CVE-2025-34035
BaseFortify
Publication date: 2025-06-24
Last updated on: 2025-11-20
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| engeniustech | esr300_firmware | 1.1.0.28 |
| engeniustech | esr300_firmware | 1.3.1.42 |
| engeniustech | esr300_firmware | 1.4.0 |
| engeniustech | esr300_firmware | 1.4.1.28 |
| engeniustech | esr300_firmware | 1.4.2 |
| engeniustech | esr300_firmware | 1.4.7 |
| engeniustech | esr300_firmware | 1.4.9 |
| engeniustech | esr300 | * |
| engeniustech | esr350_firmware | 1.1.0.29 |
| engeniustech | esr350_firmware | 1.3.1.41 |
| engeniustech | esr350_firmware | 1.4.0 |
| engeniustech | esr350_firmware | 1.4.2 |
| engeniustech | esr350_firmware | 1.4.5 |
| engeniustech | esr350_firmware | 1.4.9 |
| engeniustech | esr350_firmware | 1.4.11 |
| engeniustech | esr350 | * |
| engeniustech | esr600_firmware | 1.1.0.50 |
| engeniustech | esr600_firmware | 1.2.1.46 |
| engeniustech | esr600_firmware | 1.3.1.63 |
| engeniustech | esr600_firmware | 1.4.0.23 |
| engeniustech | esr600_firmware | 1.4.1 |
| engeniustech | esr600_firmware | 1.4.2 |
| engeniustech | esr600_firmware | 1.4.3 |
| engeniustech | esr600_firmware | 1.4.5 |
| engeniustech | esr600_firmware | 1.4.9 |
| engeniustech | esr600_firmware | 1.4.11 |
| engeniustech | esr600 | * |
| engeniustech | esr900_firmware | 1.1.0 |
| engeniustech | esr900_firmware | 1.2.2.23 |
| engeniustech | esr900_firmware | 1.3.0 |
| engeniustech | esr900_firmware | 1.3.1.26 |
| engeniustech | esr900_firmware | 1.3.5.18 |
| engeniustech | esr900_firmware | 1.4.0 |
| engeniustech | esr900_firmware | 1.4.3 |
| engeniustech | esr900_firmware | 1.4.5 |
| engeniustech | esr900 | * |
| engeniustech | esr1200_firmware | 1.1.0 |
| engeniustech | esr1200_firmware | 1.3.1.34 |
| engeniustech | esr1200_firmware | 1.4.1 |
| engeniustech | esr1200_firmware | 1.4.3 |
| engeniustech | esr1200_firmware | 1.4.5 |
| engeniustech | esr1200 | * |
| engeniustech | esr1750_firmware | 1.1.0 |
| engeniustech | esr1750_firmware | 1.2.2.27 |
| engeniustech | esr1750_firmware | 1.3.0 |
| engeniustech | esr1750_firmware | 1.3.1.34 |
| engeniustech | esr1750_firmware | 1.4.0 |
| engeniustech | esr1750_firmware | 1.4.1 |
| engeniustech | esr1750_firmware | 1.4.3 |
| engeniustech | esr1750_firmware | 1.4.5 |
| engeniustech | esr1750 | * |
| engeniustech | epg5000_firmware | 1.2.0 |
| engeniustech | epg5000_firmware | 1.3.0 |
| engeniustech | epg5000_firmware | 1.3.2 |
| engeniustech | epg5000_firmware | 1.3.3 |
| engeniustech | epg5000_firmware | 1.3.3.17 |
| engeniustech | epg5000_firmware | 1.3.7.20 |
| engeniustech | epg5000_firmware | 1.3.9.21 |
| engeniustech | epg5000 | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an OS command injection flaw in the EnGenius EnShare Cloud Service version 1.4.11 and earlier. It exists in the 'usbinteract.cgi' script, which improperly sanitizes user input passed to the 'path' parameter via GET or POST requests. Because of this, an unauthenticated remote attacker can inject arbitrary shell commands that are executed with root privileges on the device, leading to full system compromise. The EnShare feature, enabled by default, allows remote access to media files on USB drives connected to the router, and this vulnerability allows attackers to exploit that access to run commands as root without authentication. [1, 2, 3]
How can this vulnerability impact me?
Exploiting this vulnerability allows an attacker to execute arbitrary commands on the affected device with root privileges without any authentication. This means the attacker can take full control of the device, potentially accessing sensitive data, modifying or deleting files, installing malware, or using the device as a foothold to attack other systems on the network. Since the vulnerability affects multiple EnGenius router models and firmware versions, any device running the vulnerable EnShare Cloud Service is at severe risk of full system compromise. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending specially crafted HTTP POST requests to the affected device's usbinteract.cgi script on port 9000, targeting the 'path' parameter with command injection payloads. For example, you can test by sending a POST request with a payload such as `action=7&path="|id||"` and checking whether the device executes the 'id' command and returns its output, which indicates that it is vulnerable. Sending these requests with a tool like curl or a Python script (such as the provided proof-of-concept exploit scripts) and observing the responses can confirm the presence of the vulnerability. [1, 3]
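For passive detection from the defender's side, the following added example (not code from the advisory or the vendor) scans HTTP request logs for traffic to usbinteract.cgi on port 9000. The log line format, the `/cgi-bin/` URL prefix, the sample lines and the trusted range are constructed assumptions; because POST bodies are rarely logged, any request to the script from outside the trusted range is flagged as well.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

# Shell metacharacters that have no place in a USB media path.
SHELL_META = re.compile(r'[|;&`$<>\n"\']')
TRUSTED = [ipaddress.ip_network("192.168.0.0/16")]  # assumption: your LAN range

# Constructed sample lines: "<time> <src_ip> <dst_ip>:<dst_port> <METHOD> <url>"
SAMPLE_LOG = """\
2025-06-25T10:00:01Z 192.168.1.20 192.168.1.1:9000 GET /index.html
2025-06-25T10:00:07Z 203.0.113.5 192.168.1.1:9000 POST /cgi-bin/usbinteract.cgi
2025-06-25T10:00:09Z 192.168.1.20 192.168.1.1:9000 GET /cgi-bin/usbinteract.cgi?action=7&path=%22%7Cid%7C%7C%22
2025-06-25T10:00:12Z 192.168.1.20 192.168.1.1:9000 GET /cgi-bin/usbinteract.cgi?action=7&path=/Music
"""

def classify(line):
    """Return (reason, src_ip) for a suspicious log line, or None."""
    parts = line.split()
    if len(parts) != 5:
        return None  # not in the assumed log format
    _, src, dst, _method, url = parts
    target = urlsplit(url)
    if not target.path.endswith("usbinteract.cgi") or not dst.endswith(":9000"):
        return None
    # parse_qs percent-decodes values, so encoded metacharacters are caught too.
    values = parse_qs(target.query, keep_blank_values=True).get("path", [])
    if any(SHELL_META.search(v) for v in values):
        return ("shell metacharacter in path parameter", src)
    if not any(ipaddress.ip_address(src) in net for net in TRUSTED):
        return ("usbinteract.cgi reached from untrusted network", src)
    return None

def scan(log_text):
    """Classify every line and return the list of (reason, src_ip) hits."""
    hits = []
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            hits.append(result)
    return hits

if __name__ == "__main__":
    for reason, src in scan(SAMPLE_LOG):
        print(f"{src}: {reason}")
```

A hit on the second rule also means port 9000 is reachable from outside the trusted range, which is worth closing regardless of firmware version.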
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling the EnShare feature if it is not needed, restricting access to the device's management interface (especially port 9000) to trusted networks only, and applying the vendor's patched firmware versions that fix this vulnerability. The vendor has released patched firmware versions such as EPG5000 1.3.014-30, ESR600 1.4.12-64, and ESR900 1.4.6. Updating to these or later versions will remediate the command injection flaw. [2]