CVE Alert: CVE-2025-54406 – Planet – WGR-500
CVE-2025-54406
Multiple OS command injection vulnerabilities exist in the formPingCmd functionality of Planet WGR-500 v1.3411b190912. A specially crafted series of HTTP requests can lead to arbitrary command execution. An attacker can send a series of HTTP requests to trigger these vulnerabilities. This command injection is related to the `counts` request parameter.
AI Summary Analysis
Risk verdict
High risk to networked deployments; remote command execution possible with low preconditions and no user interaction. No KEV or EPSS indicators provided to elevate to Priority 1.
Why this matters
An attacker can achieve full control over the device by crafting HTTP requests that abuse the formPingCmd counts parameter, compromising confidentiality, integrity and availability. Public-facing or poorly segmented devices create attractive footholds for persistence or lateral movement within a network.
Most likely attack path
Exploitation requires access to the device over the network, with low privileges and no user interaction. An attacker can send targeted HTTP requests to trigger OS commands, potentially enabling remote code execution and subsequent host manipulation within the same device scope.
Who is most exposed
Devices with HTTP management interfaces exposed to the internet or to poorly segmented internal networks, particularly in SMB/branch-office environments using Planet WGR-500 or similar gateways.
Detection ideas
- Look for anomalous HTTP requests to the formPingCmd endpoint, especially unusual counts parameter values.
- Correlate with unexpected process creation or shell activity on the device or adjacent logging systems.
- IDS/IPS/WAF alerts for command-injection patterns and parameter tampering in management interfaces.
- Unusual spikes in management-API traffic from unauthorised subnets or IPs.
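The first detection idea can be expressed as an allowlist check on `counts`. The sketch below is an added example, not code from the vendor or from this advisory. It assumes request records (source IP, request target, form-encoded body) are available from a reverse proxy or WAF in front of the management interface, and that a legitimate ping count is a small positive integer. The URL prefix, the upper bound and the sample records are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

MAX_COUNT = 100                      # assumed upper bound for a ping count
DIGITS = re.compile(r"[0-9]{1,3}")   # allowlist: ASCII digits only

def check_request(target, body=""):
    """Return findings for one request; an empty list means nothing suspicious."""
    parts = urlsplit(target)
    if "formPingCmd" not in parts.path:
        return []
    # counts may arrive in the query string or in a form-encoded POST body
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    findings = []
    for name, value in params:
        if name != "counts":
            continue
        if not DIGITS.fullmatch(value):
            findings.append(f"counts is not a plain integer: {value!r}")
        elif not 1 <= int(value) <= MAX_COUNT:
            findings.append(f"counts out of range: {value}")
    return findings

def scan(records):
    """records: iterable of (source_ip, target, body). Returns (source_ip, finding) pairs."""
    return [(src, f) for src, target, body in records
            for f in check_request(target, body)]

# Constructed sample records; the /PLACEHOLDER/ prefix is not the device's real path.
SAMPLE = [
    ("192.0.2.10", "/PLACEHOLDER/formPingCmd", "counts=4"),
    ("192.0.2.55", "/PLACEHOLDER/formPingCmd", "counts=4%3Bexample"),
    ("192.0.2.55", "/PLACEHOLDER/formPingCmd?counts=0", ""),
    ("192.0.2.10", "/PLACEHOLDER/status", "counts=4%3Bexample"),
]

if __name__ == "__main__":
    for src, finding in scan(SAMPLE):
        print(src, finding)
```

The check decodes the value before testing it, so percent-encoded or `+`-encoded characters are compared in their decoded form against the digit allowlist.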
Mitigation and prioritisation
- Apply vendor patch to remedy the OS command injection; upgrade to non-affected firmware.
- Restrict management interface access to VPN-only or trusted networks; disable internet exposure if possible.
- Implement input validation and parameter whitelisting for counts; deploy a WAF/IPS signature to block injection attempts.
- Validate remediation in a lab prior to production rollout; document patch window and rollback plan.
- Monitor for exploitation attempts and enable dedicated alerting; if KEV/EPSS data becomes available, reclassify to Priority 1.