24 CVEs Disclosed in Edimax EW-7438RPn Wi-Fi Extender: Stack Overflows and Command Injection, No Patch Available
A batch of 24 vulnerabilities, including 16 stack-based buffer overflows and 6 OS command injection flaws, has been disclosed for the Edimax EW-7438RPn Wi-Fi range extender, with public exploit code available and no official patch from the vendor.

Twenty-four security vulnerabilities affecting the Edimax EW-7438RPn Wi-Fi range extender were disclosed together between May 23 and May 25, 2026. The batch, published across a 48-hour window, covers firmware versions 1.12 through 1.31 and clusters around two dominant bug classes: stack-based buffer overflows (the majority, rated High, CVSSv3 8.8) and OS command injection flaws (rated Medium, CVSSv3 6.3). Exploit code has been made public for every CVE in the set, and all attacks can be launched remotely without authentication, making this a significant disclosure event for owners of the aging device.
The largest group comprises 16 stack-based buffer overflow vulnerabilities, all rated High (CVSSv3 8.8). These flaws reside in the /goform/ CGI handlers that process HTTP POST requests. The common pattern: the submit-url argument — or device-configuration parameters — is copied into a fixed stack buffer without bounds checking, allowing a remote attacker to overwrite the return address and gain code execution.
The affected functions span nearly the entire administrative web interface. CVE-2026-9482 (formSDHCP), CVE-2026-9481 (formStats), CVE-2026-9480 (formrefresh), CVE-2026-9479 (formLogout), CVE-2026-9463 (formLicence), CVE-2026-9462 (formWpsProxyEnable), CVE-2026-9461 (formRadius), CVE-2026-9460 (formAccept), CVE-2026-9427 (formWlSiteSurvey), and CVE-2026-9426 (formHwSet) all share the same submit-url buffer overflow pattern in firmware version 1.31.
CVE-2026-9459 (formConnectionSetting) is a slight variant — the overflow is triggered through the max_Conn and timeOut arguments rather than submit-url, but the outcome is identical. CVE-2026-9425 and CVE-2026-9424 both target the formWlanMP function; the former is a High-severity stack overflow (CVSSv3 8.8) while the latter is a Medium-severity (CVSSv3 6.3) variant via the Content-Type handler, suggesting different attack surfaces on the same endpoint.
Five OS command injection vulnerabilities (all rated Medium, CVSSv3 6.3) were also disclosed, affecting firmware versions from 1.12 up to 1.31. These flaws allow an attacker to inject arbitrary operating-system commands through unsanitized arguments that the handlers pass to shell calls. CVE-2026-9363 (formEZCHNwlanSetup, firmware 1.12) injects commands via the method argument. CVE-2026-9362 (formConnectionSetting, firmware 1.12) injects through max_Conn and timeOut. CVE-2026-9361 (formAccept, firmware 1.12) injects via submit-url. CVE-2026-9359 (formHwSet, firmware 1.28a) injects through hardware-configuration arguments including Anntena, Mcs, regDomain, and network-address fields. CVE-2026-9347 (formWizSurvey, versions up to 1.31) injects OS commands through the ip, mask, and gateway arguments. CVE-2026-9343 (formWpsStart, versions up to 1.31) injects through the pinCode argument.
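Added defender-side example, not from the disclosure or from Edimax: a Python heuristic that inspects decoded HTTP POST lines to the /goform/ handlers named in the two sections above and flags the two patterns this batch describes, oversized values in the arguments tied to the stack overflows and shell metacharacters in the arguments tied to the command injections. The line format, the length threshold and the sample requests are constructed assumptions; the firmware's real buffer sizes are not published.

```python
import re
from urllib.parse import parse_qs, urlparse

# Arguments the disclosure ties to the stack overflows and to the command injections.
OVERFLOW_PARAMS = {"submit-url", "max_Conn", "timeOut"}
CMDI_PARAMS = {"method", "max_Conn", "timeOut", "submit-url", "Anntena", "Mcs",
               "regDomain", "ip", "mask", "gateway", "pinCode"}
# Constructed threshold: the firmware's real buffer sizes are not on the page.
MAX_ARG_LEN = 64
SHELL_META = re.compile(r"[;&|`$(){}<>\r\n]")


def inspect_request(line):
    """Return (handler, argument, reason) findings for one decoded request line.

    Assumed line format (e.g. from a proxy or IDS in front of the device):
    'POST /goform/<handler> <urlencoded-body>'.
    """
    findings = []
    parts = line.split(" ", 2)
    if len(parts) != 3 or parts[0] != "POST":
        return findings
    handler = urlparse(parts[1]).path
    if not handler.startswith("/goform/"):
        return findings
    for name, values in parse_qs(parts[2], keep_blank_values=True).items():
        for value in values:
            if name in OVERFLOW_PARAMS and len(value) > MAX_ARG_LEN:
                findings.append((handler, name, "oversized-value"))
            if name in CMDI_PARAMS and SHELL_META.search(value):
                findings.append((handler, name, "shell-metachar"))
    return findings


def scan(lines):
    """Run inspect_request over an iterable of lines and collect all findings."""
    return [f for line in lines for f in inspect_request(line)]


# Constructed sample traffic: one benign request, one oversized submit-url,
# one formWizSurvey request carrying a shell metacharacter in 'ip'.
SAMPLE_LINES = [
    "POST /goform/formStats submit-url=%2Fstatus.asp&refresh=1",
    "POST /goform/formLogout submit-url=" + "A" * 200,
    "POST /goform/formWizSurvey ip=192.168.2.1%3B&mask=255.255.255.0&gateway=192.168.2.254",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding)
```

The heuristic is deliberately narrow to the handlers and arguments in the disclosure; a hit on a legitimately long submit-url is possible, so treat it as a triage signal rather than a block rule.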
Every CVE in this batch is remotely exploitable without authentication — the EW-7438RPn's web management interface listens on the network by default. Exploit code has been published for all 24 vulnerabilities, lowering the barrier for attackers. While no in-the-wild exploitation campaigns have been reported in the disclosure materials, the public availability of proof-of-concept code means that active scanning and exploitation are a realistic near-term threat.
As of the disclosure date, Edimax has not released a patched firmware version addressing these vulnerabilities. The vendor was contacted prior to disclosure, per the CVE descriptions, but no advisory or firmware update has been published. Users of the EW-7438RPn are currently without an official fix.

This batch represents a near-complete compromise of the EW-7438RPn's web management interface. The sheer number of distinct vulnerable endpoints — from DHCP settings to WPS configuration to site survey tools — means that even if individual handlers are patched in a future firmware, the underlying pattern of unsanitized input copying into stack buffers and shell commands suggests a systemic code-quality issue. Owners should consider isolating the device from untrusted networks and disabling remote management where possible until Edimax issues a firmware update.