Description
This vulnerability exists in GX Earth ONT models due to improper handling of user-supplied input in multiple diagnostic functions in its web management interface. An authenticated remote attacker could exploit this vulnerability by injecting and executing arbitrary OS commands on the targeted device.

Successful exploitation of this vulnerability could allow the attacker to perform remote code execution with root privileges on the targeted device.
Published: 2026-06-04
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from improper processing of user-supplied input within several diagnostic routines exposed by the web management console of GX Earth ONT devices. A remote authenticated attacker can inject OS commands, leading to arbitrary code execution with system (root) privileges. The weakness corresponds to CWE‑78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').

Affected Systems

GX India’s GX Earth 1010 and GX Earth 2022 ONT models are affected. Versions identified as e1010‑1.1ASL, e2022‑1.1ASL, e2022‑3.1.2a and earlier firmware releases lack the patch; the recommended firmware updates are E1010‑1.2ASL for 1010, and E2022‑3.1.5A, E2022‑3.1.8AV or E2022‑1.2ASL for 2022.

Risk and Exploitability

The CVSS score of 8.7 marks this flaw as high severity. While an EPSS value is not populated, the exploit requires authentication to the web interface, and successful exploitation would grant root access, exposing the device to full compromise. The vulnerability is not listed in CISA’s KEV, but its root‑privilege impact warrants immediate attention.

Generated by OpenCVE AI on June 4, 2026 at 13:22 UTC.

Remediation

Vendor Solution

Upgrade GX Earth 2022 to the latest firmware version E2022-3.1.5A, E2022-3.1.8AV or E2022-1.2ASL. Upgrade GX Earth 1010 to the latest firmware version E1010-1.2ASL.


OpenCVE Recommended Actions

  • Apply the latest firmware: for GX Earth 2022 install versions E2022‑3.1.5A, E2022‑3.1.8AV or E2022‑1.2ASL; for GX Earth 1010 install version E1010‑1.2ASL.
  • Restrict access to the web management interface by limiting it to a secure VPN or trusted IP ranges.
  • If possible, disable or block the diagnostic functions that allow user input to be sent to the underlying operating system.



Advisories

No advisories yet.

History

Thu, 04 Jun 2026 14:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Thu, 04 Jun 2026 12:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | This vulnerability exists in GX Earth ONT models due to improper handling of user-supplied input in multiple diagnostic functions in its web management interface. An authenticated remote attacker could exploit this vulnerability by injecting and executing arbitrary OS commands on the targeted device. Successful exploitation of this vulnerability could allow the attacker to perform remote code execution with root privileges on the targeted device. |
| Title | | Command Injection Vulnerability in GX Earth ONT Models |
| First Time appeared | | Gx India; Gx India gx Earth 1010; Gx India gx Earth 2022 |
| Weaknesses | | CWE-78 |
| CPEs | | cpe:2.3:a:gx_india:gx_earth_1010:version_e1010-1.1asl:*:*:*:*:*:*:*; cpe:2.3:a:gx_india:gx_earth_2022:version_e2022_-_1.1asl:*:*:*:*:*:*:*; cpe:2.3:a:gx_india:gx_earth_2022:version_e2022_-_3.1.2a:*:*:*:*:*:*:*; cpe:2.3:a:gx_india:gx_earth_2022:version_e2022_-_3.1.5av:*:*:*:*:*:*:* |
| Vendors & Products | | Gx India; Gx India gx Earth 1010; Gx India gx Earth 2022 |
| References | | |
| Metrics | | cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: CERT-In

Published:

Updated: 2026-06-04T13:25:09.892Z

Reserved: 2026-05-12T07:31:47.897Z

Link: CVE-2026-45431

Vulnrichment

Updated: 2026-06-04T13:25:04.396Z

NVD

Status: Deferred

Published: 2026-06-04T12:16:26.110

Modified: 2026-06-04T15:26:10.707

Link: CVE-2026-45431

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T10:08:12Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')