CVE-2025-14093
Published 2025-12-05
Priority P279 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 17.34% (96.7th percentile)
A vulnerability was detected in Edimax BR-6478AC V3 1.0.15. Impacted is the function sub_416990 of the file /boafrm/formTracerouteDiagnosticRun. The manipulation of the argument host results in OS command injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| edimax | br-6478ac_v3 | — | — |
| edimax | br-6478ac_v3_firmware | — | — |
Detection & IOCs
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Edimax formTracerouteDiagnosticRun host Parameter Command Injection Attempt (CVE-2025-14093)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:35; content:"/boafrm/formTracerouteDiagnosticRun"; fast_pattern; http.request_body; content:"host|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,github.com/Kriswu1337/CVE/blob/main/EDIMAX/1/2.md; reference:cve,2025-14093; classtype:attempted-admin; sid:2066187; rev:1;)
- The exploit arrives as an HTTP POST request to the exact URI /boafrm/formTracerouteDiagnosticRun, with a URI length of exactly 35 bytes.
- The POST body contains the 'host=' parameter (written in the rule as host|3d|, where |3d| is the hex byte for '=') followed, within the same parameter value, by an OS command injection metacharacter: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), or dollar sign ($/%24).
- The vulnerable function is sub_416990 in the Edimax BR-6478AC V3 firmware version 1.0.15; the 'host' argument is passed unsanitized to an OS command.
- A public exploit PoC is available; treat any inbound POST to this endpoint from external/perimeter networks as a high-confidence exploitation attempt.
- The Snort/Suricata rule (SID 2066187) targets plaintext HTTP only (tls_state plaintext); HTTPS-wrapped traffic to the device will not be detected by this rule.
- The URI bsize match is fixed at 35 bytes, matching the exact path /boafrm/formTracerouteDiagnosticRun; any URL encoding or path variation of the endpoint would evade this rule.
- The vendor did not respond to disclosure; no patch is available, and affected devices (Edimax BR-6478AC V3 1.0.15) should be isolated or access-controlled at the network perimeter.
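For triaging captured plaintext requests or proxy logs offline, the rule's matching logic can be approximated in Python. This is an added example, not code from this page or from the rule's authors; the function names and sample requests are constructed for illustration, and it assumes the method, URI and body have already been parsed out of each request.

```python
import re

# The rule's URI content plus bsize:35 amounts to an exact match on this path.
ENDPOINT = "/boafrm/formTracerouteDiagnosticRun"

# Alternation taken from the rule's pcre. The rule anchors it right after
# "host=" (the /R flag); here that is done by matching from that offset.
# [^\x26]*? keeps the search inside the host value (it cannot cross '&').
META_AFTER_HOST = re.compile(
    rb"[^\x26]*?(?:\x3b|%3[Bb]|\x0a|%0[Aa]|\x60|%60|\x7c|%7[Cc]|\x24|%24)"
)


def rule_matches(method: str, uri: str, body: bytes) -> bool:
    """Approximate SID 2066187 for one parsed plaintext HTTP request."""
    if method != "POST" or uri != ENDPOINT:
        return False
    # content:"host|3d|" may occur more than once; test each occurrence.
    start = body.find(b"host=")
    while start != -1:
        if META_AFTER_HOST.match(body, start + len(b"host=")):
            return True
        start = body.find(b"host=", start + 1)
    return False


def triage(requests):
    """Return the indexes of the requests the rule logic would flag."""
    return [i for i, req in enumerate(requests) if rule_matches(*req)]


# Constructed samples (method, uri, body); 192.0.2.0/24 is a documentation range.
SAMPLES = [
    ("POST", ENDPOINT, b"host=192.0.2.10&submit=Run"),              # clean value
    ("POST", ENDPOINT, b"host=192.0.2.10%3BPLACEHOLDER"),           # encoded ';'
    ("POST", ENDPOINT, b"host=192.0.2.10|PLACEHOLDER&submit=Run"),  # raw '|'
    ("POST", ENDPOINT, b"host=192.0.2.10&note=a|b"),                # '|' in another field
    ("GET", ENDPOINT, b"host=192.0.2.10;PLACEHOLDER"),              # not a POST
]

if __name__ == "__main__":
    print(triage(SAMPLES))
```

The fourth sample is not flagged because the metacharacter sits in a different parameter, which is the scoping the `[^\x26]*?` prefix gives the rule.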
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 2.0 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 5.8 | MEDIUM | AV:N/AC:L/Au:M/C:P/I:P/A:P |
Suricata
ET WEB_SPECIFIC_APPS Edimax formTracerouteDiagnosticRun host Parameter Command Injection Attempt (CVE-2025-14093)
suricata · 2025-12-08 · CVSS 5.1
CVE-2025-14093 [MEDIUM] ET WEB_SPECIFIC_APPS Edimax formTracerouteDiagnosticRun host Parameter Command Injection Attempt (CVE-2025-14093)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Edimax formTracerouteDiagnosticRun host Parameter Command Injection Attempt (CVE-2025-14093)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:35; content:"/boafrm/formTracerouteDiagnosticRun"; fast_pattern; http.request_body; content:"host|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,github.com/Kriswu1337/CVE/blob/main/EDIMAX/1/2.md; reference:cve,2025-14093; classtype:attempted-admin; sid:2066187; rev:1; metadata:affected_product Edimax, attack_target Networking_Equipment, tls_state plaintext, created_at 2025