CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-34037: Linksys Routers E/WAG/WAP/WES/WET/WRT-Series

10.0 CVSS

Description

An OS command injection vulnerability exists in various models of E-Series Linksys routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on port 8080. The CGI scripts improperly process user-supplied input passed to the ttcp_ip parameter without sanitization, allowing unauthenticated attackers to inject shell commands. This vulnerability is exploited in the wild by the "TheMoon" worm to deploy a MIPS ELF payload, enabling arbitrary code execution on the router. This vulnerability may affect other Linksys products to include, but not limited to, WAG/WAP/WES/WET/WRT-series router models and Wireless-N access points and routers.

Known Exploited

🚨 Marked as known exploited on June 24th, 2025 (7 days ago).

Classification

CVE ID: CVE-2025-34037

CVSS Base Severity: CRITICAL

CVSS Base Score: 10.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Problem Types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-20 Improper Input Validation

Affected Products

Vendor: Linksys

Product: E4200, E3200, E3000, E2500 v1/v2, E2100L v1, E2000, E1550, E1500 v1, E1200 v1, E1000 v1, E900 v1

Exploit Prediction Scoring System (EPSS)

EPSS Score: 2.46% (probability of being exploited)

EPSS Percentile: 84.53% (scored less or equal to compared to others)

EPSS Date: 2025-06-30 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-34037
https://isc.sans.edu/diary/17633
https://www.exploit-db.com/exploits/31683
https://vulncheck.com/advisories/linksys-routers-command-injection

Timeline

2025-06-24 03:40:16 UTC
CVE

Linksys Routers E/WAG/WAP/WES/WET/WRT-Series
2025-06-24 03:41:16 UTC
🚨 Marked as Known Exploited