CVE-2024-48419
Published: 27 January 2025
Summary
CVE-2024-48419 is a high-severity Command Injection (CWE-77) vulnerability in Edimax BR-6476AC firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 12.0% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-48419 is a command-injection vulnerability in the Edimax AC1200 Wi-Fi 5 Dual-Band Router model BR-6476AC running firmware version 1.06. The flaw resides in the /bin/goahead binary and can be triggered through the web-interface endpoints /goform/tracerouteDiagnosis, /goform/pingDiagnosis, and /goform/fromSysToolPingCmd, each of which accepts unsanitized input that is passed directly to the system shell. Successful exploitation grants an attacker the ability to execute arbitrary commands with root privileges.
An attacker who can authenticate to the router’s web management interface (even with a low-privilege account) can supply crafted parameters to any of the three forms and obtain root-level command execution on the device. Because the injection occurs server-side in root context, the attacker can read or modify configuration files, install persistent malware, or pivot to other hosts on the LAN.
The associated GitHub advisory and vendor site constitute the primary public references; neither document describes an available firmware patch or specific mitigation steps. The EPSS score rose from a low baseline to a peak of 0.1134 on 2025-12-11 before receding to its current value of 0.0356, indicating a measurable increase in observed exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-43241
Vulnerability details
Edimax AC1200 Wi-Fi 5 Dual-Band Router BR-6476AC 1.06 suffers from Command Injection issues in /bin/goahead. Specifically, these issues can be triggered through /goform/tracerouteDiagnosis, /goform/pingDiagnosis, and /goform/fromSysToolPingCmd. Each of these issues allows an attacker with access to the web interface to inject and execute arbitrary shell commands, with "root" privileges.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection vulnerability in the router's web interface (/goform/tracerouteDiagnosis, pingDiagnosis, fromSysToolPingCmd) allows authenticated attackers to execute arbitrary root shell commands, enabling exploitation of public-facing applications, exploitation of remote services, and execution via network device CLI or Unix shell.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of user inputs to the vulnerable /goform endpoints, directly preventing command injection exploitation.
- SI-2 (Flaw Remediation): mandates timely remediation of the identified command injection flaw through vendor patches or updates.
- Least privilege: enforces least privilege on the web server process handling diagnostic endpoints, limiting injected commands from executing as root.
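To make the SI-10 control concrete, here is an added example (not Edimax code and not taken from /bin/goahead) contrasting the pattern the description implies, user input spliced into a shell command line, with a hardened diagnostic-ping handler that allowlists the host and passes it as a single argv element to execvp() so the shell never interprets it. The function names and the 253-byte hostname limit are assumptions; nothing is executed here, only the validation and argument construction.

```c
/* Added example: vulnerable vs. hardened handling of a user-supplied
 * "host" parameter for a diagnostic ping endpoint. Hypothetical code,
 * not the router firmware's own. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: the host is formatted into a shell command line.
 * Returns the line a shell would receive; ';', '|', '`' and '$(' survive
 * untouched, which is exactly the condition the advisory describes.
 * Never pass such a string to system() or popen(). */
int unsafe_shell_line(const char *host, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "ping -c 4 %s", host);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Allowlist validation (SI-10): only hostname/IPv4 characters, a sane
 * length, and no leading '-' so the value cannot become a ping option. */
int host_is_safe(const char *host) {
    size_t len = strlen(host);
    if (len == 0 || len > 253) return 0;            /* assumed DNS limit */
    if (host[0] == '-' || host[0] == '.') return 0; /* no option injection */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-')) return 0;
    }
    return 1;
}

/* Hardened pattern: build an argv[] with the host as one argument, to be
 * run with execvp(argv[0], ...) rather than a shell. Returns the argument
 * count, or -1 if the host fails validation. */
int build_ping_argv(const char *host, const char *argv[5]) {
    if (!host_is_safe(host)) return -1;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "4";
    argv[3] = host;   /* single argv element: metacharacters are literal */
    argv[4] = NULL;
    return 4;
}
```

Pairing this with the least-privilege control above (running the web server as an unprivileged user and granting ping only the capability it needs) limits what any remaining injection could do.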