CVE-2025-34037

Linksys Routers E/WAG/WAP/WES/WET/WRT-Series

CVSS 10 CRITICALEPSS 85.4%CWE-78

An OS command injection vulnerability exists in various models of E-Series Linksys routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on port 8080. The CGI scripts improperly process user-supplied input passed to the ttcp_ip parameter without sanitization, allowing unauthenticated attackers to inject shell commands. This vulnerability was reported to be exploited in the wild by the "TheMoon" worm in 2014 to deploy a MIPS ELF payload, enabling arbitrary code execution on the router. Additionally, this vulnerability may affect other Linksys products to include, but not limited to, WAG/WAP/WES/WET/WRT-series router models and Wireless-N access points and routers. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Productos afectados

Linksys · E1000 v1 Linksys · E1200 v1 Linksys · E1500 v1 Linksys · E1550 Linksys · E2000 Linksys · E2100L v1 Linksys · E2500 v1/v2 Linksys · E3000 Linksys · E3200 Linksys · E4200 Linksys · E900 v1

PoCs públicas encontradas — 2

githubgithub.com/Taxanehh/CVE-2025-34037★ 0 cve_referencewww.exploit-db.com/exploits/31683no verificado

⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://isc.sans.edu/diary/17633 https://vulncheck.com/advisories/linksys-routers-command-injection https://www.exploit-db.com/exploits/31683