CVE-2025-34035

EnGenius EnShare IoT Gigabit Cloud Service Command Injection

CVSS 10 CRITICALEPSS 12.3%CWE-78

Vexday Risk Score

68Prioridad alta

Decisión SSVC (CISA)

Attend

PoC disponible → seguir de cerca

CVSS 10EPSS 12.3%KEV nãoPoC públicaNuclei simMetasploit —Patch —

Ciclo de vida

24 jun 2025Publicada en NVD

Recomendación: Planificar corrección próxima — ya existe PoC pública.

An OS command injection vulnerability exists in EnGenius EnShare Cloud Service version 1.4.11 and earlier. The usbinteract.cgi script fails to properly sanitize user input passed to the path parameter, allowing unauthenticated remote attackers to inject arbitrary shell commands. The injected commands are executed with root privileges, leading to full system compromise. Exploitation evidence was observed by the Shadowserver Foundation on 2024-12-05 UTC.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Productos afectados

EnGenius · EnShare IoT Gigabit Cloud Service

PoCs públicas encontradas — 4

cve_referencecxsecurity.com/issue/WLB-2017060050no verificado cve_referencepacketstormsecurity.com/files/142792no verificado cve_referencewww.exploit-db.com/exploits/42114no verificado cve_referencewww.zeroscience.mk/en/vulnerabilities/ZSL-2017-5413.phpno verificado

⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://cxsecurity.com/issue/WLB-2017060050 https://packetstormsecurity.com/files/142792 https://vulncheck.com/advisories/engenius-enshare-iot-gigabit-cloud-service https://www.exploit-db.com/exploits/42114 https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5413.php