Synway SMG Gateway unauth RCE patch (CVE-2025-71284)
CVE-2025-71284: Synway SMG Gateway Management Software unauthenticated OS command injection (CVSS 9.8). Update or apply vendor mitigations immediately.
Patch now - CVE-2025-71284 is a critical OS command injection vulnerability in Synway SMG Gateway Management Software that grants unauthenticated remote code execution via the RADIUS configuration endpoint. No vendor patch is available yet; apply the mitigations below.
Overview
CVE-2025-71284 affects Synway SMG Gateway Management Software’s RADIUS configuration page at /en/9-2radius.php. The vulnerability stems from insufficient input sanitization: user-supplied parameters such as radius_address, radius_address2, shared_secret2, source_ip, timeout, and retry are concatenated directly into a sed command without any validation. An unauthenticated attacker can exploit this by submitting a crafted POST request with save=1 and enable_radius=1 parameters to achieve arbitrary command execution on the underlying operating system.
The Shadowserver Foundation first observed exploitation evidence on July 11, 2025 (UTC), indicating active scanning or targeted attempts against this endpoint.
Impact
A successful attack enables remote code execution (RCE) at the privilege level of the SMG Gateway process, typically root or SYSTEM. This allows attackers to:
- Execute arbitrary shell commands
- Modify gateway configurations
- Exfiltrate sensitive data (including call records, credentials, and network topology)
- Use the compromised gateway as a pivot point for lateral movement into the telephony network
The CVSS 9.8 (CRITICAL) score reflects the combination of network attack vector, low attack complexity, no required privileges, and no user interaction - making this highly exploitable.
Remediation and Mitigation
No vendor patch is available as of this writing. Synway has not released a security update for this vulnerability. Until a fix is provided, implement these mitigations:
- Restrict network access to the SMG Gateway web management interface to trusted IP addresses only. Use firewall rules or access control lists to block the /en/9-2radius.php endpoint from the internet.
- Disable RADIUS services in the gateway management software if not required.
- Monitor logs for suspicious POST requests to /en/9-2radius.php with multiple parameters and the save=1 and enable_radius=1 flags.
- Place the gateway behind a VPN or jump host to eliminate direct internet exposure.
- Isolate the gateway from sensitive network segments until a patch is available.
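The log-monitoring mitigation above can be automated. The following script is an added example written for this advisory, not code from Synway or from the advisory's source: it parses combined-format access log lines, keeps only POST requests to /en/9-2radius.php, and raises a high-severity alert when the request carries both save=1 and enable_radius=1 from an address outside an operator-defined trusted range. Ordinary web-server access logs do not record POST bodies, so the optional trailing quoted body field is an assumption about a reverse proxy or WAF log placed in front of the gateway; the sample log lines, the trusted network and the non-RADIUS path are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

# Path of the vulnerable RADIUS configuration page named in the advisory.
RADIUS_ENDPOINT = "/en/9-2radius.php"

# Combined log format, optionally followed by one extra quoted field holding the
# POST body (assumption: a reverse proxy/WAF in front of the gateway logs it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
    r'(?: "(?P<body>[^"]*)")?$'
)


@dataclass
class Alert:
    source_ip: str
    timestamp: str
    severity: str  # "high", "medium" or "low"
    reason: str


def _is_trusted(ip: str, trusted: list) -> bool:
    """True if ip parses and falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def _has_save_flags(params: dict) -> bool:
    """The advisory's indicator: save=1 together with enable_radius=1."""
    return params.get("save", [""])[0] == "1" and params.get("enable_radius", [""])[0] == "1"


def classify(line: str, trusted: list) -> Optional[Alert]:
    """Return an Alert for a suspicious request line, or None to ignore it."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None  # unparseable line: skip rather than crash the scan
    parts = urlsplit(m.group("target"))
    if parts.path.lower() != RADIUS_ENDPOINT or m.group("method") != "POST":
        return None
    params = parse_qs(parts.query)
    params.update(parse_qs(m.group("body") or ""))
    from_trusted = _is_trusted(m.group("ip"), trusted)
    if _has_save_flags(params) and not from_trusted:
        severity, reason = "high", "save=1&enable_radius=1 POST from untrusted source"
    elif not from_trusted:
        severity, reason = "medium", "POST to RADIUS config page from untrusted source"
    elif _has_save_flags(params):
        severity, reason = "low", "RADIUS config change from trusted source (audit)"
    else:
        return None
    return Alert(m.group("ip"), m.group("ts"), severity, reason)


def scan_access_log(lines: Iterable[str], trusted_cidrs: Iterable[str]) -> List[Alert]:
    trusted = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    return [a for a in (classify(line, trusted) for line in lines) if a is not None]


# Constructed sample log lines; addresses are documentation ranges, not real hosts.
TRUSTED_CIDRS = ["192.168.10.0/24"]
SAMPLE_LINES = [
    '203.0.113.9 - - [11/Jul/2025:08:14:03 +0000] "POST /en/9-2radius.php HTTP/1.1" 200 512 '
    '"-" "python-requests/2.31" "save=1&enable_radius=1&radius_address=10.0.0.5&timeout=5&retry=3"',
    '192.168.10.4 - - [11/Jul/2025:08:20:11 +0000] "GET /en/9-2radius.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [11/Jul/2025:08:21:45 +0000] "POST /en/9-2radius.php HTTP/1.1" 302 0 "-" "curl/8.4.0"',
    '192.168.10.4 - - [11/Jul/2025:09:02:30 +0000] "POST /en/9-2radius.php HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0" "save=1&enable_radius=1&radius_address=10.0.0.5"',
    '198.51.100.23 - - [11/Jul/2025:09:05:12 +0000] "POST /en/login.php HTTP/1.1" 200 128 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LINES, TRUSTED_CIDRS):
        print(f"[{alert.severity}] {alert.timestamp} {alert.source_ip}: {alert.reason}")
```

Because the advisory describes the endpoint as unauthenticated, any POST to it from outside the trusted range is worth a medium alert even when the body is not logged; the high tier is reserved for the exact parameter combination the advisory names.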
Security Insight
This vulnerability highlights a recurring pattern in telephony and gateway management products: web-based RADIUS configuration endpoints that perform shell-level operations with root privileges but lack basic input sanitization. Similar command injection flaws have historically affected Asterisk, FreeSWITCH, and various SBC vendors. The absence of authentication on the vulnerable endpoint compounds the risk, turning what should be a scoped configuration interface into an attack surface for complete system compromise. Organizations deploying SMG Gateway should treat this as a wake-up call to review all exposed management interfaces for command injection patterns, especially those handling external network protocols like RADIUS.
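To make the "basic input sanitization" point concrete, the following is an added example, not Synway's code and not a description of how the vulnerable page is written: it takes the form fields the advisory lists (radius_address, radius_address2, shared_secret2, source_ip, timeout, retry; a matching shared_secret field is assumed), allow-lists each one by type, and then builds the sed invocation as an argv list passed without a shell, so no metacharacter in a value can ever be interpreted. The value ranges, the config-file layout and the `key=value` line format are assumptions for the example. Python is used here for a runnable illustration even though the product's page is PHP.

```python
import ipaddress
import re
import subprocess
from typing import Dict, List

# RFC-1123 style hostname: labels of letters, digits and hyphens, dot-separated.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
# Shared secret allow-list (assumed policy): excludes shell metacharacters,
# whitespace, and everything special to a sed replacement ('&', '\') or to the
# '|' delimiter used below.
SECRET_RE = re.compile(r"^[A-Za-z0-9!@#%^*()_+=.,:?~-]{1,64}$")


def validate_host(value: str) -> str:
    """Accept an IP literal or a hostname; anything else is rejected."""
    value = value.strip()
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if HOST_RE.match(value):
        return value
    raise ValueError(f"invalid host: {value!r}")


def validate_ip(value: str) -> str:
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        raise ValueError(f"invalid IP address: {value!r}") from None


def validate_int(value: str, lo: int, hi: int, name: str) -> str:
    if not re.fullmatch(r"\d{1,5}", value.strip()):
        raise ValueError(f"{name} must be a non-negative integer")
    n = int(value)
    if not lo <= n <= hi:
        raise ValueError(f"{name} out of range {lo}-{hi}")
    return str(n)  # canonical form: no leading zeros, no surrounding whitespace


def validate_secret(value: str, name: str) -> str:
    if not SECRET_RE.match(value):
        raise ValueError(f"{name} has disallowed characters or bad length")
    return value


# One validator per expected field; ranges for timeout/retry are assumed.
VALIDATORS = {
    "radius_address": validate_host,
    "radius_address2": validate_host,
    "shared_secret": lambda v: validate_secret(v, "shared_secret"),
    "shared_secret2": lambda v: validate_secret(v, "shared_secret2"),
    "source_ip": validate_ip,
    "timeout": lambda v: validate_int(v, 1, 60, "timeout"),
    "retry": lambda v: validate_int(v, 0, 10, "retry"),
}


def validate_radius_params(form: Dict[str, str]) -> Dict[str, str]:
    """Allow-list every field: unknown fields are dropped, bad values raise."""
    clean = {}
    for key, check in VALIDATORS.items():
        if key not in form:
            raise ValueError(f"missing field {key}")
        clean[key] = check(form[key])
    return clean


def is_rejected(form: Dict[str, str]) -> bool:
    """Convenience predicate: does validation refuse this form submission?"""
    try:
        validate_radius_params(form)
    except ValueError:
        return True
    return False


def build_sed_argv(params: Dict[str, str], conf_path: str) -> List[str]:
    """argv for sed, never a shell string; every value has already been allow-listed.
    Assumed config layout: one 'key=value' line per field."""
    argv = ["sed", "-i"]
    for key, value in params.items():
        argv += ["-e", f"s|^{key}=.*|{key}={value}|"]
    argv.append(conf_path)
    return argv


def apply_radius_config(form: Dict[str, str], conf_path: str, runner=subprocess.run):
    """Validate first; only then touch the file, and only via execve-style argv."""
    params = validate_radius_params(form)
    if form.get("save") != "1":
        return None  # nothing to apply
    return runner(build_sed_argv(params, conf_path), check=True, shell=False)
```

The two properties that matter are the order (validation before any command is built) and shell=False with a list argv, which hands the arguments straight to the sed binary. Even with that in place, a configuration writer that rewrites the file from Python directly would remove the external command entirely and is the better design when the file format allows it.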