Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
This vulnerability exists in GX Earth ONT models due to improper handling of user-supplied input in multiple diagnostic functions in its web management interface. An authenticated remote attacker could exploit this vulnerability by injecting arbitrary and executing OS commands on the targeted device.
Successful exploitation of this vulnerability could allow the attacker to perform remote code execution with root privileges on the targeted device.
AnalysisAI
Authenticated remote command injection in GX Earth ONT (Optical Network Terminal) devices allows attackers with valid web management credentials to execute arbitrary OS commands as root via multiple diagnostic functions in the device's web interface. The flaw, reported by CERT-In and tracked as CIVN-2026-0288, carries a CVSS 4.0 score of 8.7 (High) reflecting low attack complexity and high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Technical ContextAI
GX Earth ONTs are customer-premises optical network terminals that bridge a PON/fiber uplink to LAN/Wi-Fi for residential or small-business broadband. Like most ONT firmware, the device exposes a web management interface that wraps shell utilities (ping, traceroute, nslookup, and similar diagnostics) for operator and end-user troubleshooting. The root cause is CWE-78 (Improper Neutralization of Special Elements used in an OS Command), meaning user-supplied parameters from those diagnostic forms are passed into a shell invocation without proper sanitization or use of an exec-style API, allowing shell metacharacters (;, |, ` `, $()`) to break out of the intended command and execute attacker-chosen binaries under the web server's process context - which on embedded ONT firmware is typically root.
RemediationAI
No vendor-released patch identified at time of analysis from the supplied data; consult the CERT-In advisory at https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0288 for the latest firmware update and contact the ISP or GX Earth vendor support channel for fixed firmware images. Until a patched firmware is deployed, change all default and weak credentials on the ONT web interface to long unique passwords (this is the single highest-impact mitigation since the bug is post-auth), disable remote/WAN-side management of the ONT (typically a TR-069 or HTTP-WAN toggle) so the interface is only reachable from the LAN, and restrict LAN access to the management URL via ACLs or VLAN segmentation where the device supports it. Disabling the affected diagnostic pages is preferable to disabling the entire web UI if the firmware allows it, since blanket UI shutdown will break legitimate operator troubleshooting workflows and may require physical/console access to re-enable.
Same weakness CWE-78 – OS Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34247
GHSA-9m7w-vp93-x7hq