CVE-2025-34037

CRITICAL EXPLOITED

Linksys E-Series - Command Injection

Description

An OS command injection vulnerability exists in various models of E-Series Linksys routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on port 8080. The CGI scripts pass user-supplied input from the ttcp_ip parameter to the shell without sanitization, allowing unauthenticated attackers to inject shell commands. This vulnerability was reported to be exploited in the wild by the "TheMoon" worm in 2014 to deploy a MIPS ELF payload, enabling arbitrary code execution on the router. Additionally, this vulnerability may affect other Linksys products, including, but not limited to, WAG/WAP/WES/WET/WRT-series router models and Wireless-N access points and routers. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Rew · php, remote, hardware
https://www.exploit-db.com/exploits/31683
nomisec WORKING POC
by Taxanehh · poc
https://github.com/Taxanehh/CVE-2025-34037
metasploit WORKING POC EXCELLENT
by Johannes Ullrich, Rew, infodox · ruby, poc, linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/linksys_themoon_exec.rb

Scores

CVSS v4 10.0
EPSS 0.8892
EPSS Percentile 99.5%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Details

VulnCheck KEV 2025-06-23
CWE CWE-78
Status published
Products (11)
Linksys/E1000 v1 < 2.1.03
Linksys/E1200 v1 < 1.0.04
Linksys/E1500 v1 < 1.0.06
Linksys/E1550 < 1.0.03
Linksys/E2000
Linksys/E2100L v1 < 1.0.05
Linksys/E2500 v1/v2 < 2.0.00
Linksys/E3000 < 1.0.06
Linksys/E3200 < 1.0.05
Linksys/E4200 < 1.0.06
... and 1 more
Published Jun 24, 2025
Tracked Since Feb 18, 2026