cbcvebase.
CVE-2025-54401
published 2025-10-07

CVE-2025-54401: Multiple stack-based buffer overflow vulnerabilities exist in the formPingCmd functionality of Planet WGR-500 v1.3411b190912. A specially crafted series of…

PriorityP260high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
0.68%
47.7th percentile
Multiple stack-based buffer overflow vulnerabilities exist in the formPingCmd functionality of Planet WGR-500 v1.3411b190912. A specially crafted series of HTTP requests can lead to stack-based buffer overflow. An attacker can send a series of HTTP requests to trigger these vulnerabilities.This buffer overflow is related to the `submit-url` request parameter.

Affected

2 ranges
VendorProductVersion rangeFixed in
planetwgr-500
planetwgr-500_firmware

Detection & IOCsextracted from sources · hover to see the quote

url/boafrm/formPingCmd
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Planet formPingCmd Multiple Parameters Buffer Overflow Attempt (CVE-2025-54399, CVE-2025-54400, CVE-2025-54401, CVE-2025-54402)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:19; content:"/boafrm/formPingCmd"; fast_pattern; http.request_body; pcre:"/(?:ipaddr|counts|submit-url)\x3d[^&]{100,}(?:&|$)/"; reference:cve,2025-54400; reference:cve,2025-54401; reference:cve,2025-54402; reference:url,talosintelligence.com/vulnerability_reports/TALOS-2025-2226; reference:cve,2025-54399; classtype:web-application-attack; sid:2065219; rev:1; metadata:affected_product Planet, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_10_16, cve CVE_2025_54401_CVE_2025_54400_CVE_2025_54399_CVE_2025_54402, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_10_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit targets HTTP POST requests to the exact URI /boafrm/formPingCmd (URI length is exactly 19 bytes) on Planet WGR-500 devices.
  • The overflow is triggered via the `submit-url` request body parameter (also `ipaddr` and `counts` for related CVEs) when the parameter value exceeds 100 characters before an `&` or end-of-body.
  • CVE-2025-54401 specifically relates to the `submit-url` request parameter in formPingCmd.
  • Traffic is expected in plaintext (no TLS); deploy detection at the network perimeter and internally.
  • MITRE mapping: Initial Access (TA0001) via Exploit Public-Facing Application (T1190).
  • ·The Snort/ET rule (sid:2065219) covers four related CVEs (CVE-2025-54399, CVE-2025-54400, CVE-2025-54401, CVE-2025-54402) with a single signature; a positive alert does not isolate which specific parameter/CVE was exploited without further body inspection.
  • ·Affected product is Planet WGR-500 v1.3411b190912 only; the rule targets $HOME_NET (destination), so ensure networking equipment is included in the HOME_NET variable for accurate coverage.
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.