Impact
An OS command injection vulnerability exists in the ping diagnostic handler in /bin/httpd_clientside on ALTICE LABS / SFR France GR140DG fibre routers with firmware versions 3GN8020801R13, 3GN8020802R0A, or 3GN8020803R0A. Unsanitized user input from the destAddr parameter is inserted directly into a system() call, allowing authenticated remote attackers to execute arbitrary commands as root via crafted destAddr parameters using shell command substitution.
Affected Systems
ALTICE LABS and SFR France fibre CPE/Router/Gateway devices – specifically the GR140DG model.
Risk and Exploitability
The vulnerability is limited to authenticated remote attackers who can access the diagnostic interface. Once authenticated, the attacker can achieve full system compromise. The CVSS score is 8.8, indicating a high severity. The EPSS score is 0.01275%, indicating a very low probability of exploitation, but the nature of the flaw and the privileges it grants make it a critical risk. The vulnerability is not listed in the CISA KEV catalog as of the last update.
OpenCVE Enrichment