Here at vpnMentor, we are concerned about your security and privacy.
Our special team of hackers & researchers roam the internet to find security issues in sensitive products.
We found this RCE vulnerability in the majority of GPON home routers.
The first vulnerability exploits the authentication mechanism of the unit that has a flaw.
This flaw allows any attacker to bypass all authentication.
The flaw can be found with the HTTP servers, which check for specific paths when authenticating.
This allows the attacker to bypass authentication on any endpoint using a simple trick.
By appending?images/to the URL, the attacker can bypass the endpoint.
While looking through the gadget functionalities, we noticed the diagnostic endpoint contained the ping and traceroute commands.
It didnt take much to figure out that the commands can be injected by the host parameter.
We tested this vulnerability on many random GPON routers, andthe vulnerability was found on all of them.
No service impacts from this vulnerability have been reported to DZS to date.
Resolution
DZS has informed all the customers who purchased these models of the vulnerability.
DZSs mission is to ensure that all its solutions meet the highest security standards in the industry.
We embrace this, and every opportunity, to review and continuously improve our security design and testing methodologies.
c’mon, comment on how to improve this article.
