CVE-2025-54404 PUBLISHED

Assigner: talos
Reserved: 21.07.2025 Published: 07.10.2025 Updated: 07.10.2025

Multiple OS command injection vulnerabilities exist in the swctrl functionality of Planet WGR-500 v1.3411b190912. A specially crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities.This command injection is related to the new_device_name request parameter.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 8.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Planet
Product	WGR-500
Versions	Version v1.3411b190912 is affected

Credits

Discovered by Francesco Benvenuto of Cisco Talos.

References

https://talosintelligence.com/vulnerability_reports/TALOS-2025-2227

Problem Types

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE