CVE-2018-10561
Summary
| CVE | CVE-2018-10561 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2018-05-04 03:29:00 UTC |
| Updated | 2019-03-04 18:39:00 UTC |
| Description | An issue was discovered on Dasan GPON home routers. It is possible to bypass authentication simply by appending "?images" to any URL of the device that requires authentication, as demonstrated by the /menu.html?images/ or /GponForm/diag_FORM?images/ URI. One can then manage the device. |
Risk And Classification
EPSS: 0.928870000 probability, percentile 0.998170000 (date 2026-07-11)
CISA KEV: Listed on 2022-03-31; due 2022-04-21; ransomware use Unknown
Problem Types: CWE-287
CISA Known Exploited Vulnerability
| Vendor | Dasan |
|---|---|
| Product | Gigabit Passive Optical Network (GPON) Routers |
| Name | Dasan GPON Routers Authentication Bypass Vulnerability |
| Required Action | The impacted product is end-of-life and should be disconnected if still in use. |
| Notes | https://nvd.nist.gov/vuln/detail/CVE-2018-10561 |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Hardware | Dasannetworks | Gpon Router | - | All | All | All |
| Hardware | Dasannetworks | Gpon Router | - | All | All | All |
| Operating System | Dasannetworks | Gpon Router Firmware | - | All | All | All |
| Operating System | Dasannetworks | Gpon Router Firmware | - | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Critical RCE Vulnerability Found in Over a Million GPON Home Routers | MISC | www.vpnmentor.com | Exploit, Technical Description, Third Party Advisory |
| GPON Routers - Authentication Bypass / Command Injection | EXPLOIT-DB | www.exploit-db.com | Exploit, Third Party Advisory, VDB Entry |
| Malformed Request | BID | www.securityfocus.com | Third Party Advisory, VDB Entry |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.