CVE-2025-54406, CVE-2025-54405
Multiple OS command injection vulnerabilities exist in the formPingCmd functionality of Planet WGR-500 v1.3411b190912. A specially crafted series of HTTP requests can lead to arbitrary command execution. An attacker can send a series of HTTP requests to trigger these vulnerabilities.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Planet WGR-500 v1.3411b190912
WGR-500 - https://www.planet.com.tw/
8.8 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
The WGR-500 is a high-performance industrial router designed to support VLAN configurations, equipped with a built-in firewall, and offering a robust suite of advanced networking functionalities.
The WGR-500 features a function to test connectivity with other computers using ping. This functionality is implemented through the web server’s formPingCmd function:
void formPingCmd(undefined4 param_1)
{
    [...]
[1] ipaddr = get_from_params(param_1,"ipaddr","");
[2] counts = get_from_params(param_1,"counts","");
[3] sprintf(to_system_buff,"ping -c %s %s 2>&1 > %s &",counts,ipaddr,"/tmp/pingResult");
    [...]
[4] system(to_system_buff);
    return;
}
This functionality uses the two provided arguments, ipaddr and counts, to prepare the string "ping -c <counts> <ipaddr> 2>&1 > %s &" and then executes the command via system. The formPingCmd API takes two request parameters, each of which can lead to an OS command injection vulnerability. An attacker could exploit these vulnerabilities to achieve arbitrary command execution. The following details describe each request parameter that can lead to an OS command injection.
At [1], the ipaddr request parameter is fetched. Subsequently, the code at [3] is reached, and the string "ping -c <counts> <ipaddr> 2>&1 > %s &" is composed. This string is then used at [4] as an argument for the system function. Because no checks are performed on the ipaddr request parameter, an OS command injection can occur at [4].
At [2], the counts request parameter is fetched. Subsequently, the code at [3] is reached, and the string "ping -c <counts> <ipaddr> 2>&1 > %s &" is composed. This string is then used at [4] as an argument for the system function. Because no checks are performed on the counts request parameter, an OS command injection can occur at [4].
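A hardened counterpart to the code at [3] and [4], as an added example that is not taken from this advisory or from the vendor's firmware: both parameters are checked against a strict format and placed in separate argv entries, so no shell ever parses them. The function names, the 1 to 10 count limit and the IPv4-only restriction are assumptions.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Accept only a plain decimal integer in [1, 10]; the limit is an assumption. */
static int parse_count(const char *s, long *out)
{
    char *end;
    if (s == NULL || *s < '0' || *s > '9')   /* no sign, space or empty string */
        return -1;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < 1 || v > 10)
        return -1;                           /* trailing bytes or out of range */
    *out = v;
    return 0;
}

/* Accept only a literal IPv4 address and re-render it in canonical form. */
static int parse_ipv4(const char *s, char *canon, size_t len)
{
    struct in_addr a;
    if (s == NULL || inet_pton(AF_INET, s, &a) != 1)
        return -1;
    return inet_ntop(AF_INET, &a, canon, len) ? 0 : -1;
}

/* Fill argv for an execv()/posix_spawn()-style launch instead of system().
 * Returns 0 on success, -1 if either request parameter is rejected. */
int build_ping_argv(const char *counts, const char *ipaddr,
                    char count_buf[24], char ip_buf[INET_ADDRSTRLEN],
                    const char *argv[5])
{
    long n;
    if (parse_count(counts, &n) != 0 ||
        parse_ipv4(ipaddr, ip_buf, INET_ADDRSTRLEN) != 0)
        return -1;
    snprintf(count_buf, 24, "%ld", n);       /* re-serialised, not the raw input */
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = count_buf;
    argv[3] = ip_buf;
    argv[4] = NULL;
    return 0;
}
```

The output redirection to /tmp/pingResult that the original command string performs in the shell would be done by the caller with open() and dup2() in the child before exec.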
2025-07-30 - Initial Vendor Contact
2025-08-01 - Vendor Disclosure
2025-08-01 - Vendor Confirmed Receipt
2025-09-01 - Status Update Request
2025-09-01 - Vendor Reply
2025-09-24 - Vendor Reply Acknowledged. Release Date Announced.
2025-10-07 - Public Release
Discovered by Francesco Benvenuto of Cisco Talos.