XEROD-2026-0001 CVE-2026-31195

Authenticated OS command injection in GR140DG ping diagnostic handler (root context)

Status: Fixed
CVSS 8.8 (High)

Advisory metadata

CVSS v3.1 vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-78 — Improper Neutralization of Special Elements used in an OS Command
Vendor
ALTICE LABS / SFR France
Discovery
Vendor notified
Public disclosure

Affected products

Product                    | Affected versions                           | Fixed in
GR140DG fibre router (CPE) | 3GN8020801R13, 3GN8020802R0A, 3GN8020803R0A | 3GN8020803R0B

Summary

The ping diagnostic feature exposed by /bin/httpd_clientside on the ALTICE LABS / SFR France GR140DG fibre router passes user-controlled input into a shell command executed via system(). Input validation is character-based and not context-aware for shell execution, so command-substitution constructs are evaluated by the shell. The WebUI runs as root, so successful exploitation yields authenticated root-level remote command execution on the device.

Impact

An authenticated WebUI user can execute arbitrary shell commands as root on the router. Because the GR140DG is the default fibre CPE issued to a large population of SFR Fibre customers in France, the aggregate exposure is significant.

  • Confidentiality: critical — read access to all on-device files, including credentials and configuration.
  • Integrity: critical — arbitrary modification of router state, firmware persistence opportunities, and downstream-network tampering.
  • Availability: critical — ability to disrupt service or render the device inoperable.
  • Lateral-movement potential from LAN-resident malware or compromised WebUI credentials.

Technical details

The handler for /ping.cmd constructs a shell command of the form below and executes it through system(), which invokes /bin/sh and therefore performs full shell parsing and expansion before the executable is launched.

/bin/ping -c <count> -i <interval> -s <size> "<destAddr>" > /tmp/ptin_diag_result 2>&1

The destAddr parameter is interpolated directly into the command string. Validation is performed by URIStringValidation() (imported from librdk_dal.so), which filters individual characters rather than enforcing the syntax a ping destination must satisfy. It rejects whitespace, control characters, double-quotes, backslash and percent, but permits the shell metacharacters used in command-substitution constructs. That filter does not prevent shell evaluation: a command substitution is parsed by /bin/sh as a complete command of its own, needs no whitespace to be recognised, and is expanded even inside the surrounding double quotes, so the shell runs the embedded command and splices its output into the ping argument before /bin/ping is launched.

A stricter validator, hostnameStringValidation(), is present in the same codebase and enforces DNS hostname syntax (letters, digits, -, .) without permitting shell metacharacters. The ping handler does not use it. The WebUI process additionally runs with uid=0, removing any privilege containment around the shell call.

The root cause is a combination of an unsafe execution primitive (system()), the wrong validator for the context, and an over-privileged execution environment — a design flaw rather than a single missing check.

Proof of concept

Status
Withheld
Rationale
A working Python PoC reliably triggers the issue against the firmware versions listed above and is held privately. It will be released no earlier than 30 days after a vendor fix is generally available, or sooner if exploitation is observed in the wild. Defenders, the vendor and downstream ISPs may request access via PGP-signed email to [email protected].

Remediation and mitigation

  1. Apply firmware 3GN8020803R0B or later. The vendor has shipped a fix in this release. Operators should confirm their CPE has been updated; SFR-managed devices typically receive the update over the operator-controlled provisioning channel.
  2. Configuration workaround (for devices that have not yet received the fix). Restrict WebUI access to the LAN, rotate WebUI credentials, and disable remote management. This does not remediate the underlying flaw but reduces exposure to compromised credentials and CSRF chaining.
  3. Compensating control. Network segmentation between the router management interface and untrusted LAN devices, plus monitoring for anomalous outbound traffic from the CPE.

Disclosure timeline

Date (UTC) | Event
           | Vulnerability discovered by xerod research.
           | Vendor (ALTICE LABS / SFR France) notified with technical details and PoC.
           | CVE-2026-31195 reserved by xerod via CNA.
TBC        | Vendor releases firmware 3GN8020803R0B containing the fix (date pending vendor confirmation).
           | Public disclosure of advisory XEROD-2026-0001.

Credit

xerod research. Reported to ALTICE LABS / SFR France on .

References

Revision history

Revision | Date (UTC) | Change
1.0      |            | Initial publication. Vendor fix is available in firmware 3GN8020803R0B.

Artifacts

XEROD-2026-0001.txt sha256: 3557e4c175bc30cf3155852319ac5e59fb6ce075f409a91d4a8cc96abbdca519
XEROD-2026-0001.txt.asc sha256: 5dcbe26f3924198e411e3c0f60d668ff337896f378b3d47f14fbe6539e20f75d
XEROD-2026-0001.json (CSAF 2.0) sha256: e28317282ed28544f5fee6ab664427e9d8d8699cd90dfcab6ec46053eea15f7e

Verify this advisory

Import the xerod signing key (fingerprint on the advisories index), then:

gpg --verify XEROD-2026-0001.txt.asc XEROD-2026-0001.txt

The signature covers the canonical .txt rendering. HTML and JSON artifacts are convenience formats derived from it.