CVE-2025-22906
Published: 16 January 2025
Summary
CVE-2025-22906 is a critical-severity Code Injection (CWE-94) vulnerability in Edimax RE11S firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 13.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
RE11S v1.11 contains a command injection vulnerability in the handling of the L2TPUserName parameter at the /goform/setWAN endpoint. The flaw is tracked as CVE-2025-22906 with a CVSS 3.1 score of 9.8 and is classified under CWE-94, indicating improper control over code generation that allows arbitrary command execution.
An unauthenticated attacker with network access can supply a malicious L2TPUserName value to the affected endpoint and execute operating-system commands on the device. Successful exploitation grants full control over confidentiality, integrity, and availability without requiring user interaction or credentials.
Public references include a proof-of-concept repository demonstrating the injection and links to the vendor site and product page, though no official advisory or patch information is provided in the available sources. The EPSS score reached a peak of 0.0404 after disclosure before settling at the current value of 0.0293, indicating a modest but noticeable increase in exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3043
Vulnerability details
RE11S v1.11 was discovered to contain a command injection vulnerability via the L2TPUserName parameter at /goform/setWAN.
- CWE(s): CWE-94 (Code Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in a public web endpoint (/goform/setWAN) enables remote, unauthenticated exploitation of the application (Exploit Public-Facing Application, T1190) and direct arbitrary command execution on the device (Command and Scripting Interpreter, T1059).
Mitigating Controls (NIST 800-53 r5)
- Directly requires validation and sanitization of user inputs such as the L2TPUserName parameter at the /goform/setWAN endpoint, preventing command injection.
- Enforces restrictions on information inputs to block invalid or malicious payloads targeting the vulnerable L2TPUserName parameter.
- Mandates timely identification, prioritization, and remediation of the specific command injection flaw in RE11S v1.11 via patching.
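The input-validation control above (SI-10) is easiest to reason about in code. The following is an added example written for this page; it is not Edimax code and makes no claim about how the RE11S firmware handles /goform/setWAN. It assumes a handler that receives the decoded L2TPUserName value as a C string and must pass it to a helper program (helper_path is a hypothetical argument). Two defensive measures are combined: an allowlist that rejects anything outside a bounded, known-good character set, and process creation via an argv array with execv() so that no shell ever parses the value.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define L2TP_USERNAME_MAX 64

/* Allowlist validation for the L2TPUserName value (hypothetical policy for
 * this example: 1..64 characters, alphanumerics plus "_-.@"). Anything else
 * is rejected outright; no attempt is made to escape shell metacharacters,
 * because escaping is where injection defences usually go wrong. */
bool l2tp_username_is_valid(const char *s)
{
    if (s == NULL)
        return false;
    size_t n = 0;
    for (; s[n] != '\0'; n++) {
        if (n >= L2TP_USERNAME_MAX)
            return false;
        unsigned char c = (unsigned char)s[n];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.' || c == '@'))
            return false;
    }
    return n > 0;
}

/* Apply the value by running a helper program (helper_path is an assumption
 * of this example) with an argv array and execv(). No shell is involved, so
 * the value is always exactly one argument and can never become command
 * syntax. Returns the helper's exit status, or -1 on invalid input or a
 * process error. */
int apply_l2tp_username(const char *helper_path, const char *username)
{
    if (!l2tp_username_is_valid(username))
        return -1;
    char *const argv[] = { (char *)helper_path, "--user", (char *)username, NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(helper_path, argv);
        _exit(127); /* exec failed: conventional "command not found" status */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample inputs: only the first two should be accepted. */
    const char *samples[] = { "alice", "bob.smith@example.net", "user;id", "", "a b" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %s\n", samples[i],
               l2tp_username_is_valid(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

The two measures are independent: the allowlist gives a small, auditable definition of what a username may look like, and the argv-based invocation means that even a value that slipped past validation would reach the helper as data rather than as shell syntax. A firmware fix that only adds escaping around a system() call keeps the shell in the path and is the weaker of the two.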