Description
A vulnerability has been found in Edimax BR-6478AC 1.23. This issue affects the function formUSBAccount of the file /goform/formUSBAccount of the component POST Request Handler. The manipulation of the argument UserName/Password leads to buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.
Published: 2026-05-31
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A buffer overflow exists in the formUSBAccount handler of the Edimax BR-6478AC firmware. Manipulating the UserName or Password argument can trigger an overflow that allows an attacker to execute arbitrary code on the device. The vulnerability is classified as CWE-119 and CWE-120, and an exploit has been publicly disclosed, indicating that remote attackers can leverage the flaw without additional privileges.

Affected Systems

The affected product is the Edimax BR-6478AC router running firmware version 1.23. No other versions or components are listed as impacted.

Risk and Exploitability

The CVSS score of 8.7 places this flaw in the high severity range. The EPSS score is not available, and the vulnerability is not yet listed in the CISA KEV catalog. Attackers can exploit the flaw via a crafted HTTP POST request to the /goform/formUSBAccount endpoint; the endpoint is typically exposed through the router’s web interface, but the description does not explicitly confirm its reachability. The description does not specify whether authentication is required, so the risk of exploitation remains high for both internal and external attackers.

Generated by OpenCVE AI on May 31, 2026 at 04:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain and install the latest firmware update from Edimax that addresses the formUSBAccount buffer overflow.
  • Restrict external access to the router’s web management interface by limiting the admin IP range or disabling the interface behind a VPN or firewall.
  • Configure firewall or intrusion prevention rules to block POST requests to /goform/formUSBAccount or to the entire POST request handling service until a patch is applied.
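
The blocking rule in the last recommendation, sketched as a request-line filter for a proxy placed in front of the management interface. This is an added example, not code from OpenCVE or Edimax; it goes beyond a literal string match by canonicalising the request target first, so equivalent spellings of the path are also caught. The function names, the fail-closed handling of malformed lines and the sample request lines are assumptions made for illustration.

```python
from urllib.parse import unquote

# Endpoint named in the advisory, lower-cased for comparison.
BLOCKED_PATH = "/goform/formusbaccount"


def canonical_path(target: str) -> str:
    """Reduce an HTTP request target to one comparable path form."""
    path = target.split("?", 1)[0].split("#", 1)[0]  # drop query and fragment
    if "://" in path:  # absolute-form target: drop scheme and authority
        path = "/" + path.split("://", 1)[1].partition("/")[2]
    for _ in range(2):  # undo up to two layers of percent-encoding
        path = unquote(path)
    path = path.replace("\\", "/")
    kept = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]  # discard ";param" suffixes
        if seg in ("", "."):  # empty segments come from "//" and trailing "/"
            continue
        if seg == "..":
            if kept:
                kept.pop()
            continue
        kept.append(seg)
    # Assumption: case is folded because the device's path matching is not
    # documented on this page; over-blocking is the safer failure here.
    return ("/" + "/".join(kept)).lower()


def should_block(request_line: str) -> bool:
    """True if the request line is a POST to the vulnerable handler."""
    parts = request_line.strip().split(" ")
    if len(parts) != 3:
        return True  # malformed request line: fail closed
    method, target, _version = parts
    return method.upper() == "POST" and canonical_path(target) == BLOCKED_PATH


# Constructed sample request lines (not captured traffic).
SAMPLES = [
    "POST /goform/formUSBAccount HTTP/1.1",
    "POST //goform/./formUSBAccount/?x=1 HTTP/1.1",
    "POST /goform/%66ormUSBAccount;a=b HTTP/1.1",
    "GET /goform/formUSBAccount HTTP/1.1",
    "POST /goform/otherHandler HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print("BLOCK" if should_block(line) else "pass ", line)
```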



Advisories

No advisories yet.

History

Sun, 31 May 2026 04:30:00 +0000

Values Added (Values Removed is empty for every row):
First Time appeared: Edimax br-6478ac
Vendors & Products: Edimax br-6478ac

Sun, 31 May 2026 03:30:00 +0000

Values Added (Values Removed is empty for every row):
Description: A vulnerability has been found in Edimax BR-6478AC 1.23. This issue affects the function formUSBAccount of the file /goform/formUSBAccount of the component POST Request Handler. The manipulation of the argument UserName/Password leads to buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.
Title: Edimax BR-6478AC POST Request formUSBAccount buffer overflow
First Time appeared: Edimax; Edimax br-6478ac Firmware
Weaknesses: CWE-119; CWE-120
CPEs: cpe:2.3:o:edimax:br-6478ac_firmware:*:*:*:*:*:*:*:*
Vendors & Products: Edimax; Edimax br-6478ac Firmware
References:
Metrics:
cvssV2_0: {'score': 9, 'vector': 'AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR'}
cvssV3_0: {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R'}
cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-31T02:15:08.626Z

Reserved: 2026-05-30T07:04:39.082Z

Link: CVE-2026-10163

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-31T04:16:15.553

Modified: 2026-05-31T04:16:15.553

Link: CVE-2026-10163

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-31T05:00:12Z

Weaknesses