Ther3D0Ne

**Name of the Vulnerable Software and Affected Versions** Adtran SR400ac (affected versions not specified) **Description** The issue is related to the lack of input validation in the SmartOS WiFi router ADTRAn SR400ac, allowing remote attackers to execute arbitrary code in the context of the root user. The specific flaw exists within the `ping` command, available over JSON-RPC, where a crafted `host` parameter can trigger the execution of a system call composed from a user-supplied string. Although authentication is required to exploit this issue, the existing authentication mechanism can be bypassed. **Recommendations** As a temporary workaround, consider disabling the `ping` command over JSON-RPC until a patch is available. Restrict access to the JSON-RPC interface to minimize the risk of exploitation. Avoid using the `host` parameter in the `ping` command until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.