CVE-2025-34037
Published: 24 June 2025
Summary
CVE-2025-34037 is a critical-severity OS Command Injection (CWE-78) vulnerability in Sans (inferred from references). Its CVSS base score is 10.0 (Critical).
Operationally, it is ranked in the top 0.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.
Deeper analysis
An OS command injection vulnerability exists in various models of E-Series Linksys routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on port 8080. The CGI scripts improperly process user-supplied input passed to the ttcp_ip parameter without sanitization, allowing unauthenticated attackers to inject shell commands. This vulnerability was reported to be exploited in the wild by the "TheMoon" worm in 2014 to deploy a MIPS ELF payload, enabling arbitrary code execution on the router. Additionally, this vulnerability may affect other Linksys products, including, but not limited to, WAG/WAP/WES/WET/WRT-series router models and Wireless-N access points and routers.
Unauthenticated remote attackers can exploit the flaw by sending crafted HTTP requests containing shell commands in the ttcp_ip parameter. Successful exploitation grants arbitrary code execution on the affected router with no authentication or user interaction required, as reflected in the CVSS 10.0 score and CWE-78 classification.
Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC, and the vulnerability carries a current EPSS score of 0.8927 with a recorded peak of 0.8958. Public references include historical analyses from SANS ISC, VulnCheck, and Exploit-DB detailing the original 2014 worm activity and proof-of-concept code.
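The description above names two CGI endpoints, one parameter and a port, which is enough to write detection logic for web-server, proxy or router access logs. The following is an added example, not code from the page, from Linksys, or from any of the referenced analyses: it parses constructed combined-format log lines, flags any request to the two endpoints, and raises the severity when ttcp_ip is anything other than a plain IPv4 literal (the only value the parameter legitimately carries). The log format, the function names and the PLACEHOLDER_CMD token standing in for injected content are all assumptions.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Endpoints and parameter named in the CVE-2025-34037 description.
VULNERABLE_ENDPOINTS = {"/tmUnblock.cgi", "/hndUnblock.cgi"}
SUSPECT_PARAM = "ttcp_ip"

# Assumed combined-log-format line: client, ident, user, [time], "request", status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic). The third carries a
# URL-encoded ';' followed by a placeholder token, which is the shape of
# value a strict IPv4 check rejects; real injected content would differ.
LOG_LINES = [
    '10.0.0.5 - - [06/Feb/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200',
    '10.0.0.9 - - [06/Feb/2025:10:00:02 +0000] '
    '"GET /tmUnblock.cgi?ttcp_ip=192.168.1.20 HTTP/1.1" 200',
    '203.0.113.7 - - [06/Feb/2025:10:00:03 +0000] '
    '"POST /hndUnblock.cgi?ttcp_ip=192.168.1.1%3BPLACEHOLDER_CMD HTTP/1.1" 200',
]


def is_strict_ipv4(value: str) -> bool:
    """True only for a bare dotted-quad literal; anything else (shell
    metacharacters, whitespace, empty string) is rejected. This is also
    the check a hardened CGI handler should apply to ttcp_ip before the
    value reaches any shell or ping/traceroute-style helper."""
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True


def inspect_request(target: str) -> Optional[dict]:
    """Classify one request target. Returns None when the path is not one
    of the vulnerable endpoints, otherwise a finding dict."""
    parts = urlsplit(target)
    if parts.path not in VULNERABLE_ENDPOINTS:
        return None
    # Any hit on these endpoints is worth a look even with a clean value.
    finding = {
        "endpoint": parts.path,
        "severity": "medium",
        "reason": "request to CGI endpoint affected by CVE-2025-34037",
    }
    # parse_qs percent-decodes, so %3B arrives here as ';'.
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get(SUSPECT_PARAM, []):
        if not is_strict_ipv4(value):
            finding["severity"] = "high"
            finding["reason"] = f"{SUSPECT_PARAM} is not a plain IPv4 literal: {value!r}"
            break
    return finding


def scan_log(lines) -> list:
    """Run inspect_request over every parseable log line and collect findings."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        finding = inspect_request(match.group("target"))
        if finding is not None:
            finding["client"] = match.group("client")
            finding["method"] = match.group("method")
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(LOG_LINES):
        print(f"{f['severity']:6} {f['client']:15} {f['method']} {f['endpoint']}: {f['reason']}")
```

Two caveats for anyone deploying this: an access log only records the query string, so a ttcp_ip value delivered in a POST body is invisible here and needs a full HTTP capture or a proxy that logs bodies; and the "medium" finding for a clean-looking request is deliberate, because the endpoints should not be reachable from untrusted networks at all, so any external hit on port 8080 is itself a signal.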
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-18964
Vulnerability details
An OS command injection vulnerability exists in various models of E-Series Linksys routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on port 8080. The CGI scripts improperly process user-supplied input passed to the ttcp_ip parameter without sanitization, allowing unauthenticated attackers to inject shell commands. This vulnerability was reported to be exploited in the wild by the "TheMoon" worm in 2014 to deploy a MIPS ELF payload, enabling arbitrary code execution on the router. Additionally, this vulnerability may affect other Linksys products, including, but not limited to, WAG/WAP/WES/WET/WRT-series router models and Wireless-N access points and routers. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC.