CVE-2025-34035 CRITICAL

CVE-2025-34035: EnGenius EnShare IoT Gigabit Cloud Service Command Injection

Vendor: EnGenius
Product: EnShare IoT Gigabit Cloud Service
Weakness: CWE-78
Published: June 24, 2025
Last update: April 7, 2026

CVSS base score

10.0/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01 Description

An OS command injection vulnerability exists in EnGenius EnShare Cloud Service version 1.4.11 and earlier. The usbinteract.cgi script fails to properly sanitize user input passed to the path parameter, allowing unauthenticated remote attackers to inject arbitrary shell commands. The injected commands are executed with root privileges, leading to full system compromise. Exploitation evidence was observed by the Shadowserver Foundation on 2024-12-05 UTC.
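
A defender-side check for the condition described above, as an added example that is not part of this record or of any vendor tooling: it flags requests to usbinteract.cgi whose decoded path value contains shell metacharacters. The record layout (source, request target, form body), the `/example/` directory, the metacharacter set, and checking both query string and form body are assumptions; the sample records are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Characters a POSIX shell treats as separators, pipes, redirection or
# substitution (assumed set; legitimate folder names may contain some of them).
SHELL_META = re.compile(r"[;|&`$<>\r\n]")


def path_values(target, body=""):
    """Return the URL-decoded `path` values from the query string and form body."""
    values = []
    for raw in (urlsplit(target).query, body):
        values += parse_qs(raw, keep_blank_values=True).get("path", [])
    return values


def flag_requests(records):
    """Return (source, decoded path) for usbinteract.cgi requests worth triage."""
    hits = []
    for src, target, body in records:
        # Only the script named in the advisory is of interest here.
        if not urlsplit(target).path.endswith("usbinteract.cgi"):
            continue
        for value in path_values(target, body):
            if SHELL_META.search(value):
                hits.append((src, value))
    return hits


# Constructed sample records: (source address, request target, form body).
SAMPLE = [
    ("192.0.2.10", "/example/usbinteract.cgi?path=%2Fmedia%2Fusb0", ""),
    ("198.51.100.7", "/example/usbinteract.cgi", "path=%2Fmedia%2Fusb0%3Becho%20test"),
    ("203.0.113.5", "/index.html?path=a%7Cb", ""),
    ("198.51.100.9", "/example/usbinteract.cgi?path=%60echo%20test%60", ""),
]

if __name__ == "__main__":
    for src, value in flag_requests(SAMPLE):
        print(f"review: {src} sent path={value!r}")
```

Because the flaw is reachable without authentication, any hit from an untrusted network is worth correlating with process and outbound-connection activity on the device.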

Key dates

02 Disclosure timeline

June 24, 2025: CVE published
April 7, 2026: Record updated