Description
The traceroute diagnostic handler in /bin/httpd_clientside for ALTICE LABS / SFR France GR140DG and GR140IG fibre CPE/Router/Gateway, inserts unsanitized user input into a system() call, allowing authenticated remote attackers to execute arbitrary commands as root via crafted destAddr parameters using shell command substitution.
Published: 2026-05-05
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The traceroute diagnostic handler in /bin/httpd_clientside for ALTICE LABS / SFR France GR140DG and GR140IG fibre CPE/Router/Gateway inserts unsanitized user input into a system() call, permitting authenticated remote attackers to execute arbitrary commands as root by supplying crafted destAddr parameters that use shell command substitution. This results in full attacker control over the device, compromising confidentiality, integrity, and availability of all services it provides.

Affected Systems

The vulnerability affects devices from ALTICE LABS / SFR France that expose the /bin/httpd_clientside path, specifically the GR140DG and GR140IG fibre CPE/Router/Gateway models. No specific firmware version information is provided; the flaw is present in any model utilizing the vulnerable traceroute handler.

Risk and Exploitability

The CVSS and EPSS scores are not available, so the quantitative risk is unclear; however, the flaw is not listed in the CISA KEV catalog, indicating no confirmed public exploits yet. Its potential for authenticated remote command execution as root makes it a high‑severity vulnerability, and attackers with network access could exploit the bug by sending a destAddr parameter containing shell metacharacters, triggering arbitrary root commands.

Generated by OpenCVE AI on May 5, 2026 at 17:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update provided by ALTICE LABS / SFR France that removes or sanitizes the vulnerable traceroute handler.
  • If no fix is available, disable the /bin/httpd_clientside traceroute service or block access to it through firewall or device configuration.
  • Restrict remote authentication to privileged users only, enforce strong password policies, and disable remote administration when not required.
  • Monitor device logs for unusually formatted destAddr inputs or unexpected system calls to detect attempted exploitation.

Generated by OpenCVE AI on May 5, 2026 at 17:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 05 May 2026 17:45:00 +0000

Type Values Removed Values Added
Title Traceroute Handler Permits Root Command Injection on ALTICE LABS Routers
Weaknesses CWE-78

Tue, 05 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description The traceroute diagnostic handler in /bin/httpd_clientside for ALTICE LABS / SFR France GR140DG and GR140IG fibre CPE/Router/Gateway, inserts unsanitized user input into a system() call, allowing authenticated remote attackers to execute arbitrary commands as root via crafted destAddr parameters using shell command substitution.
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-05T15:12:12.982Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31196

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-05T16:16:11.290

Modified: 2026-05-05T16:16:11.290

Link: CVE-2026-31196

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-05T17:30:06Z

Weaknesses