CVE-2026-32840 in Edimax GS-5008PL
Summary
by MITRE • 03/18/2026
Edimax GS-5008PL firmware version 1.00.54 and prior contain a stored cross-site scripting vulnerability in the system_name_set.cgi script that allows attackers to inject arbitrary script code by manipulating the sysName parameter. Attackers can send a crafted POST request with malicious script payload that executes when management pages including system_data.js are viewed by administrators.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 03/21/2026
The vulnerability identified as CVE-2026-32840 affects the Edimax GS-5008PL network switch firmware versions 1.00.54 and earlier, representing a critical stored cross-site scripting flaw that compromises the integrity of the device's web-based management interface. This vulnerability resides within the system_name_set.cgi script which processes user input without proper sanitization or validation mechanisms. The flaw specifically manifests when attackers manipulate the sysName parameter through crafted POST requests, enabling them to inject malicious script code that gets permanently stored within the device's configuration. The vulnerability falls under CWE-79 which categorizes cross-site scripting as a weakness where untrusted data is improperly incorporated into web pages without adequate validation or encoding, making it a prime target for exploitation by threat actors seeking persistent access to network infrastructure.
The technical execution of this vulnerability requires attackers to construct a malicious POST request targeting the vulnerable system_name_set.cgi endpoint and include a script payload within the sysName parameter. When administrators subsequently view management pages that include system_data.js, the stored malicious code executes within the context of the administrator's browser session. This creates a persistent threat vector where the injected scripts can perform actions such as stealing session cookies, redirecting users to malicious sites, or executing unauthorized administrative commands. The vulnerability is particularly concerning because it operates at the application layer and leverages the trust relationship between the administrator's browser and the legitimate management interface, making detection more challenging and the attack more effective.
The operational impact of this vulnerability extends beyond simple script injection, as it provides attackers with a foothold for more sophisticated attacks within the network infrastructure. Administrators who regularly access the management interface become potential victims of session hijacking attacks where the malicious scripts can capture authentication tokens and credentials. The stored nature of the vulnerability means that even after the initial attack, the malicious code persists until the firmware is updated or the configuration is manually cleared, creating a long-term threat vector. This vulnerability directly maps to ATT&CK technique T1059.007 which covers scripting through web shells, and T1566 which encompasses spearphishing with malicious attachments or links, as the initial compromise often occurs through crafted web requests.
Organizations should implement immediate mitigations including firmware updates from Edimax to address the root cause of the vulnerability, network segmentation to limit access to management interfaces, and enhanced monitoring of web-based traffic to detect suspicious POST requests targeting the affected CGI scripts. Administrative access to the switch should be restricted to authorized personnel only, with multi-factor authentication implemented where possible. Network administrators should also conduct thorough vulnerability assessments of all network infrastructure devices to identify similar vulnerabilities in other firmware components. The implementation of web application firewalls and content security policies can help prevent exploitation attempts, while regular security audits should include checks for improperly sanitized user inputs in web interfaces. Additionally, organizations should establish incident response procedures specifically addressing network device compromises to ensure rapid remediation when such vulnerabilities are exploited in the wild.