Description
An OS command injection vulnerability exists in the OptiLink ONT1GEW GPON router firmware version V2.1.11_X101 Build 1127.190306 and earlier. The router’s web management interface fails to properly sanitize user input in the target_addr parameter of the formTracert and formPing administrative endpoints. An authenticated attacker can inject arbitrary operating system commands, which are executed with root privileges, leading to remote code execution. Successful exploitation enables full compromise of the device. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-04 UTC.
Published: 2025-06-26
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via OS Command Injection
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an OS command injection flaw in the OptiLink ONT1GEW GPON router’s web management interface. The target_addr parameter of the formTracert and formPing administrative endpoints is not validated, allowing an authenticated user to inject arbitrary operating system commands. Those commands are executed with root privileges, providing full remote code execution and complete control of the device. The weakness corresponds to CWE‑78 and can affect confidentiality, integrity, and availability of the device and any network attached to it.

Affected Systems

Affected instances include all OptiLink ONT1GEW GPON routers running firmware version V2.1.11_X101 Build 1127.190306 and earlier. This encompasses any device deployed under that build, regardless of geographic location, as long as it exposes the vulnerable web interface.

Risk and Exploitability

The flaw carries a CVSS score of 9.4, indicating critical severity, but the EPSS score is below 1%, suggesting that exploitation in the wild is currently rare. The CVE is not listed in CISA’s KEV catalog. Successful exploitation requires the attacker to be authenticated against the web management interface, implying that attackers must obtain or guess valid credentials first. When authenticated, the attacker can execute any OS command and fully compromise the router. Shadowserver Foundation reported exploitation activity on 2025‑02‑04, confirming real‑world usage of the flaw.

Generated by OpenCVE AI on April 28, 2026 at 01:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest OptiLink firmware that remediates the input sanitization flaw for the formTracert and formPing endpoints.
  • If a firmware upgrade is unavailable, restrict management interface access to the local network only by disabling remote HTTP/HTTPS or applying ACLs to block external IPs.
  • Replace default credentials, enforce a strong password policy, and enable multi‑factor authentication if the device supports it, to reduce the chance that an attacker obtains the authenticated access that exploitation requires.

Generated by OpenCVE AI on April 28, 2026 at 01:18 UTC.
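
As a detection aid alongside these mitigations, the following added example (not part of the OpenCVE record or any vendor code) reviews captured management requests and flags any formPing or formTracert submission whose target_addr is not a plain IP address or hostname. It assumes a reverse proxy or IDS that records form bodies; the "/mgmt/" path prefix and all sample records are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# Endpoint and parameter names come from the advisory; all else is assumed.
ENDPOINTS = ("formPing", "formTracert")
PARAM = "target_addr"

# RFC 1123 hostname: dot-separated labels that start and end alphanumeric,
# so values beginning with "-" (option-like) never match.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")

def is_plain_target(value: str) -> bool:
    """True only for an IP literal or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return len(value) <= 253 and _HOSTNAME.fullmatch(value) is not None

def review(records):
    """Return (source, endpoint, value) for each request whose target_addr
    is anything other than a plain address or hostname."""
    findings = []
    for src, path, body in records:
        endpoint = path.rstrip("/").rsplit("/", 1)[-1]
        if endpoint not in ENDPOINTS:
            continue
        params = parse_qs(body, keep_blank_values=True)
        for value in params.get(PARAM, []):
            if not is_plain_target(value):
                findings.append((src, endpoint, value))
    return findings

# Constructed sample records: (source IP, request path, form body).
SAMPLE = [
    ("192.0.2.10", "/mgmt/formPing", "target_addr=8.8.8.8"),
    ("192.0.2.10", "/mgmt/formTracert", "target_addr=example.com"),
    ("198.51.100.7", "/mgmt/formPing", "target_addr=192.0.2.1%3B+echo+test"),
    ("198.51.100.7", "/mgmt/index.html", ""),
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

Because the check is an allowlist of what a ping or traceroute target can legitimately look like, it does not depend on enumerating shell metacharacters.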


Advisories
Source: EUVD
ID: EUVD-2025-19206
Title: An OS command injection vulnerability exists in the OptiLink ONT1GEW GPON router firmware version V2.1.11_X101 Build 1127.190306 and earlier. The router’s web management interface fails to properly sanitize user input in the target_addr parameter of the formTracert and formPing administrative endpoints. An authenticated attacker can inject arbitrary operating system commands, which are executed with root privileges, leading to remote code execution. Successful exploitation enables full compromise of the device.
History

Wed, 31 Dec 2025 20:30:00 +0000

Type Values Removed Values Added
References

Thu, 20 Nov 2025 21:00:00 +0000

Type: Description
Values Removed: An OS command injection vulnerability exists in the OptiLink ONT1GEW GPON router firmware version V2.1.11_X101 Build 1127.190306 and earlier. The router’s web management interface fails to properly sanitize user input in the target_addr parameter of the formTracert and formPing administrative endpoints. An authenticated attacker can inject arbitrary operating system commands, which are executed with root privileges, leading to remote code execution. Successful exploitation enables full compromise of the device. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-13 UTC.
Values Added: An OS command injection vulnerability exists in the OptiLink ONT1GEW GPON router firmware version V2.1.11_X101 Build 1127.190306 and earlier. The router’s web management interface fails to properly sanitize user input in the target_addr parameter of the formTracert and formPing administrative endpoints. An authenticated attacker can inject arbitrary operating system commands, which are executed with root privileges, leading to remote code execution. Successful exploitation enables full compromise of the device. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-04 UTC.

Mon, 17 Nov 2025 22:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Mon, 17 Nov 2025 21:45:00 +0000

Type: Description
Values Removed: An OS command injection vulnerability exists in the OptiLink ONT1GEW GPON router firmware version V2.1.11_X101 Build 1127.190306 and earlier. The router’s web management interface fails to properly sanitize user input in the target_addr parameter of the formTracert and formPing administrative endpoints. An authenticated attacker can inject arbitrary operating system commands, which are executed with root privileges, leading to remote code execution. Successful exploitation enables full compromise of the device. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-04 UTC.
Values Added: An OS command injection vulnerability exists in the OptiLink ONT1GEW GPON router firmware version V2.1.11_X101 Build 1127.190306 and earlier. The router’s web management interface fails to properly sanitize user input in the target_addr parameter of the formTracert and formPing administrative endpoints. An authenticated attacker can inject arbitrary operating system commands, which are executed with root privileges, leading to remote code execution. Successful exploitation enables full compromise of the device. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-13 UTC.

Mon, 17 Nov 2025 21:00:00 +0000

Type: Description
Values Removed: An OS command injection vulnerability exists in the OptiLink ONT1GEW GPON router firmware version V2.1.11_X101 Build 1127.190306 and earlier. The router’s web management interface fails to properly sanitize user input in the target_addr parameter of the formTracert and formPing administrative endpoints. An authenticated attacker can inject arbitrary operating system commands, which are executed with root privileges, leading to remote code execution. Successful exploitation enables full compromise of the device.
Values Added: An OS command injection vulnerability exists in the OptiLink ONT1GEW GPON router firmware version V2.1.11_X101 Build 1127.190306 and earlier. The router’s web management interface fails to properly sanitize user input in the target_addr parameter of the formTracert and formPing administrative endpoints. An authenticated attacker can inject arbitrary operating system commands, which are executed with root privileges, leading to remote code execution. Successful exploitation enables full compromise of the device. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-04 UTC.

Thu, 26 Jun 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Jun 2025 16:00:00 +0000

Type Values Removed Values Added
Description An OS command injection vulnerability exists in the OptiLink ONT1GEW GPON router firmware version V2.1.11_X101 Build 1127.190306 and earlier. The router’s web management interface fails to properly sanitize user input in the target_addr parameter of the formTracert and formPing administrative endpoints. An authenticated attacker can inject arbitrary operating system commands, which are executed with root privileges, leading to remote code execution. Successful exploitation enables full compromise of the device.
Title OptiLink ONT1GEW GPON Remote Code Execution
Weaknesses CWE-20
CWE-78
References
Metrics cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}



MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-07T14:09:13.221Z

Reserved: 2025-04-15T19:15:22.548Z

Link: CVE-2025-34049

Vulnrichment

Updated: 2025-06-26T17:37:12.784Z

NVD

Status: Deferred

Published: 2025-06-26T16:15:28.413

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-34049

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T01:30:17Z

Weaknesses