Cyber Posture

CVE-2025-22905

Severity: Critical · Public PoC available

Published: 16 January 2025
Modified: 09 April 2025
KEV Added: (not listed)
Patch: (none listed)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0135 (percentile 80.2)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

RE11S v1.11 was discovered to contain a command injection vulnerability via the command parameter of the /goform/mp endpoint.

Security Summary

CVE-2025-22905 is a command injection vulnerability in Edimax RE11S firmware version 1.11, reachable through the command parameter of the /goform/mp endpoint. The issue is mapped to CWE-94 (Improper Control of Generation of Code) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), placing it in the critical range.

The vector indicates that an unauthenticated attacker with network access to the device's web interface can trigger the flaw with low attack complexity and no user interaction. Successful exploitation yields arbitrary command execution on the device, with high confidentiality, integrity, and availability impact, up to full compromise of the device.

Mitigation guidance and further details should be sought from the vendor references, http://re11s.com and https://www.edimax.com/edimax/global/. A public proof of concept demonstrating the command injection is available at https://github.com/xyqer1/RE11S_1.11-mp-CommandInjection; its existence raises the urgency of patching or restricting network access to the management interface.

Details

CWE(s): CWE-94

Affected Products

Vendor: edimax
Product: re11s firmware
Version: 1.11
