CVE-2025-54405 PUBLISHED

Assigner: talos
Reserved: 21.07.2025 Published: 07.10.2025 Updated: 07.10.2025

Multiple OS command injection vulnerabilities exist in the formPingCmd functionality of Planet WGR-500 v1.3411b190912. A specially crafted series of HTTP requests can lead to arbitrary command execution. An attacker can send a series of HTTP requests to trigger these vulnerabilities.This command injection is related to the ipaddr request parameter.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 8.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Planet
Product	WGR-500
Versions	Version v1.3411b190912 is affected

Credits

Discovered by Francesco Benvenuto of Cisco Talos.

References

https://talosintelligence.com/vulnerability_reports/TALOS-2025-2229

Problem Types

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE