{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-34037", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2025-04-15T19:15:22.546Z", "datePublished": "2025-06-24T01:03:27.693Z", "dateUpdated": "2026-05-14T02:07:25.833Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-14T02:07:25.833Z"}, "title": "Linksys Routers E/WAG/WAP/WES/WET/WRT-Series", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88 OS Command Injection"}]}], "affected": [{"vendor": "Linksys", "product": "E4200", "modules": ["Web Management Interface (tmUnblock.cgi and hndUnblock.cgi CGI scripts)"], "versions": [{"status": "affected", "version": "0", "lessThan": "1.0.06", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Linksys", "product": "E3200", "versions": [{"status": "affected", "version": "0", "lessThan": "1.0.05", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Linksys", "product": "E3000", "versions": [{"status": "affected", "version": "0", "lessThan": "1.0.06", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Linksys", "product": "E2500 v1/v2", "versions": [{"status": "affected", "version": "0", "lessThan": "2.0.00", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Linksys", "product": "E2100L v1", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "1.0.05", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Linksys", "product": "E2000", "versions": [{"status": "affected", "version": "0", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Linksys", "product": "E1550", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "1.0.03", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Linksys", "product": "E1500 v1", "versions": [{"status": "affected", "version": "0", "lessThan": "1.0.06", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Linksys", "product": "E1200 v1", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "1.0.04", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Linksys", "product": "E1000 v1", "versions": [{"status": "affected", "version": "0", "lessThan": "2.1.03", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Linksys", "product": "E900 v1", "versions": [{"status": "affected", "version": "0", "lessThan": "1.0.04", "versionType": "custom"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linksys:e1000:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.0.06", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linksys:e1000:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.0.05", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:linksys:e3000:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.0.06", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linksys:e2500:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.0.00", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:h:linksys:e2000:*:*:*:*:*:*:*:*", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linksys:e1000:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.0.03", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linksys:e1500:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.0.06", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linksys:e1200:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.0.04", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linksys:e1000:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.1.03", "versionStartIncluding": "0", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "descriptions": [{"lang": "en", "value": "An OS command injection vulnerability exists in various models of E-Series Linksys\u00a0routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on port 8080. The CGI scripts improperly process user-supplied input passed to the ttcp_ip parameter without sanitization, allowing unauthenticated attackers to inject shell commands. This vulnerability was reported to be exploited in the wild by the \"TheMoon\" worm\u00a0 in 2014 to deploy a MIPS ELF payload, enabling arbitrary code execution on the router. Additionally, this vulnerability may affect other Linksys products to include, but not limited to, WAG/WAP/WES/WET/WRT-series router models and Wireless-N access points and routers.\u00a0Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "An OS command injection vulnerability exists in various models of E-Series <span>Linksys&nbsp;</span>routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on port 8080. The CGI scripts improperly process user-supplied input passed to the ttcp_ip parameter without sanitization, allowing unauthenticated attackers to inject shell commands. This vulnerability was reported to be exploited in the wild by the \"TheMoon\" worm&nbsp; in 2014 to deploy a MIPS ELF payload, enabling arbitrary code execution on the router. Additionally, this vulnerability may affect other Linksys products to include, but not limited to, WAG/WAP/WES/WET/WRT-series router models and Wireless-N access points and routers.&nbsp;Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC."