
CVE-2026-10127: Edimax BR-6478AC RCE Vulnerability

CVE-2026-10127 is a command injection flaw in Edimax BR-6478AC routers affecting the formStaDrvSetup function. Attackers can exploit this remotely to execute arbitrary commands. This article covers technical details, affected versions, impact, and mitigation strategies.

CVE-2026-10127 Overview

CVE-2026-10127 is a command injection vulnerability affecting the Edimax BR-6478AC router version 1.23. The flaw resides in the formStaDrvSetup function within /goform/formStaDrvSetup, which is reachable through the device's POST request handler. Attackers can manipulate the rootAPmac parameter to inject operating system commands that the router executes. The issue is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, i.e. injection). Public exploit details have been released, increasing the likelihood of opportunistic abuse against exposed devices.

Critical Impact

Authenticated remote attackers can inject arbitrary commands into the router operating system through the rootAPmac parameter, undermining the integrity of the device.

Affected Products

  • Edimax BR-6478AC firmware version 1.23
  • POST request handler component (/goform/formStaDrvSetup)
  • formStaDrvSetup function processing the rootAPmac argument

Discovery Timeline

  • 2026-05-30 - CVE-2026-10127 published to the National Vulnerability Database (NVD)
  • 2026-06-01 - Last updated in NVD database

Technical Details for CVE-2026-10127

Vulnerability Analysis

The Edimax BR-6478AC web management interface exposes the formStaDrvSetup handler under /goform/formStaDrvSetup. The handler accepts a rootAPmac parameter via HTTP POST and passes the value to an underlying shell invocation without sanitizing shell metacharacters. An authenticated attacker on the network can append shell separators such as ;, &&, or backticks to the parameter to execute arbitrary commands in the router context. The router firmware typically runs services as root, so injected commands can read configuration, modify firewall rules, or persist additional code.

The Exploit Prediction Scoring System (EPSS) lists this issue at the 77th percentile, reflecting that public exploit material exists. See the VulDB entry for vulnerability #367304 and the technical write-up on Notion for additional context.

Root Cause

The formStaDrvSetup function concatenates the attacker-controlled rootAPmac field directly into a system command string. The firmware does not validate that the value matches a MAC address format and does not escape shell metacharacters before invoking the shell.

Attack Vector

Exploitation requires network reachability to the management interface and low-privilege credentials. An attacker submits a crafted POST request to /goform/formStaDrvSetup with a malicious rootAPmac payload. The router parses the form, calls the vulnerable function, and the injected commands execute in the embedded Linux environment. No user interaction is required beyond authenticating to the web UI.

No verified proof-of-concept code is included here. Refer to the VulDB submission #818455 and associated CTI record for published exploitation details.

Detection Methods for CVE-2026-10127

Indicators of Compromise

  • HTTP POST requests to /goform/formStaDrvSetup containing shell metacharacters (;, |, &, backticks, $()) in the rootAPmac field
  • Unexpected outbound connections from the router to attacker-controlled hosts following management interface activity
  • Modifications to router configuration files, DNS settings, or firewall rules without an administrator action record

Detection Strategies

  • Inspect web access logs and any upstream proxy or IDS captures for formStaDrvSetup requests with non-MAC content in rootAPmac
  • Apply network signatures that flag POST bodies to /goform/formStaDrvSetup containing characters outside the hexadecimal and colon ranges expected of a MAC address
  • Baseline normal administrative traffic to the router and alert on deviations in request frequency, source IP, or payload size
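One way to implement the log inspection and MAC-format check described above, as an added example that is not code from the page or from Edimax. The log line layout, the sample lines and the function names are assumptions; the target path and parameter name come from the advisory.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote_plus

# Added example (not Edimax code): flag POST requests to the vulnerable handler
# whose rootAPmac value is not a plain MAC address, and record any shell
# metacharacters found so the finding can be triaged.
TARGET_PATH = "/goform/formStaDrvSetup"
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")
SHELL_META = set(";|&`$(){}<>\n\r")

def check_request(method: str, path: str, body: str) -> Optional[dict]:
    """Return a finding dict for a suspicious rootAPmac value, else None."""
    if method.upper() != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return None
    # Decode the form body first so percent-encoded separators (%3B for ';')
    # are not missed; a second unquote catches double-encoded values.
    params = parse_qs(body, keep_blank_values=True)
    for raw in params.get("rootAPmac", []):
        value = unquote_plus(raw)
        if MAC_RE.match(value):
            continue
        meta = sorted({c for c in value if c in SHELL_META})
        return {"param": "rootAPmac", "value": value, "metachars": meta,
                "severity": "high" if meta else "medium"}
    return None

# Constructed sample log lines: "<src_ip> <method> <path> <urlencoded body or ->".
SAMPLE_LOG = [
    "10.0.0.5 POST /goform/formStaDrvSetup rootAPmac=00%3A11%3A22%3A33%3A44%3A55&ssid=Home",
    "10.0.0.5 POST /goform/formStaDrvSetup rootAPmac=00%3A11%3A22%3A33%3A44%3A55%3Btest&ssid=Home",
    "10.0.0.9 GET /goform/formStaDrvSetup -",
    "10.0.0.7 POST /goform/formWizard ssid=Guest",
]

def scan_log(lines) -> list:
    """Run check_request over each log line and collect findings with source IP."""
    findings = []
    for line in lines:
        src, method, path, body = line.split(" ", 3)
        finding = check_request(method, path, "" if body == "-" else body)
        if finding:
            finding["src"] = src
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

A value that fails the MAC check but carries no metacharacters is still reported (as medium) because a legitimate client never sends anything but a MAC address to this field.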

Monitoring Recommendations

  • Forward router syslog and authentication events to a centralized logging platform for retention and correlation
  • Track changes to firmware version, running processes, and listening sockets through scheduled SNMP or remote management polls
  • Restrict who can reach the device's HTTP management interface and alert on access from unexpected subnets or VPN exit nodes

How to Mitigate CVE-2026-10127

Immediate Actions Required

  • Disable remote (WAN-side) administration on the Edimax BR-6478AC and limit LAN-side access to a dedicated management VLAN
  • Rotate administrator credentials and enforce strong, unique passwords to reduce the value of the low-privilege precondition
  • Audit recent configuration changes and inspect the device for unauthorized scripts, cron entries, or modified DNS settings

Patch Information

No vendor patch is referenced in the available advisories at the time of publication. Monitor the Edimax support portal and the VulDB record for vulnerability #367304 for firmware updates addressing the formStaDrvSetup command injection.

Workarounds

  • Block external access to /goform/formStaDrvSetup at an upstream firewall or reverse proxy until a fixed firmware is available
  • Place the router behind a segmented network and restrict management traffic to a trusted jump host
  • Consider replacing end-of-support consumer hardware with a currently maintained model if vendor updates are not forthcoming

```bash
# Example iptables rule to restrict management interface access to a trusted host.
# Rules are appended (-A), so an earlier ACCEPT in the INPUT chain would still win;
# insert them ahead of existing rules (-I) if the chain already allows port 80.
# Repeat for port 443 if HTTPS management is enabled on the device.
iptables -A INPUT -p tcp --dport 80 -s 192.0.2.10 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
