CVE-2026-31195 Overview
CVE-2026-31195 is a command injection vulnerability in the ping diagnostic handler of /bin/httpd_clientside on ALTICE LABS / SFR France GR140DG and GR140IG fibre Customer Premises Equipment (CPE) routers. The handler passes unsanitized user input from the destAddr parameter directly into a system() call. Authenticated remote attackers can inject shell command substitution sequences to execute arbitrary commands as root. The flaw is classified as [CWE-78] OS Command Injection. Successful exploitation yields full administrative control of the gateway, exposing subscriber traffic and downstream networks.
Critical Impact
Authenticated attackers can achieve root-level remote code execution on affected fibre gateways, enabling persistent compromise of subscriber networks and lateral movement into LAN segments.
Affected Products
- ALTICE LABS / SFR France GR140DG fibre CPE/Router/Gateway
- ALTICE LABS / SFR France GR140IG fibre CPE/Router/Gateway
- The vulnerable binary /bin/httpd_clientside shipped on these devices
Discovery Timeline
- 2026-05-05 - CVE-2026-31195 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-31195
Vulnerability Analysis
The vulnerability resides in the ping diagnostic handler implemented inside /bin/httpd_clientside, the web management daemon on GR140DG and GR140IG gateways. The handler accepts a destAddr parameter intended to specify a target host for ICMP echo requests. Instead of validating or escaping the value, the handler concatenates it into a command string and invokes system() to execute the ping. Because the shell interprets metacharacters such as backticks and $( ), an attacker can substitute arbitrary commands that run with the privileges of the web daemon, which is root on these embedded Linux devices. Authentication is required, but credential reuse and default credentials are common on operator-managed CPE.
Root Cause
The root cause is missing input sanitization on a user-controlled parameter passed to a shell interpreter. The handler trusts destAddr as a hostname but does not enforce a hostname or IP-address grammar. Use of system() invokes /bin/sh, which expands command substitution before executing the ping binary. Safer alternatives such as execve() with a fixed argument vector, or strict regular-expression validation, would prevent shell interpretation.
Attack Vector
An attacker authenticates to the web management interface, then submits a crafted ping diagnostic request where destAddr contains shell substitution syntax such as backticked commands. The injected payload runs as root, enabling configuration changes, credential extraction from NVRAM, firmware persistence, or pivoting into the subscriber LAN. Network exposure depends on whether the operator restricts WAN access to the management interface.
See the Xerod Security Advisory XEROD-2026-0001 for technical proof-of-concept details.
Detection Methods for CVE-2026-31195
Indicators of Compromise
- HTTP requests to the ping diagnostic endpoint containing shell metacharacters in the destAddr parameter, including backticks, $(, ;, |, or &&
- Unexpected outbound connections originating from the gateway management plane to attacker-controlled infrastructure
- New or modified files in writable firmware partitions, or unexpected cron and init entries on the device
- Authentication log entries showing successful logins from atypical source addresses immediately preceding diagnostic requests
Detection Strategies
- Inspect web server access logs for POST or GET requests to the ping handler containing non-hostname characters in destAddr
- Monitor netflow for gateways initiating outbound TCP sessions to non-DNS, non-NTP destinations on uncommon ports
- Compare running firmware hashes against vendor-published baselines to detect unauthorized modification
Monitoring Recommendations
- Forward CPE syslog and HTTP access logs to a centralized SIEM and alert on shell metacharacters in diagnostic parameters
- Baseline normal management-interface source addresses and alert on deviations
- Track repeated failed authentication attempts followed by successful login and diagnostic activity
How to Mitigate CVE-2026-31195
Immediate Actions Required
- Restrict access to the gateway management interface to trusted LAN segments and disable WAN-side administration
- Rotate administrative credentials on all GR140DG and GR140IG devices and enforce strong, unique passwords
- Audit recent diagnostic activity for evidence of destAddr payloads containing shell metacharacters
- Engage the operator (SFR France or Altice Labs) to confirm patched firmware availability and schedule deployment
Patch Information
No vendor patch URL is published in the NVD record at the time of writing. Operators should consult Altice Labs and SFR France directly for firmware updates addressing CVE-2026-31195 and reference the Xerod Security Advisory XEROD-2026-0001 for disclosure context.
Workarounds
- Block external access to the HTTP management service on the WAN interface using upstream ACLs where supported
- Disable the ping diagnostic feature in the web UI if the device configuration permits
- Place vulnerable gateways behind a network segmentation boundary that restricts management traffic to a dedicated administrative VLAN
- Monitor and log all authenticated sessions to the management interface and terminate idle sessions promptly
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
