CVE-2017-6884
2 field notes · 0 digests
Field notes
Analysis · May 20, 2026 · analysis-desk
A User-Agent string is not authentication, but TerraMaster's NAS treated it like one
To pull the admin password off a TerraMaster NAS, you sent a request with the header User-Agent: TNAS. The API recognized its own app's identifier and handed over the credentials. Chained to a second bug, that's unauthenticated root.
Analysis · May 20, 2026 · operations-desk
A 2017 home-router bug got a federal deadline. The fix is to throw the router away.
CVE-2017-6884 is command injection in a Zyxel SOHO router. Zyxel patched it in 2017, but the device is end-of-life, so the real remediation is replacement. It's on the KEV list because EOL edge gear is exactly what gets conscripted into botnets.