cbcvebase.
CVE-2023-31983
published 2023-05-12

CVE-2023-31983: A Command Injection vulnerability in Edimax Wireless Router N300 Firmware BR-6428NS_v4 allows attacker to execute arbitrary code via the mp function in…

PriorityP271critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
24.90%
97.6th percentile
A Command Injection vulnerability in Edimax Wireless Router N300 Firmware BR-6428NS_v4 allows attacker to execute arbitrary code via the mp function in /bin/webs without any limitations.

Affected

1 ranges
VendorProductVersion rangeFixed in
edimaxbr-6428ns_firmware

Detection & IOCsextracted from sources · hover to see the quote

url/goform/mp
path/bin/webs
commandcommand=
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Edimax N300 mp command Parameter Command Injection Attempt (CVE-2023-31983)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:10; content:"/goform/mp"; fast_pattern; http.request_body; content:"command|3d|"; pcre:"/^.*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24)|(?:\x26{2}|%26%26))+/R"; reference:cve,2023-31983; reference:url,github.com/Jiangxiazhe/IOT_hack/blob/main/EDIMAX/CV7428NS/1.md; classtype:attempted-admin; sid:2062301; rev:1; metadata:affected_product Edimax, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_05_13, cve CVE_2023_31983, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_05_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Look for HTTP POST requests to /goform/mp with a body containing 'command=' followed by shell injection metacharacters: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), dollar sign ($/%24), or double ampersand (&&/%26%26).
  • The vulnerable endpoint is /goform/mp handled by the mp function inside /bin/webs on Edimax N300 BR-6428NS_v4; monitor for unexpected process spawning from this binary.
  • The URI for this endpoint is exactly 10 bytes (/goform/mp); a bsize match of 10 can be used to tightly scope detection and reduce false positives.
  • Traffic is expected in plaintext (HTTP, not HTTPS); deploy detection at the network perimeter and internally.
  • Reference PoC available at github.com/Jiangxiazhe/IOT_hack/blob/main/EDIMAX/CV7428NS/1.md for exploit payload structure.
  • ·The vulnerability exists in Edimax Wireless Router N300 Firmware BR-6428NS_v4 specifically; confirm firmware version before applying detections to avoid false positives on other Edimax models.
  • ·The Snort/Suricata rule (sid:2062301) targets plaintext HTTP only; encrypted management interfaces would not be covered by this signature.
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.