Connect with us

Hi, what are you looking for?



Multiple Vulnerabilities Impact ZyXEL Customized Routers

Various ZyXEL customized routers are plagued by several vulnerabilities and by default login credentials, SecuriTeam security researchers warn.

Various ZyXEL customized routers are plagued by several vulnerabilities and by default login credentials, SecuriTeam security researchers warn.

The flaws were found in the equipment distributed by TrueOnline, a major Internet Service Provider in Thailand. The company provides its customers with customized versions of routers, free of charge, all of which feature default accounts and passwords that put their users at risk.

Manufactured by ZyXEL, the routers run a special version of Linux called “tclinux,” with three models being particularly widespread, namely ZyXEL P660HN-T v1, ZyXEL P660HN-T v2, and Billion 5200W-T. While P660HN-T v1 was distributed up until 2013, the 5200W-T models is currently being distributed to new clients, Securi reveals.

The discovered vulnerabilities, which have been reported by an independent security researcher, include an unauthenticated remote command execution vulnerability in P660HN-T v1; unauthenticated remote command execution and authenticated remote command execution flaws in Billion 5200W-T; and an unauthenticated remote command execution vulnerability in P660HN-T v2.

In addition to these issues, all three models come with default accounts and passwords that can be leveraged by an attacker to gain access to the vulnerable device.

“These are customized versions of existing ZyXEL and Billion routers. They are MIPS systems and they all run BOA web server. The routers are vulnerable via command injections in its web interface, which can be exploited by an unauthenticated as well as an authenticated attacker,” Securi warns in an advisory.

The P660HN-T v1 is affected by a command injection vulnerability in Maintenance > Logs > System Log > Remote System Log, in the remote_host parameter on the ViewLog.asp page, which is accessible unauthenticated. The router also contains the following default credentials: username: admin, password: password; and username: true, password: true.

Advertisement. Scroll to continue reading.

The Billion 5200W-T router is affected by an unauthenticated command injection in the adv_remotelog.asp file. The flaw was found in the syslogServerAddr parameter that can be exploited by entering a valid IP address, followed by “;<COMMAND>;”.

The router is also plagued by authenticated command injections in the interface tools_time.asp with the uiViewSNTPServer parameter. Additionally, the device includes the following default accounts: username: admin, password: password; username: true, password: true; username: user3, password:




The P660HN-T v2 router, researchers say, is plagued by a remote command vulnerability composed from an authenticated command injection and a hardcoded supervisor password. The command injection vulnerability affects the logSet.asp file, while the hardcoded supervisor credentials are username: supervisor; password: zyad1234.

The security researchers note that the command that can be injected has a length limitation of 28 characters and that other default accounts are also present on the device. These include username: admin; password: password, and username: true; password: true.

Securi notes that ZyXEL was informed about these vulnerabilities in July 2016. Although the researchers attempted numerous times to re-establish contact and receive information on the status of the patches for these vulnerabilities, the company didn’t respond as of now, the researchers also say. No workaround for these flaws exists yet.

Last week, NETGEAR WNR2000 routers were found vulnerable to 0-day flaws that could result in an attacker taking full control of the impacted devices. After the vulnerability went public, NETGEAR contacted SecurityWeek to confirm that it was already working on a firmware update to address the issue.

Related: Mirai-Based Worm Targets Devices via New Attack Vector

Related: Reuse of Cryptographic Keys Exposes Millions of IoT Devices: Study

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.