CVE-2025-34037 | EUVD-2025-18964 | CRITICAL
OS Command Injection (CWE-78)
2025-06-24 | disclosure@vulncheck.com
CVSS 4.0 base score: 10.0

CVSS Vector (source: NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None

Lifecycle Timeline (7 events)

Analysis Updated: Apr 16, 2026 05:53 (EUVD-patch-fix; executive_summary)
Re-analysis Queued: Apr 16, 2026 05:29 (backfill_euvd_patch; patch_released)
Patch available: Apr 16, 2026 05:29 (EUVD; versions 1.0.06, 2.1.03, 1.0.05)
PoC Detected: Mar 20, 2026 19:16 (vuln.today; public exploit code)
EUVD ID Assigned: Mar 15, 2026 22:36 (euvd; EUVD-2025-18964)
Analysis Generated: Mar 15, 2026 22:36 (vuln.today)
CVE Published: Jun 24, 2025 01:15 (nvd; CRITICAL 10.0)

Description (source: NVD)

An OS command injection vulnerability exists in various models of E-Series Linksys routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on port 8080. The CGI scripts improperly process user-supplied input passed to the ttcp_ip parameter without sanitization, allowing unauthenticated attackers to inject shell commands. This vulnerability is exploited in the wild by the "TheMoon" worm to deploy a MIPS ELF payload, enabling arbitrary code execution on the router. This vulnerability may affect other Linksys products, including, but not limited to, WAG/WAP/WES/WET/WRT-series router models and Wireless-N access points and routers. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC.

Analysis (AI-generated)

Multiple Linksys E-Series router models contain an unauthenticated OS command injection vulnerability in the /tmUnblock.cgi and /hndUnblock.cgi endpoints accessible on port 8080. The ttcp_ip parameter is passed directly to a system shell without sanitization, enabling remote root-level command execution on the router.

Technical Context (AI-generated)

The tmUnblock.cgi and hndUnblock.cgi scripts process the ttcp_ip parameter by passing it directly to a system() call without input validation. Since the web server runs as root on the router, injected commands execute with full root privileges. Port 8080 hosts an alternative web interface that may be accessible remotely if remote management is enabled.
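As an added illustration in C of the pattern described above (this is not code from the advisory or from Linksys firmware), the unsafe string-splicing builder is shown beside a hardened path that validates ttcp_ip as an IPv4 literal with inet_pton and then execs a fixed argv instead of calling system(). The "ttcp" command name and the /bin/true placeholder binary are assumptions for illustration.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Unsafe pattern from the advisory: the parameter is spliced into a shell
 * command line, so any shell metacharacter inside ttcp_ip becomes part of
 * the command once system() hands the string to /bin/sh. Shown for
 * contrast only; this example never executes the string. The "ttcp"
 * command name is an assumption. Returns 1 if the string fit. */
int build_cmd_unsafe(char *out, size_t outlen, const char *ttcp_ip) {
    return snprintf(out, outlen, "ttcp -t %s", ttcp_ip) < (int)outlen;
}

/* Hardened input check: accept only a syntactically valid IPv4 literal.
 * inet_pton is strict (dotted quad, no trailing characters), so shell
 * metacharacters, whitespace and hostnames are rejected up front. */
int ttcp_ip_is_valid(const char *ttcp_ip) {
    struct in_addr addr;
    if (ttcp_ip == NULL || strlen(ttcp_ip) > 15) return 0;
    return inet_pton(AF_INET, ttcp_ip, &addr) == 1;
}

/* Hardened execution path: fork/execv with a fixed argv instead of
 * system(), so no shell ever parses the user-controlled value even if the
 * validation above were bypassed. Returns the child's exit status, or -1
 * if the input was rejected or the process could not be run. /bin/true
 * stands in for the real helper binary (assumption). */
int run_ttcp_safe(const char *ttcp_ip) {
    if (!ttcp_ip_is_valid(ttcp_ip)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *argv[] = {"/bin/true", "-t", (char *)ttcp_ip, NULL};
        execv(argv[0], argv);      /* argv entries are passed verbatim */
        _exit(127);                /* exec failed; never reach a shell */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```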

Remediation (AI-generated)

Update router firmware to the latest version. Disable remote management on port 8080. Replace end-of-life Linksys routers with actively maintained models. Place IoT devices behind a firewall that blocks inbound management ports.


CVE-2025-34037 vulnerability details – vuln.today
