Cyber Resilience

CVE-2025-71284

Critical · Public PoC · RCE

Published: 30 April 2026

Modified: 05 May 2026
KEV Added
Patch
CVSS Score v4: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0573 (92.1th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-71284 is a critical-severity OS Command Injection (CWE-78) vulnerability in Synway SMG Gateway Management Software. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 7.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Synway SMG Gateway Management Software is affected by an OS command injection vulnerability tracked as CVE-2025-71284. The flaw resides in the RADIUS configuration endpoint at /en/9-2radius.php, where the radius_address POST parameter and related fields are split and passed directly into a sed command without input sanitization, corresponding to CWE-78.

An unauthenticated remote attacker can exploit the issue by submitting a crafted POST request containing malicious values in the radius_address, radius_address2, shared_secret2, source_ip, timeout, or retry parameters together with save=1 and enable_radius=1. Successful exploitation grants arbitrary shell command execution on the affected system, resulting in a CVSS 4.0 score of 9.3.

Exploitation evidence was first observed by the Shadowserver Foundation on 2025-07-11 UTC. Public references include a Nuclei detection template, a VulnCheck advisory, and technical write-ups that document the injection vector and confirm the absence of authentication requirements. The associated EPSS score remains low with a current value of 0.0134 and a peak of 0.0138.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Synway SMG Gateway Management Software contains an OS command injection vulnerability in the RADIUS configuration endpoint at /en/9-2radius.php where the radius_address POST parameter is split and interpolated directly into a sed command without sanitization. An unauthenticated remote attacker can inject arbitrary shell commands by submitting a POST request with crafted radius_address, radius_address2, shared_secret2, source_ip, timeout, or retry parameters along with save=1 and enable_radius=1 to achieve remote code execution. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-07-11 (UTC).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Unauthenticated OS command injection in a public-facing web endpoint (/en/9-2radius.php) enables remote code execution, directly mapping to T1190 (Exploit Public-Facing Application) and facilitating arbitrary Unix Shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2018-25115 (shared CWE-78)
CVE-2025-24382 (shared CWE-78)
CVE-2026-29058 (shared CWE-78)
CVE-2024-57016 (shared CWE-78)
CVE-2024-46484 (shared CWE-78)
CVE-2015-10145 (shared CWE-78)
CVE-2020-37002 (shared CWE-78)
CVE-2026-27848 (shared CWE-78)
CVE-2025-0356 (shared CWE-78)
CVE-2025-13942 (shared CWE-78)

Affected Assets

synway · smg gateway management software · all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Requires validation and sanitization of all POST parameters (radius_address, shared_secret2, etc.) before they are interpolated into shell commands, directly blocking the CWE-78 injection vector.

Prevent: Enforces authentication and authorization on the /en/9-2radius.php endpoint so that unauthenticated remote attackers cannot reach the vulnerable RADIUS configuration handler.

Prevent: Mandates timely application of vendor patches or configuration changes that eliminate the unsanitized sed command construction in the RADIUS endpoint.
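
The input-validation control above, sketched as an allowlist check for the six parameters this page names. This is an added example, not vendor code or code from this page. The field formats and numeric limits are assumptions, since the page does not document them.

```python
import ipaddress
import re

# Assumed formats (not documented on the page): address fields are "IPv4" or
# "IPv4:port", timeout/retry are small integers, and the secret uses a narrow
# charset with no shell or sed metacharacters. fullmatch() is used so a
# trailing newline cannot slip past the pattern the way it can with "$".
_SECRET_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")
_PORT_RE = re.compile(r"[0-9]{1,5}")
_INT_RE = re.compile(r"[0-9]{1,3}")

def _is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False

def _is_endpoint(value):
    host, sep, port = value.partition(":")
    port_ok = not sep or (bool(_PORT_RE.fullmatch(port)) and 1 <= int(port) <= 65535)
    return _is_ipv4(host) and port_ok

def _is_small_int(value):
    return bool(_INT_RE.fullmatch(value)) and int(value) <= 120  # assumed ceiling

VALIDATORS = {
    "radius_address": _is_endpoint,
    "radius_address2": _is_endpoint,
    "shared_secret2": lambda v: bool(_SECRET_RE.fullmatch(v)),
    "source_ip": _is_ipv4,
    "timeout": _is_small_int,
    "retry": _is_small_int,
}

def rejected_fields(form):
    """Return the sorted names of submitted fields that fail the allowlist."""
    return sorted(
        name for name, check in VALIDATORS.items()
        if name in form and not (isinstance(form[name], str) and check(form[name]))
    )

# Constructed sample submissions (documentation addresses, not captured traffic).
SAMPLE_OK = {"radius_address": "192.0.2.10:1812", "source_ip": "192.0.2.1",
             "shared_secret2": "Example-Secret_01", "timeout": "5", "retry": "3"}
SAMPLE_BAD = {"radius_address": "192.0.2.10;x", "timeout": "5\n", "retry": "3"}

if __name__ == "__main__":
    print(rejected_fields(SAMPLE_OK), rejected_fields(SAMPLE_BAD))
```

Rejecting the whole request when `rejected_fields` returns anything is safer than stripping characters, because the values never reach the command string in a modified form.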

References