CVE-2025-71284 — AI Deep Analysis Summary

🚨 **Essence**: Unsanitized input in `radius_address` allows **OS Command Injection**. 📉 **Consequences**: Remote Code Execution (RCE) on the target system.…

🛡️ **Root Cause**: **CWE-78** (OS Command Injection). The `sed` command directly interpolates user-controlled POST parameters (`radius_address`, etc.) without any sanitization or validation.…

🏢 **Affected**: **Synway SMG Gateway Management Software** by Synway Information Engineering Co., Ltd. 📦 **Component**: The RADIUS configuration endpoint located at `/en/9-2radius.php`.

💀 **Capabilities**: Full **Remote Code Execution (RCE)**. 🗝️ **Privileges**: The injected commands run with the privileges of the web server process.…

📉 **Threshold**: **LOW**. 🚫 **Auth**: **Unauthenticated**. No login required. 🌐 **Access**: Remote attackers can send crafted POST requests directly to the internet-facing endpoint.

🔥 **Exploitation**: **YES**. Publicly observed by **Shadowserver** on July 11, 2025. 📜 **Proof**: Nuclei templates and technical descriptions (e.g., mrxn.net) are available, indicating active wild exploitation.

🔍 **Self-Check**: Scan for the specific POST endpoint `/en/9-2radius.php`. 🧪 **Test**: Send a POST request with `save=1`, `enable_radius=1`, and a malicious `radius_address` (e.g., containing `| whoami`).…

🛠️ **Fix**: The vendor page is listed, but **no official patch date** is provided in the data (Published: 2026-04-30). ⚠️ **Status**: Assume **unpatched** until verified. Check vendor site for updates.

🚧 **Workaround**: **Block external access** to `/en/9-2radius.php` via firewall/WAF. 🚫 **Restrict**: Ensure the management interface is not exposed to the public internet. Disable RADIUS if not strictly necessary.

🔴 **Urgency**: **CRITICAL**. 🚨 **Priority**: **Immediate Action Required**. CVSS Score is **9.8** (Critical). Unauthenticated RCE is a top-tier threat. Patch or isolate immediately.