Description
A weakness has been identified in Edimax EW-7438RPn 1.12. This affects the function formAccept of the file /goform/formAccep of the component POST Request Handler. This manipulation of the argument submit-url causes command injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the formAccept function of the /goform/formAccep endpoint on Edimax EW‑7438RPn routers. An attacker can tamper with the submit‑url parameter to inject arbitrary shell commands, resulting in command execution on the device. The flaw is a classic command injection (CWE‑77) that can be triggered via a POST request to the web interface, allowing remote control without local privileges.

Affected Systems

Edimax EW‑7438RPn routers running firmware version 1.12 are affected. This is the only publicly documented version with the vulnerability; other firmware releases have not been listed or verified as vulnerable.

Risk and Exploitability

The CVSS base score is 5.3, indicating a moderate severity. No EPSS score is available, and the issue is not listed in the CISA KEV catalog, suggesting that widespread exploitation has not yet been confirmed. However, an exploit is publicly documented and the attack can be launched remotely by sending a crafted POST request to the vulnerable endpoint. The risk of exploitation remains moderate to high until a patch is applied or the vulnerable functionality is disabled.

Generated by OpenCVE AI on May 24, 2026 at 08:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the router to a firmware version that removes the vulnerable formAccept function or applies a vendor patch if available.
  • If an upgrade is not feasible, block or disable POST requests to the /goform/formAccep endpoint using the router’s firewall or an external ACL to prevent the injection vector.
  • Implement strict input validation on the submit‑url parameter or use a whitelist approach to allow only legitimate URLs, mitigating the command injection risk until a permanent fix is deployed.

Generated by OpenCVE AI on May 24, 2026 at 08:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 24 May 2026 07:30:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in Edimax EW-7438RPn 1.12. This affects the function formAccept of the file /goform/formAccep of the component POST Request Handler. This manipulation of the argument submit-url causes command injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title Edimax EW-7438RPn POST Request formAccep formAccept command injection
First Time appeared Edimax
Edimax ew-7438rpn
Weaknesses CWE-74
CWE-77
CPEs cpe:2.3:a:edimax:ew-7438rpn:*:*:*:*:*:*:*:*
Vendors & Products Edimax
Edimax ew-7438rpn
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Edimax Ew-7438rpn
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-24T06:30:10.172Z

Reserved: 2026-05-23T09:58:27.839Z

Link: CVE-2026-9361

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-24T08:30:05Z

Weaknesses