Breaking the Backbone of Global ISP Networks

In this talk, we present a practical, end-to-end attack chain against modern fiber access networks, demonstrating how multiple pre-authenticated Remote Code Execution (RCE) vulnerabilities can be chained to fully compromise an ISP infrastructure.

We begin by exploiting three pre-authenticated RCE vulnerabilities on a GPON Optical Line Terminal (OLT), gaining initial access to a device that sits at a critical point of ISP networks and directly handles customer traffic. From the compromised OLT, we pivot into the ISP’s cloud-based fleet management platform via an additional pre-authenticated RCE, ultimately obtaining centralized and persistent control over all deployed OLTs managed by the provider.

In large-scale deployments, OLTs are remotely administered through centralized management platforms, making them highly attractive targets. By chaining vulnerabilities between exposed edge devices and their associated cloud management systems, an attacker can escalate from a single-device compromise to full control over the access network infrastructure.

This attack path enables high-impact outcomes, including large-scale service disruption, long-term unauthorized access to ISP networks, customer traffic interception, and mass surveillance capabilities. These scenarios closely mirror recent real-world disclosures involving nation-state actors covertly compromising telecommunications providers in Western countries, where control over ISP infrastructure has been leveraged for strategic intelligence collection and population-scale monitoring.