}]}], "tags": ["x_known-exploited-vulnerability"], "references": [{"url": "https://isc.sans.edu/diary/17633", "tags": ["technical-description"]}, {"url": "https://www.exploit-db.com/exploits/31683", "tags": ["third-party-advisory", "exploit"]}, {"url": "https://vulncheck.com/advisories/linksys-routers-command-injection", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 10, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"}}], "credits": [{"lang": "en", "value": "Johannes Ullrich of SANS Internet Storm Center", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "vulncheck"}, "datePublic": "2014-02-16T00:00:00.000Z"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-24T15:53:22.492810Z", "id": "CVE-2025-34037", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-24T15:54:33.863Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-34037", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-06-24T15:53:22.492810Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-24T15:54:26.304Z"}}], "cna": {"tags": ["x_known-exploited-vulnerability"], "title": "Linksys Routers E/WAG/WAP/WES/WET/WRT-Series", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Johannes Ullrich of SANS Internet Storm Center"}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88 OS Command Injection"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 10, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Linksys", "modules": ["Web Management Interface (tmUnblock.cgi and hndUnblock.cgi CGI scripts)"], "product": "E4200", "versions": [{"status": "affected", "version": "0", "lessThan": "1.0.06", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Linksys", "product": "E3200", "versions": [{"status": "affected", "version": "0", "lessThan": "1.0.05", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Linksys", "product": "E3000", "versions": [{"status": "affected", "version": "0", "lessThan": "1.0.06", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Linksys", "product": "E2500 v1/v2", "versions": [{"status": "affected", "version": "0", "lessThan": "2.0.00", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Linksys", "product": "E2100L v1", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.0.05"}], "defaultStatus": "unaffected"}, {"vendor": "Linksys", "product": "E2000", "versions": [{"status": "affected", "version": "0", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Linksys", "product": "E1550", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.0.03"}], "defaultStatus": "unaffected"}, {"vendor": "Linksys", "product": "E1500 v1", "versions": [{"status": "affected", "version": "0", "lessThan": "1.0.06", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Linksys", "product": "E1200 v1", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.0.04"}], "defaultStatus": "unaffected"}, {"vendor": "Linksys", "product": "E1000 v1", "versions": [{"status": "affected", "version": "0", "lessThan": "2.1.03", "versionType": "custom"}], "defaultStatus": "unaffected"}, {"vendor": "Linksys", "product": "E900 v1", "versions": [{"status": "affected", "version": "0", "lessThan": "1.0.04", "versionType": "custom"}], "defaultStatus": "unaffected"}], "datePublic": "2014-02-16T00:00:00.000Z", "references": [{"url": "https://isc.sans.edu/diary/17633", "tags": ["technical-description"]}, {"url": "https://www.exploit-db.com/exploits/31683", "tags": ["third-party-advisory", "exploit"]}, {"url": "https://vulncheck.com/advisories/linksys-routers-command-injection", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "An OS command injection vulnerability exists in various models of E-Series Linksys\u00a0routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on port 8080. The CGI scripts improperly process user-supplied input passed to the ttcp_ip parameter without sanitization, allowing unauthenticated attackers to inject shell commands. This vulnerability was reported to be exploited in the wild by the \"TheMoon\" worm\u00a0 in 2014 to deploy a MIPS ELF payload, enabling arbitrary code execution on the router. Additionally, this vulnerability may affect other Linksys products to include, but not limited to, WAG/WAP/WES/WET/WRT-series router models and Wireless-N access points and routers.\u00a0Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC.", "supportingMedia": [{"type": "text/html", "value": "An OS command injection vulnerability exists in various models of E-Series <span>Linksys&nbsp;</span>routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on port 8080. The CGI scripts improperly process user-supplied input passed to the ttcp_ip parameter without sanitization, allowing unauthenticated attackers to inject shell commands. This vulnerability was reported to be exploited in the wild by the \"TheMoon\" worm&nbsp; in 2014 to deploy a MIPS ELF payload, enabling arbitrary code execution on the router. Additionally, this vulnerability may affect other Linksys products to include, but not limited to, WAG/WAP/WES/WET/WRT-series router models and Wireless-N access points and routers.