CVE-2025-34037

Summary

An OS command injection vulnerability exists in various models of E-Series Linksys routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on port 8080. The CGI scripts improperly process user-supplied input passed to the ttcp_ip parameter without sanitization, allowing unauthenticated attackers to inject shell commands. This vulnerability was reported to be exploited in the wild by the "TheMoon" worm  in 2014 to deploy a MIPS ELF payload, enabling arbitrary code execution on the router. Additionally, this vulnerability may affect other Linksys products to include, but not limited to, WAG/WAP/WES/WET/WRT-series router models and Wireless-N access points and routers. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC.

Affected Software

VendorProductVersion RangeStatus
LinksysE42000 < 1.0.06affected
LinksysE32000 < 1.0.05affected
LinksysE30000 < 1.0.06affected
LinksysE2500 v1/v20 < 2.0.00affected
LinksysE2100L v10 <= 1.0.05affected
LinksysE20000affected
LinksysE15500 <= 1.0.03affected
LinksysE1500 v10 < 1.0.06affected
LinksysE1200 v10 <= 1.0.04affected
LinksysE1000 v10 < 2.1.03affected
LinksysE900 v10 < 1.0.04affected

Weaknesses

  • CWE-78: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: total

References