Edimax EW-7438RPn Mini
cpe:2.3:h:edimax:ew-7438rpn_mini:*:*:*:*:*:*:*
- <= 1.13
A command injection vulnerability leading to remote code execution exists in the Edimax EW-7438RPn Wi-Fi range extender in firmware versions through 1.13. The flaw is in the mp.asp form handler: the /goform/mp endpoint passes the value of the command parameter to the system shell without sanitizing it, so an authenticated attacker can append shell metacharacters to that value and have the injected text executed as root on the device.
Exploitation requires valid credentials for the device's web interface. With them, an attacker obtains arbitrary command execution on the extender, and every injected command runs as the root user, so there is no further privilege boundary to cross on the device.
To reproduce, an authenticated user sends a POST request to /goform/mp whose command parameter carries a shell metacharacter (for example ; or |) followed by an attacker-chosen command; the handler executes the injected command along with the intended one. The /goform/formSysCmd endpoint also accepts system command input from the web interface and is vulnerable to the same style of injection.
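As an added example, not Edimax firmware code and not part of the original advisory, the following Python script inspects HTTP requests to the two handlers named above, decodes their form parameters, and reports any value containing shell metacharacters, which is the signal the advisory describes. It also shows the strict allowlist check that a handler passing user input to the shell should apply instead. The sample requests, the sysCmd parameter name used for /goform/formSysCmd, and the allowlist pattern are constructed for illustration; the advisory only names the command parameter for /goform/mp.

```python
"""Flag command-injection attempts against the Edimax EW-7438RPn form handlers.

Added example (not Edimax code, not from the advisory).  Decodes the query
string and form body of requests to /goform/mp and /goform/formSysCmd and
reports parameter values that contain shell metacharacters.  For /goform/mp
only the `command` parameter named in the advisory is inspected; the advisory
does not name the parameter for /goform/formSysCmd, so every parameter sent to
that endpoint is inspected.
"""
import re
from urllib.parse import parse_qs, urlsplit

VULNERABLE_ENDPOINTS = {"/goform/mp", "/goform/formSysCmd"}

# Characters that let a value break out of a single shell command once it is
# interpolated into a command string (the "shell metacharacters" of the advisory).
SHELL_METACHARS = frozenset(";|&`$()<>\n\r")

# Positive allowlist for what a legitimate diagnostic argument could look like
# (host names, IPv4 literals, simple tokens).  Assumed for illustration only;
# it is not the device's real validation rule.
SAFE_VALUE_RE = re.compile(r"^[A-Za-z0-9._:\- ]{1,64}$")


def is_safe_value(value):
    """The check the handler lacks: accept only values matching the allowlist."""
    return bool(SAFE_VALUE_RE.fullmatch(value))


def find_injection(method, target, body):
    """Inspect one request; return a finding dict or None.

    `target` is the request-target (path plus optional query) and `body` the
    raw application/x-www-form-urlencoded payload.  Both are percent-decoded,
    so an encoded metacharacter such as %3B is seen as ';'.  The query string
    is inspected for every method so a GET carrying the same parameter is not
    missed.
    """
    parts = urlsplit(target)
    if parts.path not in VULNERABLE_ENDPOINTS:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        for name, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    for name, values in params.items():
        if parts.path == "/goform/mp" and name != "command":
            continue  # only the advisory's parameter is known to reach the shell
        for value in values:
            hits = sorted({c for c in value if c in SHELL_METACHARS})
            if hits:
                return {"endpoint": parts.path, "param": name,
                        "value": value, "metachars": hits}
    return None


# Constructed sample traffic (not captured from a real device).  The sysCmd
# parameter name is hypothetical.
SAMPLE_REQUESTS = [
    ("POST", "/goform/mp", "command=ping+-c+1+192.168.2.1"),          # benign
    ("POST", "/goform/mp", "command=ping%3Bcat+/etc/passwd"),         # ';' injection
    ("POST", "/goform/formSysCmd", "sysCmd=ls+%7C+id&apply=Apply"),   # '|' injection
    ("GET", "/goform/mp?command=%60id%60", ""),                       # backtick via query
    ("POST", "/goform/status", "command=a%3Bb"),                      # not a target endpoint
]


def triage(requests=SAMPLE_REQUESTS):
    """Return the findings for every suspicious request, in request order."""
    return [f for f in (find_injection(*r) for r in requests) if f]


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

Run against a proxy or access log by feeding (method, target, body) tuples to triage(); the same is_safe_value check, applied before the value reaches the shell, is the minimal fix pattern for a handler like /goform/mp, although dropping the shell entirely and invoking the target program with an argument vector is the stronger remedy.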