Description
OS command injection vulnerability in the traceroute diagnostic handler in /bin/httpd_clientside in ALTICE LABS / SFR France GR140DG Fibre Router with firmware 3GN8020801R13, 3GN8020802R0A, or 3GN8020803R0A inserts unsanitized user input into a system() call, allowing authenticated remote attackers to execute arbitrary commands as root via crafted destAddr parameters using shell command substitution.
Published: 2026-05-05
Score: 8.8 High
EPSS: 1.3% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The traceroute diagnostic handler located in /bin/httpd_clientside on ALTICE LABS / SFR France GR140DG fibre routers accepts user supplied destAddr parameters without sanitization and passes them directly to a system() call. This OS command injection flaw allows authenticated remote attackers to inject shell metacharacters and execute arbitrary commands with root privileges. An attacker can craft destAddr values using shell command substitution, exploiting the unsanitized input to gain full control of the router.

Affected Systems

The vulnerability affects ALTICE LABS / SFR France GR140DG fibre routers running firmware 3GN8020801R13, 3GN8020802R0A or 3GN8020803R0A, which expose the /bin/httpd_clientside traceroute handler. Devices that use this firmware version are susceptible to the injection flaw. No other firmware is mentioned, so the risk is confined to the listed versions.

Risk and Exploitability

The CVSS score is 8.8, indicating a high severity vulnerability. The EPSS score is below 1%, suggesting low current exploitation probability, and the issue is not listed in the CISA KEV catalog. Nevertheless, the vulnerability permits authenticated remote attackers to execute arbitrary commands with root privileges via crafted destAddr parameters to the traceroute handler. Attackers with network access to the device can send shell metacharacter‑laden destAddr inputs to trigger system calls, giving them full control over the device’s confidentiality, integrity, and availability.

Generated by OpenCVE AI on June 18, 2026 at 02:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update provided by ALTICE LABS / SFR France that removes or sanitizes the vulnerable traceroute handler.
  • If no fix is available, disable the /bin/httpd_clientside traceroute service or block access to it through firewall or device configuration.
  • Restrict remote authentication to privileged users only, enforce strong password policies, and disable remote administration when not required.
  • Monitor device logs for unusually formatted destAddr inputs or unexpected system calls to detect attempted exploitation.

Generated by OpenCVE AI on June 18, 2026 at 02:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Authenticated Remote OS Command Injection in Router Traceroute Handler

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title Authenticated Remote OS Command Injection in Router Traceroute Handler

Mon, 15 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
References

Mon, 15 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Description The traceroute diagnostic handler in /bin/httpd_clientside for ALTICE LABS / SFR France GR140DG and GR140IG fibre CPE/Router/Gateway, inserts unsanitized user input into a system() call, allowing authenticated remote attackers to execute arbitrary commands as root via crafted destAddr parameters using shell command substitution. OS command injection vulnerability in the traceroute diagnostic handler in /bin/httpd_clientside in ALTICE LABS / SFR France GR140DG Fibre Router with firmware 3GN8020801R13, 3GN8020802R0A, or 3GN8020803R0A inserts unsanitized user input into a system() call, allowing authenticated remote attackers to execute arbitrary commands as root via crafted destAddr parameters using shell command substitution.
References

Wed, 06 May 2026 22:00:00 +0000

Type Values Removed Values Added
Title Traceroute Handler Permits Root Command Injection on ALTICE LABS Routers

Wed, 06 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 06 May 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Altice
Altice gr140dg
Altice gr140ig
Vendors & Products Altice
Altice gr140dg
Altice gr140ig

Tue, 05 May 2026 17:45:00 +0000

Type Values Removed Values Added
Title Traceroute Handler Permits Root Command Injection on ALTICE LABS Routers
Weaknesses CWE-78

Tue, 05 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description The traceroute diagnostic handler in /bin/httpd_clientside for ALTICE LABS / SFR France GR140DG and GR140IG fibre CPE/Router/Gateway, inserts unsanitized user input into a system() call, allowing authenticated remote attackers to execute arbitrary commands as root via crafted destAddr parameters using shell command substitution.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-15T14:45:17.794Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31196

cve-icon Vulnrichment

Updated: 2026-05-06T18:20:35.128Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-05T16:16:11.290

Modified: 2026-06-17T10:33:25.987

Link: CVE-2026-31196

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T02:30:15Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')