Talos Vulnerability Report

TALOS-2025-2228

Planet WGR-500 formPingCmd format string vulnerability

October 7, 2025
CVE Number

CVE-2025-48826

SUMMARY

A format string vulnerability exists in the formPingCmd functionality of Planet WGR-500 v1.3411b190912. A specially crafted series of HTTP requests can lead to memory corruption. An attacker can send a series of HTTP requests to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Planet WGR-500 v1.3411b190912

PRODUCT URLS

WGR-500 - https://www.planet.com.tw/

CVSSv3 SCORE

8.8 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-134 - Use of Externally-Controlled Format String

DETAILS

The WGR-500 is a high-performance industrial router designed to support VLAN configurations, equipped with a built-in firewall, and offering a robust suite of advanced networking functionalities.

The WGR-500 features functionality to test connectivity with other computers using ping. This functionality is implemented through the web server’s formPingCmd function:

void formPingCmd(undefined4 param_1)

{
    char *submit_url;
    char* ipaddr;
    char* counts;
    [...]
    char buffer_32 [32];
    char ping_command [100];
    char buffer_260 [260];

[1] submit_url = get_from_params(param_1,"submit-url","");
    ipaddr = get_from_params(param_1,"ipaddr","");
    counts = get_from_params(param_1,"counts","");
    sprintf(ping_command,"ping -c %s %s 2>&1 > %s &",counts,ipaddr,"/tmp/pingResult");
[2] sprintf(buffer_260,submit_url);
    [...]
    return;
}

This function uses the argument submit-url, fetched at [1], as the second argument of an sprintf call at [2]. The second argument of sprintf serves as the format string; consequently, submit-url is treated as a format string. An attacker can use this format string vulnerability to achieve arbitrary code execution.

TIMELINE

2025-07-30 - Initial Vendor Contact
2025-08-01 - Vendor Disclosure
2025-08-01 - Vendor Confirmed Receipt
2025-09-01 - Status Update Request
2025-09-01 - Vendor Reply
2025-09-24 - Vendor Reply Acknowledged. Release Date Announced.
2025-10-07 - Public Release

Credit

Discovered by Francesco Benvenuto of Cisco Talos.