{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/synway/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2025-71284"}],"_cs_exploited":false,"_cs_products":["SMG Gateway Management Software"],"_cs_severities":["critical"],"_cs_tags":["command-injection","rce","network"],"_cs_type":"advisory","_cs_vendors":["Synway"],"content_html":"\u003cp\u003eSynway SMG Gateway Management Software is susceptible to an OS command injection vulnerability (CVE-2025-71284) within the RADIUS configuration endpoint. An unauthenticated remote attacker can exploit this flaw by sending a specially crafted POST request to \u003ccode\u003e/en/9-2radius.php\u003c/code\u003e. The vulnerability lies in the improper sanitization of the \u003ccode\u003eradius_address\u003c/code\u003e POST parameter, which is directly incorporated into a \u003ccode\u003esed\u003c/code\u003e command. The Shadowserver Foundation observed the first exploitation evidence on 2025-07-11 (UTC). Successful exploitation allows the attacker to execute arbitrary shell commands on the affected system, potentially compromising the entire gateway. 
This vulnerability poses a significant risk to organizations using the Synway SMG Gateway, as it enables unauthenticated remote code execution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a Synway SMG Gateway Management Software instance exposed to the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious POST request targeting the \u003ccode\u003e/en/9-2radius.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes parameters such as \u003ccode\u003eradius_address\u003c/code\u003e, \u003ccode\u003eradius_address2\u003c/code\u003e, \u003ccode\u003eshared_secret2\u003c/code\u003e, \u003ccode\u003esource_ip\u003c/code\u003e, \u003ccode\u003etimeout\u003c/code\u003e, or \u003ccode\u003eretry\u003c/code\u003e along with \u003ccode\u003esave=1\u003c/code\u003e and \u003ccode\u003eenable_radius=1\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eradius_address\u003c/code\u003e parameter contains an OS command injection payload.\u003c/li\u003e\n\u003cli\u003eThe application improperly sanitizes the \u003ccode\u003eradius_address\u003c/code\u003e parameter and incorporates it into a \u003ccode\u003esed\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eThe injected command is executed by the operating system, granting the attacker arbitrary code execution privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a reverse shell to maintain persistence and expand their foothold.\u003c/li\u003e\n\u003cli\u003eThe attacker pivots within the network, gaining access to sensitive data or systems, and potentially establishing a long-term presence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary commands on the Synway SMG Gateway. 
This could lead to complete system compromise, data theft, disruption of services, and further propagation of attacks within the network. Given the high CVSS score (9.8), this vulnerability represents a critical threat. The number of affected systems and organizations is currently unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Synway SMG Gateway Radius Command Injection Attempt\u0026rdquo; to your SIEM to detect exploitation attempts based on suspicious POST requests to the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003eradius_address\u003c/code\u003e, \u003ccode\u003eradius_address2\u003c/code\u003e, \u003ccode\u003eshared_secret2\u003c/code\u003e, \u003ccode\u003esource_ip\u003c/code\u003e, \u003ccode\u003etimeout\u003c/code\u003e, and \u003ccode\u003eretry\u003c/code\u003e parameters in the RADIUS configuration endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/en/9-2radius.php\u003c/code\u003e containing suspicious characters or command sequences indicative of command injection attacks to activate the \u0026ldquo;Synway SMG Gateway Radius Command Injection Attempt\u0026rdquo; rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T17:16:25Z","date_published":"2026-04-30T17:16:25Z","id":"/briefs/2026-05-synway-smg-rce/","summary":"Synway SMG Gateway Management Software is vulnerable to unauthenticated OS command injection via crafted POST requests to the RADIUS configuration endpoint, leading to remote code execution.","title":"Synway SMG Gateway Management Software Unauthenticated OS Command Injection","url":"https://feed.craftedsignal.io/briefs/2026-05-synway-smg-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Synway","version":"https://jsonfeed.org/version/1.1"}