External risk intelligence

Edimax RE11S Firmware setWAN Stack Overflow

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2025-22904

The vulnerability exists within the WAN configuration function of a network device, which is typically exposed as part of the internet-facing management or gateway interface in home and small office deployments.

Buffer Overflow

Edimax Re11s Firmware

1.11

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical security flaw has been identified in network device firmware, specifically related to how it handles user names in its remote access configuration. This issue could allow unauthorized individuals to gain significant control over affected devices. The main concern is confirming whether this technology is in use within the organization.

  • A configuration flaw allows unauthorized access.
  • It affects network devices used for remote access.
  • Verify if these devices are in use.

Attack Path

How an attacker could exploit the issue

An attacker could reach a vulnerable component in the RE11S device by exploiting the setWAN function, which is accessible over the network. This function processes the pptpUserName parameter, and if it contains a long string, it can trigger a stack overflow. This vulnerability could lead to a complete system compromise.

  • Network access is required.
  • Sending a long username triggers the overflow.
  • Risk of complete system compromise.

Live Threat

Current exploitation, exposure, and threat context

A stack overflow in the `setWAN` function, triggered by the `pptpUserName` parameter, could affect the behavior of the RE11S device. This vulnerability could potentially lead to denial of service or unauthorized access when the device is configured with specific parameters.

  • Device services could be disrupted.
  • An attacker could trigger a stack overflow.
  • Service disruption or unauthorized access may occur.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in network device firmware impacts internet-facing management interfaces. Network or security teams are likely responsible for initial identification and triage, working with infrastructure or platform teams to confirm asset locations and business criticality. The first practical step is to determine where the affected firmware exists, assess its exposure and impact, and then plan remediation with the accountable owner.

  • Network and security teams should own.
  • Verify external reachability and business criticality.
  • Plan vendor coordination for remediation.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Edimax RE11S?

The Edimax RE11S is a network device, typically used as a Wi-Fi range extender to improve signal coverage in homes and small offices. The affected firmware, version 1.11, manages core device operations, including network gateway and WAN configuration settings that allow users to connect the device to an internet service provider.

What is a stack overflow in the context of CVE-2025-22904?

This vulnerability is classified as CWE-120, which relates to improper buffer handling. Specifically, the device fails to safely check the length of data provided to the pptpUserName parameter. When an excessively long string is sent to this field, the device's memory stack becomes overwhelmed, which can cause the system to crash or allow an attacker to hijack the device's execution flow.

How is this stack overflow triggered?

The flaw is triggered when the setWAN function processes a specifically crafted, overly long pptpUserName string. It is important to note that sending standard, short, or correctly formatted usernames does not trigger this vulnerability. The issue occurs only when the input exceeds the memory capacity allocated for that parameter.

Is my device at risk based on Halo Surface Signal data?

Halo Surface Signal identifies this device as likely vulnerable because the setWAN function is typically part of the management interface. If this interface is exposed directly to the internet, as is common in many home or small office deployments, the device is considered externally accessible and carries a higher risk of being targeted by unauthorized users.

What should I do if I am running this technology?

Your priority is to identify where these devices are deployed within your network. Work with your infrastructure team to verify if the devices are using the affected 1.11 firmware. Once identified, evaluate whether the management interface is reachable from outside your network and coordinate with the vendor for available updates or configuration changes to secure the device.

References