CVE-2025-34035
CRITICAL EXPLOITED NUCLEIEnGenius EnShare Cloud Service <1.4.11 - Command Injection
Title source: llmDescription
An OS command injection vulnerability exists in EnGenius EnShare Cloud Service version 1.4.11 and earlier. The usbinteract.cgi script fails to properly sanitize user input passed to the path parameter, allowing unauthenticated remote attackers to inject arbitrary shell commands. The injected commands are executed with root privileges, leading to full system compromise. Exploitation evidence was observed by the Shadowserver Foundation on 2024-12-05 UTC.
Exploits (1)
exploitdb
WORKING POC
by LiquidWorm · pythonwebappshardware
https://www.exploit-db.com/exploits/42114
Nuclei Templates (1)
EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 Root Remote Code Execution
CRITICALVERIFIEDby intelligent-ears
Shodan:
html:"/web/cgi-bin/usbinfo.cgi"
FOFA:
body="/web/cgi-bin/usbinfo.cgi"
References (5)
Scores
CVSS v3
9.8
EPSS
0.0763
EPSS Percentile
91.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation Intel
VulnCheck KEV
2025-06-23
Classification
CWE
CWE-78
Status
published
Affected Products (50)
engeniustech/esr300_firmware
engeniustech/esr300_firmware
engeniustech/esr300_firmware
engeniustech/esr300_firmware
engeniustech/esr300_firmware
engeniustech/esr300_firmware
engeniustech/esr300_firmware
engeniustech/esr350_firmware
engeniustech/esr350_firmware
engeniustech/esr350_firmware
engeniustech/esr350_firmware
engeniustech/esr350_firmware
engeniustech/esr350_firmware
engeniustech/esr350_firmware
engeniustech/esr600_firmware
... and 35 more
Timeline
Published
Jun 24, 2025
Tracked Since
Feb 18, 2026