CVE-2018-10561
published 2018-05-04


Priority: P197 · critical · CVSS 3.1 base score 9.8
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
KEV: CISA Known Exploited Vulnerability (remediation due 2022-04-21)
ITW: Exploited in the wild
EPSS: 93.32% (99.8th percentile)
An issue was discovered on Dasan GPON home routers. It is possible to bypass authentication simply by appending "?images" to any URL of the device that requires authentication, as demonstrated by the /menu.html?images/ or /GponForm/diag_FORM?images/ URI. One can then manage the device.

Detection & IOCs (extracted from sources)

  • url: /menu.html?images/
  • url: /GponForm/diag_FORM?images/
  • hash: 402f7be58a8165c39e95b93334a706ec13fe076a2706d2c32d6360180bba0a74
  • hash: 76af2c3ff471916bc247e4c254c9b2affa51edb7e1a18825f36817e8c5921812
  • hash: 7bd284f4da09d3a95472a66e0867d778eeb59ed54738f6fb6e417e93c0b65685
  • hash: f693442a7e30876b46fd636d9df25495261be5c1a4f7b13e0fe5afc1b908e774
  • hash: 2e66ee1b4414fe2fb17da4372c43a826dd7767c189120eafd427773769302e35
  • ip: 185.244.25.168
  • url: 185[.]244.25[.]168/mips
  • url: 185[.]244.25[.]168/x86
  • url: 185[.]244.25[.]168/OwO/Tsunami.mips
  • url: 185[.]244.25[.]168/x86/mipsel
  • url: 185[.]244.25[.]221/bins/Yowai.mips
  • url: 185[.]244.25[.]221/bins/Yowai.mpsl
  • url: 185[.]244.25[.]221/bins/Yowai.x86
  • url: 185[.]244.25[.]221/Yowai.mips
  • hash: 57477e24a7e30d2863aca017afde50a2e2421ebb794dfe5335d93cfe2b5f7252
  • url: hxxp://185.246.152.173/bins/
  • url: hxxp://185.246.152.173/exploit/
  • url: hxxp://185.246.152.173/exploit/owari.{extension}
  • Authentication bypass on Dasan GPON routers is triggered by appending '?images' to any authenticated URL path. Monitor HTTP requests containing '?images' in the URI targeting GPON management interfaces.
  • The WICKED bot scans ports 8080, 8443, 80, and 81 via raw socket SYN connections to identify and exploit vulnerable IoT devices. Anomalous SYN scanning across these ports from IoT devices may indicate WICKED bot activity.
  • Omni botnet samples were delivered via the GPON vulnerability (CVE-2018-10561) and hosted in a /bins/ directory on 185.246.152.173. Monitor for HTTP GET requests to /bins/ paths on that IP.
  • Yowai (Mirai variant) uses a dictionary attack with a specific set of default credentials. Detect brute-force login attempts using these username/password pairs against router Telnet/SSH services.
  • The WICKED bot's configuration table is XOR-encrypted with key 0x37, consistent with Mirai variants. Use this key when decrypting captured bot configs for analysis.
  • Trend Micro IPS signature 1134610 covers CVE-2018-10561 exploitation. Ensure this signature is active on network security devices monitoring GPON router traffic.
  • CVE-2018-10561 (authentication bypass) is a prerequisite for CVE-2018-10562 (command injection/RCE). Exploitation of the RCE requires chaining both vulnerabilities.

CVSS provenance

  • nvd v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • nvd v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  • vulncheck: 9.8 CRITICAL
  • cisa: 9.8 CRITICAL