Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (mitre) · only source for this CVE.
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
The traceroute diagnostic handler in /bin/httpd_clientside for ALTICE LABS / SFR France GR140DG and GR140IG fibre CPE/Router/Gateway, inserts unsanitized user input into a system() call, allowing authenticated remote attackers to execute arbitrary commands as root via crafted destAddr parameters using shell command substitution.
AnalysisAI
Authenticated command injection in ALTICE LABS GR140DG and GR140IG fiber gateways allows remote attackers with valid credentials to execute arbitrary commands as root through the traceroute diagnostic handler. The vulnerability exists in the /bin/httpd_clientside component where unsanitized destAddr parameters are passed directly to system() calls, enabling shell command substitution attacks. With CVSS 8.8 (High) but EPSS exploitation probability of only 0.04% (12th percentile), this vulnerability affects widely-deployed ISP-managed CPE devices in France (SFR network) but shows no evidence of active exploitation or public POC availability at time of analysis.
Technical ContextAI
This is a classic OS Command Injection vulnerability (CWE-78) in embedded Linux firmware for fiber-optic customer premise equipment. The /bin/httpd_clientside binary provides a web-based diagnostic interface where the traceroute function accepts a destAddr parameter containing destination IP addresses or hostnames. The vulnerable code passes this user-controlled input directly to the system() library call without sanitization, allowing shell metacharacter injection. Command substitution techniques like $(malicious_command) or malicious_command can break out of the intended traceroute command context. Since the httpd_clientside process runs with root privileges (common in embedded device architectures for hardware access), successful exploitation grants complete system control. The affected GR140DG/GR140IG are GPON fiber residential gateway models deployed by SFR (France) and potentially other Altice Group ISPs across Europe.
RemediationAI
No vendor-released patch or firmware update has been identified through available references at time of analysis. ISP customers using SFR-managed GR140DG/GR140IG devices should contact SFR technical support to request firmware status and potential updates, referencing CVE-2026-31196 and XEROD-2026-0002. For enterprise or self-managed deployments, implement immediate compensating controls: (1) Restrict management interface access to trusted internal networks only - block WAN-side access to administrative ports (typically TCP 80/443/8080) via firewall rules or device ACLs; (2) Disable remote management features if not operationally required, forcing local-only administration; (3) Implement strong authentication with complex passwords for all administrative accounts and regularly rotate credentials; (4) Monitor device logs for unusual traceroute diagnostic activity or failed authentication attempts; (5) If devices support it, disable the web-based diagnostics interface entirely and use CLI-based management. Note that disabling diagnostics may impact ISP remote troubleshooting capabilities. Long-term solution requires vendor firmware patch - escalate with Altice Labs and service provider for patch roadmap. Consider hardware replacement if vendor support is discontinued.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27337
GHSA-489r-v3h6-c72q