EUVD-2025-18966

CVE-2025-34035
CRITICAL 9.8 (CVSS 3.1)
2025-06-24

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 15, 2026 - 22:36 (vuln.today)
EUVD ID Assigned: Mar 15, 2026 - 22:36 (euvd), EUVD-2025-18966
PoC Detected: Nov 20, 2025 - 22:15 (vuln.today), public exploit code
CVE Published: Jun 24, 2025 - 01:15 (nvd), CRITICAL 9.8

Description

An OS command injection vulnerability exists in EnGenius EnShare Cloud Service version 1.4.11 and earlier. The usbinteract.cgi script fails to properly sanitize user input passed to the path parameter, allowing unauthenticated remote attackers to inject arbitrary shell commands. The injected commands are executed with root privileges, leading to full system compromise. Exploitation evidence was observed by the Shadowserver Foundation on 2024-12-05 UTC.

Analysis

CVE-2025-34035 is a critical OS command injection vulnerability in EnGenius EnShare Cloud Service versions 1.4.11 and earlier, affecting the usbinteract.cgi script which fails to sanitize the 'path' parameter. Unauthenticated remote attackers can inject arbitrary shell commands executed with root privileges, resulting in complete system compromise. Active exploitation has been documented by the Shadowserver Foundation as of 2024-12-05, indicating real-world threat activity.

Technical Context

The vulnerability exists in the usbinteract.cgi CGI script component of EnGenius EnShare Cloud Service, which handles USB interaction functionality. The root cause is CWE-78 (Improper Neutralization of Special Elements used in an OS Command - OS Command Injection), where user-supplied input in the 'path' parameter is passed unsanitized to shell command execution contexts. This is a classic command injection flaw where an attacker can break out of intended command syntax by injecting shell metacharacters (e.g., semicolons, pipes, backticks, command substitution) to execute arbitrary commands. The CGI interface exposes this functionality to unauthenticated remote users over the network, making it immediately exploitable without prior authentication or user interaction. The execution context runs with root privileges, amplifying the impact from code execution to complete system compromise.

Affected Products

EnGenius EnShare Cloud Service versions 1.4.11 and earlier. The specific affected component is the usbinteract.cgi script. Likely CPE representation: cpe:2.3:a:engeniustech:enshare_cloud_service:*:*:*:*:*:*:*:* with version range up to and including 1.4.11. Organizations should identify all EnGenius EnShare Cloud Service deployments regardless of deployment model (cloud, on-premises, hybrid) as the vulnerability exists in the service software itself. No specific system architecture or OS restrictions are noted, suggesting broad platform applicability.

Remediation

Immediate actions:

(1) Contact EnGenius technical support and check vendor advisory channels for patched versions beyond 1.4.11; upgrade to the latest available version immediately upon release.
(2) Pending patch availability, implement network-level access controls to restrict unauthenticated access to the EnShare Cloud Service management interfaces and CGI endpoints, particularly usbinteract.cgi.
(3) Disable USB interaction functionality if not required for operational needs.
(4) Deploy Web Application Firewall (WAF) rules to block requests to usbinteract.cgi containing shell metacharacters (;, |, `, $(), &&, ||).
(5) Monitor logs for suspicious path parameter values containing command injection patterns.
(6) Isolate affected systems from untrusted networks until patched.

Follow vendor advisory guidance at the EnGenius support portal for official patch availability and deployment procedures.
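One way to carry out the log monitoring in action (5), as an added example that is not vendor or vuln.today code. It assumes a Combined Log Format access log and a path parameter carried in the query string; the /cgi-bin/ prefix and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Shell metacharacters listed in the remediation text (; | ` $() && ||),
# plus newline, which a shell also treats as a command separator.
META = re.compile(r"[;|`&\n]|\$\(")
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding, e.g. %253B -> %3B -> ;"""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_path_values(target):
    """Decoded 'path' values containing metacharacters, for usbinteract.cgi only."""
    parts = urlsplit(target)
    if not parts.path.endswith("/usbinteract.cgi"):
        return []
    hits = []
    for pair in parts.query.split("&"):
        key, _, raw = pair.partition("=")
        if unquote_plus(key) == "path" and META.search(decode_fully(raw)):
            hits.append(decode_fully(raw))
    return hits

def scan(lines):
    """Return (line number, client address, decoded value) for each flagged request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            for value in suspicious_path_values(match.group(1)):
                hits.append((number, line.split()[0], value))
    return hits

# Constructed sample log lines (documentation address ranges, assumed URL prefix).
SAMPLE = [
    '192.0.2.10 - - [05/Dec/2024:10:00:01 +0000] "GET /cgi-bin/usbinteract.cgi?path=%2Fmnt%2Fusb1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [05/Dec/2024:10:00:09 +0000] "GET /cgi-bin/usbinteract.cgi?path=%2Fmnt%2Fusb1%3Bid HTTP/1.1" 200 87',
    '203.0.113.5 - - [05/Dec/2024:10:01:30 +0000] "GET /cgi-bin/usbinteract.cgi?path=%2524%2528id%2529 HTTP/1.1" 200 87',
    '192.0.2.10 - - [05/Dec/2024:10:02:00 +0000] "GET /index.html?path=a%3Bb HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Access logs normally omit POST bodies, so requests that carry the parameter in a form body need the same check applied at a reverse proxy or WAF that can see the body.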

Priority Score

77
KEV: 0
EPSS: +7.6
CVSS: +49
POC: +20
