Impact
The flaw is a classic command injection located in the setWAN function of the Br-6478AC V2 firmware, where attacker controlled values such as pppUserName, pptpUserName, or L2TPUserName are passed directly to the underlying shell. This permits arbitrary command execution on the router itself. The weakness is categorized as CWE-74 and CWE-77, and it directly undermines the integrity and availability of the device and potentially the local network.
Affected Systems
The impact is limited to Edimax BR‑6478AC V2 wireless routers running firmware 1.23. The vulnerable component resides at the web interface endpoint /goform/setWAN, which is part of the router’s POST request handler. The device is a consumer‑grade access point or repeater exposed through a browser‑based administration interface.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, while the EPSS score of 1% shows a low but nonzero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, yet a public exploit has been released. Based on the description, it is inferred that authentication is not required to trigger the command injection, and the attack likely proceeds over the publicly accessible web interface. The potential impact includes compromising router configuration, disrupting network traffic, or using the device as a pivot to other local resources.
OpenCVE Enrichment