Description
A vulnerability was detected in Edimax EW-7478APC 1.04. The impacted element is the function formiNICbasic of the file /goform/formiNICbasic of the component POST Request Handler. The manipulation of the argument rootAPmac results in os command injection. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-29
Score: 5.3 Medium
EPSS: 1.2% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the formiNICbasic function of the /goform/formiNICbasic handler on the Edimax EW‑7478APC. manipulates the rootAPmac argument, an attacker can inject operating‑system commands into the router’s firmware. This flaw allows arbitrary commands to be executed from a remote host, giving full control over the device. The weakness is an OS command injection, reflected by CWE‑77 and CWE‑78, and the CVSS score of 5.3 places it in the medium severity range.

Affected Systems

Edimax model EW‑7478APC running firmware 1.04 is affected. No other models or firmware versions are listed in the advisory.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium risk level, and the exploit is publicly available. The EPSS score of 1% indicates a very low exploitation probability. The absence from the CISA KEV catalog and the low EPSS suggest that exploitation is not yet widespread, but the remote nature of the attack and the ability to execute arbitrary commands mean that the risk to a compromised network could be significant if the device is exposed to untrusted traffic.

Generated by OpenCVE AI on June 30, 2026 at 15:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • If Edimax releases a firmware update that addresses this command injection flaw, apply it immediately.
  • If a patch is not yet available, restrict remote access to the router’s web interface to trusted IP addresses or block POST requests to /goform/formiNICbasic from untrusted networks using firewall or ACL rules.
  • Disable or remove the router’s web management interface if it is unnecessary for operation.
  • Continuously monitor device logs for suspicious POST activity and investigate any anomalies.

Generated by OpenCVE AI on June 30, 2026 at 15:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 29 Jun 2026 12:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in Edimax EW-7478APC 1.04. The impacted element is the function formiNICbasic of the file /goform/formiNICbasic of the component POST Request Handler. The manipulation of the argument rootAPmac results in os command injection. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title Edimax EW-7478APC POST Request formiNICbasic os command injection
First Time appeared Edimax
Edimax ew-7478apc
Weaknesses CWE-77
CWE-78
CPEs cpe:2.3:a:edimax:ew-7478apc:*:*:*:*:*:*:*:*
Vendors & Products Edimax
Edimax ew-7478apc
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Edimax Ew-7478apc
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T12:48:39.114Z

Reserved: 2026-06-28T16:12:50.577Z

Link: CVE-2026-13561

cve-icon Vulnrichment

Updated: 2026-06-29T12:48:32.759Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T15:45:05Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')