cbcvebase.
CVE-2020-8958
published 2020-07-15

CVE-2020-8958: Guangzhou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and V2804RGW 1.9.1-181203 through 2.9.0-181024 devices allow remote attackers to execute arbitrary…

PriorityP179high7.2CVSS 3.1
AVNACLPRHUINSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
46.64%
98.7th percentile
Guangzhou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and V2804RGW 1.9.1-181203 through 2.9.0-181024 devices allow remote attackers to execute arbitrary OS commands via shell metacharacters in the boaform/admin/formPing Dest IP Address field.

Affected

2 ranges
VendorProductVersion rangeFixed in
gpononu1ge_+3fe_+wifi_onu_v2804rgw_firmware1.9.1-181203 – 2.9.0-181024
gpononu1ge_router_wifi_onu_v2801rw_firmware1.9.1-181203 – 2.9.0-181024

Detection & IOCsextracted from sources · hover to see the quote

pathboaform/admin/formPing
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Guangzhou 1GE ONU OS Command Execution (CVE-2020-8958)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"boaform/admin/formPing"; endswith; fast_pattern; http.request_body; content:"target_addr=%3B"; nocase; http.content_type; bsize:33; content:"application/x-www-form-urlencoded"; reference:url,www.karansaini.com/os-command-injection-v-sol/; reference:cve,2020-8958; classtype:attempted-admin; sid:2034488; rev:4; metadata:attack_target Server, created_at 2021_11_17, cve CVE_2020_8958, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2024_03_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
bytes
target_addr=%3B
  • Exploit requests use HTTP POST method targeting the URI path ending with 'boaform/admin/formPing'
  • The POST body contains URL-encoded shell metacharacter semicolon (%3B) in the 'target_addr' parameter, indicating OS command injection attempt in the Dest IP Address field
  • Content-Type header is exactly 'application/x-www-form-urlencoded' with a body size of 33 bytes
  • CVE-2020-8958 was among the top exploited CVEs in March 2025 with 4,773 observed attempts, indicating active in-the-wild exploitation
  • Exploitation activity was observed from FBW Networks SAS IPs based in France and Romania during March 13–25, 2025
  • ·Vulnerable firmware versions are Guangzhou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and V2804RGW 1.9.1-181203 through 2.9.0-181024; detections should be scoped to these device models
  • ·The Snort/Suricata rule (sid:2034488, rev:4) was last updated 2024-03-26; ensure the latest revision is deployed as earlier revisions may have different body-size constraints

CVSS provenance

nvdv3.17.2HIGHCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
vulncheck7.2HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.