CVE-2018-10562
CVE-2018-10562 is a critical-severity vulnerability in Dasannetworks Gpon Router Firmware with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-03-31). The underlying weakness is classified as CWE-78.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 7.5
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-03-31)
- EU (EUVD) id: EUVD-2018-2634
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-03-31)
- Weakness: CWE-78
- Affected product: Dasannetworks Gpon Router Firmware
- Published:
- Last modified:
Description
An issue was discovered on Dasan GPON home routers. Command Injection can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it's quite simple to execute commands and retrieve their output.
CVE-2018-10562: Command Injection in Dasan GPON Home Routers
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE | CVE-2018-10562 |
| Published | 2018-05-04 |
| Last Modified | 2026-06-17 |
| CVSS v2 | 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) |
| CVSS v3.1 | 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |
| CWE | CWE-78 (OS Command Injection) |
| EPSS | 0.9995 (99.73rd percentile) |
| KEV | Yes (added 2022-03-31) |
| EU Exploited | Yes (since 2022-03-31) |
Summary
An unauthenticated command injection vulnerability exists in Dasan GPON home routers. The dest_host parameter of the diagnostic ping functionality, reachable via GponForm/diag_Form with diag_action=ping, fails to sanitize input before passing it to a shell command. The router stores ping results in /tmp and serves them back to the user when /diag.html is revisited, creating a straightforward mechanism for command execution and output retrieval.
Background
Dasan Networks GPON routers are consumer-grade broadband access devices deployed by Internet Service Providers (ISPs) worldwide. In 2018, independent researchers discovered that the routers' built-in diagnostic web interface contained a critical flaw allowing unauthenticated users to inject arbitrary operating system commands. The vulnerability was later added to CISA's Known Exploited Vulnerabilities (KEV) catalog and has been actively exploited in the wild.
Root Cause
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The router's ping diagnostic feature accepts a destination host (dest_host) from the user and passes it directly to a shell command without proper input validation or sanitization. Because the underlying implementation concatenates user input into a command string executed by the operating system, an attacker can append shell metacharacters (such as semicolons, backticks, or pipe symbols) to execute arbitrary commands alongside the ping utility.
Impact
The vulnerability is rated CRITICAL under CVSS v3.1 with a score of 9.8. The metrics reflect:
- Attack Vector (AV): Network — Exploitable remotely over the internet.
- Attack Complexity (AC): Low — No special conditions or advanced techniques required.
- Privileges Required (PR): None — No authentication is needed.
- User Interaction (UI): None — Fully automated exploitation possible.
- Scope (S): Unchanged — The vulnerable component is the router itself.
- Confidentiality (C): High — Arbitrary file read and credential exposure possible.
- Integrity (I): High — Malicious code or configurations can be injected.
- Availability (A): High — The router can be crashed, bricked, or turned into a botnet node.
In practice, successful exploitation grants an attacker full control over the affected device, enabling botnet recruitment, traffic interception, lateral movement into internal networks, and DNS or routing hijacking.
Exploitation Walkthrough
Ethics Notice: The following description is provided for defensive purposes only. Testing or exploitation should be performed only on devices you own or have explicit written permission to test.
An attacker can send an HTTP request to the router's diagnostic form endpoint with a crafted dest_host value. The unsanitized input is passed to the shell, and the router writes the combined output to a temporary file. When the attacker later visits the diagnostic results page, the output of the injected command is returned alongside legitimate ping data.
Defenders should note that the following behavioral indicators are observable in logs or network traffic:
- Unexpected HTTP POST requests to paths containing
GponForm/diag_Form. dest_hostparameters containing shell metacharacters (;,|,`,$(,&&).- Subsequent GET requests to
/diag.htmlshortly after the POST. - Unusual outbound connections from the router to attacker-controlled infrastructure.
- Presence of unexpected files or processes in
/tmpon the device filesystem.
Affected and Patched Versions
Affected:
- Dasan Networks GPON Router (all known firmware versions as of the publication date; specific versions are not specified in available data).
Patched:
- Specific patched firmware versions are not documented in the available references. Dasan Networks may have released updates; however, many deployed devices in the field remain unpatched due to lack of automatic updates and ISP-managed patching cycles.
