What is the Edimax IC-7100 IP Camera?
The Edimax IC-7100 is a consumer-grade IP camera designed for home and small business security surveillance. Like many consumer IP cameras, it provides a web-based management interface over HTTP and HTTPS for remote viewing and configuration. Edimax is a Taiwanese networking device manufacturer.
Consumer IP cameras with internet-facing management interfaces are a persistent target for botnet operators. The combination of weak default credentials, absent patch infrastructure, large install bases, and devices that remain deployed long past end-of-life makes this category a reliable source of exploitable nodes for DDoS botnets.
Overview
CVE-2025-1316 is a pre-authentication OS command injection vulnerability (CWE-78) in the Edimax IC-7100 IP camera that allows a remote attacker with network access to execute arbitrary OS commands on the device. The IC-7100 has reached end-of-life status, and Edimax has stated that no patch will be released. CISA recommends discontinuing use of the device. Active exploitation was confirmed in Mirai botnet variant campaigns targeting exposed IP cameras shortly after the advisory was published.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Edimax IC-7100 | All firmware versions | No patch available (EOL) |
Edimax confirmed the device is end-of-life and no firmware update is planned.
Technical Details
The OS command injection (CWE-78) is in the camera's web-based management interface. The device fails to sanitize user-supplied input in CGI request handling, allowing an attacker to inject shell metacharacters into HTTP request parameters. The injected commands execute in the context of the underlying embedded Linux operating system.
The vulnerability requires no authentication (PR:N) and no user interaction, making it straightforward to exploit at scale. The management interface is typically exposed over HTTP/HTTPS on the LAN by default and in some deployments is also accessible from the internet via port forwarding or UPnP.
Key characteristics:
- No credentials required
- Single crafted HTTP request to the camera's management CGI
- Commands execute with the privileges of the web server process (typically root on embedded devices)
- No patch will be released — the device must be replaced
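A defender-side check for the injection pattern described above, as an added example that is not part of the advisory or any vendor tooling: it scans access-log lines from a proxy or gateway in front of a camera and flags query parameters whose decoded value contains shell metacharacters. The advisory text here does not name the affected endpoint or parameter, so the path `/cgi-bin/example.cgi`, the parameter names and the log lines are constructed placeholders; parameters sent in a POST body do not appear in access logs and are not covered.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Characters and sequences a shell would interpret; tune for your own traffic.
SHELL_META = re.compile(r"[;|&`\n]|\$\(|\$\{")

# Combined log format: src ident user [time] "METHOD target HTTP/x.y" status ...
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded metacharacters are still seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target):
    """Return [(name, decoded_value)] for query parameters carrying shell metacharacters."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = fully_decode(value)
        if SHELL_META.search(decoded):
            hits.append((name, decoded))
    return hits

def scan(lines):
    """Return [(source_ip, hits)] for every log line with at least one suspicious parameter."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and (hits := suspicious_params(m["target"])):
            alerts.append((m["src"], hits))
    return alerts

# Constructed sample log lines (documentation IP ranges, hypothetical CGI path).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Apr/2025:10:00:01 +0000] "GET /cgi-bin/example.cgi?action=get&name=frontdoor HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Apr/2025:10:00:05 +0000] "GET /cgi-bin/example.cgi?action=set&host=pool.example%3Buname%20-a HTTP/1.1" 200 0',
    '203.0.113.9 - - [01/Apr/2025:10:00:06 +0000] "GET /cgi-bin/example.cgi?host=%2524%2528id%2529 HTTP/1.1" 200 0',
    '198.51.100.7 - - [01/Apr/2025:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for src, hits in scan(SAMPLE_LOG):
        print(src, hits)
```

Any hit against a camera that should not be reachable from the source address is also evidence that the isolation steps under Remediation are not in effect.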
Discovery
CISA ICS-CERT identified and disclosed the vulnerability via ICS Advisory ICSA-25-058-01 on February 27, 2025, coordinating with Edimax.
Exploitation Context
Mirai botnet variants were confirmed exploiting CVE-2025-1316 in the wild after the March 2025 advisory. Mirai specifically targets IoT devices with command injection vulnerabilities to recruit them as DDoS amplification and attack nodes. Once compromised, the camera's network connectivity is used to participate in volumetric DDoS attacks against external targets.
Internet-exposed Edimax IC-7100 cameras appeared in mass scanning datasets within days of the CISA advisory. The combination of EOL status, no available patch, and confirmed botnet exploitation led CISA to add the vulnerability to the KEV catalog on March 19, 2025.
Remediation
- Discontinue use of the Edimax IC-7100 — this is CISA's primary recommendation. The device is EOL and will receive no security patches.
- Replace with a supported IP camera from a vendor with an active security update program. Verify patch availability before purchasing.
- If immediate replacement is not possible, isolate the device: place it on a separate VLAN with no internet access; disable any port forwarding or UPnP rules that expose the camera's management interface to the internet.
- Audit your network for other EOL IoT devices — consumer IP cameras, routers, and NAS devices are the most common Mirai botnet recruitment targets.
- Change default credentials on any surviving deployment — while this CVE is pre-auth, changed credentials reduce the risk of other credential-based attack vectors.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-1316 |
| Vendor / Product | Edimax — IC-7100 IP Camera |
| NVD Published | 2025-03-05 |
| NVD Last Modified | 2025-10-30 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-78 |
| CISA KEV Added | 2025-03-19 |
| CISA KEV Deadline | 2025-04-09 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2025-02-27 | CISA ICS Advisory ICSA-25-058-01 published |
| 2025-03-05 | CVE published |
| 2025-03-19 | Added to CISA Known Exploited Vulnerabilities catalog; active exploitation in Mirai botnet campaigns confirmed |
| 2025-04-09 | CISA BOD 22-01 remediation deadline (CISA recommends discontinuing use) |
References
| Resource | Type |
|---|---|
| Edimax Statement on CVE-2025-1316 | Vendor Advisory |
| NVD — CVE-2025-1316 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| CISA ICS Advisory ICSA-25-058-01 — Edimax IC-7100 | US Government |