MEDIUM 6.3

CVE-2026-10127: Edimax BR-6478AC Command Injection in Firmware 1.23

A command injection vulnerability exists in Edimax BR-6478AC wireless routers running firmware version 1.23. An authenticated attacker can send a specially crafted web request to the device's configuration interface that tricks it into executing arbitrary system commands. The vulnerability stems from improper validation of the 'rootAPmac' parameter in the device's wireless driver setup function. Because proof-of-concept code has been publicly released, there is a meaningful risk that attackers will attempt to exploit this flaw in active environments.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-74, CWE-77
Affected products
0 configuration(s)
Published / Modified
2026-05-30 / 2026-06-17

NVD description (verbatim)

A weakness has been identified in Edimax BR-6478AC 1.23. This affects the function formStaDrvSetup of the file /goform/formStaDrvSetup of the component POST Request Handler. This manipulation of the argument rootAPmac causes command injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10127 is a command injection vulnerability in the POST Request Handler component of Edimax BR-6478AC firmware 1.23, specifically within the formStaDrvSetup function exposed at /goform/formStaDrvSetup. The vulnerability results from insufficient input sanitization of the 'rootAPmac' parameter, which is passed unsafely to a system shell context. This allows a remote attacker with valid credentials to inject shell metacharacters and execute arbitrary commands with device privileges. The vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output) and CWE-77 (Improper Neutralization of Special Elements used in a Command), reflecting both the encoding failure and the command injection mechanism.

Business impact

Compromised routers can become pivot points for lateral network attacks, credential theft, and data exfiltration. An attacker who gains command execution on an organization's router can sniff network traffic, redirect connections to malicious servers, or deploy persistent backdoors. For home users, a compromised BR-6478AC could expose all connected devices and stored Wi-Fi credentials. The requirement for authentication limits the immediate threat surface, but weak default credentials or credential reuse significantly increases risk.

Affected systems

Edimax BR-6478AC devices running firmware version 1.23 are confirmed vulnerable. Organizations and individuals using this model should verify their firmware version in the device's administration interface. The impact is localized to this specific model and version; other Edimax router models may not be affected, though similar firmware codebases warrant investigation.

Exploitability

The vulnerability requires an authenticated user (CWE-77 vector indicates authentication is required), which moderately restricts immediate exploitability in external attack scenarios. However, many small office and home routers ship with default or weak credentials, making authentication a weak barrier in practice. The public availability of exploit code and the relative simplicity of the injection point (a single POST parameter) mean that exploitation is straightforward for an attacker with network access to the management interface. Remote exploitation is possible if the router's web interface is exposed to the internet.

Remediation

Update Edimax BR-6478AC firmware to a patched version released after June 2026. Verify against the official Edimax support site for the latest available firmware. Immediately change default administrative credentials to a strong, unique password. Restrict access to the router's web management interface to trusted IP addresses or disable remote administration entirely. Consider segmenting management traffic onto an out-of-band network if possible.

Patch guidance

Check the Edimax support portal for the BR-6478AC product page and download the latest firmware version available. The vendor may have released patches between the vulnerability's publication (May 30, 2026) and the last modification date (June 17, 2026), or may release them shortly thereafter. Firmware updates for this model are typically applied through the device's web interface under Administration > System Settings > Firmware Upgrade. Back up the current configuration before upgrading, and allow sufficient time for the update to complete without power interruption.

Detection guidance

Monitor HTTP POST requests to /goform/formStaDrvSetup on BR-6478AC devices. Look for 'rootAPmac' parameter values containing shell metacharacters such as ';', '|', '`', '$()', or other command separators. Alert on any requests originating from unexpected internal IP addresses or during off-hours. Enable verbose logging on the affected router if available, and correlate web server logs with system command execution logs. Network intrusion detection systems should be tuned to flag obfuscated or unusual command injection patterns targeting router management interfaces.

Why prioritize this

Although the CVSS score of 6.3 (MEDIUM) reflects the authentication requirement, the combination of public exploit availability, remote attack vector, and the router's role as a network gateway warrants prioritization above other medium-severity issues. A single compromised router can undermine the security of all connected endpoints. Environments with internet-exposed router management interfaces or organizations where users frequently reuse credentials should treat this as higher priority.

Risk score, explained

The CVSS 3.1 score of 6.3 reflects a network-accessible vulnerability (AV:N) with low attack complexity (AC:L) that requires login credentials (PR:L). It grants low-level impact to confidentiality, integrity, and availability (C:L/I:L/A:L) because a successful exploit provides command execution but not necessarily full system compromise or denial of service. The score discounts the practical severity somewhat by factoring in the authentication gate, but does not penalize the public exploit availability or the strategic value of compromising network infrastructure.

Frequently asked questions

Do I need to update if I use a different Edimax router model?

This vulnerability is specific to the BR-6478AC model running firmware 1.23. Other Edimax router models are not confirmed affected. However, if you use an older or related model, check the vendor's security advisories and perform a version check. Firmware codebases can overlap across product lines, so a related model with similar firmware may warrant investigation.

What should I do if I cannot immediately patch this router?

Disable the router's remote web management feature, restrict local web interface access to trusted IP addresses only, change the default admin username and password to a strong, unique credential, and monitor network logs for suspicious POST requests to /goform/formStaDrvSetup. Consider placing the router behind a separate firewall with strict access controls.

How does authentication help or hurt my risk level?

Authentication requirement means a remote attacker cannot exploit the vulnerability from the internet without valid credentials. However, if the router uses default credentials (common in home and small office settings), if credentials are written on a sticker, or if users reuse passwords across devices, this barrier is significantly weakened. Change defaults immediately and use a strong, unique password.

Will a firewall rule block this vulnerability?

A network firewall can mitigate the risk by blocking inbound access to the router's management port (typically port 80/443). However, if an attacker is already on your network, a firewall rule alone will not prevent exploitation. The most effective defenses are patching, strong credentials, and disabling remote management access when not needed.

This analysis is provided for informational purposes by SEC.co and does not constitute professional security advice. No warranty is made regarding the accuracy or completeness of this information. Patch version numbers and release dates should be verified directly against official vendor advisories before implementation. Organizations must conduct their own risk assessment and security testing before deploying patches or making network configuration changes. The existence of public exploit code does not guarantee the exploit's reliability or applicability to all network configurations. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).