Cyber Resilience

CVE-2025-34035

Critical · Public PoC · RCE

Published: 24 June 2025

Modified: 20 November 2025
KEV Added
Patch
CVSS Score v4: 10.0
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.1036 (93.4th percentile)
Risk Priority: 26 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-34035 is a critical-severity OS Command Injection (CWE-78) vulnerability in Engeniustech Esr600 Firmware. Its CVSS base score is 10.0 (Critical).

Operationally, it ranks in the top 6.6% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

An OS command injection vulnerability exists in EnGenius EnShare Cloud Service version 1.4.11 and earlier. The usbinteract.cgi script fails to properly sanitize user input passed to the path parameter, allowing unauthenticated remote attackers to inject arbitrary shell commands. The injected commands are executed with root privileges, leading to full system compromise. The issue is tracked as CWE-78 and carries a CVSS 4.0 score of 10.0.

Unauthenticated remote attackers can exploit the flaw over the network without any user interaction or credentials. Successful exploitation grants attackers root-level access to the affected device, enabling complete system takeover including arbitrary command execution and potential persistence.

Exploitation evidence was observed by the Shadowserver Foundation on 2024-12-05 UTC. The associated EPSS score reached a peak of 0.1036 with no material rise from its starting value. Public references consist primarily of exploit disclosures dating to 2017 rather than vendor advisories describing patches or mitigations.

EU & UK References

Vulnerability details

An OS command injection vulnerability exists in EnGenius EnShare Cloud Service version 1.4.11 and earlier. The usbinteract.cgi script fails to properly sanitize user input passed to the path parameter, allowing unauthenticated remote attackers to inject arbitrary shell commands. The injected commands are executed with root privileges, leading to full system compromise. Exploitation evidence was observed by the Shadowserver Foundation on 2024-12-05 UTC.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

engeniustech esr300 firmware: 1.1.0.28, 1.3.1.42, 1.4.0, 1.4.1.28, 1.4.2
engeniustech esr350 firmware: 1.1.0.29, 1.3.1.41, 1.4.0, 1.4.11, 1.4.2
engeniustech esr600 firmware: 1.1.0.50, 1.2.1.46, 1.3.1.63, 1.4.0.23, 1.4.1
engeniustech esr900 firmware: 1.1.0, 1.2.2.23, 1.3.0, 1.3.1.26, 1.3.5.18
engeniustech esr1200 firmware: 1.1.0, 1.3.1.34, 1.4.1, 1.4.3, 1.4.5
engeniustech esr1750 firmware: 1.1.0, 1.2.2.27, 1.3.0, 1.3.1.34, 1.4.0
engeniustech epg5000 firmware: 1.2.0, 1.3.0, 1.3.2, 1.3.3, 1.3.3.17

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

References