{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "title": "Authenticated OS command injection in GR140DG traceroute diagnostic handler (root context)",
    "lang": "en",
    "publisher": {
      "category": "vendor",
      "name": "xerod research",
      "namespace": "https://xerod.io",
      "contact_details": "info@xerod.io",
      "issuing_authority": "xerod is the issuing authority for advisories under the XEROD-* identifier namespace."
    },
    "tracking": {
      "id": "XEROD-2026-0002",
      "aliases": ["CVE-2026-31196"],
      "status": "final",
      "version": "1.0.0",
      "initial_release_date": "2026-05-04T00:00:00Z",
      "current_release_date": "2026-05-04T00:00:00Z",
      "generator": {
        "engine": {
          "name": "xerod-advisory-pipeline",
          "version": "1.0"
        }
      },
      "revision_history": [
        {
          "number": "1.0.0",
          "date": "2026-05-04T00:00:00Z",
          "summary": "Initial publication. Vendor fix is available in firmware 3GN8020803R0B."
        }
      ]
    },
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "references": [
      {
        "category": "self",
        "summary": "xerod advisory page (HTML)",
        "url": "https://xerod.io/advisories/XEROD-2026-0002.html"
      },
      {
        "category": "self",
        "summary": "xerod advisory canonical text",
        "url": "https://xerod.io/advisories/XEROD-2026-0002.txt"
      },
      {
        "category": "self",
        "summary": "xerod advisory detached PGP signature",
        "url": "https://xerod.io/advisories/XEROD-2026-0002.txt.asc"
      },
      {
        "category": "external",
        "summary": "CVE-2026-31196 (cve.org)",
        "url": "https://www.cve.org/CVERecord?id=CVE-2026-31196"
      },
      {
        "category": "external",
        "summary": "CVE-2026-31196 (NVD)",
        "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31196"
      },
      {
        "category": "external",
        "summary": "Companion advisory XEROD-2026-0001 (same root cause, ping handler)",
        "url": "https://xerod.io/advisories/XEROD-2026-0001.html"
      }
    ],
    "notes": [
      {
        "category": "summary",
        "title": "Summary",
        "text": "An authenticated OS command injection vulnerability in the traceroute diagnostic handler implemented by /bin/httpd_clientside on the ALTICE LABS / SFR France GR140DG fibre router allows any authenticated WebUI user (low-privilege credentials suffice; no further user interaction is required) to execute arbitrary shell commands as root, i.e. to fully compromise the device. Same root cause as XEROD-2026-0001 (ping handler)."
      },
      {
        "category": "general",
        "title": "Disclosure policy",
        "text": "Published under the xerod coordinated disclosure policy: https://xerod.io/disclosure-policy.html"
      }
    ]
  },
  "product_tree": {
    "branches": [
      {
        "category": "vendor",
        "name": "ALTICE LABS / SFR France",
        "branches": [
          {
            "category": "product_name",
            "name": "GR140DG",
            "branches": [
              {
                "category": "product_version",
                "name": "3GN8020801R13",
                "product": {
                  "name": "GR140DG firmware 3GN8020801R13",
                  "product_id": "GR140DG-3GN8020801R13"
                }
              },
              {
                "category": "product_version",
                "name": "3GN8020802R0A",
                "product": {
                  "name": "GR140DG firmware 3GN8020802R0A",
                  "product_id": "GR140DG-3GN8020802R0A"
                }
              },
              {
                "category": "product_version",
                "name": "3GN8020803R0A",
                "product": {
                  "name": "GR140DG firmware 3GN8020803R0A",
                  "product_id": "GR140DG-3GN8020803R0A"
                }
              },
              {
                "category": "product_version",
                "name": "3GN8020803R0B",
                "product": {
                  "name": "GR140DG firmware 3GN8020803R0B",
                  "product_id": "GR140DG-3GN8020803R0B"
                }
              }
            ]
          }
        ]
      }
    ]
  },
  "vulnerabilities": [
    {
      "title": "Authenticated OS command injection in /traceroute.cmd handler",
      "cve": "CVE-2026-31196",
      "ids": [
        {
          "system_name": "xerod",
          "text": "XEROD-2026-0002"
        }
      ],
      "cwe": {
        "id": "CWE-78",
        "name": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
      },
      "discovery_date": "2026-01-08T00:00:00Z",
      "release_date": "2026-05-04T00:00:00Z",
      "notes": [
        {
          "category": "description",
          "title": "Vulnerability description",
          "text": "The handler for /traceroute.cmd in /bin/httpd_clientside interpolates the user-controlled destAddr parameter into a shell command string executed via system(). The only input check, URIStringValidation(), is a character-class filter for URI syntax rather than a shell-context check, so it permits shell metacharacters such as command-substitution constructs and the parameter is still interpreted by the shell. Because the WebUI process runs as root, successful exploitation yields root-level remote command execution. A stricter hostnameStringValidation() exists in the codebase but is not called by this handler. The same flaw is reproduced in the ping handler (XEROD-2026-0001), indicating a systemic pattern of passing user input to a shell rather than a single coding error; character filtering alone is not a reliable defence here, the durable fix is to avoid invoking a shell on user-supplied data."
        }
      ],
      "scores": [
        {
          "products": [
            "GR140DG-3GN8020801R13",
            "GR140DG-3GN8020802R0A",
            "GR140DG-3GN8020803R0A"
          ],
          "cvss_v3": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH"
          }
        }
      ],
      "product_status": {
        "known_affected": [
          "GR140DG-3GN8020801R13",
          "GR140DG-3GN8020802R0A",
          "GR140DG-3GN8020803R0A"
        ],
        "fixed": [
          "GR140DG-3GN8020803R0B"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Apply firmware 3GN8020803R0B or later. The vendor has shipped a fix in this release that resolves both the traceroute and ping diagnostic injection (see XEROD-2026-0001). SFR-managed devices typically receive the update over the operator-controlled provisioning channel; end users generally cannot install it themselves. After the update, confirm that the firmware version reported by the device is 3GN8020803R0B or later before considering the device remediated.",
          "product_ids": [
            "GR140DG-3GN8020801R13",
            "GR140DG-3GN8020802R0A",
            "GR140DG-3GN8020803R0A"
          ]
        },
        {
          "category": "workaround",
          "details": "For devices that have not yet received the fix: restrict WebUI access to the LAN, change the WebUI credentials (in particular any default or shared password), disable remote management, and apply network segmentation between the router management interface and untrusted LAN devices. These measures reduce exposure only; they do not remove the vulnerability, and anyone holding valid WebUI credentials with network reach to the management interface can still obtain root on the device until the fixed firmware is installed.",
          "product_ids": [
            "GR140DG-3GN8020801R13",
            "GR140DG-3GN8020802R0A",
            "GR140DG-3GN8020803R0A"
          ]
        }
      ],
      "references": [
        {
          "category": "self",
          "summary": "xerod advisory page",
          "url": "https://xerod.io/advisories/XEROD-2026-0002.html"
        },
        {
          "category": "external",
          "summary": "CVE-2026-31196",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-31196"
        }
      ],
      "threats": [
        {
          "category": "exploit_status",
          "details": "Working private PoC held by xerod research. No known public exploitation at time of publication."
        }
      ]
    }
  ]
}
