CVE-2025-34035
published 2025-06-24


Priority: P1 (89) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Flags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 12.33% (95.7th percentile)
An OS command injection vulnerability exists in EnGenius EnShare Cloud Service version 1.4.11 and earlier. The usbinteract.cgi script fails to properly sanitize user input passed to the path parameter, allowing unauthenticated remote attackers to inject arbitrary shell commands. The injected commands are executed with root privileges, leading to full system compromise. Exploitation evidence was observed by the Shadowserver Foundation on 2024-12-05 UTC.

Affected

53 ranges (showing 25). The per-range version bounds for the firmware rows were not captured on this page; only the row counts survive.

Vendor        Product                             Version range                      Fixed in
engenius      enshare_iot_gigabit_cloud_service   <= 1.4.11                          not listed
engeniustech  epg5000_firmware                    7 ranges (bounds not captured)     not listed
engeniustech  esr1200_firmware                    5 ranges (bounds not captured)     not listed
engeniustech  esr1750_firmware                    8 ranges (bounds not captured)     not listed
engeniustech  esr300_firmware                     4 ranges shown (bounds not captured)   not listed

Detection & IOCs (extracted from sources)

Type      Indicator
path      /web/cgi-bin/usbinteract.cgi
path      /cgi-bin/usbinteract.cgi
command   action=7&path="|id||"
other     shodan: html:"/web/cgi-bin/usbinfo.cgi"
other     fofa: body="/web/cgi-bin/usbinfo.cgi"
  • Detect exploitation attempts by matching POST requests to usbinteract.cgi whose body carries the 'action=7' parameter and shell metacharacters (pipe, double quote, and similar) in the 'path' parameter.
  • Successful exploitation with the public payload returns HTTP 200 with a body containing 'uid=' and 'gid=' output from the injected 'id' command (uid=0, since the command runs as root) together with the string 'Content-type: text/html'.
  • Fingerprint exposed EnGenius EnShare devices by searching for the string '/web/cgi-bin/usbinfo.cgi' in HTTP response bodies (Shodan/FOFA pivoting).
  • Exploitation was observed in the wild by the Shadowserver Foundation on 2024-12-05 UTC, before the CVE was published; treat any POST to usbinteract.cgi with shell metacharacters in 'path' as a high-confidence active exploitation indicator.
  • The vulnerability is unauthenticated: no session token or credentials are required, so authentication-based detections will not filter out malicious requests.
  • Injected commands execute as root; post-exploitation activity (persistence, lateral movement) will also appear as root-owned processes, which may blend with legitimate system activity on these devices.
  • Two CGI paths are known to be targeted (/web/cgi-bin/usbinteract.cgi and /cgi-bin/usbinteract.cgi); detection rules must cover both path variants.
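The detection notes above, turned into runnable logic. This is an added example written for this page; it is not code from the advisory, from VulnCheck, from Shadowserver or from EnGenius. The function names, the record layout and the sample traffic are constructed for the illustration. It goes slightly beyond the bullet list: it normalises away a query string on the CGI path, parses the form body itself so a payload containing ';' is not split by a library parser, decodes the 'path' value a second time to catch double-encoded payloads, and separates "attempt" (matching request) from "exploited" (matching request plus 'id' output in the response).

```python
import re
from urllib.parse import unquote_plus

# Both CGI path variants named in the IOC list must be covered.
TARGET_PATHS = {"/web/cgi-bin/usbinteract.cgi", "/cgi-bin/usbinteract.cgi"}
# Shell metacharacters that have no business in a filesystem path parameter.
SHELL_META = re.compile(r"""[|;&`"'$\n]""")
# Output of the 'id' command used by the public payload, e.g. uid=0(root) gid=0(root).
ID_OUTPUT = re.compile(r"uid=\d+.*gid=\d+", re.S)
# HTML marker used for the Shodan/FOFA pivots.
FINGERPRINT = "/web/cgi-bin/usbinfo.cgi"


def parse_form(body: str) -> dict:
    """Minimal application/x-www-form-urlencoded parser keeping every value per key.

    Splits only on '&' so a ';' inside an injected command stays in the value.
    """
    params = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def is_exploit_attempt(method: str, url: str, body: str) -> bool:
    """POST to usbinteract.cgi with action=7 and shell metacharacters in 'path'."""
    if method.upper() != "POST":
        return False
    if url.split("?", 1)[0] not in TARGET_PATHS:
        return False
    params = parse_form(body)
    if "7" not in params.get("action", []):
        return False
    # Decode once more so a double-encoded payload is still caught.
    return any(SHELL_META.search(unquote_plus(p)) for p in params.get("path", []))


def is_confirmed_execution(status: int, response_body: str) -> bool:
    """HTTP 200 whose body carries uid=/gid= output shows the injected 'id' ran."""
    return status == 200 and ID_OUTPUT.search(response_body) is not None


def is_enshare_fingerprint(response_body: str) -> bool:
    """Matches the marker used in the Shodan/FOFA queries above."""
    return FINGERPRINT in response_body


def scan(records):
    """Classify (method, url, request_body, status, response_body) records."""
    verdicts = []
    for method, url, req_body, status, resp_body in records:
        if is_exploit_attempt(method, url, req_body):
            verdicts.append("exploited" if is_confirmed_execution(status, resp_body) else "attempt")
        elif is_enshare_fingerprint(resp_body):
            verdicts.append("fingerprint")
        else:
            verdicts.append("benign")
    return verdicts


# Constructed sample traffic for the illustration (not real captures).
SAMPLE_RECORDS = [
    # The IOC payload, sent literally to the /web/ variant; root 'id' output comes back.
    ("POST", "/web/cgi-bin/usbinteract.cgi", 'action=7&path="|id||"', 200,
     "Content-type: text/html\r\n\r\nuid=0(root) gid=0(root)\n"),
    # Same payload, URL-encoded, against the second path variant; nothing echoed back.
    ("POST", "/cgi-bin/usbinteract.cgi", "action=7&path=%22%7Cid%7C%7C%22", 200,
     "<html></html>"),
    # Same action with a plain path value: not an injection attempt.
    ("POST", "/web/cgi-bin/usbinteract.cgi", "action=7&path=/mnt/usb/share", 200,
     "<html></html>"),
    # Recon hit: a page that exposes the usbinfo.cgi marker.
    ("GET", "/", "", 200, '<a href="/web/cgi-bin/usbinfo.cgi">USB</a>'),
    # Unrelated request.
    ("GET", "/index.html", "", 404, "not found"),
]

if __name__ == "__main__":
    for record, verdict in zip(SAMPLE_RECORDS, scan(SAMPLE_RECORDS)):
        print(f"{verdict:12s} {record[0]} {record[1]}")
```

Run it as a script to see one verdict per sample record. A real deployment would feed it request/response pairs from a reverse proxy or packet capture; the response check only fires for the 'id' payload, so an "attempt" verdict on a matching request should be escalated on its own, since the page notes the vulnerability needs no credentials and the command runs as root.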

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL
  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v4.0: 10.0 CRITICAL
  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulnCheck: 10.0 CRITICAL