Exploitation Summary
CVE-2025-34037 has been observed exploited in the wild (reported by VulnCheck KEV).
EIP tracks 3 public exploits from researchers including Rew, Taxanehh, Johannes Ullrich and infodox, among them the Metasploit module exploits/linux/http/linksys_themoon_exec.
AI-analyzed exploit summary
This exploit targets an unauthenticated remote code execution vulnerability in various Linksys routers by leveraging a command injection flaw in the tmUnblock.cgi endpoint. It writes a MIPSEL shellcode payload to the filesystem and executes it to establish a bind shell on port 4444.
Description
An OS command injection vulnerability exists in various models of Linksys E-Series routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on port 8080. The CGI scripts pass user-supplied input from the ttcp_ip parameter to a shell without sanitization, allowing unauthenticated attackers to inject shell commands. This vulnerability was reported to be exploited in the wild by the "TheMoon" worm in 2014 to deploy a MIPS ELF payload, enabling arbitrary code execution on the router. Additionally, this vulnerability may affect other Linksys products, including but not limited to WAG/WAP/WES/WET/WRT-series router models and Wireless-N access points and routers. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC.
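As an added detection example (not part of this entry or of any of the tracked exploits), the check below classifies a captured HTTP request against the pattern described above: a request to /tmUnblock.cgi or /hndUnblock.cgi whose ttcp_ip parameter is anything other than a plain IP address. It assumes the request has been captured by a proxy, WAF or IDS that exposes method, target and body; whether the CGI also reads the parameter from a query string is not stated in the advisory, so the check inspects both conservatively.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Endpoints named in the advisory for CVE-2025-34037; the injected parameter is ttcp_ip.
VULNERABLE_ENDPOINTS = {"/tmUnblock.cgi", "/hndUnblock.cgi"}
# Characters that should never appear in a value meant to hold an IP address.
SHELL_METACHARS = set(";|&`$(){}<>\n")


def inspect_request(method: str, target: str, body: str = "") -> dict:
    """Classify one captured HTTP request.

    Returns {'verdict': 'benign' | 'suspicious' | 'not_applicable', 'reason': str}.
    Parameters are read from the query string and, for POST, from the
    urlencoded body (the advisory describes POST requests; the query-string
    check is an assumption made to be conservative).
    """
    parts = urlsplit(target)
    if parts.path not in VULNERABLE_ENDPOINTS:
        return {"verdict": "not_applicable", "reason": "path is not a known vulnerable CGI"}
    params = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        params.update(parse_qs(body, keep_blank_values=True))
    values = params.get("ttcp_ip")
    if not values:
        return {"verdict": "benign", "reason": "no ttcp_ip parameter"}
    for value in values:
        try:
            ipaddress.ip_address(value)  # the only legitimate content of ttcp_ip
            continue
        except ValueError:
            pass
        bad = sorted(SHELL_METACHARS.intersection(value))
        if bad:
            return {"verdict": "suspicious", "reason": f"ttcp_ip contains shell metacharacters {bad}"}
        return {"verdict": "suspicious", "reason": "ttcp_ip is not an IP address"}
    return {"verdict": "benign", "reason": "ttcp_ip values are plain IP addresses"}


# Constructed sample requests (not real captures) used for a self-check.
SAMPLES = [
    ("POST", "/tmUnblock.cgi", "ttcp_ip=192.168.1.10&action=1"),
    ("POST", "/tmUnblock.cgi", "ttcp_ip=192.168.1.10%3Bid"),
    ("GET", "/hndUnblock.cgi?ttcp_ip=router.lan", ""),
    ("GET", "/index.html", ""),
]


def scan(samples=SAMPLES):
    """Return the verdict for each sample, in order."""
    return [inspect_request(m, t, b)["verdict"] for m, t, b in samples]


if __name__ == "__main__":
    for (m, t, b), verdict in zip(SAMPLES, scan()):
        print(f"{verdict:15} {m} {t} {b}")
```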
Exploits (3)
This exploit targets an unauthenticated remote code execution vulnerability in various Linksys routers by leveraging a command injection flaw in the tmUnblock.cgi endpoint. It writes a MIPSEL shellcode payload to the filesystem and executes it to establish a bind shell on port 4444.
This repository contains a functional Python exploit for CVE-2025-34037, targeting a command injection vulnerability in the tmUnblock.cgi endpoint of various Linksys router models. The exploit stages a MIPS bind shell onto the target device and provides an interactive shell.
This Metasploit module exploits an unauthenticated OS command injection vulnerability in Linksys E-Series routers (CVE-2025-34037), leveraging the 'ttcp_ip' parameter in a POST request to '/tmUnblock.cgi' to execute arbitrary commands. It supports MIPS-based payloads and was tested against E1500 v1.0.5.
Scores
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H