CVE-2026-10165: Edimax BR-6478AC Stack Overflow in Firmware 1.23
Edimax BR-6478AC wireless routers running firmware version 1.23 contain a critical flaw in their network configuration interface. An authenticated attacker can send a specially crafted network request to overflow the device's memory, potentially gaining complete control over the router. The vulnerability requires an existing user account but no additional interaction from administrators, making it a practical concern for organizations deploying these devices.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-119, CWE-121
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-31 / 2026-06-17
NVD description (verbatim)
A vulnerability was identified in Edimax BR-6478AC 1.23. The impacted element is the function formWanTcpipSetup of the file /goform/formWanTcpipSetup of the component POST Request Handler. Such manipulation of the argument pppUserName leads to stack-based buffer overflow. The attack may be performed from remote. The exploit is publicly available and might be used.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10165 exploits improper input validation in the formWanTcpipSetup POST handler on the Edimax BR-6478AC. The pppUserName parameter fails to enforce buffer boundaries, permitting a stack-based buffer overflow (CWE-119, CWE-121). An authenticated remote attacker can overwrite the stack with arbitrary data, potentially achieving code execution with device privileges. The vulnerability is network-accessible and requires only valid credentials—no special privileges or user interaction needed.
Business impact
Compromise of BR-6478AC devices threatens network perimeter security. An attacker with router access can intercept, modify, or redirect traffic; exfiltrate data; establish persistent backdoors; or pivot into connected networks. For SMBs and branch offices relying on these routers for network segmentation, the impact extends beyond the device itself to any systems it protects or connects. Recovery requires factory reset or manual firmware reinstallation, disrupting operations.
Affected systems
Edimax BR-6478AC devices running firmware version 1.23 are confirmed vulnerable. Verify whether your organization has deployed these routers, particularly in remote offices, branch locations, or edge network segments. Check inventory management systems and device management platforms to identify affected units. The vulnerability is specific to this model and version; confirm exact firmware revisions in your environment.
Exploitability
The exploit is publicly available, lowering the barrier to abuse. An attacker needs valid router credentials—either obtained through credential compromise, default passwords, or insider access—but the attack itself is straightforward and remotely executable. The lack of complexity and public proof-of-concept code elevates practical risk. Devices exposed to untrusted networks or with weak authentication are priority targets.
Remediation
Contact Edimax to verify firmware patching status and availability for version 1.23 or later releases. If patches are available, schedule controlled upgrades during maintenance windows to minimize network disruption. For devices in production, restrict administrative access to trusted networks using firewall rules and VPNs. Enforce strong, unique credentials on all router administrative accounts. Consider segmenting router management traffic from general network traffic. Devices without available patches should be evaluated for retirement or replacement.
Patch guidance
Check Edimax's support portal for firmware updates addressing this vulnerability. Patches typically restore input validation on the pppUserName parameter. Document current firmware versions across your BR-6478AC fleet before patching. Test patches in a lab or non-production environment first, as firmware updates occasionally introduce compatibility issues. Maintain a rollback plan in case patched firmware causes unexpected behavior. Coordinate with network teams to schedule updates during low-traffic periods.
Detection guidance
Monitor router access logs for unusual POST requests to /goform/formWanTcpipSetup with abnormally long or malformed pppUserName values. Flag failed or successful administrative authentication attempts, particularly from external IP ranges. Use network intrusion detection systems (IDS) to identify payloads targeting buffer overflow patterns against known router endpoints. Implement SNMP or syslog monitoring to detect unexpected router configuration changes or reboots. Query router configurations periodically to identify unauthorized WAN settings or user accounts.
Why prioritize this
This vulnerability scores CVSS 8.8 (HIGH severity) with full impact across confidentiality, integrity, and availability. Public exploit code eliminates discovery friction for attackers. Authentication requirement is low-friction in many environments due to weak credential hygiene. Routers are critical network infrastructure; compromise can affect downstream systems and data. Organizations with exposed BR-6478AC devices should prioritize remediation within 30 days.
Risk score, explained
The CVSS 8.8 score reflects network accessibility (AV:N), low attack complexity (AC:L), and requirement for low-privilege authentication (PR:L). The stack-based overflow yields high impact across all three security dimensions: confidentiality and integrity via code execution, and availability via denial of service or reboot. The public exploit availability increases real-world attack probability. However, the authentication requirement prevents worm-like propagation, preventing a critical (9.0+) score.
Frequently asked questions
Do I need administrator credentials to exploit this vulnerability?
Yes. The vulnerability requires valid user credentials to access the WAN configuration interface. However, many routers ship with default credentials or weak passwords, so attackers may obtain access through credential compromise or brute-force attacks. Enforce strong, unique administrative passwords on all instances.
Will patching disrupt my network?
Firmware updates typically require a router reboot, which causes temporary loss of connectivity for connected devices. Plan updates during maintenance windows or off-peak hours. Test patches in a lab environment if possible before production deployment. Most updates complete within 5–10 minutes.
Our devices are isolated to an internal corporate network. Should we still prioritize this?
Yes. Insider threats, compromised workstations, or lateral movement from other breached devices can grant access to internal networks. Even 'isolated' routers warrant patching once updates become available. Additionally, network segmentation assumptions can change; proactive patching reduces residual risk.
What if Edimax does not release a patch for version 1.23?
If patches are unavailable, evaluate alternatives: disable remote management, restrict administrative access via firewall rules to trusted IP ranges, enforce VPN-only access, or plan device replacement. Consult Edimax directly on end-of-life and support timelines. Unpatched devices should not be exposed to untrusted networks.
This analysis is based on publicly available vulnerability data as of the publication date. Patch availability and timelines are subject to vendor discretion and may change. Organizations should verify affected device inventory independently and consult official Edimax advisories for definitive patch guidance. SEC.co provides this information for security planning purposes and does not warrant completeness or real-time accuracy. Test all patches in a non-production environment before deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10062HIGHTRENDnet TEW-432BRP Stack Overflow – EOL Hardware Risk
- CVE-2026-10063HIGHTRENDnet TEW-432BRP Stack Overflow – End-of-Life Router Vulnerability
- CVE-2026-10065HIGHShibby Tomato 1.28 Stack Buffer Overflow in tomatodata.cgi
- CVE-2026-10066HIGHShibby Tomato Stack Buffer Overflow in UPS Service (RCE)
- CVE-2026-10067HIGHShibby Tomato 1.28 Stack Buffer Overflow in multimon.cgi
- CVE-2026-10119HIGHStack Overflow in TRENDnet TEW-432BRP End-of-Life Router
- CVE-2026-10120HIGHTRENDnet TEW-432BRP Buffer Overflow – No Patch Available
- CVE-2026-10121HIGHTRENDnet TEW-432BRP Stack Buffer Overflow