CVE-2025-34093

HIGH

Polycom HDX Series - Command Injection

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-34093. PoCs published by Paul Haas, Mumbai, staaldraad, including Metasploit module exploits/unix/misc/polycom_hdx_traceroute_exec.

AI-analyzed exploit summary: This Metasploit module exploits an authentication bypass vulnerability in Polycom HDX devices via simultaneous telnet connections, followed by command injection in the ping command to achieve remote code execution as root.

Description

An authenticated command injection vulnerability exists in the Polycom HDX Series command shell interface accessible over Telnet. The lan traceroute command in the devcmds console accepts unsanitized input, allowing attackers to execute arbitrary system commands. By injecting shell metacharacters through the traceroute interface, an attacker can achieve remote code execution under the context of the root user. This flaw affects systems where Telnet access is enabled and either unauthenticated access is allowed or credentials are known.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Paul Haas · ruby · remote · hardware
https://www.exploit-db.com/exploits/24494

This Metasploit module exploits an authentication bypass vulnerability in Polycom HDX devices via simultaneous telnet connections, followed by command injection in the ping command to achieve remote code execution as root.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Polycom HDX devices (all releases prior to and including Commercial 3.0.5)
No auth needed
Prerequisites: Network access to the target device's telnet service (port 23) · Target device running vulnerable Polycom HDX firmware
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Mumbai, staaldraad · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/misc/polycom_hdx_traceroute_exec.rb

This Metasploit module exploits a command execution vulnerability in Polycom HDX series devices via the 'lan traceroute' dev command. It establishes a reverse shell by leveraging openssl to fetch and execute a payload from a listener.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Polycom HDX Series
No auth needed
Prerequisites: Network access to the target device · Telnet service exposed on port 23
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v4: 7.5
EPSS: 0.7210
EPSS Percentile: 98.8%
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-78
Status: published
Products (1): Polycom/HDX Series < 3.1.11 hotfix 2
Published: Jul 10, 2025
Tracked Since: Feb 18, 2026