Cyber Resilience

CVE-2018-10562

CriticalCISA KEVActive ExploitationEUVD ExploitedPublic PoCRansomware-linkedRCE

Published: 04 May 2018

Published
04 May 2018
Modified
05 November 2025
KEV Added
31 March 2022
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9403 99.9th percentile
Risk Priority 96 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2018-10562 is a critical-severity OS Command Injection (CWE-78) vulnerability in Dasannetworks Gpon Router Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2018-10562 is an OS command injection vulnerability, tracked under CWE-78, that affects Dasan GPON home routers. The flaw resides in the handling of the dest_host parameter within diag_action=ping requests sent to the GponForm/diag_Form URI; because results are written to /tmp and later served back when a user revisits /diag.html, arbitrary commands can be executed and their output retrieved.

The issue can be exploited remotely by unauthenticated attackers over the network. A single crafted HTTP request is sufficient to inject shell commands, and the stored output mechanism makes command results directly accessible without additional authentication or interaction.

Public exploit code for the vulnerability has been available since shortly after disclosure, consistent with its CVSS 9.8 rating that reflects no required privileges or user interaction.

EU & UK References

Vulnerability details

An issue was discovered on Dasan GPON home routers. Command Injection can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when…

more

the user revisits /diag.html, it's quite simple to execute commands and retrieve their output.

CWE(s)
KEV Date Added
31 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

dasannetworks
gpon router firmware
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of the dest_host parameter to block OS command injection via the diag ping form.

prevent

Enforces authentication and authorization checks on the GponForm/diag_Form URI so unauthenticated attackers cannot reach the injection point.

prevent

Requires timely application of firmware patches that eliminate the command-injection flaw in the router's diagnostic handler.

References