Description

Synway SMG Gateway Management Software contains an OS command injection vulnerability in the RADIUS configuration endpoint at /en/9-2radius.php where the radius_address POST parameter is split and interpolated directly into a sed command without sanitization. An unauthenticated remote attacker can inject arbitrary shell commands by submitting a POST request with crafted radius_address, radius_address2, shared_secret2, source_ip, timeout, or retry parameters along with save=1 and enable_radius=1 to achieve remote code execution. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-07-11 (UTC).

State: PUBLISHED | Reserved 2026-04-29 | Published 2026-04-30 | Updated 2026-04-30 | Assigner: VulnCheck

CRITICAL: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

CRITICAL: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Problem types

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

Product status

Default status: affected

Any version: affected

Credits

The Shadowserver Foundation (finder)

References

github.com/...lnerabilities/synway/synwaysmg-radius-rce.yaml

mrxn.net/jswz/synway-9-2radius-rce.html (technical-description, exploit)

mp.weixin.qq.com/s/PyepoFSuQ63E3RnpQa9nsA (technical-description, exploit)

www.synway.net/ (product)

www.vulncheck.com/...os-command-injection-via-radius-address (third-party-advisory)

cve.org (CVE-2025-71284)

nvd.nist.gov (CVE-2025-71284)