cbcvebase.
CVE-2025-14092
published 2025-12-05

CVE-2025-14092: A security vulnerability has been detected in Edimax BR-6478AC V3 1.0.15. This issue affects the function sub_416898 of the file…

PriorityP267high7.2CVSS 3.1
AVNACLPRHUINSUCHIHAH
EPSS
14.68%
96.2th percentile
A security vulnerability has been detected in Edimax BR-6478AC V3 1.0.15. This issue affects the function sub_416898 of the file /boafrm/formDebugDiagnosticRun. The manipulation of the argument host leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected

2 ranges
VendorProductVersion rangeFixed in
edimaxbr-6478ac_v3
edimaxbr-6478ac_v3_firmware

Detection & IOCsextracted from sources · hover to see the quote

path/boafrm/formDebugDiagnosticRun
urlhttps://github.com/Kriswu1337/CVE/blob/main/EDIMAX/1/1.md
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Edimax formDebugDiagnosticRun host Parameter Command Injection Attempt (CVE-2025-14092)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:30; content:"/boafrm/formDebugDiagnosticRun"; fast_pattern; http.request_body; content:"host|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,github.com/Kriswu1337/CVE/blob/main/EDIMAX/1/1.md; reference:cve,2025-14092; classtype:attempted-admin; sid:2066188; rev:1;)
  • Look for HTTP POST requests to the exact URI /boafrm/formDebugDiagnosticRun (URI length is exactly 30 bytes) targeting Edimax BR-6478AC V3 devices.
  • Inspect the POST request body for the 'host=' parameter (URL-encoded as host|3d|) followed by OS command injection metacharacters: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), or dollar sign ($/%24).
  • The vulnerability resides in function sub_416898 of the file /boafrm/formDebugDiagnosticRun; the 'host' argument is passed unsanitized to an OS command.
  • The attack is remotely exploitable with no authentication implied; deploy detection at the network perimeter as well as internally.
  • ·The Snort/Suricata rule (ET sid:2066188) targets plaintext HTTP only (tls_state plaintext); if the device is ever accessed over HTTPS/TLS, this rule will not fire.
  • ·The URI bsize match is exactly 30 bytes; any URL encoding or path variation of /boafrm/formDebugDiagnosticRun would bypass this length constraint.
  • ·The vendor did not respond to disclosure; no patch is available, so detection/blocking is the primary mitigation.

CVSS provenance

nvdv3.17.2HIGHCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvdv4.02.0LOWCVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.05.8MEDIUMAV:N/AC:L/Au:M/C:P/I:P/A:P
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.