This vulnerability involves OS command injection (CWE-78) in various Linksys E-Series routers, including the E4200 model, through the /tmUnblock.cgi and /hndUnblock.cgi CGI endpoints. The issue stems from insufficient input validation of the ttcp_ip parameter, which is passed to system shell commands without proper neutralization. Attackers can exploit this to execute arbitrary commands remotely without authentication. The vulnerability was actively exploited by the "TheMoon" worm in 2014, which targeted these routers to deploy malicious MIPS ELF binaries. The Shadowserver Foundation observed exploitation activity in early 2025. While other Linksys router models and Wireless-N access points may also be affected, no vendor patch or official fix has been published to date.

Successful exploitation allows unauthenticated remote attackers to execute arbitrary OS commands on vulnerable Linksys routers, leading to full compromise of the device. This can result in unauthorized control, persistent malware installation, and potential network pivoting. The vulnerability has been confirmed exploited in the wild, demonstrating active threat. The critical CVSS score of 10 reflects the high impact and ease of exploitation without any required privileges or user interaction.

No official patch or remediation has been published by Linksys as of the current information. Users should monitor vendor advisories for updates. Until a fix is available, it is recommended to restrict access to the router's HTTP port 8080 interface from untrusted networks and disable remote management features if enabled. Network-level controls such as firewall rules to block external access to these CGI endpoints can reduce exposure. Consider replacing affected devices with updated models if possible. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.