CVE-2023-31983
Published 2023-05-12
Priority P271 · critical · CVSS 3.1 base score 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 24.90% (97.6th percentile)
A Command Injection vulnerability in Edimax Wireless Router N300 Firmware BR-6428NS_v4 allows an attacker to execute arbitrary code via the mp function in /bin/webs without any limitations.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| edimax | br-6428ns_firmware | — | — |
Detection & IOCs (extracted from sources)
Snort / Suricata rule (sid:2062301)

Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Edimax N300 mp command Parameter Command Injection Attempt (CVE-2023-31983)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:10; content:"/goform/mp"; fast_pattern; http.request_body; content:"command|3d|"; pcre:"/^.*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24)|(?:\x26{2}|%26%26))+/R"; reference:cve,2023-31983; reference:url,github.com/Jiangxiazhe/IOT_hack/blob/main/EDIMAX/CV7428NS/1.md; classtype:attempted-admin; sid:2062301; rev:1; metadata:affected_product Edimax, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_05_13, cve CVE_2023_31983, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_05_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

Detection notes:
- Look for HTTP POST requests to /goform/mp with a body containing 'command=' followed by shell injection metacharacters: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), dollar sign ($/%24), or double ampersand (&&/%26%26).
- The vulnerable endpoint is /goform/mp, handled by the mp function inside /bin/webs on Edimax N300 BR-6428NS_v4; monitor for unexpected process spawning from this binary.
- The URI for this endpoint is exactly 10 bytes (/goform/mp); a bsize match of 10 can be used to tightly scope detection and reduce false positives.
- Traffic is expected in plaintext (HTTP, not HTTPS); deploy detection at the network perimeter and internally.
- Reference PoC available at github.com/Jiangxiazhe/IOT_hack/blob/main/EDIMAX/CV7428NS/1.md for exploit payload structure.
- The vulnerability exists in Edimax Wireless Router N300 Firmware BR-6428NS_v4 specifically; confirm the firmware version before applying detections to avoid false positives on other Edimax models.
- The Snort/Suricata rule (sid:2062301) targets plaintext HTTP only; encrypted management interfaces would not be covered by this signature.
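As an added example (not part of this record and not Emerging Threats code), the following Python re-implements the match conditions of sid:2062301 and runs them over constructed sample requests. The class and function names are hypothetical, the sample traffic is made up, and Suricata's HTTP normalization and content-match retry behaviour are not modelled.

```python
import re
from dataclasses import dataclass

# Metacharacters the rule's pcre looks for after "command=", in raw or
# percent-encoded form: ; newline ` | $ &&  (single & is deliberately absent).
_METACHAR_RE = re.compile(
    r"(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24|&&|%26%26)"
)

@dataclass
class HttpRequest:          # hypothetical helper type
    method: str
    uri: str                # stands in for Suricata's http.uri buffer
    body: str               # stands in for http.request_body

def matches_sid_2062301(req: HttpRequest) -> bool:
    """Mirror the match conditions of ET sid:2062301 in plain Python."""
    # http.method; content:"POST"
    if req.method != "POST":
        return False
    # http.uri; bsize:10; content:"/goform/mp" -> URI must be exactly these 10 bytes
    if req.uri != "/goform/mp":
        return False
    # http.request_body; content:"command|3d|" -> literal "command="
    idx = req.body.find("command=")
    if idx == -1:
        return False
    # pcre:"/^.*?(...)+/R" is relative to the end of "command=": any listed
    # metacharacter anywhere in the remainder of the body fires the alert.
    rest = req.body[idx + len("command="):]
    return _METACHAR_RE.search(rest) is not None

def parse_raw_request(raw: str) -> HttpRequest:
    """Minimal HTTP/1.1 request parser: request line, headers, blank line, body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, uri, _version = request_line.split(" ", 2)
    return HttpRequest(method=method, uri=uri, body=body)

# Constructed sample traffic, not captured from a real device.
SAMPLES = {
    "benign":         "POST /goform/mp HTTP/1.1\r\nHost: router\r\n\r\ncommand=abc",
    "raw_semicolon":  "POST /goform/mp HTTP/1.1\r\nHost: router\r\n\r\ncommand=abc;xyz",
    "encoded_pipe":   "POST /goform/mp HTTP/1.1\r\nHost: router\r\n\r\ncommand=abc%7Cxyz",
    "other_endpoint": "POST /goform/other HTTP/1.1\r\nHost: router\r\n\r\ncommand=abc;xyz",
    "get_request":    "GET /goform/mp HTTP/1.1\r\nHost: router\r\n\r\n",
}

def evaluate_samples() -> dict:
    return {name: matches_sid_2062301(parse_raw_request(raw)) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:15} -> {'ALERT' if hit else 'no alert'}")
```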
Suricata
ET WEB_SPECIFIC_APPS Edimax N300 mp command Parameter Command Injection Attempt (CVE-2023-31983)
suricata · 2025-05-13 · CVSS 9.8 · severity CRITICAL
Rule: sid:2062301 (full rule text above under Detection & IOCs).
No public exploits indexed.
No writeups or analysis indexed.
2023-05-12 · Published