CVE-2025-22905
Published: 16 January 2025
Summary
CVE-2025-22905 is a critical-severity Code Injection (CWE-94) vulnerability in Edimax Re11S Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 14.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
RE11S v1.11 contains a command injection vulnerability (CWE-94) at the /goform/mp endpoint, where the command parameter is processed without adequate sanitization. The flaw affects the RE11S device firmware and carries a CVSS 3.1 score of 9.8, reflecting network-accessible exploitation with no required credentials or user interaction and full impact on confidentiality, integrity, and availability.
An unauthenticated remote attacker can supply crafted input to the command parameter and execute arbitrary operating-system commands on the device. Successful exploitation grants complete control over the affected system, enabling actions such as data exfiltration, configuration changes, or deployment of persistent malware.
The EPSS score rose from a low baseline to a peak of 0.0560 on 2026-01-13 before receding to the current value of 0.0246, indicating a measurable increase in observed exploitation interest after public disclosure. Public references include a proof-of-concept on GitHub, the vendor site at edimax.com, and the product domain re11s.com, though no official patch or mitigation guidance is detailed in the available references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3042
Vulnerability details
RE11S v1.11 was discovered to contain a command injection vulnerability via the command parameter at /goform/mp.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote command injection via public web endpoint (/goform/mp) directly enables exploitation of public-facing application (T1190) and arbitrary command execution on likely Linux-based device (T1059.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the CVE by requiring identification, reporting, and timely patching of the command injection flaw in RE11S v1.11.
Prevents command injection by enforcing validation of the untrusted 'command' parameter at the /goform/mp endpoint.
Boundary protection mechanisms like web application firewalls can inspect and block malicious command injection payloads targeting the vulnerable endpoint.