Vulnerability Description
An OS command injection vulnerability exists in various models of E-Series Linksys routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on port 8080. The CGI scripts improperly process user-supplied input passed to the ttcp_ip parameter without sanitization, allowing unauthenticated attackers to inject shell commands. This vulnerability was reported to be exploited in the wild by the "TheMoon" worm in 2014 to deploy a MIPS ELF payload, enabling arbitrary code execution on the router. Additionally, this vulnerability may affect other Linksys products to include, but not limited to, WAG/WAP/WES/WET/WRT-series router models and Wireless-N access points and routers. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC.
Related Weaknesses (CWE)
References
- https://isc.sans.edu/diary/17633
- https://vulncheck.com/advisories/linksys-routers-command-injection
- https://www.exploit-db.com/exploits/31683
FAQ
What is CVE-2025-34037?
CVE-2025-34037 is a documented vulnerability. An OS command injection vulnerability exists in various models of E-Series Linksys routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on port 8080. The CGI scripts improperly proce...
How severe is CVE-2025-34037?
CVSS scoring is not yet available for CVE-2025-34037. Check NVD for updates.
Is there a patch for CVE-2025-34037?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.