In this talk, we present a practical, end-to-end attack chain against modern
fiber access networks, demonstrating how multiple pre-authenticated Remote Code
Execution (RCE) vulnerabilities can be chained to fully compromise an ISP
infrastructure.

We begin by exploiting three pre-authenticated RCE vulnerabilities on a GPON
Optical Line Terminal (OLT), gaining initial access to a device that sits at a
critical point of ISP networks and directly handles customer traffic. From
the compromised OLT, we pivot into the ISP’s cloud-based fleet management
platform via an additional pre-authenticated RCE, ultimately obtaining
centralized and persistent control over all deployed OLTs managed by the
provider.

In large-scale deployments, OLTs are remotely administered through centralized
management platforms, making them highly attractive targets. By chaining
vulnerabilities between exposed edge devices and their associated cloud
management systems, an attacker can escalate from a single-device compromise to
full control over the access network infrastructure.

This attack path enables high-impact outcomes, including large-scale service
disruption, long-term unauthorized access to ISP networks, customer traffic
interception, and mass surveillance capabilities. These scenarios closely mirror
recent real-world disclosures involving nation-state actors covertly
compromising telecommunications providers in Western countries, where control
over ISP infrastructure has been leveraged for strategic intelligence collection
and population-scale monitoring.