Strix
26.1K

CVE-2025-34035

CRITICALCVSS 10/10EPSS 12.33%

Last modified

CVE-2025-34035 is a critical-severity vulnerability rated 10/10 on the CVSS scale. An OS command injection vulnerability exists in EnGenius EnShare Cloud Service version 1.4.11 and earlier. The usbinteract.cgi script fails to properly sanitize user input passed to the path parameter, allowing unauthenticated remote attackers to inject arbitrary shell commands. EPSS estimates a 12.33% chance of exploitation in the next 30 days.

Description

An OS command injection vulnerability exists in EnGenius EnShare Cloud Service version 1.4.11 and earlier. The usbinteract.cgi script fails to properly sanitize user input passed to the path parameter, allowing unauthenticated remote attackers to inject arbitrary shell commands. The injected commands are executed with root privileges, leading to full system compromise. Exploitation evidence was observed by the Shadowserver Foundation on 2024-12-05 UTC.

Metrics

CVSS 3.1
9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0
10/10

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Probability
12.33%

95.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
EngeniustechEsr300 Firmware1.1.0.28
EngeniustechEsr300 Firmware1.3.1.42
EngeniustechEsr300 Firmware1.4.0
EngeniustechEsr300 Firmware1.4.1.28
EngeniustechEsr300 Firmware1.4.2
EngeniustechEsr300 Firmware1.4.7
EngeniustechEsr300 Firmware1.4.9
EngeniustechEsr350 Firmware1.1.0.29
EngeniustechEsr350 Firmware1.3.1.41
EngeniustechEsr350 Firmware1.4.0
EngeniustechEsr350 Firmware1.4.2
EngeniustechEsr350 Firmware1.4.5
EngeniustechEsr350 Firmware1.4.9
EngeniustechEsr350 Firmware1.4.11
EngeniustechEsr600 Firmware1.1.0.50
EngeniustechEsr600 Firmware1.2.1.46
EngeniustechEsr600 Firmware1.3.1.63
EngeniustechEsr600 Firmware1.4.0.23
EngeniustechEsr600 Firmware1.4.1
EngeniustechEsr600 Firmware1.4.2
EngeniustechEsr600 Firmware1.4.3
EngeniustechEsr600 Firmware1.4.5
EngeniustechEsr600 Firmware1.4.9
EngeniustechEsr600 Firmware1.4.11
EngeniustechEsr900 Firmware1.1.0
EngeniustechEsr900 Firmware1.2.2.23
EngeniustechEsr900 Firmware1.3.0
EngeniustechEsr900 Firmware1.3.1.26
EngeniustechEsr900 Firmware1.3.5.18
EngeniustechEsr900 Firmware1.4.0
EngeniustechEsr900 Firmware1.4.3
EngeniustechEsr900 Firmware1.4.5
EngeniustechEsr1200 Firmware1.1.0
EngeniustechEsr1200 Firmware1.3.1.34
EngeniustechEsr1200 Firmware1.4.1
EngeniustechEsr1200 Firmware1.4.3
EngeniustechEsr1200 Firmware1.4.5
EngeniustechEsr1750 Firmware1.1.0
EngeniustechEsr1750 Firmware1.2.2.27
EngeniustechEsr1750 Firmware1.3.0
EngeniustechEsr1750 Firmware1.3.1.34
EngeniustechEsr1750 Firmware1.4.0
EngeniustechEsr1750 Firmware1.4.1
EngeniustechEsr1750 Firmware1.4.3
EngeniustechEsr1750 Firmware1.4.5
EngeniustechEpg5000 Firmware1.2.0
EngeniustechEpg5000 Firmware1.3.0
EngeniustechEpg5000 Firmware1.3.2
EngeniustechEpg5000 Firmware1.3.3
EngeniustechEpg5000 Firmware1.3.3.17

Showing 50 of 52 affected configurations. See NVD for the full list.

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2025-34035?
An OS command injection vulnerability exists in EnGenius EnShare Cloud Service version 1.4.11 and earlier. The usbinteract.cgi script fails to properly sanitize user input passed to the path parameter, allowing unauthenticated remote attackers to inject arbitrary shell commands. The injected commands are executed with root privileges, leading to full system compromise. Exploitation evidence was observed by the Shadowserver Foundation on 2024-12-05 UTC.
How severe is CVE-2025-34035?
CVE-2025-34035 has a CVSS score of 10/10 (CRITICAL severity). The EPSS model estimates a 12.33% probability of exploitation in the next 30 days.
How do I fix CVE-2025-34035?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2025-34035?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST