Edimax


Products by Edimax Sorted by Most Security Vulnerabilities since 2018

Edimax Br 6478ac V3 Firmware: 8 vulnerabilities

Edimax Re11s Firmware: 8 vulnerabilities

Edimax Br 6208ac Firmware: 5 vulnerabilities

Edimax Br 6476ac Firmware: 5 vulnerabilities

Edimax Br 6428ns Firmware: 4 vulnerabilities

Edimax Br 6288acl Firmware: 3 vulnerabilities

Edimax Ew 7438rpn Mini V2: 2 vulnerabilities

Edimax Br 6104k: 1 vulnerability

Edimax Br 6478ac Firmware: 1 vulnerability

Edimax Cv 7428ns Firmware: 1 vulnerability

Edimax Ic 7100 Firmware: 1 vulnerability

Known Exploited Edimax Vulnerabilities

The following Edimax vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title: Edimax IC-7100 IP Camera OS Command Injection Vulnerability
Description: Edimax IC-7100 IP camera contains an OS command injection vulnerability due to improper input sanitization that allows an attacker to achieve remote code execution via specially crafted requests. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
CVE: CVE-2025-1316 (Exploit Probability: 85.3%)
Added: March 19, 2025

The vulnerability CVE-2025-1316: Edimax IC-7100 IP Camera OS Command Injection Vulnerability is in the top 1% of the currently known exploitable vulnerabilities.

By the Year

In 2026 there have been 8 vulnerabilities in Edimax with an average score of 6.2 out of ten. Last year, in 2025, Edimax had 30 security vulnerabilities published. At the current rates, it appears that the number of vulnerabilities last year and this year may equal out. However, the average CVE base score of the vulnerabilities in 2026 is greater by 0.35.




Year Vulnerabilities Average Score
2026 8 6.18
2025 30 5.82
2024 1 9.80
2023 5 9.40

It may take a day or so for new Edimax vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Edimax Security Vulnerabilities

CVE-2026-1972 (Feb 06, 2026)
Title: Edimax BR-6208AC 2_1.02 auth_check_userpass2 remote auth bypass default creds
Description: A vulnerability was found in Edimax BR-6208AC 2_1.02. The affected element is the function auth_check_userpass2. Performing a manipulation of the argument Username/Password results in use of default credentials. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor confirms that the affected product is end-of-life. They confirm that they "will issue a consolidated Security Advisory on our official support website." This vulnerability only affects products that are no longer supported by the maintainer.
Products: Br 6208ac Firmware

CVE-2026-1971 (Feb 06, 2026)
Title: Edimax BR-6288ACL XSS via wiz_WISP24gmanual ASP before v1.12
Description: A vulnerability has been found in Edimax BR-6288ACL up to 1.12. Impacted is the function wiz_WISP24gmanual of the file wiz_WISP24gmanual.asp. Such manipulation of the argument manualssid leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor confirms that the affected product is end-of-life. They confirm that they "will issue a consolidated Security Advisory on our official support website." This vulnerability only affects products that are no longer supported by the maintainer.
Products: Br 6288acl Firmware

CVE-2026-1970 (Feb 05, 2026)
Title: Open-Redirect in Edimax BR-6258n v1.18 via /goform/formStaDrvSetup
Description: A flaw has been found in Edimax BR-6258n up to 1.18. This issue affects the function formStaDrvSetup of the file /goform/formStaDrvSetup. This manipulation of the argument submit-url causes open redirect. The attack can be initiated remotely. The exploit has been published and may be used. The vendor confirms that the affected product is end-of-life. They confirm that they "will issue a consolidated Security Advisory on our official support website." This vulnerability only affects products that are no longer supported by the maintainer.

CVE-2020-37150 (Feb 05, 2026)
Title: Unauth Access to /wizard_reboot.asp Exposes SSID/Key on EW-7438RPn-v3
Description: Edimax EW-7438RPn-v3 Mini 1.27 allows unauthenticated attackers to access the /wizard_reboot.asp page in unsetup mode, which discloses the Wi-Fi SSID and security key. Attackers can retrieve the wireless password by sending a GET request to this endpoint, exposing sensitive information without authentication.
Products: Ew 7438rpn Mini Firmware

