CVE-2025-22904

CriticalPublic PoC

Published: 16 January 2025

Published

16 January 2025

Modified

09 April 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0050 66.1th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

RE11S v1.11 was discovered to contain a stack overflow via the pptpUserName parameter in the setWAN function.

Security Summary

CVE-2025-22904 is a stack-based buffer overflow vulnerability in RE11S version 1.11, triggered through the pptpUserName parameter in the setWAN function. This flaw, classified under CWE-120, affects the software component handling WAN configuration, likely within Edimax networking devices as indicated by associated references. The vulnerability carries a CVSS v3.1 base score of 9.8, reflecting its critical severity due to network accessibility and potential for severe impacts.

A remote attacker requires no privileges or user interaction to exploit this issue over the network with low complexity. Successful exploitation could allow arbitrary code execution, leading to high confidentiality, integrity, and availability impacts, such as full device compromise, data theft, or disruption of network services.

References include the RE11S vendor site (re11s.com), a GitHub proof-of-concept repository demonstrating the stack overflow (github.com/xyqer1/RE11S_1.11-setWAN-3-StackOverflow), and Edimax's global site (edimax.com), though specific mitigation or patch details are not detailed in available information.

Details

CWE(s): CWE-120

Affected Products

edimax

re11s firmware

1.11

References

http://re11s.com
Broken Link, Not Applicable · cve@mitre.org
https://github.com/xyqer1/RE11S_1.11-setWAN-3-StackOverflow
Exploit, Third Party Advisory · cve@mitre.org
https://www.edimax.com/edimax/global/
Product · cve@mitre.org