CVE-2025-1316
published 2025-03-05CVE-2025-1316: Edimax IC-7100 does not properly neutralize requests. An attacker can create specially crafted requests to achieve remote code execution on the device
PriorityP198critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
KEVITW
CISA Known Exploited Vulnerabilitydue 2025-04-09
Exploited in the wild
EPSS
72.27%
99.4th percentile
Edimax IC-7100 does not properly neutralize requests. An attacker can create specially crafted requests to achieve remote code execution on the device
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| edimax | ic-7100_ip_camera | — | — |
Detection & IOCsextracted from sources · hover to see the quote
path/camera-cgi/admin/param.cgi
commandaction=update&ipcamSource=&NTP_enable=1&NTP_serverName=<INJECTION>
snort
alert http1 any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Edimax IC-7100 Command Injection Attempt (CVE-2025-1316)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:27; content:"/camera-cgi/admin/param.cgi"; fast_pattern; http.header; content:"Authorization|3a 20|Basic|20|YWRtaW4"; http.request_body; content:"action|3d|update"; content:"ipcamSource|3d|"; content:"NTP_enable|3d|1"; content:"NTP_serverName|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:cve,2025-1316; reference:url,github.com/R00tS3c/DDOS-RootSec/blob/41e5009c8da9bd9fff94ffef34db218e51a55560/Botnets/Exploits/Edimax/poc.go; classtype:attempted-admin; sid:2060968; rev:1; metadata:affected_product DVR, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_03_20, cve CVE_2025_1316, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2025_03_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes
Authorization: Basic YWRtaW4
- →Exploit targets HTTP POST requests to /camera-cgi/admin/param.cgi with a Basic Authorization header (base64 'admin') and a body containing NTP_serverName parameter used for OS command injection via shell metacharacters (;, newline, backtick, pipe, $).
- →Exploitation is being performed by botnet malware; compromised Edimax IC-7100 devices show signs including performance degradation, excessive heating, unexpected changes in device settings, and atypical/anomalous network traffic. ↗
- →Public PoC exploit code is available at the referenced GitHub repository (R00tS3c/DDOS-RootSec), confirming low barrier to exploitation. ↗
- ·The vendor confirmed IC-7100 is end-of-life and no patch will be released; all firmware versions are affected and exploitation is ongoing with no vendor fix available. ↗
- ·CISA KEV remediation due date was 2025-04-09; recommended action is to discontinue use if mitigations are unavailable, as the product may be EoL/EoS. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.09.3CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck9.3CRITICAL
cisa9.3CRITICAL
vendor_redhat7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
kernel: bpf: Avoid __bpf_prog_ret0_warn when jit fails
vendor_redhat·2025-07-10·CVSS 7.8
CVE-2025-38280 [HIGH] CWE-670 kernel: bpf: Avoid __bpf_prog_ret0_warn when jit fails
kernel: bpf: Avoid __bpf_prog_ret0_warn when jit fails
In the Linux kernel, the following vulnerability has been resolved:
bpf: Avoid __bpf_prog_ret0_warn when jit fails
syzkaller reported an issue:
WARNING: CPU: 3 PID: 217 at kernel/bpf/core.c:2357 __bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357
Modules linked in:
CPU: 3 UID: 0 PID: 217 Comm: kworker/u32:6 Not tainted 6.15.0-rc4-syzkaller-00040-g8bac8898fe39
RIP: 0010:__bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357
Call Trace:
bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]
__bpf_prog_run include/linux/filter.h:718 [inline]
bpf_prog_run include/linux/filter.h:725 [inline]
cls_bpf_classify+0x74a/0x1110 net/sched/cls_bpf.c:105
...
When creating bpf program, 'fp->jit_requested' depends on bpf_jit_enable.
