{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-9426/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-9426"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["EW-7438RPn 1.31"],"_cs_severities":["critical"],"_cs_tags":["cve","cve-2026-9426","buffer-overflow","rce","edimax"],"_cs_type":"advisory","_cs_vendors":["Edimax"],"content_html":"\u003cp\u003eA stack-based buffer overflow vulnerability, identified as CVE-2026-9426, affects Edimax EW-7438RPn version 1.31. This flaw resides within the \u003ccode\u003eformHwSet\u003c/code\u003e function of the \u003ccode\u003e/goform/formHwSet\u003c/code\u003e file. The vulnerability is triggered through the manipulation of several arguments including Anntena, Mcs, regDomain, nic0Addr, nic1Addr, wlanAddr, wanAddr, wlanSSID, wlanChan, initgain, txcck, txofdm, and submit-url. A remote attacker can exploit this vulnerability to potentially execute arbitrary code on the affected device. Public exploits are available, increasing the risk of exploitation. The vendor was notified but has not responded.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an Edimax EW-7438RPn device running firmware version 1.31 accessible over the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/goform/formHwSet\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the HTTP request, the attacker includes a long string in one or more of the vulnerable parameters: \u003ccode\u003eAnntena\u003c/code\u003e, \u003ccode\u003eMcs\u003c/code\u003e, \u003ccode\u003eregDomain\u003c/code\u003e, \u003ccode\u003enic0Addr\u003c/code\u003e, \u003ccode\u003enic1Addr\u003c/code\u003e, \u003ccode\u003ewlanAddr\u003c/code\u003e, \u003ccode\u003ewanAddr\u003c/code\u003e, \u003ccode\u003ewlanSSID\u003c/code\u003e, \u003ccode\u003ewlanChan\u003c/code\u003e, \u003ccode\u003einitgain\u003c/code\u003e, \u003ccode\u003etxcck\u003c/code\u003e, \u003ccode\u003etxofdm\u003c/code\u003e, or \u003ccode\u003esubmit-url\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe device processes the HTTP request, passing the attacker-controlled input to the \u003ccode\u003eformHwSet\u003c/code\u003e function without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe oversized input overflows the stack buffer allocated for the affected parameter(s).\u003c/li\u003e\n\u003cli\u003eThe stack overflow overwrites critical data, including the return address, on the stack.\u003c/li\u003e\n\u003cli\u003eThe attacker redirects control to an attacker-controlled address.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code on the device, potentially gaining full control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the Edimax EW-7438RPn device. This could lead to complete compromise of the device, allowing the attacker to eavesdrop on network traffic, modify device settings, or use the device as a launchpad for further attacks on the internal network. Given the nature of the vulnerability and the lack of vendor response, many devices may be vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CVE-2026-9426 Exploitation Attempt via Long URI\u003c/code\u003e to detect potential exploitation attempts by identifying abnormally long request parameters (cs-uri-query) targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on requests to the \u003ccode\u003e/goform/formHwSet\u003c/code\u003e endpoint to mitigate brute-force exploitation attempts (log source: webserver).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests with unusually long parameters related to \u003ccode\u003eAnntena\u003c/code\u003e, \u003ccode\u003eMcs\u003c/code\u003e, \u003ccode\u003eregDomain\u003c/code\u003e, \u003ccode\u003enic0Addr\u003c/code\u003e, \u003ccode\u003enic1Addr\u003c/code\u003e, \u003ccode\u003ewlanAddr\u003c/code\u003e, \u003ccode\u003ewanAddr\u003c/code\u003e, \u003ccode\u003ewlanSSID\u003c/code\u003e, \u003ccode\u003ewlanChan\u003c/code\u003e, \u003ccode\u003einitgain\u003c/code\u003e, \u003ccode\u003etxcck\u003c/code\u003e, \u003ccode\u003etxofdm\u003c/code\u003e, or \u003ccode\u003esubmit-url\u003c/code\u003e in the URI (log source: webserver).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T14:07:20Z","date_published":"2026-05-26T14:07:20Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-9426-edimax-rce/","summary":"A stack-based buffer overflow vulnerability exists in Edimax EW-7438RPn version 1.31 in the formHwSet function of the /goform/formHwSet file, which can be triggered by manipulating the Anntena/Mcs/regDomain/nic0Addr/nic1Addr/wlanAddr/wanAddr/wlanSSID/wlanChan/initgain/txcck/txofdm/submit-url argument, potentially leading to remote code execution.","title":"CVE-2026-9426 - Edimax EW-7438RPn Stack-Based Buffer Overflow","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-9426-edimax-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-9426","version":"https://jsonfeed.org/version/1.1"}