Cyber Resilience

CVE-2020-37149

Severity: Medium · Public PoC available

Published: 05 February 2026

Modified: 18 February 2026
KEV Added: not listed
Patch: none referenced on this page
CVSS v4.0 base score: 5.1 (Medium), vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0029 (20.5th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2020-37149 is a cross-site request forgery (CSRF, CWE-352) vulnerability in Edimax EW-7438RPn Mini firmware. Its CVSS v4.0 base score is 5.1 (Medium); under CVSS v3.1 the same issue scores 8.1 (High), so the severity label a scanner reports depends on which scoring version it uses.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 20.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-11 (Re-authentication) and SC-23 (Session Authenticity).

Deeper analysis

CVE-2020-37149 is a cross-site request forgery (CSRF) vulnerability, classified under CWE-352, affecting the Edimax EW-7438RPn-v3 Mini firmware version 1.27. It enables arbitrary command execution when an authenticated user is tricked into submitting a crafted form to the /goform/mp endpoint. The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H), indicating high severity due to network accessibility, low complexity, and significant impacts on integrity and availability.

An attacker with no account on the device exploits this remotely by luring a user who is logged in to the extender's web UI onto a malicious page or link that automatically submits a forged POST request to /goform/mp; the browser attaches the victim's session cookie, so the device treats the request as the user's own. The user-interaction requirement (UI:R) is the only barrier, the attacker needs no privileges (PR:N), and the result is arbitrary command execution on the device with the privileges of the tricked user, which on a consumer range extender is typically the single administrator account, so the device's configuration and availability can be fully compromised.

Advisories and related resources include the Edimax product page at https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/, a proof-of-concept exploit at https://www.exploit-db.com/exploits/48318, and a VulnCheck advisory at https://www.vulncheck.com/advisories/edimax-technology-ew-rpn-mini-cross-site-request-forgery-csrf-to-command-execution detailing the CSRF-to-command-execution attack chain. Practitioners should review these for mitigation guidance, such as firmware updates if available.


Vulnerability details

Edimax EW-7438RPn-v3 Mini 1.27 is vulnerable to cross-site request forgery (CSRF) that can lead to command execution. An attacker can trick an authenticated user into submitting a crafted form to the /goform/mp endpoint, resulting in arbitrary command execution on the device with the user's privileges.

CWE(s): CWE-352 Cross-Site Request Forgery (CSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI (Execution): Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.
Why these techniques?

A CSRF in the network device's web UI directly enables remote arbitrary command execution on the firmware: exploitation of a public-facing application, followed by execution through the device's own command interpreter.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2020-37125 (same product: Edimax EW-7438RPn Mini)
CVE-2020-37150 (same product: Edimax EW-7438RPn Mini)
CVE-2020-37097 (same product: Edimax EW-7438RPn Mini)
CVE-2024-48418 (same vendor: Edimax)
CVE-2025-15257 (same vendor: Edimax)
CVE-2025-14094 (same vendor: Edimax)
CVE-2025-22916 (same vendor: Edimax)
CVE-2024-48420 (same vendor: Edimax)
CVE-2025-22904 (same vendor: Edimax)
CVE-2025-22907 (same vendor: Edimax)

Affected Assets

Vendor: edimax · Product: ew-7438rpn mini firmware · Version: 1.27

Mitigating Controls (NIST 800-53 r5, AI-assigned)

SC-23 Session Authenticity (prevent): requires mechanisms such as per-session anti-CSRF tokens, so that a forged request to the /goform/mp endpoint submitted from a tricked user's browser cannot be distinguished from the attacker's page and is rejected.

SI-10 Information Input Validation (prevent): mandates validation of the form fields the vulnerable endpoint accepts (strict allowlists of field names and values), so that forged or crafted input cannot drive arbitrary command execution.

IA-11 Re-authentication (prevent): enforces re-authentication for high-risk actions such as command execution, so a CSRF exploit that rides an existing session fails without the user's fresh credentials.
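As an added illustration (not code from this page, from Edimax, or from the VulnCheck advisory), the following Python models the server-side checks that the three controls above call for, applied to the forged POST to /goform/mp described in the deeper analysis. The device origin, the form field names and their allowed values, the re-authentication window, and the sample requests are all assumptions for illustration; the firmware's real parameters are not documented on this page. The attacker-side request is simply a POST that carries the victim's cookie but neither the device's origin nor a token, which is exactly what a browser sends for an auto-submitted cross-site form.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# All values below are assumptions for illustration, not taken from the firmware.
DEVICE_ORIGIN = "http://192.168.2.1"           # origin of the extender's admin UI
REAUTH_WINDOW_SECONDS = 300                     # IA-11: maximum age of the login for a sensitive action
SENSITIVE_ENDPOINTS = {"/goform/mp"}            # endpoint named in the advisory
ALLOWED_FIELDS = {"/goform/mp": {"csrf_token", "action", "mode"}}            # SI-10 field allowlist (hypothetical names)
ALLOWED_VALUES = {"action": {"save", "reboot"}, "mode": {"repeater", "ap"}}  # SI-10 value allowlist (hypothetical)


@dataclass
class Session:
    """Server-side session state: a per-session CSRF token and the time of the last authentication."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    last_auth_at: float = field(default_factory=time.time)


@dataclass
class Request:
    """The parts of an HTTP POST that the checks need."""
    path: str
    headers: dict
    form: dict


def check_source_origin(req):
    """Reject cross-site requests: the browser-set Origin (or, failing that, Referer)
    must match the device's own origin. A missing source header fails closed."""
    origin = req.headers.get("Origin")
    if origin is None:
        referer = req.headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == DEVICE_ORIGIN


def check_csrf_token(req, session):
    """SC-23: a synchronizer token the attacker's page cannot read, compared in constant time."""
    supplied = req.form.get("csrf_token", "")
    return hmac.compare_digest(supplied.encode(), session.csrf_token.encode())


def check_reauth(session, now=None):
    """IA-11: a sensitive action needs a recent login, not merely a still-valid session cookie."""
    now = time.time() if now is None else now
    return now - session.last_auth_at <= REAUTH_WINDOW_SECONDS


def check_input(req):
    """SI-10: only allowlisted field names carrying allowlisted values reach the handler."""
    allowed = ALLOWED_FIELDS.get(req.path)
    if allowed is None or set(req.form) - allowed:
        return False
    return all(value in ALLOWED_VALUES.get(name, set())
               for name, value in req.form.items() if name != "csrf_token")


def authorize(req, session, now=None):
    """Return (allowed, reason). Every layer must pass for a sensitive endpoint,
    so a forged request is still refused if one layer is misconfigured."""
    if req.path not in SENSITIVE_ENDPOINTS:
        return True, "not sensitive"
    checks = (
        ("origin", check_source_origin(req)),
        ("csrf-token", check_csrf_token(req, session)),
        ("reauth", check_reauth(session, now)),
        ("input", check_input(req)),
    )
    for name, passed in checks:
        if not passed:
            return False, name
    return True, "ok"


def demo():
    """Constructed sample traffic (not captured from a device): the forged request is what a
    victim's browser sends for a form auto-submitted by the attacker's page."""
    session = Session()
    forged = Request("/goform/mp", {"Origin": "https://attacker.example"}, {"action": "reboot"})
    legit = Request("/goform/mp", {"Origin": DEVICE_ORIGIN},
                    {"csrf_token": session.csrf_token, "action": "reboot"})
    return authorize(forged, session), authorize(legit, session)


if __name__ == "__main__":
    print(demo())
```

The layers are deliberately independent: the origin check alone is bypassable by clients that strip Referer and by older browsers that omit Origin on some form posts, and a token alone does not help once an XSS in the same origin can read it, which is why the re-authentication window still gates the most dangerous actions. Marking the session cookie SameSite=Lax or Strict adds a fourth, browser-enforced layer that this server-side model does not need to see.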
