CVE-2025-60772
📋 TL;DR
CVE-2025-60772 is an authentication bypass vulnerability in NETLINK HG322G GPON ONT devices that allows unauthenticated attackers to gain administrative access via crafted HTTP requests. This affects NETLINK HG322G V1.0.00-231017 devices with exposed web management interfaces. Attackers can lock out legitimate administrators and take full control of affected devices.
💻 Affected Systems
- NETLINK HG322G GPON ONT
⚠️ Manual Verification Required
The CVE description names a single build, V1.0.00-231017, but the database entry carries no machine-readable version range, so automatic vulnerability detection cannot determine whether your device is affected.
Why? Neither the vendor nor NVD has published which firmware versions are vulnerable and which, if any, are fixed.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete device takeover allowing network traffic interception, credential theft, device bricking, and use as pivot point into internal networks.
Likely Case
Unauthorized administrative access leading to configuration changes, service disruption, and potential credential harvesting.
If Mitigated
Limited impact if device is behind firewall with restricted web interface access and strong network segmentation.
🎯 Exploit Status
A proof-of-concept is published in the GitHub advisory. Exploitation requires only crafted HTTP requests against the web management interface; no credentials or prior foothold are needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: No
Instructions:
No official patch available. Contact NETLINK support for firmware updates. Check vendor website for security advisories.
🔧 Temporary Workarounds
Restrict Web Interface Access
Platform: Linux. Block access to the web management interface from anything other than the management LAN. A bare "iptables -A INPUT -p tcp --dport 80 -j DROP" is not the right shape for this: it also cuts off LAN administrators, and because -A appends, it has no effect if an earlier ACCEPT rule matches first. The rule below is inserted at the head of INPUT and exempts the LAN range (192.168.1.0/24 is a placeholder; substitute your own). Most ONT firmware exposes no shell to add rules, in which case apply the equivalent filter on the upstream router or firewall in front of the device.
iptables -I INPUT -p tcp -m multiport --dports 80,443 ! -s 192.168.1.0/24 -j DROP
Change Default Credentials
Platform: all. Change all default credentials immediately if not already done. Treat this as baseline hygiene rather than a mitigation: the vulnerability bypasses authentication, so strong credentials do not stop the bypass itself, but they do limit what an attacker gains from credentials harvested off the device or reused elsewhere.
🧯 If You Can't Patch
- Isolate device in separate VLAN with strict access controls
- Disable web management interface if not required for operations
🔍 How to Verify
Check if Vulnerable:
Read the firmware version from the web interface (for example the status page at http://device-ip/status.html) or via telnet if it is enabled. The status page may itself require a login; if so, read the version after authenticating from the LAN rather than probing the interface from outside.
Check Version:
curl -s http://device-ip/status.html | grep -i version
Note that grep -i version also matches unrelated fields such as a hardware version; the value of interest is the software/firmware build, e.g. V1.0.00-231017.
Verify Fix Applied:
Confirm the firmware version is later than V1.0.00-231017 and that the vendor's release notes state the authentication bypass is fixed. A newer build alone is not proof of a fix, since no fixed version has been published.
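An added example, not from the original page or the vendor, of automating the version check above: it extracts the software version from a status page and classifies it against the one build the CVE names. The HTML, its field labels and the fetch target are constructed assumptions, since the HG322G's real page layout is not documented here; adjust SOFTWARE_LABEL to match the device once you have seen its page.

```python
import re

# Constructed stand-in for the device's status page (not captured from a real
# HG322G; the real field label may differ). A hardware version is included to
# show why a bare "grep -i version" is not enough on its own.
SAMPLE_STATUS_HTML = """
<html><body><table>
<tr><td>Hardware Version</td><td>V2.1</td></tr>
<tr><td>Software Version</td><td>V1.0.00-231017</td></tr>
</table></body></html>
"""

# The only build the CVE description names; no fixed build has been published.
KNOWN_AFFECTED = "V1.0.00-231017"

# Assumed label of the firmware field on the status page.
SOFTWARE_LABEL = "Software Version"

# Version shape seen in the CVE: V<major>.<minor>.<patch>-<YYMMDD build date>
VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\.(\d+)-(\d{6})$")


def extract_software_version(html):
    """Return the value in the cell following the software-version label, or None."""
    m = re.search(re.escape(SOFTWARE_LABEL) + r"</td>\s*<td>\s*([^<\s]+)", html)
    return m.group(1) if m else None


def parse_version(version):
    """Split 'V1.0.00-231017' into a comparable tuple (1, 0, 0, 231017)."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version format: {version!r}")
    return tuple(int(x) for x in m.groups())


def assess(html):
    """Classify the device against the known-affected build.

    'affected'               exact match with the build named in the CVE
    'older_assume_affected'  predates it; nothing from the vendor says older builds are safe
    'newer_unverified'       postdates it; no fixed build is published, so confirm with the
                             vendor before treating the device as patched
    'unparseable_version'    a value was found but does not follow the V1.0.00-231017 shape
    'no_version_found'       the page did not expose the field (e.g. login required)
    """
    version = extract_software_version(html)
    if version is None:
        return "no_version_found"
    try:
        found, known = parse_version(version), parse_version(KNOWN_AFFECTED)
    except ValueError:
        return "unparseable_version"
    if found == known:
        return "affected"
    return "older_assume_affected" if found < known else "newer_unverified"


if __name__ == "__main__":
    # Live use: replace the constructed HTML with the fetched status page, e.g.
    # urllib.request.urlopen("http://device-ip/status.html").read().decode()
    print(extract_software_version(SAMPLE_STATUS_HTML), assess(SAMPLE_STATUS_HTML))
```

The ordering comparison deliberately never returns "fixed": until the vendor names a fixed build, a later date stamp only tells you the device is not on the one build the CVE lists.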
📡 Detection & Monitoring
Log Indicators:
- Administrative actions (configuration or password changes) from a client that never completed a successful login; an authentication bypass leaves no failed-login trail, so failed attempts followed directly by admin-level requests are a secondary indicator, not the primary one
- Configuration or credential changes originating from IPs outside the management network; an admin password you did not change is the lockout described above
Network Indicators:
- HTTP POST requests to admin endpoints without authentication
- Traffic to web interface from unexpected sources
SIEM Query (Splunk-style pseudo-syntax; the /admin/ and /config/ paths are placeholders until confirmed against the device's actual management endpoints). It matches management requests that were served (200) with no authenticated user attached, which is how a bypass appears in logs that record the session user:
source="device-ip" AND (url="*/admin/*" OR url="*/config/*") AND status=200 AND (NOT user=*)
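The indicators above turned into a check you can run over access logs, as an added example that is not part of the original page or any vendor tooling. Because an authentication bypass produces no failed-login trail, the logic keys on administrative paths served with HTTP 200 to a client that never completed a login in the same log window, and additionally flags sources outside the trusted network and credential-changing endpoints (the lockout case). The log format, the endpoint paths (/login.cgi, /admin/...), and the trusted LAN range are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re

# Common-log-format pattern. The sample below is constructed, not a capture
# from a real HG322G; adapt the regex to whatever your syslog/proxy records.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Assumed endpoint names: where the login form posts, which paths are
# management-only, and which one changes the admin credentials.
LOGIN_PATH = "/login.cgi"
ADMIN_PREFIXES = ("/admin/", "/config/")
LOCKOUT_PATHS = ("/admin/password.cgi",)

# Networks from which management access is expected (assumed LAN range).
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample: a legitimate LAN admin, an external client that goes
# straight to admin endpoints and changes the password, and a client whose
# login failed but whose admin request was still served.
SAMPLE_LOG = """\
192.168.1.10 - - [10/Oct/2025:09:00:01 +0000] "POST /login.cgi HTTP/1.1" 200 512
192.168.1.10 - - [10/Oct/2025:09:00:05 +0000] "GET /admin/status.html HTTP/1.1" 200 2048
203.0.113.45 - - [10/Oct/2025:09:01:10 +0000] "POST /admin/config.cgi HTTP/1.1" 200 310
203.0.113.45 - - [10/Oct/2025:09:01:11 +0000] "POST /admin/password.cgi HTTP/1.1" 200 120
198.51.100.7 - - [10/Oct/2025:09:02:00 +0000] "POST /login.cgi HTTP/1.1" 401 0
198.51.100.7 - - [10/Oct/2025:09:02:03 +0000] "GET /admin/status.html HTTP/1.1" 200 2048
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip):
    """True if the client address lies inside an expected management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def detect_bypass(lines):
    """Return findings for admin endpoints served to clients with no prior
    successful login in this log window.

    A 200 on the login POST is taken as success; some firmware returns 200 with
    an error page instead, in which case key on the session cookie rather than
    the status code.
    """
    authenticated = set()
    findings = []
    for raw in lines:
        rec = parse_line(raw.strip())
        if rec is None:
            continue
        ip, path, status = rec["ip"], rec["path"], rec["status"]
        if path == LOGIN_PATH and rec["method"] == "POST":
            if status == 200:
                authenticated.add(ip)
            continue
        if not path.startswith(ADMIN_PREFIXES):
            continue
        if status == 200 and ip not in authenticated:
            reasons = ["admin endpoint served without prior successful login"]
            if not is_trusted(ip):
                reasons.append("source outside trusted management network")
            if path in LOCKOUT_PATHS:
                reasons.append("credential-changing endpoint: possible admin lockout")
            findings.append({"ip": ip, "ts": rec["ts"], "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_bypass(SAMPLE_LOG.splitlines()):
        print(f["ts"], f["ip"], f["path"], "|", "; ".join(f["reasons"]))
```

Run over a day of logs at a time so the authenticated set covers the whole session window; a client whose login happened before the window would otherwise be reported. In the constructed sample the LAN admin generates nothing, the external client is reported twice (the second hit carrying the lockout reason), and the failed-then-served client is reported once.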