Impact
The flaw resides in the wiz_5in1_redirect POST endpoint of the Edimax BR‑6478AC V2 firmware 1.23. Manipulation of the newpass parameter allows user input to be passed directly to a shell command without sufficient sanitization, resulting in a command‑injection vulnerability. An attacker who can reach this endpoint can cause the device to execute arbitrary shell commands with the privileges of the internal firmware process, potentially modifying configurations, installing malware, or further compromising the network.
Affected Systems
Edimax BR‑6478AC V2 wireless access points running firmware version 1.23 are affected. No other firmware revisions or product variants are identified as vulnerable in the current CVE data.
Risk and Exploitability
The CVSS base score of 5.3 indicates a moderate overall impact, while the EPSS score of 1% suggests a low but non‑zero likelihood of exploitation. The vulnerability can be triggered remotely via a POST request to /goform/wiz_5in1_redirect and is publicly documented, raising risk for device owners. The CVE is not listed in the CISA KEV catalog, so no confirmed widespread exploitation has been reported, yet publicly available proof‑of‑concept code makes it a realistic threat.
OpenCVE Enrichment