Description
A vulnerability was identified in Edimax BR-6478AC 1.23. Affected by this vulnerability is the function formPPPoESetup of the file /goform/formPPPoESetup of the component POST Request Handler. The manipulation of the argument pppUserName leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit is publicly available and might be used.
Published: 2026-05-30
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the formPPPoESetup handler of the Edimax BR-6478AC firmware version 1.23. An attacker can supply a crafted pppUserName value that overflows a stack buffer, potentially allowing the execution of arbitrary code on the device. The vulnerability is a classic stack‑based buffer overflow (CWE‑119 and CWE‑121). Because the handler is reached through a POST request and the attack can be initiated remotely, successful exploitation could give a remote attacker full control over the router. The CVSS vectors list the required privileges as low (PR:L in v3/v4, Au:S in v2), so the request must come from an authenticated session.

Affected Systems

Edimax BR‑6478AC routers running firmware 1.23 are affected. No other firmware versions or product variants are listed as vulnerable.

Risk and Exploitability

The CVSS 4.0 score of 8.7 indicates high severity, with a network attack vector and low attack complexity. The EPSS score is not available, so the current statistical exploitation probability cannot be quantified, but a publicly available exploit has already been described, implying a likely exploitation window. The vulnerability is not yet listed in the CISA KEV catalog; however, the existence of exploit code and a remote trigger makes it a serious concern. The attack vector is inferred to be remote, via an HTTP POST to the /goform/formPPPoESetup endpoint, as documented in the advisory.

Generated by OpenCVE AI on May 30, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Edimax firmware update that patches the buffer overflow in formPPPoESetup
  • If a firmware fix is not yet available, configure the router’s firewall or an upstream firewall to block or rate‑limit POST requests to /goform/formPPPoESetup
  • Monitor the device’s access logs for unusual POST activity and enforce strong authentication on the PPPoE configuration interface

Advisories

No advisories yet.

History

Sat, 30 May 2026 18:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Edimax br-6478ac
Vendors & Products | | Edimax br-6478ac

Sat, 30 May 2026 16:15:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was identified in Edimax BR-6478AC 1.23. Affected by this vulnerability is the function formPPPoESetup of the file /goform/formPPPoESetup of the component POST Request Handler. The manipulation of the argument pppUserName leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit is publicly available and might be used.
Title | | Edimax BR-6478AC POST Request formPPPoESetup stack-based overflow
First Time appeared | | Edimax; Edimax br-6478ac Firmware
Weaknesses | | CWE-119; CWE-121
CPEs | | cpe:2.3:o:edimax:br-6478ac_firmware:*:*:*:*:*:*:*:*
Vendors & Products | | Edimax; Edimax br-6478ac Firmware
References | |
Metrics | | cvssV2_0: {'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-30T16:00:12.552Z

Reserved: 2026-05-29T17:24:31.576Z

Link: CVE-2026-10125

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-30T16:17:04.910

Modified: 2026-05-30T16:17:04.910

Link: CVE-2026-10125

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-30T18:15:29Z

Weaknesses