CVE-2018-10561

critical

Description

An issue was discovered on Dasan GPON home routers. It is possible to bypass authentication simply by appending "?images" to any URL of the device that requires authentication, as demonstrated by the /menu.html?images/ or /GponForm/diag_FORM?images/ URI. One can then manage the device.

References

Exploits
More

https://www.theregister.com/2025/02/28/cisa_kev_list_ransomware/

https://www.infosecurity-magazine.com/news/old-vulnerabilities-widely/

https://thehackernews.com/2025/01/new-aquabot-botnet-exploits-cve-2024.html

https://www.bleepingcomputer.com/news/security/new-aquabotv3-botnet-malware-targets-mitel-command-injection-flaw/

https://www.akamai.com/blog/security-research/2025-january-new-aquabot-mirai-variant-exploiting-mitel-phones

https://www.cloudsek.com/blog/mozi-resurfaces-as-androxgh0st-botnet-unraveling-the-latest-exploitation-wave

https://blog.xlab.qianxin.com/catddos-derivative-en/

https://www.avira.com/en/blog/a-gafgyt-variant-that-exploits-pulse-secure-cve-2020-8218

https://www.exploit-db.com/exploits/44576/

https://www.vpnmentor.com/blog/critical-vulnerability-gpon-router/

http://www.securityfocus.com/bid/107053

Details

Source: Mitre, NVD

Published: 2018-05-04

Updated: 2025-04-03

Known Exploited Vulnerability (KEV)

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.92142