Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

AMTT HiBOS Hotel Broadband Operation System Command Injection Vulnerability in server_ping.php Endpoint Allowing Remote Code Execution

Vulnerability

A command injection vulnerability allowing remote code execution has been identified in the AMTT Hotel Broadband Operation System (HiBOS). This vulnerability exists in the /manager/radius/server_ping.php endpoint, where the application builds and executes a shell command from the user-supplied 'ip' parameter without adequate validation or escaping. Attackers can exploit this by injecting shell metacharacters to execute arbitrary commands on the server as the web server user. This vulnerability has been observed being exploited in the wild as of October 14, 2025.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the server, with the executed commands running as the web server user.

Reproduction

To reproduce this vulnerability, send a GET request to the /manager/radius/server_ping.php endpoint with the 'ip' parameter containing injected shell metacharacters. The injected command will be executed on the server, and the response can be used to verify the execution, such as by requesting a file like /etc/passwd.
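Added example (not code from this advisory, from AMTT, or from HiBOS): a Python script showing the two defensive halves of this issue. `is_valid_ping_target` is the strict allow-list check a hardened server_ping.php handler should apply to the 'ip' parameter before it ever reaches a shell (a literal IPv4/IPv6 address and nothing else), and `find_injection_attempts` reuses that same check as a detection rule over web server access logs, flagging any request to the endpoint whose 'ip' value would not have passed it. The endpoint path comes from the advisory; the combined-style log format and every log line are constructed assumptions for the example.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint path named in the advisory. Everything else below is constructed.
ENDPOINT = "/manager/radius/server_ping.php"

# Only the characters a literal IPv4/IPv6 address can contain. Rejecting
# anything else up front means no shell metacharacter, whitespace or IPv6
# scope id (e.g. "%eth0") can reach the command line at all.
_IP_CHARS = re.compile(r"[0-9A-Fa-f.:]+")


def is_valid_ping_target(value: str) -> bool:
    """Strict allow-list check for the 'ip' parameter: accept one literal IP
    address and nothing else (no hostnames, no whitespace, no metacharacters).
    This is the validation the vulnerable endpoint lacks; a hardened handler
    rejects the request here instead of building a ping command from it."""
    if not _IP_CHARS.fullmatch(value):
        return False
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


# Assumed Apache/nginx "combined"-style access log layout (constructed).
_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def find_injection_attempts(lines):
    """Return one record per request to server_ping.php whose 'ip' parameter
    is not a literal IP address. The hardened validator doubles as the
    detection rule: any value it rejects is a value the vulnerable code would
    have handed to the shell unchecked."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # malformed or unrelated line
        parts = urlsplit(m["target"])
        if unquote(parts.path) != ENDPOINT:
            continue
        # parse_qs URL-decodes values, so we see what the application saw.
        values = parse_qs(parts.query, keep_blank_values=True).get("ip", [])
        for raw in values:
            if not is_valid_ping_target(raw):
                hits.append({
                    "client": m["client"],
                    "time": m["time"],
                    "status": m["status"],
                    "ip_param": raw,
                })
    return hits


# Constructed sample log lines: two benign pings, two injection attempts and
# one unrelated request. Client addresses are documentation/private ranges.
LOG_LINES = [
    '10.0.0.5 - - [14/Oct/2025:09:12:01 +0000] "GET /manager/radius/server_ping.php?ip=192.168.10.20 HTTP/1.1" 200 312',
    '203.0.113.9 - - [14/Oct/2025:09:12:44 +0000] "GET /manager/radius/server_ping.php?ip=127.0.0.1%3Bid HTTP/1.1" 200 1187',
    '203.0.113.9 - - [14/Oct/2025:09:13:02 +0000] "GET /manager/radius/server_ping.php?ip=127.0.0.1%7Ccat%20/etc/passwd HTTP/1.1" 200 2048',
    '10.0.0.7 - - [14/Oct/2025:09:14:10 +0000] "GET /manager/index.php HTTP/1.1" 200 5120',
    '10.0.0.5 - - [14/Oct/2025:09:15:33 +0000] "GET /manager/radius/server_ping.php?ip=2001%3Adb8%3A%3A1 HTTP/1.1" 200 300',
]


if __name__ == "__main__":
    for hit in find_injection_attempts(LOG_LINES):
        print(f"{hit['time']} {hit['client']} ip={hit['ip_param']!r} "
              f"status={hit['status']}")
```

To use it against real data, feed `find_injection_attempts` the lines of the HiBOS web server's access log (adjust `_LOG_RE` if the log layout differs from the assumed combined format). A hit only shows that a non-IP value was sent to the endpoint; an HTTP 200 in the log does not by itself confirm that the injected command ran, so confirmed hits should be followed up on the host (process and shell history for the web server user) rather than treated as proof of compromise on their own.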

Remediation

Contact the vendor for guidance on addressing this vulnerability.

Added: Oct 22, 2025, 6:41 PM
Updated: Oct 22, 2025, 11:45 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 6.4
remediation: 6.0
relevance: 0.7
threat: 8.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.