CVE-2018-10561

CVSS 9.8 CRITICAL · EPSS 93.3% · KEV · CWE-287

In short

A flaw in Dasan GPON routers allows anyone to bypass login protection by adding '?images' to URLs, granting full access to manage the device without credentials.

Technical detail

Dasan GPON routers contain an authentication bypass that is exploitable through URL manipulation: appending '?images' to a URL. An unauthenticated attacker can access protected endpoints such as /menu.html and /GponForm/diag_FORM, gaining administrative control without valid credentials.

Summary generated and translated by AI from the official description.

An issue was discovered on Dasan GPON home routers. It is possible to bypass authentication simply by appending "?images" to any URL of the device that requires authentication, as demonstrated by the /menu.html?images/ or /GponForm/diag_FORM?images/ URI. One can then manage the device.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products
n/a · n/a
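
The URL pattern described above can be searched for in HTTP logs. The following is an added detection example, not part of the official description or any vendor tooling. It assumes Common Log Format lines from a proxy or sensor in front of the router's management interface; the function names, the image-extension list and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Assumption: paths with these extensions are genuine image fetches.
IMAGE_EXT = (".gif", ".png", ".jpg", ".jpeg", ".ico", ".bmp")

def is_bypass_pattern(target: str) -> bool:
    """True when a non-image path carries a query string beginning with 'images'."""
    parts = urlsplit(target)
    query = unquote(parts.query).lower()  # also catches percent-encoded spellings
    path = unquote(parts.path).lower()
    return query.startswith("images") and not path.endswith(IMAGE_EXT)

def scan(lines):
    """Return one finding per log line that matches the CVE-2018-10561 URL pattern."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if m and is_bypass_pattern(m["target"]):
            findings.append({
                "src": m["src"],
                "time": m["ts"],
                "target": m["target"],
                # 2xx status: the request was answered rather than rejected.
                "answered": m["status"].startswith("2"),
            })
    return findings

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.23 - - [12/May/2018:03:14:07 +0000] "GET /menu.html?images/ HTTP/1.1" 200 5120',
    '198.51.100.23 - - [12/May/2018:03:14:09 +0000] "POST /GponForm/diag_FORM?images/ HTTP/1.1" 200 312',
    '192.0.2.10 - - [12/May/2018:03:15:00 +0000] "GET /menu.html HTTP/1.1" 403 0',
    '192.0.2.10 - - [12/May/2018:03:15:01 +0000] "GET /images/logo.gif HTTP/1.1" 200 2048',
    '203.0.113.5 - - [12/May/2018:03:16:40 +0000] "GET /menu.html?%69mages/ HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Findings with `answered` set to true warrant priority review, since the request was not turned away.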