CVE-2020-8958

HIGH EXPLOITED IN THE WILD

Guangzhou 1GE ONU V2801RW and V2804RGW 1.9.1-181203-2.9.0-181024 - OS Command Injection via Ping Dest IP Address Field

Title source: llm

Exploitation Summary

CVE-2020-8958 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 2 public exploits from researchers including qurbat, Asjidkalam.

AI-analyzed exploit summary This repository contains a functional Python exploit for CVE-2020-8958, which leverages command injection in the 'Dest IP Address' field of the ping form in Guangzhou 1GE ONU devices. The PoC demonstrates arbitrary command execution by retrieving the contents of /etc/passwd.

Description

Guangzhou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and V2804RGW 1.9.1-181203 through 2.9.0-181024 devices allow remote attackers to execute arbitrary OS commands via shell metacharacters in the boaform/admin/formPing Dest IP Address field.

Exploits (2)

nomisec WORKING POC 7 stars

by qurbat · remote-auth

https://github.com/qurbat/CVE-2020-8958

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2020-8958, which leverages command injection in the 'Dest IP Address' field of the ping form in Guangzhou 1GE ONU devices. The PoC demonstrates arbitrary command execution by retrieving the contents of /etc/passwd.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Guangzhou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and V2804RGW 1.9.1-181203 through 2.9.0-181024

Auth required

Prerequisites: Network access to the target device · Default credentials (admin:admin) or valid credentials

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1202 - Indirect Command Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 6 stars

by Asjidkalam · remote

https://github.com/Asjidkalam/CVE-2020-8958

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2020-8958, an authenticated OS command injection vulnerability in NetLink routers using the `boa` server. The exploit leverages the `/boaform/admin/formPing` endpoint to inject commands via the `target_addr` parameter, allowing remote code execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: NetLink routers (e.g., HG323) with `boa` server

Auth required

Prerequisites: Network access to the target router · Valid credentials for authentication (default: admin:admin)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Core References

Product x_refsource_misc

https://www.gpononu.com/dual-mode-onu/1GE-Router-WiFi-ONU.html

Product x_refsource_misc

https://www.gpononu.com/gpon-ont/4ge-epon-onu-v2804ew.html

Exploit, Third Party Advisory x_refsource_misc

https://github.com/qurbat/gpon

Exploit, Third Party Advisory x_refsource_misc

https://www.karansaini.com/os-command-injection-v-sol/

Scores

CVSS v3 7.2

EPSS 0.4664

EPSS Percentile 98.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2021-11-11

InTheWild.io 2021-11-11

CWE

CWE-78

Status published

Products (2)

gpononu/1ge\+3fe\+wifi_onu_v2804rgw_firmware 1.9.1-181203 - 2.9.0-181024

gpononu/1ge_router_wifi_onu_v2801rw_firmware 1.9.1-181203 - 2.9.0-181024

Published Jul 15, 2020

Tracked Since Feb 18, 2026