CVE-2026-10166 Overview
CVE-2026-10166 is a command injection vulnerability in the Edimax BR-6478AC wireless router, firmware version 1.23. The flaw resides in the formWlbasic function within /goform/formWlbasic, part of the device's POST request handler. Attackers can manipulate the rootAPmac parameter to inject arbitrary operating system commands. The vulnerability is remotely exploitable and a public exploit has been disclosed. The weakness is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).
Critical Impact
Authenticated remote attackers can inject operating system commands through the rootAPmac POST parameter, potentially leading to unauthorized command execution on the affected router.
Affected Products
- Edimax BR-6478AC firmware version 1.23
- Component: POST Request Handler
- Endpoint: /goform/formWlbasic
Discovery Timeline
- 2026-05-31 - CVE-2026-10166 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-10166
Vulnerability Analysis
The vulnerability exists in the formWlbasic handler used by the Edimax BR-6478AC web management interface. When the router processes a POST request to /goform/formWlbasic, it reads the rootAPmac argument and passes the value into a downstream command execution context without proper neutralization of shell metacharacters. An attacker who supplies crafted input containing shell separators or substitution sequences in rootAPmac triggers command injection on the underlying operating system.
The exploit has been publicly disclosed via VulDB Vulnerability #367418, and additional technical analysis is available in the Notion documentation. The EPSS score for this CVE is 1.058%, at the 77.965 percentile. EPSS is a predicted probability of exploitation, so this ranks the CVE above most other scored CVEs rather than indicating observed attacks.
Root Cause
The root cause is improper input neutralization in the formWlbasic handler. User-controlled data from the rootAPmac POST argument flows into a system command or shell invocation without sanitization or argument escaping. This pattern is common in embedded web interfaces that pass configuration values directly to shell utilities for applying wireless settings.
Attack Vector
The attack is conducted over the network against the router's HTTP management interface. The attacker sends a POST request to /goform/formWlbasic with a malicious rootAPmac value containing shell metacharacters. Successful injection executes commands in the context of the router's web service. Refer to the public technical write-up linked in the references for proof-of-concept request structure and payload details.
Detection Methods for CVE-2026-10166
Indicators of Compromise
- Unexpected POST requests to /goform/formWlbasic containing shell metacharacters such as ;, |, &, backticks, or $() in the rootAPmac parameter.
- Outbound connections from the router to unfamiliar IP addresses following access to the management interface.
- Unauthorized changes to wireless configuration or the appearance of new processes on the device.
Detection Strategies
- Inspect HTTP request logs on upstream proxies or network sensors for POST traffic to /goform/formWlbasic with non-MAC-formatted rootAPmac values.
- Deploy network intrusion detection signatures that match shell metacharacters within form fields posted to the router's web UI.
- Correlate management-plane access with subsequent anomalous DNS or outbound traffic originating from the router's IP address.
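One way to apply the first two strategies to captured traffic, as an added example (not code from the advisory or from Edimax): it decodes url-encoded POST bodies and reports every rootAPmac value that is not a well-formed MAC address. The sample requests, the /other path and the EXAMPLE placeholder strings are constructed; the strict pattern is the one from the rule concept under Workarounds.

```python
import re
from urllib.parse import parse_qsl

ENDPOINT = "/goform/formWlbasic"
# Strict MAC pattern taken from the rule concept on this page. fullmatch() is
# used instead of "^...$" because "$" also matches before a trailing newline,
# which would let a value ending in %0A pass.
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}")

def suspicious_rootapmac(method, path, body):
    """Return the decoded rootAPmac values that are not well-formed MACs."""
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return []
    # parse_qsl percent-decodes names and values and keeps every occurrence,
    # so a repeated parameter cannot hide a bad value behind a clean one.
    # Blank values are dropped by parse_qsl and are not reported.
    pairs = parse_qsl(body)
    return [v for k, v in pairs if k == "rootAPmac" and not MAC_RE.fullmatch(v)]

def scan(requests):
    """Return (index, bad_values) for each request that should raise an alert."""
    hits = []
    for i, (method, path, body) in enumerate(requests):
        bad = suspicious_rootapmac(method, path, body)
        if bad:
            hits.append((i, bad))
    return hits

# Constructed sample requests (method, path, url-encoded body); not real traffic.
SAMPLES = [
    ("POST", ENDPOINT, "rootAPmac=00%3A11%3A22%3A33%3A44%3A55"),           # clean
    ("POST", ENDPOINT, "rootAPmac=00%3A11%3A22%3A33%3A44%3A55%3BEXAMPLE"),  # separator
    ("POST", ENDPOINT, "rootAPmac=00-11-22-33-44-55%0A"),                   # newline
    ("POST", ENDPOINT,
     "rootAPmac=AA%3ABB%3ACC%3ADD%3AEE%3AFF&rootAPmac=%24%28EXAMPLE%29"),   # repeated
    ("GET", ENDPOINT, ""),                                                  # wrong method
    ("POST", "/other", "rootAPmac=%7CEXAMPLE"),                             # other path
]

if __name__ == "__main__":
    for index, bad in scan(SAMPLES):
        print(f"request {index}: non-MAC rootAPmac value(s) {bad!r}")
```

Proxy access logs rarely record POST bodies, so the input for a check like this usually has to come from a network sensor or a proxy configured to capture request bodies for this endpoint.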
Monitoring Recommendations
- Restrict and monitor administrative access to the router's web interface using ACLs and audit logging at the network layer.
- Alert on any external (WAN-side) connection attempts to the router's HTTP management port.
- Track firmware version drift across managed Edimax devices to ensure unpatched units are identified quickly.
How to Mitigate CVE-2026-10166
Immediate Actions Required
- Disable remote (WAN-side) administration on the Edimax BR-6478AC and restrict management access to trusted LAN hosts.
- Change default and weak administrator credentials to limit the pool of attackers able to reach the authenticated handler.
- Segment the router's management interface onto a dedicated VLAN with strict access control.
Patch Information
No vendor patch has been referenced in the available advisory data for CVE-2026-10166. Administrators should consult Edimax product support channels for firmware updates addressing the formWlbasic handler and monitor VulDB Vulnerability #367418 for updated remediation guidance.
Workarounds
- Block external access to /goform/formWlbasic at the network perimeter or via a reverse proxy with request filtering.
- Apply a web application firewall rule that rejects POST requests where rootAPmac contains characters outside the valid MAC address format (^[0-9A-Fa-f:.-]+$).
- Where supported, replace the affected device with a model that receives active firmware maintenance.
# Example WAF/proxy rule concept: reject non-MAC values in rootAPmac
# (pseudo-config; adapt to your WAF syntax)
# Match against the decoded value and use a full-string match: in PCRE-style
# engines "$" also matches just before a trailing newline.
if request.uri == "/goform/formWlbasic" and
   request.method == "POST" and
   not match(post_arg("rootAPmac"), "^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$"):
    action: deny
    log: "CVE-2026-10166 attempt blocked"

