Synway SMG Gateway Management Software up to 2025-02-04 contains an OS command injection vulnerability in the ping diagnostic endpoint at /en/9-12ping.php, where user-supplied POST parameters are passed without sanitization to system() calls. An unauthenticated remote attacker can inject arbitrary shell commands by submitting a POST request with crafted parameters to achieve remote code execution. This vulnerability was originally documented in CVE-2025-1448 via the retry parameter; proof-of-concept and observed exploitation evidence demonstrate that additional parameters, including ip, are exploitable through the same unsanitized sink. Exploitation evidence was first observed by the Shadowserver Foundation on 2026-05-14 (UTC).
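A defensive check for the request pattern described above, as an added example that is not part of the advisory or of Synway's code: it flags POST bodies sent to /en/9-12ping.php in which ip, retry or any other parameter falls outside a strict allowlist. The accepted retry range (1 to 100), the allowlist for other fields, the hypothetical `extra` field and the availability of request bodies from a proxy or WAF log are assumptions; the sample requests are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

PING_PATH = "/en/9-12ping.php"  # endpoint named in the advisory
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(rf"(?=.{{1,253}}\Z){LABEL}(?:\.{LABEL})*")
SAFE_OTHER = re.compile(r"[A-Za-z0-9._:-]{0,64}")  # assumed shape of other fields


def valid_target(value):
    """ip must be a literal IPv4/IPv6 address or a plain DNS hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME.fullmatch(value) is not None


def valid_retry(value):
    """retry must be a short ASCII decimal count (range is an assumption)."""
    return (value.isascii() and value.isdigit()
            and len(value) <= 3 and 1 <= int(value) <= 100)


def suspicious_params(method, url, body):
    """Return the sorted names of parameters that fail the allowlist."""
    path = urlsplit(url).path.lower()
    if method.upper() != "POST" or not path.startswith(PING_PATH):
        return []
    bad = set()
    # parse_qsl percent-decodes values, so encoded metacharacters are seen.
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name == "ip":
            ok = valid_target(value)
        elif name == "retry":
            ok = valid_retry(value)
        else:
            ok = SAFE_OTHER.fullmatch(value) is not None
        if not ok:
            bad.add(name)
    return sorted(bad)


if __name__ == "__main__":
    # Constructed log entries: (method, url, form-encoded body).
    samples = [
        ("POST", "/en/9-12ping.php", "ip=192.0.2.10&retry=4"),
        ("POST", "/en/9-12ping.php", "ip=192.0.2.10%3B+PLACEHOLDER&retry=4"),
        ("POST", "/en/9-12ping.php", "ip=gw.example.net&retry=4%7CPLACEHOLDER"),
    ]
    for method, url, body in samples:
        print(url, body, "->", suspicious_params(method, url, body) or "clean")
```

Because the check validates what each field is allowed to contain rather than matching known payloads, it also covers parameters beyond retry and ip that reach the same sink.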