Description
A vulnerability was identified in Edimax BR-6478AC V2 1.23. Affected is the function wiz_5in1_redirect of the file /goform/wiz_5in1_redirect of the component POST Request Handler. Such manipulation of the argument newpass leads to command injection. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-21
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unvalidated input in the POST handler of the Edimax BR‑6478AC V2 device allows an attacker to inject shell commands via the newpass parameter of the /goform/wiz_5in1_redirect endpoint. This flaw is a classic command injection (CWE‑74) that can lead to remote code execution and full compromise of the device. The vulnerability is exploitable over the network, and publicly available proof‑of‑concept code demonstrates that arbitrary commands can be executed with the privileges of the internal firmware process.

Affected Systems

Product: Edimax BR‑6478AC V2 wireless access point, firmware 1.23. The issue resides in the wiz_5in1_redirect function of the POST request handler. Only devices running firmware version 1.23 are known to be vulnerable; no other firmware releases are confirmed to be affected.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity. With no EPSS data, the likelihood of exploitation cannot be quantified, but publicly available exploits and the lack of a vendor response suggest a real risk. The vulnerability allows remote attackers to execute arbitrary commands without authentication, posing a high risk to the confidentiality, integrity, and availability of the device. It is not currently listed in CISA KEV, so it is not yet a known exploited vulnerability in the wild, but the existence of ready-to-use exploits mandates immediate action.

Generated by OpenCVE AI on June 21, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the device firmware to a patched version that addresses the command injection in the /goform/wiz_5in1_redirect endpoint, if an official fix is available from Edimax.
  • If no patch exists, restrict external access to the /goform/wiz_5in1_redirect URL by placing the device behind a firewall or using network segmentation to limit inbound traffic to trusted networks.
  • Implement ongoing monitoring of device logs for abnormal POST requests to the /goform/wiz_5in1_redirect endpoint and set alerts for unexpected command strings or suspicious activity.
  • Consider disabling remote web administration on the device if it is not required, to reduce the attack surface.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 22:00:00 +0000

Values Added (by type; the Values Removed column is empty):

Description: A vulnerability was identified in Edimax BR-6478AC V2 1.23. Affected is the function wiz_5in1_redirect of the file /goform/wiz_5in1_redirect of the component POST Request Handler. Such manipulation of the argument newpass leads to command injection. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title: Edimax BR-6478AC V2 POST Request wiz_5in1_redirect command injection
First Time appeared: Edimax; Edimax br-6478ac V2
Weaknesses: CWE-74; CWE-77
CPEs: cpe:2.3:a:edimax:br-6478ac_v2:*:*:*:*:*:*:*:*
Vendors & Products: Edimax; Edimax br-6478ac V2
References:
Metrics:
  cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-21T21:30:08.919Z

Reserved: 2026-06-21T04:19:59.147Z

Link: CVE-2026-12809

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-21T23:30:05Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')