Gafgyt botnet is targeting EoL Zyxel routers

Pierluigi Paganini August 11, 2023

Researchers warn that the Gafgyt botnet is actively exploiting a vulnerability impacting the end-of-life Zyxel P660HN-T1A router.

A variant of the Gafgyt botnet is actively attempting to exploit a vulnerability, tracked as CVE-2017-18368 (CVSS v3: 9.8), impacting the end-of-life Zyxel P660HN-T1A router.

The flaw is a command injection vulnerability in the Remote System Log forwarding function, which is reachable by unauthenticated users. The vulnerable code sits behind the ViewLog.asp page and can be triggered through the remote_host parameter.

The vulnerability impacts devices running firmware versions 7.3.15.0 v001/3.40(ULM.0)b31 or older.
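From a defender's side, the two useful things to have for a flaw of this shape are an allow-list validator for the log-forwarding host (the value should only ever be an IP address or a hostname) and a detector that flags requests to the ViewLog.asp page whose remote_host value fails that check. The block below is an added example, not code from the article, Fortinet or Zyxel; the access-log lines are constructed, the /cgi-bin/ViewLog.asp path is assumed (the article only names ViewLog.asp), and the injected strings are placeholders rather than real payloads.

```python
"""Validate remote_host values and flag suspicious ViewLog.asp requests in an access log.

Added example. SAMPLE_LOG is constructed, not a real capture; the /cgi-bin/ViewLog.asp
path is assumed from the article's mention of ViewLog.asp.
"""
import ipaddress
import re
from urllib.parse import unquote_plus

# Constructed Common Log Format lines (not real captures). The two lines whose
# remote_host contains shell metacharacters use PLACEHOLDER tokens, not real commands.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Aug/2023:10:15:01 +0000] "GET /cgi-bin/ViewLog.asp?remote_host=192.0.2.10 HTTP/1.1" 200 512
198.51.100.23 - - [07/Aug/2023:10:15:09 +0000] "GET /cgi-bin/ViewLog.asp?remote_host=10.0.0.1%3B%60PLACEHOLDER_CMD%60 HTTP/1.1" 200 512
203.0.113.9 - - [07/Aug/2023:10:16:30 +0000] "GET /index.asp HTTP/1.1" 200 1024
203.0.113.7 - - [07/Aug/2023:10:17:02 +0000] "GET /cgi-bin/ViewLog.asp?remote_host=syslog.example.com HTTP/1.1" 200 512
198.51.100.23 - - [07/Aug/2023:10:17:45 +0000] "GET /cgi-bin/ViewLog.asp?remote_host=%24%28PLACEHOLDER%29 HTTP/1.1" 200 512
"""

# Common Log Format: src ident user [timestamp] "METHOD target PROTOCOL" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens, 253 chars max.
HOSTNAME_RE = re.compile(
    r'^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*'
    r'[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
)


def is_valid_remote_host(value: str) -> bool:
    """Allow-list check: accept only a literal IPv4/IPv6 address or an RFC 1123 hostname.

    Anything else (shell metacharacters, whitespace, quotes, empty string) is rejected,
    which is the check a syslog-forwarding setting should apply before the value is used.
    """
    if not value:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.match(value) is not None


def parse_query(query: str) -> dict:
    """Split a URL query string into a dict, percent-decoding keys and values.

    Done by hand rather than with urllib.parse.parse_qs so that behaviour does not
    depend on the Python version's choice of separators. First value per key wins.
    """
    params = {}
    for pair in query.split('&'):
        if not pair:
            continue
        key, _, val = pair.partition('=')
        params.setdefault(unquote_plus(key), unquote_plus(val))
    return params


def flag_viewlog_attempts(log_text: str) -> list:
    """Return one finding per request to ViewLog.asp whose remote_host fails validation.

    Only GET query strings are visible in an access log; a remote_host sent in a POST
    body would need request-body logging or a WAF to inspect.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group('target').partition('?')
        if not path.endswith('/ViewLog.asp'):
            continue
        params = parse_query(query)
        if 'remote_host' not in params:
            continue
        host = params['remote_host']
        if not is_valid_remote_host(host):
            findings.append({'src': m.group('src'), 'ts': m.group('ts'), 'remote_host': host})
    return findings


if __name__ == '__main__':
    for f in flag_viewlog_attempts(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} suspicious remote_host={f['remote_host']!r}")
```

Run against the constructed sample, the detector reports the two requests from 198.51.100.23 and leaves the two well-formed forwarding hosts (an IP and a hostname) alone. The validator is the same allow-list a firmware fix would apply at the input boundary; on an end-of-life device that fix will never arrive, which is why the article's advice to replace the router, not just to monitor it, is the right one.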

Zyxel addressed the vulnerability in 2017 with new firmware; however, the vendor warned in 2019 that a Gafgyt variant was exploiting the flaw.

Fortinet has now published an outbreak alert warning of a surge in in-the-wild attacks targeting the end-of-life routers.

“Aug 7, 2023: FortiGuard Labs continue to see attack attempts targeting the 2017 vulnerability and has blocked attack attempts of over thousands of unique IPS devices over the last month.” reads the alert.

According to the following chart, Fortinet has observed an average of 7,300 attacks per day attempting to exploit the flaw since July 2023.

[Chart: Gafgyt botnet attack attempts against Zyxel routers, as observed by Fortinet]

US CISA also added the vulnerability to its Known Exploited Vulnerabilities Catalog and ordered federal agencies to fix this flaw by August 28, 2023.

“Zyxel recently became aware of CVE-2017-18368 being listed on the CISA Known Exploited Vulnerabilities (KEV) catalog; however, Zyxel provided a patch for the mentioned customized P660HN-T1A in 2017. Additionally, the P660HN-T1A running the latest generic firmware, version 3.40(BYF.11), is not affected by CVE-2017-18363. Please also note that the P660HN-T1A reached end-of-life several years ago; therefore, we strongly recommend that users replace it with a newer-generation product for optimal protection.” reads a new advisory published by the vendor.