CVE-2020-37149 (Feb 05, 2026)
Title: CVE-2020-37149: Edimax EW-7438RPn-v3 Mini 1.27 CSRF Enables Cmd Exec
Description: Edimax EW-7438RPn-v3 Mini 1.27 is vulnerable to cross-site request forgery (CSRF) that can lead to command execution. An attacker can trick an authenticated user into submitting a crafted form to the /goform/mp endpoint, resulting in arbitrary command execution on the device with the user's privileges.
Products: Ew 7438rpn Mini Firmware

CVE-2020-37125 (Feb 05, 2026)
Title: Edimax EW-7438RPn-v3 Mini RCE via /goform/mp (pre1.27)
Description: Edimax EW-7438RPn-v3 Mini 1.27 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands through the /goform/mp endpoint. Attackers can exploit the vulnerability by sending crafted POST requests with command injection payloads to download and execute malicious scripts on the device.
Products: Ew 7438rpn Mini Firmware

CVE-2020-37097 (Feb 03, 2026)
Title: Edimax EW-7438RPn 1.13 wlencrypt_wiz.asp Info Disclosure
Description: Edimax EW-7438RPn 1.13 contains an information disclosure vulnerability that exposes WiFi network configuration details through the wlencrypt_wiz.asp file. Attackers can access the script to retrieve sensitive information including WiFi network name and plaintext password stored in device configuration variables.
Products: Ew 7438rpn Mini Firmware

CVE-2020-37096 (Feb 03, 2026)
Title: Cross-Site Request Forgery in Edimax EW-7438RPn 1.13 MAC Filtering UI
Description: Edimax EW-7438RPn 1.13 contains a cross-site request forgery vulnerability in the MAC filtering configuration interface. Attackers can craft malicious web pages to trick users into adding unauthorized MAC addresses to the device's filtering rules without their consent.
Products: Ew 7438rpn Mini Firmware

CVE-2025-15258 (Dec 30, 2025)
Title: A weakness has been identified in Edimax BR-6208AC 1.02/1.03
Description: A weakness has been identified in Edimax BR-6208AC 1.02/1.03. Affected by this issue is the function formALGSetup of the file /goform/formALGSetup of the component Web-based Configuration Interface. This manipulation of the argument wlan-url causes open redirect. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. Edimax confirms this issue: "The product mentioned, EDIMAX BR-6208AC V2, has reached its End of Life (EOL) status. It is no longer supported or maintained by Edimax, and it is no longer available for purchase in the market. Consequently, there will be no further firmware updates or patches for this device. We recommend users upgrade to newer models for better security." This vulnerability only affects products that are no longer supported by the maintainer.
Products: Br 6208ac Firmware

CVE-2025-15257 (Dec 30, 2025)
Title: A security flaw has been discovered in Edimax BR-6208AC 1.02/1.03
Description: A security flaw has been discovered in Edimax BR-6208AC 1.02/1.03. Affected by this vulnerability is the function formRoute of the file /gogorm/formRoute of the component Web-based Configuration Interface. The manipulation of the argument strIp/strMask/strGateway results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. Edimax confirms this issue: "The product mentioned, EDIMAX BR-6208AC V2, has reached its End of Life (EOL) status. It is no longer supported or maintained by Edimax, and it is no longer available for purchase in the market. Consequently, there will be no further firmware updates or patches for this device. We recommend users upgrade to newer models for better security." This vulnerability only affects products that are no longer supported by the maintainer.
Products: Br 6208ac Firmware

CVE-2025-15256 (Dec 30, 2025)
Title: A vulnerability was identified in Edimax BR-6208AC 1.02/1.03
Description: A vulnerability was identified in Edimax BR-6208AC 1.02/1.03. Affected is the function formStaDrvSetup of the file /goform/formStaDrvSetup of the component Web-based Configuration Interface. The manipulation of the argument rootAPmac leads to command injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. Edimax confirms this issue: "The product mentioned, EDIMAX BR-6208AC V2, has reached its End of Life (EOL) status. It is no longer supported or maintained by Edimax, and it is no longer available for purchase in the market. Consequently, there will be no further firmware updates or patches for this device. We recommend users upgrade to newer models for better security." This vulnerability only affects products that are no longer supported by the maintainer.
Products: Br 6208ac Firmware

