CVE-2025-22904

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on RE11S v1.11 devices by exploiting a stack overflow in the pptpUserName parameter of the setWAN function. Attackers can achieve remote code execution with high privileges, affecting all users of this specific firmware version.

💻 Affected Systems

Products:
  • RE11S
Versions: v1.11
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the specific firmware version only; other versions may be unaffected but should be verified.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise leading to persistent backdoor installation, credential theft, and use as pivot point for network attacks.

🟠 Likely Case

Remote code execution allowing attackers to modify device configuration, intercept network traffic, or install malware.

🟢 If Mitigated

Denial of service if exploit fails or crashes device without achieving code execution.

🌐 Internet-Facing: HIGH - The vulnerable function appears accessible via network interfaces, potentially exposing devices directly to internet attacks.
🏢 Internal Only: HIGH - Even internally, this vulnerability allows attackers with network access to compromise devices.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept code exists on GitHub, making exploitation straightforward for attackers with basic skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.edimax.com/edimax/global/

Restart Required: Yes

Instructions:

1. Check vendor website for firmware updates.
2. Download latest firmware.
3. Upload via device web interface.
4. Reboot device.

🔧 Temporary Workarounds

Network Segmentation (platform: all)

Isolate RE11S devices from untrusted networks and restrict access to management interfaces.

Access Control Lists (platform: linux)

Implement firewall rules to block external access to device management interfaces.

iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

  • Replace affected devices with updated models or different vendors
  • Implement strict network monitoring and anomaly detection for these devices

🔍 How to Verify

Check if Vulnerable:

Check device firmware version via web interface at System Status > Firmware Version

Check Version:

curl -s http://device-ip/status.cgi | grep -i firmware

Verify Fix Applied:

Verify that the firmware version is no longer v1.11 and test the setWAN function with malformed pptpUserName input.

📡 Detection & Monitoring

Log Indicators:

  • Unusual setWAN function calls
  • Device crash/reboot logs
  • Large pptpUserName parameter values

Network Indicators:

  • HTTP POST requests to setWAN endpoint with oversized pptpUserName
  • Unusual outbound connections from device

SIEM Query:

source="device_logs" AND (uri="/setWAN" AND pptpUserName.length>100)
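Added detection example (not part of the advisory or of any vendor code): it applies the SIEM query's logic, a request to /setWAN carrying a pptpUserName longer than 100 characters, to constructed request records. The tab-separated log layout and the /setWAN path are assumptions; percent-encoded values are decoded before measuring so encoding cannot hide the length.

```python
"""Flag oversized pptpUserName values sent to the setWAN endpoint."""
from urllib.parse import parse_qs, urlsplit

MAX_PPTP_USERNAME = 100   # threshold taken from the advisory's SIEM query
SETWAN_PATH = "/setWAN"   # endpoint path as written in the SIEM query (assumed)

# Constructed sample records: "timestamp<TAB>src<TAB>method<TAB>uri<TAB>body".
SAMPLE_LOG = [
    "2025-01-15T10:00:01Z\t192.0.2.10\tPOST\t/setWAN\tpptpUserName=alice&pptpPassword=s3cret",
    "2025-01-15T10:00:07Z\t198.51.100.7\tPOST\t/setWAN\tpptpUserName=" + "A" * 400 + "&pptpPassword=x",
    "2025-01-15T10:00:09Z\t198.51.100.7\tPOST\t/setWAN\tpptpUserName=" + "%41" * 300,
    "2025-01-15T10:00:12Z\t192.0.2.11\tGET\t/status.cgi\t",
]


def inspect_request(method, uri, body):
    """Return a finding dict if the request matches the advisory's pattern, else None.

    Parameters are collected from both the query string and the form body, and
    parse_qs percent-decodes them, so the measured length is the decoded length.
    """
    parts = urlsplit(uri)
    if parts.path != SETWAN_PATH:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    longest = max((len(v) for v in params.get("pptpUserName", [])), default=0)
    if longest > MAX_PPTP_USERNAME:
        return {"method": method.upper(), "param": "pptpUserName", "length": longest}
    return None


def scan_log(lines):
    """Run inspect_request over tab-separated records and collect findings."""
    findings = []
    for line in lines:
        ts, src, method, uri, body = line.rstrip("\n").split("\t", 4)
        hit = inspect_request(method, uri, body)
        if hit:
            findings.append({"time": ts, "src": src, **hit})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['src']} {f['method']} {SETWAN_PATH}: "
              f"{f['param']} is {f['length']} chars (limit {MAX_PPTP_USERNAME})")
```

Run against the constructed records it reports the two oversized requests from 198.51.100.7 and ignores the normal login and the status page fetch.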
