CVE-2018-10562

CRITICAL KEV RANSOMWARE NUCLEI

Dasan GPON Router Firmware - OS Command Injection via diag_action ping dest_host Parameter

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2018-10562 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 31, 2022, with confirmed use in ransomware campaigns. EIP tracks 9 public exploits from researchers including vpnmentor, 649, c0ld1. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit leverages a command injection vulnerability in the diagnostic ping functionality of certain GPON routers. It sends a crafted payload via curl to execute arbitrary commands on the target device and retrieves the output.

Description

An issue was discovered on Dasan GPON home routers. Command Injection can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it's quite simple to execute commands and retrieve their output.

Exploits (9)

exploitdb WORKING POC
by vpnmentor · bashremotehardware
https://www.exploit-db.com/exploits/44576

This exploit leverages a command injection vulnerability in the diagnostic ping functionality of certain GPON routers. It sends a crafted payload via curl to execute arbitrary commands on the target device and retrieves the output.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: GPON routers (specific models affected by CVE-2018-10562)
No auth needed
Prerequisites: Target device must be accessible via HTTP · Diagnostic functionality must be enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 24 stars
by 649 · poc
https://github.com/649/Pingpon-Exploit

This repository contains a Python script that exploits CVE-2018-10562, a remote code execution vulnerability in GPON home routers. The script uses the Shodan API to identify vulnerable devices and then executes arbitrary Linux commands on them.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: GPON Home Gateway (various vendors)
No auth needed
Prerequisites: Shodan API key · Python 3.x · requests library · shodan library
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 4 stars
by c0ld1 · remote
https://github.com/c0ld1/GPON_RCE

This Python script exploits CVE-2018-10562, a command injection vulnerability in GPON home routers. It injects arbitrary commands via the 'dest_host' parameter in a POST request to '/GponForm/diag_Form' and retrieves the output from '/diag.html'.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: GPON home routers (specific versions not specified)
No auth needed
Prerequisites: Network access to the target router · Vulnerable GPON router with exposed management interface
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 3 stars
by ATpiu · remote
https://github.com/ATpiu/CVE-2018-10562

This is a functional exploit for CVE-2018-10562, a command injection vulnerability in GPON home routers. It leverages a POST request to inject commands via the `dest_host` parameter in the diagnostic form.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: GPON home routers (various vendors)
No auth needed
Prerequisites: Network access to the target router · Vulnerable GPON router with exposed diagnostic interface
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 2 stars
by Choudai · remote
https://github.com/Choudai/GPON-LOADER

This Python script exploits CVE-2018-10562, a command injection vulnerability in GPON Home Gateway devices. It sends a crafted POST request to execute arbitrary commands via the 'dest_host' parameter in the diagnostic ping functionality.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: GPON Home Gateway devices (various vendors)
No auth needed
Prerequisites: List of target IPs in a text file · Network access to the target devices
devstral-2 · analyzed Feb 16, 2026 Full analysis →
gitlab WORKING POC
by The-Real-TechLord · poc
https://gitlab.com/The-Real-TechLord/GPON

The repository contains a functional Python script that exploits CVE-2018-10562, a command injection vulnerability in GPON home routers. The exploit leverages an authentication bypass (CVE-2018-10561) to inject commands via the 'diag_Form' endpoint and retrieves results from the 'diag.html' page.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: GPON Home Gateway routers (various vendors)
No auth needed
Prerequisites: Network access to the target router · Python with 'requests' and 'urllib2' libraries
devstral-2 · analyzed Feb 23, 2026 Full analysis →
gitlab WORKING POC
by 0x1 · remote
https://gitlab.com/0x1/Pingpon-Exploit

The repository contains a functional Python script that exploits CVE-2018-10562, a remote command execution vulnerability in GPON home routers. It uses Shodan to discover vulnerable targets and sends crafted HTTP requests to execute arbitrary Linux commands.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: GPON Home Gateway routers (various vendors)
No auth needed
Prerequisites: Shodan API key · Python 3.x · requests and shodan libraries
devstral-2 · analyzed Feb 23, 2026 Full analysis →
nomisec STUB
by tpdlshdmlrkfmcla · poc
https://github.com/tpdlshdmlrkfmcla/backdoor.mirai.helloworld

The repository contains only a README.md with minimal information about a Dasan GPON Router vulnerability, lacking any actual exploit code or technical details. The description suggests a potential URL manipulation issue but provides no actionable PoC.

Classification
Stub 30%
Attack Type
Other
Complexity
Theoretical
Reliability
Theoretical
Target: Dasan GPON Router (version unspecified)
No auth needed
Prerequisites: access to the router's web interface
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by ExiaHan · poc
https://github.com/ExiaHan/GPON

This repository contains a Python-based exploit for CVE-2018-10562, which leverages an authentication bypass (CVE-2018-10561) to perform remote command execution on GPON home routers. The exploit injects commands via a crafted POST request to the vulnerable endpoint and retrieves results from a diagnostic page.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: GPON Home Gateway routers (various vendors)
No auth needed
Prerequisites: Network access to the target router · Vulnerable GPON router exposed to the internet or local network
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Dasan GPON Devices - Remote Code Execution
CRITICALby gy741

References (4)

Core 4
Core References
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/107053
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44576/
Exploit, Technical Description, Third Party Advisory x_refsource_misc
https://www.vpnmentor.com/blog/critical-vulnerability-gpon-router/

Scores

CVSS v3 9.8
EPSS 0.9403
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2022-03-31
VulnCheck KEV 2018-06-15
InTheWild.io 2018-05-03
ENISA EUVD EUVD-2018-2634
Ransomware Use Confirmed
CWE
CWE-78
Status published
Products (1)
dasannetworks/gpon_router_firmware
Published May 04, 2018
KEV Added Mar 31, 2022
Tracked Since Feb 18, 2026