
CVE-2025-54406: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Planet WGR-500

Severity: High
Type: Vulnerability
Tags: CVE-2025-54406, cve, cve-2025-54406, cwe-78
Published: Tue Oct 07 2025 (10/07/2025, 13:55:04 UTC)
Source: CVE Database V5
Vendor/Project: Planet
Product: WGR-500

Description

CVE-2025-54406 is a high-severity OS command injection vulnerability affecting Planet WGR-500 routers running version v1.3411b190912. The flaw exists in the formPingCmd functionality, specifically related to the 'counts' HTTP request parameter, allowing an attacker to execute arbitrary OS commands remotely without user interaction. Exploitation requires network access and low privileges but no user authentication. This vulnerability can lead to full compromise of the device, impacting confidentiality, integrity, and availability. Although no known exploits are currently observed in the wild, the high CVSS score (8.8) indicates significant risk. European organizations using Planet WGR-500 devices, especially in critical infrastructure or enterprise networks, should prioritize patching or mitigating this issue. Countries with higher deployment of Planet networking equipment and strategic network assets are at greater risk. Immediate mitigation includes restricting network access to management interfaces, implementing strict input validation, and monitoring for suspicious HTTP requests targeting the vulnerable parameter.

AI-Powered Analysis

Last updated: 10/07/2025, 16:00:24 UTC

Technical Analysis

CVE-2025-54406 is an OS command injection vulnerability classified under CWE-78, found in the Planet WGR-500 router firmware version v1.3411b190912. The vulnerability resides in the formPingCmd functionality, which processes HTTP requests containing the 'counts' parameter. Improper neutralization of special elements in this parameter allows an attacker to inject arbitrary OS commands. By sending a specially crafted sequence of HTTP requests, an attacker can execute commands on the underlying operating system with the privileges of the affected service. The vulnerability requires network-level access and low privileges (PR:L) but does not require user interaction or authentication, making it remotely exploitable over the network. The CVSS v3.1 base score of 8.8 reflects the critical impact on confidentiality, integrity, and availability, as successful exploitation could lead to full device compromise, data leakage, or denial of service. No patches or exploits in the wild have been reported as of the publication date, but the vulnerability's nature and ease of exploitation make it a significant threat. The lack of available patches necessitates immediate mitigation efforts to prevent exploitation. The vulnerability affects a specific firmware version, so organizations using this device should verify their versions and take action accordingly.

Potential Impact

The impact of CVE-2025-54406 on European organizations can be severe, particularly for those relying on Planet WGR-500 routers in their network infrastructure. Successful exploitation allows attackers to execute arbitrary commands on the device, potentially leading to full compromise of the router. This can result in unauthorized access to internal networks, interception or manipulation of network traffic, disruption of network services, and potential pivoting to other critical systems. Confidentiality is at risk due to possible data exfiltration, integrity can be compromised by altering device configurations or injecting malicious code, and availability may be affected by denial-of-service conditions induced by malicious commands. Given the router's role in network connectivity, such an attack could disrupt business operations, critical communications, and services. European organizations in sectors such as telecommunications, government, finance, and critical infrastructure are particularly vulnerable due to their reliance on secure and stable network devices. The absence of known exploits in the wild provides a window for proactive defense, but the high severity score demands urgent attention.

Mitigation Recommendations

1. Immediate network segmentation: Restrict access to the management interfaces of Planet WGR-500 devices to trusted internal networks only, using firewalls or access control lists (ACLs).
2. Disable or restrict the vulnerable formPingCmd functionality if possible, or disable HTTP management interfaces if not required.
3. Implement strict input validation and sanitization on HTTP request parameters at network gateways or web application firewalls (WAFs) to detect and block suspicious payloads targeting the 'counts' parameter.
4. Monitor network traffic and device logs for unusual HTTP requests or command execution patterns indicative of exploitation attempts.
5. Verify device firmware versions and maintain an inventory of affected devices; plan for firmware upgrades once patches become available from the vendor.
6. Employ network intrusion detection systems (NIDS) with updated signatures to detect exploitation attempts.
7. Educate network administrators about this vulnerability and enforce the principle of least privilege for device management.
8. If possible, isolate vulnerable devices from critical network segments until remediation is complete.
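
Recommendations 3 and 4 as an added example (not vendor code and not part of the original advisory): an allow-list check for the 'counts' parameter applied to gateway or proxy logs. The log layout, the `/mgmt/` path prefix, the `host` parameter and the `MAX_COUNT` bound are assumptions made for illustration; only `formPingCmd` and `counts` come from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Allow-list: a ping count is a short ASCII decimal integer; anything else is suspect.
COUNT_RE = re.compile(r"[0-9]{1,3}")
MAX_COUNT = 100  # assumed upper bound for a legitimate ping count

def counts_is_valid(value):
    """True only for a plain decimal integer in 1..MAX_COUNT."""
    if not COUNT_RE.fullmatch(value):
        return False
    return 1 <= int(value) <= MAX_COUNT

def scan(lines):
    """Return (line_no, src, reason) for each suspicious formPingCmd request."""
    findings = []
    for no, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) != 5:
            continue  # not in the assumed "ts src method url body" layout
        _ts, src, _method, url, body = parts
        target = urlsplit(url)
        if "formPingCmd" not in target.path:
            continue
        # Merge query-string and form-body parameters so neither hides a value.
        params = parse_qs(target.query, keep_blank_values=True)
        if body != "-":
            for key, vals in parse_qs(body, keep_blank_values=True).items():
                params.setdefault(key, []).extend(vals)
        values = params.get("counts", [])
        if len(values) != 1:
            findings.append((no, src, "counts missing or repeated"))
        elif not counts_is_valid(values[0]):
            findings.append((no, src, "counts is not a small integer"))
    return findings

# Constructed sample log lines (not captured traffic); path and host are hypothetical.
SAMPLE = [
    "2025-10-07T14:00:01Z 10.0.0.5 POST /mgmt/formPingCmd host=192.0.2.1&counts=4",
    "2025-10-07T14:00:09Z 10.0.0.9 POST /mgmt/formPingCmd host=192.0.2.1&counts=4%3BEXAMPLE",
    "2025-10-07T14:00:12Z 10.0.0.9 POST /mgmt/formPingCmd?counts=4 counts=5",
    "2025-10-07T14:00:20Z 10.0.0.7 GET /index.html -",
    "2025-10-07T14:00:31Z 10.0.0.8 POST /mgmt/formPingCmd host=192.0.2.1&counts=9999",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The same allow-list (digits only, bounded range, exactly one occurrence) is what a WAF rule in front of the management interface would enforce; matching on known-bad characters instead tends to miss encodings.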


Technical Details

Data Version: 5.1
Assigner Short Name: talos
Date Reserved: 2025-07-21T21:26:03.366Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68e535a2a677756fc994445b

Added to database: 10/7/2025, 3:45:38 PM

Last enriched: 10/7/2025, 4:00:24 PM

Last updated: 10/7/2025, 5:25:49 PM
