CVE-2025-54401
Multiple · Multiple Products (including Planet WGR-500)
Executive summary
A set of critical stack-based buffer overflow vulnerabilities has been identified in the formPingCmd functionality of multiple network devices, including Planet WGR-500 v1. An unauthenticated remote attacker can exploit this flaw by sending a specially crafted request to the device's management interface, potentially leading to arbitrary code execution and a complete compromise of the affected system. This could allow an attacker to intercept network traffic, access the internal network, or use the device for further malicious activities.
Vulnerability
The vulnerability is a stack-based buffer overflow within the formPingCmd function, which is responsible for processing ping requests from the device's web-based management interface. An attacker can send a crafted HTTP request containing an overly long string as a parameter for the ping command. Because the function fails to properly validate the input length, this oversized input overflows the buffer on the stack and overwrites adjacent memory, including the function's return address. By controlling the return address, an attacker can redirect the program's execution flow to malicious shellcode, achieving remote code execution with the privileges of the web server process, which is often root on embedded devices.
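The missing length check described above, as an added example (not code from the affected firmware or from any vendor): a bounded command builder shown beside the unchecked copy it replaces. The function name `build_ping_cmd`, the buffer sizes, and the assumption that the handler formats the request parameter into a fixed-size command buffer are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PING_HOST_MAX 64   /* assumed upper bound for a host name or address */
#define PING_CMD_MAX  128  /* assumed size of the caller's stack buffer */

/* Unchecked pattern of the kind the advisory describes (for contrast only):
 *     char cmd[PING_CMD_MAX];
 *     sprintf(cmd, "ping -c 4 %s", host);   // host length never validated,
 *                                           // so a long value runs past cmd
 */

/* Hardened form: returns 0 and fills cmd, or -1 if the input is rejected. */
int build_ping_cmd(const char *host, char *cmd, size_t cmd_len)
{
    size_t n;
    int written;

    if (host == NULL || cmd == NULL || cmd_len == 0)
        return -1;

    for (n = 0; host[n] != '\0'; n++) {
        unsigned char c = (unsigned char)host[n];
        if (n >= PING_HOST_MAX)              /* reject before any copy happens */
            return -1;
        if (!isalnum(c) && c != '.' && c != '-' && c != ':')
            return -1;                       /* allow only host/address characters */
    }
    if (n == 0 || host[0] == '-')            /* empty, or would parse as an option */
        return -1;

    /* Bounded formatting: a truncated result is treated as an error. */
    written = snprintf(cmd, cmd_len, "ping -c 4 %s", host);
    if (written < 0 || (size_t)written >= cmd_len)
        return -1;
    return 0;
}

int main(void)
{
    char cmd[PING_CMD_MAX];
    const char *samples[] = { "192.0.2.10", "host;reboot", "" };  /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> %s\n", samples[i],
               build_ping_cmd(samples[i], cmd, sizeof cmd) == 0 ? cmd : "rejected");
    return 0;
}
```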
Business impact
This vulnerability is rated as High severity with a CVSS score of 8.8. Successful exploitation would grant an attacker complete control over the affected network device. This could lead to severe business consequences, including loss of data confidentiality through traffic sniffing (Man-in-the-Middle attacks), loss of integrity as the attacker could modify traffic in transit, and loss of availability by disabling the network device. A compromised perimeter device also provides a persistent foothold for an attacker to pivot and launch further attacks against the internal corporate network, posing a significant risk to sensitive data and critical systems.
Remediation
Immediate Action: Organizations must apply the security updates provided by the respective vendors immediately to patch this vulnerability. After patching, administrators should closely monitor for any signs of exploitation attempts by reviewing device and network access logs for unusual activity targeting the management interface.
Proactive Monitoring: Implement monitoring to detect potential exploitation attempts. Look for unusually long or malformed requests to the device's web interface, specifically targeting the ping functionality. Monitor for unexpected outbound connections from the network device, high CPU utilization, or unexplained reboots, as these can be indicators of a successful compromise.
Compensating Controls: If immediate patching is not feasible, implement the following compensating controls:
- Restrict access to the device's management interface to a dedicated, trusted management network or specific IP addresses.
- Disable the web-based management interface if it is not essential and manage the device via CLI or other secure means.
- Place the device behind a Web Application Firewall (WAF) with rules designed to block overly long input strings and other common exploit patterns.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high CVSS score of 8.8 and the potential for complete system compromise, this vulnerability poses a critical risk and must be addressed with the highest priority. We strongly recommend that all organizations apply the vendor-supplied patches immediately across all affected devices. Although CVE-2025-54401 is not currently listed on the CISA KEV list, its severity and the impact of exploitation make it a likely candidate for future inclusion. Proactive patching is the most effective defense against potential future exploitation.