Description
A security vulnerability has been detected in Edimax EW-7438RPn 1.12. This vulnerability affects the function formConnectionSetting of the file /goform/formConnectionSetting of the component Setting Handler. Such manipulation of the argument max_Conn/timeOut leads to command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A remote command-injection flaw exists in the formConnectionSetting endpoint of the EW-7438RPn router firmware. When the max_Conn or timeOut parameters are manipulated, the device executes the supplied payload as a shell command, allowing an unauthenticated attacker to run arbitrary code on the device. The weakness corresponds to CWE-74 (user input placed into executable code) and CWE-77 (input validation failure leading to shell injection).

Affected Systems

The affected product is the Edimax EW-7438RPn router running firmware version 1.12. No additional product variants or version ranges are listed, so only the specified firmware instance is known to be vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity flaw, but the EPSS score is not available, so the current exploitation likelihood is unknown while the vulnerability is known to be exploitable. The exploit has been disclosed publicly and may be used. The device is not included in CISA’s KEV list, suggesting no confirmed widespread exploitation at this time. The attack vector is remote over the HTTP interface, and no authentication is required, making the risk significant for exposed devices. The vendor did not respond to early disclosure, and no patch is currently available.

Generated by OpenCVE AI on May 24, 2026 at 08:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Block external access to the router’s administrative interface with a firewall or access‑control list.
  • Disable or restrict access to the /goform/formConnectionSetting endpoint, for example by configuring the device to require authentication or using a local network firewall.
  • Apply the latest firmware once a vendor patch is released, and test the firmware’s behavior to confirm that the injection point is closed.
  • Monitor system logs for abnormal command execution attempts or unexpected traffic to the formConnectionSetting endpoint.

Generated by OpenCVE AI on May 24, 2026 at 08:21 UTC.
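
One way to act on the log-monitoring recommendation above, as an added example (not OpenCVE's or Edimax's code): it flags requests to /goform/formConnectionSetting whose max_Conn or timeOut value is not a plain integer. The tab-separated record format, the sample records and the premise that both fields are numeric in legitimate use are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

ENDPOINT = "/goform/formConnectionSetting"
PARAMS = ("max_Conn", "timeOut")
# Assumption: both fields are plain decimal integers in legitimate use.
NUMERIC = re.compile(r"[0-9]{1,6}")

# Constructed sample records (tab-separated): time, source, method, URI, body.
SAMPLE_LOG = """\
2026-05-24T09:00:01Z\t192.0.2.10\tPOST\t/goform/formConnectionSetting\tmax_Conn=100&timeOut=60
2026-05-24T09:00:07Z\t198.51.100.7\tPOST\t/goform/formConnectionSetting\tmax_Conn=100%3B%3Ccmd%3E&timeOut=60
2026-05-24T09:00:09Z\t198.51.100.7\tGET\t/goform/formConnectionSetting?timeOut=%60%3Ccmd%3E%60\t-
2026-05-24T09:00:12Z\t192.0.2.10\tPOST\t/other/path\tmax_Conn=abc
"""


def suspicious_params(uri, body):
    """Return {param: decoded value} for watched params that are not plain integers."""
    parts = urlsplit(uri)
    if parts.path.rstrip("/") != ENDPOINT:
        return {}
    # Values may arrive in the query string or in a form-encoded body.
    pairs = parse_qsl(parts.query)
    if body and body != "-":
        pairs += parse_qsl(body)
    return {k: v for k, v in pairs if k in PARAMS and not NUMERIC.fullmatch(v)}


def scan(log_text):
    """Return (timestamp, source, findings) for each record worth an alert."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue  # skip malformed records rather than guessing
        ts, src, _method, uri, body = fields
        findings = suspicious_params(uri, body)
        if findings:
            alerts.append((ts, src, findings))
    return alerts


if __name__ == "__main__":
    for ts, src, findings in scan(SAMPLE_LOG):
        print(ts, src, findings)
```

Matching on an allow-list (digits only) rather than a list of shell metacharacters keeps the rule independent of how a payload is encoded or quoted.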

Advisories

No advisories yet.

History

Sun, 24 May 2026 07:30:00 +0000

Columns: Type, Values Removed, Values Added

Description: A security vulnerability has been detected in Edimax EW-7438RPn 1.12. This vulnerability affects the function formConnectionSetting of the file /goform/formConnectionSetting of the component Setting Handler. Such manipulation of the argument max_Conn/timeOut leads to command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title: Edimax EW-7438RPn Setting formConnectionSetting command injection
First Time appeared: Edimax; Edimax ew-7438rpn
Weaknesses: CWE-74, CWE-77
CPEs: cpe:2.3:a:edimax:ew-7438rpn:*:*:*:*:*:*:*:*
Vendors & Products: Edimax; Edimax ew-7438rpn
References:
Metrics:
  • cvssV2_0: score 6.5, vector AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
  • cvssV3_0: score 6.3, vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
  • cvssV3_1: score 6.3, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
  • cvssV4_0: score 5.3, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-24T07:00:11.347Z

Reserved: 2026-05-23T09:58:35.402Z

Link: CVE-2026-9362

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-24T08:30:05Z

Weaknesses