Cyber Resilience

CVE-2018-10561

CriticalCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 04 May 2018

Published
04 May 2018
Modified
05 November 2025
KEV Added
31 March 2022
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9331 99.8th percentile
Risk Priority 96 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2018-10561 is a critical-severity Improper Authentication (CWE-287) vulnerability in Dasannetworks Gpon Router Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

The vulnerability is an authentication bypass issue, tracked as CVE-2018-10561 and assigned CWE-287, that affects Dasan GPON home routers. It allows any URL normally requiring authentication to be accessed without credentials simply by appending the string "?images", as shown with paths such as /menu.html?images/ or /GponForm/diag_FORM?images/.

An unauthenticated attacker with network access can exploit the flaw to obtain full management access to the device. The issue carries a CVSS v3.1 base score of 9.8, reflecting that the attack requires no privileges, user interaction, or special conditions and can result in complete loss of confidentiality, integrity, and availability.

Public exploit code for the vulnerability has been published, and multiple technical analyses are available through the listed references. No official patch or mitigation details are provided in the supplied information.

EU & UK References

Vulnerability details

An issue was discovered on Dasan GPON home routers. It is possible to bypass authentication simply by appending "?images" to any URL of the device that requires authentication, as demonstrated by the /menu.html?images/ or /GponForm/diag_FORM?images/ URI. One can then manage…

more

the device.

CWE(s)
KEV Date Added
31 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

dasannetworks
gpon router firmware
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authenticated access decisions on device URLs and forms, blocking the ?images bypass that grants unauthenticated management access.

prevent

Requires identification and authentication of users prior to granting access to management functions, directly countering the complete authentication bypass.

AC-17 Remote Access partial match
prevent

Mandates secure remote-access mechanisms with authentication for network-exposed device interfaces, limiting exposure to the unauthenticated URL manipulation.

References