CVE-2013-3307
Published 2025-07-11
Priority P181 · high · 8.3 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:C / C:L / I:L / A:L
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 5.62% (92.0th percentile)
Linksys E1000 devices through 2.1.02, E1200 devices before 2.0.05, and E3200 devices through 1.0.04 allow OS command injection via shell metacharacters in the apply.cgi ping_ip parameter on TCP port 52000.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linksys | e1000 | <= 2.1.02 | — |
| linksys | e1200 | < 2.0.05 | 2.0.05 |
| linksys | e3200 | <= 1.0.04 | — |
Detection & IOCs (extracted from sources)
command: submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&nowait=1&ping_ip=%3b%20ping%20-c%201%20192%2e168%2e1%2e147%20%3b&ping_size=&ping_times=5&traceroute_ip=
- Detect exploit attempts against CVE-2013-3307 by monitoring POST requests to /apply.cgi on TCP port 52000 containing shell metacharacters (e.g., %3b, backtick, semicolon) in the ping_ip parameter.
- Hunt for AryStinger C2 beaconing by looking for outbound HTTP/HTTPS connections with Protobuf-encoded, XOR-obfuscated traffic to ajb8.com and related hosts.
- Flag any Dropbear SSH listener appearing on port 2332 on router devices as an AryStinger persistence indicator.
- Alert on processes named syswapd0h or syswapd0w running on router or NAS devices as AryStinger malware indicators.
- Inspect /tmp/bin on potentially compromised routers for unexpected ELF binaries dropped by AryStinger.
- The initial AryStinger propagation IP 107.150.106.14 should be blocked and used as a hunt pivot for related infrastructure.
- The exploit payload downloads a MIPS big-endian ELF reverse shell; detect wget or curl commands in ping_ip POST body targeting /tmp paths on Linksys devices.
- The hardcoded SSH key string sh_#@!_2024_secret can be used as a byte/string signature to detect AryStinger implants in memory or on disk.
- CVE-2013-3307 exploitation requires authentication to the device, or an alternative method to inject commands, limiting unauthenticated remote exploitation.
- The 4,300 infection count for AryStinger covers only RTL819X routers; NAS infections via CVE-2025-11837 are not measured and the true total is unknown.
- AryStinger attribution is unresolved; defenders should not assume a specific threat actor when triaging detections.
- The NAS (Go) build uses gs-netcat for persistence rather than Dropbear SSH on port 2332; detection rules for persistence must account for both variants.
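An added example, not taken from any of the sources on this page: a Python check implementing the first detection note (POST to /apply.cgi on TCP port 52000 with shell metacharacters in ping_ip) together with the wget/curl-to-/tmp note, run against the request body quoted above. The function name `inspect_request`, the finding labels and the benign sample are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs

# Shell metacharacters that have no place in a ping target.
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n\r]")
# What a legitimate target looks like: hostname, IPv4 or IPv6 literal.
VALID_TARGET = re.compile(r"^[A-Za-z0-9.:\-]{1,253}$")
# Download-and-stage pattern from the hunting note (wget/curl towards /tmp).
DOWNLOADER = re.compile(r"\b(?:wget|curl)\b.*?/tmp\b", re.S)

# POST body quoted on this page.
PAGE_BODY = ("submit_button=Diagnostics&change_action=gozila_cgi"
             "&submit_type=start_ping&action=&commit=0&nowait=1"
             "&ping_ip=%3b%20ping%20-c%201%20192%2e168%2e1%2e147%20%3b"
             "&ping_size=&ping_times=5&traceroute_ip=")
# Constructed benign request for comparison (not from the page).
BENIGN_BODY = PAGE_BODY.replace(
    "%3b%20ping%20-c%201%20192%2e168%2e1%2e147%20%3b", "192.168.1.1")


def inspect_request(method, path, dst_port, body, port=52000):
    """Return a list of findings for one HTTP request; empty means clean."""
    findings = []
    if method.upper() != "POST" or dst_port != port:
        return findings
    if path.split("?", 1)[0] != "/apply.cgi":
        return findings
    # parse_qs percent-decodes values, so %3b and a literal ';' look the same.
    params = parse_qs(body, keep_blank_values=True)
    for value in params.get("ping_ip", []):
        metas = sorted(set(SHELL_META.findall(value)))
        if metas:
            findings.append(("shell-metacharacter", metas))
        elif value and not VALID_TARGET.match(value):
            # Spaces, quotes and other characters an address never contains.
            findings.append(("non-address-value", value))
        if DOWNLOADER.search(value):
            findings.append(("downloader-to-tmp", value.strip()))
    return findings


if __name__ == "__main__":
    for name, body in (("page sample", PAGE_BODY), ("benign", BENIGN_BODY)):
        print(name, inspect_request("POST", "/apply.cgi", 52000, body))
```

Matching on the decoded value rather than on raw strings such as `%3b` also catches upper-case or mixed encodings of the same characters.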
CVSS provenance
nvd · v3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
vulncheck · 8.3 HIGH
GHSA
GHSA-wg68-f4gp-9q35
ghsa_unreviewed · 2025-07-11
CVE-2013-3307 [HIGH] CWE-78
Linksys E1000 devices through 2.1.02, E1200 devices before 2.0.05, and E3200 devices through 1.0.04 allow OS command injection via shell metacharacters in the apply.cgi ping_ip parameter on TCP port 52000.
VulnCheck
Linksys x3000 firmware ping_ip command injection
vulncheck · 2013 · CVSS 8.3
CVE-2013-3307 [HIGH]
Linksys x3000 firmware is vulnerable to a command injection vulnerability via the ping_ip parameter.
Affected: x3000_firmware Linksys
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits; https://cybersecurity.att.com/blogs/labs-research/botenago-strike-again-malware-source-code-uploaded-to-github; https://www.fortiguard.com/threat-signal-report/4389/botenago-malware-targets-multiple-iot-devices; https://blog.xlab.qianxin.com/mirai-tbot-en/; ht
No detection rules found.
Hackernews
AryStinger Malware Infects 4,300 Legacy Routers to Build Reconnaissance Proxy Network
blogs_hackernews · 2026-06-22 · CVSS 8.3
## AryStinger Malware Infects 4,300 Legacy Routers to Build Reconnaissance Proxy Network
A new malware family is turning forgotten home routers into a distributed reconnaissance and proxy network, not the DDoS botnet these devices usually end up in. QiAnXin's XLab calls it AryStinger and counts at least 4,300 infected routers, a total it says is still rising.
The distinction matters. AryStinger exists for the stage of an attack that comes before the break-in. Infected devices scan the internet, fingerprint services, enumerate subdomains, tunnel traffic, and run commands on demand, then ship the results back to the operator.
Ea
Bleepingcomputer
AryStinger botnet infected thousands of D-Link routers worldwide
blogs_bleepingcomputer · 2026-06-21 · CVSS 8.3
## AryStinger botnet infected thousands of D-Link routers worldwide
## Bill Toulas
A previously undocumented malware botnet named AryStinger has compromised more than 4,000 outdated routers to turn them into proxies for malicious traffic.
Researchers at Qianxin's XLab threat intelligence team say that the malware converts infected devices into remotely controlled “executors” that can perform scanning, proxying, tunneling, command execution, and other activities on behalf of the attacker.
“The attacker can split a massive scanning task into multiple small chunks and distribute them to different Executors for parallel execution,” XLab researchers note.
“With this distributed-like design, the attacker can efficiently complete the early "footprinting" activities, thereby providing strong