CVE-2025-14910 (Dec 19, 2025)
Title: Edimax BR-6208AC 1.02 FTP Daemon Path Traversal RCE
Description: A vulnerability was detected in Edimax BR-6208AC 1.02. This impacts the function handle_retr of the component FTP Daemon Service. The manipulation results in path traversal. The attack may be launched remotely. The exploit is now public and may be used. Edimax confirms this issue: "This product is no longer available in the market and has been discontinued for five years. Consequently, Edimax no longer provides technical support, firmware updates, or security patches for this specific model. However, to ensure the safety of our remaining active users, we acknowledge this report and will take the following mitigation actions: (A) We will issue an official security advisory on our support website. (B) We will strongly advise users to disable the FTP service on this device to mitigate the reported risk, by which the product will still work for common use. (C) We will recommend users upgrade to newer, supported models." This vulnerability only affects products that are no longer supported by the maintainer.
Products: Br 6208ac Firmware

CVE-2025-14094 (Dec 05, 2025)
Title: Edimax BR-6478AC V3 1.0.15 Remote OS Command Injection via formSysCmd
Description: A flaw has been found in Edimax BR-6478AC V3 1.0.15. The affected element is the function sub_44CCE4 of the file /boafrm/formSysCmd. This manipulation of the argument sysCmd causes OS command injection. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Products: Br 6478ac V3 Firmware

CVE-2025-14093 (Dec 05, 2025)
Title: Edimax BR-6478AC V3 1.0.15 OS Command Injection (formTracerouteDiagnosticRun)
Description: A vulnerability was detected in Edimax BR-6478AC V3 1.0.15. Impacted is the function sub_416990 of the file /boafrm/formTracerouteDiagnosticRun. The manipulation of the argument host results in OS command injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Products: Br 6478ac V3 Firmware

CVE-2025-14092 (Dec 05, 2025)
Title: Edimax BR-6478AC V3 1.0.15 cmd injection via /boafrm/formDebug
Description: A security vulnerability has been detected in Edimax BR-6478AC V3 1.0.15. This issue affects the function sub_416898 of the file /boafrm/formDebugDiagnosticRun. The manipulation of the argument host leads to OS command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Products: Br 6478ac V3 Firmware

CVE-2025-34029 (Jun 20, 2025)
Title: Command Injection in Edimax EW-7438RPn Mini v1.13 via syscmd.asp
Description: An OS command injection vulnerability exists in the Edimax EW-7438RPn Mini firmware version 1.13 and prior via the syscmd.asp form handler. The /goform/formSysCmd endpoint exposes a system command interface through the sysCmd parameter. A remote authenticated attacker can submit arbitrary shell commands directly, resulting in command execution as the root user. Exploitation evidence was observed by the Shadowserver Foundation on 2024-09-14 UTC.
Products: Ew 7438rpn Mini V2

CVE-2025-34024 (Jun 20, 2025)
Title: Command Injection in Edimax EW-7438RPn firmware <=1.13 via /goform/mp
Description: An OS command injection vulnerability exists in the Edimax EW-7438RPn firmware version 1.13 and prior via the mp.asp form handler. The /goform/mp endpoint improperly handles user-supplied input to the command parameter. An authenticated attacker can inject shell commands using shell metacharacters to achieve arbitrary command execution as the root user. Exploitation evidence was observed by the Shadowserver Foundation on 2024-09-14 UTC.
Products: Ew 7438rpn Mini V2

CVE-2025-45857 (May 13, 2025)
Title: Remote Code Execution in EDIMAX CV7428NS v1.20 via mp command
Description: EDIMAX CV7428NS v1.20 was discovered to contain a remote code execution (RCE) vulnerability via the command parameter in the mp function.
Products: Cv 7428ns Firmware

CVE-2025-22911 (Apr 15, 2025)
Title: RE11S v1.11 Stack Overflow via rootAPmac in formiNICbasicREP
Description: RE11S v1.11 was discovered to contain a stack overflow via the rootAPmac parameter in the formiNICbasicREP function.
Products: Re11s Firmware

CVE-2025-28145 (Apr 15, 2025)
Title: Command Injection in Edimax BR-6478AC V3 1.0.15 via /boafrm/formDiskFormat
Description: Edimax AC1200 Wave 2 Dual-Band Gigabit Router BR-6478AC V3 1.0.15 was discovered to contain a command injection vulnerability via partition in /boafrm/formDiskFormat.
Products: Br 6478ac V3 Firmware

CVE-2025-28144 (Apr 15, 2025)
Title: Edimax BR-6478AC V3 Router Stack Overflow via peerPin (1.0.15)
Description: Edimax AC1200 Wave 2 Dual-Band Gigabit Router BR-6478AC V3 1.0.15 was discovered to contain a stack overflow vulnerability via the peerPin parameter in the formWsc function.
Products: Br 6208ac V3 Firmware; Br 6478ac V3 Firmware

