outside normal endpoint controls.

Why not higher?

I am not calling this CRITICAL for enterprise patch planning because too much of the chain depends on owning a very specific end-of-life ISP build and on actual management-plane reachability. In most 10,000-host environments, the limiting factor is not exploit quality but whether this product exists at all and whether attackers can get to the vulnerable endpoint from the internet.

Why not lower?

I am not pushing it down to MEDIUM because the exploit is pre-auth, simple, public, and already used in the wild. KEV plus router-edge execution as root is enough to keep this in HIGH even with a narrow installed base.

05 · Compensating Control

What to do — in priority order.

  1. Block web management from untrusted networks — Restrict access to the router's HTTP management plane to a trusted admin segment or an out-of-band path; because this is KEV-listed, do it within hours rather than on the normal mitigation tempo. This directly cuts off the unauthenticated ViewLog.asp attack surface.
  2. Replace or patch every confirmed instance — If the device is still present, obtain the ISP-specific fixed firmware or replace the unit entirely; for a HIGH verdict the remediation target is within 180 days, but because exploitation is active, do not wait for the outer bound. For EoL branch CPE, replacement is usually more trustworthy than assuming the right custom patch was applied years ago.
  3. Monitor router egress for payload retrieval — Create detections for branch-router outbound downloads, unexpected DNS lookups, and unexplained TCP sessions from CPE IPs; deploy this immediately, within hours because KEV overrides the normal mitigation tempo. You are compensating for the fact that routers rarely have host telemetry.
  4. Cull the asset class from internet-facing inventory — Use ASM, CMDB, and branch-site audits to identify any P660HN-T1A still in service and remove external exposure; do this immediately, within hours for known internet-facing instances. This is the fastest way to shrink the attack population attackers can actually touch.
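Added example for control 3, and for the detection notes under steps 03 and 04; it is not part of the page or of any vendor's tooling. It runs the router-egress rules over flow records exported as CSV: DNS to a resolver outside the ISP's set, a sizeable download from a non-allowlisted host, a long-lived TCP session, and any other router-initiated TCP session to an unknown host. The CPE addresses, allowlists, thresholds and the flow records themselves are constructed for the demonstration; in practice they come from your CMDB and your flow collector.

```python
#!/usr/bin/env python3
"""Flag branch-router (CPE) egress that fits the post-exploitation pattern of
CVE-2017-18368: a payload pulled from an unknown host, then a long-lived C2 session.

Input is flow data as a NetFlow/IPFIX collector would export it once converted
to CSV. Every address, allowlist, threshold and record below is constructed for
the demonstration.
"""
import csv
import io
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CPE_IPS = {'203.0.113.10', '203.0.113.11'}            # WAN addresses of branch routers
ALLOWED_DESTS = [ip_network('198.51.100.0/29')]        # ISP resolvers, NTP, management
ALLOWED_DNS_SERVERS = {'198.51.100.2', '198.51.100.3'}
LONG_SESSION_SECONDS = 900     # a router has no reason to hold a TCP session this long
DOWNLOAD_BYTES = 50_000        # bytes flowing back *to* the CPE in one session


@dataclass
class Alert:
    rule: str
    src: str
    dst: str
    dport: int
    detail: str


def _allowed(dst: str) -> bool:
    addr = ip_address(dst)
    return any(addr in net for net in ALLOWED_DESTS)


def analyze_flows(csv_text: str) -> list:
    """Return one Alert per rule hit for flows whose source is a CPE address."""
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        src, dst = row['src'], row['dst']
        if src not in CPE_IPS:
            continue                                   # only router-initiated traffic
        proto = row['proto'].upper()
        dport = int(row['dport'])
        duration = float(row['duration'])
        bytes_in = int(row['bytes_in'])

        if proto == 'UDP' and dport == 53 and dst not in ALLOWED_DNS_SERVERS:
            alerts.append(Alert('cpe-dns-to-unexpected-resolver', src, dst, dport,
                                'router resolving through a resolver outside the ISP set'))
            continue
        if _allowed(dst) or proto != 'TCP':
            continue

        fired = []
        if bytes_in >= DOWNLOAD_BYTES:
            fired.append(Alert('cpe-download-from-unknown-host', src, dst, dport,
                               f'{bytes_in} bytes pulled from a non-allowlisted host (payload fetch?)'))
        if duration >= LONG_SESSION_SECONDS:
            fired.append(Alert('cpe-long-lived-session', src, dst, dport,
                               f'{duration:.0f}s session from CPE to a non-allowlisted host (C2?)'))
        if not fired:
            fired.append(Alert('cpe-outbound-to-unknown-host', src, dst, dport,
                               'router-initiated TCP session to a host outside its allowlist'))
        alerts.extend(fired)
    return alerts


# Constructed flow records: two CPE routers, one LAN host, ISP services at 198.51.100.x.
SAMPLE_FLOWS = """\
ts,src,dst,proto,dport,duration,bytes_out,bytes_in
2023-08-10T09:00:01Z,203.0.113.10,198.51.100.2,UDP,53,0.02,70,140
2023-08-10T09:00:02Z,203.0.113.10,198.51.100.4,UDP,123,0.01,48,48
2023-08-10T09:01:10Z,203.0.113.10,192.0.2.77,TCP,80,6.5,310,184320
2023-08-10T09:01:20Z,203.0.113.10,192.0.2.78,TCP,6666,3601,4200,9800
2023-08-10T09:02:00Z,203.0.113.11,192.0.2.53,UDP,53,0.02,64,120
2023-08-10T09:03:00Z,10.20.0.15,192.0.2.77,TCP,443,2.1,900,51200
2023-08-10T09:04:00Z,203.0.113.11,192.0.2.79,TCP,443,1.2,500,800
"""

if __name__ == '__main__':
    for alert in analyze_flows(SAMPLE_FLOWS):
        print(f'{alert.rule:34} {alert.src} -> {alert.dst}:{alert.dport}  {alert.detail}')
```

The rules are deliberately keyed on the source being a router, not on destination reputation: a CPE that initiates any TCP session to something outside its small allowlist is the signal, because there is no host agent on the box to tell you what made the connection. The LAN host in the sample that pulls the same file from the same address is ignored here on purpose; it belongs to endpoint detection, not to this rule set.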
What doesn't work
  • Changing admin passwords alone does not help, because this CVE is exploited without authentication.
  • Endpoint EDR does not meaningfully help on the router itself, because these devices generally do not run your agent stack.
  • MFA for downstream apps does not block the exploit path, because the attack terminates on the router web interface before any human login flow.
06 · Verification

Crowdsourced verification payload.

Run this on an auditor workstation or CI job, not on the router. Export a CSV from your CMDB, NMS, or ISP-CPE inventory with columns like hostname,model,firmware, then run python3 check_cve_2017_18368.py inventory.csv; no special privileges are needed unless the file location requires them. The script classifies each row as VULNERABLE, PATCHED, or UNKNOWN based on the authoritative version markers published for this CVE.

check_cve_2017_18368.py
PYTHON · READ-ONLY · SAFE
#!/usr/bin/env python3
# check_cve_2017_18368.py
# Inventory-based verifier for CVE-2017-18368
# Usage: python3 check_cve_2017_18368.py inventory.csv
# CSV columns expected: hostname, model, firmware (case-insensitive names accepted)
# Exit codes:
#   0 = no vulnerable assets found
#   1 = at least one vulnerable asset found
#   2 = usage / file / parsing error

import csv
import re
import sys
from pathlib import Path

VULN_FW_MARKERS = [
    '3.40(ULM.0)b31',
    '7.3.15.0 v001',
    '$7.3.15.0 v001',
]
PATCHED_FW_MARKERS = [
    '3.40(BYF.11)',
]
MODEL_MARKERS = [
    'p660hn-t1a',
    'p660hn t1a',
]


def normalize(value: str) -> str:
    return re.sub(r'\s+', ' ', (value or '').strip()).lower()


def pick(row, *names):
    lowered = {str(k).strip().lower(): v for k, v in row.items()}
    for name in names:
        if name.lower() in lowered:
            return str(lowered[name.lower()] or '').strip()
    return ''


def classify(model: str, firmware: str) -> str:
    """Map one inventory row to VULNERABLE, PATCHED or UNKNOWN.

    Only the version markers published for this CVE are trusted. Anything else
    on the affected model is UNKNOWN, so a stale or partial firmware string can
    never read as "patched" by accident.
    """
    m = normalize(model)
    fl = normalize(firmware)

    # Not the affected product family at all: nothing to say about it.
    if not any(marker in m for marker in MODEL_MARKERS):
        return 'UNKNOWN'

    # normalize() already lower-cases, so compare against lower-cased markers.
    if any(marker.lower() in fl for marker in PATCHED_FW_MARKERS):
        return 'PATCHED'

    if any(marker.lower() in fl for marker in VULN_FW_MARKERS):
        return 'VULNERABLE'

    # Partial match on the TrueOnline-customized ULM / 7.3.15.0 line the CVE
    # describes: treat as vulnerable until the device itself says otherwise.
    if 'ulm' in fl and ('b31' in fl or '7.3.15.0' in fl):
        return 'VULNERABLE'

    # Any other build, including generic BYF builds other than 3.40(BYF.11),
    # is not one Zyxel named as unaffected: fail closed and verify in the field.
    return 'UNKNOWN'


def main():
    if len(sys.argv) != 2:
        print('UNKNOWN - usage: python3 check_cve_2017_18368.py inventory.csv')
        sys.exit(2)

    path = Path(sys.argv[1])
    if not path.exists() or not path.is_file():
        print(f'UNKNOWN - file not found: {path}')
        sys.exit(2)

    vulnerable_count = 0
    unknown_on_model = 0
    processed = 0

    try:
        with path.open(newline='', encoding='utf-8-sig') as fh:
            reader = csv.DictReader(fh)
            if not reader.fieldnames:
                print('UNKNOWN - CSV has no header row')
                sys.exit(2)

            for row in reader:
                processed += 1
                hostname = pick(row, 'hostname', 'host', 'asset', 'device', 'name', 'ip', 'address') or f'row-{processed}'
                model = pick(row, 'model', 'device_model', 'product')
                firmware = pick(row, 'firmware', 'version', 'fw', 'software_version')
                status = classify(model, firmware)
                if status == 'VULNERABLE':
                    vulnerable_count += 1
                elif status == 'UNKNOWN' and any(marker in normalize(model) for marker in MODEL_MARKERS):
                    # Right product, unrecognised firmware string: a field-check
                    # item, not a quiet pass.
                    unknown_on_model += 1
                print(f'{hostname},{status},model="{model}",firmware="{firmware}"')

    except Exception as exc:
        # sys.exit() raises SystemExit, which is not an Exception, so the
        # exits above are not swallowed here.
        print(f'UNKNOWN - failed to parse CSV: {exc}')
        sys.exit(2)

    if processed == 0:
        print('UNKNOWN - CSV contained no data rows')
        sys.exit(2)

    if vulnerable_count > 0:
        print(f'VULNERABLE - {vulnerable_count} asset(s) matched CVE-2017-18368 vulnerable firmware markers')
        sys.exit(1)

    if unknown_on_model > 0:
        # Exit 0 keeps the documented contract (no vulnerable markers), but do
        # not call these patched: an unrecognised build on the affected model
        # has to be checked on the device.
        print(f'UNKNOWN - no vulnerable markers matched, but {unknown_on_model} P660HN-T1A row(s) '
              'carry an unrecognised firmware string; verify them on the device')
        sys.exit(0)

    print('PATCHED - no assets matched known vulnerable firmware markers')
    sys.exit(0)


if __name__ == '__main__':
    main()
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: first answer the only question that matters—do we still own any P660HN-T1A units, and are any management interfaces reachable from untrusted networks? Because this CVE is KEV-listed and actively exploited, patch / mitigate immediately, within hours for any confirmed exposure, overriding the normal noisgate mitigation SLA. If you confirm the device exists, block external management the same day and either apply the vendor/ISP-fixed firmware or replace the EoL hardware; for the reassessed HIGH bucket, the noisgate remediation SLA is ≤ 180 days, but for this one that is a ceiling, not a goal.

Sources

  1. NVD CVE-2017-18368
  2. CISA KEV Catalog entry
  3. CISA alert adding CVE-2017-18368 to KEV
  4. Zyxel advisory for CVE-2017-18368
  5. Zyxel advisory on Gafgyt exploiting the flaw
  6. Unit 42 analysis of Gafgyt targeting CVE-2017-18368
  7. Pedro Ribeiro original advisory
  8. Rapid7 Metasploit module reference