MEDIUM 6.3

CVE-2026-10166: Edimax BR-6478AC Command Injection – Authentication Required

A command injection vulnerability exists in Edimax BR-6478AC version 1.23 that allows an authenticated attacker to execute arbitrary commands on the device. The flaw is in the web interface's wireless settings handler, where the rootAPmac parameter is not properly sanitized before being used in system commands. An attacker with valid login credentials can manipulate this parameter to inject malicious commands, potentially compromising router configuration, data, or availability. Public exploit details are available, increasing real-world risk.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-74, CWE-77
Affected products
0 configuration(s)
Published / Modified
2026-05-31 / 2026-06-17

NVD description (verbatim)

A vulnerability was determined in Edimax BR-6478AC 1.23. The affected element is the function formWlbasic of the file /goform/formWlbasic of the component POST Request Handler. This manipulation of the argument rootAPmac causes command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10166 is a command injection vulnerability (CWE-74, CWE-77) affecting the formWlbasic POST request handler in Edimax BR-6478AC 1.23. The rootAPmac argument is passed unsafely to backend command execution without proper input validation or escaping. This allows authenticated users to inject shell metacharacters and execute arbitrary OS commands with the privileges of the web application process. The attack surface is the /goform/formWlbasic endpoint, accessible over the network from any authenticated session.

Business impact

For organizations relying on Edimax BR-6478AC routers for network access control or segmentation, this vulnerability enables an insider or compromised account holder to execute commands that could alter routing rules, exfiltrate traffic, disable security features, or pivot to internal network segments. Small offices, branch sites, and remote locations commonly deploy these devices; exploitation could lead to operational disruption, data exposure, or lateral movement into corporate infrastructure.

Affected systems

Edimax BR-6478AC firmware version 1.23 is confirmed vulnerable. Organizations should verify whether other Edimax BR-6478AC firmware versions are affected by consulting the vendor's security advisory and testing in a controlled environment. Devices with this model and firmware in production should be inventoried immediately.

Exploitability

Exploitation requires valid authentication credentials to access the web interface, setting the attack complexity to low once authenticated. Public disclosure of exploit details lowers the barrier for malicious actors. The CVSS 3.1 score of 6.3 (MEDIUM) reflects the authentication requirement; however, in environments where default credentials remain unchanged or credentials are weak, the practical risk is elevated. No special user interaction or local access is required—the attack is fully remote over HTTP/HTTPS.

Remediation

Firmware patches from Edimax should be deployed immediately to all vulnerable BR-6478AC devices. Until patching is completed, implement network access controls to restrict administrative access to the web interface (typically port 80/443) to trusted IP ranges only. Change default router credentials to strong, unique passwords. Consider disabling remote management features if not actively required. Monitor the Edimax security advisory for official patch availability and version guidance.

Patch guidance

Contact Edimax support or check their official security advisories for available firmware patches. Verify the version number of your deployed devices via the web interface (Administration or System Settings panel). Firmware updates are typically performed through the device's web console under System Tools > Firmware Upgrade, or via a recovery utility if available. Always back up router configuration before applying updates and test in a non-production environment first if possible. Confirm the patched firmware version addresses CWE-74 and CWE-77 in the rootAPmac handler before deployment.

Detection guidance

Monitor router access logs for POST requests to /goform/formWlbasic containing suspicious or malformed rootAPmac parameter values, particularly those including shell metacharacters (backticks, pipes, semicolons, $(), &&, ||, etc.). Implement IDS/IPS signatures to flag such traffic. Review authentication logs for unusual administrative login patterns, especially from internal or unexpected IP addresses. Network segmentation and east-west traffic monitoring can reveal unauthorized command execution or lateral movement attempts originating from a compromised router.

Why prioritize this

Although the CVSS score is MEDIUM (6.3), the combination of public exploit availability, remote attack vector, and the router's position as a network perimeter device makes this high-priority. Routers control traffic and access; compromise directly endangers internal networks. Authentication requirement is a mitigating factor, but weak or default credentials are common in small-office deployments. Organizations should treat this as urgent in environments where BR-6478AC devices are present.

Risk score, explained

CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L yields a score of 6.3 (MEDIUM). Network accessibility and low attack complexity increase risk; authentication requirement and single-scope impact moderate it. The score does not fully capture the strategic importance of routers in network architecture; risk should be contextualized higher if these devices sit on critical network boundaries or serve sensitive functions.

Frequently asked questions

Do I need valid router admin credentials to exploit this?

Yes. The vulnerability requires authentication to the web interface. However, if your device uses default Edimax credentials (typically admin/admin) or weak passwords, the practical barrier is low. Change default credentials immediately as an interim mitigation.

How can I tell if my BR-6478AC is vulnerable?

Check your firmware version in the router's web interface under System Settings or Administration. If it shows version 1.23 or earlier, assume vulnerability unless a patch has been formally applied. Verify the exact version before assuming you are safe; consult Edimax advisories for patched firmware versions.

Is this vulnerability in the CISA KEV catalog?

No. As of the current data, this CVE is not listed in the CISA Known Exploited Vulnerabilities catalog, though public exploit details are available. The absence from KEV does not indicate lower risk; prioritize based on your asset inventory and network exposure.

What if I cannot patch immediately?

Restrict web interface access to trusted networks via firewall rules. Disable remote management if not needed. Implement strong authentication (long, unique passwords) and monitor logs for suspicious activity. These controls reduce but do not eliminate risk; patching remains the definitive remediation.

This analysis is provided for informational purposes to support vulnerability management and risk assessment. The details are based on available CVE data and vendor advisories as of the publication date. Organizations should verify all technical details, patch availability, and applicability to their environment through official Edimax documentation and testing. SEC.co does not provide guarantees regarding patch effectiveness, compatibility, or completeness. Always conduct testing in non-production environments before deploying patches or configuration changes. Consult with your network and security teams before making changes to production infrastructure. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).