CVE-2025-28143 (Apr 15, 2025)
Title: Edimax AC1200 BR-6478AC v3.1.0.15 cmd injection via /boafrm/formDiskCreateGroup
Description: Edimax AC1200 Wave 2 Dual-Band Gigabit Router BR-6478AC V3_1.0.15 was discovered to contain a command injection vulnerability via the groupname at the /boafrm/formDiskCreateGroup.
Products: Br 6478ac V3 Firmware

CVE-2025-28142 (Apr 15, 2025)
Title: Command Injection in Edimax AC1200 Router BR-6478AC /boafrm/formDiskCreateShare
Description: Edimax AC1200 Wave 2 Dual-Band Gigabit Router BR-6478AC V3_1.0.15 was discovered to contain a command injection vulnerability via the foldername in /boafrm/formDiskCreateShare.
Products: Br 6478ac V3 Firmware

CVE-2025-28146 (Apr 04, 2025)
Title: Edimax BR-6478AC 1.0.15 Cmd Injection via fota_url in /boafrm
Description: Edimax AC1200 Wave 2 Dual-Band Gigabit Router BR-6478AC V3 1.0.15 was discovered to contain a command injection vulnerability via fota_url in /boafrm/formLtefotaUpgradeQuectel.
Products: Br 6478ac V3 Firmware

CVE-2025-1316 (Mar 05, 2025)
Title: IC-7100 RCE via Improper Neutralization of Requests
Description: Edimax IC-7100 does not properly neutralize requests. An attacker can create specially crafted requests to achieve remote code execution on the device.
Products: Ic 7100 Firmware

CVE-2025-1612 (Feb 24, 2025)
Title: Edimax BR-6288ACL 1.30 Wireless SSID XSS via wireless5g_basic.asp
Description: A vulnerability was found in Edimax BR-6288ACL 1.30. It has been declared as problematic. This vulnerability affects unknown code of the file wireless5g_basic.asp. The manipulation of the argument SSID leads to cross site scripting. The attack can be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way.
Products: Br 6288acl Firmware

CVE-2024-48419 (Jan 27, 2025)
Title: Command Injection in Edimax AC1200 WiFi5 Router (v1.06) /bin/goahead
Description: Edimax AC1200 Wi-Fi 5 Dual-Band Router BR-6476AC 1.06 suffers from Command Injection issues in /bin/goahead. Specifically, these issues can be triggered through /goform/tracerouteDiagnosis, /goform/pingDiagnosis, and /goform/fromSysToolPingCmd. Each of these issues allows an attacker with access to the web interface to inject and execute arbitrary shell commands, with "root" privileges.
Products: Br 6476ac Firmware

CVE-2024-48416 (Jan 27, 2025)
Title: Edimax BR-6476AC 1.06 Buffer Overflow via /goform/
Description: Edimax AC1200 Wi-Fi 5 Dual-Band Router BR-6476AC 1.06 is vulnerable to Buffer Overflow via /goform/fromSetLanDhcpsClientbinding.
Products: Br 6476ac Firmware

CVE-2024-48417 (Jan 27, 2025)
Title: XSS in Edimax AC1200 BR-6476AC 1.06 /goform/* Endpoints
Description: Edimax AC1200 Wi-Fi 5 Dual-Band Router BR-6476AC 1.06 is vulnerable to Cross Site Scripting (XSS) in /bin/goahead via /goform/setStaticRoute, /goform/fromSetFilterUrlFilter, and /goform/fromSetFilterClientFilter.
Products: Br 6476ac Firmware

CVE-2024-48418 (Jan 27, 2025)
Title: Command Injection via /goform/fromSetDDNS on Edimax BR-6476AC 1.06
Description: In Edimax AC1200 Wi-Fi 5 Dual-Band Router BR-6476AC 1.06, the request /goform/fromSetDDNS does not properly handle special characters in any of the user-provided parameters, allowing an attacker with access to the web interface to inject and execute arbitrary shell commands.
Products: Br 6476ac Firmware

CVE-2024-48420 (Jan 27, 2025)
Title: Edimax AC1200 BR-6476AC 1.06 Buffer Overflow via /goform/getWifiBasic
Description: Edimax AC1200 Wi-Fi 5 Dual-Band Router BR-6476AC 1.06 is vulnerable to Buffer Overflow via /goform/getWifiBasic.
Products: Br 6476ac Firmware

