Back to KEVs

CVE-2025-34037

Linksys Routers E/WAG/WAP/WES/WET/WRT-Series

Basic Information

CVE State
PUBLISHED
Reserved Date
April 15, 2025
Published Date
June 24, 2025
Last Updated
May 14, 2026
Vendor
Linksys
Product
E4200, E3200, E3000, E2500 v1/v2, E2100L v1, E2000, E1550, E1500 v1, E1200 v1, E1000 v1, E900 v1
Description
An OS command injection vulnerability exists in various models of E-Series Linksys routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on port 8080. The CGI scripts improperly process user-supplied input passed to the ttcp_ip parameter without sanitization, allowing unauthenticated attackers to inject shell commands. This vulnerability was reported to be exploited in the wild by the "TheMoon" worm  in 2014 to deploy a MIPS ELF payload, enabling arbitrary code execution on the router. Additionally, this vulnerability may affect other Linksys products to include, but not limited to, WAG/WAP/WES/WET/WRT-series router models and Wireless-N access points and routers. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC.
Tags
edge

CVSS Scores

CVSS v4.0

10.0 - CRITICAL

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS Score

Score
89.27% (Percentile: 99.56%) as of 2026-05-31

SSVC Information

Exploitation
poc
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2026-06-01 10:34:16 UTC) Source

References

https://isc.sans.edu/diary/17633 https://www.exploit-db.com/exploits/31683 https://vulncheck.com/advisories/linksys-routers-command-injection

Known Exploited Vulnerability Information

Source Added Date
CVE 2026-06-01 10:34:09 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel