CVE-2025-48826
A format string vulnerability exists in the formPingCmd functionality of Planet WGR-500 v1.3411b190912. A specially crafted series of HTTP requests can lead to memory corruption. An attacker can send a series of HTTP requests to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Planet WGR-500 v1.3411b190912
WGR-500 - https://www.planet.com.tw/
8.8 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-134 - Use of Externally-Controlled Format String
The WGR-500 is a high-performance industrial router designed to support VLAN configurations, equipped with a built-in firewall, and offering a robust suite of advanced networking functionalities.
The WGR-500 features functionality to test connectivity with other computers using ping. This functionality is implemented through the web server’s formPingCmd
function:
void formPingCmd(undefined4 param_1)
{
char *submit_url;
char* ipaddr;
char* counts;
[...]
char buffer_32 [32];
char ping_command [100];
char buffer_260 [260];
[1] submit_url = get_from_params(param_1,"submit-url","");
ipaddr = get_from_params(param_1,"ipaddr","");
counts = get_from_params(param_1,"counts","");
sprintf(ping_command,"ping -c %s %s 2>&1 > %s &",counts,ipaddr,"/tmp/pingResult");
[2] sprintf(buffer_260,submit_url);
[...]
return;
}
This function uses the argument submit-url
, fetched at [1]
, as the second argument of an sprintf
call at [2]
. The second argument of sprintf
serves as the format string; consequently, submit-url
is treated as a format string. An attacker can use this format string vulnerability to achieve arbitrary code execution.
2025-07-30 - Initial Vendor Contact
2025-08-01 - Vendor Disclosure
2025-08-01 - Vendor Confirmed Receipt
2025-09-01 - Status Update Request
2025-09-01 - Vendor Reply
2025-09-24 - Vendor Reply Acknowledged. Release Date Announced.
2025-10-07 - Public Release
Discovered by Francesco Benvenuto of Cisco Talos.