According to SecuriTeam, several customized ZyXEL routers distributed by the Thai ISP TrueOnline are affected by multiple vulnerabilities. The routers are handed to customers free of charge with default settings, including default accounts and passwords, a gift for hackers.
Three models are widespread: the ZyXEL P660HN-T v1, the ZyXEL P660HN-T v2, and the Billion 5200W-T; the first of them has been distributed since 2013.
“Several models are distributed by TrueOnline, three in particular are widespread:
These are customized versions of existing ZyXEL and Billion routers. They are MIPS systems and they all run BOA web server.” reads the security advisory published by SecuriTeam.
The vulnerabilities were discovered by an independent security researcher. They include an unauthenticated remote command execution vulnerability in the P660HN-T v1, both an unauthenticated and an authenticated remote command execution flaw in the Billion 5200W-T, and an unauthenticated remote command execution vulnerability in the P660HN-T v2.
The P660HN-T v1 is affected by a command injection vulnerability under Maintenance > Logs > System Log > Remote System Log: the issue resides in the remote_host parameter of the ViewLog.asp page, which is reachable by an unauthenticated attacker.
The network device comes with the following default credentials:
The Billion 5200W-T router has an unauthenticated command injection in the adv_remotelog.asp file. An attacker can trigger it through the syslogServerAddr parameter by supplying a valid IP address followed by “;<COMMAND>;”.
The same device is affected by an authenticated command injection in the tools_time.asp interface through the uiViewSNTPServer parameter. In this case too, the researcher found that the device ships with the following default accounts:
The third device, the P660HN-T v2, is affected by a remote command injection that chains an authenticated command injection with a hardcoded supervisor password. The flaw resides in the logSet.asp file, and the hardcoded supervisor credentials are username supervisor, password zyad1234.
“The actual command that can be injected has a length limitation of 28 characters,” states the advisory.
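All three flaws share the same shape: a host or IP address parameter (remote_host, syslogServerAddr, uiViewSNTPServer) is concatenated into a command line that a shell interprets, so a valid address followed by “;<COMMAND>;” runs the attacker's command. The following added example is not code from the advisory or from the ZyXEL/Billion firmware; it is an illustration of the bug class and of the fix. The `echo remote-log-target` command is a stand-in assumption for whatever the real firmware executes, and the sample inputs are constructed.

```python
import ipaddress
import re
import subprocess
import sys

# Conservative RFC 1123 hostname shape: dot-separated labels of letters, digits
# and hyphens, no leading or trailing hyphen, at most 253 characters overall.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def is_valid_host(value: str) -> bool:
    """Accept a literal IPv4/IPv6 address or a plain hostname, nothing else.

    Shell metacharacters such as ';', '|', '&' and '$' never match, so the
    "<IP>;<COMMAND>;" shape described in the advisory is rejected before any
    command line is built from the value.
    """
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return len(value) <= 253 and _HOSTNAME_RE.match(value) is not None


def run_unsafe(host: str) -> str:
    """String concatenation into a shell: the injection pattern from the advisory.

    'echo remote-log-target' is an assumed stand-in for the firmware's real
    command; the point is that the shell parses ';' inside the untrusted value.
    """
    cmdline = "echo remote-log-target " + host
    return subprocess.run(cmdline, shell=True, capture_output=True, text=True).stdout


def run_argv(host: str) -> str:
    """Same stand-in without a shell: the host is one argv element and is never
    re-parsed, so metacharacters are passed through literally."""
    argv = [sys.executable, "-c",
            "import sys; print('remote-log-target', sys.argv[1])", host]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def run_safe(host: str) -> str:
    """Validate the parameter first, then execute without a shell."""
    if not is_valid_host(host):
        raise ValueError(f"rejected remote log target: {host!r}")
    return run_argv(host)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    legit = "192.168.1.10"
    payload = "192.168.1.10;echo INJECTED;"  # the 15 injected characters fit a 28-char limit
    print(run_unsafe(payload), end="")  # second output line shows the injected command ran
    print(run_argv(payload), end="")    # whole payload printed literally, nothing executed
    print(run_safe(legit), end="")
    try:
        run_safe(payload)
    except ValueError as exc:
        print("blocked:", exc)
```

Validation alone is not enough if the value still reaches a shell (a hostname regex does not stop every future parser quirk), and argv-style execution alone still lets an attacker point the device at an arbitrary host; a firmware fix wants both the strict parameter check and the shell-free execution, and in any case should not expose the page to unauthenticated clients.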
Default accounts – P660HN-T v2 router
The sad aspect of the story is that the researcher reported the vulnerabilities to ZyXEL in July, but the company still has not issued any patch or workaround.
Vulnerabilities in IoT devices, including home routers and SOHO equipment, are particularly critical because attackers can exploit them to compromise the devices and recruit them into powerful “thingbots” such as the Mirai botnet.
(Security Affairs – ZyXEL customized routers, hacking)