Description
An OS command injection vulnerability exists in various models of E-Series Linksys routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on port 8080. The CGI scripts improperly process user-supplied input passed to the ttcp_ip parameter without sanitization, allowing unauthenticated attackers to inject shell commands. This vulnerability was reported to be exploited in the wild by the "TheMoon" worm in 2014 to deploy a MIPS ELF payload, enabling arbitrary code execution on the router. Additionally, this vulnerability may affect other Linksys products to include, but not limited to, WAG/WAP/WES/WET/WRT-series router models and Wireless-N access points and routers. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC.
Published: 2025-06-24
Score: 10 Critical
EPSS: 89.3% High
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a command injection flaw in the /tmUnblock.cgi and /hndUnblock.cgi endpoints of E-Series Linksys routers. When a user supplies a ttcp_ip parameter over HTTP on port 8080, the input is passed directly to the shell without sanitization, allowing unauthenticated attackers to inject arbitrary shell commands. The flaw enables remote code execution, as demonstrated by the 2014 TheMoon worm and recent evidence from Shadowserver.

Affected Systems

Affected models include Linksys E1000 v1, E1200 v1, E1500 v1, E1550, E2000, E2100L v1, E2500 v1/v2, E3000, E3200, E4200, and E900 v1. Other Linksys products such as WAG, WAP, WES, WET, WRT series routers and Wireless‑N access points may also be impacted. The vulnerability is specific to the HTTP interface on port 8080.

Risk and Exploitability

The CVSS score of 10 and an EPSS score of 89% indicate a critical flaw that is highly likely to be actively exploited. Exploitation is simple: the attacker only needs to send a crafted HTTP request to the vulnerable endpoint from outside the local network. The vulnerability is not yet listed in the CISA KEV catalog, but monitoring reports show recent activity in February 2025.

Generated by OpenCVE AI on April 28, 2026 at 01:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware or security patch released by Linksys for the affected E-Series models.
  • Block or filter the unused 8080 port or restrict access to the /tmUnblock.cgi and /hndUnblock.cgi endpoints to trusted internal networks using firewall rules or VLAN segmentation.
  • If a patch is not yet available, disable the /tmUnblock.cgi and /hndUnblock.cgi scripts by removing or renaming them from the router's web server or by disabling the associated services in the configuration.
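To find requests that reached these endpoints before or despite filtering, the following triage routine classifies logged HTTP requests. It is an added example, not OpenCVE or Linksys code; the record layout (source IP, destination port, request target, form body), the trusted subnet and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

ENDPOINTS = {"/tmunblock.cgi", "/hndunblock.cgi"}  # CGI paths named in the advisory
PORT = 8080                                        # HTTP port named in the advisory
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumption: internal LAN

def _is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def triage(src, dport, target, body=""):
    """Classify one logged HTTP request; returns (severity, reason) or None."""
    url = urlsplit(target)
    # Path is lower-cased so case variants of the script name are still matched.
    if dport != PORT or url.path.lower() not in ENDPOINTS:
        return None
    values = []
    for raw in (url.query, body):
        # separator="&" keeps a ';' inside the value instead of splitting on it;
        # parse_qs also percent-decodes, so encoded characters are seen decoded.
        parsed = parse_qs(raw, keep_blank_values=True, separator="&")
        values += parsed.get("ttcp_ip", [])
    # Allow-list check: the parameter should hold an IP address and nothing else.
    if any(not _is_ip_literal(v) for v in values):
        return ("high", "ttcp_ip is not a plain IP address")
    if not any(ipaddress.ip_address(src) in net for net in TRUSTED_NETS):
        return ("medium", "endpoint requested from an untrusted source")
    return ("low", "endpoint requested from the trusted network")

# Constructed sample records: (source IP, destination port, request target, form body)
SAMPLES = [
    ("203.0.113.7", 8080, "/tmUnblock.cgi", "ttcp_ip=192.0.2.10%3BPLACEHOLDER"),
    ("203.0.113.7", 8080, "/hndUnblock.cgi?ttcp_ip=192.0.2.10", ""),
    ("192.168.1.20", 8080, "/tmUnblock.cgi", "ttcp_ip=192.168.1.1"),
    ("203.0.113.7", 8080, "/index.html", ""),
]

def run():
    return [triage(*record) for record in SAMPLES]

if __name__ == "__main__":
    for record, verdict in zip(SAMPLES, run()):
        print(record[0], record[2], "->", verdict)
```

Validating the value as an IP literal rather than searching for specific shell metacharacters means any non-address content is flagged, whatever its encoding.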



Advisories
Source: EUVD
ID: EUVD-2025-18964
Title: An OS command injection vulnerability exists in various models of E-Series Linksys routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on port 8080. The CGI scripts improperly process user-supplied input passed to the ttcp_ip parameter without sanitization, allowing unauthenticated attackers to inject shell commands. This vulnerability is exploited in the wild by the "TheMoon" worm to deploy a MIPS ELF payload, enabling arbitrary code execution on the router. This vulnerability may affect other Linksys products to include, but not limited to, WAG/WAP/WES/WET/WRT-series router models and Wireless-N access points and routers.
History

Fri, 20 Mar 2026 18:30:00 +0000

Type: Description
Values Removed: An OS command injection vulnerability exists in various models of E-Series Linksys routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on port 8080. The CGI scripts improperly process user-supplied input passed to the ttcp_ip parameter without sanitization, allowing unauthenticated attackers to inject shell commands. This vulnerability is exploited in the wild by the "TheMoon" worm to deploy a MIPS ELF payload, enabling arbitrary code execution on the router. This vulnerability may affect other Linksys products to include, but not limited to, WAG/WAP/WES/WET/WRT-series router models and Wireless-N access points and routers. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC.
Values Added: An OS command injection vulnerability exists in various models of E-Series Linksys routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on port 8080. The CGI scripts improperly process user-supplied input passed to the ttcp_ip parameter without sanitization, allowing unauthenticated attackers to inject shell commands. This vulnerability was reported to be exploited in the wild by the "TheMoon" worm in 2014 to deploy a MIPS ELF payload, enabling arbitrary code execution on the router. Additionally, this vulnerability may affect other Linksys products to include, but not limited to, WAG/WAP/WES/WET/WRT-series router models and Wireless-N access points and routers. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC.

Sat, 22 Nov 2025 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Linksys
Linksys e1000
Linksys e1200
Linksys e1500
Linksys e2000
Linksys e2500
Linksys e3000
CPEs cpe:2.3:a:linksys:e1000:*:*:*:*:*:*:*:*
cpe:2.3:a:linksys:e1200:*:*:*:*:*:*:*:*
cpe:2.3:a:linksys:e1500:*:*:*:*:*:*:*:*
cpe:2.3:a:linksys:e2500:*:*:*:*:*:*:*:*
cpe:2.3:h:linksys:e2000:*:*:*:*:*:*:*:*
cpe:2.3:h:linksys:e3000:*:*:*:*:*:*:*:*
Vendors & Products Linksys
Linksys e1000
Linksys e1200
Linksys e1500
Linksys e2000
Linksys e2500
Linksys e3000

Thu, 20 Nov 2025 21:30:00 +0000

Type: Description
Values Removed: An OS command injection vulnerability exists in various models of E-Series Linksys routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on port 8080. The CGI scripts improperly process user-supplied input passed to the ttcp_ip parameter without sanitization, allowing unauthenticated attackers to inject shell commands. This vulnerability is exploited in the wild by the "TheMoon" worm to deploy a MIPS ELF payload, enabling arbitrary code execution on the router. This vulnerability may affect other Linksys products to include, but not limited to, WAG/WAP/WES/WET/WRT-series router models and Wireless-N access points and routers. Exploitation evidence was observed by the Shadowserver Foundation on 2025-07-13 UTC.
Values Added: An OS command injection vulnerability exists in various models of E-Series Linksys routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on port 8080. The CGI scripts improperly process user-supplied input passed to the ttcp_ip parameter without sanitization, allowing unauthenticated attackers to inject shell commands. This vulnerability is exploited in the wild by the "TheMoon" worm to deploy a MIPS ELF payload, enabling arbitrary code execution on the router. This vulnerability may affect other Linksys products to include, but not limited to, WAG/WAP/WES/WET/WRT-series router models and Wireless-N access points and routers. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-06 UTC.

Mon, 17 Nov 2025 22:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Mon, 17 Nov 2025 22:15:00 +0000

Type: Description
Values Removed: An OS command injection vulnerability exists in various models of E-Series Linksys routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on port 8080. The CGI scripts improperly process user-supplied input passed to the ttcp_ip parameter without sanitization, allowing unauthenticated attackers to inject shell commands. This vulnerability is exploited in the wild by the "TheMoon" worm to deploy a MIPS ELF payload, enabling arbitrary code execution on the router. This vulnerability may affect other Linksys products to include, but not limited to, WAG/WAP/WES/WET/WRT-series router models and Wireless-N access points and routers.
Values Added: An OS command injection vulnerability exists in various models of E-Series Linksys routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on port 8080. The CGI scripts improperly process user-supplied input passed to the ttcp_ip parameter without sanitization, allowing unauthenticated attackers to inject shell commands. This vulnerability is exploited in the wild by the "TheMoon" worm to deploy a MIPS ELF payload, enabling arbitrary code execution on the router. This vulnerability may affect other Linksys products to include, but not limited to, WAG/WAP/WES/WET/WRT-series router models and Wireless-N access points and routers. Exploitation evidence was observed by the Shadowserver Foundation on 2025-07-13 UTC.

Wed, 16 Jul 2025 13:45:00 +0000

Type: Metrics
Values Removed: epss {'score': 0.0246}
Values Added: epss {'score': 0.03342}


Tue, 24 Jun 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 24 Jun 2025 04:45:00 +0000


Tue, 24 Jun 2025 03:15:00 +0000

Type: Title
Values Removed: Linksys E-Series Routers Command Injection
Values Added: Linksys Routers E/WAG/WAP/WES/WET/WRT-Series
References

Tue, 24 Jun 2025 01:15:00 +0000

Type Values Removed Values Added
Description An OS command injection vulnerability exists in various models of E-Series Linksys routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on port 8080. The CGI scripts improperly process user-supplied input passed to the ttcp_ip parameter without sanitization, allowing unauthenticated attackers to inject shell commands. This vulnerability is exploited in the wild by the "TheMoon" worm to deploy a MIPS ELF payload, enabling arbitrary code execution on the router. This vulnerability may affect other Linksys products to include, but not limited to, WAG/WAP/WES/WET/WRT-series router models and Wireless-N access points and routers.
Title Linksys E-Series Routers Command Injection
Weaknesses CWE-20
CWE-78
References
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-14T02:07:25.833Z

Reserved: 2025-04-15T19:15:22.546Z

Link: CVE-2025-34037

Vulnrichment

Updated: 2025-06-24T15:54:26.304Z

NVD

Status: Deferred

Published: 2025-06-24T01:15:25.037

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-34037

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T01:30:17Z

Weaknesses