CVE-2025-34037
Status: Awaiting Analysis - Queue
BaseFortify

Publication date: 2025-06-24

Last updated on: 2026-03-20

Assigner: VulnCheck

Description
An OS command injection vulnerability exists in various models of E-Series Linksys routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on port 8080. The CGI scripts improperly process user-supplied input passed to the ttcp_ip parameter without sanitization, allowing unauthenticated attackers to inject shell commands. This vulnerability was reported to be exploited in the wild by the "TheMoon" worm in 2014 to deploy a MIPS ELF payload, enabling arbitrary code execution on the router. Additionally, this vulnerability may affect other Linksys products, including, but not limited to, WAG/WAP/WES/WET/WRT-series router models and Wireless-N access points and routers. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC.
Meta Information
Published
2025-06-24
Last Modified
2026-03-20
Generated
2026-05-07
AI Q&A
2025-06-24
EPSS Evaluated
2026-05-05
NVD
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an OS command injection flaw in various Linksys E-Series routers and related models. It occurs because the router's CGI scripts (/tmUnblock.cgi and /hndUnblock.cgi), reachable over HTTP on port 8080, pass the user-supplied ttcp_ip parameter into a shell command without sanitization. Because the endpoints require no authentication, a remote attacker can inject and execute arbitrary shell commands as the CGI process. The "TheMoon" worm exploited this flaw in 2014 to download and run a malicious MIPS ELF payload on the router, giving it full control over the device. [1, 2]
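The following is an added example, not code from this page or from Linksys firmware: a minimal Python model of a CGI handler that interpolates the ttcp_ip parameter into a shell command (the CWE-78 pattern described above), shown beside a hardened handler that validates the value as an IP literal and never invokes a shell. The real /tmUnblock.cgi is a native binary, so the handler shape is an assumption; `echo` stands in for the ttcp tool so the example runs anywhere without a network, and the injected query string is constructed for the demonstration.

```python
"""Added example: vulnerable vs. hardened handling of a ttcp_ip CGI parameter.
Not the Linksys code; a Python model of the CWE-78 pattern only."""
import ipaddress
import subprocess
from urllib.parse import parse_qs

TTCP_BIN = "echo"  # assumption: stand-in for the real ttcp binary


def vulnerable_handler(query_string: str) -> str:
    """Vulnerable: ttcp_ip is spliced into a command line handed to /bin/sh.
    Shell metacharacters in the parameter (;, |, `, $()) are not neutralised,
    so an attacker-chosen command runs after the intended ttcp invocation."""
    params = parse_qs(query_string)
    ttcp_ip = params.get("ttcp_ip", [""])[0]
    cmd = f"{TTCP_BIN} ttcp -t {ttcp_ip}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def hardened_handler(query_string: str) -> str:
    """Hardened: accept only a bare IPv4/IPv6 literal and pass it as one argv
    element, so no shell ever parses the value."""
    params = parse_qs(query_string)
    ttcp_ip = params.get("ttcp_ip", [""])[0]
    try:
        ip = ipaddress.ip_address(ttcp_ip)  # raises on anything but an address
    except ValueError as exc:
        raise ValueError(f"rejected ttcp_ip: {ttcp_ip!r}") from exc
    result = subprocess.run([TTCP_BIN, "ttcp", "-t", str(ip)],
                            capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    # Constructed request: a benign address, then one with an injected command.
    benign = "ttcp_ip=127.0.0.1"
    injected = "ttcp_ip=127.0.0.1%3Becho%20INJECTED"  # "127.0.0.1;echo INJECTED"
    print(vulnerable_handler(benign), end="")
    print(vulnerable_handler(injected), end="")  # second line shows the injection ran
    print(hardened_handler(benign), end="")
    try:
        hardened_handler(injected)
    except ValueError as e:
        print(e)
```

The hardened version fixes the bug at both layers the advisory implicates: input is validated against the one type the parameter can legitimately hold, and the command is executed without a shell, so even a validation gap could not turn into command execution.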


How can this vulnerability impact me?

If exploited, this vulnerability allows an attacker to execute arbitrary code on your Linksys router without authentication. This can lead to the router being compromised and controlled remotely, potentially allowing the attacker to deploy malware, scan networks for other vulnerable devices, and disrupt your network operations. The infected router may also host malicious binaries and open new ports for further attacks, severely impacting network security and stability. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Candidate devices can be fingerprinted with an unauthenticated HTTP GET to port 8080 on the router for the "/HNAP1/" URL. Affected Linksys models respond with an XML document listing device features including model and firmware version, for example <ModelName>E2500</ModelName> and <FirmwareVersion>1.0.07 build 1</FirmwareVersion>. Note that this response identifies the device; it does not by itself prove that /tmUnblock.cgi or /hndUnblock.cgi is reachable and unpatched, so treat a match as a lead to verify rather than a confirmed vulnerability. Indicators of compromise include heavy outbound scanning from the router on TCP ports 80 and 8080 and inbound connection attempts to various ports below 1024. A sample fingerprinting command is: curl -i http://<router_ip>:8080/HNAP1/ and check the response for the XML body. [1]
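The two checks above (HNAP1 fingerprint, outbound-scanning indicator), as an added example that is not code from this page or from any vendor tool. The HNAP1 response and the firewall log lines are constructed samples; the XML follows the general HNAP1 GetDeviceSettings response shape, but the exact element layout on a given firmware build, the iptables-style log format, and the scanning threshold are assumptions.

```python
"""Added example: HNAP1 fingerprint parsing and outbound-scan detection.
Sample data below is constructed, not a real capture."""
import re
import urllib.request
import xml.etree.ElementTree as ET
from collections import defaultdict

WANTED = ("ModelName", "ModelDescription", "FirmwareVersion")


def parse_hnap_fingerprint(xml_text: str) -> dict:
    """Pull model/firmware fields out of an HNAP1 XML body, ignoring namespaces."""
    found = {}
    for elem in ET.fromstring(xml_text).iter():
        local = elem.tag.rsplit("}", 1)[-1]  # strip "{namespace}" prefix if present
        if local in WANTED and elem.text:
            found[local] = elem.text.strip()
    return found


def probe_hnap(host: str, port: int = 8080, timeout: float = 5.0) -> dict:
    """Live probe: GET /HNAP1/ and parse the reply. Not exercised offline."""
    url = f"http://{host}:{port}/HNAP1/"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_hnap_fingerprint(resp.read().decode("utf-8", "replace"))


# Assumed netfilter-style log line: "... SRC=a DST=b ... DPT=n ..."
LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?DPT=(\d+)")


def flag_scanners(log_lines, ports=(80, 8080), min_targets=20) -> dict:
    """Return {src: distinct_targets} for sources that contacted at least
    min_targets distinct hosts on the given ports: the outbound-scanning
    pattern the advisory lists as an indicator of TheMoon infection."""
    targets = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, dpt = m.group(1), m.group(2), int(m.group(3))
        if dpt in ports:
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


# Constructed HNAP1 reply (shape assumed; values from the advisory's example).
SAMPLE_HNAP = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Body>
  <GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">
   <ModelName>E2500</ModelName>
   <FirmwareVersion>1.0.07 build 1</FirmwareVersion>
  </GetDeviceSettingsResponse>
 </soap:Body>
</soap:Envelope>"""

# Constructed log: the router (192.168.1.1) sprays SYNs to 30 hosts on 8080;
# a workstation makes two ordinary connections.
SAMPLE_LOGS = [
    f"kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.1 DST=203.0.113.{i} PROTO=TCP DPT=8080 SYN"
    for i in range(1, 31)
] + [
    "kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.7 PROTO=TCP DPT=443 SYN",
    "kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.8 PROTO=TCP DPT=80 SYN",
]

if __name__ == "__main__":
    print(parse_hnap_fingerprint(SAMPLE_HNAP))
    print(flag_scanners(SAMPLE_LOGS))
```

Run `probe_hnap("<router_ip>")` against a device you are authorised to test; a populated ModelName/FirmwareVersion pair is the same information the curl command above returns, and the scanning detector is meant to run over the upstream firewall's forward-chain logs, since an infected router will not log its own activity honestly.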


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include disabling remote administration on the router, or at least moving the remote admin port off the defaults (80 or 8080) to a non-standard port. Restricting remote administration access by source IP address also limits exposure. Additionally, replacing the stock firmware with open-source firmware such as DD-WRT or OpenWrt, which do not ship the affected CGI scripts, removes the vulnerable code path. Monitoring for unusual outbound scanning activity on ports 80 and 8080 is also recommended, since that traffic is the most visible sign of an already infected device. [1]

