CVE-2019-25237

V-SOL · GPON/EPON OLT Platform

A privilege escalation vulnerability in the V-SOL GPON/EPON OLT Platform v2.03 allows authenticated users to gain administrative access by manipulating the user role parameter.

Executive summary

A critical privilege escalation vulnerability in the V-SOL GPON/EPON OLT Platform allows standard users to elevate their privileges to administrator, leading to full system control.

Vulnerability

The vulnerability exists in the user management endpoint where the system fails to properly validate the 'user_role_mod' parameter. By sending a crafted HTTP POST request with this parameter set to '1', an authenticated user can escalate their account to an administrative level.

Business impact

Successful exploitation allows an attacker with low-level access to gain full administrative control over the OLT platform. Given the 9.8 CVSS score, this represents a complete compromise of the network infrastructure managed by this platform, potentially impacting all downstream services and users.

Remediation

Immediate Action: Update the V-SOL GPON/EPON OLT Platform to the latest version provided by the vendor to remediate the privilege escalation flaw.

Proactive Monitoring: Monitor authentication and user management logs for suspicious HTTP POST requests targeting the user management endpoint.

Compensating Controls: Restrict access to the management interface to trusted administrative IP addresses and enforce multi-factor authentication (MFA) if supported by the platform.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability allows for the total takeover of critical network infrastructure and must be treated with the highest priority. Administrators should apply the vendor-recommended update immediately and audit existing user accounts for any unauthorized modifications to role assignments.