Talos Vulnerability Report

TALOS-2025-2229

Planet WGR-500 formPingCmd OS command injection vulnerabilities

October 7, 2025
CVE Number

CVE-2025-54406,CVE-2025-54405

SUMMARY

Multiple OS command injection vulnerabilities exist in the formPingCmd functionality of Planet WGR-500 v1.3411b190912. A specially crafted series of HTTP requests can lead to arbitrary command execution. An attacker can send a series of HTTP requests to trigger these vulnerabilities.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Planet WGR-500 v1.3411b190912

PRODUCT URLS

WGR-500 - https://www.planet.com.tw/

CVSSv3 SCORE

8.8 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

DETAILS

The WGR-500 is a high-performance industrial router designed to support VLAN configurations, equipped with a built-in firewall, and offering a robust suite of advanced networking functionalities.

The WGR-500 features a function to test connectivity with other computers using ping. This functionality is implemented through the web server’s formPingCmd function:

void formPingCmd(undefined4 param_1)

{
    [...]
    
[1] ipaddr = get_from_params(param_1,"ipaddr","");
[2] counts = get_from_params(param_1,"counts","");
[3] sprintf(to_system_buff,"ping -c %s %s 2>&1 > %s &",counts,ipaddr,"/tmp/pingResult");
    [...]
[4] system(to_system_buff);
    return;
}

This functionality uses the two provided arguments, ipaddr and counts, to prepare the string "ping -c <counts> <ipaddr> 2>&1 > %s &" and then executes the command via system. The formPingCmd API has two ways, through the request’s parameters, that can lead to OS command injection vulnerabilities. An attacker could exploit these vulnerabilities to achieve arbitrary command execution. The following details describe each request parameter that can lead to an OS command injection.

CVE-2025-54405 - ipaddr

At [1], the ipaddr request parameter is fetched. Subsequently, the code at [3] is reached, and the string "ping -c <counts> <ipaddr> 2>&1 > %s &" is composed. This string is then used at [4] as an argument for the system function. Because no checks are performed on the ipaddr request’s parameter, an OS command injection can occur at [4].

CVE-2025-54406 - counts

At [2], the counts request parameter is fetched. Subsequently, the code at [3] is reached, and the string "ping -c <counts> <ipaddr> 2>&1 > %s &" is composed. This string is then used at [4] as an argument for the system function. Because no checks are performed on the counts request’s parameter, an OS command injection can occur at [4].

TIMELINE

2025-07-30 - Initial Vendor Contact
2025-08-01 - Vendor Disclosure
2025-08-01 - Vendor Confirmed Receipt
2025-09-01 - Status Update Request
2025-09-01 - Vendor Reply
2025-09-24 - Vendor Reply Acknowledged. Release Date Announced.
2025-10-07 - Public Release

Credit

Discovered by Francesco Benvenuto of Cisco Talos.