CVE-2025-56498

MEDIUM

Prolink PGN6401V Firmware < 8.1.2 - Authenticated OS Command Injection via pingAddr Parameter

Title source: llm

Description

An OS command injection vulnerability exists in PLDT WiFi Router's Prolink PGN6401V Firmware 8.1.2 web management interface. The ping6.asp page submits user input to the /boaform/formPing6 endpoint via the pingAddr parameter, which is not properly sanitized. An authenticated attacker can exploit this flaw by injecting arbitrary system commands, which are executed by the underlying operating system with root privileges. The router uses the Boa web server (version 0.93.15) to handle the request. Successful exploitation can lead to full system compromise and unauthorized control of the network device.

References (2)

Core 2

Core References

Exploit, Third Party Advisory

https://github.com/Jorge2Rubio/CVEs/blob/main/CVE-2025-56498.md

View Exploit ZIP pw:eip

Product

https://prolink2u.com/products/pgn6401v

Scores

CVSS v3 5.3

EPSS 0.0172

EPSS Percentile 74.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-78

Status published

Products (1)

prolink2u/pgn6401v_firmware < 8.1.2

Published Sep 03, 2025

Tracked Since Feb 18, 2026