Description
A security flaw has been discovered in Edimax BR-6478AC V2 1.23. Affected by this vulnerability is the function mp of the file /goform/mp of the component POST Request Handler. Performing a manipulation of the argument command results in command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-21
Score: 5.3 Medium
EPSS: 1.2% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability affects the mp function in the /goform/mp endpoint of Edimax BR-6478AC V2 firmware 1.23 and allows an attacker to inject arbitrary system commands via the command parameter in a POST request. This likely results in remote command execution on the device, as command injection typically permits execution of arbitrary commands. Consequently, an attacker could potentially gain control over the router. The flaw is a classic command injection (CWE-74) that also reflects improper command execution handling (CWE-77).

Affected Systems

Only the Edimax BR-6478AC V2 router running firmware 1.23 is confirmed to be vulnerable. No other vendors or product versions are listed as affected.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS score of 1% suggests a low but non‑zero likelihood of exploitation. The vulnerability can be triggered remotely via a simple POST request to /goform/mp, and the description indicates that no authentication is required (inferred from the lack of authentication references); this suggests the endpoint is publicly accessible. The exploit code has been released to the public, but the device is not listed in the CISA KEV catalog, meaning it is not a known active exploit at the time of this analysis.

Generated by OpenCVE AI on June 24, 2026 at 11:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest firmware from Edimax that addresses the command injection in the /goform/mp endpoint when available.
  • Implement strict input validation and sanitization on the command parameter of the /goform/mp endpoint to block injection attempts, following guidelines for CWE-74 and CWE-77.
  • Limit network exposure of the device by enforcing firewall rules, VLAN segmentation, or VPN usage so that only trusted IP addresses can reach the /goform/mp endpoint.
  • If firmware updates or configuration changes are not feasible, block or disable POST requests to /goform/mp via the device settings, a reverse proxy, or an external firewall to eliminate the attack surface.

Generated by OpenCVE AI on June 24, 2026 at 11:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in Edimax BR-6478AC V2 1.23. Affected by this vulnerability is the function mp of the file /goform/mp of the component POST Request Handler. Performing a manipulation of the argument command results in command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title Edimax BR-6478AC V2 POST Request mp command injection
First Time appeared Edimax
Edimax br-6478ac V2
Weaknesses CWE-74
CWE-77
CPEs cpe:2.3:a:edimax:br-6478ac_v2:*:*:*:*:*:*:*:*
Vendors & Products Edimax
Edimax br-6478ac V2
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Edimax Br-6478ac V2
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-22T10:27:45.063Z

Reserved: 2026-06-21T04:20:02.194Z

Link: CVE-2026-12810

cve-icon Vulnrichment

Updated: 2026-06-22T10:27:41.359Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T12:00:05Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')