Critical command injection flaw in Edimax IC-7100 IP cameras actively exploited
Take action: If you are using Edimax IC-7100 IP cameras, first make sure they isolated from the internet and accessible only from trusted networks. Make sure to reset all default credentials. Then plan a quick replacement because hackers are actively exploiting these devices and there won't be any patch.
Learn More
A critical command injection vulnerability affecting Edimax IC-7100 IP cameras is being actively exploited by botnet malware to compromise devices worldwide.
The Edimax IC-7100 is an IP security camera designed for remote surveillance in homes, small offices, commercial facilities, and industrial settings. Released in October 2011, the product is now listed under Edimax's "legacy products," indicating it is no longer in production and likely no longer supported.
The vulnerability is tracked as CVE-2025-1316 (CVSS score 9.8) - a OS command injection flaw. The security issue stems from improper neutralization of incoming requests, which enables remote attackers to gain remote code execution capabilities by sending specially crafted requests to vulnerable devices.
Akamai researchers discovered the vulnerability. Kyle Lefton, a researcher at Akamai, stated that additional technical details about the flaw and the associated botnet will be released next week.
Several Mirai-based botnets are actively targeting these vulnerable cameras. Despite authentication being required to exploit the vulnerability, attackers are successfully leveraging default credentials commonly used in online cameras to:
- Gain initial access to the devices
- Execute remote commands to download and install Mirai payloads
- Enlist the compromised cameras into botnet networks
The compromised devices are used to launch distributed denial of service (DDoS) attacks, proxy malicious traffic or attack other devices on the same network
Both Akamai SIRT and CISA attempted to contact the vendor (Edimax) multiple times. CISA was unable to get a response from them. Edimax responded only to state that the IC-7100 device was end-of-life and therefore no longer receiving updates. Despite this, a significant number of these devices may still be in use globally.
Given the active exploitation status of CVE-2025-1316 and the lack of vendor patches, CISA recommends that users take impacted devices offline or replace them with actively supported products. In the meantime minimize internet exposure for affected devices.
