Edimax EW-7438RPn webs formWlSiteSurvey stack-based overflow

Vulnerability

A stack-based buffer overflow vulnerability exists in the Edimax EW-7438RPn range extender running firmware version 1.31. The flaw resides in the formWlSiteSurvey function within the /goform/formWlSiteSurvey endpoint of the webs component. The selSSID and submit-url arguments are copied into a fixed-size stack buffer without proper length validation, allowing an oversized input to overflow the buffer and overwrite the return address. Affected version: 1.31 [1].

Exploitation

An unauthenticated remote attacker can exploit this vulnerability by sending a crafted HTTP POST request to /goform/formWlSiteSurvey with an overly long submit-url or selSSID parameter. The PoC demonstrates that submitting a long string of 'a' characters for submit-url causes the router to crash. The overflow occurs because the input is directly copied to a local stack variable without bounds checking, enabling control of the return address. No authentication is required, and the attack can be performed over the network [1].

Impact

Successful exploitation allows the attacker to cause a denial of service (crash) or potentially achieve arbitrary code execution by controlling the return address. Since the overflow occurs in a privileged context (the webs component), arbitrary code execution could lead to full compromise of the device, including access to network traffic or further lateral movement within the network. The exploit is publicly available [1].

Mitigation

As of the publication date (2026-05-25), the vendor has not responded to disclosure and no patch has been released. Users should consider isolating the device from untrusted networks, applying strict firewall rules to restrict access to the administration interface, or replacing the device with a supported alternative. There is no known workaround that directly fixes the vulnerability [1].