Description
A vulnerability was detected in Edimax EW-7438RPn 1.12. This issue affects the function formEZCHNwlanSetup of the file /goform/formEZCHNwlanSetu of the component POST Request Handler. Performing a manipulation of the argument method results in command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-24
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A command injection flaw exists in the formEZCHNwlanSetu POST request handler of Edimax EW-7438RPn firmware 1.12, allowing an attacker to manipulate the method argument and execute arbitrary shell commands on the device. The CVE description confirms that remote exploitation is possible and that the exploitation method is public.

Affected Systems

The vulnerability affects Edimax EW-7438RPn routers running firmware version 1.12, as indicated by the provided CPE string and vendor/product information. No other versions or models are mentioned.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote web client or automated tool sending a crafted POST request to the /goform/formEZCHNwlanSetu endpoint, which is inferred from the description of the affected POST request handler.

Generated by OpenCVE AI on May 24, 2026 at 09:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the Edimax website or firmware update channel for a version that includes a fix for the command injection and apply it when available.
  • If no update is available, restrict network access to the /goform/formEZCHNwlanSetu endpoint using firewall rules or device ACLs.
  • Monitor device logs for attempts that include malicious command strings and investigate any suspicious activity.
  • If remote management is not required, disable it to reduce exposure.

Advisories

No advisories yet.

History

Sun, 24 May 2026 07:30:00 +0000

Values Added (no Values Removed entries are shown):

Description: A vulnerability was detected in Edimax EW-7438RPn 1.12. This issue affects the function formEZCHNwlanSetup of the file /goform/formEZCHNwlanSetu of the component POST Request Handler. Performing a manipulation of the argument method results in command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title: Edimax EW-7438RPn POST Request formEZCHNwlanSetu formEZCHNwlanSetup command injection
First Time appeared: Edimax; Edimax ew-7438rpn
Weaknesses: CWE-74; CWE-77
CPEs: cpe:2.3:a:edimax:ew-7438rpn:*:*:*:*:*:*:*:*
Vendors & Products: Edimax; Edimax ew-7438rpn
References:
Metrics:

  • cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  • cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  • cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  • cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-24T07:15:07.974Z

Reserved: 2026-05-23T09:58:42.976Z

Link: CVE-2026-9363

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-24T09:30:05Z

Weaknesses