Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
This vulnerability exists in GX Earth 2022 ONT models due to the presence of hardcoded RSA private key within the device firmware. A remote attacker could exploit this vulnerability by extracting the cryptographic private key from the firmware, which could lead to decryption of HTTPS traffic and Man-in-the-Middle (MITM) attacks on the targeted device.
AnalysisAI
Hardcoded RSA private key in GX Earth 2022 ONT (Optical Network Terminal) firmware allows remote attackers to extract the embedded cryptographic material and decrypt HTTPS sessions or perform man-in-the-middle attacks against device management traffic. CERT-In disclosed the issue (CIVN-2026-0288) affecting multiple GX India fiber ONT models and firmware versions, with no public exploit identified at time of analysis but SSVC flagging the flaw as fully automatable once the key is recovered.
Technical ContextAI
GX Earth devices are Optical Network Terminals (ONTs) - customer-premises equipment used in GPON/EPON fiber-to-the-home deployments to terminate the fiber link and provide LAN/Wi-Fi services. The root cause is CWE-321 (Use of Hard-coded Cryptographic Key): the same RSA private key is compiled into every shipped firmware image, so any attacker who extracts the firmware (via UART, flash dump, or a publicly distributed update package) gains the identical key used across the entire device fleet. Because the key terminates the TLS/HTTPS session of the device's management interface, possession breaks the confidentiality and authenticity guarantees TLS is meant to provide.
RemediationAI
No vendor-released patch identified at time of analysis; the CERT-In advisory (https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0288) is currently the only authoritative reference, so operators should contact GX India directly for firmware that replaces the hardcoded RSA key with a per-device-generated key. Compensating controls until a fix ships: restrict access to the ONT web/HTTPS management interface to a dedicated management VLAN or the ISP's provisioning network (side effect: subscribers lose local GUI access), disable remote management (TR-069/HTTPS-WAN) on the WAN side if the deployment allows it, segregate ONT traffic from user LAN traffic to make on-path interception harder, and monitor for unexpected TLS sessions to the device. Because the key is identical across the fleet, simply rotating credentials or disabling individual users does not mitigate the issue - the key itself must be replaced.
Same weakness CWE-321 – Use of Hard-coded Cryptographic Key
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34251
GHSA-5h68-jg5g-w367