Skip to main content
Mallory
Back to vulnerabilities
HighPublic exploit

OS command injection in Linksys E1000/E1200/E3200 apply.cgi ping_ip

IdentifiersCVE-2013-3307CWE-78· Improper Neutralization of Special…

CVE-2013-3307 is an OS command injection vulnerability in Linksys E1000 devices through 2.1.02, E1200 devices before 2.0.05, and E3200 devices through 1.0.04. The flaw is exposed via the apply.cgi endpoint on TCP port 52000, where the ping_ip parameter is insufficiently sanitized and accepts shell metacharacters. An attacker can supply crafted input to ping_ip so that the device executes unintended operating system commands in the underlying shell context.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows remote execution of arbitrary OS commands on affected Linksys routers. This can lead to full device compromise, malware deployment, botnet enrollment, configuration manipulation, persistence, traffic interception or redirection, and use of the router as a pivot for further network reconnaissance or attacks.

Mitigation

If you can’t patch tonight, do this now.

Restrict or block access to TCP port 52000 from untrusted networks, especially the Internet. Limit management-plane exposure with firewall rules or ACLs, place affected devices behind trusted administration boundaries, disable unnecessary remote administration features if present, and monitor for exploitation attempts against apply.cgi with shell metacharacters in ping_ip. Given the age of the affected products and observed botnet exploitation, retiring exposed legacy devices is the strongest mitigation where patching is not feasible.

Remediation

Patch, then assume compromise.

Upgrade affected devices to fixed firmware versions. Based on the provided information, affected versions are Linksys E1000 through 2.1.02, E1200 before 2.0.05, and E3200 through 1.0.04; therefore remediation is to move to vendor firmware newer than those affected releases, including at minimum E1200 2.0.05 or later and corresponding fixed releases for E1000 and E3200. If vendor-supported updates are unavailable because the hardware is obsolete, replace the device.
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.

VALID 0 / 1 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
qianxin xlab blogNews
Jun 17, 2026
More Than 4,000 Legacy Routers Compromised by AryStinger, Turned into Global Attack Proxies for Hackers

An old router vulnerability used in 2026 to spread the AryStinger RTL819X malware to legacy router devices, particularly affecting older Linksys models.

Read more
secpod blogNews
Dec 4, 2025
AISURU Botnet: Inside the 29.7 Tbps Mega-Scale DDoS Weapon

A remote code execution vulnerability in Linksys X3000 and related router models, enabling attackers to compromise devices remotely.

Read more
qianxin xlab blogNews
Jan 15, 2025
Botnets Never Die: An Analysis of the Large Scale Botnet AIRASHI

Unknown (listed as exploited by AIRASHI; no additional details provided in the content).

Read more
the hacker newsNews
Jan 8, 2025
Mirai Botnet Variant Exploits Four-Faith Router Vulnerability for DDoS Attacks

A security vulnerability exploited by Mirai botnet variants to compromise devices and expand botnet reach.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware4

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2013-3307
NVD
nvd.nist.gov/vuln/detail/CVE-2013-3307
MITRE CWE · CWE-78
Improper Neutralization of Special Elements…
web.archive.org
web.archive.org/web/20140421001918/https://www.trustwave.com/spiderlabs/advisories/TWSL2013-008.txt