Back to KEVs

CVE-2025-34037

Linksys Routers E/WAG/WAP/WES/WET/WRT-Series

Basic Information

CVE State
PUBLISHED
Reserved Date
April 15, 2025
Published Date
June 24, 2025
Last Updated
June 24, 2025
Vendor
Linksys
Product
E4200, E3200, E3000, E2500 v1/v2, E2100L v1, E2000, E1550, E1500 v1, E1200 v1, E1000 v1, E900 v1
Description
An OS command injection vulnerability exists in various models of E-Series Linksys routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on port 8080. The CGI scripts improperly process user-supplied input passed to the ttcp_ip parameter without sanitization, allowing unauthenticated attackers to inject shell commands. This vulnerability is exploited in the wild by the "TheMoon" worm to deploy a MIPS ELF payload, enabling arbitrary code execution on the router. This vulnerability may affect other Linksys products to include, but not limited to, WAG/WAP/WES/WET/WRT-series router models and Wireless-N access points and routers.
Tags
edge

CVSS Scores

CVSS v4.0

10.0 - CRITICAL

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS Score

Score
3.34% (Percentile: 86.78%) as of 2025-07-17

SSVC Information

Exploitation
poc
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2025-06-24 03:40:25 UTC) Source

References

https://isc.sans.edu/diary/17633 https://www.exploit-db.com/exploits/31683 https://vulncheck.com/advisories/linksys-routers-command-injection

Known Exploited Vulnerability Information

Source Added Date
CVE 2025-06-24 03:40:18 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel