CVE-2025-29524: n/a
Incorrect access control in the component /cgi-bin/system_diagnostic_main.asp of DASAN GPON ONU H660WM H660WMR210825 allows attackers to access sensitive information.
AI Analysis
Technical Summary
CVE-2025-29524 is a security vulnerability identified in the DASAN GPON ONU H660WM and H660WMR210825 devices, specifically within the web interface component located at /cgi-bin/system_diagnostic_main.asp. The vulnerability arises from incorrect access control mechanisms, which allow unauthorized attackers to access sensitive information that should otherwise be protected. GPON (Gigabit Passive Optical Network) ONUs (Optical Network Units) are critical network devices used by Internet Service Providers (ISPs) to deliver high-speed broadband services to end users. The affected component is part of the device's diagnostic interface, which typically contains detailed system information, status reports, and potentially sensitive configuration data. Improper access control here means that attackers can bypass authentication or authorization checks, gaining access to this sensitive data without proper credentials. Although no specific affected firmware versions are listed, the vulnerability is confirmed in the stated models. No CVSS score has been assigned, and no known public exploits are reported at this time. However, the presence of such a vulnerability in network edge devices poses a significant risk as it can be leveraged for reconnaissance, further exploitation, or lateral movement within a network. The lack of patch information suggests that mitigation may currently rely on configuration changes or network-level protections until a vendor patch is released.
Potential Impact
For European organizations, the impact of this vulnerability can be substantial, especially for ISPs, telecommunications providers, and enterprises relying on DASAN GPON ONU devices for broadband connectivity. Unauthorized access to system diagnostics can reveal sensitive information such as network configurations, device status, and potentially credentials or internal IP addresses. This information can facilitate targeted attacks, including device takeover, network mapping, or service disruption. Given the critical role of GPON ONUs in broadband infrastructure, exploitation could lead to confidentiality breaches, integrity compromises if attackers manipulate device settings, and availability issues if devices are destabilized. The threat is particularly relevant for organizations in sectors with high reliance on stable and secure internet connectivity, such as finance, healthcare, and government institutions. Additionally, attackers could use the information gained to pivot into internal networks, increasing the risk of broader compromise. The absence of known exploits currently reduces immediate risk but does not eliminate the potential for future exploitation, especially as threat actors often reverse-engineer disclosed vulnerabilities.
Mitigation Recommendations
Organizations should implement a multi-layered approach to mitigate this vulnerability. First, restrict access to the management interfaces of DASAN GPON ONU devices by implementing network segmentation and access control lists (ACLs) to limit access only to trusted administrative hosts. Employ VPNs or secure management channels for remote access to these devices. Monitor network traffic for unusual access patterns to the /cgi-bin/system_diagnostic_main.asp endpoint. Since no patch is currently available, coordinate with DASAN to obtain firmware updates or security advisories. If possible, disable or restrict the diagnostic web interface to prevent unauthorized access. Regularly audit device configurations and logs to detect unauthorized access attempts. Additionally, implement strong authentication mechanisms for device management interfaces, such as multi-factor authentication, if supported. Finally, maintain an up-to-date asset inventory to quickly identify affected devices and prioritize remediation efforts.
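One way to carry out the monitoring step above, as an added example that is not part of the original advisory or any vendor tooling. It assumes HTTP access logs in common log format from a sensor or proxy in front of the ONU management network; the `ADMIN_NETS` range, the helper names and the sample lines are constructed for illustration.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

ENDPOINT = "/cgi-bin/system_diagnostic_main.asp"  # path named in the advisory
# Assumption: the only hosts permitted to reach ONU management interfaces.
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/28")]

# Assumption: common log format, e.g. from an HTTP-aware sensor or proxy.
LINE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"[A-Z]+ (?P<uri>\S+)[^"]*" (?P<status>\d{3})')

def normalize(uri):
    """Reduce a request target to a canonical path so that query strings,
    percent-encoding, duplicate slashes and case do not hide the endpoint."""
    path = unquote(uri.split("?", 1)[0])
    path = re.sub(r"/+", "/", path)
    return posixpath.normpath(path).lower()

def review(lines):
    """Return (source, timestamp, status, verdict) for every request to the
    diagnostic page that did not come from an administrative network."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m or normalize(m["uri"]) != ENDPOINT:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            src = None  # unparseable source is treated as untrusted
        if src is not None and any(src in net for net in ADMIN_NETS):
            continue
        status = int(m["status"])
        # 2xx to a non-admin source means the diagnostic page was served.
        verdict = "served" if 200 <= status < 300 else "probe"
        findings.append((m["src"], m["ts"], status, verdict))
    return findings

# Constructed sample log lines (documentation address ranges).
SAMPLE = [
    '10.20.0.5 - - [25/Aug/2025:14:01:02 +0000] "GET /cgi-bin/system_diagnostic_main.asp HTTP/1.1" 200 5120',
    '192.0.2.44 - - [25/Aug/2025:14:03:10 +0000] "GET /cgi-bin/system_diagnostic_main.asp HTTP/1.1" 200 5120',
    '198.51.100.7 - - [25/Aug/2025:14:04:55 +0000] "GET /cgi-bin//System_Diagnostic_Main.asp?x=1 HTTP/1.1" 401 0',
    '192.0.2.44 - - [25/Aug/2025:14:05:00 +0000] "GET /index.asp HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

A "served" verdict is the case to escalate first, since it indicates the page returned content to a host outside the administrative range.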
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-03-11T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68ac778cad5a09ad004c7853
Added to database: 8/25/2025, 2:47:40 PM
Last enriched: 8/25/2025, 3:03:54 PM
Last updated: 9/1/2025, 11:47:43 AM