CVE-2025-34093
published 2025-07-10CVE-2025-34093: An authenticated command injection vulnerability exists in the Polycom HDX Series command shell interface accessible over Telnet. The lan traceroute command in…
PriorityP262high7.5CVSS 4.0
AVNACLATPPRHUINVCHVIHVAHSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EXPLOIT
EPSS
2.01%
78.4th percentile
An authenticated command injection vulnerability exists in the Polycom HDX Series command shell interface accessible over Telnet. The lan traceroute command in the devcmds console accepts unsanitized input, allowing attackers to execute arbitrary system commands. By injecting shell metacharacters through the traceroute interface, an attacker can achieve remote code execution under the context of the root user. This flaw affects systems where Telnet access is enabled and either unauthenticated access is allowed or credentials are known.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| polycom | hdx_series | < 3.1.11 hotfix 2 | 3.1.11 hotfix 2 |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor Telnet (TCP/23) sessions to Polycom HDX devices for shell metacharacters (e.g., ;, |, $(), ``) injected into the 'lan traceroute' command argument. ↗
- →Alert on Telnet or OpenSSL connections to Polycom HDX devices followed by 'lan traceroute' commands containing non-IP-address characters in the argument field. ↗
- →Exploitation results in command execution as root; look for unexpected child processes spawned from the Polycom shell process (e.g., /bin/sh) on HDX devices. ↗
- →A Metasploit module exists for this vulnerability (unix/misc/polycom_hdx_traceroute_exec); correlate IDS/firewall logs for Metasploit default payload staging patterns against Polycom HDX Telnet ports. ↗
- ·The vulnerability is only exploitable when Telnet access is enabled on the Polycom HDX device. Disabling Telnet eliminates the attack surface. ↗
- ·If unauthenticated Telnet access is permitted, the 'authenticated' requirement is effectively bypassed, broadening the attacker pool to unauthenticated remote actors. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No writeups or analysis indexed.
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/misc/polycom_hdx_traceroute_exec.rbhttps://staaldraad.github.io/2017/11/12/polycom-hdx-rce/https://vulncheck.com/advisories/polycom-hdx-series-telnet-rcehttps://web.archive.org/web/20200312205144/http://support.polycom.com/content/dam/polycom-support/global/documentation/securityadvisory-remotecodeexecutionon-hdx-v0.3-hotfix-release.pdfhttps://www.exploit-db.com/exploits/24494
2025-07-10
Published