VYPR
Unrated severity · NVD Advisory · Published Jul 15, 2020 · Updated Aug 4, 2024

CVE-2020-8958

Description

Guangzhou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and V2804RGW 1.9.1-181203 through 2.9.0-181024 devices allow remote attackers to execute arbitrary OS commands via shell metacharacters in the boaform/admin/formPing Dest IP Address field.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"The `target_addr` parameter in the PING diagnosis endpoint is passed directly to a shell command without sanitization, allowing injection of arbitrary OS commands via shell metacharacters."

Attack vector

An attacker with valid administrator credentials sends a crafted HTTP POST request to `http://

Affected code

The vulnerable endpoint is the PING diagnosis functionality at `/boaform/admin/formPing` on the device management portal [ref_id=1]. The `target_addr` POST parameter (the "Dest IP Address" field) is passed unsanitized to a shell command, allowing OS command injection via shell metacharacters [ref_id=1][ref_id=2]. Affected models are Guangzhou 1GE ONU V2801RW (firmware 1.9.1-181203 through 2.9.0-181024) and V2804RGW (firmware 1.9.1-181203 through 2.9.0-181024) [ref_id=2].

What the fix does

No patch has been released by the vendor as of the publication date [ref_id=1]. The advisory recommends that users restrict access to the management portal and change default credentials to mitigate the risk [ref_id=1]. A proper fix would require sanitizing the `target_addr` input to reject shell metacharacters before passing it to the underlying OS command.

Preconditions

  • auth: Attacker must have valid administrator credentials for the device management portal
  • network: Attacker must have network access to the device's management web interface
  • network: The vulnerable endpoint `/boaform/admin/formPing` must be reachable

Reproduction

Send a POST request to `http://

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
