Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (mitre) · only source for this CVE.
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
The ping diagnostic handler in /bin/httpd_clientside for ALTICE LABS / SFR France GR140DG and GR140IG fibre CPE/Router/Gateway, inserts unsanitized user input into a system() call, allowing authenticated remote attackers to execute arbitrary commands as root via crafted destAddr parameters using shell command substitution.
AnalysisAI
Command injection in ALTICE LABS GR140DG and GR140IG fibre routers allows authenticated remote attackers to execute arbitrary commands as root. The ping diagnostic handler in /bin/httpd_clientside accepts unsanitized user input in the destAddr parameter and passes it to a system() call, enabling shell command substitution. SSVC indicates total technical impact with no confirmed exploitation; EPSS score of 0.04% (12th percentile) suggests low observed exploitation activity, though the availability of a detailed security advisory (XEROD-2026-0001) may increase attack surface awareness among threat actors.
Technical ContextAI
This vulnerability affects the web-based diagnostic interface of ALTICE LABS fibre gateway devices (GR140DG and GR140IG models), commonly deployed by SFR France for residential and small business internet connectivity. The flaw manifests in the ping diagnostic handler within /bin/httpd_clientside, a binary responsible for processing client-side HTTP requests for network diagnostic tools. The code inserts user-supplied input from the destAddr parameter directly into a system() function call without proper sanitization or validation. This is a classic CWE-78 (OS Command Injection) vulnerability, where shell metacharacters and command substitution operators (such as backticks, $(), semicolons, or pipe symbols) in the destAddr field are interpreted by the underlying shell rather than treated as literal data. Because the httpd_clientside process runs with elevated privileges, successful exploitation yields root-level command execution on the embedded Linux platform. The CVSS vector PR:L indicates low-privileged authentication is required, meaning attackers need valid credentials to the router's administrative interface-typically obtained through default credentials, credential stuffing, or social engineering against residential users.
RemediationAI
Primary mitigation requires firmware update from ALTICE LABS or SFR France-contact service provider for patch availability and deployment timeline, as affected firmware versions are not publicly disclosed. Until patched firmware is available, implement layered compensating controls: (1) Restrict administrative access to the router's web interface by disabling remote management features and permitting connections only from trusted internal IP addresses via firewall rules-this prevents external attackers from reaching the authenticated exploitation surface but does not protect against compromised LAN devices or malicious insiders. (2) Change default administrative credentials immediately to complex, unique passwords (16+ characters)-this raises the authentication barrier but does not eliminate risk if credentials are subsequently compromised via phishing or traffic interception. (3) Monitor router logs for diagnostic tool access patterns, particularly ping requests with unusual characters (backticks, semicolons, dollar signs, pipes) in destination fields-logging may be limited on embedded platforms. (4) For enterprise deployments, consider network segmentation to isolate customer gateways from critical infrastructure. Refer to XEROD-2026-0001 advisory (https://xerod.io/advisories/XEROD-2026-0001) for additional technical details. None of these controls eliminate the vulnerability-firmware patching remains the definitive remediation.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27335
GHSA-48q2-ffv8-pgrw