CVE-2026-10125 Overview
CVE-2026-10125 is a stack-based buffer overflow vulnerability [CWE-119] in the Edimax BR-6478AC router running firmware version 1.23. The flaw resides in the formPPPoESetup function of the /goform/formPPPoESetup endpoint, which is part of the POST request handler in the device's web management interface. Attackers can trigger the overflow by manipulating the pppUserName argument in a crafted POST request. The attack can be initiated remotely over the network, and a public exploit has been disclosed.
Critical Impact
Remote attackers with low privileges can corrupt stack memory on the device, leading to potential code execution or denial of service against affected Edimax BR-6478AC routers.
Affected Products
- Edimax BR-6478AC firmware version 1.23
- The formPPPoESetup POST request handler
- The /goform/formPPPoESetup web management endpoint
Discovery Timeline
- 2026-05-30 - CVE-2026-10125 published to the National Vulnerability Database (NVD)
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-10125
Vulnerability Analysis
The vulnerability is a stack-based buffer overflow in the formPPPoESetup handler of the Edimax BR-6478AC router. The function processes PPPoE configuration submitted through the device's web administration interface via HTTP POST. When the handler copies the user-supplied pppUserName parameter into a fixed-size stack buffer, it does not validate the input length. Supplying a pppUserName value longer than the destination buffer overwrites adjacent stack memory, including saved return addresses and frame pointers.
Because the device runs on an embedded Linux platform with limited memory protections, controlled overwrites can redirect execution flow. The publicly available exploit details indicate that the issue is reachable through authenticated POST requests to /goform/formPPPoESetup.
Root Cause
The root cause is missing bounds checking on the pppUserName POST parameter inside formPPPoESetup. The function uses an unsafe string copy operation against a fixed-length stack buffer, allowing the attacker-controlled data to exceed buffer boundaries and corrupt the call stack.
Attack Vector
An attacker reaches the vulnerability over the network by sending a crafted HTTP POST request to the /goform/formPPPoESetup endpoint on the router's management interface. The request must include an oversized pppUserName value. Exploitation requires low privileges (enough to access the web interface) and no user interaction. Internet-exposed management interfaces increase the practical risk.
No verified exploitation code is reproduced here. Refer to the Notion Guide for Edimax Setup and the VulDB Vulnerability Report #367302 for technical write-ups.
Detection Methods for CVE-2026-10125
Indicators of Compromise
- Unexpected HTTP POST requests targeting /goform/formPPPoESetup from untrusted source addresses.
- POST bodies containing abnormally long pppUserName values that exceed typical credential lengths.
- Router reboots, web service crashes, or PPPoE service instability following inbound management traffic.
- Configuration changes to PPPoE settings that do not correlate with administrative activity.
Detection Strategies
- Inspect web server logs on the router and any upstream proxies for POST requests to /goform/formPPPoESetup with oversized parameter values.
- Deploy network intrusion detection signatures that flag HTTP requests containing pppUserName fields exceeding a reasonable byte threshold.
- Correlate router log anomalies, such as repeated httpd restarts, with inbound traffic to the management interface.
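The first two strategies can be prototyped offline against captured requests from an upstream proxy or packet capture. The following is an added example, not code from the vendor or the original advisory; the 64-byte threshold, the admin subnet, the `otherField` parameter and the sample requests are all assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import parse_qsl, urlsplit

TARGET_PATH = "/goform/formPPPoESetup"            # endpoint named in the advisory
FIELD = "pppUserName"                             # parameter named in the advisory
MAX_USERNAME_BYTES = 64                           # assumed threshold, tune per environment
ADMIN_NET = ipaddress.ip_network("192.0.2.0/28")  # assumed admin subnet (documentation range)


def inspect_request(src_ip: str, raw: bytes) -> list:
    """Return the reasons a captured HTTP request is suspicious (empty list = nothing flagged)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) != 3:
        return []                                 # not a parseable request line
    method, target, _version = parts
    if method.upper() != "POST" or urlsplit(target).path.rstrip("/") != TARGET_PATH:
        return []
    reasons = []
    if ipaddress.ip_address(src_ip) not in ADMIN_NET:
        reasons.append("untrusted-source")
    # latin-1 maps each byte to one character, so len() after percent-decoding
    # is the decoded byte count, not the on-the-wire length of the field.
    fields = parse_qsl(body.decode("latin-1"), keep_blank_values=True, encoding="latin-1")
    # A repeated parameter is judged by its longest occurrence.
    longest = max((len(v) for k, v in fields if k == FIELD), default=0)
    if longest > MAX_USERNAME_BYTES:
        reasons.append(f"oversized-{FIELD}:{longest}")
    return reasons


def make_request(body: str) -> bytes:
    """Build a constructed sample request (not captured traffic)."""
    return (f"POST {TARGET_PATH} HTTP/1.1\r\nHost: router.example\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode("latin-1")


# Constructed samples: (source IP, raw request); otherField is a hypothetical parameter
SAMPLES = [
    ("192.0.2.5", make_request("pppUserName=user%40isp.example&otherField=x")),
    ("198.51.100.7", make_request("pppUserName=user%40isp.example&otherField=x")),
    ("192.0.2.5", make_request("pppUserName=" + "%41" * 100 + "&otherField=x")),
    ("192.0.2.5", make_request("otherField=x&pppUserName=" + "B" * 300)),
]

if __name__ == "__main__":
    for src, raw in SAMPLES:
        print(src, inspect_request(src, raw) or "ok")
```

Measuring the field after percent-decoding matters: the third sample is 300 bytes on the wire but 100 bytes decoded, and a rule keyed to only one of those lengths can be tuned incorrectly.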
Monitoring Recommendations
- Forward router syslog and HTTP access logs to a centralized SIEM for retention and analysis.
- Alert on any access to the router's management interface from outside designated administrative networks.
- Monitor for new outbound connections originating from the router that could indicate post-exploitation activity.
How to Mitigate CVE-2026-10125
Immediate Actions Required
- Restrict access to the router's web management interface to trusted internal management VLANs only.
- Disable remote (WAN-side) administration on the Edimax BR-6478AC until a vendor patch is verified and applied.
- Rotate administrative credentials for the device and audit account usage.
- Review PPPoE and WAN configurations for unauthorized modifications.
Patch Information
No vendor advisory or firmware update for CVE-2026-10125 was referenced in the NVD entry at publication. Organizations operating the Edimax BR-6478AC running firmware 1.23 should monitor the Edimax support portal and the VulDB Vulnerability Report #367302 for updated firmware releases. If a patched version is unavailable, consider replacing affected devices with hardware that receives active security maintenance.
Workarounds
- Place the router behind a firewall that blocks unsolicited access to TCP ports used by the web management service.
- Limit administrative access by source IP using router ACLs where supported.
- Segment the router management plane from user networks to reduce exposure to internal attackers.
- Disable unused services on the device to reduce the attack surface.
# Example: restrict inbound access to the router management interface using an upstream firewall
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 -s <admin_subnet> -j ACCEPT
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 -j DROP
iptables -A FORWARD -p tcp -d <router_ip> --dport 443 -s <admin_subnet> -j ACCEPT
iptables -A FORWARD -p tcp -d <router_ip> --dport 443 -j DROP

