Skip to main content

Edimax EW-7438RPn EUVD-2026-31629

| CVE-2026-9425 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-05-25 VulDB GHSA-597q-8598-j8gq
Stack Overflow Buffer Overflow Ew 7438Rpn
7.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 09:29 vuln.today
CVSS changed
May 26, 2026 - 19:37 NVD
8.8 (HIGH) 7.4 (HIGH)

DescriptionCVE.org

A security vulnerability has been detected in Edimax EW-7438RPn 1.31. The impacted element is the function formWlanMP of the file /goform/formWlanMP. The manipulation of the argument ateFunc/ateGain/ateTxCount/ateChan/ateRate/ateMacID/e2pTxPower1/e2pTxPower2/e2pTxPower3/e2pTxPower4/e2pTxPower5/e2pTxPower6/e2pTxPower7/e2pTx2Power1/e2pTx2Power2/e2pTx2Power3/e2pTx2Power4/e2pTx2Power5/e2pTx2Power6/e2pTx2Power7/ateTxFreqOffset/ateMode/ateBW/ateAntenna/e2pTxFreqOffset/e2pTxPwDeltaB/e2pTxPwDeltaG/e2pTxPwDeltaMix/e2pTxPwDeltaN/readE2P leads to stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Stack-based buffer overflow in the Edimax EW-7438RPn 1.31 range extender's formWlanMP handler (/goform/formWlanMP) allows remote authenticated attackers to corrupt memory and potentially achieve arbitrary code execution on the device. Publicly available exploit code exists, but EPSS remains low at 0.04% and there is no CISA KEV listing, indicating no confirmed widespread active exploitation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify reachable EW-7438RPn admin UI
Delivery
Obtain low-privilege web credentials
Exploit
Send crafted POST to /goform/formWlanMP with oversized ATE parameter
Install
Overflow stack buffer in formWlanMP handler
C2
Hijack saved return address with ROP chain
Execute
Execute arbitrary code as device root
Impact
Persist on extender and pivot into LAN
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to the device's HTTP management interface on the LAN-side (or WAN-side if remote administration is enabled), valid authenticated access to the web UI at the privilege level needed to reach /goform/formWlanMP (CVSS PR:L), and the ability to send a crafted POST containing an oversized value in one of the ATE/e2p test-mode parameters (ateFunc, ateGain, ateTxCount, ateChan, ateRate, ateMacID, e2pTxPower1-7, e2pTx2Power1-7, ateTxFreqOffset, ateMode, ateBW, ateAntenna, e2pTxFreqOffset, e2pTxPwDeltaB/G/Mix/N, or readE2P) on an EW-7438RPn running firmware 1.31. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H) scores 7.4 and reflects network-reachable, low-complexity exploitation requiring low-level authentication, with high impact on confidentiality, integrity, and availability of the device itself (no scope change). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained valid low-privilege credentials to the EW-7438RPn web UI - for example a default or weak admin password, or credentials harvested from a phishing or LAN-resident foothold - sends a crafted HTTP POST to /goform/formWlanMP with an oversized value in one of the ATE/e2p parameters such as ateMacID or e2pTxPower1, overflowing a stack buffer in the formWlanMP handler. With the publicly available PoC on GitHub (wudipjq/my_vuln) as a starting point and per-target ROP gadgetry, the attacker corrupts the saved return address to execute arbitrary code as the web daemon (typically root on these devices), gaining persistent control of the extender for traffic interception, DNS hijacking, or pivoting into the local network.
Remediation No vendor-released patch identified at time of analysis - the researcher reports that Edimax did not respond to coordinated disclosure, so administrators cannot rely on a fixed firmware version. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Conduct complete inventory of Edimax EW-7438RPn 1.31 devices across all locations; restrict administrative access via firewall rules. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-31629 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy