CVE-2025-34035

EnGenius EnShare IoT Gigabit Cloud Service Command Injection

CVSS 10 CRITICALEPSS 12.3%CWE-78

An OS command injection vulnerability exists in EnGenius EnShare Cloud Service version 1.4.11 and earlier. The usbinteract.cgi script fails to properly sanitize user input passed to the path parameter, allowing unauthenticated remote attackers to inject arbitrary shell commands. The injected commands are executed with root privileges, leading to full system compromise. Exploitation evidence was observed by the Shadowserver Foundation on 2024-12-05 UTC.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Affected products

EnGenius · EnShare IoT Gigabit Cloud Service

public PoCs found — 4

cve_referencecxsecurity.com/issue/WLB-2017060050unverified cve_referencepacketstormsecurity.com/files/142792unverified cve_referencewww.exploit-db.com/exploits/42114unverified cve_referencewww.zeroscience.mk/en/vulnerabilities/ZSL-2017-5413.phpunverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://cxsecurity.com/issue/WLB-2017060050 https://packetstormsecurity.com/files/142792 https://vulncheck.com/advisories/engenius-enshare-iot-gigabit-cloud-service https://www.exploit-db.com/exploits/42114 https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5413.php