CVE-2025-1448
Published: 19 February 2025
Description
A vulnerability was found in Synway SMG Gateway Management Software up to 20250204. It has been rated as critical. This issue affects some unknown processing of the file 9-12ping.php. The manipulation of the argument retry leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Security Summary
CVE-2025-1448 is a critical command injection vulnerability in Synway SMG Gateway Management Software versions up to 20250204. The issue resides in the processing of the file 9-12ping.php, where manipulation of the "retry" argument enables attackers to inject arbitrary commands. It is associated with CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-77 (Command Injection), and carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
The vulnerability can be exploited remotely by unauthenticated attackers with network access and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling command execution on the affected system.
Advisories from VulDB and a GitHub issue detail the vulnerability, noting that an exploit has been publicly disclosed and may be used. The vendor was contacted early regarding the disclosure but provided no response, and no patches or specific mitigations are mentioned in the available references.
Notable context includes the public availability of the exploit, increasing the risk of immediate exploitation attempts against unpatched Synway SMG Gateway Management Software deployments.
Details
- CWE(s)