CVE-2025-54401
Published 2025-10-07
Priority: P2 · 60 · high · 8.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.68% (47.7th percentile)
Multiple stack-based buffer overflow vulnerabilities exist in the formPingCmd functionality of Planet WGR-500 v1.3411b190912. A specially crafted series of HTTP requests can lead to stack-based buffer overflow. An attacker can send a series of HTTP requests to trigger these vulnerabilities. This buffer overflow is related to the `submit-url` request parameter.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| planet | wgr-500 | — | — |
| planet | wgr-500_firmware | — | — |
Detection & IOCs (extracted from sources)
url: /boafrm/formPingCmd
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Planet formPingCmd Multiple Parameters Buffer Overflow Attempt (CVE-2025-54399, CVE-2025-54400, CVE-2025-54401, CVE-2025-54402)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:19; content:"/boafrm/formPingCmd"; fast_pattern; http.request_body; pcre:"/(?:ipaddr|counts|submit-url)\x3d[^&]{100,}(?:&|$)/"; reference:cve,2025-54400; reference:cve,2025-54401; reference:cve,2025-54402; reference:url,talosintelligence.com/vulnerability_reports/TALOS-2025-2226; reference:cve,2025-54399; classtype:web-application-attack; sid:2065219; rev:1; metadata:affected_product Planet, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_10_16, cve CVE_2025_54401_CVE_2025_54400_CVE_2025_54399_CVE_2025_54402, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_10_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

- Exploit targets HTTP POST requests to the exact URI /boafrm/formPingCmd (URI length is exactly 19 bytes) on Planet WGR-500 devices.
- The overflow is triggered via the `submit-url` request body parameter (also `ipaddr` and `counts` for related CVEs) when the parameter value exceeds 100 characters before an `&` or end-of-body.
- CVE-2025-54401 specifically relates to the `submit-url` request parameter in formPingCmd.
- Traffic is expected in plaintext (no TLS); deploy detection at the network perimeter and internally.
- MITRE mapping: Initial Access (TA0001) via Exploit Public-Facing Application (T1190).
- The Snort/ET rule (sid:2065219) covers four related CVEs (CVE-2025-54399, CVE-2025-54400, CVE-2025-54401, CVE-2025-54402) with a single signature; a positive alert does not isolate which specific parameter/CVE was exploited without further body inspection.
- Affected product is Planet WGR-500 v1.3411b190912 only; the rule targets $HOME_NET (destination), so ensure networking equipment is included in the HOME_NET variable for accurate coverage.
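
For the body inspection that caveat calls for, the following added example (not part of the original page or of the rule's author) re-applies the rule's method, URI and body conditions to one logged request and reports which parameter matched. The `triage` function name, the sample requests and the `/ping.htm` value are constructed for illustration; only the `submit-url` to CVE-2025-54401 mapping is taken from the page.

```python
import re
from urllib.parse import unquote_to_bytes

RULE_URI = "/boafrm/formPingCmd"  # 19 bytes, matching the rule's bsize:19
# Body pcre from sid:2065219, with capture groups added (name, value).
OVERSIZED = re.compile(rb"(ipaddr|counts|submit-url)\x3d([^&]{100,})(?:&|$)")
# The page maps only submit-url to a CVE; the other parameters belong to the
# related CVEs, but the page does not say which, so they are left unmapped.
PARAM_TO_CVE = {"submit-url": "CVE-2025-54401"}


def triage(method, uri, body):
    """List each parameter in one HTTP request that satisfies the rule.

    Returns tuples (param, raw_len, decoded_len, cve_or_None). raw_len is the
    length the rule counts (it matches the body bytes as sent, without
    URL-decoding); decoded_len is the value length after percent-decoding.
    """
    if method != "POST" or uri != RULE_URI:
        return []
    hits = []
    for m in OVERSIZED.finditer(body):
        name, value = m.group(1).decode(), m.group(2)
        decoded = unquote_to_bytes(value.replace(b"+", b" "))
        hits.append((name, len(value), len(decoded), PARAM_TO_CVE.get(name)))
    return hits


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "benign": ("POST", RULE_URI, b"ipaddr=192.0.2.10&counts=4&submit-url=%2Fping.htm"),
    "long_submit_url": ("POST", RULE_URI, b"ipaddr=192.0.2.10&counts=4&submit-url=" + b"A" * 120),
    "encoded_counts": ("POST", RULE_URI, b"ipaddr=192.0.2.10&counts=" + b"%41" * 40),
    "query_on_uri": ("POST", RULE_URI + "?x=1", b"submit-url=" + b"A" * 120),
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(label, triage(*request))
```

The `encoded_counts` sample shows why both lengths are reported: 40 percent-encoded characters occupy 120 raw bytes, so the request matches the rule even though the decoded value is shorter than 100 characters.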
Suricata
ET WEB_SPECIFIC_APPS Planet formPingCmd Multiple Parameters Buffer Overflow Attempt (CVE-2025-54399, CVE-2025-54400, CVE-2025-54401, CVE-2025-54402)
suricata · 2025-10-16 · CVSS 8.8
CVE-2025-54400 [HIGH] ET WEB_SPECIFIC_APPS Planet formPingCmd Multiple Parameters Buffer Overflow Attempt (CVE-2025-54399, CVE-2025-54400, CVE-2025-54401, CVE-2025-54402)
No public exploits indexed.
No writeups or analysis indexed.