Threat Level: green Handler on Duty: Rick Wanner

SANS ISC: Internet Storm Center



DASAN GPON home routers exploits in-the-wild

Published: 2018-05-20
Last Updated: 2018-05-20 22:43:07 UTC
by Didier Stevens (Version: 1)

At the beginning of May, two vulnerabilities with exploits were released for DASAN GPON home routers: CVE-2018-10561 and CVE-2018-10562. The first vulnerability allows unauthenticated access to the Internet-facing web interface of the router; the second allows command injection.

Soon after the disclosure, we started to observe exploit attempts on our servers:

Exploit attempts are easy to recognize: the URL contains the string /GponForm/diag_FORM?images/.

We observed scans targeting just GPON devices, and scans combining GPON and Drupal exploits.
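One way to look for this string in your own web server logs, as an added example that is not part of the original diary. It assumes access logs in the common/combined log format; the sample lines, addresses and the names `is_gpon_probe` and `summarize` are constructed for illustration. Sources that also requested other paths are reported as "mixed" so those paths can be reviewed by hand.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

GPON_MARKER = "/gponform/diag_form?images/"  # the diary's string, lower-cased

# Common/combined log format: source address first, request line in quotes.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+)')

# Constructed sample lines (documentation addresses, not real observations).
SAMPLE = [
    '192.0.2.10 - - [20/May/2018:10:01:02 +0000] "POST /GponForm/diag_FORM?images/ HTTP/1.1" 404 162',
    '192.0.2.10 - - [20/May/2018:10:01:03 +0000] "GET /GponForm/diag_FORM%3Fimages/ HTTP/1.1" 404 162',
    '198.51.100.7 - - [20/May/2018:10:05:40 +0000] "GET /robots.txt HTTP/1.1" 200 24',
    '198.51.100.7 - - [20/May/2018:10:05:41 +0000] "POST /GponForm/diag_FORM?images/ HTTP/1.1" 404 162',
    '203.0.113.5 - - [20/May/2018:10:09:00 +0000] "GET / HTTP/1.1" 200 512',
]

def is_gpon_probe(target):
    """True if the request target contains the marker, also when percent-encoded."""
    decoded = target
    for _ in range(2):  # undo up to two layers of percent-encoding
        decoded = unquote(decoded)
    return GPON_MARKER in decoded.lower()

def summarize(lines):
    """Per source that sent a GPON probe: probe count and other paths it requested."""
    seen = defaultdict(lambda: {"gpon": 0, "other": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        entry = seen[m["src"]]
        if is_gpon_probe(m["target"]):
            entry["gpon"] += 1
        else:
            entry["other"].add(m["target"].split("?", 1)[0])
    return {
        src: {"gpon": e["gpon"], "other": sorted(e["other"]),
              "scan": "mixed" if e["other"] else "gpon-only"}
        for src, e in seen.items() if e["gpon"]
    }

if __name__ == "__main__":
    for src, info in summarize(SAMPLE).items():
        print(src, info)
```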

Please post a comment if you've observed these exploit attempts too.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Keywords: gpon router exploit