Full Report
Cisco Talos’ Vulnerability Discovery & Research team recently disclosed one vulnerability in the OpenPLC logic controller and four vulnerabilities in the Planet WGR-500 router. For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability
Analysis Summary
# Vulnerability: OpenPLC DoS and Planet WGR-500 RCE/Corruption Flaws
## CVE Details
- CVE ID: CVE-2025-53476 (OpenPLC)
- CVE ID: CVE-2025-54399, CVE-2025-54402 (Planet WGR-500 Buffer Overflow)
- CVE ID: CVE-2025-54403, CVE-2025-54404 (Planet WGR-500 Command Injection)
- CVE ID: CVE-2025-48826 (Planet WGR-500 Format String)
- CVE ID: CVE-2025-54405, CVE-2025-54406 (Planet WGR-500 Command Injection)
- CVSS Score: Not explicitly provided, severity inferred from impact (DoS for OpenPLC, potential RCE for Planet)
- CWE: Not explicitly provided for all, but implied: CWE-404 (Improper Resource Neutralization (Denial of Service)) for OpenPLC; CWE-121 (Stack-based Buffer Overflow), CWE-78 (OS Command Injection), CWE-134 (Use of Formatted String) for Planet.
## Affected Systems
- Products: OpenPLC, Planet WGR-500 router
- Versions: OpenPLC version is specified as OpenPLC_v3. Specific affected versions for the Planet WGR-500 are not detailed, but the vulnerabilities exist in the router software.
- Configurations:
  - OpenPLC: ModbusTCP server functionality.
  - Planet WGR-500: Functionalities involved include `formPingCmd` and `swctrl`.
## Vulnerability Description
Several vulnerabilities were disclosed by Cisco Talos across two products:
1. **OpenPLC (CVE-2025-53476):** A denial-of-service (DoS) vulnerability exists in the ModbusTCP server functionality. A specially crafted series of network connections can cause the server to stop processing subsequent Modbus requests.
2. **Planet WGR-500 Router (Multiple CVEs):**
   * **Stack-based Buffer Overflow (CVE-2025-54399, CVE-2025-54402):** Triggered via specially crafted HTTP requests to the `formPingCmd` functionality, potentially leading to memory corruption.
   * **OS Command Injection (CVE-2025-54403, CVE-2025-54404, CVE-2025-54405, CVE-2025-54406):** Triggered via network requests (HTTP for `formPingCmd`, and general network requests for `swctrl`), allowing arbitrary command execution.
   * **Format String (CVE-2025-48826):** Triggered via specially crafted HTTP requests to `formPingCmd`, leading to memory corruption.
## Exploitation
- Status: Not explicitly stated as exploited in the wild; disclosures suggest vulnerability discovery rather than active exploitation reports. Some Planet vulnerabilities lead to Arbitrary Command Execution, suggesting high exploitability potential.
- Complexity: Likely Low to Medium, given that many Planet flaws are triggered via simple HTTP/network requests.
- Attack Vector: Network (Remote).
## Impact
- Confidentiality: Potential impact if command injection allows file access or information disclosure.
- Integrity: High impact possible due to OS Command Injection leading to arbitrary system changes.
- Availability: DoS for OpenPLC; potential system instability/crash for Planet Router due to buffer overflows or format string issues.
## Remediation
### Patches
The article implies patches or security advisories are available directly from the vendors or through Talos reports, but specific version numbers for fixed software are not listed in this summary. Users must consult the referenced Talos reports for fix versions.
### Workarounds
No specific workarounds are provided in the summary text. General mitigation strategies should be applied until patches are installed.
## Detection
- Indicators of Compromise: Unusually high traffic directed at the ModbusTCP port on OpenPLC; unexpected system behavior or command execution logs on the Planet WGR-500.
- Detection methods and tools: Snort coverage is available to detect the exploitation of these vulnerabilities (download the latest rule sets from Snort.org).
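
The traffic indicator above can be checked against connection logs. The following is an added example, not part of the Talos report or of this summary: the log format, the 10-second window and the threshold of 5 connections are assumptions to tune against the site's normal Modbus polling, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MODBUS_TCP_PORT = 502            # standard Modbus/TCP port
WINDOW = timedelta(seconds=10)   # assumed sliding window
MAX_CONNS = 5                    # assumed per-source ceiling inside the window

# Constructed sample, one line per new TCP connection, sorted by time:
# "<ISO timestamp> <source IP> <destination IP> <destination port>"
SAMPLE_LOG = """\
2025-10-07T09:00:00 10.0.0.20 10.0.0.5 502
2025-10-07T09:00:05 10.0.0.20 10.0.0.5 502
2025-10-07T09:00:06 10.0.0.99 10.0.0.5 502
2025-10-07T09:00:06 10.0.0.99 10.0.0.5 502
2025-10-07T09:00:06 10.0.0.99 10.0.0.5 502
2025-10-07T09:00:07 10.0.0.99 10.0.0.5 502
2025-10-07T09:00:07 10.0.0.99 10.0.0.5 502
2025-10-07T09:00:07 10.0.0.99 10.0.0.5 502
2025-10-07T09:00:08 10.0.0.99 10.0.0.5 502
2025-10-07T09:00:08 10.0.0.99 10.0.0.5 80
2025-10-07T09:00:10 10.0.0.20 10.0.0.5 502
2025-10-07T09:00:30 10.0.0.99 10.0.0.5 502
"""

def find_bursts(log_text, window=WINDOW, max_conns=MAX_CONNS):
    """Return {source: (first_alert_time, peak_count)} for every source that
    opens more than max_conns Modbus/TCP connections within the window."""
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    alerts = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue              # skip blank or malformed lines
        ts_raw, src, _dst, dport = parts
        if dport != str(MODBUS_TCP_PORT):
            continue              # only Modbus/TCP connections are counted
        ts = datetime.fromisoformat(ts_raw)
        seen = recent[src]
        seen.append(ts)
        while ts - seen[0] > window:
            seen.popleft()        # expire connections older than the window
        if len(seen) > max_conns:
            first, peak = alerts.get(src, (ts, 0))
            alerts[src] = (first, max(peak, len(seen)))
    return alerts

if __name__ == "__main__":
    for src, (first, peak) in find_bursts(SAMPLE_LOG).items():
        print(f"{src}: {peak} connections to port 502 within {WINDOW}, first alert {first}")
```

A connection-rate check like this only surfaces the volume indicator; the Snort rules referenced above remain the coverage for the specific exploitation traffic.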
## References
- Vendor advisories: Cisco Talos Intelligence vulnerability reports (TALOS-2025-2223, TALOS-2025-2226 through TALOS-2025-2229).
- Relevant links - defanged:
  - hxxps://blog.talosintelligence.com/author/kri/
  - hxxps://snort.org/
  - hxxps://talosintelligence.com/vulnerability_reports
  - hxxps://talosintelligence.com/vulnerability_reports/TALOS-2025-2223
  - hxxps://talosintelligence.com/vulnerability_reports/TALOS-2025-2226
  - hxxps://talosintelligence.com/vulnerability_reports/TALOS-2025-2227
  - hxxps://talosintelligence.com/vulnerability_reports/TALOS-2025-2228
  - hxxps://talosintelligence.com/vulnerability_reports/TALOS-2025-2229