OS Command Injection Vulnerability in Edimax EW-7438RPn Firmware
CVE-2025-34024

9.4CRITICAL

Key Information:

Vendor

Edimax

Status
Edimax Ew-7438rpn Mini
Vendor
CVE Published:
20 June 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-34024?

An OS command injection vulnerability is present in the Edimax EW-7438RPn firmware. This issue arises from improper handling of user input in the mp.asp form handler, specifically through the /goform/mp endpoint. An authenticated attacker can exploit this vulnerability by injecting shell metacharacters into the command parameter, leading to arbitrary command execution with root privileges. This flaw poses significant security risks, enabling unauthorized access and control over the device.

Affected Version(s)

Edimax EW-7438RPn Mini 0 <= 1.13

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-34024 - Proof of Concept

References

https://www.edimax.com/edimax/merchandise/merchandise_det...
product
https://www.exploit-db.com/exploits/48377
third-party-advisoryexploit
https://www.broadcom.com/support/security-center/attacksi...
third-party-advisory

CVSS V4

Score:
9.4
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Besim Altinok
.