CVE-2025-34037
Published: 2025-06-24
Priority: P1 · 94 · critical · 10 (CVSS 4.0)
ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 85.37% (99.7th percentile)
An OS command injection vulnerability exists in various models of E-Series Linksys routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on port 8080. The CGI scripts improperly process user-supplied input passed to the ttcp_ip parameter without sanitization, allowing unauthenticated attackers to inject shell commands. This vulnerability was reported to be exploited in the wild by the "TheMoon" worm in 2014 to deploy a MIPS ELF payload, enabling arbitrary code execution on the router. Additionally, this vulnerability may affect other Linksys products to include, but not limited to, WAG/WAP/WES/WET/WRT-series router models and Wireless-N access points and routers. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linksys | e1000_v1 | < 2.1.03 | 2.1.03 |
| linksys | e1200_v1 | <= 1.0.04 | — |
| linksys | e1500_v1 | < 1.0.06 | 1.0.06 |
| linksys | e1550 | <= 1.0.03 | — |
| linksys | e2000 | — | — |
| linksys | e2100l_v1 | <= 1.0.05 | — |
| linksys | e2500_v1_v2 | < 2.0.00 | 2.0.00 |
| linksys | e3000 | < 1.0.06 | 1.0.06 |
| linksys | e3200 | < 1.0.05 | 1.0.05 |
| linksys | e4200 | < 1.0.06 | 1.0.06 |
| linksys | e900_v1 | < 1.0.04 | 1.0.04 |
Detection & IOCs

Snort/Suricata rule M1 (SID 2068292, /tmUnblock.cgi):

```snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Linksys E-Series OS Command Injection (CVE-2025-34037) M1"; flow:established,to_server; http.uri; content:"/tmUnblock.cgi"; fast_pattern; http.request_body; content:"ttcp_ip|3d|"; pcre:"/^[^&]*?(?:[\x3b\x24\x26\x60\x7c]|\x25(?:3[bB]|2[46]|60|7[cC]))/R"; http.method; content:"POST"; reference:url,www.bitsight.com/blog/rondodox-botnet-infrastructure-analysis; reference:cve,2025-34037; classtype:web-application-attack; sid:2068292; rev:1;)
```

Snort/Suricata rule M2 (SID 2068293, /hndUnblock.cgi):

```snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Linksys E-Series OS Command Injection (CVE-2025-34037) M2"; flow:established,to_server; http.uri; content:"/hndUnblock.cgi"; fast_pattern; http.request_body; content:"ttcp_ip|3d|"; pcre:"/^[^&]*?(?:[\x3b\x24\x26\x60\x7c]|\x25(?:3[bB]|2[46]|60|7[cC]))/R"; http.method; content:"POST"; reference:url,www.bitsight.com/blog/rondodox-botnet-infrastructure-analysis; reference:cve,2025-34037; classtype:web-application-attack; sid:2068293; rev:1;)
```
- Exploit targets the `ttcp_ip` POST body parameter on /tmUnblock.cgi and /hndUnblock.cgi; look for shell metacharacters (;, $, &, `, |) or their URL-encoded equivalents (%3b, %24, %26, %60, %7c) immediately following the `ttcp_ip=` value.
- Exploitation arrives as an unauthenticated HTTP POST to port 8080; no authentication headers are required, making it straightforward to filter on destination port 8080 + URI pattern.
- The payload delivered in the wild is a MIPS ELF binary; detections on router file-system or memory should look for MIPS ELF magic bytes dropped by the TheMoon worm.
- Active exploitation was re-observed by Shadowserver on 2025-02-06 UTC; correlate IDS/firewall logs from that date forward for retrospective hunting.
- Metasploit module `exploits/linux/http/linksys_themoon_exec` is publicly available; scan for matching exploit traffic patterns from automated scanners using this module.
- Snort/Suricata SID 2068292 (M1, /tmUnblock.cgi) and SID 2068293 (M2, /hndUnblock.cgi) are the canonical ET rules; ensure these are enabled in perimeter, internal, and SSLDecrypt deployment contexts.
- Additional threat-intelligence context on the RondoDox botnet leveraging this CVE is available at the BitSight blog reference embedded in the ET rules.
- Affected scope is broad: beyond E-Series, the vulnerability may affect WAG/WAP/WES/WET/WRT-series models and Wireless-N access points; asset inventory should not be limited to E-Series only.
- Metasploit module was confirmed tested only against E1500 v1.0.5; exploitation behaviour or payload delivery may differ on other firmware versions.
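The following is an added example (not part of this record or of the ET ruleset) that ports the matching logic of SIDs 2068292/2068293 to Python so the rule can be replayed against request logs offline. It mirrors each rule option in order (POST method, URI substring, `ttcp_ip=` in the body, then the pcre relative to that match) and also shows one caveat: the pcre's `\x26` alternative matches a raw `&` directly after the value, so an ordinary multi-field body fires too; the `strict` flag is this example's own variant, not ET's. All sample requests are constructed, with `PLACEHOLDER` standing in for any injected value.

```python
import re
from typing import List, Optional, Tuple

# Endpoints and parameter named in the CVE description and in ET SIDs 2068292/2068293.
VULN_URIS = {"/tmUnblock.cgi": "2068292", "/hndUnblock.cgi": "2068293"}
PARAM = b"ttcp_ip="
# Verbatim port of the rules' pcre, applied relative to the end of the "ttcp_ip=" match (/R):
# scan the value lazily up to the first "&" for ; $ & ` | raw, or %3b %24 %26 %60 %7c encoded.
ET_RE = re.compile(rb"^[^&]*?(?:[\x3b\x24\x26\x60\x7c]|\x25(?:3[bB]|2[46]|60|7[cC]))")
# Stricter variant (this example's own, not ET's): a raw "&" is treated as the form-field
# delimiter, so only metacharacters inside the value itself count. Avoids firing on
# ordinary multi-field bodies such as "ttcp_ip=192.168.1.10&action=Start".
STRICT_RE = re.compile(rb"^[^&]*?(?:[\x3b\x24\x60\x7c]|\x25(?:3[bB]|2[46]|60|7[cC]))")

def matches_et_rule(method: str, uri: str, body: bytes, strict: bool = False) -> Optional[str]:
    """Return the SID that would fire for this request, or None."""
    if method.upper() != "POST":          # http.method; content:"POST"
        return None
    sid = next((s for path, s in VULN_URIS.items() if path in uri), None)  # http.uri substring
    if sid is None:
        return None
    idx = body.find(PARAM)                # http.request_body; content:"ttcp_ip|3d|"
    if idx < 0:
        return None
    pattern = STRICT_RE if strict else ET_RE
    return sid if pattern.match(body[idx + len(PARAM):]) else None

# Constructed sample requests (not captured traffic): (label, method, uri, body).
SAMPLES: List[Tuple[str, str, str, bytes]] = [
    ("benign-single-field", "POST", "/tmUnblock.cgi", b"ttcp_ip=192.168.1.10"),
    ("benign-multi-field",  "POST", "/tmUnblock.cgi", b"ttcp_ip=192.168.1.10&action=Start"),
    ("encoded-semicolon",   "POST", "/tmUnblock.cgi",
     b"submit_button=&ttcp_ip=192.168.1.10%3bPLACEHOLDER&ttcp_num=1"),
    ("raw-backtick",        "POST", "/hndUnblock.cgi", b"ttcp_ip=10.0.0.1`PLACEHOLDER`"),
    ("wrong-method",        "GET",  "/tmUnblock.cgi?ttcp_ip=1%3b2", b""),
    ("wrong-endpoint",      "POST", "/index.cgi", b"ttcp_ip=1%3b2"),
]

def triage(strict: bool = False) -> List[Tuple[str, Optional[str]]]:
    """Run every sample through the rule logic; returns (label, SID-or-None) pairs."""
    return [(label, matches_et_rule(m, u, b, strict)) for label, m, u, b in SAMPLES]

if __name__ == "__main__":
    for label, sid in triage():
        print(f"{label:20s} -> {sid or 'no alert'}")
```

Compare `triage()` with `triage(strict=True)`: only the benign multi-field body changes verdict, which is the false-positive class to expect from the production rule.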
CVSS provenance
NVD · v4.0 · 10.0 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulnCheck · 10.0 CRITICAL
GHSA
GHSA-4c6f-v7q4-2m38 · ghsa_unreviewed · 2025-06-26 · CWE-20 · CRITICAL
An OS command injection vulnerability exists in various models of E-Series Linksys routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on port 8080. The CGI scripts improperly process user-supplied input passed to the ttcp_ip parameter without sanitization, allowing unauthenticated attackers to inject shell commands. This vulnerability is exploited in the wild by the "TheMoon" worm to deploy a MIPS ELF payload, enabling arbitrary code execution on the router. This vulnerability may affect other Linksys products to include, but not limited to, WAG/WAP/WES/WET/WRT-series router models and Wireless-N access points and routers.
VulnCheck
linksys e1200 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') · vulncheck · 2025 · CVSS 10.0 · CRITICAL
Suricata
ET WEB_SPECIFIC_APPS Linksys E-Series OS Command Injection (CVE-2025-34037) M2 · suricata · 2026-03-17 · CVSS 10.0 · CRITICAL
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Linksys E-Series OS Command Injection (CVE-2025-34037) M2"; flow:established,to_server; http.uri; content:"/hndUnblock.cgi"; fast_pattern; http.request_body; content:"ttcp_ip|3d|"; pcre:"/^[^&]*?(?:[\x3b\x24\x26\x60\x7c]|\x25(?:3[bB]|2[46]|60|7[cC]))/R"; http.method; content:"POST"; reference:url,www.bitsight.com/blog/rondodox-botnet-infrastructure-analysis; reference:cve,2025-34037; classtype:web-application-attack; sid:2068293; rev:1; metadata:affected_product Linksys, attack_target Server, tls_state TLSDecrypt, created_at 2026_03_17, cve CVE_2025_34037, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signa
Suricata
ET WEB_SPECIFIC_APPS Linksys E-Series OS Command Injection (CVE-2025-34037) M1 · suricata · 2026-03-17 · CVSS 10.0 · CRITICAL
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Linksys E-Series OS Command Injection (CVE-2025-34037) M1"; flow:established,to_server; http.uri; content:"/tmUnblock.cgi"; fast_pattern; http.request_body; content:"ttcp_ip|3d|"; pcre:"/^[^&]*?(?:[\x3b\x24\x26\x60\x7c]|\x25(?:3[bB]|2[46]|60|7[cC]))/R"; http.method; content:"POST"; reference:url,www.bitsight.com/blog/rondodox-botnet-infrastructure-analysis; reference:cve,2025-34037; classtype:web-application-attack; sid:2068292; rev:1; metadata:affected_product Linksys, attack_target Server, tls_state TLSDecrypt, created_at 2026_03_17, cve CVE_2025_34037, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signat
Sans Isc
What do Ports Hear When Nobody's Listening? An Assessment of Automated Cybercrime [Guest Diary], (Wed, Jun 24th) · blogs_sans_isc · 2026-06-25 · CVE-2016-20017
Published: 2026-06-24. Last Updated: 2026-06-25 00:39:08 UTC
by Nicole Phillips, SANS.edu BACS Student (Version: 1)
[This is a Guest Diary by Nicole Phillips, an ISC intern as part of the SANS.edu BACS program]
"I was just sitting here enjoying the company. Plants got a lot to say, if you take the time to listen."
— Eeyore, Winnie the Pooh
Introduction: Listening to the Static
Setting up and contributing to the DShield honeypot project [1] as an ISC intern is a meaningful part of the BACS program at SANS [2]. Over the last several months I've been thrilled to observe real-time SSH/Telnet activity, check every new file hash and TTY log and hunt for unique http requests. That sa
Trendmicro
## RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
blogs_trendmicro · 2025-10-09 · CVSS 8.8 [HIGH] · Cyber Threats
Trend™ Research and ZDI Threat Hunters have identified a large-scale RondoDox botnet campaign exploiting over 50 vulnerabilities across more than 30 vendors, including flaws first seen in Pwn2Own contests.
By: Deep Patel, Ashish Verma, Simon Dulude, Peter Girnus, Oct 09, 2025
Trend customers can be reassured that they have been protected against vulnerabilities like CVE-2023-1389 since it was disclosed at Pwn2Own.
Below is the timeline showing key events in the RondoDox vulnerability, from discovery to exploitation:
December 6, 2022: Tri Dang and Bien Pham (@bienpnn) from Qrious Secure exploit the WAN interface of TP-Link AX1800 at Pwn2Own Toronto 2022.
Januar
Trendmicro
# RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
blogs_trendmicro · 2025-10-09 · Cyber Threats
Trend™ Research and ZDI Threat Hunters have identified a large-scale RondoDox botnet campaign exploiting over 50 vulnerabilities across more than 30 vendors, including flaws first seen in Pwn2Own contests.
By: Deep Patel, Ashish Verma, Simon Dulude, Peter Girnus, 2025/10/09
Key takeaways
- The campaign exposes organizations to the risks of data exfiltration, persistent network compromise, and operational disruption for organizations with exposed infrastructure.
- Organizations operating internet-facing network devices are at heightened risk. Active exploitation has been observed globally since mid-2025, with several CVEs now included in CISA’s Known Exploited Vul
Bleepingcomputer
## RondoDox botnet targets 56 n-day flaws in worldwide attacks
blogs_bleepingcomputer · 2025-10-09 · CVSS 8.8 [HIGH] · by Bill Toulas
A new large-scale botnet called RondoDox is targeting 56 vulnerabilities in more than 30 distinct devices, including flaws first disclosed during Pwn2Own hacking competitions.
The attacker focuses on a wide range of exposed devices, including DVRs, NVRs, CCTV systems, and web servers, and has been active since June.
The RondoDox botnet leverages what Trend Micro researchers call an "exploit shotgun" strategy, where numerous exploits are used simultaneously to maximize infections, even though the activity is very noisy.
Since FortiGuard Labs discovered RondoDox, the botnet appears to have expanded its list of exploited vulnerabilities, which included CVE-2024-3721 and CVE-2024-12856.
## Mass n-day exploitat
Greynoiseio
NoiseLetter March 2026 · blogs_greynoiseio
Events, events… and yes, even more events. 🌍 GreyNoise has been on the move. March kept us busy with stops at eCrimes in London and SecIT in Hanover—but we’re just getting started. Over the next few months, we’ll be hitting the road for CrowdStrike CrowdTours across eight cities, heading to Glasgow to speak and sponsor CyberUK, and making our way to Tampa for H-ISAC. If you’ll be at any of these (or nearby), we’d love to connect.
And while we’ve been racking up miles, we haven’t slowed down on the research front. We’ve just released some exciting new findings—with even more coming in the next few weeks—so keep an eye out.
Thanks, as always, for being part of the GreyNoise community.
Featured
About this new report
Every enterprise firewall processes traffic from residential IP space. T