Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
HighPublic exploit

OS Command Injection in Linksys apply.cgi ping_ip

IdentifiersCVE-2013-3307CWE-78· Improper Neutralization of Special…

CVE-2013-3307 is an OS command injection vulnerability in Linksys E1000 devices through 2.1.02, E1200 devices before 2.0.05, and E3200 devices through 1.0.04. The flaw is exposed via the apply.cgi endpoint on TCP port 52000, where the ping_ip parameter is insufficiently sanitized and allows shell metacharacters to be injected into an underlying system command. A remote attacker can supply crafted input to ping_ip and cause arbitrary operating system commands to be executed on the router.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows remote execution of arbitrary OS commands on affected Linksys routers. This can enable full device compromise, malware installation, persistence establishment, configuration tampering, traffic interception or redirection, and use of the router as a botnet node, proxy, or reconnaissance platform.

Mitigation

If you can’t patch tonight, do this now.

Restrict or disable exposure of the management interface and specifically TCP port 52000 from untrusted networks. Disable remote administration if not required. Limit access to the router management plane to trusted internal hosts only, using firewall or ACL controls. Monitor for unexpected requests to apply.cgi and signs of post-compromise activity. For unsupported devices, isolate or retire them.

Remediation

Patch, then assume compromise.

Upgrade to a fixed firmware version where available. Based on the provided data, affected versions are Linksys E1000 through 2.1.02, E1200 before 2.0.05, and E3200 through 1.0.04; therefore E1200 should be updated to 2.0.05 or later, and E1000/E3200 devices should be moved to vendor-fixed firmware if available. If no supported fixed firmware exists because the device is end-of-life, replace the hardware.
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.

VALID 0 / 1 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

ACTIVITY FEED

Recent activity

18 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

18 SOURCESView more in app
cyber security newsNews
Jun 22, 2026
AryStinger Botnet Hijacks 4,300+ Routers to Build Global Attack Proxy Network

A decade-old router vulnerability affecting older Linksys and D-Link router models that was used to spread the AryStinger botnet malware.

Read more
security affairsNews
Jun 22, 2026
4,300+ Outdated Routers Hijacked in Stealthy Spy Infrastructure by AryStinger malware

An old router vulnerability used by AryStinger operators to compromise outdated Realtek RTL819X-based routers and build a covert reconnaissance infrastructure.

Read more
the hacker newsNews
Jun 22, 2026
AryStinger Malware Infects 4,300 Legacy Routers to Build Reconnaissance Proxy Network

A legacy vulnerability in Linksys router models that AryStinger reportedly exploits to compromise older Realtek RTL819X-based devices.

Read more
xakepNews
Jun 22, 2026
Ботнет AryStinger заразил тысячи роутеров D-Link - Хакер

An older vulnerability exploited by the AryStinger botnet to compromise outdated routers, particularly D-Link DIR-850L and DIR-818LW devices.

Read more
+8 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware11

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity6

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2013-3307
NVD
nvd.nist.gov/vuln/detail/CVE-2013-3307
MITRE CWE · CWE-78
Improper Neutralization of Special Elements…
web.archive.org
web.archive.org/web/20140421001918/https://www.trustwave.com/spiderlabs/advisories/TWSL2013-008.txt