CVE-2026-10126: Edimax BR-6478AC Buffer Overflow Remote Code Execution
A buffer overflow vulnerability exists in Edimax BR-6478AC version 1.23 that allows authenticated users to crash the device or potentially execute arbitrary code. The flaw is in the QoS settings handler and can be triggered by sending a specially crafted request with an oversized value in the selSSID parameter. An attacker with valid router credentials can exploit this remotely without user interaction. Public exploit code is available, elevating the practical risk.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-119, CWE-120
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-30 / 2026-06-17
NVD description (verbatim)
A security flaw has been discovered in Edimax BR-6478AC 1.23. Affected by this issue is the function formQoS of the file /goform/formQoS of the component POST Request Handler. The manipulation of the argument selSSID results in buffer overflow. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10126 is a classic buffer overflow (CWE-119, CWE-120) in the formQoS POST handler within Edimax BR-6478AC firmware 1.23. The vulnerability stems from insufficient bounds checking on the selSSID argument, permitting stack or heap corruption. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, score 8.8) reflects remote exploitability, low attack complexity, requirement for valid authentication, and potential for high confidentiality, integrity, and availability impact. The attack surface is the unauthenticated-looking /goform/formQoS endpoint, which in practice requires valid session credentials.
Business impact
Organizations deploying Edimax BR-6478AC routers as edge devices or in remote office setups face operational disruption (device crash/reboot) and potential unauthorized access to network segments behind the router. If an attacker with router admin credentials (obtained through phishing, credential compromise, or insider threat) exploits this flaw, they could achieve code execution with router privileges, enabling network reconnaissance, traffic interception, or lateral movement into connected systems. For managed service providers or organizations managing fleets of these devices, exploitation could trigger widespread incidents.
Affected systems
Edimax BR-6478AC version 1.23 is confirmed affected. The vendor product list is currently empty in available databases; users should verify whether other Edimax models or firmware versions in the BR-64xx AC series or similar product lines are similarly vulnerable by consulting Edimax security advisories. Organizations should audit their device inventory to identify all Edimax routers in production and prioritize BR-6478AC units.
Exploitability
Exploitability is high: the vulnerability is network-reachable, requires only low attack complexity (straightforward buffer overflow trigger), and public exploit code is available. However, a meaningful limiting factor is the requirement for authenticated access—the attacker must possess valid router credentials. The combination of public PoCs and the relatively simple nature of buffer overflow attacks means that once internal access is obtained or credentials are compromised, exploitation is trivial. Given this is an older device class (home/small office router), credential reuse and weak default settings increase real-world risk.
Remediation
Upgrade Edimax BR-6478AC to a firmware version newer than 1.23 that includes this buffer overflow fix—verify the specific patched version against Edimax's official security advisory and firmware download page. If a patch is unavailable, isolate affected routers to trusted networks only, disable remote administration features, enforce strong authentication (change default credentials immediately), and consider network segmentation to limit the blast radius. Monitor for suspicious POST requests to /goform/formQoS.
Patch guidance
Contact Edimax support or visit their firmware download portal to obtain a patched firmware release for BR-6478AC. Firmware updates for this device class are typically delivered via the web administration interface or as a downloadable binary for manual installation. Verify the release notes confirm CVE-2026-10126 remediation before deployment. Test in a non-production environment first, as router firmware updates may cause brief network outages. Ensure automatic credential reset is disabled during update to avoid lockout.
Detection guidance
Monitor network traffic for POST requests to /goform/formQoS with abnormally large or malformed selSSID parameter values. Analyze router access logs for failed QoS configuration attempts or error messages indicating buffer issues. Intrusion detection signatures should flag oversized parameter injection attempts targeting this endpoint. Check router firmware version via the web interface or CLI and cross-reference against Edimax's known-vulnerable versions. Correlate any device crashes or unexpected reboots with recent QoS configuration changes or remote access patterns.
Why prioritize this
This vulnerability merits rapid attention due to its HIGH CVSS score (8.8), public exploit availability, and potential for confidentiality and integrity compromise despite the authentication requirement. Any organization running BR-6478AC units should treat patching as urgent, especially those with internet-facing device management or users with compromised credentials. The combination of buffer overflow severity and public PoC exploitation means delay significantly increases breach probability.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) reflects the high potential impact (confidentiality, integrity, and availability all achievable through code execution), remote attack surface, and low attack complexity. The main factor preventing a CRITICAL rating is the prerequisite of valid authentication, which introduces a modest but material barrier. However, in environments with weak credential hygiene or where router admin accounts have been compromised, this barrier effectively dissolves, making the practical risk closer to CRITICAL in those contexts.
Frequently asked questions
Does this vulnerability require the attacker to have physical access to the router?
No. The flaw is remotely exploitable over the network. However, the attacker must possess valid router credentials (username and password), typically associated with administrative access. Physical access is not required.
Is this vulnerability currently being exploited in the wild?
Public exploit code is available as of the vulnerability publication date. This does not confirm active wild exploitation, but it significantly increases the likelihood of opportunistic attacks, particularly against organizations with weak credential management or unpatched fleets.
What should I do if I cannot patch immediately?
Isolate the affected BR-6478AC from untrusted networks, disable remote management access, enforce strong unique credentials (change defaults), implement network segmentation so the router does not sit on the same security boundary as critical systems, and monitor access logs closely. These are temporary mitigations; patching remains the primary remediation.
Are other Edimax router models affected by the same flaw?
The advisory currently specifies only BR-6478AC version 1.23. Similar Edimax AC router models may share the same code path and vulnerability. Check Edimax's security advisory to confirm whether the BR-64xx series or other product lines require updates.
This analysis is provided for informational and defensive purposes only. SEC.co does not endorse or assist in unauthorized access, exploitation, or testing of systems without explicit written permission from the system owner. Organizations must validate all patch information against official Edimax advisories before deploying. Risk scores and impact assessments are based on available data as of the analysis date and may be updated as new information emerges. Always conduct thorough testing in non-production environments before applying security updates. Consult with your vendor and internal security team regarding your specific environment and risk tolerance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10163HIGHEdimax BR-6478AC Buffer Overflow in USB Account Handler
- CVE-2026-10164HIGHEdimax BR-6478AC Buffer Overflow Remote Code Execution
- CVE-2026-10275MEDIUMOpenSC Buffer Overflow in PKCS#11 Key Generation (5.0 Medium CVSS)
- CVE-2018-25426HIGHWinMTR 0.91 Denial-of-Service Buffer Overflow Vulnerability
- CVE-2018-25432HIGHArm Whois 3.11 Buffer Overflow Allows Local Code Execution
- CVE-2019-25733HIGHNetShareWatcher 1.5.8.0 SEH Buffer Overflow – Local Code Execution
- CVE-2019-25735HIGHAllPlayer 7.4 Buffer Overflow in URL Handling – Local Code Execution Risk
- CVE-2019-25736HIGHLabF nfsAxe 3.7 Buffer Overflow – Local Code Execution