Impact
The traceroute diagnostic handler located in /bin/httpd_clientside on ALTICE LABS / SFR France GR140DG fibre routers accepts user supplied destAddr parameters without sanitization and passes them directly to a system() call. This OS command injection flaw allows authenticated remote attackers to inject shell metacharacters and execute arbitrary commands with root privileges. An attacker can craft destAddr values using shell command substitution, exploiting the unsanitized input to gain full control of the router.
Affected Systems
The vulnerability affects ALTICE LABS / SFR France GR140DG fibre routers running firmware 3GN8020801R13, 3GN8020802R0A or 3GN8020803R0A, which expose the /bin/httpd_clientside traceroute handler. Devices that use this firmware version are susceptible to the injection flaw. No other firmware is mentioned, so the risk is confined to the listed versions.
Risk and Exploitability
The CVSS score is 8.8, indicating a high severity vulnerability. The EPSS score is below 1%, suggesting low current exploitation probability, and the issue is not listed in the CISA KEV catalog. Nevertheless, the vulnerability permits authenticated remote attackers to execute arbitrary commands with root privileges via crafted destAddr parameters to the traceroute handler. Attackers with network access to the device can send shell metacharacter‑laden destAddr inputs to trigger system calls, giving them full control over the device’s confidentiality, integrity, and availability.
OpenCVE Enrichment