Remediation
- Upgrade Firmware: Contact Dasan Networks or your ISP to obtain the latest GPON router firmware that remediates this vulnerability. If no patch is available, consider replacing the device with a supported model.
- Network Segmentation: Place the router in a restricted network segment. Block inbound management access from the internet (TCP 80/443/8080) at the ISP edge or upstream firewall.
- Disable Remote Management: If the device supports a remote management interface, disable it entirely unless strictly required.
- Compensating Controls: Deploy an Intrusion Prevention System (IPS) or Web Application Firewall (WAF) rule to detect and block HTTP requests containing shell metacharacters in the
dest_hostparameter of the router's diagnostic endpoint. - Monitor for Exploitation: Enable centralized logging on edge devices and alert on POST requests to
/GponForm/diag_Formand repeated GET requests to/diag.html.
Detection
- Network Signatures: Monitor for HTTP POST requests to
/GponForm/diag_Formwithdiag_action=pinganddest_hostcontaining shell syntax. - Log Analysis: Look for unexpected entries in the router's web server logs showing external IP addresses accessing the diagnostic form.
- Endpoint Behavior: Monitor router processes for unexpected child processes or connections spawned by the ping utility.
- KEV Alerting: Since this CVE is in CISA's Known Exploited Vulnerabilities catalog, any asset with this exposure should be treated as an active incident risk and prioritized for remediation.
Assessment
CVE-2018-10562 is a textbook example of how diagnostic interfaces in embedded devices can become critical attack surfaces when user input is not properly sanitized. The near-certain probability of exploitation (EPSS 0.9995) and its presence in the KEV catalog since March 2022 indicate that this vulnerability has been actively weaponized for years. The CVSS v3.1 score of 9.8 accurately reflects the ease of exploitation and the severity of impact.
Key lessons:
- Never trust input in diagnostic utilities. Even "internal" features like ping diagnostics must treat all user input as untrusted and pass it through strict allowlists or parameterized APIs.
- Visibility matters. ISP and enterprise asset inventories should include edge network equipment; consumer-grade routers deployed in business contexts are often overlooked and unpatched.
References
Frequently asked questions
- What is CVE-2018-10562?
- An issue was discovered on Dasan GPON home routers. Command Injection can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it's quite simple to execute commands and retrieve their output.
- How severe is CVE-2018-10562?
- CVE-2018-10562 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2018-10562 being actively exploited?
- Yes. CVE-2018-10562 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-03-31, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2018-10562?
- CVE-2018-10562 affects Dasannetworks Gpon Router Firmware. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2018-10562?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2018-10562 have an EU (EUVD) identifier?
- Yes. CVE-2018-10562 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2018-2634. It is also flagged as exploited in the EUVD (since 2022-03-31).
- When was CVE-2018-10562 published?
- CVE-2018-10562 was published on 2018-05-04 and last updated on 2026-06-17.
References
- http://www.securityfocus.com/bid/107053
- https://www.exploit-db.com/exploits/44576/
- https://www.vpnmentor.com/blog/critical-vulnerability-gpon-router/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-10562
Affected products (1)
- cpe:2.3:o:dasannetworks:gpon_router_firmware:-:*:*:*:*:*:*:*
More vulnerabilities in Dasannetworks Gpon Router Firmware
- CVE-2018-10561 — Critical (CVSS 9.8): An issue was discovered on Dasan GPON home routers. It is possible to bypass authentication simply by appending…
All CVEs affecting Dasannetworks Gpon Router Firmware →
Other CWE-78 (OS Command Injection) vulnerabilities
- CVE-2026-56004 — Critical (CVSS 10.0): A shellcode injection in the mercurial handler of the obs tar_scm source service before version 0.12.4 could be used by…
- CVE-2026-56415 — Critical (CVSS 10.0): Storage Concentrator (SC & SCVM) contains a command injection vulnerability within the debug.pl script that is…
- CVE-2026-56413 — Critical (CVSS 10.0): Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the ms_service.pl service, which listens…
- CVE-2026-49869 — Critical (CVSS 10.0): Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in…
- CVE-2026-49261 — Critical (CVSS 10.0): MariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through…
- CVE-2026-10520 — Critical (CVSS 10.0): An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a…