CVE-2025-14092
published 2025-12-05CVE-2025-14092: A security vulnerability has been detected in Edimax BR-6478AC V3 1.0.15. This issue affects the function sub_416898 of the file…
PriorityP267high7.2CVSS 3.1
AVNACLPRHUINSUCHIHAH
EPSS
14.68%
96.2th percentile
A security vulnerability has been detected in Edimax BR-6478AC V3 1.0.15. This issue affects the function sub_416898 of the file /boafrm/formDebugDiagnosticRun. The manipulation of the argument host leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| edimax | br-6478ac_v3 | — | — |
| edimax | br-6478ac_v3_firmware | — | — |
Detection & IOCsextracted from sources · hover to see the quote
urlhttps://github.com/Kriswu1337/CVE/blob/main/EDIMAX/1/1.md
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Edimax formDebugDiagnosticRun host Parameter Command Injection Attempt (CVE-2025-14092)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:30; content:"/boafrm/formDebugDiagnosticRun"; fast_pattern; http.request_body; content:"host|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,github.com/Kriswu1337/CVE/blob/main/EDIMAX/1/1.md; reference:cve,2025-14092; classtype:attempted-admin; sid:2066188; rev:1;)
- →Look for HTTP POST requests to the exact URI /boafrm/formDebugDiagnosticRun (URI length is exactly 30 bytes) targeting Edimax BR-6478AC V3 devices.
- →Inspect the POST request body for the 'host=' parameter (URL-encoded as host|3d|) followed by OS command injection metacharacters: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), or dollar sign ($/%24).
- →The vulnerability resides in function sub_416898 of the file /boafrm/formDebugDiagnosticRun; the 'host' argument is passed unsanitized to an OS command.
- →The attack is remotely exploitable with no authentication implied; deploy detection at the network perimeter as well as internally. ↗
- ·The Snort/Suricata rule (ET sid:2066188) targets plaintext HTTP only (tls_state plaintext); if the device is ever accessed over HTTPS/TLS, this rule will not fire.
- ·The URI bsize match is exactly 30 bytes; any URL encoding or path variation of /boafrm/formDebugDiagnosticRun would bypass this length constraint.
- ·The vendor did not respond to disclosure; no patch is available, so detection/blocking is the primary mitigation. ↗
CVSS provenance
nvdv3.17.2HIGHCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvdv4.02.0LOWCVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.05.8MEDIUMAV:N/AC:L/Au:M/C:P/I:P/A:P
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Suricata
ET WEB_SPECIFIC_APPS Edimax formDebugDiagnosticRun host Parameter Command Injection Attempt (CVE-2025-14092)
suricata·2025-12-08·CVSS 5.1
CVE-2025-14092 [MEDIUM] ET WEB_SPECIFIC_APPS Edimax formDebugDiagnosticRun host Parameter Command Injection Attempt (CVE-2025-14092)
ET WEB_SPECIFIC_APPS Edimax formDebugDiagnosticRun host Parameter Command Injection Attempt (CVE-2025-14092)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Edimax formDebugDiagnosticRun host Parameter Command Injection Attempt (CVE-2025-14092)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:30; content:"/boafrm/formDebugDiagnosticRun"; fast_pattern; http.request_body; content:"host|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,github.com/Kriswu1337/CVE/blob/main/EDIMAX/1/1.md; reference:cve,2025-14092; classtype:attempted-admin; sid:2066188; rev:1; metadata:affected_product Edimax, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_12_08, cve CVE
No public exploits indexed.
No writeups or analysis indexed.
2025-12-05
Published