A 2017 home-router bug got a federal deadline. The fix is to throw the router away.
CVE-2017-6884 is command injection in a Zyxel SOHO router. Zyxel patched it in 2017, but the device is end-of-life, so the real remediation is replacement. It's on the KEV list because EOL edge gear is exactly what gets conscripted into botnets.
CVE-2017-6884 is a command-injection bug in a Zyxel home and small-office router, disclosed in 2017, patched in 2017, and added to the Known Exploited Vulnerabilities catalog on September 18, 2023, with a federal remediation deadline of October 9 and the ransomware-use flag. The catch is that the affected device, the EMG2926-Q10A, is end-of-life. Zyxel’s own guidance is not “apply the patch,” it’s replace the hardware. For a lot of these boxes, the remediation is a trip to the recycling bin.
That’s the whole genre this CVE represents, and it’s one the catalog keeps adding to: cheap internet-connected edge hardware, long past support, still online, still exploitable.
What the bug is
CVE-2017-6884 is an OS command injection (CWE-78), CVSS 8.8. The router’s web admin includes diagnostic tools, and the nslookup function doesn’t sanitize its input: the ping_ip parameter sent to the expert/maintenance/diagnostic/nslookup endpoint gets passed to a shell, so an attacker can append arbitrary commands and run them on the device. Exploit code has been public for years. The vector requires access to the admin interface, but on consumer and small-office gear that interface is routinely exposed, weakly credentialed, or both.
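An added example, not code from the page or from Zyxel, showing the two defender-side pieces this bug class needs: the allow-list check a diagnostic handler should apply to a lookup target before it ever reaches a process (and an argv-based invocation that never involves a shell), and the same check used as detection logic over access-log lines. The log format, the /cgi-bin URL prefix and the sample requests are constructed assumptions; only the endpoint name and the ping_ip parameter come from the text above.

```python
import ipaddress
import re
from typing import List
from urllib.parse import urlsplit, parse_qs

# RFC 1123 hostname label: alphanumerics and interior hyphens only, 1-63 chars.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# Endpoint named in the advisory text; the URL prefix in front of it is assumed.
NSLOOKUP_PATH = "expert/maintenance/diagnostic/nslookup"

def is_safe_lookup_target(value: str) -> bool:
    """Allow-list check: accept a literal IP address or a plain hostname.
    Shell metacharacters (; | & ` $ ( ) < > and whitespace) cannot pass this grammar."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)   # IPv4 or IPv6 literal
        return True
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)

def build_nslookup_argv(target: str) -> List[str]:
    """Hardened form of the diagnostic: validate, then return an argv list for
    subprocess.run(argv) with shell=False. No string is ever parsed as a command,
    and a validated target can never start with '-' (so no option smuggling)."""
    if not is_safe_lookup_target(target):
        raise ValueError("rejected lookup target")
    return ["nslookup", target]

def flag_injection_attempts(log_lines: List[str]) -> List[str]:
    """Detection: return the access-log lines that hit the nslookup endpoint with a
    ping_ip value failing the allow-list. Assumes GET requests with the query in the URL."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if not parts.path.endswith(NSLOOKUP_PATH):
            continue
        # parse_qs URL-decodes, so %3B becomes ';' before the check runs
        if any(not is_safe_lookup_target(v) for v in parse_qs(parts.query).get("ping_ip", [])):
            hits.append(line)
    return hits

# Constructed sample log lines (not real traffic): one benign lookup, one with an appended command.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Sep/2023:10:00:01 +0000] "GET /cgi-bin/expert/maintenance/diagnostic/nslookup?ping_ip=example.com HTTP/1.1" 200 512',
    '198.51.100.7 - - [18/Sep/2023:10:00:09 +0000] "GET /cgi-bin/expert/maintenance/diagnostic/nslookup?ping_ip=8.8.8.8%3Bid HTTP/1.1" 200 0',
]
```

On real CPE the diagnostic is usually a C CGI handing the parameter to system(); the equivalent fix there is the same allow-list followed by execve() with an argv array rather than a shell string.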
Why a seven-year-old router bug matters in the catalog
Small-office and home routers, and ISP-provided customer-premises equipment like this Zyxel unit, occupy a blind spot that’s almost perfectly designed for attackers. Nobody does patch management on them. There’s no inventory, no agent, no maintenance window. They’re installed once, they work, and they’re forgotten until they don’t. When the vendor declares end-of-life, the security fixes stop, but the devices don’t go offline; they keep routing traffic in homes and small businesses for years past their support date.
That standing population of unpatchable, internet-facing, command-injectable boxes is exactly what gets conscripted into botnets and proxy networks. A device like this isn’t usually attacked because someone wants the small business behind it specifically. It’s attacked because it’s an easy, durable foothold: a node for DDoS botnets, a relay in an operational relay box (ORB) network that launders nation-state and criminal traffic, or a quiet pivot into the small network it sits on. The KEV listing and ransomware flag reflect that these footholds get used, and small businesses without an IT team are the ones most likely to be running the vulnerable hardware unaware.
What to do
This is short because the action is blunt.
- Inventory your edge hardware, including the stuff you don’t think of as “IT.” Routers, CPE, modems, the access point in the back office. You can’t replace what you don’t know you have. For MSPs, this means every client site’s edge gear, not just the servers and laptops you actively manage.
- Identify and replace end-of-life devices. If a router is past vendor support, no patch is coming for the next bug either. EOL networking gear on the perimeter is a liability with no remediation path except replacement. Budget for it as a recurring lifecycle cost, not a surprise.
- Never expose the admin interface to the internet. The single most effective control for this class of bug: the web management interface should be reachable only from the local network, never the WAN. Confirm remote administration is disabled on every edge device.
- Change default credentials and segment. Weak or default admin passwords turn “authenticated command injection” into “anyone’s command injection.” And a compromised SOHO router shouldn’t have a flat path to everything behind it.
- For MSPs specifically: make EOL edge gear a tracked finding. Client networks running unsupported routers are a portfolio-wide risk. A standardized, supported edge-device model across clients is easier to patch and easier to retire on schedule.
The reframe is about a category, not a CVE. The KEV catalog is increasingly full of old bugs in cheap edge hardware, and they’re there because the devices are still online and still being used as attacker infrastructure long after anyone stopped maintaining them. You can’t patch your way out of end-of-life; you can only inventory and replace. The most dangerous device on a small network is often the one nobody remembers is a computer, and the router is exactly that. We flag these EOL edge-device entries because, unlike most KEV items, the fix isn’t an update, it’s a purchase order, and that takes longer to act on than a patch does.