cvedb.io
CVE-2025-56498
MEDIUM · CVSS 5.3
EPSS exploitation probability: 0%
Published 2025-09-03T16:15:40.193 · Last modified 2026-06-17T09:42:37.983

Summary

An OS command injection vulnerability exists in PLDT WiFi Router's Prolink PGN6401V Firmware 8.1.2 web management interface. The ping6.asp page submits user input to the /boaform/formPing6 endpoint via the pingAddr parameter, which is not properly sanitized. An authenticated attacker can exploit this flaw by injecting arbitrary system commands, which are executed by the underlying operating system with root privileges. The router uses the Boa web server (version 0.93.15) to handle the request. Successful exploitation can lead to full system compromise and unauthorized control of the network device.

Affected products

prolink2u — pgn6401v_firmware

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.