CVE-2025-54406
published 2025-10-07


Priority P2 68 · high · 8.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.23% (89.8th percentile)
Multiple OS command injection vulnerabilities exist in the formPingCmd functionality of Planet WGR-500 v1.3411b190912. A specially crafted series of HTTP requests can lead to arbitrary command execution. An attacker can send a series of HTTP requests to trigger these vulnerabilities. This command injection is related to the `counts` request parameter.

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
planet | wgr-500 | |
planet | wgr-500_firmware | |

Detection & IOCs (extracted from sources)

url: /boafrm/formPingCmd
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Planet formPingCmd Multiple Parameters Command Injection Attempt (CVE-2025-54405, CVE-2025-54406)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:19; content:"/boafrm/formPingCmd"; fast_pattern; http.request_body; pcre:"/(?:ipaddr|counts)\x3d[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/"; reference:url,talosintelligence.com/vulnerability_reports/TALOS-2025-2229; reference:cve,2025-54405; reference:cve,2025-54406; classtype:web-application-attack; sid:2065218; rev:1; metadata:affected_product Planet, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_10_16, cve CVE_2025_54405_CVE_2025_54406, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_10_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Target HTTP POST requests to the exact URI /boafrm/formPingCmd (URI length is exactly 19 bytes) on Planet WGR-500 devices.
  • Inspect the HTTP request body for the `counts` (or `ipaddr`) parameter containing shell metacharacters used for command injection: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), or dollar sign ($/%24).
  • The vulnerability is exploited via a series of HTTP POST requests (not a single request), so correlate multiple POST hits to /boafrm/formPingCmd from the same source.
  • Traffic is expected in plaintext (not TLS); deploy detection at the network perimeter and internally.
  • Reference Talos advisory TALOS-2025-2229 for additional exploitation context on this vulnerability.
  • The Snort/ET rule (sid:2065218) covers both CVE-2025-54405 (ipaddr parameter) and CVE-2025-54406 (counts parameter) with a single PCRE. Ensure your ruleset distinguishes between the two CVEs if separate tracking is required.
  • The affected firmware version is Planet WGR-500 v1.3411b190912; scope detection rules to this specific product and version to reduce false positives.
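
The checks listed above can be replayed offline over parsed HTTP logs. The following is an added example, not code from this page or from the rule's authors: it applies the rule's URI and metacharacter conditions per parameter, so hits are attributed to CVE-2025-54405 or CVE-2025-54406 separately, and groups them by source. The event tuple layout, the `min_posts` threshold and the sample events are assumptions constructed for illustration.

```python
import re
from collections import Counter

TARGET_URI = "/boafrm/formPingCmd"  # exact match, like bsize:19 + content in the rule
# Parameter-to-CVE mapping as stated on the page.
PARAM_CVE = {"ipaddr": "CVE-2025-54405", "counts": "CVE-2025-54406"}
# Same metacharacters as the rule's PCRE, raw or percent-encoded: ; newline ` | $
META = r"(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)"

def flagged_cves(method, uri, body):
    """Return the CVE ids whose parameter value carries a shell metacharacter."""
    if method != "POST" or uri != TARGET_URI:
        return set()
    return {cve for param, cve in PARAM_CVE.items()
            if re.search(rf"{param}=[^&]*?{META}", body)}

def correlate(events, min_posts=2):
    """Group by source: keep sources with >= min_posts POSTs to the URI
    (min_posts is an assumed threshold) and at least one flagged body."""
    posts, cves = Counter(), {}
    for src, method, uri, body in events:
        if method == "POST" and uri == TARGET_URI:
            posts[src] += 1
            cves.setdefault(src, set()).update(flagged_cves(method, uri, body))
    return {src: sorted(found) for src, found in cves.items()
            if found and posts[src] >= min_posts}

# Constructed sample events: (source IP, method, URI, request body)
SAMPLE_EVENTS = [
    ("198.51.100.7", "POST", TARGET_URI, "ipaddr=192.0.2.1&counts=4"),
    ("198.51.100.7", "POST", TARGET_URI, "ipaddr=192.0.2.1&counts=4%3Bx"),
    ("203.0.113.9", "POST", TARGET_URI, "ipaddr=192.0.2.1&counts=2"),
    ("203.0.113.9", "GET", TARGET_URI, ""),
    ("198.51.100.7", "POST", TARGET_URI + "?x=1", "counts=1|x"),  # URI not exact
]

if __name__ == "__main__":
    for src, found in correlate(SAMPLE_EVENTS).items():
        print(src, ",".join(found))
```
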