Skip to main content

GX Earth ONT CVE-2026-45433

| EUVDEUVD-2026-34251 HIGH
Use of Hard-coded Cryptographic Key (CWE-321)
2026-06-04 CERT-In GHSA-5h68-jg5g-w367
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 04, 2026 - 16:20 vuln.today
CVSS changed
Jun 04, 2026 - 14:22 NVD
8.7 (HIGH)
CVE Published
Jun 04, 2026 - 12:13 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

This vulnerability exists in GX Earth 2022 ONT models due to the presence of hardcoded RSA private key within the device firmware. A remote attacker could exploit this vulnerability by extracting the cryptographic private key from the firmware, which could lead to decryption of HTTPS traffic and Man-in-the-Middle (MITM) attacks on the targeted device.

AnalysisAI

Hardcoded RSA private key in GX Earth 2022 ONT (Optical Network Terminal) firmware allows remote attackers to extract the embedded cryptographic material and decrypt HTTPS sessions or perform man-in-the-middle attacks against device management traffic. CERT-In disclosed the issue (CIVN-2026-0288) affecting multiple GX India fiber ONT models and firmware versions, with no public exploit identified at time of analysis but SSVC flagging the flaw as fully automatable once the key is recovered.

Technical ContextAI

GX Earth devices are Optical Network Terminals (ONTs) - customer-premises equipment used in GPON/EPON fiber-to-the-home deployments to terminate the fiber link and provide LAN/Wi-Fi services. The root cause is CWE-321 (Use of Hard-coded Cryptographic Key): the same RSA private key is compiled into every shipped firmware image, so any attacker who extracts the firmware (via UART, flash dump, or a publicly distributed update package) gains the identical key used across the entire device fleet. Because the key terminates the TLS/HTTPS session of the device's management interface, possession breaks the confidentiality and authenticity guarantees TLS is meant to provide.

RemediationAI

No vendor-released patch identified at time of analysis; the CERT-In advisory (https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0288) is currently the only authoritative reference, so operators should contact GX India directly for firmware that replaces the hardcoded RSA key with a per-device-generated key. Compensating controls until a fix ships: restrict access to the ONT web/HTTPS management interface to a dedicated management VLAN or the ISP's provisioning network (side effect: subscribers lose local GUI access), disable remote management (TR-069/HTTPS-WAN) on the WAN side if the deployment allows it, segregate ONT traffic from user LAN traffic to make on-path interception harder, and monitor for unexpected TLS sessions to the device. Because the key is identical across the fleet, simply rotating credentials or disabling individual users does not mitigate the issue - the key itself must be replaced.

Share

CVE-2026-45433 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy