Edimax 7205APL with a firmware of 2.40a-00 has a huge flaw where a guest account is hard-coded into the firmware allowing anyone to perform a backup with the same privileges of the administrator.
819184677465c2c8b615fa02029e918e3a745193ddc406e52a03e02353079da1
Vendor: Edimax
Type: 7205APL
Firmware: 2.40a-00
Kind of bug: Security
Description: Normally a user called addmin, has to create a password on the Accesspoint.
When you create a back-up of the settings of your Accesspoint, it will result in a config.bin file.
Opening the file in Notepad gave the next result:
ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ 71331234,À¨ÿÿÿ default.domainÀ¨À¨dÀ¨Èadmin XXXXX guest
1234 WirelessXXXXXX, À¨ÿyy À¨À¨À¨dÀ¨domain©üUoù Lg C´ ©üUoù
Lg C´é
You can see the password of the admin XXXXX (for security reasons, I have changed the original one in XXXXX) and the password of a user called guest, 1234.
When you log in to the accesspoint with guest and 1234, you can make a backup. With the same content like above of the admin.
It is not possible to remove the user, because it is inside the firmware. So only a new one can solve this security problem.