CVE-2020-8958

HIGH EXPLOITED IN THE WILD

Gpononu 1ge Router Wifi Onu V2801rw Firmware - OS Command Injection

Title source: rule

Description

Guangzhou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and V2804RGW 1.9.1-181203 through 2.9.0-181024 devices allow remote attackers to execute arbitrary OS commands via shell metacharacters in the boaform/admin/formPing Dest IP Address field.

Exploits (2)

nomisec WORKING POC 7 stars

by qurbat · remote-auth

https://github.com/qurbat/CVE-2020-8958

View Code ZIP pw:eip

nomisec WORKING POC 6 stars

by Asjidkalam · remote

https://github.com/Asjidkalam/CVE-2020-8958

View Code ZIP pw:eip

References (4)

[Exploit, Third Party Advisory] https://github.com/qurbat/gpon

[Product] https://www.gpononu.com/dual-mode-onu/1GE-Router-WiFi-ONU.html

[Product] https://www.gpononu.com/gpon-ont/4ge-epon-onu-v2804ew.html

[Exploit, Third Party Advisory] https://www.karansaini.com/os-command-injection-v-sol/

Scores

CVSS v3 7.2

EPSS 0.8387

EPSS Percentile 99.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2021-11-11

InTheWild.io 2021-11-11

CWE

CWE-78

Status published

Products (2)

gpononu/1ge\+3fe\+wifi_onu_v2804rgw_firmware 1.9.1-181203 - 2.9.0-181024

gpononu/1ge_router_wifi_onu_v2801rw_firmware 1.9.1-181203 - 2.9.0-181024

Published Jul 15, 2020

Tracked Since Feb 18, 2026