HIGH 8.8

CVE-2026-10164: Edimax BR-6478AC Buffer Overflow Remote Code Execution

A buffer overflow vulnerability exists in Edimax BR-6478AC router firmware version 1.23 that allows authenticated users to execute arbitrary code on the device. The flaw resides in the USB folder sharing feature and can be triggered by sending a specially crafted request with an oversized ShareName or SelectName parameter. Because the vulnerability requires valid credentials and the exploit has already been disclosed publicly, the risk of active exploitation is elevated.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-119, CWE-120
Affected products
0 configuration(s)
Published / Modified
2026-05-31 / 2026-06-17

NVD description (verbatim)

A vulnerability was found in Edimax BR-6478AC 1.23. Impacted is the function formUSBFolder of the file /goform/formUSBFolder of the component POST Request Handler. The manipulation of the argument ShareName/SelectName results in buffer overflow. The attack can be executed remotely. The exploit has been made public and could be used.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10164 is a stack-based buffer overflow (CWE-119, CWE-120) in the formUSBFolder function within the /goform/formUSBFolder POST request handler of Edimax BR-6478AC firmware 1.23. Improper input validation on the ShareName and SelectName parameters allows an authenticated attacker to write beyond allocated buffer boundaries, corrupting the stack and potentially achieving remote code execution. The vulnerability has a CVSS 3.1 score of 8.8 (HIGH), reflecting high impact across confidentiality, integrity, and availability with low attack complexity and no user interaction required once authenticated.

Business impact

Successful exploitation enables an authenticated attacker to fully compromise the affected router, potentially allowing them to intercept network traffic, redirect users to malicious sites, modify DNS settings, conduct man-in-the-middle attacks, or use the device as a pivot point into corporate or home networks. For organizations using these devices in office environments or remote access scenarios, this represents a lateral movement risk and potential data exfiltration vector.

Affected systems

This vulnerability affects Edimax BR-6478AC routers running firmware version 1.23. Organizations should inventory these devices, particularly in guest networks, branch offices, or BYOD environments where they might be deployed without centralized monitoring. The vendor has not yet released a comprehensive list of all affected versions, so verify firmware versions across your estate.

Exploitability

The vulnerability requires valid credentials (authentication prerequisite), but does not require user interaction beyond sending a malformed POST request. The low attack complexity combined with public exploit availability creates a moderate-to-high risk that attackers with router access will attempt exploitation. Insider threats or compromised user accounts pose the most immediate concern. Remote unauthenticated exploitation is not possible based on the current attack vector.

Remediation

Organizations must identify and patch or retire affected BR-6478AC devices running firmware 1.23. Verify the latest available firmware version from Edimax support channels and apply it across all vulnerable instances. If patches are unavailable or delayed, implement network segmentation to restrict administrative access to the router management interface, disable SSH or web management remotely if not required, and monitor for suspicious USB folder sharing requests.

Patch guidance

Check Edimax's official support portal for firmware updates beyond version 1.23 for the BR-6478AC model. Establish a testing window in a non-production environment before rolling out patches. Document the firmware version deployed on each device and create a phased deployment schedule. If patch availability is delayed, maintain an inventory of affected devices and prioritize replacement or decommissioning on a risk-based timeline.

Detection guidance

Monitor router logs for POST requests to /goform/formUSBFolder with abnormally long or binary-encoded parameters in ShareName or SelectName fields. Intrusion detection systems should flag requests containing special characters, excessive URL encoding, or payloads exceeding normal input lengths for these parameters. Network telemetry can also track unexpected outbound connections or DNS modifications after router access events. Enable detailed logging on router management interfaces if supported.

Why prioritize this

This vulnerability merits prompt attention due to its HIGH CVSS score (8.8), public exploit availability, and the router's role as a network gateway. Although authentication is required, the device's position makes it an attractive target for lateral movement, and once compromised, it threatens all devices connected to it. Organizations with BR-6478AC devices deployed should treat this as higher priority than many other vulnerabilities despite the authentication requirement.

Risk score, explained

The CVSS 3.1 score of 8.8 reflects high impact (complete compromise possible), low attack complexity, and a network-accessible attack vector. The authentication requirement prevents the theoretical maximum score, but public exploit availability and the device's strategic network position elevate practical risk significantly above the base score for most deployments.

Frequently asked questions

Do I need valid router credentials to exploit this vulnerability?

Yes. The vulnerability requires prior authentication to the router's web management interface or API. However, this does not eliminate risk if default credentials have not been changed, if credentials have been leaked, or if an insider has access.

Is there a patch available for firmware version 1.23?

As of the vulnerability's publication date, no patch has been confirmed in available source data. Check Edimax's official support site and advisories directly for the latest firmware availability. Do not rely solely on this summary for patch status.

If we've replaced this router model, are we safe?

If you have fully decommissioned BR-6478AC devices running 1.23, you are no longer exposed to this specific vulnerability. However, audit your environment to ensure no legacy instances remain in secondary networks, branch offices, or test environments.

What network segmentation strategy helps mitigate this risk if we cannot patch immediately?

Restrict management interface access (HTTP/HTTPS) to a dedicated administrative VLAN, use a bastion host or jump box for router management, implement strict firewall rules limiting which source IPs can reach the router's web interface, and disable remote management if not required. These measures reduce the probability an attacker with compromised credentials can reach and exploit the vulnerability.

This analysis is based on publicly disclosed vulnerability data current as of the published date. Vendor patch status, exploit availability, and KEV listing status may change; verify directly with Edimax and authoritative sources before making deployment decisions. No exploit code is provided or endorsed. Organizations should conduct their own risk assessments and testing in controlled environments. SEC.co makes no warranty regarding the completeness or accuracy of remediation guidance and recommends consulting vendor advisories and professional security counsel for deployment-specific decisions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).