CVE-2025-54402
published 2025-10-07CVE-2025-54402: Multiple stack-based buffer overflow vulnerabilities exist in the formPingCmd functionality of Planet WGR-500 v1.3411b190912. A specially crafted series of…
PriorityP260high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
0.71%
48.8th percentile
Multiple stack-based buffer overflow vulnerabilities exist in the formPingCmd functionality of Planet WGR-500 v1.3411b190912. A specially crafted series of HTTP requests can lead to stack-based buffer overflow. An attacker can send a series of HTTP requests to trigger these vulnerabilities.This buffer overflow is related to the `submit-url` and `ipaddr` request parameters combined.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| planet | wgr-500 | — | — |
| planet | wgr-500_firmware | — | — |
Detection & IOCsextracted from sources · hover to see the quote
url/boafrm/formPingCmd
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Planet formPingCmd Multiple Parameters Buffer Overflow Attempt (CVE-2025-54399, CVE-2025-54400, CVE-2025-54401, CVE-2025-54402)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:19; content:"/boafrm/formPingCmd"; fast_pattern; http.request_body; pcre:"/(?:ipaddr|counts|submit-url)\x3d[^&]{100,}(?:&|$)/"; reference:cve,2025-54400; reference:cve,2025-54401; reference:cve,2025-54402; reference:url,talosintelligence.com/vulnerability_reports/TALOS-2025-2226; reference:cve,2025-54399; classtype:web-application-attack; sid:2065219; rev:1; metadata:affected_product Planet, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_10_16, cve CVE_2025_54401_CVE_2025_54400_CVE_2025_54399_CVE_2025_54402, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_10_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)- →Exploit targets HTTP POST requests to the exact URI /boafrm/formPingCmd (URI length is exactly 19 bytes) on Planet WGR-500 devices.
- →Buffer overflow is triggered when any of the request body parameters `ipaddr`, `counts`, or `submit-url` contain a value of 100 or more characters (i.e., an oversized parameter value). Specifically for CVE-2025-54402, the `submit-url` and `ipaddr` parameters are combined.
- →This buffer overflow is related to the `submit-url` and `ipaddr` request parameters combined. ↗
- →Traffic is expected to be plaintext (non-TLS); deploy detection at the network perimeter and internally.
- ·The Snort/ET rule (sid:2065219) covers four related CVEs (CVE-2025-54399, CVE-2025-54400, CVE-2025-54401, CVE-2025-54402) with a single signature; tuning or splitting may be needed to attribute alerts to a specific CVE.
- ·The PCRE threshold of 100+ characters for the parameter value is the detection trigger; legitimate ping command parameters are far shorter, so false-positive risk is low, but the threshold could be adjusted if needed.
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Suricata
ET WEB_SPECIFIC_APPS Planet formPingCmd Multiple Parameters Buffer Overflow Attempt (CVE-2025-54399, CVE-2025-54400, CVE-2025-54401, CVE-2025-54402)
suricata·2025-10-16·CVSS 8.8
CVE-2025-54400 [HIGH] ET WEB_SPECIFIC_APPS Planet formPingCmd Multiple Parameters Buffer Overflow Attempt (CVE-2025-54399, CVE-2025-54400, CVE-2025-54401, CVE-2025-54402)
ET WEB_SPECIFIC_APPS Planet formPingCmd Multiple Parameters Buffer Overflow Attempt (CVE-2025-54399, CVE-2025-54400, CVE-2025-54401, CVE-2025-54402)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Planet formPingCmd Multiple Parameters Buffer Overflow Attempt (CVE-2025-54399, CVE-2025-54400, CVE-2025-54401, CVE-2025-54402)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:19; content:"/boafrm/formPingCmd"; fast_pattern; http.request_body; pcre:"/(?:ipaddr|counts|submit-url)\x3d[^&]{100,}(?:&|$)/"; reference:cve,2025-54400; reference:cve,2025-54401; reference:cve,2025-54402; reference:url,talosintelligence.com/vulnerability_reports/TALOS-2025-2226; reference:cve,2025-54399; classtype:web-application-attack; sid:2065219; rev:1; metadata:affected
No public exploits indexed.
Talos
Open PLC and Planet vulnerabilities
blogs_talos·2025-10-15·CVSS 8.8
[HIGH] Open PLC and Planet vulnerabilities
## Open PLC and Planet vulnerabilities
Cisco Talos’ Vulnerability Discovery & Research team recently disclosed one vulnerability in the OpenPLC logic controller and four vulnerabilities in the Planet WGR-500 router.
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org , and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website .
## OpenPLC denial-of-service vulnerability
Discovered by a member of Cisco Talos.
OpenPLC is an open-source programmable logic controller intended to provide a low cost industrial solution for automation and research.
Talos researchers found TALOS-2025-2223 (CVE-2025-53476), a denial-of-service vulnerability in the ModbusTCP server functionality of OpenPLC_v3
Talos
Open PLC and Planet vulnerabilities
blogs_talos·2025-10-15·CVSS 8.8
[HIGH] Open PLC and Planet vulnerabilities
Cisco Talos’ Vulnerability Discovery & Research team recently disclosed one vulnerability in the OpenPLC logic controller and four vulnerabilities in the Planet WGR-500 router.
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.
## OpenPLC denial-of-service vulnerability
Discovered by a member of Cisco Talos.
OpenPLC is an open-source programmable logic controller intended to provide a low cost industrial solution for automation and research.
Talos researchers found TALOS-2025-2223 (CVE-2025-53476), a denial-of-service vulnerability in the ModbusTCP server functionality of OpenPLC_v3. A specially crafted series of network co
2025-10-07
Published