Edimax EW-7438RPn webs formWpsStart os command injection

Vulnerability

The vulnerability resides in the formWpsStart function within the webs component of the Edimax EW-7438RPn wireless extender firmware up to version 1.31. The function handles WPS configuration via the /goform/formWpsStart endpoint. The pinCode argument is directly passed to an OS command without proper sanitization or validation, enabling os command injection [1]. An attacker can inject arbitrary commands by embedding them in backticks within the pinCode parameter.

Exploitation

Exploitation requires network access to the device and valid authentication credentials (as demonstrated by the Authorization header in the PoC) [1]. The attacker sends a crafted POST request to /goform/formWpsStart with the pinCode parameter containing command injection payloads enclosed in backticks. For example, setting pinCode to `telnetd -l /bin/sh -p 1234` will cause the device to execute the injected command. The PoC shows a specific request with appropriate headers and cookie [1].

Impact

Successful exploitation allows an attacker to execute arbitrary OS commands on the device with the privileges of the webs process, typically root. This can lead to full remote compromise, allowing the attacker to gain a reverse shell (as demonstrated by launching telnetd), exfiltrate sensitive data, modify device configuration, or use the device as a pivot point within the network [1].

Mitigation

As of the publication date (2026-05-23), the vendor (Edimax) has not responded to the disclosure and no official patch has been released [1]. Users should consider isolating the device on a separate VLAN or network segment, restricting access to the management interface to trusted hosts only, and monitoring for any suspicious activity. If possible, disable WPS functionality or upgrade to a newer firmware version if one becomes available. The author suggests input validation on the pinCode parameter as a remediation [1].