Description
A vulnerability was detected in Edimax EW-7478APC 1.04. This vulnerability affects the function formStaDrvSetup of the file /goform/formStaDrvSetup of the component POST Request Handler. The manipulation of the argument rootAPmac results in os command injection. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-29
Score: 5.3 Medium
EPSS: 1.2% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the formStaDrvSetup function of the /goform/formStaDrvSetup endpoint. An attacker can manipulate the rootAPmac field to inject arbitrary operating‑system commands. This results in full remote command execution on the device, providing an attacker with complete control over the router's operating system. The flaw is a classic example of CWE-77 – command injection, and the operating‑system component is also vulnerable to CWE-78.

Affected Systems

The affected system is the Edimax EW‑7478APC Wi‑Fi access point, firmware vendors or product versions CNA data. The device is accessible over the network, so anyone with network connectivity can exploit the flaw.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, but the flaw is exploitable without authentication from any remote host. EPSS score of 1% indicates a very low probability of exploitation; however, the vulnerability is not listed in the CISA KEV catalog. Because the vendor has not released a patch and the public exploit is exposed networks. The attack vector is a remote POST request to /goform/formStaDrvSetup, meaning an attacker who can reach the device over the network can trigger the injection.

Generated by OpenCVE AI on June 30, 2026 at 15:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply firmware updates that address the command‑injection flaw in formStaDrvSetup, as provided by Edimax or through subsequent security advisories.
  • If an update is unavailable, restrict network access to the /goform/formStaDrvSetup endpoint by implementing firewall rules or access‑control lists so only trusted hosts can send POST disabling or changing any default credentials on the device, thereby preventing unauthorized remote access that could exploit the vulnerability.
  • Continuously monitor device logs for unexpected POST activity to /goform/formStaDrvSetup and investigate any suspicious attempts.

Generated by OpenCVE AI on June 30, 2026 at 15:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 29 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in Edimax EW-7478APC 1.04. This vulnerability affects the function formStaDrvSetup of the file /goform/formStaDrvSetup of the component POST Request Handler. The manipulation of the argument rootAPmac results in os command injection. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title Edimax EW-7478APC POST Request formStaDrvSetup os command injection
First Time appeared Edimax
Edimax ew-7478apc
Weaknesses CWE-77
CWE-78
CPEs cpe:2.3:a:edimax:ew-7478apc:*:*:*:*:*:*:*:*
Vendors & Products Edimax
Edimax ew-7478apc
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Edimax Ew-7478apc
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-30T15:09:50.552Z

Reserved: 2026-06-28T22:29:15.833Z

Link: CVE-2026-13581

cve-icon Vulnrichment

Updated: 2026-06-30T15:09:46.700Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T15:45:05Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')