CVE-2020-8958

high-risk

Published 2020-07-15

Guangzhou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and V2804RGW 1.9.1-181203 through 2.9.0-181024 devices allow remote attackers to execute arbitrary OS commands via shell metacharacters in the boaform/admin/formPing Dest IP Address field.

Do I need to act?

83.9% chance of exploitation in next 30 days

EPSS score — higher than 16% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.2/10 High

NETWORK / LOW complexity

Affected Products (2)

1Ge Router Wifi Onu V2801Rw Firmware

1Ge\+3Fe\+Wifi Onu V2804Rgw Firmware

Affected Vendors

Gpononu

References (8)

Exploit https://github.com/qurbat/gpon

Product https://www.gpononu.com/dual-mode-onu/1GE-Router-WiFi-ONU.html

Product https://www.gpononu.com/gpon-ont/4ge-epon-onu-v2804ew.html

Exploit https://www.karansaini.com/os-command-injection-v-sol/

Exploit https://github.com/qurbat/gpon

Product https://www.gpononu.com/dual-mode-onu/1GE-Router-WiFi-ONU.html

Product https://www.gpononu.com/gpon-ont/4ge-epon-onu-v2804ew.html

Exploit https://www.karansaini.com/os-command-injection-v-sol/

/ 100

high-risk

Severity 26/34 · High

Exploitability 20/34 · Moderate

Exposure 7/34 · Low