CVE-2026-10163: Edimax BR-6478AC Buffer Overflow in USB Account Handler
A buffer overflow vulnerability exists in Edimax BR-6478AC version 1.23 that allows authenticated users to crash the router or potentially execute code by sending specially crafted requests to the USB account configuration endpoint. An attacker with login credentials can exploit this flaw remotely without further user interaction. The vulnerability has already been publicly disclosed, increasing the likelihood of active exploitation.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-119, CWE-120
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-31 / 2026-06-17
NVD description (verbatim)
A vulnerability has been found in Edimax BR-6478AC 1.23. This issue affects the function formUSBAccount of the file /goform/formUSBAccount of the component POST Request Handler. The manipulation of the argument UserName/Password leads to buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10163 is a buffer overflow in the formUSBAccount function within the POST Request Handler at /goform/formUSBAccount. The vulnerability stems from improper bounds checking on the UserName and Password parameters (CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer; CWE-120: Buffer Copy without Checking Size of Input). An authenticated remote attacker can send oversized input to overflow stack or heap buffers, potentially leading to denial of service or code execution depending on memory layout and exploitation technique. The CVSS 3.1 score of 8.8 reflects the high confidentiality, integrity, and availability impact, requiring only network access and low privileges.
Business impact
Compromise of a BR-6478AC router can lead to loss of network confidentiality, unauthorized modification of routing configuration, and service disruption. If the device serves as a gateway for business-critical systems, an authenticated attacker could pivot to internal networks, intercept traffic, or block connectivity. Organizations using these devices in remote office or branch scenarios face elevated risk. The public disclosure status means adversaries likely have working exploit code or technical analysis available.
Affected systems
Edimax BR-6478AC running firmware version 1.23. Organizations should audit inventory for this specific model and firmware version. Verify whether firmware updates are available from Edimax or if the device has reached end-of-life support. Other Edimax router models may also be affected; check vendor advisories for scope of impact across the BR-6478 product line.
Exploitability
The attack requires valid authentication credentials to reach the vulnerable endpoint, which moderates immediate external risk but remains exploitable by insider threats, compromised admin accounts, or credential leakage. The public disclosure of this vulnerability significantly raises exploitation probability. No CISA KEV (Known Exploited Vulnerabilities) designation is currently assigned, but the public disclosure status suggests monitoring for KEV inclusion and active exploit tool development in the coming weeks.
Remediation
Upgrade Edimax BR-6478AC firmware to a patched version released after CVE-2026-10163 disclosure. Verify the specific patched firmware version against Edimax's official security advisory or support portal. If no patch is available for version 1.23 or the device is end-of-life, consider replacing the router with a supported model and applying compensating controls such as network segmentation and access restrictions to the router's administrative interface.
Patch guidance
Contact Edimax support or check their official security advisories to identify available patched firmware versions for the BR-6478AC. Firmware updates for Edimax devices are typically deployed via the web management interface or as manual downloads from the vendor website. Before applying any update, back up the router configuration and test in a non-production environment if possible. Monitor Edimax security bulletins for confirmation that the patch addresses CWE-119 and CWE-120 issues in the formUSBAccount function.
Detection guidance
Monitor for POST requests to /goform/formUSBAccount with unusually long UserName or Password parameter values (payloads significantly exceeding typical credential lengths). Inspect logs for authentication failures followed by crashes or unexpected administrative behavior. If the router supports detailed logging or SNMP traps, configure alerts for abnormal USB account configuration attempts. Network-based detection is challenging without deep packet inspection; focus on endpoint and log analysis from the router itself or any downstream network monitoring tools.
Why prioritize this
This vulnerability merits high priority due to the combination of authenticated-remote exploitability, severe impact potential (code execution), public disclosure status, and widespread use of Edimax routers in small-to-medium business and branch office deployments. The lack of a KEV designation does not reduce urgency given the disclosure. Organizations should treat this as a near-term patching obligation, especially for internet-facing or externally managed devices.
Risk score, explained
CVSS 3.1 score of 8.8 (HIGH) reflects complete confidentiality, integrity, and availability impact (C:H, I:H, A:H) following successful exploitation. The network attack vector (AV:N) and low privilege requirement (PR:L) indicate moderate ease of exploitation for an authenticated attacker. The lack of user interaction (UI:N) and unchanged scope (S:U) complete the risk profile. The public disclosure elevates practical exploitability despite the authenticated prerequisite.
Frequently asked questions
Can an unauthenticated attacker exploit this vulnerability?
No. The vulnerability requires valid login credentials to access the /goform/formUSBAccount endpoint. However, credential compromise through phishing, password reuse, or other means increases exposure. Ensure strong, unique admin passwords and consider multi-factor authentication if supported.
What is the difference between this vulnerability and typical buffer overflows?
Buffer overflows can vary widely in impact. This one affects a configuration handler for USB account parameters, making it accessible to any authenticated user rather than requiring system-level access. The consequences—denial of service or code execution—depend on memory layout and input validation gaps in the formUSBAccount function.
Should we replace our Edimax routers immediately?
If a patch is available, prioritize testing and deploying it promptly. If your devices are end-of-life or patches are unavailable, replacement is advisable, particularly for internet-facing or critical network roles. In the interim, restrict administrative access via network segmentation and strong access controls.
Is there any public exploit code available?
The CVE notes that the exploit has been publicly disclosed, but we do not provide or reference weaponized code. Review threat intelligence feeds, security advisories, and vendor statements to assess exploitation activity in your threat landscape. Update your intrusion detection and response procedures accordingly.
This analysis is provided for informational purposes and does not constitute a guarantee of security or liability for any damages. Organizations are responsible for independently verifying patch availability, compatibility, and applicability to their environment. SEC.co does not endorse or provide exploit code or weaponized proof-of-concepts. Always test patches in a controlled environment before production deployment. Verify all patch details and version numbers directly against vendor advisories and official release notes. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10126HIGHEdimax BR-6478AC Buffer Overflow Remote Code Execution
- CVE-2026-10164HIGHEdimax BR-6478AC Buffer Overflow Remote Code Execution
- CVE-2026-10275MEDIUMOpenSC Buffer Overflow in PKCS#11 Key Generation (5.0 Medium CVSS)
- CVE-2018-25426HIGHWinMTR 0.91 Denial-of-Service Buffer Overflow Vulnerability
- CVE-2018-25432HIGHArm Whois 3.11 Buffer Overflow Allows Local Code Execution
- CVE-2019-25733HIGHNetShareWatcher 1.5.8.0 SEH Buffer Overflow – Local Code Execution
- CVE-2019-25735HIGHAllPlayer 7.4 Buffer Overflow in URL Handling – Local Code Execution Risk
- CVE-2019-25736HIGHLabF nfsAxe 3.7 Buffer Overflow – Local Code Execution