CVE-2026-10127 - Vulnerability Details

- Edimax BR-6478AC POST Request formStaDrvSetup command injection

Description

A weakness has been identified in Edimax BR-6478AC 1.23. This affects the function formStaDrvSetup of the file /goform/formStaDrvSetup of the component POST Request Handler. This manipulation of the argument rootAPmac causes command injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks.

Published: 2026-05-30

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Edimax BR‑6478AC routers running firmware version 1.23 are vulnerable to command injection through the formStaDrvSetup endpoint. The rootAPmac argument is not properly sanitized, allowing an attacker to inject arbitrary shell commands via a crafted POST request. Execution of malicious commands can compromise the device’s operating system, leading to loss of confidentiality, integrity, and availability of the network infrastructure managed by the router.

Affected Systems

The affected hardware is the Edimax BR‑6478AC router. Firmware version 1.23 is identified as vulnerable. It is inferred that only this specific firmware release is affected, whereas later releases might contain a fix, but this has not been confirmed by the vendor.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. EPSS is not available, so the exploitation probability remains uncertain, and the vulnerability is not listed in CISA’s KEV catalog. A public exploit exists and can be triggered remotely through a POST request to /goform/formStaDrvSetup. It is inferred that the attacker’s prerequisites are minimal, requiring only network connectivity to the router’s web interface, which represents a low‑barrier attack vector.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Edimax

BR-6478AC

affected

Version	Status	Constraints
`1.23`	affected	—

No data.

Vendor Product Confidence Versions

Edimax

Br-6478ac

100%

Version	Status	Scheme	Platform
`1.23`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the router firmware to the latest available version, which includes the fix for the command injection vulnerability.
Disable remote access to the router’s web management interface or restrict it to trusted IP addresses to prevent unauthenticated POST requests.
Configure firewall or ACL rules to block or restrict POST requests to the /goform/formStaDrvSetup endpoint, limiting the rootAPmac parameter to known safe values.

Generated by OpenCVE AI on May 30, 2026 at 18:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00841.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://lavender-bicycle-a5a.notion.site/EDIMAX-BR6478ACV2-formStaDrvSetup-34b53a41781f80ce9e66dbf60c71b960?source=copy_link
https://vuldb.com/submit/818455
https://vuldb.com/vuln/367304
https://vuldb.com/vuln/367304/cti

History

Sat, 30 May 2026 17:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Edimax br-6478ac
Vendors & Products		Edimax br-6478ac

Sat, 30 May 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description		A weakness has been identified in Edimax BR-6478AC 1.23. This affects the function formStaDrvSetup of the file /goform/formStaDrvSetup of the component POST Request Handler. This manipulation of the argument rootAPmac causes command injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks.
Title		Edimax BR-6478AC POST Request formStaDrvSetup command injection
First Time appeared		Edimax Edimax br-6478ac Firmware
Weaknesses		CWE-74 CWE-77
CPEs		cpe:2.3:o:edimax:br-6478ac_firmware::::::::
Vendors & Products		Edimax Edimax br-6478ac Firmware
References		https://lavender-bicycle-a5a.notion.site/EDIMAX-BR6478ACV2-formStaDrvSetup-34b53a41781f80ce9e66dbf60c71b960?source=copy_link https://vuldb.com/submit/818455 https://vuldb.com/vuln/367304 https://vuldb.com/vuln/367304/cti
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Edimax Br-6478ac Br-6478ac Firmware

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-05-30T16:30:08.799Z

Updated: 2026-05-30T16:30:08.799Z

Reserved: 2026-05-29T17:24:36.552Z

Link: CVE-2026-10127

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-30T17:16:22.013

Modified: 2026-05-30T17:16:22.013

Link: CVE-2026-10127

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-30T18:30:29Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object