HIGH 8.8

CVE-2026-10125: Edimax BR-6478AC Stack Buffer Overflow Remote Code Execution

A stack-based buffer overflow exists in Edimax BR-6478AC version 1.23 routers when processing PPPoE setup requests. An authenticated attacker can send a crafted request with an oversized username parameter to the formPPPoESetup endpoint, causing the router to crash or potentially execute arbitrary code. The vulnerability requires login credentials but poses significant risk since routers are often accessible from the internet and public exploit code is available.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-119, CWE-121
Affected products
0 configuration(s)
Published / Modified
2026-05-30 / 2026-06-17

NVD description (verbatim)

A vulnerability was identified in Edimax BR-6478AC 1.23. Affected by this vulnerability is the function formPPPoESetup of the file /goform/formPPPoESetup of the component POST Request Handler. The manipulation of the argument pppUserName leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit is publicly available and might be used.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10125 affects the POST request handler in Edimax BR-6478AC 1.23's PPPoE configuration functionality. The pppUserName parameter in the /goform/formPPPoESetup endpoint lacks proper bounds checking, allowing a stack buffer overflow. The vulnerability maps to CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow), indicating classic memory safety issues. With a CVSS 3.1 score of 8.8 and network attack vector, the vulnerability permits authenticated remote code execution with high confidentiality, integrity, and availability impact.

Business impact

Compromised routers become pivot points for lateral network movement, credential harvesting, and persistent backdoors. Affected organizations face potential loss of network confidentiality through traffic interception, unauthorized configuration changes, and service disruption. The combination of authentication requirement with public exploit availability creates an intermediate but urgent risk window—attackers with valid credentials (whether stolen or obtained through credential stuffing) can immediately compromise the network perimeter.

Affected systems

Edimax BR-6478AC version 1.23 and likely earlier versions are confirmed vulnerable. Edimax has not published official affected/unaffected version lists in the available ground truth. Organizations should verify all BR-6478AC deployments and check Edimax security advisories for patched firmware versions and whether other BR-series models share the same vulnerability.

Exploitability

Exploitation requires authenticated access, reducing opportunistic attack surface. However, public exploit code exists, meaning threat actors have working tools. The low complexity and straightforward buffer overflow mechanism make weaponization trivial for anyone with valid credentials. Organizations should assume this vulnerability will be actively exploited where credentials are weak, reused, or obtained through phishing.

Remediation

Immediately identify all Edimax BR-6478AC deployments in your network and consult Edimax's official security advisory to determine patched firmware versions. Upgrade to the recommended firmware as soon as it is available. Pending patch availability, implement network segmentation to restrict router administrative access to trusted IP ranges and enforce strong, unique authentication credentials.

Patch guidance

Verify against the Edimax security advisory for confirmed patched firmware versions for BR-6478AC. Do not rely on version numbers in external sources—Edimax's official channel is authoritative. Perform a full firmware backup before upgrading and test in a lab environment first to ensure business continuity. Monitor Edimax notifications for any firmware release notes addressing CVE-2026-10125 specifically.

Detection guidance

Monitor and log all POST requests to /goform/formPPPoESetup, particularly those with unusually long pppUserName parameter values. Implement Web Application Firewall (WAF) rules to block requests where the pppUserName field exceeds expected length (typically 64 bytes or less for standard credentials). Use network intrusion detection signatures to identify exploitation attempts. Track authentication logs for successful logins from atypical sources or patterns, as compromised routers often involve prior credential abuse.

Why prioritize this

This vulnerability merits high priority despite the authentication requirement. Public exploit availability accelerates threat actor adoption, stack overflows frequently enable code execution, and routers are critical infrastructure that attackers actively target. The CVSS 8.8 HIGH score reflects full system compromise potential. Organizations should treat this as urgent but not emergency—there is time to coordinate testing and deployment before widespread active exploitation is likely.

Risk score, explained

The CVSS 3.1 score of 8.8 (HIGH) reflects network-accessible exploitation, low attack complexity, and complete compromise of confidentiality, integrity, and availability. The authentication requirement prevents mass automated attacks but does not substantially lower risk given credential compromise vectors. The public availability of exploits and the criticality of router infrastructure justify treating this as a priority patch beyond the base CVSS score alone.

Frequently asked questions

Does this vulnerability affect me if my router is behind a firewall?

Yes. Router admin interfaces are often exposed to the internet or accessible within corporate networks by remote workers. Even if internal-only, compromised credentials (phishing, weak passwords, breach reuse) enable exploitation. All BR-6478AC 1.23 devices should be prioritized for patching regardless of perceived network isolation.

Can I work around this without a firmware patch?

Partial mitigation is possible: restrict access to the router's admin interface to specific trusted IP ranges, enforce strong unique passwords, and disable remote management if not required. However, these are temporary controls. A firmware patch is the only real fix and should be deployed as soon as Edimax releases one.

How do I know if someone has already exploited this on my router?

Check router logs for unexpected admin logins, configuration changes, or errors in the PPPoE section. Review syslog if the device exports logs. Look for unusual outbound connections from the router. A full factory reset and firmware upgrade is recommended if compromise is suspected, followed by credential rotation for any downstream systems.

Is this vulnerability in the CISA Known Exploited Vulnerabilities catalog?

No, it is not currently listed in the KEV catalog. However, public exploit code's availability means real-world exploitation may occur despite KEV status. Do not wait for KEV listing to prioritize patching.

This analysis is based on publicly disclosed vulnerability information available as of the date of publication. Edimax firmware versions, patch dates, and advisory status may change; verify all remediation steps against the vendor's official security advisory. This document does not constitute legal or compliance advice. Organizations should conduct their own risk assessment and testing before deploying patches in production environments. No exploit code or weaponization techniques are provided or implied herein. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).