Skip to main content

GR140DG Router CVE-2026-31195

| EUVDEUVD-2026-27335 HIGH
OS Command Injection (CWE-78)
2026-05-05 mitre GHSA-48q2-ffv8-pgrw
8.8
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from Vendor (mitre) · only source for this CVE.

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
May 06, 2026 - 21:31 vuln.today
CVSS changed
May 06, 2026 - 19:22 NVD
8.8 (None) 8.8 (HIGH)
CVE Published
May 05, 2026 - 00:00 nvd
HIGH 8.8

DescriptionCVE.org

The ping diagnostic handler in /bin/httpd_clientside for ALTICE LABS / SFR France GR140DG and GR140IG fibre CPE/Router/Gateway, inserts unsanitized user input into a system() call, allowing authenticated remote attackers to execute arbitrary commands as root via crafted destAddr parameters using shell command substitution.

AnalysisAI

Command injection in ALTICE LABS GR140DG and GR140IG fibre routers allows authenticated remote attackers to execute arbitrary commands as root. The ping diagnostic handler in /bin/httpd_clientside accepts unsanitized user input in the destAddr parameter and passes it to a system() call, enabling shell command substitution. SSVC indicates total technical impact with no confirmed exploitation; EPSS score of 0.04% (12th percentile) suggests low observed exploitation activity, though the availability of a detailed security advisory (XEROD-2026-0001) may increase attack surface awareness among threat actors.

Technical ContextAI

This vulnerability affects the web-based diagnostic interface of ALTICE LABS fibre gateway devices (GR140DG and GR140IG models), commonly deployed by SFR France for residential and small business internet connectivity. The flaw manifests in the ping diagnostic handler within /bin/httpd_clientside, a binary responsible for processing client-side HTTP requests for network diagnostic tools. The code inserts user-supplied input from the destAddr parameter directly into a system() function call without proper sanitization or validation. This is a classic CWE-78 (OS Command Injection) vulnerability, where shell metacharacters and command substitution operators (such as backticks, $(), semicolons, or pipe symbols) in the destAddr field are interpreted by the underlying shell rather than treated as literal data. Because the httpd_clientside process runs with elevated privileges, successful exploitation yields root-level command execution on the embedded Linux platform. The CVSS vector PR:L indicates low-privileged authentication is required, meaning attackers need valid credentials to the router's administrative interface-typically obtained through default credentials, credential stuffing, or social engineering against residential users.

RemediationAI

Primary mitigation requires firmware update from ALTICE LABS or SFR France-contact service provider for patch availability and deployment timeline, as affected firmware versions are not publicly disclosed. Until patched firmware is available, implement layered compensating controls: (1) Restrict administrative access to the router's web interface by disabling remote management features and permitting connections only from trusted internal IP addresses via firewall rules-this prevents external attackers from reaching the authenticated exploitation surface but does not protect against compromised LAN devices or malicious insiders. (2) Change default administrative credentials immediately to complex, unique passwords (16+ characters)-this raises the authentication barrier but does not eliminate risk if credentials are subsequently compromised via phishing or traffic interception. (3) Monitor router logs for diagnostic tool access patterns, particularly ping requests with unusual characters (backticks, semicolons, dollar signs, pipes) in destination fields-logging may be limited on embedded platforms. (4) For enterprise deployments, consider network segmentation to isolate customer gateways from critical infrastructure. Refer to XEROD-2026-0001 advisory (https://xerod.io/advisories/XEROD-2026-0001) for additional technical details. None of these controls eliminate the vulnerability-firmware patching remains the definitive remediation.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

CVE-2026-31195 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy