CVE-2026-9359

MEDIUM

Edimax EW-7438RPn POST Request formHwSet command injection

Title source: cna

Description

A vulnerability was identified in Edimax EW-7438RPn 1.28a. Affected by this vulnerability is the function formHwSet of the file /goform/formHwSet of the component POST Request Handler. The manipulation of the argument Anntena/Mcs/regDomain/nic0Addr/nic1Addr/wlanAddr/wanAddr/wlanSSID/wlanChan/comd/initgain/txcck/txofdm leads to command injection. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

References (4)

Core 4

Core References

Vdb Entry, Technical Description vdb-entry technical-description

VDB-365322 | Edimax EW-7438RPn POST Request formHwSet command injection

https://vuldb.com/vuln/365322

Signature, Permissions Required signature permissions-required

VDB-365322 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/vuln/365322/cti

Third Party Advisory third-party-advisory

Submit #811540 | EDIMAX EW-7438RPn Mini EW-7438RPn Mini Firmware 1.28a (Version : 1.28a) Command Injection

https://vuldb.com/submit/811540

Exploit exploit

https://lavender-bicycle-a5a.notion.site/EDIMAX-EW-7438RPn-Mini-formHwSet-34b53a41781f80b98d10f0da699f2236?source=copy_link

Scores

CVSS v3 6.3

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

Details

CWE

CWE-74 CWE-77

Status published

Products (1)

Edimax/EW-7438RPn 1.28a

Published May 24, 2026

Tracked Since May 24, 2026