CVE-2025-71284
Published: 30 April 2026
Summary
CVE-2025-71284 is a critical-severity OS Command Injection (CWE-78) vulnerability in Synway Smg Gateway Management Software. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 7.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Synway SMG Gateway Management Software is affected by an OS command injection vulnerability tracked as CVE-2025-71284. The flaw is in the RADIUS configuration endpoint /en/9-2radius.php: the radius_address POST parameter and related fields are split and interpolated directly into a sed command without input sanitization (CWE-78).
An unauthenticated remote attacker exploits it by submitting a crafted POST request with malicious values in any of the radius_address, radius_address2, shared_secret2, source_ip, timeout or retry parameters, together with save=1 and enable_radius=1. Successful exploitation yields arbitrary shell command execution on the gateway, hence the CVSS 4.0 base score of 9.3.
Exploitation evidence was first observed by the Shadowserver Foundation on 2025-07-11 (UTC). Public references include a Nuclei detection template, a VulnCheck advisory and technical write-ups that document the injection vector and confirm that no authentication is required. The EPSS score (estimated probability of exploitation in the wild within 30 days) remains low: 0.0134 currently, with a peak of 0.0138.
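The following is an added example written for this page; it is not Synway's code and does not reproduce the product's handler. It contrasts the CWE-78 pattern described above (request fields interpolated into a sed command that a shell then parses) with an allowlist-validated, argv-based replacement. The field names are the ones named in the advisory; the config path, the sed expressions and the accepted value ranges are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed example (not Synway's code). The config path and the exact
# sed expressions are assumptions made for illustration.
CONF_PATH = "/etc/radius.conf"  # assumed location of the RADIUS config

# Hypothetical vulnerable pattern: the request field is dropped straight
# into a command string that is later handed to a shell. Any quote or
# metacharacter in the field changes the command the shell runs.
def build_sed_vulnerable(params: dict) -> str:
    addr = params["radius_address"]
    return f"sed -i 's/^server=.*/server={addr}/' {CONF_PATH}"

# Allowlists for the hardened path. A hostname label is letters, digits
# and hyphens; nothing else is accepted for the address fields.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")
# Shared secret: printable characters that are neither shell nor sed
# replacement metacharacters (no quotes, spaces, ';', '&', '|', '/', '\\').
_SECRET = re.compile(r"^[A-Za-z0-9._~@#%+=:-]{1,128}$")

def _is_host(value: str) -> bool:
    """True for an IPv4/IPv6 literal or an RFC-style hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(_HOSTNAME.match(value))

def validate_radius_params(params: dict) -> dict:
    """SI-10 style allowlist validation of every field the advisory names.
    Returns a cleaned dict or raises ValueError; nothing else gets through."""
    clean = {}
    for name in ("radius_address", "radius_address2", "source_ip"):
        value = params.get(name, "")
        if value == "" and name != "radius_address":
            clean[name] = ""  # secondary server / source IP may be blank
            continue
        if not _is_host(value):
            raise ValueError(f"{name}: not an IP address or hostname")
        clean[name] = value
    secret = params.get("shared_secret2", "")
    if not _SECRET.match(secret):
        raise ValueError("shared_secret2: disallowed characters or length")
    clean["shared_secret2"] = secret
    for name, lo, hi in (("timeout", 1, 60), ("retry", 0, 10)):
        value = params.get(name, "")
        if not value.isdigit() or not lo <= int(value) <= hi:
            raise ValueError(f"{name}: expected an integer in [{lo}, {hi}]")
        clean[name] = int(value)
    return clean

def build_sed_argv(clean: dict) -> list:
    """Argument vector for subprocess.run(argv) with shell=False: no shell
    ever parses it, and every value has already passed the allowlist."""
    return ["sed", "-i",
            "-e", f"s/^server=.*/server={clean['radius_address']}/",
            "-e", f"s/^timeout=.*/timeout={clean['timeout']}/",
            CONF_PATH]

# Constructed request bodies: one legitimate, one carrying shell metacharacters.
GOOD_REQUEST = {"radius_address": "10.0.0.5", "radius_address2": "",
                "shared_secret2": "s3cr3t", "source_ip": "", "timeout": "5",
                "retry": "3", "save": "1", "enable_radius": "1"}
BAD_REQUEST = dict(GOOD_REQUEST, radius_address="10.0.0.5'; id; '")

def demo() -> dict:
    """Show the injected text surviving into the shell string on the
    vulnerable path and being rejected on the hardened path."""
    unsafe = build_sed_vulnerable(BAD_REQUEST)
    try:
        validate_radius_params(BAD_REQUEST)
        rejected = False
    except ValueError:
        rejected = True
    argv = build_sed_argv(validate_radius_params(GOOD_REQUEST))
    return {"unsafe_command": unsafe, "bad_rejected": rejected, "safe_argv": argv}

if __name__ == "__main__":
    for key, val in demo().items():
        print(key, "=>", val)
```

The hardened path does two independent things, and both matter: the allowlist (SI-10) rejects anything that is not an address, a bounded integer or a secret drawn from a safe character set, and the argv form removes the shell from the call chain so that even a value that slipped past the allowlist could not terminate the command. Note that the secret allowlist also excludes `/`, `&` and `\`, which are special inside a sed replacement even when no shell is involved.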
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-209597
Vulnerability details
Synway SMG Gateway Management Software contains an OS command injection vulnerability in the RADIUS configuration endpoint at /en/9-2radius.php where the radius_address POST parameter is split and interpolated directly into a sed command without sanitization. An unauthenticated remote attacker can inject arbitrary shell commands by submitting a POST request with crafted radius_address, radius_address2, shared_secret2, source_ip, timeout, or retry parameters along with save=1 and enable_radius=1 to achieve remote code execution. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-07-11 (UTC).
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated OS command injection in a public-facing web endpoint (/en/9-2radius.php) enables remote code execution, directly mapping to T1190 (Exploit Public-Facing Application) and facilitating arbitrary Unix Shell command execution (T1059.004).
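A detection-side counterpart to the T1190 mapping above, added here as an example and not taken from the Nuclei template or any vendor content: a small hunt over proxy logs that flags POST requests to /en/9-2radius.php carrying save=1 and enable_radius=1 whose RADIUS fields contain shell metacharacters, or that arrive from outside the management network. The log format (one JSON object per line with the form body captured), the management network range and the log lines themselves are constructed for this example; most access logs do not record POST bodies, so this assumes a reverse proxy or WAF configured to log them.

```python
import json
import re
from ipaddress import ip_address, ip_network
from typing import Optional
from urllib.parse import parse_qs

# Constructed example; not part of the advisory or of any published detection.
TARGET_PATH = "/en/9-2radius.php"
RADIUS_FIELDS = ("radius_address", "radius_address2", "shared_secret2",
                 "source_ip", "timeout", "retry")
# Characters a legitimate host, secret or integer never needs but a shell does.
SHELL_META = re.compile(r"[;|&`$(){}<>'\"\\\n]")
MGMT_NETS = [ip_network("10.10.0.0/24")]  # assumed admin network (constructed)

def analyze(line: str) -> Optional[dict]:
    """Return a finding for one log record, or None if it is benign."""
    rec = json.loads(line)
    if rec.get("method") != "POST" or rec.get("path") != TARGET_PATH:
        return None
    # parse_qs URL-decodes values, so %3B becomes ';' before we inspect it.
    form = {k: v[0] for k, v in parse_qs(rec.get("body", "")).items()}
    reasons = []
    if form.get("save") == "1" and form.get("enable_radius") == "1":
        tainted = [f for f in RADIUS_FIELDS if SHELL_META.search(form.get(f, ""))]
        if tainted:
            reasons.append("shell metacharacters in " + ",".join(tainted))
    src = ip_address(rec["src_ip"])
    if not any(src in net for net in MGMT_NETS):
        reasons.append("RADIUS config change from outside management network")
    if not reasons:
        return None
    return {"ts": rec["ts"], "src_ip": rec["src_ip"], "reasons": reasons}

def hunt(log_text: str) -> list:
    """Run analyze() over every non-empty line and collect the findings."""
    return [f for f in (analyze(l) for l in log_text.splitlines() if l.strip()) if f]

# Constructed log lines: an admin saving a valid config from the management
# network, an external GET, and an external POST with an encoded quote and
# semicolon inside radius_address.
SAMPLE_LOG = """\
{"ts":"2025-07-11T03:12:44Z","src_ip":"10.10.0.7","method":"POST","path":"/en/9-2radius.php","body":"save=1&enable_radius=1&radius_address=10.10.0.20&shared_secret2=s3cr3t&timeout=5&retry=3"}
{"ts":"2025-07-11T03:13:02Z","src_ip":"203.0.113.9","method":"GET","path":"/en/9-2radius.php","body":""}
{"ts":"2025-07-11T03:13:09Z","src_ip":"203.0.113.9","method":"POST","path":"/en/9-2radius.php","body":"save=1&enable_radius=1&radius_address=10.0.0.5%27%3Bid%3B%27&shared_secret2=x&timeout=5&retry=3"}
"""

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

The two checks are deliberately independent. The metacharacter check catches the injection attempt itself; the network check catches the precondition the advisory highlights, that an unauthenticated actor can reach the configuration handler at all. A RADIUS change from outside the management network is worth a ticket even when the values look clean, and the first finding on a device should be treated as a T1190 compromise until the gateway has been checked for follow-on shell activity (T1059.004).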
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): Requires validation and sanitization of every POST parameter (radius_address, radius_address2, shared_secret2, source_ip, timeout, retry) before it is interpolated into a shell command, directly blocking the CWE-78 injection vector.
AC-3 (Access Enforcement): Enforces authentication and authorization on the /en/9-2radius.php endpoint so that unauthenticated remote attackers cannot reach the vulnerable RADIUS configuration handler.
Flaw remediation (vendor patching): Requires timely application of vendor patches or configuration changes that eliminate the unsanitized sed command construction in the RADIUS endpoint.