Impact
The vulnerability affects the mp function in the /goform/mp endpoint of Edimax BR-6478AC V2 firmware 1.23 and allows an attacker to inject arbitrary system commands via the command parameter in a POST request. This likely results in remote command execution on the device, as command injection typically permits execution of arbitrary commands. Consequently, an attacker could potentially gain control over the router. The flaw is a classic command injection (CWE-74) that also reflects improper command execution handling (CWE-77).
Affected Systems
Only the Edimax BR-6478AC V2 router running firmware 1.23 is confirmed to be vulnerable. No other vendors or product versions are listed as affected.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, while the EPSS score of 1% suggests a low but non‑zero likelihood of exploitation. The vulnerability can be triggered remotely via a simple POST request to /goform/mp, and the description indicates that no authentication is required (inferred from the lack of authentication references); this suggests the endpoint is publicly accessible. The exploit code has been released to the public, but the device is not listed in the CISA KEV catalog, meaning it is not a known active exploit at the time of this analysis.
OpenCVE Enrichment