EUVD-2026-31628
GHSA-5rm7-2pfg-jpcm
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A weakness has been identified in Edimax EW-7438RPn 1.31. The affected element is the function formWlanMP of the file /goform/formWlanMP of the component Content-Type Handler. Executing a manipulation of the argument ateFunc/ateGain/ateTxCount/ateChan/ateRate/ateMacID/e2pTxPower1/e2pTxPower2/e2pTxPower3/e2pTxPower4/e2pTxPower5/e2pTxPower6/e2pTxPower7/e2pTx2Power1/e2pTx2Power2/e2pTx2Power3/e2pTx2Power4/e2pTx2Power5/e2pTx2Power6/e2pTx2Power7/ateTxFreqOffset/ateMode/ateBW/ateAntenna/e2pTxFreqOffset/e2pTxPwDeltaB/e2pTxPwDeltaG/e2pTxPwDeltaMix/e2pTxPwDeltaN/readE2P can lead to os command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
OS command injection in Edimax EW-7438RPn 1.31 allows a low-privileged, remote attacker to execute arbitrary commands on the device by manipulating any of approximately 29 parameters passed to the formWlanMP function via the /goform/formWlanMP endpoint. The vulnerable parameters - including ateFunc, ateGain, ateTxCount, and e2pTxPower series - are characteristic of ATE (Automatic Test Equipment) manufacturing-mode calibration parameters left accessible in the production firmware. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The CVSS 4.0 vector specifies PR:L (low privileges required), meaning the attacker must first authenticate to the device web management interface with at least a low-privileged account. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This vulnerability presents a notable discrepancy between its CVSS 4.0 score (2.1) and its actual operational severity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated attacker - or an insider on the local network who has obtained the router's default or weak credentials - submits a crafted HTTP POST request to http://[device-ip]/goform/formWlanMP, injecting an OS command such as a reverse shell payload into a parameter like ateFunc. The device's CGI handler passes the unsanitized value to a system() or similar call, executing the injected command as root on the embedded Linux firmware. … |
| Remediation | No vendor-released patch has been identified at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today