Unpatched Edimax IP camera flaw actively exploited in botnet attacks
A critical command injection vulnerability impacting the Edimax IC-7100 IP camera is currently being exploited by botnet malware to compromise devices.
The flaw was discovered by Akamai researchers, who confirmed to BleepingComputer that it is being exploited in attacks that are still ongoing.
Akamai researcher Kyle Lefton told BleepingComputer that they will provide more technical details about the flaw and the associated botnet next week.
After discovering the flaw, Akamai reported it to the U.S. Cybersecurity & Infrastructure Agency (CISA), which attempted to contact the Taiwanese vendor.
"Both Akamai SIRT and CISA attempted to contact the vendor (Edimax) multiple times. CISA was unable to get a response from them," Lefton told BleepingComputer.com.
"I personally reached out to them and received a response, but all they said was that the device in question, IC-7100, was end of life, therefore not receiving further updates. As Edimax was unable to provide us with more information, it is possible that this CVE affects a wider range of devices, and it is unlikely that a patch will be released."
The Edimax IC-7100 is an IP security camera for remote surveillance at homes, small office buildings, commercial facilities, and industrial settings.
The product isn't widely available in retail channels anymore. It was released in October 2011, and Edimax lists it under its 'legacy products,' suggesting it's no longer produced and is likely no longer supported.
However, a significant number of those devices may still be used across the globe.
The Edimax vulnerability is tracked as CVE-2025-1316 and is a critical-severity (CVSS v4.0 score 9.3) OS command injection flaw caused by the improper neutralization of incoming requests.
A remote attacker can exploit this flaw and gain remote code execution by sending specially crafted requests to the device.
In this case, the current exploitation is being performed by botnet malware to compromise the devices.
Botnets typically use these devices to launch distributed denial of service (DDoS) attacks, proxy malicious traffic, or pivot to other devices on the same network.
Given the situation and active exploitation status for CVE-2025-1316, impacted devices should be taken offline or replaced with actively supported products.
CISA recommends that users minimize internet exposure for impacted devices, place them behind firewalls, and isolate them from critical business networks.
Moreover, the U.S. agency recommends using up-to-date Virtual Private Network (VPN) products for secure remote access when required.
Common signs of compromised IoT devices include performance degradation, excessive heating, unexpected changes in device settings, and atypical/anomalous network traffic.
source: BleepingComputer