Skip to main content

Edimax EW-7478APC EUVDEUVD-2026-40128

| CVE-2026-13582 HIGH
Classic Buffer Overflow (CWE-120)
2026-06-29 VulDB GHSA-9gmf-7v9v-p9h8
7.4
CVSS 4.0 · Vendor: VulDB
Share

Severity by source

Vendor (VulDB) PRIMARY
7.4 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Network-reachable web endpoint (AV:N) with simple oversized input (AC:L) but requires a low-privilege web-UI account (PR:L); buffer overflow enables likely code execution, so C/I/A all High.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 29, 2026 - 16:31 vuln.today
CVSS changed
Jun 29, 2026 - 16:22 NVD
8.7 (HIGH) 7.4 (HIGH)

DescriptionCVE.org

A flaw has been found in Edimax EW-7478APC 1.04. This issue affects the function formUSBAccount of the file /goform/formUSBAccount of the component POST Request Handler. This manipulation of the argument UserName/Password causes buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Remote buffer overflow in the Edimax EW-7478APC wireless access point (firmware 1.04) lets an authenticated attacker corrupt memory through the formUSBAccount handler at /goform/formUSBAccount by supplying oversized UserName or Password values in a POST request, enabling likely code execution or device crash. The flaw is remotely reachable and publicly available exploit code exists (proof-of-concept, CVSS 4.0 base 7.4), though there is no public exploit identified as actively used in the wild. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach device web UI with low-priv credentials
Delivery
Craft POST to /goform/formUSBAccount
Exploit
Send oversized UserName/Password
Execution
Overflow fixed-size buffer
Persist
Execute code or crash service
Impact
Compromise or DoS access point

Vulnerability AssessmentAI

Exploitation Exploitation requires network access to the device's HTTP management interface and low-privilege authenticated access to it (CVSS PR:L), then sending a POST request to the specific endpoint /goform/formUSBAccount with an oversized UserName or Password argument handled by the formUSBAccount function in the POST Request Handler. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are partially aligned. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained low-privilege access to the access point's web interface (e.g., default/weak credentials, a shared management account, or an internal foothold) sends a crafted POST request to /goform/formUSBAccount with an overlong UserName or Password value, overflowing the parameter's fixed buffer to crash the device or execute attacker-controlled code on the firmware. A public proof-of-concept for this exact endpoint is already published, lowering the effort required to reproduce the attack.
Remediation No vendor-released patch identified at time of analysis - Edimax did not respond to the disclosure, so a fixed firmware version is not available and none should be assumed. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Edimax EW-7478APC devices; confirm affected firmware version 1.04; restrict administrative access to the device management interface to authorized networks only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40128 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy