CVE-2025-34024
Published: 20 June 2025
Summary
CVE-2025-34024 is a critical-severity OS Command Injection (CWE-78) vulnerability in Edimax EW-7438RPn Mini firmware. Its CVSS base score is 9.4 (Critical).
Operationally, it ranks in the top 10.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
An OS command injection vulnerability exists in the Edimax EW-7438RPn firmware version 1.13 and prior. The flaw is located in the mp.asp form handler at the /goform/mp endpoint, which fails to sanitize the command parameter and permits shell metacharacters, corresponding to CWE-78 with a CVSS 4.0 score of 9.4.
An authenticated attacker with network access can supply crafted input containing shell metacharacters to the command parameter, resulting in arbitrary command execution as the root user on the device. Exploitation evidence was observed by the Shadowserver Foundation on 2024-09-14 UTC.
Public references include a VulnCheck advisory, a Broadcom attack signature entry, the vendor product page, and Exploit-DB entry 48377. The EPSS score is 0.0432, which is also its peak value; it has not risen materially.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-18776
Vulnerability details
An OS command injection vulnerability exists in the Edimax EW-7438RPn firmware version 1.13 and prior via the mp.asp form handler. The /goform/mp endpoint improperly handles user-supplied input to the command parameter. An authenticated attacker can inject shell commands using shell metacharacters to achieve arbitrary command execution as the root user. Exploitation evidence was observed by the Shadowserver Foundation on 2024-09-14 UTC.
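Detection logic for the behaviour described above, added here as an example and not taken from the advisory or the vendor: it scans constructed proxy log lines (a hypothetical format that records the URL-encoded form body as the last field) for requests to /goform/mp whose command parameter contains shell metacharacters after decoding.

```python
import re
from urllib.parse import parse_qs, unquote

# Shell metacharacters that should not appear in a legitimate value of the
# /goform/mp "command" parameter (assumption: legitimate values are plain tokens).
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")

# Hypothetical proxy log format: client, two ident fields, timestamp, request line,
# status, quoted URL-encoded form body. Not a real Edimax log format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) "(?P<body>[^"]*)"$'
)

# Constructed sample lines for offline testing (not observed traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [14/Sep/2024:10:01:02 +0000] "POST /goform/mp HTTP/1.1" 200 "command=status"
192.0.2.77 - - [14/Sep/2024:10:01:05 +0000] "POST /goform/mp HTTP/1.1" 200 "command=status%3Bls%20%2F"
192.0.2.10 - - [14/Sep/2024:10:02:00 +0000] "GET /index.asp HTTP/1.1" 200 ""
192.0.2.88 - - [14/Sep/2024:10:03:00 +0000] "POST /goform/mp HTTP/1.1" 200 "command=%60uname%60"
"""


def find_mp_injection_attempts(log_text: str) -> list[dict]:
    """Return one finding per request to /goform/mp whose 'command' parameter
    contains a shell metacharacter once URL decoding has been applied."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        # Compare the path without any query string so "/goform/mp?x=1" still matches.
        if m.group("path").split("?", 1)[0] != "/goform/mp":
            continue
        params = parse_qs(m.group("body"), keep_blank_values=True)
        for value in params.get("command", []):
            # parse_qs already decodes once; a second unquote catches double-encoding.
            decoded = unquote(value)
            if SHELL_META.search(decoded):
                findings.append({"src": m.group("src"), "ts": m.group("ts"),
                                 "command": decoded})
    return findings


if __name__ == "__main__":
    for f in find_mp_injection_attempts(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} command={f['command']!r}")
```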
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.