CVE-2020-37149
Published: 05 February 2026
Summary
CVE-2020-37149 is a high-severity CSRF (CWE-352) vulnerability in Edimax EW-7438RPn Mini firmware. Its CVSS base score is 8.1 (High).
Operationally, it ranks at the 12.9th percentile for exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-11 (Re-authentication) and SC-23 (Session Authenticity).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI-generated]
SC-23 requires mechanisms like anti-CSRF tokens to protect session authenticity, directly preventing forged requests to the /goform/mp endpoint from tricked authenticated users.
SI-10 mandates validation of information inputs such as crafted form data to the vulnerable endpoint, blocking arbitrary command execution.
IA-11 enforces re-authentication for high-risk actions like command execution, stopping CSRF exploits that leverage existing user sessions without further verification.
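The three controls above map onto three checks a device's request handler can make before acting on a form post. The following is an added illustration, not Edimax firmware code and not taken from the advisory: a small request gate in Python that models a per-session anti-CSRF token compared in constant time (SC-23), an allow-list for form fields and values so posted data is never treated as a command (SI-10), and a freshness window on the user's last password re-entry before a high-risk action is honoured (IA-11). The session layout, the field names, the `site_origin` default and the action names are constructed assumptions.

```python
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed example modelling the three controls named on this page.
# Nothing here is the vendor's code; the session dict, form fields and
# action names are assumptions chosen for illustration.

REAUTH_WINDOW_SECONDS = 300                          # how recent a password re-entry must be (IA-11)
ALLOWED_FIELDS = {"csrf_token", "action", "ssid"}    # constructed allow-list of form fields (SI-10)
ALLOWED_ACTIONS = {"reboot", "set_ssid"}             # constructed set of high-risk actions
SSID_MAX_LEN = 32
SHELL_META = ";|&`$\n\r"                             # characters that must never reach a shell


def new_session(username: str) -> dict:
    """Create a server-side session with a fresh, unguessable CSRF token (SC-23)."""
    return {
        "user": username,
        "csrf_token": secrets.token_urlsafe(32),
        "last_reauth": 0.0,      # epoch seconds of the last successful password re-entry
    }


def record_reauth(session: dict, now: Optional[float] = None) -> None:
    """Call after the user re-enters their password for a high-risk action (IA-11)."""
    session["last_reauth"] = time.time() if now is None else now


def validate_form(form: dict) -> Optional[str]:
    """Return an error string if the form fails the allow-list checks, else None (SI-10)."""
    unknown = set(form) - ALLOWED_FIELDS
    if unknown:
        return f"unexpected fields: {sorted(unknown)}"
    if form.get("action") not in ALLOWED_ACTIONS:
        return "unknown action"
    if form.get("action") == "set_ssid":
        ssid = str(form.get("ssid", ""))
        # The SSID is data to store, never a command: bound its length and reject metacharacters.
        if not ssid or len(ssid) > SSID_MAX_LEN or any(c in ssid for c in SHELL_META):
            return "invalid ssid"
    return None


def gate_request(session: dict, form: dict, headers: dict,
                 site_origin: str = "http://extender.local",   # assumed device origin
                 now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether a POST to a high-risk endpoint may proceed; returns (allowed, reason)."""
    now = time.time() if now is None else now

    # Secondary defence: a browser-supplied Origin that is not the device itself is cross-site.
    origin = headers.get("Origin")
    if origin is not None and origin != site_origin:
        return False, "cross-site origin"

    # Primary defence (SC-23): the form must carry the token bound to this session.
    # compare_digest avoids leaking the token through timing differences.
    supplied = str(form.get("csrf_token", ""))
    if not hmac.compare_digest(supplied, session["csrf_token"]):
        return False, "missing or invalid csrf token"

    # Input validation (SI-10): only known fields and well-formed values are accepted.
    err = validate_form(form)
    if err is not None:
        return False, err

    # Re-authentication (IA-11): a live session alone is not enough for a high-risk action.
    if now - session["last_reauth"] > REAUTH_WINDOW_SECONDS:
        return False, "re-authentication required"

    return True, "ok"


if __name__ == "__main__":
    s = new_session("admin")
    record_reauth(s)
    print(gate_request(s, {"action": "reboot"}, {}))                              # rejected: no token
    print(gate_request(s, {"csrf_token": s["csrf_token"], "action": "reboot"}, {}))  # allowed
```

The token check comes before input validation so that a forged request is refused before any of its content is interpreted; the re-authentication check comes last because it is the only one that can legitimately fail for an honest user, who is then prompted for a password rather than shown a generic error.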
NVD Description
Edimax EW-7438RPn-v3 Mini 1.27 is vulnerable to cross-site request forgery (CSRF) that can lead to command execution. An attacker can trick an authenticated user into submitting a crafted form to the /goform/mp endpoint, resulting in arbitrary command execution on the device with the user's privileges.
Deeper analysis [AI-generated]
CVE-2020-37149 is a cross-site request forgery (CSRF) vulnerability, classified under CWE-352, affecting the Edimax EW-7438RPn-v3 Mini firmware version 1.27. It enables arbitrary command execution when an authenticated user is tricked into submitting a crafted form to the /goform/mp endpoint. The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H), indicating high severity due to network accessibility, low complexity, and significant impacts on integrity and availability.
An unauthenticated attacker can exploit this vulnerability remotely by luring an authenticated user to interact with a malicious webpage or link that automatically submits a forged POST request to the device's /goform/mp endpoint. This user interaction requirement (UI:R) allows the attacker, who needs no privileges (PR:N), to achieve arbitrary command execution on the device with the privileges of the tricked user, potentially compromising the Wi-Fi range extender's functionality.
Advisories and related resources include the Edimax product page at https://www.edimax.com/edimax/merchandise/merchandise_detail/data/edimax/global/wi-fi_range_extenders_n300/ew-7438rpn_mini/, a proof-of-concept exploit at https://www.exploit-db.com/exploits/48318, and a VulnCheck advisory at https://www.vulncheck.com/advisories/edimax-technology-ew-rpn-mini-cross-site-request-forgery-csrf-to-command-execution detailing the CSRF-to-command-execution attack chain. Practitioners should review these for mitigation guidance, such as firmware updates if available.
Details
- CWE(s)