CVE-2025-34037 is an unauthenticated OS command injection vulnerability affecting various Linksys E-Series routers, and potentially additional Linksys product lines, exposed over HTTP on port 8080. The flaw is present in the CGI endpoints /tmUnblock.cgi and /hndUnblock.cgi, which improperly process attacker-controlled input supplied via the ttcp_ip parameter without adequate sanitization before passing it to the underlying shell or command execution context. As a result, a remote attacker can append or inject arbitrary shell commands through a crafted HTTP request. The issue has historical exploitation context: it was reportedly used by the TheMoon worm in 2014 to deploy a MIPS ELF payload to compromised routers. The provided content also states exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC and that modern botnets continue to weaponize the flaw.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a small standalone Python exploit for unauthenticated command injection/RCE against vulnerable Linksys router CGI endpoints, primarily tmUnblock.cgi, with hndUnblock.cgi noted as an alternative. The repository contains only two files: a README describing the vulnerability, affected models, and usage, and a single executable script, exploit.py, which is the main entry point. The exploit works by crafting raw HTTP POST requests to the vulnerable CGI endpoint and injecting shell commands through the ttcp_ip form parameter. It percent-encodes the POST body, includes a Basic Authorization header with arbitrary credentials, and sends the request directly over a TCP socket to the target web service on port 80. The script first removes any previous payload from /tmp/c0d3z, then uploads an embedded base64-encoded MIPS little-endian ELF bind shell in 20-byte chunks using repeated echo -en commands with octal byte escapes. After staging, it chmods the file to make it executable, runs it via another injected command, waits briefly, and then connects to the bind shell on TCP port 4444. Capabilities include unauthenticated remote code execution, payload staging to the target filesystem, permission modification, payload execution, and an interactive post-exploitation shell over the bind socket. The exploit is operational rather than a simple proof of concept because it contains a complete hardcoded payload and an interactive shell handler. No external C2 infrastructure is used; all communication is direct between the attacker and the target router. The main fingerprintable artifacts are the vulnerable CGI paths, the temporary payload file /tmp/c0d3z, the default target IP 192.168.8.100, and the bind shell listener on port 4444.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A critical command injection vulnerability in the /tmUnblock.cgi CGI endpoint of Linksys E-series routers that remains actively weaponized by botnets.
A command injection vulnerability in Linksys E-Series routers, exploited by RondoDox.
A vulnerability in Linksys devices exploited by the RondoDox botnet.
An OS command injection vulnerability in Linksys E-Series routers that the content states was exploited by TheMoon botnet.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.