This issue is t
CISA
Edimax IC-7100 IP Camera OS Command Injection Vulnerability
cisa·2025-03-19·CVSS 9.3
CVE-2025-1316 [CRITICAL] CWE-78 Edimax IC-7100 IP Camera OS Command Injection Vulnerability
Vulnerability: Edimax IC-7100 IP Camera OS Command Injection Vulnerability
Affected: Edimax IC-7100 IP Camera
Edimax IC-7100 IP camera contains an OS command injection vulnerability due to improper input sanitization that allows an attacker to achieve remote code execution via specially crafted requests. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.edimax.com/edimax/post/post/data/edimax/global/press_releases/4801/ ; https://nvd.nist.gov/vuln/detail/CVE-2025-1316
Remediation Due Date: 2025-04-09
CISA ICS
Edimax IC-7100 IP Camera
cisa_ics·2025-03-04·CVSS 9.3
[CRITICAL] Edimax IC-7100 IP Camera
ICS Advisory
##
Edimax IC-7100 IP Camera
Release DateMarch 04, 2025
Alert CodeICSA-25-063-08
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
View CSAF
## 1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
- Vendor: Edimax
- Equipment: IC-7100 IP Camera
- Vulnerability: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to send specially crafted requests to achieve remote code execution on the device.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of Edimax products are affected:
- IC-7100
GHSA
GHSA-gjfw-29fg-w4vq: Edimax IC-7100 does not properly neutralize requests
ghsa_unreviewed·2025-03-05
CVE-2025-1316 [CRITICAL] CWE-78 GHSA-gjfw-29fg-w4vq: Edimax IC-7100 does not properly neutralize requests
Edimax IC-7100 does not properly neutralize requests. An attacker can create specially crafted requests to achieve remote code execution on the device
VulnCheck
Edimax IC-7100 IP Camera OS Command Injection Vulnerability
vulncheck·2025·CVSS 9.3
CVE-2025-1316 [CRITICAL] CWE-78 Edimax IC-7100 IP Camera OS Command Injection Vulnerability
Edimax IC-7100 IP Camera OS Command Injection Vulnerability
Edimax IC-7100 IP camera contains an OS command injection vulnerability due to improper input sanitization that allows an attacker to achieve remote code execution via specially crafted requests. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Affected: Edimax IC-7100 IP Camera
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.securityweek.com/edimax-camera-zero-day-disclosed-by-cisa-exploited-by-botnets/; https://www.akamai.com/blog/security-research/march-edimax-cameras-command-inject
Suricata
ET WEB_SPECIFIC_APPS Edimax IC-7100 Command Injection Attempt (CVE-2025-1316)
suricata·2025-03-20·CVSS 9.3
CVE-2025-1316 [CRITICAL] ET WEB_SPECIFIC_APPS Edimax IC-7100 Command Injection Attempt (CVE-2025-1316)
ET WEB_SPECIFIC_APPS Edimax IC-7100 Command Injection Attempt (CVE-2025-1316)
Rule: alert http1 any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Edimax IC-7100 Command Injection Attempt (CVE-2025-1316)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:27; content:"/camera-cgi/admin/param.cgi"; fast_pattern; http.header; content:"Authorization|3a 20|Basic|20|YWRtaW4"; http.request_body; content:"action|3d|update"; content:"ipcamSource|3d|"; content:"NTP_enable|3d|1"; content:"NTP_serverName|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:cve,2025-1316; reference:url,github.com/R00tS3c/DDOS-RootSec/blob/41e5009c8da9bd9fff94ffef34db218e51a55560/Botnets/Exploits/Edimax/poc.go; classtype:attempted-a
No public exploits indexed.
Bleepingcomputer
Unpatched Edimax IP camera flaw actively exploited in botnet attacks
blogs_bleepingcomputer·2025-03-07·CVSS 9.3
[CRITICAL] Unpatched Edimax IP camera flaw actively exploited in botnet attacks
## Unpatched Edimax IP camera flaw actively exploited in botnet attacks
## Bill Toulas
A critical command injection vulnerability impacting the Edimax IC-7100 IP camera is currently being exploited by botnet malware to compromise devices.
The flaw was discovered by Akamai researchers, who confirmed to BleepingComputer that the flaw is exploited in attacks that are still ongoing.
Akamai researcher Kyle Lefton told BleepingComputer that they will provide more technical details about the flaw and the associated botnet next week.
After discovering the flaw, Akamai reported it to the U.S. Cybersecurity & Infrastructure Agency (CISA) , who attempted to contact the Taiwanese vendor.
"Both Akamai SIRT and CISA attempted to contact the vendor (Edimax) multiple times. CISA was unable to get a
Greynoiseio
NoiseLetter March 2025
blogs_greynoiseio
NoiseLetter March 2025
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
Greynoiseio
Storm Watch
blogs_greynoiseio
Storm Watch
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
Bugzilla
CVE-2025-38280 kernel: bpf: Avoid __bpf_prog_ret0_warn when jit fails
bugzilla·2025-07-10·CVSS 7.8
CVE-2025-38280 [HIGH] CVE-2025-38280 kernel: bpf: Avoid __bpf_prog_ret0_warn when jit fails
CVE-2025-38280 kernel: bpf: Avoid __bpf_prog_ret0_warn when jit fails
In the Linux kernel, the following vulnerability has been resolved:
bpf: Avoid __bpf_prog_ret0_warn when jit fails
syzkaller reported an issue:
WARNING: CPU: 3 PID: 217 at kernel/bpf/core.c:2357 __bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357
Modules linked in:
CPU: 3 UID: 0 PID: 217 Comm: kworker/u32:6 Not tainted 6.15.0-rc4-syzkaller-00040-g8bac8898fe39
RIP: 0010:__bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357
Call Trace:
bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline]
__bpf_prog_run include/linux/filter.h:718 [inline]
bpf_prog_run include/linux/filter.h:725 [inline]
cls_bpf_classify+0x74a/0x1110 net/sched/cls_bpf.c:105
...
When creating bpf program, 'fp->jit_requested' depends on bpf_jit_enab
2025-03-05
Published
2025-03-19
Added to CISA KEV
Exploited in the wild