Description
A vulnerability was identified in Edimax BR-6478AC V2 1.23. Affected is the function wiz_5in1_redirect of the file /goform/wiz_5in1_redirect of the component POST Request Handler. Such manipulation of the argument newpass leads to command injection. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-21
Score: 5.3 Medium
EPSS: 1.2% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the wiz_5in1_redirect POST endpoint of the Edimax BR‑6478AC V2 firmware 1.23. Manipulation of the newpass parameter allows user input to be passed directly to a shell command without sufficient sanitization, resulting in a command‑injection vulnerability. An attacker who can reach this endpoint can cause the device to execute arbitrary shell commands with the privileges of the internal firmware process, potentially modifying configurations, installing malware, or further compromising the network.

Affected Systems

Edimax BR‑6478AC V2 wireless access points running firmware version 1.23 are affected. No other firmware revisions or product variants are identified as vulnerable in the current CVE data.

Risk and Exploitability

The CVSS base score of 5.3 indicates a moderate overall impact, while the EPSS score of 1% suggests a low but non‑zero likelihood of exploitation. The vulnerability can be triggered remotely via a POST request to /goform/wiz_5in1_redirect and is publicly documented, raising risk for device owners. The CVE is not listed in the CISA KEV catalog, so no confirmed widespread exploitation has been reported, yet publicly available proof‑of‑concept code makes it a realistic threat.

Generated by OpenCVE AI on June 24, 2026 at 11:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update from Edimax that patches the command‑injection flaw in the /goform/wiz_5in1_redirect endpoint if one is available.
  • If no firmware update exists, block external access to the /goform/wiz_5i1_redirect URL by placing the device behind a firewall or restricting inbound connections to trusted IP ranges.
  • Disable remote web administration on the device when it is not required to reduce the attack surface.
  • Enforce strict input validation and sanitization on the newpass parameter to mitigate command‑injection weaknesses (CWE‑74/CWE‑77).
  • Monitor device logs for anomalous POST requests or command‑like payloads and investigate any suspicious activity promptly.

Generated by OpenCVE AI on June 24, 2026 at 11:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was identified in Edimax BR-6478AC V2 1.23. Affected is the function wiz_5in1_redirect of the file /goform/wiz_5in1_redirect of the component POST Request Handler. Such manipulation of the argument newpass leads to command injection. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title Edimax BR-6478AC V2 POST Request wiz_5in1_redirect command injection
First Time appeared Edimax
Edimax br-6478ac V2
Weaknesses CWE-74
CWE-77
CPEs cpe:2.3:a:edimax:br-6478ac_v2:*:*:*:*:*:*:*:*
Vendors & Products Edimax
Edimax br-6478ac V2
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Edimax Br-6478ac V2
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-22T16:18:27.146Z

Reserved: 2026-06-21T04:19:59.147Z

Link: CVE-2026-12809

cve-icon Vulnrichment

Updated: 2026-06-22T16:18:17.178Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T12:00:05Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')