CVE-2025-34035
published 2025-06-24CVE-2025-34035: An OS command injection vulnerability exists in EnGenius EnShare Cloud Service version 1.4.11 and earlier. The usbinteract.cgi script fails to properly…
PriorityP189critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
12.33%
95.7th percentile
An OS command injection vulnerability exists in EnGenius EnShare Cloud Service version 1.4.11 and earlier. The usbinteract.cgi script fails to properly sanitize user input passed to the path parameter, allowing unauthenticated remote attackers to inject arbitrary shell commands. The injected commands are executed with root privileges, leading to full system compromise. Exploitation evidence was observed by the Shadowserver Foundation on 2024-12-05 UTC.
Affected
53 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| engenius | enshare_iot_gigabit_cloud_service | <= 1.4.11 | — |
| engeniustech | epg5000_firmware | — | — |
| engeniustech | epg5000_firmware | — | — |
| engeniustech | epg5000_firmware | — | — |
| engeniustech | epg5000_firmware | — | — |
| engeniustech | epg5000_firmware | — | — |
| engeniustech | epg5000_firmware | — | — |
| engeniustech | epg5000_firmware | — | — |
| engeniustech | esr1200_firmware | — | — |
| engeniustech | esr1200_firmware | — | — |
| engeniustech | esr1200_firmware | — | — |
| engeniustech | esr1200_firmware | — | — |
| engeniustech | esr1200_firmware | — | — |
| engeniustech | esr1750_firmware | — | — |
| engeniustech | esr1750_firmware | — | — |
| engeniustech | esr1750_firmware | — | — |
| engeniustech | esr1750_firmware | — | — |
| engeniustech | esr1750_firmware | — | — |
| engeniustech | esr1750_firmware | — | — |
| engeniustech | esr1750_firmware | — | — |
| engeniustech | esr1750_firmware | — | — |
| engeniustech | esr300_firmware | — | — |
| engeniustech | esr300_firmware | — | — |
| engeniustech | esr300_firmware | — | — |
| engeniustech | esr300_firmware | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect exploitation attempts by matching POST requests to usbinteract.cgi with the 'action=7' parameter and shell metacharacters (pipe, quote) in the 'path' parameter body. ↗
- →Successful exploitation returns HTTP 200 with a body containing 'uid=' and 'gid=' output from the injected 'id' command, and the string 'Content-type: text/html'. ↗
- →Fingerprint vulnerable EnGenius EnShare devices by searching for the string '/web/cgi-bin/usbinfo.cgi' in HTTP response bodies (Shodan/FOFA pivoting). ↗
- →Exploitation was observed in the wild by the Shadowserver Foundation on 2024-12-05 UTC; treat any POST to usbinteract.cgi with shell metacharacters in 'path' as a high-confidence active exploitation indicator. ↗
- ·The vulnerability is unauthenticated — no session token or credentials are required to exploit it, so authentication-based detections will not filter out malicious requests. ↗
- ·Injected commands execute as root; post-exploitation activity (persistence, lateral movement) will also appear as root-owned processes, which may blend with legitimate system activity on these devices. ↗
- ·Two CGI paths are known to be targeted (/web/cgi-bin/usbinteract.cgi and /cgi-bin/usbinteract.cgi); detection rules must cover both path variants. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.010.0CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck10.0CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-xv32-fpqh-v67r: An OS command injection vulnerability exists in EnGenius EnShare Cloud Service version 1
ghsa_unreviewed·2025-06-26
CVE-2025-34035 [CRITICAL] CWE-20 GHSA-xv32-fpqh-v67r: An OS command injection vulnerability exists in EnGenius EnShare Cloud Service version 1
An OS command injection vulnerability exists in EnGenius EnShare Cloud Service version 1.4.11 and earlier. The usbinteract.cgi script fails to properly sanitize user input passed to the path parameter, allowing unauthenticated remote attackers to inject arbitrary shell commands. The injected commands are executed with root privileges, leading to full system compromise.
VulnCheck
engeniustech esr300_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2025·CVSS 10.0
CVE-2025-34035 [CRITICAL] engeniustech esr300_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
engeniustech esr300_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
An OS command injection vulnerability exists in EnGenius EnShare Cloud Service version 1.4.11 and earlier. The usbinteract.cgi script fails to properly sanitize user input passed to the path parameter, allowing unauthenticated remote attackers to inject arbitrary shell commands. The injected commands are executed with root privileges, leading to full system compromise. Exploitation evidence was observed by the Shadowserver Foundation on 2024-12-05 UTC.
Affected: EnGenius EnShare Cloud Service
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation Reference
No detection rules found.
Nuclei
EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 Root Remote Code Execution
nuclei·CVSS 10.0
CVE-2025-34035 [CRITICAL] EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 Root Remote Code Execution
EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 Root Remote Code Execution
An OS command injection vulnerability exists in EnGenius EnShare Cloud Service version 1.4.11 and earlier.The usbinteract.cgi script fails to properly sanitize user input passed to the path parameter, allowing unauthenticated remote attackers to inject arbitrary shell commands.The injected commands are executed with root privileges, leading to full system compromise.
Template:
id: CVE-2025-34035
info:
name: EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 Root Remote Code Execution
author: intelligent-ears
severity: critical
description: |
An OS command injection vulnerability exists in EnGenius EnShare Cloud Service version 1.4.11 and earlier.The usbinteract.cgi script fails to properly sanitize user input p
No writeups or analysis indexed.
https://cxsecurity.com/issue/WLB-2017060050https://packetstormsecurity.com/files/142792https://vulncheck.com/advisories/engenius-enshare-iot-gigabit-cloud-servicehttps://www.exploit-db.com/exploits/42114https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5413.phphttps://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5413.php
2025-06-24
Published
Exploited in the wild