How OLTs may have exposed entire ISP networks - Quarkslab's blog
Table of contents
Disclaimer
Introduction
What is a GPON OLT?
Where are they located?
Vulnerable devices from which manufacturer?
Exploitation of the cloud based fleet management tool Cloud EMS
  Retrieval of the source code
  Analysis of the source code
  Cloud EMS Information Leakage
  Cloud EMS Remote Code Execution
OLTs Command Injection in the traceroute feature via SNMP (pre-auth)
  Model V1600GS-O32 (binary: gpond)
  Model V1600GT (binary: vsapp)
OLTs Command Injection in TACACS+ login authentication feature via /action/main.html (pre-auth)
OLTs Command Injection in the traceroute feature via /action/tracert.html (pre-auth)
OLTs Default Credentials
Conclusion
  Mitigations for the OLTs
  Mitigations for Cloud EMS
  Overview of mitigation measures
Going further
References
Appendix
  Python exploit for the SNMP handler
  List of OIDs retrieved through reflection
Posted: Tue 19 May 2026
Author: Mathieu Farrell
Category: Vulnerability
Tags: 2026, pentest, OLT, vulnerability, VSOL, FTTH, GPON
An Optical Line Terminal (OLT) is the central device in a Fiber-To-The-Home (FTTH) network that connects and manages all customer connections, making it a critical control point in an ISP's infrastructure for delivering high speed Internet. This article uncovers how unauthenticated access to OLTs can lead to a full network takeover starting by exploiting exposed vulnerable devices, showing how to pivot into the cloud-based fleet manager using other vulnerabilities, and then compromising an ISP's entire infrastructure.
Disclaimer
The research described in this blog post was conducted on software and devices in a private laboratory environment. All the materials (devices, source code, documentation) were publicly available and obtained from the Internet. No attacks were conducted on operational systems of real ISPs.
Introduction
This is the fifteenth article I have written over the past three years at Quarkslab, and without a doubt, it has been the most thrilling and fun to put together. The hidden world of ISP (Internet Service Provider) network security might sound complex, but what I am about to reveal could shake up how you see network defenses. In this post, I dive deep into how vulnerabilities in critical devices can lead to the complete takeover of service provider networks.
Brace yourself, what follows is surprisingly simple, yet incredibly powerful.
What is a GPON OLT?
A GPON OLT (Gigabit Passive Optical Network Optical Line Terminal) is a piece of telecommunications equipment serving as the primary interface between the provider's core network and the passive optical fiber infrastructure that delivers high speed internet to end users. It manages and controls multiple optical network units (ONUs) or optical network terminals (ONTs) installed at customer premises by multiplexing data streams over a shared fiber optic line. The OLT handles tasks such as traffic scheduling, bandwidth allocation, encryption, and fault management, ensuring efficient and secure bidirectional communication across the network.
As the central hub of a GPON architecture, the OLT ensures a smooth handover between the provider's IP backbone and the passive optical distribution network, making it a critical control point for maintaining network performance, security, and reliability in modern FTTH (fiber to the home) deployments.
Figure 1 - Diagram taken from the manufacturer's website showing the global network (example 1).
Where are they located?
GPON OLTs are typically housed in the service provider's central offices, data centers, or telecommunications hubs. These locations are highly secure (or at least should be), featuring reliable power supplies, cooling systems, and physical security measures to ensure uninterrupted operation.
This equipment aggregates and manages traffic from thousands of subscribers by connecting them to the optical distribution network (ODN), which extends via fiber cables to neighborhoods and individual homes. Centralizing OLTs allows ISPs to efficiently control and monitor large segments of their network while ensuring easy access for maintenance and upgrades.
For the average user, a GPON OLT functions much like a standard router by managing and directing network traffic between the provider's core network and end users. It handles routing, bandwidth allocation, security, and access control. However, unlike a typical router, it also manages the physical fiber infrastructure and coordinates shared access among multiple users, making it a specialized device designed specifically for optical networks.
Figure 2 - Diagram taken from the manufacturer's website showing the network architecture (example 2).
Vulnerable devices from which manufacturer?
As part of the offensive security assessment (adversary simulation mission) targeting the infrastructure of a hypothetical ISP, I conducted my research on some devices manufactured by VSOL[1], a vendor of network...