Primary

Context

Edimax EW-7438RPn OS Command Injection Vulnerability Allowing Remote Code Execution

Vulnerability

A command injection vulnerability has been identified in the Edimax EW-7438RPn range, affecting versions through 1.31. The issue resides in the 'formWizSurvey' function of the 'webs' component, where user-supplied 'ip', 'mask', and 'gateway' arguments are not properly validated. This oversight allows remote attackers to inject and execute arbitrary operating system commands. The vulnerability has been publicly disclosed, and the vendor has not responded to initial reports.

Impact

Exploitation of this vulnerability allows for arbitrary OS command execution on the affected device.

Reproduction

To reproduce this vulnerability, send a POST request to '/goform/formWizSurvey' with crafted 'ip', 'mask', and 'gateway' parameters. The 'ip' parameter can be used to inject commands, which the device will execute. For example, injecting a command to start a telnet session can be used to gain shell access on the device.

Added: May 26, 2026, 9:05 PM

Updated: May 26, 2026, 9:05 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

8.7

remediation

0.0

relevance

9.3

threat

6.4

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

8.7

remediation

0.0

relevance

9.3

threat

6.4

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Edimax EW-7438RPn OS Command Injection Vulnerability Allowing Remote Code Execution

Vulnerability

Impact

Reproduction

Affected Products

Edimax EW-7438RPn

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating