CVE-2026-9345 Overview
CVE-2026-9345 is a buffer overflow vulnerability in the Edimax EW-7438RPn wireless range extender running firmware up to version 1.31. The flaw resides in the formWizSurvey function within /goform/formWizSurvey, part of the device's webs web management component. Attackers can trigger the overflow by manipulating the ssid, manualssid, ip, mask, or gateway parameters. The vulnerability is remotely exploitable across the network and requires only low-privilege authentication. Public exploit details have been released, and the vendor did not respond to disclosure attempts, leaving deployed devices without an official fix.
Critical Impact
Remote attackers with low privileges can corrupt memory on affected Edimax EW-7438RPn devices, leading to potential code execution or device compromise on the local network perimeter.
Affected Products
- Edimax EW-7438RPn firmware versions up to and including 1.31
- webs web management component (/goform/formWizSurvey endpoint)
- formWizSurvey function handling wizard survey input
Discovery Timeline
- 2026-05-24 - CVE-2026-9345 published to the National Vulnerability Database (NVD)
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-9345
Vulnerability Analysis
The vulnerability is classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer). It affects the formWizSurvey handler in the Edimax EW-7438RPn web management interface. The handler processes wireless setup wizard parameters submitted through HTTP requests to /goform/formWizSurvey.
The function copies user-supplied values for ssid, manualssid, ip, mask, and gateway into fixed-size stack or heap buffers without enforcing length checks. Supplying oversized strings overruns the destination buffer and corrupts adjacent memory. On embedded MIPS or ARM devices like the EW-7438RPn, this typically allows overwriting saved return addresses or function pointers, enabling control-flow hijacking.
The vendor was notified but did not respond. No official patch exists, and public exploit details are available through the GitHub Vulnerability Details writeup.
Root Cause
The root cause is missing input validation and the use of unsafe string-copy operations such as strcpy or sprintf when handling wizard survey parameters. The formWizSurvey function trusts the length of incoming POST parameters and writes them directly into bounded buffers.
Attack Vector
An authenticated attacker on the same network sends a crafted HTTP POST request to /goform/formWizSurvey with overly long values in one of the vulnerable fields. The malformed input overflows the destination buffer, corrupting memory and potentially redirecting execution. Because the device is a consumer range extender, low-privilege credentials are often trivially obtained or default. Technical specifics are documented in VulDB #365308.
Detection Methods for CVE-2026-9345
Indicators of Compromise
- HTTP POST requests to /goform/formWizSurvey containing abnormally long ssid, manualssid, ip, mask, or gateway parameter values
- Unexpected reboots, crashes, or watchdog resets of the Edimax EW-7438RPn device following web management activity
- New or unexplained outbound connections originating from the range extender's management IP
Detection Strategies
- Inspect web server and management interface logs for requests to /goform/formWizSurvey with parameter lengths exceeding typical SSID (32 bytes) or IPv4 address sizes
- Deploy network intrusion detection signatures matching long string payloads in form fields targeting the formWizSurvey endpoint
- Baseline normal administrative traffic to the device and alert on deviations in request size or frequency
Monitoring Recommendations
- Monitor network segments hosting consumer-grade wireless infrastructure for anomalous HTTP traffic patterns
- Track device uptime and crash telemetry to identify exploitation attempts that trigger reboots
- Capture and review packet metadata for management traffic to embedded devices on guest and IoT VLANs
How to Mitigate CVE-2026-9345
Immediate Actions Required
- Restrict access to the EW-7438RPn web management interface to trusted administrative hosts only
- Disable remote management features and ensure the wizard interface is not exposed to untrusted networks
- Rotate administrative credentials and remove default accounts to raise the bar for low-privilege exploitation
- Consider replacing affected devices, as the vendor has not responded to disclosure and no patch is available
Patch Information
No vendor patch is available. Edimax did not respond to the disclosure. Organizations should treat CVE-2026-9345 as an unpatched vulnerability and pursue compensating controls or device replacement. Monitor vendor channels and references such as VulDB #365308 for future advisory updates.
Workarounds
- Place affected EW-7438RPn devices behind a firewall that blocks inbound HTTP requests to /goform/formWizSurvey from non-administrative networks
- Segment range extenders onto an isolated VLAN with no routing to sensitive systems
- Disable the setup wizard endpoint where firmware configuration permits, or factory-reset and reconfigure devices only from a trusted wired connection
# Example firewall rule to restrict access to the vulnerable endpoint
# Replace 192.0.2.10 with the trusted admin host and 10.0.0.5 with the device IP
iptables -A FORWARD -p tcp -d 10.0.0.5 --dport 80 \
! -s 192.0.2.10 -m string --string "/goform/formWizSurvey" \
--algo bm -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
