Vulnerability Description
An OS command injection vulnerability exists in the Edimax EW-7438RPn firmware version 1.13 and prior via the mp.asp form handler. The /goform/mp endpoint improperly handles user-supplied input to the command parameter. An authenticated attacker can inject shell commands using shell metacharacters to achieve arbitrary command execution as the root user. Exploitation evidence was observed by the Shadowserver Foundation on 2024-09-14 UTC.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Edimax | Ew-7438Rpn Mini Firmware | <= 1.13 |
| Edimax | Ew-7438Rpn Mini | - |
Related Weaknesses (CWE)
References
- https://vulncheck.com/advisories/edimax-ew-7438rpn-command-injectionsExploitThird Party Advisory
- https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=32Third Party Advisory
- https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/Product
- https://www.exploit-db.com/exploits/48377ExploitVDB Entry
FAQ
What is CVE-2025-34024?
CVE-2025-34024 is a vulnerability with a CVSS score of 8.8 (HIGH). An OS command injection vulnerability exists in the Edimax EW-7438RPn firmware version 1.13 and prior via the mp.asp form handler. The /goform/mp endpoint improperly handles user-supplied input to the...
How severe is CVE-2025-34024?
CVE-2025-34024 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-34024?
Check the references section above for vendor advisories and patch information. Affected products include: Edimax Ew-7438Rpn Mini Firmware, Edimax Ew-7438Rpn Mini.