CVE-2025-71284
Synway SMG Gateway Management Software OS Command Injection via radius_address
Synway SMG Gateway Management Software contains an OS command injection vulnerability in the RADIUS configuration endpoint at /en/9-2radius.php where the radius_address POST parameter is split and interpolated directly into a sed command without sanitization. An unauthenticated remote attacker can inject arbitrary shell commands by submitting a POST request with crafted radius_address, radius_address2, shared_secret2, source_ip, timeout, or retry parameters along with save=1 and enable_radius=1 to achieve remote code execution. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-07-11 (UTC).
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
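Added detection logic, not part of this advisory or of Synway's software: it checks request records for a POST to the save path described above and flags any of the listed parameters whose value falls outside a strict allow-list for its type (address, integer, or secret). The sample request records are constructed for the dry run.

```python
import re
from urllib.parse import parse_qs

# Endpoint and parameters named in the advisory for CVE-2025-71284.
VULN_PATH = "/en/9-2radius.php"
ADDRESS = re.compile(r"^[A-Za-z0-9.:\-]*$")      # IPv4/IPv6 literal or hostname
INTEGER = re.compile(r"^\d*$")                   # timeout / retry counts
# A shared secret may legitimately carry punctuation, so only reject the
# characters that are significant to a shell (the sed command is built there).
SECRET = re.compile(r"^[^;&|`$()<>\n\\'\"]*$")
ALLOWED = {
    "radius_address": ADDRESS, "radius_address2": ADDRESS, "source_ip": ADDRESS,
    "timeout": INTEGER, "retry": INTEGER, "shared_secret2": SECRET,
}

def is_exploit_attempt(method: str, path: str, body: str) -> list:
    """Return the names of injectable parameters whose values violate their
    allow-list for a request that reaches the vulnerable save path.
    An empty list means the request does not match the pattern."""
    if method.upper() != "POST" or path.split("?", 1)[0] != VULN_PATH:
        return []
    params = parse_qs(body, keep_blank_values=True)   # decodes %XX escapes
    # The advisory states the injection needs save=1 and enable_radius=1.
    if params.get("save", [""])[0] != "1" or params.get("enable_radius", [""])[0] != "1":
        return []
    return sorted(name for name, pattern in ALLOWED.items()
                  for value in params.get(name, [])
                  if not pattern.fullmatch(value))

# Constructed sample request records (method, path, body); not real traffic.
SAMPLE_REQUESTS = [
    ("POST", VULN_PATH,
     "save=1&enable_radius=1&radius_address=192.0.2.10&shared_secret2=p%40ss&timeout=5&retry=3"),
    ("POST", VULN_PATH, "save=1&enable_radius=1&radius_address=192.0.2.10%3Bx&timeout=5"),
    ("GET", VULN_PATH, ""),
]

def scan(records):
    """Return (path, flagged_parameters) for every matching record."""
    return [(path, hits) for method, path, body in records
            if (hits := is_exploit_attempt(method, path, body))]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_REQUESTS):
        print(f"ALERT {path}: unexpected characters in {', '.join(hits)}")
```

The same per-parameter allow-list is what the endpoint itself should enforce before any value reaches a shell command; run the scanner over WAF or reverse-proxy logs that retain POST bodies, since ordinary access logs do not.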
Public PoCs found: 2 (unverified)
- mp.weixin.qq.com/s/PyepoFSuQ63E3RnpQa9nsA
- mrxn.net/jswz/synway-9-2radius-rce.html
Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
- https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/synway/synwaysmg-radius-rce.yaml
- https://mp.weixin.qq.com/s/PyepoFSuQ63E3RnpQa9nsA
- https://mrxn.net/jswz/synway-9-2radius-rce.html
- https://www.synway.net/
- https://www.vulncheck.com/advisories/synway-smg-gateway-management-software-os-command-injection-via-radius-address