CVE-2017-6884

CVE-2017-6884 is a high-severity vulnerability in Zyxel Emg2926 Firmware with a CVSS 3.x base score of 8.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-09-18). The underlying weakness is classified as CWE-78.

Key facts

Description

A command injection vulnerability was discovered on the Zyxel EMG2926 home router with firmware V1.00(AAQT.4)b8. The vulnerability is located in the diagnostic tools, specifically the nslookup function. A malicious user may exploit numerous vectors to execute arbitrary commands on the router, such as the ping_ip parameter to the expert/maintenance/diagnostic/nslookup URI.

Zyxel EMG2926 Command Injection Vulnerability (CVE-2017-6884)

AI-generated analysis based on the vulnerability data on this page.

Summary

CVE-2017-6884 is a command injection flaw in the Zyxel EMG2926 home router's built-in diagnostic tools. An authenticated attacker can exploit numerous vectors—including the ping_ip parameter on the nslookup page—to execute arbitrary operating system commands and achieve full device compromise.

Background

The Zyxel EMG2926 is a wireless home gateway commonly deployed in residential and small-office environments. Its web-based administrative interface includes diagnostic utilities such as ping, traceroute, and nslookup. These tools are intended to help administrators troubleshoot connectivity issues, yet they become high-risk attack surfaces when user input is passed directly to the underlying operating system shell.

Root Cause

This vulnerability is classified as CWE-78: OS Command Injection. The diagnostic nslookup function takes user-supplied input and concatenates it into a shell command without adequate sanitization, validation, or parameterization. Because the firmware passes this input to the system shell without sanitization, attacker-controlled input containing shell metacharacters is interpreted as commands, allowing arbitrary execution.

Impact

The National Vulnerability Database rates this issue with a CVSS v2 score of 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C) and a CVSS v3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

In concrete terms:

  • Network (AV:N): The attack can be launched remotely.
  • Low Complexity (AC:L): No special conditions are required.
  • Single/ Low Privileges (Au:S / PR:L): An attacker needs only a valid authentication session.
  • Complete / High CIA (C:C/I:C/A:C or C:H/I:H/A:H): Successful exploitation grants the attacker full control over the device, including the ability to read or modify configuration, intercept traffic, pivot into the local network, or render the router unavailable.

Exploitation Walkthrough

From a defensive perspective, exploitation proceeds as follows. An attacker who has already obtained valid credentials navigates to the diagnostic page and submits a crafted request to the nslookup function, injecting shell metacharacters into a field such as ping_ip. This causes the router to execute attacker-supplied commands on the underlying operating system.

Ethics caveat: The details above are provided for defensive and detection purposes only. Security practitioners should use this information to improve logging, write detection rules, and prioritize patching—not to attack systems without authorization.

Affected and Patched Versions

The following configuration is confirmed vulnerable:

  • Zyxel EMG2926 running firmware V1.00(AAQT.4)b8

No patched firmware version is documented in the available source data. Administrators should contact Zyxel support to determine whether a newer firmware release resolves this issue.

Remediation

  1. Upgrade: If a patched firmware version is available from Zyxel, apply it immediately.
  2. Compensating controls:
    • Disable remote administration (WAN-side access to the web interface).
    • Restrict access to the administrative interface to a trusted IP range or dedicated management VLAN.
    • Disable the diagnostic tools page if the firmware allows it.
    • Change default credentials and enforce strong, unique passwords.
    • Place the device behind a firewall with strict ingress rules.
  3. If no patch is available: Consider replacing the router with a model that is actively supported and receiving security updates.

Detection

  • Web logs: Monitor for HTTP requests to /expert/maintenance/diagnostic/nslookup containing shell metacharacters (e.g., ;, |, &, `, $(), or newlines) in parameters such as ping_ip or other user-controlled fields.
  • Process/behavioral monitoring: Alert on unexpected processes spawned by the router's web server or unusual outbound connections from the device.
  • Network traffic: Watch for anomalous DNS queries or ICMP patterns originating from the router that do not match baseline behavior.

Assessment

This vulnerability carries an EPSS score of 0.37634 (98.35th percentile), indicating a very high probability of exploitation in the wild. It was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on 2023-09-18 and is also flagged as exploited by the European Union.

The gap between the vulnerability's public disclosure in April 2017 and its KEV inclusion in September 2023 underscores a critical lesson: long-unpatched embedded devices remain valuable targets for threat actors, especially in botnet-driven attacks.

Key lessons:

  1. Diagnostic interfaces on edge devices are privileged attack surfaces that require rigorous input validation and, where possible, should be disabled in production deployments.
  2. A vulnerability's age does not diminish its risk; if a device is still online and unpatched years after disclosure, it is likely to be exploited.

References

Frequently asked questions

What is CVE-2017-6884?
A command injection vulnerability was discovered on the Zyxel EMG2926 home router with firmware V1.00(AAQT.4)b8. The vulnerability is located in the diagnostic tools, specifically the nslookup function. A malicious user may exploit numerous vectors to execute arbitrary commands on the router, such as the ping_ip parameter to the expert/maintenance/diagnostic/nslookup URI.
How severe is CVE-2017-6884?
CVE-2017-6884 has a CVSS 3.x base score of 8.8, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2017-6884 being actively exploited?
Yes. CVE-2017-6884 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-09-18, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2017-6884?
CVE-2017-6884 affects Zyxel Emg2926 Firmware. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2017-6884?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2017-6884 have an EU (EUVD) identifier?
Yes. CVE-2017-6884 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2017-15938. It is also flagged as exploited in the EUVD (since 2023-09-18).
When was CVE-2017-6884 published?
CVE-2017-6884 was published on 2017-04-06 and last updated on 2026-06-17.

References

Affected products (1)

Other CWE-78 (OS Command Injection) vulnerabilities

Browse all CWE-78 (OS Command Injection) vulnerabilities →