CVE-2025-34117

CRITICAL EXPLOITED

Netcore and Netis Router Firmware - Unauthenticated Remote Code Execution via UDP Port 53413 Backdoor

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2025-34117 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including nixawk, Nixawk, h00die <[email protected]>, including a Metasploit module exploits/linux/misc/netcore_udp_53413_backdoor.

AI-analyzed exploit summary This exploit targets a backdoor in NETCORE/NETDIS routers via UDP port 53413, allowing unauthenticated command execution and file retrieval. It includes functions for login, command execution, and file operations.

Description

A remote code execution vulnerability exists in multiple Netcore and Netis routers models with firmware released prior to August 2014 due to the presence of an undocumented backdoor listener on UDP port 53413. Exact version boundaries remain undocumented. An unauthenticated remote attacker can send specially crafted UDP packets to execute arbitrary commands on the affected device. This backdoor uses a hardcoded authentication mechanism and accepts shell commands post-authentication. Some device models include a non-standard implementation of the `echo` command, which may affect exploitability.

Exploits (2)

exploitdb WORKING POC
by nixawk · pythonremotehardware
https://www.exploit-db.com/exploits/43387

This exploit targets a backdoor in NETCORE/NETDIS routers via UDP port 53413, allowing unauthenticated command execution and file retrieval. It includes functions for login, command execution, and file operations.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: NETCORE/NETDIS routers (unknown version)
No auth needed
Prerequisites: Network access to UDP port 53413 on the target device
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC NORMAL
by Nixawk, h00die <[email protected]> · rubypoclinux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/netcore_udp_53413_backdoor.rb

This Metasploit module exploits a backdoor in Netcore/Netis routers via UDP port 53413, allowing arbitrary command execution. It authenticates with a hardcoded password and uses a command stager for payload delivery.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Netcore/Netis routers (various models)
Auth required
Prerequisites: Network access to UDP port 53413 · Target router must be vulnerable
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (7)

Core 7
Core References
Various Sources third-party-advisory technical-description
https://www.seebug.org/vuldb/ssvid-90227
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/43387

Scores

CVSS v4 9.3
EPSS 0.5688
EPSS Percentile 98.2%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2026-03-11
CWE
CWE-306 CWE-78 CWE-912
Status published
Products (2)
Netcore Technology/Router firmware Prior to August 2014
Netis/Router firmware Prior to August 2014
Published Jul 16, 2025
Tracked Since Feb 18, 2026