CVE-2025-22916

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on RE11S v1.11 devices via a stack overflow in the PPPoE setup function. Attackers can exploit this by sending specially crafted requests to the pppUserName parameter, potentially gaining full control of affected devices. This affects all systems running the vulnerable RE11S v1.11 firmware.

💻 Affected Systems

Products:
  • RE11S
Versions: v1.11
Operating Systems: Embedded/Linux-based firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface of RE11S devices. The vulnerability is present in the default configuration when PPPoE functionality is exposed.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise leading to remote code execution, device takeover, lateral movement within networks, and persistent backdoor installation.

🟠 Likely Case

Remote code execution allowing attackers to install malware, steal credentials, or use the device as a pivot point for further attacks.

🟢 If Mitigated

Denial of service or limited information disclosure if exploit attempts are blocked by network controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept code exists on GitHub. The vulnerability requires no authentication, and because it is a plain stack overflow in a request parameter, exploitation complexity is low.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.edimax.com/edimax/global/

Restart Required: Yes

Instructions:

1. Check the Edimax website for firmware updates.
2. Download the latest firmware.
3. Access the device web interface.
4. Navigate to the firmware update section.
5. Upload and apply the new firmware.
6. Reboot the device.

🔧 Temporary Workarounds

Disable PPPoE Interface

Disable PPPoE functionality if it is not required, removing the vulnerable attack surface.

Network Segmentation

Isolate RE11S devices from the internet and from critical internal networks.

🧯 If You Can't Patch

  • Implement strict network access controls to block external access to device management interfaces
  • Deploy intrusion prevention systems with signatures for stack overflow exploits

🔍 How to Verify

Check if Vulnerable:

Check the device firmware version via the web interface or SSH. If the version is v1.11, the device is vulnerable.

Check Version:

Check the System Status page of the web interface, or connect to the device over telnet/SSH and read the firmware version there.

Verify Fix Applied:

Verify firmware version has been updated to a version later than v1.11.

📡 Detection & Monitoring

Log Indicators:

  • Unusual PPPoE setup requests
  • Multiple failed authentication attempts on PPPoE interface
  • Stack overflow error messages in system logs

Network Indicators:

  • Unusual traffic to device management port (typically 80/443)
  • HTTP POST requests to PPPoE setup endpoints with long parameter values

SIEM Query:

source_ip="RE11S_IP" AND (http_request LIKE "%formPPPoESetup%" OR error_message LIKE "%stack%overflow%")
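As an added example (not from the advisory or the vendor), the network indicator above turned into detection logic: it scans JSON-lines request records and flags POSTs to the PPPoE setup endpoint whose pppUserName value is abnormally long. The URL path, the 64-character threshold and the JSON log format are assumptions; only the parameter name and the formPPPoESetup marker come from this page.

```python
"""Flag HTTP requests matching the RE11S PPPoE overflow pattern (CVE-2025-22916)."""
import json
from typing import Optional
from urllib.parse import parse_qs

VULN_PARAM = "pppUserName"          # parameter named in the advisory
ENDPOINT_MARKER = "formPPPoESetup"  # taken from the SIEM query on this page
# Defensive assumption: real PPPoE user names are short; far longer values
# are the "long parameter values" indicator described above.
MAX_USERNAME_LEN = 64


def inspect_request(method: str, path: str, body: str) -> Optional[dict]:
    """Return a finding for an oversized pppUserName POST, else None."""
    if method.upper() != "POST" or ENDPOINT_MARKER not in path:
        return None
    params = parse_qs(body, keep_blank_values=True)  # values are lists
    values = params.get(VULN_PARAM)
    if not values:
        return None
    longest = max(len(v) for v in values)
    if longest <= MAX_USERNAME_LEN:
        return None
    return {"path": path, "param": VULN_PARAM, "length": longest}


def scan_jsonl(lines):
    """Scan JSON-lines records from a proxy/IPS that logs request bodies."""
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the scan
        hit = inspect_request(rec.get("method", ""), rec.get("path", ""), rec.get("body", ""))
        if hit:
            hit["src"] = rec.get("src", "?")
            findings.append(hit)
    return findings


# Constructed sample records (not real device traffic); the /goform/ path is assumed.
SAMPLE_LOG = [
    '{"src":"192.0.2.10","method":"POST","path":"/goform/formPPPoESetup",'
    '"body":"pppUserName=user%40isp.example&pppPassword=x"}',
    '{"src":"192.0.2.77","method":"POST","path":"/goform/formPPPoESetup",'
    '"body":"pppUserName=' + "A" * 600 + '&pppPassword=x"}',
    '{"src":"192.0.2.10","method":"GET","path":"/status.asp","body":""}',
]

if __name__ == "__main__":
    for f in scan_jsonl(SAMPLE_LOG):
        print(f"ALERT src={f['src']} path={f['path']} {f['param']} length={f['length']}")
```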