&nbsp;Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linksys:e1000:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "1.0.06", "versionStartIncluding": "0"}], "operator": "OR"}], "operator": "OR"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linksys:e1000:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "1.0.05", "versionStartIncluding": "0"}], "operator": "OR"}], "operator": "OR"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:linksys:e3000:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "1.0.06", "versionStartIncluding": "0"}], "operator": "OR"}], "operator": "OR"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linksys:e2500:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.0.00", "versionStartIncluding": "0"}], "operator": "OR"}], "operator": "OR"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:linksys:e2000:*:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}], "operator": "OR"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linksys:e1000:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "1.0.03", "versionStartIncluding": "0"}], "operator": "OR"}], "operator": "OR"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linksys:e1500:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "1.0.06", "versionStartIncluding": "0"}], "operator": "OR"}], "operator": "OR"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linksys:e1200:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "1.0.04", "versionStartIncluding": "0"}], "operator": "OR"}], "operator": "OR"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linksys:e1000:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.1.03", "versionStartIncluding": "0"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-05-14T02:07:25.833Z"}}}, "cveMetadata": {"cveId": "CVE-2025-34037", "state": "PUBLISHED", "dateUpdated": "2026-05-14T02:07:25.833Z", "dateReserved": "2025-04-15T19:15:22.546Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2025-06-24T01:03:27.693Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An OS command injection vulnerability exists in various models of E-Series Linksys\u00a0routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on port 8080. The CGI scripts improperly process user-supplied input passed to the ttcp_ip parameter without sanitization, allowing unauthenticated attackers to inject shell commands. This vulnerability was reported to be exploited in the wild by the \"TheMoon\" worm\u00a0 in 2014 to deploy a MIPS ELF payload, enabling arbitrary code execution on the router. Additionally, this vulnerability may affect other Linksys products to include, but not limited to, WAG/WAP/WES/WET/WRT-series router models and Wireless-N access points and routers.\u00a0Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC."}, {"lang": "es", "value": "Existe una vulnerabilidad de inyecci\u00f3n de comandos del sistema operativo en varios modelos de routers E-Series Linksys a trav\u00e9s de los endpoints /tmUnblock.cgi y /hndUnblock.cgi a trav\u00e9s de HTTP en el puerto 8080. Los scripts CGI procesan incorrectamente la entrada proporcionada por el usuario al par\u00e1metro ttcp_ip sin sanitizarla, lo que permite a atacantes no autenticados inyectar comandos de shell. Esta vulnerabilidad es explotada por el gusano \"TheMoon\" para desplegar un payload MIPS ELF, lo que permite la ejecuci\u00f3n de c\u00f3digo arbitrario en el router. Esta vulnerabilidad puede afectar a otros productos Linksys, incluyendo, entre otros, los modelos de routers de las series WAG/WAP/WES/WET/WRT y los puntos de acceso y routers Wireless-N."}], "id": "CVE-2025-34037", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2025-06-24T01:15:25.037", "references": [{"source": "disclosure@vulncheck.com", "url": "https://isc.sans.edu/diary/17633"}, {"source": "disclosure@vulncheck.com", "url": "https://vulncheck.com/advisories/linksys-routers-command-injection"}, {"source": "disclosure@vulncheck.com", "url": "https://www.exploit-db.com/exploits/31683"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T01:19:20.805046+00:00", "value": {"mitigation_remediation": ["Apply the latest firmware or security patch released by Linksys for the affected E-Series models.", "Block or filter the unused 8080 port or restrict access to the /tmUnblock.cgi and /hndUnblock.cgi endpoints to trusted internal networks using firewall rules or VLAN segmentation.", "If a patch is not yet available, disable the /tmUnblock.cgi and /hndUnblock.cgi scripts by removing or renaming them from the router's web server or by disabling the associated services in the configuration."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected models include Linksys E1000 v1, E1200 v1, E1500 v1, E1550, E2000, E2100L v1, E2500 v1/v2, E3000, E3200, E4200, and E900 v1. Other Linksys products such as WAG, WAP, WES, WET, WRT series routers and Wireless\u2011N access points may also be impacted. The vulnerability is specific to the HTTP interface on port 8080.", "description_and_impact": "The vulnerability is a command injection flaw in the /tmUnblock.cgi and /hndUnblock.cgi endpoints of E-Series Linksys routers. When a user supplies a ttcp_ip parameter over HTTP on port 8080, the input is passed directly to the shell without sanitization, allowing unauthenticated attackers to inject arbitrary shell commands. The flaw enables remote code execution, as demonstrated by the 2014 TheMoon worm and recent evidence from Shadowserver.", "risk_and_exploitability": "The CVSS score of 10 and an EPSS score of 89% indicate a critical flaw that is highly likely to be actively exploited. Exploitation is simple: the attacker only needs to send a crafted HTTP request to the vulnerable endpoint from outside the local network. The vulnerability is not yet listed in the CISA KEV catalog, but monitoring reports show recent activity in February 2025."}}}}, "created": "2026-04-28T01:30:17.914670+00:00", "updated": "2026-04-28T01:30:17.914681+00:00", "vendors": []}