Skip to main content

GX Earth ONT EUVDEUVD-2026-34247

| CVE-2026-45431 HIGH
OS Command Injection (CWE-78)
2026-06-04 vdisclose@cert-in.org.in GHSA-9m7w-vp93-x7hq
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 04, 2026 - 12:32 vuln.today

DescriptionCVE.org

This vulnerability exists in GX Earth ONT models due to improper handling of user-supplied input in multiple diagnostic functions in its web management interface. An authenticated remote attacker could exploit this vulnerability by injecting arbitrary and executing OS commands on the targeted device.

Successful exploitation of this vulnerability could allow the attacker to perform remote code execution with root privileges on the targeted device.

AnalysisAI

Authenticated remote command injection in GX Earth ONT (Optical Network Terminal) devices allows attackers with valid web management credentials to execute arbitrary OS commands as root via multiple diagnostic functions in the device's web interface. The flaw, reported by CERT-In and tracked as CIVN-2026-0288, carries a CVSS 4.0 score of 8.7 (High) reflecting low attack complexity and high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Technical ContextAI

GX Earth ONTs are customer-premises optical network terminals that bridge a PON/fiber uplink to LAN/Wi-Fi for residential or small-business broadband. Like most ONT firmware, the device exposes a web management interface that wraps shell utilities (ping, traceroute, nslookup, and similar diagnostics) for operator and end-user troubleshooting. The root cause is CWE-78 (Improper Neutralization of Special Elements used in an OS Command), meaning user-supplied parameters from those diagnostic forms are passed into a shell invocation without proper sanitization or use of an exec-style API, allowing shell metacharacters (;, |, ` `, $()`) to break out of the intended command and execute attacker-chosen binaries under the web server's process context - which on embedded ONT firmware is typically root.

RemediationAI

No vendor-released patch identified at time of analysis from the supplied data; consult the CERT-In advisory at https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0288 for the latest firmware update and contact the ISP or GX Earth vendor support channel for fixed firmware images. Until a patched firmware is deployed, change all default and weak credentials on the ONT web interface to long unique passwords (this is the single highest-impact mitigation since the bug is post-auth), disable remote/WAN-side management of the ONT (typically a TR-069 or HTTP-WAN toggle) so the interface is only reachable from the LAN, and restrict LAN access to the management URL via ACLs or VLAN segmentation where the device supports it. Disabling the affected diagnostic pages is preferable to disabling the entire web UI if the firmware allows it, since blanket UI shutdown will break legitimate operator troubleshooting workflows and may require physical/console access to re-enable.

Share

EUVD-2026-34247 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy