Cyber Resilience

CVE-2025-54406

HighPublic PoCRCE

Published: 07 October 2025

Published
07 October 2025
Modified
03 November 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0048 65.6th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-54406 is a high-severity OS Command Injection (CWE-78) vulnerability in Planet Wgr-500 Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 34.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-54406 involves multiple OS command injection vulnerabilities (CWE-78) in the formPingCmd functionality of the Planet WGR-500 router running firmware version v1.3411b190912. These flaws enable arbitrary command execution through a specially crafted series of HTTP requests targeting the `counts` request parameter. Published on 2025-10-07, the vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting its high severity due to network accessibility, low attack complexity, and potential for significant impact.

An attacker requires only low privileges (PR:L) to exploit the vulnerability remotely over the network (AV:N) without user interaction (UI:N). By sending a tailored sequence of HTTP requests to the formPingCmd endpoint, the attacker can inject and execute arbitrary operating system commands via the `counts` parameter, potentially compromising confidentiality, integrity, and availability at a high level (C:H/I:H/A:H).

Mitigation guidance and further technical details are available in the Cisco Talos Intelligence advisory at https://talosintelligence.com/vulnerability_reports/TALOS-2025-2229.

EU & UK References

Vulnerability details

Multiple OS command injection vulnerabilities exist in the formPingCmd functionality of Planet WGR-500 v1.3411b190912. A specially crafted series of HTTP requests can lead to arbitrary command execution. An attacker can send a series of HTTP requests to trigger these vulnerabilities.This…

more

command injection is related to the `counts` request parameter.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
Why these techniques?

OS command injection via public-facing web interface on router (T1190) enables arbitrary command execution on network device (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-54403Same product: Planet Wgr-500
CVE-2025-54404Same product: Planet Wgr-500
CVE-2025-54405Same product: Planet Wgr-500
CVE-2025-11005Shared CWE-78
CVE-2026-31177Shared CWE-78
CVE-2026-23678Shared CWE-78
CVE-2026-0709Shared CWE-78
CVE-2025-56085Shared CWE-78
CVE-2025-25895Shared CWE-78
CVE-2026-31181Shared CWE-78

Affected Assets

planet
wgr-500 firmware
1.3411b190912

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of untrusted inputs like the 'counts' parameter to block OS command injection in formPingCmd.

prevent

Mandates timely flaw remediation, such as applying firmware patches for this specific command injection vulnerability in Planet WGR-500 v1.3411b190912.

prevent

Enforces least privilege on the formPingCmd process to limit the scope and impact of arbitrary OS command execution even if injection occurs.

References