Description
A vulnerability was found in Edimax BR-6478AC V2 1.23. This affects the function setWAN of the file /goform/setWAN of the component POST Request Handler. The manipulation of the argument pppUserName/pptpUserName/L2TPUserName results in command injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-21
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a command injection vulnerability in the POST handler for /goform/setWAN that allows an unauthenticated attacker to inject and execute arbitrary operating‑system commands by manipulating parameters such as pppUserName, pptpUserName, or L2TPUserName. This can be used to take full control of the affected router, alter its configuration, or pivot to other devices on the network.

Affected Systems

The vulnerability affects the Edimax BR‑6478AC V2 router running firmware version 1.23. The router’s advertised model is the BR‑6478AC V2, a consumer‑grade wireless access point or repeater.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, but the flaw is exploitable remotely over the internet with no authentication required. The EPSS score is not available, and the vulnerability is not listed in CISA KEV, yet a public exploit is documented, so the likelihood of an active attack remains uncertain but non‑negligible. The attack vector is network‑based through the exposed web interface, and any device reachable from that interface can be compromised without further prerequisites.

Generated by OpenCVE AI on June 21, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Configure the firewall on the affected network to block external access to the router’s web interface or to the /goform/setWAN endpoint, allowing access only from trusted internal networks.
  • Disable remote management or the setWAN functionality on the router if it is not required, or reconfigure the device to restrict this feature to local‑only access.
  • Check Edimax’s official support site for a firmware update that addresses the command‑injection flaw and apply the update as soon as it is available; if no patch is released, consider replacing the device with a vendor‑maintained alternative.

Generated by OpenCVE AI on June 21, 2026 at 21:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in Edimax BR-6478AC V2 1.23. This affects the function setWAN of the file /goform/setWAN of the component POST Request Handler. The manipulation of the argument pppUserName/pptpUserName/L2TPUserName results in command injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title Edimax BR-6478AC V2 POST Request setWAN command injection
First Time appeared Edimax
Edimax br-6478ac V2
Weaknesses CWE-74
CWE-77
CPEs cpe:2.3:a:edimax:br-6478ac_v2:*:*:*:*:*:*:*:*
Vendors & Products Edimax
Edimax br-6478ac V2
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Edimax Br-6478ac V2
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-21T19:45:07.797Z

Reserved: 2026-06-21T04:19:53.706Z

Link: CVE-2026-12807

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-21T21:30:06Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')