PT-2025-35785 · Boa+1

Jorge2Rubio · Published 2025-09-03 · Updated 2025-09-06 · CVE-2025-56498

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

PLDT WiFi Router Prolink PGN6401V Firmware version 8.1.2

Description

An OS command injection flaw exists in the web management interface. The ping6.asp page submits user input to the /boaform/formPing6 API endpoint via the pingAddr parameter, which is not properly sanitized. An authenticated attacker can inject arbitrary system commands, which are executed with root privileges. The router uses the Boa web server version 0.93.15 to handle the request. Successful exploitation can lead to full system compromise and unauthorized control of the network device.

Recommendations

Firmware version 8.1.2 should be updated when a fixed version is available. As a temporary workaround, restrict access to the ping6.asp page. Sanitize the pingAddr parameter to prevent command injection.
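One way to implement the pingAddr sanitization recommended above, as an added example that is not the vendor's firmware code. The function names `ping_addr_is_valid` and `run_ping6` are hypothetical, and the sketch assumes the diagnostic only needs to accept IPv6 literals and that a `ping6` binary supporting `-c` is on the PATH.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 only when addr is a plain IPv6 literal. Whitespace, shell
 * metacharacters, zone suffixes and hostnames are all rejected. */
int ping_addr_is_valid(const char *addr)
{
    static const char allowed[] = "0123456789abcdefABCDEF:.";
    struct in6_addr parsed;
    size_t len;

    if (addr == NULL)
        return 0;
    /* Allowlist first: every byte must be a hex digit, ':' or '.' */
    len = strspn(addr, allowed);
    if (addr[len] != '\0' || len == 0 || len >= INET6_ADDRSTRLEN)
        return 0;
    /* Then require that the string parses as an IPv6 address. */
    return inet_pton(AF_INET6, addr, &parsed) == 1;
}

/* Hypothetical handler body: validates pingAddr, then runs ping6 through
 * execvp with a fixed argument vector, so no shell ever parses the value.
 * Returns the ping6 exit status, or -1 on rejection or failure. */
int run_ping6(const char *addr)
{
    int status;
    pid_t pid;

    if (!ping_addr_is_valid(addr))
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ping6", "-c", "4", (char *)addr, NULL };
        execvp(argv[0], argv);
        _exit(127); /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Validation and shell-free execution are independent layers: either one alone blocks the injection described here, and keeping both means a later change to one does not reopen it.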

Weakness Enumeration: OS Command Injection

Related Identifiers: CVE-2025-56498

Affected Products: Boa, Pldt Wifi Router Prolink Pgn6401V