- Description: An issue was discovered on Dasan GPON home routers. It is possible to bypass authentication simply by appending "?images" to any URL of the device that requires authentication, as demonstrated by the /menu.html?images/ or /GponForm/diag_FORM?images/ URI. One can then manage the device.
- Source: cve@mitre.org
- NVD status: Modified
CVSS 3.1
- Type: Primary
- Base score: 9.8
- Impact score: 5.9
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity: CRITICAL
CVSS 2.0
- Type: Primary
- Base score: 7.5
- Impact score: 6.4
- Exploitability score: 10
- Vector string: AV:N/AC:L/Au:N/C:P/I:P/A:P
Data from CISA
- Vulnerability name: Dasan GPON Routers Authentication Bypass Vulnerability
- Exploit added on: Mar 31, 2022
- Exploit action due: Apr 21, 2022
- Required action: The impacted product is end-of-life and should be disconnected if still in use.
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:dasannetworks:gpon_router_firmware:-:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8153A5BC-B257-4774-8106-E77FA2239A99"
          }
        ],
        "operator": "OR"
      },
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:h:dasannetworks:gpon_router:-:*:*:*:*:*:*:*",
            "vulnerable": false,
            "matchCriteriaId": "E795B673-4FC0-4A2B-821E-63F87B90D6C6"
          }
        ],
        "operator": "OR"
      }
    ],
    "operator": "AND"
  }
]