How is CVE-2026-45433 exploited?

Network reachability (required): The attacker must reach the affected device over the network; the vulnerability is exploitable remotely without requiring LAN or physical proximity. Authentication (not-required): No account or credentials are needed; any unauthenticated remote party can attempt to extract the firmware and obtain the hardcoded key. Victim interaction (not-required): Exploitation requires no action from a user or administrator on the affected device. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and places no special environmental conditions or timing constraints on the attacker.

What is the impact of CVE-2026-45433?

An attacker who extracts the hardcoded RSA private key can decrypt recorded or intercepted HTTPS sessions between clients and the affected ONT device, reading plaintext credentials, session tokens, and management traffic. With the private key in hand, an attacker can impersonate the device in a man-in-the-middle position, silently reading or relaying traffic that clients believe is encrypted and authenticated. Confidential configuration data, ISP provisioning parameters, and any secrets exchanged over the device's HTTPS management interface are exposed to passive decryption.

Back to search

HIGHCVE-2026-45433Published 2026-06-04Modified 2026-06-04CNA CERT-In

CVE-2026-45433: Hardcoded Cryptographic Key Vulnerability in GX Earth ONT Models

This vulnerability exists in GX Earth 2022 ONT models due to the presence of hardcoded RSA private key within the device firmware. A remote attacker could exploit this vulnerability by extracting the cryptographic private key from the firmware, which could lead to decryption of HTTPS traffic and Man-in-the-Middle (MITM) attacks on the targeted device.

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: —
Affected Products: 2

HarborGuard Analysis

Synopsis

A hardcoded RSA private key vulnerability exists in GX Earth ONT (Optical Network Terminal) device firmware across multiple GX INDIA GX Earth 2022 and GX Earth 1010 models. The private key is embedded directly in the firmware image and is reachable by any remote attacker over the network without authentication. Successful exploitation allows an attacker to decrypt HTTPS traffic to and from affected devices and perform man-in-the-middle attacks, intercepting or reading communications in transit. HarborGuard is tracking this advisory as no upstream fix has been published yet.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built firmware-derived or management-plane container images that incorporate GX Earth ONT components. Matching runs continuously against images in connected registries and CI/CD pipelines.

Available

Triage

HarborGuard triage assigns this CVE a CVSS v4.0 score of 8.7 (HIGH) and weights it against each customer environment's compliance policy to determine urgency and routing. Findings are delivered to the appropriate team inbox within each customer org based on asset ownership and policy configuration.

Available

Patch

Because no fix version has been published for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the meantime, compensating controls such as network-policy isolation of affected device management interfaces can be surfaced through HarborGuard's policy recommendations where applicable.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must reach the affected device over the network; the vulnerability is exploitable remotely without requiring LAN or physical proximity.
AuthenticationNot required
No account or credentials are needed; any unauthenticated remote party can attempt to extract the firmware and obtain the hardcoded key.
Victim interactionNot required
Exploitation requires no action from a user or administrator on the affected device.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and places no special environmental conditions or timing constraints on the attacker.

Blast Radius

An attacker who extracts the hardcoded RSA private key can decrypt recorded or intercepted HTTPS sessions between clients and the affected ONT device, reading plaintext credentials, session tokens, and management traffic.
With the private key in hand, an attacker can impersonate the device in a man-in-the-middle position, silently reading or relaying traffic that clients believe is encrypted and authenticated.
Confidential configuration data, ISP provisioning parameters, and any secrets exchanged over the device's HTTPS management interface are exposed to passive decryption.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been published for CVE-2026-45433, HarborGuard monitors the advisory on every ingest cycle and will automatically surface a patched-image rebuild the moment GX INDIA releases a remediated firmware version. While waiting for an upstream patch, customers can use HarborGuard's network-policy recommendation capability to identify affected workloads or management-plane containers and apply isolation controls, such as restricting inbound HTTPS access to the device management interface to trusted source addresses only. For customers with auto-remediation enabled, a rebuild, regression test run, and PR against affected workloads will be initiated automatically as soon as a fix version is available, with median time from publication to merged patch PR for high-severity issues running around 90 minutes in environments with auto-remediation active.

See how HarborGuard automates this

Affected packages

GX INDIA / GX Earth 2022
version E2022 - 3.1.2A · version E2022 - 3.1.5AV · version E2022 - 1.1ASL
GX INDIA / GX Earth 1010
version E1010-1.1ASL

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

cert-in.org.in

Metrics

Get notified