CVE-2025-22906

Critical · Public PoC

Published: 16 January 2025

Modified: 09 April 2025
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0218 (84.4th percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Description

RE11S v1.11 was discovered to contain a command injection vulnerability via the L2TPUserName parameter at /goform/setWAN.

Security Summary

CVE-2025-22906, published on 2025-01-16, is a command injection vulnerability (CWE-94) affecting RE11S version 1.11. The issue resides in the /goform/setWAN endpoint, where the L2TPUserName parameter fails to properly sanitize user input, enabling injection of arbitrary commands. This critical flaw carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Remote, unauthenticated attackers can exploit the vulnerability over the network with low complexity and without user interaction. Successful exploitation lets an attacker execute arbitrary commands on the affected device, with high impact to confidentiality, integrity, and availability, such as full system compromise.

Mitigation details and advisories are referenced at http://re11s.com, a proof-of-concept exploit at https://github.com/xyqer1/RE11S_1.11-setWAN-CommandInjection, and related vendor information at https://www.edimax.com/edimax/global/. Security practitioners should consult these sources for patching instructions or workarounds.

Details

CWE(s): CWE-94

Affected Products

edimax re11s firmware 1.11
