CVE-2025-54406
published 2025-10-07CVE-2025-54406: Multiple OS command injection vulnerabilities exist in the formPingCmd functionality of Planet WGR-500 v1.3411b190912. A specially crafted series of HTTP…
PriorityP268high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
4.23%
89.8th percentile
Multiple OS command injection vulnerabilities exist in the formPingCmd functionality of Planet WGR-500 v1.3411b190912. A specially crafted series of HTTP requests can lead to arbitrary command execution. An attacker can send a series of HTTP requests to trigger these vulnerabilities.This command injection is related to the `counts` request parameter.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| planet | wgr-500 | — | — |
| planet | wgr-500_firmware | — | — |
Detection & IOCsextracted from sources · hover to see the quote
url/boafrm/formPingCmd
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Planet formPingCmd Multiple Parameters Command Injection Attempt (CVE-2025-54405, CVE-2025-54406)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:19; content:"/boafrm/formPingCmd"; fast_pattern; http.request_body; pcre:"/(?:ipaddr|counts)\x3d[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/"; reference:url,talosintelligence.com/vulnerability_reports/TALOS-2025-2229; reference:cve,2025-54405; reference:cve,2025-54406; classtype:web-application-attack; sid:2065218; rev:1; metadata:affected_product Planet, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_10_16, cve CVE_2025_54405_CVE_2025_54406, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_10_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- →Target HTTP POST requests to the exact URI /boafrm/formPingCmd (URI length is exactly 19 bytes) on Planet WGR-500 devices.
- →Inspect the HTTP request body for the `counts` (or `ipaddr`) parameter containing shell metacharacters used for command injection: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), or dollar sign ($/%24).
- →The vulnerability is exploited via a series of HTTP POST requests (not a single request), so correlate multiple POST hits to /boafrm/formPingCmd from the same source. ↗
- →Traffic is expected in plaintext (not TLS); deploy detection at the network perimeter and internally.
- →Reference Talos advisory TALOS-2025-2229 for additional exploitation context on this vulnerability.
- ·The Snort/ET rule (sid:2065218) covers both CVE-2025-54405 (ipaddr parameter) and CVE-2025-54406 (counts parameter) with a single PCRE. Ensure your ruleset distinguishes between the two CVEs if separate tracking is required.
- ·The affected firmware version is Planet WGR-500 v1.3411b190912; scope detection rules to this specific product and version to reduce false positives. ↗
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Suricata
ET WEB_SPECIFIC_APPS Planet formPingCmd Multiple Parameters Command Injection Attempt (CVE-2025-54405, CVE-2025-54406)
suricata·2025-10-16·CVSS 8.8
CVE-2025-54405 [HIGH] ET WEB_SPECIFIC_APPS Planet formPingCmd Multiple Parameters Command Injection Attempt (CVE-2025-54405, CVE-2025-54406)
ET WEB_SPECIFIC_APPS Planet formPingCmd Multiple Parameters Command Injection Attempt (CVE-2025-54405, CVE-2025-54406)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Planet formPingCmd Multiple Parameters Command Injection Attempt (CVE-2025-54405, CVE-2025-54406)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:19; content:"/boafrm/formPingCmd"; fast_pattern; http.request_body; pcre:"/(?:ipaddr|counts)\x3d[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/"; reference:url,talosintelligence.com/vulnerability_reports/TALOS-2025-2229; reference:cve,2025-54405; reference:cve,2025-54406; classtype:web-application-attack; sid:2065218; rev:1; metadata:affected_product Planet, attack_target Networking_Equipment,
No public exploits indexed.
Talos
Open PLC and Planet vulnerabilities
blogs_talos·2025-10-15·CVSS 8.8
[HIGH] Open PLC and Planet vulnerabilities
## Open PLC and Planet vulnerabilities
Cisco Talos’ Vulnerability Discovery & Research team recently disclosed one vulnerability in the OpenPLC logic controller and four vulnerabilities in the Planet WGR-500 router.
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org , and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website .
## OpenPLC denial-of-service vulnerability
Discovered by a member of Cisco Talos.
OpenPLC is an open-source programmable logic controller intended to provide a low cost industrial solution for automation and research.
Talos researchers found TALOS-2025-2223 (CVE-2025-53476), a denial-of-service vulnerability in the ModbusTCP server functionality of OpenPLC_v3
Talos
Open PLC and Planet vulnerabilities
blogs_talos·2025-10-15·CVSS 8.8
[HIGH] Open PLC and Planet vulnerabilities
Cisco Talos’ Vulnerability Discovery & Research team recently disclosed one vulnerability in the OpenPLC logic controller and four vulnerabilities in the Planet WGR-500 router.
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.
## OpenPLC denial-of-service vulnerability
Discovered by a member of Cisco Talos.
OpenPLC is an open-source programmable logic controller intended to provide a low cost industrial solution for automation and research.
Talos researchers found TALOS-2025-2223 (CVE-2025-53476), a denial-of-service vulnerability in the ModbusTCP server functionality of OpenPLC_v3. A specially crafted series of network co
2025-10-07
Published