CVE-2025-54405
Published 2025-10-07
Priority: P2 · 68 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.23% (89.8th percentile)
Multiple OS command injection vulnerabilities exist in the formPingCmd functionality of Planet WGR-500 v1.3411b190912. A specially crafted series of HTTP requests can lead to arbitrary command execution. An attacker can send a series of HTTP requests to trigger these vulnerabilities. This command injection is related to the `ipaddr` request parameter.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| planet | wgr-500 | — | — |
| planet | wgr-500_firmware | — | — |
Detection & IOCs
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Planet formPingCmd Multiple Parameters Command Injection Attempt (CVE-2025-54405, CVE-2025-54406)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:19; content:"/boafrm/formPingCmd"; fast_pattern; http.request_body; pcre:"/(?:ipaddr|counts)\x3d[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/"; reference:url,talosintelligence.com/vulnerability_reports/TALOS-2025-2229; reference:cve,2025-54405; reference:cve,2025-54406; classtype:web-application-attack; sid:2065218; rev:1; metadata:affected_product Planet, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_10_16, cve CVE_2025_54405_CVE_2025_54406, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_10_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Target POST requests to the exact URI /boafrm/formPingCmd (bsize:19) on Planet WGR-500 devices; injection is carried in the HTTP request body via the `ipaddr` parameter
- Detect OS command injection shell metacharacters (`;`, `%3B`, newline `%0A`, backtick `%60`, pipe `%7C`, dollar-sign `%24`) injected into the `ipaddr` (CVE-2025-54405) or `counts` (CVE-2025-54406) POST body parameters
- Traffic is expected in plaintext (tls_state plaintext); deploy detection at the network perimeter and internally facing Planet networking equipment
- The vulnerability requires a series of HTTP requests to trigger; correlate multiple POST hits to /boafrm/formPingCmd from the same source within a short window
- Affected product is Planet WGR-500 firmware v1.3411b190912 only; confirm device model and firmware version before applying detections to avoid false positives on other Planet devices
- The Snort/Suricata rule (sid:2065218) covers both CVE-2025-54405 (`ipaddr` parameter) and CVE-2025-54406 (`counts` parameter) in a single signature; tune or split if per-CVE fidelity is required
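
An offline Python rendering of the checks listed above, added here as an example (it is not code from the ET rule set or from Talos): `classify` applies the rule's method, URI and pcre conditions and reports which CVE's parameter matched, and `correlate` groups hits per source. The 60-second window, the two-hit threshold, the event tuple layout and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

URI = "/boafrm/formPingCmd"  # 19 bytes, matching bsize:19 in the rule
CVE_BY_PARAM = {"ipaddr": "CVE-2025-54405", "counts": "CVE-2025-54406"}
# The pcre from sid:2065218 with the parameter name captured, so a hit can be
# split per CVE. Like the rule, it runs on the raw (undecoded) request body.
INJECT = re.compile(
    r"(ipaddr|counts)\x3d[^\x26]*?"
    r"(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+"
)

def classify(method, uri, body):
    """Return the CVE whose parameter carries a shell metacharacter, else None."""
    if method != "POST" or uri != URI:
        return None
    m = INJECT.search(body)
    return CVE_BY_PARAM[m.group(1)] if m else None

def correlate(events, window=60, min_hits=2):
    """Sources with >= min_hits POSTs to URI within `window` seconds, at
    least one of them flagged. window and min_hits are assumed values."""
    by_src = defaultdict(list)
    for ts, src, method, uri, body in events:
        if method == "POST" and uri == URI:
            by_src[src].append((ts, classify(method, uri, body)))
    alerts = {}
    for src, hits in by_src.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _) in enumerate(hits):
            burst = [cve for ts, cve in hits[i:] if ts - start <= window]
            flagged = {cve for cve in burst if cve}
            if len(burst) >= min_hits and flagged:
                alerts.setdefault(src, set()).update(flagged)
    return {src: sorted(cves) for src, cves in alerts.items()}

# Constructed events: (seconds, source IP, method, URI, raw request body).
EVENTS = [
    (0, "198.51.100.7", "POST", URI, "ipaddr=192.0.2.1&counts=4"),
    (5, "198.51.100.7", "POST", URI, "ipaddr=192.0.2.1%3BPLACEHOLDER&counts=4"),
    (9, "198.51.100.7", "POST", URI, "ipaddr=192.0.2.1&counts=4|PLACEHOLDER"),
    (3, "203.0.113.9", "POST", URI, "ipaddr=192.0.2.1&counts=4"),
    (900, "203.0.113.9", "POST", URI, "ipaddr=192.0.2.1`PLACEHOLDER`"),
    (4, "203.0.113.20", "GET", URI + "?x", ""),
]

if __name__ == "__main__":
    print(correlate(EVENTS))
```

The isolated hit from 203.0.113.9 at t=900 would still fire the signature on its own; it is only absent from the correlated view because no second POST falls inside the window.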
Suricata
ET WEB_SPECIFIC_APPS Planet formPingCmd Multiple Parameters Command Injection Attempt (CVE-2025-54405, CVE-2025-54406)
suricata·2025-10-16·CVSS 8.8
No public exploits indexed.
Talos
Open PLC and Planet vulnerabilities
blogs_talos·2025-10-15·CVSS 8.8
## Open PLC and Planet vulnerabilities
Cisco Talos’ Vulnerability Discovery & Research team recently disclosed one vulnerability in the OpenPLC logic controller and four vulnerabilities in the Planet WGR-500 router.
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.
## OpenPLC denial-of-service vulnerability
Discovered by a member of Cisco Talos.
OpenPLC is an open-source programmable logic controller intended to provide a low cost industrial solution for automation and research.
Talos researchers found TALOS-2025-2223 (CVE-2025-53476), a denial-of-service vulnerability in the ModbusTCP server functionality of OpenPLC_v3
2025-10-07
Published