CVE-2025-34035
📋 TL;DR
An unauthenticated remote OS command injection vulnerability in EnGenius EnShare Cloud Service allows attackers to execute arbitrary shell commands with root privileges. This affects version 1.4.11 and earlier, enabling complete system takeover. The vulnerability is actively exploited in the wild.
💻 Affected Systems
- EnGenius EnShare Cloud Service
📦 What is this software?
Epg5000 Firmware by Engeniustech
Esr1200 Firmware by Engeniustech
Esr1750 Firmware by Engeniustech
Esr300 Firmware by Engeniustech
Esr350 Firmware by Engeniustech
Esr600 Firmware by Engeniustech
Esr900 Firmware by Engeniustech
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with root access, data exfiltration, ransomware deployment, and persistent backdoor installation.
Likely Case
Unauthenticated attackers gain root shell access, install cryptocurrency miners or botnet clients, and pivot to internal networks.
If Mitigated
If properly segmented and monitored, lateral movement is limited but initial compromise still occurs.
🎯 Exploit Status
Multiple public exploit scripts exist, and Shadowserver observed active exploitation in December 2024.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: No official vendor advisory found
Restart Required: No
Instructions:
No official patch available. Consider workarounds or replacement.
🔧 Temporary Workarounds
Disable usbinteract.cgi script
Remove or restrict access to the vulnerable CGI script:
mv /www/cgi-bin/usbinteract.cgi /www/cgi-bin/usbinteract.cgi.disabled
chmod 000 /www/cgi-bin/usbinteract.cgi.disabled
On embedded firmware this change may not survive a reboot or factory reset; re-run the verification check after any restart.
Network access control
Restrict access to the EnShare service using firewall rules (replace trusted_networks with the CIDR of your management network; the ACCEPT rule must precede the DROP rule, and if the web interface is also served over HTTPS, add the same pair for port 443):
iptables -A INPUT -p tcp --dport 80 -s trusted_networks -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
🧯 If You Can't Patch
- Immediately isolate affected devices from internet and critical internal networks
- Implement strict network segmentation and monitor for suspicious outbound connections
🔍 How to Verify
Check if Vulnerable:
Check whether usbinteract.cgi exists and is reachable (an HTTP 200 means the script is exposed; 403/404 means it has been removed or blocked): curl -v http://device-ip/cgi-bin/usbinteract.cgi?path=test
Check Version:
Check device web interface or firmware version in administration panel
Verify Fix Applied:
Verify usbinteract.cgi is no longer accessible or returns 404/403
📡 Detection & Monitoring
Log Indicators:
- Unusual CGI script access patterns
- Suspicious commands in web server logs
- Multiple failed then successful usbinteract.cgi requests
Network Indicators:
- Unexpected outbound connections from EnShare devices
- Traffic to known C2 servers or mining pools
SIEM Query:
source="web_logs" AND uri="/cgi-bin/usbinteract.cgi" AND (query CONTAINS "|" OR query CONTAINS ";" OR query CONTAINS "`")
URL-decode the query string before matching: the literal test above does not catch percent-encoded forms such as %3B or %7C.
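As an added example (not part of the original advisory), a small Python check that applies the log indicators above to web server access lines: it decodes each query value before looking for shell metacharacters, so percent-encoded and double-encoded payloads that the literal SIEM query misses are still flagged, and it counts hits per source address. The access-log layout, the `path` parameter name and the sample lines are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Common/combined access-log layout: client IP, timestamp, request line, status (assumed)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_PATH = "/cgi-bin/usbinteract.cgi"
# Shell metacharacters that never belong in a file-system path argument
META_RE = re.compile(r'[;|`\n&]|\$\(|\$\{')

def decode_params(query):
    """Split the query string and percent-decode each value twice so that
    single- (%3B) and double-encoded (%253B) metacharacters are both exposed."""
    params = []
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.append((unquote_plus(name), unquote_plus(unquote_plus(value))))
    return params

def flag_line(line):
    """Return a finding for a usbinteract.cgi request whose decoded parameters
    carry shell metacharacters, or None for anything else (including unparsable lines)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != VULN_PATH:
        return None
    hits = [name for name, value in decode_params(parts.query) if META_RE.search(value)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "status": int(m.group("status")), "params": hits}

def scan(lines):
    return [f for f in map(flag_line, lines) if f]

def by_source(findings):
    """Flagged requests per source IP; repeat offenders get the first look."""
    return Counter(f["ip"] for f in findings)

# Constructed sample lines using RFC 5737 documentation addresses, not real traffic
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2024:10:00:01 +0000] "GET /cgi-bin/usbinteract.cgi?path=/mnt/usb HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Dec/2024:10:00:02 +0000] "GET /cgi-bin/usbinteract.cgi?path=/mnt;id HTTP/1.1" 200 90',
    '198.51.100.7 - - [10/Dec/2024:10:00:03 +0000] "GET /cgi-bin/usbinteract.cgi?path=%2Fmnt%257Cid HTTP/1.1" 200 88',
    '203.0.113.9 - - [10/Dec/2024:10:00:04 +0000] "GET /cgi-bin/status.cgi?x=a%3Bb HTTP/1.1" 200 10',
]
```

Feed real access-log lines to `scan()` and review `by_source()` first; a benign request to the script (the first sample line) produces no finding.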
🔗 References
- https://cxsecurity.com/issue/WLB-2017060050
- https://packetstormsecurity.com/files/142792
- https://vulncheck.com/advisories/engenius-enshare-iot-gigabit-cloud-service
- https://www.exploit-db.com/exploits/42114
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5413.php