Edimax IP Camera

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory regarding a critical vulnerability in Edimax IC-7100 IP cameras that is actively being exploited by multiple botnets. 

The vulnerability, tracked as CVE-2025-1316, allows attackers to send specially crafted requests to achieve remote code execution on affected devices.

The flaw, discovered by Akamai’s Security Intelligence and Response Team (SIRT), is classified as an “Improper Neutralization of Special Elements used in an OS Command” (CWE-78) with a CVSS v3.1 base score of 9.8. 


This critically severe vulnerability exists because the Edimax IC-7100 IP camera fails to properly neutralize and sanitize user inputs in requests sent to the device.

Edimax IP Camera OS Command Injection Vulnerability

Technically, the exploit targets the “/camera-cgi/admin/param.cgi” endpoint in vulnerable devices, injecting malicious commands into the “NTP_serverName” option as part of the “ipcamSource” parameter. 

While authentication is required to exploit the vulnerability, attackers have been leveraging the prevalence of default credentials (typically admin:1234) on many internet-exposed cameras.

| Risk Factors | Details |
| --- | --- |
| Affected Products | Edimax IC-7100 IP Camera (all versions) |
| Impact | Remote code execution on the device |
| Exploit Prerequisites | Authentication required |
| CVSS 3.1 Score | 9.8 (Critical) |
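
A log check for the request pattern described above, added here as an example (not code from CISA, Akamai, or Edimax): it flags requests to param.cgi whose NTP_serverName value is anything other than a plain hostname or IP address. The access-log layout, the placement of the option directly inside ipcamSource, and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

ENDPOINT = "/camera-cgi/admin/param.cgi"   # endpoint named in the article
OPTION = re.compile(r"NTP_serverName=([^&]*)", re.IGNORECASE)
# Assumption: a legitimate NTP server is a bare hostname or IP address.
HOSTNAME = re.compile(r"[A-Za-z0-9.:-]{0,253}")
# Assumed log layout: client address first, request line in double quotes.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def decode_all(text, rounds=4):
    """Strip nested URL-encoding; bounded so hostile input cannot loop forever."""
    for _ in range(rounds):
        nxt = unquote_plus(text)
        if nxt == text:
            break
        text = nxt
    return text

def ntp_values(target, rounds=4):
    """Yield each NTP_serverName value visible at any decoding depth, fully decoded."""
    for _ in range(rounds):
        for m in OPTION.finditer(target):
            yield decode_all(m.group(1))
        nxt = unquote_plus(target)
        if nxt == target:
            break
        target = nxt

def suspicious_requests(lines):
    """Return (client, value) for param.cgi requests with a non-hostname NTP server."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m or ENDPOINT not in decode_all(m.group(2)):
            continue
        bad = next((v for v in ntp_values(m.group(2)) if not HOSTNAME.fullmatch(v)), None)
        if bad is not None:
            hits.append((m.group(1), bad))
    return hits

# Constructed sample lines (not captured traffic); addresses are documentation ranges.
SAMPLE = [
    '192.0.2.10 - - [01/Mar/2025:10:00:00 +0000] "GET /camera-cgi/admin/param.cgi'
    '?ipcamSource=NTP_serverName%3Dpool.ntp.org HTTP/1.1" 200 12',
    '198.51.100.7 - - [01/Mar/2025:10:00:05 +0000] "POST /camera-cgi/admin/param.cgi'
    '?ipcamSource=NTP_serverName%3Dpool.ntp.org%253BCONSTRUCTED_COMMAND HTTP/1.1" 200 12',
    '203.0.113.5 - - [01/Mar/2025:10:00:09 +0000] "GET /index.html?NTP_serverName=%3Bx HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE):
        print(f"ALERT {client}: NTP_serverName={value!r}")
```

The allowlist approach matters here: matching on what a hostname may contain catches any injected metacharacter, including ones hidden behind a second layer of URL-encoding, without maintaining a list of known payloads.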

Mirai-based botnets are actively exploiting this zero-day vulnerability in the wild. According to Akamai researchers, exploitation has been observed since the fall of 2024, although the proof-of-concept code dates back to June 2023.

“Successful exploitation of this vulnerability could allow an attacker to send specially crafted requests to achieve remote code execution on the device,” reads CISA’s advisory.

The threat actors exploit this remote command execution capability to run shell scripts that download Mirai malware payloads from remote servers.

Despite evidence of active exploitation, CISA has not yet added CVE-2025-1316 to its Known Exploited Vulnerabilities (KEV) catalog, which serves as “the authoritative source of vulnerabilities that have been exploited in the wild.”

Edimax reportedly informed researchers that IC-7100 cameras are end-of-life products and that it does not remediate security issues in obsolete products.

However, Akamai researchers believe “the vulnerability may affect supported ones” as well, suggesting the issue could have a broader impact than initially reported.

For organizations using affected cameras, CISA recommends implementing several defensive measures:

  • Minimize network exposure for all control systems and ensure they are not accessible from the internet
  • Locate control system networks behind firewalls and isolate them from business networks
  • Use secure methods like VPNs when remote access is required

The agency further advises: “Users should discontinue product utilization” if mitigations are unavailable, and follow applicable BOD 22-01 guidance for cloud services.

Organizations observing suspected malicious activity related to this vulnerability should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

For the cybersecurity community and network defenders, this incident highlights the importance of proper vulnerability management prioritization and the critical need to secure or decommission end-of-life devices that remain connected to networks.


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.