An OS command injection vulnerability exists in various models of E-Series Linksys routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on port 8080. The CGI scripts improperly process user-supplied input passed to the ttcp_ip parameter without sanitization, allowing unauthenticated attackers to inject shell commands. This vulnerability is exploited in the wild by the "TheMoon" worm to deploy a MIPS ELF payload, enabling arbitrary code execution on the router. This vulnerability may affect other Linksys products, including but not limited to WAG/WAP/WES/WET/WRT-series router models and Wireless-N access points and routers.
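A defender-side check for the request pattern described above, as an added example that is not part of the advisory: it classifies HTTP requests that reach either CGI script and flags any `ttcp_ip` value that is not a plain address. The record layout, the verdict names and the rule that a legitimate value is a bare IP address or hostname are assumptions.

```python
import re
from urllib.parse import unquote, unquote_plus

VULN_SCRIPTS = {"tmunblock.cgi", "hndunblock.cgi"}  # endpoints named in the advisory
PARAM = "ttcp_ip"                                   # parameter named in the advisory
# Assumption: a legitimate value is a bare IP address or hostname.
SAFE_VALUE = re.compile(r"[A-Za-z0-9.\-]{1,253}")

def _param_values(encoded):
    """Yield decoded ttcp_ip values from a form-encoded string (query or body)."""
    for pair in encoded.split("&"):
        key, _, val = pair.partition("=")
        if unquote_plus(key) == PARAM:
            yield unquote_plus(val)

def classify(target, body=""):
    """Return 'ignore', 'probe' or 'suspicious' for one HTTP request."""
    path, _, query = target.partition("?")
    # Compare on the decoded, lower-cased final path segment.
    script = unquote(path).rstrip("/").rsplit("/", 1)[-1].lower()
    if script not in VULN_SCRIPTS:
        return "ignore"
    values = list(_param_values(query)) + list(_param_values(body))
    if any(not SAFE_VALUE.fullmatch(v) for v in values):
        return "suspicious"   # value is not a plain address: possible injection
    return "probe"            # endpoint touched, parameter absent or well-formed

# Constructed sample records: (source address, request-target, request body).
SAMPLE = [
    ("198.51.100.7", "/index.html", ""),
    ("198.51.100.8", "/tmUnblock.cgi", "ttcp_ip=192.0.2.10"),
    ("198.51.100.9", "/hndUnblock.cgi", "ttcp_ip=192.0.2.10%3Becho+x"),
    ("198.51.100.9", "/tmUnblock.cgi?ttcp_ip=%60x%60", ""),
]

def scan(records):
    """Return (source, verdict) for every request that touched either CGI script."""
    hits = [(src, classify(t, b)) for src, t, b in records]
    return [(src, v) for src, v in hits if v != "ignore"]

if __name__ == "__main__":
    for src, verdict in scan(SAMPLE):
        print(src, verdict)
```

Because the advisory describes unauthenticated access, a `probe` verdict from an untrusted source is itself worth reviewing on an affected device.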
Reserved 2025-04-15 | Published 2025-06-24 | Updated 2025-06-24 | Assigner VulnCheck
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-20 Improper Input Validation
Johannes Ullrich of SANS Internet Storm Center
isc.sans.edu/diary/17633
www.exploit-db.com/exploits/31683
vulncheck.com/advisories/linksys-routers-command-injection