Description
A security vulnerability has been detected in Edimax EW-7478APC 1.04. This affects the function formQoS of the file /goform/formQoS of the component POST Request Handler. The manipulation of the argument selSSID leads to buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-29
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the formQoS POST request handler of the Edimax EW-7478APC router, specifically the argument selSSID. Malicious manipulation of this argument triggers a buffer overflow (CWE-119 and CWE-120). The overflow can compromise the device’s execution context, potentially leading to arbitrary code execution or denial of service. The impact extends to confidentiality, integrity, and availability of the affected router and any networks it protects.

Affected Systems

The affected product is the Edimax EW-7478APC 1.04 router. No other versions are specifically mentioned, so only 1.04 is confirmed to be vulnerable. The sink is the /goform/formQoS endpoint exposed via HTTP POST.

Risk and Exploitability

With a CVSS score of 8.7 the flaw is considered high severity. The EPSS score is unavailable, but the exploit has been publicly disclosed, suggesting that adversaries could employ it. No KEV listing currently exists, yet the remote nature of the attack implies that access to the router’s web interface is sufficient for exploitation, likely without authentication. If no mitigation is applied, the attacker could gain full control of the device.

Generated by OpenCVE AI on June 29, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a firmware update that addresses the formQoS buffer overflow (upgrade to a version released after 1.04).
  • If updating firmware is not possible, block or disable the /goform/formQoS endpoint so POST requests are rejected.
  • Limit management interface access to trusted IP addresses only or place the router behind a network segment with strict controls.
  • Monitor router logs for abnormal POST activity and investigate any suspicious requests.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 17:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 16:15:00 +0000

Type | Values Removed | Values Added
Description | | A security vulnerability has been detected in Edimax EW-7478APC 1.04. This affects the function formQoS of the file /goform/formQoS of the component POST Request Handler. The manipulation of the argument selSSID leads to buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | Edimax EW-7478APC POST Request formQoS buffer overflow
First Time appeared | | Edimax; Edimax ew-7478apc
Weaknesses | | CWE-119; CWE-120
CPEs | | cpe:2.3:a:edimax:ew-7478apc:*:*:*:*:*:*:*:*
Vendors & Products | | Edimax; Edimax ew-7478apc
References | |
Metrics | | cvssV2_0: {'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0: {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T16:19:48.827Z

Reserved: 2026-06-28T22:29:13.511Z

Link: CVE-2026-13580

Vulnrichment

Updated: 2026-06-29T16:19:45.673Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T21:00:04Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE-120

    Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')