Cyber Resilience

CVE-2024-48419

Severity: High · Public PoC · RCE

Published: 27 January 2025
Modified: 28 May 2025
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0356 (88.0th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-48419 is a high-severity command injection (CWE-77) vulnerability in Edimax BR-6476AC firmware. Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 12.0% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-48419 is a command-injection vulnerability in the Edimax AC1200 Wi-Fi 5 Dual-Band Router model BR-6476AC running firmware version 1.06. The flaw resides in the /bin/goahead binary and can be triggered through the web-interface endpoints /goform/tracerouteDiagnosis, /goform/pingDiagnosis, and /goform/fromSysToolPingCmd, each of which accepts unsanitized input that is passed directly to the system shell. Successful exploitation grants an attacker the ability to execute arbitrary commands with root privileges.

An attacker holding credentials for the router's web management interface, even a low-privilege account (CVSS PR:L), can supply crafted parameters to any of the three forms and obtain command execution on the device. Because the injection occurs server-side and the web server process runs as root, the attacker can read or modify configuration files, install persistent malware, or pivot to other hosts on the LAN.
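The following is an added illustration written for this page; it is not code from the Edimax firmware, from /bin/goahead, or from the page's references. It shows a GoAhead-style form handler that builds the ping command the way the paragraph above describes, by interpolating the form value into a shell string, next to a hardened version that validates the target against a strict character allowlist and runs ping through execv with a fixed argument vector and no shell. That pairing is what the input-validation (SI-10) and no-shell mitigations discussed later on this page look like in code. The form parameter name `host`, the `/bin/ping` path, and the handler structure are assumptions; the page does not name the vulnerable parameters. The sample payload is constructed.

```c
/* Added example, not Edimax code. Parameter name "host", the /bin/ping path
 * and the handler layout are assumptions; the page does not give them. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* VULNERABLE pattern (the shape CVE-2024-48419 describes): the form value is
 * pasted into a command line that is then handed to /bin/sh via system().
 * With host = "8.8.8.8; cat /etc/passwd" the shell runs both commands as
 * whatever user the web server is, here root.  Returns 0 on success, -1 if
 * the buffer is too small. */
int build_ping_cmd_vulnerable(const char *host, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "ping -c 3 %s", host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Inspection helper: does the command the vulnerable handler would run
 * contain the given substring?  Used instead of actually calling system(). */
int vulnerable_cmd_contains(const char *host, const char *needle)
{
    char cmd[512];
    if (build_ping_cmd_vulnerable(host, cmd, sizeof cmd) != 0) return 0;
    return strstr(cmd, needle) != NULL;
}

/* Allowlist of characters a hostname or IPv4 literal may contain.  Explicit
 * ASCII ranges rather than isalnum() so the result is locale-independent. */
static int host_char_ok(unsigned char c)
{
    return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
           (c >= 'A' && c <= 'Z') || c == '.' || c == '-';
}

/* HARDENED validation: reject anything that is not a plausible target.
 * ';', '|', '&', '`', '$', quotes, whitespace and newlines never pass, and a
 * leading '-' is refused so the value cannot be parsed as a ping option. */
int is_safe_host(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253) return 0;
    if (host[0] == '-' || host[0] == '.') return 0;
    for (size_t i = 0; i < len; i++) {
        if (!host_char_ok((unsigned char)host[i])) return 0;
    }
    return 1;
}

/* HARDENED execution: no shell at all.  ping is exec'd with a fixed argv, so
 * even a value that slipped past validation is a single argument, never a
 * command separator.  Returns ping's exit status, -1 on validation/exec error. */
int run_ping_safe(const char *host)
{
    if (!is_safe_host(host)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {"ping", "-c", "3", (char *)host, NULL};
        execv("/bin/ping", argv);  /* path is an assumption */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *payload = "8.8.8.8; cat /etc/passwd";  /* constructed sample */
    char cmd[256];
    if (build_ping_cmd_vulnerable(payload, cmd, sizeof cmd) == 0)
        printf("vulnerable handler would pass to /bin/sh: %s\n", cmd);
    printf("hardened validator accepts payload:  %d\n", is_safe_host(payload));
    printf("hardened validator accepts 8.8.8.8:  %d\n", is_safe_host("8.8.8.8"));
    return 0;
}
```

The fix has two independent layers on purpose: validation stops the metacharacters the PoC relies on, and exec-without-shell removes the interpreter that would have given them meaning. Either alone helps; together they also cover the case where a later code change widens the allowlist. Running the web server as an unprivileged user (the least-privilege control on this page) is a third layer that limits what a successful injection can do rather than whether it happens.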

The associated GitHub advisory and vendor site constitute the primary public references; neither document describes an available firmware patch or specific mitigation steps. The EPSS score rose from a low baseline to a peak of 0.1134 on 2025-12-11 before receding to its current value of 0.0356, indicating a rise in predicted exploitation likelihood after disclosure. EPSS estimates the probability of exploitation in the wild over the next 30 days; it does not by itself confirm observed attacks.

Vulnerability details

Edimax AC1200 Wi-Fi 5 Dual-Band Router BR-6476AC 1.06 suffers from command injection issues in /bin/goahead. Specifically, these issues can be triggered through /goform/tracerouteDiagnosis, /goform/pingDiagnosis, and /goform/fromSysToolPingCmd. Each of these issues allows an attacker with access to the web interface to inject and execute arbitrary shell commands with "root" privileges.

CWE(s)

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1059.008 Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command-line interpreters (CLI) on network devices to execute malicious commands and payloads.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection vulnerability in the router's web interface (/goform/tracerouteDiagnosis, pingDiagnosis, fromSysToolPingCmd) allows authenticated attackers to execute arbitrary root shell commands, enabling exploitation of public-facing applications, exploitation of remote services, and execution via network device CLI or Unix shell.

CVEs Like This One

CVE-2024-48416 · Same product: Edimax BR-6476AC
CVE-2024-48418 · Same product: Edimax BR-6476AC
CVE-2024-48420 · Same product: Edimax BR-6476AC
CVE-2025-70161 · Same vendor: Edimax
CVE-2025-22912 · Same vendor: Edimax
CVE-2025-14094 · Same vendor: Edimax
CVE-2025-14093 · Same vendor: Edimax
CVE-2025-15256 · Same vendor: Edimax
CVE-2025-22905 · Same vendor: Edimax
CVE-2020-37149 · Same vendor: Edimax

Affected Assets

Vendor: edimax
Product: br-6476ac firmware
Version: 1.06

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Requires validation of user inputs to the vulnerable /goform endpoints, directly preventing command injection exploitation.

SI-2 Flaw Remediation (prevent)
Mandates timely remediation of the identified command injection flaw through vendor patches or updates.

AC-6 Least Privilege (prevent)
Enforces least privilege on the web server process handling diagnostic endpoints, limiting injected commands from executing as root.
