Description
A vulnerability was found in Edimax EW-7478APC 1.04. Affected is the function formPPPoESetup of the file /goform/formPPPoESetup of the component POST Request Handler. Performing a manipulation of the argument pppUserName results in stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-29
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stack-based buffer overflow exists in the formPPPoESetup function of the POST Request Handler in Edimax EW‑7478APC firmware 1.04. Manipulating the pppUserName parameter can overflow the stack, potentially allowing an attacker to execute arbitrary code. The flaw presents a severe confidentiality, integrity, and availability risk if exploited.

Affected Systems

The vulnerability affects Edimax EW‑7478APC devices running firmware 1.04, the build in which the flaw was identified. No other product versions are listed as impacted.

Risk and Exploitability

The flaw can be triggered remotely via a crafted HTTP POST request, with the exploit already public and no known mitigations from the vendor. Although no EPSS score is available, the CVSS score of 8.7 indicates high severity, and the lack of a CISA KEV listing does not diminish its potential impact. Attacks would require network connectivity to the device’s administrative interface and could lead to full system compromise.

Generated by OpenCVE AI on June 29, 2026 at 13:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy a firmware revision that addresses the stack‑based overflow in formPPPoESetup once the vendor provides one.
  • Configure network or device firewall rules to block or restrict HTTP POST requests to /goform/formPPPoESetup from untrusted sources.
  • Enable logging and monitor for anomalous POST traffic or failed login attempts, and investigate any suspicious activity.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 12:00:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was found in Edimax EW-7478APC 1.04. Affected is the function formPPPoESetup of the file /goform/formPPPoESetup of the component POST Request Handler. Performing a manipulation of the argument pppUserName results in stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | Edimax EW-7478APC POST Request formPPPoESetup stack-based overflow
First Time appeared | | Edimax; Edimax ew-7478apc
Weaknesses | | CWE-119; CWE-121
CPEs | | cpe:2.3:a:edimax:ew-7478apc:*:*:*:*:*:*:*:*
Vendors & Products | | Edimax; Edimax ew-7478apc
References | |
Metrics | | cvssV2_0 {'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0 {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T13:29:21.070Z

Reserved: 2026-06-28T16:12:58.331Z

Link: CVE-2026-13564

Vulnrichment

Updated: 2026-06-29T13:28:57.459Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T20:05:26Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE-121

    Stack-based Buffer Overflow