Description
This vulnerability exists in GX Earth 2022 ONT models due to the presence of hardcoded RSA private key within the device firmware. A remote attacker could exploit this vulnerability by extracting the cryptographic private key from the firmware, which could lead to decryption of HTTPS traffic and Man-in-the-Middle (MITM) attacks on the targeted device.
Published: 2026-06-04
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from a hard‑coded RSA private key embedded in the firmware of GX Earth 2022 ONT models. An attacker who can obtain the device firmware can recover this key and decrypt HTTPS traffic intended for the device, allowing man‑in‑the‑middle attacks that compromise confidentiality and potentially alter traffic. The weakness is identified as CWE‑321.

Affected Systems

GX India GX Earth 1010 and GX Earth 2022 ONT firmware versions prior to the official fixes are affected. The recommended mitigation is to upgrade GX Earth 2022 to any of the following firmware releases: E2022‑3.1.5A, E2022‑3.1.8AV, or E2022‑1.2ASL. For GX Earth 1010 the needed upgrade is to firmware version E1010‑1.2ASL. Devices running older firmware remain vulnerable.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV, which suggests no publicly known exploit yet. The likely attack vector is remote extraction of the hard‑coded key from firmware, requiring firmware download or physical access. Although no public exploit is documented, possession of the private key presents a critical risk for confidentiality and integrity of encrypted communications, so the issue should be treated as high risk and remediated promptly.

Generated by OpenCVE AI on June 4, 2026 at 14:58 UTC.

Remediation

Vendor Solution

Upgrade GX Earth 2022 to latest firmware version E2022-3.1.5A, E2022-3.1.8AV or E2022-1.2ASL. Upgrade GX Earth 1010 to latest firmware version E1010-1.2ASL

OpenCVE Recommended Actions

  • Upgrade GX Earth 2022 firmware to one of the official patches: E2022‑3.1.5A, E2022‑3.1.8AV, or E2022‑1.2ASL.
  • Upgrade GX Earth 1010 firmware to the latest patched release E1010‑1.2ASL.
  • Isolate the ONT from untrusted networks, restrict management access to authenticated IP ranges, and monitor for anomalous traffic that could indicate key extraction or MITM attempts.

Generated by OpenCVE AI on June 4, 2026 at 14:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Description This vulnerability exists in GX Earth 2022 ONT models due to the presence of hardcoded RSA private key within the device firmware. A remote attacker could exploit this vulnerability by extracting the cryptographic private key from the firmware, which could lead to decryption of HTTPS traffic and Man-in-the-Middle (MITM) attacks on the targeted device.
Title Hardcoded Cryptographic Key Vulnerability in GX Earth ONT Models
First Time appeared Gx India
Gx India gx Earth 1010
Gx India gx Earth 2022
Weaknesses CWE-321
CPEs cpe:2.3:a:gx_india:gx_earth_1010:version_e1010-1.1asl:*:*:*:*:*:*:*
cpe:2.3:a:gx_india:gx_earth_2022:version_e2022_-_1.1asl:*:*:*:*:*:*:*
cpe:2.3:a:gx_india:gx_earth_2022:version_e2022_-_3.1.2a:*:*:*:*:*:*:*
cpe:2.3:a:gx_india:gx_earth_2022:version_e2022_-_3.1.5av:*:*:*:*:*:*:*
Vendors & Products Gx India
Gx India gx Earth 1010
Gx India gx Earth 2022
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Gx India Gx Earth 1010 Gx Earth 2022
cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-In

Published:

Updated: 2026-06-04T13:47:51.881Z

Reserved: 2026-05-12T07:31:47.898Z

Link: CVE-2026-45433

cve-icon Vulnrichment

Updated: 2026-06-04T13:47:47.776Z

cve-icon NVD

Status : Deferred

Published: 2026-06-04T14:16:41.810

Modified: 2026-06-04T15:26:10.707

Link: CVE-2026-45433

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T15:00:15Z

Weaknesses
  • CWE-321

    Use of Hard-coded Cryptographic Key