CVE-2025-22912

CriticalPublic PoC

Published: 16 January 2025

Published

16 January 2025

Modified

09 April 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0218 84.4th percentile

Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Description

RE11S v1.11 was discovered to contain a command injection vulnerability via the component /goform/formAccept.

Security Summary

CVE-2025-22912, published on 2025-01-16, is a command injection vulnerability (CWE-77) in RE11S version 1.11, specifically via the /goform/formAccept component. The flaw carries a CVSS v3.1 base score of 9.8 (Critical), reflecting its network accessibility, low attack complexity, lack of required privileges or user interaction, and high potential impact on confidentiality, integrity, and availability.

A remote, unauthenticated attacker can exploit this vulnerability over the network by sending crafted requests to the affected component, enabling arbitrary command injection and execution on the target system. Exploitation requires no prior access or user involvement, potentially allowing full remote code execution and system compromise.

Mitigation details are available in advisories and resources linked from http://re11s.com, https://github.com/xyqer1/RE11S_1.11-formAccept-CommandInjection, and https://www.edimax.com/edimax/global/. Security practitioners should consult these references for vendor patches, workarounds, or updated firmware for RE11S devices.

Details

CWE(s): CWE-77

Affected Products

edimax

re11s firmware

1.11

References

http://re11s.com
Broken Link, Not Applicable · cve@mitre.org
https://github.com/xyqer1/RE11S_1.11-formAccept-CommandInjection
Exploit, Third Party Advisory · cve@mitre.org
https://www.edimax.com/edimax/global/
Product · cve@mitre.org