cbcvebase.
CVE-2013-3307
published 2025-07-11


Priority: P1 81 high
CVSS 3.1: 8.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L)
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 5.62% (92.0th percentile)
Linksys E1000 devices through 2.1.02, E1200 devices before 2.0.05, and E3200 devices through 1.0.04 allow OS command injection via shell metacharacters in the apply.cgi ping_ip parameter on TCP port 52000.

Affected

3 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linksys | e1000 | <= 2.1.02 | |
| linksys | e1200 | < 2.0.05 | 2.0.05 |
| linksys | e3200 | <= 1.0.04 | |

Detection & IOCs (extracted from sources)

port: 52000
port: 2332
path: /apply.cgi
path: /tmp/bin
filename: mipsbe_reverse_shell.elf
process: syswapd0h
process: syswapd0w
command: submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&nowait=1&ping_ip=%3b%20ping%20-c%201%20192%2e168%2e1%2e147%20%3b&ping_size=&ping_times=5&traceroute_ip=
path: /tmp/test1
  • Detect exploit attempts against CVE-2013-3307 by monitoring POST requests to /apply.cgi on TCP port 52000 containing shell metacharacters (e.g., %3b, backtick, semicolon) in the ping_ip parameter.
  • Hunt for AryStinger C2 beaconing by looking for outbound HTTP/HTTPS connections with Protobuf-encoded, XOR-obfuscated traffic to ajb8.com and related hosts.
  • Flag any Dropbear SSH listener appearing on port 2332 on router devices as an AryStinger persistence indicator.
  • Alert on processes named syswapd0h or syswapd0w running on router or NAS devices as AryStinger malware indicators.
  • Inspect /tmp/bin on potentially compromised routers for unexpected ELF binaries dropped by AryStinger.
  • The initial AryStinger propagation IP 107.150.106.14 should be blocked and used as a hunt pivot for related infrastructure.
  • The exploit payload downloads a MIPS big-endian ELF reverse shell; detect wget or curl commands in ping_ip POST body targeting /tmp paths on Linksys devices.
  • The hardcoded SSH key string sh_#@!_2024_secret can be used as a byte/string signature to detect AryStinger implants in memory or on disk.
  • CVE-2013-3307 exploitation requires authentication to the device, or an alternative method to inject commands, limiting unauthenticated remote exploitation.
  • The 4,300 infection count for AryStinger covers only RTL819X routers; NAS infections via CVE-2025-11837 are not measured and the true total is unknown.
  • AryStinger attribution is unresolved; defenders should not assume a specific threat actor when triaging detections.
  • The NAS (Go) build uses gs-netcat for persistence rather than Dropbear SSH on port 2332; detection rules for persistence must account for both variants.

CVSS provenance

nvd: v3.1, 8.3 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
vulncheck: 8.3 HIGH