Description
OS command injection vulnerability in the ping diagnostic handler in /bin/httpd_clientside in ALTICE LABS / SFR France GR140DG Fibre Router with firmware 3GN8020801R13, 3GN8020802R0A, or 3GN8020803R0A inserts unsanitized user input into a system() call, allowing authenticated remote attackers to execute arbitrary commands as root via crafted destAddr parameters using shell command substitution.
Published: 2026-05-05
Score: 8.8 High
EPSS: 1.3% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An OS command injection vulnerability exists in the ping diagnostic handler in /bin/httpd_clientside on ALTICE LABS / SFR France GR140DG fibre routers with firmware versions 3GN8020801R13, 3GN8020802R0A, or 3GN8020803R0A. Unsanitized user input from the destAddr parameter is inserted directly into a system() call, allowing authenticated remote attackers to execute arbitrary commands as root via crafted destAddr parameters using shell command substitution.

Affected Systems

ALTICE LABS and SFR France fibre CPE/Router/Gateway devices – specifically the GR140DG model.

Risk and Exploitability

The vulnerability is limited to authenticated remote attackers who can access the diagnostic interface. Once authenticated, the attacker can achieve full system compromise. The CVSS score is 8.8, indicating a high severity. The EPSS score is 0.01275%, indicating a very low probability of exploitation, but the nature of the flaw and the privileges it grants make it a critical risk. The vulnerability is not listed in the CISA KEV catalog as of the last update.

Generated by OpenCVE AI on June 18, 2026 at 04:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor firmware update that sanitizes the destAddr input or replaces the insecure system() call.
  • If a patch is not yet available, block or disable access to the /bin/httpd_clientside diagnostic endpoint from external networks.
  • Restrict the allowed characters in the destAddr parameter or enforce strict input validation to eliminate shell command substitution.
  • Ensure that the diagnostic interface requires strong authentication and consider enabling two‑factor authentication if supported.

Generated by OpenCVE AI on June 18, 2026 at 04:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title OS Command Injection in ALTICE LABS / SFR France GR140DG Router

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title OS Command Injection in ALTICE LABS / SFR France GR140DG Router

Mon, 15 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
References

Mon, 15 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Description The ping diagnostic handler in /bin/httpd_clientside for ALTICE LABS / SFR France GR140DG and GR140IG fibre CPE/Router/Gateway, inserts unsanitized user input into a system() call, allowing authenticated remote attackers to execute arbitrary commands as root via crafted destAddr parameters using shell command substitution. OS command injection vulnerability in the ping diagnostic handler in /bin/httpd_clientside in ALTICE LABS / SFR France GR140DG Fibre Router with firmware 3GN8020801R13, 3GN8020802R0A, or 3GN8020803R0A inserts unsanitized user input into a system() call, allowing authenticated remote attackers to execute arbitrary commands as root via crafted destAddr parameters using shell command substitution.
References

Wed, 06 May 2026 22:00:00 +0000

Type Values Removed Values Added
Title Root Command Execution via Unsanitized Destination Address in Ping Diagnostic Handler

Wed, 06 May 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 06 May 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Altice
Altice gr140dg
Altice gr140ig
Vendors & Products Altice
Altice gr140dg
Altice gr140ig

Tue, 05 May 2026 17:45:00 +0000

Type Values Removed Values Added
Title Root Command Execution via Unsanitized Destination Address in Ping Diagnostic Handler
Weaknesses CWE-78

Tue, 05 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description The ping diagnostic handler in /bin/httpd_clientside for ALTICE LABS / SFR France GR140DG and GR140IG fibre CPE/Router/Gateway, inserts unsanitized user input into a system() call, allowing authenticated remote attackers to execute arbitrary commands as root via crafted destAddr parameters using shell command substitution.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-15T14:42:49.882Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31195

cve-icon Vulnrichment

Updated: 2026-05-06T18:08:11.810Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-05T16:16:11.183

Modified: 2026-06-17T10:33:25.837

Link: CVE-2026-31195

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T04:15:15Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')