Description
Synway SMG Gateway Management Software contains an OS command injection vulnerability in the RADIUS configuration endpoint at /en/9-2radius.php where the radius_address POST parameter is split and interpolated directly into a sed command without sanitization. An unauthenticated remote attacker can inject arbitrary shell commands by submitting a POST request with crafted radius_address, radius_address2, shared_secret2, source_ip, timeout, or retry parameters along with save=1 and enable_radius=1 to achieve remote code execution. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-07-11 (UTC).
Published: 2026-04-30
Score: 9.3 Critical
EPSS: 1.3% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an OS command injection flaw in the RADIUS configuration endpoint of Synway SMG Gateway Management Software. An unauthenticated remote attacker can craft a POST request that injects arbitrary shell commands via the radius_address, radius_address2, shared_secret2, source_ip, timeout, or retry parameters. The injection exploits unsanitized input that is directly interpolated into a sed command, allowing the attacker to execute commands on the host with the privileges of the web service. This results in full remote code execution, potentially leading to complete system compromise, data exfiltration, or denial of service.

Affected Systems

The affected product is Synway SMG Gateway Management Software from Synway Information Engineering Co., Ltd. The vulnerability is in the RADIUS configuration page at /en/9-2radius.php. Note that the "9-2" in that path is part of the page name, not a product version: the CPE recorded for this CVE (cpe:2.3:a:synway:smg_gateway_management_software:-:*:*:*:*:*:*:*) carries no version, and no affected or fixed version range has been published. Until the vendor says otherwise, treat every deployment that exposes this page as affected.

Risk and Exploitability

The CVSS v4.0 base score of 9.3 (CVSS v3.1: 9.8) categorises this flaw as critical. The EPSS score shown on this page is 1.3%, which is low, yet the Shadowserver Foundation observed exploitation on 2025-07-11, so real-world activity predates the CVE's publication by more than nine months. The vulnerability is not listed in CISA KEV at the time of writing; the SSVC assessment recorded in the history below rates it Exploitation: poc, Automatable: yes, Technical Impact: total. The attack vector is unauthenticated remote: an attacker only needs network reachability to submit a crafted POST request to the RADIUS configuration endpoint. Because the flaw allows arbitrary shell execution, the impact is severe and could compromise the entire gateway device. No references, advisories or public exploit are linked from this page, which may keep automated scanning and the EPSS estimate low for now, but the exploitation evidence shows that attackers have already used it, so the low EPSS should not drive prioritisation.

Generated by OpenCVE AI on May 2, 2026 at 00:19 UTC.
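
Detection on the wire, as an added example rather than anything from OpenCVE or the vendor: the script below applies the request shape the description gives (POST to /en/9-2radius.php with save=1 and enable_radius=1 and shell metacharacters in the listed parameters) to JSON-lines request records of the kind a reverse proxy or WAF can emit. The log format, the sample records, the /en/index.php path and the 10.0.0.0/8 management range are constructed assumptions.

```python
"""Flag requests matching the CVE-2025-71284 shape in proxy/WAF request logs.

Added example, not OpenCVE's or Synway's tooling. It assumes a reverse proxy or
WAF in front of the gateway that records request bodies as JSON lines (the
format and every record below are constructed). Plain web-server access logs
carry no POST body; with those, the only usable signal is that
/en/9-2radius.php was reached from a non-administrative source.
"""
from __future__ import annotations

import ipaddress
import json
from urllib.parse import parse_qs

ENDPOINT = "/en/9-2radius.php"
# Parameters the advisory names as reaching the sed command.
SINK_PARAMS = ("radius_address", "radius_address2", "shared_secret2",
               "source_ip", "timeout", "retry")
# Characters that matter to a POSIX shell; none belong in an IP, port or count.
SHELL_META = set(";&|`$<>(){}\\'\"\n")
# Assumed management network; adjust to the real admin ranges.
ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]
WRITE_PATH_NOTE = "save=1 and enable_radius=1 present: configuration write attempted"


def is_admin_source(src: str) -> bool:
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in ADMIN_NETS)


def analyse(record: dict) -> list[str]:
    """Return the reasons a single request record is suspicious ([] = clean)."""
    path = record.get("path", "").split("?", 1)[0]
    if record.get("method") != "POST" or path != ENDPOINT:
        return []
    params = parse_qs(record.get("body", ""), keep_blank_values=True)
    reasons = []
    for name in SINK_PARAMS:
        for value in params.get(name, []):
            if any(c in SHELL_META for c in value):
                # A real shared secret may legitimately contain such characters;
                # treat a hit on shared_secret2 alone as lower confidence.
                reasons.append(f"shell metacharacter in {name}")
    if not is_admin_source(record.get("src", "")):
        reasons.append("config endpoint reached from non-admin source")
    if reasons and params.get("save") == ["1"] and params.get("enable_radius") == ["1"]:
        reasons.append(WRITE_PATH_NOTE)
    return reasons


def scan(lines) -> list[dict]:
    """Run analyse() over JSON-lines records and collect the hits."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        reasons = analyse(rec)
        if reasons:
            hits.append({"ts": rec.get("ts"), "src": rec.get("src"), "reasons": reasons})
    return hits


# Constructed sample records (documentation address ranges, invented timestamps).
SAMPLE_LOG = """
{"ts": "2026-05-06T08:14:05Z", "src": "10.0.5.20", "method": "GET", "path": "/en/9-2radius.php", "body": ""}
{"ts": "2026-05-06T08:15:11Z", "src": "10.0.5.20", "method": "POST", "path": "/en/9-2radius.php", "body": "save=1&enable_radius=1&radius_address=192.0.2.10%3A1812&shared_secret2=s3cret&timeout=3&retry=2"}
{"ts": "2026-05-06T08:20:42Z", "src": "198.51.100.77", "method": "POST", "path": "/en/9-2radius.php", "body": "save=1&enable_radius=1&radius_address=192.0.2.10%3Bid&radius_address2=&shared_secret2=x&source_ip=0.0.0.0&timeout=3&retry=2"}
{"ts": "2026-05-06T08:21:03Z", "src": "198.51.100.77", "method": "POST", "path": "/en/index.php", "body": "lang=en"}
{"ts": "2026-05-06T08:30:00Z", "src": "10.0.5.21", "method": "POST", "path": "/en/9-2radius.php", "body": "save=1&enable_radius=1&radius_address=192.0.2.11&timeout=3%7Cid&retry=2"}
"""


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit["ts"], hit["src"], "; ".join(hit["reasons"]))
```

Against the constructed records the benign administrative save is left alone, the external request with a `;` in radius_address is flagged on all three signals, and the internal request with a `|` in timeout is flagged on the metacharacter alone, which is the case an allow-list on source addresses would miss.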

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued patch or upgrade Synway SMG Gateway Management Software as soon as a fixed release is published; none is listed at the time of writing, so the remaining items are the effective controls for now.
  • Until then, block external access to the /en/9-2radius.php endpoint, and ideally to the whole management interface, with a firewall or network segmentation so that only trusted internal administrators can reach it. A gateway's web management interface should not be reachable from the internet at all.
  • If the RADIUS configuration page is not required, disable or remove it from the web interface. If it must remain, the durable fix is in the handler: validate radius_address, radius_address2 and source_ip as IP literals (or hostnames) and timeout and retry as bounded integers before use, and invoke sed with the values as separate arguments rather than interpolating them into a shell string. Where the handler cannot be changed, a WAF or reverse proxy in front of the gateway can reject POSTs to this endpoint whose parameters contain shell metacharacters.

Generated by OpenCVE AI on May 2, 2026 at 00:19 UTC.
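
As an added illustration of the last recommendation (not Synway's code; the real handler is PHP and its exact command line is not public), the following Python shows the unsafe shape the description implies beside a hardened handler. The sed substitution pattern, the configuration key name, the quoting in the unsafe version and the default port 1812 are assumptions.

```python
"""CWE-78 in a RADIUS-settings handler: the unsafe shape beside a hardened one.

Added illustration, not Synway's code. The real handler is PHP and its exact
command line is not public; `vulnerable_build_command` is an assumed
reconstruction of "split the value on ':' and interpolate it into sed".
"""
from __future__ import annotations

import ipaddress
import subprocess

DEFAULT_RADIUS_PORT = 1812   # assumed default (RADIUS authentication port)


def vulnerable_build_command(radius_address: str, config_path: str) -> str:
    """Assumed unsafe pattern: the host half of the value is dropped unquoted
    into a shell string. Returned rather than executed so it can be inspected.
    Unquoted, a ';' ends the sed command and starts another; with other quoting
    styles a backtick, '$(' or a stray quote character does the same job, which
    is why escaping is the fragile fix and validation plus argv is the robust one."""
    host, _sep, _port = radius_address.partition(":")
    return f"sed -i s/^radius_server=.*/radius_server={host}/ {config_path}"


def validate_radius_address(value: str) -> tuple[str, int]:
    """Accept only 'IPv4' or 'IPv4:port'; anything else raises ValueError.
    Validation happens before the value goes anywhere near a command."""
    host, sep, port = value.partition(":")
    ip = ipaddress.IPv4Address(host)                      # ValueError unless a dotted-quad literal
    port_num = int(port) if sep else DEFAULT_RADIUS_PORT  # int() rejects non-digit text
    if not 1 <= port_num <= 65535:
        raise ValueError(f"port out of range: {port_num}")
    return str(ip), port_num


def validate_bounded_int(value: str, lo: int, hi: int) -> int:
    """For fields like timeout and retry: digits only, within a bounded range."""
    if not value.isdigit():
        raise ValueError(f"not an integer: {value!r}")
    n = int(value)
    if not lo <= n <= hi:
        raise ValueError(f"{n} outside {lo}..{hi}")
    return n


def safe_sed_argv(radius_address: str, config_path: str) -> list[str]:
    """Hardened form: validate first, then build an argv list. No shell parses
    the list, so there is nothing for metacharacters to break out of, and the
    validated host is digits and dots only, so it cannot disturb sed's own
    s/// syntax either (a '/' in the replacement would)."""
    host, _port = validate_radius_address(radius_address)
    return ["sed", "-i", f"s/^radius_server=.*/radius_server={host}/", config_path]


def safe_update_config(radius_address: str, config_path: str) -> None:
    """Run the validated command without a shell (GNU sed -i semantics assumed)."""
    subprocess.run(safe_sed_argv(radius_address, config_path), check=True)


if __name__ == "__main__":
    # Constructed sample values; 192.0.2.0/24 is the documentation address range.
    benign = "192.0.2.10:1812"
    hostile = "192.0.2.10; id"   # a shell metacharacter smuggled into the address
    print(vulnerable_build_command(hostile, "/tmp/radius.conf"))   # the ';' survives into the shell line
    print(safe_sed_argv(benign, "/tmp/radius.conf"))
    try:
        safe_sed_argv(hostile, "/tmp/radius.conf")
    except ValueError as exc:
        print("rejected:", exc)
```

The point of the argv form is that the web server never hands a string to `/bin/sh`, so the question "which characters must be escaped" disappears; the IP validation is still needed because sed has its own delimiter and regex syntax that a raw value could disturb.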


Advisories

No advisories yet.

History

Tue, 05 May 2026 18:15:00 +0000

Type    Values Removed    Values Added
CPEs                      cpe:2.3:a:synway:smg_gateway_management_software:-:*:*:*:*:*:*:*

Fri, 01 May 2026 08:45:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Synway
                                        Synway smg Gateway Management Software
Vendors & Products                      Synway
                                        Synway smg Gateway Management Software

Thu, 30 Apr 2026 18:15:00 +0000

Type      Values Removed    Values Added
Metrics                     ssvc (v2.0.3): Exploitation: poc; Automatable: yes; Technical Impact: total


Thu, 30 Apr 2026 16:45:00 +0000

Type          Values Removed    Values Added
Description                     Synway SMG Gateway Management Software contains an OS command injection vulnerability in the RADIUS configuration endpoint at /en/9-2radius.php where the radius_address POST parameter is split and interpolated directly into a sed command without sanitization. An unauthenticated remote attacker can inject arbitrary shell commands by submitting a POST request with crafted radius_address, radius_address2, shared_secret2, source_ip, timeout, or retry parameters along with save=1 and enable_radius=1 to achieve remote code execution. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-07-11 (UTC).
Title                           Synway SMG Gateway Management Software OS Command Injection via radius_address
Weaknesses                      CWE-78
References
Metrics                         cvssV3_1: 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
                                cvssV4_0: 9.3, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-30T18:06:54.755Z

Reserved: 2026-04-29T15:53:17.791Z

Link: CVE-2025-71284

Vulnrichment

Updated: 2026-04-30T18:06:43.140Z

NVD

Status : Analyzed

Published: 2026-04-30T17:16:25.630

Modified: 2026-05-05T18:09:10.380

Link: CVE-2025-71284

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T00:30:16Z

Weaknesses