CVE-2025-34049
Published 2025-06-26
Priority P184 · critical · 9.4 (CVSS 4.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
ITW: VulnCheck KEV (Exploited in the wild)
EPSS: 2.45% (82.3rd percentile)
An OS command injection vulnerability exists in the OptiLink ONT1GEW GPON router firmware version V2.1.11_X101 Build 1127.190306 and earlier. The router’s web management interface fails to properly sanitize user input in the target_addr parameter of the formTracert and formPing administrative endpoints. An authenticated attacker can inject arbitrary operating system commands, which are executed with root privileges, leading to remote code execution. Successful exploitation enables full compromise of the device. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-04 UTC.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| optilink | ont1gew_gpon | <= V2.1.11_X101 Build 1127.190306 | — |
Detection & IOCs (extracted from sources)
Snort/Suricata rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS OptiLink/GPON admin/formTracert target_addr Parameter Command Injection Attempt (CVE-2025-34049)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/boafrm/admin/form"; startswith; fast_pattern; pcre:"/^(?:Tracert|Ping)$/R"; http.request_body; content:"target_addr|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.exploit-db.com/exploits/49955; reference:cve,2025-34049; classtype:attempted-admin; sid:2065216; rev:1; metadata:affected_product OptiLink, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_10_16, cve CVE_2025_34049, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_10_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
Bytes:
target_addr= followed by shell metacharacters: ; (0x3b/%3B), \n (0x0a/%0a), ` (0x60/%60), | (0x7c/%7C), $ (0x24/%24)
- Look for HTTP POST requests to /boafrm/admin/formTracert or /boafrm/admin/formPing containing shell metacharacters (;, newline, backtick, pipe, $) in the target_addr parameter body field; these indicate OS command injection attempts.
- Exploitation is only possible over plaintext HTTP (tls_state: plaintext); monitor perimeter and internal network segments for traffic to GPON/ONT management interfaces.
- Active in-the-wild exploitation was observed by the Shadowserver Foundation on 2025-02-04 UTC; treat any matching traffic as high-severity.
- Injected commands execute with root privileges; post-exploitation indicators should include unexpected root-level processes spawned from the router's web server (boa).
- Affected firmware is OptiLink ONT1GEW GPON V2.1.11_X101 Build 1127.190306 and earlier; fingerprint devices on the network by firmware banner to prioritize response.
- The Snort/Suricata rule (ET sid:2065216) targets $HOME_NET as the destination, meaning it is designed to fire on inbound exploitation attempts toward internal/managed devices. Ensure $HOME_NET is correctly scoped to include GPON/ONT management subnets.
- The URI match uses a startswith anchor on /boafrm/admin/form followed by a PCRE to match 'Tracert' or 'Ping' as the suffix; both formTracert and formPing endpoints are in scope and must both be covered.
- The injection detection PCRE stops matching at '&' (0x26), meaning only the target_addr value up to the next URL-encoded parameter boundary is inspected; URL-encoded variants of metacharacters (%3B, %0A, %60, %7C, %24) are also covered.
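To make the three rule-analysis points above concrete, here is an added example (not part of this record, not Emerging Threats' code) that re-implements the matching conditions of ET sid:2065216 in Python and runs them over a handful of constructed HTTP requests: the URI anchor with the Tracert/Ping suffix, the target_addr= body match, and the '&' boundary that limits inspection to the first parameter. The request samples, the 192.0.2.x addresses and the `build_request` helper are all constructed for illustration; the code approximates Suricata's buffer semantics rather than reproducing the engine.

```python
import re

# Approximation of ET sid:2065216 (constructed for this example, not the rule itself).
# URI buffer: must start with /boafrm/admin/form and end with Tracert or Ping.
URI_RE = re.compile(rb"^/boafrm/admin/form(?:Tracert|Ping)$")
# Body buffer: "target_addr=" followed, before the next '&' (0x26), by at least one of
# ; \n ` | $ in raw or URL-encoded form, exactly as the rule's PCRE lists them.
BODY_RE = re.compile(
    rb"target_addr=[^\x26]*?"
    rb"(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+"
)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, body); headers are ignored here."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return b"", b"", body
    return parts[0], parts[1], body


def matches_rule(raw: bytes) -> bool:
    """True when all three rule conditions hold: POST, in-scope URI, metachar in target_addr."""
    method, uri, body = parse_request(raw)
    return (
        method == b"POST"
        and URI_RE.match(uri) is not None
        and BODY_RE.search(body) is not None
    )


def build_request(method: bytes, uri: bytes, body: bytes) -> bytes:
    """Helper to assemble a minimal plaintext HTTP request (constructed sample traffic)."""
    return (
        method + b" " + uri + b" HTTP/1.1\r\n"
        b"Host: 192.0.2.1\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body
    )


# Constructed samples: two that should alert, four that should not.
SAMPLES = {
    "benign_ping": build_request(b"POST", b"/boafrm/admin/formPing", b"target_addr=192.0.2.2&submit=1"),
    "encoded_semicolon": build_request(b"POST", b"/boafrm/admin/formTracert", b"target_addr=192.0.2.2%3B&submit=1"),
    "raw_pipe": build_request(b"POST", b"/boafrm/admin/formPing", b"target_addr=192.0.2.2|"),
    # Metacharacter in a later parameter: the '&' boundary means the rule does not inspect it.
    "metachar_after_amp": build_request(b"POST", b"/boafrm/admin/formPing", b"target_addr=192.0.2.2&note=$"),
    # Out-of-scope endpoint: the URI suffix must be Tracert or Ping.
    "wrong_endpoint": build_request(b"POST", b"/boafrm/admin/formLogin", b"target_addr=192.0.2.2;"),
    # Wrong method: the rule requires POST.
    "get_method": build_request(b"GET", b"/boafrm/admin/formPing", b"target_addr=192.0.2.2;"),
}


def scan(samples: dict) -> dict:
    """Run the rule approximation over every sample and report name -> alert flag."""
    return {name: matches_rule(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hit in scan(SAMPLES).items():
        print(("ALERT " if hit else "clean ") + name)
```

The `metachar_after_amp` sample is the one worth noting when tuning: it carries a `$` in the body but not inside the target_addr value, so the rule stays silent, which is consistent with the '&' boundary described above rather than a gap in this re-implementation.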
CVSS provenance
NVD · v4.0 · 9.4 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulnCheck · 9.4 CRITICAL
GHSA
GHSA-53rj-48p2-7m5j · ghsa_unreviewed · 2025-06-26 · CVE-2025-34049 [CRITICAL] · CWE-20
Description identical to the summary above, without the Shadowserver exploitation note.
VulnCheck
vulncheck · 2025 · CVSS 9.4 · CVE-2025-34049 [CRITICAL]
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Description identical to the summary above.
Affected: OptiLink ONT1GEW GPON Router
Required Action: Apply remediations or mitigations per vendor ins
Suricata
suricata · 2025-10-16 · CVSS 9.4 · CVE-2025-34049 [CRITICAL]
ET WEB_SPECIFIC_APPS OptiLink/GPON admin/formTracert target_addr Parameter Command Injection Attempt (CVE-2025-34049)
Rule: see the full sid:2065216 rule text under Detection & IOCs above.
No public exploits indexed.
No writeups or analysis indexed.
Timeline: 2025-06-26 Published · Exploited in the wild