CVE-2025-34035

EnGenius EnShare IoT Gigabit Cloud Service Command Injection

CVSS 10 CRITICALEPSS 12.3%CWE-78

An OS command injection vulnerability exists in EnGenius EnShare Cloud Service version 1.4.11 and earlier. The usbinteract.cgi script fails to properly sanitize user input passed to the path parameter, allowing unauthenticated remote attackers to inject arbitrary shell commands. The injected commands are executed with root privileges, leading to full system compromise. Exploitation evidence was observed by the Shadowserver Foundation on 2024-12-05 UTC.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Productos afectados

EnGenius · EnShare IoT Gigabit Cloud Service

PoCs públicas encontradas — 4

cve_referencecxsecurity.com/issue/WLB-2017060050no verificado cve_referencepacketstormsecurity.com/files/142792no verificado cve_referencewww.exploit-db.com/exploits/42114no verificado cve_referencewww.zeroscience.mk/en/vulnerabilities/ZSL-2017-5413.phpno verificado

⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://cxsecurity.com/issue/WLB-2017060050 https://packetstormsecurity.com/files/142792 https://vulncheck.com/advisories/engenius-enshare-iot-gigabit-cloud-service https://www.exploit-db.com/exploits/42114 https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5413.php