CVE-2025-34035
Published: 24 June 2025
Summary
CVE-2025-34035 is a critical-severity OS Command Injection (CWE-78) vulnerability in Engeniustech Esr600 Firmware. Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 6.6% of CVEs by exploit likelihood. It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
An OS command injection vulnerability exists in EnGenius EnShare Cloud Service version 1.4.11 and earlier. The usbinteract.cgi script fails to properly sanitize user input passed to the path parameter, allowing unauthenticated remote attackers to inject arbitrary shell commands. The injected commands are executed with root privileges, leading to full system compromise. The issue is tracked as CWE-78 and carries a CVSS 4.0 score of 10.0.
Unauthenticated remote attackers can exploit the flaw over the network without any user interaction or credentials. Successful exploitation grants attackers root-level access to the affected device, enabling complete system takeover including arbitrary command execution and potential persistence.
Exploitation evidence was observed by the Shadowserver Foundation on 2024-12-05 UTC. The associated EPSS score reached a peak of 0.1036 with no material rise from its starting value. Public references consist primarily of exploit disclosures dating to 2017 rather than vendor advisories describing patches or mitigations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-18966
Vulnerability details
An OS command injection vulnerability exists in EnGenius EnShare Cloud Service version 1.4.11 and earlier. The usbinteract.cgi script fails to properly sanitize user input passed to the path parameter, allowing unauthenticated remote attackers to inject arbitrary shell commands. The injected commands are executed with root privileges, leading to full system compromise. Exploitation evidence was observed by the Shadowserver Foundation on 2024-12-05 UTC.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.