Description
A vulnerability was identified in Edimax EW-7438RPn 1.28a. Affected by this vulnerability is the function formHwSet of the file /goform/formHwSet of the component POST Request Handler. The manipulation of the argument Anntena/Mcs/regDomain/nic0Addr/nic1Addr/wlanAddr/wanAddr/wlanSSID/wlanChan/comd/initgain/txcck/txofdm leads to command injection. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Edimax EW-7438RPn firmware 1.28a contains a flaw in the /goform/formHwSet POST handler that allows an attacker to inject arbitrary shell commands by manipulating several form fields such as Anntena, regDomain, and wifi settings. The injection capability permits execution of operating system commands with the privileges of the web server process, potentially compromising the device’s confidentiality, integrity, and availability. The vulnerability is identified as CMD_INJECTION (CWE-74) combined with improper access control (CWE-77).

Affected Systems

The flaw is present in the Edimax EW-7438RPn Wi‑Fi router model running firmware version 1.28a. No other model or firmware version is currently listed as affected.

Risk and Exploitability

The CVSS base score is 5.3, indicating moderate severity. EPSS is not available, and the vulnerability is not listed in CISA's KEV catalog. The exploit can be launched remotely through the publicly reachable web interface, and an exploit code has already been made public. Attackers can trigger the vulnerability without authentication, provided they can reach the router over the network. The high confidence in the publish of exploit code suggests that the vulnerability is actively used in the wild.

Generated by OpenCVE AI on May 24, 2026 at 07:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the router firmware to the latest version provided by Edimax, which addresses the command injection in formHwSet.
  • If a newer firmware is unavailable, apply network segmentation and restrict access to the router’s web interface to a trusted local subnet or VPN only.
  • Configure the router’s firewall to block the /goform/formHwSet endpoint from external sources or obscure the web management interface from the Internet.

Generated by OpenCVE AI on May 24, 2026 at 07:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 24 May 2026 06:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was identified in Edimax EW-7438RPn 1.28a. Affected by this vulnerability is the function formHwSet of the file /goform/formHwSet of the component POST Request Handler. The manipulation of the argument Anntena/Mcs/regDomain/nic0Addr/nic1Addr/wlanAddr/wanAddr/wlanSSID/wlanChan/comd/initgain/txcck/txofdm leads to command injection. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title Edimax EW-7438RPn POST Request formHwSet command injection
First Time appeared Edimax
Edimax ew-7438rpn
Weaknesses CWE-74
CWE-77
CPEs cpe:2.3:a:edimax:ew-7438rpn:*:*:*:*:*:*:*:*
Vendors & Products Edimax
Edimax ew-7438rpn
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Edimax Ew-7438rpn
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-24T06:00:14.879Z

Reserved: 2026-05-23T09:58:08.431Z

Link: CVE-2026-9359

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-24T08:00:10Z

Weaknesses