Edimax EW-7438RPn: 24 CVEs Disclosed — Stack Overflows and Command Injection Across Firmware Versions
A batch of 24 vulnerabilities, spanning stack-based buffer overflows and OS command injection flaws, was disclosed for the Edimax EW-7438RPn Wi-Fi extender across firmware versions 1.12 through 1.31.

Key findings
- 24 CVEs disclosed for Edimax EW-7438RPn across firmware versions 1.12–1.31
- 16 stack-based buffer overflows (High, CVSSv3 8.8) in /goform/ CGI handlers
- 6 OS command injection flaws (Medium, CVSSv3 6.3) in POST request handlers
- All vulnerabilities are remotely exploitable without authentication
- Exploit code has been published for every CVE in the batch
- No official patch from Edimax as of disclosure date
Twenty-four security vulnerabilities were disclosed together between May 23 and May 25, 2026, affecting the Edimax EW-7438RPn Wi-Fi range extender. The batch — published across a 48-hour window — covers firmware versions 1.12 through 1.31 and clusters around two dominant bug classes: stack-based buffer overflows (the majority, rated High, CVSSv3 8.8) and OS command injection flaws (rated Medium, CVSSv3 6.3). Exploit code has been made public for every CVE in the set, and all attacks can be launched remotely without authentication, making this a significant disclosure event for owners of the aging device.
Stack-Based Buffer Overflows Dominate the Batch
The largest group comprises 16 stack-based buffer overflow vulnerabilities, all rated High (CVSSv3 8.8). These flaws reside in the /goform/ CGI handlers that process HTTP POST requests. The common pattern: the submit-url argument — or device-configuration parameters — is copied into a fixed stack buffer without bounds checking, allowing a remote attacker to overwrite the return address and gain code execution.
The affected functions span nearly the entire administrative web interface. CVE-2026-9482 (formSDHCP), CVE-2026-9481 (formStats), CVE-2026-9480 (formrefresh), CVE-2026-9479 (formLogout), CVE-2026-9463 (formLicence), CVE-2026-9462 (formWpsProxyEnable), CVE-2026-9461 (formRadius), CVE-2026-9460 (formAccept), CVE-2026-9427 (formWlSiteSurvey), and CVE-2026-9426 (formHwSet) all share the same submit-url buffer overflow pattern in firmware version 1.31.
CVE-2026-9459 (formConnectionSetting) is a slight variant — the overflow is triggered through the max_Conn and timeOut arguments rather than submit-url, but the outcome is identical. CVE-2026-9425 and CVE-2026-9424 both target the formWlanMP function; the former is a High-severity stack overflow (CVSSv3 8.8) while the latter is a Medium-severity (CVSSv3 6.3) variant via the Content-Type handler, suggesting different attack surfaces on the same endpoint.
Additional stack-based overflows affect earlier firmware versions. CVE-2026-9360 (formwlencrypt24g, firmware 1.28a) overflows via the key1 argument. CVE-2026-9348 targets an unknown function in /goform/mp via the webs argument across versions up to 1.31. CVE-2026-9346 (formWirelessTbl) and CVE-2026-9345 (formWizSurvey) both overflow via submit-url and related arguments. CVE-2026-9344 (formWpsStart) overflows through the pinCode and wlan-url arguments.
Command Injection Flaws Add Remote Code Execution Risk
Six OS command injection vulnerabilities (all rated Medium, CVSSv3 6.3) were also disclosed, affecting firmware versions from 1.12 up to 1.31. These flaws allow an attacker to inject arbitrary operating-system commands through unsanitized arguments that the handlers pass to shell calls.
CVE-2026-9363 (formEZCHNwlanSetup, firmware 1.12) injects commands via the method argument in the POST request handler. CVE-2026-9362 (formConnectionSetting, firmware 1.12) injects through max_Conn and timeOut. CVE-2026-9361 (formAccept, firmware 1.12) injects via submit-url. CVE-2026-9359 (formHwSet, firmware 1.28a) injects through hardware-configuration arguments including Anntena, Mcs, regDomain, and network-address fields. CVE-2026-9347 (formWizSurvey, versions up to 1.31) injects OS commands through the ip, mask, and gateway arguments. CVE-2026-9343 (formWpsStart, versions up to 1.31) injects through the pinCode argument.
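Both bug classes above come down to the same root cause: a form argument is used before its length or content is checked. As an added example that is not the firmware's code and not part of the disclosure material, the following C sketch shows the hardened shape of such handlers: submit-url is length-checked before it reaches a fixed stack buffer, and the ip, mask, gateway and pinCode arguments are allow-listed before any helper command is built. The 64-byte buffer size and the 4-or-8-digit PIN rule are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <string.h>
#include <ctype.h>
#include <arpa/inet.h>

#define SUBMIT_URL_MAX 64   /* assumed buffer size for this example */

/* submit-url still lands in a fixed stack buffer, as in the /goform/ handlers
   above, but the length is checked first and an over-long value is rejected
   rather than copied or truncated. Returns 0 if accepted, -1 if rejected. */
int handle_submit_url(const char *submit_url)
{
    char url[SUBMIT_URL_MAX];
    if (submit_url == NULL) return -1;
    size_t n = strnlen(submit_url, sizeof url);
    if (n == sizeof url) return -1;     /* no room for the terminator */
    memcpy(url, submit_url, n + 1);
    return url[0] == '/' ? 0 : -1;      /* only local paths are accepted */
}

/* Allow-list for ip/mask/gateway: a valid dotted quad and nothing else, so
   shell metacharacters can never reach a command line. */
int is_ipv4_arg(const char *s)
{
    struct in_addr a;
    return s != NULL && strlen(s) <= 15 && inet_pton(AF_INET, s, &a) == 1;
}

/* Allow-list for a WPS pinCode: exactly 4 or 8 ASCII digits (assumed rule). */
int is_wps_pin(const char *s)
{
    size_t n = s ? strlen(s) : 0;
    if (n != 4 && n != 8) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i])) return 0;
    return 1;
}

/* formWizSurvey-style gate: every argument is validated before any helper is
   run, and validated values go to execv() as separate argv entries, never into
   a system() string. Returns 0 if the request is accepted, -1 otherwise. */
int handle_wiz_survey(const char *ip, const char *mask, const char *gw)
{
    return (is_ipv4_arg(ip) && is_ipv4_arg(mask) && is_ipv4_arg(gw)) ? 0 : -1;
}
```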
Impact and Exploitation Context
Every CVE in this batch is remotely exploitable without authentication — the EW-7438RPn's web management interface listens on the network by default. Exploit code has been published for all 24 vulnerabilities, lowering the barrier for attackers. While no in-the-wild exploitation campaigns have been reported in the disclosure materials, the public availability of proof-of-concept code means that active scanning and exploitation is a realistic near-term threat.
The EW-7438RPn is a consumer Wi-Fi range extender that has been on the market for several years. The affected firmware versions (1.12 through 1.31) span multiple release generations, suggesting that the codebase has accumulated these vulnerabilities over time without adequate input sanitization in the CGI handler layer.
Response and Patch Status
As of the disclosure date, Edimax has not released a patched firmware version addressing these vulnerabilities. The vendor was contacted prior to disclosure, per the CVE descriptions, but no advisory or firmware update has been published. Users of the EW-7438RPn are currently without an official fix.
What to Watch
This batch represents a near-complete compromise of the EW-7438RPn's web management interface. The sheer number of distinct vulnerable endpoints — from DHCP settings to WPS configuration to site survey tools — means that even if individual handlers are patched in a future firmware release, the underlying pattern of unsanitized input copied into stack buffers and shell commands points to a systemic code-quality issue. Owners should consider isolating the device from untrusted networks and disabling remote management where possible until Edimax issues a firmware update.