Description
The ping diagnostic handler in /bin/httpd_clientside for ALTICE LABS / SFR France GR140DG and GR140IG fibre CPE/Router/Gateway inserts unsanitized user input into a system() call, allowing authenticated remote attackers to execute arbitrary commands as root via crafted destAddr parameters using shell command substitution.
Published: 2026-05-05
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ping diagnostic handler in /bin/httpd_clientside accepts a destination address parameter that is passed directly into a system() call without any sanitization. An authenticated attacker can exploit this by sending a carefully crafted destAddr value that triggers shell command substitution. This allows the attacker to execute arbitrary commands with root privileges on the affected device. The weakness is a classic command injection flaw.

Affected Systems

ALTICE LABS and SFR France fibre CPE/Router/Gateway devices – specifically the GR140DG and GR140IG models.

Risk and Exploitability

Exploitation requires an authenticated remote attacker who can reach the diagnostic interface. Once authenticated, the attacker can achieve full system compromise. The CVSS score is 8.8, indicating high severity. The EPSS score is < 1%, indicating a very low probability of exploitation, but the nature of the flaw and the privileges it grants make it a critical risk. The vulnerability is not listed in the CISA KEV catalog as of the last update.

Generated by OpenCVE AI on May 6, 2026 at 21:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor firmware update that sanitizes the destAddr input or replaces the insecure system() call.
  • If a patch is not yet available, block or disable access from external networks to the diagnostic interface served by /bin/httpd_clientside.
  • Restrict the allowed characters in the destAddr parameter or enforce strict input validation to eliminate shell command substitution.
  • Ensure that the diagnostic interface requires strong authentication and consider enabling two‑factor authentication if supported.

Generated by OpenCVE AI on May 6, 2026 at 21:40 UTC.
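
The input-validation and system()-replacement actions listed above, sketched in C as an added example (not the vendor's firmware code and not part of the CVE record): destAddr is accepted only as an IP literal or a plain hostname, and ping is started from an argv array so that no shell ever parses the value. The function names, the /bin/ping path and the ping count are assumptions.

```c
#include <arpa/inet.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if dest is an IPv4/IPv6 literal or a plain DNS hostname, else 0. */
int dest_addr_is_valid(const char *dest)
{
    unsigned char buf[16];            /* large enough for an IPv6 address */
    size_t len, i, label = 0;
    if (dest == NULL || (len = strlen(dest)) == 0 || len > 253)
        return 0;
    if (inet_pton(AF_INET, dest, buf) == 1 || inet_pton(AF_INET6, dest, buf) == 1)
        return 1;
    /* Hostname labels: [A-Za-z0-9-], 1..63 chars, no leading/trailing '-'.
       Shell metacharacters, quotes and whitespace all fall through to 0. */
    for (i = 0; i < len; i++) {
        char c = dest[i];
        int ok = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
                 (c >= 'A' && c <= 'Z') || (c == '-' && label > 0);
        if (c == '.') {
            if (label == 0 || dest[i - 1] == '-')
                return 0;
            label = 0;
        } else if (!ok || ++label > 63) {
            return 0;
        }
    }
    return label > 0 && dest[len - 1] != '-';
}

/* Runs ping via an argv array, so no shell ever parses dest. /bin/ping and
   the count of 4 are assumptions. Returns ping's exit status, or -1. */
int run_ping(const char *dest)
{
    int status;
    pid_t pid;
    if (!dest_addr_is_valid(dest) || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        /* "--" ends option parsing, so dest is never read as a ping flag. */
        char *const argv[] = { "ping", "-c", "4", "--", (char *)dest, NULL };
        execv("/bin/ping", argv);
        _exit(127);                   /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Rejecting the value before any process is created means a malformed destAddr can also be logged at the point of rejection, which gives defenders a signal that the diagnostic form is being probed.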


Advisories

No advisories yet.

History

Wed, 06 May 2026 22:00:00 +0000

Type Values Removed Values Added
Title Root Command Execution via Unsanitized Destination Address in Ping Diagnostic Handler

Wed, 06 May 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 06 May 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Altice
Altice gr140dg
Altice gr140ig
Vendors & Products Altice
Altice gr140dg
Altice gr140ig

Tue, 05 May 2026 17:45:00 +0000

Type Values Removed Values Added
Title Root Command Execution via Unsanitized Destination Address in Ping Diagnostic Handler
Weaknesses CWE-78

Tue, 05 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description The ping diagnostic handler in /bin/httpd_clientside for ALTICE LABS / SFR France GR140DG and GR140IG fibre CPE/Router/Gateway inserts unsanitized user input into a system() call, allowing authenticated remote attackers to execute arbitrary commands as root via crafted destAddr parameters using shell command substitution.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-06T18:09:03.240Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31195

Vulnrichment

Updated: 2026-05-06T18:08:11.810Z

NVD

Status: Awaiting Analysis

Published: 2026-05-05T16:16:11.183

Modified: 2026-05-07T15:15:06.770

Link: CVE-2026-31195

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T21:45:13Z

Weaknesses