Details of VAR-202506-1088

ID

VAR-202506-1088

CVE

CVE-2025-34024

TITLE

EDIMAX Technology of EW-7438RPn Mini Firmware Input Validation Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2025-014543

DESCRIPTION

An OS command injection vulnerability exists in the Edimax EW-7438RPn firmware version 1.13 and prior via the mp.asp form handler. The /goform/mp endpoint improperly handles user-supplied input to the command parameter. An authenticated attacker can inject shell commands using shell metacharacters to achieve arbitrary command execution as the root user. Exploitation evidence was observed by the Shadowserver Foundation on 2024-09-14 UTC. (DoS) It may be in a state

Trust: 1.62

sources: NVD: CVE-2025-34024 // JVNDB: JVNDB-2025-014543

AFFECTED PRODUCTS

vendor:	edimax	model:	ew-7438rpn mini	scope:	lte	version:	1.13	Trust: 1.0
vendor:	edimax	model:	ew-7438rpn mini	scope:	-	version:	-	Trust: 0.8
vendor:	edimax	model:	ew-7438rpn mini	scope:	eq	version:	-	Trust: 0.8
vendor:	edimax	model:	ew-7438rpn mini	scope:	lte	version:	ew-7438rpn mini firmware 1.13 and earlier	Trust: 0.8

sources: JVNDB: JVNDB-2025-014543 // NVD: CVE-2025-34024

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2025-34024
value:	HIGH
Trust: 1.0
disclosure@vulncheck.com:	CVE-2025-34024
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2025-34024
value:	HIGH
Trust: 0.8

nvd@nist.gov:	CVE-2025-34024
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2025-34024
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2025-014543 // NVD: CVE-2025-34024 // NVD: CVE-2025-34024

PROBLEMTYPE DATA

problemtype:	CWE-78	Trust: 1.0
problemtype:	Inappropriate input confirmation (CWE-20) [ others ]	Trust: 0.8
problemtype:	OS Command injection (CWE-78) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2025-014543 // NVD: CVE-2025-34024

EXTERNAL IDS

db:	NVD	id:	CVE-2025-34024	Trust: 2.6
db:	EXPLOIT-DB	id:	48377	Trust: 1.8
db:	JVNDB	id:	JVNDB-2025-014543	Trust: 0.8

sources: JVNDB: JVNDB-2025-014543 // NVD: CVE-2025-34024

REFERENCES

url:	https://vulncheck.com/advisories/edimax-ew-7438rpn-command-injections	Trust: 1.8
url:	https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=32163	Trust: 1.8
url:	https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/	Trust: 1.8
url:	https://www.exploit-db.com/exploits/48377	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2025-34024	Trust: 0.8

sources: JVNDB: JVNDB-2025-014543 // NVD: CVE-2025-34024

SOURCES

db:	JVNDB	id:	JVNDB-2025-014543
db:	NVD	id:	CVE-2025-34024

LAST UPDATE DATE

2025-11-21T23:11:10.158000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2025-014543	date:	2025-09-26T06:31:00
db:	NVD	id:	CVE-2025-34024	date:	2025-11-20T22:15:55.127

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2025-014543	date:	2025-09-26T00:00:00
db:	NVD	id:	CVE-2025-34024	date:	2025-06-20T19:15:37.053