CVE-2018-3953

HIGH

Linksys E1200 and E2500 Firmware - OS Command Injection via Router Name Parameter

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-3953. Includes Metasploit module auxiliary/admin/http/linksys_e1500_e2500_exec.

AI-analyzed exploit summary This Metasploit module exploits an authenticated OS command injection vulnerability in Linksys E1500/E2500 routers. It logs in using default credentials and injects a command into the 'ping_size' parameter of a POST request to '/apply.cgi'.

Description

Devices in the Linksys ESeries line of routers (Linksys E1200 Firmware Version 2.0.09 and Linksys E2500 Firmware Version 3.0.04) are susceptible to OS command injection vulnerabilities due to improper filtering of data passed to and retrieved from NVRAM. Data entered into the 'Router Name' input field through the web portal is submitted to apply.cgi as the value to the 'machine_name' POST parameter. When the 'preinit' binary receives the SIGHUP signal, it enters a code path that continues until it reaches offset 0x0042B5C4 in the 'start_lltd' function. Within the 'start_lltd' function, a 'nvram_get' call is used to obtain the value of the user-controlled 'machine_name' NVRAM entry. This value is then entered directly into a command intended to write the host name to a file and subsequently executed.

Exploits (2)

metasploit WORKING POC

rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/linksys_e1500_e2500_exec.rb

View Code ZIP pw:eip

This Metasploit module exploits an authenticated OS command injection vulnerability in Linksys E1500/E2500 routers. It logs in using default credentials and injects a command into the 'ping_size' parameter of a POST request to '/apply.cgi'.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Linksys E1500/E2500 routers

Auth required

Prerequisites: Network access to the target router · Valid credentials (default: admin/admin or admin/password)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1210 - Exploitation of Remote Services

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC EXCELLENT

rubypocunix

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/linksys_e1500_apply_exec.rb

View Code ZIP pw:eip

This Metasploit module exploits an authenticated OS command injection vulnerability in Linksys E1500/E2500 routers via the apply.cgi endpoint. It supports both command execution and MIPS ELF payload delivery for remote code execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Linksys E1500/E2500 routers

Auth required

Prerequisites: Network access to the router's web interface · Valid credentials (default: admin/admin or admin/password)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit, Third Party Advisory x_refsource_misc

https://talosintelligence.com/vulnerability_reports/TALOS-2018-0625

Scores

CVSS v3 7.2

EPSS 0.6344

EPSS Percentile 98.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (2)

linksys/e1200_firmware 2.0.09

linksys/e2500_firmware 3.0.04

Published Oct 17, 2018

Tracked Since Feb 18, 2026