Boa · Boa · CVE-2025-56498
**Name of the Vulnerable Software and Affected Versions**
PLDT WiFi Router Prolink PGN6401V Firmware version 8.1.2
**Description**
An OS command injection flaw exists in the web management interface. The `ping6.asp` page submits user input to the `/boaform/formPing6` API endpoint via the `pingAddr` parameter, which is not properly sanitized. An authenticated attacker can inject arbitrary system commands, which are executed with root privileges. The router uses the Boa web server version 0.93.15 to handle the request. Successful exploitation can lead to full system compromise and unauthorized control of the network device.
**Recommendations**
Firmware version 8.1.2 should be updated when a fixed version is available.
As a temporary workaround, restrict access to the `ping6.asp` page.
Sanitize the `pingAddr` parameter to prevent command injection.
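A hardened form of the handler pattern described above, added here as an illustration (it is not code from the affected firmware or from the Boa project): `pingAddr` is accepted only as an IPv6 literal or a plain hostname, and `ping6` is launched through `execlp` with a fixed argument vector instead of a shell string. The function names and the count limit are assumptions of this example.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern (do not use): snprintf(cmd, ..., "ping6 -c 4 %s", pingAddr); system(cmd);
 * Every shell metacharacter in pingAddr becomes part of the command line. */

/* Allowlist validator: a literal IPv6 address or a hostname made of [A-Za-z0-9.-].
 * Scoped addresses ("fe80::1%eth0") and anything with spaces or punctuation are rejected. */
int is_safe_ping_target(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 253) return 0;
    struct in6_addr a6;
    if (inet_pton(AF_INET6, s, &a6) == 1) return 1;
    /* Hostname path: no leading '-' (would be parsed as an option), no leading/trailing '.' */
    if (s[0] == '-' || s[0] == '.' || s[n - 1] == '.') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '-' || c == '.')) return 0;
        if (c == '.' && (s[i + 1] == '.' || s[i + 1] == '-')) return 0;
    }
    return 1;
}

/* Runs ping6 without a shell. Returns the ping6 exit status, or -1 if the
 * target or count is rejected or the process could not be started. */
int run_ping6(const char *target, int count) {
    if (!is_safe_ping_target(target) || count < 1 || count > 10) return -1;
    char cnt[8];
    snprintf(cnt, sizeof cnt, "%d", count);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Each value is one argv element; nothing is ever interpreted by a shell. */
        execlp("ping6", "ping6", "-c", cnt, target, (char *)NULL);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Rejected input never reaches `fork`, so a request with a malformed `pingAddr` is refused before any process is spawned and can be logged at that point.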