Description
A vulnerability was found in Edimax BR-6478AC V2 1.23. This affects the function setWAN of the file /goform/setWAN of the component POST Request Handler. The manipulation of the argument pppUserName/pptpUserName/L2TPUserName results in command injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-21
Score: 5.3 Medium
EPSS: 1.2% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a classic command injection located in the setWAN function of the Br-6478AC V2 firmware, where attacker controlled values such as pppUserName, pptpUserName, or L2TPUserName are passed directly to the underlying shell. This permits arbitrary command execution on the router itself. The weakness is categorized as CWE-74 and CWE-77, and it directly undermines the integrity and availability of the device and potentially the local network.

Affected Systems

The impact is limited to Edimax BR‑6478AC V2 wireless routers running firmware 1.23. The vulnerable component resides at the web interface endpoint /goform/setWAN, which is part of the router’s POST request handler. The device is a consumer‑grade access point or repeater exposed through a browser‑based administration interface.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS score of 1% shows a low but nonzero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, yet a public exploit has been released. Based on the description, it is inferred that authentication is not required to trigger the command injection, and the attack likely proceeds over the publicly accessible web interface. The potential impact includes compromising router configuration, disrupting network traffic, or using the device as a pivot to other local resources.

Generated by OpenCVE AI on June 24, 2026 at 13:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the router to the latest Edimax firmware that fixes the setWAN command injection flaw.
  • Restrict the /goform/setWAN endpoint to trusted internal IP addresses or disable remote access in the router’s configuration.
  • Place the router behind a VPN or a perimeter firewall so that the web interface is only reachable from trusted networks.
  • Enable logging and alert on anomalous POST requests to /goform/setWAN to detect abuse.

Generated by OpenCVE AI on June 24, 2026 at 13:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in Edimax BR-6478AC V2 1.23. This affects the function setWAN of the file /goform/setWAN of the component POST Request Handler. The manipulation of the argument pppUserName/pptpUserName/L2TPUserName results in command injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title Edimax BR-6478AC V2 POST Request setWAN command injection
First Time appeared Edimax
Edimax br-6478ac V2
Weaknesses CWE-74
CWE-77
CPEs cpe:2.3:a:edimax:br-6478ac_v2:*:*:*:*:*:*:*:*
Vendors & Products Edimax
Edimax br-6478ac V2
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Edimax Br-6478ac V2
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-22T13:23:03.867Z

Reserved: 2026-06-21T04:19:53.706Z

Link: CVE-2026-12807

cve-icon Vulnrichment

Updated: 2026-06-22T13:22:59.186Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T13:15:15Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')