CVE-2018-10561

CRITICAL KEV RANSOMWARE

Dasan GPON - Auth Bypass

Description

An issue was discovered on Dasan GPON home routers. It is possible to bypass authentication simply by appending "?images" to any URL of the device that requires authentication, as demonstrated by the /menu.html?images/ or /GponForm/diag_FORM?images/ URI. One can then manage the device.

Exploits (1)

exploitdb WORKING POC
by vpnmentor · bash · remote · hardware
https://www.exploit-db.com/exploits/44576

Scores

CVSS v3 9.8
EPSS 0.9331
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CISA KEV 2022-03-31
VulnCheck KEV 2018-05-07
InTheWild.io 2018-05-03
ENISA EUVD EUVD-2018-2633
Ransomware Use Confirmed
CWE CWE-287
Status published
Products (1)
dasannetworks/gpon_router_firmware
Published May 04, 2018
KEV Added Mar 31, 2022
Tracked Since Feb 18, 2026