
CVE-2025-29524: n/a

Medium
Vulnerability, CVE-2025-29524, cve, cve-2025-29524
Published: Mon Aug 25 2025 (08/25/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Incorrect access control in the component /cgi-bin/system_diagnostic_main.asp of DASAN GPON ONU H660WM H660WMR210825 allows attackers to access sensitive information.

AI-Powered Analysis

AI analysis last updated: 09/02/2025, 01:06:51 UTC

Technical Analysis

CVE-2025-29524 is a medium severity vulnerability identified in the DASAN GPON ONU H660WM and H660WMR210825 devices. The flaw exists in the web management interface component located at /cgi-bin/system_diagnostic_main.asp. Specifically, the vulnerability is due to incorrect access control (CWE-284), which allows unauthenticated remote attackers to access sensitive information without proper authorization. The vulnerability has a CVSS v3.1 base score of 6.5, indicating a moderate risk. The vector string (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) shows that the attack can be performed remotely over the network without any privileges or user interaction, impacting confidentiality and integrity but not availability. The affected component is a CGI script used for system diagnostics, which likely exposes internal device information or diagnostic data that could aid attackers in further exploitation or reconnaissance. No patches or known exploits in the wild have been reported as of the publication date (August 25, 2025). The vulnerability is particularly concerning because GPON ONUs (Optical Network Units) are critical endpoints in fiber-optic broadband networks, often deployed by ISPs and enterprises to provide high-speed internet access. Unauthorized access to diagnostic information could reveal network configurations, device status, or other sensitive operational data that attackers might leverage to compromise the device or the broader network infrastructure.

Potential Impact

For European organizations, the impact of this vulnerability could be significant, especially for ISPs, telecom providers, and enterprises relying on DASAN GPON ONU devices for fiber-optic broadband connectivity. Exposure of sensitive diagnostic information could facilitate targeted attacks such as device takeover, network reconnaissance, or lateral movement within corporate or service provider networks. This could lead to breaches of customer data, disruption of internet services, or compromise of critical infrastructure. Given the widespread deployment of GPON technology across Europe for broadband access, exploitation of this vulnerability could affect both private and public sector entities. The lack of authentication and user interaction requirements lowers the barrier for attackers, increasing the risk of automated scanning and exploitation attempts. While no active exploits are currently known, the vulnerability's presence in network edge devices makes it a valuable target for threat actors aiming to establish persistent footholds or conduct espionage. Additionally, compromised ONUs could be used as pivot points for attacks against other network segments, amplifying the potential damage.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should first identify all DASAN GPON ONU H660WM and H660WMR210825 devices within their networks. Since no official patches are currently available, immediate mitigation steps include restricting access to the device management interfaces by implementing network segmentation and firewall rules that limit access to trusted management networks only. Disabling or restricting access to the vulnerable /cgi-bin/system_diagnostic_main.asp endpoint, if possible, can reduce exposure. Monitoring network traffic for unusual access patterns to the CGI interface can help detect exploitation attempts. Organizations should also engage with DASAN or their equipment vendors to obtain firmware updates or security advisories addressing this issue. Employing strong network access controls, such as VPNs or management VLANs, and enforcing strict authentication for device management interfaces will further reduce risk. Finally, integrating these devices into existing vulnerability management and incident response workflows will ensure timely detection and remediation of any exploitation attempts.
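The monitoring step above can be sketched as a small log check. This is an added example, not part of the original advisory or any vendor tooling. It assumes that HTTP requests to the ONU management interface are logged in Common Log Format by a gateway or proxy in front of the devices, and that `MGMT_NETS` (a placeholder range) lists the trusted management networks. The sample log lines are constructed.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

WATCHED_PATH = "/cgi-bin/system_diagnostic_main.asp"  # endpoint named in the CVE
# Assumption: the only network allowed to reach the ONU web interface.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Common Log Format prefix: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '10.20.0.5 - - [25/Aug/2025:10:00:01 +0000] "GET /cgi-bin/system_diagnostic_main.asp HTTP/1.1" 200 512',
    '203.0.113.7 - - [25/Aug/2025:10:02:13 +0000] "GET /cgi-bin/system_diagnostic_main.asp?t=1 HTTP/1.1" 200 512',
    '198.51.100.23 - - [25/Aug/2025:10:05:40 +0000] "GET /cgi-bin/%2e/System_Diagnostic_Main.asp HTTP/1.1" 403 0',
    '203.0.113.7 - - [25/Aug/2025:10:06:02 +0000] "GET /favicon.ico HTTP/1.1" 200 90',
]

def normalized_path(target):
    """Drop the query string, percent-decode, and collapse './' and '//' so
    encoded or padded spellings of the watched path still match."""
    path = unquote(target.split("?", 1)[0])
    # Lower-casing is a conservative matching choice, not a claim about the device.
    return posixpath.normpath("/" + path.lstrip("/")).lower()

def is_trusted(src):
    """True only when src parses as an IP address inside a management network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # non-IP client field: treat as untrusted, do not skip
    return any(addr in net for net in MGMT_NETS)

def find_untrusted_access(lines):
    """Return (source, timestamp, status) for every request to WATCHED_PATH
    that did not come from a management network."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and normalized_path(m["target"]) == WATCHED_PATH and not is_trusted(m["src"]):
            hits.append((m["src"], m["ts"], int(m["status"])))
    return hits

if __name__ == "__main__":
    for hit in find_untrusted_access(SAMPLE_LOG):
        print("ALERT", *hit)
```

Any hit means the segmentation or firewall rule recommended above is not being enforced for that source, whatever the response status was.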


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-03-11T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 68ac778cad5a09ad004c7853

Added to database: 8/25/2025, 2:47:40 PM

Last enriched: 9/2/2025, 1:06:51 AM

Last updated: 10/19/2025, 11:07:31 PM
