Description
The ping diagnostic handler in /bin/httpd_clientside for ALTICE LABS / SFR France GR140DG and GR140IG fibre CPE/Router/Gateway, inserts unsanitized user input into a system() call, allowing authenticated remote attackers to execute arbitrary commands as root via crafted destAddr parameters using shell command substitution.
Published: 2026-05-05
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ping diagnostic handler in /bin/httpd_clientside accepts a destination address parameter that is passed directly into a system() call without any sanitization. An authenticated attacker can exploit this by sending a carefully crafted destAddr value that triggers shell command substitution. This allows the attacker to execute arbitrary commands with root privileges on the affected device. The weakness is a classic command injection flaw.

Affected Systems

ALTICE LABS and SFR France fibre CPE/Router/Gateway devices – specifically the GR140DG and GR140IG models.

Risk and Exploitability

The vulnerability is limited to authenticated remote attackers who can access the diagnostic interface. Once authenticated, the attacker can achieve full system compromise. No EPSS score is available, but the nature of the flaw and the privileges it grants make it a critical risk. The vulnerability is not listed in the CISA KEV catalog as of the last update.

Generated by OpenCVE AI on May 5, 2026 at 17:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor firmware update that sanitizes the destAddr input or replaces the insecure system() call.
  • If a patch is not yet available, block or disable access to the /bin/httpd_clientside diagnostic endpoint from external networks.
  • Restrict the allowed characters in the destAddr parameter or enforce strict input validation to eliminate shell command substitution.
  • Ensure that the diagnostic interface requires strong authentication and consider enabling two‑factor authentication if supported.

Generated by OpenCVE AI on May 5, 2026 at 17:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 05 May 2026 17:45:00 +0000

Type Values Removed Values Added
Title Root Command Execution via Unsanitized Destination Address in Ping Diagnostic Handler
Weaknesses CWE-78

Tue, 05 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description The ping diagnostic handler in /bin/httpd_clientside for ALTICE LABS / SFR France GR140DG and GR140IG fibre CPE/Router/Gateway, inserts unsanitized user input into a system() call, allowing authenticated remote attackers to execute arbitrary commands as root via crafted destAddr parameters using shell command substitution.
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-05T15:20:08.333Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31195

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-05T16:16:11.183

Modified: 2026-05-05T16:16:11.183

Link: CVE-2026-31195

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-05T17:30:06Z

Weaknesses