cbcvebase.
CVE-2025-54405
published 2025-10-07

CVE-2025-54405: Multiple OS command injection vulnerabilities exist in the formPingCmd functionality of Planet WGR-500 v1.3411b190912. A specially crafted series of HTTP…

PriorityP268high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
4.23%
89.8th percentile
Multiple OS command injection vulnerabilities exist in the formPingCmd functionality of Planet WGR-500 v1.3411b190912. A specially crafted series of HTTP requests can lead to arbitrary command execution. An attacker can send a series of HTTP requests to trigger these vulnerabilities.This command injection is related to the `ipaddr` request parameter.

Affected

2 ranges
VendorProductVersion rangeFixed in
planetwgr-500
planetwgr-500_firmware

Detection & IOCsextracted from sources · hover to see the quote

url/boafrm/formPingCmd
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Planet formPingCmd Multiple Parameters Command Injection Attempt (CVE-2025-54405, CVE-2025-54406)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:19; content:"/boafrm/formPingCmd"; fast_pattern; http.request_body; pcre:"/(?:ipaddr|counts)\x3d[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/"; reference:url,talosintelligence.com/vulnerability_reports/TALOS-2025-2229; reference:cve,2025-54405; reference:cve,2025-54406; classtype:web-application-attack; sid:2065218; rev:1; metadata:affected_product Planet, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_10_16, cve CVE_2025_54405_CVE_2025_54406, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_10_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Target POST requests to the exact URI /boafrm/formPingCmd (bsize:19) on Planet WGR-500 devices; injection is carried in the HTTP request body via the `ipaddr` parameter
  • Detect OS command injection shell metacharacters (`;`, `%3B`, newline `%0A`, backtick `%60`, pipe `%7C`, dollar-sign `%24`) injected into the `ipaddr` (CVE-2025-54405) or `counts` (CVE-2025-54406) POST body parameters
  • Traffic is expected in plaintext (tls_state plaintext); deploy detection at the network perimeter and internally facing Planet networking equipment
  • The vulnerability requires a series of HTTP requests to trigger; correlate multiple POST hits to /boafrm/formPingCmd from the same source within a short window
  • ·Affected product is Planet WGR-500 firmware v1.3411b190912 only; confirm device model and firmware version before applying detections to avoid false positives on other Planet devices
  • ·The Snort/Suricata rule (sid:2065218) covers both CVE-2025-54405 (`ipaddr` parameter) and CVE-2025-54406 (`counts` parameter) in a single signature; tune or split if per-CVE fidelity is required
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.