Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Lifecycle Timeline
Description (CVE.org)
A weakness has been identified in Edimax EW-7438RPn 1.31. This impacts the function formAccept of the file /goform/formAccept. Executing a manipulation of the argument submit-url can lead to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Stack-based buffer overflow in Edimax EW-7438RPn 1.31 range extenders allows authenticated remote attackers to corrupt memory by sending a crafted submit-url parameter to the formAccept handler at /goform/formAccept. Publicly available exploit code exists (VulDB-disclosed, with a PoC published on GitHub), but EPSS rates real-world exploitation probability at only 0.04% (13th percentile) and the vendor has not responded to disclosure, leaving the device permanently exposed.
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI)

| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires (1) network-layer reachability to the EW-7438RPn web administration interface on the LAN or, if remote management is enabled, over the WAN; (2) valid low-privilege web UI credentials per CVSS PR:L; default credentials qualify and are commonly unchanged on consumer extenders; (3) the device running firmware version 1.31 as identified in EUVD-2026-31676; and (4) the ability to send a crafted HTTP request to the /goform/formAccept endpoint with an oversized submit-url argument. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 7.4 reflects high confidentiality, integrity, and availability impact over an adjacent web management interface that requires low privileges (PR:L) but no user interaction, with proof-of-concept exploit maturity (E:P). … Full risk analysis with EPSS, KEV, and SSVC signal comparison is available after sign-in. |
| Exploit Scenario | An attacker who has obtained low-privileged web UI credentials (default, weak, or phished) on a reachable EW-7438RPn issues an HTTP POST to /goform/formAccept with an oversized submit-url parameter crafted to overwrite the saved return address on the stack. Using the published PoC at github.com/wudipjq/my_vuln/blob/main/Edimax/vuln_13/13.md as a template, the attacker pivots execution to shellcode placed in the request body, gaining a root shell on the extender and using it as a foothold to pivot into the LAN, sniff Wi-Fi traffic, or enroll the device into a botnet. |
| Remediation | No vendor-released patch identified at time of analysis; the disclosing party (VulDB) reports the vendor did not respond. … Detailed patch versions, workarounds, and compensating controls are in the full report. |
Recommended Action (AI)
24 hours: Conduct full inventory of Edimax EW-7438RPn devices across all network segments. …
EUVD-2026-31676
GHSA-jhff-593j-8ffm