CVE-2026-12808 Overview
CVE-2026-12808 is a command injection vulnerability in the Edimax BR-6478AC V2 wireless router running firmware version 1.23. The flaw resides in the stainfo function handling POST requests to the /goform/stainfo endpoint. Attackers can manipulate the interface argument to inject operating system commands that execute on the device. The issue is classified under [CWE-74] (Improper Neutralization of Special Elements in Output Used by a Downstream Component). Exploit details have been publicly disclosed, and the vendor did not respond to coordinated disclosure attempts.
Critical Impact
An authenticated remote attacker can inject arbitrary operating system commands through the interface POST parameter of /goform/stainfo, leading to command execution on the embedded router.
Affected Products
- Edimax BR-6478AC V2 router
- Firmware version 1.23
- POST Request Handler component (/goform/stainfo)
Discovery Timeline
- 2026-06-21 - CVE-2026-12808 published to NVD
- 2026-06-22 - Last updated in NVD database
Technical Details for CVE-2026-12808
Vulnerability Analysis
The vulnerability exists in the stainfo function inside the Edimax BR-6478AC V2 web management interface. The function processes POST requests sent to /goform/stainfo and reads the interface parameter without sufficient sanitization. The router passes the parameter value into a downstream shell or system command, which allows shell metacharacters to break out of the intended command context.
Command injection in embedded router firmware typically arises when developers use functions such as system(), popen(), or execve() with shell interpretation enabled, concatenating untrusted input directly into the command string. In this case, the interface argument is treated as a trusted operand. Successful exploitation runs commands with the privileges of the web server process, which on consumer routers is commonly root.
The attack is initiated remotely over the network and requires low-privilege authentication on the device. The EPSS probability is 1.18% (63.8 percentile), indicating moderate predicted exploitation activity. The vendor has not issued a patch or acknowledged the disclosure.
Root Cause
The root cause is improper neutralization of special elements supplied through the interface POST parameter [CWE-74]. The stainfo handler concatenates attacker-controlled input into a system command without input validation, character allowlisting, or argument quoting.
Attack Vector
The attacker sends a crafted HTTP POST request to /goform/stainfo on the router's management interface. The interface field carries shell metacharacters such as ;, |, &, or backticks followed by an attacker-supplied command. The router's stainfo routine executes the concatenated string in a shell context. Technical details for the request structure are published on the Notion advisory page and tracked in VulDB entry 372602.
Detection Methods for CVE-2026-12808
Indicators of Compromise
- POST requests to /goform/stainfo containing shell metacharacters (;, |, &, `, $() in the interface parameter
- Unexpected outbound network connections initiated by the router after web interface activity
- New or modified files in router-writable paths such as /tmp or /var
- Web management requests originating from external or unexpected source IP addresses
Detection Strategies
- Inspect HTTP POST bodies destined for /goform/stainfo and alert on non-alphanumeric values in the interface field
- Monitor router syslog forwarding for child processes spawned by the HTTP daemon that are not part of normal operation
- Correlate authentication events on the router with subsequent POST requests to administrative endpoints
Monitoring Recommendations
- Forward router logs to a centralized log platform and retain HTTP request metadata for the management interface
- Track DNS queries and outbound connections from the router's management IP for signs of post-exploitation activity
- Apply network segmentation telemetry to detect lateral movement from the router into internal subnets
How to Mitigate CVE-2026-12808
Immediate Actions Required
- Restrict access to the BR-6478AC V2 web management interface to trusted administrative VLANs and disable WAN-side administration
- Change default and weak administrative credentials, since exploitation requires authentication
- Place the router behind a firewall rule that blocks inbound HTTP and HTTPS to the management port from untrusted networks
- Treat the device as end-of-support if no vendor patch is available and plan replacement with a maintained model
Patch Information
No vendor patch is available. According to the CVE record, the vendor was contacted early about this disclosure but did not respond. Organizations using the Edimax BR-6478AC V2 on firmware 1.23 should monitor the VulDB entry for CVE-2026-12808 for any future vendor advisory and plan device replacement in the absence of remediation.
Workarounds
- Disable remote management and limit web administration to a single hardened management host
- Enforce strong, unique credentials and rotate them after the device has been exposed to untrusted networks
- Segment IoT and consumer networking devices onto a dedicated VLAN with egress filtering to limit post-exploitation impact
- Replace unsupported consumer routers with vendor-maintained equivalents that receive regular firmware updates
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

