CVE-2025-34035

Critical CVSS: 10.0

An OS command injection vulnerability exists in EnGenius EnShare Cloud Service version 1.4.11 and earlier. The usbinteract.cgi script fails to properly sanitize user input passed to the path parameter, allowing unauthenticated remote attackers to inject arbitrary shell commands. The injected commands are executed with root privileges, leading to full system compromise. Exploitation evidence was observed by the Shadowserver Foundation on 2024-12-05 UTC.

Vendor

Engeniustech

Product

Esr300 Firmware

CWE

CWE-78

Yayın Tarihi

2025-06-24 01:15:24

Güncelleme

2025-11-20 22:15:56

Source Identifier

disclosure@vulncheck.com

KEV Date Added

Kategoriler

CWE-78 Esr300 Firmware CRITICAL Engeniustech 2025

Referanslar

https://cxsecurity.com/issue/WLB-2017060050 https://packetstormsecurity.com/files/142792 https://vulncheck.com/advisories/engenius-enshare-iot-gigabit-cloud-service https://www.exploit-db.com/exploits/42114 https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5413.php https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5413.php