Description
This vulnerability exists in GX Earth ONT models due to the transmission of user credentials in plaintext over HTTP in its web management interface. A remote attacker could exploit this vulnerability by intercepting network traffic to obtain sensitive authentication information, which could lead to unauthorized access to the targeted device.
Published: 2026-06-04
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability involves the transmission of user credentials in cleartext over HTTP within the web management interface of GX Earth ONT models. An attacker can capture these plaintext credentials, enabling unauthorized access to the targeted device. The weakness is identified as CWE‑319, indicating improper protection of sensitive data in transit.

Affected Systems

The affected vendors are GX INDIA, specifically the GX Earth 1010 and GX Earth 2022 models. All current firmware versions prior to the latest releases lack protection against transmitting credentials over HTTP. Only the firmware updates listed in the official solution contain the fix.

Risk and Exploitability

The CVSS score of 8.7 categorizes this flaw as high severity. Although an EPSS score is not available, the nature of cleartext credential transmission makes it highly exploitable in networks where traffic can be sniffed. The threat is not listed in the CISA KEV catalog. The likely attack vector is passive eavesdropping on HTTP traffic; a remote attacker on the same network segment can intercept authentication exchanges and gain unauthorized device control.

Generated by OpenCVE AI on June 4, 2026 at 13:20 UTC.

Remediation

Vendor Solution

Upgrade GX Earth 2022 to latest firmware version E2022-3.1.5A, E2022-3.1.8AV or E2022-1.2ASL. Upgrade GX Earth 1010 to latest firmware version E1010-1.2ASL

OpenCVE Recommended Actions

  • Upgrade GX Earth 2022 to firmware E2022-3.1.5A, E2022-3.1.8AV or E2022-1.2ASL.
  • Upgrade GX Earth 1010 to firmware E1010-1.2ASL.
  • Configure the devices to use HTTPS for the web management interface or disable HTTP access entirely.
  • Monitor network traffic for unauthorized HTTP sessions and ensure only secure protocols are used.

Generated by OpenCVE AI on June 4, 2026 at 13:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Description This vulnerability exists in GX Earth ONT models due to the transmission of user credentials in plaintext over HTTP in its web management interface. A remote attacker could exploit this vulnerability by intercepting network traffic to obtain sensitive authentication information, which could lead to unauthorized access to the targeted device.
Title Cleartext Transmission of Credentials Vulnerability in GX Earth ONT Models
First Time appeared Gx India
Gx India gx Earth 1010
Gx India gx Earth 2022
Weaknesses CWE-319
CPEs cpe:2.3:a:gx_india:gx_earth_1010:version_e1010-1.1asl:*:*:*:*:*:*:*
cpe:2.3:a:gx_india:gx_earth_2022:version_e2022_-_1.1asl:*:*:*:*:*:*:*
cpe:2.3:a:gx_india:gx_earth_2022:version_e2022_-_3.1.2a:*:*:*:*:*:*:*
cpe:2.3:a:gx_india:gx_earth_2022:version_e2022_-_3.1.5av:*:*:*:*:*:*:*
Vendors & Products Gx India
Gx India gx Earth 1010
Gx India gx Earth 2022
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Gx India Gx Earth 1010 Gx Earth 2022
cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-In

Published:

Updated: 2026-06-04T13:22:25.536Z

Reserved: 2026-05-12T07:31:47.898Z

Link: CVE-2026-45432

cve-icon Vulnrichment

Updated: 2026-06-04T13:22:19.605Z

cve-icon NVD

Status : Deferred

Published: 2026-06-04T12:16:26.270

Modified: 2026-06-04T15:26:10.707

Link: CVE-2026-45432

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T10:08:09Z

Weaknesses
  • CWE-319

    Cleartext Transmission of Sensitive Information