CVE-2017-18373
Description
The Billion 5200W-T TCLinux Fw $7.3.8.0 v008 130603 router distributed by TrueOnline has three user accounts with default passwords, including two hardcoded service accounts: one with the username true and password true, and another with the username user3 and a long password consisting of a repetition of the string 0123456789. These accounts can be used to log in to the web interface, exploit authenticated command injections, and change router settings for malicious purposes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Billion 5200W-T router contains hardcoded service accounts with default passwords, enabling authenticated command injection and full device compromise.
Vulnerability
The Billion 5200W-T TCLinux Fw $7.3.8.0 v008 130603 router, distributed by TrueOnline, includes three default user accounts, two of which are hardcoded service accounts: one with username true and password true, and another with username user3 and a password consisting of a repetition of the string 0123456789. These accounts are present in the web interface and can be used for authentication [1][2].
Exploitation
An attacker with network access to the router's web interface can log in using either of the hardcoded credentials. Once authenticated, the attacker can exploit command injection vulnerabilities in the syslog remote forwarding function (e.g., via ViewLog.asp) by crafting POST requests with injected commands in the remote_host parameter, leading to arbitrary command execution as root [1][2].
Impact
Successful exploitation grants the attacker full control over the router, allowing them to modify settings, intercept network traffic, launch further attacks, and maintain persistent access. This compromises the confidentiality, integrity, and availability of the device and the network it serves [1][2].
Mitigation
No official firmware patch has been released to address these issues. Users should immediately change the passwords of all default accounts and disable unused service accounts if possible. For routers still in use, restrict remote access to trusted IPs and monitor for unauthorized activity [1][2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `uiViewSNTPServer` parameter in `/cgi-bin/tools_time.asp` is not sanitized before being written into a shell script that is executed, allowing authenticated command injection."
Attack vector
An attacker must first authenticate to the web interface using one of the hardcoded default credentials (e.g., `admin`/`password`, `true`/`true`, or `user3`/`0123456789...`) [1][2]. Once authenticated, the attacker sends a POST request to `/cgi-bin/tools_time.asp` with a crafted `uiViewSNTPServer` parameter containing a command injection payload, such as `"; ping -c 20 192.168.0.1 &#` [1]. The injected value is written to `/etc/ntp.sh` and executed almost immediately as root [1].
Affected code
The vulnerability involves the `/cgi-bin/tools_time.asp` page on the Billion 5200W-T router running TCLinux Fw $7.3.8.0 v008 130603 [1]. The `uiViewSNTPServer` parameter is injected into a shell command that is written to `/etc/ntp.sh` and then executed [1][2].
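Because the parameter reaches a shell script unsanitized, traffic to this page can be checked at a proxy or capture point in front of the router. The following is an added example, not code from the advisory or the vendor: it flags POSTs to `/cgi-bin/tools_time.asp` whose `uiViewSNTPServer` value is not a plain hostname or IP address. The record layout, function names and sample requests are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs

TARGET_PATH = "/cgi-bin/tools_time.asp"   # page named in this entry
PARAM = "uiViewSNTPServer"                # parameter named in this entry

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")

def is_valid_ntp_server(value: str) -> bool:
    """Allow-list check: True only for a plain hostname or an IP literal."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return _HOSTNAME.fullmatch(value) is not None

def suspicious_requests(records):
    """Yield (source, value) for POSTs to the time page whose SNTP server
    field contains anything other than a hostname or IP address."""
    for rec in records:
        if rec["method"] != "POST" or rec["path"].split("?")[0] != TARGET_PATH:
            continue
        fields = parse_qs(rec["body"], keep_blank_values=True)
        for value in fields.get(PARAM, []):
            if not is_valid_ntp_server(value):
                yield rec["src"], value

# Constructed sample records (not real traffic); the dict layout is hypothetical.
SAMPLE = [
    {"src": "192.0.2.10", "method": "POST", "path": TARGET_PATH,
     "body": "uiViewSNTPServer=pool.ntp.org"},
    {"src": "192.0.2.66", "method": "POST", "path": TARGET_PATH,
     "body": "uiViewSNTPServer=%22%3B+ping+-c+20+192.168.0.1+%26%23"},
    {"src": "192.0.2.10", "method": "GET", "path": TARGET_PATH, "body": ""},
]

if __name__ == "__main__":
    for src, value in suspicious_requests(SAMPLE):
        print(f"ALERT {src}: {PARAM}={value!r}")
```

The same allow-list check is the kind of validation the root cause describes as missing before the value is written to `/etc/ntp.sh`.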
What the fix does
No fix has been published for this vulnerability [1][2]. The advisory states "There is NO FIX for this vulnerability" and recommends not allowing untrusted clients to connect to these routers [1]. ZyXEL corrected that they are not the manufacturer of Billion routers, and no patch was ever released [2].
Preconditions
- network: Attacker must be able to reach the router's web interface on TCP port 80 (or 10080)
- auth: Attacker must authenticate with one of the hardcoded default credentials (admin/password, true/true, or user3/0123456789...)
- config: The router must be running the affected firmware version TCLinux Fw $7.3.8.0 v008 130603
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 3
- raw.githubusercontent.com/pedrib/PoC/master/advisories/zyxel_trueonline.txt (mitre, x_refsource_MISC)
- seclists.org/fulldisclosure/2017/Jan/40 (mitre, x_refsource_MISC)
- ssd-disclosure.com/index.php/archives/2910 (mitre, x_refsource_MISC)