CVE-2025-14094
Published 2025-12-05
Priority: P2 (78) · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 17.90% (96.8th percentile)
A flaw has been found in Edimax BR-6478AC V3 1.0.15. The affected element is the function sub_44CCE4 of the file /boafrm/formSysCmd. This manipulation of the argument sysCmd causes os command injection. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| edimax | br-6478ac_v3 | — | — |
| edimax | br-6478ac_v3_firmware | — | — |
Detection & IOCs (extracted from sources)
Snort rule (sid:2049120):
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Korenix JetWave/Edimax formSysCmd Command Injection Attempt (CVE-2016-20017, CVE-2025-14094)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/formSysCmd"; fast_pattern; http.request_body; content:"sysCmd|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits; reference:cve,2016-20017; reference:cve,2025-14094; reference:url,github.com/Kriswu1337/CVE/blob/main/EDIMAX/1/3.md; classtype:attempted-admin; sid:2049120; rev:3; metadata:affected_product Edimax, affected_product Korenix, attack_target Networking_Equipment, tls_state plaintext, created_at 2023_11_08, cve CVE_2016_20017, deployment Perimeter, deployment Internal, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2025_12_08, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services; target:dest_ip;)
- Detect HTTP POST requests to /formSysCmd (or /boafrm/formSysCmd) whose body contains 'sysCmd=' followed by shell metacharacters (;, newline, backtick, pipe, $); this pattern is indicative of OS command injection exploitation.
- The exploit targets the function sub_44CCE4 via the sysCmd argument; monitor for unexpected OS command execution originating from the web server process on Edimax BR-6478AC V3 devices.
- The attack is plaintext (non-TLS); perimeter and internal network monitoring for unencrypted HTTP POST to /formSysCmd is effective.
- This signature is shared with CVE-2016-20017 (Korenix JetWave); the same Snort/Suricata rule (sid:2049120) covers both CVEs and both affected product families.
- This vulnerability is tagged CISA_KEV and linked to the Iz1h9 botnet campaign; treat detections as high-priority lateral movement attempts (MITRE T1210).
- The Snort/Suricata rule targets $HOME_NET as the destination; ensure $HOME_NET is scoped to include the Edimax/Korenix networking equipment segments, or the rule will not fire for them.
- The PCRE in the rule matches shell metacharacters both URL-encoded and raw; verify your IDS/IPS engine supports the /R (relative) PCRE flag used in this rule.
- The vendor (Edimax) did not respond to disclosure; no patch is confirmed available. Mitigation must rely on network-level controls rather than vendor-supplied fixes.
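The detection logic the bullets above describe can be checked offline against sample traffic before the rule is deployed. The following Python is an added illustration written for this page, not part of the Emerging Threats rule set or any Edimax software: it mirrors the match conditions of sid:2049120 (POST, URI containing /formSysCmd, body containing "sysCmd=" followed, before the next "&", by a raw or URL-encoded shell metacharacter) and runs them over a handful of constructed HTTP requests. The host 192.0.2.1, the parameter names other than sysCmd, and the request bodies are all made up for the example; the regular expression is the rule's PCRE with its anchor dropped because Python's `match` already anchors at the start of the slice that begins right after "sysCmd=", which is what the rule's /R (relative) flag expresses.

```python
import re

# The rule's PCRE, as bytes. The leading "^" is omitted because Pattern.match()
# already anchors at the start of the string we hand it (the body text that
# follows "sysCmd="), which reproduces the /R relative-match semantics.
META_AFTER_SYSCMD = re.compile(
    rb"[^&]*?(?:(?:;|%3[Bb])|(?:\n|%0[Aa])|(?:`|%60)|(?:\||%7[Cc])|(?:\$|%24))+"
)

# Constructed sample requests (not captured traffic). 192.0.2.1 is a
# documentation address; the bodies were written for this example.
_HDRS = b"Host: 192.0.2.1\r\nContent-Type: application/x-www-form-urlencoded\r\n"
SAMPLE_REQUESTS = {
    "benign_get": b"GET /boafrm/formSysCmd HTTP/1.1\r\n" + _HDRS + b"\r\n",
    "benign_post": b"POST /boafrm/formSysCmd HTTP/1.1\r\n" + _HDRS + b"\r\n"
                   b"sysCmd=uptime&apply=Apply",
    "encoded_semicolon": b"POST /boafrm/formSysCmd HTTP/1.1\r\n" + _HDRS + b"\r\n"
                         b"sysCmd=uptime%3Bid&apply=Apply",
    "raw_pipe_second_param": b"POST /formSysCmd HTTP/1.1\r\n" + _HDRS + b"\r\n"
                             b"apply=Apply&sysCmd=uptime|id",
    # Metacharacter lives in a different parameter: the rule's [^&]*? stops at
    # the '&', so this must NOT match.
    "metachar_in_other_param": b"POST /boafrm/formSysCmd HTTP/1.1\r\n" + _HDRS + b"\r\n"
                               b"sysCmd=uptime&note=a%3Bb",
    "wrong_uri": b"POST /boafrm/formLogin HTTP/1.1\r\n" + _HDRS + b"\r\n"
                 b"sysCmd=uptime%3Bid",
}


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, headers, body).

    Returns None when there is no usable request line.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        head, sep, body = raw.partition(b"\n\n")
    lines = head.split(b"\r\n") if b"\r\n" in head else head.split(b"\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers, body


def matches_formsyscmd_injection(raw: bytes) -> bool:
    """True when the request satisfies every match condition of sid:2049120."""
    parsed = parse_http_request(raw)
    if parsed is None:
        return False
    method, uri, _headers, body = parsed
    if method != b"POST" or b"/formSysCmd" not in uri:
        return False
    # Check every occurrence of "sysCmd=" so a decoy first occurrence cannot
    # hide a later one; the rule's PCRE is evaluated relative to each.
    needle = b"sysCmd="
    start = body.find(needle)
    while start >= 0:
        if META_AFTER_SYSCMD.match(body[start + len(needle):]) is not None:
            return True
        start = body.find(needle, start + 1)
    return False


def scan_samples(samples=SAMPLE_REQUESTS) -> dict:
    """Run the detector over every sample; returns name -> matched."""
    return {name: matches_formsyscmd_injection(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{'ALERT' if hit else 'clean'}  {name}")
```

Two of the cases exercise the caveats the bullets raise: "metachar_in_other_param" shows that a metacharacter in an unrelated form field does not trigger the rule, because the lazy `[^&]*?` cannot cross an ampersand, and "raw_pipe_second_param" shows the rule still fires when sysCmd is not the first parameter. A real IDS additionally normalises the URI and body through its HTTP inspector before these checks run, so this script only reproduces the match logic, not the engine's decoding.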
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 2.0 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | 2.0 | 5.8 | MEDIUM | AV:N/AC:L/Au:M/C:P/I:P/A:P |
Suricata
ET EXPLOIT Korenix JetWave/Edimax formSysCmd Command Injection Attempt (CVE-2016-20017, CVE-2025-14094)
suricata · created 2023-11-08 · CVSS 9.8 · also indexed under CVE-2016-20017 [CRITICAL]
Rule text: identical to the Snort rule listed under Detection & IOCs above (sid:2049120, rev:3).
No public exploits indexed.
No writeups or analysis indexed.