CVE-2025-34044

| EUVD-2025-19210 CRITICAL
2025-06-26 [email protected]
9.4
CVSS 4.0
Share

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None

Lifecycle Timeline

3
Analysis Generated
Mar 15, 2026 - 23:54 vuln.today
EUVD ID Assigned
Mar 15, 2026 - 23:54 euvd
EUVD-2025-19210
CVE Published
Jun 26, 2025 - 16:15 nvd
CRITICAL 9.4

Tags

PHP Command Injection

Description

A remote command injection vulnerability exists in the confirm.php interface of the WIFISKY 7-layer Flow Control Router via a specially-crafted HTTP GET request to the t parameter. Insufficient input validation allows unauthenticated attackers to execute arbitrary OS commands. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-25 UTC.

Analysis

A remote command injection vulnerability exists in the confirm.php interface of the WIFISKY 7-layer Flow Control Router via a specially-crafted HTTP GET request to the t parameter. Insufficient input validation allows unauthenticated attackers to execute arbitrary OS commands. Exploitation evidence was observed by the Shadowserver Foundation on 2025-01-25 UTC.

Technical Context

Command injection allows an attacker to execute arbitrary OS commands on the host system through a vulnerable application that passes user input to system shells. This vulnerability is classified as OS Command Injection (CWE-78).

Remediation

Avoid passing user input to system commands. Use language-specific APIs instead of shell commands. If unavoidable, use strict input validation and escaping.

Priority Score

47
Low Medium High Critical
KEV: 0
EPSS: +0.3
CVSS: +47
POC: 0

Share

CVE-2025-34044 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy