aias

Thank you very much for opening the thread once more. It turns out that the CWMP port has been heavily exploited. The exploit allows an attacker to change the DNS server settings in the consumer's router, and therefore route a large portion of their web requests to wherever they please (assuming they specifiy their own rogue DNS server's IP, of course). I have updated the thread with a method to disable the service. And it does indeed survive both soft and hard reboots. - aias

Hello, (SOLVED) This port comes by default open to the WAN on many ZyXel commercial routers. It is intended for use with the Customer Premises Equipment WAN Management Protocol, a.k.a. CWMP. It has become prone to easy exploitation. Unfortunately, the web-based management interface lacks any hint that this service is enabled, much less a method to disable it. To close this port on your router you may take the following steps: 1. Login to your device via telnet (or ssh, but mine doesn't support it). 2. Issue the following command: sys cwmp clearall. This will stop the port listening on the LAN and WAN and clear all other settings related to CWMP. You may wish to view the related information before clearing it, or otherwise make changes. Simply use `sys cwmp help` for more usage instructions. I can confirm that this will survive a reboot. For reference, the model tested: ZyXEL AMG1302-T10A. Happy hacking. - aias

Hello, I'd like to reopen an archived thread. When typing 'ZyXel 7547' into Google, this archived thread is the first result. Ref: https://forums.hak5.org/index.php?/topic/28507-open-ports-on-router-esp-port-7547/ The problem was never solved. This port comes by default as open to the WAN on many ZyXel commercial routers, and is easily made explotable. The solution to the problem is as follows: 1. Login to your device via telnet (or ssh if provided). 2. Issue the following command: sys cwmp clearall. This will stop the port listening on the WAN. That is all. - aias