CVE-2025-22916

CVE-2025-22916 is a stack-based buffer overflow vulnerability (CWE-120) affecting RE11S version 1.11. The flaw occurs in the formPPPoESetup function when processing the pppUserName parameter, allowing excessive data to overflow the stack. This critical issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating severe potential impact from remote exploitation.

An unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By sending a specially crafted request targeting the pppUserName parameter, the attacker can trigger the stack overflow, potentially leading to arbitrary code execution, denial of service, or full compromise of the affected device, with high impacts on confidentiality, integrity, and availability.

References include the vendor site at http://re11s.com and https://www.edimax.com/edimax/global/, along with a GitHub proof-of-concept at https://github.com/xyqer1/RE11S_1.11-formPPPoESetup-StackOverflow. No specific mitigation or patch details are detailed in the available information.