External risk intelligence

RE11S Firmware Stack Overflow in PPPoE Setup

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2025-22916

The vulnerability exists in a PPPoE setup function within a network device firmware. Such devices, particularly Wi-Fi range extenders and routers, are frequently deployed at the network edge or as management interfaces. Configuration forms in networking hardware are commonly accessible over the network, making this surface likely to be reachable in many deployment scenarios.

Buffer Overflow

Edimax Re11s Firmware

1.11

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in RE11S firmware, specifically within the PPPoE setup function. This issue, a stack overflow, could allow an attacker to remotely compromise the device. The main concern is confirming if this specific firmware version is in use and if it is exposed externally.

  • Firmware flaw allows remote device takeover.
  • Critical flaw could impact network security.
  • Confirm exposure and affected devices.

Attack Path

How an attacker could exploit the issue

An attacker could reach the vulnerable component by accessing the device's network configuration interface. The `formPPPoESetup` function within the firmware is susceptible to a stack overflow when processing the `pppUserName` parameter. This could allow an attacker to disrupt the device's operation or potentially gain control.

  • No authentication required to reach.
  • Triggered by sending a malformed username.
  • Risk of denial-of-service or code execution.

Live Threat

Current exploitation, exposure, and threat context

A stack overflow vulnerability in the `formPPPoESetup` function, triggered by the `pppUserName` parameter, could allow an attacker to affect the service behavior of the device. This could occur when the device's configuration interface is accessible over the network.

  • Device configuration data at risk.
  • Exploited through network-accessible forms.
  • Could lead to service disruption.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in RE11S firmware's PPPoE setup function requires immediate attention from network and security teams, alongside vendor management if the affected devices are third-party. The first step is to identify all deployed RE11S devices, assess their network exposure and business criticality, and confirm ownership to prioritize remediation efforts.

  • Network and security teams own triage.
  • Verify RE11S device exposure.
  • Plan coordinated vendor remediation.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Edimax RE11S device?

The Edimax RE11S is a networking device, typically used as a Wi-Fi range extender. Its firmware handles essential tasks like managing network connectivity and configuration settings to ensure devices can communicate effectively across a home or office environment.

What does CWE-120 mean for CVE-2025-22916?

CVE-2025-22916 is a stack overflow vulnerability, classified as CWE-120. This happens when the device firmware does not properly check the amount of data being written into a memory buffer. If an attacker sends an oversized or malformed username string to the system, it can overflow the buffer, potentially allowing them to crash the device or execute unauthorized commands.

How is this stack overflow triggered?

The vulnerability is triggered by sending a malformed or overly long username value to the pppUserName parameter during the PPPoE setup process. Importantly, simply having the device powered on or connected to the internet is not enough; the attacker must specifically target the configuration interface function to provide this crafted input.

Is my device at risk based on Halo Surface Signal?

Halo Surface Signal indicates this risk is significant because the vulnerable PPPoE configuration function is often reachable over the network. If your device management interface is accessible via the public internet rather than restricted to a private, local network, the likelihood of an attacker reaching this vulnerable component increases.

What steps should I take if I use RE11S hardware?

First, verify if your devices are running firmware version 1.11, as this is the affected version. Identify where these units are deployed in your network and determine if their configuration interfaces are exposed to the internet. If they are, restrict access to these interfaces immediately while you coordinate with the vendor to obtain and apply available updates.

References