cbcvebase.
CVE-2025-34117
published 2025-07-16

CVE-2025-34117: A remote code execution vulnerability exists in multiple Netcore and Netis routers models with firmware released prior to August 2014 due to the presence of an…

PriorityP192critical9.3CVSS 4.0
AVNACLATNPRNUINVCHVIHVAHSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
22.92%
97.5th percentile
A remote code execution vulnerability exists in multiple Netcore and Netis routers models with firmware released prior to August 2014 due to the presence of an undocumented backdoor listener on UDP port 53413. Exact version boundaries remain undocumented. An unauthenticated remote attacker can send specially crafted UDP packets to execute arbitrary commands on the affected device. This backdoor uses a hardcoded authentication mechanism and accepts shell commands post-authentication. Some device models include a non-standard implementation of the `echo` command, which may affect exploitability.

Affected

2 ranges
VendorProductVersion rangeFixed in
netcore_technologyrouter_firmware
netisrouter_firmware

Detection & IOCsextracted from sources · hover to see the quote

portUDP/53413
  • Monitor for unexpected inbound UDP traffic to port 53413 on network edge devices, particularly Netcore/Netis router models; any traffic to this port is anomalous and indicative of backdoor exploitation attempts.
  • The backdoor uses a hardcoded authentication mechanism followed by shell command execution over UDP; inspect UDP payloads on port 53413 for authentication sequences followed by shell command strings.
  • No prior authentication or credentials are required to reach the backdoor listener; any source IP sending UDP packets to port 53413 on affected devices should be treated as a potential attacker.
  • Metasploit has a public exploit module for this backdoor (linux/misc/netcore_udp_53413_backdoor); correlate IDS/firewall logs for scanning activity targeting UDP/53413 against Netcore/Netis devices.
  • ·Some Netcore/Netis device models ship with a non-standard echo command that does not support the -e flag, which prevents the Metasploit module from achieving code execution on those specific models. Exploitability varies by model.
  • ·Exact firmware version boundaries for affected devices are undocumented; the vulnerability is known to affect firmware released prior to August 2014, but precise version strings have not been published.

CVSS provenance

nvdv4.09.3CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck9.3CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.