High severity · NVD Advisory · Published Jul 10, 2025 · Updated Apr 15, 2026
CVE-2025-34093
Description
An authenticated command injection vulnerability exists in the Polycom HDX Series command shell interface accessible over Telnet. The lan traceroute command in the devcmds console accepts unsanitized input, allowing attackers to execute arbitrary system commands. By injecting shell metacharacters through the traceroute interface, an attacker can achieve remote code execution under the context of the root user. This flaw affects systems where Telnet access is enabled and either unauthenticated access is allowed or credentials are known.
Patches
No patches discovered yet.
References
- raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/misc/polycom_hdx_traceroute_exec.rb (nvd)
- staaldraad.github.io/2017/11/12/polycom-hdx-rce/ (nvd)
- vulncheck.com/advisories/polycom-hdx-series-telnet-rce (nvd)
- web.archive.org/web/20200312205144/http://support.polycom.com/content/dam/polycom-support/global/documentation/securityadvisory-remotecodeexecutionon-hdx-v0.3-hotfix-release.pdf (nvd)
- www.exploit-db.com/exploits/24494 (nvd)