CVE-2025-22907 (Jan 16, 2025)
Title: RE11S v1.11 Stack Overflow in formWlSiteSurvey
Description: RE11S v1.11 was discovered to contain a stack overflow via the selSSID parameter in the formWlSiteSurvey function.
Products: Re11s Firmware

CVE-2025-22916 (Jan 16, 2025)
Title: Stack Overflow in RE11S v1.11 via formPPPoESetup pppUserName param
Description: RE11S v1.11 was discovered to contain a stack overflow via the pppUserName parameter in the formPPPoESetup function.
Products: Re11s Firmware

CVE-2025-22913 (Jan 16, 2025)
Title: CVE-2025-22913: RE11S v1.11 Stack Overflow via rootAPmac in formStaDrvSetup
Description: RE11S v1.11 was discovered to contain a stack overflow via the rootAPmac parameter in the formStaDrvSetup function.
Products: Re11s Firmware

CVE-2025-22912 (Jan 16, 2025)
Title: RE11S v1.11: /goform/formAccept Command Injection (CVE-2025-22912)
Description: RE11S v1.11 was discovered to contain a command injection vulnerability via the component /goform/formAccept.
Products: Re11s Firmware

CVE-2025-22906 (Jan 16, 2025)
Title: RE11S v1.11 Command Injection via L2TPUserName (/goform/setWAN)
Description: RE11S v1.11 was discovered to contain a command injection vulnerability via the L2TPUserName parameter at /goform/setWAN.
Products: Re11s Firmware

CVE-2025-22905 (Jan 16, 2025)
Title: Command injection in RE11S v1.11 via /goform/mp
Description: RE11S v1.11 was discovered to contain a command injection vulnerability via the command parameter at /goform/mp.
Products: Re11s Firmware

CVE-2025-22904 (Jan 16, 2025)
Title: RE11S v1.11 Stack Overflow via pptpUserName (setWAN)
Description: RE11S v1.11 was discovered to contain a stack overflow via the pptpUserName parameter in the setWAN function.
Products: Re11s Firmware

CVE-2023-49351 (Jan 16, 2024)
Title: Stack Buffer Overflow in Edimax BR6478AC V2 /bin/webs (v1.23)
Description: A stack-based buffer overflow vulnerability in the /bin/webs binary in Edimax BR6478AC V2 firmware version v1.23 allows attackers to overwrite other values located on the stack due to an incorrect use of the strcpy() function.
Products: Br 6478ac Firmware

CVE-2023-33722 (May 31, 2023)
Title: Authenticated RCE in EDIMAX BR-6288ACL v1.12 via pppUserName
Description: EDIMAX BR-6288ACL v1.12 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the pppUserName parameter.
Products: Br 6288acl Firmware

CVE-2023-31986 (May 15, 2023)
Title: Edimax N300 Firmware: Command Injection via /bin/webs setWAN
Description: A Command Injection vulnerability in Edimax Wireless Router N300 Firmware BR-6428NS_v4 allows an attacker to execute arbitrary code via the setWAN function in /bin/webs without any limitations.
Products: Br 6428ns Firmware

CVE-2023-31983 (May 12, 2023)
Title: Command Injection in Edimax N300 Router via /bin/webs
Description: A Command Injection vulnerability in Edimax Wireless Router N300 Firmware BR-6428NS_v4 allows an attacker to execute arbitrary code via the mp function in /bin/webs without any limitations.
Products: Br 6428ns Firmware

CVE-2023-31985 (May 12, 2023)
Title: Edimax N300: Command Injection via /bin/webs formAccept
Description: A Command Injection vulnerability in Edimax Wireless Router N300 Firmware BR-6428NS_v4 allows an attacker to execute arbitrary code via the formAccept function in /bin/webs without any limitations.
Products: Br 6428ns Firmware

CVE-2022-45768 (Feb 07, 2023)
Title: CVE-2022-45768 Command Injection via formWlanMP in Edimax N300
Description: Command Injection vulnerability in Edimax Technology Co., Ltd. Wireless Router N300 Firmware BR428nS v3 allows an attacker to execute arbitrary code via the formWlanMP function.
Products: Br 6428ns Firmware

CVE-2006-2561 (May 24, 2006)
Title: Edimax BR-6104K router
Description: Edimax BR-6104K router allows remote attackers to bypass access restrictions and conduct unauthorized operations via a UPnP request with a modified InternalClient parameter (possibly within NewInternalClient), which is not validated, as demonstrated by using AddPortMapping to forward arbitrary traffic.
Products: Br 6104k

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).