Edimax EW-7438RPn formrefresh stack-based overflow

Vulnerability

A stack-based buffer overflow exists in the formrefresh function of the /goform/formrefresh endpoint in Edimax EW-7438RPn firmware version 1.31. The submit-url argument is copied directly into a stack buffer without any length validation, enabling an attacker to overflow the buffer and overwrite the return address. The vulnerability is reachable remotely via an HTTP POST request, and the exploit has been publicly disclosed [1].

Exploitation

An attacker with network access to the device can send a crafted POST request to /goform/formrefresh with an overly long submit-url value. The PoC demonstrates that a string of approximately 1600 'a' characters causes a crash, but by carefully controlling the overflow data, arbitrary code execution is achievable. The request may require authentication; the provided PoC uses default credentials (admin:1234) [1].

Impact

Successful exploitation grants the attacker remote code execution on the device, leading to full compromise of the extender. This can result in disclosure of network traffic, modification of device settings, or use of the device as a pivot point for further attacks [1].

Mitigation

As of the publication date, the vendor has not responded to disclosure and no patch is available. Users should restrict network access to the device, change default credentials immediately, and consider replacing the device if continued use is necessary. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog [1].