CVE-2017-6884
CVE-2017-6884 is a high-severity vulnerability in Zyxel Emg2926 Firmware with a CVSS 3.x base score of 8.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-09-18). The underlying weakness is classified as CWE-78.
Key facts
- Severity: High (CVSS 3.x base score 8.8)
- CVSS v2: 9.0
- EPSS exploit prediction: 38% (98th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2023-09-18)
- EU (EUVD) id: EUVD-2017-15938
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2023-09-18)
- Weakness: CWE-78
- Affected product: Zyxel Emg2926 Firmware
- Published:
- Last modified:
Description
A command injection vulnerability was discovered on the Zyxel EMG2926 home router with firmware V1.00(AAQT.4)b8. The vulnerability is located in the diagnostic tools, specifically the nslookup function. A malicious user may exploit numerous vectors to execute arbitrary commands on the router, such as the ping_ip parameter to the expert/maintenance/diagnostic/nslookup URI.
Zyxel EMG2926 Command Injection Vulnerability (CVE-2017-6884)
AI-generated analysis based on the vulnerability data on this page.
Summary
CVE-2017-6884 is a command injection flaw in the Zyxel EMG2926 home router's built-in diagnostic tools. An authenticated attacker can exploit numerous vectors—including the ping_ip parameter on the nslookup page—to execute arbitrary operating system commands and achieve full device compromise.
Background
The Zyxel EMG2926 is a wireless home gateway commonly deployed in residential and small-office environments. Its web-based administrative interface includes diagnostic utilities such as ping, traceroute, and nslookup. These tools are intended to help administrators troubleshoot connectivity issues, yet they become high-risk attack surfaces when user input is passed directly to the underlying operating system shell.
Root Cause
This vulnerability is classified as CWE-78: OS Command Injection. The diagnostic nslookup function takes user-supplied input and concatenates it into a shell command without adequate sanitization, validation, or parameterization. Because the firmware passes this input to the system shell without sanitization, attacker-controlled input containing shell metacharacters is interpreted as commands, allowing arbitrary execution.
Impact
The National Vulnerability Database rates this issue with a CVSS v2 score of 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C) and a CVSS v3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
In concrete terms:
- Network (AV:N): The attack can be launched remotely.
- Low Complexity (AC:L): No special conditions are required.
- Single/ Low Privileges (Au:S / PR:L): An attacker needs only a valid authentication session.
- Complete / High CIA (C:C/I:C/A:C or C:H/I:H/A:H): Successful exploitation grants the attacker full control over the device, including the ability to read or modify configuration, intercept traffic, pivot into the local network, or render the router unavailable.
Exploitation Walkthrough
From a defensive perspective, exploitation proceeds as follows. An attacker who has already obtained valid credentials navigates to the diagnostic page and submits a crafted request to the nslookup function, injecting shell metacharacters into a field such as ping_ip. This causes the router to execute attacker-supplied commands on the underlying operating system.
Ethics caveat: The details above are provided for defensive and detection purposes only. Security practitioners should use this information to improve logging, write detection rules, and prioritize patching—not to attack systems without authorization.
Affected and Patched Versions
The following configuration is confirmed vulnerable:
- Zyxel EMG2926 running firmware V1.00(AAQT.4)b8
No patched firmware version is documented in the available source data. Administrators should contact Zyxel support to determine whether a newer firmware release resolves this issue.
Remediation
- Upgrade: If a patched firmware version is available from Zyxel, apply it immediately.
- Compensating controls:
- Disable remote administration (WAN-side access to the web interface).
- Restrict access to the administrative interface to a trusted IP range or dedicated management VLAN.
- Disable the diagnostic tools page if the firmware allows it.
- Change default credentials and enforce strong, unique passwords.
- Place the device behind a firewall with strict ingress rules.
- If no patch is available: Consider replacing the router with a model that is actively supported and receiving security updates.
Detection
- Web logs: Monitor for HTTP requests to
/expert/maintenance/diagnostic/nslookupcontaining shell metacharacters (e.g.,;,|,&,`,$(), or newlines) in parameters such asping_ipor other user-controlled fields. - Process/behavioral monitoring: Alert on unexpected processes spawned by the router's web server or unusual outbound connections from the device.
- Network traffic: Watch for anomalous DNS queries or ICMP patterns originating from the router that do not match baseline behavior.
Assessment
This vulnerability carries an EPSS score of 0.37634 (98.35th percentile), indicating a very high probability of exploitation in the wild. It was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on 2023-09-18 and is also flagged as exploited by the European Union.
The gap between the vulnerability's public disclosure in April 2017 and its KEV inclusion in September 2023 underscores a critical lesson: long-unpatched embedded devices remain valuable targets for threat actors, especially in botnet-driven attacks.
Key lessons:
- Diagnostic interfaces on edge devices are privileged attack surfaces that require rigorous input validation and, where possible, should be disabled in production deployments.
- A vulnerability's age does not diminish its risk; if a device is still online and unpatched years after disclosure, it is likely to be exploited.
References
Frequently asked questions
- What is CVE-2017-6884?
- A command injection vulnerability was discovered on the Zyxel EMG2926 home router with firmware V1.00(AAQT.4)b8. The vulnerability is located in the diagnostic tools, specifically the nslookup function. A malicious user may exploit numerous vectors to execute arbitrary commands on the router, such as the ping_ip parameter to the expert/maintenance/diagnostic/nslookup URI.
- How severe is CVE-2017-6884?
- CVE-2017-6884 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2017-6884 being actively exploited?
- Yes. CVE-2017-6884 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-09-18, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2017-6884?
- CVE-2017-6884 affects Zyxel Emg2926 Firmware. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2017-6884?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2017-6884 have an EU (EUVD) identifier?
- Yes. CVE-2017-6884 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2017-15938. It is also flagged as exploited in the EUVD (since 2023-09-18).
- When was CVE-2017-6884 published?
- CVE-2017-6884 was published on 2017-04-06 and last updated on 2026-06-17.
References
- https://www.exploit-db.com/exploits/41782/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-6884
Affected products (1)
- cpe:2.3:o:zyxel:emg2926_firmware:v1.00\(aaqt.4\)b8:*:*:*:*:*:*:*
Other CWE-78 (OS Command Injection) vulnerabilities
- CVE-2026-56004 — Critical (CVSS 10.0): A shellcode injection in the mercurial handler of the obs tar_scm source service before version 0.12.4 could be used by…
- CVE-2026-56415 — Critical (CVSS 10.0): Storage Concentrator (SC & SCVM) contains a command injection vulnerability within the debug.pl script that is…
- CVE-2026-56413 — Critical (CVSS 10.0): Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the ms_service.pl service, which listens…
- CVE-2026-49869 — Critical (CVSS 10.0): Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in…
- CVE-2026-49261 — Critical (CVSS 10.0): MariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through…
- CVE-2026-10520 — Critical (CVSS 10.0): An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a…