CVE-2020-8958
Published 2020-07-15
Priority P1 · 79 · high · 7.2 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 46.64% (98.7th percentile)
Guangzhou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and V2804RGW 1.9.1-181203 through 2.9.0-181024 devices allow remote attackers to execute arbitrary OS commands via shell metacharacters in the boaform/admin/formPing Dest IP Address field.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gpononu | 1ge_+3fe_+wifi_onu_v2804rgw_firmware | 1.9.1-181203 – 2.9.0-181024 | — |
| gpononu | 1ge_router_wifi_onu_v2801rw_firmware | 1.9.1-181203 – 2.9.0-181024 | — |
Detection & IOCs (extracted from sources)
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Guangzhou 1GE ONU OS Command Execution (CVE-2020-8958)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"boaform/admin/formPing"; endswith; fast_pattern; http.request_body; content:"target_addr=%3B"; nocase; http.content_type; bsize:33; content:"application/x-www-form-urlencoded"; reference:url,www.karansaini.com/os-command-injection-v-sol/; reference:cve,2020-8958; classtype:attempted-admin; sid:2034488; rev:4; metadata:attack_target Server, created_at 2021_11_17, cve CVE_2020_8958, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2024_03_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
bytes
target_addr=%3B
- Exploit requests use the HTTP POST method and target a URI path ending with 'boaform/admin/formPing'.
- The POST body contains a URL-encoded semicolon (%3B), a shell metacharacter, at the start of the 'target_addr' parameter, indicating an OS command injection attempt in the Dest IP Address field.
- The Content-Type header is exactly 'application/x-www-form-urlencoded'. The rule's `bsize:33` applies to the `http.content_type` buffer (that string is 33 characters long), not to the request body.
- CVE-2020-8958 was among the top exploited CVEs in March 2025 with 4,773 observed attempts, indicating active in-the-wild exploitation.
- Exploitation activity was observed from FBW Networks SAS IPs based in France and Romania during March 13–25, 2025.
- Vulnerable firmware versions are Guangzhou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and V2804RGW 1.9.1-181203 through 2.9.0-181024; detections should be scoped to these device models.
- The Snort/Suricata rule (sid:2034488, rev:4) was last updated 2024-03-26; ensure the latest revision is deployed, as earlier revisions may have different `bsize` constraints.
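The rule's conditions mirrored in Python for retrospective review of proxy or web logs, as an added example that is not part of the ET rule or of any source quoted on this page. The request dicts are constructed samples, `PLACEHOLDER` stands in for arbitrary appended text, and the broader `hunt` check with its IP/hostname allow-list is an assumption of this example.

```python
import ipaddress
import re
from urllib.parse import parse_qs

URI_SUFFIX = "boaform/admin/formPing"
CONTENT_TYPE = "application/x-www-form-urlencoded"  # 33 characters, hence bsize:33
HOSTNAME = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")

def rule_matches(req):
    """Mirror sid:2034488: POST, URI suffix, nocase body marker, exact Content-Type."""
    return (req["method"] == "POST"
            and req["uri"].endswith(URI_SUFFIX)
            and "target_addr=%3b" in req["body"].lower()
            and req["content_type"] == CONTENT_TYPE)

def is_valid_target(value):
    """A legitimate ping destination is an IP address or a hostname, nothing else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME.match(value))

def hunt(req):
    """Broader log review: any formPing POST whose decoded target_addr fails the allow-list."""
    if req["method"] != "POST" or URI_SUFFIX not in req["uri"]:
        return False
    fields = parse_qs(req["body"], keep_blank_values=True)
    return any(not is_valid_target(v) for v in fields.get("target_addr", []))

# Constructed sample requests (not captured traffic).
SAMPLES = [
    {"method": "POST", "uri": "/boaform/admin/formPing",
     "content_type": CONTENT_TYPE, "body": "target_addr=192.0.2.10"},
    {"method": "POST", "uri": "/boaform/admin/formPing",
     "content_type": CONTENT_TYPE, "body": "target_addr=%3BPLACEHOLDER"},
    {"method": "POST", "uri": "/boaform/admin/formPing",
     "content_type": CONTENT_TYPE + "; charset=UTF-8",
     "body": "target_addr=%3BPLACEHOLDER"},
]

def triage(samples):
    """Return (rule verdict, hunt verdict) per request."""
    return [(rule_matches(r), hunt(r)) for r in samples]

if __name__ == "__main__":
    for req, verdict in zip(SAMPLES, triage(SAMPLES)):
        print(req["body"], req["content_type"], verdict)
```

The allow-list in `is_valid_target` is also the shape of the server-side fix: validate the Dest IP Address field as an address or hostname before it reaches a shell.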
CVSS provenance
nvd · v3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 9.0 CRITICAL · AV:N/AC:L/Au:S/C:C/I:C/A:C
vulncheck · 7.2 HIGH
GHSA
GHSA-pgrg-v7x5-jj2w: Guangzhou 1GE ONU V2801RW 1
ghsa_unreviewed·2022-05-24
VulnCheck
gpononu 1ge_router_wifi_onu_v2801rw_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2020·CVSS 7.2
Affected: gpononu 1ge_router_wifi_onu_v2801rw_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits; htt
Suricata
ET EXPLOIT Guangzhou 1GE ONU OS Command Execution (CVE-2020-8958)
suricata·2021-11-17·CVSS 7.2
No public exploits indexed.
- https://github.com/qurbat/gpon
- https://www.gpononu.com/dual-mode-onu/1GE-Router-WiFi-ONU.html
- https://www.gpononu.com/gpon-ont/4ge-epon-onu-v2804ew.html
- https://www.karansaini.com/os-command-injection-v-sol/
Published: 2020-07-15
Exploited in the wild