2026-05-19 18:11:57 UTC

O RLY CYBER on Nostr: (quarkslab.com) Exploiting Unauthenticated Access in GPON OLTs to Compromise ISP ...

(quarkslab.com) Exploiting Unauthenticated Access in GPON OLTs to Compromise ISP Infrastructure

Critical vulnerabilities in GPON OLTs and Cloud EMS fleet management systems enable unauthenticated network takeover, exposing ISP infrastructure globally.

In brief - Unauthenticated RCE flaws in VSOL GPON OLTs and Cloud EMS allow full ISP network compromise via command injection, arbitrary file upload, and default credentials. Attackers can pivot from a single OLT to cloud-based fleet managers, risking mass surveillance, data theft, or service disruption.

Technically - Key vulnerabilities include: (1) SNMP command injection via OIDs 1.3.6.1.4.1.37950.1.1.5.10.12.33.1-3 (newline bypass); (2) TACACS+ auth RCE via /action/main.html; (3) Web traceroute RCE via /action/tracert.html; (4) Cloud EMS arbitrary file upload (/uploadBUFile) for JSP webshells; (5) Info leakage via /systemMonitoring/getSystemCpuAndMem. Default creds (admin/Xpon@Olt9417#) and Docker socket access enable privilege escalation. Stored XSS, buffer overflows, and OMCI-based ONT attacks also identified.

Source: http://blog.quarkslab.com/how-olts-may-have-exposed-entire-isp-networks.html

#Cybersecurity #ThreatIntel