
A critical vulnerability in multiple Linksys E-Series routers is being actively exploited in the wild by a self-propagating malware campaign known as TheMoon worm, according to new research from the SANS Technology Institute. The flaw, tracked as CVE-2025-34037, carries a maximum CVSS score of 10.0, underscoring its severity.
“An OS command injection vulnerability exists in various models of E-Series Linksys routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints… allowing unauthenticated attackers to inject shell commands,” the vulnerability description reads.
The vulnerability stems from improperly sanitized input passed to the ttcp_ip parameter of the aforementioned CGI scripts, which are reachable over HTTP on port 8080. Attackers do not need to authenticate: although the exploit request carries credentials (the report mentions randomly generated ones such as “admin”), the vulnerable scripts never validate them.
This makes CVE-2025-34037 a zero-click, zero-auth remote command injection vulnerability that is currently being exploited to execute arbitrary shell commands on vulnerable routers.
While a definitive list of vulnerable models is still being compiled, confirmed targets include: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, and E900.
Other potentially impacted models include WAG, WAP, WES, WET, and WRT-series Linksys routers, as well as Wireless-N access points.
TheMoon worm, named after the benign-looking HTML pages and imagery it uses as a calling card, is being deployed through this flaw. The attack chain begins when the worm connects to a router’s port 8080 and requests the /HNAP1/ endpoint. This returns an XML profile detailing the router’s model name and firmware version, such as:
Once confirmed vulnerable, a second unauthenticated request is sent to trigger the exploit, which executes a small shell script to download the actual worm — a 2MB ELF MIPS binary.
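A defender-side version of the fingerprinting step described above, added here as an example and not code from the SANS report or from Linksys: it sends the same unauthenticated /HNAP1/ probe to a router you administer, parses the XML profile for the model name and firmware version, and compares the model against the affected lists the article gives. The element names ModelName and FirmwareVersion follow the HNAP GetDeviceSettings convention and are an assumption, since the article does not reproduce the XML; the embedded sample response is constructed and its firmware string is a placeholder.

```python
"""Inventory check for the HNAP1 fingerprint TheMoon keys on (added example)."""
import socket
import sys
import xml.etree.ElementTree as ET

# Models the report confirms as targeted, as listed in the article above.
CONFIRMED_MODELS = {"E4200", "E3200", "E3000", "E2500", "E2100L", "E2000",
                    "E1550", "E1500", "E1200", "E1000", "E900"}
# Series the article names as potentially affected.
SUSPECT_PREFIXES = ("WAG", "WAP", "WES", "WET", "WRT")

# The same unauthenticated probe as the article's nc one-liner.
HNAP_PROBE = b"GET /HNAP1/ HTTP/1.1\r\nHost: test\r\nConnection: close\r\n\r\n"
MAX_RESPONSE = 64 * 1024  # cap what we read from an untrusted device


def fetch_hnap_profile(host, port=8080, timeout=3.0):
    """Send the probe to one router you administer; return raw HTTP bytes or None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(HNAP_PROBE)
            buf = b""
            while len(buf) < MAX_RESPONSE:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                buf += chunk
            return buf
    except OSError:
        return None


def parse_hnap_profile(raw):
    """Pull ModelName and FirmwareVersion out of an HNAP1 response.

    Element names follow the HNAP GetDeviceSettings convention; that is an
    assumption, because the article does not reproduce the XML it refers to.
    Returns None when the body is not well-formed XML (no HNAP fingerprint).
    """
    if raw is None:
        return None
    body = raw.split(b"\r\n\r\n", 1)[-1]  # drop HTTP headers if present
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    # "{*}" matches any namespace (Python 3.8+), so SOAP/HNAP prefixes do not matter.
    model = root.find(".//{*}ModelName")
    firmware = root.find(".//{*}FirmwareVersion")
    return {
        "model": (model.text or "").strip() if model is not None else "",
        "firmware": (firmware.text or "").strip() if firmware is not None else "",
    }


def classify(profile):
    """Map a parsed profile onto the article's affected / possibly-affected lists."""
    if profile is None:
        return "no-hnap"
    model = profile["model"].upper()
    if model in CONFIRMED_MODELS:
        return "confirmed-affected"
    if model.startswith(SUSPECT_PREFIXES):
        return "possibly-affected"
    return "unlisted"


# Constructed sample response (not captured from a real device); the firmware
# string is a placeholder.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n\r\n"
    b'<?xml version="1.0" encoding="utf-8"?>'
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b"<soap:Body>"
    b'<GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">'
    b"<ModelName>E2500</ModelName>"
    b"<FirmwareVersion>FW-VERSION-PLACEHOLDER</FirmwareVersion>"
    b"</GetDeviceSettingsResponse></soap:Body></soap:Envelope>"
)

if __name__ == "__main__":
    # Usage: python hnap_check.py <router-ip> [port]; no arguments uses the sample.
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080
        raw = fetch_hnap_profile(sys.argv[1], port)
    else:
        raw = SAMPLE_RESPONSE
    profile = parse_hnap_profile(raw)
    print(profile, "->", classify(profile))
```

Run it against your own device inventory only; a "no-hnap" result means the device did not return the XML profile the worm looks for, while "unlisted" only means the model is not on the article's lists, not that it is safe.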
“Once this code runs, the infected router appears to scan for other victims… and serve the binary at a random low port,” the report notes.
Each infected router spins up a temporary HTTP server on a random port to deliver the payload to new victims. This distributed infrastructure significantly amplifies the worm’s propagation speed and reach.
Infected devices immediately begin scanning the internet for other routers to infect. The malware includes a hardcoded list of approximately 670 IP network blocks, primarily in /21 and /24 subnets, linked to DSL and cable ISPs across multiple countries.
This worm exhibits the hallmarks of a purely self-replicating threat, although there are strings within the binary that may suggest the presence of a command and control (C2) channel, which could convert it into a botnet at any time.
Security teams should monitor for the following behavioral signs:
- Heavy outbound scans on TCP ports 80 and 8080
- Inbound connection attempts to random ports <1024
- Temporary local HTTP servers running on low-numbered ports
- Devices responding to an unauthenticated HNAP1 probe such as printf 'GET /HNAP1/ HTTP/1.1\r\nHost: test\r\n\r\n' | nc routerip 8080 (printf rather than echo, because bash's built-in echo does not expand \r\n without -e). If an XML response is returned, the device may be vulnerable
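The first three behavioural signs above can be turned into simple flow-log triage. The following is an added example, not code from the SANS report: it parses constructed flow records, flags internal routers fanning out to many external hosts on TCP 80/8080, and flags internal hosts that several external clients are hitting on one unexpected port below 1024, which is how an infected router's temporary payload server looks from outside. The monitored network range, the record layout, the thresholds and the set of legitimately exposed low ports are all assumptions to adjust for your environment.

```python
"""Flow-log triage for the behavioural indicators listed above (added example)."""
import ipaddress
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed: the router range you monitor
SCAN_PORTS = {80, 8080}
SCAN_THRESHOLD = 20                  # distinct external targets on 80/8080 from one source
LOW_PORT_THRESHOLD = 3               # distinct external clients hitting one internal low port
EXPECTED_LOW_PORTS = {22, 80, 443}   # assumed: services you legitimately expose


def parse_flow(line):
    """Constructed record layout: '<epoch> <src-ip> <dst-ip> <dst-port>'."""
    ts, src, dst, dport = line.split()
    return int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)


def find_scanners(flows):
    """Indicator 1: heavy outbound fan-out on TCP 80/8080 (the worm's victim scan)."""
    targets = defaultdict(set)
    for _, src, dst, dport in flows:
        if src in LOCAL_NET and dst not in LOCAL_NET and dport in SCAN_PORTS:
            targets[src].add(dst)
    return {str(src): len(t) for src, t in targets.items() if len(t) >= SCAN_THRESHOLD}


def find_low_port_servers(flows):
    """Indicators 2 and 3: several external clients connecting to the same internal
    host on one unexpected port below 1024, the outside view of the temporary HTTP
    server an infected router spins up to hand out the payload."""
    clients = defaultdict(set)
    for _, src, dst, dport in flows:
        if (src not in LOCAL_NET and dst in LOCAL_NET
                and dport < 1024 and dport not in EXPECTED_LOW_PORTS):
            clients[(str(dst), dport)].add(src)
    return {key: len(c) for key, c in clients.items() if len(c) >= LOW_PORT_THRESHOLD}


def triage(lines):
    """Parse raw records and run both detectors; returns a dict of findings."""
    flows = [parse_flow(line) for line in lines if line.strip()]
    return {"scanners": find_scanners(flows),
            "low_port_servers": find_low_port_servers(flows)}


def constructed_sample():
    """Constructed flows, not from the report: one worm-like router, one normal customer."""
    lines = []
    for i in range(1, 26):  # 192.0.2.10 touches 25 external hosts on 80/8080
        lines.append(f"17000000{i:02d} 192.0.2.10 203.0.113.{i} {80 if i % 2 else 8080}")
    for src in ("198.51.100.5", "198.51.100.9", "198.51.100.44"):
        lines.append(f"1700000100 {src} 192.0.2.10 753")  # clients of the port-753 server
    lines.append("1700000200 192.0.2.20 203.0.113.250 443")  # ordinary browsing
    lines.append("1700000201 192.0.2.20 203.0.113.251 80")
    return lines


if __name__ == "__main__":
    print(triage(constructed_sample()))
```

The two detectors are deliberately independent: a router that has just been infected scans before anyone pulls the binary from it, so the fan-out rule fires first, and the low-port rule later confirms that it is now acting as a distribution point.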