CVE-2025-34049
BaseFortify
Publication date: 2025-06-26
Last updated on: 2025-12-31
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-34049 is a critical OS command injection vulnerability in the OptiLink ONT1GEW GPON router firmware version V2.1.11_X101 Build 1127.190306 and earlier. It exists in the router's web management interface, specifically in the target_addr parameter of the formTracert and formPing administrative endpoints. An authenticated attacker can inject arbitrary operating system commands that are executed with root privileges, allowing remote code execution and full compromise of the device. [1, 2]
How can this vulnerability impact me? :
This vulnerability allows an authenticated attacker to execute arbitrary commands on the router with root privileges, leading to full device compromise. The attacker can gain remote code execution, potentially establishing a reverse shell to control the device remotely. This can result in unauthorized access, disruption of network services, interception or manipulation of network traffic, and use of the device as a foothold for further attacks. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for unauthorized or suspicious POST requests to the router's administrative endpoints /boaform/admin/formPing and /boaform/admin/formTracert, specifically looking for command injection attempts in the target_addr parameter. Additionally, verifying if the device firmware version is V2.1.11_X101 Build 1127.190306 or earlier can indicate vulnerability. Commands to detect exploitation attempts could include monitoring web server logs for POST requests to these endpoints with unusual payloads. For example, using grep on the router's logs or network traffic captures: grep 'POST /boaform/admin/formTracert' /var/log/httpd/access.log or inspecting network traffic with tools like tcpdump or Wireshark filtering for POST requests to these URLs. Also, checking for unexpected reverse shell connections or named pipe creations (/tmp/f) on the device may indicate exploitation. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the router firmware to Build 1653.210425 or later, as recommended by the vendor. If an upgrade is not immediately possible, restrict access to the router's web management interface to trusted networks only, disable remote management if enabled, and change all default or known backdoor credentials such as "e8c:e8c", "adsl:realtek", and "admin:admin" to strong, unique passwords. Monitoring and blocking suspicious POST requests to /boaform/admin/formPing and /boaform/admin/formTracert endpoints can also help reduce risk. [2]