CVE-2025-34037
published 2025-06-24


Priority: P1 (94), critical; CVSS 4.0 base score 10.0
Exploitation status: exploited in the wild (VulnCheck KEV)
EPSS: 85.37% (99.7th percentile)
An OS command injection vulnerability exists in various models of E-Series Linksys routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on port 8080. The CGI scripts improperly process user-supplied input passed to the ttcp_ip parameter without sanitization, allowing unauthenticated attackers to inject shell commands. This vulnerability was reported to be exploited in the wild by the "TheMoon" worm in 2014 to deploy a MIPS ELF payload, enabling arbitrary code execution on the router. Additionally, this vulnerability may affect other Linksys products to include, but not limited to, WAG/WAP/WES/WET/WRT-series router models and Wireless-N access points and routers. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC.

Affected (11 ranges)

Vendor    Product        Version range    Fixed in
linksys   e1000_v1       < 2.1.03         2.1.03
linksys   e1200_v1       <= 1.0.04        -
linksys   e1500_v1       < 1.0.06         1.0.06
linksys   e1550          <= 1.0.03        -
linksys   e2000          -                -
linksys   e2100l_v1      <= 1.0.05        -
linksys   e2500_v1_v2    < 2.0.00         2.0.00
linksys   e3000          < 1.0.06         1.0.06
linksys   e3200          < 1.0.05         1.0.05
linksys   e4200          < 1.0.06         1.0.06
linksys   e900_v1        < 1.0.04         1.0.04

Detection & IOCs (extracted from sources)

path: /tmUnblock.cgi
path: /hndUnblock.cgi
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Linksys E-Series OS Command Injection (CVE-2025-34037) M1"; flow:established,to_server; http.uri; content:"/tmUnblock.cgi"; fast_pattern; http.request_body; content:"ttcp_ip|3d|"; pcre:"/^[^&]*?(?:[\x3b\x24\x26\x60\x7c]|\x25(?:3[bB]|2[46]|60|7[cC]))/R"; http.method; content:"POST"; reference:url,www.bitsight.com/blog/rondodox-botnet-infrastructure-analysis; reference:cve,2025-34037; classtype:web-application-attack; sid:2068292; rev:1;)
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Linksys E-Series OS Command Injection (CVE-2025-34037) M2"; flow:established,to_server; http.uri; content:"/hndUnblock.cgi"; fast_pattern; http.request_body; content:"ttcp_ip|3d|"; pcre:"/^[^&]*?(?:[\x3b\x24\x26\x60\x7c]|\x25(?:3[bB]|2[46]|60|7[cC]))/R"; http.method; content:"POST"; reference:url,www.bitsight.com/blog/rondodox-botnet-infrastructure-analysis; reference:cve,2025-34037; classtype:web-application-attack; sid:2068293; rev:1;)
  • Exploit targets the `ttcp_ip` POST body parameter on /tmUnblock.cgi and /hndUnblock.cgi; look for shell metacharacters (;, $, &, `, |) or their URL-encoded equivalents (%3b, %24, %26, %60, %7c) immediately following the `ttcp_ip=` value.
  • Exploitation arrives as an unauthenticated HTTP POST to port 8080; no authentication headers are required, making it straightforward to filter on destination port 8080 + URI pattern.
  • The payload delivered in the wild is a MIPS ELF binary; detections on router file-system or memory should look for MIPS ELF magic bytes dropped by the TheMoon worm.
  • Active exploitation was re-observed by Shadowserver on 2025-02-06 UTC; correlate IDS/firewall logs from that date forward for retrospective hunting.
  • Metasploit module `exploits/linux/http/linksys_themoon_exec` is publicly available; scan for matching exploit traffic patterns from automated scanners using this module.
  • Snort/Suricata SID 2068292 (M1, /tmUnblock.cgi) and SID 2068293 (M2, /hndUnblock.cgi) are the canonical ET rules; ensure these are enabled in perimeter, internal, and SSLDecrypt deployment contexts.
  • Additional threat-intelligence context on the RondoDox botnet leveraging this CVE is available at the BitSight blog reference embedded in the ET rules.
  • Affected scope is broad: beyond E-Series, the vulnerability may affect WAG/WAP/WES/WET/WRT-series models and Wireless-N access points; asset inventory should not be limited to E-Series only.
  • The Metasploit module was confirmed tested only against E1500 v1.0.5; exploitation behaviour or payload delivery may differ on other firmware versions.
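As an added defender-side example (not code from the CVE record or from the ET ruleset), the Python below reproduces the three conditions the two Snort rules above check (POST method, target CGI path, the rules' pcre applied right after `ttcp_ip=`) and sets a stricter variant beside it that inspects only the decoded `ttcp_ip` value; the HTTP requests are constructed samples, and the function names are this example's own.

```python
import re
from urllib.parse import unquote, urlsplit

TARGET_PATHS = {"/tmUnblock.cgi", "/hndUnblock.cgi"}
# Pattern copied from the ET rules' pcre; the rules' /R flag anchors it right
# after the "ttcp_ip=" content match, which the slice in et_rule_matches reproduces.
ET_PCRE = re.compile(r"^[^&]*?(?:[;$&`|]|%(?:3[bB]|2[46]|60|7[cC]))")
SHELL_META = set(";$&`|")


def parse_request(raw: bytes):
    """Minimal HTTP/1.x splitter returning (method, path, body); assumes a well-formed request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    method, target, _ = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ", 2)
    return method, urlsplit(target).path, body.decode("latin-1")


def et_rule_matches(raw: bytes) -> bool:
    """Same three conditions as SIDs 2068292/2068293: POST, target CGI, pcre after ttcp_ip=."""
    method, path, body = parse_request(raw)
    if method != "POST" or path not in TARGET_PATHS:
        return False
    idx = body.find("ttcp_ip=")
    return idx >= 0 and ET_PCRE.match(body[idx + len("ttcp_ip="):]) is not None


def ttcp_ip_value_has_metachar(raw: bytes) -> bool:
    """Stricter variant: decode only the ttcp_ip value (a raw '&' ends it, as in form
    encoding) and flag shell metacharacters inside it, so a following parameter alone
    does not trigger; an encoded %26 still decodes to '&' and is caught."""
    method, path, body = parse_request(raw)
    if method != "POST" or path not in TARGET_PATHS:
        return False
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        if key == "ttcp_ip" and SHELL_META & set(unquote(value)):
            return True
    return False


# Constructed sample requests (not real captures); 192.0.2.0/24 is documentation space.
_HDR = b" HTTP/1.1\r\nHost: 192.0.2.1:8080\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
BENIGN = b"POST /tmUnblock.cgi" + _HDR + b"ttcp_ip=192.0.2.20&ttcp_num=2&submit_button="
INJECTED = b"POST /hndUnblock.cgi" + _HDR + b"ttcp_ip=192.0.2.20%3Bx&ttcp_num=2"
GET_REQ = b"GET /tmUnblock.cgi?ttcp_ip=1%3Bx" + _HDR  # wrong method: neither check fires

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("injected", INJECTED), ("get", GET_REQ)):
        print(name, et_rule_matches(req), ttcp_ip_value_has_metachar(req))
```

Because `&` is in the rules' metacharacter set and the pcre runs until the next `&`, the rule as written also fires when `ttcp_ip` is merely followed by another form parameter, which the benign sample shows; the stricter variant is one way to tune that down if such form posts are normal on your network.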

CVSS provenance

NVD: CVSS 4.0, 10.0 CRITICAL, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulnCheck: 10.0 CRITICAL